Snap updates and developer notifications on security updates

Relaying a question from a third-party developer.

Assume a snap is being pushed on each commit through build.snapcraft.io to the edge channel. The developer promotes release to the other channels when necessary.

What happens when a build/stage package is updated in the archive?

Currently the developer wouldn’t know to trigger a new build of their software. For an active project, it may be that coincidentally on a recent push to master, they get new build/stage packages as a byproduct, but unintentionally.

What can we do to assist developers hooking their software up to our build service to ensure they deliver secure updates to their users promptly? Is there a plan to notify a developer of CVEs in affected build/stage packages? Will this come out of the work to build a comprehensive manifest file?

Yes, we do plan to have a system that warns developers about the fact their snaps are affected by a CVE, and indeed we’ll use the manifest information for that purpose.

I’m not sure about how high in the roadmap the task is at the moment. @sergiusens will have more details about the manifest part at least.


There are two halves to this, first enable it, which we already have the code for; make an MP to tell build.snapcraft.io to generate these and then have the store side of the work for presenting this.

The work is a target for 18.04, so it will definitely be done by then, how soon in the cycle I cannot say.

On our side, we are pretty much done and have been iterating with the security team on the actual data and details; and it is the snapcraft version that has been on the release path for the past weeks.

Given we are starting to spec the required work store-side, we were wondering if this feature[1] will be eventually enabled by default[2], or if it would be an optional flag[3] to pass when building the snap.

[1] it seems to be behind the SNAPCRAFT_BUILD_INFO env var, right?
[2] any ETA?
[3] including this manifest file would be an optional thing for developers?

I just need to tell @cjwatson to set SNAPCRAFT_BUILD_INFO. I think it is safe to do so now.

Ok, great.
OTOH, is this something that would be eventually enabled for every user running snapcraft?

It should be fine for public builds. Once, if ever, private builds are supported on launchpad/buildd for snaps then this should be optional.

On the presentation side, I would just say the information is not available to determine if updates due to security fixes are needed.

I tried this with cleanbuild and am not getting a manifest file.

Eg:

SNAPCRAFT_BUILD_INFO=1 snapcraft cleanbuild

There is nothing in meta/ or snap/. Note that I tried with both a toplevel snapcraft.yaml and also with snap/snapcraft.yaml.

Per @sergiusens on IRC:

07:08 < sergiusens> jdstrand oh, with cleanbuild you need 2.35, the env var
                    wasn't being passed in before