The problem with third party snaps

I agree with you that there are security issues to be addressed. Some comments below, for each item:

  1. Not sure if I got it right, but I’d definitely feel safer if all Snaps were built on the Snapcraft server. I mean, someone could upload a Snap, include the source YAML in the description as a way of gaining trust, but AFAIK the only way to ensure the uploaded package was, in fact, built from these sources is building it yourself and doing some comparison. I might be wrong on this, maybe someone more versed could jump in and make things clearer.

  2. There’s the verified badge some publishers have. This improves trust, for sure, but I’m not aware of the criteria needed for getting one.

  3. This process exists and is strictly followed. Some permissions don’t need review, but more sensitive ones must go through a vetting process managed and conducted by Canonical employees.

  4. I believe this is also present. Every uploaded snap goes through a series of automated checks. Not sure which ones are security-related.

  5. Can’t say anything about this.

Ivo

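The comparison Ivo describes in item 1 (build the snap yourself from the published sources and check it against what the store serves) can be scripted. The script below is an added example, not code from the thread or from the ZeroTier project: it downloads a snap from the store, unpacks both squashfs images, and compares per-file SHA-256 digests rather than the raw `.snap` bytes, because squashfs timestamps and packing order differ between builds even when every file is identical. The snap name and local `.snap` path are placeholders supplied on the command line; the driver needs `snapd` and `squashfs-tools`, while the comparison helpers run anywhere.

```shell
#!/bin/sh
# Added example (not from the thread): compare the file contents of a snap
# downloaded from the store against one built locally from the published
# snapcraft.yaml. Snap name and local .snap path are placeholders.
set -eu

# Produce a sorted "sha256  ./relative/path" manifest for every regular file
# under a directory. mtimes and squashfs packing order are ignored, so two
# builds of the same sources compare equal even if the .snap bytes differ.
manifest() {
    dir="$1"
    (cd "$dir" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 sha256sum)
}

# Return 0 when two directory trees hold identical file contents, 1 otherwise.
trees_match() {
    if [ "$(manifest "$1")" = "$(manifest "$2")" ]; then
        return 0
    fi
    return 1
}

# Snap-specific driver: fetch the store copy, unpack both images, compare.
# Requires snapd (snap download) and squashfs-tools (unsquashfs).
compare_snap() {
    name="$1"        # snap name as listed in the store (placeholder)
    local_snap="$2"  # .snap produced by running snapcraft on the sources
    work=$(mktemp -d)
    # Writes "$work/store.snap" plus the matching "$work/store.assert".
    snap download "$name" --basename="$work/store" >/dev/null
    unsquashfs -q -d "$work/store_root" "$work/store.snap"
    unsquashfs -q -d "$work/local_root" "$local_snap"
    if trees_match "$work/store_root" "$work/local_root"; then
        echo "store snap matches local build"
        return 0
    fi
    echo "MISMATCH: store snap and local build differ"
    diff -r "$work/store_root" "$work/local_root" || true
    return 1
}

# Usage: ./compare_snap.sh --run <snap-name> <path/to/local.snap>
if [ "${1:-}" = "--run" ]; then
    compare_snap "$2" "$3"
fi
```

A match only shows that the store artifact corresponds to the sources you built from; it says nothing about whether those sources are what the publisher claims, and toolchain differences (compiler version, build timestamps embedded by the build system) can produce benign mismatches that need to be investigated file by file with the `diff -r` output.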

Hello all! Joseph from ZeroTier here.

I’d like to thank @capruro and @lance, and everyone else that maintained and/or contributed to the ZeroTier packages (and this community), it’s really great to see things organically popping up like this. I’ve personally moved into this ecosystem for my daily computing now and so I’d like to do my little part in helping maintain this community.

I agree with the general sentiment of the thread that it’s probably best that the original vendor/author controls the package in question and releases often to keep things up to date. We at ZT would be willing to take ownership of the packages in question and keep them current. Ideally we’d like to shut one of them down to avoid redundancy and confusion if possible.

I’ll be sending DMs to the relevant authors to better understand the requirements for maintaining a snap repo. Feel free to ask me any ZT-related questions, I’ll keep an eye on this thread and will update it once I’ve taken control of the package.

Thanks again everyone!


Hello, Joseph! It is great to hear from you. I would be happy to help transition the snap into the care of its rightful owners. The build tools and snap ecosystem have really come a long way since I originally created the snap, which should make it quite simple for you. At first, I had to maintain some changes against the ZeroTier code (related to file paths, for example) to allow zerotier-one to run in strict confinement, but with the snapcraft layout feature that is no longer necessary. Later on, @capruro and I struggled a bit with build flags for ARM systems, but that also seems to be less of an issue today. It could be as simple as adding a snapcraft.yaml file to the ZeroTier repository and setting up automated builds on build.snapcraft.io. I could issue a pull request if that is desired.

As for ownership in the snap store, I believe the proper procedure is to create a new forum message requesting an admin to transfer ownership. I believe they should verify your identity somehow, maybe through your organization email address or some other method. Even if I delete the snap from the store, I do not think it will free up the name for you to use, so transferring is probably the best way.


Hello! Thank you, Joseph, it’s good to hear that! I would love to have ZT officially distributed via snap! :heart:

Like @lance was explaining, we need to create a new thread asking a snap store admin.