Hello!
A few months ago we started the work to track assets, that then will be recorded in a manifest file that will be saved inside the snap for auditing.
We have some common assets that we are already tracking, like build packages and stage packages. Now we need to start tracking things that are specific to each plugin. As the first example to get this bootstrapped, think about the python packages installed inside the snap during the build step.
We have discussed about this, and it’s not complex to achieve. But we have two options for how the plugin reports the assets it wants to track:
- the assets will be returned by the plugin step methods
- the plugin handler will call a specific plugin method that returns the assets
I’m slightly inclined to the first option. This way it seems to me that the steps would be returning a summary of the important things that they did in the form of assets. In the python example, the method for the build step performs the installation of python packages, so it returns a dictionary like: {'python-packages': [package1=version1, package2=version2]}
.
The code would look like this:
https://github.com/snapcore/snapcraft/pull/1395/files
After our discussion this morning, @kyrofa seems a little more inclined to the other option. He can expand more in the comments, but the idea would be that after the plugin handler finishes the build step, it will call a method like get_assets
that each plugin needs to implement.
Both seem easily doable, with just some details to solve along the way. For example, if the assets are return values of the steps, then we would need a way to merge the assets coming from pull with the assets coming from build for the final manifest.
If there is a get_assets
method, then the plugin will take care of collecting and returning the assets as it wants them recorded in the manifest.
And one additional detail to take into account is that the assets are tracked in the per-part per-step state files, and then copied into the manifest. With the first option, it’s clear that the plugin assets can be stored in these files. With the second option, we need to figure out where to save the assets. Maybe we just save them in the build state, or maybe we add a new state file. We could even remove the state files as intermediaries and keep the assets just in memory.
As I said at the start, this is not a big deal. We just need to agree on the form, and start implementing it for all our plugins.
pura vida