Ended up here due to this post.
I understand the complexity of this; it’s mainly a business process issue, and it really depends how much the SNAP store wants to take on.
Political Blurb:
- I don’t want to rehash an old issue, but you really need to figure out what the SNAP store wants to be. For example, SNAP has been very adamant about forcing auto-updates. That is fine, but understand that from a business perspective, you’re taking on more power and responsibility as the store. If you want that power and responsibility, you can’t just wash your hands of the situation and say we can’t take responsibility for verifying.
Some Ideas on Verification, based on increasing ‘verification’:
- Just ensuring the publisher is valid
- Manual check to ensure the publisher is the one who ‘owns’ that software. For example, GIMP SNAP should be verified to be built by the ‘GIMP’ team.
- Manual inspection of the build process. For example, if there is some project on GitHub, you should inspect the SNAP build process to make sure that you’re basically getting a build from the sources on GitHub.
- Manual rating of Publisher trust level. Something like Mozilla would get a higher level of trust than myself. You don’t want this to get political; if a product is, say, ad-supported or has tracking, that shouldn’t reduce its trust. It’s more a trust of whether the SNAP is going to get you what you expect. If you download a Facebook SNAP in the future, it’s basically a question of whether you are getting the Facebook SNAP free from viruses, malware… It shouldn’t get into Facebook’s tracking of users or business model.
- Manual inspection of the app itself. Functionality, security, source code…
How far up the chain you go is up to you. Obviously it’s going to be more expensive as you go up the chain. But that’s the cost of doing business if you want to be in the ‘app-store’ game. Maybe even start charging money to evaluate an application; especially for commercial users.
Edit: I think as well, you might want to not just have a boolean here, but some value. Maybe a trust score of 0-10 (where 10 is very trustworthy), or something along those lines. Maybe different numbers of checkmarks if you want it easier. The user can then hover over or click in to see more details of what was verified for that application/publisher.