What stops someone from copying an executable from my snap

Hi, I’m trying to understand snaps, but I’d like to know:

If snaps are read-only, what is to stop someone from copying off an executable from my snap and running it elsewhere outside of snapd infrastructure?

AFAIK not a thing. Although given that is is possible to run programs packaged in a snap outside of its confinement, I would say ridiculousness

That’s correct, there is no copy-prevention included in the snap ecosystem currently. Once a user has a copy of your snap they can do as they wish with the contents, including copying it out of the .snap file to a location of their choosing. The same is true of virtually all distribution systems, and even those that claim copy-protection such as DVD or BluRay discs or streaming media must at some point share the key with the person consuming the data and thus can be broken given an amount of effort to find the key in memory.

Right, so say if the snap is for an IOT device, is there a method to prevent anything other than those devices from downloading the snap from the snap store or otherwise reading the snap?

A brand store is the right way to restrict public access to the snaps?

At this point you only hope is a dickish license stating that end users may not build/improve competing products/services using the snap or derivates thereof and may not talk to your competitors about the package. Also a legal assault team to sue them out of existance if they try.

We do have mechanisms for devices to authenticate to device-specific stores, but securing the snap content once it is on the device is orthogonal to that. If you are looking to use snaps on a commercial IoT device, please reach out to us and we can provide additional info on our services and capabilities in that regard.

1 Like

I’ve left a query for establishing a branded store with canonical, but our security prior to snaps was simply to lock everything down, but that sort of eliminates an upgrade process. How would you like me to get in touch?

Licencing doesn’t help anyone.

I distribute a shell script with my snap which is designed to be run outwith the snap confinement.
My application generates MusicXML files which I need to import to the MuseScore snap. Because MuseScore cannot see my application’s snap directory, I developed the shell script to copy the files to another directory in my home directory. This way MuseScore can get access to my files.

Hey Peter,

The official way of contacting Canonical for professional services is using the form at the Contact Us page. Depending of what you write for “What would you talk to us about” it will be routed to the right person/team who will get in touch with you.

Hope this helps,