What stops someone from copying an executable from my snap

Hi, I’m trying to understand snaps, but I’d like to know:

If snaps are read-only, what is to stop someone from copying off an executable from my snap and running it elsewhere outside of snapd infrastructure?

AFAIK not a thing. Although given that it is possible to run programs packaged in a snap outside of its confinement, I would say ridiculousness

That’s correct, there is no copy-prevention included in the snap ecosystem currently. Once a user has a copy of your snap they can do as they wish with the contents, including copying it out of the .snap file to a location of their choosing. The same is true of virtually all distribution systems, and even those that claim copy-protection such as DVD or BluRay discs or streaming media must at some point share the key with the person consuming the data and thus can be broken given an amount of effort to find the key in memory.

Right, so say if the snap is for an IoT device, is there a method to prevent anything other than those devices from downloading the snap from the snap store or otherwise reading the snap?

A brand store is the right way to restrict public access to the snaps?

At this point your only hope is a dickish license stating that end users may not build/improve competing products/services using the snap or derivatives thereof and may not talk to your competitors about the package. Also a legal assault team to sue them out of existence if they try.

We do have mechanisms for devices to authenticate to device-specific stores, but securing the snap content once it is on the device is orthogonal to that. If you are looking to use snaps on a commercial IoT device, please reach out to us and we can provide additional info on our services and capabilities in that regard.


I’ve left a query for establishing a branded store with Canonical, but our security prior to snaps was simply to lock everything down, but that sort of eliminates an upgrade process. How would you like me to get in touch?

Licensing doesn’t help anyone.

I distribute a shell script with my snap which is designed to be run outwith the snap confinement.
My application generates MusicXML files which I need to import to the MuseScore snap. Because MuseScore cannot see my application’s snap directory, I developed the shell script to copy the files to another directory in my home directory. This way MuseScore can get access to my files.

Hey Peter,

The official way of contacting Canonical for professional services is using the form at the Contact Us page. Depending on what you write for “What would you talk to us about”, it will be routed to the right person/team who will get in touch with you.

Hope this helps,
K
