Friday, 9 February 2018

Re: RFC: Ubuntu Seeded Snaps

On Thu, Feb 08, 2018 at 03:10:08PM -0800, Steve Langasek wrote:
> = Maintainer =
> Packages in the Ubuntu archive arrive there by one of two means: they are
> synced from Debian as upstream, or they are uploaded by an Ubuntu developer.
> Similarly, to be included in an Ubuntu image, a snap should have as its
> publisher either the upstream, or the Ubuntu developer community. For the
> latter, a common team should initially be created in the Snap Store whose
> membership is managed by the Developer Membership Board, and kept in sync
> with the ubuntu-motu team in Launchpad, with the Ubuntu Security team
> additionally included.

For better or worse, the snap store doesn't have teams. Should this be
rephrased in terms of collaboration or something?

> = Source availability =
> Unlike Launchpad, the Snap Store allows publishers to upload binary snaps
> directly. While a valuable option in the general case, for snaps installed
> by default we should ensure that they build from source in the common
> Launchpad environment. This helps to avoid any increase to the build time
> attack surface and provides a known good environment that can be similarly
> duplicated if the snaps needs to be rebuilt in the future
> In addition, maintainability of the product demands that the package remains
> buildable if no changes have been made to the product's source. For .deb
> packages, we enforce this by only building against other packages in the
> Ubuntu distribution. Launchpad allows snap builds to pull from third-party
> repositories; this means that if those repositories change - or disappear -
> the snap may no longer be functionally equivalent when rebuilt, or may not
> build at all. To address this, official Ubuntu snaps should be built only
> from source that is available in Launchpad. Snap recipe builds already
> require a launchpad-hosted branch to host the snapcraft.yaml, so it is a
> logical extension to require launchpad hosting for the parts also.
> Both of these requirements will likely depend on changes to Launchpad and
> possibly the Snap Store, to either support enforcing a different network
> policy at build time or to tag builds as compliant or not with this policy.

I've done the bulk of the Launchpad work for this, pending review:

Colin Watson []

ubuntu-devel mailing list
Modify settings or unsubscribe at: