undefined | Better HN

0 pointspopey7y ago0 comments

The build service at build.snapcraft.io is what builds it. Anyone can hook up their github repo (containing a snapcraft.yaml) to build and have to automatically rebuild the snap when changes in the git repo occur. It then pushes the snap to the 'edge' channel in the store. Developer validates that build and then pushes to stable for all users.

0 comments

hsivonen7y ago

Thank you.

As a user, how (other than asking here) was I supposed to convince myself of the identity binding between “snapcrafters” and the GitHub org and to convince myself that trust in the correspondence between snapcraft.yaml and what I get when I install a snap is rooted in Canonical’s build service and not in trusting an individual uploader not injecting different binaries?

RayDonnelly7y ago

And what is to stop someone from pushing malicious code to GitHub and you guys distributing malicious packages to end-users via your 'stable' channel?

And who's liable here?

j / k navigate · click thread line to collapse