On Thu, Feb 08, 2018 at 03:10:08PM -0800, Steve Langasek wrote:
> = Maintainer =
> Packages in the Ubuntu archive arrive there by one of two means: they are
> synced from Debian as upstream, or they are uploaded by an Ubuntu developer.
> Similarly, to be included in an Ubuntu image, a snap should have as its
> publisher either the upstream, or the Ubuntu developer community. For the
> latter, a common team should initially be created in the Snap Store whose
> membership is managed by the Developer Membership Board, and kept in sync
> with the ubuntu-motu team in Launchpad, with the Ubuntu Security team
> additionally included.

For better or worse, the snap store doesn't have teams. Should this be rephrased in terms of collaboration or something?

> = Source availability =
> Unlike Launchpad, the Snap Store allows publishers to upload binary snaps
> directly. While a valuable option in the general case, for snaps installed
> by default we should ensure that they build from source in the common
> Launchpad environment. This helps to avoid any increase to the build time
> attack surface and provides a known good environment that can be similarly
> duplicated if the snaps need to be rebuilt in the future.
>
> In addition, maintainability of the product demands that the package remains
> buildable if no changes have been made to the product’s source. For .deb
> packages, we enforce this by only building against other packages in the
> Ubuntu distribution. Launchpad allows snap builds to pull from third-party
> repositories; this means that if those repositories change - or disappear -
> the snap may no longer be functionally equivalent when rebuilt, or may not
> build at all. To address this, official Ubuntu snaps should be built only
> from source that is available in Launchpad. Snap recipe builds already
> require a launchpad-hosted branch to host the snapcraft.yaml, so it is a
> logical extension to require launchpad hosting for the parts also.
>
> Both of these requirements will likely depend on changes to Launchpad and
> possibly the Snap Store, to either support enforcing a different network
> policy at build time or to tag builds as compliant or not with this policy.

I've done the bulk of the Launchpad work for this, pending review:

https://code.launchpad.net/~cjwatson/launchpad/db-snap-allow-network/+merge/336923
https://code.launchpad.net/~cjwatson/launchpad/snap-allow-network/+merge/336924

-- 
Colin Watson [[email protected]]
