please add mechanism to enforce trusted LP builds for snaps
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Snap Store Server | New | Wishlist | Unassigned | |
| Software Center Agent | New | Wishlist | Unassigned | |
Bug Description
In working through the processes surrounding 'confinement: classic' and who can use it, it has recently been agreed to by stakeholders (Jamie Bennett, Emily Ratliff and Bret Barker) that under certain conditions the store should enforce the use of LP builds. These reasons include:
- if using 'confinement: classic' and a member of motu/ubuntu-
- if using 'confinement: classic' with an official upstream open source project
- if the snap is designated as officially supported by Canonical
What this does is provide a direct path from the snap in the store to a particular source build.
All of the details have not been worked out yet for the above scenarios, however at a minimum the store can add a check (in the non-CRT checks) that can flag for human review if using 'confinement: classic' without a trusted LP build. In this manner, a human can wave something through if needed for each upload (i.e., the decision isn't remembered, to encourage people to move to trusted LP builds), but snap approvals flow normally for trusted LP builds.
description: updated
Changed in snapstore: importance: Undecided → Wishlist
Changed in software-center-agent: importance: Undecided → Wishlist
Note that we need to sort out https://bugs.launchpad.net/launchpad-buildd/+bug/1650946 before "only LP builds for classic" constraints can usefully be imposed, although I certainly have no objection to the constraint in principle.