private snap builds lack manifest.txt

Bug #2030668 reported by Dimitri John Ledkov
Affects: launchpad-buildd
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

https://git.launchpad.net/launchpad-buildd/commit/?id=22579385406c299ac000f26a3f0857c911a520bb

builds private snaps without manifest.txt, which is quite annoying given one doesn't know any package versions of staged packages, breaking automatic rebuild notifications from snapstore for private snap builds that are published in the global store.

Is there a way to somehow turn on manifest.txt? Especially when embargoed builds will later be made public by other means (i.e. one can get the staged .deb packages from Pro archives).

Dimitri John Ledkov (xnox) wrote:

This is very unfortunate, and makes me want to build private FIPS snaps outside of Launchpad, such that I can generate a snap with a manifest.txt that has the correct package versions matching the Pro FIPS archive's published versions.

Colin Watson (cjwatson) wrote:

The concern here was that it was moderately likely that if we enabled manifests for private builds then credentials from the build process could leak out into the built snap. I dug through some history and it seems that this caution was originally suggested by Sergio from the snapcraft team: https://forum.snapcraft.io/t/snap-updates-and-developer-notifications-on-security-updates/2754/4

It's possible that this is a non-issue now: credentials that Launchpad generates as part of private snap builds are carefully arranged to be ephemeral and scoped to the lifetime of the build, so even if they do leak it wouldn't matter; but it's possible that some private snap recipes take hacky approaches with credentials in URLs for their dependencies and the like, so it's possible that making the change you propose would cause information leaks. I'm subscribing Sergio here to see if he still has the same opinion that he did in 2017.

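The leak the comment above worries about is a recipe that smuggles credentials into dependency URLs, which a manifest would then record. As an added example (not launchpad-buildd or snapcraft code), here is a pre-publish check that scans a YAML-style manifest for URLs carrying userinfo or secret-looking query parameters and returns a redacted copy alongside the findings; `scan_manifest`, `redact_url`, the `SECRET_PARAMS` list and the sample manifest are all assumptions constructed for the demonstration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Any scheme://... run up to whitespace or a quote; catches URLs inside YAML values.
URL_RE = re.compile(r"""\b[a-z][a-z0-9+.-]*://[^\s"'<>]+""", re.IGNORECASE)
# Query parameter names treated as secrets (assumed list; extend to taste).
SECRET_PARAMS = {"token", "access_token", "auth", "password", "key", "api_key", "secret", "sig"}

# Constructed sample manifest; both URLs carry build-time credentials that must not ship.
SAMPLE_MANIFEST = """\
name: example-fips-snap
version: '1.2.3'
primed-stage-packages:
- libssl3=3.0.2-0ubuntu1.10+Fips1
parts:
  main:
    source: https://deploy:s3cr3tTok3n@git.example.internal/team/app.git
    build-packages:
    - https://archive.example.internal/pool/foo.deb?token=abc123
"""

def redact_url(url):
    """Return (cleaned_url, kinds): userinfo stripped, secret query values replaced."""
    parts = urlsplit(url)
    kinds, netloc = [], parts.netloc
    if parts.username is not None or parts.password is not None:
        kinds.append("userinfo")
        netloc = parts.hostname or ""  # rebuild host[:port] without user:pass@
        if parts.port:
            netloc += f":{parts.port}"
    query = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SECRET_PARAMS:
            kinds.append(f"query:{name}")
            value = "REDACTED"
        query.append((name, value))
    return urlunsplit((parts.scheme, netloc, parts.path, urlencode(query), parts.fragment)), kinds

def scan_manifest(text):
    """Return (redacted_text, findings); each finding is (line_no, kind, cleaned_url)."""
    findings, out = [], []
    for line_no, line in enumerate(text.splitlines(), 1):
        def repl(match):
            cleaned, kinds = redact_url(match.group(0))
            findings.extend((line_no, kind, cleaned) for kind in kinds)
            return cleaned  # the secret itself is never copied into the report
        out.append(URL_RE.sub(repl, line))
    return "\n".join(out) + "\n", findings
```

Running `scan_manifest(SAMPLE_MANIFEST)` reports the userinfo on the `source:` line and the `token` parameter on the `.deb` line, and the returned text is safe to attach to the snap.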
Sergio Schvezov (sergiusens) wrote:

To clarify, my comment about private builds was more of an on-prem (and back then default --destructive-mode) situation where a vendor could be leaking. For this case of a launchpad build itself, I do not personally see an issue with it.

Much less so given the onward trend, or rather requirement, from state entities to provide a form of manifest (i.e. an SBOM).
