Publishing snap to edge channel changes store metadata
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Snap Store Server | Fix Released | Undecided | Unassigned | |
## Bug Description
Publishing a snap to a branch on the edge channel overwrites the store metadata such as name, icon and description.
## Steps to reproduce
1. Publish a snap to the stable channel. The store metadata shows the metadata of that snap version.
2. Change the metadata and publish the snap to a branch in the edge channel. The store metadata now shows the metadata of the snap in the edge channel.
## What I expect to happen
* Publishing a snap to the stable channel changes the store metadata if it isn't manually set.
* Publishing a snap to a branch of the edge channel doesn't change the store metadata.
The user installs the stable channel by default so the user should see the metadata of the stable snap by default.
## Security issue
"branch" channels are documented as a good way to create snaps for test versions. Our CI infrastructure is set up so that an open PR will trigger a new push to a PR-specific branch in the edge channel. Thus, a malicious actor can change the snap metadata simply by creating a PR. For example, a malicious person could change the description to include a deprecation notice and point to a different installer that installs malware. From the user's point of view, this message will come from the verified publisher of the charm.
At the moment, our build infrastructure is set up so snaps will only get created for PRs of our core contributors. Thus, the security implication is small for us.
Changed in snapstore:
| Field | Change |
|---|---|
| status | Incomplete → New |
| summary | old: "Pushing a new snap to the store changes description, icon name and display name"; new: "Publishing snap to edge channel changes store metadata" |
| description | updated |
| information type | Private Security → Public Security |
What are you using to push your builds? i.e. you say "Every PR will trigger a new push to the edge/branch channel to make testing easier.". How is this done?
The reason I ask is this. The main issue here has already been reported (https://bugs.launchpad.net/snapstore/+bug/1782368), but we tried this extensively and the workaround is to use dashboard.snapcraft.io. The reason is that metadata (icon, description, summary...) that is edited in the dashboard is marked specially, so when a push comes from snapcraft or Launchpad, the dashboard notices a human has already modified the data and prevents the update by indicating there is a conflict.
So it would be good to know how you're publishing your snaps to see if there's something we missed.
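To make the two behaviours discussed in this report concrete, here is an added toy model (not Snap Store code, and not the reporter's CI setup) of how a store could decide whether a push is allowed to rewrite listing metadata. It contrasts the reported behaviour (any push, including to an edge branch, overwrites name, icon and description) with the behaviour the reporter expects (only a stable release may update the listing) and with the dashboard workaround described in the reply (fields edited by a human are marked and a conflicting push is refused). Channel strings such as `latest/edge/pr-42`, the field names, the `MetadataConflict` exception and the sample metadata are all constructed for the example.

```python
"""Toy model of snap store listing-metadata update policies.

Added example, not the Snap Store's implementation. Channel names, field
names and the MetadataConflict exception are assumptions made for the demo.
"""
from dataclasses import dataclass, field

METADATA_FIELDS = ("name", "icon", "description")
RISKS = ("stable", "candidate", "beta", "edge")


class MetadataConflict(Exception):
    """Raised when a push would overwrite metadata a human edited in the dashboard."""


@dataclass
class Listing:
    metadata: dict
    locked: set = field(default_factory=set)  # fields edited via the dashboard


def risk_of(channel):
    """Return the risk level of a channel such as 'latest/edge/pr-42' or 'stable'."""
    for part in channel.split("/"):
        if part in RISKS:
            return part
    raise ValueError(f"no risk level in channel {channel!r}")


def dashboard_edit(listing, field_name, value):
    """Simulate a human editing a field on dashboard.snapcraft.io: value is set and marked."""
    listing.metadata[field_name] = value
    listing.locked.add(field_name)


def conflicting_fields(listing, snap_metadata):
    """Fields the push would change that a human has already set in the dashboard."""
    return [f for f in METADATA_FIELDS
            if f in snap_metadata and f in listing.locked
            and listing.metadata.get(f) != snap_metadata[f]]


def push_overwrite(listing, channel, snap_metadata):
    """Reported behaviour: every push, whatever the channel, rewrites the listing."""
    listing.metadata.update({f: snap_metadata[f] for f in METADATA_FIELDS if f in snap_metadata})
    return sorted(f for f in METADATA_FIELDS if f in snap_metadata)


def push_guarded(listing, channel, snap_metadata):
    """Expected behaviour: only a stable release updates the listing, and
    dashboard-edited fields are never overwritten (a conflict is reported)."""
    if risk_of(channel) != "stable":
        return []  # edge/beta/candidate pushes leave the public listing alone
    conflicts = conflicting_fields(listing, snap_metadata)
    if conflicts:
        raise MetadataConflict(f"dashboard-edited fields would be overwritten: {conflicts}")
    updated = [f for f in METADATA_FIELDS if f in snap_metadata and f not in listing.locked]
    for f in updated:
        listing.metadata[f] = snap_metadata[f]
    return updated


def reproduce(push):
    """Run the report's two steps against a push policy; return the final description."""
    listing = Listing({})
    # Step 1: release to stable with the legitimate metadata (constructed sample).
    push(listing, "latest/stable",
         {"name": "hello", "icon": "hello.png", "description": "Says hello."})
    # Step 2: a PR build lands on an edge branch with altered metadata (constructed sample).
    push(listing, "latest/edge/pr-42",
         {"name": "hello", "icon": "hello.png",
          "description": "DEPRECATED: constructed sample text pointing elsewhere"})
    return listing.metadata["description"]


if __name__ == "__main__":
    print("overwrite policy:", reproduce(push_overwrite))
    print("guarded policy:  ", reproduce(push_guarded))
    # The dashboard workaround from the reply: a human edit is marked and protected.
    listing = Listing({"description": "Says hello."})
    dashboard_edit(listing, "description", "Edited by a human in the dashboard.")
    try:
        push_guarded(listing, "latest/stable", {"description": "From snapcraft.yaml"})
    except MetadataConflict as exc:
        print("conflict:", exc)
```

Running the script shows the edge-branch push replacing the description under the overwrite policy and leaving it untouched under the guarded one; the final block shows why the dashboard edit works as a workaround even for stable releases.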