license: field in meta/snap.yaml is not validated store-side

Bug #1862242 reported by Daniel Manrique on 2020-02-06
Affects      Importance   Assigned to
Snap Store   High         Unassigned
Snapcraft    Undecided    Unassigned

Bug Description

Snapcraft now supports the license: field, and it claims to verify the contents as a valid SPDX expression but ONLY if the `snap` command is available; this doesn't seem to work out of the box. If snapcraft is unable to validate the license, it will just upload the bogus-licensed snap to the store. The store also doesn't validate / ignores the license: field (i.e. we don't extract or verify licensing metadata from it, otherwise it would fail our license expression validation). As a result, it's perfectly possible for a snap with a bogus license: field to make it into the store.

When trying to install such a snap, this happens:

$ sudo snap install --edge hello-roadmr-1
error: cannot perform the following tasks:
- Mount snap "hello-roadmr-1" (164) (cannot validate license "some really bogus license": unknown license: some)

To repro this, given a working snapcraft setup and a registered snap name, use this snapcraft.yaml:

name: hello-roadmr-1
version: 2020-02-06-04
summary: say hello to this snap which is ok
confinement: strict
grade: stable
description: just a description.
license: some really bogus license
base: core18

architectures:
  - amd64

apps:
  hello:
    command: echo "hello"

parts:
  empty:
    plugin: nil

Then run snapcraft build, snapcraft push --release, etc. (the whole snap publishing shebang), then try to snap install it and you'll get the error I noted above.

I noticed snapcraft says this at build time:
Could not find '/snap/core/current/usr/bin/snap', validation of the license string will only take place once pushed to the store.

which is strange because it also said this *prior* to that:
Launching a VM.
Launched: snapcraft-hello-roadmr-1
2020-02-06T20:58:24Z INFO Waiting for restart...
snapd 2.42.5 from Canonical✓ installed
core18 20200124 from Canonical✓ installed
snapcraft 3.9.8 from Canonical✓ installed

I notice it says /snap/core, so probably it's looking for core16 (aka core), but since this is a clean core18-based build, the expected path does not exist.

Daniel Manrique (roadmr) wrote :

Store-side, "we never extracted the license data from the snap.yaml...? the only way to set license was through the web UI".

However,

"it should be simple to extract and validate license during scan".

This meshes well with the idea of populating metadata from a snap's actual contents.

Changed in snapstore:
status: New → Confirmed
importance: Undecided → High
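The store-side check the comment calls for ("extract and validate license during scan"), as an added example that is not Snap Store, snapcraft or snapd code: it pulls the top-level license: line out of snap.yaml and validates it as an SPDX expression, rejecting the report's "some really bogus license" with the same message snapd prints at install time. The license and exception allowlists are a constructed subset of the SPDX lists, the literal "Proprietary" is accepted as snapd does, and the extraction is a plain regex over the top-level key rather than a YAML parser.

```python
import re
# Constructed subset of the SPDX license/exception lists (a real check loads the full lists).
KNOWN_LICENSES = {"MIT", "Apache-2.0", "GPL-2.0", "GPL-3.0", "LGPL-2.1", "BSD-3-Clause"}
KNOWN_EXCEPTIONS = {"Classpath-exception-2.0", "GCC-exception-3.1"}
TOKEN_RE = re.compile(r"\(|\)|[A-Za-z0-9.+-]+|\S")  # parens, ids/operators, stray chars

def _parse_simple(tokens, i):
    # simple := '(' expr ')' | license-id ['+'] ['WITH' exception-id]; returns next index
    tok = tokens[i] if i < len(tokens) else ""
    if tok == "(":
        i = _parse_expr(tokens, i + 1)
        if i >= len(tokens) or tokens[i] != ")":
            raise ValueError("missing closing parenthesis")
        return i + 1
    if (tok[:-1] if tok.endswith("+") else tok) not in KNOWN_LICENSES:  # wording as in the report
        raise ValueError(f"unknown license: {tok}" if tok else "unexpected end of expression")
    if i + 1 < len(tokens) and tokens[i + 1] == "WITH":
        if i + 2 >= len(tokens) or tokens[i + 2] not in KNOWN_EXCEPTIONS:
            raise ValueError("unknown exception after WITH")
        return i + 3
    return i + 1

def _parse_expr(tokens, i):
    # expr := simple (('AND' | 'OR') simple)*; operator precedence does not affect validity
    i = _parse_simple(tokens, i)
    while i < len(tokens) and tokens[i] in ("AND", "OR"):
        i = _parse_simple(tokens, i + 1)
    return i

def validate_license(expr):
    """Accept the literal 'Proprietary' (as snapd does) or a well-formed SPDX expression."""
    if expr.strip() == "Proprietary":
        return True
    tokens = TOKEN_RE.findall(expr)
    end = _parse_expr(tokens, 0)
    if end != len(tokens):
        raise ValueError(f"unexpected token: {tokens[end]}")
    return True

def check_upload(snap_yaml):
    """Store-side scan: reject an upload whose top-level license: line fails validation."""
    m = re.search(r"^license:[ \t]*(.*?)[ \t]*$", snap_yaml, re.M)  # top-level key; not a YAML parser
    if not m:
        return True, "no license: field (it is optional)"
    try:
        validate_license(m.group(1))
    except ValueError as e:
        return False, f'cannot validate license "{m.group(1)}": {e}'
    return True, f"license ok: {m.group(1)}"
```

Run against the snapcraft.yaml from the report, check_upload returns the rejection at scan time instead of letting the snap reach users and fail at install.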