license: field in meta/snap.yaml is not validated store-side
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Snap Store Server |
Fix Released
|
High
|
Hasan Ammar | ||
| Snapcraft |
Fix Released
|
Medium
|
Sergio Schvezov | ||
Bug Description
Snapcraft now supports the license: field, and it claims to verify the contents as a valid SPDX expression but ONLY if the `snap` command is available; this doesn't seem to work out of the box. If snapcraft is unable to validate the license, it will just upload the bogus-licensed snap to the store. The store also doesn't validate / ignores the license: field (i.e. we don't extract or verify licensing metadata from it, otherwise it would fail our license expression validation). As a result, it's perfectly possible for a snap with a bogus license: field to make it into the store.
When trying to install such a snap, this happens:
$ sudo snap install --edge hello-roadmr-1
error: cannot perform the following tasks:
- Mount snap "hello-roadmr-1" (164) (cannot validate license "some really bogus license": unknown license: some)
To repro this, given a working snapcraft setup and a registered snap name, use this snapcraft.yaml:
name: hello-roadmr-1
version: 2020-02-06-04
summary: say hello to this snap which is ok
confinement: strict
grade: stable
description: just a description.
license: some really bogus license
base: core18
architectures:
- amd64
apps:
hello:
command: echo "hello"
parts:
empty:
plugin: nil
then snapcraft build, snapcraft push --release etc (the whole snap publishing shebang), then try to snap install it and you'll get the error I noted above.
I noticed snapcraft says this at build time:
Could not find '/snap/
which is strange because it also said this *prior* to that:
Launching a VM.
Launched: snapcraft-
2020-02-
snapd 2.42.5 from Canonical✓ installed
core18 20200124 from Canonical✓ installed
snapcraft 3.9.8 from Canonical✓ installed
I notice it says /snap/core so probably it's looking for core16 (aka core) but since this is a clean core18-based build, the expected path does not exist
| Daniel Manrique (roadmr) wrote | #1 |
| Changed in snapstore: | |
| status: | New → Confirmed |
| importance: | Undecided → High |
| Sorin Sbarnea (ssbarnea) wrote | #2 |
| Hasan Ammar (hasanammar) wrote | #3 |
| Changed in snapstore: | |
| assignee: | nobody → Hasan Ammar (hasanammar) |
| status: | Confirmed → Fix Released |
| Changed in snapcraft: | |
| status: | New → In Progress |
| Sergio Schvezov (sergiusens) wrote | #4 |
| Changed in snapcraft: | |
| importance: | Undecided → Medium |
| assignee: | nobody → Sergio Schvezov (sergiusens) |
| Changed in snapcraft: | |
| status: | In Progress → Fix Committed |
| Changed in snapcraft: | |
| status: | Fix Committed → Fix Released |
Store-side, "we never extracted the license data from the snap.yaml...? the only way to set license was through the web UI".
However,
"it should be simple to extract and validate license during scan".
This meshes well with the idea of populating metadata from a snap's actual contents.