Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Initial commit of Snap package #2378

Closed
wants to merge 1 commit into from

Conversation

Projects
None yet
3 participants
@dmp1ce
Copy link

commented Feb 6, 2019

Adds snap package code which will allow Snap packages to be automatically built and hosted on the Snapcraft store.

#568

@dmp1ce dmp1ce requested a review from ManfredKarrer as a code owner Feb 6, 2019

@ripcurlx
Copy link
Member

left a comment

NACK - see my comments below. Unfortunately I don't have time to evaluate if we want to "offically" support Snap packages. @devinbileck do you have time to look into this if we want to add this kind of support? Thanks!

- home
desktop: usr/share/applications/bisq.desktop
environment:
JAVA_HOME: "$SNAP/usr/lib/jvm/java-11-openjdk-amd64"

This comment has been minimized.

Copy link
@ripcurlx

ripcurlx Feb 6, 2019

Member

Bisq should be built with Java 10. Java 11 isn't officially supported yet.

This comment has been minimized.

Copy link
@dmp1ce

dmp1ce Feb 7, 2019

Author

I think java-11-jdk is Java 10 on Ubuntu. I have also learned that a Snap package can be created from the .deb if that would be better.

This comment has been minimized.

Copy link
@dmp1ce

dmp1ce Feb 7, 2019

Author

Ubuntu 18.04 is still on Java 10 it seems. https://askubuntu.com/a/1037655/25776

source: https://github.com/bisq-network/bisq-desktop.git
source-tag: v0.9.3
build-packages: [openjdk-11-jdk]

This comment has been minimized.

Copy link
@ripcurlx

ripcurlx Feb 6, 2019

Member

Bisq should be built with Java 10. Java 11 isn't officially supported yet.

This comment has been minimized.

Copy link
@dmp1ce

dmp1ce Feb 7, 2019

Author

I think java-11-jdk is Java 10 on Ubuntu. I have also learned that a Snap package can be created from the .deb if that would be better.

This comment has been minimized.

Copy link
@dmp1ce

dmp1ce Feb 7, 2019

Author

Ubuntu 18.04 is still on Java 10 it seems. https://askubuntu.com/a/1037655/25776

source: https://github.com/bisq-network/bisq-desktop.git
source-tag: v0.9.3
build-packages: [openjdk-11-jdk]
stage-packages: [openjdk-11-jre]

This comment has been minimized.

Copy link
@ripcurlx

ripcurlx Feb 6, 2019

Member

Bisq should be built with Java 10. Java 11 isn't officially supported yet.

This comment has been minimized.

Copy link
@dmp1ce

dmp1ce Feb 7, 2019

Author

I think java-11-jdk is Java 10 on Ubuntu. I have also learned that a Snap package can be created from the .deb if that would be better.

This comment has been minimized.

Copy link
@dmp1ce

dmp1ce Feb 7, 2019

Author

Ubuntu 18.04 is still on Java 10 it seems. https://askubuntu.com/a/1037655/25776

@devinbileck

This comment has been minimized.

Copy link
Member

commented Feb 7, 2019

To be honest, I am unfamiliar with snap packages and this is my first time looking into it. The more I look into it, the less inclined I am to suggest the snapcraft store as a way to distribute Bisq (or any Bitcoin application for that matter) as I have not found a way to verify the application against our signature files (and ideally it should be verified before installing via snap in the first place). @HarryMacfinned highlighted these same concerns in #568.

Up until this point, we have only provided DEB packages with our releases which is serving only a subset of the Linux community, and with our next release we will be able to provide an RPM package (see #2200), which will help cover a wider audience.

We could potentially provide a snap file with our releases (along with signature file) as it can be installed locally. For example (as per https://docs.snapcraft.io/java-applications/7819):

sudo snap install bisq-desktop.snap --devmode --dangerous

But this kind of defeats the purpose of using snaps as an easy install/update app-store.

However, since snaps can be used on all major Linux distributions (according to https://docs.snapcraft.io/installing-snapd/6735), providing a snap package would allow us to provide an install package for the majority of the Linux community.

But to be honest, this may not warrant the added effort as it is likely the rest of the Linux community is skilled enough to just build the application from source.

@ripcurlx

This comment has been minimized.

Copy link
Member

commented Feb 7, 2019

NACK - Based on the concerns by @devinbileck and @HarryMacfinned I won't merge it into master. @dmp1ce Sorry for the efforts you put into this. Maybe you can use this on your own fork, but we won't add this as an official distribution channel yet.

@ripcurlx ripcurlx closed this Feb 7, 2019

@dmp1ce

This comment has been minimized.

Copy link
Author

commented Feb 7, 2019

Snaps installed from the Snapcraft store can be verified by an end user with a signature or checksum easily because the .snap files are all stored in /var/lib/snapd/snaps and mounted as read-only for the system to use.

The .snap and signature could be added to the releases page on Github and .snap file could be distributed on the Snapcraft store. The validity of the .snap can be verified if one so chooses either way the user gets the .snap.

@devinbileck

This comment has been minimized.

Copy link
Member

commented Feb 8, 2019

I suppose that may be a viable solution. But I guess it all depends if building the snap package is deterministic and yields the exact same file between a locally generated package and one published to the snapcraft store. Do you know if that is the case?

@freimair how is bisq distributed via the Arch platform? I am not familiar with the platform or process. Is a compiled package provided and if so how do you address these concerns?

@dmp1ce

This comment has been minimized.

Copy link
Author

commented Feb 8, 2019

I don't know if a snap build is deterministic but I'll try to find out.

I help @freimair maintain the Arch Linux Bisq packages.

There are scripts for installing both the binary and the source compiled version of bisq. https://aur.archlinux.org/packages/?O=0&K=bisq Arch Linux users can also install snapd and install the Bisq snap if they choose.

The typical way Arch Linux users address these concerns is either relying on the Arch Linux official maintainers to package the application as a binary or use a package on the AUR. If using a package on the AUR it is recommended to look over the PKGBUILD, which is a bash script, before using it to install the application. Many PKGBUILD scripts install from source or official binaries.

@dmp1ce

This comment has been minimized.

Copy link
Author

commented Feb 8, 2019

I just built the Bisq snap again and got a different sha256 hash. So, I'm going to say no. The build is not deterministic, at least not the way I am building the snap.

@devinbileck

This comment has been minimized.

Copy link
Member

commented Feb 8, 2019

When you upload a locally generated snap file to the snapcraft store, does the hash of the snap that actually gets installed match? If so, that may be a viable approach as opposed to having it automatically built and published out of our control.

@devinbileck

This comment has been minimized.

Copy link
Member

commented Feb 8, 2019

Another item to consider is the update check mechanism within the app. If installed via snap, does it still make sense to download the install files? Should it instead show a prompt to upgrade via snap? If so, that means it would bypass the automatic signature verification portion after download and would be up to the user to self verify it.

@dmp1ce

This comment has been minimized.

Copy link
Author

commented Feb 8, 2019

Great questions. I think the hashes do match after going through the Snapcraft store but I haven't verified yet.

I wasn't aware that Bisq had an automatic signature process. Snaps update automatically which has some people in the community concerned. I need to learn more about how Bisq and Snaps update to see if they are compatible.

For Arch Linux packages I usually ignore update messages from apps and just install the latest package from the AUR. The Bisq AUR package does the verification every time.

@dmp1ce

This comment has been minimized.

Copy link
Author

commented Feb 8, 2019

I don't know if it is of interest here but the Snapcraft community has been discussing how "refreshing" apps should work for over a year. https://forum.snapcraft.io/t/bug-saves-are-blocked-to-snap-user-data-if-snap-updates-when-it-is-already-running/3226/16

Issues around data consistency, user feedback and you bring up good points about security. It might be that the Bisq application could ask snapd to refresh Bisq and the validated current version of Bisq could verify the hash from the Snapcraft store. I'll keep an eye on it.

@devinbileck devinbileck referenced this pull request Feb 9, 2019

Closed

Official Snap #70

@devinbileck

This comment has been minimized.

Copy link
Member

commented Feb 9, 2019

Thanks. I have added comments to the proposal and we can continue discussion there.
bisq-network/proposals#70

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.