One day I was using F-Droid and I was thinking… What if there was something like the F-Droid client, but for snap packages? Something that would perhaps support adding third party repositories made and hosted by other people? Obviously not as a replacement for the existing App Center and the Snap Store, as they are irreplaceable and I couldn’t even hope to do something like that, not to mention that they’re a core part of the snap experience. But just as an alternative for the people that are interested in distributing their snap packages in their own way. Plus, I needed something for my bachelor’s degree exam.
The journey started with a simple graphical interface to sideload a snap package that is stored locally, something that was already possible, just not graphically (as a side note, this would be a nice addition to App Center, as it’s already possible to do that with deb packages). And then I continued to add things until the end result is a somewhat functional client that can browse third party repositories and download and install as well as manage packages from them. I call it “The Snap Sideloader”. Here’s a short demonstration:
In short, repository details are stored inside SQLite database files structured to be compatible, which are then downloaded and read by the client. As such anyone can create their own repository in TSS format by making use of the following database schema: GitHub - thetechdog/the-snap-sideloader-repo-template: Template for creating repositories compatible with TSS format.
A repository for demonstration purposes is available at: GitHub - thetechdog/test-repo: Example of a TSS-compatible repo.
Let’s say a developer creates their own repository in TSS format. Obviously they will have to host the package and repository files somewhere, but that’s beside the point. All they have to do is make available the direct download link for the SQLite database file, which we could call the “repository file”. The user will then add the repository link in The Snap Sideloader, enabling them to browse that repository and manage software from it.
The users can add as many such repositories as they please, and The Snap Sideloader will keep track of the installed packages per repository.
Looks like an interesting project and obviously you put a lot of work and thought into it, well done.
My primary concern would be security:
How are these 3rd party snaps vetted?
Is the code checked during or after download to ensure it contains no malicious content?
Is there some kind of warning, especially for new users, along the lines of you are about to install an unvetted/unverified app do you want to continue?
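An added example (not code from the original post or from the project) of the download check asked about above: a client reads a TSS-style repository file and only hands a package to `snap install --dangerous` when the downloaded bytes match the digest the publisher listed. The table layout, package name and payload are assumptions constructed here; the real schema is in the template repository linked in the first post.

```python
import hashlib
import sqlite3

# Assumed table layout for a TSS-style repository file (an SQLite database the
# client downloads). The real schema is in the project's template repository.
SCHEMA = """
CREATE TABLE packages (
    name    TEXT PRIMARY KEY,
    version TEXT NOT NULL,
    url     TEXT NOT NULL,
    sha256  TEXT NOT NULL
);
"""

# Constructed stand-in for a downloaded .snap payload and its listed digest.
GOOD_SNAP = b"constructed snap payload v1"
GOOD_DIGEST = hashlib.sha256(GOOD_SNAP).hexdigest()


def open_repo():
    """Build an in-memory repository file listing one constructed package."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute(
        "INSERT INTO packages VALUES (?, ?, ?, ?)",
        ("hello-tss", "1.0", "https://example.invalid/hello-tss_1.0.snap", GOOD_DIGEST),
    )
    return db


def verify_download(db, name, payload):
    """Return (ok, reason). ok is True only when the downloaded bytes match the
    digest the repository publisher listed. This proves the file was not altered
    between publisher and client; it does not vet what the snap does, so the
    caller should still show an 'unverified third-party package' warning before
    running `snap install --dangerous` on it."""
    row = db.execute("SELECT sha256 FROM packages WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False, "package not listed in repository"
    actual = hashlib.sha256(payload).hexdigest()
    if actual != row[0]:
        return False, f"sha256 mismatch: expected {row[0][:12]}..., got {actual[:12]}..."
    return True, "digest matches repository listing"
```

The check is only as trustworthy as the repository file itself, so the client should fetch that file over HTTPS from the link the user chose to trust.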
This sounds awesome! A Snap version of F-Droid would make managing third-party repos way easier, and the SQLite repo system is a smart approach. Definitely a neat project for your bachelor’s.
When it comes to security, a centralized software source will be more secure. With decentralization there is more flexibility, but it inherently cannot be as secure.
That is to say, installing snap packages from a third party repository would be as secure as installing any other form of software from a third party source. Meaning that the user has to use their judgment and trust the source before they use it.
I think however, that the barrier to entry is high enough that beginner PC users and most intermediate PC users will not bother with installing from third party sources. For an analogy, take Android as an example. Most Android users only ever install from Google Play, but some intermediate and advanced users like to install from third party sources as well. This is basically who The Snap Sideloader is catering to: a more advanced user that can choose whether or not to trust a third party supplier of software (in this case said software is packaged as snaps).
And, as for people who would want to distribute malicious software through a third party repository, I am not saying that would be impossible, but it’d be much easier for those actors to create a repository of deb packages and list the command to add it to apt (which does have support for third party repositories) so that users that are not careful may add it.
I think that this is a great project, and well done for it!
It’s not something that I personally would use, as I tend to be a more conservative user, but I can see that other people might be interested in it, increasingly over time.
I’d like to see more visibility for your project. Perhaps consider posting this on r/Ubuntu? (Ignore the snap-haters that always crawl out of the woodwork there.) The only thing is that I’m not sure that it fits the rules of the forum.
Thank you for your kind words.
Sorry if it doesn’t fit here, I would’ve tried to post it in Lounge as it seems to be more for general discussion, but I don’t have a high enough trust level.
I will try to post it on r/Ubuntu though, thanks for the suggestion!