Exploits of the Snapcraft Ninja
Dani Llewellyn (diddledani) she/her
08/11/2022 Dani Llewellyn 2
My Background
● Linux user since ~1997-8
● Web, Desktop, and Server dev/admin experience
● Windows, macOS, and Linux
● Single System Image Beowulf-style clustering ~2001-5 (OpenMosix)
● Ran Gentoo for a decade learning a LOT
● Learned high-availability techniques via tools like CoroSync and Pacemaker
● Have since forgotten it all 😛
● Used Docker and containerisation since Docker first appeared
● Primary contributions to Snaps/Snapcraft, WSL2, and Ubuntu Mate
● Featured multiple times on the Ubuntu.com Blog
● Ubuntu Member February 2018
● Ubuntu Membership Board September 2018-present
● Microsoft MVP primarily for WSL-related community work
Snap Packages
● Avidly followed Ubuntu Touch efforts
● Loved the advocacy streams by Alan Pope et al
● Excited by the Click Packaging system
● Backed the Ubuntu Edge campaign on Indiegogo
● Snaps arose like a phoenix from the ashes of UT
● Just as exciting as Click Packages, and for more than just phones
● Cue my jumping in to start experimenting...
First steps with Snap Packaging
● Started out simple with a package for HexChat IRC Client
● Handed-off to upstream developers
● Began learning how desktop stack fits together
● Spread my wings further to look at other desktop apps
● My understanding of the desktop stack continually improving…
● Packaged several games, including
  ● OpenRA (Open-source Command & Conquer engine reimplementation)
  ● OpenTTD (Open-source Transport Tycoon Deluxe engine reimplementation)
  ● SuperTuxKart (Similar to Super Mario Kart)
  ● Micropolis (Open-source release of Sim City by the copyright holder for the One Laptop per Child project)
  ● And others...
Fully committed?
Yup, fully committed!
● After cutting my teeth on more simple desktop apps I wanted more of a challenge
● So I bit off a huge chunk with the GNU Image Manipulation Program
● This app is a monster package!
● Many dependencies that need to mesh just right
● At the time, and for the stable branch still, GTK2-based
● GTK2 was already legacy and no examples existed within the Snap community
● Yup, I learnt a LOT more about the desktop stack here, too
● Still principal maintainer via the Snapcrafters project
How many Snaps?
● Lots! 125 repositories related to Snapcrafting – not all of these are packages but most are.
Snapstats
● I’ve been running snapstats.org for some time now cataloguing the Snap Store
● Unfortunately the scraping is now unpredictable – The Store is returning inconsistent numbers on repeated runs
● The site was an attempt at maintaining a third-party list of available Snap Packages in the Store along with some basic statistics like number of packages over time and how many packages per architecture over time
Screenshots – The graphs went wonky in February 2022 🤦‍♀️
Snapcraft Summits
● My GNU Image Manipulation Program snap, along with my other snaps and wider activities in the ecosystem, brought attention from the Snap Advocacy team (Alan Pope and Martin Wimpress)
● They invited me to the Snapcraft Summit in Seattle in February 2018
● The summits are organised hackathons where Canonical engineers work with developers from other organisations and open source projects to get their respective apps working inside Snap Packages
● Previous wins include the launch of Spotify as a Snap Package during a summit
● I mentioned I was working on a package for PowerShell Core so they organised for Travis Plunk from Microsoft to join us where we worked in partnership to bring a first-party snap of PowerShell Core to the store
● I contributed fixes to PowerShell Core to ensure that features of PowerShell that assumed a non-immutable filesystem were functional
  ● One such example being the telemetry opt-out mechanism that relied on a file being created alongside the pwsh executable, which isn’t possible in a Snap Package due to the immutable filesystem
So I’m a trusted expert now?
● Canonical employees regularly request my expertise
● Several blog posts featuring my insights on Ubuntu.com
● Star Developer on the Snap Store
● Core member of the Snapcrafters project
● Well known and trusted within the community
What else have I contributed?
Background: About Snapcraft Extensions
● In the past there were “cloud parts”
  ● Magic “parts” that you could declare your dependence upon
  ● When depending on a “cloud part” in your snapcraft.yaml the cloud part would be pulled and built first
  ● Authorable by anybody
  ● Not scalable due to implementation
● Now there are Snapcraft Extensions
  ● Similar to cloud parts in that they are natively supported by Snapcraft
  ● Shipped as part of Snapcraft so requires a PR and approval and may be rejected
  ● Scalability not really proven yet
  ● So far only desktop-related and flutter extensions exist
Why I want to replace Snapcraft Extensions
● Snapcraft Extensions “just work”, so why invent something new?
● They ship within Snapcraft itself
  ● Lead time till available is too long
  ● PR approval is arbitrary and may not be granted
  ● Must sign the Canonical Contributor License Agreement
My idea and implementation
● At their heart, Snapcraft Extensions merely augment the snapcraft.yaml before using it to build your Snap Package
● Let’s do the augmentation instead of Snapcraft
● Enter sc-jsonnet: https://snapcraft.io/sc-jsonnet
● Write your snapcraft.yaml in jsonnet instead of YAML
● Use sc-jsonnet’s import capability to import remote jsonnet libraries
● When you have a snapcraft.jsonnet file, generate the snapcraft.yaml before building with Snapcraft:
    $ sc-jsonnet -o snap/snapcraft.yaml
    $ snapcraft
Example snapcraft.jsonnet
local snapcraft = import 'snapcraft.libsonnet';
snapcraft {
  name: "my-jsonnet-snap-name",
  version: "0.1",
  summary: "Single-line elevator pitch for your amazing snap",
  description: "This is my-snap's description. You have a paragraph or two to tell the most important story about your snap. Keep it under 100 words though, we live in tweetspace and your description wants to look good in the snap store.",
  grade: "devel",
  confinement: "devmode",
  parts: {
    "my-part": {
      plugin: "nil",
    },
  },
}
Adding a third-party extension to snapcraft.jsonnet
local snapcraft = import 'snapcraft.libsonnet';
# import my ALSA extension
local alsa = import 'https://raw.githubusercontent.com/diddlesnaps/snapcraft-alsa/master/alsa.libsonnet';
snapcraft {
  # removed for brevity – it’s identical to the example
  # on the previous slide
} + alsa() # this is all you need to add beyond the import above
Even better, extensions can take arguments
local snapcraft = import 'snapcraft.libsonnet';
# import my ALSA extension
local alsa = import 'https://raw.githubusercontent.com/diddlesnaps/snapcraft-alsa/master/alsa.libsonnet';
snapcraft {
  # removed for brevity – it’s identical to the example
  # on the previous slide
} + alsa("1.1.9")
# this builds ALSA version 1.1.9 from source instead of using the version
# from the Ubuntu package archive (via APT)
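An added example, not from the original slides and not part of sc-jsonnet: the import on the slides above points at the master branch, so the content behind that URL can change between builds. This Python check lists the imports in a snapcraft.jsonnet and flags remote ones that are not pinned to a full commit id; the function names, verdict labels, sample file and its 40-hex commit id are constructed for illustration.

```python
"""Pre-build check for remote imports in a snapcraft.jsonnet (added example)."""
import re
import sys
from urllib.parse import urlparse

# import / importstr / importbin followed by a quoted target
IMPORT_RE = re.compile(r"""\bimport(?:str|bin)?\s*(['"])(?P<target>.*?)\1""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

# Constructed sample modelled on the slides; the commit id is a placeholder.
SAMPLE = """\
local snapcraft = import 'snapcraft.libsonnet';
# local old = import 'https://example.invalid/old.libsonnet';
local alsa = import 'https://raw.githubusercontent.com/diddlesnaps/snapcraft-alsa/master/alsa.libsonnet';
local pinned = import 'https://raw.githubusercontent.com/diddlesnaps/snapcraft-alsa/0123456789abcdef0123456789abcdef01234567/alsa.libsonnet';
snapcraft {
  name: "my-jsonnet-snap-name",
} + alsa()
"""


def strip_comments(src: str) -> str:
    """Drop #, // and /* */ comments but leave quoted strings untouched.

    A URL contains '//', so comments cannot be removed with a plain regex.
    Text blocks (|||) are not handled; they are treated as ordinary code.
    """
    out, i, n = [], 0, len(src)
    while i < n:
        ch = src[i]
        if ch in "'\"":                              # copy a string verbatim
            j = i + 1
            while j < n and src[j] != ch:
                j += 2 if src[j] == "\\" else 1
            out.append(src[i:j + 1])
            i = j + 1
        elif ch == "#" or src.startswith("//", i):   # line comment
            j = src.find("\n", i)
            i = n if j == -1 else j
        elif src.startswith("/*", i):                # block comment
            j = src.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def classify(target: str) -> str:
    """Return a verdict label for one import target."""
    url = urlparse(target)
    if url.scheme not in ("http", "https"):
        return "local"
    if url.scheme == "http":
        return "insecure-transport"
    if url.hostname == "raw.githubusercontent.com":
        parts = url.path.strip("/").split("/")       # owner/repo/ref/path...
        if len(parts) >= 4 and FULL_SHA_RE.fullmatch(parts[2]):
            return "pinned-commit"
        return "mutable-ref"                         # branch or tag name
    return "unverified-host"                         # cannot tell if immutable


def audit(src: str) -> list[tuple[str, str]]:
    """List (target, verdict) for every import outside comments."""
    code = strip_comments(src)
    return [(m.group("target"), classify(m.group("target")))
            for m in IMPORT_RE.finditer(code)]


def unpinned(src: str) -> list[tuple[str, str]]:
    """Imports that should block the build until reviewed or pinned."""
    return [(t, v) for t, v in audit(src)
            if v not in ("local", "pinned-commit")]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    for target, verdict in audit(text):
        print(f"{verdict:18} {target}")
    sys.exit(1 if unpinned(text) else 0)
```

Run it with the path to snapcraft.jsonnet before sc-jsonnet; it exits non-zero when a remote import is not pinned to a commit.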
Documentation and available extensions
● Documentation for sc-jsonnet is available at https://sc-jsonnet.readthedocs.io/en/latest/
● I’ve written two libraries of extensions:
  ● Snapcraft ALSA – A single extension to pipe ALSA output through PulseAudio for a less privileged Snap Package: https://snapcraft-alsa.readthedocs.io/en/latest/
  ● Snapcraft Utils Library – several extensions that perform common tasks usually handled via Copy+Paste: https://snapcraft-utils-library.readthedocs.io/en/latest/
Any more?
Snapcraft CI/CD pipelines
● Don’t want to use the Snapcraft Build Service on snapcraft.io?
● I’ve developed a build pipeline for both GitHub Actions and GitLab CI
● Uses my own OCI container image that can be used in any CI system that allows privileged mode execution of containers
  ● i.e. launched via Docker CLI’s --privileged flag
● See my other talk “Automated Snap Package build processes without the Build Service” for full details
Wrapping up… but first...
Snapcraft skills for sale
● I provide contracting services to anyone creating Snap Packages of their apps
● Multiple organisations have now benefited from my expertise
● Contact me via https://snapcraft.ninja/ to introduce your project
Acknowledgements
● Martin Wimpress (@m_wimpress), Alan Pope (@popey), both alumni, and Igor (of the Snap Advocacy team)
  ● For recognising my capability and enthusiasm for the Snap Packaging world
  ● For inviting me to Snapcraft Summits to share my knowledge and expertise
  ● For encouraging me to get deeper into the Ubuntu Community, such as applying for Ubuntu Membership
● Ubuntu Desktop Team, Snapcraft Team, and Snapd Team all at Canonical
  ● For being receptive to my contributions and constantly encouraging my continued involvement
● Sarah Dickinson (@dickinsonsarah7) formerly head of Canonical PR
  ● For featuring my thoughts about Snaps and other Canonical projects in multiple blog posts on Ubuntu.com
● Heather Ellsworth (Ubuntu Desktop team; @linux_flower) and Monica Madon (former Ubuntu Community Representative; @communiteatime)
  ● For being excellent friends and providing constant encouragement and moral support, especially while I'm trying to find work that is suitable for my talents
Where to find me
● https://snapcraft.ninja/
● Ubuntu Discourse (diddledani)
● Snapcraft Forum (diddledani)
● https://github.com/diddlesnaps
● https://github.com/diddledani
● https://github.com/UbuntuAccomplishments
● Twitter (@diddledani)
● Mastodon (@diddledani@mastodon.lol)
● Also: I’m currently looking for (more permanent) work 😉

More Related Content

Similar to Exploits of the Snapcraft Ninja

Docker primer and tips
Docker primer and tipsDocker primer and tips
Docker primer and tipsSamuel Chow
 
OSCONF Jaipur - A Hitchhiker's Tour to Containerizing a Java application
OSCONF Jaipur - A Hitchhiker's Tour to Containerizing a Java applicationOSCONF Jaipur - A Hitchhiker's Tour to Containerizing a Java application
OSCONF Jaipur - A Hitchhiker's Tour to Containerizing a Java applicationNicolas Fränkel
 
Keeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository worldKeeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository worldRoberto Pérez Alcolea
 
ContainerDays NYC 2015: "Easing Your Way Into Docker: Lessons From a Journey ...
ContainerDays NYC 2015: "Easing Your Way Into Docker: Lessons From a Journey ...ContainerDays NYC 2015: "Easing Your Way Into Docker: Lessons From a Journey ...
ContainerDays NYC 2015: "Easing Your Way Into Docker: Lessons From a Journey ...DynamicInfraDays
 
Snap - the universal packaging format for linux distros
Snap - the universal packaging format for linux distrosSnap - the universal packaging format for linux distros
Snap - the universal packaging format for linux distrosAnthony Wong
 
Angular based enterprise level frontend architecture
Angular based enterprise level frontend architectureAngular based enterprise level frontend architecture
Angular based enterprise level frontend architectureHimanshu Tamrakar
 
Getting started within the Ubuntu Community
Getting started within the Ubuntu CommunityGetting started within the Ubuntu Community
Getting started within the Ubuntu CommunityDani Llewellyn
 
CodiLime Tech Talk - Dawid Trzebiatowski i Wojciech Urbański: Opening the Flo...
CodiLime Tech Talk - Dawid Trzebiatowski i Wojciech Urbański: Opening the Flo...CodiLime Tech Talk - Dawid Trzebiatowski i Wojciech Urbański: Opening the Flo...
CodiLime Tech Talk - Dawid Trzebiatowski i Wojciech Urbański: Opening the Flo...CodiLime
 
Exploring Next Generation Buildpacks - Anand Rao & Scott Deeg
Exploring Next Generation Buildpacks - Anand Rao & Scott DeegExploring Next Generation Buildpacks - Anand Rao & Scott Deeg
Exploring Next Generation Buildpacks - Anand Rao & Scott DeegVMware Tanzu
 
Buildpacks: the other way to build container images
Buildpacks: the other way to build container imagesBuildpacks: the other way to build container images
Buildpacks: the other way to build container imagesAnthony Dahanne
 
Making your app soar without a container manifest
Making your app soar without a container manifestMaking your app soar without a container manifest
Making your app soar without a container manifestLibbySchulze
 
Choosing Drupal as your Content Management Framework
Choosing Drupal as your Content Management FrameworkChoosing Drupal as your Content Management Framework
Choosing Drupal as your Content Management FrameworkMediacurrent
 
VASCAN - Docker and Security
VASCAN - Docker and SecurityVASCAN - Docker and Security
VASCAN - Docker and SecurityMichael Irwin
 
Using Kubernetes to Provide Services
Using Kubernetes to Provide ServicesUsing Kubernetes to Provide Services
Using Kubernetes to Provide ServicesGLC Networks
 
Java and Container - Make it Awesome !
Java and Container - Make it Awesome !Java and Container - Make it Awesome !
Java and Container - Make it Awesome !Dinakar Guniguntala
 
Montreal OpenStack Q3-2017 MeetUp
Montreal OpenStack Q3-2017 MeetUpMontreal OpenStack Q3-2017 MeetUp
Montreal OpenStack Q3-2017 MeetUpStacy Véronneau
 

Similar to Exploits of the Snapcraft Ninja (20)

Docker primer and tips
Docker primer and tipsDocker primer and tips
Docker primer and tips
 
devops@cineca
devops@cinecadevops@cineca
devops@cineca
 
OSCONF Jaipur - A Hitchhiker's Tour to Containerizing a Java application
OSCONF Jaipur - A Hitchhiker's Tour to Containerizing a Java applicationOSCONF Jaipur - A Hitchhiker's Tour to Containerizing a Java application
OSCONF Jaipur - A Hitchhiker's Tour to Containerizing a Java application
 
Keeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository worldKeeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository world
 
ContainerDays NYC 2015: "Easing Your Way Into Docker: Lessons From a Journey ...
ContainerDays NYC 2015: "Easing Your Way Into Docker: Lessons From a Journey ...ContainerDays NYC 2015: "Easing Your Way Into Docker: Lessons From a Journey ...
ContainerDays NYC 2015: "Easing Your Way Into Docker: Lessons From a Journey ...
 
Container Days
Container DaysContainer Days
Container Days
 
Snap - the universal packaging format for linux distros
Snap - the universal packaging format for linux distrosSnap - the universal packaging format for linux distros
Snap - the universal packaging format for linux distros
 
Angular based enterprise level frontend architecture
Angular based enterprise level frontend architectureAngular based enterprise level frontend architecture
Angular based enterprise level frontend architecture
 
Docker workshop
Docker workshopDocker workshop
Docker workshop
 
Getting started within the Ubuntu Community
Getting started within the Ubuntu CommunityGetting started within the Ubuntu Community
Getting started within the Ubuntu Community
 
CodiLime Tech Talk - Dawid Trzebiatowski i Wojciech Urbański: Opening the Flo...
CodiLime Tech Talk - Dawid Trzebiatowski i Wojciech Urbański: Opening the Flo...CodiLime Tech Talk - Dawid Trzebiatowski i Wojciech Urbański: Opening the Flo...
CodiLime Tech Talk - Dawid Trzebiatowski i Wojciech Urbański: Opening the Flo...
 
Drupal 7: More than a simple CMS
Drupal 7: More than a simple CMSDrupal 7: More than a simple CMS
Drupal 7: More than a simple CMS
 
Exploring Next Generation Buildpacks - Anand Rao & Scott Deeg
Exploring Next Generation Buildpacks - Anand Rao & Scott DeegExploring Next Generation Buildpacks - Anand Rao & Scott Deeg
Exploring Next Generation Buildpacks - Anand Rao & Scott Deeg
 
Buildpacks: the other way to build container images
Buildpacks: the other way to build container imagesBuildpacks: the other way to build container images
Buildpacks: the other way to build container images
 
Making your app soar without a container manifest
Making your app soar without a container manifestMaking your app soar without a container manifest
Making your app soar without a container manifest
 
Choosing Drupal as your Content Management Framework
Choosing Drupal as your Content Management FrameworkChoosing Drupal as your Content Management Framework
Choosing Drupal as your Content Management Framework
 
VASCAN - Docker and Security
VASCAN - Docker and SecurityVASCAN - Docker and Security
VASCAN - Docker and Security
 
Using Kubernetes to Provide Services
Using Kubernetes to Provide ServicesUsing Kubernetes to Provide Services
Using Kubernetes to Provide Services
 
Java and Container - Make it Awesome !
Java and Container - Make it Awesome !Java and Container - Make it Awesome !
Java and Container - Make it Awesome !
 
Montreal OpenStack Q3-2017 MeetUp
Montreal OpenStack Q3-2017 MeetUpMontreal OpenStack Q3-2017 MeetUp
Montreal OpenStack Q3-2017 MeetUp
 

Recently uploaded

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Visualising and forecasting stocks using Dash
Visualising and forecasting stocks using DashVisualising and forecasting stocks using Dash
Visualising and forecasting stocks using Dashnarutouzumaki53779
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Fact vs. Fiction: Autodetecting Hallucinations in LLMs
Fact vs. Fiction: Autodetecting Hallucinations in LLMsFact vs. Fiction: Autodetecting Hallucinations in LLMs
Fact vs. Fiction: Autodetecting Hallucinations in LLMsZilliz
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Visualising and forecasting stocks using Dash
Visualising and forecasting stocks using DashVisualising and forecasting stocks using Dash
Visualising and forecasting stocks using Dash
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Fact vs. Fiction: Autodetecting Hallucinations in LLMs
Fact vs. Fiction: Autodetecting Hallucinations in LLMsFact vs. Fiction: Autodetecting Hallucinations in LLMs
Fact vs. Fiction: Autodetecting Hallucinations in LLMs
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

Exploits of the Snapcraft Ninja

  • 1. Exploits of the Snapcraft Ninja Dani Llewellyn (diddledani) she/her
  • 2. 08/11/2022 Dani Llewellyn 2 My Background ● Linux user since ~1997-8 ● Web, Desktop, and Server dev/admin experience ● Windows, macOS, and Linux ● Single System Image Beowulf-style clustering ~2001-5 (OpenMosix) ● Ran Gentoo for a decade learning a LOT ● Learned high-availability techniques via tools like CoroSync and Pacemaker ● Have since forgotten it all 😛 ● Used Docker and containerisation since Docker first appeared ● Primary contributions to Snaps/Snapcraft, WSL2, and Ubuntu Mate ● Featured multiple times on the Ubuntu.com Blog ● Ubuntu Member February 2018 ● Ubuntu Membership Board September 2018-present ● Microsoft MVP primarily for WSL-related community work
  • 3. 08/11/2022 Dani Llewellyn 3 Snap Packages ● Avidly followed Ubuntu Touch efforts ● Loved the advocacy streams by Alan Pope et al ● Excited by the Click Packaging system ● Backed the Ubuntu Edge campaign on Indiegogo ● Snaps arose like a phoenix from the ashes of UT ● Just as exciting as Click Packages, and for more than just phones ● Cue my jumping in to start experimenting...
  • 4. 08/11/2022 Dani Llewellyn 4 First steps with Snap Packaging ● Started out simple with a package for HexChat IRC Client ● Handed-off to upstream developers ● Began learning how desktop stack fits together ● Spread my wings further to look at other desktop apps ● My understanding of the desktop stack continually improving… ● Packaged several games, including ● OpenRA (Open-source Command & Conquer engine reimplementation) ● OpenTTD (Open-source Transport Tycoon Deluxe engine reimplementation) ● SuperTuxKart (Similar to Super Mario Kart) ● Micropolis (Open-source release of Sim City by the copyright holder for the One Laptop per Child project) ● And others...
  • 5. 08/11/2022 Dani Llewellyn 5 Fully committed?
  • 6. 08/11/2022 Dani Llewellyn 6 Yup, fully committed! ● After cutting my teeth on more simple desktop apps I wanted more of a challenge ● So I bit off a huge chunk with the GNU Image Manipulation Program ● This app is a monster package! ● Many dependencies that need to mesh just right ● At the time, and for the stable branch still, GTK2-based ● GTK2 was already legacy and no examples existed within the Snap community ● Yup, I learnt a LOT more about the desktop stack here, too ● Still principle maintainer via the Snapcrafters project
  • 7. 08/11/2022 Dani Llewellyn 7 How many Snaps? ● Lots! 125 repositories related to Snapcrafting – not all of these are package but more are.
  • 8. 08/11/2022 Dani Llewellyn 8 Snapstats ● I’ve been running snapstats.org for some time now cataloguing the Snap Store ● Unfortunately the scraping is now unpredictable – The Store is returning inconsistent numbers on repeated runs ● The site was an attempt at maintaining a third-party list of available Snap Packages in the Store along with some basic statistics like number of packages over time and which how many packages per architecture over time
  • 9. 08/11/2022 Dani Llewellyn 9 Screenshots – The graphs went wonky in February 2022 🤦‍♀️
  • 10. 08/11/2022 Dani Llewellyn 10 Snapcraft Summits ● My GNU Image Manipulation Program snap, along with my other snaps and wider activities in the ecosystem, brought attention from the Snap Advocacy team (Alan Pope and Martin Wimpress) ● They invited me to the Snapcraft Summit in Seattle in February 2018 ● The summits are organised hackathons where Canonical engineers work with developers from other organisations and open source projects to get their respective apps working inside Snap Packages ● Previous wins include the launch of Spotify as a Snap Package during a summit ● I mentioned I was working on a package for PowerShell Core so they organised for Travis Plunk from Microsoft to join us where we worked in partnership to bring a first-party snap of PowerShell Core to the store ● I contributed fixes to PowerShell Core to ensure that features of PowerShell that assumed non- immutable filesystem were functional ● One such example being the telemetry opt-out mechanism that relied on a file being created alongside the pwsh executable, which isn’t possible in a Snap Package due to the immutable filesystem
  • 11. So I’m a trusted expert now? ● Canonical employees regularly request my expertise ● Several blog posts featuring my insights on Ubuntu.com ● Star Developer on the Snap Store ● Core member of the Snapcrafters project ● Well known and trusted within the community
  • 12. What else have I contributed?
  • 13. Background: About Snapcraft Extensions ● In the past there were “cloud parts” ● Magic “parts” that you could declare your dependence upon ● When depending on a “cloud part” in your snapcraft.yaml the cloud part would be pulled and built first ● Authorable by anybody ● Not scalable due to implementation ● Now there are Snapcraft Extensions ● Similar to cloud parts in that they are natively supported by Snapcraft ● Shipped as part of Snapcraft so requires a PR and approval and may be rejected ● Scalability not really proven yet ● So far only desktop-related and flutter extensions exist
  • 14. Why I want to replace Snapcraft Extensions ● Snapcraft Extensions “just work”, so why invent something new? ● They ship within Snapcraft itself ● Lead time till available is too long ● PR approval is arbitrary and may not be granted ● Must sign the Canonical Contributor License Agreement
  • 15. My idea and implementation ● At their heart, Snapcraft Extensions merely augment the snapcraft.yaml before using it to build your Snap Package ● Let’s do the augmentation instead of Snapcraft ● Enter sc-jsonnet: https://snapcraft.io/sc-jsonnet ● Write your snapcraft.yaml in jsonnet instead of YAML ● Use sc-jsonnet’s import capability to import remote jsonnet libraries ● When you have a snapcraft.jsonnet file, generate the snapcraft.yaml before building with Snapcraft:
      $ sc-jsonnet -o snap/snapcraft.yaml
      $ snapcraft
  • 16. Example snapcraft.jsonnet
      local snapcraft = import 'snapcraft.libsonnet';

      snapcraft {
        name: "my-jsonnet-snap-name",
        version: "0.1",
        summary: "Single-line elevator pitch for your amazing snap",
        description: "This is my-snap's description. You have a paragraph or two to tell the most important story about your snap. Keep it under 100 words though, we live in tweetspace and your description wants to look good in the snap store.",
        grade: "devel",
        confinement: "devmode",
        parts: {
          "my-part": {
            plugin: "nil",
          },
        },
      }
  • 17. Adding a third-party extension to snapcraft.jsonnet
      local snapcraft = import 'snapcraft.libsonnet';

      # import my ALSA extension
      local alsa = import 'https://raw.githubusercontent.com/diddlesnaps/snapcraft-alsa/master/alsa.libsonnet';

      snapcraft {
        # removed for brevity – it’s identical to the example
        # on the previous slide
      }
      + alsa() # this is all you need to add beyond the import above
  • 18. Even better, extensions can take arguments
      local snapcraft = import 'snapcraft.libsonnet';

      # import my ALSA extension
      local alsa = import 'https://raw.githubusercontent.com/diddlesnaps/snapcraft-alsa/master/alsa.libsonnet';

      snapcraft {
        # removed for brevity – it’s identical to the example
        # on the previous slide
      }
      + alsa("1.1.9")
      # this builds ALSA version 1.1.9 from source instead of using the version
      # from the Ubuntu package archive (via APT)
  • 19. Documentation and available extensions ● Documentation for sc-jsonnet is available at https://sc-jsonnet.readthedocs.io/en/latest/ ● I’ve written two libraries of extensions: ● Snapcraft ALSA – A single extension to pipe ALSA output through PulseAudio for a less privileged Snap Package: https://snapcraft-alsa.readthedocs.io/en/latest/ ● Snapcraft Utils Library – several extensions that perform common tasks usually handled via Copy+Paste: https://snapcraft-utils-library.readthedocs.io/en/latest/
  • 21. Snapcraft CI/CD pipelines ● Don’t want to use the Snapcraft Build Service on snapcraft.io? ● I’ve developed a build pipeline for both GitHub Actions and GitLab CI ● Uses my own OCI container image that can be used in any CI system that allows privileged mode execution of containers ● i.e. launched via Docker CLI’s --privileged flag ● See my other talk “Automated Snap Package build processes without the Build Service” for full details
  • 22. Wrapping up… but first...
  • 23. Snapcraft skills for sale ● I provide contracting services to anyone creating Snap Packages of their apps ● Multiple organisations have now benefited from my expertise ● Contact me via https://snapcraft.ninja/ to introduce your project
  • 24. Acknowledgements ● Martin Wimpress (@m_wimpress), Alan Pope (@popey), both alumni, and Igor (of the Snap Advocacy team) ● For recognising my capability and enthusiasm for the Snap Packaging world ● For inviting me to Snapcraft Summits to share my knowledge and expertise ● For encouraging me to get deeper into the Ubuntu Community, such as applying for Ubuntu Membership ● Ubuntu Desktop Team, Snapcraft Team, and Snapd Team all at Canonical ● For being receptive to my contributions and constantly encouraging my continued involvement ● Sarah Dickinson (@dickinsonsarah7) formerly head of Canonical PR ● For featuring my thoughts about Snaps and other Canonical projects in multiple blog posts on Ubuntu.com ● Heather Ellsworth (Ubuntu Desktop team; @linux_flower) and Monica Madon (former Ubuntu Community Representative; @communiteatime) ● For being excellent friends and providing constant encouragement and moral support, especially while I'm trying to find work that is suitable for my talents
  • 25. Where to find me ● https://snapcraft.ninja/ ● Ubuntu Discourse (diddledani) ● Snapcraft Forum (diddledani) ● https://github.com/diddlesnaps ● https://github.com/diddledani ● https://github.com/UbuntuAccomplishments ● Twitter (@diddledani) ● Mastodon (@diddledani@mastodon.lol) ● Also: I’m currently looking for (more permanent) work 😉
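
An added example, not from the talk or from sc-jsonnet: the remote import on slides 17 and 18 points at the `master` branch, so the library that is fetched can change between builds without snapcraft.jsonnet changing. This Python check lists every import target in a jsonnet file and flags remote ones that are not pinned to a commit; the sample input, the `example-org` and `example.invalid` URLs, the verdict names and the assumed raw.githubusercontent.com path layout are all constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the slide-17 import plus hypothetical variants.
SAMPLE = """\
local snapcraft = import 'snapcraft.libsonnet';
# import my ALSA extension
local alsa = import 'https://raw.githubusercontent.com/diddlesnaps/snapcraft-alsa/master/alsa.libsonnet';
local pinned = import 'https://raw.githubusercontent.com/example-org/example-ext/0123456789abcdef0123456789abcdef01234567/ext.libsonnet';
local plain = import "http://example.invalid/lib.libsonnet";
"""

IMPORT_RE = re.compile(r"""\bimport\s+(['"])([^'"]+)\1""")
COMMIT_RE = re.compile(r"[0-9a-f]{40}")  # full git commit SHA-1


def classify(target):
    """Classify one import target by how stable its content is."""
    url = urlparse(target)
    if not url.scheme:
        return "local"  # file shipped alongside snapcraft.jsonnet
    if url.scheme != "https":
        return "insecure-transport"
    if url.hostname == "raw.githubusercontent.com":
        # Assumed path layout: /<owner>/<repo>/<ref>/<file...>
        parts = url.path.strip("/").split("/")
        if len(parts) >= 4 and COMMIT_RE.fullmatch(parts[2]):
            return "pinned-commit"
        return "mutable-ref"  # branch or tag name: content can move
    return "unverified-remote"


def audit_imports(source):
    """Return (line_no, target, verdict) for each import statement."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        # Whole-line comments are skipped; /* */ blocks are not handled.
        if line.lstrip().startswith(("#", "//")):
            continue
        for match in IMPORT_RE.finditer(line):
            findings.append((line_no, match.group(2), classify(match.group(2))))
    return findings


def needs_review(source):
    """Targets whose content can change without the jsonnet file changing."""
    return [t for _, t, v in audit_imports(source) if v not in ("local", "pinned-commit")]


if __name__ == "__main__":
    for line_no, target, verdict in audit_imports(SAMPLE):
        print(f"{line_no}: {verdict:18} {target}")
```

Running `needs_review` over snapcraft.jsonnet in CI before `sc-jsonnet -o snap/snapcraft.yaml` gives a reviewer the list of imports to pin or vendor.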