
Snap: large differences between published and self-built version

Open george-hopkins opened this issue 1 year ago • 1 comment

In light of CVE-2024-3094, I took a closer look at the distributed Snap (v.1.12.3/revision 31). I do not want to spread any unfounded accusations or leap to any conclusions. However, there are some large differences if the Snap is built from source (d20de4da0af5195c34ff05d7906e6bb238d854a7):

[Image: diff of resources/app.asar (left: expected/source, right: distributed)]

[Image: diff of package.json (left: expected/source, right: distributed)]

The build process is fragile and I do not expect it to be reproducible bit-for-bit. Are there any plans to reduce the number of differences, or to automate the publishing process?

george-hopkins avatar Apr 03 '24 09:04 george-hopkins
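One way to quantify the kind of divergence described in the post above is to unpack both artifacts and compare them file by file. The script below is an added example for this thread, not code from the Bruno project or from either commenter. It assumes you have already unpacked the two Snaps (for example with `unsquashfs`) and extracted each `app.asar` (for example with `npx @electron/asar extract`) into two directory trees; the trees used here are constructed inline in a temporary directory so the script runs offline, and the file names and contents in them are made up for illustration.

```python
"""Compare two unpacked build trees (e.g. a self-built vs. a distributed
Snap after unsquashfs + asar extract) and report files that were added,
removed or changed, keyed by SHA-256 of their contents.

Added example for this issue thread; not Bruno project code. The sample
trees are constructed below so the script runs offline; point
compare_trees() at real extracted trees to use it for a release check.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict[str, str]:
    """Map each regular file's path (relative to root, POSIX form) to its SHA-256 hex digest."""
    digests: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        # Skip directories and symlinks; a symlink swapped for a file would
        # still show up as 'changed' or 'added' via the regular-file side.
        if path.is_file() and not path.is_symlink():
            h = hashlib.sha256()
            with path.open("rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare_trees(expected: Path, distributed: Path) -> dict[str, list[str]]:
    """Return {'added', 'removed', 'changed'} lists, each relative to `expected`.

    'added' = present only in the distributed tree, 'removed' = present only
    in the expected (source-built) tree, 'changed' = same path, different hash.
    """
    exp = hash_tree(expected)
    dist = hash_tree(distributed)
    return {
        "added": sorted(set(dist) - set(exp)),
        "removed": sorted(set(exp) - set(dist)),
        "changed": sorted(p for p in exp.keys() & dist.keys() if exp[p] != dist[p]),
    }


def build_sample_trees(base: Path) -> tuple[Path, Path]:
    """Constructed sample data: a 'source' build and a 'distributed' build that drifts from it."""
    exp = base / "expected"
    dist = base / "distributed"
    common = {
        "package.json": '{"name": "bruno", "version": "1.12.3"}\n',
        "resources/app/index.js": "console.log('hello');\n",
        "resources/app/lib/util.js": "module.exports = {};\n",
    }
    for rel, content in common.items():
        for root in (exp, dist):
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(content)
    # Simulated drift in the distributed tree: one extra file, one modified, one missing.
    (dist / "resources/app/lib/extra.js").write_text("// file not present in the source build\n")
    (dist / "package.json").write_text('{"name": "bruno", "version": "1.12.3", "extra": true}\n')
    (dist / "resources/app/lib/util.js").unlink()
    return exp, dist


def demo() -> dict[str, list[str]]:
    """Run the comparison over the constructed sample trees and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        exp, dist = build_sample_trees(Path(tmp))
        return compare_trees(exp, dist)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind} ({len(paths)}):")
        for p in paths:
            print("  ", p)
```

For a real check, run `compare_trees(Path("expected/"), Path("distributed/"))` after unpacking both artifacts; a non-empty `added` list is the most interesting output, since files absent from the source tree cannot be explained by build non-determinism alone and have to be accounted for (for instance by a separately published component, as the reply below states).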

Hey @george-hopkins, the build published by Anoop on the Snap Store, GitHub Releases etc. includes the proprietary code for the "Golden Edition". That's why there are more files/file changes in the final build. Because the code is not open source, it is very unlikely to get any reproducible builds.

Its-treason avatar Apr 03 '24 10:04 Its-treason