Closed FrederikBolding closed 1 year ago
Could this be implemented using the blocklist? Ref: #869
Yeah, we could refactor the blocklist logic to function as an allow list as well.
The allowlist needs to be versioned just like the blocklist. We should not allow the snap to be updated by either modifying the NPM package with the same version number or updating to a new version number, without a manual review of that update from us.
Additionally, the versioning needs to verify both the checksum of the tarball and the npm version, because it might be possible to replace an npm package version in some fun ways (npm unpublish --force).
We should make sure to have the implementation of this be easily swappable for another endpoint/implementation for future proofing.
Snaps release in the main extension in v1.0.0 will be based on an allow-list of third-party audited Snaps. A technical solution needs to be implemented that allows the extension to reference that list during install time.
Outcome
snaps-registry repository that will be polled by the extension
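
The install-time check discussed in the comments above (pin both the npm version and the tarball checksum, behind a swappable registry source), as an added example that is not part of the issue thread or the project's own code. The registry shape, the SHA-256 digest, the snap id and all function names are assumptions.

```javascript
// Added example: hypothetical registry format and names, not the project's code.
const { createHash } = require("node:crypto");

// SHA-256 of the tarball bytes, base64-encoded (the digest choice is an assumption).
function checksum(tarball) {
  return createHash("sha256").update(tarball).digest("base64");
}

// Constructed sample tarballs standing in for what npm would serve.
const reviewedTarball = Buffer.from("constructed-snap-1.0.0-reviewed");
const republishedTarball = Buffer.from("constructed-snap-1.0.0-republished");

// Constructed allowlist: every reviewed version pins the checksum of the
// exact tarball that was audited.
const sampleRegistry = {
  "npm:example-snap": {
    versions: { "1.0.0": { checksum: checksum(reviewedTarball) } },
  },
};

// Own-property lookup so keys like "constructor" or "__proto__" never
// resolve to inherited values and get treated as listed entries.
function own(obj, key) {
  return Object.hasOwn(obj, key) ? obj[key] : undefined;
}

// Decide whether an install may proceed. The version AND the bytes must both
// match a reviewed entry; either one alone is not enough.
function verifySnap(registry, snapId, version, tarball) {
  const entry = own(registry, snapId);
  if (!entry) return { allowed: false, reason: "snap-not-listed" };
  const pinned = own(entry.versions, version);
  // A new version number without a review entry is rejected.
  if (!pinned) return { allowed: false, reason: "version-not-reviewed" };
  // Same version number with different bytes (e.g. a republished package).
  if (checksum(tarball) !== pinned.checksum)
    return { allowed: false, reason: "checksum-mismatch" };
  return { allowed: true, reason: "ok" };
}

// The registry loader is injected, so the backing endpoint or implementation
// can be swapped without touching the verification logic.
function makeInstallGate(loadRegistry) {
  return (snapId, version, tarball) =>
    verifySnap(loadRegistry(), snapId, version, tarball);
}
```
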