Hacker News
by hsivonen 2963 days ago
How does one figure out who a given snapcraft packager is? E.g. Sublime Text says it's packaged by Snapcrafters. Who is that?

Presumably it's https://github.com/snapcrafters , but what links the Snap Store identity to that GitHub org?

Where does snapcraft.yaml get executed? On my computer? On Canonical's infra? On the packager's computer?

The build service at build.snapcraft.io is what builds it. Anyone can hook up their GitHub repo (containing a snapcraft.yaml) to build and have it automatically rebuild the snap when changes occur in the git repo. It then pushes the snap to the 'edge' channel in the store. The developer validates that build and then pushes to stable for all users.
Thank you.

As a user, how (other than asking here) was I supposed to convince myself of the identity binding between “snapcrafters” and the GitHub org and to convince myself that trust in the correspondence between snapcraft.yaml and what I get when I install a snap is rooted in Canonical’s build service and not in trusting an individual uploader not injecting different binaries?

And what is to stop someone from pushing malicious code to GitHub and you guys distributing malicious packages to end-users via your 'stable' channel?

And who's liable here?
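One check a user or reviewer can run on the repository behind a snap, added here as an example and not part of the thread: given the `parts:` section of a snapcraft.yaml (already loaded with a YAML parser; the dict below is a constructed stand-in for that), flag every part whose inputs the build service fetches from outside the repo without a commit pin or checksum, because for those parts the repo contents alone do not determine the binary that ends up in the channel. The snapcraft keys used (`source`, `source-type`, `source-commit`, `source-tag`, `source-branch`, `source-checksum`, `plugin`) are real; the part names, URLs and function names are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample: the dict form of a hypothetical snapcraft.yaml "parts:" section,
# as yaml.safe_load() would return it. Not taken from any real snap.
SAMPLE_PARTS = {
    "launcher": {"plugin": "dump", "source": "snap/local"},          # lives in the repo
    "libfoo": {                                                        # git, pinned to a commit
        "plugin": "autotools",
        "source": "https://example.invalid/libfoo.git",
        "source-type": "git",
        "source-commit": "0123456789abcdef0123456789abcdef01234567",
    },
    "app": {"plugin": "dump", "source": "https://example.invalid/app_x64.tar.bz2"},
    "tool": {"plugin": "nil", "source": "https://example.invalid/tool.git",
             "source-branch": "master"},                               # branch only
}

GIT_RE = re.compile(r"^(git\+|git://)|\.git$")


def is_remote(src: str) -> bool:
    # Local paths (relative to the repo) carry no scheme; remote fetches do.
    return "://" in src


def audit_part(part: Dict) -> List[str]:
    """Return reasons why this part's build input is not fixed by the repo alone."""
    findings: List[str] = []
    src = part.get("source", "")
    if not src or not is_remote(src):
        return findings  # content is versioned in the audited repository itself
    is_git = part.get("source-type") == "git" or GIT_RE.search(src) is not None
    if is_git:
        if not (part.get("source-commit") or part.get("source-tag")):
            findings.append("git source pinned only by branch/HEAD (mutable upstream)")
        elif not part.get("source-commit"):
            findings.append("git tag can be moved upstream; prefer source-commit")
    else:
        if not part.get("source-checksum"):
            findings.append("remote archive fetched without source-checksum")
        if part.get("plugin") == "dump":
            findings.append("prebuilt payload dumped as-is, not built from source")
    return findings


def audit_parts(parts: Dict[str, Dict]) -> Dict[str, List[str]]:
    """Map each part name to its findings; parts with none are omitted."""
    return {name: f for name, p in parts.items() if (f := audit_part(p))}


if __name__ == "__main__":
    for name, reasons in audit_parts(SAMPLE_PARTS).items():
        print(f"{name}: " + "; ".join(reasons))
```

A clean report means the build service's output is determined by the repo commit it built; it says nothing about who controls that repo, which is the identity question the thread leaves open.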