Hello people. Thank you for coming. I'm Zygmunt. This is Neil. Hello. I'm gonna talk about Fedora and snaps, obviously. So we're both of us gonna talk. We haven't rehearsed, so this is not gonna work very well. So I'm just gonna let Neil talk until I interrupt him. Okay, go ahead.

So, wow. So, my name is Neil, that is England over there. Many of you know me because I've been involved in the Fedora community for almost, a little over, a decade now. I'm a Fedora packager, a contributor. I'm also involved in Mageia, openSUSE, OpenMandriva. Occasionally you will see my name show up randomly in Debian things. Hopefully not too often, but it shows up every once in a while. I'm a contributor to RPM, DNF, Open Build Service, Koji, Zypper, the work, all the related projects in that particular space. And I guess for completeness, I professionally am a DevOps engineer at Datto Incorporated. And my Twitter, email address, if you want to email me, and gump at fedora project org. Zygmunt?

Yeah, so I'm with Canonical. I've been at various places before, but essentially here I'm representing the snapcraft project. And I'm working on snappy since 2016 and, yeah, so there's been a lot of stuff you can Google about me, but that's not that interesting, I think. That's it.

So, just because Zygmunt keeps forgetting us: he's technically, officially the cross-distro guy, and he's the guy who does all the confinement crap. And so he's, I get to bug him all the time when stuff doesn't work. It's a team effort. So, what are snaps?
So, says some of the boilerplating stuff that he uses, that he pulled from the website, from snapcraft.io, but it basically is, you know, just SquashFS file system thingies that contain all the code of your application and hopefully is minimally linked to other things, but can be connected to each other to provide something marginally useful, kind of like bundles of bundles. Hopefully it's easy to use and easy to set up and easy to make. That's the hope, anyway.

This is the technical view. Yeah, this is, you know, this is SquashFS, read-only, confined. You know, tries to be simple. But really I think the point of a snap is just to ship software. Like, raise your hand if you ship software on Linux yourself to users. Okay, not everyone's holding their hand up. If this was me talking to people in any other community, everyone would be holding their hand up, because they can just do it. So we'd like to make that possible as well.

So these are some of the popular snaps. You'll notice, you know, to some, means that not all of them are actually free and open source software, but, you know, apparently they don't discriminate. So here you go: there's stuff that's good and nice and fun, and stuff that just makes you want to cry inside.

And one thing that I think is really important to highlight is that we're trying to make people ship software not through intermediate people like distributions. We really want them to ship the software themselves. So not all of these are shipped by the upstream people, I think maybe Minecraft is not, and the rest is actually shipping directly from the people who make the software in the first place. So I think this is the thing
I wanted to highlight. This is really trying to make a funnel to users from the people making the software in the first place.

And we have, of course, you know, a big part of this is because it's about making the development and the shipping of software easy and useful. There's obviously going to be integration with various development stacks including, you know, weird IoT things like Robot OS and moose and, you know, horrible things that make you want to cry when you look at how the code is actually organized, how you build stuff, because we want to abstract away the crappy.

Yeah, so this part is coming from the build part of snaps, which is not snapd. It's a sister project at snapcraft, but essentially the idea is that people already are using the stuff that is natural for whatever their environment they're working with. Like, Python has its own stack for, you know, doing stuff. So instead of, like, coming up with another, you know, way of doing things you have to learn, we're just, like, essentially asking them to point us to the thing they're familiar and comfortable with in the first place, so the whole packaging experience is much easier. And one thing which is not clear from all of this is not another packaging format without Bible we have to read, which is the policy that makes it work. There is nothing to read. This is essentially a Wild West free-for-all because of the changing the mechanism this works. So you don't have to adhere to a policy, because, well, if you don't, nothing breaks. It's not that all of these live next to each other, have to be very nice and, you know, very gentle, or they step on each other's toes. It's much easier to package software.
That's why we actually went through the effort to integrate all of these things, because, you know, if we integrate but all these people still have to read the, you know, hundred-page manual to figure out how to package a strip of program, they're not gonna really do it and they're not gonna go through the exercise, and we wouldn't have the previous slide. So I think the point is that snaps are easier to package than normal software used to be, because we changed kind of how they run. So we don't have to have all these rules.

So this is kind of the story for my part of this, you know, how it kind of started the conversation. This is obviously a little bit of a dramatic reenactment. But it was like, I showed up in the snappy IRC channel after they made their fanciful press release about how they wanted to make snaps, like, a cross-distro thing. I was like, hey, you want help doing this? I saw, you know, you made this stuff, you made this package for Fedora, and it's god-awful and it doesn't actually work. Would you like some help? And it's like, awesome. This guy is the guy who's working on it, and he says, you know, I don't know what I'm doing, help. And I'm like, sure. And next thing I know, I'm getting a plane ticket to go and meet him in person here in Germany. First time I've ever been to Germany is because of him. And, you know, we had fun and we figured out, and that's how it kind of started.

And the ongoing work that, you know, Zygmunt and I have been working on has been mainly about getting the snappy releases actually a lot better, a lot faster, and also, like, we can actually catch things before they become release problems for Fedora, and that's always been, you know, troublesome. And so, like, I wrote an SELinux policy, one of my first complete policies, to be quite honest, and started, yeah, I upstreamed it into the code base because it makes way more sense to have it part of that, and we just, you know, we tested against it.
We keep improving it. And we've started turning on integrations now that things are actually starting to work. We've started turning on integrations for desktop environments. So GNOME Software was turned on, and then Plasma Discover some got switched on, and the big focus for Zygmunt and I has been mainly things that get weird because it expects Ubuntu. We find them and kill them with fire. And so the whole process is actually, you know, if you don't hate Go with a passion, it's actually kind of fun-ish. You know, come and take a look, and yes, actually the cookies are quite good.

So, where we are right now: since Fedora 26 we've actually had snapd available. It actually was technically in the archive in Fedora 25, but it was in updates. But as of 26 it was part of the release at GA, and we've also had it so that snapd will actually activate correctly depending on your environment. Since 27 we had it working correctly for cloud environments.

So we have snapd and GNOME Software integration that was turned on since 26. It's been improved over the last few releases. So now it actually will give you the ability to select channels and tracks, which are various aspects of testing different classes of the software. Either it's in testing or it's got a different feature or some kind of configuration difference. You can, and it's basically like the same kind of experience you'd expect from, you know, if you want to install an application from the Fedora repos or other third-party repos that have AppStream data and stuff like that. Some of the data is not quite there, but at least it'll all show up and you can actually pick them.

We have for Plasma Discover, since Plasma 5.13 it finally works enough that I'm actually comfortable with switching it on. So Plasma 5.13 has been backported to 28, so it is now available there, too. Please give it a shot, start talking about it, start using it, file bugs against KDE, because, like, nobody has it on except for us right now.
So we're like the guinea pigs for this. It kind of works, there's glitches, but I'd love to hear more about what's going on in there so that we can see and improve that.

The bad thing: right now we have no development, developer story for Fedora snaps yet. That's something we're like aren't working on. When I say some bits about this.

Yeah, there's gonna be some nice stuff. Like, the point of this thing is to prepare you so you can see the nice left we come up with later. So snapcraft is the part that makes snaps buildable, which, you know, what's like belts and suspenders, is easier to build. You don't have to really understand the full thing. You can still build them manually, but people actually use snapcraft because it's nice. But snapcraft is, like, tied to the Ubuntu archive as a source for many things. So if you actually want to build something, the toolchain's coming from there. So, you know, it's just one thing. And when we looked at making it possible to use, you know, the Fedora archive for that, well, it turned out to be extraordinarily difficult.

Yes, so much so that I gave up twice.

So the good thing is that snapcraft itself has changed. It's changed because it's gotten way too complex to actually work reliably. So when people are on a specific configuration, things would work, but when people drift from that configuration, things would just stop working. So the whole concept of how snapcraft works internally has been much simplified. Essentially, there is no deviation: everyone would just build in a VM which is appropriate for the snap they're trying to build. If the snap expects to be built in a Fedora environment, it's just gonna build in that environment.
It's just gonna work fine. So that's actually possible to take, you know, take a snap file and hand it off to someone, they're gonna build it, they're gonna get a working package instead of something that doesn't work. Right, so that actually allows us to make the Fedora part of it possible, because it's both easier to do internally in snapcraft and because we have done something cool, which we're gonna come to soon.

Yeah, like, Zygmunt did a nice lead-in here. So, like, where we're going. Wow, damn. So there's supposed to be emoji there. There's a super nice emoji. It'll probably show up when I, like, export the slides and put it up for people to look at later. But just imagine, like, a smiling angel with a halo on top, you know, that's what it's supposed to be.

You know, the whole thing we've been working on, since everything is now running, you know, more or less okay, there's some ugly caveats with, you know, security confinement and stuff, but, you know, we're working through those. The big thing that we're working on right now is making Fedora a first-class citizen. That means including people making Fedora a preferential source for building snaps and shipping them, because a lot of times what people want is the latest and greatest stacks, and today Fedora as it is is actually an excellent source for all these things. And we want to make it the way people want to build software to release to people, so that they get the first-class software, they get the new stuff as it is available and is stabilized and tested.

And so the testing and integration for the base snap is actually happening during this development cycle. The whole hope is that we will actually be able to get all the pieces in place to make it so that within the infra, that as part of release composes, we will be automatically updating and pushing these out, same to how we do for Docker images and eventually, hopefully, I think, for Flatpak.
They're doing something with Fedora runtime stuff. We want to have the same kind of facilities in place for snaps. And that part after that, which is honestly, I think, probably going to be kind of the most difficult aspect, and hopefully once we've got the base snap stuff done people will be interested in helping us, because I would love to have some other people, like, working with us on this, is getting snapcraft to be first-class in Fedora. Because I already have snapcraft kind of packaged. I can't ship it because it's basically broken. But we would love to make it so that Fedora support is first-class and works so well that people will choose it over Ubuntu.

Just to expand the one thing here. So we may not know that if you have an application snap, the developer of that snap actually chose the base it's going to run on top of. Essentially the runtime, you know, the libraries, the data files that it chooses to use is per snap. So I may have a system running two applications from two developers. One of them is going to run on top of the Ubuntu runtime, while the other is going to run on the Fedora runtime, and they don't conflict with each other in any way. And it also doesn't mean that if I'm on Fedora every application I have is running on the Fedora runtime, or has to, or has to be rebuilt. It's just the same binary running always on all the machines. But the developer gets to choose what they want to, like, who essentially they want to trust more or who has the most latest software available. And as you actually develop your application you can freely switch this. I'm, you know, on this release it was this thing, but I actually tested this other base, it's actually better, and I can switch. And for users there's no, you know, they don't actually, you know, get to do anything complicated. It's just an application update, and there's another release using perhaps another base. So it's all smooth and integrated in a way that developers can have the
tools they have, they want to have, from the best source they feel comfortable with, and for the users it just works.

So, demo time. Yeah, so this is gonna be a live demo where I will show you something pretty simple. So you can try this if you're on Fedora. There are four steps. I'm just gonna read it out so people can see what I'm doing later. Mentally, for installing: snapd is not installed by default. Then we ask snapd to install the Fedora 29 base snap. I have to actually do it explicitly because we're not comfortable to say this is stable. So I have to do it explicitly. Otherwise just installing a snap that chooses to use some base would pull in the base. And I'm gonna install the hello fedora snap, and for all of these snaps there are nice Git URLs so you can see how they're made. They're super trivial to understand. They're essentially made with shell and make. And I run this snap using either snap run, if you haven't installed snapd before you will not have the PATH set up correctly, so snap run will run it, or just say hello fedora if you have before. So I'm gonna type it now, and you're gonna see what happens, and there's no Ubuntu in any of that. So I run a snap on Fedora without Ubuntu pieces being included. So that's the thing we managed to reach this cycle.

Most importantly, while Zygmunt is running this, he's running this on a laptop running Fedora 28, because there's no Ubuntu on his computer. I made sure that he made sure of that. So this is live and in, you know, all the right ways. Wow, you can't type. You know nobody can hear you right now. No, he's gonna... Check, check. Okay. He's just gonna hold it for you. Be nice to Florian.

So the info command actually shows you the information about the snap, and it doesn't show you the base here. Unfortunately, you know, it knows about the base, it just doesn't, chooses not to show it. But you can see that this is just a simple hello application.
There's some license. There's some metadata you would see in a store. It has some commands that it exports to the system, and there's some channels available. So you can actually choose, like, the stability level of this per application you want to install. So right now I think I have installed version one. Sorry, actually I have 2.0. So yeah, the practice of trying your demo before actually makes you leave the state at the end. But I'm just gonna run it so you can see what happens. Well, that was like a non-event, right? It just ran, but there is no Ubuntu anywhere involved in that whole thing. It was essentially creating a, not a chroot, like a container with the Fedora root file system based on Fedora Rawhide. It had the application, which is just a single C file compiled to a single executable, essentially in that space. It ran it, and that's what I had.

How can you prove it?

So, because people are, like, always when they're introduced to a new technology, they don't understand, you want to understand how it works by playing out in the environment. We have a way to run a shell within the environment of a given snap. So this is now the environment in which the hello fedora binary would execute, and I can actually show you, you know, around what it is, and it's just Rawhide, but it's not Ubuntu. So this is a little bit hacked version of Rawhide, because I pushed the patch to master. Obviously, doing this, I had to find a bug in snapd, so this is just working around the bug. But this is just a Rawhide os-release file except for the little hack, and the whole root file system is essentially Rawhide. There are a bunch of things that are coming from my distribution, which is Fedora 28, like my home directory and a couple of other things. But essentially it is just this distribution that I chose to pick as my runtime, and the application actually is mounted here. So this is where the entire application lives, and this is another file
system, and actually you can see that there's not that many things in here. It's not the full container. This is not like, you know, you get a Docker container with some application and it's like a gigabyte and you're not quite sure what's in it. This is just what you actually want to ship. So as little as possible that makes your application work: could be a single file, could be, you know, a huge Java runtime, which I have another example of, and some jar files or whatever you want. It's just some container bundle you want to have that runs on top of the file system bundle you picked as the base snap. And actually I can run just the hello fedora binary here to, you know, to prove it. This works. You know, it's not, like, interesting, because it's obviously just doing it, but again, it took us a while to get to the point where Ubuntu is not a strict dependency of the whole stack anymore.

So one thing I also want to show you is that snaps have this fancy thing which we call channels, and I'm just gonna quickly show you that I can switch, per snap, the version of application I want to have. You can also install them simultaneously, but, well, I'll get to that. So as I said before, right now I have version 2.0. It's at the very bottom, this is installed version 2.0. It's the revision. Switch to 1.0, which is in the stable channel. Right now I'm testing the candidate release. So I'm gonna switch to stable. See how this works. So I asked snappy to refresh to the stable channel, and that's done. And now if I actually run it again, it says the same thing, but actually the only application is just hello fedora. But if I go to the candidate channel, I have another application there, which is in the same snap, but there's another application.

One day you'll get the hang of this typing thing.

Yeah. And boom, there's another application here.
It says goodbye fedora. And it's just another application exposed out of the same snap. And the point for this is that you can actually have multiple applications, services in your background, stuff, desktop applications, command-line tools, in a single package. So you can actually do this, and every user can choose, per snap, the, you know, stability level, the risk level they want to follow. You can also have, like, major releases. So maybe there's, like, a 1.x release which is stable and 2.x which is stable, but people actually have to choose to go from one to the other. So every developer who makes a snap gets to essentially design how people can consume the snap as a user.

And this is what I was mentioning earlier about channels and tracks and things like that. So, like, a developer can choose how they want to structure the delivery of the software and how people move forward and stuff like that.

So as a simple example, I'm done typing, so just gonna quickly stand up. As a simple example, this is the Skype snap, which is published by Microsoft, and, you know, snap has, sorry, Skype has this insider thing, which is the Microsoft term for, you know, beta, for a future beta, whatever. So you can actually see that I can install Skype from either the stable channel or from the insider channel. So insider is like, you know, a separate track. So I can, like, pick the latest and greatest insider which is kind of stable, or, you know, even follow edge. And it's essentially up to the developer to figure out how to shape this space in a way that is meaningful for the project.

So this is like modularity, but, you know, kind of delivered per application, per package. Well, it's basically, you know, per application, rather, that it's modularity in, the concept itself is actually more or less in the snap world, and like how modularity aims to offer, with the snaps you can actually do modules for any type of application rather than having multiple different technologies to try to
achieve that. Like, instead of having to have different Docker thingies and different Flatpak thingies and stuff like that, where you have piecemeal integrations across the board, the idea is that you can have a coherent and consistent integration with your host system and the application environment in a way that is flexible and meaningful and relatively easy to audit and maintain over time and across the server and clouds and IoT and desktop. You know, so it's just one solution that seems to fit all the places very well.

Sure. Yeah, so. So, does anyone have any questions? This slide is just Q&A, so now, you know, you can just ask us questions. But if you switch to the next slide, there's gonna be some links if you want to take photos and just go there later.

Yep, no, you don't have to take photos, because I will actually export these slides and put them up on the Flock 2018 page whenever it shows up. But if you want, yeah, there's actually a couple of other tools, I'll probably add the links later, but, like, these two are the ones that Zygmunt used for this particular demo. There's a couple of others that I wrote as well for, like, how to make these things. So. So, wow. Stop being ashy, microphone.

So I was told that if we actually speak, we cannot speak at the same time or we get ashy, and if we don't want to speak green just put this, but... Just as a quick explanation: this is the source, the entire store for the Fedora 29 base snap. It's done under the umbrella of the Server working group, I think. So we have the permission to call it Fedora. We're gonna hand it off to the infrastructure team essentially when we stop tweaking the way it's built and I think we're feeling comfortable. We need to have a conversation, you know, about, we want to hand it off, this is how it looks like, where do we plug it in every time there's a compose. And the hello fedora program is just, there's a Makefile, there's a C file, there's a license, and you can build it yourself.
You can try the new machine. So all of these things you can essentially easily try on your machines, either by following the demo instructions, which lets you just install the Fedora 29 snap straight from the store, by building it on your own machine, installing it, you know, directly.

And note that the hope is that once we get to snapcraft, you can just take regular Fedora packages, no modifications, no need to rebuild them all over the place to change, like, namespaces or whatnot. We can use them as pristine inputs to actually put together snaps of applications, services and stuff like that. So unlike in the Flatpak model, you know, it's fine for, you know, how they're doing it for their model, but unlike the Flatpak model, actually we can just use the packages as they are, because we preserve full FHS inside. And we use, what is it, bind mounts, and we use the mount namespace to actually, yeah, the mount namespaces with SquashFS, overlays and stuff like that. No overlays, actually. But I mean the overlay, not overlayfs specifically, because there's a whole host of problems there.

So the Fedora 29 snap is actually just a bunch of RPMs unpacked. So we have, like, the filesystem package, some line packs, bash, coreutils, things like that. Just like, we don't have to, we actually rebuild them. It's just, like, the whole thing takes, like, you know, 10 seconds to build. I mean, it only takes 10 seconds because you split up all the steps. Not if you put all the steps in one. It's, like, four and a half seconds.

So I'm the RPM guys, so I have to ask how updates are going to work. So first, how do you get updates on your base system, and do you have tooling basically to monitor the packages you've put in there to get those bases updated? And also, how are users going to see updates, and are there automatic updates for the snaps themselves?

Think questions. So the question is how those updates work, both on the back end.
How do you know where we have to rebuild something, and how the users get it? So on the back end, technically we just build it, for instance, every day, or every time there's something urgent, like a CVE triggers a rebuild. We can look at the manifest of things that are actually in it, and if it changed we can say, okay, that's fine, we now can publish it. So essentially every time you build it you get a SquashFS file, a single file, and they can just say, okay, fine, I'm gonna upload this to the edge channel in the store, and after some QA it can go to beta, to candidate and to stable. And then whichever channel you're subscribed to as a user, you will just get the update. So you don't have to actually, you know, do anything about it. Just everything updates automatically.

Updates are done by default, I think, twice a day. So twice a day every machine, or once a day, I forgot, just goes to the store and asks, you know, well, is there anything to update to, and it just gets pulled in. And for some of the updates, they are applied live. So things like, well, it's complicated, but the essence is that if you have, like, a service, Apache for instance, and there's an update, it just gets restarted. It's up to date. You're actually running the new version. If it's like Firefox, you will actually get a prompt, you have to restart it, and once you close it all the processes go away, then the switch happens and you actually get the new one.

So from the user's point of view there is no off switch, which is sometimes controversial, but it means they actually are updating all the time. They can only pick the schedule when they update. They can defer it for, like, three months, but they cannot turn it off. So everyone's gonna update.
Oh, yes. And if you're on a metered connection, like you have a modem, you're roaming, you don't want to pull them in right now. There is actually integration with that, so we're, you know, just gonna be postponed while you're on this connection. This is also a preference. So there's a lot of things you can tweak. But the default is you just update all the time. And it's transparent, and also delta updates. So this is actually pretty nice. You know, if there's a typo, but it's essential, well, it's a very, very, very small update.

So one of the things that's actually gonna come out of this is we're gonna have to figure out... Building is easy. Well, publishing is interesting, because if we publish it to stable there's gonna be QA involved. We don't have answers for that yet. This is just sustaining. There's some possibilities we can explore. But we don't have a process for this yet.

I can tell you how this works in Ubuntu. Every time there's a new core snap, which essentially is like a small chroot with Ubuntu, it goes through a huge QA phase which lasts around a week at least of busy work, like tons and tons of things happen during that time, and this is only after it has been in candidate for, I think... So there's, you know, there's always like a one-month lag, maybe, unless it's super urgent. We do a very quick release with a very targeted update. But there's a lot of QA involved. The reason for this is again because this actually goes to people, and they are always gonna get it, and there's no distributor in between. So if we ship something broken, well, we break everyone who has it. So the good thing is we can also unbreak it.

So it's one really interesting thing. Like, I've been doing packaging in the past and it was always like, yeah, you know, well, it's broken and we're gonna fix it in the next package. That's fine. But also we have some devices which you do not have classic packages. There's no deb packages.
There's no apt on the system. The only thing that is on the system is snapd, and everything is a snap. So we had some gray hair and some very interesting technologies that let us unbreak the world in case we ship something that doesn't work at all. So people can still recover these things. And one of the things we did use a couple of times, as we were just figuring out how the whole thing works, is that because the store has binaries that are, you know, there's revision one when I upload it, there's revision two when I upload it, and I say, okay, revision one is stable, people get revision one. They say revision two is stable and people get revision two, and oh my god, it's broken. I don't have to build revision three. I can just say, you know, revision one is stable. So you just go to revision one. These are now like version you have to increment them. This is like a branch you follow. This is a stream of things you get. They have a version as a name for you to look at, so, you know, you can familiarize: okay, this is this version of the application. But essentially it's a channel you subscribe to, so you can go back to the one you had just a moment ago, and, you know, devices stop catching on fire in the field.

Yeah, but the problem with that is, of course, you know, I assume you've got config files sitting in a user's home directory. So, you know, your stable has been version two, the user's config files have all been rewritten. You then declare stable being version one, and it can't read all the version two config files, and you've broken it even more.

That's such a fantastic question.
Thank you. So we actually solve that in a very nice way. So what we can do, this is from our end, we can say, oh my god, we broke the world, we can say go back to revision one. If a user sees that it's broken for me, I don't like it for whatever reason, I can just say snap revert firefox, and bam, I'm on the last version I was running, including the data I had. So if there was, like, an incompatible schema change, or the data just got lost because there was a typo and it removed everything, snapd actually manages the application data. So it knows where it is, it can be anywhere else. You can just write all over the system. You can actually take a snapshot of that data before we do the refresh. So we actually have something to go back to.

So in this case where, you know, someone ships a broken update to a photo application and it's all of your photos, well, we have some, at least some attempts to solve that. You can also always kind of circumvent the system, because if an application developer chooses to integrate with snaps at this level, they can say, I want to have two data sets. I want to have this that just gets managed by snapd entirely, and it may be copying that, snapshotting that's gonna be, you know, costly. I also want to have a snap, sorry, a data set which is common across revisions. So maybe it's like, you know, the metadata for the photos gets snapshotted all the time, the actual photos are not, so it would be like a separate data set. But at snapd level we have this distinction, and applications can be written in a smart way to do the right thing.

So we can both do it from our end, like pull an update and switch it to something that used to work before, and every user can choose to do it for themselves, because not only, you know, it's their computer.
They are in control of this. They have the data, you can go back, and it also gives us a hint that didn't work for them. So this revision gets like marked as bad on their machine and we get a ping in the store. So we don't have this working end to end yet, but essentially we're going to be able to surface this to developers, like a large percentage of your population is actually, you know, having issues with this release. So they will have some information. I'll take this one. I'll just... So, I'm sorry, I have questions about publishing. So how many snaps do you make, and how do you publish them, and can you sign them? And I'm guessing you are only making base snap and you are letting the developers make their own snaps on top of it. So are you releasing those layered snaps on your own infrastructure, or can they build their own? Okay, so full of things to unpack here. I'm going to go back because this is like recent memory. So the developer gets to build the application and they can push it to the store for publishing. They can also set up a CI/CD solution where essentially a developer, this works perfect for free software, it just gets pointed to a git tree which has all the things that are necessary to know how to build it. We build it in our infrastructure. It's essentially like a click on GitHub and you get a snap out of this repository, and it's fully automatic. But you can always build it on your infrastructure and upload it to the store, so you can completely control the build process. For publishing, we publish, like Canonical publishes a bunch of snaps for the products we make. We publish the base snaps with Ubuntu in it because we maintain, like we have security promises for that, we have maintenance promises for that. We have a community of people who publish third party software, but most of that is just like, you know, we published, like we made a snap. It works. You can see how this works in the store.
Would you like to take it? And they usually say, oh, that's great, yes, and they just do it themselves now. So essentially on the first slide with all the icons, one of these snaps out of all the set was done by someone working essentially more on snaps than the upstream project. Everything else is purely upstream people doing the releases, doing the QA, driving, figuring out how they want to use it, and them publishing the whole thing to the store. So the store is essentially a place for you to publish, and we, just to help bootstrap the system, sometimes package software that is popular and hand it over to the upstream developers to publish. Do you have more questions on every velocity context? You please repeat that. Yes, it's just fantastic question. So snapd, which I have not mentioned, has a fantastic security system about signatures. There's a root of trust. Everything is signed. Permissions are signed: like if I want to be a snap which has super deep system integration, like I'm a container runtime, which means I can do a lot of things which probably allow me to break out of the sandbox, this is a fully signed document saying that this snap ID has these permissions. It's fully signed all the way back to the store. So yes, everything is automatically signed by you as a developer when you build it. By the store it gets cross signed. It's all across the stack. Yes. Sure. All right, so I will take this question. So the answer is currently no, you cannot host your own store. Oh, yeah, so repeat the question. Okay, you asked if we could host our own store. The answer is unfortunately no, not right now or possibly ever.
I don't know. I can tell you about the idea. The idea is there's going to be one store, but you can host your snaps, so you can have your own private view of the store that lets you, like, deploy in an enterprise. You want to have your private snaps, so you can both host them locally, physically on your premise, that they never leak on the internet, and you can also have a proxy, which essentially is like a proxy for all the machines that talk to this thing instead of the real store. So it's just all in your network. So you can do like really offline deployments and you can keep the snaps local. But essentially there's one store, so this thing is just like a filter on the real store. You can say, I'm a full filter, I just give you the five snaps that I want in my enterprise and nothing else. It couldn't be like an add-on, could be like a filter. It's essentially, we don't want to have a world where there's a very little repositories and all the users are tricked to sign up to that repository, which will never... Like there was this fantastic case where somebody uploaded an application with a miner in it. So you run a game, but it's mining bitcoin or whatever on your machine. What we did when this was identified is within a couple of minutes we blocked this snap so no one could install it. We pulled it from the store, we removed the miner, reuploaded it to the store, got in touch with the developer, and within a couple of hours the whole planet was on a version without the miner. If this was a separate repository that this guy has set up, none of that will be possible. So we have, you know, a firm vision and design on why we have a single store. We have ways of deploying stores for enterprises, for companies, for even people. I mean, it's like you could just deploy the proxy in your laptop if you want to. But there are reasons why we chose to do it. It's not like an work. It's wild west, and this PPA has a fancy game, but it also happens to ship libc.
Why? Well, people don't really understand why, but it ships it and it has this fancy version number nine on nine, so you're just gonna update. Why? Well, because that's how the packaging system works. We want to avoid these problems because there's a ton of these things in the wild, you know, and it's just a design issue. It's not like we can walk them more. We have to make the system so that they cannot be done. Sorry. Yes. Yes, but every device has to sound like, I want to talk to the proxy. Tell the device, please talk to this proxy. Essentially what this is, the proxy is a mechanism in which you have a slice of it where you're hosting yourself, and it's a transparent overlay on top of the main snap store. That means that the ultimate root trust is the Canonical store, pun intended. But, yeah, well, the root, it's X.509-based root trust, not GPG trust. So it's based on the root CA that comes from the Canonical store, and every cert is derived from that, and that's how snapd trusts everything. There is no currently open source implementation of the proxy server, which is something that I'm fighting to have a version of, because that will make it easier for us to, say, in Fedora have a gateway for actually storing them and actually plugging it into Bodhi or some other release process to be able to do this correctly as we push it forward. The store is hugely complicated, like it's a living project with a long past. So it's not like we don't want to, you know, it's both a product and it's both a complex stack that doesn't really make sense to give to people. One thing that I think was going to happen very quickly, it's part of the other proxy work, is that essentially going to be able to have a snap in the main store, but I say I want to host it here. So people actually go to the store and say I want to install this snap, and instead of going to the CDN, which would give everyone for free, if you can just go to the place you picked. So it's evolving.
I mean we're using it, people are saying I would like to use it in this way but it's not doable right now, and we talked to them and things improved. So the store has improved tremendously. The API is public, API is documented. It's just also kind of not full, because it's been improved tremendously, but there are still some crafty things in it because it's been a legacy project in the past. And I think at some point we're going to hit a moment we're going to feel this is the feature set we plan to have and this is okay, we're going to say this is the stable API. I think people can just easily make another store. The thing that is tricky there is essentially snapd has, you know, a certificate of trust. So, well, you can always rebuild snapd to trust too, but then you get to figure out what federation means in this context. So maybe we'll get there eventually. It's just a process. That's why this is simpler now. I'm going to hand this to you because it would be my thanks for all. A little different question now. So can the proxy store blacklist some packages from the main store because of some policies, for example? Yes, so that's actually one of the reasons why I kind of want to have the open source version of the proxy server, because, so for example, currently today Canonical publishes a network manager snap. They publish it based on the Ubuntu packages for network manager. However, that does nobody any good if you are running that snap on a Fedora, because it isn't compiled to support ifcfg-rh. So without that capability, it is not able to read our configuration. So in our case, we would want to have our divide Fedora-based systems go through our proxy first, detect our network manager snap, use it, which can read our configuration but still provide all the same functionality and plug into the slot, and override essentially the Canonical snap.
These are all good ideas. I mean, you're just, like, we have never attempted something like this before. We have the network manager snap specifically because snapd has a double life: on the desktop and the server, everywhere else, and as a core distribution, which is without any classic packages, meant for embedded devices, for IoT. So we have actually network manager so we can have like a little box somewhere in the forest with a solar panel and an antenna and, you know, you'd actually want to have it reliable. So a kernel is a snap, the whole file system is a snap, all the applications are snaps. When something is bad it can roll back automatically. It's all super reliable and robust to the level which we could never do with the package, because like all of these are squashfs file systems. We don't unpack hundreds and thousands of files in the file system, just mount them and pick the one we want to use. So it's atomic at all the levels that matter. So we have the network because IoT, but, you know, improvements welcome, really. It's the best example I could come up with on a short notice about a reason why we would want to be able to do that. But there's obviously other reasons, like policy reasons.
Maybe you don't want people to install, you know, weird games or stuff like that on the computers, or maybe have approved vendors or whatnot. So that question is something that actually, yes, I actually have the answer to this, because I have talked to Gustavo, who is the tech lead, and other things about this. One of the things that we are working on for both GNOME Software, for snapd first because it's not quite in place yet. Because snapd now actually validates SPDX expressions as well as other conditions and assertions, we can actually add filters. That part is already in place, just the store part doesn't, like the GNOME Software doesn't do it. But snapd can, you... Well, snapd has those, I was gonna get to that, damn it. So because snapd has these facilities, the store side, you know, there's work on that ongoing to export this information, and now what we're also working on is getting the various desktop integration plugins to be able to respect that, so that for example in Fedora, it's very important that we present by default a view that doesn't include things that would encumber, otherwise, you know, be bad for people to deal with. So we want to be able to present a view that is consistent with Fedora's principles by default. If people want to choose to see other things, we can obviously have an option of flipping it, just like what happened with third party repos for Fedora 28. So just to complement that: the store knows the license of everything, snapd knows and can parse and can analyze, and you can actually make a query, give me like, is this snap free software? Can I install it? So the only thing that's missing today is a flip switch in GNOME Software that just shows you a different list by default, but the whole backend work is done. Sure, so I think this is tricky because you're actually shipping VLC. So it's a legal question whether that's necessary or not.
I'm not gonna answer. I'm just gonna point out that this is not coming from the repository of Fedora. It is not shipped on the image. It is something they can just, like saying it's about to ship Firefox because you can go to a website with MPEG on it. It's the user who is actually gonna do the thing, unless you start shipping snaps in the distribution. Well, then it's tricky. But it's the same situation with the third party repository toggle that you start when you run GNOME Software the first time: it asks you if you want to have this or not, and if you do, you have VLC and... No, no, there's Spotify there. There's tons of stuff. No, no, the switch is essentially saying, instead of looking just at the Fedora repository, look at anything that is there. While it is true that that list is curated, it does include Chrome, and Chrome most definitely has patented technologies. So, you know, it's up again. The point is we want to make it so that by default we're not presenting people with things that they're either uncomfortable with or don't want to see or against Fedora's principles. But we want to be able to give the same level, we want to give people the option of choosing if they want to deliberately ignore that, with all the same warnings and whatnot that happens, you know, when the third party repo setup occurs. Richard, I believe you had a question.
I mean, um, just to kind of follow up there. You know, in openSUSE we do not have the third party toggle on GNOME Software because, you know, it's, but all of these reasons, it's legally unsound, at least in Europe. In addition, I mean, the general principle from our lawyers is one of, if it's enabled by default, then we are responsible for the distribution of everything via that software source. So the coven the whole single unified snap store completely kills the idea of being anywhere near an automatic openSUSE installation, because we can't trust a third party that we have no control over. So it's just legally unsound. We never could, even if you were doing everything wonderfully. You know, we're the legal person responsible. How could we trust you? And that's something you really desperately need to look at, because with Flatpak there's a story that we can live with, with AppImage is the story we can live with, and we... Yeah, but it's a story we can live with better than the snap one. Well, I mean, but because there's no story in AppImage. Yeah, but yeah, so that's, yeah, if you want what word you need to look at this. In some cases you can maybe make the analogy of Yaman openSUSE choose to install Steam, and therefore I as a user made the choice, wasn't on by default, and now I can run all the proprietary stuff in Steam. Well, that's okay. I think that's like, we can definitely make it better. I mean, this is really useful feedback. We can definitely make it better. So maybe it could be installed by default, but it gives you a different view by default that you can control. That's fine. But there are always just ways to install it and let people use it because it's their choice, not the distribution at this point doubt. You know, the distribution is legally encumbered because someone may install Steam and therefore install proprietary software which also may be patented.
So, I mean, I think there... Hold on, but Steam is a gateway to a load of things that are definitely proprietary. So I don't get the point. So if you ship Steam in the repository and someone puts bad stuff in Steam and Valve says we will not remove it, this is the exact situation that you would be if you ship the snap store. Steam's an intermediary. So, you know, adding an app store, so, you know, we don't install Steam by default. Choosing to add an app store of the third party and then, fine, no problem. If we enabled Steam by default, so Steam was automatically pulling stuff from the third party, which is basically... then we're in legal trouble. That's the difference. Sure. I understand, you know, so yeah, snap is a... So I think we just need to have a conversation of what will be accessible, because I think we have the means of figuring out how to make it happen. So, you know, for what it's worth, Zygmunt, I think this is more or less the same conversation we have, you know, when it comes to Fedora. And so, well, right now, obviously activating the snap integrations is actually the user's choice. It's not active by default. It's not shipped on any images. And so for us the question is more or less this, basically the same kind of answer that, you know, you, Rich, would have for openSUSE with Steam. Basically the user has to choose to even install it in the first place, and at that point they'll see the view and then they'll get the question about which views they want to see. So I think from the Fedora perspective, at least how we're doing this now, we're in the clear, but we do need to start having that conversation.
I think it was actually great. I'm glad that you did bring that up because it's not just me. But I definitely want to have a more conversation about that and less ash involved. Check, check. So, I mean, definitely this is really great feedback because we need this kind of feedback to know what is the blocker for, you know, making this just available to users, and make it pleasant and easy to use. It's one thing legal while studying, you know, in sync with the principles of the given medium. So I think this is all great. Any more questions? So when we were talking about when some application breaks and I need to revert to some older version: so me as a user, can I return to any arbitrary older version or can I return just the latest one? So that's actually a fantastic question. As you saw earlier in the demo, Zygmunt actually did that exactly, and you can actually speak. When you do the refresh, he said refresh to channel, but you can actually refresh to any revision that's installed or has been installed on your computer, barring certain restrictions that the developer has indicated. Say for example, there may be a blacklisted revision or something has been... There's a feature that we didn't talk about called epochs and stepped upgrade. If you have gone through a sufficient number of data migrations that the developer may have said that going backwards at this point is like a super bad idea.
So I don't want to let you do it. There is a certain point, but generally speaking I think most software hasn't been using that particular restriction. So as a general rule you can assume that you can go backwards and forwards, provided that the data has been captured so that it can roll back and move forward the data migrations. And just to clarify one specific detail: you can always go to any revision which is published in that channel. So, you know, like if you look at snap info mysql, you're gonna see lots of things you can go to, like all the major revisions, a bunch of like, you know, nightly builds from master and some other things. You can always go to all of these. In addition you can go to any revision that you had on your machine. Like snapd, when you refresh a snap, it keeps up to three. It's a toggle now, so you can keep like up to one or up to a hundred. It keeps a set of revisions you had before along with their data, so you can go back in case something breaks. On like an IoT device, we also have the factory one we can go to always in case everything breaks. So there's always a way to, you know, to bootstrap the machine. So this means that as a user you have a public set of things you can go to, which are just the published versions in some branches, plus the things you had before on your machine that you can still go back to because you have the data. As a developer, you can always go to any revision that is in the store, even if it's not published, because you can actually upload a revision and not publish it and you just use it on your machines. This is one way in which people actually use snaps. They just, you know, have their app, publish it to the store, well, upload it to the store. It's private. And just use it on your fleet of machines.
That's fine. Or even just copy the file around and install it there. But as a developer you have access to anything you have uploaded. As a user, you have the access to the things that the developer chose to publish or the things you were on, which means the things you were on before because the developer chose to publish it. And can I have several revisions active at the same time for a snap? The answer to that is actually yes, because Zygmunt is very very happy about this because he spent like two months working on making that possible. It's not me. It's matcha from our team. So we have something which we call parallel installs. So I can say, it's like, think about a web developer thinking, I'm sure I'm gonna do something on my laptop, but it's gonna look like I'm like a server. Oh, it's that, okay. So I can say like snap install mysql underscore production, snap install mysql underscore develop. I had just choose, like I have the same snap installed twice under different name. So I can choose that it has separate datasets, obviously, that I can freely choose to move. Like I can keep production on like five point x stable and just to move the valve to like find with x like candidate or edge or six. I can essentially install a snap on my machine any number of times I want under different names. So it's going to be like, you know, the prefix is the same and you're going to have, you know, an identifier of the instance essentially. So this is modularity with parallel installability, take that. Availability and parallel installability, and you get to choose every single revision of every version of every track of every channel. And this is in master now. It's going to be roughly, either it's going to be available in the next release as an opt-in because it's a new feature, and it's going to have general availability perhaps in the following release, which is probably two months from now. So the plan is that the next release, because it includes some of the fixes that
Zygmunt finally got merged today, probably the next release, 2.35, whenever it gets tagged, he and I are going to work on actually bringing it into Fedora. So they expect to see it as a Bodhi update sometime for all stable Fedora releases. And another thing that we're working on, or I'm working on, because it's complicated and awful and hard, is actually bringing it also to EPEL 7. So we want to also add this to EPEL 7, and I've been gradually working on this for the past, I think, what, eight, nine months or so. It's actually quite... A lot of work done within the security stack in Fedora to make things really good, and we've been working off of the assumption that like that stuff is available to us. Some of that stuff doesn't exist in EL7, and for a while that made it just not possible. And as every rebase of RHEL 7 has occurred, and CentOS 7 consequently, it has made it easier and easier to bring it. And so we're like nearly to the point where I can actually start being comfortable with shipping it to EPEL 7 itself, although, to be quite honest, you probably the same cadence for releases that we do for EPEL 7 that we do for Fedora itself, because it's an application that people don't generally integrate with, and it also is a gateway application for accessing other services and stuff that people will generally want to use. So I generally do this on a monthly, just because, frankly, most of the point releases that they make are irrelevant to me, because they're mostly because they're broken on Ubuntu and none of the breakages affect me. So the point releases we make are because we have the very integrated QA pipeline. If something breaks, we actually have to make a new release so that either the test is corrected or, you know, something else happens that makes it fixed. So this is formally a point release but typically doesn't really mean anything in the applications, in the whole QA around it. And also on the core devices, because it's
the same thing that gets shipped with both desktop, server and IoT devices. Some of the things that are shipped are actually only meaningful in an IoT context where snaps run without anything else, and they have to manage the kernel, they have to manage the bootloader and everything else. So some of the updates are actually, you know, yeah, you get the update, but there's nothing really changing for you because you're not using that part of the code. The reason why you tend to only see me do snapd updates more or less monthly, maybe every two months, because sometimes it doesn't work and then fixing it, it takes a lot of effort and whatever. So I try to keep up as close with the snappy upstream maintenance, and like Zygmunt and I actually work very closely upstream a lot, because like it's a big deal and we want to make sure everything is working as well as it can to the best of our ability. Now if anyone's interested, if you are interested and want to help us with making this better, please get in touch with either one of us, either me or Zygmunt, and like we can help. We have all kinds of things that, you know, we would love to have help on, and just, you know, and we'll give you cookies. And maybe you'll get to see like random awesome countries, too. Maybe, I don't know, probably not, but, you know, there's at least good cookies. Yeah, any other questions? Okay, last question because I think we are already over time. So if I want to create a snap and it's not currently packaged in Fedora, let's say, but I want to use the existing RPMs for dependencies of the program and then just compile the actual application, is it possible? So that is literally the whole point of what we're trying to do, because aside from being able to use Fedora content, Fedora RPMs for like the applications themselves, we also want to make it so like... Um, yeah, finally, could you unlock the screen so that we can go back to the slide with the stacks?
Thank you, and connected the internet again. Yes, really, because you've disconnected for too long. And okay, so now... There we go. So this is sort of the point of this particular slide with the development stacks. Pre-built apps is only one of them, but the idea is all of these stacks... So I'm going to use some snapcraft terminology here. So snapcraft has a concept of parts and inputs and sources, and the idea is that these would be defined in the Fedora context to use the Fedora framework stacks, libraries, language things and so on. And so like for example, let's talk about Python because that's a very common thing. You know, maybe you want to use Python 3.7. It's not available anywhere else, nobody else has it yet. Or Python 3.8, because it's got an alpha in Rawhide or whatever, and you want to build an application that uses that. So you choose a Fedora base that includes that Python, you install that Python, you then tell it to pull in all the dependencies that you want, or Python modules and whatnot, then you just do the pip thing inside, or the pie build or whatever mechanism you use to install the files. And the packages are here, so you can do whatever you want there. Yeah, no, it doesn't matter that, yeah. Essentially the point is that this doesn't mean you have to have a Python package. It means the Python language with its ecosystem. Every pre-built RPM is here, so we can pick WebKit. And if this is a community that chooses to use a certain way to deploy and install and manage software, like pip or whatever, is here, gems or whatever is here, cargo or, I don't know, Rust. And these things are the native thing for that community. So essentially when there's a community making, for instance, Electron applications, the native thing for them is some version of electron-builder, I suspect, and we haven't invented a new way and said this is better, you have to learn this now. We actually went to them and said electron-builder is great.
And now it's actually, when you make out of the electron-builder, you get a snap. So for them it's the same thing. They're used to X. So this is exactly why all these icons are here. This is the same thing people are using in these communities. And this is the entire distribution as it's, you know, as its muscle. So you can take all the good stuff, including pulling the security fixes. So one thing I want to highlight, because this is super cool and it's really unknown: if I'm a developer and I pull in as a pre-built application just some packages, right, and there's a CVE, I get an indication that my snap may be vulnerable to the CVE. And there are instructions on how to rebuild my snap, there are instructions what to do to check, there's more information about the CVE. It's just sent to the developer, because we don't know it's actually used by the snaps. We're going to sell tell it in public. But the whole pipeline of security updates goes really nicely, because I can say, okay, I am maybe vulnerable, I'm just going to hit this button to rebuild, I'm going to publish it, and people are going to get it with a delta update. And when it comes to the Fedora perspective, the idea was that we integrate with things like our updateinfo publishing and Bodhi and whatnot, and since we know what the content is inside, and we have an introspector which I already wrote for identifying RPMs and what's going on inside, we can actually just go and see, okay, this version is matched to this updateinfo, say these packages match this updateinfo, saying this NVR is newer and this one fixes this CVE.
This one's older than that. Maybe there's something that's affected. So like we want to introduce that kind of pipeline also for Fedora, and hopefully we can actually do some interesting things for applications that are published by Fedora and within the release engineering pipeline, to make things a little bit better for things that people want to publish under the Fedora organization. But for you as an individual developer, you know, we have some resources for that kind of stuff. And the other important thing is this is all mix and match. So that means that you could have some stuff that is pre-built RPMs, some stuff that uses pip, some stuff that uses gem, some stuff that uses fuck all who knows what, uses Go and then all those other things, and it has introspectors and part managers for all of those things to be able to tell you whether or not you might have to do something. As an interesting observation, like there was a session here on Discourse, like Discourse is a nicer thing than a mailing list obviously and it's maybe useful to use. So if you go to forum.snapcraft.io, that is the Discourse instance obviously, and all of that is a snap. The whole Discourse is a snap, the database is a snap, all of that thing is running from a snap. So you can essentially, it's not like I have to have like my application like python dash something dash develop. But also like, you know, it's not like a huge split. You can put all of these things in a single package if that's what makes sense to your system. Well, if you wanted to build something that's super weird and complicated, you want to put Koji as a snap, that would involve pulling in Python stuff, that would involve pulling in C and C++ stuff, some pre-built applications. Maybe you're going to wind up having some application services like database stuff, you're going to have, you know, a web server thing, and then so all those things together would wind up being in a snap. Or if you choose
to, for whatever reason, you can actually make multiple snaps and make connections between them to make, like, all of these things I already maintain have Pythons. I'm just going to have my own Python snap. I'm going to connect it to all of these. I don't have to have, A, another copy of Python, and B, I can actually ship an update to my version of Python across my fleet of snaps and, hey, they update. So there are ways to mix and match, you know, how much you want to have in one snap and how much you want to share among your snaps. It's really interesting because it's not among the planet. So if you make a Python snap, you're not promising a support for the planet. It's just your snaps that can actually use it, and one can install it but they cannot refer to it. So you're not going to be on the hook just because you made some snap with some files in it and then someone actually uses it in some way you don't know about, but then you change it and you broke the other guy. So this is impossible in the snap world because essentially you can only break yourself, which is always good. By shipping a broken snap you have... If you break your users, it's all your fault. Okay, but thank you for coming.