tl;dr - Is grant primarily used as a target utility for SBOMs to be piped to, or as a standalone utility to scan files & folders? Or maybe both? Should grant
Background
Recall that a while back, I published snaps for Syft and Grype as a proof of concept. I published both Syft and Grype as classic snaps - so they have access to whatever folders on the filesystem they need.
This seemed sensible since both have dir:/ as a legitimate, supported scan target.

syft --help | grep dir\:
    syft scan oci-dir:path/to/yourimage    read directly from a path on disk for OCI layout directories (from Skopeo or otherwise)
    syft scan dir:path/to/yourproject      read directly from a path on disk (any directory)

grype --help | grep dir\:
    grype oci-dir:path/to/yourimage        read directly from a path on disk for OCI layout directories (from Skopeo or otherwise)
    grype dir:path/to/yourproject          read directly from a path on disk (any directory)
If I had published them as strictly confined snaps, this feature would be broken in those packages.
Grant confinement
I also snagged Grant’s name in the store. But I never published it because I wasn’t 100% sure whether it needed to be confined (as in, unconfined, full access).
I suspect that Grant maybe doesn't need full filesystem access as it's mainly intended to be fed SBOMs via pipes, or files, right? I don't know how many people use grant list over syft scan foo -o spdx-json | grant list, for example.
The reason I am asking is that if grant is published non-classic (confined, able to access $HOME and potentially /mnt and /media only), and it needs to transition to classic later, it's a bit painful.
However, if it needs to be classic (unconfined) then so be it. The Snap Store reviewers will want to know that I'm genuinely requesting classic confinement because it's required as a core function of the tool. So I shouldn't request that if it's not absolutely required for core functionality.
What do we think?
Should grant be a classic snap or not?
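For reference, here is what the strictly confined option discussed above looks like as a snapcraft.yaml. This is an added illustration, not the grant project's own packaging or anything from the original post; the part definition, source URL and summary text are assumptions. The classic alternative differs only in `confinement: classic` (no plugs needed, but the store review mentioned above applies).

```yaml
# Added illustration of a strictly confined grant snap (not the project's own file).
name: grant
base: core22
summary: License checks for SBOMs (illustrative summary)   # assumed wording
description: |
  Strictly confined build. "grant list" reading an SBOM from stdin or from a
  file under $HOME works unchanged; scanning arbitrary paths outside the
  plugged locations below is what would break under strict confinement.
grade: stable
confinement: strict          # "classic" would give unrestricted filesystem access

apps:
  grant:
    command: bin/grant
    plugs:
      - home                 # non-hidden files under $HOME; auto-connects on desktop Ubuntu
      - removable-media      # /mnt and /media; NOT auto-connected by default, so users run
                             #   sudo snap connect grant:removable-media
                             # unless a store auto-connect request is granted

parts:
  grant:
    plugin: go
    source: https://github.com/anchore/grant.git   # assumed source location
    build-snaps: [go/latest/stable]
```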