Open Beta Readiness Guide #1411
Replies: 13 comments 7 replies
-
|
thanks for the details @Montoya. quite helpful |
Beta Was this translation helpful? Give feedback.
-
|
This is all great news for Snaps developers who have been working on building their snaps for the last year or so to finally come to fruition. Can't wait for official release of Snaps! |
Beta Was this translation helpful? Give feedback.
-
|
this audit requirement is absurd, exclusive and contrary to the principles of decentralization. what's the point of isolating the snap in a secure environment if you're going to manually micromanage which snaps are allowed? also, what if we update our code? will we have to start the audit process from scratch? |
Beta Was this translation helpful? Give feedback.
-
|
We want to exercise caution as we roll out the first version of the MetaMask Snaps API to the MetaMask extension. To that end, we are using an allowlist + 3rd party audits to make sure that all snaps included in the launch have been carefully reviewed. This is necessary because we will be educating users about Snaps and we do not want users to be installing arbitrary snaps before they understand the implications. We understand that the audit requirement can be onerous for some teams, so we launched a grants program where teams can apply to cover the cost of their audit. Updates for snaps will be handled on a rolling basis. We do not plan on requiring additional audits for snaps. We will manually review snaps with our internal team, and after a period of time we will stop requiring manual review and trust the allowlisted teams to deliver updates safely on their own terms. Over time we will be moving towards a permissionless distribution model for snaps, relaxing the allowlist and implementing community driven solutions for users to verify snaps from the ecosystem. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for the update @Montoya ! |
Beta Was this translation helpful? Give feedback.
-
|
Perfect 100 |
Beta Was this translation helpful? Give feedback.
-
|
Very detailed. Keeping an eye! |
Beta Was this translation helpful? Give feedback.
-
|
thanks for the detail. keep an eye here |
Beta Was this translation helpful? Give feedback.
-
|
Hey, I was wondering if the date of August 16th is still the plan? Our use-case requires |
Beta Was this translation helpful? Give feedback.
-
|
as far as i understand, the thing getting audited must target the 1.0.0 release, which is already sealed/frozen, and does not contain
thus, apps which need this feature are essentially excluded from the (initial) whitelist. i am in the same boat, and am somewhat frustrated. see also discussion in #1421. |
Beta Was this translation helpful? Give feedback.
-
|
Sorry @SebastienGllmt, like @firnprotocol said above, it is unlikely that |
Beta Was this translation helpful? Give feedback.
-
|
Hi, I am wondering if our developed snap app included in the allowlist and later we updated it to new version, is there any way MetaMask will help upgrade the latest version? Is there any upgrade process or materials we can refer further? |
Beta Was this translation helpful? Give feedback.
-
|
There is no auto-update feature yet. You would have to update the version requested by your dapp and then users can go to your dapp to connect and install the new version. |
Beta Was this translation helpful? Give feedback.
-
|
Understood. Thanks for the details. |
Beta Was this translation helpful? Give feedback.
-
|
Hm... Who can help me with the audit? Have no idea whom to even ask... |
Beta Was this translation helpful? Give feedback.
-
|
Please reach out to Manish Tomer: [email protected] |
Beta Was this translation helpful? Give feedback.
-
Is this still true as of January 2024? What version of @metamask/snaps-sdk does that correspond to? |
Beta Was this translation helpful? Give feedback.
-
|
Ah good point! I will update this with the version of snaps-sdk. |
Beta Was this translation helpful? Give feedback.
-
|
Hi @Montoya, I'm Trong - from NexmLabs which develops Bitcoin Snap on Metamask. The requirement is to finish the audit before listing snap to Metamask Snap Store, and it exceeds our budget honestly. Therefore we applied for the grant more than a couple of weeks ago but haven't received any feedback or information yet. Does MetaMask still support the startup grant? Thx |
Beta Was this translation helpful? Give feedback.
-
MetaMask Snaps Open Beta successfully launched to the MetaMask Extension on Sept. 12, 2023! 🎉 Here's everything you need to know to be part of our Open Beta:
Reference version
MetaMask Flask 10.29+ &
@metamask/snaps-cli0.32.2@metamask/snaps-sdk1.4.0 is your reference version for MetaMask Snaps v1. There are no further changes planned for this API before releasing to stable. If your snap works with this version of Flask, you can expect it to work with the stable extension in Q3 and beyond.The MetaMask Docs have recently been updated with the latest information about the MetaMask Snaps API and a design guide for Snaps builders. You can also use the Test Snaps site to demo all of the functionality in the v1 API.
Allowlist process
For the Open Beta, we are using an allowlist to restrict which Snaps can be installed by users. While any Snap can be installed in MetaMask Flask, installation on MetaMask stable is restricted to only Snaps that are explicitly defined by npm package name, version, and a checksum of the contents. Furthermore, installing Snaps from localhost is disabled on MetaMask stable.
We are asking all developers that wish to be included in this allowlist to make their Snaps' source code public, publish the Snap package to npm, and get a third-party audit. The audit should cover the Snap code itself that will run in MetaMask. The commit hash that was audited and the commit hash of any fixes, if applicable, should be stated clearly in the audit report. Any audit findings that are medium/major or greater severity should be addressed. Once the audit is complete and these issues have been addressed, please share the audit report with the MetaMask Snaps team for final review.
The MetaMask Snaps team maintains a list of approved auditors that can audit Snaps code. For a list of approved auditors
or to submit an audit report, please reach out to Manish Tomer [email protected].visit the Snaps Builders team space. Also, fill out the onboarding form linked from our readiness guide to get in touch with our team.Update Process
Allowlisted snap developers can publish updates for their Snaps. These updates do not require additional security audits, but they must be manually reviewed by the MetaMask Snaps team. Please reach out to us if you have an update for your allowlisted Snap.
Resources for Developers
We recently published a redesigned MetaMask Snaps documentation site and design guidelines for Snaps. Along with the MetaMask Snaps tutorials, we have also published example Snaps for authenticated API access, using Ethers to read from the blockchain, and storing and retrieving data with manageState. We have also created a Snaps Simulator that can be used for testing Snaps (including in end-to-end testing) and for validating a JSON manifest.
Frequently Asked Questions
What is the roadmap for MetaMask Snaps? What new features will be added in the future?
New features will be rolled out to MetaMask Flask and the MetaMask extension over time. There is no timeline for when these new features will be ready, but they include custom interactive UI, better transaction insights, and domain resolution. To learn more about new features and give feedback, please visit Snaps Improvement Proposals.
When will the API be stable? How can we be sure that the API will not break in the future?
A lot of changes were made along the way to v1. Going forward, we do not plan to make breaking changes.
Will MetaMask Snaps be supported on mobile?
We do not have a timeline for MetaMask Snaps in the MetaMask mobile app, but we are working on it. The goal is to have API parity across browser and mobile devices, so that Snaps can run in either environment without requiring code changes. We have beta releases of MetaMask Flask for iOS and Android via TestFlight and BitRise. If you would like access to the mobile Flask beta, please contact Christian Montoya [email protected].
Is the Snaps platform free to use? Will it always be free? Are there any costs associated with building and deploying Snaps?
MetaMask Snaps can be developed and deployed for free using our open source tools and the public npm registry. There are no fees associated with building or deploying Snaps. However, there may be costs associated with third-party audits and any cloud infrastructure that your snap relies on.
How is MetaMask ensuring that Snaps is safe for users? What if someone makes a malicious snap?
Snaps run in an isolated environment that uses a permissions model to restrict access to certain features such as network access and disk access. At installation, users are informed of which permissions the snap will use. Also, all Snaps are required to make their source code public in order to be included in the allowlist for the MetaMask extension, so users can check the code for each snap to see what it does. Lastly, all Snaps included in the allowlist have been audited by third-party auditors.
Along with the allowlist, there is also a blocklist. If a snap is found to have an issue that could be dangerous to users, it can be blocked from being installed, and all previously installed instances will refuse to run.
What kind of testing is required for launching a snap?
We recommend using unit testing and E2E (end-to-end) testing for Snaps. Each snap should be tested in latest Google Chrome and Mozilla Firefox on at least Windows and macOS.
How should I handle customer support for my snap?
You should have the following lines of communication for your snap:
Your general support contact and general FAQ URL should be easily discoverable from your dapp and you can also include it in the description of your snap (this will be displayed in MetaMask).
How will MetaMask market the Snaps platform? Will MetaMask market individual Snaps?
MetaMask will market the MetaMask Snaps platform to users, including various categories and use cases enabled by MetaMask Snaps.
How will users find and install Snaps?
The primary mechanism for finding and installing Snaps is dapps. Each snap developer should deploy a dapp to onboard users to their snap or work with other dapps to implement their snap. Any dapp that invokes a snap can help onboard users to that snap. MetaMask users can also find Snaps via the official Snap Directory or 3rd party curation sites like this.
Will Consensys / MetaMask develop Snaps?
Consensys has developed a StarkNet snap and various example Snaps and tutorials, and we may develop Snaps in the future, but we are primarily focused on making the MetaMask Snaps platform the best platform for developers to build on.
Why is MetaMask launching the Snaps platform?
We want to empower each and every person who uses MetaMask to do more with their wallet. The MetaMask Snaps platform allows developers to do things that were not possible before. This is important because the pace of innovation in Web3 is rapidly increasing. The ecosystem is moving toward a multichain, multiprotocol, account abstraction, and decentralized identity future. Furthermore, there are now many services that provide security, privacy, and decentralized communication for users. MetaMask Snaps makes it possible for all of this innovation to reach users at the wallet level.
I have an idea or feedback for the MetaMask Snaps platform, or I want to contribute.
Ideas, feedback, and contributions are always welcome! You can propose new APIs or changes to existing APIs with Snaps Improvement Proposals, or share your ideas and feedback in the MetaMask Snaps Discussion Board. The Snaps Monorepo is open to contributions, but it is highly recommend to start with a Snaps Improvement Proposal.
This guide is subject to change and will be edited as more information becomes available.
Beta Was this translation helpful? Give feedback.
All reactions