One of the core aspects of the snap ecosystem is the built-in, robust auto-update mechanism. Whenever there is a snap update available in the Snap Store, the snapd service will apply it, keeping your software patched and up to date. Most of the time, this works great. In some scenarios, though, this may not be what the user wants or expects.
For instance, you may not want an application to update while you’re running it and using it. We’ve all witnessed the arguably funny situations where someone’s laptop performs a system update just as they’re about to present to a large audience at a conference. You could be on a metered connection, or your organization has a strict test-before-update policy. While there are workarounds for how to effectively manage snap refreshes, they don’t fully provide the required level of control. A new refresh hold feature, available in the snapd edge channel, now resolves this long-outstanding conundrum.
The new hold feature allows system administrators and end users to stop or postpone their snap updates for as long as necessary. The hold can be applied to individual snaps or the entire set of installed snaps, for a limited period of time, or – if necessary – indefinitely.
For instance, to pause snap updates for VLC for 3 days, you would run the following command:
snap refresh --hold=72h vlc
General refreshes of "vlc" held until 2022-11-17T12:04:59Z
Similarly, to pause snap refreshes for all snaps for a period of 48 hours:
snap refresh --hold=48h
Auto-refresh of all snaps held until 2022-11-16T12:27:25Z
To stop the automatic refresh completely, and without a timer:
snap refresh --hold
Auto-refresh of all snaps held indefinitely.
The really cool part about the new functionality is that it still allows you to manually run snap refreshes, for either the entire system or specific snaps.
Timing is everything
With the refresh hold active, the end users can now carefully choose when and how to update their snaps. For instance, for those traveling (and presenting at a conference), they may want to disable updates for a few days. If you’re using a snap of a really ancient application (say Mosaic or KompoZer), you may not want to have it updated, as the update may potentially break the software.
On a wider scale, the hold feature allows a tightly controlled integration of snaps within existing system update tooling and configuration management software in businesses and organizations even without the use of a snap proxy. For example, you can use a tool like Puppet or Chef to trigger manual, targeted snap updates in a staggered fashion at very specific timings, but not in between or without rigorous testing. If a particular snap does not use tracks to differentiate major versions, you can use the hold function to make sure nothing goes wrong after a large upgrade.
The snap refresh hold gives administrators an almost endless range of possibilities on how they can manage their software. They can combine security and compliance policies with carefully timed updates, they can integrate snaps with other tools, stagger updates based on the criticality or complexity of the software involved, and still use frequent auto-updates for remotely managed edge devices where needed. Similarly, desktop users have the freedom and choice to run their applications as they see fit. Most probably, this will be a healthy mix of security and convenience, not at the expense of one another.
Typically, security and functionality are opposing forces. It is quite difficult to provide one without affecting the other. The snap refresh hold should address both, and give everyone the chance to set up their system in a way that provides the highest level of quality and security. We call on early adopters and tinkerers to refresh their snapd from edge and give the hold option a whirl. Please test and let us know what you think via the forum. May the snap be with you.