I used snapcraft to package minecraft (to test security policy on a non-trivial java program). Here is the bzr tree: lp:~jdstrand/+junk/minecraft-snap
$ click-review minecraft_0.1_amd64.snap
Errors
------
- lint_external_symlinks
package contains external symlinks: /tmp/clickreview-fo5rcfjk/usr/lib/x86_64-linux-gnu/libnss_nis.so, /tmp/clickreview-fo5rcfjk/usr/lib/x86_64-linux-gnu/libnss_hesiod.so, /tmp/clickreview-fo5rcfjk/usr/lib/x86_64-linux-gnu/libresolv.so, /tmp/clickreview-fo5rcfjk/usr/lib/x86_64-linux-gnu/libutil.so, /tmp/clickreview-fo5rcfjk/usr/lib/x86_64-linux-gnu/libcidn.so, /tmp/clickreview-fo5rcfjk/usr/lib/x86_64-linux-gnu/libnsl.so, /tmp/clickreview-fo5rcfjk/usr/lib/x86_64-linux-gnu/libnss_files.so, /tmp/clickreview-fo5rcfjk/usr/lib/x86_64-linux-gnu/libBrokenLocale.so, /tmp/clickreview-fo5rcfjk/usr/lib/x86_64-linux-gnu/libnss_dns.so, /tmp/clickreview-fo5rcfjk/usr/lib/x86_64-linux-gnu/libnss_compat.so, /tmp/clickreview-fo5rcfjk/usr/lib/x86_64-linux-gnu/librt.so, /tmp/clickreview-fo5rcfjk/usr/lib/x86_64-linux-gnu/libm.so, /tmp/clickreview-fo5rcfjk/usr/lib/x86_64-linux-gnu/libthread_db.so, /tmp/clickreview-fo5rcfjk/usr/lib/x86_64-linux-gnu/libcrypt.so, /tmp/clickreview-fo5rcfjk/usr/lib/x86_64-linux-gnu/libdl.so, /tmp/clickreview-fo5rcfjk/usr/lib/x86_64-linux-gnu/libnss_nisplus.so, /tmp/clickreview-fo5rcfjk/usr/lib/x86_64-linux-gnu/libanl.so, /tmp/clickreview-fo5rcfjk/usr/lib/jvm/java-7-openjdk-amd64/jre/lib/security/cacerts
This check in the review tools is looking at the symlinks in the unpacked snap and seeing if they point outside of the snap's directories. The goal of the check is to point out problems when installing a snap on a minimal system like Ubuntu Core where the target files may not exist. For example, after installing the snap, /apps/minecraft.sideload/current/usr/lib/jvm/java-7-openjdk-amd64/jre/lib/security/cacerts is a dangling symlink to the non-existent /etc/ssl/certs/java/cacerts.
This is not a security issue because AppArmor will resolve the symlinks before applying policy.
This is known to at least affect 'stage-packages: openjdk-7-jre-headless' and 'type: python3-project'.
WORKAROUND: if you have a snap that does this, use snapcraft, run the review tools on it to see the list of external symlinks, then unpack the snap, remove the external symlinks, then repack the snap.
Assigning to Sergio since when we spoke about this on IRC he said he'd jump right on it since it blocks autopublication in the store.
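An added example, not part of the original report and not the review tools' or snapcraft's own code: a sketch of the scan-and-remove steps of the workaround, run against an already unpacked snap directory. The function names, the libfoo/libm/hosts links and their targets are constructed for illustration; only the cacerts link and its target come from the report.

```python
import os
import tempfile


def find_external_symlinks(root):
    """Return sorted (link path relative to root, target) pairs for symlinks
    under root whose target falls outside root."""
    root = os.path.abspath(root)
    external = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.readlink(path)
            # Absolute targets name host paths; relative ones are resolved
            # lexically (one hop) so nothing on the build host is followed.
            dest = os.path.normpath(os.path.join(dirpath, target))
            if os.path.isabs(target) or os.path.commonpath([root, dest]) != root:
                external.append((os.path.relpath(path, root), target))
    return sorted(external)


def remove_external_symlinks(root):
    """The 'remove' step of the workaround: unlink what the scan reports."""
    found = find_external_symlinks(root)
    for rel, _target in found:
        os.unlink(os.path.join(root, rel))
    return found


def build_sample_tree(root):
    """Constructed sample input shaped like an unpacked snap."""
    lib = os.path.join(root, "usr/lib/x86_64-linux-gnu")
    sec = os.path.join(root, "usr/lib/jvm/java-7-openjdk-amd64/jre/lib/security")
    os.makedirs(lib)
    os.makedirs(sec)
    open(os.path.join(lib, "libfoo.so.1"), "w").close()
    os.symlink("libfoo.so.1", os.path.join(lib, "libfoo.so"))  # stays inside
    os.symlink("/lib/x86_64-linux-gnu/libm.so.6", os.path.join(lib, "libm.so"))
    os.symlink("/etc/ssl/certs/java/cacerts", os.path.join(sec, "cacerts"))
    os.symlink("../../../../etc/hosts", os.path.join(lib, "hosts"))  # escapes


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, target in find_external_symlinks(tmp):
            print(rel, "->", target)
```

Removing a link such as cacerts also removes whatever the program expected to find there, so anything the application needs at that path has to be shipped inside the snap before repacking.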