[00:04] <jdstrand> we should probably just document how to use the oem config bits and remove hw-assign
[00:11] <asac> jdstrand: so for me hw-assign is about drafting rules for development
[00:11] <asac> you do hw-assign app /dev/null
[00:11] <asac> this creates a rule with path=/dev/null :)
[00:12] <jdstrand> that was how I saw it too
[00:12] <jdstrand> yes, that used to work
[00:12] <jdstrand> now with the cgroups and launcher, it doesn't
[00:12] <asac> you could also do hw-assign --kernel=ttyS* --with-tag=...
[00:12] <asac> this will just create the same rules we havae
[00:12] <asac> just "runtime rules
[00:12] <asac> :"
[00:12] <asac> once you are happy you can dumb them and copy them into your oem config :)
[00:12] <jdstrand> right, we'd need to define the cli experience for that
[00:12] <asac> jdstrand: sure i am saying this would be mapped into that
[00:12] <asac> udev engine
[00:13]  * jdstrand nods
[00:13] <jdstrand> right, if we didn't remove hw-assign, we would have to integrate it
[00:13] <jdstrand> the trello card currently says update it for cgroups
[00:13] <asac> ack
[00:14] <asac> think that can be SRU'd the advanced CLI is then future
[00:14] <jdstrand> yeah, that sounds fine
[00:14] <asac> fine
[00:14] <jdstrand> heh
[00:18] <asac> jdstrand: so you say that apps have now zero device nodes?
[00:18] <jdstrand> no, they have a few
[00:18] <asac> wasnt there a default set of nodes that we wanted to assign
[00:18] <asac> where can i find that?
[00:18] <jdstrand> /dev/null, /dev/full, /dev/zero, etc
[00:18] <asac> that list :)
[00:18] <jdstrand> it is hardcoded in the launcher
[00:18] <jdstrand> let me get the link
[00:19] <jdstrand> asac: http://bazaar.launchpad.net/~snappy-dev/ubuntu-core-launcher/trunk/view/head:/src/main.c#L57
[00:23] <asac> jdstrand: ok, did you upload new -security?
[00:24] <jdstrand> I am about to
[00:24] <jdstrand> it will be a few minutes
[00:26] <asac> hmm
[00:26] <asac> so the go webserver does not start anymore
[00:28] <jdstrand> asac: sudo grep DEN /var/log/syslog ; sudo sc-logresolve /var/log/syslog
[00:28] <jdstrand> I can try here
[00:29] <asac> Apr 22 00:24:44 localhost kernel: [ 6546.952744] audit: type=1326 audit(1429662284.103:45): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=2682 comm="sed" exe="/bin/sed" sig=31 arch=c000003e syscall=137(statfs) compat=0 ip=0x7f9a1d0a4017 code=0x0
[00:29] <asac> jdstrand: statfs
[00:29] <jdstrand> ah we added statvfs earlier
[00:30] <jdstrand> I'll fix and see if there are any other stat* that we missed
[00:30] <asac> jdstrand: so python xckd server also has no port open
[00:30] <asac> root      1244     1  0 00:29 ?        00:00:00 /usr/bin/python3 /apps/xkcd-webserver.canonical/0.4/bin/xkcd-webserver
[00:30] <asac> it is running though
[00:31] <asac> or wait
[00:31] <jdstrand> what does logresolve say about that?
[00:31] <jdstrand> fyi, the final syscall list hasn't been uploaded yet. tyhicks and I have been reviewing it today
[00:31] <asac> its fine
[00:32] <asac> python works
[00:32] <asac> just didnt have right port forward
[00:32] <asac> and was to stupid for lsof
[00:32] <jdstrand> which is what I am preparing now. it changes some things around wrt to the networking bits that could have blocked it, but the new upload won't block it
[00:32] <jdstrand> ok, good
[00:32] <asac> its odd
[00:32] <asac> lsof doesnt have a hit on 80\
[00:32] <asac> e.g. no hit on liten
[00:32] <asac> LISTEN
[00:33] <asac> oha
[00:33] <asac> i dont see the LISTEN ports as normal user
[00:33] <asac> guess thats a feature?
[00:33] <asac> as root i see it
[00:33] <jdstrand> that is normal
[00:34] <asac> http://paste.ubuntu.com/10864024/
[00:34] <jdstrand> yeah
[00:34] <jdstrand> I don't know why otoh, but that is consistent with my experience
[00:36] <asac> jdstrand: its not on my normal desktop :)
[00:36] <asac> maybe admin group
[00:36] <asac> good
[00:36] <asac> jdstrand: added statfs and fstatfs to seccomp
[00:36] <asac> and now go is running
[00:37] <jdstrand> cool
[00:38] <asac> slangasek: is there a new image supposed to happen now?
[00:38] <asac> iirc it should be about time :)
[00:39] <asac> jdstrand: not sure if fstatfs is needed, but saw fstatvfs so thought it makes sense
[00:39] <slangasek> asac: next one fires off in 16 minutes
[00:39] <asac> jk
[00:39] <asac> k
[00:40] <jdstrand> asac: it does, there are also statfs64 and fstatfs64 that I am adding
[00:40] <asac> right
[00:41] <jdstrand> I'm also downloading the latest linux-libc-dev to see if we are missing anything else
[00:44] <jdstrand> interesting, a new syscall 'switch_endian'
[00:46] <asac> heh
[00:46] <asac> guess docker might want to use that later
[00:46] <jdstrand> it is something for powerpc
[00:46] <asac> sure
[00:50] <asac> jdstrand: so i am lost currently how our mir etc. framework can easily be tested without hw-assign
[00:50] <jdstrand> asac: it is probably also broken under the launcher
[00:51] <asac> jdstrand: you mean if you assign the right devnodes it still doesnt work?
[00:51] <jdstrand> because aiui, it uses a hadn-crafted policy
[00:51] <asac> jdstrand: well, there are two things... a) policy and b) access to dri devnodes
[00:52] <asac> do you know what the policy hacks look like?
[00:52] <jdstrand> hw-assign does nothing with udev atm (hence the trello card). the launcher looks at udev to add devices to the cgroups
[00:52] <asac> right
[00:52] <jdstrand> it may not. I have not seen the branch
[00:52] <asac> but we need some cli so folks can test mir
[00:52] <asac> without having to put togehter a full appliance
[00:52] <asac> jdstrand: where do we put the udev rules?
[00:53] <asac> /lib/udev/rules.d/80-snappy-assign.rules
[00:53] <jdstrand> but if they use hw-assign, it is broken cause hw-assign and udev don't do anything. if it uses hand-crafted policy, it is broken because nothing tells the launcher to add the devices to the cgroups
[00:53] <asac> sure i get that
[00:53] <asac> saying that hw-assign should just add new udev rules :)
[00:53] <asac> lol
[00:53] <jdstrand> yes, it should :)
[00:54] <jdstrand> hence the aforementioned trello card :)
[00:54] <jdstrand> hehe
[00:54] <asac> so
[00:54] <jdstrand> anyway, yeah
[00:54] <asac> what does a udev rule look like?
[00:54] <asac> that just matches the path?
[00:55] <jdstrand> so, that is going to be in snappy somewhere
[00:55] <jdstrand> I see that http://bazaar.launchpad.net/~snappy-dev/ubuntu-core-launcher/trunk/view/head:/src/snappy-app-dev is a script to add files to the cgroups
[00:56] <asac> https://code.launchpad.net/~mvo/snappy-hub/snappy-examples-oem-hardware-snap
[00:56] <jdstrand> hw-access could call out to that
[00:56] <jdstrand> but, I think that is being removed (no matter, the same functionality could be added to hw-assign
[00:57] <asac> well hwassign should add the proper rules imo
[00:57] <jdstrand> if hw-assign is going to be persitent, use, it should add the udev rules
[00:57] <jdstrand> s/use/yes/
[00:58] <jdstrand> it is probably pretty easy to add come to think of it-- all of it is already in snappy
[00:58] <asac> hmm
[00:58] <asac> so an oem snap can ship binaries?
[00:58] <asac> wow
[00:59] <jdstrand> I was not aware of that either
[00:59]  * jdstrand jots that down to ask about later
[01:00] <asac> sergiusens: where are our oem snap sources
[01:00] <asac> i dont see them in ~snappy-dev
[01:11] <asac> jdstrand: ok somethign worrying: http://paste.ubuntu.com/10864146/
[01:11] <asac> hello-world.jdstrand failed to install: exec: "sc-filtergen": executable file not found in $PATH
[01:12] <jdstrand> indeed
[01:12] <jdstrand> that looks similar to the fs issues I keep talking about
[01:12] <asac> ?
[01:12] <jdstrand> what does dmesg say?
[01:13] <asac> jdstrand: thats when running udf
[01:13] <jdstrand> udf
[01:13] <asac> dmesg doesnt say much
[01:13] <asac> [10770.939947] systemd-udevd[10485]: failed to execute '/tmp/test.sh' '/tmp/test.sh': No such file or directory
[01:13] <asac> :)
[01:13] <asac> not sure what that is
[01:13] <jdstrand> I guess you need to have ubuntu-core-security-utils on your host
[01:14] <jdstrand> I'm not sure where you are seeing that
[01:14] <jdstrand> on the host or in the guest?
[01:14] <asac> hmm. thats not in the ppa it seems
[01:14] <asac> jdstrand: on the host
[01:14] <asac> when running udf
[01:14] <jdstrand> ubuntu-core-security-utils is a part of ubuntu-core-security
[01:14] <asac> to produce an image with stuff preinstalled
[01:14] <jdstrand> I see
[01:15] <jdstrand> so, you should be able to install ubuntu-core-security-utils from vivid
[01:15] <asac> i am on trusty though
[01:15] <asac> so this has to go into tools ppa's
[01:15] <asac> for all supported things
[01:15] <asac> and dependency need adding
[01:15] <jdstrand> sergiusens: ^
[01:16] <asac> do we need to run this stuff?
[01:16] <jdstrand> I've been a little surprised how much need to be on the host for udf
[01:16] <asac> i mean those sc-... commands?
[01:16] <jdstrand> I don't know
[01:16] <asac> jdstrand: i think udf just runs snappy tool
[01:16] <jdstrand> I guess it is preinstalling the snap via the host tools
[01:16] <asac> right
[01:16] <asac> but the apparmor stuff is done on first boot
[01:16] <asac> this one should be done similar i gues
[01:16] <jdstrand> it seems it would be much safer to use the tools in the image
[01:16] <asac> s??
[01:16] <asac> no?
[01:16] <asac> well
[01:16] <jdstrand> I agree
[01:17] <asac> i think its wrong
[01:17] <jdstrand> but, we don't have the systemd unit file to do that yet
[01:17] <asac> to do what?
[01:17] <jdstrand> which was one of the things I mentioned earlier
[01:17] <asac> i think appamor is run on first boot, no?
[01:17] <jdstrand> apparmor is run on every boot
[01:17] <jdstrand> on first boot it will notice that there isn't policy for the snaps
[01:18] <asac> hmm. i mean the stuff that you run when package gets installled
[01:18] <asac> okk
[01:18] <jdstrand> and it will call aa-clickhook and everything is fine. niext time, the policy won't have to be regenerated
[01:18] <asac> shouldnt sc do all the same?
[01:18] <asac> i thought we would have same semantics
[01:18] <jdstrand> seccomp doesn't have that
[01:18] <jdstrand> click had that nice quality
[01:18] <jdstrand> so we have to reimplement it for seccomp and then again for apparmor when it moves away from click
[01:19] <jdstrand> this morning I was talking about updating policy via a unit if the seccomp policy changed
[01:19] <jdstrand> that unit would solve this problem too
[01:20] <jdstrand> asac: sc and aa should have the same semantics. aa is still implemented as a hook tool. sc is not. aa will be made to not once we clean it up in 15.10
[01:21] <asac> yes, but what i thought you said was that we would follow same approach for sc
[01:21] <asac> anyway
[01:21] <asac> so now we have to add unit?
[01:21] <asac> and figure how to get rid of sc invocation in snappy install?
[01:22] <jdstrand> what I said was that we would implement the new approach so we only have one thing to migrate when we drop the click methodology
[01:22] <jdstrand> sc is new approach
[01:22] <jdstrand> aa is old
[01:22] <jdstrand> you still need sc invocation on snappy install so that the policy is in place when a service or binary is started prior to reboot
[01:23] <asac> so now we have two approaches... in future never do two approaches
[01:23] <asac> always one and then move both over
[01:23] <asac> so we need unit
[01:23] <asac> and special case in snappy to not run anything if its on host tool
[01:23] <asac> not sure how to do that
[01:24] <asac> sergiusens: any idea?
[01:24] <jdstrand> asac: well, you say the two approaches thing. the reality is that it would have taken as much time to do the old approach for sc as the new, and it seemed silly to do the old only two weeks later to undo it
[01:25] <asac> i know, but the new approach makes things more complex
[01:25] <asac> so we should have done that
[01:25] <jdstrand> not really
[01:25] <jdstrand> there is a unit for apparmor
[01:25] <jdstrand> it is just a different unit
[01:25] <asac> hmm
[01:25] <asac> anyway, what needs doing now?
[01:25] <asac> we need to fix this for sure somehow
[01:25] <jdstrand> I don't think this two approaches thing is something to worry about
[01:26] <jdstrand> I will implement the unit as I said I would this morning
[01:26] <asac> ok
[01:26] <asac> and how to fix snappy tool?
[01:26] <jdstrand> I helped with the launcher all day today
[01:26] <asac> right
[01:26] <jdstrand> that we need serguisens on
[01:26] <asac> sergiusens: see above, we need the snappy install not call sc- stuff if run through udf
[01:26] <asac> e.g. on host
[01:26] <asac> and defer that to the first boot/unit
[01:27] <jdstrand> maybe it is as simple as unpacking and not running the tools if doing a preinstall
[01:27] <jdstrand> right
[01:27] <asac> i dont think they will like just unpacking
[01:27] <asac> they were super happy that snappy install was finally able to run on host tool
[01:27] <asac> cross
[01:27] <jdstrand> that's fine-- just saying, whatever doesn't need the tools
[01:27] <asac> i think it does logic
[01:27] <asac> the sc tools yes
[01:28] <jdstrand> that didn't come out right
[01:28] <asac> so we dont want to run the sc- tools if on host
[01:28] <asac> if cross
[01:28] <asac> not sure how we do the decision on appamor
[01:28] <jdstrand> yes, do everything except run these bits. that said, these bits could run on the host-- they are not complicated tools
[01:28] <asac> but we run them on first boot anyway
[01:28] <asac> i dont want to add more stuff to tools ppa really
[01:29] <asac> think that starts to become nasty
[01:29] <asac> need to be tested and done for trusty etc.
[01:29] <jdstrand> I was more talking about unblocking you now
[01:29] <asac> i am not blocked. but tomorrow we have to get things together
[01:30] <asac> so we should do it right right away
[01:30] <jdstrand> ok, 15.04.7 uploaded to image ppa and archive
[01:30] <asac> yep saw that
[01:30] <jdstrand> go-example-webserver wrks
[01:30] <asac> thx
[01:30] <asac> great
[01:30] <asac> check 1 :)
[01:32] <jdstrand> I'll work on the unit tomorrow. that will give me insight as to what needs to happen with apparmor when we switch it to the new
[01:32] <asac> jdstrand: generateSeccompPolicy
[01:32] <asac> is that the whole function to kill?
[01:32] <asac> on cross?
[01:33] <jdstrand> let me check
[01:34] <asac> is the unit difficult?
[01:34] <jdstrand> addOneSecurityPolicy() can exit early if run under udf
[01:34] <jdstrand> it shouldn't be
[01:35] <asac> addOne
[01:35] <asac> isnt matching
[01:35] <jdstrand> that is in snappy/click.go
[01:35] <jdstrand> in trunk
[01:35] <asac> ah
[01:37] <jdstrand> hmm
[01:37] <jdstrand> no, it's ok
[01:37] <jdstrand> I thought namespaces might trip me up, but it won't
[01:38] <asac> jdstrand: is there a script you can give us to run after boot so we can test this in the morning?
[01:39] <jdstrand> that is what I need to write
[01:40] <asac> jdstrand: you say we can run those tools on host?
[01:40] <asac> to shortcut?
[01:40] <jdstrand> I don't see why not
[01:40] <jdstrand> I installed several images today with udf
[01:40] <jdstrand> I have ubuntu-core-security-utils installed
[01:41] <asac> jdstrand: did you try snaps with built-in?
[01:41] <asac> normal images work
[01:41] <jdstrand> I did not
[01:41] <asac> it just busts if we have built-in stuff
[01:41] <jdstrand> I don't know how to do that
[01:42] <asac> jdstrand: run udf with --oem ./...
[01:42] <asac> and use http://people.canonical.com/~asac/tmp/generic-amd64_1.1_all.snap
[01:42] <asac> locally
[01:42] <asac> udf ... --developer-mode ... --oem ./generic-amd64_1.1_all.snap
[01:42] <asac> that one tries to install hello-world.jdstrand
[01:43] <asac> sudo ubuntu-device-flash core rolling --developer-mode --channel edge --oem ./oem-hardware-assign_1.0_all.snap --enable-ssh -o outputamd64.img
[01:43] <asac> jdstrand: that command
[01:43] <asac> give it a spin
[01:45] <jdstrand> just grab fyi, I just installed ubuntu-core-security-utils and ubuntu-core-security-seccomp from the image ppa and python3-yaml from the archive in a trusty vm fine
[01:45]  * jdstrand adjusts the deps for ubuntu-core-security-utils
[01:46] <jdstrand> curious why ${python3:Depends} didn't do it for me
[01:49] <jdstrand> ./oem-hardware-assign_1.0_all.snap failed to install: snappy package not found
[01:50] <jdstrand> I don't know where that is
[01:50] <asac> jdstrand: sorry wrong name
[01:50] <asac> uuse the one
[01:50] <asac> you downloaded
[01:50] <asac> ./generic-amd64_1.1_all.snap
[01:50] <asac> not ./oem-hardware-assign_1.0_all.snap
[01:50] <asac> sudo ubuntu-device-flash core rolling --developer-mode --channel edge --oem ./generic-amd64_1.1_all.snap --enable-ssh -o outputamd64.img
[01:50] <jdstrand> oh right, duh
[01:50] <asac> heh
[01:54] <jdstrand> asac: it failed in some other manner, but it seems like it probably got past sc-filtergen
[01:54] <jdstrand> http://paste.ubuntu.com/10864267/
[01:54] <asac> jdstrand: thats probasbly becauuse your system is busted
[01:54] <asac> reboot
[01:55] <asac> jdstrand: wait
[01:55] <asac> jdstrand: so remember that udf does not use a chroot anymore afaik
[01:55] <asac> its just run on host with path etc.
[01:55] <asac> not sure what your tools are doing
[01:55] <asac> if you are sure your system is still alive
[01:55] <asac> then reboot :)
[01:55] <jdstrand> I was running sbuild at the time. it had a problem related to unmounting
[01:56] <asac> good
[01:56] <jdstrand> it might've been the systemd shared mount space stuff
[01:56] <asac> ok how does it look now?
[01:56]  * jdstrand is trying again
[01:57] <jdstrand> it reported breaking differently, but still a umount issue
[01:57] <asac> i would suggest to reboot
[01:57] <jdstrand> I can reboot, but it will be a minute
[01:57] <asac> sure, better than giving up :)
[01:57]  * jdstrand has a lot of context atm
[01:58] <jdstrand> you could also try installing the tools I mentioned on trusty
[01:59] <asac> this will mess my system a lot
[01:59] <asac> but ok
[01:59] <asac> utils?
[02:00] <jdstrand> ubuntu-core-security-utils ubuntu-core-security-seccomp from the ppa
[02:00] <jdstrand> you will also need python3-yaml
[02:00] <jdstrand> and seccomp
[02:00] <jdstrand> that should be it
[02:01] <asac> yay
[02:01]  * jdstrand uploads 15.04.8 to add Depends on python3-yaml 
[02:01] <asac> it worked :)
[02:01] <jdstrand> good!
[02:04] <asac> too bad
[02:04] <asac> hw assign is broken anyway
[02:05] <asac> jdstrand: sent mail
[02:06] <asac> i drop off
[02:06] <jdstrand> ok, good night
[02:06] <jdstrand> jeex it must be late there
[02:07] <jdstrand> jeez*
[02:10] <asac> i think autopilot jsut udpated :)
[02:10] <asac> yay
[02:10] <asac> it atuomatically rebooted
[02:11] <asac> nice
[02:11] <asac> good to end day like that :)
[02:11] <asac> lol
[02:11] <asac> cu in a bit
[02:12] <jdstrand> hehe
[02:12] <jdstrand> nice :)
[05:12] <kickinz1> o/
[07:11] <dholbach> good morning
[08:55] <dholbach> dpm, davidcalle will work on refinements for the raspi bits, the channels and the start page - those are going to be most important pieces, later on we might look into importing stuff like you did
[08:55] <dholbach> dpm, great work
[08:56] <davidcalle> dholbach, +1
[08:57] <dholbach> davidcalle, sorry
[08:57] <dholbach> I meant to say...
[08:57] <dholbach> "davidcalle and I"
[08:57]  * dholbach needs another coffee :)
[08:58] <plorenz> hi, i'm running snappy ubuntu on my raspberry pi 2 (by lool) and for some reason, the system only shows 116 MB of RAM available although it should be 1 GB of RAM. i guess it's a problem with GPU memory split, but i can't find a setting. can anybody help me please?
[08:58] <davidcalle> dholbach ;)
[09:03] <JamesTait> Good morning all; happy Earth Day! :-D
[09:10] <dpm> dholbach, ack, thanks!
[09:12] <dholbach> davidcalle, I updated https://developer.ubuntu.com/en/snappy/guides/channels/ - do you feel it's clearer in the regard we discussed earlier?
[09:13] <dholbach> davidcalle, also... I'm considering extending the image at the bottom to explain the transition from alpha to beta, etc - wdyt?
[09:39] <davidcalle> dholbach, not sure if the image needs to be extended. The table on top looks good, I still think you should add a wget and a udf examples under it, to make it clear what to do with this channel/release combination.
[09:39] <davidcalle> dholbach, the page works well for me, especially with the table called a cheatsheet
[09:41] <dholbach> davidcalle, ah yes, that's right - I'll add an example, but I'm not sure about wget/udf instructions - wouldn't we have to update the instructions as well whenever thing change again or images get updated?
[09:44] <davidcalle> dholbach, that's true, I forgot udf was a moving target. But for wget, it would be mostly to show off how the path is composed (http://cdimage.ubuntu.com/ubuntu-core/15.04/edge/ubuntu-15.04-snappy-armhf-bbb.img.xz), to show people they can compose the img path based on what they need.
[09:45] <dholbach> that makes sense
[09:46] <dholbach> unfortunately we don't have http://cdimage.ubuntu.com/ubuntu-core/rolling/ yet
[09:46] <davidcalle> dholbach, implementation detail :p
[09:46] <dholbach> all right, I'll figure it out, thanks for the feedback
[09:47] <sergiusens> dholbach: davidcalle we have finalized u-d-f, it won't be moving again except for bug fixes
[09:47] <davidcalle> dholbach, I'd like to say something like "if it's documented, it needs to exist ASAP" ;-)
[09:48] <davidcalle> sergiusens, oh cool :)
[09:55] <dholbach> davidcalle, ok, updated - thanks again
[10:06] <dholbach> davidcalle, are you working on the start page now?
[10:30] <dholbach> davidcalle, I added channel info for the kvm case - does it look all right to you? do you think it helps like that?
[10:46] <davidcalle> dholbach, I'm starting now. It looks right to me, so these are the final paths? edge at cdimages.ubuntu.com/ubuntu-snappy and stable, beta, rc at releases.ubuntu.com?
[10:51] <davidcalle> dholbach, also, we talked about this earlier, but I'm not sure we had a definitive answer : are cloud images going to follow the naming scheme for release? (or should we just use the stable image names they provide tomorrow?)
[10:52] <davidcalle> dholbach, don't mind the lat question, I've found what I'm looking for.
[10:52] <davidcalle> last*
[11:24] <yngves> Wondering if something is broken in the new Docker 1.6 package? I keep getting "aa-exec: ERROR: profile 'docker_docker_1.6.0.002' does not exist" when invoking Docker.
[11:33] <dholbach> davidcalle, I'll ping the cloud guys and point them to the page - AFAIK those are the final paths, yes
[11:34] <davidcalle> dholbach, thanks
[11:34] <dholbach> a review with Steve and Alex later on should let us know if we're on the right track or not :)
[11:40]  * davidcalle starts getting confused about the naming scheme again.
[11:43] <asac> ppisati: hey, how is the cape going?
[11:46] <dholbach> davidcalle, in the case of OVA, do you think we should explain the URL scheme - or just add the box with the links?
[11:46] <davidcalle> dholbach, I've done both
[11:47] <dholbach> ok... I personally would've thought that the box would be enough, but maybe just leave it in there and we talk about it later on together :)
[11:50] <davidcalle> dholbach, the scheme of cloud-images is a bit different
[11:52] <dholbach> oh! did you find out how it works there?
[11:53] <ppisati> asac: i've got the original image to work, but once i compile the TI kernel, it doesn't boot on my board
[11:54] <ppisati> yesterday i spent the entire day doing test for the release
[11:54] <asac> ppisati: why do we need TI kernel?
[11:54] <asac> if we have it working with our generic one?
[11:54] <asac> ok have to go for lunch
[11:54] <asac> bbiab
[11:55] <ppisati> asac: because first you get a piece of hw working with the code that supports it
[11:55] <ppisati> asac: then you derive a delta from it etc
[11:56] <davidcalle> dholbach, I think so
[12:11] <dholbach> davidcalle, I added a box like this to the bbb docs too
[12:11] <dholbach> davidcalle, it gets placed in the wrong area though
[12:12] <dholbach> davidcalle, do you have an idea how to fix it?
[12:15] <davidcalle> dholbach, I'm fixing
[12:16] <dholbach> davidcalle, if we ever do a sprint together, you should do a workshop on how to fix stuff like that :-)
[12:17] <dholbach> I'd make sure to get a seat in the first row!
[12:19] <davidcalle> dholbach, why not :) Fixed. I'm confused by the fact that if you download both images (15.04/stable and 15.04/edge), you have no way to differentiate the files by their names.
[12:20] <dholbach> davidcalle, we should note this down
[12:23] <davidcalle> dholbach, I've also left a comment on the card regarding the other tasks.
[12:23] <dholbach> thanks
[12:24] <dholbach> davidcalle, do you feel we're done with the page now, barring any changes we might need to do after a meeting with Alex and Steve and potentially the cloud guys?
[12:24] <davidcalle> dholbach, yep
[12:24] <dholbach> cool
[12:24]  * dholbach hugs davidcalle
[12:24] <dholbach> good work
[12:26] <davidcalle> dholbach, same :)
[12:32] <dholbach> asac, slangasek: whenever you have time, davidcalle and I would review https://developer.ubuntu.com/snappy/start/ and https://developer.ubuntu.com/snappy/guides/channels with you
[12:36] <dholbach> asac, mvo, sergiusens: I'm still not quite sure which ppa to recommend? right now there's 'beta', 'tools', 'tools-proposed' (and probably unrelated: 'image')
[12:36] <dholbach> asac, mvo, sergiusens: what kind of changes do you anticipate to land in which of the PPAs
[12:36] <dholbach> I'm still not sure how to explain the four PPAs to users
[12:37] <sergiusens> dholbach: tools has latest and greatest and always breaks, beta is for users; but I want to get rid of that as it's too confusing
[12:38] <dholbach> sergiusens, ok... so I just recommends 'beta' for nowß?
[12:38] <plorenz> sergiusens: do you know how i can increase my available ram with snappy on the raspberry pi 2?
[12:39] <sergiusens> dholbach: yes
[12:39] <sergiusens> plorenz: no
[12:42] <dholbach> thanks sergiusens!
[13:09] <dholbach> can somebody review and land https://code.launchpad.net/~dholbach/snappy/markdown-doc-fixes/+merge/257080?
[13:19] <sergiusens> dholbach: done
[13:19] <asac> pitti: is there an easy way on the cli to query for devices that got assigned to the app?
[13:19] <asac> pitti: from the app point of view?
[13:19] <asac> udev query
[13:19] <sergiusens> dholbach: would be nice to use the ```[code] annotation eventually :-)
[13:20] <dholbach> sergiusens, did you see r416 on the MP as well? I pushed another commit
[13:20] <dholbach> sergiusens, I've never seen any ```[code] notation
[13:23] <dholbach> thanks Chipaca
[13:23] <sergiusens> dholbach: github markdown being the engine I refer to
[13:23] <dholbach> ah ok
[13:24] <sergiusens> dholbach: https://help.github.com/articles/github-flavored-markdown/#syntax-highlighting
[13:24] <dholbach> cool
[13:24] <dholbach> I hope one day a bunch of people get together and figure out one markdown standard to rule them all
[13:24] <sergiusens> dholbach: that's easy; github :-P
[13:24] <dholbach> right
[13:25] <sergiusens> standards are hard in an ever moving fast paced world
[13:33] <pitti> asac: yes, cat /sys/fs/cgroup/snappy.appname*/devices.list
[13:33] <pitti> asac: this gives you the real actual ACL
[13:33] <pitti> asac: you can also get a list of devices tagged for the app with udevadm
[13:34] <pitti> asac: udevadm trigger --verbose --dry-run --tag-match=snappy-assign --property-match=SNAPPY_APP=$APPNAME
[13:41] <asac> pitti: so jdstrand is a bit unhappy to allow apps to ask for what they can talk to this way
[13:42] <asac> i think its super useful for some app to say "give me all the devs that are of type X and that i am allowed to use"
[13:42] <asac> pitti: so trigger is doing the query?
[13:42] <pitti> asac: well, so far that's coming from OEM.yaml, so not from the app?
[13:42] <asac> pitti: but an app needs too know what it can talk to
[13:42] <asac> at best using the closest to current practices
[13:42] <pitti> asac: why shouldn't we allow the apps to query for what they can access? either by devices.list or udev?
[13:43] <pitti> they can just try and open everything in /dev/ after all
[13:43] <asac> pitti: jdstrand doesnt like that this leaks info about what is installed
[13:43] <asac> i think its a bug that we can address later :)
[13:43] <asac> but we should allow apps to query udev
[13:43] <pitti> asac: oh, you mean the udevadm?
[13:43] <asac> pitti: not sure
[13:43] <dholbach> https://code.launchpad.net/~dholbach/snappy/more-markdown-fixes/+merge/257094
[13:43] <pitti> asac: oh, we need to
[13:43] <jdstrand> pitti: I'm fine with apps trying to open things in /dev
[13:43] <pitti> asac: but right now the apps aren't confied at all
[13:44] <asac> pitti: only thing i know is that i want to tell a story on how an app that we assigned access to
[13:44] <asac> can find the usb devices that it can now poke
[13:44] <jdstrand> pitti: I'm less fine about an app querying udev and being able to see all the tags, and therefore, enumerate installed apps on the system
[13:44] <pitti> asac: that udevadm on the shell or libudev in C should be fairly adequate for that query
[13:44] <asac> right
[13:44] <asac> pitti: but jdstrand wants to take powers away from us to not allow to use libudev :P
[13:45] <asac> which i think is not good for real life :P
[13:45] <pitti> well, not querying sysfs at all is a no-go IMHO
[13:45] <asac> right :)
[13:45] <asac> i agree!!
[13:45] <asac> so i think for me this is a must
[13:45] <pitti> so you could at most restrict the access there
[13:45] <asac> and we need to figure later how to make things even better
[13:45] <asac> right
[13:45] <asac> we can try to make udev smarter later
[13:45] <jdstrand> well hold on
[13:45] <asac> to hide stuff :)
[13:45] <pitti> but quite frankly, this is by faaaaaar not the most problem we are having :)
[13:45] <pitti> 'impotant'
[13:46] <jdstrand> sysfs is another conversation
[13:46]  * ogra_ thought you were planning something like the trust-store we have on the phone 
[13:46] <asac> its the same kinda
[13:46] <asac> ogra_: thats a higher level
[13:46] <ogra_> why
[13:46] <pitti> well, libudev just queries /sys and /run/udev/
[13:46] <asac> no time to argue
[13:46] <ogra_> jus integrate something like that with udev
[13:46]  * jdstrand notes that I am not taking powers away from using libudev. apps don't currently have it. I am trying to understand what the access gives
[13:47] <asac> jdstrand: apps on normal ubuntu have it
[13:47] <jdstrand> asac: apps on touch do not
[13:47] <pitti> libudev itself is just conveience; you can't do anything with it that you can't already do with /sys and /run/udev/
[13:47] <asac> right, but they dont want to poke devices :)
[13:47] <pitti> so we need to restrict /run/udev/ if we want to restrict app access
[13:47] <jdstrand> if we allow this and don't fix udev to restrict the access, then on touch we regress
[13:47] <asac> we should restrict it
[13:47] <asac> later
[13:47] <asac> smart
[13:47] <pitti> that might break some apps, but might be appropriate
[13:47] <asac> not sure how
[13:47] <asac> is there a way we can restrict it?
[13:48] <ogra_> polkit ?
[13:48] <ogra_> via udev-acl
[13:48] <asac> e.g. is /run/udev/ content compatible with apparmor?
[13:48] <jdstrand> pitti: is it fair to say that if I use udevadm trigger --verbose --dry-run --tag-match=snappy-assign --property-match=SNAPPY_APP=hellow-world.sideload under confinement I can see what read only access is required?
[13:49] <asac> jdstrand:  you need read access to /sys and to /run/udev i think
[13:49] <jdstrand> pitti: is there a udev daemon?
[13:49] <asac> yeah
[13:49] <asac> i think there is and that could later mediate
[13:49] <jdstrand> pitti: as in, udevadm talks to a daemon?
[13:49] <asac> not sure if libudev is going through that, but could be!
[13:49] <pitti> jdstrand: there is udevd, but udevadm query and libudev don't talk to it
[13:50] <pitti> as I said, it's just reading /sys and /run/udev (for the properties and tags)
[13:50] <asac> ah bummer :)
[13:50] <asac> jdstrand: yeah so short term we woudl have to open access for those friends
[13:50] <asac> to those directories
[13:50] <asac> and then later see how to make libudev go through mediation or make /run/udev so that the app info can be confined
[13:50] <pitti> we also don't yet start apps under its own pid namespace, so presumably apps can already see what other apps are running?
[13:51] <jdstrand> well, in the future to resrict this, we would want to have a tool that talks to an out of process helper, perhaps udevd, then udevd asks libapparmor for the label of the client, then filters the query results to be only those for the app
[13:51] <ogra_> and "those friends" would be aware that their apps break at some point ?
[13:51] <jdstrand> then we remove access to /run/udev, etc
[13:51] <pitti> again, there is *no* point in restricting libudev as such
[13:51] <dholbach> Chipaca, sergiusens: any idea why https://code.launchpad.net/~dholbach/snappy/more-markdown-fixes/+merge/257094 might be unhappy?
[13:51] <asac> jdstrand: can you do a find on /run/udev after tagging something?
[13:51] <asac> jdstrand: i think its a simple pattern match to hide that
[13:52] <asac> i think the app name is really in the tagname on disk
[13:52] <jdstrand> pitti: we have restricted access in /proc, but there are some leaks there that we plan to address. I'm concerned about adding more and more stuff that leaks info about the system. if we understand what needs to be done, that is fine
[13:53] <asac> right
[13:53] <asac> but we have to take a holistic look at that later :P
[13:53] <pitti> "private process namespace" :)
[13:53] <ogra_> i dont really get that ... there is such a mechanism via polkit and udev--acl already, why dont we use it ?
[13:54] <pitti> now that we have a launcher, we can easily add that, and private /tmp and such
[13:54] <asac> thats too high level. we work on primitives to hard wire access here
[13:54] <jdstrand> we can't use polkit because no one can do the authorization
[13:54] <pitti> ogra_: that doesn't restrict visibility
[13:54] <asac> polkit or such can be built on top
[13:54] <ogra_> pitti, thats indeed true, but access ...
[13:54] <pitti> also, it's logind plus ACLs
[13:54] <ogra_> ah, right, i'm a bit behind :)
[13:54] <pitti> ogra_: access restriction is already in the lanucher nw
[13:54] <pitti> now
[13:54] <sergiusens> dholbach: hmm, outage or godeps changed
[13:54] <pitti> that's what mvo and I worked on last week
[13:54] <ogra_> ok
[13:55] <ogra_> the launcher = ubuntu-app-launch ?
[13:55] <pitti> yes
[13:55] <ogra_> ro did you re-implement that
[13:55] <ogra_> awesome :)
[13:56] <jdstrand> ogra_: the snappy launcher is ubuntu-core-launcher. how this will work on touch is less clear, but either ubuntu-core-launcher is updated to do UAL-y things, or the other way around
[13:57] <ogra_> ah, so it is a separate thing ... k
[13:57] <jdstrand> for now
[14:01] <jdstrand> pitti, asac: ftr, right this second, we don't leak anything in /proc on snappy (we do on touch, but there is a bug on that). udevadm will change that, but it sounds like that is what is required, so I'll document all this
[14:02] <asac> jdstrand: given that we have to revisit all this holistically anyway for next releases i really think its fine to have leak about apps that have hw assigned for the time being.
[14:02] <asac> jdstrand: we could in future use a crypto token for assign that is only known to the core system itself and the app?
[14:03] <asac> so instead of SNAPPY_APP:=....
[14:03] <jdstrand> fyi, udevadm doesn't work under the launcher
[14:04] <jdstrand> I'd prefer to wait on designing how to fix it for when we are interested in fixing it. way to much to do today
[14:05] <jdstrand> pitti: do you know why udevadm would fail under our cgroups implementation?
[14:06] <pitti> jdstrand: no, it shouldn't have anythign to do with the devices cgroup; when I tried mvo's MP even sudo worked there
[14:06] <pitti> jdstrand: how does it fail?
[14:06] <jdstrand> I get apparmor denials under aa-exec but nothing under the launcher other than the app saying: udevadm: Operation not permitted
[14:06] <pitti> apparmor? syscalls failing? (strace)
[14:06] <pitti> sorry, deeply in release prep/testing mode right now
[14:06] <jdstrand> no, none of that. I'll keep poking
[14:06] <davidcalle> dholbach, back o/
[14:07] <pitti> jdstrand: ok, so stracing it might be insightful?
[14:07] <asac> pitti: just last thing: to query on cli i would use trigger?
[14:07] <asac> or adm?
[14:08] <asac> err ignore
[14:08] <pitti> asac: trigger --dry-run is nice for getting a list of devices that have certain names/attributes/properties/tags
[14:08] <dholbach> davidcalle, I looked into importing the snappy internal docs and fixed a few bits in the markup to make it easier for us to import it "as is"
[14:08] <pitti> query is good for getting info about a particular dev
[14:09] <pitti> asac: ^
[14:09] <asac> nice
[14:09] <asac> thanks
[14:09] <davidcalle> dholbach, yes, seen it, I'm starting on the meta one
[14:09] <dholbach> davidcalle, looking at 'oem' now
[14:10] <dholbach> davidcalle, one problem we're going to have is linking from files to each other
[14:10] <dholbach> davidcalle, we could wrap dpm's instructions into a small python script
[14:10] <davidcalle> dholbach, there are a lot of links?
[14:10] <asac> jdstrand: https://pastebin.canonical.com/130117/
[14:10] <asac> those i am getting
[14:10] <dholbach> ... which could replace a mention of "security.md" with a proper link to its location on the website
[14:10] <dholbach> davidcalle, not too many
[14:11] <asac> jdstrand: udevadm trigger --verbose --dry-run --tag-match=snappy-assign
[14:11] <dpm> dholbach, yes, and feel free to improve it, I just wrote a few one-liners to make it simpler, but could be more elegant
[14:11] <asac> jdstrand: maybe its working if you have the /dev as r ?
[14:11] <davidcalle> dholbach, let's assume their path is guides/<name>
[14:11] <davidcalle> dholbach, a script is fine too :)
[14:11] <asac> jdstrand: yeah so /dev/**
[14:11] <dholbach> davidcalle, to keep stuff in sync I just thought that it'd be nice if we had a self-contained script that won't grow into a chaotic monster (~50 lines) which would take an .md file from the branch and turn it into exactly what we need to paste into the text box of django cms
[14:11] <asac> not just /dev/*
[14:12] <dholbach> dpm, that was no criticism - thanks a lot for figuring stuff out so far already! :)
[14:12] <davidcalle> dholbach, oh right, keeping stuff in sync after that.
[14:12] <dholbach> yep
[14:12] <davidcalle> dholbach, then absolutely :)
[14:12] <dpm> dholbach, I didn't interpret it as criticism, just saying I'm not particularly proud of the one-liners :)
[14:13] <dpm> but I did it between other things this morning, and I thought I'd put something together real quick
[14:13] <dholbach> davidcalle, dpm: I'll put the oem article online, and could then look into writing such a script
[14:13] <dpm> cool
[14:13] <davidcalle> Ok
[14:14] <dpm> dholbach, I noticed a few typos and markdown syntax errors on the config.md script that I fixed on the final HTML. I think the original docs might need some fixes.
[14:14] <dholbach> asac, slangasek: davidcalle and I still around for a review of /snappy/start and /snappy/guides/channels - we have a meeting coming up in 45m though
[14:14] <dholbach> dpm, https://bazaar.launchpad.net/~snappy-dev/snappy/snappy/changes :)
[14:15] <dholbach> dpm, there might be more though
[14:15] <dpm> dholbach, nice, good work :)
[14:16] <jdstrand> pitti: it was an apparmor issue but there was no denial. kernel rate limiting may have been in effect
[14:18] <davidcalle> dpm, dholbach, moving on to frameworks
[14:27] <dholbach> https://code.launchpad.net/~dholbach/snappy/even-more-markdown-fixes/+merge/257112
[14:37] <sergiusens> mvo: want to remerge trunk on your branch?
[14:37] <sergiusens> mvo: it conflicts with the packageYaml removal from the signature in oemHwUDRules you did in another branch
[14:38] <dholbach> dpm, davidcalle: I'll mail the snappy lists to help out with a docs review for the release tomorrow and tell them to either respond on list or ping davidcalle and me on IRC - does that sound all right to you?
[14:38] <dholbach> ... or file bugs on developer-ubuntu-com
[14:38] <dholbach> maybe that's the best option
[14:38]  * dholbach reviews  bug list
[14:52] <mvo> sergiusens: I updated the branch, thanks again and also removed println()
[14:55] <sergiusens> jdstrand: can you ack https://code.launchpad.net/~mvo/snappy/snappy-add-apparmor-override/+merge/257076 ?
[14:55] <sergiusens> you have needs info there
[14:55] <jdstrand> I thought I did
[14:56] <sergiusens> given we are so close to release I don't want to override
[14:56] <jdstrand> ah, I was trying to test it. that is what I was working on when the meeting came
[15:04] <dholbach> https://code.launchpad.net/~dholbach/snappy/even-more-markdown-fixes/+merge/257112
[15:05] <dholbach> oops
[15:06] <Chipaca> dholbach: “ARM or X86 devices such as the Beaglebone Black” is probably unfortunate word order
[15:06] <Chipaca> dholbach: or unfortunate lack of oxford comma,
[15:06] <Chipaca> or something :)
[15:06]  * genii armors his X86
[15:09] <dholbach> Chipaca, good find - fixed, thanks!
[15:09] <dholbach> we inherited quite a few docs, trying to get on top of things everywhere :)
[15:10] <Chipaca> man, i had to use wdiff to see machanisms -> mechanisms in that diff
[15:11] <dholbach> Chipaca, yeah, sorry - I always use    bzr diff --using=wdiff     for commits like that :)
[15:11] <Chipaca> heh :)
[15:11] <Chipaca> dholbach: updates on in `oem` package
[15:12] <sergiusens> Chipaca: oh, I just commented the same
[15:16] <dholbach> sergiusens, pushed a change to fix your comment
[15:16] <Chipaca> dholbach: hmm
[15:16]  * Chipaca tries something
[15:21] <Chipaca> dholbach: so, in pandoc, instead of ```yaml, you'd do ~~~ {.yaml}
[15:21] <Chipaca> dholbach: you then need css to do the highlighting, but it's something
[15:21] <Chipaca> dholbach: you can also use -B for the content before the body, and -A for after
[15:21] <dholbach> oh nice
[15:22] <dholbach> I'll take a look
[15:24] <sergiusens> dholbach: Chipaca does pandoc have some form of syntax checker we can enable in ./run-checks?
[15:24] <dholbach> Chipaca, do I need to close the ~~~ {.yaml} tag somehow?
[15:24] <Chipaca> dholbach: yes, ~~~ on its own line
[15:24] <dholbach> right
[15:25] <Chipaca> dholbach: http://pandoc.org/README.html#extension-fenced_code_blocks
[15:25] <Chipaca> it's actually 3 or more ~s
[15:26] <Chipaca> sergiusens: i didn't think markdown had the idea of 'bad syntax'
[15:26] <sergiusens> Chipaca: markdown itself, no; maybe pandoc does
[15:26] <Chipaca> also, you can tell pandoc to use markdown_github
[15:26] <Chipaca> which would probably make sergiusens wet himself
[15:26] <sergiusens> oh neat
[15:26] <Chipaca> so don't tell him that
[15:26] <sergiusens> we should do that
[15:26] <sergiusens> lol
[15:26] <dholbach> haha
[15:27] <sergiusens> it is the markdown style everyone uses
[15:27] <dholbach> I'll leave this open for discussion for the team
[15:27] <dholbach> I don't care too much
[15:27] <dholbach> as long as we have something which spits out raw html I can paste into developer.u.c's djangocms, I'm happy
[15:28] <sergiusens> dholbach: is it fully automated now?
[15:28] <sergiusens> dholbach: or html that you copy paste?
[15:28] <dholbach> the latter
[15:28] <dholbach> automating this fully will be too much work right now
[15:29] <sergiusens> dholbach: maybe adding a form to upload a raw html file will allow full automation
[15:29] <sergiusens> oh
[15:29] <sergiusens> I thought it wouldn't be too hard
[15:29] <dholbach> the content right now lives in a database
[15:29] <sergiusens> just a uri you can post to or put to change the resources
[15:29] <sergiusens> and django would save it to the db
[15:29] <dholbach> if you want access, then yes, you have a page where you can copy/paste
[15:30] <dholbach> sergiusens, Chipaca: can somebody make a decision on if we want to use github markdown or something else?
[15:30] <dholbach> I don't care too much
[15:30] <dholbach> but it'd be good to decide this
[15:31] <dholbach> maybe it'd also allow us to change the .rst doc to an .md doc
[15:31] <Chipaca> whatever's the path of least work
[15:31] <dholbach> AFAIR it was just tables which stopped it from using regular markdown
[15:31] <dholbach> maybe tables work in github markdown?
[15:31] <Chipaca> pandoc's take on github markdown might not be github markdown
[15:31] <Chipaca> just to keep things clear
[15:32] <dholbach> ok
[15:32] <Chipaca> dholbach: i don't think we need to change anything more than the minimum to get things to look right on our website, now
[15:32] <Chipaca> dholbach: next week we can talk grand designs
[15:32] <dholbach> +1
[15:32]  * dholbach moves on
[15:32] <dholbach> :)
[15:32] <dholbach> I'll file a bug on snappy
[15:33] <sergiusens> dholbach: easy
[15:33] <sergiusens> Chipaca: mvo jodh http://www.poll-maker.com/poll299911x1d4b4d87-11
[15:34] <Chipaca> hahahah
[15:34] <Chipaca> sergiusens: that's sweet
[15:34] <Chipaca> sergiusens: markdown_phpextra (PHP Markdown Extra)
[15:34] <Chipaca> footnotes, pipe_tables, raw_html, markdown_attribute, fenced_code_blocks, definition_lists, intraword_underscores, header_attributes, abbreviations.
[15:34] <Chipaca> markdown_github (Github-flavored Markdown)
[15:34] <Chipaca> pipe_tables, raw_html, tex_math_single_backslash, fenced_code_blocks, auto_identifiers, ascii_identifiers, backtick_code_blocks, autolink_bare_uris, intraword_underscores, strikeout, hard_line_breaks
[15:34] <Chipaca> markdown_mmd (MultiMarkdown)
[15:34] <Chipaca> pipe_tables raw_html, markdown_attribute, link_attributes, raw_tex, tex_math_double_backslash, intraword_underscores, mmd_title_block, footnotes, definition_lists, all_symbols_escapable, implicit_header_references, auto_identifiers, mmd_header_identifiers
[15:34] <Chipaca> markdown_strict (Mar
[15:34] <Chipaca> ...
[15:34] <Chipaca> :)
[15:35] <sergiusens> Chipaca: mark down strict is nice
[15:35] <sergiusens> I like strict
[15:35] <Chipaca> no you don't
[15:36] <Chipaca> :D
[15:36] <mvo> sergiusens: haha
[15:36]  * Chipaca stops having fun with sergiusens 
[15:36] <mvo> I guess the fact that we talk markdown now means we can release, right?
[15:36] <mvo> :P
[15:36] <Chipaca> mvo: +1
[15:36]  * mvo hugs dholbach, Chipaca, sergiusens
[15:36] <sergiusens> Chipaca: it's bad tat we are having some fu and mvo is still crunching at it
[15:37]  * sergiusens hugs back
[15:37]  * Chipaca joins the hug party
[15:37] <dholbach> hugs! :)
[15:37]  * dholbach hugs you all
[15:37]  * sergiusens wonders if it's beer'o clock already
[15:37] <Chipaca> sergiusens: it is in germany!
[15:38] <dholbach> asac, slangasek: are you going to have time to review the start and channels pages any time soon?
[15:41] <mvo> Chipaca: hahaha, beerclock=[0-24] in germany
[15:52] <Chipaca> mvo: that also :) but i meant it was after 5pm
[16:00] <jdstrand> asac, pitti: fyi, I profiled 'udevadm trigger --verbose --dry-run --tag-match=snappy-assign --property-match=SNAPPY_APP=<appname>'. it requires this rule: '/run/udev/data/* r,'. This actually gives away far more info than what apps are installed
[16:00] <jdstrand> asac, pitti: eg "The files in this directory reveal all kinds of information about the hardware, UUIDs of partitions, the MAC address of ethernet interfaces and more. This is enough information for a malicious snap to conduct data mining and identify individual systems and breaks our privacy model."
[16:00] <jdstrand> this is bug #1447237
[16:04] <asac> dholbach: the image links would be nice to have them right on top
[16:04] <asac> of the section
[16:04] <asac> like in getting started on baeglebone black
[16:04] <davidcalle> dholbach, hangout dropped for me
[16:05] <asac> sergiusens: i assume avahi wont work unless you have webdm or did we move that to core system?
[16:05] <jdstrand> asac: so, we've worked extremely hard on touch to not reveal things such as the mac address
[16:07] <sergiusens> asac: no, it's not in core on request from high above
[16:08] <asac> jdstrand: could we argue that only apps that get hw assign can read this?
[16:08] <jdstrand> asac: so we have a couple of choices. accept the information disclosure, but have someone get on the restriction soon or don't allow reading /run/udev/data/*. Interestingly, if you call udevadm without -property-match=SNAPPY_APP=<appname>, you don't need /run/udev/data/*
[16:08] <asac> jdstrand: in the end this would put the decision into the yard of the guy that makes the system
[16:08] <asac> and touch could for instance just allow only their framework to access that
[16:08] <asac> and they can still realize their model
[16:09] <jdstrand> asac: yes, we can adjust mvo's branch to do that
[16:09] <asac> jdstrand: would this make you feel more comfortable?
[16:09] <jdstrand> it would
[16:09] <jdstrand> I would downgrade the priority significantly
[16:09] <asac> lets do that i guess... later we have to look how to make udev better
[16:09] <asac> i think udev coul dhave different data directories
[16:10] <asac> one with /snappy/ and one with /crazy/data/
[16:10] <asac> or wait
[16:10] <asac> i think we could even restrict acces to the devices in there that the snapp has assigned?
[16:10] <jdstrand> most hardware assigned things are frameworks and trusted. if a system builder preinstalls, that is also a form of trust (though different). a user that opts in is saying opting into this
[16:10] <asac> jdstrand: right
[16:10] <jdstrand> asac: I put ideas in the bug
[16:11] <asac> yep
[16:11] <asac> cool
[16:11] <asac> lets do that
[16:11] <asac> jdstrand: will the hw-assign cli work same way? i think its fine and maybe we even disable that in non-developer mode eventually
[16:11] <jdstrand> asac: it will
[16:12] <jdstrand> ok, I'll update the policy for the safe access and then talk to mvo about this one extra access
[16:12] <jdstrand> that will be a very small addition
[18:15] <fionnan> anyone getting this `profile 'docker_docker_1.6.0.0.002' error does not exist` on a fresh snappy install? https://bpaste.net/show/5fb0130cf91c
[20:40] <yngves> fionnan: Yes, I do.
[20:42] <yngves> fionnan: There definitely is no AppArmor policy of that name in the package. I hacked my way around it by changing the last line of /apps/bin/docker to read: aa-exec -p docker-default -- /apps/docker/1.6.0.002/bin/docker "$@"
[20:42] <yngves> fionnan: A very ugly hack. Hope it gets fixed.
[22:59] <fionnan> yngves: cheers!