liuxg I am now trying to development a simple snap app on 16.04 desktop. I met a problem. whenever install my snap app onto my desktop, it takes quite a lot of space since I get all of the Qt stuff. the problem is that it get different versions in my hard disk, and each takes that space. How can I remove the versions that i do not need any more? thanks00:52
=== chihchun is now known as chihchun_afk
=== chihchun_afk is now known as chihchun
shuduoogra_: hello, may i know where is official kernel repo for rpi2 snappy image?07:55
ogra_shuduo, ppisati maintains it on kernel.ubuntu.com (i always forget the exact branch name)08:37
shuduoogra_: got it. let me find it. :)08:37
shuduoppisati: ping08:46
=== chihchun is now known as chihchun_afk
=== chihchun_afk is now known as chihchun
ppisatishuduo: pong10:37
shuduoppisati: may i know what kernel tree and branch is being used for snappy on raspberry pi 2?11:17
shuduoppisati: i cloned it from  git://git.launchpad.net/~p-pisati/ubuntu/+source/linux and see   remotes/origin/x-raspi211:37
shuduo  remotes/origin/x-raspi2_rtlfix11:37
shuduo  remotes/origin/x-raspi2_rtlwififix11:37
=== chihchun is now known as chihchun_afk
kyrofaGood morning12:07
qenghojdstrand: what does the "unconfined" security plug look like these days? Still old-security?12:10
=== Guest24582 is now known as devil_
jdstrandqengho: it looks like --devmode :)12:40
jdstrandqengho: more seriously, it was decided that unconfined isn't a thing any more12:41
jdstrandpeople can use --devmode to be unblocked and file a bug for what they need (please add snapd-interface tag)12:41
ppisatishuduo: that's my personal git tree12:45
ppisatishuduo: use this:12:46
ppisatishuduo: https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/xenial/log/?h=raspi212:46
shuduoppisati: got it. thanks.12:59
morphisjdstrand: first step towards slot support in the pulseaudio interface: https://github.com/morphis/snappy/commit/08da30f860ab68cf9ed866e10874e8b353894d3613:38
morphisneeds cleanup and then I will push that as PR next week13:38
niemeyer_ssweeny: ping13:40
jdstrandmorphis: nice! :)13:42
morphisjdstrand: however policy might be too in open in some points, we need to figure those things out once I open the PR13:44
* jdstrand nods13:45
KristbaumHello people, is it intentional that the same snap can be run multiple times at once? E.g the Telgram-Snap can be executed 50 times on my system.14:37
ogra_file a bug ... i guess that needs some discussion14:39
ogra_(if it was a terminal app you probabl ywould want it to start multiple times .... apps that use login credentials probably not so much ... might need a field in snap.yaml/snapcraft.yaml for the dev to define)14:40
KristbaumCan I also file a bug, concerning the "repoducable Builds" thing, or would this be more anoying, than helpful?14:58
kyrofaKristbaum, are you talking about bug #158241715:01
ubottubug 1582417 in Snapcraft "snapcraft doesn't create binary-identical reproducible builds" [Undecided,New] https://launchpad.net/bugs/158241715:01
KristbaumOh, very nice, I thought I needed to create one first ;) Is there also one about linking to sources, so that you can verify, that you are running the correct software (in case it's opensource), or did I also miss that?15:05
kyrofaKristbaum, not that I know of15:10
ogra_thats really up to the developer, iirc the store app page pffers you to specify a source url and homepage when you register your snap15:12
Kristbaumogra_: But the source on the Website doesn't have to macht the final snap image, right?15:14
ogra_nothing has to match a snap ... but if you are OSS developer you can indeed specify your git tree and homepage15:14
ogra_snaps really only care about binary ...15:15
ogra_everything else would be added meta data for the store side15:15
ogra_there arent even any requirements that you have the source for what you put inside your snap (assumed you are allowed to distribute it indeed)15:16
KristbaumOkay, and we can agree that is a problem? Because, e.g. there is a Telegram app out there (wich I cant find the source for), how do I know it isn't sending out all I write to somebody? Or another example: The Keepassx snap, can't send anything because it has no network plug, but but how do I know if it really encrypts it correctly?15:21
ogra_you dont15:29
ogra_(afaik that telegram app is actually the binary from telegram.org ...)15:32
Kristbaumogra_: okay so this is a problem.. Should I bug report this, or is this more of a management decision?15:33
ogra_i dont see where it is a problem15:33
ogra_the snap design is only built around binaries ... how you produce them is in your responsibility15:34
ogra_it tries to give everyone the most freedom it can ... by not enforcing such stuff15:34
ogra_what it enforces is the security model ... no app should be able to access any data or service you havent explicitly authorized15:35
ogra_weather the source code that binary was initially built from is open or not doesnt matter ... a good OSS dev would indeed mention where the code comes from and give you a reciepe how it is built ... but thats totally not mandatory15:37
KristbaumI think the whole concept (at the moment), works really great for proprietary software. But for Free Software people, and Security minded ones it isn't really a step forward, because you can't check the software you are using. Isn't this a contrast to the whole security story?15:39
ogra_well, you cant check whet the single binary does, but you have full control about its outside connections15:39
ogra_be it disk, network, sensors on your phone or whatever15:40
KristbaumThats right, but in a OSS binary I want to trust the binary too. And I can't if i can't verify if it's the same code as on the website.15:41
ogra_you can if the developer tells you how it was built and points you to the source code15:42
ogra_if you are concerned about that you will have to check the details of the respective snaps you use15:43
ogra_but after all, do you actually do that for ... say the desktop you use ?15:44
ogra_i.e. do you know the filemanager you use doesnt come with a keylogger inside15:44
KristbaumThats right, but considering that it's quite easy in apt, snaps are kind of a step back. There is a really high chance that somebody will build a malicous e.g. Telegram app and there will be no checks possible, and when sobody finds out it will be a mess etc.. And no ofcource I am to lazy to ever check the source of my software, but I trust you and all the other Ubuntu/Debian developers that they have access to th15:47
ogra_well, the hope is indeed that telegram uses a snapcraft.yaml in its tree and simply provides an official snap15:48
KristbaumWe woudn't need to hope on every company to to this, if there would be something like a automated trustet OSS snap build service, where oss developers provide a link to the source and a .yaml file, and it gets built, and we can check it if needed with something like snap source telegram-sergiusens.15:54
ogra_thats called launchpad ;)15:55
ogra_(such an LP feature exists already)15:55
ogra_but still, it is optional15:55
ogra_the telegram-sergiuens snapcraft.yaml wouldnt help you much though ... i'm 90% sure it doesnt build the source15:56
ogra_afaik it just pulls the latest binary from upstream and snaps it15:56
KristbaumBut the Version in the store already is behind?15:57
ogra_and there will likely be many snapcraft.yaml files like this15:57
oparozLP snap builders, when they work, are great. You can even build partials15:57
ogra_did they stop working ?15:57
* ogra_ hasnt had issues yet15:58
ogra_Kristbaum, well, ask sergiusens :)15:58
ogra_if he feels like updating15:58
ogra_or just hit the update button inside the running app ;)15:59
KristbaumBut still, can people check if they want to, with this LP plugin?15:59
Kristbaumthe Update Button chrashes it :D15:59
KristbaumMaybe it is malicions :D16:00
ogra_it gets updated, but cant restart for whatever reason16:00
ogra_if you start it newly it is up to date16:00
KristbaumNope, it's the same as before16:01
ogra_https://code.launchpad.net/~ogra/+junk/ircproxy is a branch of mine (bit outdated, i'm waiting for "snap config" to come back) ...16:01
ogra_https://code.launchpad.net/~ogra/+snap/ircproxy are the snap packages created from that branch16:01
ogra_on the branch summary page i have a "build snap" button ...16:01
KristbaumInteresting indeed. But there is still the risk of a malicous person taking x/y oss app (modify it in a bad way), load it up in the store, and noone would notice. Snaps are a redirection of trust in the hands of the person that uploads it, and non officail app can be trusted.16:08
ogra_it depends ... i assume if you woulld use a snappy based desktop install you would still trust canonical as much as you do today16:09
jdstrandKristbaum: to expand on/reiterate what ogra said: snappy itself doesn't enforce anything regards to sources or builds from source, just like debs don't either. snaps and debs are a packaging format. Launchpad is used to build Ubuntu binaries from deb source packages. Launchpad has facilities for building snaps from source packages as well16:09
ogra_and that PPA guy from whom you install packaages to your system ... you trust him enough to give him root on your machine16:10
jdstrandKristbaum: and aiui there are plans to make building from sources even easier for open source projects and devs16:10
ogra_it shuffles the trust around indeed ... but also adds a massive amount of safety and security in the end16:10
KristbaumNo way :D That also no a good solution but at least I can go to the launchpad site and check it, and I know it is the same, as is running on my system.16:11
jdstrandKristbaum: then there *will* be a way to verify the origin-- there will be sha512 sums of the generated snap that can be compared against Launchpad, etc16:13
ogra_and if an OSS dev wants you to have that info today he can already put a link to the tree and a build HOWTO in the package description16:13
jdstrandand aiui, all this is going to get easier and better16:13
ogra_jdstrand, well, the origin for the binary16:13
ogra_i can slap a bunch of downloaded binaries together in a snap and just upload them from my desktop ... you can probably track it to me via that ... but you wont know if i built a thing of it from source16:14
jdstrandogra_: I'm saying that if someone uploads a source/build from source, the resulting binary's sum can be verified against what is installed on the device16:14
jdstranduploads and builds on LP that is16:14
ogra_but so can my binary blob collection16:14
ogra_right, if you build it there too, thats indeed different16:15
jdstrandso a security minded person might make a personal or site-specific decision-- I will only install snaps that are built on LP, etc16:15
jdstrandI can imagine snapd and the store gaining functionality to make that all convenient16:16
KristbaumOkay, thats a start ;) I really love the snappy concept in every way, this is the only thing that still bothers me. I think it's great that I will be able to at least check projects build on lp,16:16
KristbaumAnd marking the trusted OSS snaps would be nice to16:16
jdstrandreproducible builds and builds from source are important concepts that will be supported. the minimum bits are, more will come16:17
KristbaumI know you have a lot to do these days, I just hope noone gets bad ideas and builds malicious snaps. Because this could really damage the reputation early one, despite it beeing a grat idea.16:19
ogra_i actually hope people do :)16:20
ogra_it will prove the security setup16:20
KristbaumMaybe we should do a challenge to try and test the limity of snappy.16:20
ogra_definitely ... and indeed file bugs for everything16:20
KristbaumThe snappy challenge, who can get the most keyloggers to people :D Has UBuntu-Marketing an IRC channel?16:22
ogra_well, keylogger and Xorg vulnerabilities would be a bit unfair until Mir is there16:22
ogra_since it is a known open hole16:22
Kristbaumokay, fair point16:22
ogra_i'd start with a headless challenge ;)16:23
KristbaumWould In-App-Keyloggers be allowed?16:27
ogra_why not16:28
Kristbaumok, maybe I find somebody in marketing that likes the idea :D16:29
ssweenyniemeyer_, sorry I missed your ping earlier17:01
slvnHello! Just wondering about this issue which seems to lack attention. Some snap can't be validated because of invalid checksum ... https://bugs.launchpad.net/ubuntu/+source/squashfs-tools/+bug/157733317:32
ubottuLaunchpad bug 1577333 in squashfs-tools (Ubuntu) "snap-review failed with "checksums do not match"" [High,Confirmed]17:32
kyrofajdstrand, how do the review tools check that ^^? Uncompress and recompress and compare checksums?17:33
ogra_do you need to uncompress ?  the sum should be in the meta data ...17:34
ogra_so you just need to compare the squashfs sum vs meta17:34
kyrofaogra_, ah, I didn't realize that. What would cause them not to match?17:35
ssweenyjdstrand, if I'm writing a dbus rule to allow getting/setting a particular property what would that look like? Would the interface be /com/ubuntu/location/service/<property> or would it be /org/freedesktop/dbus/properties with the destination com.ubuntu.location.service.<property>?17:35
ogra_recompressing them ??17:35
jdstrandkyrofa: there are 3 bugs related to this that I'll be getting to after the interfaces, doc and devmode work17:38
kyrofajdstrand, ah, okay. I just noticed that you reassigned to squashfs-tools, so you must know what's going on there. I wasn't sure if snapcraft was doing something wrong or what17:38
kyrofaslvn, ^^ FYI17:39
jdstrandkyrofa: to answer your question specifically, I updated squashfs-tools to add an option to unsquashfs to grab the fs time from a snap. then I added an option to mksquashfs to injuect that time into the superblock. in this manner, we can resquash17:39
jdstrandkyrofa: however, there are a couple of issues where timestamps are causing trouble, and perhaps something not timestamp related17:39
jdstrandno, snapcraft is fine17:40
kyrofajdstrand, ah, I see, okay17:40
jdstrandit works a lot of the time but unfortunately it isn't 100% yet17:40
slvnkyrofa, I don't fully understand ... it seems to me *all* my packages systematically fails the checksum test.17:42
jdstrandslvn: you might be hitting one of the three different bugs17:43
slvnjdstrand, hmm ok! so all is under control :)17:44
jdstrandI'll be updating the review tools for something else, I should turn this check off until it is reliable17:44
jdstrandwell, yes, though it'll still be a little while before it is fixed. but let me make it better for people17:45
jdstrand(ie, make the check temporarily non-fatal17:45
jdstrandtyhicks, beuno: fyi, I just committed 'turn resquash test into info for now until the squashfs-tools bugs are fixed and this is a reliable check' to address ^17:54
tyhicksjdstrand: ack - I hope we can get to those bugs soon and reenable the checks17:58
jdstrandme too :|17:58
beunojdstrand, ack18:15
ssweenyjdstrand, for the location-control interface I have apparmor rules that enable "{Get,Set}" for properties. You mentioned expanding the dbus rules as well but I'm not sure what that should look like18:29
jdstrandssweeny: I was only saying that in general-- ie, whatever org.freedesktop.... accesses you might need to have Get and Set work18:39
jdstrandssweeny: maybe that is nothing beyond what the dbus abstractions already give (I just didn't know)18:39
jdstrandssweeny: (when location-control is standalone)18:39
ssweenyjdstrand, ah, that makes more sense. I don't think it's possible to do what I thought you meant (i.e. enumerate the properties themselves in the policy)18:39
jdstrandssweeny: oh no, we can't mediate on message contents, no18:40
ssweenyjdstrand, ok, thanks!18:41
jdstrandroadmr (cc beuno, nessita and tyhicks): can you pull r664 of the review tools for devmode support?21:17
jdstrandroadmr: and hi! :)21:17
roadmrjdstrand: sure! I'll work on it, hello :)21:18
jdstrandroadmr: it can be next week if needed21:18
jdstrandroadmr: thanks :)21:18
roadmrjdstrand: well it's fri evening so unless we escalate the hell out of it, it will be next week :(21:18
roadmrjdstrand: I'll get the ball rolling though :)21:18
jdstrandroadmr: right, please don't escalate the hell out of it :)21:20
roadmr\o/ thanks :)21:20
=== JanC is now known as Guest59129
=== JanC_ is now known as JanC
=== Kristbaum1 is now known as Kristbaum

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!