[00:38] Bug #1603838 opened: Interface for reading files in /usr [01:08] Bug #1594324 opened: pulseaudio interface needs access to pulse libraries [02:15] So I feel uncertain about how apps/snap packages will improve the Linux desktop. Could someone share their reasoning on why apps will improve the user experience? [02:19] Let's take the example of a security update. Let's say that OpenSSL has a critical vulnerability, and 5 different apps are all bundled with it. Wouldn't this mean that all 5 apps need to be updated? [02:21] Especially in third-world countries, where every byte of data matters, wouldn't this be detrimental? [02:22] Do apps actually help the user? Are they worth the bloat? Are they just an easy way out for application developers? [02:54] skiboy, in many ways, it's essentially an easy way out [02:55] one of the things that the snap/flatpak/appimage/etc model does is return the full burden of security to the upstream author [02:55] the blame lays squarely on them [02:56] And I can see the hassle in packaging something for so many different distros... But I feel it will be to the detriment of the end user... [02:56] packaging for Linux doesn't have to be so hard, and indeed there are several people working on this problem all the time [02:57] but at the end of the day, most people like to cling to enough differences that unifying the underlying architecture that allows for software delivery is not likely to happen [02:57] everyone is guilty of this, even myself [02:57] in many ways, the development of flatpaks, snaps, appimages, etc. is a signal that we've all thrown in the towel [02:59] after nearly 20 years of trying to push for the better model, most of the folks who are commercially invested in Linux are trying to switch to the Windows model of software distribution [02:59] how frustrating === chihchun_afk is now known as chihchun [03:00] nearly a decade ago, the Linux Standards Base attempted to solve this problem, but some distros never fully agreed to implement the specifications [03:01] the Debian family was a rather big opponent back in the day [03:01] but snap packages aren't replacing apt-get, right? I can still easily update my system with one command? [03:07] eventually, it will [03:07] at least, in Ubuntu [03:07] the Ubuntu Snappy Core is the prototype of the future of Ubuntu [04:48] PR snapd#1662 opened: client, cmd, daemon, osutil: support --yaml and --sudoer flags for create-user [05:53] PR snapd#1663 opened: disallow create-user on classic systems === PatrizioQON is now known as pbek [06:50] PR snapcraft#719 opened: support dest-subdir on dump plugin [07:01] didrocks, I just tried to search for "mysql" and I find a few of them. I want to know how mysql and tomcat are installed in the snap. I think it could be good to have them preassembed somewhhere.. [07:03] liuxg: it seems you just volounteered :) [07:04] didrocks, frankly, I have not tried that yet. I do not know the process for it. [07:04] liuxg: maybe a good opportunity to explore and learn IMHO === faenil is now known as faenil_ [07:23] Bug #1611639 opened: docs/package-names.md is out of sync with the rest of the project [07:32] Bug #1611641 opened: Running "snap" should produce more helpful output [07:39] PR snapd#1656 closed: snap: do not sort the result of `snap find` [08:47] ogra_: not sure, but a sudo /snap/bin/ubuntu-device-flash core 16 --verbose --channel edge --kernel pi2 --gadget pi3 --os ubuntu-core -o test.img gives me an image where the bootloader can't read the initrd [08:47] ogra_: getting https://paste.ubuntu.com/22893704/ [09:42] morphis, well, is there an initrd.img file in / of your boot partition ? [09:43] (that should be in a subdir named like the kernel snap) [09:43] ogra_: https://paste.ubuntu.com/22896672/ [09:44] morphis, yeah, thats what i thought ... [09:44] u-d-f issue [09:44] hah [09:44] mvo: ^^ [09:44] (it shoudl copy the initrd and vmlinuz in place and set the snap_kernel var) [09:50] morphis: please try "--kernel pi2-kernel" [09:50] ooh [09:50] i missed that one ... [09:50] it should error out there though [09:50] morphis: ideally the code would verify that but I'm not sure its worth the work (given that u-d-f will go away soon) [09:50] ogra_: yeah, see above [09:51] yeah [09:55] ogra_: was using what you gave me yesterday :-) [09:55] mvo, hmm, dont you need --devmode for the snapped u-d-f ? (your mail doesnt mention it) [09:56] ogra_: you need devmode, yes [09:56] * ogra_ cant imagine we have loop device access [09:57] * ogra_ answers the mail [09:57] sigh [09:57] and i'm blind ! [09:57] * ogra_ blushes [10:03] PR snapd#1664 opened: integration-tests: add update-rollback stress tests [10:05] http://www.zygoon.pl/2016/08/creating-your-first-snappy-interface.html [10:05] :-) [10:05] * zyga -> coffee [10:06] ogra_: heh, no worries [10:17] ogra_, mvo: if I use a local kernel snap do I just have to pass --kernel my.snap or a absolute path? [10:18] both should work (if the snap is in the same dir at least) [10:18] zyga: new failures on snapd-git on archlinux [10:19] http://pkgbuild.com/~tredaelli/logs/snapd-git/x86_64.log [10:21] timothy: looking [10:23] timothy :thanks, I will report this [10:26] timothy: I reported https://bugs.launchpad.net/snappy/+bug/1611706 [10:26] Bug #1611706: Test suite failures on Arch [10:27] Bug #1611706 opened: Test suite failures on Arch [10:30] dholbach: hey [10:30] hey zyga [10:31] dholbach: I'd like to start publishing content on snapcraft.io [10:31] I don't have access to the page [10:31] dholbach: how can I do that? [10:31] zyga, https://github.com/ubuntudesign/snapcraft.io [10:40] dholbach: thank you [10:40] anytime [10:41] mvo, ogra_: ok, using a local kernel snap doesn't wor [10:42] it don't end up on the boot partition [10:42] morphis, hmm, i thought mvo had added a fix for that yesterday [10:43] doesn't look like === davidcalle is now known as davidcalle|afk [10:49] zyga: nice blog post, thorough and useful i think [10:50] morphis, ogra_: sorry, did not manage that yet, will look after lunch, please keep poking, the world is a busy place for me currently, sorry for that [10:50] no worries === hikiko is now known as hikiko|ln [10:55] mvo: np [10:59] ogra_: hey hey did you do that thing about making paths writable yet? [10:59] mwhudson, bah, crap ... i forgot it ... [11:00] mwhudson, that was /var/lib/console-conf and /etc/netplan ? [11:01] ogra_: yes [11:01] * mwhudson checks his "things he was going to bug ogra_ about list" [11:01] ;-p [11:02] does u-d-f accept local files for the gadget / core snap? i know it does the the kernel snap... [11:02] and where can i download those files? [11:05] you can extract them from a downloaded image ;-) [11:05] * mwhudson unhelpfuls [11:05] joc_: thank you :) [11:06] i mainly want to avoid: 1) download time 2) development clashes (e.g. something changes in edge that breaks up my stuff) [11:10] ppisati, it used to, but i'm not sure about the current state, it changed a lot the last days [11:12] I look into the kernel sideload bug now [11:19] ogra_: sideloading amd64 kernel works, is that a problem with pi2 (uboot) only? [11:19] mvo, yeah, i only saw it on amr builds (dragonboard and pi2/3) [11:19] *arm [11:20] aha, ok [11:23] [ 6.377542] smsc95xx v1.0.4 [11:23] [ 6.435520] smsc95xx 1-1.1:1.0 eth0: register 'smsc95xx' at usb-3f980000.usb-1.1, smsc95xx USB 2.0 Ethernet, b8:27:eb:c9:2b:03 [11:23] [ 7.901142] smsc95xx 1-1.1:1.0 enxb827ebc92b03: renamed from eth0 [11:23] hmm [11:23] ppisati, any idea why the kernel would ignore net.ifnames=0 ? [11:25] ogra_: it's not the kernel [11:25] ogra_: hold on [11:25] https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1593379 [11:25] Bug #1593379: systemd 229-4ubuntu6 ignores net.ifnames=0 on USB or /etc/udev/rules.d/80-net-setup-link.rules being a /dev/null symlink (Ubuntu):Fix Released by pitti> [11:25] fixed in yakkety, still open in xenial [11:26] * ppisati goes for lunch, back later [11:30] ppisati, ah ... well, that wasnt systemd but the smsc95xx driver printing the above [11:31] would systemd change it back ? (i would expect the kernel to not rename it at all) === chihchun is now known as chihchun_afk === hikiko|ln is now known as hikiko [12:22] ppisati, ogra_: can you please try r4 of u-d-f from the store? it should fix the kernel sideload bug [12:22] * ogra_ just tested the pi3 image with the new ubuntu-core from the store, looks fine [12:23] i'll test a sideloaded kernel next [12:26] hmmm .... hmmmmm ... [12:27] morphis, did you try to build an armhf snap for u-d-f too ? [12:27] i wonder if you could build an image on the pi or dragonboard on an all-snap system :) [12:42] sergiusens: didrocks brings up a good point in the sub-parts mailing list thread regarding older versions of snapcraft needing the still namespaced part names. I think we can work around it by having the namespaced part names explicitly in the wiki and updating the origins. [12:43] i.e. parts: [desktop/gtk2, desktop/gtk3, ...] and another entry with "parts: [desktop-gtk2, desktop-gtk3, ...] [12:45] noise][: that's fine. I've got a meeting in a few minutes but suspect that next commit in less than 2 hours [12:54] ogra_: no :-) [12:57] has anyone ever snapped tomcat into snap? [12:58] yeah, in 15.04 ... not sure if there is a s16 snap [12:59] ogra_, would you please show me the project? thanks [13:01] no idea where that lives [13:02] ogra_, a customer is using apache, tomcat, mysql, java for a server on ubuntu core. I am trying to find out how we can package the stuff into a snap. [13:02] i only remember someone packaging it [13:02] iirc either asac or lool [13:03] asac, lool, have you every packaged tomcat into a snap? a customer is trying to build a apache server with tomcat. thanks [13:04] (probably asking on gitter in the snappy-playpen channel makes more sense though ) [13:05] didrocks, ^^^ didnt mosquitto use tomcat ? [13:05] iirc you worked on that === mterry_ is now known as mterry [13:06] ogra_, mosquitto does not use tomcat, it uses MQTT to do thaht. [13:10] yeah, only mqtt AFAIK [13:11] didrocks, ogra_, if tomcat is not in the official ubuntu archive, we cannot install it directly from the debian packages, right? we have to use the source code to build it, right? [13:12] well, arent there tarballs with binaries ? [13:13] i see tomcat in the archive though [13:14] 7 and 8 [13:16] ogra_: the kernel is printing it because the rename function (dev_change_name()) is invoked through an ioctl() [13:16] ogra_: if you try with the xenial's release systemd package, you won't hit that [13:17] liuxg: you can always at worse download the content of binaries and uncompress while using the copy/dump plugins [13:17] ppisati, ok, i was just curious since that happens before init even runs i think [13:19] didrocks, the thing is that we need to copy to the right place in the snap. we have to know where the files should go. [13:20] liuxg: Hi, here's the sample snap I did with Tomcat a long while ago https://github.com/snapcore/snapcraft/blob/master/demos/tomcat-maven-webapp/snapcraft.yaml [13:20] liuxg: it is not very fancy, but it worked; let me know how it goes [13:21] liuxg: indeed [13:21] liuxg: I'm travelling this week, so a bit hard to reach [13:21] lool, many thanks for your help. I will take a look at it. Have a good trip! [13:22] thanks [13:23] didrocks, lool, strange, "dump" is not listed when I use "snapcraft list-plugins". is this a bug? [13:23] liuxg: It's the first time I hear about it; I think this example was modified when this plugin landed in snapcraft [13:23] liuxg: it will be available with the next version of snapcraft (which is in -proposed right now) [13:24] dump is the new name for the copy plugin i think [13:25] didrocks, my current snapcraft version is 2.13.1, what will be next release? [13:25] .14 [13:25] ogra_, do you mean that I can use "copy" to replace it? [13:25] yes [13:26] or just look at an older version of the branch :) [13:26] ogra_, then in the example https://github.com/snapcore/snapcraft/blob/master/demos/tomcat-maven-webapp/snapcraft.yaml#L17, it does not specify the destination, will it work? [13:27] ogra_, sorry, this is the line https://github.com/snapcore/snapcraft/blob/master/demos/tomcat-maven-webapp/snapcraft.yaml#L22 [13:28] didrocks, do you know how I can make use of the latest snapcraft (-proposed)? my snapcraft is from the stable channel so far. [13:28] liuxg: you can just wget the package on launchpad and install it manually [13:28] with dpkg -i [13:29] liuxg, this is the snapcraft.yaml from before the rename (seems it wasnt only copy that got renamed to dump) https://github.com/snapcore/snapcraft/blob/f0a19ebccfa3f0502b792095d4b0edae4e04eb68/demos/tomcat-maven-webapp/snapcraft.yaml [13:30] didrocks, OK, I will have a try. thanks. previously, I just directly installed it from the source, and I messed up everything. [13:30] yeah, you can go this way, it's safer :) [13:31] ogra_, thanks for your help. yeah, it looks different [13:47] lool, what is the purpose of the file ".travis.yml" in the project https://github.com/lool/snappy-mvn-demo/blob/master/.travis.yml? thanks [13:48] liuxg: it's to trigger a travis build when something gets pushed or when a pull request is made [13:48] liuxg: see travis-ci.org [13:48] liuxg: I dont think it worked correctly for that project though [13:49] lool, I just tried to compile it, it failed. I compiled it using the its previous version http://paste.ubuntu.com/22912200/ [13:50] lool, the error message is like http://paste.ubuntu.com/22912252/ [14:00] didrocks, where did you find the binaries for the snapcraft on launchpad? I found a site https://launchpad.net/snapcraft/trunk, but I did not get the release file? thanks [14:00] liuxg: https://launchpad.net/ubuntu/+source/snapcraft/2.14/+build/10589180 [14:00] see "built files" [14:01] didrocks, yes, I saw it. thanks [14:02] ogra@anubis:~/datengrab/images/snappy$ sudo snap refresh --channel=beta ubuntu-device-flash [14:02] error: cannot refresh "ubuntu-device-flash": snap "ubuntu-device-flash" has no updates available [14:02] mvo, ^^^ did you publish the new u-d-f ? [14:02] oh [14:03] ignore that ... needs --devmode too [14:03] uuuh [14:03] error: cannot perform the following tasks: [14:03] - Setup snap "ubuntu-device-flash" (4) security profiles (cannot setup apparmor for snap "ubuntu-device-flash": cannot load apparmor profile "snap.ubuntu-device-flash.ubuntu-device-flash": cannot load apparmor profile: exit status 10 [14:03] * didrocks was going to suggest that [14:03] apparmor_parser output: [14:03] ) [14:04] ogra_: wuut [14:04] ogra_: how can apparmor fail for a devmode snap :( [14:05] ogra_: if the file is still there, can you pastebinit ? (I guess its not :/ [14:07] now ... that didbnt go so well ... calling u-d-f anyway after that error had-locked my machine [14:08] * ogra_ removes and re-installs [14:08] that looks better [14:09] lool, ogra_, I have upgraded my snapcraft to 2.14, but I still get the same error when I tried to build the tomcat demo example https://github.com/snapcore/snapcraft/tree/master/demos/tomcat-maven-webapp. the error message is like http://paste.ubuntu.com/22913740/, do I miss anything there? [14:10] mvo: note, the apparmor policy is wholly present with --devmode-- all that is different is the complain flag [14:10] jdstrand: hey, I posted another interface article on my blog, feedback welcome :-) [14:10] mvo: hmm? [14:11] ogra_: that is still pretty terrible, this is snapd 2.11? [14:11] jdstrand: oh, ok [14:11] mvo: devmode can still fail, it's just another profile [14:11] mvo: so if there is an error in the policy then it will fail to parse. also, if this is done on a machine that doesn't have an updated parser for newer rules (like unix), it will fail to parse [14:11] zyga: see above, ogra_ installed an update of ubuntu-device-flash and the install aborted with an exit 10 [14:11] ogra@anubis:~/datengrab/images/snappy$ snap --version [14:11] snap 2.11+0.16.04 [14:11] snapd 2.11+0.16.04 [14:11] series 16 [14:11] ubuntu 16.04 [14:11] is this by chance running on a trusty machine? [14:11] nope [14:11] there is no snap on trusty :) [14:11] jdstrand: well, I did not do anything with the policy [14:12] jdstrand: this is a quick-n-dirty devmode snap of ubuntu-device-flash [14:12] mvo: we should see exactly what apparmor_parser said [14:12] it worked fine after snap remove and snap install [14:12] ogra_: can you pastebin the profile from /var/lib/snapd/apparmor/profiles please [14:12] zyga, i fear thats gone now ... but indeed i can [14:12] mvo: maybe there's a bug in some of the intefaces that causes this to fail [14:12] (i mean the broken one is gone) [14:13] http://paste.ubuntu.com/22914044/ [14:13] ogra_: this looks like a efault template [14:13] ogra_: anything in snap changes or snap change XX (nr) that might give a clue? [14:14] zyga: it is [14:14] ogra_: if that fails then all the snaps will fail the same way [14:14] ogra_: can you install hello-world snap please? [14:14] mvo, http://paste.ubuntu.com/22914167/ [14:15] artmello_: hey [14:15] jdstrand: hey [14:16] zyga, installed === artmello_ is now known as artmello [14:16] artmello_: are you planning on snapping the thumbnailer service or assuming it will be present on the system? [14:16] jdstrand: does exit-code 10 has any meaning (context is http://paste.ubuntu.com/22914167/) [14:17] jdstrand: snapping it. I have an untested snap of it but I was thinking about fixing the interface first [14:17] jdstrand: but I can start using the snap thumbnailer during these tests [14:18] artmello: ok, so 'classic' is the traditional Ubuntu desktop system and interfaces that access those services need different policy than those that are services as snaps [14:18] jdstrand: ok [14:18] artmello: because you are snapping thumbnailer, you don't have to worry about classic at this time [14:19] jdstrand: right [14:19] artmello: so, yes, do the ConnectedSlotAppArmor stuff I mentioned in privmsg. when testing, you'll want to remove the thumbnailer service deb and install the thumbnailer service snap [14:20] (so the snap can bind to the dbus interface, etc) === davmor2_ is now known as davmor2 [14:20] artmello: but you'll need to adjust the thumbnailer to not do the security label check any more (since it doesn't have to with interface connections) [14:21] jdstrand: right, will change thumbnailer as you suggested [14:21] artmello: (or again, if sharing codesbases for the thumbnailer with click, short-circuit with the snap. check I mentioned) [14:24] jdstrand: ok, thx! I undertood it better now. Will apply the changes and see how it goes [14:24] ogra_: hmmmm so if that doesn't fail then I have no idea [14:24] ogra_: is the problem reproducible? [14:24] zyga, dunno, i can tell you the next time i upgrade something in --beta with --devmode from the store i guess [14:25] ogra_, mvo can we release the OS snaps into staging as part of our process as well? [14:25] josepht we can just pick up another cache file [14:25] mvo: '10' doesn't mean much to me. that seems to be ECHILD... [14:25] perhaps mvo can upload a no-change snap of u-d-f so i can re-test (though perhaps that should wait til after the meeting, i dont want to have to hit the reset button during meeting :)) [14:26] kyrofa, i just released a set today [14:26] what is the snap.yaml of ubuntu-device-flash? [14:26] ogra_, ah, into staging as well? [14:26] kyrofa: staging? you mean candidate? [14:26] mvo, no, the staging server [14:26] mvo, staging store, whatever it's called [14:26] kyrofa: oh, sorry. hm, yes we can :) [14:26] kyrofa, i'm waiting for jdstrand's review tools fix to land to see how the auto-landing goes ... but i think we still need to manually hit the publish button [14:26] mvo, if you setup a clean machine and point it to staging, there's no OS snap to pull down so you can't install anything :) [14:27] mvo, easy workaround, but if that's something we can automate it'd be useful [14:28] kyrofa: I shared it with you, you can now just download it directly from the real store and upload to staging as you need [14:28] mvo, ah, super useful thank you! [14:28] kyrofa: +1 for automation, we are still working on that, its still very manual right now (manual approve, manual publish, lots of button clicks :/ [14:29] kyrofa, i guess thats also a cjwatson question if LP can offer uploads to staging [14:29] (if there is a way i'll happily add a parallel ubuntu-core build, thats trivial) [14:31] reading pi2-kernel_x1.snap/kernel.img [14:31] ** Unable to read file pi2-kernel_x1.snap/kernel.img ** [14:31] reading pi2-kernel_x1.snap/initrd.img [14:31] ** Unable to read file pi2-kernel_x1.snap/initrd.img ** [14:31] Bad Linux ARM zImage magic! [14:31] ogra_, oh, good point [14:31] mvo, ^^^ [14:32] ogra_: only from LP staging [14:32] ah, well, then i should be able to set something up (i have to check if i still have staging access) [14:33] staging access isn't a special thing [14:33] but it does require a separate staging SSO account [14:33] and staging LP isn't up all the time [14:33] ogra_: can you run "file pi2-kernel_x1.snap/kernel.img" (and the same for initrd.img? [14:33] ogra@anubis:~/datengrab/images/snappy$ ls /media/ogra/writable/system-data/snap/pi2-kernel/ [14:33] unset [14:33] ogra@anubis:~/datengrab/images/snappy$ [14:33] ogra_: and what commandline did you use? I will try to reproduce [14:33] same issue as before [14:34] ogra_: hm, hm [14:34] and no kernel/initrd in system-boot at all [14:36] ogra@anubis:~/datengrab/images/snappy$ sudo /snap/bin/ubuntu-device-flash core 16 --channel edge --gadget pi3 --kernel pi2-kernel_4.4.0-1019-raspi2_armhf.snap --os ubuntu-core -o test-pi3.img [14:36] that was what i used for building ... the kernel was manually downloaded from the store [14:38] PR snapcraft#719 closed: support dest-subdir on dump plugin === matiasb1 is now known as matiasb [14:51] is network-control the only plug i need so that my snap can create a network bridge? [14:51] well, you probably also want to use thenetwork .. so the "network" plug would also be handy in that case [14:52] ok, problem is when i set those 2 and attempt to run my snap it just errors with "Bad system call" [14:53] this is running in strict mode [14:54] https://www.irccloud.com/pastebin/F04R1oh6/ [14:54] thats my log output [14:55] stokachu: assuming this is amd64, you need network-bind (scmp_sys_resolver 49 shows as bind) [14:55] stokachu: no if you aren't actually binding to a network port, then the network-control interface should probably include bind [14:55] s/no/now/ [14:56] jdstrand: yea im just creating a bridge for my lxd containers to use [14:58] stokachu: can you file a bug and add the 'snapd-interface' tag with a simple reproducer for needing bind? [14:59] jdstrand: sure thing [14:59] stokachu: and mention the workaround is to use 'network-bind' [14:59] stokachu: thanks! :) [14:59] jdstrand: np, building now and testing to make sure it won't fail [15:00] elopio do you want to tackle https://bugs.launchpad.net/snapcraft/+bug/1611498 ? [15:00] Bug #1611498: snapcraft fails install using virtualenv instructions [15:01] next week [15:01] or maybe josepht as you got this going in the first place ^ [15:01] jdstrand: cool! works [15:02] sergiusens: I can take care of that [15:02] elopio: ^ [15:02] sergiusens, I just tried to build the demo example at https://github.com/snapcore/snapcraft/tree/master/demos/tomcat-maven-webapp, there was an error. I do not know how to correct the problem for it. I have upgraded my snapcraft to 2.14 already. thanks [15:02] stokachu: nice! :) [15:04] is http://search.apps.ubuntu.com down? [15:13] Getting details for ubuntu-core [15:13] Expecting value: line 1 column 1 (char 0) [15:13] ... [15:14] snapcraft just returned this while trying to fecth ubuntu-core [15:14] dragly, there is an update going on, launchpad is down too. [15:14] ppisati, funny error ... and so descriptive :P [15:14] OerHeks: Okay. Thanks :) [15:14] ogra_: :( [15:14] i hope is connected to the lp / store/ etc downtime [15:14] ppisati, thats the kernel plugin trying to get the initrd from the store ? [15:15] is it true you cannot snap an app that starts as root and then drops its privileges? [15:15] ogra_: yep, to download the ubuntu-core snap i think [15:16] I'm checking https://developer.ubuntu.com/en/snappy/build-apps/debug/#common-problems [15:16] the switch from root to unprivileged user (or any other user) is blocked? [15:16] ahasenack, where to would it drop its privs ? [15:17] there are no users [15:17] is that the reason? [15:17] or is the set?uid call blocked?/ [15:17] asnd there is no ability to create any from a snap [15:17] it could be a default user from /etc/passwd [15:17] setuid gets stripped out by snapcraft at build time [15:17] shipped in the base system [15:17] and daemons/services always run as root [15:17] I meant the syscall, not the setuid bit on a file [15:18] yeah,m i think thats blocked, together with fchown and others [15:18] not in the real world, there good services run as unprivileged users. I understand apparmor can confine root, sure [15:21] ahasenack: A couple of aspects to that: [15:22] ahasenack: snapd can easily mediate any interactions around that, including privilege dropping [15:22] ahasenack: So if there are requirements, we can cook the proper interface lifting the exact allowances the application would need for doing its job [15:23] ahasenack: Unfortunately and ironically, "dropping" privileges is often done with system calls that allows *gaining* privileges [15:23] ppisati please log a bug for that :-) [15:24] ahasenack: So although the app intent is good, relinquishing access to certain things, from a system perspective it may not be advantageous to allow even the initial phase of the application to do those actions [15:25] ahasenack: So, YMMV.. I wouldn't strongly prescribe anything at this point.. I know you are very security-mindful, and if you have suggestions or would like to research about how much to give and how much to take, that'd be very welcome [15:26] Bug #1611819 opened: implement a way for daemons to play audio [15:26] sergiusens: pong. [15:26] ahasenack: we are going to support privilege dropping, we first need snap-confine in xenial-updates, then we'll allow something, perhaps priv dropping to 'daemon'. later we might allow requesting a uid and/or gid and dropping to that (that would be farther out) [15:27] jdstrand: Nice [15:28] I feel like I keep talking about snap-confine landing. fingers crossed it will be soon :) [15:29] that said, I have several things on my plate to get to before that, so that's ok [15:36] noise][: hey, Canonical irc seems down so mentioning here [15:37] noise][: r706 is ready to pull. that, among other things, will do what ogra_ asked me to address wrt auto-approve of the ubuntu-core snap [15:37] jdstrand, yep, lost it here too [15:39] jdstrand, that includes the confinement complaint too ? [15:39] (or was that not causing a block) [15:40] ogra_: can you give me the link to the snap that had that? [15:40] if the store lets me in :P [15:40] ogra_: the issue was 'confinement' not being present? [15:41] no, being present in a non "app" snap [15:41] jdstrand: hi, i'm trying to confirm if the udev tagging for cgroup access is working for me as discussed yesterday, i'm finding that i get access to everything matched by /dev/** though [15:41] https://myapps.developer.ubuntu.com/dev/click-apps/4142/rev/176/ [15:41] PR snapcraft#679 closed: add multiple generator script options to autotools