/srv/irclogs.ubuntu.com/2016/10/31/#snappy.txt

=== chihchun is now known as chihchun_afk
=== chihchun_afk is now known as chihchun
=== JanC_ is now known as JanC
=== Guest79971 is now known as ahasenack
=== ahasenack is now known as Guest85272
rvrogra_: Still no wifi on the Raspi 311:06
=== hikiko is now known as hikiko|ln
ogra_rvr, yes, likely a kernel issue11:30
mupBug #1637981 opened: failed snap refresh removes security profiles <Snappy:New> <https://launchpad.net/bugs/1637981>11:44
mupPR snapd#2231 opened: overlord/ifacestate: setup profiles is its own undo task <Created by zyga> <https://github.com/snapcore/snapd/pull/2231>11:47
bzoltanelopio: I would need some help with the snapcraft tests11:53
zygaPharaoh_Atem: hey, how are you?11:54
Son_Gokuzyga: yo11:54
Son_Gokuzyga: I just pushed a commit to (theoretically) grant homedir access: https://gitlab.com/Conan_Kudo/snapcore-selinux/commit/0e2c1fb73a520b348254142347bb7f4b8445b63a11:56
=== hikiko|ln is now known as hikiko
kalikiana_Hrm12:07
kalikiana_Cannot allocate qemu:ubuntu-16.10-64: cannot launch qemu qemu:ubuntu-16.10-64: exec: "kvm": executable file not found in $PATH12:07
kalikiana_Trying to run 'spread -v qemu' as suggested by HACKING.md12:08
kalikiana_Tried to add a symlink in /snap but even that's not helping12:08
kalikiana_It goes without saying I've installed what was asked for, and I do have a working kvm command on the host12:08
kalikiana_Also: I do have the image in ~/snap/spread/23/.spread/qemu because I realized that's where spread is looking for it, even though it's not clearly stated and spread's readme actually talks about ~/.spread/qemu12:15
sitterWe're having some problems with dbus confinement. KDE has lots of apps that (semi-implicitly; as in: devs might not even know dbus is involved) access the session bus and claim a service name on it. For all intents and purposes these are like dbus service-daemons with a well defined service name of the form org.kde.$appname.12:16
sitterThis is how we implement unique application behavior (e.g. user starts foo, foo claims org.kde.foo, when foo is invoked again by whatever means it will first check if org.kde.foo is claimed and if so send a raiseWindow to that instead of starting a second instance of foo).12:16
sitterThis also can be the case with multiple apps registering org.kde.$appname-* where * can be $pid or $pid-$randomstuff.12:16
sitterI am wondering if it would be possible to have a common interface which allows a snap to connect to the session bus and interact with a specific service name there (i.e. its own).12:16
sitterI did see a bus-name property in snapd's app validator, that doesn't seem to be supported as per snapcraft's validator though.12:16
sitterzyga, popey ^12:16
ogra_grrr, reconnect ...12:16
ogra_kalikiana_, all necessary interfaces connected ?12:17
kalikiana_ogra_: I have no idea. There's 0 information on what I might need :-)12:17
sitterpopey: also, I just filed reservation requests for kcalc, kruler and ktuberling when you find a minute to approve them :)12:17
ogra_kalikiana_, snap interfaces ... check if there are unconnected ones for the spread snap12:17
kalikiana_ogra_: it has home,network,network-bind12:18
ogra_well, was worth a try :)12:19
kalikiana_it's also running in --devmode as per instructions, but I can't see that here12:19
ogra_snap list should show that12:19
kalikiana_Ah, it does indeed12:19
popeysitter: will do12:20
kalikiana_ogra_: So you have the same ones? I feel I might be missing some kind of magic OR the snap itself has the wrong version - although it doesn't say anything about needing an edge channel version12:20
Son_Gokuzyga, I wish snapd failed gracefully when it can't write files in protected places rather than hanging12:20
ogra_kalikiana_, i never used spread before ...12:21
kalikiana_Aha, okay.12:21
ogra_seems edge and stable have th same revision though12:22
kalikiana_I'd have to say I'm suspicious how it should be able to access "kvm" on my host, it'd be the first snap I see that can run anything from /usr/bin12:22
kalikiana_And there's no such script inside it12:22
ogra_well, --devmode should allow it to do anything it likes12:23
ogra_(but spam your syslog like crazy)12:23
Son_Gokuzyga, does snapd use FUSE for something?12:23
kalikiana_Except accessing /usr/bin - even if it was in its PATH, it will see the core's /usr/bin12:23
ogra_hmm, indeed12:24
kalikiana_I don't see how that could ever work12:24
kalikiana_So... there must be some other trick to it12:24
bzoltanogra_:  do you know who could be around this time who has some understanding of the snapcraft tests?12:24
ogra_snap-confine does some bind mount magic here ... though i'm nmot sure how much of /usr/bin12:24
ogra_bzoltan, fgimenez perhaps12:25
bzoltanogra_:  thanks12:25
bzoltanfgimenez:  I would need some help with the snapcraft tests. How to run individual tests?12:25
kalikiana_ogra_: I can see via snap run --shell that it's got a bunch of stuff but none of the qemu or kvm bits12:26
kalikiana_(awesome command to have for debugging, sadly I'm still poking in the dark)12:26
ogra_kalikiana_, i fear you need to wait for niemeyer12:29
niemeyerkalikiana_: If it is in --devmode, it should see the host filesystem in /var/lib/snapd/hostfs12:31
niemeyerkalikiana_: We're also working on a feature that will enable you to see that in / soon12:31
kalikiana_Aha that's good to know12:36
kalikiana_niemeyer: Would you know anything about using spread to run snapd tests? I can't get past 'Cannot allocate qemu:ubuntu-16.04-64: cannot launch qemu qemu:ubuntu-16.04-64: exec: "kvm": executable file not found in $PATH'12:37
fgimenezhey bzoltan, i don't know too much about snapcraft testing, probably elopio can explain accurately, but according to https://github.com/snapcore/snapcraft/blob/master/runtests.sh#L70 you can execute individual integration tests passing the name of the file, same goes for unit tests, hope this helps12:41
bzoltanfgimenez: thanks. i will check that out12:41
mupPR snapd#2232 opened: tests: add test for incorrect security files generation on undo <Created by mvo5> <https://github.com/snapcore/snapd/pull/2232>12:41
Son_Gokuniemeyer, does snapd have its own SSL cert loader?12:45
niemeyerSon_Goku: Hi12:46
niemeyerSon_Goku: What's the context?12:46
zygaSon_Goku: no, but it can control fuse through an interface somehow AFAIK12:46
zygaogra_: what was the question about snap-confine?12:46
Son_Gokuniemeyer, I'm writing the snapd selinux policy, and I got to the point where now it throws errors instead of hanging on enforcing...12:47
Son_Gokuthis is what I get: https://paste.fedoraproject.org/466809/47791801/12:47
kalikiana_fgimenez: Any idea on the 'kvm: executable not found' error? I'm out of ideas on how to run the spread tests12:49
mupPR snapd#2231 closed: overlord/ifacestate: setup profiles is its own undo task <Created by zyga> <Closed by zyga> <https://github.com/snapcore/snapd/pull/2231>12:52
Son_Gokuniemeyer, why does snapd download the /tmp instead of downloading to /var/lib/snapd/snaps?12:58
=== fginther` is now known as fginther
niemeyerSon_Goku: Hmm.. the former issue looks like snapd cannot open the local certificate on the host system13:03
Son_Gokuyeah, I fixed that13:03
niemeyerSon_Goku: Ah, ok.. after you asked the previous question (SSL cert loader), or was that a different question?13:04
Son_Gokuafter I asked the SSL question, I pretty much guessed it does its own HTTPS stuff13:04
Son_Gokuso I added rules for it: https://gitlab.com/Conan_Kudo/snapcore-selinux/commit/3b7e03c4428f8908e1d21a22cea9a78b522694fe13:04
Son_Gokuniemeyer, now I want to know why snapd downloads snaps to /tmp instead of /var/lib/snapd/snaps13:05
Son_Gokuit doesn't make much sense to me13:05
niemeyerSon_Goku: Yeah, it can talk to remote systems using TLS so it needs a proper db of certs indeed13:05
niemeyerSon_Goku: Yeah, we've fixed that already13:05
niemeyerSon_Goku: 2.17 will have that corrected13:06
Son_Gokuah, so it doesn't do this anymore, good13:06
Son_Gokubecause I wasn't sure how to handle the context transition case when files get moved around13:06
Son_Gokufrom /tmp to /var/lib/snapd13:06
niemeyerSon_Goku: Yeah, 2.17 will write .partial files on a download directory and then rename them in place, which is much nicer for multiple reasons13:07
Son_Gokuyep13:07
Son_Gokuand it neatly solves an selinux problem I wasn't sure how to solve13:07
Son_Gokuand the practical problem of systems having ramdisk /tmp run out of space13:08
Son_Gokuniemeyer, the download directory is in /var/lib/snapd?13:08
Son_Gokuas long as it's in there, I don't need to do anything to handle it13:09
ogra_zyga, already answered (/var/lib/snapd/hostfs)13:14
zygaogra_: ah, thanks13:23
Son_Gokuzyga, why does snapd need to read the dbus config dir?13:23
lorenzo__Hello13:27
lorenzo__Quick question, does anyone know how to install snapd on CentOS?13:28
zygaSon_Goku: it needs to read it to remove stale files it creates13:34
zygaSon_Goku: in all those cases it manages a subset of "snap-*"13:34
niemeyerSon_Goku: Yes, it will be in there for sure13:34
Son_Gokuzyga: so it needs read/write access there13:35
niemeyerSon_Goku: Not sure if under .../partial or .../snaps yet.. we're likely touching this today/tomorrow for making it nicer13:35
Son_Gokuniemeyer, as long as it's in /var/lib/snapd, I don't care :)13:35
niemeyerSon_Goku: So you're good :)13:36
Son_Gokuniemeyer, I'd probably suggest /partial or /snaps/partial13:36
Son_Gokuthe latter is more intuitive13:36
niemeyerSon_Goku: That's what we have in master, but it creates some non-obvious consequences13:36
Son_Gokuoh?13:36
niemeyerSon_Goku: e.g. on "snap download foo", we want foo.snap.partial in $CWD13:36
niemeyerSon_Goku: We're still figuring the details, but we want to make sure the same code path works nicely both on snapd and on snap download, etc13:37
Son_Gokusnap download doesn't use snapd?13:38
niemeyerSon_Goku: It does, but not for everything.. we don't want plain users fiddling with content that goes into sensitive directories13:40
niemeyerSon_Goku: IOW, anyone in the system can do "snap download".. only root can put content into snapd/...13:41
Son_Gokuniemeyer, what does snapd depend on fusedevice for?13:47
mhall119sitter: I've approved your app name registrations14:20
bzoltanelopio: ping14:21
elopiobzoltan: pong14:23
bzoltanelopio: yo man :) I need some help with snapcraft plugin/tests14:24
elopiobzoltan: sure. Unit or integration?14:24
bzoltanelopio:  whatever needed. I guess unit14:24
elopiobzoltan: well, if you are adding a plugin you need the two types :) I first need to take a look at the ones from Pharaoh_Atem, and then I have all the time for you. How can I help you?14:25
elopiopitti: ping. Any idea about "No annotated tags can describe 'cdefe0fc2dda29b4290eb4a054dbe607b61da21b'."? https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-xenial-elopio-snapcraft-semaphore/xenial/amd64/s/snapcraft/20161028_194936_f7252@/log.gz14:25
bzoltanelopio:  I made a simple plugin what zips up the staging space after build. This is for development use. For example when we build the qt-ubuntu content interface we will need a tar.gz with the  .h and .so files. Like -dev package in deb world.14:26
bzoltanelopio:  the plugin is ready (super simple) and I want to make nice tests for it... I am not familiar with the test framework of the snapcraft.14:27
elopiobzoltan: we have unit tests for full line coverage, and integration tests where you call the snapcraft command in a real snapcraft.yaml14:30
kalikiana_balloons: Did you have a chance to check out the lxd-client interface?14:31
elopiobzoltan: your plugin sounds really similar to dump, so you can probably start copying the initial tests from snapcraft/tests/test_plugin_dump.py14:31
elopioand integration_tests/test_dump_plugin.py14:31
elopioI see a naming inconsistency there :/14:32
ogra_mvo, !14:33
mvohey ogra_14:33
ogra_mvo, do you mind if we kill the arch: all pi3 gadget in the store (seems there was an old one that used to be arch: all, not armhf ... people can actually download it on x86 machines)14:34
mvoogra_: sure, lets do that14:34
bzoltanelopio:  the problem is that the dump is done before the build... my plugin needs a built snapcraft project.14:34
* ogra_ goes ahead14:34
mvoogra_: aynthing new on the pi3 wifi issue? if not I will try to get pitti to have a look at it too14:34
ogra_mvo, i suspect there is also a relared kernel issue here ... sadly ppisati fried his pi3 during the sprint :(14:35
ogra_(and now he is on vacation)14:35
ogra_mvo, but having pitti aboard might help (if there is no bank holiday for him today (reformationstag))14:36
ogra_bah ... so i cant just uncheck all channels for pi3 rev214:36
elopiobzoltan: I thought your plugin would be dump + zip. Do you need it as a post-step for all the existing plugins?14:37
ogra_but at least i can unpublish14:37
ogra_sigh14:37
bzoltanelopio: it is just a zip14:37
ogra_and the store automatically went back to publish rev1 instead14:38
* ogra_ unpublishes that too14:38
ogra_ok, thats better, only rev6 now ... and armhf only14:38
bzoltanelopio:  it will look like this: http://pastebin.ubuntu.com/23407202/ and the project produces the qt-ubuntu.snap and the qt-ubuntu-api.tar.gz files14:41
elopiobzoltan: to me, that sounds like a new step in the lifecycle, probably handled with a new attribute in the yaml. But Sergio and kyrofa are the ones that decide about that kind of design.14:43
elopioSergio is in a sprint. You can find him in rocket or telegram.14:44
bzoltanelopio:  well... i am doing the plugin and will offer to upstream :) But my problem is that I do not understand the unit test structure14:46
sittermhall119: thanks14:46
elopiobzoltan: put a simplified version of your paste into integration_tests/snaps, and in integration_tests/test_development_plugin.py write a test that calls snapcraft and checks that it creates the zip file.14:50
bzoltanelopio: ok, that is the integration test part. That sounds doable. What about the unit test?14:52
elopiobzoltan: on the unit tests, it really depends on the code you write. I imagine a test like this one: https://github.com/snapcore/snapcraft/blob/master/snapcraft/tests/test_plugin_dump.py#L42 but called something like test_build_creates_zip14:55
bzoltanelopio:  Okey, thanks. I will pull together something and we'll see if it does the job.14:56
bzoltanelopio:  my problem with the  unit test is that I do not know how to create a stage space from a template yaml14:56
bzoltanelopio:  the integration test you suggest will do the trick...14:57
elopiobut I'm confused about your code. I'm not really sure how you would enforce that there are contentes in stage, or how to make sure that it's the last to run.14:57
elopiobzoltan: but if you want, push the code to a PR, and comment on it that's work in progress. It will make the discussion easier.14:57
elopiobzoltan: in unit tests, you don't always need a yaml. You just mkdir stage, and put some files in there.14:58
bzoltanelopio: ahh... mkdir and file creation... cool15:00
balloonskalikiana_, is the interface ready?15:01
balloonskalikiana_, I can definitely try it out if it's ready15:01
kalikiana_balloons: It's in the branch, https://github.com/snapcore/snapd/pull/222515:03
mupPR snapd#2225: Implement lxd-client interface exposing the lxd snap <Created by kalikiana> <https://github.com/snapcore/snapd/pull/2225>15:03
balloonskalikiana_, awesome. I've got release work to do today and tomorrow, but I will definitely try it this week. If you want to vet it out yourself, feel free to try adding it to juju and building a snap: https://github.com/juju/juju/blob/staging/snapcraft.yaml15:05
sittermhall119: something that puzzles me about the store. I upload something -> it gets auto rejected on account of being crap quality -> I upload a new revision with fix -> new revision is now queued for automatic checks saying "Revision waiting for review of a previous upload." and that previous upload is in status "Manual review pending". is that intentional?15:06
sitterbecause that is fairly screwing with my productivity just now :/15:06
mhall119nessita: ^^ can you answer that? It sounds like a bug in the workflow to me15:26
kalikiana_stgraber, jdstrand: wrt lxd-client being all-powerful, is that a shortcoming in apparmor/seccomp? or the lxd API being unrestricted?16:26
kalikiana_Wondering where to take that discussion, presuming the current unconfined state is temporary16:27
=== JanC_ is now known as JanC
stgraberkalikiana_: nothing to do with apparmor/seccomp limitations, it's just that LXD has legitimate use for all of that access17:21
stgraberkalikiana_: the LXD API lets you define containers that have raw access to disks, PCI devices, USB devices, specific kernel modules and intefrace, ...17:21
stgraberand things like Juju actually use that to pass through access to openvswitch for OpenStack or even /dev/mem in some cases17:21
stgraberkalikiana_: we may at some point add the concept of tenants to LXD and could then in theory have security profiles or something to restrict what those tenants can pass to containers and then build a snapd interface on top of that to allow for auto-connect to lxd. But that's not on our roadmap for this cycle nor even for the next one, so right now, the LXD API is very much privileged and can't be given to17:24
stgraberany random user/snap.17:24
Sweet5hark"cannot bind mount nvidia driver /usr/lib/nvidia-340 -> /tmp/snap.rootfs_OKbiYH/var/lib/snapd/lib/gl. errmsg: No such file or directory" <- anyone has an idea what that is?17:27
ogra_Sweet5hark, some leftover nvidia driver cruft ?17:29
ogra_does /usr/lib/nvidia-340 exist and does it have the GL libs inside ?17:30
Sweet5harkogra_: yes and yes17:30
ogra_any other nvidia-* dirs in /usr/lib ?17:31
Sweet5harkFWIW, /tmp/snap.rootfs_OKbiYH/ exists, is owned by root:bjoern and is empty -- the paths below it do not exist.17:33
Sweet5harkAlso for context: I tried to install libreoffice from edge, aborted the dl, which FUBARed snap state. Thus I ran https://raw.githubusercontent.com/zyga/devtools/master/reset-state -- retried, it installed fine, but doesnt start because of the above ....17:35
Sweet5harkogra_: There is nvidia-340 and nvidia-340-prime in /usr/lib17:36
ogra_the message comes from inside the core snap, i dont think you can see anything when looking from the outside17:36
ogra_probably it chokes on -prime ...17:37
ogra_zyga, ^^ any known remaining bugs with snap-confine and nvidia ?17:37
=== Guest85272 is now known as ahasenack
=== ahasenack is now known as Guest84237
kyrofaIsn't the core snap supposed to handle GL access?17:59
kyrofaogra_, do you know anything about that? I have an app dying because it can't access libGL.so.118:12
ogra_nop18:12
ogra_e18:12
ogra_it isnt so much the core snap, rather snap-confine that bind mounts the libGL stuff from the host into the core snap and provides the gl interface18:13
cwaynekyrofa: ISTR having to  have something like this in my wrapper script: export LIBGL_DRIVERS_PATH=$SNAP/usr/lib/$ARCH/dri18:15
kyrofaHuh... I just ran `snap run --shell` and it's not in there anywhere, so it must not be bind-mounted in. zyga, any ideas?18:18
kyrofaOh my. I completely missed that opengl was an interface now18:25
kyrofaI'm sure that's it18:25
kyrofaNope, nevermind. Changes nothing18:29
kyrofaLooking at the interface, looks like something should be contained within /var/lib/snapd/lib/gl, but it's not18:32
ogra_kyrofa, well, snap-confine should mount your hosts GL libs there18:45
kyrofaogra_, yeah, that doesn't seem to be working18:45
ogra_(on demand i think)18:46
kyrofaMan it's quiet around here20:07
femmeDid a snappy security audit happen (yet)?20:46
femmeWe're considering using snaps for tor as distros tend to not update after a while and so I just joined to get caught up on the snap ongoings and discussions and maybe someone would like to help20:50
qenghofemme: Hi hi. I can't answer about an audit, but I would like to be a bridge between Tor and snappy communities. I think it's a great fit. I made the tor-middle-relay snap, and am on the OFTC channel too.20:54
qenghofemme: I would love to contribute what I know to make snaps a side-effect of building the official builds for deb packages.20:55
femmeqengho: great, I didn't know there was a middle relay snap20:56
* qengho moves to that dev channel.20:58
kyrofafemme, I'll point you to the security team -> tyhicks?21:16
kyrofafemme, qengho please let me know if you run into difficulties from a packaging perspective21:19
tyhicksfemme: hey - there's not been an independent security audit of snappy as a whole but the Ubuntu security team is active in the development of snappy21:19
tyhicksfemme: for example, we review all that changes that go into the snap launcher (snap-confine) and we also review and/or author the changes to the interfaces (security policy)21:21
zygatyhicks, femme: suse security team did review snappy security21:27
zygaand found a few issues that were since fixed21:28
zygayou can count that as indepdentend security review i think21:28
tyhicksoh, good point21:28
zygakyrofa: it's been a long day :)21:28
tyhicksI had forgotten about that21:28
kyrofazyga, yeah I bet! How's the sprint?21:28
zygakyrofa: hey, so wha'ts about nvidia that you have issues with?21:28
zygakyrofa: and which distro are we talking about as each one is different21:29
kyrofazyga, I've got an app that wants libGL.so.1, and it's not finding it. Neither am I, using snap run --shell21:29
zygakyrofa: sprint is tense :) we're working on the release again21:29
kyrofazyga, classic21:29
zygalibGL.so.1 you say?21:29
kyrofaYep21:29
femmetyhicks: thanks for the response, so I'm having a glance and the parts wiki page jumps out at me. It seems more complicated than it has to be when a (signed) repo would have been better.21:30
femmezyga: great to hear21:30
zygakyrofa: do you see it in /usr/lib/nvidia-/ anywhere?21:30
femmewould love to read a writeup if there was one21:30
zygafemme: signed repo of what?21:30
femmehttps://wiki.ubuntu.com/snapcraft/parts21:31
kyrofazyga, indeed, both /usr/lib/nvidia-340/libGL.so.1 and /usr/lib/x86_64-linux-gnu/mesa/libGL.so.121:31
zygafemme: you do relise the whole idea is that that we don't review actual code, just the sandbox21:31
kyrofafemme, those are just build-time parts for users to utilize when building snaps. It has nothing to do with snapd itself21:31
zygakyrofa: the latter is not something we handle, the former, hmm, is this a hybrid system?21:31
femmeI know21:31
zygakyrofa: can you do snap-confine --version by any chance (or just tell me the version from dpkg)21:32
kyrofazyga, yes, it's one of those monstrosities. Never do it!21:32
zygas/relise/realise/21:32
kyrofazyga, 1.0.43-0ubuntu1~16.04.121:32
zygakyrofa: is it a hybrid system?21:32
kyrofazyga, yes21:32
zygakyrofa: if it is, then what you may be observing is that a) we have a bug (maybe) b) nvidia driver is not really loaded yet21:33
kyrofazyga, indeed, the nvidia driver isn't loaded21:33
zygakyrofa: please collect as much data as you can and report a new bug21:33
kyrofazyga, well, I'm using the intel side21:33
zygakyrofa: for hybrid systmes I bet we need more smarts21:33
kyrofazyga, but I shouldn't HAVE to be using nvidia...21:33
femmeI realize it's not directly snapd related but it's a single point of failure for those using the parts, which seems to be recommended21:33
kyrofafemme, no need to use them, they just help sometimes when snapping things21:34
zygakyrofa: I agree, I just need data to know how to fix it21:34
kyrofazyga, sounds good, happy to help21:34
zygafemme: snaps should be okay to use even if you use none of the shared parts21:34
kyrofaEven the shared parts get confined the same if used21:35
zygakyrofa: look at /sys/module/nvidia/version21:35
zygakyrofa: do you have it?21:35
zygakyrofa: and if so, what's in it?21:35
kyrofazyga, it seems I don't have it when using intel21:35
zygakyrofa: right, then what I think is happening is that the app expects a particular GL.so but the snap is not providing it21:36
zygakyrofa: typically snaps seem to bundle all FOSS userspace side drivers21:36
naccfemme: i think what you're referring to is that if the shared parts were to change/break in some way, there's not really a way to fix it in your current build; but that only matters for building a new version, the existing snaps don't depend on the parts any longer (the shared parts were integrated during the build, aiui)21:36
zygakyrofa: maybe that's just missing21:36
femmeWith the whole Startcom thing and whoever else has access to SSL CA certs I wouldn't want to wait until something goes wrong to say "you could have not used it"21:36
kyrofanacc, you understand correctly21:36
nacckyrofa: thanks21:37
zygakyrofa: I need to sleep, please report a new bug and let's work together on solving this21:37
femmenacc: yes, which makes the developer a target21:37
zygakyrofa: I'm so sleepy now, sorry21:37
kyrofazyga, yeah, go away, I'm sorry I pinged you, I forgot about the sprint ;)21:37
zygakyrofa: no worries, it' the (wink wink) last one this year21:37
kyrofazyga, ha!21:37
zyga(conditions apply, your mileage may vary)21:38
naccfemme: depends on how you mean that -- the developer is expressing a dependency by relying on the external code (which is really what the shared part is); so yes, the developer is a 'target' if that external code breaks21:38
kyrofafemme, that's an argument against any dependencies21:38
femmeIt's an argument against not checking the integrity of dependencies, aka relying on https as your only line of defense21:39
naccfemme: so are you arguing purely against how the shared parts are currently distributed?21:40
femmeif the developer's connection is mitm'ed by someone who can issue valid wiki.ubuntu.com ssl certs they can put whatever they want on that parts page21:40
femmeand it gets built into the binary and distributed to everyone21:41
kyrofafemme, if an attacker has that power I feel like that's the least of the dev's worries21:42
zygafemme: isn't that true in general21:42
zygafemme: your ubuntu.iso was fetched over https21:42
zygafemme: and we can do better but at some point you have to have some way to bootstrap trust21:43
femmekyrofa: that's a step above what the ubuntu security team said when I told them years ago that they should have ssl certs on ubuntu.com but they closed the ticket as WONTFIX21:43
zygafemme: remember that when this happes, the most you can exploit is what that single snap could do21:43
femmebut hey, they turned around on that too, only took them a few years.21:43
kyrofafemme, even if we could integrity check the contents of the wiki, it's just a dict pointing elsewhere. The code comes from github etc21:44
nacciirc, the ubuntu isos are actually served over http; the md5sums are served over https. We just had this argument a few days ago on #ubuntu. :)21:45
kyrofafemme, if an attacker can impersonate https-protected websites they can just impersonate that one21:45
femmekyrofa: that would've been the next point, there should be some signing mechanism implemented21:46
naccif all https sites are compromised (potentially), it does feel like there is a large issue at hand21:46
kyrofanacc, exactly21:46
femmeif all https sites are compromised I'm fine because I'm using tor21:46
kyrofafemme, how do you check a svn repo? Or git?21:46
femmeA few measures I would take are: 1) enable and test key pinning with wiki.ubuntu.com's key in snapd 2) have every snap developer keep a key with which they sign the tar of the sources and include the md5 of it in the yaml21:55
femmes/md5/sha256/21:55
kyrofafemme, they aren't necessarily tarballs, that's my point21:55
femmekyrofa: they can be tarred on the developers machine21:56
kyrofafemme, how are they verified then if the build recipe itself pulls from git?21:57
femmehttps://developer.mozilla.org/en-US/docs/Extension_Versioning,_Update_and_Compatibility#Securing_Updates21:59
femmekyrofa: they are made by ubuntu they can just be signed by a key already trusted22:01
kyrofaWhat are made by ubuntu? How is the signature of the tarball verified if the tarball isn't downloaded?22:02
femmeif the tarball isn't downloaded what is the dev planning on building the sources with?22:03
kyrofafemme, git cloned sources. Or svn. Or hg. Or any of the myriad of source types supported by snapcraft22:03
femmekyrofa: which can be tarred?22:03
femmethe tarring bit is just a technicality22:04
kyrofafemme, so your recommendation is to get rid of all source types except tarballs?22:04
femmeno22:04
femmeI'm kinda done with this conversation for now22:06
femmeI'll gladly write a report if someone pays me ;)22:06
mupPR snapd#2233 opened: docs: update the name of the command for the cross-build <Created by elopio> <https://github.com/snapcore/snapd/pull/2233>22:07
kyrofaAlright, have a nice day femme22:08
femme(speaking of keys already trusted by ubuntu, it's kinda scary with two keys from 2004 still there)22:09
femmekyrofa: the idea is that the sha256 of every source is included (and if it's not a single file, tar them and sha256) and that it's signed by the developers private key (the public part which is also included)22:36
femmeIt could be implemented for parts which was my main example but I don't know much about the key infrastructure of ubuntu and if it would make sense to suggest for example pinning the key for parts in snapd alongside the pinning of the ssl cert of the URL, because if both keys are kept at the same place it doesn't matter but otherwise it is an improvement22:38
femmeAnd it would use trust-on-first-use on a per snap basis for other keys22:40

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!