[01:00] Does anyone know if I can publish an unofficial MT snap based on the snapcraft.yaml in the snappy playpen?
[01:01] (By MT I meant Minetest)
[01:08] I have a question about the snappy playpen licensing.
[03:18] PR snapcraft#954 closed: pluginhandler: convert to package
[03:21] PR snapcraft#956 closed: tests: idempotent store installs
=== chihchun_afk is now known as chihchun
=== chihchun is now known as chihchun_afk
[07:02] can anyone tell me what are really there in the Ubuntu Core OS? a Ubuntu core OS has kernel, Ubuntu Core OS, Gadget and snaps. thanks
[07:55] hey hey
[08:02] good morning dholbach!
[08:03] salut didrocks
[08:06] PR snapd#2465 opened: snap: show apps in `snap info`
[08:20] JOIN
[08:20] I tried to create a kernel snap for dragonboard
[08:21] using snapcraft.yaml
[08:21] It is created by snapcraft command
[08:21] then I tried to create a gadget snap for my board
[08:21] by using gadget.yaml and snap.yaml
[08:22] here also created a gadget snap
[08:22] but when try to create a ubuntu image it is showing the error like
[08:23] error: cannot decode model assertion eragon.model: assertion content/signature separator not found
[08:24] I just created a .json file for my board and used $ cat eragon-model.json | snap sign -k default &> eragon.model command
[08:24] It asked me to enter password, entered then succeed
[08:25] PR snapd#2466 opened: debian: fix Pre-Depends on dpkg
[08:25] But When I use $ sudo /snap/bin/ubuntu-image -c devmode -o eragon410-SDtest.img eragon.model command for image creation, it fails and showing above error
[08:25] Do you the reason Why?
[08:26] Please update if knows
[08:51] is it not possible for a snap in devmode to access programs outside the snap?
[08:52] eyelash: hum, there are some tricky way to do, but you can't execute other snaps though (there is a bug for that)
[08:52] didrocks: but if it's installed as a deb it should be possible?
[08:54] eyelash: yeah, if you add the correct LD_LIBRARY_PATH yourself (as the hostfs is in /var/lib/snapd/hostfs/)
[08:54] I was trying to create a snap package for the Meson build system and it obviously needs to access the compilers that are installed on the system
[08:54] yeah, I guess some people asked for a compiler interface though
[08:55] that will be great to have that, I'm pretty sure a bug was filed, but if you want to double check (and +1 on this)
[08:55] didrocks: oh nice
[08:58] I could not find anything with the keyword 'compiler'
[09:07] seems to be this bug: https://bugs.launchpad.net/snappy/+bug/1618004
[09:07] Bug #1618004: Need a classic-bin interface to see classic binaries
[09:25] PR snapd#2467 opened: many: improve support for trusty
[09:27] PR snapcraft#958 opened: Add source name to error message
[09:28] i think i need to adapt tests for this one
[09:28] PR snapd#2466 closed: debian: fix Pre-Depends on dpkg
[09:29] btw could someone press the "merge" button for https://github.com/snapcore/snapcraft/pull/951 ?
[09:29] PR snapcraft#951: snapcraft plugins -> snapcraft list-plugins
[09:41] PR snapd#2468 opened: tests: add debug output to see why autopkgtests are failing
[09:45] PR snapd#2374 closed: snap: tweak snap install output as designed by Mark
[09:59] hi
[10:05] hi i request your help to guide me to install snap on debian
[10:48] PR snapd#2469 opened: interfaces: upower-observe: refactor to allow snaps to provide a slot
[10:56] PR snapd#2455 closed: many: implement alias command
[10:58] sergiusens: i don't understand what you mean with "Please also remember to affect the bug this fixes"
[11:21] t1mp: hi! The ubuntu-app-platform snap, in which distro should it be built? xenial?
[11:37] mardy: xenial with overlay
[11:38] See also https://developer.ubuntu.com/en/blog/2016/11/16/snapping-qt-apps/
[11:49] kalikiana_: thanks!
[11:53] tsdgeos all PRs are required to have a bug on launchpad per https://github.com/snapcore/snapcraft/blob/master/CONTRIBUTING.md
=== chihchun_afk is now known as chihchun
[11:54] sergiusens: nice way to make me not fix small issues like this :D
[12:00] aaaaaaaaaand we live in the 1960
[12:00] E501 line too long (84 > 79 characters)
[12:01] oh noes it won't fit in my 800x600 screen
[12:02] PR snapd#2467 closed: many: improve support for trusty
[12:06] Bug #1649569 opened: Make plugin/source error reporting a bit more useful
[12:16] sergiusens: d1ad166365dfc2b934d2f28bebe31a99b1dd332f didn't have a LP bug linked :o
[12:22] tsdgeos: revert it! ;-)
[12:33] PR snapd#2470 opened: notifications, daemon: kill the unsupported events endpoint
[12:37] I'm getting this error after running snapcraft to build ubuntu-app-platform: E:Unable to correct problems, you have held broken packages.
[12:37] any idea on how to debug this?
[12:37] I don't have any held packages in my system
[12:38] maybe "you have held broken packages" means snapcraft refuses to work with anybody that has ever handled a broken package
[12:38] :-)
[12:42] Chipaca: still, this is a rather clean installation...
[12:43] mardy, I'll let people that know snapcraft give you serious answers now
[12:44] Chipaca: thanks :-)
[12:51] anybody know what http://autopkgtest.ubuntu.com/ is running?
[13:04] PR snapd#2415 closed: overlord/ifacestate: no interface checks if no snap id
=== elfgoh_ is now known as elfgoh
[13:29] ogra_, hi, where could I find the sources for uboot used for rpi3?
[13:31] abeato, they are the upstream sources with the patch thats in the gadget tree
[13:31] ogra_, is that lp:~snappy-dev/snappy-hub/snappy-systems ?
[13:32] abeato, the gadgets moved to https://github.com/snapcore
[13:33] https://github.com/snapcore/pi3-gadget actually
[13:33] ogra_, oh, ok
[13:33] ogra_, I am trying to do boot from USB
[13:34] ogra_, the issue I see is that uboot is not finding the right environment and it tries to use the default
[13:34] note that the ROM change you have to do for that is irreversible ... afaik you wont be able to switch your Pi back to Sd only in case you care
[13:34] ogra_, it apparently cannot load uboot.env
[13:34] * abeato does not core :)
[13:34] *care
[13:34] right, that is the patch ....
[13:34] in the prebuilt subdir in above tree
[13:35] you need to tell the config to use uboot.env instead of uEnv.txt
[13:36] ogra_, ok... how do you build uboot btw?
[13:36] uff... i havent done it in ages ... make config-rpi3 or some such and then just make ... with the armhf cross compiler installed
[13:37] ogra_, will give that a try, thanks!
[13:37] (i would have to look up the exact lines upstream as well ... )
[13:38] nv
[13:38] ppisati can surely help you too ...
[13:38] * ogra_ goes back into vacation mode :)
[13:38] besides games, are there other kinds of applications that would benefit from delta updates?
[13:38] enjoy, sorry :)
[13:38] why sorry, i dont need to answer :)
[13:39] that's true too ;)
=== hikiko is now known as hikiko|ln
[13:41] madprops, why would only games benefit ? everything benefits from tiny downloads ;)
[13:41] you should be drinking a pina colada and ignoring me :(
[13:41] haha
[13:42] but yeah i think video games are the biggest forms of this
[13:42] and this is handled by systems like steam
[13:43] well, if you have a system that is completely built from snaps and upgrade 50 of them it sums up :)
[13:43] and there are browsers ... office suites ... theme packs ... language packs ... the yall are huge by default
[13:44] *they all
[13:44] well not really when 50 of those download the same libs
[13:44] just saying
[13:44] they wont ...
[13:44] (becaue they hopefully use the content sharing interface for the libs ;) )
[13:44] *because
[13:45] of you're going to do that
[13:45] why not just have a good universal package manager
[13:45] erm ... that is what snap is
[13:45] just a lot more secure
[13:46] hmm
[13:46] (securer enough that you wont have to worry that your webcam that runs snappy becomes part of a botnet ;) )
[13:46] *secure
[13:47] well language packs and stuff are already their own packages
[13:47] i don't know about the security, except for the isolation, but i think it's biggest plus is it's convenience
[13:47] to developers
[13:48] debs give every package maintainer 100% root on your box
[13:48] well and users (except for bigger download sizes)
[13:48] there isnt much security in them beyond the fact that you should use a trusted archive
[13:49] as soon as you use a package from a PPA or one you download from a website, the person owning that package has full root access to your system
[13:49] snaps fix this
[13:49] hmm
[13:49] but
[13:49] what if it's an application designed to make system changes
[13:50] how is it going to do them without root access
[13:50] then it uses a snappy interface to talk to the system side ...
[13:50] which will require your authorization for critical bits
[13:51] by design a snap can not do any harm unless you as the system owner explicitly allow it to
[13:52] "snappy interface" this is sounding like it's going to control the system a lot ala systemd
[13:53] well, a snap runs in a sandbox ... an interface is the outside connection to other snaps or the system for your snap
[13:54] but if i don't run a normal application with sudo .. how does it have sudo powers?
[13:54] root powers
[13:55] say you have a music player app you snap ... it wouldnt be able to play any sound without you allowing it to access the interface the pulseaudio snap provides
[13:55] PR snapcraft#892 closed: Catch PermissionError when attempting to replace contents in a readonly file.
(LP: #1640305)
[13:55] that sounds terrible
[13:55] like every application that controls sound has to ask for permission first
[13:55] and why is that terrible ?
[13:56] something as basic as playing sound
[13:56] (you only allow it once at package install time indeed)
[13:56] ok so the permission is implied by installing it
[13:56] a la android permissions
[13:56] more like IOS
[13:57] but yeah, similar concept
[13:59] Hi! Any tips on where I can get info on the different Snap "types" -> type: app | core | gadget | kernel ?
[13:59] Either I'm blind or the docs aren't that clear on it
[14:00] https://docs.ubuntu.com/core/en/
[14:01] ogra_ I think android moved to this model too since 5.0
[14:01] PR snapcraft#958 closed: Add source name to error message
[14:01] Bug #1649569 changed: Make plugin/source error reporting a bit more useful
[14:01] bossie__, under "build a device"
[14:02] and very specific https://docs.ubuntu.com/core/en/guides/build-device/board-enablement
[14:02] sergiusens, ah ... havent used android for so long :P
[14:02] ogra, thanks! I've been searching under the snapcraft.io docs.... :/
[14:04] sergiusens: what do you think about https://github.com/snapcore/snapcraft/pull/951 ?
[14:04] PR snapcraft#951: snapcraft plugins -> snapcraft list-plugins
[14:05] tsdgeos let me comment there
[14:16] stupid github should send comments to the address i made the commit with and not to my main github address
[14:16] meh
[14:23] PR snapd#2454 closed: client: only allow Dangerous option in InstallPath
[14:25] PR snapd#2470 closed: notifications, daemon: kill the unsupported events endpoint
[14:28] tsdgeos: I guess they can't because they haven't confirmed that you own that email address ;)
[14:29] pbek: they have
[14:29] since it's one of my confirmed email addresses in github
[14:29] just not the main one
[14:30] tsdgeos: didn't know that they were able to do that... maybe you should open a feature request...
[14:32] PR snapd#2464 closed: cmd/snap: mock terminal.ReadPassword instead of using /dev/ptmx
[14:32] pbek: do they accept feature requests?
[14:33] tsdgeos: I've no idea to be frank...
[14:33] GitLab does...
[14:34] tsdgeos they do; I have made many and at least received replies (some are implemented).
[14:34] tsdgeos you can configure email per project under your personal settings
[14:35] sergiusens: Notifications -> Custom routing ?
[14:37] Anyone know of a snap or mechanism which will allow my snap to access a USB drive plugged into my device? - Ubuntu Core Pi 2 environment
=== hikiko|ln is now known as hikiko
[14:40] PR snapcraft#951 closed: snapcraft plugins -> snapcraft list-plugins
[14:43] tsdgeos I think that's the one; Chipaca gave me the wisdom, he might recall better
[14:43] sergiusens: that looks like what i'd like, but i only have one organization there, (which is not canonical or ubuntu) so doesn't seem to be per project sadly :/
[14:53] I did nothing of the sort!
[14:53] * Chipaca reads about it
[14:53] ah! I don't remember it being called custom routing, let me check
[14:54] yep, that's the one
[14:55] tsdgeos, AFAIK you need to be a member of the organization
[14:55] i.e. it's per org
[14:55] meh
[14:56] which makes sense to me
[14:56] I'd say something about free software web services, but i'd sound bitter
[15:10] PR snapcraft#959 opened: Make plugins be an alias of list-plugins
[16:03] bossie__, the snap in question needs to use the removable-media plug
[16:04] madprops, ogra_ FYI android nowadays prompts the first time the app requests said feature instead of at install time
[16:09] kyrofa, that could be annoying maybe
[16:09] I quite like it.
As a side effect, I can deny it
[16:09] So now I can use an app minus a few features if I don't want to grant the permissions
[16:10] madprops, note that it doesn't prompt every time, just the first time
[16:15] yeah denying certain features is cool
[16:21] thanks kyrofa I'll check it out
=== shuduo is now known as shuduo-afk
[16:57] PR snapd#2471 opened: interfaces: add new boot-config interface
[17:00] PR snapd#2472 opened: tests: update custom core snap with the freshly build snap-confine
[17:08] Bug #1625805 changed: dragonboard: history daemon dereferences a rogue pointer
[17:11] I am on Arch Linux and wondering if I am supposed to see http://sprunge.us/ePQQ (snapd.refresh.service fails, Dec 13 19:07:28 sedric snap[3541]: - Download snap "ubuntu-core" (423) from channel "stable" (cannot authenticate to snap store: Provided email/password is not correct.))
[17:31] PR snapcraft#947 closed: Add 'aliases' support to 'apps'
[18:07] PR snapd#2473 opened: overlord,overlord/snapstate: implement snapstate.Unalias by generalizing the "alias" task
[18:15] hi everyone. I would like to know if anyone has a link to share, tutorial, or reference on to how to develop a snap for rpi.GPIO. Basically, how to import the plugin.. thanks!!!
[18:20] Seblai, no example that I know of, but there is a gpio interface described here: https://github.com/snapcore/snapd/wiki/Interfaces#gpio
[18:25] I am trying to access to dbus from a python script in my snap
[18:26] and I am getting -> dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: Failed to connect to socket /var/run/dbus/system_bus_socket: Permission denied when I do bus = dbus.SystemBus(mainloop=DBusGMainLoop())
[18:26] any idea how to fix it?
[18:44] PR snapd#2378 closed: interfaces: misc openstack snap enablement
=== chihchun is now known as chihchun_afk
[19:37] pedronis: hey, wondering if you'll have a chance to review https://github.com/snapcore/snapd/pull/1613 ?
(I'm told that it needs one more review and you were asked to do it. please correct me if I'm wrong)
[19:37] PR snapd#1613: interfaces/builtin: add dbus interface (LP: #1590679)
[19:38] niemeyer: hi! friendly reminder about my open question to you on https://github.com/snapcore/snapd/pull/2450
[19:38] PR snapd#2450: interfaces: add network-namespace-control (LP: #1624675)
[19:39] jdstrand: Thanks for the reminder
[19:39] jdstrand: I was told to look a it
[19:39] at
[19:39] pedronis: ack, I'll leave you to it then
[19:41] niemeyer: note, the flurry of activity surrounding the testsuite failure in 2450 was mvo and I discovering a test infrastructure issue with the recent snap-confine merge (changes to snap-confine from PRs isn't getting properly applied to all snaps images)
[19:41] niemeyer: he's working on that
[19:43] is there a store problem right now? I am trying to setup a device (pi2) and it's just sat at "Contacting store..." after I enter my email address.
[19:43] niemeyer: also, I just referenced you in a couple (few?) reviews requesting your input on the name of the interface
[19:43] niemeyer: (just within the last couple hours)
[19:44] wow, finally finished... that console setup takes an _age_
[19:49] jdstrand: Thanks for the poke
[19:52] jdstrand: I'm not sure it makes much sense to have network-namespace-control separated, as you point out there
[19:53] jdstrand: The question is this: what are we protecting against?
[19:53] jdstrand: Can someone with network-control re-route traffic from other parties inside the system?
[19:54] jdstrand: If so, we're just adding complexity for little gain..
network-control already allows abuse regardless, and network-namespace-control wouldn't work on its own
[19:54] jdstrand: If network-namespace-control could work on its own, without network-control, then there might be some gain
[19:55] jdstrand: In other words, if we could give some the ability to _just_ create a namespace, without being able to touch the network otherwise, then that might be justifiable
[19:59] jdstrand: Off for some exercising.. back later
[19:59] niemeyer: we can create _just_ the namespace, but then we can't configure it without network-control
=== devil is now known as Guest88459
[20:00] niemeyer: based on your comments, I'm going to put it in network-control and circle back. if I need to undo it, that's fine. I prefer it in network-control after working with it for a bit
[20:03] niemeyer: thanks for the feedback! :)
[20:47] jdstrand: does that dbus branch has a +1 from tyler?
[20:56] pedronis: not formally. I know he looked at it at one point
[20:57] jdstrand: did somebody review the snippets? I was asked to look at it, but I generally don't/cannot review those
[20:57] * pedronis is a bit confused
[20:58] pedronis: Gustavo and Zygmunt looked at them. I'll ask tyhicks to look at the security policy. I think Gustavo just wanted to make sure it made sense code wise
[20:59] tyhicks: can you look at the security policy in https://github.com/snapcore/snapd/pull/1613 ?
[20:59] PR snapd#1613: interfaces/builtin: add dbus interface (LP: #1590679)
[20:59] tyhicks: actually, nm, I forgot you looked at that once
[21:00] tyhicks: meh, I forgot, you looked at the proposal, not the implemented code.
[21:00] tyhicks: so, can you mind again and take a quick peek at the security policy? we can chat on irc about the policy if you have questions
[21:03] PR snapd#2471 closed: interfaces: add new boot-config interface
[21:10] jdstrand: what do you mean by "snapd does not allow ###DBUS_NAME### to end with '-[0-9]+', so this is ok."?
[21:10] New to snapcraft: How do you get a simple daemon to start automatically?
[21:11] jdstrand: if snapd doesn't allow it, what good is allowing it in the policy?
[21:11] pihole, all you have to do is declare it as a daemon in the YAML
[21:11] pihole, do you have a snapcraft.yaml you could share?
[21:11] Sure hang on
[21:13] help
[21:15] OK, not sure how to format the code in here
[21:15] d
[21:17] jdstrand: on line 83, the comment says "allow unconfined clients talk to ###DBUS_NAME### on classic" but the rule doesn't contain ###DBUS_NAME###
[21:19] kyrofa: apps: dnsmasq: command: bin/dnsmasq daemon: simple plugs: - network - network-bind - network-control
[21:20] pihole, yeah, use pastebin.ubuntu.com
[21:20] jdstrand: same with the comment/rule on line 125
[21:21] (that one is less worrisome because the rule specifies the peer label)
[21:21] kyrofa: http://pastebin.ubuntu.com/23625639/
[21:22] pihole, yeah that looks fine-- the `daemon: simple` tells snapd to run it as a daemon
[21:22] pihole, are you not seeing that behavior? Is the daemons perhaps erroring out?
[21:23] kyrofa: I checked journalctl -u and it shows it starts, but then stops shortly after. Also tried it without the custom config file. Load up fine either way when done manually
[21:24] tyhicks: re '-[0-9]+', see the regex at line 218
[21:24] jdstrand: added some comments
[21:25] tyhicks: what is happening is that a snap developer can request org.foo. snapd will create rules for org.foo and org.foo-[1-9]...
[21:25] tyhicks: therefore we do not allow a developer to request org.foo-1
[21:25] jdstrand: got it, thanks
[21:26] tyhicks: line 83 needs to be updated
[21:27] tyhicks: well, really the comment is correct from a certain perspective, but I'll make it clear
[21:27] pedronis: thanks!
[21:30] pihole, perhaps it's not a simple daemon?
[21:30] pihole, does it fork?
[21:33] kyrofa: good point. Maybe I'll just try that.
[21:33] kyrofa: thank you very much
[21:33] pihole, of course
[21:52] PR snapcraft#957 closed: sources: refactor base sources into module
[21:52] Hi All
[21:53] jdstrand: thanks for clarifying the comments
[21:54] jdstrand: my final concern is that the rules on lines 86 and 94 essentially allow the snap to communicate with any unconfined application
[21:55] PR snapcraft#960 opened: pluginhandler: install scriptlet support
[21:56] I am very new to snappy. My requirement is that i have one app already working for x86 and arm. Now what i want to do is to have the stripped version of my existing app and make a snap of it and distribute it to the vendors so that they can play with it. Can anyone please guide me how to start with the same?
[21:56] tyhicks: it can only do it via that interface or path
[21:57] tyhicks: the idea is to let this work within a traditional desktop environment (ie, classic)
[21:58] tyhicks: so, say have some application that is a deb but knows about rhythmbox. I have a rhythmbox snap installed
[22:00] tyhicks: the snap can use either the dbus interface that matches or the dbus path that matches. I was thinking that would make the other side not work so well, but thinking at last about the path one, maybe that should be a rec
[22:00] receive
[22:01] PR snapcraft#961 opened: sources: refactor local source into module
[22:05] PR snapd#2473 closed: overlord,overlord/snapstate: implement snapstate.Unalias by generalizing the "alias" task
[22:13] PR snapcraft#962 opened: sources: refactor bazaar source into module
[22:22] PR snapcraft#963 opened: sources: refactor deb source into module
[22:22] tyhicks: did you see my response?
[22:23] tyhicks: in case not:
[22:23] tyhicks: it can only do it via that interface or path
[22:23] tyhicks: the idea is to let this work within a traditional desktop environment (ie, classic)
[22:23] tyhicks: so, say have some application that is a deb but knows about rhythmbox.
I have a rhythmbox snap installed
[22:23] tyhicks: the snap can use either the dbus interface that matches or the dbus path that matches. I was thinking that would make the other side not work so well, but thinking at last about the path one, maybe that should be a receive
[22:23] least*
[22:24] I didn't see it (I apparently disconnected for a moment)
[22:24] tyhicks: I could remove send from those two rules
[22:24] I wonder how much it is needed for the interface rule though
[22:25] I mean it just depends if the snap is going to be only replying to messages or if it needs to actually send a method_call or signal message
[22:26] jdstrand: how does things fail if bus or name don't match? you get an connection but it doesn't work?
[22:26] tyhicks: we don't know. this is a generic interface. let's think of this in terms of say, talking to download manager
[22:28] pedronis: you get too many things matching. see the test for this here: https://github.com/snapcore/snapd/pull/1613/files#diff-c5f8555bf0fa0810f5d9dbd039036112R530
[22:28] PR snapd#1613: interfaces/builtin: add dbus interface (LP: #1590679)
[22:28] PR snapcraft#964 opened: sources: refactor git source into module
[22:28] pedronis: in that, the slot offers two well-known names but the plug only plugs one
[22:29] pedronis: we want to connect the right ones.
that little bit does that
[22:29] jdstrand: I don't understand what you are saying at all
[22:29] :)
[22:29] pedronis: look at the test
[22:29] pedronis: the slotYaml has 'this' and 'that'
[22:30] the test calls ConnectedPlugSnippet
[22:30] and gets what you told it to do
[22:30] pedronis: look at the plugYaml, it only plugs 'that'
[22:30] jdstrand: yeah, I appreciate that it is generic - I just wanted to point out that the rules with send perms grant a lot more than intended and it'd be nice if we could remove the send perms
[22:30] pedronis: without this code, things go wrong
[22:30] jdstrand: IMO, there's no use in removing the send perms on the interface related rule but not the path related rule
[22:31] jdstrand: sorry, I don't understand, that tests proves that the code does what you told it to do
[22:31] tyhicks: I was thinking the other way around
[22:31] I don't understand how it relates to the higher levels
[22:31] pedronis: ok, let me look at this again. two conversations at once is difficult
[22:32] tyhicks: consider the snap has both rules
[22:32] tyhicks: then it tries to talk to the session ubuntu-download-manager (udm) that is unconfined
[22:33] tyhicks: so, the interface rule allows it to talk to the well-known name (name=udm) using the snap's interface (eg, org.foo)
[22:33] tyhicks: wouldn't dbus just reject that rule cause udm doesn't have the org.foo interface?
[22:34] hey snappy folks, i'm seeing recent failures autopkgtests of ubuntu-image (both locally and via gh pull request) when trying to build the pc-i386-model.assertion here: https://github.com/CanonicalLtd/ubuntu-image/blob/master/debian/tests/models/pc-i386-model.assertion
[22:34] here is a log for example: https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-yakkety-canonical-foundations-ubuntu-image/yakkety/amd64/u/ubuntu-image/20161213_220817_0caf6@/log.gz
[22:34] scroll to the bottom.
snap prepare-image can't find the pc-kernel snap on the beta channel
[22:34] jdstrand: no, the message will be delivered and it is up to the receiving connection to reject that rule based on the invalid interface
[22:34] tyhicks: the path rule is similar. the snap can talk to udm using path=/org/foo. I feel like that is maybe problematic and perhaps it should have the receive rule
[22:35] afaict, pi2, pi3, dragonboard, and pc-amd64 all all fine
[22:35] just the pc-i386 one is failing. has something changed here recently?
[22:35] jdstrand: many dbus libraries will reject the message but the message is still delivered
[22:35] tyhicks: ok, well, then the question becomes if on *classic* that is acceptable
[22:35] like, the i386 arch of pc-kernel went away?
[22:35] jdstrand: yeah, I agree that's the question
[22:36] tyhicks: this is an environment with x11
[22:36] * tyhicks nods
[22:36] though, this also support system
[22:37] how about I remove 'send' and we see how it goes? if it needs to integrate with unity7 then the unity7 interface could gain whatever it needed
[22:38] I would prefer that but can't say whether or not 'send' will just have to be added shortly after to make the interface useful in a classic environment
[22:38] Can i double confirm that I can't login to the Ubuntu core via password?
[22:38] I just haven't profiled enough dbus services to know for sure :/
[22:38] i.e., if i connect a monitor, i can't login.
I can login via ssh tough
[22:38] *though
[22:39] tyhicks: we don't have concrete examples for this part of the ruleset
[22:39] so, let's remove send and see what happens
[22:40] tyhicks: I like the sound of that - it definitely improves the security properties of the policy so I think it is worth waiting and seeing
[22:40] PR snapcraft#965 opened: sources: refactor mercurial source into module
[22:40] barry: it's on snapd side, calling the api directly it seems there's no i386 beta kernel anymore in the store
[22:41] barry: it's *not* on the snapd side
[22:41] jdstrand: fyi, this was the crux of the kdbus authors' argument against our fine-grained dbus mediation
[22:41] pedronis: that's what i suspected. do you know if that's intentional? who owns/owned the i386 kernel snap?
[22:42] I don't know
[22:42] ogra_: perhaps?
[22:42] it might also be a store bug (wrong channel inheritance)
[22:42] tyhicks: hmm?
[22:42] jdstrand: they claimed that if a dbus client could send *any* message to a dbus service, that service must be smart enough to reject invalid/unexpected paths, interfaces, and method names
[22:43] barry: afaict as I get from the api, there's a kernel in edge, and the same in stable and candidate, but nothing in beta
[22:43] for i386
[22:43] jdstrand: and that filtering out certain values of paths, interfaces, and/or method names in security policy was not worthwhile
[22:43] tyhicks: I see. well, obviously we disagree
[22:44] yeah
[22:44] tyhicks: the same could be said of seccomp
[22:44] pedronis: so there is one in stable? maybe i should just switch the tests over to that. i suppose at one point they were only available in beta which is why the tests used that.
/me tries
[22:44] jdstrand: good point
[22:44] it is reducing attack surface
[22:44] jdstrand: ok, that was mostly useless knowledge - I'll let you get back to the PR
[22:44] :)
[22:44] barry: yes, stable and candidate have 44, edge has 48
[22:45] no beta
[22:45] pedronis: if it's in stable, you'd expect it to be in beta too then right?
[22:45] well it's in candidate
[22:45] but yes
[22:45] so as I said might be store issue
[22:46] worth poking store people
[22:46] pedronis: ok, thanks
[22:47] anyway amd64 has something explicit in beta fwiw
[22:50] Is it possible for me to modify the scheduled rebootreboot scheduled to update the system - temporarily cancel with 'sudo shutdown -c'
[22:50] "reboot scheduled to update the system - temporarily cancel with 'sudo shutdown -c'"
[22:55] jdstrand, hi, I am creating a tests where I am creating some methods in dbus and I call them from python calls in my snap
[22:56] jdstrand, is it needed for that to create a new interface?
[22:58] jdstrand, the process is the following, first I add policies in /etc/dbus-1/system.d, then register a method to be called
[22:58] then I call this methods with some parameters and this method will spam signals depending on the parameters used.
[22:59] I am doing this to measure dbus performance
[23:00] jdstrand, but I am still getting this error > dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NameHasNoOwner: Could not get owner of name 'com.canonical.kpi.signal': no such name
[23:00] any guess?
[23:04] PR snapcraft#966 opened: sources: refactor rpm source into module
[23:07] barry: I poked, seems indeed a glitch, there should be something there
[23:08] pedronis: well, it seems something higher is doing the right thing.
if I comment out that 'ensure' area and then install a snap with two slots and a slot with one plug, I get the right policy
[23:08] pedronis: thanks
[23:08] pedronis: I thought I observed different behavior before which is what prompted the test, but I don't recall specifically
[23:08] jdstrand: nothing higher level consider that method
[23:08] jdstrand: afaik it will either find too many, or if you are explicit enough
[23:09] pedronis: I just mean if I try to snap connect the wrong slot, it doesn't
[23:09] it connect but things will not work
[23:09] jdstrand: with what kind of error?
[23:09] no error
[23:09] ?
[23:09] so the connection is there?
[23:09] but doesn't work
[23:10] pedronis: consider
[23:10] snap interfaces
[23:10] foo:bar
[23:10] meh
[23:10] foo: bar -
[23:10] meh
[23:10] foo:bar -
[23:10] foo:baz -
[23:10] - norf:bar
[23:10] sudo snap connect norf:bar foo:bar
[23:11] that works fine (expected)
[23:11] sudo snap connect norf:bar foo:baz
[23:11] no error, no issues
[23:11] (policy is correct
[23:11] )
[23:11] ??
[23:11] but snap interfaces
[23:11] will say they are connect no?
[23:12] tpedsnap interfaces show it as connected
[23:12] so you can connect things that will do nothing
[23:12] yes
[23:12] maybe it's the best we can get
[23:12] but is not that great
[23:13] well, I could error there
[23:13] in the 'ensure' section
[23:13] this is with that code commented out
[23:13] but then it's too late
[23:13] I think
[23:13] if I put it back, I think it will work correctly since we return nil, nil
[23:13] let me check
[23:14] as far as I know
[23:14] nothing checks that first nil
[23:14] it just get ignored
[23:16] ok, putting it back it is the same behavior.
snap interfaces shows it as connected, but the policy doesn't have it [23:16] let me error in there [23:16] return nil, err [23:18] pedronis: yes, if I put an err there then snap connect shows the message, but snap interfaces still shows it as connected [23:20] jdstrand: the problem with the error is that if there's a 2nd interface that should work it will get in a strange state possibly [23:20] pedronis: I don't know what to do at this point [23:20] there's no place atm for that check afaict [23:21] so the nil, nil [23:21] is the best we can do [23:21] ok, so what I had [23:21] (also error handling in there is not very graceful) [23:24] jdstrand, any suggestion about the comment I made before? [23:26] cachio: you are going to need to have security policy that handles that. currently there is none [23:26] cachio: I suggest devmode for the time being [23:26] cachio: then finish your snap and then I can take a look at it [23:27] I am getting this error [23:27] dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NameHasNoOwner: Could not get owner of name 'com.canonical.kpi.signal': no such name [23:27] cachio: there is likely an apparmor denial in syslog [23:29] jdstrand, I just see apparmor="ALLOWED" [23:30] jdstrand, is it ok to copy the dbus config file to /etc/dbus-1/system.d ? [23:30] cachio: ah, it is in devmode [23:30] jdstrand, yes in devmode [23:30] cachio: right, so devmode isn't going to cover dbus bus policy, just seccomp, device cgroups, apparmor, etc [23:31] cachio: so you are going to need to put something in there.
as it happens, the dbus interface I am working on would give you a bus policy that would work with devmode [23:31] cachio: see https://github.com/snapcore/snapd/pull/1613/files#diff-715ebbcbcd440b44a1e536f154ca6138R108 [23:31] PR snapd#1613: interfaces/builtin: add dbus interface (LP: #1590679) [23:32] cachio: eg, $ cat /etc/dbus-1/system.d/snap.test-hello-dbus.test-hello-dbusd-system.conf [23:32] "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" [23:32] "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> [23:32] [23:32] [23:32] [23:32] [23:32] [23:32] [23:32] [23:32] [23:32] [23:33] cachio: create a bus policy like that ^ (adjust for your well-known name and interface of course) and that will allow anyone to talk to your service [23:33] well [23:33] any unconfined process [23:33] (or devmode) [23:34] jdstrand, nice, but it would work when your change is landed, right? [23:34] jdstrand: it's late here, if you get a +1 from tyler it's mergeable I think [23:35] cachio: for devmode, yes. in strict might need some adjustments [23:35] it may work [23:36] jdstrand, good, so I'll need to wait [23:36] * pedronis => rest [23:36] jdstrand, any guess about when it is gonna be landed? [23:36] pedronis: thanks so much! [23:36] approx [23:36] cachio: it is what I've been talking about with people in this channel today [23:36] jdstrand, we are talking about days, weeks? [23:37] cachio: it is targeted for 2.20.
it will hopefully land tomorrow [23:37] 2.20 is for thursday I think [23:37] jdstrand, awesome [23:37] it will get in candidate thu or fri [23:37] jdstrand, it works for me if it is on this week [23:37] (stable is in January though) [23:39] cachio: note pedronis' comment [23:39] cachio: if you need something sooner, you are going to need to hack up your bus policy manually [23:39] jdstrand, it is ok, I am using daily builds for testing [23:40] jdstrand, so I'll test it as soon as possible once it is landed [23:40] barry: there should be again something in beta (for pc-kernel i386) [23:42] jdstrand, thanks for the support [23:43] cachio: np! :) [23:51] tyhicks: thanks for your review! :) [23:55] PR snapcraft#967 opened: sources: refactor script source into module [23:57] jdstrand: no problem!