[01:33] Can someone help me with a problem. On 16.04(Unity). I like to lock apps to the launcher. However I have noticed for snaps everytime a snap (such as firefox) updates, I lose it off the launcher and my muscle memory is disrupted. Any workarounds, or known issue? === ahasenack is now known as Guest4879 === kirkland is now known as Guest54596 === tyhicks is now known as Guest8831 [05:13] morning [05:52] PR snapd#5697 closed: overlord/snapstate: fix UpdateMany() to work with parallel instances [06:05] zyga: you have (good) feedback on 5307 [06:13] mvo: hey, left a small suggestion in 5704 [06:13] mborzecki: ta, looking [06:13] PR snapd#5708 closed: snapstate: use new "snap.ByType" sorting [06:15] uh and obviously forgot to +1 : ) [06:23] mborzecki: ta, I like your suggestion a lot, pushed. lets hope tests are less unhappy than yesterday [06:23] mvo: yeah, i think it was better towards the evening [06:39] PR snapd#5673 closed: ifstate: extra common code into checkAutoConflicts() [06:54] good morning :)\ [06:56] zyga: hey [06:59] jdstrand: thank you for the reviews! I know you are very busy so I'm extra grateful that you did so :) [07:00] * zyga has feedback on two updated PRs and jumps into iteration :) === pstolowski|afk is now known as pstolowski [07:08] mornings [07:17] pstolowski: hey [07:39] wow, didn't know that sigrok is packaged as snap [07:41] mborzecki: what is it? [07:41] mvo: it's for logic analyzers, dumping, viewing the traces and so on [07:42] mvo: sigrok can also do basic protocol analysis, eg i2c or spi [07:42] wonder if they ship the firmware for open source selae ripoffs too :) [07:44] nice [07:44] mborzecki: do you have any hardware like that? [07:45] I managed to boot my opensuse insallation [07:45] I don't know if it will work after reboot [07:45] zyga: yeah, the low end 8 channel selae ripoff is < $5 on aliexpress, got 2 of those [07:45] but it's closer than before [07:45] I'm rebalancing btrfs now, apparently, so I'll leave it be [07:46] on a side note, the 'new' selae analyzers can do analog signals too and iirc those were not supproted by sigrok at all [07:46] mborzecki: nice [07:46] mborzecki: I used to have an Agilent scope but I sold it as I didn't have time to really use it the way I wanetd [07:46] *watned [07:46] *wanted [07:47] we also had some lecroy analyzers, but those had windows only software, because 'professioanl', the pricing was also 'professional' level, sigh [07:54] zyga: I added a comment to 5621 - please have a look, I think the whole attempt to support this strange apparmor lxd setup is fruitless, I will go with a selftest instead [07:55] zyga: a selftest that will simply error [07:56] Ack, looking [08:00] hmmm [08:00] yeah, it looks like Alice is still falling [08:01] zyga: I ran out of ideas [08:01] zyga: which is sad, I had hoped to make it work [08:01] zyga: but if we can't run snap-update-ns because of outside strange interferences not much left we can do, can we? [08:02] yeah, I'm surprised how that happens [08:02] I need to read the fine details [08:02] but I think that doesn't change the outcome [08:02] it's all hopeless at that point [08:02] zyga: *despair* [08:02] hey, despair is when the sky falls down [08:02] this is just something we made :) [08:02] zyga: well, at least we will now give a clear error message (well, not now but *soon*) [08:02] yeah [08:03] +1 for a self-test [08:03] if we can make a reliable one [08:03] zyga: I think we can [08:03] zyga: I mean, we can just use the same detection we would have used otherwise [08:16] Good morning! [08:17] PR snapd#5715 opened: selftest: detect if apparmor is unusable and error [08:18] PR snapd#5621 closed: release: detect when apparmor is available but not usable [08:30] hey niemeyer ! good morning [08:31] zyga: I also added a forum post about this, feel free to add details, I wonder if I should link to it from the error message in the selftest [08:31] yeah, anything that helps people google it [08:31] zyga: +1 [08:32] zyga: I was actually thinking that the selftests should provide data to snap (the command) as well, let me try to sketch something out [08:32] hmm [08:32] so snap version [08:32] can say "but not functional"\ [08:32] ? [08:32] but selftest makes the daemon stop [08:32] zyga: something like "snap install foo" would return "snap cannot talk to snapd because: selftest-message" [08:33] aha [08:33] zyga: yeah, it needs to life in e.g. /run/snapd/selftest-fail or something [08:33] we could drop a file in /run/snapd/selftest [08:33] haha [08:33] nice ;D [08:33] we thought about the same idea :) [08:33] zyga: *or* we could go into degrated mode in the daemon but that seems overkill [08:33] * mvo hugs zyga [08:33] yeah, I agree, I think the file is sufficient [08:33] zyga: I wonder if thats a good or a bad sign ;) I mean group-think and allthat [08:33] and we need to unlink that file if snapd starts :) [08:33] zyga: thanks, I add a quick PR [08:33] :) [08:34] I think it's good because it is simple [08:34] zyga: yeah - we could also only look for it if we can't talk to the daemon but unlink is even easier [08:34] oh, good idea [08:34] yeah [08:49] PR core#38 closed: Add another pi-config option [08:49] PR core#83 closed: move most of the ubuntu-core config deb into the snap snap build [08:49] PR core#93 closed: hooks: unwind /etc/alternatives [08:50] PR core#38 opened: Add another pi-config option [08:50] PR core#83 opened: move most of the ubuntu-core config deb into the snap snap build [08:50] PR core#93 opened: hooks: unwind /etc/alternatives [09:04] PR snapd#5716 opened: tests: spread test for parallel-installs desktop file handling [09:11] there's a forum topic about docker from snap and LD_LIBRARY_PATH and it looks a bit weird, https://forum.snapcraft.io/t/ld-library-path-in-snapped-docker/6903/4 the problem seems to appear on ubuntu only, arch, opensuse, debian are fine [09:20] PR snapd#5700 closed: tests: significantly reduce execution time for managers test [09:39] PR snapd#5717 opened: snapd: go into degraded mode when the selftest fails [09:47] mvo: reviewed [09:50] mborzecki: hmm [09:50] mborzecki: LD_LIBRARY_PATH is managed by apparmor [09:50] zyga: thanks, thats good stuff [09:50] mborzecki: it's one of the special flags managed by AT_SECURE [09:50] PR snapd#5718 opened: overlord/ifacestate: remove "old-conn" from connect/undo connect handlers [09:50] zyga: fwiw, I tried the /run/snapd/selftest.err first but it was more convoluted [09:51] mborzecki: in essence, it doesn't traverse setuid-rooot binaries [09:51] mvo: this is nice :) [10:00] pstolowski: #5618 reviewed [10:00] PR #5618: overlord: instantiate UDevMonitor [10:02] zyga: thanks for leaving a note under the topic ;) [10:03] niemeyer: great, thank you! [10:04] #5716 is an easy win if anyone's interested [10:04] PR #5716: tests: spread test for parallel-installs desktop file handling [10:05] I'm 100 PRs behind that still, in #5623 now :) [10:05] PR #5623: advise-snap: add --dump-db which dumps the command database [10:06] zyga: pushed an update to #5713 [10:06] PR #5713: many: mount namespace mapping for parallel installs of snaps [10:12] mborzecki: added small review [10:15] zyga: aa haha ok [10:46] PR snapd#5719 opened: strutil: add new ParseValueWithUnit === Guest4879 is now known as ahasenack [10:57] zyga: on arch with linux-hardened kernel and apparmor userland bits: https://paste.ubuntu.com/p/FQ9TyxXkjB/ [10:57] mborzecki: nice [10:57] mborzecki: but not fully enabled (since we only do the fully enabled apparmor-in-snapd in tumblweed) [10:58] zyga: yup, will need to tweak that a little [11:00] [ 336.086774] audit: type=1327 audit(1535108348.381:97): proctitle=61707061726D6F725F706172736572002D2D7265706C616365002D2D77726974652D6361636865002D4F006E6F2D657870722D73696D706C696679002D2D63616368652D6C6F633D2F7661722F63616368652F61707061726D6F72002D2D736B69702D726561642D6361636865002F7661722F6C69622F736E6170642F617070 [11:00] wow, not very useful [11:03] pstolowski: Enumeration reviewed as well [11:03] * niemeyer => lunch [11:04] niemeyer: ty! [11:05] mborzecki: yeah, processes put garbage there [11:05] that's seccomp though [11:05] do you have more ? [11:07] zyga: the profiles appear to be loaded https://paste.ubuntu.com/p/3VGgW5bwRQ/ [11:07] mborzecki: no, I mean, the error is from seccomp [11:07] not from apparmor [11:08] zyga: ther was just some STATUS following that [11:08] can you paste more please? [11:13] pedronis: did I read your comment in 5606 right that you prefer a download options parameter instead of using the context? I can kill the context entirely when using the download options, it will just be a bit noisy because of the test updates [11:13] zyga: https://paste.ubuntu.com/p/cK3FG7WJP4/ [11:14] mborzecki: this is interesting: [ 928.212558] audit: type=1300 audit(1535108940.553:100): arch=c000003e syscall=1 success=yes exit=2953 a0=6 a1=f980dd043a0 a2=b89 a3=0 items=0 ppid=3853 pid=3854 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="apparmor_parser" exe="/usr/bin/apparmor_parser" subj==unconfined key=(null) [11:14] that's seccomp telling us that write is okay? [11:16] zyga: seccomp is type=1326 (unless that recently changed?) I wonder if auditd is installed with rules to log writes to all files [11:16] ahh [11:17] thank you! so it's not seccomp at all [11:17] I was confused by arch and syscall numbers [11:17] I was confused by arch and syscall numbers [11:17] mvo: fyi, I approved 5715 (thanks!). that is indeed a weird configuration and am happy with the new approach [11:18] mvo: did you see my question yesterday about the -18 gadgets? do you want me to adjust the review tools for those? [11:20] niemeyer: I'm using the spread snap and while google works now I was wondering if you could special case running from a snap and use $SNAP_COMMON to look for qemu images. I don't know if there are other dependencies (interfaces) for this at this time (probably) [11:22] jdstrand: I did see it and I thought I had replied. apparently not :) sorry for that, please wait a little bit with the update of the review tools, we will discuss this today (or Monday). I think we want bases for gadgets in the new world but we could also simply always assume gadgets use the model.base. so its a bit of a policy decision if we want implicit or explicit bases for gadgets [11:23] oh my, travis is like rolling a dice nowadays === pstolowski is now known as pstolowski|lunch [11:24] pstolowski|lunch: yeah, its rather annoying [11:24] * mvo lunch [11:36] zyga: jdstrand: https://paste.ubuntu.com/p/WWb3rXGskG/ well, hello-world.evil does not seem to be getting policed by apparmor, the profile is http://paste.ubuntu.com/p/8czF54H45C/ [11:36] mborzecki: because we don't enable apparmor [11:36] aah damn [11:36] right [11:36] mborzecki: you need to patch apaparmor/backend.go [11:36] zyga: that's the first pase [11:36] zyga: but i still need to rebuild s-c [11:36] no, I think you are OK [11:36] s-c no longer plays any role [11:37] unless you built it without apparmor entirely ;) [11:37] zyga: yeah, i did :P it's a default install, i'm replacing the binaries i need [11:40] mborzecki: what is the output of 'sudo aa-status'? [11:40] jdstrand: http://paste.ubuntu.com/p/2f42M3D5Zv/ [11:42] mborzecki: can you run 'snap run --shell hello-world_foo.evil' in one terminal, then while that shell is open, run aa-status and see if a process is add to the profile (ie, look at the bottom of the output)? [11:44] mborzecki: or do it with the non-_foo one [11:44] jdstrand: zyga: wohoo, had to install s-c profile and load it, hello-world.evil is not getting blocked https://paste.ubuntu.com/p/Hn8tCkcxQs/ [11:45] s/not/now/ [11:45] yeah, I figured snap-confine was not performing the transition [11:45] fyi, this could've been used to confirm the kernel was working right: aa-exec -p snap.hello-world.evil -- /snap/hello-world/current/bin/evil [11:46] but you don't need that now of course [11:46] jdstrand: zyga: i'll put that bit for interfaces/apparmor/backend.go up for review and post a topic in the forums [11:46] anything else i could try here? [11:46] mborzecki: is this a default config for arch now? [11:47] mborzecki: run spread ;) [11:47] zyga: no, it's linux-hardened kernel, it's not the default, but it is avaialble in community repo, i only had to grab apparmor from aur [11:48] ooooh [11:48] I fixed my opensuse install :) [11:48] woooot [11:48] and learned a lot while doing that :0 [11:48] :) [11:49] mborzecki: it does seem like there is a problem though. whatever happened on that system it was failing open [11:49] mborzecki: normally we see the 'snap-confine is running with elevated privileges but without and apparmor profile" (or whatever) [11:50] an* [11:50] jdstrand: 'snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks' this? [11:50] yes [11:51] as I understand what you did to make it work, you loaded the snap-confine profile [11:51] jdstrand: i go that before i dropped snap-confine in /etc/apparmor.d (it wasn't there before) [11:51] I would've expected that message if the profile wasn't loaded. instead, hello-world.evil ran without the profile change to the apparmor profile [11:52] I think what happened is that we load the permissive profile [11:52] jdstrand: hm it didn't run after i got that message [11:52] you probably didn't rebuild snapd with the fix [11:52] mvo, hey [11:52] mvo, https://paste.ubuntu.com/p/sFhhhBzkQh/ [11:52] mborzecki: ok, so you didn't have the profile at all, then you got the message and it failed to run? if so, 'good' [11:53] the output got from dragonboard [11:53] jdstrand: i rebuilt snapd with the fix, but s-c was not rebuilt with apparmor and there was no profile for it (basically the default build on arch), then in rebuilt s-c but forgot the drop the profile in /etc/apparmor.d (that's when it got blocked) and last thing i did is to copy the profile and load it, and that's where .evil got blocked and so on [11:53] mvo: are you going to work on landing #5234 ? it has +1s but has conflicts and needs some tweak [11:53] PR #5234: snap: add `snap list --format=...` option [11:54] mborzecki: ok, that makes sense and it sounds like there is no snapd problem. that was a 'packaging problem', if you will [11:54] jdstrand: yes [11:54] mborzecki: thanks for confirming that [11:59] mvo: yes, I prefer a download options, context is not really meant to replace function arguments, it's more to cross unrelated layers or deal with cross-cutting concerns [12:14] PR snapcraft#2222 closed: lxd: support new style snap injection [12:18] PR snapd#5720 opened: interfaces/apparmor: do not downgrade confinement on arch with linux-hardened 4.17.4+ [12:18] zyga: jdstrand: ^^ [12:19] done [12:21] pedronis: I'm updating 5234 (and the others) now that they all have reviews, no new PR from me until the others are landed, promised [12:21] mvo: :) [12:21] thx [12:22] pedronis: thank you for the review(s) [12:22] cachio: meh, that lookds not encouraging [12:23] mvo: I think Chipaca added some helper to show Publisher now [12:23] related to #5234 [12:23] PR #5234: snap: add `snap list --format=...` option [12:24] mvo, yes [12:25] mvo, similar problem than the last time [12:25] pedronis: yeah, also the verified publishers ansi and all that, that pr needs some serious work [12:25] pedronis: I'm working through my pile, at least this one has clarity now [12:26] cachio: I will have to dig into it [12:28] heh, super dark outside, huuge storm coming my way [12:28] mborzecki: oh [12:29] zyga: it seems to be going east, so you're next :) [12:29] hi, I have a json-schema question (asking here sice snapcraft uses it): does anyone know if it possible to define constants for the patterns used in patternProperties? [12:29] mborzecki: yeah [12:29] ackk: constants as in what? [12:29] zyga: http://pogodynka.pl/polska/radary [12:29] default values [12:29] or what? [12:29] * zyga is somewhat familiar with JSON schema [12:30] zyga, I have the same value for the regexp used in patterProperties used in different objects, is there a way to avoid repeating it? [12:30] mborzecki: I'm considering skipping standup to go for that one last bike ride this week [12:30] ah [12:30] does anyone know if chipaca is back next week? [12:30] ackk: I see, last time I checked there was no other way than $ref [12:30] sergiusens: he will be back tuesday iirc [12:30] zyga, yeah but ref doesn't work in a key [12:30] so if you can use types/refs (however that was called) to somehow define what you want [12:30] otherwise no [12:31] zyga, I see, that's what I thought but I was hoping I was wrong :) [12:31] zyga, thanks [12:32] zyga: did ~35km yday and ~27km day before that :) it's a pity it's getting dark around 8pm now === pstolowski|lunch is now known as pstolowski [12:32] and it's gonna be worse only [12:34] mborzecki: I did just 23km yesterday and 14 the day before [12:34] I would like at least a 10km minimal run :( [12:34] but once it rains that's out of the question [12:34] ackk: if you find out otherwise do let me know :) [12:35] zyga, the little I found on the internet seems to confirm you can't [12:35] ackk: it's like with css, people invent ${extra_letter}css to add variables and then compile it to css using piles of javascript ;) [12:35] heh [12:37] zyga: Sounds reasonable.. we might just check if $SNAP_COMMON is set and if so use that path in addition to the default location [12:37] yeah [12:37] and also a very nice use of $SNAP_COMMON :) [12:37] exactly the sort of data we don't want to repeat [12:38] zyga: Yeah.. let's just be careful to use a subpath there, instead of assuming the snap is necessarily spread [12:38] Since people can embed spread in their own snaps [12:38] mmm [12:54] niemeyer: hey there. Wanted to ask if we can move today's meeting to Monday [12:59] PR snapd#5638 closed: interfaces: basic spread test for udev monitor [12:59] sergiusens: Sure thing [13:00] sergiusens: Morning [13:00] thanks, this will give us time to prepare better for a couple of discussion points. [13:00] niemeyer: and good afternoon for you! [13:01] mborzecki: hmm [13:01] mborzecki: can you checkout master and then go test ./... in interfaces [13:01] I get errors related to the new file checker [13:01] but they are clearly bogus [13:02] the checker is used as in Not(testutil.FileContains) [13:02] c.Assert(profile+".src", Not(testutil.FileContains), "# complain mode logging unavailable\n") [13:02] so we just want to check that something is not in the file [13:02] zyga: works fine [13:02] and then it says "failed" [13:02] but the searched string is _not_ in the file [13:02] zyga: you need to update vendored deps [13:03] aaah [13:03] thanks [13:03] zyga: that's a bug in go-check that's fixed in master and included in the version we vendor [13:03] nice [13:04] PR snapd#5721 opened: interfaces: retain order of inserted security backends [13:05] standup! [13:05] sorry [13:09] PR snapd#5593 closed: tests: new test for hostname-control interface [13:48] zyga: why doesn't it boot? [13:48] it was using a snapshot to load grub modules [13:49] a btrfs subvolume snapshots [13:49] and that snapshot is corrupted [13:49] the rest is ok :D [13:49] heh, nice feature btw [13:49] it was reliably failing even after I fixed it [13:49] for a reason :D [13:49] haha [13:49] i still think it's crazy to use btrfs by default, but whatever ;) [13:49] for _grub_ [13:49] anyway [13:49] I'm happy now [13:49] I need to fix this but it's clear why it is broken [13:50] did snapper complain at least? [13:50] can I get some tests of gimp from the edge channel please? I want to push stable if it is working fine [13:50] snapper used all the space [13:50] snapper didn't care [13:50] ping @popey @Wimpress ^^^^^ [13:50] gib me all your space ;) [13:51] oooh [13:52] diddledan: 2.10.6? [13:52] popey: I've added a banner image to the gimp store listing, so it can be a big-banner-featured at some point :-) [13:52] yup 2.10.6 [13:52] \o/ [13:54] diddledan: full screen splash intentional? [13:54] have you got a low-res screen? :-p [13:54] I've not changed anything regarding the splash [13:54] so that'll be whatever gimp does normally? [13:55] looks like the splash image from upstream is 1920x1080 [13:56] ah, i'm 1080p :) [13:57] I've got 1080p and it doesn't go fullscreen for me :-/ [14:00] https://usercontent.irccloud-cdn.com/file/SzjUD61N/Screenshot_20180824_145404.png [14:05] I need a small break to walk the dog and eat something [14:24] jdstrand: yeah, please allow bases for gadgets [14:25] jdstrand: we just discussed this and agreeded its the right approach [15:00] diddledan: gimp 2.10.6 "worked for me" [15:00] yey, thankyou [15:04] re [15:04] my dog is much happier now [15:04] as am I :) [15:04] good food, nice walk [16:04] * zyga welcomes rain [16:31] PR snapd#5655 closed: snap,snap-exec: support command-chain for hooks [16:43] how can i install a snap in my home directory? [16:48] We don't support that. [16:51] is installation for only one user possible? [16:52] Not currently, no. [16:54] would be nice if snaps supported that, is that feature planned for the future? should i suggest that feature in Launchpad? [16:55] PR snapd#5722 opened: tests: test for the hostname interface