=== chihchun is now known as chihchun_afk
=== epod is now known as luk3yx
=== chihchun_afk is now known as chihchun
=== chihchun is now known as chihchun_afk
=== chihchun_afk is now known as chihchun
[05:11] morning
[05:26] Hi
[05:26] zyga: hey
[05:27] How are you?
[05:27] zyga: are we going to be equally unlucky today? i've restarted some travis jobs yesterday evening, and all are red :/
[05:28] Whaaat
[05:28] Why?
[05:28] What is failing?
[05:29] zyga: one failed with prepare image, another in go-build:s390x, the last one probably managed to hit some mirror sync
[05:30] Eh
[05:30] Assorted bad luck
[05:30] zyga: prepare-image was probably some issue fetching snaps from the store
[05:30] I’m with the dog, outside
[05:31] and the 4th job got 502 when pulling gopkg.in/yaml.v2 :P
[05:31] Is the store wonky today?
[05:31] feels like i should play some euro jackpot today
[05:32] Haha
[05:33] Nice
[05:33] Yesterday I learned that apple support should be split in two
[05:33] is #6667 waiting for something else?
[05:33] PR #6667: tests: enable tests that write /etc/{hostname,timezone} on core18
[05:34] zyga: sup and port?
[05:34] 90% of the people came with a shattered phone
[05:34] That took forever
[05:34] Looking at 6667
[05:34] zyga: many people are clumsy then :)
[05:35] Hmm
[05:35] Maybe ok to land?
[05:35] #6659 can probably land too
[05:35] PR #6659: snapcraft: build static fontconfig in the snapd snap
[05:35] Mvo will be around soon
[05:35] Yes
[05:35] +1 there
[05:36] there will be a followup but somewhere else in the code
[05:45] re
[05:45] back in the office
[05:46] PR snapd#6502 closed: dirs,overlord/snapstate: add Soft and Hard refresh checks
[05:47] eh, I feel even more sick than yesterday now
[05:48] mborzecki: can you please review https://github.com/snapcore/snapd/pull/6643
[05:48] PR #6643: tests: deny ioctl - TIOCSTI with garbage in high bits
[05:48] it's something that should have landed weeks ago but was under embargo
[05:48] hello mvo
[05:51] zyga: good morning
[05:51] mvo: hey
[05:51] zyga: how are you? how is the testing situation?
[05:51] hey mborzecki
[05:52] mborzecki: anything on the suspected memleak?
[05:52] mvo: I have a running nose and something in my lungs :/ I probably will skip japanese classes today
[05:52] mvo: no, Chipaca asked some questions in the LP bug
[05:52] mvo: tests are grim, failing on assorted collection of random annoyances
[05:52] from network to more network to random stuff
[05:53] zyga: :(
[05:53] zyga: I saw that archive.u.c had some issues last evening
[05:53] mborzecki: cool, keen to learn what john figured out, I will check the bug
[06:03] zyga: mvo: do you use auditd and ausearch on ubuntu?
[06:03] no
[06:03] well
[06:03] auditd maybe
[06:03] but not ausearch
[06:06] ha
[06:06] ok
[06:07] so ausearch does not properly report denials from apparmor on arch, thought that ubuntu may carry some patches that fix that, but apparently not, doesn't work on ubuntu either
[06:07] so only suse has extra patches to fix that
[06:07] Malformed event skipped, rc=9.
type=AVC msg=audit(1554271576.256:61): apparmor="DENIED" operation="open" profile="snap.hello-world.sh" name="/home/guest/" pid=13765 comm="bash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[06:07] that's what I see on ubuntu (and arch for that matter too) when running ausearch -m AVC --debug
[06:07] just ausearch -m AVC shows
[06:10] i suggested name tweaks in #6656 but i'm not sure it's worth risking another travis run at this point, maybe we should just land it
[06:10] PR #6656: tests: split travis spread execution in 2 jobs for ubuntu and non ubuntu systems
[06:11] PR snapd#6674 closed: tests: use apt via eatmydata
[06:15] hm https://bugs.launchpad.net/ubuntu/+source/audit/+bug/1117804
[06:15] Bug #1117804: ausearch doesn't show AppArmor denial messages
[06:16] 2014
[06:16] zyga: yeah, suse carries a patch that was submitted upstream, but then the discussion went to apparmor not using some common audit ids and thus being wrongly interpreted in userspace or sth
[06:17] zyga: oh, and suse patch just works around that in the userspace parser :P
[06:17] kernel stuff is hard
[06:20] PR snapd#6672 closed: metautil, snap: extract yaml value normalization to a helper package
[06:21] ehh, opensuse this time: Some of the repositories have not been refreshed because of an error.
[06:22] mvo: zyga: what about #6677, do we want to keep golang.org/x/sys/unix pinned?
[06:22] PR #6677: vendor: pin golang.org/x/sys/unix to a revision before SYS_CLOCK_GETTIME on OSX
[06:23] mborzecki: now that things are fixed again upstream I would say we don't need to pin until the next issue like this? the risk of pinning is that we stay behind forever and don't get e.g. security fixes
[06:34] mborzecki: I would unpin it
[06:36] mvo: zyga: ack, closed the PR
[06:36] because this gives us error visibility at the cost of ... well ...
errors
[06:36] PR snapd#6677 closed: vendor: pin golang.org/x/sys/unix to a revision before SYS_CLOCK_GETTIME on OSX
[06:39] thanks mborzecki
[06:53] * zyga prepares the next refresh app awareness batch
[06:53] not a big one, but functional one
[06:56] mvo: hi, need to decide what to do with #6659, follow up needs to be tracked, and #6667 is green
[06:56] PR #6659: snapcraft: build static fontconfig in the snapd snap
[06:56] PR #6667: tests: enable tests that write /etc/{hostname,timezone} on core18
[07:08] morning
=== pstolowski|afk is now known as pstolowski
[07:17] hey pedronis, hey pawel
[07:18] pstolowski: pedronis: hello guys
[07:26] pedronis: hey, #6665 has 2 +1s; would you like to take a look or can it land?
[07:26] PR #6665: overlord/ifacestate: implement String() method of HotplugDeviceInfo for better logs/messages
[07:27] pstolowski: I need to take a look
[07:29] k
[07:29] pstolowski: we don't use "<...>" style of representation anywhere so far
[07:29] so I need to think a bit actually
[07:30] pedronis: ok; i think it'd make sense to somehow wrap this representation up as it's a bit long
[07:31] pstolowski: yes, they are bit long; too long?
[07:33] pedronis: maybe; maybe vendor/model should be omitted
[07:34] pstolowski: well model seems important, are vendor usually that long?
[07:38] PR core18#125 closed: hooks: create snapd directory skeleton
[07:38] pedronis: not really; but models can be long, three examples from my VM:
[07:38] ES1371/ES1373 / Creative Labs CT2518 (Audio PCI 64V/128/5200 / Creative CT4810/CT5803/CT5806 [Sound Blaster PCI])
[07:38] 82545EM Gigabit Ethernet Controller (Copper) (PRO/1000 MT Single Port Adapter)
[07:38] 53c1030 PCI-X Fusion-MPT Dual Ultra320 SCSI (LSI Logic Parallel SCSI Controller)
[07:39] pstolowski: so model usually contains also the vendor name?
[07:40] pedronis: it seems so, we could get rid of vendor
[07:40] pedronis: usually the rules are: there are no rules :)
[07:41] zyga: that's fine, we still need to do something reasonable and consistent with the rest of our code
[07:41] I totally agree
[07:42] that PR is not there yet from my POV
[07:42] I think, while this may be odd, that a lookaside table (in the store perhaps) may be the best outcome
[07:42] for real usability
[07:43] that is over ambitious considering where we are now :)
[07:44] is it? we can just reply with what is in the usb database already
[07:44] and we can fix ugly things one-by-one as encountered
[07:44] zyga: ?
[07:44] I mean, it's not out of reach
[07:45] zyga: what are you proposing? (I'm missing something here, given that you mentioned the store)
[07:45] zyga: I notice that you gave +1 to that PR without further comments
[07:45] pedronis: that using a simple solution now (no transformations) and planning to use the store for nice descriptions should be done
[07:47] pstolowski: anyway the closest thing we have to this sort of display problem atm is this: https://github.com/snapcore/snapd/blob/master/asserts/asserts.go#L196 (though assertions are much more structured than what we have here)
[07:53] zyga: #6605 has conflicts
[07:53] PR #6605: cmd/libsnap,osutil: fix parsing of mountinfo
[07:54] pedronis: yes, in fact i was looking at assertions for inspiration ;)
[07:54] pstolowski: you could skip serial for sure
[07:55] devpath can be quite long usually since, but devname is preferred anyway
[07:56] pstolowski: I know, waiting for a review from Jamie though
[07:57] he said he should be back reviewing things, now that he draft the daemon user stuff
[07:57] *drafted
[07:58] heh fedora 30 beta released, fedora repos back to the usual not-responding-when-release mode
[08:02] :)
[08:34] we just get that when we release kernels
[08:53] PR snapd#6682 opened: snap, gadget: move gadget read/validation into separate package, tweak naming
[08:56] pedronis: mvo: gadget package split ^^
[08:56] mborzecki: nice, I have a look
[08:56] mvo: tweaked the naming too, so snap.GadgetSize is now gadget.Size and such
[08:57] aaand damn go 1.9 fmt
[09:00] mborzecki: nice
[09:03] hope this lands soon
[09:03] mborzecki: yeah, it will be a massive source of conflicts, right?
[09:03] mvo: yeah
[09:04] mvo: merging or rebasing changes on top is super annoying
[09:05] pstolowski: some comments in 6665, happy to get feedback back on what I propose
=== chihchun is now known as chihchun_afk
[09:18] PR core18#123 closed: hooks: remove /etc/apt/sources.list.d/proposed.list
[09:19] pedronis: thanks
[09:24] mvo: now that https://github.com/snapcore/core18/pull/125 is merged, how soon can we get core18 build?
[09:24] PR core18#125: hooks: create snapd directory skeleton
[09:26] that reminds me, is there a deep reason why we kept firstboot in snapd.dirs, is not used anymore since long time
[09:27] zyga: let me see
[09:27] pedronis: that sound like an oversight (90% confident)
[09:38] zyga: I triggered a new core18 build, should be ready in ~30min or so (depending on the buildds)
[09:38] super, thanks!
[09:39] mborzecki: assuming all the renames are relatively obvious I don't need to review 6682
=== ricab is now known as ricab|bbl
[09:44] PR snapd#6436 closed: interfaces: add system-backup interface <⛔ Blocked>
[09:44] mvo: I did another pass on some of the remodel PRs, the main one needs 2nd reviews
[09:45] pedronis: ack
[09:46] https://github.com/snapcore/snapd/pull/6656 is green, are we moving forward with the plan to split the travis jobs to ubuntu and non-ubuntu?
[09:46] PR #6656: tests: split travis spread execution in 2 jobs for ubuntu and non ubuntu systems
[09:47] mborzecki: sounds best to re-discuss it quickly at today standup
[09:47] pedronis: ok
[09:47] mvo: any reasons not to merge #6667 ?
[09:47] PR #6667: tests: enable tests that write /etc/{hostname,timezone} on core18
=== chihchun_afk is now known as chihchun
[09:52] zyga: added a few comments to #6643
[09:52] PR #6643: tests: deny ioctl - TIOCSTI with garbage in high bits
[09:56] pedronis: the SRU is not out yet officially, we just have the fixes in the ppa
[10:06] PR snapd#6654 closed: packaging/fedora, tests/upgrade/basic: patch existing mount units with SELinux context on upgrade
[10:07] mvo: so verifications will fail in some cases?
[10:07] mvo: should it be marked blocked then?
[10:11] pedronis: I think so, let me do that and add a small explanation
[10:17] pstolowski: I reviewed #6660
[10:17] PR #6660: cmd/debug: integrate new task timings with "snap debug timings"
[10:20] sil2100: re 121 for core18 - I'm on it, I think I know what is going on
[10:24] hmm, hmm
[10:24] mborzecki: this maybeShellcheck has broken a lot of tests here
[10:24] grmbl grmbl
[10:25] pedronis: ty
[10:28] Chipaca: which tests?
[10:29] mborzecki: the unit tests
[10:30] Chipaca: master seems fine
[10:30] mborzecki: this is on master
[10:31] mborzecki: pastebinning in a bit
[10:31] Chipaca: hm all fine here
[10:31] mborzecki: is your shellcheck from the snap
[10:31] Chipaca: no, let me try that
[10:32] mborzecki: http://paste.ubuntu.com/p/9R5g6QFTtd/
[10:34] Chipaca: see the same here
[10:34] haha, it's /tmp
[10:34] you done fucked up, son
[10:34] :-)
[10:34] shellcheck from snap cannot access that probably
[10:34] because it gets a private tmp
[10:36] hmm hmm, not sure there's a workaround for that, unless shellcheck becomes classic
[10:37] or check uses a different tmp directory
[10:38] mborzecki: you've got the script
[10:38] mborzecki: why not just feed it to shellcheck
[10:38] Chipaca: ah right, that's another option all right
[10:50] Chipaca: fix coming up
[10:56] PR snapd#6683 opened: testutil: make mocked command work with shellcheck from snaps
[10:56] Chipaca: ^^ can you do the honors?
[10:57] mborzecki: for extra fun, go could be running from a snap as well :-)
[10:57] Chipaca: all on ubuntu core :P
[10:57] well, no, because go is classic
[10:57] ah, right
[10:59] pedronis: ok to drop serial in #6665 ?
[10:59] PR #6665: overlord/ifacestate: implement String() method of HotplugDeviceInfo for better logs/messages <⛔ Blocked>
[11:00] Chipaca: could have made it more fancy, like os.Open(), io.Copy(), but meh
[11:00] mborzecki: i thought the same on reading it
[11:00] pstolowski: is it useful or not?
[11:00] pstolowski: how long do they tend to be?
[11:01] pedronis: only if you have more instances of same device i suppose, to somehow distinguish them
[11:01] pstolowski: yea, as I said we could truncate them
[11:01] but I'm not sure how long they tend to be
[11:02] back to zyga's PR
[11:04] sergiusens: ideas about lp 1822988 would be great
[11:04] sil2100: -^
[11:10] pstolowski: my current feeling is to leave it, not do truncating yet, and see how it works out in practice
[11:11] pstolowski: we also need to deal with the fact that hotplug keys are long/unwieldy of their own
[11:13] pedronis: ok, will only truncate model/vendor
[11:13] pstolowski: but as you said, it seems we should indeed swap SHORT and non-SHORT for serial, I mean prefer SHORT if it exists
[11:13] for this use
[11:13] pedronis: yes
=== ricab|bbl is now known as ricab
[11:28] pstolowski: can you take a look at #6682?
[11:28] PR #6682: snap, gadget: move gadget read/validation into separate package, tweak naming
[11:29] mborzecki: yes!
[11:29] pstolowski: thanks!
=== chihchun is now known as chihchun_afk
[11:39] pedronis: updated #6665
[11:39] PR #6665: overlord/ifacestate: implement String() method of HotplugDeviceInfo for better logs/messages <⛔ Blocked>
[11:43] 6577 needs a second review
[11:44] PR snapd#6683 closed: testutil: make mocked command work with shellcheck from snaps
[11:44] * Chipaca ā‡ lunch
[11:45] Chipaca: I would love your review of 6684
[11:45] PR snapd#6684 opened: overlord,tests: perform soft refresh check in doInstall
[11:45] zyga: ack
[11:45] it's deceptively short :)
[11:45] and works in spread
[11:51] is there a way to list snaps that use core18?
[11:52] zyga: +1, with a silly suggestion you can ignore
[11:52] vidal72[m]: installed ones?
[11:53] Chipaca: wow, that's quick :)
[11:53] mborzecki: re ausearch, I can't remember otoh, but either jjohansen1, ChrisCoulson or tyhicks would have more info on ausearch and apparmor
[11:53] so... I need a 2nd review :)
[11:54] * cachio afk
[11:54] mborzecki: ah yes, I see now in backscroll you found the bug and extra context
[11:55] Chipaca: no, those available on store
[11:55] vidal72[m]: no
[11:55] :(
[11:55] zyga: if that 2nd review was for me, please remember I was asked to focus on something ahead of all others, a queue formed and I will get through it. I promise
[11:55] jdstrand: no no :)
[11:56] ok :)
[11:56] jdstrand: there are lots of people who can review that
[11:56] and it's not security oriented
[11:56] vidal72[m]: why do you care?
[11:56] I thought this was a 6605 reminder :)
[11:56] jdstrand: yeah, it seems the bug got deprioritized, which is ok, there's workarounds
[11:56] see, it is so much in the queue I typed that from memory :)
[11:58] I'm currently a bit stretched thin. joe is trying to help with that
[11:59] mborzecki: you could ask the priority in #apparmor on OFTC.
ChrisCoulson was assigned that at one point, but, yes, it got deprioritized for various reasons
[12:00] Chipaca: I don't want to install ones using older base
[12:00] vidal72[m]: why?
[12:01] zyga: nice review from opensuse again, pretty thorough
[12:03] anyone wants to take a look at #6661?
[12:03] PR #6661: data/selinux, tests/main/selinux-clean: fine tune the policy, make sure that no denials are raised
[12:03] Chipaca: they are built without additional compiler hardening
[12:03] hopefully that's the last one in the selinux series
[12:03] vidal72[m]: what?
[12:07] zyga: i raised one general question to #6643 ; my mistake for not adding that to review summary, it's kinda easy to miss and github makes it annoying to answer this kind of comments (no Reply underneath)
[12:07] PR #6643: tests: deny ioctl - TIOCSTI with garbage in high bits
[12:07] mvo: I'm not feeling very well and I'd like to take the 2nd half of the day off
[12:08] mvo: my highlights for the day are https://github.com/snapcore/snapd/pull/6684 which gives us the first part of working refresh app awareness
[12:08] PR #6684: overlord,tests: perform soft refresh check in doInstall
[12:08] mvo: and the suse review from https://bugzilla.suse.com/show_bug.cgi?id=1127366
[12:08] mvo: both will need more work as you can suspect
[12:09] Chipaca: https://wiki.ubuntu.com/Security/Features
[12:10] pstolowski: whdyt about https://github.com/snapcore/snapd/pull/6682#discussion_r271708445 ?
[12:10] PR #6682: snap, gadget: move gadget read/validation into separate package, tweak naming
[12:10] Chipaca: some mitigations are enabled only since bionic
[12:11] pstolowski: the catch is that we'll probably end up extracting snaps (instead of mounting them) like ubuntu-image does once we start to learn how to assemble an image
[12:11] Chipaca: https://forum.snapcraft.io/t/build-snaps-with-hardened-toolchain-by-default/5444
[12:12] vidal72[m]: gotcha
[12:13] vidal72[m]: 'snap info --verbose' will tell you the base of the most-stable channel of a snap
[12:13] for arbitrary value of most-stable (but it's usually what you want)
[12:13] ok, thx
[12:15] vidal72[m]: otherwise, e.g., curl -s -H Snap-Device-Series:16 'https://api.snapcraft.io/v2/snaps/info/gnome-calculator?fields=base' | jq -r '.["channel-map"][] | .channel.name + "/" + .channel.architecture + ": " + .base'
[12:20] mborzecki: works for me
[12:21] mborzecki: perhaps mvo can vote as well
=== chihchun_afk is now known as chihchun
[12:52] zyga: what's the status of #6583 ?
[12:52] PR #6583: cmd/snap-confine: move ubuntu-core fallback checks
[12:53] I think it needs a 2nd review and I just kicked tests that may actually pass now
[12:53] mvo: ^ can you finish your review there please
[13:00] * zyga is skipping the standup and officially EODing now
[13:00] thanks for the update zyga, enjoy eod
[13:01] thanks (cough, literally)
=== ricab is now known as ricab|lunch
[13:05] zyga: in this case, get well!
[13:12] PR snapd#6656 closed: tests: split travis spread execution in 2 jobs for ubuntu and non ubuntu systems
[13:21] mvo: let me take a look
[13:26] sergiusens: thank you!
[13:28] mvo: commented on bug and PR
[13:29] sergiusens: yay, thank you - I think scriptlet is what we will do \o/
[13:29] sergiusens: we really just need control over the ENV and that gives it
[13:32] PR snapd#6682 closed: snap, gadget: move gadget read/validation into separate package, tweak naming
[13:41] sil2100: do you prefer a force push to https://github.com/CanonicalLtd/ubuntu-image/pull/168 or another commit on top of the current one?
[13:41] PR CanonicalLtd/ubuntu-image#168: ubuntu_image: parser improvements
[14:09] PR # closed: core-build#11, core-build#22, core-build#26, core-build#37
[14:10] PR # opened: core-build#11, core-build#22, core-build#26, core-build#37
=== ricab|lunch is now known as ricab
=== chihchun is now known as chihchun_afk
[15:30] mvo: hey, here's more context on why I want the "second part" https://forum.snapcraft.io/t/snap-try-messaging-and-user-experience/10667/2
[15:33] I have a user tracking the stable channel, but is months out of date. `snap changes` shows nothing. Manual refreshes work. Does this ring any bells?
=== chihchun_afk is now known as chihchun
[15:43] Chipaca: you should probably look at #6679 (at least the daemon bits), there are some questions for you there
[15:43] PR #6679: many: implement user removal
[15:44] cmatsuoka: I did a pass on ^ as well
[15:47] pedronis: thanks samuele, I'll provide a commit addressing those issues
[15:51] kyrofa: are they using a brand store, such as on a dell gateway for example?
[15:53] ijohnson, I don't believe so, no
[15:53] Otherwise refresh control, you're thinking?
[15:55] yeah I had a similar issue recently with a user trying to install a snap on a dell gateway and the snap was gated (because of refresh-control in the default dell brand store) and that particular snap update had not been verified yet
[15:56] jdstrand: hi, I added one more snapd PR to your queue, I think you have 3 now, plus something landed I think where you were asked for a post-review today
[15:57] * cachio lunch
=== pstolowski is now known as pstolowski|afk
[17:46] pedronis: ack, yep. I'm going to go through various store requests, emails then circle back around to reviews
[17:53] mvo, https://travis-ci.org/snapcore/spread-cron/builds/515129348
[17:53] mvo, I saw that error on revert test
[17:54] mvo, perhaps the trace helps to understand
[17:56] mvo, https://travis-ci.org/snapcore/spread-cron/builds/515129348#L2201
[18:01] cachio: thanks, looking in a bit
[18:45] niemeyer, hey, when you have time could you please take a look to https://github.com/snapcore/spread/pull/75 ?
[18:45] thanks
[18:45] PR spread#75: Make spread tests for spread project run on google backend
[18:46] Snapcraft Live starts in a few minutes - https://twitter.com/snapcraftio/status/1113512766889963522
[19:04] * cachio afk
[19:12] PR snapd#6685 opened: image: prefer local for snapd/core snaps
[19:12] zyga: gif is pronounced with the g as in gnat, the i as in suit, and the f as the second one in fifth
[19:13] Chipaca: isn't gif the endless topic of discussion on how to pronounce it? :-)
[19:21] zyga: yes :-)
[19:25] PR snapd#6686 opened: testutil: fix MockCmd for shellcheck 0.5
[19:42] cachio: Need to finish something else before coming back into it, but it's on my list for after that
[20:08] niemeyer, np
[20:36] niemeyer, thankd
[20:36] niemeyer, thanks
[23:09] PR snapcraft#2520 opened: snap: set core as a base
[23:24] PR snapcraft#2521 opened: cli: cleanup environment detection