taskerI'm having issues getting "core" to install because the snap daemon is looking explicitly for "mount.squashfs" and "umount.squashfs". what package provides those? and, perhaps a better question, why can't the code simply look for "mount"?00:22
taskerI should explain that I can't install "core" because those two utilities don't exist on my system.00:25
=== chihchun_afk is now known as chihchun
=== chihchun is now known as chihchun_afk
zygaGood morning06:33
mvozyga: hey, good morning06:37
zygaHey :-)06:46
zygaJust drinking coffee06:46
zygaA bit sleepy still06:46
mborzeckimvo: zyga: hey06:52
mvohey mborzecki !06:58
=== pstolowski|afk is now known as pstolowski
pstolowskimorning o/07:09
mvohey pstolowski !07:09
mvopstolowski: does 6669 or 6712 need further samuele input? I saw he commented on both but it looks like you addressed all his input. would like to see if we can move forward here07:10
pstolowskimvo: no, i think we could move forward with them, i don't think there is anything controversial there; i can tweak in a followup if Samuele finds anything after it lands07:17
mvopstolowski: cool, thanks07:20
zygain the office, finally07:21
pstolowskimvo: btw not sure if you saw my comment to https://github.com/snapcore/snapd/pull/675507:21
pstolowskimvo: one of the dns-related messages that we use in retry code ("Temporary...") seems to be coming from glib (I grepped glib sources) and i think it can be translated :(07:22
mvopstolowski: uhoh07:22
mvopstolowski: I have not seen it :/ thats annoying for sure07:22
pstolowskimvo: perhaps we should simply catch *net.DNSError and don't try to be too smart wrt error message07:23
mborzeckipstolowski: glibc right?07:23
pstolowskimborzecki: right07:23
mborzeckipstolowski: actually an interesting problem, whether the error message by the time it's accessible in Go, is translated according to locale :/ that would be most unfortunate07:37
pstolowskimborzecki: i haven't actually verified that. just found the error in the code, and then in all po/*po files of glibc. don't know how the error is propagated to go07:39
pstolowskimborzecki: i'll actually cook something to check that under PL locale07:41
brlin430.09 NVIDIA graphics driver seems to broke OpenGL support: https://forum.snapcraft.io/t/call-for-testing-obs-studio-snap/4298/3907:46
zygabrlin: ack07:53
brlinzyga: Tks!07:53
zygabrlin: we have poor support for nvidia and have roadmap item to improve that but it will likely slip a little07:53
brlin(not really care much as I use intel graphics)07:54
pstolowskimvo, mborzecki : ok, false alarm with translated error msg, i think we're good. under pl locale i'm getting:07:57
pstolowski$ ping www.sadaa.pl07:57
pstolowskiping: www.sadaa.pl: Odwzorowanie nazwy jest chwilowo niemożliwe07:57
pstolowskibut with go test:07:57
pstolowskipanic: Get https://asjhdaksdjhka.org/get: dial tcp: lookup asjhdaksdjhka.org: Temporary failure in name resolution07:57
pstolowskiit seems only the standard cli utils get the translated messages07:57
mborzeckizyga: added some notes under https://github.com/snapcore/snapd/pull/6759 looks like something fishy with go toolchain, and not 1.10 specific08:21
zygamborzecki: https://github.com/snapcore/snapd/pull/6759#issuecomment-48493106708:47
zygamborzecki: if you remove the need for C, go build defaults change08:47
zygamborzecki: I observed this when working on BuildID originaly08:48
mborzeckizyga: hm the resulting test binary is still dynamically linked and gcc is involved in the build process, so it's not exatly the same as CGO_ENABLED=008:51
zygawhat was that pixel font...09:02
Chipacazyga: pixel font?09:24
zygawhenever I work on low-dpi screen I use that font09:24
zygaI found something good enough for now09:24
Chipacazyga: neep alt?09:24
Chipacain xfonts-jmk09:25
zygaofftopic: it would be good to be able to ship fonts in snaps09:25
zygaand have them work on the host09:25
zygaI would really like that09:25
pstolowskizyga: can we land https://github.com/snapcore/snapd/pull/6777 or do we need to verify CLA?09:31
zygapstolowski: 1) typos are not significant contribution that is protected by copyright and 2) we have automatic CLA verification in travis09:31
pstolowskizyga: ah ok09:31
Chipacazyga: pstolowski: the travis CLA verification does have a "don't know" result which does not block09:34
Chipacaso you shold look at the output if you're unsure about a contributor09:35
zygaI didn't know that09:35
zygabut anyway, in this case this is clearly not copyrightable because it is not a creative work09:35
Chipacain this case, it's not brlin's first contribution :-)09:35
brlinI thought I already signed the CLA...?09:36
* brlin Checking it out so it won't be a problem09:37
Chipacabrlin: yeah, your first one wouldn't've gone in if not09:38
pstolowskiwould be great to land https://github.com/snapcore/snapd/pull/671709:53
pstolowskineeds 2nd review though09:53
zygapstolowski: I'm reworking your test09:53
zygapstolowski: I will push there in 10 mintues09:53
zygawrong branch09:53
zygaplease review and let's land that09:53
zygamvo: will you be handling cherry-picking for 2.39?09:53
* zyga is puzzled10:11
mborzeckineed to drop the kids at school for some extra classes, back in ~3010:12
Chipaca"extra classes" is parent-speak for "torture"10:15
pstolowskimvo: https://github.com/snapcore/snapd/pull/6733 can land?10:29
mvopstolowski: looking10:31
mvozyga: sorry for the delay, had a meeting - yeah, I take care of 2.39 cherry picks in general, anything I should cherry-pick?10:32
zygathank you10:32
zygamvo: I'm not done yet, ideally tomorrow morning10:32
mvopstolowski: yes, thank you!10:32
mvopstolowski: that was just waiting for the second review :)10:32
mvozyga: cool! thanks10:32
pstolowskibtw https://github.com/snapcore/snapd/pull/6712 needs second review (hint! hint! ;))10:33
mvopstolowski: :) yes, its on my list but not super high (yet) unfortunately10:34
mborzeckiChipaca: that would 'piano classes' or somesuch10:36
Chipacamborzecki: 'culture appreciation classes'10:37
=== degville is now known as degville-afk
zygapstolowski: I found that the stale fix is insufficient10:56
zygapstolowski: working on a bit of more code to do it10:57
zygapstolowski: I expanded your unit test and found the issue10:57
pstolowskizyga: oh interesting11:00
zygapstolowski: I was unsure about the unit test so I started tweaking it towards "more obvious"11:01
zygapstolowski: essentially more than one thing calls backend.Setup11:02
pstolowskicachio: hey, can https://github.com/snapcore/snapd/pull/6710 be updated for 19.04 now?11:14
cachiopstolowski, checking11:19
cachiopstolowski, still I need to fix the test snap-handle-link11:21
cachiowhich fails on 19.0411:21
pstolowskicachio: ack, thanks11:21
zygaChipaca: https://explainshell.com11:24
* Chipaca pastes etelpmoc.sh in11:26
* Chipaca is thwarted by 414 Request-URI Too Large11:26
* Chipaca lunches11:33
mborzeckizyga: https://explainshell.com/explain?cmd=false+%7C%7C+%3A11:34
cachiozyga, hey, if you take a quick look to this one #6694 would be really nice11:34
mborzeckithat site is not too helpful11:34
mborzeckizyga: mvo: are you on 19.04? can you check if that appears? https://forum.snapcraft.io/t/selinux-warning-when-running-lxc/1110011:52
zygamborzecki: I'm on 19.0411:53
mborzeckizyga: do you see this warning?11:54
zygamborzecki: let me check, don't know11:54
zygaor can I queue this11:55
zygamy mind is set for attribute work now11:55
mborzeckizyga: sure11:55
mvomborzecki: I'm on 19.04, I can check after lunch11:55
mborzeckimvo: thanks11:55
mborzeckioff to pick up the kids, back in 3012:00
=== degville-afk is now known as degville
cachiomborzecki, hey12:17
cachioI am researching the issue related to the xdg-open on 19.0412:17
cachiomborzecki, I found that it works well https://paste.ubuntu.com/p/jq2ZnkXPtB/12:17
cachiowhen we don't install the package evolution-data-server12:18
cachiomborzecki, otherwise it fails12:18
cachiolike this https://paste.ubuntu.com/p/bqGhTbhSbj/12:18
cachiomborzecki, any idea why it could be happening?12:18
mborzeckicachio: will take a look12:24
cachiomborzecki, thanks12:25
cachioI have debug session open12:25
cachioif you want to use it12:25
cachiofor both scenarios12:25
jdstrandmvo: remind me. say I want to create a test snap and have it in the store, I know that I put its source in tests/lib/snaps, but after I snapcraft register and upload, who should I add as a collaborator?12:51
jdstrandit seems like mvo and Chipaca12:52
jdstrandthat's cool12:52
Chipacajdstrand: cachio also maybe?12:53
Chipacajdstrand: i'm not collab on all of 'em fwiw12:53
Chipacanobody invites me to the fun parties any more :-p12:53
cachiojdstrand, yes please12:53
jdstrandI looked at hello-world and classic :)12:53
cachioadd me too12:54
jdstrandcachio: sure, np12:54
cachiojdstrand, thanks12:54
mvomborzecki: I did not get this warning when just running lxc12:59
mborzeckimvo: interesting, thanks13:00
mborzeckicachio: can you check whether installing evolution-data-server somehow pulls in gnome-software? if not, then whether gnome-software is installed before the test actually executes13:12
cachiomborzecki, https://paste.ubuntu.com/p/Pjm2gr6FpN/13:16
cachiojust suggested13:16
cachiobut a lot of gnome-* stuff13:16
cachioChipaca, when you have time, could yo uplease take a look to https://github.com/snapcore/spread/pull/70 ?13:18
mvozyga: ?13:20
zygamvo: just realized the test shows the bug is deeper than I thought on refresh :)13:22
zygamvo: the unit tests I added were good enough to show it would still be broken in one case13:23
Chipacaroadmr: frontosphenoidal13:31
mborzeckicachio: mhm, so maybe we need to run some mime update thingy13:33
jdstrandcachio: hey, so I have the ability to create amd64, i386, arm64 and armhf snaps, so I am doing that for the new test-snapd-setpriority snap. I was thinking that I wouldn't worry about ppc64el or s390x unless you felt otherwise. if you do feel otherwise, what is the recommended way to provide those?13:37
taskerI'm having issues getting "core" to install because the snap daemon is looking explicitly for "mount.squashfs" and "umount.squashfs" both of which I don't have on my system. what package provides those? and, perhaps a better question, why can't the code simply look for "mount"?13:37
cachiojdstrand, I usually create those on launchap13:37
xnoxjdstrand, launchpad can build snaps for all architectures, include ppc64el & s390x. Or are you building without launchpad?13:38
cachiojdstrand, on this project https://code.launchpad.net/~snappy-dev/snappy-hub/13:38
Chipacatasker: mount always looks for mount.<filesystem> afaik13:38
xnoxjdstrand, and they are not special arches at all, anybody can enabled them on anything.13:38
cachiojdstrand, we store all the snapd to build13:38
Chipacatasker: bah, dunno13:38
Chipacatasker: I don't have a mount.squashfs here and things work13:38
Chipacatasker: maybe it's trying that because your kernel doesn't support squashfs?13:39
taskerChipaca: it does.13:39
jdstrandcachio: I looked there and did not see other test snaps13:39
Chipacatasker: can you pastebin the output of 'snap version'?13:39
cachiojdstrand, most of the tests snaps are there13:40
jdstrandxnox: right, I realize that and do it all the time. this is a spread test snap and I didn't see/know where LP builds of test snaps are is all13:40
cachiojdstrand, for example lp:~snappy-dev/snappy-hub/test-snapd-profiler13:40
* jdstrand looks again13:40
jdstrandcachio: I might've benn looking in git13:40
jdstrandheh, I typoed as 'snappy-hug'13:41
jdstrandcachio: yeah, I looked at git. ok, I'll do the bzr dance and go from there. thanks13:43
cachiojdstrand, np13:43
cachiojdstrand, yaw13:43
taskerChipaca: http://dpaste.com/1EQZGDW13:44
Chipacatasker: what do you get in 'dmesg' when the snap fails to mount?13:50
Chipacatasker: what error do you get from snapd when you try to install?13:50
taskerI'm going back through the strace again. maybe the mount utilities aren't the problem.13:51
taskerChipaca: http://dpaste.com/07T5MHT13:51
cmatsuokamup_: you're so quiet, are you alive?13:51
Chipacatasker: that's strange, but ok, let's back up a bit13:52
Chipacatasker: try this: snap download core (more to follow when that's done)13:53
taskerChipaca: done.13:53
Chipacatasker: now try to mount the .snap file, e.g. sudo mount core_6673.snap /mnt13:54
mborzeckitasker: also try 'grep squashfs /proc/filesystems'13:55
taskeryes. I can mount squashfs.13:55
Chipacatasker: that 'mount' worked, then?13:55
taskeryes, thank you.13:55
Chipacatasker: ok, can you pastebin the output of 'snap tasks --last=install' please?13:55
Chipacatasker: (feel free to umount that snap)13:56
* Chipaca very puzzled at this point13:56
taskerChipaca: http://dpaste.com/3AMJJ9D13:57
mborzeckitasker: can you post `journalctl --since 8:44`?13:59
Chipaca--system, also14:00
mborzeckitasker: right, journalctl --system --sice 8:4414:00
taskerI cannot. don't have journalctl.14:00
Chipacatasker: what14:01
taskerand if you follow up with "snap won't work without systemd", I'm done with this experiment.14:01
Chipacatasker: snap does not work without systemd14:01
tasker. )14:01
taskerokie doke!14:01
taskerthanks a bunch.14:01
Chipacatasker: we delegate a lot of stuff to systemd ¯\_(ツ)_/¯ including the mounting of stuff14:03
Chipacawe're open to people writing different backends for other init systems, but so far nobody has offered14:04
taskerI'm not mad. saddened, perhaps, but not mad.14:04
taskergood luck!14:05
taskerthanks again for your help.14:05
Chipacawhy would you be mad?14:05
zygamvo, pstolowski: I'll grab coffee and lunch14:15
zygaI'll share what I have after that14:15
roadmrzyga shares his coffee and lunch? :)14:15
zygachanges have some impact so not great14:15
* zyga is happy to share that too :)14:15
mborzeckiguys, i'm out of ideas, what could we do about a setup like this: https://forum.snapcraft.io/t/selinux-warning-when-running-lxc/11100/14:38
mborzeckiit's a mix of custom mainline kernel, which somehow got selinux enabled, plus selinuxfs is somehow mounted during boot14:39
mborzeckibut userspace tools are missing (as in https://github.com/PowerShell/PowerShell/issues/9252 ) or the userland is totally unprepared for selinux (i.e. missing policy and so on)14:39
mborzeckii suspect this will break with 2.3914:40
mborzeckiChipaca: wow, that kerlen that you linked, i looked at the config patches, +CONFIG_DEFAULT_SECURITY="selinux" +CONFIG_DEFAULT_SECURITY_SELINUX=y in debian.master/config/config.common.ubuntu14:44
Chipacamborzecki: detect a selinux with no policies as part of 'not supported'?14:44
Chipacamborzecki: ouch14:44
Chipacamborzecki: maybe ask kernel people about this then14:45
Chipacamaybe we're dropping apparmor for 5.0 :-p14:45
* Chipaca hides14:45
mborzeckii seriously wonder how did the system even boot properly14:46
ChipacaZombie processes detected, machine is haunted.14:47
Chipaca^ bofh knows all14:47
mborzeckipsdoom window pops up14:47
Chipacaman why are we not packaging psdoom14:49
zygaback from coffee14:56
zygasorry, sleepy since I slept so little last night14:56
Chipacaapology accepted15:01
zygalike this? :D15:02
=== juliank is now known as juliank|dalek
=== juliank|dalek is now known as juliank
mborzeckiChipaca: as far as selinux enabled detection is concerned: https://github.com/SELinuxProject/selinux/blob/master/libselinux/src/enabled.c#L11-L2115:06
jdstrandmvo: thinking through how to require that golang-seccomp is patched, since daemon user will have terribly incorrect bpf otherwise15:21
jdstrandmvo: I'm having trouble. golang-seccomp doesn't declare anything that we can use in system-key (eg, a version or something)15:21
jdstrandmvo: we could try to generate a tiny bpf and they see if it is correct, but that is kinda yucky15:22
jdstrandmvo: I do know that golang-seccomp is adding a new func called GetApi() for the new libseccomp call. that was added after the patch to AND15:23
zygapstolowski: I'm running spread after adjusting unit tests15:24
jdstrandmvo: so, in theory, we could reference that somewhere in the code and then snapd would fail to build. this would force people to update (we would fetch/merge into the vendored code)15:24
zygajdstrand: can we vendor golang-seccomp in snapd to the extent that we only depend on libseccomp and have a slimmed-down version of golang-seccomp for just the functions that we use?15:24
zygapstolowski: I'd like to proceed as follows15:25
zygapstolowski: I have some changes to unit tests in ifacestate15:25
zygapstolowski: those should hopefully not depend on the fixes that are coming after them15:25
jdstrandzyga: we already vendor it. the problem is fedora and debian strip it out and use the system golang-seccomp. if we vendored everything, there is no problem15:25
zygapstolowski: the motivation is simple: lots of tests use a common consumer/producer yaml that has lots of quirky attributes and hooks15:26
zygajdstrand: not vendor in that sense15:26
jdstrandzyga: debian and fedora should be fixed soon, but I'm worried about other systems15:26
zygajdstrand: make it a part of snapd tree15:26
zygajdstrand: strip rest of the code15:26
zygajdstrand: drop the vendored dep15:26
jdstrandyou mean an embedded code copy15:26
zygajdstrand: yes, but much reduced15:26
jdstrandzyga: it wouldn't be 'much reduced'. it is already small and we are using most of the api15:27
zygajdstrand: well, perhaps there would be still something to shed15:27
zygaI like the fact that it removes one moving part15:27
zygaand changes it to something we can instantly correct as we need to15:27
jdstrandzyga: a) I wouldn't necessarily want to just chop up golang-seccomp. I think it is fine to import wholesale and sit on it, which is what we are effectively doing now for most systems15:29
jdstrandzyga: b) but for the ones we don't do it on (eg, fedora and debian), they aren't going to be too keen on the embedded code copy since it is just circumventing their policy15:29
Chipacajdstrand: AFAICT using GetApi would also force using 2.4.015:30
Chipaca2.4.0+ i mean15:30
zygahence the simplification, I really mean a one-way copy and integration15:30
jdstrandChipaca: yes15:30
Chipacawhich is probably fine, but i thought we wanted to support but downgrade <2.4.0?15:30
jdstrandzyga: I know what you are saying. I'm saying I know distros and the whole reasons they balk at vendoring the way we do now are still there with an embedded code copy15:31
zygabut at some point it does become a gray area15:31
jdstrandChipaca: there are a spectrum of options. one is failing the build. one is trying to detect at runtime and degrading. I wanted to see if GetApi() was available for use at runtime, but it doesn't seem go supports that. reflect doesn't help cause it isn't an obj. it is a package function. If I could be proven wrong, I would go that route15:32
jdstrandzyga: for the distros that are enforcing not vendoring, there is no gray15:33
jdstrandzyga: again, if we embedded, I would strongly advocate *not* changing the imported code15:33
jdstrandwe use like 90% of the api. maybe more15:34
zygaor we can rewrite it :)15:35
zygaI would love to over summer holidays15:35
jdstrandplease stop suggesting that :)15:35
Chipacahaha, like zyga takes holidays15:35
jdstrandit has taken years for people to get it to the point that it is working now15:35
zygahaha, yes,15:35
zygajdstrand: well, I honestly think it's not something that is hard to do :-)15:35
jdstrandI know you don't ;)15:36
zygaalso we'd need a subset of real functionality and we'd have flexibility of doing more things15:36
jdstrandbut if you look at the seccomp library, it is hairy, tricky code15:36
zygaI still think the API is quirky, the results are (now) good but were not good before15:36
zygaand I think way more can be done15:36
zygaI did read libseccomp before, I didn't check the rewrite but I was honestly surprised by how complex that was, not for a good reason15:37
zygathe only valuable parts of libseccomp are: linux doesn't expose syscall numbers to userspace so libseccomp has to carry those, libseccomp has fallback code for multiplexers and deprecated syscalls (but even those are surprising IMO)15:37
zygabut that's an orthogonal discussion15:37
jdstrandI can't express strongly enough that rewriting a complex library that deals with various arch quirks and kernels that has wide industry adoption is a bad idea15:38
zygajdstrand: and is written in C15:38
jdstrandthis doesn't help my daemon user PR15:39
zygajdstrand: that same library was fundamentally broken for years <- this wasn't sent somehow15:39
zygayes, I agree15:39
zygaI'm just casually exploring the topic15:39
zygaI don't argue towards doing this for the daemon work15:39
zygabut doing this could remove *all of* snap-seccomp15:39
jdstrandChipaca: do you know of a way to detect if a package implements a function at runtime?15:39
zygaand make it all a part of snapd15:39
jdstrandI don't know how else I can express 'bad idea' :)15:40
Chipacajdstrand: I looked into it a bit, and no, sadly, not at the package level without doing horrible things15:40
Chipacajdstrand: if there were a method on a struct that we could look for, that, yes15:40
zygajdstrand: dlopen?15:40
jdstrandChipaca: yeah, I spent too much time on it this morning already15:41
jdstrandzyga: dlopen what?15:41
zygajdstrand: dlopen the so file, look up the symbol,15:41
zyga<jdstrand> Chipaca: do you know of a way to detect if a package implements a function at runtime?15:41
jdstrandzyga: there isn't an so. I'm talking about golang-seccomp15:42
zygaI see15:42
zygain go that's impossible AFAIK15:42
zygawell, there's reflect but I don't see the value15:42
zygait's a compile time thing15:42
jdstrandzyga: there are libseccomp bugs. I can and have worked around that because I dan downgrade if GetLibraryVersion is < 2.415:42
jdstrandzyga: but the golang-seccomp bug... there isn't version info in the package and I can't seem to do a cheap check at runtime15:43
zygajdstrand: make that a runtime choice?15:43
Chipacaoooh, ooh15:43
* zyga waits for Chipaca's idea15:43
Chipacajdstrand: so you could do this15:43
pstolowskizyga: sounds good, yeah, all those consumer/producer yamls there grew organically and out of control15:43
zygapstolowski: +1 preparing a patch now15:43
zygasorry, got distracted by family discussion that for some reason moved into the office15:43
jdstrandzyga: also, if you see above, reflect doesn't work cause it is a func in a package, not a func on an object with a method15:45
* jdstrand is curious about Chipaca's idea15:45
Chipacasorry, putting it into code15:45
zygajdstrand: indeed15:45
Chipacajdstrand: seccomp.ScmpAction(6).String()15:45
Chipacajdstrand: the commit that changes the result of that, is the same that adds GetApi15:46
mvojdstrand: was in a meeting will read backlog15:46
Chipacaor the one just before it?15:47
Chipacajdstrand: but I think that gets us there15:47
Chipacaoh no, drat15:47
ChipacaDate:   Thu Sep 21 03:14:51 2017 +000015:47
Chipacai read that wrong :-(15:47
Chipacabah, dunno15:48
Chipacathese are all old commits15:48
* zyga recommends just rewriting it all in Go15:48
* Chipaca whaps zyga over the head15:49
Chipacajdstrand: the commit that adds GetApi is from15:49
ChipacaDate:   Wed Oct 25 05:44:14 2017 +000015:49
Chipacais the one in distros really older than this?15:50
jdstrandChipaca: ah, hmm. let me look15:50
Chipacajdstrand: if it is, then checking that String would work (it's not the same commit but it's probably good enough)15:51
jdstrandwell you know, I could also just look for the actlog stuff15:51
Chipacajdstrand: that's what that String does15:51
jdstrandApr 19 2017 is the magic day15:51
Chipacait's either ActLog or Unrecognised15:52
jdstrandChipaca: ah right. we even do that in snap-seccomp. billiant :)15:52
jdstrandI can work with that. thanks :)15:52
jdstrandChipaca: I don't know why I got focused on the other stuff. thanks for listening and setting me straight :)15:55
Chipacajdstrand: it even mentions GetApi in snap-seccomp :-) now that i know what to look for15:56
jdstrandmvo: Chipaca set me straight. we are all good16:00
* Chipaca would gladly have set jdstrand queer, but thinks this is what they wanted16:00
=== pstolowski is now known as pstolowski|afk
* cachio lunch16:03
mvojdstrand: cool16:04
* mvo hugs jdstrand and Chipaca 16:04
alan_gjdstrand, any thoughts on the best name for this? https://forum.snapcraft.io/t/negotiating-a-vt-session-with-logind-needs-a-new-interface/1096916:05
alan_ggreyback and I have kicked around variants of "session" "login-session" & "logind-session"16:05
zygapstolowski|afk: https://github.com/snapcore/snapd/pull/6779/files16:12
zygaaw, he's gone :|16:12
* mvo grumbles about build failures of the snapd snap16:12
jdstrandalan_g: I suggest starting with 'login-session-control' and we can iterate in the PR16:16
alan_gjdstrand, WFM16:17
zygamvo: I'll EOD now given that my branch is blocked by 677916:18
zygamvo: the essential fix is in https://github.com/zyga/snapd/commit/e1bddc9d74fe5c08c7dd2c23f1312a6e31b1b25c16:18
zygait's stacked on top of that16:18
zygaI spawned a swarm of test machines to see if it breaks anything16:19
zygaand I will go out for a bike ride now16:19
zygamvo: let's try to attempt to fix the stale tools bug tomorrow16:19
mvozyga: thank you!17:03
* jdstrand hrms17:53
jdstrandsandbox/seccomp/compiler.go:27:2: build constraints exclude all Go files in /Users/travis/gopath/src/github.com/snapcore/snapd/vendor/github.com/mvo5/libseccomp-golang17:53
jdstrandthis is with the brew build17:53
jdstrandzyga: did you do anything with brew? ^17:58
jdstrandzyga: (in the past that is; I need to adjust sandbox/seccomp/compiler.go I guess17:59
Chipacajdstrand: that's the osx build17:59
Chipacajdstrand: why is the osx build pulling in seccomp :-)17:59
* Chipaca looks at the diff18:00
jdstrandapparently my PR did that18:00
jdstrandI need to use golang-seccomp to check for ActLog in check_snap.go18:00
Chipacajdstrand: so, move GoSeccompCanActLog out to a compiler_linux.go file18:01
Chipacathat should do the trick? probably18:01
Chipacajdstrand: you can test locally by doing GOOS=darwin go build ./cmd/snap18:01
jdstrandChipaca: should I create a compiler_???.go with GoSeccompCanActLog?18:02
jdstrandif so, what is ??? ?18:02
Chipacajdstrand: compiler_linux.go, as i said?18:02
Chipacaor am i missing something18:02
jdstrandChipaca: yes, but then osx will not have GoSeccompCanActLog()18:03
Chipacajdstrand: and what uses that?18:03
* cachio afk18:03
jdstrandChipaca: sorry. this pr is to support a check in the daemon user pr18:04
jdstrandChipaca: for this pr, sure, compiler_linux.go18:04
Chipacajdstrand: osx only builds cmd/snap, nothing else, if that helps?18:04
* Chipaca tries to understand but is a little tired18:05
jdstrandChipaca: but in the daemon user pr, check_snap.go from overlord/snapstate is going to call that18:05
Chipacajdstrand: ah, but cmd/snap doesn't use that18:05
Chipacajdstrand: overlord isn't built for osx18:05
jdstrandChipaca: I see18:05
Chipacaso you won't need a compiler_other.go18:05
jdstrandI was thinking that it would be in there since it is happening during snap install18:06
jdstrandgotcha. thanks again! :)18:06
Chipacajdstrand: anything that tries to talk to snapd errors out, on osx18:06
jdstrandChipaca: that fixed it right up. thanks again :)18:28
zygajdstrand: I did something with brew long time ago but not recently18:35
Chipacazyga: all fixed now18:36
zygaChipaca: cool, thank you!18:36
Chipacawell, allegedly18:36
* zyga just returned from a walk18:36
zyganow tempted to go on a bike ride18:36
zygato close the "rings" :)18:36
zygaI'd love to land https://github.com/snapcore/snapd/pull/677918:36
zygaif anyone wants to look at boring changes18:36
zygabut not today, today is rest day18:36
Chipacai'm off to the shops18:37
Chipacagonna get me some curry or sth18:37
zygathank you Chipaca !18:37
zygamvo: if you want to help, please land ^18:37
mvozyga: oh, interessting? what is the background there?18:38
zygamvo: it's spelled out in the PR :)18:38
zygabut the extra description is as follows18:38
zygalots of tests just use "consumerYaml" and "producerYaml"18:38
zygaand happily add extra crap to the definitions18:38
zygaso now they are a monster with all kinds of apps hooks plugs and stuff18:38
zygaand crazy hard to follow tests result from that18:39
zygaas I worked on https://github.com/zyga/snapd/commit/e1bddc9d74fe5c08c7dd2c23f1312a6e31b1b25c18:39
zygaI realized it would impact tests less if I change some of the existing tests18:39
zygato use a smaller version of consumer/producer yaml18:39
zygawhich has ... well, just what the test needs18:39
zygaso there's less noise in changes18:39
zygaas you can see in the patch I linked to, it changes two existing unit tests18:39
zygabut only those tests because only those tests meaningfully interact with what is changed18:40
zygawithout the yaml patches from that PR it would also affect a random collection of tests that just happen to have random properties added to consumer/producer yaml that is shared and grew organically over time18:40
jdstrandzyga: I thought I remembered you did which is why I asked; figured you'd at least point me to the right person, but, Chipaca to the rescue :)18:41
zygajdstrand: yeah, I was the ssh-to-macos-du-jour ;)18:42
zygajdstrand: I wondered if this is a CVE18:42
zygajdstrand: if you have a browser with sandbox and then refresh but stay on the stale attribute forever18:42
zygaor something along the same vein18:42
zygaanyway, I need to make tea18:43
zygaI'll check back later18:43
zygajdstrand: it's enough to read the commit message to get an idea about the impact18:43
jdstrandzyga: it's definitely a bug worth fixing (thanks!). in the grand scheme of things, I don't consider it a cve. In isolation, arguably so, but considering the store and snap declarations, probably not since the publisher was granted use of the attribute and can remove and add at will.18:47
jdstrandzyga: it would affect a snap declaration that revoked, but that isn't terribly different from the old bug where a user disconnected and then on refresh the interface was connected again18:48
jdstrandzyga: I say just fix it and be done with it. if someone argues for it to be one, we can reconsider18:48
jdstrandzyga: you probably noticed we finally have CVEs for those 2 snap-confine issues. I think I cc'd you on the email to oss-sec18:49
jdstrandzyga: just fyi18:49
zygaI noticed, thank you!18:49
zygaYes, I started following the ML18:50
jdstrandzyga: in other news, making the world a better place: https://github.com/seccomp/libseccomp-golang/issues/3218:51
zygajdstrand: oh indeed, thank you18:53
zygaAnd I’m sorry about my desire to rewrite all external deps as a part of snapd :-)18:53
zygaApparmor parser is in that list as well18:55
zygaUltimate way to both understand something and control it18:55
jdstrandI know it is18:55
jdstrandsandbox/seccomp/compiler_linux.go:22:2: build constraints exclude all Go files in /home/ubuntu/gocode/src/github.com/snapcore/snapd/vendor/github.com/mvo5/libseccomp-golang19:04
jdstrandI keep hitting this no cgo thing19:04
* jdstrand make it a snap-seccomp command and calls out to it19:04
zygajdstrand: do you want a shell on my iMac pro?19:18
jdstrandzyga: compiler_linux.go fixed brew. now I'm hitting this with CGO_ENABLED=019:18
jdstrandso the approach is not viable19:18
* jdstrand sighs19:18
* zyga hugs jdstrand19:19
* zyga merged and opened a new PR from his phone19:29
roadmrbut can it make phone calls? ;-|19:34
zygaroadmr: who knows, is that a feature? :-)19:35
roadmrwell it enables me to not have a landline, so I'd call it a feature :D19:36
roadmrinterestingly, the cell phone company does NOT allow you to put one of their numbers as your primary contact number - they still assume you have a landline or other bootstrappy phone. My primary contact number with them has been out of service for 8 years :)19:37
roadmr(as soon as I got the cell phone, I cancelled that other number)19:37
zygaWe hardly call anyone on phone numbers now. It is mostly spam calls and more spam calls19:39
zygaIntro family calls are all telegram and FaceTime19:39
roadmrhehe nice19:40

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!