[06:08] PR snapcraft#2954 closed: cli: enable config file for base snapcraft command [08:02] PR snapcraft#2957 closed: go plugin: do not remove install /bin directory before build [10:38] jdstrand: EHLO [10:38] jdstrand: I have an idea to run by you [10:38] jdstrand: we discovered that some containers do not run udev (they have it installed but udevd is down) [10:39] jdstrand: this breaks interface setup [10:39] jdstrand: I patched it to skip the entire udev backend [10:39] jdstrand: and got feedback to write the files but not invoke udev as a safer way [10:39] jdstrand: now the question: [10:39] jdstrand: should we do that for all the backends, specifically apparmor [10:39] jdstrand: write the profiles and not load them [10:39] jdstrand: . [10:56] PR snapd#8210 closed: wrappers: add mount unit dependency for snapd services on core devices [10:56] hmm [10:56] ogra@localhost:~$ sudo ls -alh /root/snap/ [10:56] total 16K [10:56] drwxr-xr-x 4 root root 4.0K Mar 4 10:56 . [10:56] drwx------ 3 root root 4.0K Oct 3 12:09 .. [10:56] drwxr-xr-x 6 root root 4.0K Mar 2 08:39 mir-kiosk [10:56] drwxr-xr-x 4 root root 4.0K Oct 3 12:09 pc [10:57] why do i have a dir for the gadget in /root/snap ?? [11:01] ogra: because it runs as root and has HOME=/root/snap/$SNAP_NAME [11:02] zyga, "runs" ? [11:02] its a gadget :) [11:02] it must have a hook [11:02] or is that from some hook [11:02] ah [12:08] PR snapd#8220 opened: interfaces/seccomp: allow passing an address to setgroups [12:42] PR snapd#8216 closed: tests: add session-tool, a su / sudo replacement [12:46] jdstrand: https://github.com/snapcore/snapd/pull/8220 is interesting [12:46] PR #8220: interfaces/seccomp: allow passing an address to setgroups [12:48] jdstrand: https://github.com/snapcore/snapd/pull/8219 is a priority for 2.44 that came up during the sprint [12:48] PR #8219: interfaces: use udev backend if udev socket exists [12:53] zyga, some cosmetics for you guys ... https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1866058 [12:53] Bug #1866058: gadget hooks should not write to /root/snap by default [12:54] ogra: aha [12:54] ogra: hmmm [12:54] full of assumptions :) [12:55] if you think this is wrong, just close it though [12:55] ogra: I think it's interesting but I don't know what to do about HOME in such a case [12:55] ogra: I'll ask others for opinions [12:55] yeah ... it is purely cosmetic anyway [12:57] zyga: hey, ack. I'm going into a meeting but otoh not running the udev backend means the device cgroup isn't going to work right (too restrictive). disabling that results in degraded policy (some apparmor rules depend on the cgroup) which would mean PartialConfinement [12:58] jdstrand: I'll be in the call [12:58] not removing the cgroups should be 'ok' security-wise since it should just be too strict [12:58] jdstrand: note that without udev /deve is really not populated [12:58] but, I want to look at it more carefully and comment [12:58] jdstrand: sure [12:59] jdstrand: note that the PR has two approaches [12:59] jdstrand: prior approach removed udev backend [12:59] zyga: well, that is an assumption of container setup. what if this isn't a container and udev just happens to not be running, or a container in the same way [12:59] jdstrand: and we changed that to avoid interacting with the system-key [12:59] jdstrand: it's a container configured not to run udev (buildd) even if installed (we do install it as a snapd dependency) [13:00] jdstrand: we are ready with the call [13:00] zyga: but the code afaics isn't checking any of that [13:31] jdstrand: can you clarify what is not being checked? [13:32] zyga: well, so, I haven't read the PR closely, but the problem statement includes 'some containers don't have udev' but the PR will fire on 'any system that doesn't have udev' [13:33] zyga: we aren't limiting the solution to containers in other words. I am not saying we should, but that is what I meant by 'not being checked' === ppd1990 is now known as ppd === ppd is now known as ppd1990 [13:46] jamesh: commenting out the line that loads from local cache makes the fonts look ok, so mabe the cache format did change, just that now i'm skippinng my real $HOME/.cache/fontconfig ? [13:47] mborzecki: But if your default font came from /usr/share/fonts, you'd have the same problem with caches in /var/cache/fontconfig [13:47] it's not just the user's home dir [13:58] jamesh: i think i need to run the bisect again, with adding the xdg path to the ~/.fonts.conf [14:19] ogra: hey! So I merged the --disable-console-conf change - one thing worth remembering though is to adjust it for uc20 once it's a thing [14:19] So that it always does what it's intended to [14:20] yeah ... i havent tried UC20 at all yet but will roll an UC18 image to test and verify [14:20] ogra: it should land in edge soonish [14:20] and my team owes you $BEER .) [14:20] yeah === ppd1990 is now known as ppd [15:01] jdstrand: I think this is fine, I only meant to say "we saw a system, namely a container, that didn't use udev" [15:06] zyga: I'm looking at it now [15:15] jdstrand: thank you [15:23] jdstrand: that's correct [15:23] ah [15:23] sorry, my backlog moved [15:23] I read your response from two hours ago [16:03] PR snapcraft#2960 opened: specification: base plugin and plugins for core20 [16:13] PR snapcraft#2927 closed: requirements: uprev lxml to 4.5.0 [16:16] PR snapcraft#2942 closed: pluginhandler: do not search installdir or stagedir for dependencies [16:18] jamesh: so this is the commit that broke stuff: https://gitlab.freedesktop.org/fontconfig/fontconfig/commit/c4324f54ee16e648ba91f3e9c66af13ab3b1754c [16:18] jamesh: feels like we've been there already [16:30] jamesh: we were https://forum.snapcraft.io/t/snapped-app-not-loading-fonts-on-fedora-and-arch/12484/30 [16:31] mborzecki: weirdly, the fontconfig inside the platform snap is from before all the UUID nonsense. I would have thought that change effectively reverted to the old behaviour [16:32] mborzecki: thinking about it some more, the incompatibility is probably further back: it's just that the versions before that commit produce cache files the snap can't see [17:17] zyga: ok, I spent a lot of time on PR 8219 and I wasn't thinking about it correctly up above. please see my PR comments [17:17] PR #8219: interfaces: use udev backend if udev socket exists [17:19] jdstrand: ack, thank you [17:30] does the snap search cache get updated intermittently? [17:31] i search `flutter-gallery` and get no hits, but it installs fine [20:32] PR core20#26 opened: Disable emergency.target & debug-shell, unless kernel cmdline is dangerous