/srv/irclogs.ubuntu.com/2020/10/26/#snappy.txt

RingtailedFoxhow do i compile snapd for a distro that doesn't have snap support?01:11
=== mup_ is now known as mup
mupPR snapd#9538 closed: o/snapstate/catalogrefresh.go: don't refresh catalog in install mode uc20 <Simple 😃> <UC20> <Created by anonymouse64> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/9538>06:32
=== zyga_ is now known as zyga
zygajamesh, o/06:56
zygathank you for the review06:56
zygaamurray, jamesh: I would like to understand the status of .ICE-unix directory in the x11 interface06:56
zygacurrently the ICE sockets are a part of the interface06:57
zygashould we change that?06:57
jameshzyga: I would be in favour of removing them entirely06:58
zygaif amurray agrees we should just do it07:02
zygaI added ICE directory after your message on mattermost the other day07:02
jameshMy message there was more about reasons why we might _not_ want to include it07:03
mborzeckimorning07:03
zyga:D07:03
zygamy mistake then07:03
mborzeckizyga: hey07:03
zygahey mborzecki07:03
mborzeckizyga: heh, one kid at school, the other at home :/07:04
jameshzyga: see the "*Command" properties a client can set in https://www.x.org/releases/X11R7.7/doc/libSM/xsmp.html#Predefined_Properties07:04
jameshin the default configuration, gnome-session does not try to save and restore sessions.  That limits the potential damage07:05
mvogood morning mborzecki and zyga and jamesh07:06
zygagood morning mvo07:06
zygajamesh, some of the messages have funny names07:07
mborzeckimvo: jamesh: hey07:07
jameshhi mvo, mborzecki07:07
jameshzyga: in short: when the session manager asks the app to "save yourself" before the session ends, the app should save its state somewhere and set an argv to restart the app with that state, and an argv to discard the state.07:09
* zyga is sleepy07:17
zygaI'll make one more coffee, check on the kids e-school and remove ICE-unix from the patch07:21
amurrayzyga jamesh: I am in favour of ensuring that all interfaces follow the principle of least-privilege and hence present the minimum attack surface possible - so if /tmp/.ICE-unix is not generally necessary then I say it should not be included until a compelling use-case exists for it07:23
amurrayI am not super familiar with why it exists in the first place but am currently trying to become more familiar with it so I can make a more informed comment but for now I would remove it07:23
zygare07:47
zygaamurray, it's because we include the X abstraction07:47
zygaand it was simply there07:47
amurrayzyga: I expect we include the X abstraction for convenience - and since we currently don't expose the host /tmp/.ICE-unix to the snap it isn't a problem - but if now we bind in the real one then we are providing more APIs to the snaps than was previously available when all we exposed was the abstract socket07:50
zygaamurray, isn't ICE also available over an abstract socket?07:58
* zyga checks07:58
zygafortunately there is also the ICE authority file07:58
zygau_str                            ESTAB                            0                                 0                                                                                                           @/tmp/.ICE-unix/3052 72631                                                                     * 5699107:59
zygait seems we also have the abstract socket07:59
amurrayhmmm that may be problematic... (out of interest where are you looking to see that?)08:00
zygaamurray, I used ss -x to see sockets08:01
zygaand I looked at /etc/apparmor.d/abstractions/X for the permissions08:02
zygaso we do seem to grant that08:02
zyga(feels like CVE)08:02
zygawe can ask the session to run whatever we want on "restore'08:02
zygalimited in scope as we seem to not support that part in practice anymore08:02
amurrayyup.... well all it takes is a session manager to exist on the host which does support it...08:03
zygayes08:03
zygaamurray, I can follow up with that08:04
zygaer08:04
zygasorry08:04
zygaI was thinking about something08:04
zygaI can follow up with removal of ICE permissions08:04
amurrayzyga: (you mean for this PR or for snapd in general with the abstract socket?)08:05
zygain a separate PR, change x11 to deny ICE sockets08:05
zygaover abstract namespace08:05
pstolowskimorning08:06
amurrayzyga: thanks... I think we should do an LP bug for it as well and we can explore the security impact in that08:06
zygaamurray, I'll file one shortly08:06
amurrayzyga: thanks08:07
zygathank you guys!08:07
mvopstolowski: good morning08:09
mvopstolowski: 9522 has a conflict now08:09
mvopstolowski: also one comment there from zyga that is probably worth exploring08:10
pstolowskimvo: ok, looking08:10
mvopstolowski: thank you!08:11
pstolowskimvo: oh yes, the warnings, will do08:11
mvopstolowski: just to clarify, not urgent, just noticing while going over the state-of-things :)08:11
mvo(and a nice improvement)08:11
amurrayzyga: one quick question - it looks like this creates a new shared writable space for snaps to 'collaborate' (ie they could directly drop files at /tmp/.X11-unix) - could we instead make /tmp/X11-unix read-only and only give rw to /tmp/X11-unix/X[0-9]+ instead?08:15
zygaI've updated https://github.com/snapcore/snapd/pull/953008:16
mupPR #9530: interfaces: share /tmp/.X11-unix/ from host or provider <Needs security review> <⚠ Critical> <Created by zyga> <https://github.com/snapcore/snapd/pull/9530>08:16
zygaamurray, the bind mount is read only08:17
zygaso it can only be a one way comms space (server to client)08:17
zygaI think we can lock it down though, that's not a bad idea :)08:17
zygahmm08:17
zygaactuall08:18
zygaactually*08:18
zygathis doesn't give any more permissions than before08:18
amurrayoh I thought I saw rw, there - I am still planning to take a closer look but that will have to wait till tomorrow, it's getting to dinner time08:18
zygathe rw, perm is for snap-update-ns08:18
zyganot for snaps08:18
amurrayahh I see - we give it rw, perms but the actual mount is done ro - gotch08:19
amurray*gotcha08:19
zygayeah, snap-update-ns needs to create the directory08:19
zygabut apps won't have any more permissions08:19
zygaamurray, jamesh: https://bugs.launchpad.net/snapd/+bug/190148908:27
mborzeckianyone seen this on master? https://paste.ubuntu.com/p/q4Z2hdkKhX/08:31
mvomborzecki: I have not, that's strange08:35
zygahuh?08:35
zygawhat's the difference?08:35
zygaah08:35
zygaone hour08:35
zygamborzecki, I know08:36
zygamborzecki, daylight saving time08:36
zyga:D08:36
zygawhat else!08:36
mborzeckihaha, so the test will fails for half a year? :P08:36
zygayep08:36
mborzeckiehh08:36
mvolol08:36
mupPR snapd#9542 opened: interfaces: deny connected x11 plugs access to ICE <Bug> <⚠ Critical> <Created by zyga> <https://github.com/snapcore/snapd/pull/9542>08:38
zygamvo, https://github.com/snapcore/snapd/pull/954208:38
mupPR #9542: interfaces: deny connected x11 plugs access to ICE <Bug> <⚠ Critical> <Created by zyga> <https://github.com/snapcore/snapd/pull/9542>08:38
mvozyga: just saw it08:42
pedroniswhat's the regresssion potential for that?08:42
mborzeckiheh, so test mocks a snapshot with date one month in the past, ofc crossing daylight saving change08:44
mborzeckiso in march we'll have 29d23h i guess08:45
mvozyga: 9446 is in ! iirc you had some followups lined up, those are ready now08:46
mupPR snapd#9446 closed: overlord,usersession: initial notifications of pending refreshes <Created by zyga> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/9446>08:48
mupPR snapd#9531 closed: tests: add a unit test for UpdateMany where a single snap fails <Created by stolowski> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/9531>08:48
* zyga-mbp changed hosts08:50
mupPR snapd#9543 opened: cmd/snap: do not hardcode snapshot age value <Simple 😃> <Skip spread> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/9543>08:58
mborzeckimvo: zyga: ^^09:02
mvomborzecki: \o/09:04
mborzeckimvo: force pushed a little tweak that lists possible formatted values09:05
pstolowskimvo: updated09:07
pstolowskimvo: not sure if you saw it, but i posted the final conclusion re presseeding failure to the preseed channel09:08
* mvo is in a meeting fwiw09:10
mvopstolowski: oh, nice! did not see that, will check after the meeting09:17
mvopstolowski: final conclusion on pre-seeding failure was that there is no snapd deb in the chroot, is that right?09:51
zygamborzecki, looking09:53
zygamvo, thanks, I'll open the follow ups in a moment09:53
zygamborzecki, fun stuff09:54
zyga+109:54
zygaamurray, jamesh: could you please review https://github.com/snapcore/snapd/pull/954209:54
mupPR #9542: interfaces: deny connected x11 plugs access to ICE <Bug> <⚠ Critical> <Created by zyga> <https://github.com/snapcore/snapd/pull/9542>09:54
zygamvo, first follow-up: https://github.com/snapcore/snapd/pull/954409:56
mupPR #9544: overlord/snapstate: stop warning about inhibited refreshes <Simple 😃> <Created by zyga> <https://github.com/snapcore/snapd/pull/9544>09:56
mvozyga: \o/09:56
zygaI have the next one waiting to open as well, it does some of the things you asked for as well09:57
pstolowskimvo: yes09:58
mupPR snapd#9543 closed: cmd/snap: do not hardcode snapshot age value <Simple 😃> <Skip spread> <Created by bboozzoo> <Merged by bboozzoo> <https://github.com/snapcore/snapd/pull/9543>09:58
mupPR snapd#9544 opened: overlord/snapstate: stop warning about inhibited refreshes <Simple 😃> <Created by zyga> <https://github.com/snapcore/snapd/pull/9544>09:58
mvopstolowski: ta09:59
mupPR snapd#9545 opened: devicestate: keep log from install-mode on installed system <Created by mvo5> <https://github.com/snapcore/snapd/pull/9545>10:03
zygaeveryone: please follow edge and enable refresh app awareness!10:11
jameshzyga: I left a comment: I think the chance of regression is practically zero, since it looks like XSMP access would have started breaking in Ubuntu 19.1010:11
zygajamesh, that's great news10:11
zygajamesh, I suspect xfce may support this but I didn't check yet10:11
zygajamesh, but for actual app regressions, I think we are safe10:11
mupPR snapcraft#3337 opened: cli,plugins: assume that core22 base wants v2 plugins <Created by xnox> <https://github.com/snapcore/snapcraft/pull/3337>10:27
* mvo needs to run some errands, bbiab10:52
om26erIs there a way to set TMPDIR for snapd during build time ? We are running snapd on Poky (yocto), on that system /var/log and /var/tmp are symlinks to a tmpfs mount point.11:01
om26erSo I guess we need to configure point snapd to an alternate location ?11:02
om26errelated topic https://forum.snapcraft.io/t/yocto-snaps-wont-start-after-compiling-snapd-with-strict-confinement/20728/211:02
om26er@zyga Hey! what are your thoughts on that ?11:03
zygare11:03
zygahmmm11:04
zygabuild time changes are not great IMO11:04
zygacould we just teach snap-confine (because I assume that is where it matters) to handle this case?11:04
zygaI'm -1 on new build time change and +1 on a runtime detection11:05
ogracouldnt you just set en environment var in the systemd unit ?11:05
ograor wont that trickle down to subsequent commands (i.e. snap-confine)11:05
zygaogra, snap-confine re-sets some of that11:05
ograah, i feared that 🙂11:05
zygabut for good reason11:06
om26er@zyga yeah, I guess that could help, should be able to cherry pick any patch that comes up11:06
ograyeah11:06
zygaom26er, is /tmp a real directory?11:06
om26eryeah, /tmp is realy11:06
zygaone sec11:07
zygalet me finish something11:07
zygathen we can talk11:07
om26erOTH: getting snapd running with strict confinement wasn't really difficult, thanks to @ogra for pointing us to three kernel patches ;-)11:08
om26er@zyga, sure sounds good11:08
ogra🙂11:08
zygapedronis, https://github.com/snapcore/snapd/pull/954611:10
mupPR #9546: overlord: add inert export manager <Created by zyga> <https://github.com/snapcore/snapd/pull/9546>11:10
zygathis adds an inert export manager11:10
zygait's still close to 2200 lines but that's one reviewable chunk11:11
zygaom26er, let me read that thread11:11
mupPR snapd#9546 opened: overlord: add inert export manager <Created by zyga> <https://github.com/snapcore/snapd/pull/9546>11:13
zygaom26er, replied in the thread11:16
* zyga posted https://forum.snapcraft.io/t/stepping-down-from-snapd-development/2075411:21
zyga... value *errors.errorString = &errors.errorString{s:"cannot sign assertion: bad GPG produced signature: it does not verify: openpgp: invalid signature: RSA verification failure"} ("cannot sign assertion: bad GPG produced signature: it does not verify: openpgp: invalid signature: RSA verification failure")11:26
zygahmmmm11:26
zygaI'd love to find out what is going on there11:26
mborzeckidamn, snap-bootstrap test suite is a pita to work with11:39
pedroniszyga: it happens very rarely from time to time, nobody had time to dig11:48
pedronisso far11:48
zygapedronis, yeah, I think the only hunch is that it happens in the azure hosted version of go11:49
* zyga afk for small errand11:50
mupPR snapcraft#3338 opened: Rename plugins keys <Created by xnox> <https://github.com/snapcore/snapcraft/pull/3338>11:52
* pstolowski lunch12:07
mupPR snapcraft#3335 closed: cli: remove spaces from progressive metrics <Created by sergiusens> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/3335>12:22
cachiozyga, hey12:47
cachiodo you have the tumbleweed cloud images?12:47
pstolowskicachio: hey, do you have a moment for HO?13:02
cachioyes13:02
cachiopstolowski, in the standup one?13:03
pstolowskicachio: ok13:05
ijohnsonman why does eu have to one-up the us and have their daylight savings time 1 week sooner13:08
pedronispstolowski: hi, I also answered here: https://github.com/snapcore/snapd/pull/9535#discussion_r51195162313:19
mupPR #9535: o/snapstate: generate snapd snap wrappers again after restart on refresh <Bug> <Needs Samuele review> <Created by stolowski> <https://github.com/snapcore/snapd/pull/9535>13:19
pstolowskipedronis: hi, thanks13:20
ograijohnson, if you country gives up its foot fetish for measuring distances and switches to celsius europe will switch to be in sync 😛13:20
zygacachio, re13:20
zygacachio, yeah, let me find the link13:20
cachiozyga, tx13:21
ijohnsonogra: haha I would be on board with that switch :-)13:21
zygaijohnson, that's it, we're moving to elbows13:23
ijohnsonlet's disappoint everybody and go back to measuring things based on individual hands, consistency be damned13:24
zygacachio, try https://software.opensuse.org/distributions/tumbleweed and click on jeOS13:24
zygacachio, then kvm and xen13:25
cachiozyga, got it, thanks13:27
mborzeckineed to run an errand, left a note in the standup docs, bbl13:27
pedronispstolowski: I reviewed #9535, looks good but left some suggestions13:35
mupPR #9535: o/snapstate: generate snapd snap wrappers again after restart on refresh <Bug> <Needs Samuele review> <Created by stolowski> <https://github.com/snapcore/snapd/pull/9535>13:35
pstolowskithanks13:35
mupPR snapd#9547 opened: Add `tmpfs-mount` interface <Created by fnordahl> <https://github.com/snapcore/snapd/pull/9547>14:24
zygamvo, cachio: https://www.digitalocean.com/blog/easily-transfer-snapshots-between-accounts/14:26
zygawe can just snapshot the machine and pass it over14:26
zygathat should be entirely effortless, just remove my ssh keys later14:26
mvota14:31
zygaonto those tests!14:39
mupPR snapcraft#3339 opened: tests: stub job to get autokpgtest for edge <Created by sergiusens> <https://github.com/snapcore/snapcraft/pull/3339>14:48
mupPR snapd#9544 closed: overlord/snapstate: stop warning about inhibited refreshes <Simple 😃> <Created by zyga> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/9544>14:49
mupPR snapd#9548 opened: overlord/snapstate: refactor ihibitRefresh <Created by zyga> <https://github.com/snapcore/snapd/pull/9548>14:54
mborzeckire15:20
ijohnsonmborzecki: could you join the uc20 status meeting quick ?15:22
mborzeckiijohnson: sure, joining15:22
* cachio lunch15:23
mupPR core20#92 opened: Make the version number date-based <Created by sil2100> <https://github.com/snapcore/core20/pull/92>16:02
mupPR snapd#9548 closed: overlord/snapstate: refactor ihibitRefresh <Created by zyga> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/9548>16:30
* zyga walk16:34
mupBug #1901575 opened: Option to disable compression on mounted snaps <Snappy:New> <https://launchpad.net/bugs/1901575>16:53
mupBug #1901575 changed: Option to disable compression on mounted snaps <Snappy:New> <https://launchpad.net/bugs/1901575>17:02
mupBug #1901575 opened: Option to disable compression on mounted snaps <Snappy:Triaged> <https://launchpad.net/bugs/1901575>17:05
mborzeckiijohnson:  can you take a look at https://github.com/snapcore/snapd/pull/9528 ?17:36
mupPR #9528: cmd/snap-bootstrap: mount ubuntu-save during boot if present <Run nested> <UC20> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/9528>17:36
ijohnsonmborzecki sure will take a look this afternoon17:41
mborzeckiijohnson: thanks!17:41
mupPR pc-amd64-gadget#51 closed: gadget: add ubuntu-save <question> <Created by bboozzoo> <Merged by xnox> <https://github.com/snapcore/pc-amd64-gadget/pull/51>18:23
mupPR core20#92 closed: Make the version number date-based <Created by sil2100> <Merged by xnox> <https://github.com/snapcore/core20/pull/92>19:17
mupPR snapd#9549 opened: many: update to secboot v1 (part 1) <UC20> <Created by cmatsuoka> <https://github.com/snapcore/snapd/pull/9549>20:06
mupPR snapd#9534 closed: many: update to secboot v1 <UC20> <Created by cmatsuoka> <Closed by cmatsuoka> <https://github.com/snapcore/snapd/pull/9534>20:11
mupPR snapd#9550 opened: osutil/disks/mockdisk: panic if same mountpoint shows up again with diff opts <Simple 😃> <Test Robustness> <Created by anonymouse64> <https://github.com/snapcore/snapd/pull/9550>20:31
* cachio afk20:57
mupPR snapcraft#3339 closed: tests: stub job to get autokpgtest for edge <Created by sergiusens> <Closed by sergiusens> <https://github.com/snapcore/snapcraft/pull/3339>22:34

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!