[01:11] how do i compile snapd for a distro that doesn't have snap support?
=== mup_ is now known as mup
[06:32] PR snapd#9538 closed: o/snapstate/catalogrefresh.go: don't refresh catalog in install mode uc20
=== zyga_ is now known as zyga
[06:56] jamesh, o/
[06:56] thank you for the review
[06:56] amurray, jamesh: I would like to understand the status of .ICE-unix directory in the x11 interface
[06:57] currently the ICE sockets are a part of the interface
[06:57] should we change that?
[06:58] zyga: I would be in favour of removing them entirely
[07:02] if amurray agrees we should just do it
[07:02] I added ICE directory after your message on mattermost the other day
[07:03] My message there was more about reasons why we might _not_ want to include it
[07:03] morning
[07:03] :D
[07:03] my mistake then
[07:03] zyga: hey
[07:03] hey mborzecki
[07:04] zyga: heh, one kid at school, the other at home :/
[07:04] zyga: see the "*Command" properties a client can set in https://www.x.org/releases/X11R7.7/doc/libSM/xsmp.html#Predefined_Properties
[07:05] in the default configuration, gnome-session does not try to save and restore sessions. That limits the potential damage
[07:06] good morning mborzecki and zyga and jamesh
[07:06] good morning mvo
[07:07] jamesh, some of the messages have funny names
[07:07] mvo: jamesh: hey
[07:07] hi mvo, mborzecki
[07:09] zyga: in short: when the session manager asks the app to "save yourself" before the session ends, the app should save its state somewhere and set an argv to restart the app with that state, and an argv to discard the state.
[07:17] * zyga is sleepy
[07:21] I'll make one more coffee, check on the kids e-school and remove ICE-unix from the patch
[07:23] zyga jamesh: I am in favour of ensuring that all interfaces follow the principle of least-privilege and hence present the minimum attack surface possible - so if /tmp/.ICE-unix is not generally necessary then I say it should not be included until a compelling use-case exists for it
[07:23] I am not super familiar with why it exists in the first place but am currently trying to become more familiar with it so I can make a more informed comment but for now I would remove it
[07:47] re
[07:47] amurray, it's because we include the X abstraction
[07:47] and it was simply there
[07:50] zyga: I expect we include the X abstraction for convenience - and since we currently don't expose the host /tmp/.ICE-unix to the snap it isn't a problem - but if now we bind in the real one then we are providing more APIs to the snaps than was previously available when all we exposed was the abstract socket
[07:58] amurray, isn't ICE also available over an abstract socket?
[07:58] * zyga checks
[07:58] fortunately there is also the ICE authority file
[07:59] u_str ESTAB 0 0 @/tmp/.ICE-unix/3052 72631 * 56991
[07:59] it seems we also have the abstract socket
[08:00] hmmm that may be problematic... (out of interest where are you looking to see that?)
[08:01] amurray, I used ss -x to see sockets
[08:02] and I looked at /etc/apparmor.d/abstractions/X for the permissions
[08:02] so we do seem to grant that
[08:02] (feels like CVE)
[08:02] we can ask the session to run whatever we want on "restore"
[08:02] limited in scope as we seem to not support that part in practice anymore
[08:03] yup.... well all it takes is a session manager to exist on the host which does support it...
[08:03] yes
[08:04] amurray, I can follow up with that
[08:04] er
[08:04] sorry
[08:04] I was thinking about something
[08:04] I can follow up with removal of ICE permissions
[08:05] zyga: (you mean for this PR or for snapd in general with the abstract socket?)
[08:05] in a separate PR, change x11 to deny ICE sockets
[08:05] over abstract namespace
[08:06] morning
[08:06] zyga: thanks... I think we should do an LP bug for it as well and we can explore the security impact in that
[08:06] amurray, I'll file one shortly
[08:07] zyga: thanks
[08:07] thank you guys!
[08:09] pstolowski: good morning
[08:09] pstolowski: 9522 has a conflict now
[08:10] pstolowski: also one comment there from zyga that is probably worth exploring
[08:10] mvo: ok, looking
[08:11] pstolowski: thank you!
[08:11] mvo: oh yes, the warnings, will do
[08:11] pstolowski: just to clarify, not urgent, just noticing while going over the state-of-things :)
[08:11] (and a nice improvement)
[08:15] zyga: one quick question - it looks like this creates a new shared writable space for snaps to 'collaborate' (ie they could directly drop files at /tmp/.X11-unix) - could we instead make /tmp/X11-unix read-only and only give rw to /tmp/X11-unix/X[0-9]+ instead?
[08:16] I've updated https://github.com/snapcore/snapd/pull/9530
[08:16] PR #9530: interfaces: share /tmp/.X11-unix/ from host or provider <⚠ Critical>
[08:17] amurray, the bind mount is read only
[08:17] so it can only be a one way comms space (server to client)
[08:17] I think we can lock it down though, that's not a bad idea :)
[08:17] hmm
[08:18] actuall
[08:18] actually*
[08:18] this doesn't give any more permissions than before
[08:18] oh I thought I saw rw, there - I am still planning to take a closer look but that will have to wait till tomorrow, it's getting to dinner time
[08:18] the rw, perm is for snap-update-ns
[08:18] not for snaps
[08:19] ahh I see - we give it rw, perms but the actual mount is done ro - gotch
[08:19] *gotcha
[08:19] yeah, snap-update-ns needs to create the directory
[08:19] but apps won't have any more permissions
[08:27] amurray, jamesh: https://bugs.launchpad.net/snapd/+bug/1901489
[08:31] anyone seen this on master? https://paste.ubuntu.com/p/q4Z2hdkKhX/
[08:35] mborzecki: I have not, that's strange
[08:35] huh?
[08:35] what's the difference?
[08:35] ah
[08:35] one hour
[08:36] mborzecki, I know
[08:36] mborzecki, daylight saving time
[08:36] :D
[08:36] what else!
[08:36] haha, so the test will fail for half a year? :P
[08:36] yep
[08:36] ehh
[08:36] lol
[08:38] PR snapd#9542 opened: interfaces: deny connected x11 plugs access to ICE <⚠ Critical>
[08:38] mvo, https://github.com/snapcore/snapd/pull/9542
[08:38] PR #9542: interfaces: deny connected x11 plugs access to ICE <⚠ Critical>
[08:42] zyga: just saw it
[08:42] what's the regression potential for that?
[08:44] heh, so test mocks a snapshot with date one month in the past, ofc crossing daylight saving change
[08:45] so in march we'll have 29d23h i guess
[08:46] zyga: 9446 is in ! iirc you had some followups lined up, those are ready now
[08:48] PR snapd#9446 closed: overlord,usersession: initial notifications of pending refreshes
[08:48] PR snapd#9531 closed: tests: add a unit test for UpdateMany where a single snap fails
[08:50] * zyga-mbp changed hosts
[08:58] PR snapd#9543 opened: cmd/snap: do not hardcode snapshot age value
[09:02] mvo: zyga: ^^
[09:04] mborzecki: \o/
[09:05] mvo: force pushed a little tweak that lists possible formatted values
[09:07] mvo: updated
[09:08] mvo: not sure if you saw it, but i posted the final conclusion re preseeding failure to the preseed channel
[09:10] * mvo is in a meeting fwiw
[09:17] pstolowski: oh, nice! did not see that, will check after the meeting
[09:51] pstolowski: final conclusion on pre-seeding failure was that there is no snapd deb in the chroot, is that right?
[09:53] mborzecki, looking
[09:53] mvo, thanks, I'll open the follow ups in a moment
[09:54] mborzecki, fun stuff
[09:54] +1
[09:54] amurray, jamesh: could you please review https://github.com/snapcore/snapd/pull/9542
[09:54] PR #9542: interfaces: deny connected x11 plugs access to ICE <⚠ Critical>
[09:56] mvo, first follow-up: https://github.com/snapcore/snapd/pull/9544
[09:56] PR #9544: overlord/snapstate: stop warning about inhibited refreshes
[09:56] zyga: \o/
[09:57] I have the next one waiting to open as well, it does some of the things you asked for as well
[09:58] mvo: yes
[09:58] PR snapd#9543 closed: cmd/snap: do not hardcode snapshot age value
[09:58] PR snapd#9544 opened: overlord/snapstate: stop warning about inhibited refreshes
[09:59] pstolowski: ta
[10:03] PR snapd#9545 opened: devicestate: keep log from install-mode on installed system
[10:11] everyone: please follow edge and enable refresh app awareness!
[10:11] zyga: I left a comment: I think the chance of regression is practically zero, since it looks like XSMP access would have started breaking in Ubuntu 19.10
[10:11] jamesh, that's great news
[10:11] jamesh, I suspect xfce may support this but I didn't check yet
[10:11] jamesh, but for actual app regressions, I think we are safe
[10:27] PR snapcraft#3337 opened: cli,plugins: assume that core22 base wants v2 plugins
[10:52] * mvo needs to run some errands, bbiab
[11:01] Is there a way to set TMPDIR for snapd during build time ? We are running snapd on Poky (yocto), on that system /var/log and /var/tmp are symlinks to a tmpfs mount point.
[11:02] So I guess we need to configure point snapd to an alternate location ?
[11:02] related topic https://forum.snapcraft.io/t/yocto-snaps-wont-start-after-compiling-snapd-with-strict-confinement/20728/2
[11:03] @zyga Hey! what are your thoughts on that ?
[11:03] re
[11:04] hmmm
[11:04] build time changes are not great IMO
[11:04] could we just teach snap-confine (because I assume that is where it matters) to handle this case?
[11:05] I'm -1 on new build time change and +1 on a runtime detection
[11:05] couldn't you just set an environment var in the systemd unit ?
[11:05] or won't that trickle down to subsequent commands (i.e. snap-confine)
[11:05] ogra, snap-confine re-sets some of that
[11:05] ah, i feared that 🙂
[11:06] but for good reason
[11:06] @zyga yeah, I guess that could help, should be able to cherry pick any patch that comes up
[11:06] yeah
[11:06] om26er, is /tmp a real directory?
[11:06] yeah, /tmp is realy
[11:07] one sec
[11:07] let me finish something
[11:07] then we can talk
[11:08] OTH: getting snapd running with strict confinement wasn't really difficult, thanks to @ogra for pointing us to three kernel patches ;-)
[11:08] @zyga, sure sounds good
[11:08] 🙂
[11:10] pedronis, https://github.com/snapcore/snapd/pull/9546
[11:10] PR #9546: overlord: add inert export manager
[11:10] this adds an inert export manager
[11:11] it's still close to 2200 lines but that's one reviewable chunk
[11:11] om26er, let me read that thread
[11:13] PR snapd#9546 opened: overlord: add inert export manager
[11:16] om26er, replied in the thread
[11:21] * zyga posted https://forum.snapcraft.io/t/stepping-down-from-snapd-development/20754
[11:26] ... value *errors.errorString = &errors.errorString{s:"cannot sign assertion: bad GPG produced signature: it does not verify: openpgp: invalid signature: RSA verification failure"} ("cannot sign assertion: bad GPG produced signature: it does not verify: openpgp: invalid signature: RSA verification failure")
[11:26] hmmmm
[11:26] I'd love to find out what is going on there
[11:39] damn, snap-bootstrap test suite is a pita to work with
[11:48] zyga: it happens very rarely from time to time, nobody had time to dig
[11:48] so far
[11:49] pedronis, yeah, I think the only hunch is that it happens in the azure hosted version of go
[11:50] * zyga afk for small errand
[11:52] PR snapcraft#3338 opened: Rename plugins keys
[12:07] * pstolowski lunch
[12:22] PR snapcraft#3335 closed: cli: remove spaces from progressive metrics
[12:47] zyga, hey
[12:47] do you have the tumbleweed cloud images?
[13:02] cachio: hey, do you have a moment for HO?
[13:02] yes
[13:03] pstolowski, in the standup one?
[13:05] cachio: ok
[13:08] man why does eu have to one-up the us and have their daylight savings time 1 week sooner
[13:19] pstolowski: hi, I also answered here: https://github.com/snapcore/snapd/pull/9535#discussion_r511951623
[13:19] PR #9535: o/snapstate: generate snapd snap wrappers again after restart on refresh
[13:20] pedronis: hi, thanks
[13:20] ijohnson, if your country gives up its foot fetish for measuring distances and switches to celsius europe will switch to be in sync 😛
[13:20] cachio, re
[13:20] cachio, yeah, let me find the link
[13:21] zyga, tx
[13:21] ogra: haha I would be on board with that switch :-)
[13:23] ijohnson, that's it, we're moving to elbows
[13:24] let's disappoint everybody and go back to measuring things based on individual hands, consistency be damned
[13:24] cachio, try https://software.opensuse.org/distributions/tumbleweed and click on jeOS
[13:25] cachio, then kvm and xen
[13:27] zyga, got it, thanks
[13:27] need to run an errand, left a note in the standup docs, bbl
[13:35] pstolowski: I reviewed #9535, looks good but left some suggestions
[13:35] PR #9535: o/snapstate: generate snapd snap wrappers again after restart on refresh
[13:35] thanks
[14:24] PR snapd#9547 opened: Add `tmpfs-mount` interface
[14:26] mvo, cachio: https://www.digitalocean.com/blog/easily-transfer-snapshots-between-accounts/
[14:26] we can just snapshot the machine and pass it over
[14:26] that should be entirely effortless, just remove my ssh keys later
[14:31] ta
[14:39] onto those tests!
[14:48] PR snapcraft#3339 opened: tests: stub job to get autokpgtest for edge
[14:49] PR snapd#9544 closed: overlord/snapstate: stop warning about inhibited refreshes
[14:54] PR snapd#9548 opened: overlord/snapstate: refactor ihibitRefresh
[15:20] re
[15:22] mborzecki: could you join the uc20 status meeting quick ?
[15:22] ijohnson: sure, joining
[15:23] * cachio lunch
[16:02] PR core20#92 opened: Make the version number date-based
[16:30] PR snapd#9548 closed: overlord/snapstate: refactor ihibitRefresh
[16:34] * zyga walk
[16:53] Bug #1901575 opened: Option to disable compression on mounted snaps
[17:02] Bug #1901575 changed: Option to disable compression on mounted snaps
[17:05] Bug #1901575 opened: Option to disable compression on mounted snaps
[17:36] ijohnson: can you take a look at https://github.com/snapcore/snapd/pull/9528 ?
[17:36] PR #9528: cmd/snap-bootstrap: mount ubuntu-save during boot if present
[17:41] mborzecki sure will take a look this afternoon
[17:41] ijohnson: thanks!
[18:23] PR pc-amd64-gadget#51 closed: gadget: add ubuntu-save
[19:17] PR core20#92 closed: Make the version number date-based
[20:06] PR snapd#9549 opened: many: update to secboot v1 (part 1)
[20:11] PR snapd#9534 closed: many: update to secboot v1
[20:31] PR snapd#9550 opened: osutil/disks/mockdisk: panic if same mountpoint shows up again with diff opts
[20:57] * cachio afk
[22:34] PR snapcraft#3339 closed: tests: stub job to get autokpgtest for edge