[06:05] <mborzecki> morning
[06:13] <mardy> 'morning!
[06:14] <mvo> good morning mardy
[06:31] <mborzecki> mardy: mvo: hello
[06:31] <mvo> mborzecki: good morning!
[06:31] <mborzecki> mvo: i've tweaked https://forum.snapcraft.io/t/extra-kernel-commandline-arguments-on-uc20/24370 a bit
[06:37] <mvo> mborzecki: awesome, thanks. if you feel it's ready I can publish
[06:39] <mborzecki> mvo: yeah, i think we can publish it, graham will still be able to tweak it as needed
[06:46] <mvo> mborzecki: excellent, I will do a final read and then publish
[06:49] <mborzecki> mvo: thanks! and thanks for starting with the doc
[06:49] <mvo> mborzecki: my pleasure
[06:59] <mvo> mborzecki: looks perfect, thanks for your edits, much clearer this way. I listed it now
[06:59] <mborzecki> mvo: yay, thanks!
[07:08] <pstolowski> morning
[07:14] <mvo> good morning pstolowski
[07:14] <mborzecki> pstolowski: hey
[07:25] <mup> PR snapd#10260 closed: secboot: switch encryption key size to 32 byte (thanks to Chris) <Needs Samuele review> <Run nested> <Squash-merge> <Created by mvo5> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/10260>
[07:35] <mup> PR snapd#10263 opened: interfaces: fix linter issues <Created by mardy> <https://github.com/snapcore/snapd/pull/10263>
[08:14] <pedronis> mborzecki: hi, how should I install golangci-lint to try it locally?
[08:28] <mborzecki> pedronis: you can grab it from here: https://github.com/golangci/golangci-lint/releases
[08:28] <mborzecki> or go get, whichever is more convenient
[08:43] <pedronis> mborzecki: I'm probably using it wrong but I'm quite confused by its output, there's a lot of typecheck errors which is not even a linter we list
[08:48] <mborzecki> pedronis: have you checked the PR? https://github.com/snapcore/snapd/pull/10082
[08:48] <mup> PR #10082: github: try out golangci-lint <Needs Samuele review> <Simple 😃> <Skip spread> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/10082>
[08:49] <pedronis> mborzecki: yes, I'm running it with ~/go/bin/golangci-lint run -c .golangci.yml
[08:49] <pedronis> from that PR
[08:49] <pedronis> maybe I don't even need the -c
[08:50] <pedronis> anyway the output doesn't seem useful, I expected testpackage problems but I don't see any, but I get typecheck problems
[08:50] <mborzecki> hm it should pick up the config from the repo
[08:50] <pedronis> I get the same with -c or without
[08:50] <mborzecki> pedronis: which packages it complains about?
[08:50] <mborzecki> (typecheck specifically)
[08:51] <pedronis> which version were you using?
[08:53] <pedronis> mborzecki: this is the output I'm getting,  https://paste.ubuntu.com/p/bY6cgdbqrx/ it's rather confusing/useless
[08:53] <mborzecki> pedronis: i have 1.39 built from source directly, let me try the latest master
[08:54] <pedronis> this is 1.40 binary I think
[08:54] <pedronis> golangci-lint has version 1.40.0 built from 5c6adb63 on 2021-05-10T10:45:21Z
[08:55] <pedronis> did they change the config ?
[08:56] <mborzecki> hm 1.40 seems to be working fine here
[08:57] <pedronis> anyway if I can't make it work I'm kind of -1 on it
[08:59] <pedronis> mborzecki: I'm on focal fwiw
[08:59] <mborzecki> pedronis: hm this is all i see it complaining about with current master: https://paste.ubuntu.com/p/sm6BdD9SB9/
[08:59] <pedronis> I get completely different errors
[09:00] <pedronis> did you use go get?
[09:00] <pedronis> as I said I grabbed the binary
[09:00] <mborzecki> pedronis: hm i think mardy is on focal too, but i don't expect it to be a factor here
[09:00] <mborzecki> pedronis: no it's a tarball from the releases page
[09:00] <pedronis> I think I got the same
[09:01] <pedronis> anyway if it's giving different outputs depending on the phase of the moon is not making me very happy
[09:02] <mborzecki> the way i run it is i'm inside the snapd source tree, and then just call `golangci-lint run`, the config file should be picked up automatically
[09:02] <pedronis> yea, I do that
[09:02] <pedronis> I get those other errors
[09:02] <pedronis> I get those errors also if I pass the config explicitly
[09:02] <mborzecki> can you run `golangci-lint run --verbose` ?
[09:03] <mborzecki> pedronis: this is what i get with --verbose: https://paste.ubuntu.com/p/jsfMJhNdRx/
[09:05] <pedronis> I get the same list of linters, but analyzers has output for example
[09:06] <pedronis> mborzecki: I get Issues before processing: 4033012, after processing: 53
[09:07] <RzR> ogra, hi i am back with my logs "the-tool[207]:  - assertion is signed with expired public key" , I need an RTC module
[09:07] <pedronis> mborzecki: very different:  https://paste.ubuntu.com/p/qhwgqZ8Rg2/
[09:08] <pedronis> mborzecki: ah, maybe I know what I'm doing wrong
[09:08] <mborzecki> pedronis: hm what is it?
[09:08] <pedronis> I might have the gopath set wrong, maybe
[09:09] <mborzecki> also got GO111MODULE=off, but not sure that changes anything either
[09:10] <mborzecki> fwiw i was overriding GOPATH, but the tool worked fine with that too
[09:11] <mborzecki> (though the go-pls version i used was unhappy about changing gopath)
[09:12] <mborzecki> pedronis: did you get it to work?
[09:20] <ogra> RzR, i think ijohnson added a fix for that, try the edge channel for image builds
[09:21] <RzR> ogra, I tried edge see my versions
[09:21] <RzR> https://forum.snapcraft.io/t/built-uc20-rasperry-pi-image-hangs-on-boot/23891/22?u=rzr
[09:22] <ogra> ah, sorry, haven't checked the forum in 1h or so 🙂
[09:23] <RzR> let me see if I have a RTC module if not I'll rebuild some snaps to update timestamps
[09:23] <pedronis> mborzecki: it worked, I'm not sure what to think about gosimple, it's both right and too naggy, also it's suggesting things that might be wrong if it gets its type analysis wrong
[09:25] <mborzecki> pedronis: the PR sets up the linter to only complain about new things, and the action adds notes rather than review comments, so not a hard fail
[09:28] <pedronis> mborzecki: that sounds annoying in its own ways
[09:28] <pedronis> I mean the added notes
[09:28] <pedronis> I struggle already sometimes with preexisting comments when doing reviews
[09:28] <mardy> pedronis, mborzecki: since running the linter takes ages, I always run it on one package at a time (for example, `golangci-lint run ./interfaces/`)
[09:29] <pedronis> mborzecki: we should probably run it without gosimple and testpackage, at least for a while, especially until we haven't switched to go1.13 everywhere
[09:29] <mborzecki> mardy: results should be cached between runs afaik
[09:34] <pedronis> mborzecki: fwiw it feels slow here too
[09:35] <mborzecki> pedronis: is it slower than running each linter separately though? :)
[09:36] <mborzecki> it probably takes a bit longer if you run it on the whole tree, i usually invoke it on the package(s) i modify in the branch
[09:36] <pedronis> mborzecki: anyway I left some comments in the PR
[09:37] <mborzecki> anyways, it's ~15s on the whole tree, vs ~3s after there's some cached data
[09:37] <mborzecki> pedronis: thanks, i'll take a look
[10:35] <RzR> ogra, maybe it also need https://github.com/snapcore/snapd/pull/10085
[10:35] <mup> PR #10085:  cmd/snap-bootstrap/initramfs-mounts: move time forward using assertion times (2.49) <Run nested> <Created by mvo5> <https://github.com/snapcore/snapd/pull/10085>
[10:35] <RzR> mvo, ^
[10:36] <RzR> well not sure i am using 2.50
[10:37] <RzR> sorry for noise, I need to dig deeper
[11:10] <pstolowski> pedronis: hi, i've updated the two refresh-control PRs you commented on yesterday
[11:10] <pedronis> pstolowski: I'll see if I can get back to them today
[11:10] <pedronis> that I also need 2nd reviews though
[11:10] <pedronis> thx
[11:13] <pstolowski> pedronis: i've also updated #10182 and set as ready to review although it probably makes no sense until phase1 is merged
[11:13] <mup> PR #10182: o/snapstate: autorefresh phase1 for refresh-control <Needs Samuele review> <Refresh control> <Created by stolowski> <https://github.com/snapcore/snapd/pull/10182>
[11:13] <mup> Bug #10182: Can not logout of gnome when xcompmgr is running <gnome-panel (Ubuntu):Invalid by fabbione> <https://launchpad.net/bugs/10182>
[11:21] <mup> PR snapd#10252 closed: boot: reseal given keys when the respective boot chain has changed <Needs Samuele review> <Run nested> <Created by bboozzoo> <Merged by bboozzoo> <https://github.com/snapcore/snapd/pull/10252>
[11:34] <mborzecki> pedronis: regarding https://github.com/snapcore/snapd/pull/10253#discussion_r630320902 i'm not sure we should also blindly add a system to current list, maybe it's better to error out in such case?
[11:34] <mup> PR #10253: boot: helpers for manipulating current and good recovery systems list <Run nested> <⛔ Blocked> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/10253>
[11:35] <mborzecki> (also pushed master there, so the diff is smaller)
[11:42] <pedronis> mborzecki: well, we need the various pieces we have to fit together, the issue that we need to be careful with is not to accumulate either tried systems at the end of the list
[11:44] <pedronis> mborzecki: should we chat on this after the standup?
[11:45] <mborzecki> pedronis: hm can we try 1430 maybe? i need to leave at 4 and drop the kids off at school for their training
[11:45] <pedronis> mborzecki: I have another meeting at 14:30
[11:46] <mborzecki> pedronis: ah, ok, let's stay after standup then, we usually make it in half an hour so there should be enough time after
[11:46] <pedronis> thx
[11:50] <mardy> I noticed that we are not setting the NoNewPrivileges flag in snap-confine, because (as it's written in the comments) it breaks some snaps
[11:50] <mardy> do we have some bugs in launchpad to track this?
[11:50] <zyga> mardy no, because there is no point in no new privs there
[11:50] <zyga> snap-confine is a launcher
[11:51] <zyga> IIRC having that would block the launched program from doing what it may genuinely want to do
[11:51] <mup> PR snapd#10227 opened: test read the file from spread <Created by sergiocazzolato> <https://github.com/snapcore/snapd/pull/10227>
[11:51] <mardy> zyga: mmm... maybe that would not be the right place, but I grepped for NO_NEW_PRIV in the snapd source tree, and there's no place where it's set
[11:52] <zyga> right but why do you want to have it?
[11:53] <mardy> zyga: to make sure that a process running in a snap cannot break outside of its confinement
[11:53] <mardy> I just wrote a comment about it in https://github.com/snapcore/snapd/pull/8926, please let me know if I'm not getting the story right :-)
[11:53] <mup> PR #8926: interfaces: add microstack-support interface <Needs security review> <Created by dshcherb> <https://github.com/snapcore/snapd/pull/8926>
[12:08] <zyga> mardy your assumption is wrong, basically
[12:08] <zyga> mardy I'm away from snapd development so I won't give you a full explanation now
[12:08] <zyga> but the assumption that permissions are only reduced is incorrect
[12:08] <zyga> there's a bounding box
[12:08] <zyga> but transitions are possible within it
[12:09] <mardy> zyga: but that's a bug, right?
[12:09] <zyga> no
[12:10] <mardy> I mean, in apparmor
[12:10] <mardy> if one sets the NO_NEW_PRIVILEGES flag, one should expect that any child process won't have more permissions than the process that this flag was applied to
[12:21] <mup> PR snapd#10227 closed: test read the file from spread <Created by sergiocazzolato> <Closed by sergiocazzolato> <https://github.com/snapcore/snapd/pull/10227>
[12:30] <mborzecki> ehh mocking is fun `revision 0 is already the current revision`
[12:36] <zyga> mardy I'm really not able to answer in detail beyond "that is not the goal", snap-confine is the entry point to the sandbox that is defined by snapd, and it can be as broad as required
[12:36] <zyga> mardy including not confined at all
[12:36] <zyga> it all plays with the fact that some interfaces are privileged and you cannot just use them
[12:36] <zyga> (at will that is)
[12:44] <jdstrand> mardy and zyga (see amurray): hey, I can't get into this now, but I added a comment to the PR. summary> nnp and apparmor haven't historically played well together, but that's ok wrt to snap interface policy since we have different types of interfaces that can be mediated via snap declarations (again, see the comment)
[14:01] <ijohnson> cachio: hey does this error message mean that core-initrd needs to change the spread URL it is using for spread tests ? https://travis-ci.org/github/snapcore/core-initrd/builds/770716802
[14:02] <cachio> yes
[14:02] <cachio> ijohnson, we should use the one I pasted in the notes
[14:02] <ijohnson> cachio: do you have time to propose a PR to core-initrd fixing the problem ?
[14:02] <cachio> ijohnson, sure
[14:02] <ijohnson> cachio: awesome thank you
[14:03] <ijohnson> the repo is https://github.com/snapcore/core-initrd/blob/main/spread.yaml
[14:06] <mup> PR snapd#10248 closed: tests: adding support for debian 10 on gce <Simple 😃> <Created by sergiocazzolato> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/10248>
[14:10] <cachio> ijohnson, there is a problem
[14:10] <cachio> we need to move to github actions
[14:10] <ijohnson> cachio: what's the problem
[14:10] <ijohnson> cachio: yeah I have known about that, do we need to do it in order to fix their spread tests though ?
[14:11] <cachio> otherwise no way to use the gce sa key
[14:12] <ijohnson> cachio can you work with xnox to move them to GitHub actions then?
[14:12] <ijohnson> Or sil2100 if xnox is not working on core-initrd anymore
[14:39] <mardy> jdstrand, zyga: thanks, it's way more clear now :-)
[14:46] <mup> PR snapd#10264 opened: config: add "virtual" config via config.RegisterVirtualConfig <Created by mvo5> <https://github.com/snapcore/snapd/pull/10264>
[14:54] <xnox> cachio:  ijohnson: move to github actions would be welcomed. I thought at the time it was easier to do travis, hence that's what was done then.
[14:54] <ijohnson> yeah at the time it was easier to do travis but times have changed
[14:55] <ijohnson> sorry in a meeting right now, but will setup a private chat about migration in a little bit
[15:34] <RzR> hi I've found a minor mistake in
[15:34] <RzR> https://github.com/kubiko/roseapple-pi-ubuntuCore-build/pull/1
[15:34] <mup> PR kubiko/roseapple-pi-ubuntuCore-build#1: docs: Append gcc to PATH env var <Created by rzr> <https://github.com/kubiko/roseapple-pi-ubuntuCore-build/pull/1>
[16:07]  * cachio lunch
[16:45] <pedronis> mborzecki: I left some comments/questions in the tasks PR
[17:30] <mborzecki> pedronis: thanks!