[01:29] PR snapcraft#3619 closed: ci: switch snapcraft to edge in action-build
[02:29] PR snapd#11425 opened: tests/main/snap-run-devmode-classic: reinstall snapcraft to clean up
[04:25] PR snapd#11426 opened: Snap confine coverity fixes
[06:10] morning
[06:50] PR snapd#11427 opened: data/selinux: allow the snap command to run systemctl
[07:29] good morning :)
[08:04] morning
[08:49] mvo: here?
[08:55] zyga[m]: he is off this week
[08:55] oh, I see
[08:55] thanks
[10:31] PR snapd#11415 closed: gadget/update.go: add buildNewVolumeToDeviceMapping for existing devices
[10:36] PR snapd#11425 closed: tests/main/snap-run-devmode-classic: reinstall snapcraft to clean up
[10:47] PR snapd#11416 closed: data/env: more workarounds for even older fish shells, provide reasonable defaults
[10:52] PR snapd#11428 opened: data/env: cosmetic tweak for fish
[11:02] PR snapd#11429 opened: data/env: more workarounds for even older fish shells, provide reasonable defaults (2.54)
[11:07] PR snapd#11430 opened: cmd/snap-mgmt, packaging: trigger daemon reload after purging unit files
[12:40] abeato: hey, is https://github.com/snapcore/snapd/pull/11422 fixing the test failure on master/
[12:40] PR #11422: t/m/interfaces-network-manager: use different channel depending on system
[12:40] ?
[12:41] pstolowski, yes
[12:42] great
[12:59] heh go cache is fun
[14:04] zyga[m], seen this ? https://www.qualys.com/2022/02/17/cve-2021-44731/oh-snap-more-lemmings.txt
[14:06] yes
[14:06] quite some praise to the original programmer between the lines 🙂
[14:14] (in a call)
[14:17] back
[14:17] yeah, I the article was really nice
[14:18] indeed
[14:18] and nice team effort, that code would not be anything like it ended up being without the security team's review process
[14:23] zyga: we had all kinds of fun with that security release, we realized that some devmode snaps are relying on being able to call `snap run ...`, which we ended up breaking since snap-confine now refuses to run in the inherited devmode confinement, and on top of that we also realized that just pushing out the fix wasn't enough to really resolve it, since the old snapd and core snap revisions are left around and are not mounted nosuid, so the
[14:23] vulnerable suid snap-confines were left around and had to hack our way around that too
[14:42] oh, that's an interesting point
[14:43] old snap-confines are indeed around
[14:43] what did you end up doing for those?
[14:43] well for the security release because the 14 day window had already started we just hacked snapd to remove known vulnerable revisions when it was refreshed to a fixed revision (one time only)
[14:44] but we have ongoing patches to remount old snapd/core snaps as nosuid
[14:44] nice
[15:43] PR snapd#11205 closed: o/devicestate: pick system from seed systems/ for preseeding (1/N)
[15:43] PR snapd#11377 closed: asserts: add preseed assertion type
[17:03] PR snapd#11429 closed: data/env: more workarounds for even older fish shells, provide reasonable defaults (2.54)
[17:21] PR snapcraft#3649 closed: parts,repo: integrate package-repositories (CRAFT-847)
[17:26] PR snapcraft#3652 opened: parts: support for grammar parsing
[18:04] PR snapd#11422 closed: t/m/interfaces-network-manager: use different channel depending on system
[18:14] PR snapd#11431 opened: o/snapstate: add core22 migration logic
[19:36] PR snapcraft#3653 opened: tests: pass proper type to run for version
[21:16] PR snapcraft#3653 closed: tests: pass proper type to run for version
[22:46] PR snapcraft#3652 closed: parts: support for grammar parsing
[23:45] PR snapd#11423 closed: tests: skip boot loader check during testing preparation on s390x