[01:00] <mup> PR snapcraft#3662 closed: tests: update spread url <Created by mr-cal> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/3662>
[01:00] <mup> PR snapcraft#3663 closed: tests: update spread url <Created by mr-cal> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/3663>
[01:00] <mup> PR snapcraft#3665 opened: kde extension: new content snap for core20 <Created by sergiusens> <https://github.com/snapcore/snapcraft/pull/3665>
[04:24] <mwhudson> should i expect snap-preseed to work on a rootfs from a different architecture?
[06:26] <mup> PR snapd#11509 opened: tests/lib/fakestore/store: return snap base in details <Simple 😃> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/11509>
[06:27] <mborzecki> morning
[06:30] <mardy> hi!
[06:41] <mup> PR snapd#11510 opened: dirs: remove unused SnapMetaDir variable <Simple 😃> <Skip spread> <Created by mardy> <https://github.com/snapcore/snapd/pull/11510>
[07:27] <mup> PR snapd#11507 closed: overlord: extend single reboot test to include a non-base, non-kernel snap <Squash-merge> <Simple 😃> <Skip spread> <Created by bboozzoo> <Merged by bboozzoo> <https://github.com/snapcore/snapd/pull/11507>
[07:43] <mborzecki> wow github can re run failed jobs only now
[08:10] <pstolowski> morning
[08:22] <mup> PR snapd#11511 opened: many: replace use of "sanity" with more inclusive naming (part 2) <Simple 😃> <Skip spread> <:heart: Inclusive language> <Created by mvo5> <https://github.com/snapcore/snapd/pull/11511>
[09:47] <mup> PR snapd#11510 closed: dirs: remove unused SnapMetaDir variable <Simple 😃> <Skip spread> <Created by mardy> <Merged by MiguelPires> <https://github.com/snapcore/snapd/pull/11510>
[09:59] <zyga[m]> mwhudson: go 1.18 is out :)
[09:59] <mwhudson> zyga[m]: it's in 1.18/candidate!
[10:00] <mwhudson> but i should promote it
[10:02] <mwhudson> i wonder why https://launchpad.net/~go-snap-maintainers/+snap/go118-core18 is not getting pushed to the store
[10:02] <mwhudson> zyga[m]: ok it's in 1.18/stable now
[10:13] <zyga[m]> mwhudson: 
[10:13] <zyga[m]> mwhudson: woot, thank you so much for looking after the go snaps :)
[11:15] <mborzecki> meh the lxd jobs are failing on 20.04
[11:48] <mup> PR snapd#11506 closed: tests: fix test to avoid editing the test-snapd-tools snap.yaml file <Simple 😃> <Created by sergiocazzolato> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/11506>
[11:53] <mup> PR snapd#11470 closed: boot: support factory-reset when sealing and resealing <Run nested> <factory reset 🔌> <Created by bboozzoo> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/11470>
[13:20] <georgios> hi. i ve installed firefox and a message appeares in Details:
[13:21] <georgios> "This app has no constrains. it can access all your personal files and system resources"
[13:22] <georgios> basically i wanted the app version in order to constrain firefox as much as possible, so this is an epic fail... but why?
[13:23] <georgios> is there a way to troubleshoot it?
[13:38] <mardy> georgios: hi! What distribution are you using?
[13:39] <ogra> georgios, snaps use interfaces to access the world outside their confined space ... you can check which ones FF uses with "snap connections firefox" ... but as mardy points out it depends on the support of your distro wether full confinement can be used or not 
[13:41] <ogra> if your distro supports full confinement can be checked with "snap debug confinement" and "snap debug sandbox-features" ... if your distro supports full strict confinement you can use "snap disconnect firefox:<interface name>" to block certain access by disconnecting the interfaces
[13:52] <georgios> archlinux with apparmor. here's the tragedy https://paste.debian.net/1234603/
[14:04] <zyga[m]> amurray: I've filed https://bugs.launchpad.net/snapd/+bug/1965139 
[14:06] <mborzecki> georgios: so on arch there's dbus mediation, or apparmor fine grained socket mediation, iirc the rest is supported, still we'll show that confinement is not strict as not all the boxes can be checked
[14:20] <mvo> thanks zyga[m] !
[14:20] <zyga[m]> mvo: pleasure, I hope this can help
[14:21]  * mvo hugs zyga[m] 
[14:21] <mvo> zyga[m]: fwiw I would switch to your version in a hearbeat (looked at the code, very nice) - if only we could vendor things everywhere :/
[14:24] <zyga[m]> just copy it in
[14:24] <zyga[m]> I've made it REUSE compliant for a reason
[14:24] <zyga[m]> super easy copyright handling
[14:24] <zyga[m]> or revert to old approach 
[14:24]  * zyga[m] is super light on details on purpose
[14:27] <georgios> so what does mediation mean, and how could i change that to a mode where confinement is the maximum snapd can offer?
[14:28] <zyga[m]> georgios: a way for the kernel to control delivery of dbus communication
[14:28] <zyga[m]> georgios: you would have to use a kernel with an extra patch that adds this feature
[14:29] <zyga[m]> georgios: snapd relies on this feature to control if two processes can communicate with dbus messages
[14:30] <zyga[m]> georgios: this allows a confined application to be denied communication with system or session services to bypass the sandbox and gain permissions that would otherwise be similar to an unconfined classic application that can do everything with the full permissions of the running user
[15:49] <mup> PR snapd#11512 opened: cmd/snap-bootstrap: support booting into factory-reset mode <Run nested> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/11512>
[16:24] <mup> PR snapd#11513 opened: .github: run woke tool on PR's  <Skip spread> <Created by anonymouse64> <https://github.com/snapcore/snapd/pull/11513>
[16:54] <mup> PR snapd#11514 opened: o/devicestate: write preseed-export.json when preseeding <Preseeding 🍞> <Created by stolowski> <https://github.com/snapcore/snapd/pull/11514>
[16:55] <georgios> zyga[m]: thanks a lot for the valuable information. but this leaves me with a question. this dbus-mediation should be secured by the kernel itself while know it is just a userspace daemon? also, why apparmor mediation isn't capable of applying the correct restrictions?
[17:37] <zyga[m]> I am afk, I can respond tomorrow if you stick around.
[20:38] <georgios> ok zyga[m]. i can patch my kernel but this is an interesting topic anyway
[22:32] <zyga[m]> georgios: there are several approaches, some people think that userspace filtering based on dbus proxy is better, some think that it should be handled by the kernel LSM modules. I think both have valid points. The rest is just history.
[22:32] <zyga[m]> georgios: the problem is that this patch is out of tree and it's been this way for years due to complex changes around apparmor and networking that I don't fully follow
[22:37] <amurray> zyga[m]: thanks for the heaps up, I'll take a look
[22:49] <zyga[m]> Sure
[22:49] <zyga[m]> I don't think it is very serious but it might be for core20