=== benfrancis6 is now known as benfrancis
=== benfrancis0 is now known as benfrancis
[06:22] morning
[06:57] PR snapd#11845 closed: tests/main/nfs-support: be robust against umount failures
[08:17] PR snapd#11834 closed: o/snapstate: exclude services from refresh app awareness hard running check
[09:18] PR snapd#11847 opened: tests/main/interfaces-browser-support: verify jupyter notebooks access
[11:23] PR snapd#11178 closed: tests: increase the memory on test minimal-smoke with secboot disabled
[11:28] PR snapd#11848 opened: tests: revert lxd change to support nested lxd launch
[13:13] PR snapd#11824 closed: interfaces/browser-support: allow editing of Jupyter notebooks in browsers
[13:13] PR snapd#11847 closed: tests/main/interfaces-browser-support: verify jupyter notebooks access
[14:33] PR snapcraft#3777 closed: parts: fix metadata extraction dirs
[17:33] I have a question about snaps. I have found online that snaps are immutable, but is there any protection for the rest of the machine? The reason I ask is I am trying to run a server service on Ubuntu Server and trying to see if it would be better to use a container or a snap for security reasons.
[17:34] or would it be best to write an apparmor profile for that service?
[20:40] tacomaster: hi! When you launch a snap, a container is created: not only does AppArmor confine the process, but we also use seccomp, cgroups, and mount namespaces to isolate the snap from the rest of the machine
[20:41] tacomaster: the more interface you connect in the snap, the more "holes" we drill in the container
[20:41] *interfaces
[21:13] tacomaster, adding to what mardy said, every single snap undergoes an automatic review during upload. There are interfaces that are harmless (like "audio-playback") when your snap connects them, and there are more privileged ones (i.e. "network-setup-control") ... snaps that use the higher privileged ones need to pass a manual review by the security team ... if you look at the "store-requests" category at forum.snapcraft.io you can find them all ...