mup | PR snapcraft#3918 opened: commands: add init option for git initialization <Created by atomcult> <https://github.com/snapcore/snapcraft/pull/3918> | 03:58 |
---|---|---|
=== eoli3n_ is now known as eoli3n | ||
LetoThe2nd | howdy there! i'm currently looking into how UC, and therefore the snap store are fit for on-prem, and possibly air-gapped operation. couldn't find any good information though. so 1) is it possible to build a custom UC image without network connectivity? 2) if regulations require hosting of my custom snaps, e.g. applications at a specific place, or even on-prem, is that possible? | 11:20 |
mup | PR snapd#12162 closed: boot: apply boot logic also for classic with modes boot snaps <Created by pedronis> <Merged by pedronis> <https://github.com/snapcore/snapd/pull/12162> | 11:36 |
mup | PR snapd#12166 closed: overlord: start turning restart into a full state manager <Created by pedronis> <Merged by pedronis> <https://github.com/snapcore/snapd/pull/12166> | 11:36 |
ogra | LetoThe2nd, the siging with the canonical key is mandatory and happens on upload ... so your snap needs to loop through the canonical store at least once ... for airgap there is a store proxy you can use and run in airgap mode ... you'd then download your snaps from the canonical store and push them to the proxy machine via ssh or usb stick | 11:43 |
ogra | LetoThe2nd, https://docs.ubuntu.com/snap-store-proxy/en/ | 11:43 |
ogra | *signing (heh, we do not require users to sing) | 11:44 |
ogra | you can always use local unsigned snaps for building UC images as long as you use a "dangerous" model assertion | 11:45 |
ogra | (indeed these snaps would never update) | 11:45 |
LetoThe2nd | ogra: singing users would be fun! | 12:17 |
* LetoThe2nd commences a moshpit | 12:17 | |
ogra | π | 12:17 |
LetoThe2nd | ogra: but what does store proxy mean then? | 12:18 |
ogra | well, it is a proxy running on-prem ... with the ability to run it air-gapped | 12:19 |
LetoThe2nd | e.g. a sneakernet-connected proxy? but that would be on-prem of the network that *receives* the snaps, not the one that *generates* them, right? | 12:20 |
ogra | right | 12:24 |
LetoThe2nd | understood, thanks! | 12:25 |
ogra | "generate" something you can do locally though ... | 12:25 |
LetoThe2nd | hm? | 12:25 |
ogra | (all snap uploads to the store are binary, already in squashfs image form) | 12:25 |
ogra | only the signing and security checking happens in the store | 12:26 |
ogra | (during upload, before being able to publish) | 12:26 |
LetoThe2nd | so i could generate air-gapped, technically, sneakernet out, and then upload+sign? | 12:26 |
ogra | well, upload to the global store to get the signature ... then download from the global store and push to your air gapped machine | 12:27 |
LetoThe2nd | i see | 12:27 |
LetoThe2nd | but as you mention "everything is binary", how do you provide license compliance? | 12:28 |
ogra | i.e. you need to loop once through the store to get a valid gpg signature with the canonical archive key | 12:28 |
ogra | by store policy/terms and conditions ... | 12:28 |
ogra | https://ubuntu.com/legal/terms-and-policies/snap-store-terms | 12:28 |
ogra | (point 6 i think) | 12:29 |
LetoThe2nd | uh huh. such legal, much read. | 12:29 |
ogra | (not much different to the apple or google/android stores) | 12:30 |
ogra | it boils down "up to you how you handle it, but everything has to be legal in the end" ) | 12:30 |
ogra | *down to | 12:30 |
LetoThe2nd | yeah. the more i look, the more it starts to feel like "an app store for iot devices". | 12:30 |
LetoThe2nd | (no insult meant) | 12:30 |
ogra | right, that is what it was originally | 12:31 |
LetoThe2nd | hehe | 12:31 |
ogra | but then it grew support for desktop apps too ... so it is after all more like the apple app store nowadays | 12:31 |
LetoThe2nd | slowly get it. | 12:32 |
LetoThe2nd | Hopefully final question for now then, how do I enable a new board? | 12:35 |
ogra | you need a gadget and kernel snap that support it ... then you create a model assertion that describes it and and that (and the snaps) to ubuntu-image | 12:37 |
ogra | *and hand that | 12:38 |
LetoThe2nd | ogra: what would the gadget and kernel snaps require? like, is it just a packaged u-boot and kernel in the end? | 12:38 |
ogra | the gadget carries bootloader, partitioning info and initial config data | 12:38 |
ogra | the kernel ... well, is a kernel and initrd that preferably support your hardware ... | 12:39 |
ogra | the model assertion is just a json file you sign | 12:39 |
LetoThe2nd | ogra: so again, without signing, no fun to be had? | 12:39 |
ogra | for local testing and development you can use unsigned snaps and a model assertion that declares the image as "dangerous" | 12:40 |
* LetoThe2nd cranks up Aerosmith's "Living on the edge" | 12:40 | |
ogra | the ubuntu-image command comes with a --snap option that takes a path to a local snap as option | 12:40 |
ogra | so you'd do something like "ubuntu-image snap --snap /path/tπgadget.snap --snap /path/tπkernel.snap model.assertion | 12:41 |
ogra | " | 12:41 |
ogra | bah !!!! | 12:41 |
ogra | silly emoji plugin | 12:41 |
LetoThe2nd | okay, i see. what if my hardware doesn't even support secure boot? or requires magic such as the imx'es HAB? | 12:42 |
ogra | (the wavy hand is "to" with a slash indeed) | 12:42 |
ogra | you don't have to use secboot at all | 12:42 |
LetoThe2nd | maybe you should plugout the emojis then :-) | 12:42 |
ogra | it is optional | 12:42 |
LetoThe2nd | k | 12:42 |
ogra | especially on ARM ou need optee support and such | 12:42 |
ogra | *you | 12:43 |
LetoThe2nd | well optee is not mandatory for secboot. | 12:43 |
ogra | it is i ubuntu core | 12:43 |
ogra | *in | 12:43 |
LetoThe2nd | ah that's what you mean. | 12:43 |
ogra | sigh ... need a new laptop ... kbd gives up | 12:43 |
ogra | on x86 TPM is a hard req for secboot ... on ARM it is optee | 12:44 |
* LetoThe2nd recommends a MBP, no kidding. | 12:44 | |
ogra | (TPM2 in fact) | 12:44 |
ogra | yeah, i was pondering an M2 ... but wanted to wait til there is a graphics driver | 12:44 |
ogra | (i want to run ubuntu natively in any case ... and it should work as daily driver ... i think the M1/2 are still not ready for that) | 12:45 |
LetoThe2nd | got a M1 Max here. Awesome machine, just a bit heavy. had a lenovo X1 nano before that, which was like wow. | 12:45 |
ogra | i had XPS13s for the last three laptops ... to support the team building them | 12:46 |
ogra | but the keyboard quality really degraded with each model ... | 12:47 |
LetoThe2nd | the laptop keyboard is ok-ish, but for daily i use a keyboardio atreus by now. | 12:48 |
ogra | well, i have a collection of self-built keyboards ... but when using the laptop in a comfy chair in the living room i don't really want an external kbd | 12:50 |
LetoThe2nd | depends. i just don't like to work in what people call "comfy chairs" | 12:51 |
LetoThe2nd | so only recently i thought about you once i joined #beagle again, nice to still see you around! | 12:51 |
ogra | same ! | 12:51 |
* ogra sadly has to go to a meeting now ... but i'll be back later | 12:52 | |
LetoThe2nd | same here. take care! | 12:52 |
ogra | you too ! | 12:52 |
mup | PR snapd#12168 opened: i/b/mount-control: add optional `/` to umount rules <Simple π> <Created by mardy> <https://github.com/snapcore/snapd/pull/12168> | 14:52 |
mup | PR snapd#12169 opened: i/b/fwupd: add more permissions <Created by valentindavid> <https://github.com/snapcore/snapd/pull/12169> | 14:57 |
mup | PR snapd#12170 opened: many: add stub services for prompting <Created by mardy> <https://github.com/snapcore/snapd/pull/12170> | 14:57 |
mup | PR snapd#12171 opened: tests: fix issues related to dbus session and localtime in uc18 <Created by sergiocazzolato> <https://github.com/snapcore/snapd/pull/12171> | 19:48 |