[03:01] <lotuspsychje> good morning
=== deepSleep is now known as Guest3622
[12:28] <lotuspsychje> !focal
[12:28] <ubottu> Ubuntu 20.04 (Focal Fossa) is the 32nd release of Ubuntu and an !LTS release. Download at https://releases.ubuntu.com/focal/ - Release notes at https://wiki.ubuntu.com/FocalFossa/ReleaseNotes
[12:29] <lotuspsychje> time flies!
[14:43] <lotuspsychje> wich rss streams you like Psi-Jack 
[14:43] <Psi-Jack> Cool. Many different channels.. :)
[14:44] <lotuspsychje> thats to keep #ubuntu free for support
[14:44] <Psi-Jack> lotuspsychje: Usually security news, tech news, news related to important things, upcoming things, etc, in eneral about the community/distro, in this case obviously Ubuntu-centric.
[14:44] <lotuspsychje> join #techrss if you like
[14:44] <lotuspsychje> we got a nice collection already
[14:45] <lotuspsychje> if we miss one, let me know :p
[14:45] <Psi-Jack> Hehe
[14:46] <Psi-Jack> I see no harm in looking. My Nexcloud News server is pretty solid, thankfully. Been moving a lot of things over to quite different approaches than I'm used to in the course of the past several months. People think I'm crazy, but I'm running Docker Swarm now, and I find that to be the most eggcellent thing I've worked with in a while.
[14:46] <Psi-Jack> .oO(and I've worked with a LOT!)
[15:08] <Psi-Jack> So I have a lingering thought in my mind in with regards to snaps, specifically. I can definitely say since the first time I tried snaps back when it was pretty early and new... It's definitely become an interesting concept for sure. The very fact it allows you to run things as-if natively installed, unlike Flatpak which requires the use of the
[15:08] <Psi-Jack> flatpak tool to run them. I'm using nvim from snap now to have a later version of neovim than is packaged in Ubuntu 24.04 repos.
[15:09] <Psi-Jack> With, however, when I was running Discord, and I started running literally JUST the Steam client, I noticed Discord was reporting like 4~5 different seemingly random processes, as if it wasn't being sandboxed, for one, and secondly, just weird names like I'd seen as if I'd run Discord unsandboxed entirely. Names like srt-bwrap, and
[15:09] <Psi-Jack> pressure-vessel-wrap, until finally after a few of these changing things, it stopped and cleared presence.
[15:11] <Psi-Jack> When I run the Discord flatpak, which I am now because of that.. None of this happens. Granted I have the access (and do so), to implement %t/discord-rpc-0 to point to app/com.discordapp.Discord/discord-ipc-0 so things using the socket can work. For steam presence, I use a service, steampresence.py which works fantastically and honors my insivible
[15:11] <Psi-Jack> status for privacy... But why isn't the snap Discord contained as I would expect?
[15:12] <ravage1> the discord snap uses standard confinement
[15:12] <ravage1> so it is contained within its allowed permissions
[15:14] <Psi-Jack> Standard... As opposed to what? It's been a while since I really utilized snaps and I now see there's things like "classic" which nvim used. I assume which is not really confined but usable like any standard installed deb package.
[15:14] <ravage1> the only other option is classic
[15:15] <Psi-Jack> Okay. So standard confinement, Discord app is allows to monitor processes? This seems a little abnormal to me. I know flatpaks are not, by default, allowed to just snoop on any processes outside of it's specific confined space, as such, Discords "auto" "Rich Presence" doesn't report random weird things like wine, srt-bwrap, pressure-vessel-wrap,
[15:15] <Psi-Jack> and all the various things I've personally witnessed it reporting. 
[15:16] <ravage1> monitoring processes is a permission
[15:16] <Psi-Jack> Yeah, and I noted Discord's perms were not set to allow that.
[15:16] <Psi-Jack> Hence my surprise it still somehow did..
[15:16] <ravage1> snap connections discord
[15:17] <ravage1> thats the permission it has on your system
[15:17] <ravage1> what those allow are in the snapcraft documentation
[15:17] <Psi-Jack> It's uninstalled from my desktop now, but I can re-install it to see.
[15:17] <ravage1> https://snapcraft.io/docs/interfaces
[15:17] <ravage1> mine has system-observe for example
[15:18] <ravage1> "system-observe allows system status information to be queried, effectively giving privileged read access to all processes on the system"
[15:20] <Psi-Jack> I see. Yes. I'm seeing system-observe in there on that connections list.
[15:21] <Psi-Jack> It's just in GNOME Settings->Apps->Discord, I noted "Read processes and system information" is not showing active.
[15:21] <Psi-Jack> Yet, connections shows system-observe. So this is kind of conflicting a bit. :/
[15:21] <ravage1> it is enabled here
[15:22] <Psi-Jack> Weird. I installed Discord, new, on my tabtop which is also running Ubuntu 24.04, the connection shows, but the option in Settings shows off.
[15:22] <ravage1> https://i.imgur.com/FtGyJA9.png
[15:24] <Psi-Jack> https://i.imgur.com/2Kq2EKP.png
[15:26] <Psi-Jack> So I'm confused. :)
[15:29] <ravage1> it is not connected
[15:29] <Psi-Jack> Even more a suspect reason why it's reporting on Steam..
[15:29] <ravage1> i have no idea how that works
[15:30] <Psi-Jack> heh.
[15:30] <ravage1> never had that enabled
[15:30] <Psi-Jack> Heh. But you do, according to your screenshot. :)
[15:30] <Psi-Jack> Or do you mean Rich Presence?
[15:30] <ravage1> the steam reporting i mean
[15:30] <ravage1> and i rarely use discord anyway
[15:30] <Psi-Jack> That's not steam doing it, though. That's Discord's "Automatic Rich Presence"
[15:31] <ravage1> i start it on demand sometimes
[15:31] <Psi-Jack> It's monitoring processes and somehow, the Discord snap is monitoring processes outside of confinement.
[15:31] <ravage1> you can did into every single permission if you want
[15:32] <ravage1> as i said i have no idea how that presence thing works
[15:33] <Psi-Jack> It's literally just monitoring processes, in this specific case. I know this because Discord running without any confinement at all, as in, a native binary package, it does the same thing. Its own process snooping for automated "Rich Presence" is quite intrusive and ignores any and all privacy and just reports things.
[15:33] <ravage1> i connected system-observe manally because in the past it reduces apparmor spam in my logs
[15:34] <Psi-Jack> heh
[15:36] <Psi-Jack> Yeah, Discord itself enables, by default, this process snooping "Rich Presence" automation, which reports on processes it sees running and even if it doesn't seem to have any real information about it, properly, it still reports it. So, Steam, it literally goes through a list of processes it sees as steam is starting up, First is srt-bwrap, then
[15:36] <Psi-Jack> another then pressure-vessel-wrap, then another, then another... then finally clears. 
[15:37] <Psi-Jack> I started up a game, and it reported the game's process as well. Though in "Rich Presence" it only had the game title. Normally it has a graphic representing the title as well. Since it was strictly monitoring proccesses, it didn't have that.
[15:37] <ravage1> steam sees all your processes of course
[15:37] <Psi-Jack> I'm not even talking about Steam itself. Steam's not even reporting this.
[15:38] <Psi-Jack> This is 100% Discord doing this.
[15:38] <ravage1> "So, Steam, it literally goes through a list of processes it sees .."
[15:38] <Psi-Jack> So, for Steam, Discord literally goes through...
[15:39] <Psi-Jack> My wording wasn't as clear, but hopefully that correction makes it more clear?
[15:41] <ravage1> listing processes seems to be allowed in general
[15:41] <ravage1> snap run --shell discord
[15:42] <ravage1> so you can test what that snap is allowed to do
[15:42] <ravage1> process list works
[15:42] <Psi-Jack> Wow. But... Why? LOL
[15:43] <ravage1> you would need to go through the other permissions in detail
[15:44] <ravage1> probably needed to make it work at all. maybe for desktop
[15:44] <ravage1> there is a snapcraft room on matrix. maybe also on IRC if you want to ask for details
[15:45] <Psi-Jack> Shouldn't Discord on Flatpak only gets processes within it's confinement. As observed by it's similar entry to the shell.
[15:45] <ravage1> i know nothing about flatpak
[15:45] <Psi-Jack> Literally, it cannot see user processes, system processes, just the processes running within the confinement cgroup of the flatpak.
[15:46] <Psi-Jack> I see no connection, in snap, for discord that should be granting it any kind of permission, at least from "connections". But again, I know little about snaps which is why I'm discussing it, and this actual concern for security.
[15:47] <ravage1> it seems to be a default permission 
[15:49] <ravage1> https://forum.snapcraft.io/t/visibility-of-processes-originating-from-other-snaps/703/7
[15:49] <ravage1> could not find anything more recent
[15:50] <ravage1> but feel free to dig though the forums
[15:50] <Psi-Jack> I will do so, and I found Snapcraft's matrix channel, so I'm digging more in there, as well.
[15:51] <ravage1> yep saw you there already
[16:15] <Psi-Jack> Hehe
=== madmax__ is now known as madmax
[20:43] <jeremy31> !package linux-generic-hwe-20.04 focal
[20:44] <ravage1> it is !info here i think 🙂
[20:46] <jeremy31> Most likely
[21:09] <oerheks> !info x
[21:09] <ubottu> Package x does not exist in noble
[21:10] <oerheks> elon 🤪