💾 Archived View for gemini.ctrl-c.club › ~phoebos › logs › kisslinux-2022-09-18.txt captured on 2024-02-05 at 10:36:13.


[2022-09-18T02:24:41Z] <ioraff> yeah, both look like good ideas
[2022-09-18T04:28:36Z] <testuser[m]1> Hi
[2022-09-18T04:32:05Z] <ioraff> hi
[2022-09-18T04:36:23Z] <noocsharp> hi
[2022-09-18T04:53:17Z] <virutalmachineus> hi
[2022-09-18T05:22:09Z] <testuser[m]1> illiliti: is there an alternative to bind mounting thousands of paths for a sandbox
[2022-09-18T05:27:17Z] <virutalmachineus> yes, static link
[2022-09-18T05:27:42Z] <ioraff> what?
[2022-09-18T05:27:43Z] <virutalmachineus> do you bubblewrap all your programs?
[2022-09-18T06:33:23Z] <wael[m]> bubblewrap the kernel
[2022-09-18T06:43:12Z] <virutalmachineus> kiss should package each program in bubblewrap
[2022-09-18T06:44:19Z] <wael[m]> open a PR and try to implement that
[2022-09-18T06:44:36Z] <wael[m]> fun fact: a proposal has been opened to sandbox builds
[2022-09-18T06:44:56Z] <wael[m]> but not programs themselves
[2022-09-18T06:48:18Z] <virutalmachineus> i bubblewrap most of my packages, I don't know how long it will take to bubblewrap the whole repository
[2022-09-18T06:48:49Z] <testuser[m]1> you don't need to bubblewrap anything that doesn't deal with stuff from the internet
[2022-09-18T06:49:36Z] <virutalmachineus> yeah you're right but, but some are easy to bubblewrap so i do it
[2022-09-18T06:49:45Z] <virutalmachineus> s/but//
[2022-09-18T13:51:06Z] <Ogromny> What's the best bin provider thing ? Snap ? Flatpak ? Appimage ?
[2022-09-18T13:51:47Z] <wael[m]> flatpak
[2022-09-18T13:53:11Z] <Ogromny> Ty
[2022-09-18T13:53:50Z] <Ogromny> is there any up to date repo with flatpak and its dependencies?
[2022-09-18T13:54:00Z] <Ogromny> dylan's repo is like 2 years old
[2022-09-18T13:55:14Z] <wael[m]> community
[2022-09-18T13:55:35Z] <wael[m]> https://github.com/kiss-community/community
[2022-09-18T13:57:06Z] <Ogromny> Oh yeah you're right I had forgotten to git pull it lol 
[2022-09-18T14:04:57Z] <wael[m]> did you not git pull for 2 years
[2022-09-18T14:15:58Z] <Beni> lmao
[2022-09-18T14:19:06Z] <Ogromny> wael[m]: nah but for like 2 weeks
[2022-09-18T14:22:09Z] <Beni> is there any repo with pulseaudio in it or do I install it myself
[2022-09-18T14:23:49Z] <wael[m]> you only need libsndfile and pulseaudio for pulseaudio
[2022-09-18T14:23:55Z] <wael[m]> i suggest you go with pipewire if you want audio
[2022-09-18T14:24:08Z] <wael[m]> pipewire is in community
[2022-09-18T14:24:28Z] <Beni> oh thanks
[2022-09-18T14:24:43Z] <Beni> never used pipewire, is there any special setup to do or does it just work?
[2022-09-18T14:24:49Z] <wael[m]> but if you want apps to have pulseaudio support you need the libraries
[2022-09-18T14:24:57Z] <wael[m]> tl;dr pipewire & pipewire-pulse &
[2022-09-18T14:25:09Z] <wael[m]> thats what i use and it works fine, you just need XDG_RUNTIME_DIR
[2022-09-18T14:25:16Z] <Beni> alright
[2022-09-18T14:25:20Z] <Beni> thanks
[2022-09-18T14:31:03Z] <Ogromny> Beni: I don't know what you use for your status bar, but if you use yambar, I've made a module for pipewire: https://codeberg.org/dnkl/yambar/pulls/224
[2022-09-18T14:38:13Z] <Beni> i'll keep that in mind
[2022-09-18T14:38:14Z] <rohan> yo
[2022-09-18T14:38:38Z] <rohan> someone have an asound.conf that works with HDMI???
[2022-09-18T14:39:50Z] <wael[m]> ~~alsa try to not make anything except set default devices challenge a headache~~
[2022-09-18T15:02:48Z] <testuser[m]1> I tried landlock with 70k files, it seems to work fine
[2022-09-18T15:03:09Z] <testuser[m]1> in .1 second
[2022-09-18T15:25:30Z] <illiliti> testuser[m]1: landlock
[2022-09-18T15:25:53Z] <testuser[m]1> What
[2022-09-18T15:27:44Z] <illiliti> nvm
[2022-09-18T15:47:10Z] <wael[m]> Whar
[2022-09-18T16:07:29Z] <illiliti> it's insane that zip/unzip needs such an amount of patches
[2022-09-18T16:31:27Z] <testuser[m]1> illiliti: p7zip implements both zip and unzip and doesn't need any patches
[2022-09-18T16:31:38Z] <testuser[m]1> But i don't think it has any common feature/flags other than zipping and unzipping
[2022-09-18T16:34:41Z] <illiliti> does it work with firefox?
[2022-09-18T16:35:03Z] <illiliti> tbh i still doubt that firefox needs zip/unzip
[2022-09-18T16:35:24Z] <testuser[m]1> I'm sure it needs zip
[2022-09-18T16:35:27Z] <testuser[m]1> for creating xpo
[2022-09-18T16:35:31Z] <testuser[m]1> I think unzip is useless
[2022-09-18T16:35:34Z] <testuser[m]1> Xpi
[2022-09-18T16:35:50Z] <testuser[m]1> illiliti: it'll work with anything if you just modify the flags and command
[2022-09-18T16:37:27Z] <illiliti> does it embed entire zip/unzip into itself at build time?
[2022-09-18T16:37:55Z] <testuser[m]1> Firefox?
[2022-09-18T16:37:56Z] <testuser[m]1> no
[2022-09-18T16:38:09Z] <illiliti> then i don't understand why it is "make" dependency
[2022-09-18T16:38:25Z] <testuser[m]1> For creating xpi
[2022-09-18T16:38:35Z] <testuser[m]1> Let me grep
[2022-09-18T16:40:04Z] <illiliti> can you run kiss-manifest firefox for me?
[2022-09-18T16:40:08Z] <illiliti> and post output
[2022-09-18T16:40:25Z] <testuser[m]1> im not at pc
[2022-09-18T16:40:42Z] <illiliti> ok
[2022-09-18T16:40:46Z] <illiliti> https://github.com/kiss-community/repo/blob/master/extra/firefox/build#L109-L113
[2022-09-18T16:44:24Z] <illiliti> ok, i checked
[2022-09-18T16:44:53Z] <illiliti> some xpis are still present
[2022-09-18T16:45:07Z] <illiliti> pictureinpicture@mozilla.org.xpi
[2022-09-18T16:45:15Z] <illiliti> formautofill@mozilla.org.xpi
[2022-09-18T16:45:19Z] <testuser[m]1> They're required
[2022-09-18T16:45:28Z] <illiliti> perhaps
[2022-09-18T16:45:31Z] <testuser[m]1> not basic but 
[2022-09-18T16:45:32Z] <testuser[m]1> for basic functionality
[2022-09-18T16:45:54Z] <testuser[m]1> I use pip 
[2022-09-18T16:45:59Z] <testuser[m]1> someone probably uses autofill
[2022-09-18T16:46:13Z] <testuser[m]1> That screenshots one should probably be added back as well
[2022-09-18T16:46:17Z] <testuser[m]1> The rest is junk i think
[2022-09-18T16:46:38Z] <illiliti> wait, what does firefox use to unpack them at runtime?
[2022-09-18T16:46:58Z] <illiliti> if unzip is "make" dep
[2022-09-18T16:52:59Z] <testuser[m]1> Some bundled library ig, but then they could make a binary of that at compile time for packing
[2022-09-18T16:55:45Z] <testuser[m]1> Can we go ahead with https://github.com/kiss-community/repo/issues/90#issuecomment-1249398812
[2022-09-18T17:15:43Z] <illiliti> i think yes
[2022-09-18T17:31:21Z] <illiliti> https://github.com/madler/zlib/tree/master/contrib/minizip
[2022-09-18T17:33:11Z] <illiliti> btw should we switch to zlib-ng?
[2022-09-18T17:33:20Z] <illiliti> or sortix libz
[2022-09-18T17:34:13Z] <illiliti> i'll create a proposal
[2022-09-18T17:35:34Z] <testuser[m]1> ng
[2022-09-18T17:36:15Z] <testuser[m]1> Sortix is dead
[2022-09-18T17:37:50Z] <testuser[m]1> ng is abi compatible?
[2022-09-18T17:41:23Z] <illiliti> no, sortix is alive
[2022-09-18T17:41:34Z] <illiliti> ng has compat mode
[2022-09-18T17:41:40Z] <illiliti> so yes
[2022-09-18T17:42:32Z] <testuser[m]1> illiliti: its shitlab is inactive
[2022-09-18T17:42:35Z] <testuser[m]1> Is there a fork of it
[2022-09-18T17:42:58Z] <illiliti> https://gitlab.com/sortix/sortix/-/commits/staging/
[2022-09-18T17:44:14Z] <illiliti> or you mean libz?
[2022-09-18T17:45:11Z] <testuser[m]1> I mean sortix libz
[2022-09-18T17:47:57Z] <illiliti> ah i see. i suspect it's stable and done, so no further development is needed
[2022-09-18T17:48:31Z] <testuser[m]1> but sekurity
[2022-09-18T17:48:36Z] <testuser[m]1> 5 years
[2022-09-18T17:50:08Z] <virutalmachineus> is sortix the future of kiss linux?
[2022-09-18T17:51:00Z] <testuser[m]1> Yes
[2022-09-18T17:51:15Z] <testuser[m]1> sorkixx
[2022-09-18T18:03:44Z] <ioraff> testuser[m]1: care to share that landlock code?
[2022-09-18T18:10:40Z] <illiliti> forget about zlib-ng
[2022-09-18T18:10:44Z] <testuser[m]1> ioraff: It's on pc
[2022-09-18T18:10:53Z] <testuser[m]1> I just adapted the kernel example
[2022-09-18T18:10:53Z] <illiliti> they use bashisms and gnuisms in the configure script
[2022-09-18T18:11:20Z] <testuser[m]1> we can patch that but does it even have any measurable difference from zlib
[2022-09-18T18:12:07Z] <testuser[m]1> Like it's of no use if the performance tweaks are just in the new APIs or whatever
[2022-09-18T18:12:11Z] <illiliti> it's supposed to have
[2022-09-18T18:12:22Z] <illiliti> SSSE, AVX stuff
[2022-09-18T18:12:29Z] <illiliti> should be faster at least
[2022-09-18T18:12:42Z] <testuser[m]1> ioraff: https://github.com/torvalds/linux/blob/master/samples/landlock/sandboxer.c
[2022-09-18T18:13:18Z] <testuser[m]1> Landlock can't restrict access() calls yet so I can see some issues cropping up with that
[2022-09-18T18:13:42Z] <illiliti> i can't even build it with tcc
[2022-09-18T18:13:47Z] <testuser[m]1> eg build system detects /usr/lib/libshit.so but later on it can't link cuz libshit.so can't even be opened
[2022-09-18T18:13:47Z] <illiliti> which is not a good sign
[2022-09-18T18:14:49Z] <illiliti> you must not use access() calls in the first place
[2022-09-18T18:15:00Z] <illiliti> because TOCTOU
[2022-09-18T18:15:38Z] <testuser[m]1> I'm talking about the build systems
[2022-09-18T18:16:00Z] <testuser[m]1> Isn't every build system broken then
[2022-09-18T18:17:07Z] <illiliti> if they use open() and then fstat(), then nothing shall break
[2022-09-18T18:20:21Z] <testuser[m]1> What about plain stat without open() and fstat
[2022-09-18T18:20:43Z] <testuser[m]1> chdir(2), truncate(2), stat(2), flock(2), chmod(2), chown(2), setxattr(2), utime(2), ioctl(2), fcntl(2), access(2)
[2022-09-18T18:23:18Z] <illiliti> i see
[2022-09-18T18:23:47Z] <illiliti> it's a problem yeah
[2022-09-18T18:27:28Z] <testuser[m]1> Ill check user namespaces approach too
[2022-09-18T18:27:56Z] <illiliti> these syscalls are too dangerous
[2022-09-18T18:28:06Z] <illiliti> truncate, chmod, chown
[2022-09-18T18:28:29Z] <illiliti> what the hell landlock
[2022-09-18T18:29:13Z] <testuser[m]1> Yeah
[2022-09-18T18:29:27Z] <testuser[m]1> Ig adding filtering for those would've taken another 2 years for patch review lol
[2022-09-18T18:31:17Z] <illiliti> usual thing
[2022-09-18T18:44:46Z] <testuser[m]1> What about seccomp
[2022-09-18T18:45:32Z] <virutalmachineus> seccomp is good
[2022-09-18T18:45:39Z] <illiliti> it sucks
[2022-09-18T18:45:48Z] <virutalmachineus> bubblewrap with seccomp is best
[2022-09-18T18:46:37Z] <illiliti> seccomp is the reason why we have landlock now
[2022-09-18T18:47:20Z] <illiliti> because it is overly-complicated and easy to misuse
[2022-09-18T18:47:57Z] <illiliti> i'd avoid it and anything BPF-based at all cost
[2022-09-18T18:48:38Z] <virutalmachineus> yeah bpf is not good for security
[2022-09-18T18:52:13Z] <illiliti> yep, if we're going to make secure sandbox, seccomp is not an option
[2022-09-18T18:52:30Z] <illiliti> how about we just restrict internet access for now
[2022-09-18T18:53:44Z] <illiliti> when landlock will be ready, we will use it to restrict paths
[2022-09-18T18:56:07Z] <illiliti> iirc soon landlock should be able to restrict network natively
[2022-09-18T18:56:14Z] <illiliti> without namespaces
[2022-09-18T18:57:04Z] <virutalmachineus> that's so awesome
[2022-09-18T19:00:23Z] <ioraff> i'm not seeing the problem in at least starting to use landlock to restrict reads and executes to dependencies
[2022-09-18T19:01:54Z] <ioraff> unless we just want to go straight to a full sandbox
[2022-09-18T19:09:57Z] <testuser[m]1> ioraff: I don't care much about the security point but the issue is that if gcc can stat() a library and believe that it can link to it, the final link will fail
[2022-09-18T19:10:11Z] <testuser[m]1> So the issue with automatic dependency detection is there
[2022-09-18T19:10:23Z] <testuser[m]1> i haven't tried this yet tho so not sure if it's even going to be an issue