Archived view for gemini.ctrl-c.club › ~phoebos › logs › kisslinux-2022-09-18.txt captured on 2024-02-05 at 10:36:13.
[2022-09-18T02:24:41Z] <ioraff> yeah, both look like good ideas
[2022-09-18T04:28:36Z] <testuser[m]1> Hi
[2022-09-18T04:32:05Z] <ioraff> hi
[2022-09-18T04:36:23Z] <noocsharp> hi
[2022-09-18T04:53:17Z] <virutalmachineus> hi
[2022-09-18T05:22:09Z] <testuser[m]1> illiliti: is there an alternative to bind mounting thousands of paths for sandbox
[2022-09-18T05:27:17Z] <virutalmachineus> yes static link
[2022-09-18T05:27:42Z] <ioraff> what?
[2022-09-18T05:27:43Z] <virutalmachineus> do you bubblewrap all your programs?
[2022-09-18T06:33:23Z] <wael[m]> bubblewrap the kernel
[2022-09-18T06:43:12Z] <virutalmachineus> kiss should package each program in bubblewrap
[2022-09-18T06:44:19Z] <wael[m]> open a PR and try to implement that
[2022-09-18T06:44:36Z] <wael[m]> fun fact: a proposal has been opened to sandbox builds
[2022-09-18T06:44:56Z] <wael[m]> but not programs themselves
[2022-09-18T06:48:18Z] <virutalmachineus> i bubblewrap most of my packages, I don't know how long it will take to bubblewrap the whole repository
[2022-09-18T06:48:49Z] <testuser[m]1> u dont need to bubblewrap anything that doesnt deal with stuff from the internet
[2022-09-18T06:49:36Z] <virutalmachineus> yeah you're right but, but some are easy to bubblewrap so i do it
[2022-09-18T06:49:45Z] <virutalmachineus> s/but//
[2022-09-18T13:51:06Z] <Ogromny> What's the best bin provider thing? Snap? Flatpak? Appimage?
[2022-09-18T13:51:47Z] <wael[m]> flatpak
[2022-09-18T13:53:11Z] <Ogromny> Ty
[2022-09-18T13:53:50Z] <Ogromny> is there any up to date repo with flatpak and its dependencies?
[2022-09-18T13:54:00Z] <Ogromny> dylan's repo is like 2 years old
[2022-09-18T13:55:14Z] <wael[m]> community
[2022-09-18T13:55:35Z] <wael[m]> https://github.com/kiss-community/community
[2022-09-18T13:57:06Z] <Ogromny> Oh yeah you're right I had forgotten to git pull it lol
[2022-09-18T14:04:57Z] <wael[m]> did you not git pull for 2 years
[2022-09-18T14:15:58Z] <Beni> lmao
[2022-09-18T14:19:06Z] <Ogromny> wael[m]: nah but for like 2 weeks
[2022-09-18T14:22:09Z] <Beni> is there any repo with pulseaudio in it or do I install it myself
[2022-09-18T14:23:49Z] <wael[m]> you only need libsndfile and pulseaudio for pulseaudio
[2022-09-18T14:23:55Z] <wael[m]> i suggest you go with pipewire if you want audio
[2022-09-18T14:24:08Z] <wael[m]> pipewire is in community
[2022-09-18T14:24:28Z] <Beni> oh thanks
[2022-09-18T14:24:43Z] <Beni> never used pipewire, is there any special setup to do or does it just work?
[2022-09-18T14:24:49Z] <wael[m]> but if you want apps to have pulseaudio support you need the libraries
[2022-09-18T14:24:57Z] <wael[m]> tl;dr pipewire & pipewire-pulse &
[2022-09-18T14:25:09Z] <wael[m]> thats what i use and it works fine, you just need XDG_RUNTIME_DIR
[2022-09-18T14:25:16Z] <Beni> alright
[2022-09-18T14:25:20Z] <Beni> thanks
[2022-09-18T14:31:03Z] <Ogromny> Beni: I don't know what you use for your status bar, but if you use yambar, I've made a module for pipewire: https://codeberg.org/dnkl/yambar/pulls/224
[2022-09-18T14:38:13Z] <Beni> i'll keep that in mind
[2022-09-18T14:38:14Z] <rohan> yo
[2022-09-18T14:38:38Z] <rohan> does someone have an asound.conf that works with HDMI???
[2022-09-18T14:39:50Z] <wael[m]> ~~alsa try to not make anything except set default devices challenge a headache~~
[2022-09-18T15:02:48Z] <testuser[m]1> I tried landlock with 70k files it seems to work fine
[2022-09-18T15:03:09Z] <testuser[m]1> in .1 second
[2022-09-18T15:25:30Z] <illiliti> testuser[m]1: landlock
[2022-09-18T15:25:53Z] <testuser[m]1> What
[2022-09-18T15:27:44Z] <illiliti> nvm
[2022-09-18T15:47:10Z] <wael[m]> Whar
[2022-09-18T16:07:29Z] <illiliti> it's insane that zip/unzip needs such an amount of patches
[2022-09-18T16:31:27Z] <testuser[m]1> illiliti: p7zip implements both zip and unzip and doesn't need any patches
[2022-09-18T16:31:38Z] <testuser[m]1> But i don't think it has any common feature/flags other than zipping and unzipping
[2022-09-18T16:34:41Z] <illiliti> does it work with firefox?
[2022-09-18T16:35:03Z] <illiliti> tbh i still doubt that firefox needs zip/unzip
[2022-09-18T16:35:24Z] <testuser[m]1> I'm sure it needs zip
[2022-09-18T16:35:27Z] <testuser[m]1> for creating xpo
[2022-09-18T16:35:31Z] <testuser[m]1> I think unzip is useless
[2022-09-18T16:35:34Z] <testuser[m]1> Xpi
[2022-09-18T16:35:50Z] <testuser[m]1> illiliti: it'll work with anything if u just modify the flags and command
[2022-09-18T16:37:27Z] <illiliti> does it embed entire zip/unzip into itself at build time?
[2022-09-18T16:37:55Z] <testuser[m]1> Firefox?
[2022-09-18T16:37:56Z] <testuser[m]1> no
[2022-09-18T16:38:09Z] <illiliti> then i don't understand why it is a "make" dependency
[2022-09-18T16:38:25Z] <testuser[m]1> For creating xpi
[2022-09-18T16:38:35Z] <testuser[m]1> Let me grep
[2022-09-18T16:40:04Z] <illiliti> can you run kiss-manifest firefox for me?
[2022-09-18T16:40:08Z] <illiliti> and post output
[2022-09-18T16:40:25Z] <testuser[m]1> im not at pc
[2022-09-18T16:40:42Z] <illiliti> ok
[2022-09-18T16:40:46Z] <illiliti> https://github.com/kiss-community/repo/blob/master/extra/firefox/build#L109-L113
[2022-09-18T16:44:24Z] <illiliti> ok, i checked
[2022-09-18T16:44:53Z] <illiliti> some xpis are still present
[2022-09-18T16:45:07Z] <illiliti> pictureinpicture@mozilla.org.xpi
[2022-09-18T16:45:15Z] <illiliti> formautofill@mozilla.org.xpi
[2022-09-18T16:45:19Z] <testuser[m]1> They're required
[2022-09-18T16:45:28Z] <illiliti> perhaps
[2022-09-18T16:45:31Z] <testuser[m]1> not basic but
[2022-09-18T16:45:32Z] <testuser[m]1> for basic functionality
[2022-09-18T16:45:54Z] <testuser[m]1> I use pip
[2022-09-18T16:45:59Z] <testuser[m]1> someone probably uses autofill
[2022-09-18T16:46:13Z] <testuser[m]1> That screenshots one should probably be added back as well
[2022-09-18T16:46:17Z] <testuser[m]1> The rest is junk i think
[2022-09-18T16:46:38Z] <illiliti> wait, what does firefox use to unpack them at runtime?
[2022-09-18T16:46:58Z] <illiliti> if unzip is a "make" dep
[2022-09-18T16:52:59Z] <testuser[m]1> Some bundled library ig, but then they could make a binary of that at compile time for packing
[2022-09-18T16:55:45Z] <testuser[m]1> Can we go ahead with https://github.com/kiss-community/repo/issues/90#issuecomment-1249398812
[2022-09-18T17:15:43Z] <illiliti> i think yes
[2022-09-18T17:31:21Z] <illiliti> https://github.com/madler/zlib/tree/master/contrib/minizip
[2022-09-18T17:33:11Z] <illiliti> btw should we switch to zlib-ng?
[2022-09-18T17:33:20Z] <illiliti> or sortix libz
[2022-09-18T17:34:13Z] <illiliti> i'll create a proposal
[2022-09-18T17:35:34Z] <testuser[m]1> ng
[2022-09-18T17:36:15Z] <testuser[m]1> Sortix is dead
[2022-09-18T17:37:50Z] <testuser[m]1> ng is abi compatible?
[2022-09-18T17:41:23Z] <illiliti> no, sortix is alive
[2022-09-18T17:41:34Z] <illiliti> ng has compat mode
[2022-09-18T17:41:40Z] <illiliti> so yes
[2022-09-18T17:42:32Z] <testuser[m]1> illiliti: its shitlab is inactive
[2022-09-18T17:42:35Z] <testuser[m]1> Is there a fork of it
[2022-09-18T17:42:58Z] <illiliti> https://gitlab.com/sortix/sortix/-/commits/staging/
[2022-09-18T17:44:14Z] <illiliti> or you mean libz?
[2022-09-18T17:45:11Z] <testuser[m]1> I mean sortix libz
[2022-09-18T17:47:57Z] <illiliti> ah i see. i suspect it's stable and done, so no further development is needed
[2022-09-18T17:48:31Z] <testuser[m]1> but sekurity
[2022-09-18T17:48:36Z] <testuser[m]1> 5 years
[2022-09-18T17:50:08Z] <virutalmachineus> is sortix the future of kiss linux?
[2022-09-18T17:51:00Z] <testuser[m]1> Yes
[2022-09-18T17:51:15Z] <testuser[m]1> sorkixx
[2022-09-18T18:03:44Z] <ioraff> testuser[m]1: care to share that landlock code?
[2022-09-18T18:10:40Z] <illiliti> forget about zlib-ng
[2022-09-18T18:10:44Z] <testuser[m]1> ioraff: It's on pc
[2022-09-18T18:10:53Z] <testuser[m]1> I just adapted the kernel example
[2022-09-18T18:10:53Z] <illiliti> they use bashisms and gnuisms in configure script
[2022-09-18T18:11:20Z] <testuser[m]1> we can patch that but does it even have any measurable difference from zlib
[2022-09-18T18:12:07Z] <testuser[m]1> Like it's of no use if the performance tweaks are just in the new APIs or whatever
[2022-09-18T18:12:11Z] <illiliti> it's supposed to have
[2022-09-18T18:12:22Z] <illiliti> SSSE, AVX stuff
[2022-09-18T18:12:29Z] <illiliti> should be faster at least
[2022-09-18T18:12:42Z] <testuser[m]1> ioraff: https://github.com/torvalds/linux/blob/master/samples/landlock/sandboxer.c
[2022-09-18T18:13:18Z] <testuser[m]1> Landlock can't restrict access() calls yet so I can see some issues cropping up with that
[2022-09-18T18:13:42Z] <illiliti> i can't even build it with tcc
[2022-09-18T18:13:47Z] <testuser[m]1> eg build system detects /usr/lib/libshit.so but later on it cant link cuz libshit.so can't even be opened
[2022-09-18T18:13:47Z] <illiliti> which is not a good sign
[2022-09-18T18:14:49Z] <illiliti> you must not use access() calls in the first place
[2022-09-18T18:15:00Z] <illiliti> because TOCTOU
[2022-09-18T18:15:38Z] <testuser[m]1> I'm talking about the build systems
[2022-09-18T18:16:00Z] <testuser[m]1> Isn't every build system broken then
[2022-09-18T18:17:07Z] <illiliti> if they use open() and then fstat(), then nothing shall break
[2022-09-18T18:20:21Z] <testuser[m]1> What about plain stat without open() and fstat
[2022-09-18T18:20:43Z] <testuser[m]1> chdir(2), truncate(2), stat(2), flock(2), chmod(2), chown(2), setxattr(2), utime(2), ioctl(2), fcntl(2), access(2)
[2022-09-18T18:23:18Z] <illiliti> i see
[2022-09-18T18:23:47Z] <illiliti> it's a problem yeah
[2022-09-18T18:27:28Z] <testuser[m]1> I'll check the user namespaces approach too
[2022-09-18T18:27:56Z] <illiliti> these syscalls are too dangerous
[2022-09-18T18:28:06Z] <illiliti> truncate, chmod, chown
[2022-09-18T18:28:29Z] <illiliti> what the hell landlock
[2022-09-18T18:29:13Z] <testuser[m]1> Yeah
[2022-09-18T18:29:27Z] <testuser[m]1> Ig adding filtering for those would've taken another 2 years for patch review lol
[2022-09-18T18:31:17Z] <illiliti> usual thing
[2022-09-18T18:44:46Z] <testuser[m]1> What about seccomp
[2022-09-18T18:45:32Z] <virutalmachineus> seccomp is good
[2022-09-18T18:45:39Z] <illiliti> it sucks
[2022-09-18T18:45:48Z] <virutalmachineus> bubblewrap with seccomp is best
[2022-09-18T18:46:37Z] <illiliti> seccomp is the reason why we have landlock now
[2022-09-18T18:47:20Z] <illiliti> because it is overly-complicated and easy to misuse
[2022-09-18T18:47:57Z] <illiliti> i'd avoid it and anything BPF-based at all cost
[2022-09-18T18:48:38Z] <virutalmachineus> yeah bpf is not good for security
[2022-09-18T18:52:13Z] <illiliti> yep, if we're going to make a secure sandbox, seccomp is not an option
[2022-09-18T18:52:30Z] <illiliti> how about we just restrict internet access for now
[2022-09-18T18:53:44Z] <illiliti> when landlock is ready, we will use it to restrict paths
[2022-09-18T18:56:07Z] <illiliti> iirc soon landlock should be able to restrict network natively
[2022-09-18T18:56:14Z] <illiliti> without namespaces
[2022-09-18T18:57:04Z] <virutalmachineus> that's so awesome
[2022-09-18T19:00:23Z] <ioraff> i'm not seeing the problem in at least starting to use landlock to restrict reads and executes to dependencies
[2022-09-18T19:01:54Z] <ioraff> unless we just want to go straight to a full sandbox
[2022-09-18T19:09:57Z] <testuser[m]1> ioraff: I don't care much about the security point but the issue is that if gcc can stat() a library and believe that it can link to it, the final link will fail
[2022-09-18T19:10:11Z] <testuser[m]1> So the issue with automatic dependency detection is there
[2022-09-18T19:10:23Z] <testuser[m]1> i haven't tried this yet tho so not sure if it's even going to be an issue