[2022-09-18T02:24:41Z] yeah, both look like good ideas
[2022-09-18T04:28:36Z] Hi
[2022-09-18T04:32:05Z] hi
[2022-09-18T04:36:23Z] hi
[2022-09-18T04:53:17Z] hi
[2022-09-18T05:22:09Z] illiliti: is there an alternative to bind mounting thousands of paths for sandbox
[2022-09-18T05:27:17Z] yes static link
[2022-09-18T05:27:42Z] what?
[2022-09-18T05:27:43Z] do you bubblewrap all your programs?
[2022-09-18T06:33:23Z] bubblewrap the kernel
[2022-09-18T06:43:12Z] kiss should package each program in bubblewrap
[2022-09-18T06:44:19Z] open a PR and try to implement that
[2022-09-18T06:44:36Z] fun fact: a proposal has been opened to sandbox builds
[2022-09-18T06:44:56Z] but not programs themselves
[2022-09-18T06:48:18Z] i bubblewrap most of my packages, I don't know how long it will take to bubblewrap the whole repository
[2022-09-18T06:48:49Z] u dont need to bubblewrap anything that doesnt deal with stuff from the internet
[2022-09-18T06:49:36Z] yeah you're right but, but some are easy to bubblewrap so i do it
[2022-09-18T06:49:45Z] s/but//
[2022-09-18T13:51:06Z] What's the best bin provider thing ? Snap ? Flatpak ? Appimage ?
[2022-09-18T13:51:47Z] flatpak
[2022-09-18T13:53:11Z] Ty
[2022-09-18T13:53:50Z] is there any up to date repo with flatpak and its dependencies ?
[2022-09-18T13:54:00Z] dylan's repo is like 2 years old
[2022-09-18T13:55:14Z] community
[2022-09-18T13:55:35Z] https://github.com/kiss-community/community
[2022-09-18T13:57:06Z] Oh yeah you're right I had forgotten to git pull it lol
[2022-09-18T14:04:57Z] did you not git pull for 2 years
[2022-09-18T14:15:58Z] lmao
[2022-09-18T14:19:06Z] wael[m]: nah but for like 2 weeks
[2022-09-18T14:22:09Z] is there any repo with pulseaudio in it or do I install it myself
[2022-09-18T14:23:49Z] you only need libsndfile and pulseaudio for pulseaudio
[2022-09-18T14:23:55Z] i suggest you go with pipewire if you want audio
[2022-09-18T14:24:08Z] pipewire is in community
[2022-09-18T14:24:28Z] oh thanks
[2022-09-18T14:24:43Z] never used pipewire, is there any special setup to do or does it just work?
[2022-09-18T14:24:49Z] but if you want apps to have pulseaudio support you need the libraries
[2022-09-18T14:24:57Z] tl;dr pipewire & pipewire-pulse &
[2022-09-18T14:25:09Z] thats what i use and it works fine, you just need XDG_RUNTIME_DIR
[2022-09-18T14:25:16Z] alright
[2022-09-18T14:25:20Z] thanks
[2022-09-18T14:31:03Z] Beni: I don't know what you use for your status bar, but if you use yambar, I've made a module for pipewire: https://codeberg.org/dnkl/yambar/pulls/224
[2022-09-18T14:38:13Z] i'll keep that in mind
[2022-09-18T14:38:14Z] yo
[2022-09-18T14:38:38Z] someone have a asound.conf that works with HDMI???
[2022-09-18T14:39:50Z] ~~alsa try to not make anything except set default devices challenge a headache~~
[2022-09-18T15:02:48Z] I tried landlock with 70k files it seems to work fine
[2022-09-18T15:03:09Z] in .1 second
[2022-09-18T15:25:30Z] testuser[m]1: landlock
[2022-09-18T15:25:53Z] What
[2022-09-18T15:27:44Z] nvm
[2022-09-18T15:47:10Z] Whar
[2022-09-18T16:07:29Z] it's insane that zip/unzip needs such amount of patches
[2022-09-18T16:31:27Z] illiliti: p7zip implements both zip and unzip and doesn't need any patches
[2022-09-18T16:31:38Z] But i don't think it has any common feature/flags other than zipping and unzipping
[2022-09-18T16:34:41Z] does it work with firefox?
[2022-09-18T16:35:03Z] tbh i still doubt that firefox needs zip/unzip
[2022-09-18T16:35:24Z] I'm sure it needs zip
[2022-09-18T16:35:27Z] for creating xpo
[2022-09-18T16:35:31Z] I think unzip is useless
[2022-09-18T16:35:34Z] Xpi
[2022-09-18T16:35:50Z] illiliti: it'll work with anything if u just modify the flags and command
[2022-09-18T16:37:27Z] does it embed entire zip/unzip into itself at build time?
[2022-09-18T16:37:55Z] Firefox?
[2022-09-18T16:37:56Z] no
[2022-09-18T16:38:09Z] then i don't understand why it is "make" dependency
[2022-09-18T16:38:25Z] For creating xpi
[2022-09-18T16:38:35Z] Let me grep
[2022-09-18T16:40:04Z] can you run kiss-manifest firefox for me?
[2022-09-18T16:40:08Z] and post output
[2022-09-18T16:40:25Z] im not at pc
[2022-09-18T16:40:42Z] ok
[2022-09-18T16:40:46Z] https://github.com/kiss-community/repo/blob/master/extra/firefox/build#L109-L113
[2022-09-18T16:44:24Z] ok, i checked
[2022-09-18T16:44:53Z] some xpis are still present
[2022-09-18T16:45:07Z] pictureinpicture@mozilla.org.xpi
[2022-09-18T16:45:15Z] formautofill@mozilla.org.xpi
[2022-09-18T16:45:19Z] They're required
[2022-09-18T16:45:28Z] perhaps
[2022-09-18T16:45:31Z] not basic but
[2022-09-18T16:45:32Z] for basic functionality
[2022-09-18T16:45:54Z] I use pip
[2022-09-18T16:45:59Z] someone probably uses autofill
[2022-09-18T16:46:13Z] That screenshots one should probably be added back as well
[2022-09-18T16:46:17Z] The rest is junk i think
[2022-09-18T16:46:38Z] wait what firefox uses to unpack them at runtime?
[2022-09-18T16:46:58Z] if unzip is "make" dep
[2022-09-18T16:52:59Z] Some bundled library ig, but then they could make a binary of that at compile time for packing
[2022-09-18T16:55:45Z] Can we go ahead with https://github.com/kiss-community/repo/issues/90#issuecomment-1249398812
[2022-09-18T17:15:43Z] i think yes
[2022-09-18T17:31:21Z] https://github.com/madler/zlib/tree/master/contrib/minizip
[2022-09-18T17:33:11Z] btw should we switch to zlib-ng?
[2022-09-18T17:33:20Z] or sortix libz
[2022-09-18T17:34:13Z] i'll create a proposal
[2022-09-18T17:35:34Z] ng
[2022-09-18T17:36:15Z] Sortix is dead
[2022-09-18T17:37:50Z] ng is abi compatible?
[2022-09-18T17:41:23Z] no, sortix is alive
[2022-09-18T17:41:34Z] ng has compat mode
[2022-09-18T17:41:40Z] so yes
[2022-09-18T17:42:32Z] illiliti: it's shitlab is inactive
[2022-09-18T17:42:35Z] Is there a fork of it
[2022-09-18T17:42:58Z] https://gitlab.com/sortix/sortix/-/commits/staging/
[2022-09-18T17:44:14Z] or you mean libz?
[2022-09-18T17:45:11Z] I mean sortix libz
[2022-09-18T17:47:57Z] ah i see. i suspect it's stable and done, so no further development is needed
[2022-09-18T17:48:31Z] but sekurity
[2022-09-18T17:48:36Z] 5 years
[2022-09-18T17:50:08Z] is sortix the future of kiss linux?
[2022-09-18T17:51:00Z] Yes
[2022-09-18T17:51:15Z] sorkixx
[2022-09-18T18:03:44Z] testuser[m]1: care to share that landlock code?
[2022-09-18T18:10:40Z] forget about zlib-ng
[2022-09-18T18:10:44Z] ioraff: It's on pc
[2022-09-18T18:10:53Z] I just adapted the kernel example
[2022-09-18T18:10:53Z] they use bashisms and gnuisms in configure script
[2022-09-18T18:11:20Z] we can patch that but does it even have any measurable difference than zlib
[2022-09-18T18:12:07Z] Like its of no use if the performance tweaks are just in the new APIs or whatever
[2022-09-18T18:12:11Z] it supposed to have
[2022-09-18T18:12:22Z] SSSE, AVX stuff
[2022-09-18T18:12:29Z] should be faster at least
[2022-09-18T18:12:42Z] ioraff: https://github.com/torvalds/linux/blob/master/samples/landlock/sandboxer.c
[2022-09-18T18:13:18Z] Landlock can't restrict access() calls yet so I can see some issues cropping up with that
[2022-09-18T18:13:42Z] i can't even build it with tcc
[2022-09-18T18:13:47Z] eg build system detects /usr/lib/libshit.so but later on it cant link cuz libshit.so can't even be opened
[2022-09-18T18:13:47Z] which is not a good sign
[2022-09-18T18:14:49Z] you must not use access() calls in the first place
[2022-09-18T18:15:00Z] because TOCTOU
[2022-09-18T18:15:38Z] I'm talking about the build systems
[2022-09-18T18:16:00Z] Isn't every build system broken then
[2022-09-18T18:17:07Z] if they use open() and then fstat(), then nothing shall break
[2022-09-18T18:20:21Z] What about plain stat without open() and fstat
[2022-09-18T18:20:43Z] chdir(2), truncate(2), stat(2), flock(2), chmod(2), chown(2), setxattr(2), utime(2), ioctl(2), fcntl(2), access(2)
[2022-09-18T18:23:18Z] i see
[2022-09-18T18:23:47Z] it's a problem yeah
[2022-09-18T18:27:28Z] I'll check user namespaces approach too
[2022-09-18T18:27:56Z] these syscalls are too dangerous
[2022-09-18T18:28:06Z] truncate, chmod, chown
[2022-09-18T18:28:29Z] what the hell landlock
[2022-09-18T18:29:13Z] Yeah
[2022-09-18T18:29:27Z] Ig adding filtering for those would've taken another 2 years for patch review lol
[2022-09-18T18:31:17Z] usual thing
[2022-09-18T18:44:46Z] What about seccomp
[2022-09-18T18:45:32Z] seccomp is good
[2022-09-18T18:45:39Z] it sucks
[2022-09-18T18:45:48Z] bubblewrap with seccomp is best
[2022-09-18T18:46:37Z] seccomp is the reason why we have landlock now
[2022-09-18T18:47:20Z] because it is overly-complicated and easy to misuse
[2022-09-18T18:47:57Z] i'd avoid it and anything BPF-based at all cost
[2022-09-18T18:48:38Z] yeah bpf is not good for security
[2022-09-18T18:52:13Z] yep, if we're going to make secure sandbox, seccomp is not an option
[2022-09-18T18:52:30Z] how about we just restrict internet access for now
[2022-09-18T18:53:44Z] when landlock will be ready, we will use it to restrict paths
[2022-09-18T18:56:07Z] iirc soon landlock should be able to restrict network natively
[2022-09-18T18:56:14Z] without namespaces
[2022-09-18T18:57:04Z] that's so awesome
[2022-09-18T19:00:23Z] i'm not seeing the problem in at least starting to use landlock to restrict reads and executes to dependencies
[2022-09-18T19:01:54Z] unless we just want to go straight to a full sandbox
[2022-09-18T19:09:57Z] ioraff: I don't care much about the security point but the issue is that if gcc can stat() a library and believe that it can link to it, the final link will fail
[2022-09-18T19:10:11Z] So the issue with automatic dependency detection is there
[2022-09-18T19:10:23Z] i haven't tried this yet tho so not sure if it's even going to be an issue