*** jjardon_matrix has quit IRC | 04:00 | |
*** jjardon_matrix has joined #baserock | 04:45 | |
*** toscalix has joined #baserock | 06:57 | |
*** anahuelamo has quit IRC | 07:07 | |
*** anahuelamo has joined #baserock | 07:08 | |
paulsherwood | leeming: i don't think anyone expressly maintains it currently | 07:35 |
*** paulwaters_ has joined #baserock | 07:42 | |
*** rdale has joined #baserock | 07:54 | |
*** CTtpollard has quit IRC | 08:31 | |
*** CTtpollard has joined #baserock | 08:31 | |
*** jonathanmaw has joined #baserock | 08:35 | |
*** toscalix has quit IRC | 08:56 | |
*** toscalix has joined #baserock | 08:57 | |
leeming | paulsherwood, thought so. I might need to patch it later then =) just wondering who'd volunteer for code review/sanity check | 08:59 |
*** CTtpollard has quit IRC | 09:05 | |
paulsherwood | i can review | 09:07 |
*** CTtpollard has joined #baserock | 09:08 | |
leeming | ok cool, not promising anything yet though. just a possibility | 09:09 |
*** locallycompact has joined #baserock | 09:28 | |
jjardon | paulsherwood: to calculate the cache key; does ybd take the ref: value directly or it takes the commit sha in case the ref: is a branch? | 10:00 |
locallycompact | neither | 10:01 |
locallycompact | it takes the tree sha aiui | 10:01 |
paulsherwood | jjardon: tree sha, as locallycompact says | 10:04 |
paulsherwood | jjardon: so a tag, or a branch, or a rebase, or a squash can all point to the same tree, and no need for a rebuild | 10:04 |
jjardon | mmm, I've changed a commit for a branch name and I didn't get a rebuild, so I wonder what has happened (I built the same branch name before, but pointing to a different commit) | 10:06 |
paulsherwood | did the change in commit actually change the tree? | 10:07 |
paulsherwood | it's possible to get the same tree with different commits | 10:07 |
richard_maw | it's very common to have the same tree with different commits (e.g. you reverted back to something you had already built, or you built a development branch that was then merged) | 10:09 |
paulsherwood | yup | 10:12 |
jjardon | yeah, the contents of the repo are different from anything I built before | 10:14 |
jjardon | what is the process to have images in https://download.baserock.org/baserock/ ? | 10:16 |
paulsherwood | jjardon: if what you are saying is correct, this would be a serious bug... can i investigate somehow? | 10:16 |
jjardon | paulsherwood: sure, let me recheck to be sure | 10:16 |
pedroalvarez | jjardon: the process is to give the images to some member of baserock-ops team | 10:17 |
jjardon | pedroalvarez: right, who is in the baserock-ops team? | 10:18 |
pedroalvarez | jjardon: listed here http://wiki.baserock.org/team/ | 10:18 |
pedroalvarez | I can help you this time | 10:19 |
jjardon | pedroalvarez: I do not have anything yet; I was only curious. Thanks for the info | 10:19 |
pedroalvarez | np | 10:20 |
pedroalvarez | I believe this has been asked before, so feel free to put some info wherever you would have expected it to be | 10:20 |
*** fay has joined #baserock | 10:48 | |
*** fay is now known as Guest86071 | 10:48 | |
*** faybrocklebank has quit IRC | 10:51 | |
jjardon | paulsherwood: here: https://gitlab.com/baserock/definitions/pipelines/4018300 I've changed fhs-dirs to a branch whose contents have not been built before but it doesn't get rebuilt | 11:14 |
pedroalvarez | jjardon: please, use personal branches when possible | 11:19 |
pedroalvarez | and also, consider looking at https://storyboard.baserock.org/#!/story/11 | 11:22 |
pedroalvarez | which points at http://git.baserock.org/cgi-bin/cgit.cgi/baserock/baserock/definitions.git/log/?h=baserock/pedroalvarez/usr-merge2 | 11:22 |
jjardon | oh, nice | 11:26 |
pedroalvarez | I found that modifying build-essentials was enough, given that the unpacking would put things in the new place once the symlinks were present | 11:29 |
pedroalvarez | that is, a chunk that depends on build essential, and installs things in /bin, will get its things unpacked in /usr/bin given that it is unpacked after the symlinks are created (or fhs-dirs chunk unpacked) | 11:30 |
jjardon | yeah, that was my plan | 11:31 |
jjardon | I'd like to fix all the chunks properly though, so everything gets directly installed in /usr/lib / /usr/bin | 11:32 |
pedroalvarez | I found that some of them don't support that in their configuration/build steps | 11:35 |
*** Guest86071 has quit IRC | 11:35 | |
*** Guest86071 has joined #baserock | 11:35 | |
leeming | I have a patch for sandboxlib, but cautious of https://github.com/CodethinkLabs/sandboxlib/blob/master/HACKING.rst | 11:49 |
persia | leeming: Which part of it? | 11:50 |
leeming | I don't mind following through the steps, but most of it is unknowns for me | 11:50 |
leeming | or is this only for official releases? :\ | 11:50 |
persia | For releases, you'll need someone who has done a release (at least to get you access, and they can probably walk you through the process) | 11:51 |
persia | For some value of official, but if on pypi, anyone who runs `pip install sandboxlib` will get the new version. | 11:51 |
leeming | I'm happy to just submit a patch on github though | 11:51 |
persia | The test suite is something you should be able to run safely. Doing stuff with tox is increasingly common, so if you haven't, it's worth learning the dance. | 11:52 |
persia | I have no suggestions or recommendations about app container spec compliance. | 11:52 |
leeming | just wanting to do things 'right' :) | 11:53 |
leeming | tox is on my list of things to read up on | 11:53 |
leeming | I'd like to learn the correct way of packaging up a python project, instead of just a hackjob :) | 11:53 |
persia | Sadly, there are currently many correct ways, and new ones are introduced in PEPs regularly. The PyPI process documented for sandboxlib is sufficiently current to be a reasonable target unless you want to forge new ground especially. | 11:55 |
leeming | oh yes, well I know that python has many approaches. but finding one that sticks is better than not having anything | 11:56 |
leeming | hmm running tox.. that was a massive load of fail X( | 11:59 |
leeming | ah, either I skipped over something, or linux-user-chroot not listed as a requirement | 12:02 |
* leeming has the pypy version installed | 12:02 | |
leeming | hmm.. I think I will add my PR and investigate some of these errors with tox... the master branch fails, so either mis-configured tox.ini or needs additional host setup | 12:08 |
leeming | persia, paulsherwood sanity check/code review please - https://github.com/CodethinkLabs/sandboxlib/pull/21 | 12:15 |
pedroalvarez | leeming: can you trim the first line of your commit message and then add further explanations in the following lines? | 12:17 |
pedroalvarez | commit looks good to me | 12:18 |
leeming | pedroalvarez, done commit amend | 12:20 |
pedroalvarez | much better :) thanks | 12:22 |
paulsherwood | merged | 12:25 |
leeming | :) ta | 12:26 |
leeming | unsure on the mystical powers of updating the pypy version, but at least it is added somewhere | 12:26 |
paulsherwood | i think ssam is required for that | 12:27 |
leeming | yes, thought so | 12:27 |
* leeming pushes onto the stack of things to bug him about on his return | 12:27 | |
*** fay has joined #baserock | 14:41 | |
*** fay is now known as faybrocklebank | 14:41 | |
*** Guest86071 has quit IRC | 14:43 | |
*** fay has joined #baserock | 14:45 | |
*** fay is now known as Guest72725 | 14:46 | |
* paulsherwood wonders whether running ybd under fakeroot would work | 14:46 | |
persia | Depends on why the build needs root. If it needs some capability not available to the user under fakeroot, things will fail. | 14:47 |
persia | Most software can be built under fakeroot, so it ought work for many things. | 14:47 |
paulsherwood | i think it all comes down to the device nodes | 14:48 |
paulsherwood | but i may be wrong | 14:49 |
*** faybrocklebank has quit IRC | 14:49 | |
rjek | fakeroot can cope with device node creation | 14:49 |
*** Guest72725 is now known as faybrocklebank | 14:49 | |
richard_maw | deployment definitely won't work because you'll need to make disk images which involves mounting | 14:50 |
richard_maw | fakeroot and linux-user-chroot don't work together, so you can't have sandboxing | 14:50 |
richard_maw | or at least didn't work together | 14:51 |
paulsherwood | thanks. i had to give up on l-u-c anyway, because of the 'too many mounts' problem | 14:52 |
rjek | "deployment" using disc images is a problem | 14:52 |
rjek | In general | 14:52 |
rjek | There are non-rootly tools that can create drive images though if you really want that | 14:52 |
paulsherwood | but it doesn't work for ordinary chroot either, it seems: 'RuntimeError: Unable to chroot: [Errno 1] Operation not permitted: '/'' | 14:53 |
richard_maw | about 10 months ago I had another look at the mounts issue again, it is possible to do it with fewer if you bind-mount your staging area to somewhere in / | 14:53 |
richard_maw | paulsherwood: there's some LD_PRELOAD hacks that fakeroot-like programs could attempt to fake a chroot, I don't recall whether there's any software that does them, and in either case it would be unsafe to rely on since it would be trivial to thwart and access your host system | 14:55 |
leeming | what is the issue against just requesting sudo/root ? | 14:55 |
paulsherwood | build tools shouldn't need root | 14:55 |
leeming | shouldn't | 14:56 |
paulsherwood | other build tools don't need root | 14:56 |
richard_maw | hard to get people to trust your build tool if it builds arbitrary code under root | 14:56 |
richard_maw | paulsherwood: unless you want to remove sandboxing (which would require changes to every component you want to build) you need linux-user-chroot/flatpak to do this without root | 14:57 |
rjek | Hmm, Debian and Ubuntu are entirely built unrootly, aren't they? | 14:58 |
rjek | But they do sometimes have extensive local patching because the majority of upstreams are mad | 14:59 |
paulsherwood | richard_maw: i don't want to remove sandboxing | 15:00 |
paulsherwood | could we achieve non-root with flatpak? | 15:00 |
richard_maw | possibly, I haven't investigated whether it inherited the goal of running without root from linux-user-chroot | 15:01 |
leeming | the sandboxlib uses linux-user-chroot? | 15:01 |
richard_maw | yes | 15:01 |
leeming | less of a question than a statement actually :D | 15:02 |
paulsherwood | leeming: it falls back to chroot, if l-u-c is not found | 15:02 |
richard_maw | but the version of linux-user-chroot that is packaged is so old that it has an arbitrary limit to the number of mounts it supports | 15:02 |
leeming | ahright.. too far outside my knowledge | 15:02 |
paulsherwood | mine too | 15:02 |
rjek | Google Bazel has some sort of sandbox thingy | 15:03 |
* rjek goes to dig it out | 15:03 | |
rjek | https://github.com/bazelbuild/bazel/tree/bce6fc5b19bf3a907497b8756a4ccabcb48e0873/src/main/tools | 15:03 |
richard_maw | that doesn't require chrooting, but AIUI it uses seccomp and other rootly tricks to prevent builds from accessing files outside its build tree | 15:04 |
richard_maw | paulsherwood: an alternative would be to compile your own setuid-root helper, but that requires root to install, and it's notoriously difficult to secure, hence the peer verification which has been done on linux-user-chroot | 15:05 |
* leeming thinks he should stop submitting trivial issues that turn into non-trivial ones :D | 15:07 | |
paulsherwood | richard_maw: thanks. unfortunately i think i'm incapable of addressing any of this properly without significant help. a customer last week mistook me for a linux person | 15:07 |
paulsherwood | leeming: i appreciate you raising the trivial issue, and your suggestion is easy enough to add. but as you can see, the real issue is my lack of linux fu :) | 15:08 |
richard_maw | well, you know more than most CEOs of tech companies and know what you don't know | 15:19 |
paulsherwood | i'll take a crumb of comfort from that :) | 15:20 |
paulsherwood | in other news, ybd inside fakechroot inside fakeroot seems to be making headway :) | 15:21 |
richard_maw | eh? running ybd in a fake chroot? surely it's the builds ybd runs which need to be fake chrooted | 15:21 |
rjek | fakeroot is nestable, IIRC | 15:22 |
paulsherwood | i think, but cannot be sure, that running fakechroot with no args has established its precedence for the actual calls to chroot that ybd is running | 15:23 |
paulsherwood | ie i've done fakeroot ; fake chroot ; ybd target arch | 15:23 |
paulsherwood | ie i've done fakeroot ; fakechroot ; ybd target arch | 15:24 |
jonathanmaw | hrm, I'm building a specific version of libical as specified by a source rpm, and it lists byacc as a dependency. | 15:27 |
jonathanmaw | looking at the history of definitions, I don't think we've ever built byacc, although we've built libical before | 15:27 |
jonathanmaw | Is byacc provided by something else? | 15:27 |
jjardon | about sandboxing: https://github.com/projectatomic/bubblewrap ? | 15:27 |
jonathanmaw | ah, wikipedia says bison is a replacement for yacc | 15:28 |
jonathanmaw | mystery solved | 15:29 |
paulsherwood | jjardon: yes, possibly | 15:29 |
richard_maw | ah, yes, bubblewrap is the bit of flatpak that evolved from linux-user-chroot | 15:42 |
* richard_maw had forgotten the distinction | 15:42 | |
*** jonathanmaw has quit IRC | 17:05 | |
*** jonathanmaw has joined #baserock | 17:05 | |
jonathanmaw | nk | 17:05 |
jonathanmaw | oops | 17:05 |
*** jonathanmaw has quit IRC | 17:05 | |
*** faybrocklebank has quit IRC | 17:06 | |
*** locallycompact has quit IRC | 17:25 | |
*** anahuelamo has quit IRC | 17:33 | |
*** toscalix has quit IRC | 18:09 |