Tuesday, 2021-11-02

rinigus@hnj: it is impossible to keep API keys secret on OBS, to my knowledge.05:21
Thaodanhnj, rinigus: You can hide certain areas depending on the way obs is set up like e.g. prjconf. Defining API keys in the macros section is a good way to do it but its public in the prjconf06:34
rinigusThaodan: it is not very clear from your reply - to my understanding, prjconf is publicly readable. so, in this respect, it is not really hidden. or can we make it private somehow?06:36
Thaodanrinigus: It's the only area to define macros in obs, using ACLs you could restrict access I think.07:05
rinigusThaodan: can those ACLs be set by us at OBS? I am not aware of any ACL settings for project...07:39
dcalisteHello chriadam, sorry to be late today.08:13
chriadamhi dcaliste, no problem of course08:13
chriadamI hope that you had a nice vacation last week08:13
dcalisteYes, it was really great. The weather was still gentle for the Autumn and sailing along the Italian riviera was marvelous.08:15
dcalisteThank you for the two merges in CalDAV repo.08:15
chriadamsounds great08:15
chriadamno worries, I finally got around to testing and reviewing those08:15
chriadamand Pekka has been busy merging various other PRs we discussed last meeting, also, I believe08:16
dcalisteYes, I thank him also. All recent MRs have been merged now.08:17
dcalisteBefore my vacations, I looked at allowing GnuPG integration with jailed applications.08:17
dcalisteThe result is scattered among comments in various MRs, but here is the essence:08:17
dcalistewe have three possibilities actually:08:17
dcaliste- currently, a gpg-agent is run in pipe mode at each time an application wants to access GnuPG data. This gpg-agent may have to run the pinentry provided by sailfish secrets. To do so, sailfish-secrets socket should be visible from the jail and the jailed application should be granted DBus talk to the daemon.08:19
dcalisteThis is PR https://github.com/sailfishos/sailfish-secrets/pull/178 and https://github.com/sailfishos/sailjail-permissions/pull/10808:20
dcalistethaodan commented on those (and I agree with hiw view) that the gpg-agent should be run in daemon mode instead and outside the jail.08:21
chriadamI wonder if inz  or tomi have any comments ^ they know about sailjail stuff more than I do.  or abr maybe ^08:22
dcaliste- second possibility: run the gpg-agent in daemon mode. I've tried to use systemd socket listening to run the gpg-agent on demand, but our GnuPG stack is too old for this, I believe, and we always miss the first acess. If the gpg-agent is run unconditionnaly at user session startup it's alright.08:22
dcalisteThese are PRs https://github.com/sailfishos/gnupg2/pull/1 and https://github.com/sailfishos/pth/pull/108:23
dcaliste(the pth stuff is a dirty fix for running gpg-agent in daemon mode, they have moved away from pth upstream since a long time)08:24
dcaliste- third possibility: upgrade the GnuPG stack to latest. This is gplv3, so it should not be installed by default.08:24
dcalistethis possibility is the nicest in my opinion.08:24
dcalisteIt requires to create some new repositories to support both gnupg-legacy and gnupg-latest. (the same for libassuan and gpgme)08:25
dcalisteI've begun to propose MR to upgrade the stack where possible: https://github.com/sailfishos/libgpg-error/pull/2 and https://github.com/sailfishos/libgcrypt/pull/208:26
dcalisteBut some dependencies may raise an issue : GnuTLS must be moved to version 3… I don't know what GnuTLS is a dependency of at the moment, but moving from version 2 to 3 may break them.08:27
chriadamlbt: do you know how this could be checked ^ (dependencies of GnuTLS I mean)08:27
dcaliste(plus the build system of version 3 is strange and I don't fully understand at the moment how to build it from git without it pulling openssl in the autogen.sh stage for instance, but that's another story).08:28
dcalisteTo summarize, choosing among these three possibilities requires some decision from Jolla side than just bug fixing. I can provide as many technical detail as required to help taking the decision.08:30
chriadamhow does upgrading the stack to the latest help us solve this problem, out of interest?08:31
chriadamis it that we could then run the gpg-agent on demand via systemd dbus-activated unit? or?08:31
dcalistelatest gpg-agent is supporting systemd integration. So we can have a smooth experience like on desktop, where systemd is responsible of a socket under /run/user and launch the gpg-agent in daemon mode on demand.08:32
chriadamok.  but what would be required in terms of permissions between gpg-agent and sailfish-secretsd?08:32
chriadamfrom sailjail perspective, I mean08:33
dcalisteThen the daemon is outisde the jail and the already existing GnuPG.permission are enough for a jailed application to access GnuPG functionalities including password demands...08:33
dcalisteCurrently the gpg-agent in pipe mode (i.e. launched by the jailed app) is inside the jail and cannot talk to the secret daemon.08:33
dcalisteThere are two possible modes:08:35
chriadamAh!  I see.  the issue is that currently it's run with same sandbox permissions as the app.  In future, we will run it as a separate daemon and can specify its own specific sandbox (e.g. allowing dbus access to sailfish-secretsd)08:35
dcaliste- jailed:(app->gpg-agent-pipe)->secret-daemon (thjis is propositin one)08:35
dcaliste- jailed:(app)->gpg-agent-daemon->secret-daemon (this is proposition 2 with current stack, or propistion 3 with latest stack)08:36
chriadamoption (3) is clearly best, but it might not be possible.  need lbt's feedback I guess.  maybe pvuorela knows how to check what might depend on GnuTLS also?08:37
Renaud[m]<chriadam> "lbt: do you know how this..." <- Hi, I have added an updated gnutls on chum but on official sfos it is only needed for cups08:37
dcalisteProposition one is simple and work out of the box but is different from desktop choices.08:37
Renaud[m]I wanted to do a pull request for sfos but didn't have time yet08:38
dcalisteRenaud[m], wouh, that's great..08:38
chriadamif option (3) is not possible, I am still leaning toward (2) just because I would prefer completely separate sailjail for the daemon, and it is conceptually separate from any specific application which may wish to make use of it, IMO.08:38
dcalisteI can help if you agree to create the PR from your work in chum.08:38
chriadamRenaud[m]: how do you check what the dependencies are?  is some rpm reversedepends thing enough?  or?08:38
Renaud[m]zypper search --requires gnutls08:39
chriadamand ... I didn't know we had cups on the device.  do we connect to printers?  etc08:39
chriadamRenaud[m]: ah, that might only find things in certain public repositories, though, I guess.08:39
Renaud[m]Yes, I guess08:40
chriadamwell, it is still a good indicator that we don't depend on it for other things08:40
Renaud[m]dcaliste: Yes, I'll do it eventually. I'll try to find time this week08:40
chriadambut will lbt to check08:40
* lbt has a glance through the backlog but it'll take a while to context-switch & absorb... and I have a meeting coming up that I need to prep for... so I'll look at it later today08:40
chriadamlbt: thanks very much, no rush08:40
lbtthe dependency thing... that's not so tough08:41
chriadamif you have an answer before the same time next week, that would be appreciated!08:41
lbtrpm gives install time dependencies and has a whatdependson option iirc08:41
Renaud[m]For context on why and how I submitted it to chum, see https://github.com/sailfishos-chum/main/issues/2608:42
lbtOBS provides build time info like that08:42
lbtrpm -q --whatrequires <packagename>08:42
dcaliste(sorry I'm busy for 5 minutes)08:42
chriadamRenaud[m]: thanks for that.  also, thanks for mentioning in this chat, I hope it helps dcaliste with his exploration of that possibility08:42
lbtto get those pages navigate to https://build.sailfishos.org/package/show/sailfishos:chum/gnutls08:47
lbtThen in the box on the right pick a build repo - eg  (left column 2nd from bottom)08:47
lbtyou see a list of rpms - eg the src rpm shows the BR... the gnutls37-3.7.2-1.1.1.jolla.armv7hl.rpm shows the runtime deps and reverse deps for apps in this repo08:48
chriadampvuorela: aside from possible dependencies to GnuTLS, do you see any other reason why option (3) wouldn't be possible?08:48
* lbt idly wonders if we're sidestepping a security barrier by using dbus ... is there an ACL mechanism to limit access so only certain apps can use the secrets? (I may have misunderstood)08:50
chriadamthere is a socket path which must be allowed for the specific app to access08:53
chriadamand then the daemon enforces its own ACL on a per-application basis, to ensure that an app cannot access secrets it shouldn't08:53
chriadambut note: we should get rid of that "sailfish secrets daemon does ACL" nonsense, and move that work into the plugins08:54
dcalisteTalking about the secret socket, at the moment, this socket is under /run/user directly, so not visible to any jailed application.08:54
chriadamenabling us to remove the bookkeeping db from the daemon altogether.  but that's "future work" once there's stronger use cases for it at all...08:54
dcalisteSo disregarding the GnuPG case, if any jailed application would like to access the secret daemon, one need first to accept PR https://github.com/sailfishos/sailfish-secrets/pull/178 and create a dedicated secrets.permission file.08:56
pvuorelachriadam: need to check all this more closely. but i'm a bit afraid how the dependencies all go.08:56
dcalisteAbout the path to proposition 3 (assuming GnuTLS upgrade is not an issue) one new to create new repo for libassuan, gpgme and gnupg.08:56
chriadamdcaliste: unfortunately I have to go to another meeting in a couple of minutes, so we might need to wrap up for today08:58
dcalistepvuorela, yes I agree, even besides direct dependencies, like GnuTLS, gpg-error, gcrypt and friends, it is creating an additional burden to check that code depending on GnuPG (or gpgme) will work for both stack, legacy and latest.08:58
chriadamhopefully I will be able to discuss with lbt and pvuorela during this week about whether option (3) is possible08:59
dcalistechriadam, sure, no problem. We can continue the discussion next week.08:59
chriadamthank you very much08:59
chriadamhave a great week!08:59
* chriadam -> away, gnight08:59
dcalisteEnjoy your week, too.08:59
*** ggabriel is now known as Guest469709:04
riniguslbt: would you mind to check out why sailtrix build is blocked (which dod packages are missing) at https://build.sailfishos.org/package/show/sailfishos:chum/harbour-sailtrix ?12:44
lbtthere's a problem with a server - raised a support request14:29
Thaodandcaliste: About legacy and latest compabilty is indirectly already taken care of since we fix legacy vs. upstream only test against latest gnupg.14:30
ThaodanOnly of the sailfish secrets side there will be more testing however I don't think users that want to use gnupg with sailfish secrets want to use legacy gnupg14:32
lal883[m]rinigus: if you have open camera in waydroid and enabled Camera2 API in there, Tama flash works properly when shooting in manual exposure mode.15:40
lal883[m]rinigus: and if you further enabled alternative flash mode in photo settings, flash works properly in all modes. Now that is some what profit.15:41
riniguslal883: does it get "exported" to SFOS or is limited to opencamera?16:26
lal883[m]rinigus I wish it did. But doesn't look like that. Flash isn't in sync still in SFOS apps.16:35
riniguslal883: would have been too lucky :)16:37
hnjThaodan, rinigus: thanks for your feedback so far16:40
hnjThaodan: can you answer rinigus’ question? »rinigus | Thaodan: can those ACLs be set by us at OBS? I am not aware of any ACL settings for project...«16:40
riniguslbt: that "problem" response was regarding OBS and related to the issue with sailtrix, right? or is it a wishful thinking...18:01
HengYeDev[m]Is it a known issue that the search in OBS is broken?18:30
rinigusHengYeDev: I am not sure whether it was working after OBS update, but it was broken before. you could use `osc` command client for search19:19
piggzhnj: i imagine it would be hard to keep such things secret19:27
hnjpiggz: yeah, probably is … but I guess I also understand why it’s being needed and should be kept secret /-:20:40
piggzhnj: one option is to scramble it ... far from ideal, but better than nothing ... probably someone who is determined could get it either way21:20
hnjpiggz: hm, scramble it? but the routine to unscramble it would sit in the same code, right?21:23
piggzhnj: sure21:25
piggzits what i do for my strava api keys21:25
hnjpiggz: ah ok, any chance I can get you to answering on https://github.com/walokra/sailimgur/issues/26? (:21:32
poetasterhnj: walokra responded pretty promptly when I asked him about submitting to chum. And it looks like he's going to update the store. So I'd say just be patient. Or practice reading binary ;)21:46
poetasterhnj: I just read the issue, but I sadly can't help at the moment.21:47
hnjpoetaster: hehe, no worries, thanks for looking into it (:21:59
poetasterhnj: I'm sort of on a bender. It's a few too many sticks in different fires, but, hey! I hope your having some fun :)22:01

Generated by irclog2html.py 2.17.1 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!