* [gentoo-user] Gentoo is supporting officially Snap packages?
From: José Maldonado @ 2016-06-16 3:53 UTC
To: gentoo-user
Hi everybody!
In the last few days, Ars Technica published this news:
http://arstechnica.com/information-technology/2016/06/goodbye-apt-and-yum-ubuntus-snap-apps-are-coming-to-distros-everywhere/
"Snaps now work natively on Arch, Debian, Fedora, Kubuntu, Lubuntu,
Ubuntu GNOME, Ubuntu Kylin, Ubuntu MATE, Ubuntu Unity, and Xubuntu,"
Canonical's announcement says. "They are currently being validated on
CentOS, Elementary, Gentoo, Mint, OpenSUSE, OpenWrt and RHEL, and are
easy to enable on other Linux distributions." (Ubuntu will continue to
support deb packages, but developers can choose to package applications
as snaps instead of or in addition to debs.)"
Is Gentoo officially supporting Snap packages? Why not Flatpak?
Thank you very much for your responses! Bye! :)
--
God in his heaven, all's well on Earth
* [gentoo-user] Re: Gentoo is supporting officially Snap packages?
From: James @ 2016-06-16 15:27 UTC
To: gentoo-user
José Maldonado <josemald89 <at> gmail.com> writes:
> In the last few days, Ars Technica published this news:
>
http://arstechnica.com/information-technology/2016/06/goodbye-apt-and-yum-ubuntus-snap-apps-are-coming-to-distros-everywhere/
>
> "Snaps now work natively on Arch, Debian, Fedora, Kubuntu, Lubuntu,
> Ubuntu GNOME, Ubuntu Kylin, Ubuntu MATE, Ubuntu Unity, and Xubuntu,"
> Canonical's announcement says. "They are currently being validated on
> CentOS, Elementary, Gentoo, Mint, OpenSUSE, OpenWrt and RHEL, and are
> easy to enable on other Linux distributions." (Ubuntu will continue to
> support deb packages, but developers can choose to package applications
> as snaps instead of or in addition to debs.)"
>
> Is Gentoo officially supporting Snap packages? Why not Flatpak?
>
> Thank you very much for your responses! Bye! :)
>
One word: SECURITY? Trust but verify does come to mind.
Containers are not exactly the most secure apparatus, imho.
"Clair is an open source project for the static analysis of vulnerabilities
in appc and docker containers." [1]. So, I want to hear about the robustness
of the security on these 'self-contained' packages.
What exactly creates the code necessary for the container?
Is there a version that works on gentoo-hardened?
Suggestions for firewalling off a system for routine, deep examination
and profiling of port activities would be most welcome. Prima facie,
I just have no trust in wonderful ideas from the *buntu crowd, ymmv.
Also, it's a really good idea; now maybe *DALE* can get his security
VM, in a snap (snapple?, snapit?, snapper?), that is gentoo-hardened
blessed? Maybe the snhap designation for secured (Hardened) snaps?
Maybe if it's a hardened, entertainment (video snap) we call them schnapps?
I've been bantering about for a couple of years now how clusters (hpc and
containers) are going to change everything. Security is the main obstacle
now. You know, I'm ready to sip this Kool-Aid and ponder the possibilities....
Where are all the security gurus at on snaps? Do snaps require systemd
or are they PID-1 agnostic?
James
[1] https://github.com/coreos/clair
* Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
From: Mick @ 2016-06-16 16:36 UTC
To: gentoo-user
On Thursday 16 Jun 2016 15:27:29 James wrote:
> José Maldonado <josemald89 <at> gmail.com> writes:
> > In the last few days, Ars Technica published this news:
> http://arstechnica.com/information-technology/2016/06/goodbye-apt-and-yum-ubuntus-snap-apps-are-coming-to-distros-everywhere/
> > "Snaps now work natively on Arch, Debian, Fedora, Kubuntu, Lubuntu,
> > Ubuntu GNOME, Ubuntu Kylin, Ubuntu MATE, Ubuntu Unity, and Xubuntu,"
> > Canonical's announcement says. "They are currently being validated on
> > CentOS, Elementary, Gentoo, Mint, OpenSUSE, OpenWrt and RHEL, and are
> > easy to enable on other Linux distributions." (Ubuntu will continue to
> > support deb packages, but developers can choose to package applications
> > as snaps instead of or in addition to debs.)"
> >
> > Is Gentoo officially supporting Snap packages? Why not Flatpak?
> >
> > Thank you very much for your responses! Bye! :)
>
> One word: SECURITY? Trust but verify does come to mind.
Keylogger in a snap anyone?
> Containers are not exactly the most secure apparatus, imho.
> "Clair is an open source project for the static analysis of vulnerabilities
> in appc and docker containers." [1]. So, I want to hear about the robustness
> of the security on these 'self-contained' packages.
> What exactly creates the code necessary for the container?
>
> Is there a version that works on gentoo-hardened?
>
> Suggestions for firewalling off a system for routine, deep examination
> and profiling of port activities would be most welcome. Prima facie,
> I just have no trust in wonderful ideas from the *buntu crowd, ymmv.
>
> Also, it's a really good idea; now maybe *DALE* can get his security
> VM, in a snap (snapple?, snapit?, snapper?), that is gentoo-hardened
> blessed? Maybe the snhap designation for secured (Hardened) snaps?
> Maybe if it's a hardened, entertainment (video snap) we call them schnapps?
>
> I've been bantering about for a couple of years now how clusters (hpc and
> containers) are going to change everything. Security is the main obstacle
> now. You know, I'm ready to sip this Kool-Aid and ponder the
> possibilities....
>
> Where are all the security gurus at on snaps? Do snaps require systemd
> or are they PID-1 agnostic?
>
> James
>
> [1] https://github.com/coreos/clair
--
Regards,
Mick
* Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
From: Tom H @ 2016-06-16 17:32 UTC
To: Gentoo User
On Wed, Jun 15, 2016 at 11:53 PM, José Maldonado <josemald89@gmail.com> wrote:
>
> In the last few days, Ars Technica published this news:
>
> http://arstechnica.com/information-technology/2016/06/goodbye-apt-and-yum-ubuntus-snap-apps-are-coming-to-distros-everywhere/
>
> "Snaps now work natively on Arch, Debian, Fedora, Kubuntu, Lubuntu,
> Ubuntu GNOME, Ubuntu Kylin, Ubuntu MATE, Ubuntu Unity, and Xubuntu,"
> Canonical's announcement says. "They are currently being validated on
> CentOS, Elementary, Gentoo, Mint, OpenSUSE, OpenWrt and RHEL, and are
> easy to enable on other Linux distributions." (Ubuntu will continue to
> support deb packages, but developers can choose to package
> applications as snaps instead of or in addition to debs.)"
>
> Is Gentoo officially supporting Snap packages? Why not Flatpak?
When I first saw this, I thought "strange, maybe if Gentoo develops an
'esnap' in order to build the container-package locally" but then I
remembered that we have docker and lxc/lxd, so why not another method?
When Flatpak's ready, someone'll make it available and/or package it.
[AFAIK, Flatpak's for GUI apps accessed via Gnome Software so it's not
quite a Snap competitor.]
* Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
From: Dale @ 2016-06-16 17:58 UTC
To: gentoo-user
James wrote:
> José Maldonado <josemald89 <at> gmail.com> writes:
>
>
>> In the last few days, Ars Technica published this news:
> http://arstechnica.com/information-technology/2016/06/goodbye-apt-and-yum-ubuntus-snap-apps-are-coming-to-distros-everywhere/
>> "Snaps now work natively on Arch, Debian, Fedora, Kubuntu, Lubuntu,
>> Ubuntu GNOME, Ubuntu Kylin, Ubuntu MATE, Ubuntu Unity, and Xubuntu,"
>> Canonical's announcement says. "They are currently being validated on
>> CentOS, Elementary, Gentoo, Mint, OpenSUSE, OpenWrt and RHEL, and are
>> easy to enable on other Linux distributions." (Ubuntu will continue to
>> support deb packages, but developers can choose to package applications
>> as snaps instead of or in addition to debs.)"
>>
>> Is Gentoo officially supporting Snap packages? Why not Flatpak?
>>
>> Thank you very much for your responses! Bye! :)
>>
>
> One word: SECURITY? Trust but verify does come to mind.
>
> Containers are not exactly the most secure apparatus, imho.
> "Clair is an open source project for the static analysis of vulnerabilities
> in appc and docker containers." [1]. So, I want to hear about the robustness
> of the security on these 'self-contained' packages.
> What exactly creates the code necessary for the container?
>
> Is there a version that works on gentoo-hardened?
>
> Suggestions for firewalling off a system for routine, deep examination
> and profiling of port activities would be most welcome. Prima facie,
> I just have no trust in wonderful ideas from the *buntu crowd, ymmv.
>
> Also, it's a really good idea; now maybe *DALE* can get his security
> VM, in a snap (snapple?, snapit?, snapper?), that is gentoo-hardened
> blessed? Maybe the snhap designation for secured (Hardened) snaps?
> Maybe if it's a hardened, entertainment (video snap) we call them schnapps?
>
> I've been bantering about for a couple of years now how clusters (hpc and
> containers) are going to change everything. Security is the main obstacle
> now. You know, I'm ready to sip this Kool-Aid and ponder the possibilities....
>
> Where are all the security gurus at on snaps? Do snaps require systemd
> or are they PID-1 agnostic?
>
> James
>
> [1] https://github.com/coreos/clair
I saw this and was curious as well. I'm needing to google a bit on just
what this is about. Given the name, it should be interesting. I
suspect I'll get a lot of hits about an energy drink thingy. lol Oh,
and this thread too. ;-)
Dale
:-) :-)
* Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
From: Andrew Savchenko @ 2016-06-16 19:11 UTC
To: gentoo-user
On Thu, 16 Jun 2016 15:27:29 +0000 (UTC) James wrote:
> José Maldonado <josemald89 <at> gmail.com> writes:
>
>
> > In the last few days, Ars Technica published this news:
>
> >
> http://arstechnica.com/information-technology/2016/06/goodbye-apt-and-yum-ubuntus-snap-apps-are-coming-to-distros-everywhere/
> >
> > "Snaps now work natively on Arch, Debian, Fedora, Kubuntu, Lubuntu,
> > Ubuntu GNOME, Ubuntu Kylin, Ubuntu MATE, Ubuntu Unity, and Xubuntu,"
> > Canonical's announcement says. "They are currently being validated on
> > CentOS, Elementary, Gentoo, Mint, OpenSUSE, OpenWrt and RHEL, and are
> > easy to enable on other Linux distributions." (Ubuntu will continue to
> > support deb packages, but developers can choose to package applications
> > as snaps instead of or in addition to debs.)"
> >
> > Is Gentoo officially supporting Snap packages? Why not Flatpak?
>>
>> Thank you very much for your responses! Bye! :)
>>
>
> One word: SECURITY? Trust but verify does come to mind.
+1
It looks like C:/Program Files/ for Linux to me.
It is a complete bundle with all dependency libs, thus
vulnerabilities can't be fixed by a regular emerge and users will
need to update _each_ snap separately. That is, if updates are
available at all; likely they will not be, at least not in time.
Not to mention the tremendous RAM waste (due to shared object
duplication) and disk space waste as well. Both of them can be
mitigated by deduplication of RAM and disk pages, but this will eat
lots of CPU and users would have to be quite advanced to do that.
> Containers are not exactly the most secure apparatus, imho.
> "Clair is an open source project for the static analysis of vulnerabilities
> in appc and docker containers." [1]. So, I want to hear about the robustness
> of the security on these 'self-contained' packages.
There is a security audit of the snap already available:
http://kmkeen.com/maintainers-matter/2016-06-15-11-51-16-472.html
It is quite lengthy, but worth reading.
Tl;dr: if you care about the security of your box, stay away from this
stuff.
Best regards,
Andrew Savchenko
* Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
From: Alan McKinnon @ 2016-06-16 20:11 UTC
To: gentoo-user
On 16/06/2016 21:11, Andrew Savchenko wrote:
> On Thu, 16 Jun 2016 15:27:29 +0000 (UTC) James wrote:
>> José Maldonado <josemald89 <at> gmail.com> writes:
>>
>>
>>> In the last few days, Ars Technica published this news:
>>
>>>
>> http://arstechnica.com/information-technology/2016/06/goodbye-apt-and-yum-ubuntus-snap-apps-are-coming-to-distros-everywhere/
>>>
>>> "Snaps now work natively on Arch, Debian, Fedora, Kubuntu, Lubuntu,
>>> Ubuntu GNOME, Ubuntu Kylin, Ubuntu MATE, Ubuntu Unity, and Xubuntu,"
>>> Canonical's announcement says. "They are currently being validated on
>>> CentOS, Elementary, Gentoo, Mint, OpenSUSE, OpenWrt and RHEL, and are
>>> easy to enable on other Linux distributions." (Ubuntu will continue to
>>> support deb packages, but developers can choose to package applications
>>> as snaps instead of or in addition to debs.)"
>>>
>>> Is Gentoo officially supporting Snap packages? Why not Flatpak?
>>>
>>> Thank you very much for your responses! Bye! :)
>>>
>>
>> One word: SECURITY? Trust but verify does come to mind.
>
> +1
> It looks like C:/Program Files/ for Linux to me.
>
> It is a complete bundle with all dependency libs, thus
> vulnerabilities can't be fixed by a regular emerge and users will
> need to update _each_ snap separately. That is, if updates are
> available at all; likely they will not be, at least not in time.
So it's like Macs then?
>
> Not to mention the tremendous RAM waste (due to shared object
> duplication) and disk space waste as well. Both of them can be
> mitigated by deduplication of RAM and disk pages, but this will eat
> lots of CPU and users would have to be quite advanced to do that.
>
>> Containers are not exactly the most secure apparatus, imho.
>> "Clair is an open source project for the static analysis of vulnerabilities
>> in appc and docker containers." [1]. So, I want to hear about the robustness
>> of the security on these 'self-contained' packages.
>
> There is a security audit of the snap already available:
> http://kmkeen.com/maintainers-matter/2016-06-15-11-51-16-472.html
>
> It is quite lengthy, but worth reading.
> Tl;dr: if you care about the security of your box, stay away from this
> stuff.
I don't see the part where all these latest fancy container
thingymagicies are not really just "embed everything in everything".
We've known for years the dangers of embedding stuff in packages (it
hardly ever gets updated properly).
* Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
From: Rich Freeman @ 2016-06-16 20:33 UTC
To: gentoo-user
On Thu, Jun 16, 2016 at 4:11 PM, Alan McKinnon <alan.mckinnon@gmail.com> wrote:
>
> I don't see the part where all these latest fancy container thingymagicies
> are not really just "embed everything in everything"
>
> We've known for years the dangers of embedding stuff in packages (it hardly
> ever gets updated properly)
>
Well, that strikes me as being true of these self-contained packages,
but it isn't necessarily true of containers in general.
I run most of my services in containers, and they're just Gentoo
installations with a really small world file. Things are just as
up-to-date as they would be if I ran it all in a single host.
Now, if you're the sort of person who just grabs some random docker
image from who knows where, then sure you're getting a big bundle of
stuff that may or may not be maintained for security. This is no
different.
I'm sure there will be people who provide these all-in-one packages
and carefully update them for upstream security flaws. And there will
be a lot more providers who don't.
Chromium is a good example of this. Gentoo tries to unbundle as much
as it can, but if you just do a make install on it you end up with a
bazillion bundled libraries. Google does a very good job of keeping
them all up to date, but they're not a typical case.
FWIW - the subject of this thread suggests that this is some kind of
"official" Gentoo thing. As far as I can tell somebody took it upon
themselves to make this available for Gentoo, but it is not in any way
endorsed by the distro. Of course, if somebody wanted to package it
up and maintain it we probably wouldn't have any issues with having
the package manager in the repository. After all, we have other binary
distro package managers in there. That doesn't mean that Gentoo is
doing anything to ensure that whatever random repository you point it
at is up to date, any more than if you emerge debootstrap.
Oh, and while I generally agree with everything in the linked
Maintainers Matter blog post, I'd hardly call it a security audit. It
just points out in general terms the sorts of problems that this kind
of approach can lead to.
--
Rich
* Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
From: José Maldonado @ 2016-06-16 23:22 UTC
To: gentoo-user
On 16/06/16 at 12:36, Mick wrote:
>
> Keylogger in a snap anyone?
>
It is possible, who knows. Especially when the server side is proprietary.
--
God in his heaven, all's well on Earth
* Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
From: José Maldonado @ 2016-06-16 23:30 UTC
To: gentoo-user
On 16/06/16 at 11:27, James wrote:
> One word: SECURITY? Trust but verify does come to mind.
>
The snaps come to "replace" a lack of security that exists in Linux, in
addition to facilitating the installation of all applications from
user space without root privileges.
>
> Is there a version that works on gentoo-hardened?
>
Hardened or not... does it matter? What I see here is the "beloved" Mark
talking about Snap support in Gentoo, and that there are Gentoo developers
working to make it official.
Is it true? I don't know.
> Where are all the security gurus at on snaps? Do snaps require systemd
> or are they PID-1 agnostic?
>
Supposedly it is PID-1 agnostic, requiring only that some features be
active in the kernel and that SELinux or AppArmor be in use.
Currently, none of the mentioned MACs work as expected with Snap, even
in Ubuntu itself.
--
God in his heaven, all's well on Earth
* Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
From: José Maldonado @ 2016-06-16 23:40 UTC
To: gentoo-user
On 16/06/16 at 13:32, Tom H wrote:
>
> When I first saw this, I thought "strange, maybe if Gentoo develops an
> 'esnap' in order to build the container-package locally" but then I
> remembered that we have docker and lxc/lxd, so why not another method?
>
That is possible, but the goal is to serve Snap containers for
applications that can be downloaded and used by the user, down to a single
binary that has all the dependencies inside it. Docker and
LXC obviously can do this, but their scope and possibilities are much
larger and are not aimed at the normal PC user.
> When Flatpak's ready, someone'll make it available and/or package it.
Flatpak is ready for use now.
>
> [AFAIK, Flatpak's for GUI apps accessed via Gnome Software so it's not
> quite a Snap competitor.]
>
Flatpak and Snap both have GUI and command-line. In addition, Flatpak
packages weigh less than their Snap counterparts, and right now several
free software projects officially support it, including LibreOffice.
--
God in his heaven, all's well on Earth
* Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
From: José Maldonado @ 2016-06-17 0:02 UTC
To: gentoo-user
On 16/06/16 at 16:33, Rich Freeman wrote:
> FWIW - the subject of this thread suggests that this is some kind of
> "official" Gentoo thing. As far as I can tell somebody took it upon
> themselves to make this available for Gentoo, but it is not in any way
> endorsed by the distro. Of course, if somebody wanted to package it
> up and maintain it we probably wouldn't have any issues with having
> the package manager in the repository. After all, we have other binary
> distro package managers in there. That doesn't mean that Gentoo is
> doing anything to ensure that whatever random repository you point it
> at is up to date, any more than if you emerge debootstrap.
The truth is that there is not even an overlay to install it on Gentoo.
Even if there is an ebuild, built by a Canonical developer for use in
Gentoo, I can hardly call that "official support" or "Gentoo
community support".
--
God in his heaven, all's well on Earth
* Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
From: Alan McKinnon @ 2016-06-17 0:41 UTC
To: gentoo-user
On 17/06/2016 02:02, José Maldonado wrote:
> On 16/06/16 at 16:33, Rich Freeman wrote:
>> FWIW - the subject of this thread suggests that this is some kind of
>> "official" Gentoo thing. As far as I can tell somebody took it upon
>> themselves to make this available for Gentoo, but it is not in any way
>> endorsed by the distro. Of course, if somebody wanted to package it
>> up and maintain it we probably wouldn't have any issues with having
>> the package manager in the repository. After all, we have other binary
>> distro package managers in there. That doesn't mean that Gentoo is
>> doing anything to ensure that whatever random repository you point it
>> at is up to date, any more than if you emerge debootstrap.
>
> The truth is that there is not even an overlay to install it on Gentoo.
> Even if there is an ebuild, built by a Canonical developer for use in
> Gentoo, I can hardly call that "official support" or "Gentoo
> community support".
>
The headline means that Snaps support Gentoo.
It doesn't mean that Gentoo supports Snaps.
* Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
From: waltdnes @ 2016-06-17 2:35 UTC
To: gentoo-user
On Thu, Jun 16, 2016 at 04:33:12PM -0400, Rich Freeman wrote
> On Thu, Jun 16, 2016 at 4:11 PM, Alan McKinnon <alan.mckinnon@gmail.com> wrote:
> >
> > I don't see the part where all these latest fancy container thingymagicies
> > are not really just "embed everything in everything"
> >
> > We've known for years the dangers of embedding stuff in packages (it hardly
> > ever gets updated properly)
> >
>
> Well, that strikes me as being true of these self-contained packages,
> but it isn't necessarily true of containers in general.
>
> I run most of my services in containers, and they're just Gentoo
> installations with a really small world file. Things are just as
> up-to-date as they would be if I ran it all in a single host.
>
> Now, if you're the sort of person who just grabs some random docker
> image from who knows where, then sure you're getting a big bundle of
> stuff that may or may not be maintained for security. This is no
> different.
I don't follow this stuff, so this may be a stupid question... how
does a "container" or "docker" differ from a chroot or a QEMU VM with a
minimal set of applications?
--
Walter Dnes <waltdnes@waltdnes.org>
I don't run "desktop environments"; I run useful applications
* Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
From: J. García @ 2016-06-17 3:25 UTC
To: gentoo-user
On Thu, 16-06-2016 at 19:40 -0400, José Maldonado wrote:
> That is possible, but the goal is to serve Snap containers for
> applications that can be downloaded and used by the user, down to a
> single binary that has all the dependencies inside it. Docker and
> LXC obviously can do this, but their scope and possibilities are much
> larger and are not aimed at the normal PC user.
>
Docker doesn't get the applications down to a single binary, it's a
package containing everything. A single binary would be something like
what Go does by default, as it compiles every source package imported
into the final binary, that's why even a "hello world" takes ~2MB.
>
> >
> > [AFAIK, Flatpak's for GUI apps accessed via Gnome Software so it's
> > not
> > quite a Snap competitor.]
> >
They say it's not a GNOME thing only, but born in the GNOME project,
Quote from their FAQ:
"Is Flatpak tied to GNOME?
No. While Flatpak has been developed by people with a long involvement
in the GNOME community it is not tied to any desktop. In fact, it was
designed with the explicit goal of allowing it to build applications
using any library stack or programming language an application author
might want."
I would say it is the implementation of something that Lennart P. wrote in
his blog a while back [1] (I don't know to what extent it is 'his' idea, or
if it just happens that he wrote about it after discussing it with
others), but it seems that he didn't write code for it (I looked at the
contributors on GitHub).
> Flatpak and Snap both have GUI and command-line. In addition, Flatpak
> packages weigh less than their Snap counterparts, and right now
> several free software projects officially support it, including LibreOffice.
>
The flatpak packages take less space because there's a separation
between runtimes and applications, with the runtime(s) containing many
of the libraries/packages required by an application, and intended to
be used by many of these, and the application package only containing
the remaining required libraries, or maybe only the app, so it could
reduce but not eliminate the problem previously discussed of
dependencies being left unmaintained and not upgraded with security
fixes. IMHO Flatpak seems a better option than Snap, and certainly
reducing file system and device access is a good thing about both, but
with these advantages some other problems are created, so it's a
trade-off.
As Andrew Savchenko said previously, Snap seems like C:\Program Files
for Linux, but I would add 'with sandboxing' and other security
features, and that certainly makes it better than Windows, to be
fair.
Maybe we will see Snaps/Flatpaks of popular proprietary software that's
only available for Windows and MacOS right now that has no real FOSS
competitor e.g. AutoCAD and family, I often hear the excuse of these
vendors not supporting Linux because of the many distributions. Getting
LibreCAD to the level of AutoCAD would take a decade or more at the
pace it is going; right now it reminds me of AutoCAD 2004, and it
isn't even at that level. Trying to be optimistic, maybe we'll see a new
wave of users in Linux as a result of these new packaging systems, and
in the long run if the GNU/Linux user base grows and learns about the
Free Software philosophy and get tired of having to pay large sums of
money to Autodesk and other companies for a yearly permission to use
their software, they would contribute to the FOSS alternatives with
money to get people working full time on these, and we could see them
grow to be real competitors.
That said I hope upstreams don't start bundling libraries into their
software as a result of this(at least not more than some already do
now), that's really annoying and it could create a nightmare of the
likes of java (I mean most java developers seemingly putting every jar
they come across in their 'source' trees and then forgetting about it for
the rest of their lives, or at least until Oracle breaks them, after
years and years of deprecation).
[1] http://0pointer.net/blog/revisiting-how-we-put-together-linux-systems.html
* Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
From: Andrew Savchenko @ 2016-06-17 7:16 UTC
To: gentoo-user
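Several posts in this thread (Andrew's point that a vulnerability in a bundled lib can't be fixed by a regular emerge, Alan's "embed everything in everything", Rich's Chromium example and the runtime/application split J. García describes) come down to one operational question for whoever runs the box: which libraries inside a bundled package are older than what the host already ships? The script below is an added example for this thread, not code from the list, from Gentoo, snapd or Flatpak. It walks an unpacked package tree, parses versioned `.so` file names, and compares them with a host version table. Both the package tree and the host table are constructed here so it runs offline; on a real system the table would be built from `ldconfig -p` output or the package database, which is an assumption about your setup, not something the thread describes.

```python
"""Inventory the shared libraries bundled inside a self-contained package
tree (an unpacked snap, a Flatpak app directory, an exported Docker image)
and flag copies that lag behind the version the host already ships.

Added example for this thread, not tooling from Gentoo, snapd or Flatpak.
The package tree and the host version table below are constructed so the
script runs offline; on a real box the table would come from `ldconfig -p`
or the package manager (an assumption, not something the thread shows).
"""
import re
import tempfile
from pathlib import Path

# "libssl.so.1.0.2g" -> base "libssl", version "1.0.2g"; a bare "libssl.so" is ignored.
_SONAME_RE = re.compile(r"^(?P<base>lib[A-Za-z0-9_+-]+)\.so\.(?P<ver>[0-9][0-9A-Za-z.]*)$")


def parse_version(ver):
    """Turn '1.0.2g' into ((1, ''), (0, ''), (2, 'g')) so tuples compare in
    numeric-then-letter order (OpenSSL-style letter suffixes included).
    Returns None for anything that is not dot-separated number[letters]."""
    parts = []
    for piece in ver.split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z]*)", piece)
        if not m:
            return None
        parts.append((int(m.group(1)), m.group(2)))
    return tuple(parts)


def inventory(tree):
    """Map library base name -> [(version tuple, version string, relative path)]
    for every real (non-symlink) versioned .so file under tree."""
    tree = Path(tree)
    found = {}
    for path in tree.rglob("lib*.so*"):
        if path.is_symlink() or not path.is_file():
            continue  # alias links such as libssl.so.1.0.0 point at the real file
        m = _SONAME_RE.match(path.name)
        if not m:
            continue
        v = parse_version(m.group("ver"))
        if v is None:
            continue
        found.setdefault(m.group("base"), []).append(
            (v, m.group("ver"), str(path.relative_to(tree))))
    return found


def stale_libraries(tree, host_versions):
    """Compare bundled copies against host_versions ({base: version string}).

    Returns (stale, unknown): stale lists (base, bundled, host, path) where the
    bundled copy shares the host's major version but is older; unknown lists
    copies whose file name carries only a prefix of the host version (e.g.
    libz.so.1 vs 1.2.8), which cannot be judged from the name alone.
    A different major version is skipped: that is a different ABI, not a lag."""
    stale, unknown = [], []
    for base, copies in inventory(tree).items():
        host = host_versions.get(base)
        host_v = parse_version(host) if host else None
        if host_v is None:
            continue
        for v, ver, path in copies:
            if v[0][0] != host_v[0][0]:
                continue
            if len(v) < len(host_v) and host_v[: len(v)] == v:
                unknown.append((base, ver, host, path))
            elif v < host_v:
                stale.append((base, ver, host, path))
    return sorted(stale), sorted(unknown)


# Constructed host table: what the host's own libraries would report.
HOST_VERSIONS = {"libssl": "1.0.2h", "libcrypto": "1.0.2h",
                 "libpng16": "16.23.0", "libz": "1.2.8"}

# Constructed payload: the library files a bundled package might carry.
SAMPLE_LIBS = ["usr/lib/x86_64-linux-gnu/libssl.so.1.0.2g",
               "usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.2g",
               "usr/lib/x86_64-linux-gnu/libpng16.so.16.23.0",
               "lib/x86_64-linux-gnu/libz.so.1",   # soname only, no patch level
               "usr/lib/libfoo.so.3.1.0"]          # not present on the host


def build_sample_tree(root):
    """Write the constructed payload under root (file contents are dummy bytes)."""
    for rel in SAMPLE_LIBS:
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"\x7fELF dummy")
    # An alias symlink as ldconfig would create; the scanner skips it.
    (Path(root) / "usr/lib/x86_64-linux-gnu/libssl.so.1.0.0").symlink_to("libssl.so.1.0.2g")


def run_demo():
    """Build the sample tree in a temp dir and return (stale, unknown)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return stale_libraries(root, HOST_VERSIONS)


if __name__ == "__main__":
    stale, unknown = run_demo()
    for base, bundled, host, path in stale:
        print(f"STALE   {base}: bundled {bundled} < host {host}  ({path})")
    for base, bundled, host, path in unknown:
        print(f"UNKNOWN {base}: name says {bundled}, host has {host}  ({path})")
```

The comparison is by file name only, and that is the caveat: a distro may backport a fix without bumping the version string, so "same version" here means "same name", not "same code". Treat the stale list as the copies that certainly need an update from whoever ships the package, and the unknown list as copies that need a closer look (package metadata inside the bundle, or hashes against the host's file) before they can be judged.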
On Thu, 16 Jun 2016 22:35:24 -0400 waltdnes@waltdnes.org wrote:
> On Thu, Jun 16, 2016 at 04:33:12PM -0400, Rich Freeman wrote
> > On Thu, Jun 16, 2016 at 4:11 PM, Alan McKinnon <alan.mckinnon@gmail.com> wrote:
> > >
> > > I don't see the part where all these latest fancy container thingymagicies
> > > are not really just "embed everything in everything"
> > >
> > > We've known for years the dangers of embedding stuff in packages (it hardly
> > > ever gets updated properly)
> > >
> >
> > Well, that strikes me as being true of these self-contained packages,
> > but it isn't necessarily true of containers in general.
> >
> > I run most of my services in containers, and they're just Gentoo
> > installations with a really small world file. Things are just as
> > up-to-date as they would be if I ran it all in a single host.
> >
> > Now, if you're the sort of person who just grabs some random docker
> > image from who knows where, then sure you're getting a big bundle of
> > stuff that may or may not be maintained for security. This is no
> > different.
>
> I don't follow this stuff, so this may be a stupid question... how
> does a "container" or "docker" differ from a chroot or a QEMU VM with a
> minimal set of applications?
There is one common misconception: that chroot is a security measure.
This is wrong! Chroot is not a security function at all. It is
extremely easy to exit a chroot [1] if you have root access inside the
chroot (AFAIK with PaX/grsecurity it is possible to deny this, but
this is another story.) So if you are using chroot for security,
forget about security; you have no security at all. This syscall was
designed for other needs.
Tl;dr: inside the chroot, do as root:
mkdir foo; chroot foo; cd ..
A QEMU VM (as well as other VMs) can provide you some degree of
security at the cost of performance and system resources. Inside a VM
you have an independent (fully or paravirtualized) kernel and
environment. But it is still possible to exit it using hypervisor
bugs or hardware-based attacks like the L3 cache attack [2]. Yes, if one
has a modern Intel or AMD CPU with SSE2 and L3 cache enabled, forget
about tight security too.
Due to the reasons above I prefer container solutions like LXC over VMs
for security: they give approximately the same level of protection
as a VM, but the resource cost is much lower. Of course it is still
possible to break any container through L3 cache or some kernel
bugs, so for really tight security independent hardware and OS must
be used.
[1] https://lwn.net/Articles/252794/
[2] https://www.usenix.org/node/184416
Best regards,
Andrew Savchenko
* Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
2016-06-16 23:30 ` José Maldonado
@ 2016-06-17 7:18 ` Andrew Savchenko
2016-06-17 8:28 ` Volker Armin Hemmann
0 siblings, 1 reply; 29+ messages in thread
From: Andrew Savchenko @ 2016-06-17 7:18 UTC (permalink / raw
To: gentoo-user
On Thu, 16 Jun 2016 19:30:49 -0400 José Maldonado wrote:
>
>
> On 16/06/16 at 11:27, James wrote:
> > One word SECURITY? Trust but verify does come to mind.
> >
>
> The snaps come to "replace" a lack of security that is in Linux, in
> addition to facilitating the installation of all applications from the
> user-space without root privileges.
Replace lack of security, really? It will create it in the long
run due to outdated unmaintained third-party bundled software.
Best regards,
Andrew Savchenko
* Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
2016-06-17 7:18 ` Andrew Savchenko
@ 2016-06-17 8:28 ` Volker Armin Hemmann
2016-06-17 8:52 ` Neil Bothwick
0 siblings, 1 reply; 29+ messages in thread
From: Volker Armin Hemmann @ 2016-06-17 8:28 UTC (permalink / raw
To: Gentoo User
soo... why not compile everything statically in the first place? and put it
in HOME?
2016-06-17 9:18 GMT+02:00 Andrew Savchenko <bircoph@gentoo.org>:
> On Thu, 16 Jun 2016 19:30:49 -0400 José Maldonado wrote:
> >
> >
> > On 16/06/16 at 11:27, James wrote:
> > > One word SECURITY? Trust but verify does come to mind.
> > >
> >
> > The snaps come to "replace" a lack of security that is in Linux, in
> > addition to facilitating the installation of all applications from the
> > user-space without root privileges.
>
> Replace lack of security, really? It will create it in the long
> run due to outdated unmaintained third-party bundled software.
>
> Best regards,
> Andrew Savchenko
>
* Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
2016-06-17 8:28 ` Volker Armin Hemmann
@ 2016-06-17 8:52 ` Neil Bothwick
2016-06-17 9:08 ` Volker Armin Hemmann
0 siblings, 1 reply; 29+ messages in thread
From: Neil Bothwick @ 2016-06-17 8:52 UTC (permalink / raw
To: gentoo-user
On Fri, 17 Jun 2016 10:28:10 +0200, Volker Armin Hemmann wrote:
> soo... why not compile everything statically in the first place? and
> put it in HOME?
Because that's not new and shiny with a catchy name!
--
Neil Bothwick
Windows Error #02: Multitasking attempted. System confused.
* Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
2016-06-17 8:52 ` Neil Bothwick
@ 2016-06-17 9:08 ` Volker Armin Hemmann
0 siblings, 0 replies; 29+ messages in thread
From: Volker Armin Hemmann @ 2016-06-17 9:08 UTC (permalink / raw
To: Gentoo User
oh yeah, forgot the catchy name. Mea culpa.
2016-06-17 10:52 GMT+02:00 Neil Bothwick <neil@digimed.co.uk>:
> On Fri, 17 Jun 2016 10:28:10 +0200, Volker Armin Hemmann wrote:
>
> > soo... why not compile everything statically in the first place? and
> > put it in HOME?
>
> Because that's not new and shiny with a catchy name!
>
>
> --
> Neil Bothwick
>
> Windows Error #02: Multitasking attempted. System confused.
>
* Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
2016-06-17 7:16 ` Andrew Savchenko
@ 2016-06-17 11:06 ` Rich Freeman
0 siblings, 0 replies; 29+ messages in thread
From: Rich Freeman @ 2016-06-17 11:06 UTC (permalink / raw
To: gentoo-user
On Fri, Jun 17, 2016 at 3:16 AM, Andrew Savchenko <bircoph@gentoo.org> wrote:
> On Thu, 16 Jun 2016 22:35:24 -0400 waltdnes@waltdnes.org wrote:
>> I don't follow this stuff, so this may be a stupid question... how
>> does a "container" or "docker" differ from a chroot or a QEMU VM with a
>> minimal set of applications?
>
> Due to reasons above I prefer container solutions like LXC over VM
> for security: they give approximately the same level of protection
> as VM, but resources cost is much lower. Of course it is still
> possible to break any container through L3 cache or some kernel
> bugs, so for really tight security independent hardware and OS must
> be used.
Containers on Linux aren't nearly as secure as a VM right now.
Certainly the intent is for them to get there, and if you find a way
to break out of a container the kernel team would certainly accept it
as a bug and fix it. However, I don't think most of the big names in
Linux would rate it on the same level as a VM. As you've pointed out,
VMs aren't perfect, though I'm not aware of any way to actually defeat
any of the popular ones (and if there were, they'd almost certainly
patch it). I'll certainly acknowledge that there is a larger attack
surface than separate hosts (and it isn't like those are invulnerable
either - who knows what bug exists in an ethernet card somewhere).
Containers are a lot more secure than chroots though. Non-root in a
container is generally considered to be fairly secure - it is an
additional layer on top of normal user privilege isolation.
Containers are generally a lot more convenient than chroots as well,
simply because there are fewer compatibility issues and constraints
inside. If you want to run sysvinit/openrc or systemd inside your
container you can, and that isn't really possible inside a chroot. Of
course, you don't have to, but at least you have the option.
The biggest selling point for a container is the resource
requirements. The overhead to run a container with systemd inside is
only a few MB. If you're running a container without a service
manager the overhead is even less. You could never run a VM with only
a few MB of RAM. The main constraint on RAM use for a container is
the fact that you're not sharing libraries with the host. Otherwise
they're just processes with different namespace values in the kernel
(EVERY process runs in a set of namespaces, even if you're not using
containers - by default they just all have the same set of values).
Any solution that bundles the libraries with the package is going to
use a similar amount of RAM. Also, launching a process in a new
namespace takes the same amount of time as launching a process in the
same namespace, minus the trivial time required to page in libraries
and such. A VM takes seconds to boot, vs the milliseconds for a
container. In terms of overhead containers and chroots are almost
identical.
The biggest selling point for not just running everything on the host
is isolation. I have a container that just runs mariadb. When I do
an emerge -u world it is like updating any other Gentoo host, but when
I'm done I fire off a bunch of tests to make sure mariadb is working,
and if it works I know I'm done. When I was running everything on a
single host I'd inevitably do an emerge -u world and occasionally have
something random break. Short of testing everything every time I do
an update it is hard to avoid that sort of thing. Of course, I end up
having to run a lot more updates, but I don't have to do them all at
once and I can update the container for each service on an appropriate
schedule.
--
Rich
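Rich's point that containers are "just processes with different namespace values" and Andrew's earlier point that a chroot is not a security boundary can both be checked from /proc. What follows is an added example written for this page, not code from the thread or from LXC, Docker or any other project mentioned in it; it assumes a Linux /proc layout where /proc/<pid>/ns/<type> is a symlink reading `type:[inode]`, and the sample dictionaries at the bottom are constructed (invented inode numbers) so the classification can be tried without a container runtime:

```python
"""Which processes actually sit in their own namespaces?

Added example, not code from the gentoo-user thread or from any project it
mentions. The live audit assumes a Linux /proc filesystem; the classification
works on plain dicts so it can be exercised on the constructed samples below.
"""
import os
from typing import Dict, List, Mapping

# Namespace types exposed as symlinks under /proc/<pid>/ns on recent kernels.
NS_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")


def read_namespaces(pid: int, proc: str = "/proc") -> Dict[str, str]:
    """Return {type: "type:[inode]"} for one pid; unreadable entries are skipped."""
    ns: Dict[str, str] = {}
    for kind in NS_TYPES:
        try:
            ns[kind] = os.readlink(os.path.join(proc, str(pid), "ns", kind))
        except OSError:
            continue  # older kernel without this type, or no permission
    return ns


def isolated_namespaces(proc_ns: Mapping[str, str],
                        ref_ns: Mapping[str, str]) -> List[str]:
    """Namespace types in which proc_ns differs from the reference (normally pid 1).

    Every process has a value for every type; "not containerised" simply means
    all of its values are equal to init's.
    """
    return sorted(k for k in ref_ns if k in proc_ns and proc_ns[k] != ref_ns[k])


def classify(proc_ns: Mapping[str, str], ref_ns: Mapping[str, str]) -> str:
    """Coarse label: 'host', 'container' (own mnt and pid), or 'partial:<types>'."""
    diff = isolated_namespaces(proc_ns, ref_ns)
    if not diff:
        return "host"
    if "mnt" in diff and "pid" in diff:
        return "container"
    return "partial:" + ",".join(diff)


def audit(proc: str = "/proc") -> Dict[int, str]:
    """Classify every visible pid against pid 1 (live Linux only)."""
    ref = read_namespaces(1, proc)
    out: Dict[int, str] = {}
    for entry in os.listdir(proc):
        if entry.isdigit():
            ns = read_namespaces(int(entry), proc)
            if ns:
                out[int(entry)] = classify(ns, ref)
    return out


# Constructed sample values (the inode numbers are made up, in the format that
# readlink returns). A chrooted process has changed its root directory but still
# carries the host's mnt namespace inode, so it classifies as "host".
SAMPLE_INIT = {"mnt": "mnt:[4026531840]", "pid": "pid:[4026531836]",
               "net": "net:[4026531992]", "user": "user:[4026531837]"}
SAMPLE_CHROOT = dict(SAMPLE_INIT)
SAMPLE_LXC = {"mnt": "mnt:[4026532245]", "pid": "pid:[4026532248]",
              "net": "net:[4026532301]", "user": "user:[4026531837]"}
SAMPLE_NETNS_ONLY = dict(SAMPLE_INIT, net="net:[4026532400]")

if __name__ == "__main__":
    for name, ns in (("chroot", SAMPLE_CHROOT), ("lxc", SAMPLE_LXC),
                     ("netns", SAMPLE_NETNS_ONLY)):
        print(name, "->", classify(ns, SAMPLE_INIT))
    if os.path.isdir("/proc/1/ns"):
        from collections import Counter
        print(Counter(audit().values()))
```

A chrooted root shell still reports the host's mnt namespace inode, so it comes out as `host`; only a process whose mnt and pid namespaces both differ from init's is called a `container`, and anything in between (a lone network namespace, for instance) is reported as `partial`. Run on a live system, the block also prints a count of each class across all visible pids, which is a quick way to see how much of a box is actually isolated.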
* Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
2016-06-17 3:25 ` J. García
@ 2016-06-18 8:01 ` Mick
2016-06-19 1:22 ` Rich Freeman
2016-06-21 9:55 ` Tom H
1 sibling, 1 reply; 29+ messages in thread
From: Mick @ 2016-06-18 8:01 UTC (permalink / raw
To: gentoo-user
On Thursday 16 Jun 2016 21:25:01 J. García wrote:
> On Thu, 16-06-2016 at 19:40 -0400, José Maldonado wrote:
> > That is possible, but the goal is to serve Snap container for
> > applications that can be downloaded and used by the user, down a
> > single
> > binary that will have all the dependencies in that binary. Docker and
> > LXC obviously can do this, but its scope and possibilities are much
> > larger and are not addressed within the scope of normal user of a PC.
> >
> >
>
> Docker doesn't get the applications down to a single binary, it's a
> package containing everything. A single binary would be something like
> what Go does by default, as it compiles every source package imported
> into the final binary, that's why even a "hello world" takes ~2MB.
>
> >
> >
> > >
> > >
> > > [AFAIK, Flatpak's for GUI apps accessed via Gnome Software so it's
> > > not
> > > quite a Snap competitor.]
> > >
> > >
>
> They say it's not a GNOME thing only, but born in the GNOME project,
> Quote from their FAQ:
>
> "Is Flatpak tied to GNOME?
>
> No. While Flatpak has been developed by people with a long involvement
> in the GNOME community it is not tied to any desktop. In fact, it was
> designed with the explicit goal of allowing it to build applications
> using any library stack or programming language an application author
> might want."
>
> I would say it is the implementation of something that Lennart P. wrote in
> his blog a while back [1] (I don't know to what extent it is 'his' idea, or
> if it just happens that he wrote about it after discussing it with
> others), but it seems that he didn't write code for it (I looked at the
> contributors on GitHub).
>
> > Flatpak and Snap, have GUI and command-line. In addition, Flatpak
> > packages weigh less than their counterparts Snap, and right now
> > several
> > free software projects officially support it, including LibreOffice.
> >
> >
>
> The flatpak packages take less space because there's a separation
> between runtimes and applications, with the runtime(s) containing many
> of the libraries/packages required by an application, and intended to
> be used by many of these, and the application package only containing
> the remaining required libraries, or maybe only the app, so it could
> reduce but not eliminate the problem previously discussed of
> dependencies being left unmaintained and not upgraded with security
> fixes. IMHO Flatpak seems a better option than Snap, and certainly
> reducing file system and device access is a good thing about both, but
> with these advantages some other problems are created, so it's a trade-
> off.
> As Andrew Savchenko said previously, Snap seems like C:\Program Files
> for Linux, but I would add 'with sandboxing' and other security
> features, and that certainly makes it better than Windows, to be
> fair.
> Maybe we will see Snaps/Flatpaks of popular proprietary software that's
> only available for Windows and MacOS right now that has no real FOSS
> competitor e.g. AutoCAD and family, I often hear the excuse of these
> vendors not supporting Linux because of the many distributions. Getting
> LibreCAD to the level of AutoCAD would take a decade or more at the
> pace it is going, right now it reminds me of AutoCAD 2004, and it
> isn't even at that level. Trying to be optimistic, maybe we'll see a new
> wave of users in Linux as a result of these new packaging systems, and
> in the long run if the GNU/Linux user base grows and learns about the
> Free Software philosophy and get tired of having to pay large sums of
> money to Autodesk and other companies for a yearly permission to use
> their software, they would contribute to the FOSS alternatives with
> money to get people working full time on these, and we could see them
> grow to be real competitors.
> That said, I hope upstreams don't start bundling libraries into their
> software as a result of this (at least not more than some already do
> now); that's really annoying and it could create a nightmare of the
> likes of Java (I mean most Java developers seemingly putting every jar
> they come across in their 'source' trees and then forgetting about it for
> the rest of their lives, or at least until Oracle breaks them, after
> years and years of deprecation).
>
> [1] http://0pointer.net/blog/revisiting-how-we-put-together-linux-systems.html
>
How does Nix compare to Flatpak, Docker, Snap, et al. from a Gentoo
perspective?
https://nixos.org/nix/about.html
--
Regards,
Mick
* Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
2016-06-18 8:01 ` Mick
@ 2016-06-19 1:22 ` Rich Freeman
0 siblings, 0 replies; 29+ messages in thread
From: Rich Freeman @ 2016-06-19 1:22 UTC (permalink / raw
To: gentoo-user
On Sat, Jun 18, 2016 at 4:01 AM, Mick <michaelkintzios@gmail.com> wrote:
> On Thursday 16 Jun 2016 21:25:01 J. García wrote:
>
> How does Nix compare to Flatpak, Docker, Snap, et al. from a Gentoo
> perspective?
>
Nix is a similar sort of approach. I don't think they run apps in
containers (though they probably could if they wanted to do the work
and a lot of bind mounting). The reality is that they're a form of
bundling, but the bundled libs can be shared. Basically everything is
linked to uniquely identified dependencies. So, a package isn't just
linked to zlib, or even a particular version of zlib, but a particular
build of zlib. However, 15 different packages could all depend on
that same build. So, you potentially don't get the same kind of
memory duplication that you do with outright bundling. However, if
you install a new version of zlib on your system, nothing will
actually use it, unless those packages are themselves updated. So, in
that respect it is just like bundling.
Since the libraries you're running with on your box are exact copies
of the binaries the packager was using, you're going to get the same
experience the packager did when they were testing their package. So,
that's the big upside. There are no conflicts or collisions either,
since every package is installed in what amounts to a private
namespace. You can have 14 different packaged builds of zlib-1.2.3 if
you want to, with different builds being used by different
applications.
This is just my understanding based on having looked into NixOS a bit
out of curiosity. Somebody closer to the project should feel free to
correct any errors I made. There are obviously pros and cons to this
approach.
--
Rich
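The "linked to a particular build of zlib" behaviour Rich describes can be modelled in a few lines. This is an added example written for this page, not Nix code or anything from the thread; the package names, build inputs and store paths in it are constructed, and the path hashing is a simplification of what Nix actually does. The operational question it answers is the one that model raises for a defender: after a fixed zlib lands in the store, which installed packages are still linked against the old build?

```python
"""Toy model of a content-addressed package store, in the style Rich
describes for Nix.

Added example, not Nix's code. Store paths are derived from a hash of a
package's own inputs plus the exact store paths of its dependencies, so a
package refers to one specific build of zlib, never to "zlib" in general.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Derivation:
    name: str
    version: str
    build_inputs: str       # stands in for source hash, flags, toolchain ...
    deps: Tuple[str, ...]   # exact store paths this build was linked against


class Store:
    def __init__(self) -> None:
        self.paths: Dict[str, Derivation] = {}

    def add(self, name: str, version: str, build_inputs: str,
            deps: Tuple[str, ...] = ()) -> str:
        """Register a build; the path hash covers every input, deps included."""
        h = hashlib.sha256(f"{name}-{version}\0{build_inputs}\0".encode())
        for d in sorted(deps):
            h.update(d.encode() + b"\0")
        path = f"/nix/store/{h.hexdigest()[:12]}-{name}-{version}"
        self.paths[path] = Derivation(name, version, build_inputs, tuple(deps))
        return path

    def dependents(self, target: str) -> Set[str]:
        """Every store path that links, directly or transitively, to target."""
        found: Set[str] = set()
        grew = True
        while grew:
            grew = False
            for path, drv in self.paths.items():
                if path in found:
                    continue
                if target in drv.deps or any(d in found for d in drv.deps):
                    found.add(path)
                    grew = True
        return found

    def builds_of(self, name: str) -> List[str]:
        """All coexisting builds of a package, whatever their version or flags."""
        return sorted(p for p, d in self.paths.items() if d.name == name)


def demo() -> Dict[str, object]:
    """Two builds of zlib-1.2.3 coexist; a new zlib helps nobody until they rebuild."""
    s = Store()
    # Constructed inputs: same source, different flags -> different store paths.
    zlib_a = s.add("zlib", "1.2.3", "src=sha256:aaaa CFLAGS=-O2")
    zlib_b = s.add("zlib", "1.2.3", "src=sha256:aaaa CFLAGS=-O2 -fstack-protector")
    libpng = s.add("libpng", "1.6.21", "src=sha256:bbbb", deps=(zlib_a,))
    viewer = s.add("imageviewer", "2.0", "src=sha256:cccc", deps=(libpng,))
    zlib_new = s.add("zlib", "1.2.4", "src=sha256:dddd")  # e.g. a security fix
    return {
        "zlib_builds": s.builds_of("zlib"),
        "still_linked_to_old": s.dependents(zlib_a),
        "linked_to_new": s.dependents(zlib_new),
        "paths": {"zlib_a": zlib_a, "zlib_b": zlib_b,
                  "libpng": libpng, "viewer": viewer},
    }


if __name__ == "__main__":
    r = demo()
    print("zlib builds in store:", len(r["zlib_builds"]))
    print("still on the old zlib build:", sorted(r["still_linked_to_old"]))
    print("using the fixed zlib:", sorted(r["linked_to_new"]))
```

Because each dependency's exact path is folded into the hash, two builds of zlib-1.2.3 that differ only in flags get different paths and can sit side by side, and adding zlib-1.2.4 leaves libpng and the viewer on the old build until they are themselves rebuilt against it. `dependents()` is the rebuild list that fix has to cover, which is the "just like bundling" cost Rich mentions made explicit.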
* Re: [gentoo-user] Gentoo is supporting officially Snap packages?
2016-06-16 3:53 [gentoo-user] Gentoo is supporting officially Snap packages? José Maldonado
2016-06-16 15:27 ` [gentoo-user] " James
@ 2016-06-19 21:03 ` Andreas K. Huettel
2016-06-19 22:02 ` [gentoo-user] " James
2016-06-21 10:04 ` [gentoo-user] " Tom H
2016-06-24 19:56 ` [gentoo-user] Gentoo Flatpak github " James
2 siblings, 2 replies; 29+ messages in thread
From: Andreas K. Huettel @ 2016-06-19 21:03 UTC (permalink / raw
To: gentoo-user
>
> Gentoo is supporting officially Snap packages? Why not Flatpak?
>
Gentoo support for Snap is roughly as "official" as RedHat/Fedora support.
See also
https://www.happyassassin.net/2016/06/16/on-snappy-and-flatpak-business-as-usual-in-the-canonical-propaganda-department/
Quoting from there:
"The sum total of communication between Canonical and Fedora before the
release of this press release was that they mailed us asking about the process
of packaging snappy for Fedora, and we told them about the main packaging
process and COPR. They certainly did not in any way inform Fedora that they
were going to send out a press release strongly implying that Fedora, along
with every other distro in the world, was now a happy traveler on the Snappy
bandwagon."
--
Andreas K. Huettel
Gentoo Linux developer
dilfridge@gentoo.org
http://www.akhuettel.de/
* [gentoo-user] Re: Gentoo is supporting officially Snap packages?
2016-06-19 21:03 ` [gentoo-user] " Andreas K. Huettel
@ 2016-06-19 22:02 ` James
2016-06-21 10:04 ` [gentoo-user] " Tom H
1 sibling, 0 replies; 29+ messages in thread
From: James @ 2016-06-19 22:02 UTC (permalink / raw
To: gentoo-user
Andreas K. Huettel <dilfridge <at> gentoo.org> writes:
> > Gentoo is supporting officially Snap packages? Why not Flatpak?
> Gentoo support for Snap is roughly as "official" as RedHat/Fedora support.
Still, if Gentoo images can be customized at one's favorite cloud service
provider, it may serve as a way to easily evaluate new code, particularly
code that will require some effort to create a stable ebuild. What
I'm hoping for is just a quick shot packager where the host is very secured,
or outsourced, so security is somebody else's time_sink.
What bummed me out is that Canonical is the only one that can create these
packages for other distros? That's going to fly like a lead balloon, if that
is the case.
So the idea of a package that also creates a (secure) container on a Gentoo
system that is otherwise containerless does get folks into the
container/cluster world rather quickly....
James
* Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
2016-06-16 23:40 ` José Maldonado
2016-06-17 3:25 ` J. García
@ 2016-06-21 9:30 ` Tom H
1 sibling, 0 replies; 29+ messages in thread
From: Tom H @ 2016-06-21 9:30 UTC (permalink / raw
To: Gentoo User
On Thu, Jun 16, 2016 at 7:40 PM, José Maldonado <josemald89@gmail.com> wrote:
> On 16/06/16 at 13:32, Tom H wrote:
>>
>> When I first saw this, I thought "strange, maybe if Gentoo develops an
>> 'esnap' in order to build the container-package locally" but then I
>> remembered that we have docker and lxc/lxd, so why not another method?
>
> That is possible, but the goal is to serve Snap container for
> applications that can be downloaded and used by the user, down a single
> binary that will have all the dependencies in that binary. Docker and
> LXC obviously can do this, but its scope and possibilities are much
> larger and are not addressed within the scope of normal user of a PC.
With docker/lxc/lxd, you can use your own images so you should be able
to do so with snap. You lose the ability simply to add a repo and pull
an image from it.
>> When Flatpak's ready, someone'll make it available and/or package it.
>
> Flatpak is ready for use now.
Not fully.
From fedora-devel@:
<begin>
> Isn't flatpak in gnome-software pushed back to F25 ?
It partly supports Flatpak in F24. You can manage already installed
apps, but you still need to use flatpak command to install them. In
F25, you will be able to just download .flatpak file, double-click it
and Software will install it and set its repo.
</end>
and
<begin>
I think that once the full sandboxing / portal system is in place,
there _will_ be a tangible reason to prefer Flatpak.
</end>
>> [AFAIK, Flatpak's for GUI apps accessed via Gnome Software so it's not
>> quite a Snap competitor.]
>
> Flatpak and Snap, have GUI and command-line. In addition, Flatpak
> packages weigh less than their counterparts Snap, and right now several
> free software projects officially support it, including LibreOffice.
I wasn't referring to the "installer." Flatpak's intention is to
package GUI apps only.
* Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
2016-06-17 3:25 ` J. García
2016-06-18 8:01 ` Mick
@ 2016-06-21 9:55 ` Tom H
1 sibling, 0 replies; 29+ messages in thread
From: Tom H @ 2016-06-21 9:55 UTC (permalink / raw
To: Gentoo User
On Thu, Jun 16, 2016 at 11:25 PM, J. <jyo.garcia@gmail.com> wrote:
> They say it's not a GNOME thing only, but born in the GNOME project,
> Quote from their FAQ:
>
> "Is Flatpak tied to GNOME?
>
> No. While Flatpak has been developed by people with a long involvement
> in the GNOME community it is not tied to any desktop. In fact, it was
> designed with the explicit goal of allowing it to build applications
> using any library stack or programming language an application author
> might want."
Marketing-speak is marketing speak...
AFAIK, the only current implementation of a GUI from which to install
a Flatpak is Gnome Software, with KDE apparently working on something
similar.
So, unless you want to download a file and double-click on it, it's
Gnome for now and KDE soon.
> The flatpak packages take less space because there's a separation
> between runtimes and applications, with the runtime(s) containing many
> of the libraries/packages required by an application, and intended to
> be used by many of these, and the application package only containing
> the remaining required libraries, or maybe only the app, so it could
> reduce but not eliminate the problem previously discussed of
> dependencies being left unmaintained and not upgraded with security
> fixes. IMHO Flatpak seems a better option than Snap, and certainly
> reducing file system and device access is a good thing about both, but
> with these advantages some other problems are created, so it's a trade-
> off.
If you start relying on too many libraries in the runtimes, you end up
with the same "problem" as non-Flatpak, non-Snap packages.
> Maybe we will see Snaps/Flatpaks of popular proprietary software that's
> only available for Windows and MacOS right now that has no real FOSS
> competitor e.g. AutoCAD and family, I often hear the excuse of these
> vendors not supporting Linux because of the many distributions. Getting
> LibreCAD to the level of AutoCAD would take a decade or more at the
> pace it is going, right now it reminds me of AutoCAD 2004, and it
> isn't even at that level.
Linus has complained that the dive software that he created had
nightly or weekly (I forget) builds for macOS and Windows but not for
Linux because of the multitude of distributions. So he and those now
maintaining that app'll be happy.
* Re: [gentoo-user] Gentoo is supporting officially Snap packages?
2016-06-19 21:03 ` [gentoo-user] " Andreas K. Huettel
2016-06-19 22:02 ` [gentoo-user] " James
@ 2016-06-21 10:04 ` Tom H
1 sibling, 0 replies; 29+ messages in thread
From: Tom H @ 2016-06-21 10:04 UTC (permalink / raw
To: Gentoo User
On Sun, Jun 19, 2016 at 5:03 PM, Andreas K. Huettel
<dilfridge@gentoo.org> wrote:
>
> Gentoo support for Snap is roughly as "official" as RedHat/Fedora support.
>
> See also
> https://www.happyassassin.net/2016/06/16/on-snappy-and-flatpak-business-as-usual-in-the-canonical-propaganda-department/
>
> Quoting from there:
> "The sum total of communication between Canonical and Fedora before the
> release of this press release was that they mailed us asking about the process
> of packaging snappy for Fedora, and we told them about the main packaging
> process and COPR. They certainly did not in any way inform Fedora that they
> were going to send out a press release strongly implying that Fedora, along
> with every other distro in the world, was now a happy traveler on the Snappy
> bandwagon."
By a Gnome dev on fedora-devel@:
<begin>
Just for the record... the Softpedia article doesn't actually say
"Canonical state that they have been working with Fedora developers to
make this the universal packaging format." It does say they've been
"working for some time with developers from various major GNU/Linux
distributions" and that "the Snap package format is working natively on
popular GNU/Linux operating systems like [...] Fedora [...]," so it's
clear why there was confusion, but it doesn't say that they've been
working with Fedora specifically.
</end>
There's one thing that's not addressed in the marketing, and that's that
Snaps are secure on Ubuntu because it uses AppArmor - and I've read a
post that said that they've patched AppArmor specifically to contain
Snaps better, but I can't find that reference.
* [gentoo-user] Gentoo Flatpak github Re: Gentoo is supporting officially Snap packages?
2016-06-16 3:53 [gentoo-user] Gentoo is supporting officially Snap packages? José Maldonado
2016-06-16 15:27 ` [gentoo-user] " James
2016-06-19 21:03 ` [gentoo-user] " Andreas K. Huettel
@ 2016-06-24 19:56 ` James
2 siblings, 0 replies; 29+ messages in thread
From: James @ 2016-06-24 19:56 UTC (permalink / raw
To: gentoo-user
José Maldonado <josemald89 <at> gmail.com> writes:
> Gentoo is supporting officially Snap packages? Why not Flatpak?
Just ran across this:
https://github.com/fosero/flatpak-overlay
I have not tested this at all: caveat emptor.
James