Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
On Thu, Jun 16, 2016 at 11:25 PM, J. García wrote:

> They say it's not a GNOME thing only, but born in the GNOME project. Quote from their FAQ:
>
> "Is Flatpak tied to GNOME?
>
> No. While Flatpak has been developed by people with a long involvement in the GNOME community it is not tied to any desktop. In fact, it was designed with the explicit goal of allowing it to build applications using any library stack or programming language an application author might want."

Marketing-speak is marketing-speak... AFAIK, the only current implementation of a GUI from which to install a Flatpak is Gnome Software, with KDE apparently working on something similar. So, unless you want to download a file and double-click on it, it's Gnome for now and KDE soon.

> The flatpak packages take less space because there's a separation between runtimes and applications, with the runtime(s) containing many of the libraries/packages required by an application, and intended to be used by many of these, and the application package only containing the remaining required libraries, or maybe only the app, so it could reduce but not eliminate the problem previously discussed of dependencies being left unmaintained and not upgraded with security fixes. IMHO Flatpak seems a better option than Snap, and certainly reducing file system and device access is a good thing about both, but with these advantages some other problems are created, so it's a trade-off.

If you start relying on too many libraries in the runtimes, you end up with the same "problem" as non-Flatpak, non-Snap packages.

> Maybe we will see Snaps/Flatpaks of popular proprietary software that's only available for Windows and MacOS right now that has no real FOSS competitor e.g. AutoCAD and family, I often hear the excuse of these vendors not supporting Linux because of the many distributions. Getting LibreCAD to the level of AutoCAD would take a decade or more at the pace it is going, right now it reminds me of AutoCAD 2004, and it isn't even at that level.

Linus has complained that the dive software that he created had nightly or weekly (I forget) builds for macOS and Windows but not for Linux because of the multitude of distributions. So he and those now maintaining that app'll be happy.
Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
On Thu, Jun 16, 2016 at 7:40 PM, José Maldonado wrote:

> On 16/06/16 at 13:32, Tom H wrote:
>>
>> When I first saw this, I thought "strange, maybe if Gentoo develops an 'esnap' in order to build the container-package locally" but then I remembered that we have docker and lxc/lxd, so why not another method?
>
> That is possible, but the goal is to serve Snap container for applications that can be downloaded and used by the user, down a single binary that will have all the dependencies in that binary. Docker and LXC obviously can do this, but their scope and possibilities are much larger and are not addressed within the scope of a normal user of a PC.

With docker/lxc/lxd, you can use your own images so you should be able to do so with snap. You lose the ability simply to add a repo and pull an image from it.

>> When Flatpak's ready, someone'll make it available and/or package it.
>
> Flatpak is ready for use now.

Not fully.

From fedora-devel@:

> Isn't flatpak in gnome-software pushed back to F25 ?

It partly supports Flatpak in F24. You can manage already installed apps, but you still need to use flatpak command to install them. In F25, you will be able to just download .flatpak file, double-click it and Software will install it and set its repo.

and I think that once the full sandboxing / portal system is in place, there _will_ be a tangible reason to prefer Flatpak.

>> [AFAIK, Flatpak's for GUI apps accessed via Gnome Software so it's not quite a Snap competitor.]
>
> Flatpak and Snap have GUI and command-line. In addition, Flatpak packages weigh less than their Snap counterparts, and right now several free software projects officially support it, including LibreOffice.

I wasn't referring to the "installer." The Flatpak intention's to package GUI apps only.
[gentoo-user] Re: Gentoo is supporting officially Snap packages?
Andreas K. Huettel writes:

>> Gentoo is supporting officially Snap packages? Why not Flatpak?
>
> Gentoo support for Snap is roughly as "official" as RedHat/Fedora support.

Still, if gentoo images can be customized at one's favorite cloud service provider, it may serve as a way to easily evaluate new codes, particularly codes that will require some effort to create a stable ebuild. What I'm hoping for is just a quick-shot packager where the host is very secure, or outsourced, so security is somebody else's time sink.

What bummed me out is that Canonical is the only one that can create these packages for other distros? That's going to fly like a lead balloon, if that is the case.

So the idea of a package that also creates a (secure) container on a gentoo system that is otherwise containerless does get folks into the container/cluster world rather quickly.

James
Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
On Sat, Jun 18, 2016 at 4:01 AM, Mick wrote:
> On Thursday 16 Jun 2016 21:25:01 J. García wrote:
>
> How does Nix compare to flatpack, docker, snap, et al. from a gentoo perspective?

Nix is a similar sort of approach. I don't think they run apps in containers (though they probably could if they wanted to do the work and a lot of bind mounting). The reality is that they're a form of bundling, but the bundled libs can be shared.

Basically everything is linked to uniquely identified dependencies. So, a package isn't just linked to zlib, or even a particular version of zlib, but a particular build of zlib. However, 15 different packages could all depend on that same build. So, you potentially don't get the same kind of memory duplication that you do with outright bundling. However, if you install a new version of zlib on your system, nothing will actually use it, unless those packages are themselves updated. So, in that respect it is just like bundling.

Since the libraries you're running with on your box are exact copies of the binaries the packager was using, you're going to get the same experience the packager did when they were testing their package. So, that's the big upside.

There are no conflicts or collisions either, since every package is installed in what amounts to a private namespace. You can have 14 different packaged builds of zlib-1.2.3 if you want to, with different builds being used by different applications.

This is just my understanding based on having looked into NixOS a bit out of curiosity. Somebody closer to the project should feel free to correct any errors I made. There are obviously pros and cons to this approach.

-- 
Rich
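Rich's description above (every package linked to one uniquely identified build, several packages sharing that build, a newly installed library going unused until dependents are rebuilt) can be modelled in a few dozen lines. The following is an added example written for this thread, not code from Nix or from anyone on the list: it hashes name, version, build inputs and flags into a store path (a simplification; real Nix hashes the whole derivation, but the properties shown are the same) and walks the runtime closure to show which build each application actually uses. All package names, versions and flags are constructed sample data.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Package:
    """One build, identified by everything that went into producing it."""
    name: str
    version: str
    inputs: tuple   # store paths of build-time dependencies
    flags: tuple    # compiler/configure flags used for this particular build


def store_path(pkg):
    """Derive a unique store path for one build (simplified model, assumption:
    real Nix hashes the full derivation). Same inputs -> same path, so a build
    is never stored twice; any change in inputs or flags -> a different path."""
    h = hashlib.sha256()
    h.update(f"{pkg.name}-{pkg.version}\n".encode())
    for dep in sorted(pkg.inputs):
        h.update(dep.encode() + b"\n")
    h.update(" ".join(sorted(pkg.flags)).encode())
    return f"/nix/store/{h.hexdigest()[:32]}-{pkg.name}-{pkg.version}"


class Store:
    """Toy store: maps store paths to the packages that live there."""

    def __init__(self):
        self.paths = {}

    def add(self, pkg):
        path = store_path(pkg)
        self.paths[path] = pkg   # adding the same build twice does not duplicate it
        return path

    def closure(self, path):
        """Runtime closure: the path plus every dependency path, transitively.
        This is exactly the set of builds a package will ever load."""
        seen, todo = set(), [path]
        while todo:
            p = todo.pop()
            if p in seen:
                continue
            seen.add(p)
            todo.extend(self.paths[p].inputs)
        return seen


def demo():
    store = Store()
    # Two different builds of the same zlib version coexist under different paths.
    zlib_a = store.add(Package("zlib", "1.2.3", (), ("-O2",)))
    zlib_b = store.add(Package("zlib", "1.2.3", (), ("-O2", "-fPIC")))
    # Two applications linked against the *same* build share that one copy.
    app1 = store.add(Package("app1", "1.0", (zlib_a,), ()))
    app2 = store.add(Package("app2", "2.0", (zlib_a,), ()))
    # A newer zlib is installed: nothing references it until dependents are rebuilt.
    zlib_new = store.add(Package("zlib", "1.2.11", (), ("-O2",)))
    return {
        "zlib_a": zlib_a,
        "zlib_b": zlib_b,
        "zlib_new": zlib_new,
        "app1_closure": store.closure(app1),
        "app2_closure": store.closure(app2),
        "store_entries": len(store.paths),
    }


if __name__ == "__main__":
    result = demo()
    for key, value in result.items():
        print(f"{key}: {value}")
```

The security-relevant consequence is visible in `demo()`: after `zlib_new` is added, both application closures still contain `zlib_a`, so a fix shipped in the new zlib protects nothing until `app1` and `app2` are rebuilt against it, which is the "just like bundling" point above.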
Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
On Thursday 16 Jun 2016 21:25:01 J. García wrote:
> On Thu, 16-06-2016 at 19:40 -0400, José Maldonado wrote:
>> That is possible, but the goal is to serve Snap container for applications that can be downloaded and used by the user, down a single binary that will have all the dependencies in that binary. Docker and LXC obviously can do this, but their scope and possibilities are much larger and are not addressed within the scope of a normal user of a PC.
>
> Docker doesn't get the applications down to a single binary, it's a package containing everything. A single binary would be something like what Go does by default, as it compiles every source package imported into the final binary, that's why even a "hello world" takes ~2MB.
>
>>> [AFAIK, Flatpak's for GUI apps accessed via Gnome Software so it's not quite a Snap competitor.]
>
> They say it's not a GNOME thing only, but born in the GNOME project. Quote from their FAQ:
>
> "Is Flatpak tied to GNOME?
>
> No. While Flatpak has been developed by people with a long involvement in the GNOME community it is not tied to any desktop. In fact, it was designed with the explicit goal of allowing it to build applications using any library stack or programming language an application author might want."
>
> I would say it is the implementation of something that Lennart P. wrote in his blog a while back [1] (I don't know to what extent it is 'his' idea, or if it just happens that he wrote about it after discussing it with others), but it seems that he didn't write code for it (I looked at the contributors in GitHub).
>
>> Flatpak and Snap have GUI and command-line. In addition, Flatpak packages weigh less than their Snap counterparts, and right now several free software projects officially support it, including LibreOffice.
>
> The flatpak packages take less space because there's a separation between runtimes and applications, with the runtime(s) containing many of the libraries/packages required by an application, and intended to be used by many of these, and the application package only containing the remaining required libraries, or maybe only the app, so it could reduce but not eliminate the problem previously discussed of dependencies being left unmaintained and not upgraded with security fixes. IMHO Flatpak seems a better option than Snap, and certainly reducing file system and device access is a good thing about both, but with these advantages some other problems are created, so it's a trade-off.
>
> As Andrew Savchenko said previously Snap seems like C:\Program Files for Linux, but I would add 'with sandboxing' and other security features, and that certainly makes it better than Windows to be fair.
>
> Maybe we will see Snaps/Flatpaks of popular proprietary software that's only available for Windows and MacOS right now that has no real FOSS competitor e.g. AutoCAD and family, I often hear the excuse of these vendors not supporting Linux because of the many distributions. Getting LibreCAD to the level of AutoCAD would take a decade or more at the pace it is going, right now it reminds me of AutoCAD 2004, and it isn't even at that level. Trying to be optimistic maybe we'll see a new wave of users in Linux as a result of these new packaging systems, and in the long run if the GNU/Linux user base grows and learns about the Free Software philosophy and gets tired of having to pay large sums of money to Autodesk and other companies for a yearly permission to use their software, they would contribute to the FOSS alternatives with money to get people working full time on these, and we could see them grow to be real competitors.
>
> That said I hope upstreams don't start bundling libraries into their software as a result of this (at least not more than some already do now), that's really annoying and it could create a nightmare of the likes of java (I mean most java developers seemingly putting every jar they come across in their 'source' trees and then forgetting about it for the rest of their lives, or at least until Oracle breaks them, after years and years of deprecation).
>
> [1] http://0pointer.net/blog/revisiting-how-we-put-together-linux-systems.html

How does Nix compare to flatpack, docker, snap, et al. from a gentoo perspective?

https://nixos.org/nix/about.html

-- 
Regards,
Mick
Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
On Fri, Jun 17, 2016 at 3:16 AM, Andrew Savchenko wrote:
> On Thu, 16 Jun 2016 22:35:24 -0400 waltd...@waltdnes.org wrote:
>> I don't follow this stuff, so this may be a stupid question... how does a "container" or "docker" differ from a chroot or a QEMU VM with a minimal set of applications?
>
> Due to reasons above I prefer container solutions like LXC over VM for security: they give approximately the same level of protection as VM, but resources cost is much lower. Of course it is still possible to break any container through L3 cache or some kernel bugs, so for really tight security independent hardware and OS must be used.

Containers on Linux aren't nearly as secure as a VM right now. Certainly the intent is for them to get there, and if you find a way to break out of a container the kernel team would certainly accept it as a bug and fix it. However, I don't think most of the big names in linux would rate it on the same level as a VM. As you've pointed out, VMs aren't perfect, though I'm not aware of any way to actually defeat any of the popular ones (and if there were, they'd almost certainly patch it). I'll certainly acknowledge that there is a larger attack surface than separate hosts (and it isn't like those are invulnerable either - who knows what bug exists in an ethernet card somewhere).

Containers are a lot more secure than chroots though. Non-root in a container is generally considered to be fairly secure - it is an additional layer on top of normal user privilege isolation.

Containers are generally a lot more convenient than chroots as well, simply because there are fewer compatibility issues and constraints inside. If you want to run sysvinit/openrc or systemd inside your container you can, and that isn't really possible inside a chroot. Of course, you don't have to, but at least you have the option.

The biggest selling point for a container is the resource requirements. The overhead to run a container with systemd inside is only a few MB. If you're running a container without a service manager the overhead is even less. You could never run a VM with only a few MB of RAM. The main constraint on RAM use for a container is the fact that you're not sharing libraries with the host. Otherwise they're just processes with different namespace values in the kernel (EVERY process runs in a set of namespaces, even if you're not using containers - by default they just all have the same set of values). Any solution that bundles the libraries with the package is going to use a similar amount of RAM. Also, launching a process in a new namespace takes the same amount of time as launching a process in the same namespace, minus the trivial time required to page in libraries and such. A VM takes seconds to boot, vs the milliseconds for a container.

In terms of overhead containers and chroots are almost identical.

The biggest selling point for not just running everything on the host is isolation. I have a container that just runs mariadb. When I do an emerge -u world it is like updating any other Gentoo host, but when I'm done I fire off a bunch of tests to make sure mariadb is working, and if it works I know I'm done. When I was running everything on a single host I'd inevitably do an emerge -u world and occasionally have something random break. Short of testing everything every time I do an update it is hard to avoid that sort of thing. Of course, I end up having to run a lot more updates, but I don't have to do them all at once and I can update the container for each service on an appropriate schedule.

-- 
Rich
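Rich's point that every process already runs in a set of namespaces, and that a container is just a process with different namespace values, can be checked directly from procfs: each `/proc/<pid>/ns/*` link names a namespace type and an inode number, and two processes are in the same namespace exactly when those numbers match. The script below is an added example for this thread (not from any project or list member); it assumes a Linux procfs and, for the optional child check, the util-linux `unshare` binary and unprivileged user namespaces. The host/container id pairs in the usage note are constructed sample values.

```python
import os
import subprocess

# Namespace types exposed under /proc/<pid>/ns on current kernels.
NS_TYPES = ("mnt", "uts", "ipc", "pid", "net", "user", "cgroup")


def parse_ns_link(target):
    """Turn a link target such as 'mnt:[4026531840]' into ('mnt', 4026531840).
    Raises ValueError for anything that is not a namespace link."""
    kind, _, rest = target.partition(":")
    if not kind or not rest.startswith("[") or not rest.endswith("]"):
        raise ValueError(f"not a namespace link: {target!r}")
    return kind, int(rest[1:-1])


def namespace_ids(pid="self"):
    """Namespace identities of one process, read from procfs (Linux assumed).
    Namespaces we cannot read (no permission, older kernel) are left out."""
    ids = {}
    for ns in NS_TYPES:
        try:
            kind, inode = parse_ns_link(os.readlink(f"/proc/{pid}/ns/{ns}"))
        except (OSError, ValueError):
            continue
        ids[kind] = inode
    return ids


def shared_namespaces(a, b):
    """Namespace types in which two processes use the same instance."""
    return {ns for ns in a.keys() & b.keys() if a[ns] == b[ns]}


def isolated_namespaces(a, b):
    """Namespace types that separate the two processes."""
    return {ns for ns in a.keys() & b.keys() if a[ns] != b[ns]}


def describe(pid_a, pid_b):
    """Which namespaces two live processes share and which keep them apart."""
    a, b = namespace_ids(pid_a), namespace_ids(pid_b)
    return {"shared": sorted(shared_namespaces(a, b)),
            "isolated": sorted(isolated_namespaces(a, b))}


def user_ns_of_unshared_child():
    """User namespace of a child started in a fresh user namespace with
    util-linux `unshare -U -r`; None when that is not possible here
    (no unshare binary, or unprivileged user namespaces disabled)."""
    try:
        out = subprocess.run(
            ["unshare", "-U", "-r", "readlink", "/proc/self/ns/user"],
            capture_output=True, text=True, timeout=5, check=True).stdout
    except (OSError, subprocess.SubprocessError):
        return None
    return parse_ns_link(out.strip())[1]


if __name__ == "__main__":
    # Comparing with PID 1 only says something when /proc/1/ns is readable
    # (same user or root); otherwise both lists come back empty.
    print("self vs PID 1:", describe("self", 1))
    mine = namespace_ids().get("user")
    child = user_ns_of_unshared_child()
    if child is None:
        print("unshare -U not available here")
    else:
        print("child user ns differs from ours:", child != mine)
```

For two constructed processes, `host = {"mnt": 4026531840, "net": 4026531992, "pid": 4026531836}` and `ctr = {"mnt": 4026532100, "net": 4026531992, "pid": 4026532200}`, `shared_namespaces` reports only `net` and `isolated_namespaces` reports `mnt` and `pid`, which is the shape you see for a container running with host networking: nothing but the inode numbers distinguishes it from an ordinary process.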
Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
oh yeah, forgot the catchy name. Mea culpa.

2016-06-17 10:52 GMT+02:00 Neil Bothwick:
> On Fri, 17 Jun 2016 10:28:10 +0200, Volker Armin Hemmann wrote:
>
>> soo... why not compile everything statically in the first place? and put it in HOME?
>
> Because that's not new and shiny with a catchy name!
>
> --
> Neil Bothwick
>
> Windows Error #02: Multitasking attempted. System confused.
Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
On Fri, 17 Jun 2016 10:28:10 +0200, Volker Armin Hemmann wrote:

> soo... why not compile everything statically in the first place? and put it in HOME?

Because that's not new and shiny with a catchy name!

-- 
Neil Bothwick

Windows Error #02: Multitasking attempted. System confused.
Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
soo... why not compile everything statically in the first place? and put it in HOME?

2016-06-17 9:18 GMT+02:00 Andrew Savchenko:
> On Thu, 16 Jun 2016 19:30:49 -0400 José Maldonado wrote:
>> On 16/06/16 at 11:27, James wrote:
>>> One word SECURITY? Trust but verify does come to mind.
>>
>> The snaps come to "replace" a lack of security that is in Linux, in addition to facilitating the installation of all applications from the user-space without root privileges.
>
> Replace lack of security, really? It will create it in the long run due to outdated unmaintained third-party bundled software.
>
> Best regards,
> Andrew Savchenko
Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
On Thu, 16 Jun 2016 19:30:49 -0400 José Maldonado wrote:
> On 16/06/16 at 11:27, James wrote:
>> One word SECURITY? Trust but verify does come to mind.
>
> The snaps come to "replace" a lack of security that is in Linux, in addition to facilitating the installation of all applications from the user-space without root privileges.

Replace lack of security, really? It will create it in the long run due to outdated unmaintained third-party bundled software.

Best regards,
Andrew Savchenko
Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
On Thu, 16 Jun 2016 22:35:24 -0400 waltd...@waltdnes.org wrote:
> On Thu, Jun 16, 2016 at 04:33:12PM -0400, Rich Freeman wrote
>> On Thu, Jun 16, 2016 at 4:11 PM, Alan McKinnon wrote:
>>>
>>> I don't see the part where all these latest fancy container thingymagicies are not really just "embed everything in everything"
>>>
>>> We've known for years the dangers of embedding stuff in packages (it hardly ever gets updated properly)
>>>
>>
>> Well, that strikes me as being true of these self-contained packages, but it isn't necessarily true of containers in general.
>>
>> I run most of my services in containers, and they're just Gentoo installations with a really small world file. Things are just as up-to-date as they would be if I ran it all in a single host.
>>
>> Now, if you're the sort of person who just grabs some random docker image from who knows where, then sure you're getting a big bundle of stuff that may or may not be maintained for security. This is no different.
>
> I don't follow this stuff, so this may be a stupid question... how does a "container" or "docker" differ from a chroot or a QEMU VM with a minimal set of applications?

There is one common misconception, that chroot is a security measure. This is wrong! Chroot is not a security function at all. It is extremely easy to exit chroot [1] if you have root access inside chroot (AFAIK with PAX/GRSecurity it is possible to deny this, but this is another story.) So if you are using chroot for security, forget about security, you have no security at all. This syscall was designed for other needs.

TL;DR: Inside chroot do as root: mkdir foo; chroot foo; cd ..

QEMU VM (as well as other VMs) can provide you some degree of security at the cost of performance and system resources. Inside a VM you have an independent (fully or paravirtualized) kernel and environment. But it is still possible to exit it using hypervisor bugs or hardware-based attacks like the L3 cache attack [2]. Yes, if one has a modern Intel or AMD CPU with SSE2 and L3 cache enabled, forget about tight security too.

Due to reasons above I prefer container solutions like LXC over VM for security: they give approximately the same level of protection as VM, but resources cost is much lower. Of course it is still possible to break any container through L3 cache or some kernel bugs, so for really tight security independent hardware and OS must be used.

[1] https://lwn.net/Articles/252794/
[2] https://www.usenix.org/node/184416

Best regards,
Andrew Savchenko
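Since, as the post above explains, a chroot is no boundary for a root process, the practical check on a host is not "is this service chrooted?" but "is anything running as uid 0 inside a chroot?". The audit below is an added example written for this thread (not from the list or any project): it reads each process's real uid from `/proc/<pid>/status` and its root from the `/proc/<pid>/root` link (Linux procfs assumed; entries we lack permission to read are skipped) and rates uid-0 processes with a non-`/` root as high. The three process records in the usage note are constructed sample data, not output from a real host.

```python
import os


def read_proc_entry(pid):
    """Real uid and root directory of one process from procfs (Linux assumed).
    Returns None when the process has vanished or we lack permission."""
    try:
        with open(f"/proc/{pid}/status") as f:
            # "Uid:\t<real>\t<effective>\t<saved>\t<fs>"; we want the real uid.
            uid = next(int(line.split()[1]) for line in f if line.startswith("Uid:"))
        root = os.readlink(f"/proc/{pid}/root")
    except (OSError, StopIteration, ValueError):
        return None
    return {"pid": int(pid), "uid": uid, "root": root}


def scan_proc():
    """Every process we are allowed to inspect."""
    entries = []
    for pid in os.listdir("/proc"):
        if pid.isdigit():
            entry = read_proc_entry(pid)
            if entry:
                entries.append(entry)
    return entries


def chroot_findings(entries):
    """Processes whose root is not '/'. A uid-0 process in a chroot is rated
    'high' because root can leave a plain chroot; an unprivileged one is
    'info', since chroot was never its real boundary either way.
    Highs come first, then ascending pid."""
    findings = []
    for e in entries:
        if e["root"] != "/":
            severity = "high" if e["uid"] == 0 else "info"
            findings.append({**e, "severity": severity})
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["pid"]))


def summarize(findings):
    """Counts per severity, handy for a one-line monitoring check."""
    return {"high": sum(f["severity"] == "high" for f in findings),
            "info": sum(f["severity"] == "info" for f in findings)}


if __name__ == "__main__":
    found = chroot_findings(scan_proc())
    for f in found:
        print(f"{f['severity']:4} pid={f['pid']} uid={f['uid']} root={f['root']}")
    print(summarize(found))
```

Given constructed records `{"pid": 1, "uid": 0, "root": "/"}`, `{"pid": 42, "uid": 0, "root": "/srv/jail"}` and `{"pid": 43, "uid": 1000, "root": "/srv/jail"}`, `chroot_findings` returns pids 42 (high) and 43 (info). Note that a process inside a container also reports `/` as its root, so this check is specifically about chroots, which is the point: the mechanism that looks like confinement here is the one that is not.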
Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
On Thu, 16-06-2016 at 19:40 -0400, José Maldonado wrote:
> That is possible, but the goal is to serve Snap container for applications that can be downloaded and used by the user, down a single binary that will have all the dependencies in that binary. Docker and LXC obviously can do this, but their scope and possibilities are much larger and are not addressed within the scope of a normal user of a PC.

Docker doesn't get the applications down to a single binary, it's a package containing everything. A single binary would be something like what Go does by default, as it compiles every source package imported into the final binary, that's why even a "hello world" takes ~2MB.

>> [AFAIK, Flatpak's for GUI apps accessed via Gnome Software so it's not quite a Snap competitor.]

They say it's not a GNOME thing only, but born in the GNOME project. Quote from their FAQ:

"Is Flatpak tied to GNOME?

No. While Flatpak has been developed by people with a long involvement in the GNOME community it is not tied to any desktop. In fact, it was designed with the explicit goal of allowing it to build applications using any library stack or programming language an application author might want."

I would say it is the implementation of something that Lennart P. wrote in his blog a while back [1] (I don't know to what extent it is 'his' idea, or if it just happens that he wrote about it after discussing it with others), but it seems that he didn't write code for it (I looked at the contributors in GitHub).

> Flatpak and Snap have GUI and command-line. In addition, Flatpak packages weigh less than their Snap counterparts, and right now several free software projects officially support it, including LibreOffice.

The flatpak packages take less space because there's a separation between runtimes and applications, with the runtime(s) containing many of the libraries/packages required by an application, and intended to be used by many of these, and the application package only containing the remaining required libraries, or maybe only the app, so it could reduce but not eliminate the problem previously discussed of dependencies being left unmaintained and not upgraded with security fixes. IMHO Flatpak seems a better option than Snap, and certainly reducing file system and device access is a good thing about both, but with these advantages some other problems are created, so it's a trade-off.

As Andrew Savchenko said previously Snap seems like C:\Program Files for Linux, but I would add 'with sandboxing' and other security features, and that certainly makes it better than Windows to be fair.

Maybe we will see Snaps/Flatpaks of popular proprietary software that's only available for Windows and MacOS right now that has no real FOSS competitor e.g. AutoCAD and family, I often hear the excuse of these vendors not supporting Linux because of the many distributions. Getting LibreCAD to the level of AutoCAD would take a decade or more at the pace it is going, right now it reminds me of AutoCAD 2004, and it isn't even at that level. Trying to be optimistic maybe we'll see a new wave of users in Linux as a result of these new packaging systems, and in the long run if the GNU/Linux user base grows and learns about the Free Software philosophy and gets tired of having to pay large sums of money to Autodesk and other companies for a yearly permission to use their software, they would contribute to the FOSS alternatives with money to get people working full time on these, and we could see them grow to be real competitors.

That said I hope upstreams don't start bundling libraries into their software as a result of this (at least not more than some already do now), that's really annoying and it could create a nightmare of the likes of java (I mean most java developers seemingly putting every jar they come across in their 'source' trees and then forgetting about it for the rest of their lives, or at least until Oracle breaks them, after years and years of deprecation).

[1] http://0pointer.net/blog/revisiting-how-we-put-together-linux-systems.html
Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
On Thu, Jun 16, 2016 at 04:33:12PM -0400, Rich Freeman wrote
> On Thu, Jun 16, 2016 at 4:11 PM, Alan McKinnon wrote:
>>
>> I don't see the part where all these latest fancy container thingymagicies are not really just "embed everything in everything"
>>
>> We've known for years the dangers of embedding stuff in packages (it hardly ever gets updated properly)
>>
>
> Well, that strikes me as being true of these self-contained packages, but it isn't necessarily true of containers in general.
>
> I run most of my services in containers, and they're just Gentoo installations with a really small world file. Things are just as up-to-date as they would be if I ran it all in a single host.
>
> Now, if you're the sort of person who just grabs some random docker image from who knows where, then sure you're getting a big bundle of stuff that may or may not be maintained for security. This is no different.

I don't follow this stuff, so this may be a stupid question... how does a "container" or "docker" differ from a chroot or a QEMU VM with a minimal set of applications?

-- 
Walter Dnes
I don't run "desktop environments"; I run useful applications
Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
On 17/06/2016 02:02, José Maldonado wrote:
> On 16/06/16 at 16:33, Rich Freeman wrote:
>> FWIW - the subject of this thread suggests that this is some kind of "official" Gentoo thing. As far as I can tell somebody took it upon themselves to make this available for Gentoo, but it is not in any way endorsed by the distro. Of course, if somebody wanted to package it up and maintain it we probably wouldn't have any issues with having the package manager in the repository. After all, we have other binary distro package managers in there. That doesn't mean that Gentoo is doing anything to ensure that whatever random repository you point it at is up to date, any more than if you emerge debootstrap.
>
> The truth is that there is not even an overlay system to install Gentoo. What if there is an ebuild, built by a Canonical developer for use in Gentoo, and I can hardly call that "official support" and "Gentoo community support".

The headline means that Snaps support Gentoo. It doesn't mean that Gentoo supports Snaps.
Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
On 16/06/16 at 16:33, Rich Freeman wrote:
> FWIW - the subject of this thread suggests that this is some kind of "official" Gentoo thing. As far as I can tell somebody took it upon themselves to make this available for Gentoo, but it is not in any way endorsed by the distro. Of course, if somebody wanted to package it up and maintain it we probably wouldn't have any issues with having the package manager in the repository. After all, we have other binary distro package managers in there. That doesn't mean that Gentoo is doing anything to ensure that whatever random repository you point it at is up to date, any more than if you emerge debootstrap.

The truth is that there is not even an overlay system to install Gentoo. What if there is an ebuild, built by a Canonical developer for use in Gentoo, and I can hardly call that "official support" and "Gentoo community support".

-- 
God's in his heaven, all's well on Earth
Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
On 16/06/16 at 13:32, Tom H wrote:
>
> When I first saw this, I thought "strange, maybe if Gentoo develops an 'esnap' in order to build the container-package locally" but then I remembered that we have docker and lxc/lxd, so why not another method?
>

That is possible, but the goal is to serve Snap container for applications that can be downloaded and used by the user, down a single binary that will have all the dependencies in that binary. Docker and LXC obviously can do this, but their scope and possibilities are much larger and are not addressed within the scope of a normal user of a PC.

> When Flatpak's ready, someone'll make it available and/or package it.

Flatpak is ready for use now.

>
> [AFAIK, Flatpak's for GUI apps accessed via Gnome Software so it's not quite a Snap competitor.]
>

Flatpak and Snap have GUI and command-line. In addition, Flatpak packages weigh less than their Snap counterparts, and right now several free software projects officially support it, including LibreOffice.

-- 
God's in his heaven, all's well on Earth
Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
On 16/06/16 at 11:27, James wrote:
> One word SECURITY? Trust but verify does come to mind.
>

The snaps come to "replace" a lack of security that is in Linux, in addition to facilitating the installation of all applications from the user-space without root privileges.

>
> Is there a version that works on gentoo-hardened?
>

Hardened or not ... does it matter? What I see here is the "beloved" Mark talking about Snap support in Gentoo, and there are Gentoo developers working to make it official. Is it true? I don't know.

> Where are all the security gurus at on snaps? Do snaps require systemd or are they PID-1 agnostic?
>

Supposedly it is PID-agnostic, requiring only some active features in the kernel and the use of SELinux or AppArmor. Currently, none of the mentioned MACs work as expected with Snap, even in Ubuntu itself.

-- 
God's in his heaven, all's well on Earth
Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
On 16/06/16 at 12:36, Mick wrote:
>
> Keylogger in a snap anyone?
>

It is possible, who knows. Especially when the server-side is proprietary.

-- 
God's in his heaven, all's well on Earth
Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
On Thu, Jun 16, 2016 at 4:11 PM, Alan McKinnon wrote:
> I don't see the part where all these latest fancy container thingymagicies
> are not really just "embed everything in everything"
>
> We've known for years the dangers of embedding stuff in packages (it hardly
> ever gets updated properly)

Well, that strikes me as being true of these self-contained packages, but it isn't necessarily true of containers in general. I run most of my services in containers, and they're just Gentoo installations with a really small world file. Things are just as up-to-date as they would be if I ran it all in a single host.

Now, if you're the sort of person who just grabs some random docker image from who knows where, then sure you're getting a big bundle of stuff that may or may not be maintained for security. This is no different. I'm sure there will be people who provide these all-in-one packages and carefully update them for upstream security flaws. And there will be a lot more providers who don't.

Chromium is a good example of this. Gentoo tries to unbundle as much as it can, but if you just do a make install on it you end up with a bazillion bundled libraries. Google does a very good job of keeping them all up to date, but they're not a typical case.

FWIW - the subject of this thread suggests that this is some kind of "official" Gentoo thing. As far as I can tell somebody took it upon themselves to make this available for Gentoo, but it is not in any way endorsed by the distro. Of course, if somebody wanted to package it up and maintain it we probably wouldn't have any issues with having the package manager in the repository. After all, we have other binary distro package managers in there. That doesn't mean that Gentoo is doing anything to ensure that whatever random repository you point it at is up to date, any more than if you emerge debootstrap.

Oh, and while I generally agree with everything in the linked Maintainers Matter blog post, I'd hardly call it a security audit. It just points out in general terms the sorts of problems that this kind of approach can lead to.

--
Rich
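The recurring worry in this thread is that a self-contained package carries private copies of shared libraries, so a host update (an `emerge` of openssl, say) never reaches them. One practical check is to inventory what a bundle ships and compare each library's version against the host's copy, which makes the drift visible instead of silent. The script below is an added example written for this thread; it is not code from Gentoo, snapd, Flatpak or the Maintainers Matter post. The two library lists are constructed sample data (the file names and versions are invented for illustration), standing in for a listing of the bundle's `lib/` directory and of the host's system library directory.

```python
"""Inventory the shared libraries a self-contained package bundles and
compare them with the host's copies, so stale embedded libraries show up
instead of quietly missing the host's security updates.

Added example for this thread; not code from Gentoo, snapd or Flatpak.
The library lists below are constructed sample data, not real packages.
"""
import re
from typing import Dict, List, Tuple

# Constructed: files an unpacked bundle ships under its private lib dir.
BUNDLED_LIBS = [
    "lib/libssl.so.1.0.2g",
    "lib/libcrypto.so.1.0.2g",
    "lib/libpng16.so.16.21.0",
    "lib/libz.so.1.2.8",
    "lib/libfoo.so.3",  # hypothetical library with no host counterpart
]

# Constructed: the host's versions, as listed from the system lib dir.
HOST_LIBS = [
    "/usr/lib64/libssl.so.1.0.2h",
    "/usr/lib64/libcrypto.so.1.0.2h",
    "/usr/lib64/libpng16.so.16.21.0",
    "/usr/lib64/libz.so.1.2.11",
]

# 'libssl.so' followed by an optional '.1.0.2g' style version suffix.
_SO_RE = re.compile(r"(?P<base>lib[^/]+?\.so)(?:\.(?P<ver>[0-9A-Za-z.]+))?$")


def parse_soname(path: str) -> Tuple[str, str]:
    """Split 'dir/libssl.so.1.0.2g' into ('libssl.so', '1.0.2g')."""
    m = _SO_RE.search(path)
    if not m:
        raise ValueError(f"not a shared library name: {path}")
    return m.group("base"), m.group("ver") or ""


def version_key(ver: str) -> List[Tuple[int, object]]:
    """Natural-order key: digit runs compare numerically, letter runs
    lexically, so 1.0.2g < 1.0.2h and 1.2.8 < 1.2.11."""
    key: List[Tuple[int, object]] = []
    for part in ver.split("."):
        for run in re.findall(r"\d+|[A-Za-z]+", part):
            key.append((0, int(run)) if run.isdigit() else (1, run))
    return key


def classify(bundled_ver: str, host_ver: str) -> str:
    """'stale' when the bundle lags the host, 'newer' when it leads."""
    b, h = version_key(bundled_ver), version_key(host_ver)
    if b < h:
        return "stale"
    if b > h:
        return "newer"
    return "current"


def compare_inventory(bundled: List[str], host: List[str]) -> Dict[str, Tuple[str, str, str]]:
    """Map each bundled library base name to (bundled_ver, host_ver, status)."""
    host_index: Dict[str, str] = {}
    for p in host:
        base, ver = parse_soname(p)
        # Keep the highest host version if several are installed side by side.
        if base not in host_index or version_key(ver) > version_key(host_index[base]):
            host_index[base] = ver
    report: Dict[str, Tuple[str, str, str]] = {}
    for p in bundled:
        base, ver = parse_soname(p)
        if base not in host_index:
            report[base] = (ver, "", "not-on-host")
        else:
            report[base] = (ver, host_index[base], classify(ver, host_index[base]))
    return report


def stale_libraries(bundled: List[str], host: List[str]) -> List[str]:
    """Sorted base names of bundled libraries older than the host's copy."""
    return sorted(b for b, (_, _, s) in compare_inventory(bundled, host).items() if s == "stale")


if __name__ == "__main__":
    for base, (bv, hv, status) in sorted(compare_inventory(BUNDLED_LIBS, HOST_LIBS).items()):
        print(f"{base:<16} bundled={bv or '-':<10} host={hv or '-':<10} {status}")
```

A "stale" result only says the bundle lags the host; whether that matters depends on what changed between the two versions, so the output is a to-do list for checking the bundle's changelog or the maintainer's update cadence, not a vulnerability verdict. Libraries reported as "not-on-host" are the ones nobody but the bundle's maintainer will ever update, which is exactly the class Rich's Chromium example describes.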
Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
On 16/06/2016 21:11, Andrew Savchenko wrote:
> On Thu, 16 Jun 2016 15:27:29 + (UTC) James wrote:
>> José Maldonado writes:
>>> The last days, ArsTechnica published this news:
>>> http://arstechnica.com/information-technology/2016/06/goodbye-apt-and-yum-ubuntus-snap-apps-are-coming-to-distros-everywhere/
>>>
>>> "Snaps now work natively on Arch, Debian, Fedora, Kubuntu, Lubuntu,
>>> Ubuntu GNOME, Ubuntu Kylin, Ubuntu MATE, Ubuntu Unity, and Xubuntu,"
>>> Canonical's announcement says. "They are currently being validated on
>>> CentOS, Elementary, Gentoo, Mint, OpenSUSE, OpenWrt and RHEL, and are
>>> easy to enable on other Linux distributions." (Ubuntu will continue to
>>> support deb packages, but developers can choose to package applications
>>> as snaps instead of or in addition to debs.)"
>>>
>>> Gentoo is supporting officially Snap packages? Why not Flatpak?
>>>
>>> Thank you very much for your responses! Bye! :)
>>
>> One word: SECURITY? Trust but verify does come to mind.
>
> +1
>
> It looks like C:/Program Files/ for Linux to me. It is a complete bundle
> with all dependency libs, thus vulnerabilities can't be fixed by a regular
> emerge and users will need to update _each_ snap separately. If updates
> will be available, but likely they will not be, at least not in time.

So it's like macs then?

> I'm not talking about tremendous RAM waste (due to shared objects
> duplication) and disk space waste as well. Both of them can be mitigated
> by deduplication of RAM and disk pages, but this will eat lots of CPU and
> users should be quite advanced to do that.
>
>> Containers are not exactly the most secure apparatus, imho.
>> "Clair is an open source project for the static analysis of vulnerabilities
>> in appc and docker containers." [1]. So, I want to hear about the robustness
>> of the security on these 'self-contained' packages.
>
> There is a security audit of the snap already available:
> http://kmkeen.com/maintainers-matter/2016-06-15-11-51-16-472.html
> It is quite lengthy, but worth reading.
>
> Tl;dr: if you care about security of your box, stay away from this stuff.

I don't see the part where all these latest fancy container thingymagicies are not really just "embed everything in everything"

We've known for years the dangers of embedding stuff in packages (it hardly ever gets updated properly)
Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
On Thu, 16 Jun 2016 15:27:29 + (UTC) James wrote:
> José Maldonado writes:
>> The last days, ArsTechnica published this news:
>> http://arstechnica.com/information-technology/2016/06/goodbye-apt-and-yum-ubuntus-snap-apps-are-coming-to-distros-everywhere/
>>
>> "Snaps now work natively on Arch, Debian, Fedora, Kubuntu, Lubuntu,
>> Ubuntu GNOME, Ubuntu Kylin, Ubuntu MATE, Ubuntu Unity, and Xubuntu,"
>> Canonical's announcement says. "They are currently being validated on
>> CentOS, Elementary, Gentoo, Mint, OpenSUSE, OpenWrt and RHEL, and are
>> easy to enable on other Linux distributions." (Ubuntu will continue to
>> support deb packages, but developers can choose to package applications
>> as snaps instead of or in addition to debs.)"
>>
>> Gentoo is supporting officially Snap packages? Why not Flatpak?
>>
>> Thank you very much for your responses! Bye! :)
>
> One word: SECURITY? Trust but verify does come to mind.

+1

It looks like C:/Program Files/ for Linux to me. It is a complete bundle with all dependency libs, thus vulnerabilities can't be fixed by a regular emerge and users will need to update _each_ snap separately. If updates will be available, but likely they will not be, at least not in time.

I'm not talking about tremendous RAM waste (due to shared objects duplication) and disk space waste as well. Both of them can be mitigated by deduplication of RAM and disk pages, but this will eat lots of CPU and users should be quite advanced to do that.

> Containers are not exactly the most secure apparatus, imho.
> "Clair is an open source project for the static analysis of vulnerabilities
> in appc and docker containers." [1]. So, I want to hear about the robustness
> of the security on these 'self-contained' packages.

There is a security audit of the snap already available:
http://kmkeen.com/maintainers-matter/2016-06-15-11-51-16-472.html
It is quite lengthy, but worth reading.

Tl;dr: if you care about security of your box, stay away from this stuff.

Best regards,
Andrew Savchenko
Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
James wrote:
> José Maldonado writes:
>> The last days, ArsTechnica published this news:
>> http://arstechnica.com/information-technology/2016/06/goodbye-apt-and-yum-ubuntus-snap-apps-are-coming-to-distros-everywhere/
>>
>> "Snaps now work natively on Arch, Debian, Fedora, Kubuntu, Lubuntu,
>> Ubuntu GNOME, Ubuntu Kylin, Ubuntu MATE, Ubuntu Unity, and Xubuntu,"
>> Canonical's announcement says. "They are currently being validated on
>> CentOS, Elementary, Gentoo, Mint, OpenSUSE, OpenWrt and RHEL, and are
>> easy to enable on other Linux distributions." (Ubuntu will continue to
>> support deb packages, but developers can choose to package applications
>> as snaps instead of or in addition to debs.)"
>>
>> Gentoo is supporting officially Snap packages? Why not Flatpak?
>>
>> Thank you very much for your responses! Bye! :)
>
> One word: SECURITY? Trust but verify does come to mind.
>
> Containers are not exactly the most secure apparatus, imho.
> "Clair is an open source project for the static analysis of vulnerabilities
> in appc and docker containers." [1]. So, I want to hear about the robustness
> of the security on these 'self-contained' packages.
> What exactly creates the codes necessary for the container?
>
> Is there a version that works on gentoo-hardened?
>
> Suggestions for firewalling off a system for routine, deep examination
> and profiling of port activities, would be most welcome. Prima facie,
> I just have no trust in wonderful ideas from the *buntu crowd, ymmv.
>
> Also, it's a really good idea; now maybe *DALE* can get his security
> VM, in a snap (snapple?, snapit?, snapper?), that is gentoo-hardened
> blessed? Maybe the snhap designation for secured (Hardened) snaps?
> Maybe if it's a hardened, entertainment (video snap) we call them schnapps?
>
> I've been bantering about for a couple of years now how clusters (hpc and
> containers) are going to change everything. Security is the main obstacle
> now. You know, I'm ready to sip this Kool-Aid and ponder the
> possibilities
>
> Where are all the security gurus at on snaps? Do snaps require systemd
> or are they PID-1 agnostic?
>
> James
>
> [1] https://github.com/coreos/clair

I saw this and was curious as well. I'm needing to google a bit on just what this is about. Given the name, it should be interesting. I suspect I'll get a lot of hits about an energy drink thingy. lol

Oh, and this thread too. ;-)

Dale

:-) :-)
Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
On Wed, Jun 15, 2016 at 11:53 PM, José Maldonado wrote:
> The last days, ArsTechnica published this news:
>
> http://arstechnica.com/information-technology/2016/06/goodbye-apt-and-yum-ubuntus-snap-apps-are-coming-to-distros-everywhere/
>
> "Snaps now work natively on Arch, Debian, Fedora, Kubuntu, Lubuntu,
> Ubuntu GNOME, Ubuntu Kylin, Ubuntu MATE, Ubuntu Unity, and Xubuntu,"
> Canonical's announcement says. "They are currently being validated on
> CentOS, Elementary, Gentoo, Mint, OpenSUSE, OpenWrt and RHEL, and are
> easy to enable on other Linux distributions." (Ubuntu will continue to
> support deb packages, but developers can choose to package
> applications as snaps instead of or in addition to debs.)"
>
> Gentoo is supporting officially Snap packages? Why not Flatpak?

When I first saw this, I thought "strange, maybe if Gentoo develops an 'esnap' in order to build the container-package locally" but then I remembered that we have docker and lxc/lxd, so why not another method?

When Flatpak's ready, someone'll make it available and/or package it. [AFAIK, Flatpak's for GUI apps accessed via Gnome Software so it's not quite a Snap competitor.]
Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
On Thursday 16 Jun 2016 15:27:29 James wrote:
> José Maldonado writes:
>> The last days, ArsTechnica published this news:
>> http://arstechnica.com/information-technology/2016/06/goodbye-apt-and-yum-ubuntus-snap-apps-are-coming-to-distros-everywhere/
>>
>> "Snaps now work natively on Arch, Debian, Fedora, Kubuntu, Lubuntu,
>> Ubuntu GNOME, Ubuntu Kylin, Ubuntu MATE, Ubuntu Unity, and Xubuntu,"
>> Canonical's announcement says. "They are currently being validated on
>> CentOS, Elementary, Gentoo, Mint, OpenSUSE, OpenWrt and RHEL, and are
>> easy to enable on other Linux distributions." (Ubuntu will continue to
>> support deb packages, but developers can choose to package applications
>> as snaps instead of or in addition to debs.)"
>>
>> Gentoo is supporting officially Snap packages? Why not Flatpak?
>>
>> Thank you very much for your responses! Bye! :)
>
> One word: SECURITY? Trust but verify does come to mind.

Keylogger in a snap anyone?

> Containers are not exactly the most secure apparatus, imho.
> "Clair is an open source project for the static analysis of vulnerabilities
> in appc and docker containers." [1]. So, I want to hear about the robustness
> of the security on these 'self-contained' packages.
> What exactly creates the codes necessary for the container?
>
> Is there a version that works on gentoo-hardened?
>
> Suggestions for firewalling off a system for routine, deep examination
> and profiling of port activities, would be most welcome. Prima facie,
> I just have no trust in wonderful ideas from the *buntu crowd, ymmv.
>
> Also, it's a really good idea; now maybe *DALE* can get his security
> VM, in a snap (snapple?, snapit?, snapper?), that is gentoo-hardened
> blessed? Maybe the snhap designation for secured (Hardened) snaps?
> Maybe if it's a hardened, entertainment (video snap) we call them schnapps?
>
> I've been bantering about for a couple of years now how clusters (hpc and
> containers) are going to change everything. Security is the main obstacle
> now. You know, I'm ready to sip this Kool-Aid and ponder the
> possibilities
>
> Where are all the security gurus at on snaps? Do snaps require systemd
> or are they PID-1 agnostic?
>
> James
>
> [1] https://github.com/coreos/clair

--
Regards,
Mick
[gentoo-user] Re: Gentoo is supporting officially Snap packages?
José Maldonado writes:
> The last days, ArsTechnica published this news:
> http://arstechnica.com/information-technology/2016/06/goodbye-apt-and-yum-ubuntus-snap-apps-are-coming-to-distros-everywhere/
>
> "Snaps now work natively on Arch, Debian, Fedora, Kubuntu, Lubuntu,
> Ubuntu GNOME, Ubuntu Kylin, Ubuntu MATE, Ubuntu Unity, and Xubuntu,"
> Canonical's announcement says. "They are currently being validated on
> CentOS, Elementary, Gentoo, Mint, OpenSUSE, OpenWrt and RHEL, and are
> easy to enable on other Linux distributions." (Ubuntu will continue to
> support deb packages, but developers can choose to package applications
> as snaps instead of or in addition to debs.)"
>
> Gentoo is supporting officially Snap packages? Why not Flatpak?
>
> Thank you very much for your responses! Bye! :)

One word: SECURITY? Trust but verify does come to mind.

Containers are not exactly the most secure apparatus, imho. "Clair is an open source project for the static analysis of vulnerabilities in appc and docker containers." [1]. So, I want to hear about the robustness of the security on these 'self-contained' packages. What exactly creates the codes necessary for the container?

Is there a version that works on gentoo-hardened?

Suggestions for firewalling off a system for routine, deep examination and profiling of port activities, would be most welcome. Prima facie, I just have no trust in wonderful ideas from the *buntu crowd, ymmv.

Also, it's a really good idea; now maybe *DALE* can get his security VM, in a snap (snapple?, snapit?, snapper?), that is gentoo-hardened blessed? Maybe the snhap designation for secured (Hardened) snaps? Maybe if it's a hardened, entertainment (video snap) we call them schnapps?

I've been bantering about for a couple of years now how clusters (hpc and containers) are going to change everything. Security is the main obstacle now. You know, I'm ready to sip this Kool-Aid and ponder the possibilities

Where are all the security gurus at on snaps? Do snaps require systemd or are they PID-1 agnostic?

James

[1] https://github.com/coreos/clair