Re: Using xdg-open from snap

[Sergio Schvezov]

El 21/09/16 a las 08:18, Gustavo Niemeyer escribió:

That was a good explanation indeed, thanks John.

Can we do something better than just recommend it on classic?  The 
feature is common enough that this should be a requirement, I think.


Even though Recommends doesn't sound like a fit, this is its use:

   This declares a strong, but not absolute, dependency.

   The Recommends field should list packages that would be found
   together with this one in all but unusual installations.[1]

Suggests would be the wrong dependency declaration though:

   This is used to declare that one package may be more useful with one
   or more others. Using this field tells the packaging system and the
   user that the listed packages are related to this one and can
   perhaps enhance its usefulness, but that installing this one without
   them is perfectly reasonable.[1]



The problem then is how to drop the package when building the Ubuntu 
Core image.


If things are still the same, images are built with --no-recommends.

Cheers
Sergio

[1] https://www.debian.org/doc/debian-policy/ch-relationships.html

-- 
Snapcraft mailing list
Snapcraft@lists.snapcraft.io
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/snapcraft

Re: Using xdg-open from snap

[Gustavo Niemeyer]

That was a good explanation indeed, thanks John.

Can we do something better than just recommend it on classic?  The feature
is common enough that this should be a requirement, I think.

The problem then is how to drop the package when building the Ubuntu Core
image.

On Wed, Sep 21, 2016 at 5:39 AM, John Lenton 
wrote:

> Eloy, Spencer, Otfried,
>
> The xdg-open we ship in /usr/local in the snap-core snap failing like
> that is a bug; it seems we weren't covering this use case in our
> tests.
>
> jdstrand has now addressed this, and although with his fix right now
> you'll need to ask for the unity7 interface it is expected to grow
> into a more fine-grained interface at some point, it was put there to
> unblock people (i.e. you). We expect this fix to be part of the 2.15
> release, but it might slip to 2.16.
>
> This is not the whole story, however. You'll also need the
> snapd-xdg-open package (or a dbus service providing OpenURL on the
> com.canonical.SafeLauncher interfacee) in your classic system. You can
> install that in yakkety, or get it from -proposed for xenial
> (https://launchpad.net/ubuntu/+source/snapd-xdg-open), or get the
> source from https://github.com/snapcore/snapd-xdg-open. As soon as it
> gets out of -proposed and into -updates we'll have snapd recommend it,
> but this might not be ready for 2.15.
>
> On 21 September 2016 at 08:18, Eloy García (PC Actual)
>  wrote:
> > Hi all.
> >
> > I have the same problem in my snap java-based application. I use xdg-open
> > command to launch the default browser so, it would be great a solution :)
> >
> > Best,
> >
> > Eloy
> >
> > 2016-09-20 15:46 GMT+02:00 Spencer Parkin :
> >>
> >> This is related to a question I had as well.  I have a program that uses
> >> wxLaunchDefaultBrowser which, looking at its implementation, tries to
> make
> >> the system call "exec()" to launch the default browser with a URL.
> >>
> >> If snap programs are not allowed to start other processes, that's fine;
> >> but if enough people need to launch the default browser with a URL,
> then I'm
> >> sure a secure solution just for this could somehow be implemented for
> snaps.
> >>
> >> I gather that one design goal of snaps, however, is the ability for
> people
> >> to write programs for any environment, but also have them work as snaps
> so
> >> that the programmer doesn't have to write snap-specific code, or make
> >> snap-specific considerations in their code.  In other words, your code
> >> should be "none-the-wiser" that it is running in the confined area.
> >>
> >> So with that in mind, I'm not sure how to solve the problem.  Any secure
> >> API exposed to snap applications already breaks the above design goal.
> >>
> >> Of course, it's not unreasonable for my program to have "#ifdef WIN32"
> or
> >> "#ifdef UNIX", and in the latter case, I may be looking to utilize
> something
> >> in a standard unix environment which, I believe, is synthesized in
> Unbuntu
> >> Core.  That's where I believe the snap environment can intercept what an
> >> application is doing and provide a secure solution, and this may be the
> >> "xdg-open" thing Otfried was talking about.
> >>
> >>
> >> On Mon, Sep 19, 2016 at 2:37 AM, Otfried Cheong <
> otfr...@ipe.airpost.net>
> >> wrote:
> >>>
> >>> Hello,
> >>>
> >>> my app has a manual in html.  I normally show this using "xdg-open
> >>> ", but from the snap this results in "xdg-open: Permission
> denied",
> >>> leaving this log:
> >>>
> >>> [21249.231634] audit: type=1400 audit(1474273861.873:383):
> >>> apparmor="DENIED" operation="exec" profile="snap.ipe.sh"
> >>> name="/usr/local/bin/xdg-open" pid=9551 comm="sh" requested_mask="x"
> >>> denied_mask="x" fsuid=1000 ouid=0
> >>>
> >>> According to
> >>> https://lists.ubuntu.com/archives/snapcraft/2016-September/001048.html
> >>> this should work.
> >>> I did refresh ubuntu-core from the beta channel and currently have
> >>> revision 636 of ubuntu-core.
> >>>
> >>>
> >>> Slightly related:  If I understand
> >>> https://lists.ubuntu.com/archives/snapcraft/2016-September/001118.html
> >>> correctly, the host filesystem should be exposed to the snap as
> >>> /var/lib/snapd/hostfs in devmode?It isn't on my system.
> >>>
> >>> Cheers,
> >>>  Otfried
> >>>
> >>>
> >>> --
> >>> Snapcraft mailing list
> >>> Snapcraft@lists.snapcraft.io
> >>> Modify settings or unsubscribe at:
> >>> https://lists.ubuntu.com/mailman/listinfo/snapcraft
> >>
> >>
> >>
> >> --
> >> Snapcraft mailing list
> >> Snapcraft@lists.snapcraft.io
> >> Modify settings or unsubscribe at:
> >> https://lists.ubuntu.com/mailman/listinfo/snapcraft
> >>
> >
> >
> >
> > --
> > Eloy García Almadén
> >
> > --
> > Snapcraft mailing list
> > Snapcraft@lists.snapcraft.io
> > Modify settings or unsubscribe at:
> > https://lists.ubuntu.com/mailman/listinfo/snapcraft
> >
>
> --
> Snapcraft mailing list
> Snapcraft@lists.snapcraft.io
> Modify settings or 

Re: Using xdg-open from snap

[John Lenton]

Eloy, Spencer, Otfried,

The xdg-open we ship in /usr/local in the snap-core snap failing like
that is a bug; it seems we weren't covering this use case in our
tests.

jdstrand has now addressed this, and although with his fix right now
you'll need to ask for the unity7 interface it is expected to grow
into a more fine-grained interface at some point, it was put there to
unblock people (i.e. you). We expect this fix to be part of the 2.15
release, but it might slip to 2.16.

This is not the whole story, however. You'll also need the
snapd-xdg-open package (or a dbus service providing OpenURL on the
com.canonical.SafeLauncher interfacee) in your classic system. You can
install that in yakkety, or get it from -proposed for xenial
(https://launchpad.net/ubuntu/+source/snapd-xdg-open), or get the
source from https://github.com/snapcore/snapd-xdg-open. As soon as it
gets out of -proposed and into -updates we'll have snapd recommend it,
but this might not be ready for 2.15.

On 21 September 2016 at 08:18, Eloy García (PC Actual)
 wrote:
> Hi all.
>
> I have the same problem in my snap java-based application. I use xdg-open
> command to launch the default browser so, it would be great a solution :)
>
> Best,
>
> Eloy
>
> 2016-09-20 15:46 GMT+02:00 Spencer Parkin :
>>
>> This is related to a question I had as well.  I have a program that uses
>> wxLaunchDefaultBrowser which, looking at its implementation, tries to make
>> the system call "exec()" to launch the default browser with a URL.
>>
>> If snap programs are not allowed to start other processes, that's fine;
>> but if enough people need to launch the default browser with a URL, then I'm
>> sure a secure solution just for this could somehow be implemented for snaps.
>>
>> I gather that one design goal of snaps, however, is the ability for people
>> to write programs for any environment, but also have them work as snaps so
>> that the programmer doesn't have to write snap-specific code, or make
>> snap-specific considerations in their code.  In other words, your code
>> should be "none-the-wiser" that it is running in the confined area.
>>
>> So with that in mind, I'm not sure how to solve the problem.  Any secure
>> API exposed to snap applications already breaks the above design goal.
>>
>> Of course, it's not unreasonable for my program to have "#ifdef WIN32" or
>> "#ifdef UNIX", and in the latter case, I may be looking to utilize something
>> in a standard unix environment which, I believe, is synthesized in Unbuntu
>> Core.  That's where I believe the snap environment can intercept what an
>> application is doing and provide a secure solution, and this may be the
>> "xdg-open" thing Otfried was talking about.
>>
>>
>> On Mon, Sep 19, 2016 at 2:37 AM, Otfried Cheong 
>> wrote:
>>>
>>> Hello,
>>>
>>> my app has a manual in html.  I normally show this using "xdg-open
>>> ", but from the snap this results in "xdg-open: Permission denied",
>>> leaving this log:
>>>
>>> [21249.231634] audit: type=1400 audit(1474273861.873:383):
>>> apparmor="DENIED" operation="exec" profile="snap.ipe.sh"
>>> name="/usr/local/bin/xdg-open" pid=9551 comm="sh" requested_mask="x"
>>> denied_mask="x" fsuid=1000 ouid=0
>>>
>>> According to
>>> https://lists.ubuntu.com/archives/snapcraft/2016-September/001048.html
>>> this should work.
>>> I did refresh ubuntu-core from the beta channel and currently have
>>> revision 636 of ubuntu-core.
>>>
>>>
>>> Slightly related:  If I understand
>>> https://lists.ubuntu.com/archives/snapcraft/2016-September/001118.html
>>> correctly, the host filesystem should be exposed to the snap as
>>> /var/lib/snapd/hostfs in devmode?It isn't on my system.
>>>
>>> Cheers,
>>>  Otfried
>>>
>>>
>>> --
>>> Snapcraft mailing list
>>> Snapcraft@lists.snapcraft.io
>>> Modify settings or unsubscribe at:
>>> https://lists.ubuntu.com/mailman/listinfo/snapcraft
>>
>>
>>
>> --
>> Snapcraft mailing list
>> Snapcraft@lists.snapcraft.io
>> Modify settings or unsubscribe at:
>> https://lists.ubuntu.com/mailman/listinfo/snapcraft
>>
>
>
>
> --
> Eloy García Almadén
>
> --
> Snapcraft mailing list
> Snapcraft@lists.snapcraft.io
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/snapcraft
>

-- 
Snapcraft mailing list
Snapcraft@lists.snapcraft.io
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/snapcraft

Re: Using xdg-open from snap

[PC Actual]

Hi all.

I have the same problem in my snap java-based application. I use xdg-open
command to launch the default browser so, it would be great a solution :)

Best,

Eloy

2016-09-20 15:46 GMT+02:00 Spencer Parkin :

> This is related to a question I had as well.  I have a program that uses
> wxLaunchDefaultBrowser which, looking at its implementation, tries to make
> the system call "exec()" to launch the default browser with a URL.
>
> If snap programs are not allowed to start other processes, that's fine;
> but if enough people need to launch the default browser with a URL, then
> I'm sure a secure solution just for this could somehow be implemented for
> snaps.
>
> I gather that one design goal of snaps, however, is the ability for people
> to write programs for any environment, but also have them work as snaps so
> that the programmer doesn't have to write snap-specific code, or make
> snap-specific considerations in their code.  In other words, your code
> should be "none-the-wiser" that it is running in the confined area.
>
> So with that in mind, I'm not sure how to solve the problem.  Any secure
> API exposed to snap applications already breaks the above design goal.
>
> Of course, it's not unreasonable for my program to have "#ifdef WIN32" or
> "#ifdef UNIX", and in the latter case, I may be looking to utilize
> something in a standard unix environment which, I believe, is synthesized
> in Unbuntu Core.  That's where I believe the snap environment can intercept
> what an application is doing and provide a secure solution, and this may be
> the "xdg-open" thing Otfried was talking about.
>
>
> On Mon, Sep 19, 2016 at 2:37 AM, Otfried Cheong 
> wrote:
>
>> Hello,
>>
>> my app has a manual in html.  I normally show this using "xdg-open
>> ", but from the snap this results in "xdg-open: Permission denied",
>> leaving this log:
>>
>> [21249.231634] audit: type=1400 audit(1474273861.873:383):
>> apparmor="DENIED" operation="exec" profile="snap.ipe.sh"
>> name="/usr/local/bin/xdg-open" pid=9551 comm="sh" requested_mask="x"
>> denied_mask="x" fsuid=1000 ouid=0
>>
>> According to
>> https://lists.ubuntu.com/archives/snapcraft/2016-September/001048.html
>> this should work.
>> I did refresh ubuntu-core from the beta channel and currently have
>> revision 636 of ubuntu-core.
>>
>>
>> Slightly related:  If I understand
>> https://lists.ubuntu.com/archives/snapcraft/2016-September/001118.html
>> correctly, the host filesystem should be exposed to the snap as
>> /var/lib/snapd/hostfs in devmode?It isn't on my system.
>>
>> Cheers,
>>  Otfried
>>
>>
>> --
>> Snapcraft mailing list
>> Snapcraft@lists.snapcraft.io
>> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailm
>> an/listinfo/snapcraft
>>
>
>
> --
> Snapcraft mailing list
> Snapcraft@lists.snapcraft.io
> Modify settings or unsubscribe at: https://lists.ubuntu.com/
> mailman/listinfo/snapcraft
>
>


-- 
Eloy García Almadén
-- 
Snapcraft mailing list
Snapcraft@lists.snapcraft.io
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/snapcraft

Re: Using xdg-open from snap

[Spencer Parkin]

This is related to a question I had as well.  I have a program that uses
wxLaunchDefaultBrowser which, looking at its implementation, tries to make
the system call "exec()" to launch the default browser with a URL.

If snap programs are not allowed to start other processes, that's fine; but
if enough people need to launch the default browser with a URL, then I'm
sure a secure solution just for this could somehow be implemented for snaps.

I gather that one design goal of snaps, however, is the ability for people
to write programs for any environment, but also have them work as snaps so
that the programmer doesn't have to write snap-specific code, or make
snap-specific considerations in their code.  In other words, your code
should be "none-the-wiser" that it is running in the confined area.

So with that in mind, I'm not sure how to solve the problem.  Any secure
API exposed to snap applications already breaks the above design goal.

Of course, it's not unreasonable for my program to have "#ifdef WIN32" or
"#ifdef UNIX", and in the latter case, I may be looking to utilize
something in a standard unix environment which, I believe, is synthesized
in Unbuntu Core.  That's where I believe the snap environment can intercept
what an application is doing and provide a secure solution, and this may be
the "xdg-open" thing Otfried was talking about.


On Mon, Sep 19, 2016 at 2:37 AM, Otfried Cheong 
wrote:

> Hello,
>
> my app has a manual in html.  I normally show this using "xdg-open
> ", but from the snap this results in "xdg-open: Permission denied",
> leaving this log:
>
> [21249.231634] audit: type=1400 audit(1474273861.873:383):
> apparmor="DENIED" operation="exec" profile="snap.ipe.sh"
> name="/usr/local/bin/xdg-open" pid=9551 comm="sh" requested_mask="x"
> denied_mask="x" fsuid=1000 ouid=0
>
> According to
> https://lists.ubuntu.com/archives/snapcraft/2016-September/001048.html
> this should work.
> I did refresh ubuntu-core from the beta channel and currently have
> revision 636 of ubuntu-core.
>
>
> Slightly related:  If I understand
> https://lists.ubuntu.com/archives/snapcraft/2016-September/001118.html
> correctly, the host filesystem should be exposed to the snap as
> /var/lib/snapd/hostfs in devmode?It isn't on my system.
>
> Cheers,
>  Otfried
>
>
> --
> Snapcraft mailing list
> Snapcraft@lists.snapcraft.io
> Modify settings or unsubscribe at: https://lists.ubuntu.com/
> mailman/listinfo/snapcraft
>
-- 
Snapcraft mailing list
Snapcraft@lists.snapcraft.io
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/snapcraft