ChanServ changed the topic of #kisslinux to: Unofficial KISS Linux community channel | https://kisscommunity.bvnf.space | post logs or else | song of the day https://vid.puffyan.us/H7PvgY65OxA
brassado has joined #kisslinux
brassado is now known as sam_sepi0l
<ioraff> yeah, both look like good ideas
ella-0_ has joined #kisslinux
ella-0 has quit [Ping timeout: 265 seconds]
fitrh has joined #kisslinux
<testuser[m]1> Hi
<ioraff> hi
<noocsharp> hi
<virutalmachineus> hi
<testuser[m]1> illiliti: is there an alternative to bind mounting thousands of paths for sandbox
<virutalmachineus> yes static link
<ioraff> what?
<virutalmachineus> do you bubblewrap all your programs?
jslick5 has joined #kisslinux
jslick has quit [Ping timeout: 255 seconds]
jslick5 is now known as jslick
<wael[m]> bubblewrap the kernel
ioraff has quit [Quit: ioraff]
<virutalmachineus> kiss should package each program in bubblewrap
<wael[m]> open a PR and try to implement that
<wael[m]> fun fact: a proposal has been opened to sandbox builds
<wael[m]> but not programs themselves
<virutalmachineus> i bubblewrap most of my packages, I don't know how long it will take to bubblewrap the whole repository
<testuser[m]1> u dont need to bubblewrap anything that doesnt deal with stuff from the internet
<virutalmachineus> yeah you're right but, but some are easy to bubblewrap so i do it
<virutalmachineus> s/but//
ejjdhfjsu has joined #kisslinux
ejjdhfjsu has quit [Remote host closed the connection]
ejjdhfjsu has joined #kisslinux
fitrh has quit [Quit: fitrh]
Beni has joined #kisslinux
testuser[m]1 has quit [Quit: Reconnecting]
testuser[m]1 has joined #kisslinux
testuser[m]1 has quit [Client Quit]
testuser[m]1 has joined #kisslinux
Beni has quit [Quit: Client closed]
phinxy has quit [Quit: WeeChat 3.5-dev]
phinxy has joined #kisslinux
Beni has joined #kisslinux
ejjdhfjsu has quit [Remote host closed the connection]
ejjdhfjsu has joined #kisslinux
ejjdhfjsu has quit [Ping timeout: 268 seconds]
midfavila has quit [Remote host closed the connection]
phinxy has quit [Quit: WeeChat 3.5-dev]
phinxy has joined #kisslinux
phinxy has quit [Client Quit]
phinxy has joined #kisslinux
phinxy has quit [Quit: WeeChat 3.5-dev]
phinxy has joined #kisslinux
<Ogromny> What's the best bin provider thing ? Snap ? Flatpak ? Appimage ?
<wael[m]> flatpak
<Ogromny> Ty
<Ogromny> is there any up to date repo with flatpak and its dependencies ?
<Ogromny> dylan's repo is like 2 years old
<wael[m]> community
<Ogromny> Oh yeah you're right I had forgotten to git pull it lol
phinxy has quit [Quit: WeeChat 3.5-dev]
phinxy has joined #kisslinux
<wael[m]> did you not git pull for 2 years
phinxy has quit [Quit: WeeChat 3.5-dev]
phinxy has joined #kisslinux
<Beni> lmao
<Ogromny> wael[m]: nah but for like 2 weeks
<Beni> is there any repo with pulseaudio in it or do I install it myself
<wael[m]> you only need libsndfile and pulseaudio for pulseaudio
<wael[m]> i suggest you go with pipewire if you want audio
phinxy has quit [Quit: WeeChat 3.5-dev]
<wael[m]> pipewire is in community
phinxy has joined #kisslinux
<Beni> oh thanks
<Beni> never used pipewire, is there any special setup to do or does it just work?
<wael[m]> but if you want apps to have pulseaudio support you need the libraries
<wael[m]> tl;dr pipewire & pipewire-pulse &
<wael[m]> thats what i use and it works fine, you just need XDG_RUNTIME_DIR
<Beni> alright
<Beni> thanks
<Ogromny> Beni: I don't know what you use for your status bar, but if you use yambar, I've made a module for pipewire: https://codeberg.org/dnkl/yambar/pulls/224
<Beni> i'll keep that in mind
<rohan> yo
<rohan> someone have a asound.conf that works with HDMI???
<wael[m]> ~~alsa try to not make anything except set default devices challenge a headache~~
<testuser[m]1> I tried landlock with 70k files it seems to work fine
<testuser[m]1> in .1 second
<illiliti> testuser[m]1: landlock
<testuser[m]1> What
<illiliti> nvm
phinxy has quit [Quit: WeeChat 3.5-dev]
phinxy has joined #kisslinux
rohan has quit [Ping timeout: 252 seconds]
rohan has joined #kisslinux
<wael[m]> Whar
phinxy has quit [Quit: WeeChat 3.5-dev]
<illiliti> it's insane that zip/unzip needs such amount of patches
phinxy has joined #kisslinux
phinxy has quit [Client Quit]
<testuser[m]1> illiliti: p7zip implements both zip and unzip and doesn't need any patches
<testuser[m]1> But i don't think it has any common feature/flags other than zipping and unzipping
<illiliti> does it work with firefox?
<illiliti> tbh i still doubt that firefox needs zip/unzip
<testuser[m]1> I'm sure it needs zip
<testuser[m]1> for creating xpo
<testuser[m]1> I think unzip is useless
<testuser[m]1> Xpi
<testuser[m]1> illiliti: it'll work with anything if u just modify the flags and command
<illiliti> does it embed entire zip/unzip into itself at build time?
<testuser[m]1> Firefox?
<testuser[m]1> no
<illiliti> then i don't understand why it is "make" dependency
<testuser[m]1> For creating xpi
<testuser[m]1> Let me grep
<illiliti> can you run kiss-manifest firefox for me?
<illiliti> and post output
<testuser[m]1> im not at pc
<illiliti> ok
<illiliti> ok, i checked
<illiliti> some xpis are still present
<illiliti> pictureinpicture@mozilla.org.xpi
<illiliti> formautofill@mozilla.org.xpi
<testuser[m]1> They're required
<illiliti> perhaps
<testuser[m]1> not basic but
<testuser[m]1> for basic functionality
<testuser[m]1> I use pip
<testuser[m]1> someone probably uses autofill
<testuser[m]1> That screenshots one should probably be added back aswell
<testuser[m]1> The rest is junk i think
<illiliti> wait what firefox uses to unpack them at runtime?
<illiliti> if unzip is "make" dep
<testuser[m]1> Some bundled library ig, but then they could make a binary of that at compile time for packing
midfavila has joined #kisslinux
<illiliti> i think yes
phinxy has joined #kisslinux
phinxy has quit [Quit: WeeChat 3.5-dev]
<illiliti> btw should we switch to zlib-ng?
<illiliti> or sortix libz
<illiliti> i'll create a proposal
<testuser[m]1> ng
<testuser[m]1> Sortix is dead
<testuser[m]1> ng is abi compatible?
<illiliti> no, sortix is alive
<illiliti> ng has compat mode
<illiliti> so yes
phinxy has joined #kisslinux
<testuser[m]1> illiliti: it's shitlab is inactive
<testuser[m]1> Is there a fork of it
<illiliti> or you mean libz?
<testuser[m]1> I mean sortix libz
<illiliti> ah i see. i suspect it's stable and done, so no further development is needed
<testuser[m]1> but sekurity
<testuser[m]1> 5 years
phinxy has quit [Quit: WeeChat 3.5-dev]
<virutalmachineus> is sortix the future of kiss linux?
<testuser[m]1> Yes
<testuser[m]1> sorkixx
phinxy has joined #kisslinux
ioraff has joined #kisslinux
<ioraff> testuser[m]1: care to share that landlock code?
<illiliti> forget about zlib-ng
<testuser[m]1> ioraff: It's on pc
<testuser[m]1> I just adapted the kernel example
<illiliti> they use bashisms and gnuisms in configure script
<testuser[m]1> we can patch that but does it even have any measurable difference than zlib
<testuser[m]1> Like its of no use if the performance tweaks are just in the new APIs or whatever
<illiliti> it supposed to have
<illiliti> SSSE, AVX stuff
<illiliti> should be faster at least
<testuser[m]1> Landlock can't restrict access() calls yet so I can see some issues cropping up with that
<illiliti> i can't even build it with tcc
<testuser[m]1> eg build system detects /usr/lib/libshit.so but later on it cant link cuz libshit.so can't even be opened
<illiliti> which is not a good sign
<illiliti> you must not use access() calls in the first place
<illiliti> because TOCTOU
<testuser[m]1> I'm talking about the build systems
<testuser[m]1> Isn't every build system broken then
<illiliti> if they use open() and then fstat(), then nothing shall break
<testuser[m]1> What about plain stat without open() and fstat
<testuser[m]1> chdir(2), truncate(2), stat(2), flock(2), chmod(2), chown(2), setxattr(2), utime(2), ioctl(2), fcntl(2), access(2)
<illiliti> i see
<illiliti> it's a problem yeah
phinxy has quit [Quit: WeeChat 3.5-dev]
<testuser[m]1> Ill check user namespaces approach too
<illiliti> these syscalls are too dangerous
<illiliti> truncate, chmod, chown
<illiliti> what the hell landlock
<testuser[m]1> Yeah
<testuser[m]1> Ig adding filtering for those would've taken another 2 years for patch review lol
<illiliti> usual thing
<testuser[m]1> What about seccomp
<virutalmachineus> seccomp is good
<illiliti> it sucks
<virutalmachineus> bubblewrap with seccomp is best
sam_sepi0l has quit [Quit: Textual IRC Client: www.textualapp.com]
<illiliti> seccomp is the reason why we have landlock now
<illiliti> because it is overly-complicated and easy to misuse
<illiliti> i'd avoid it and anything BPF-based at all cost
<virutalmachineus> yeah bpf is not good for security
<illiliti> yep, if we're going to make secure sandbox, seccomp is not an option
<illiliti> how about we just restrict internet access for now
<illiliti> when landlock will be ready, we will use it to restrict paths
<illiliti> iirc soon landlock should be able to restrict network natively
<illiliti> without namespaces
<virutalmachineus> that's so awesome
<ioraff> i'm not seeing the problem in at least starting to use landlock to restrict reads and executes to dependencies
<ioraff> unless we just want to go straight to a full sandbox
<testuser[m]1> ioraff: I don't care much about the security point but the issue is that if gcc can stat() a library and believe that it can link to it, the final link will fail
<testuser[m]1> So the issue with automatic dependency detection is there
<testuser[m]1> i haven't tried this yet tho so not sure if it's even going to be an issue
phinxy has joined #kisslinux
phinxy has quit [Client Quit]
ioraff has quit [Remote host closed the connection]
ioraff has joined #kisslinux
Beni has quit [Quit: Client closed]
phinxy has joined #kisslinux
phinxy has quit [Quit: WeeChat 3.5-dev]
soliwilos has quit [Remote host closed the connection]
soliwilos has joined #kisslinux
Torr has joined #kisslinux
ioraff has quit [Quit: ioraff]