-
Notifications
You must be signed in to change notification settings - Fork 720
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add the packaging metadata to build the mosh snap #854
base: master
Are you sure you want to change the base?
Conversation
You can find more information about snapcraft here: http://snapcraft.io/ To test it in an Ubuntu 16.04 machine:
dangerous because the snap you build yourself doesn't come signed from the trusted store. classic because mosh can't use strict confinement as it requires to launch other binaries, and those will need to touch even system files Once you push it to the store, your users will just have to do $ sudo snap install mosh --classic Now, in order to achieve independence, every snap can have only one top level command. So with this you would have to call mosh.mosh-server and mosh.mosh-client.
Final caveat is that in order to connect to a machine with mosh installed from a snap, for now you would have to calal it like this:
This is a bug already fixed, soon to be released: https://bugs.launchpad.net/snappy/+bug/1659719 If you have any questions or doubts, please let me know. |
Thanks, @ElOpio! This build configuration looks about as complex as I expected it to be from reading the Snapcraft documentation (which is to say, not very complex at all). This looks like a plausible add to mosh, but I do notice a few things in trying this:
I'm not sure we'll get this in for 1.3.0, and if we do it'll be labeled highly experimental-- but it should be easy to resolve issues quickly thereafter. |
Hello @cgull! Thanks for the review :) I don't see any harm on keeping the yaml during the build. In fact, we are discussing about keeping the yaml inside of the snap, a step closer to reproducible builds. Can you please report a bug? https://bugs.launchpad.net/snapcraft/+filebug The alias puts the command in /snap/bin, and then it wins the one that it's first in $PATH. By default, /snap/bin comes last in the path, but any user can change that of course. With the alias, users will not have to know about mosh.mosh-server vrs mosh-server. However, currently they will have to manually enable the alias. It's work in progress to have alias auto-assigned during installation. That has required some discussion on our side because there will be more name disputes with aliases than with package names, so as I said before, all your opinions about this are very useful. I reported this bug about pthread_create failed: https://bugs.launchpad.net/snapd/+bug/1661863 snap/snapcraft.yaml is acutally the new default location as of last week ^_^ I've pushed another commit. And I find your last point really interesting. If we split it in two, the client can be fully confined and the server is the only one that needs to be classic and risky. I don't think it's possible to keep sandboxing on the server though, but I'm not an expert on that. If you have any ideas, please share. I'm +1 on the highly experimental tag. That's what the edge channel in the store is for. If you push it we can get more feedback and maybe more hands to help polishing the snap. And it won't be visible on the store, only the users who know about it will install it. I've shared all your comments with my teammates. pura vida. |
I've spent a little more time on this.
|
Hi! I was asked to comment on the last bullet point: "As for sandboxing and security: I'm not so sure Snappy is a good solution for Mosh, which is very much a systems app. I realized that only mosh-client can be effectively sandboxed by Snappy; both mosh and mosh-server do need wider access to the host system. Additionally as a Perl script, mosh seemed particularly unhappy under Snappy-- it wasn't able to find a standard module when I ran it in devmode, is the Perl story really fully in place yet? I also noticed that snapcraft stripped the setgid bit off /usr/lib/x86_64-linux-gnu/utempter/utempter (but it still seems to work, I don't know how). I think some finer grained sandboxing with AppArmor and/or seccomp may be a better solution for Mosh." I'll respond to the individual points raised in this bullet:
Snappy can be a nice solution for mosh even when using classic confinement IMHO in that it can provide a nice delivery mechanism that you control and this can be tied to things such as travis or Launchpad builds, etc. While the security stance is no different than a deb or rpm in this case, you are able to deliver your software on your terms to multiple distributions with one snap. |
This is a package for the installation of apps that works in most Linux distributions.
Landing it upstream will enable frequent builds that then can be distributed to many users through the Ubuntu store.