Monday, February 20, 2023
apps@conference.yunohost.org

[08:50:31] <florent> I announced the release of ElasticSearch / OpenSearch packages:
https://forum.yunohost.org/t/elasticsearch-7-elasticsearch-8-opensearch-packaged/23730
[08:51:19] <florent> Can anyone help me on that? That's probably silly as hell, but I could not figure how to do that…
[08:51:38] <florent> However, i have had difficulties to set new tags for this topic on discourse (and especially relevant ones)
[09:23:04] <tituspijean> No problem, standard users cannot create new tags
[09:23:54] <tituspijean> florent: done!
[09:24:59] <tituspijean> Mmmmh no. They are being removed upon validation :/
[09:25:53] <tituspijean> Aaaand done. :)
[09:51:23] <florent> \o/ Manifest v2 offers an entry to see which type of db is used by the packaged app. That's awesome!
[15:07:38] <Salamandar> Hi, i got a small question for a new package
[15:07:49] <Salamandar> systemd hardening gets in the way
[15:07:49] <Salamandar> ("restart nginx" -> sudo systemctl restart nginx)
[15:07:49] <Salamandar> buuuuuuuuuuuuuuut
[15:07:50] <Salamandar> i'm packaging OliveTin, it's a "thing" that allows to run commands via buttons on a web page
[15:10:04] <Salamandar> like, i added a sudoer file with this :

```
Cmnd_Alias RESTART_NGINX_CMD = /usr/bin/systemctl restart nginx
olivetin ALL = NOPASSWD: RESTART_NGINX_CMD
```
[15:10:08] <Salamandar> so i can run `sudo -u olivetin sudo systemctl restart nginx`
[15:10:42] <Salamandar> but when it's run by my systemd service:

```
sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?
```
[15:11:55] <Salamandar> it's because systemd creates a sandbox if the service has any `Private*`, `Restrict*`, or `Protect*` options
[15:12:28] <Salamandar> Do you think it's "very bad" to remove those options for this app ?
[15:15:18] <Aleks (he/him/il/lui)> uuuuuuh
[15:15:18] <Aleks (he/him/il/lui)> is "systemctl restart nginx" really the core use case of this x_X
[15:16:41] <Aleks (he/him/il/lui)> i'm confused x_x
[15:16:41] <Aleks (he/him/il/lui)> does this sandbox thing even get in the way if you have `User=olivetin` in the conf o_O ?
[15:17:27] <Aleks (he/him/il/lui)> ah, the sandboxing thing affects the way the `/usr/bin/sudo` is available ? Like it's mounted with some weird option stuff on the sandbox FS or something ?
[15:18:07] <Aleks (he/him/il/lui)> i'm confused because if i recall correctly, the borg app does use sudoers stuff too, but maybe it doesn't have the Private etc config bits
[15:18:39] <Aleks (he/him/il/lui)> https://github.com/YunoHost-Apps/borg_ynh/blob/master/conf/systemd.service#L7 uuuuh wat :|
[15:18:55] <Aleks (he/him/il/lui)> ah yes it's the `borg` user running `sudo /path/to/script` nvm
[15:19:12] <Aleks (he/him/il/lui)> thouuuuugh
[15:19:13] <Aleks (he/him/il/lui)> hmmmm
[15:19:26] <Aleks (he/him/il/lui)> thinking intensifies
[15:20:54] <Aleks (he/him/il/lui)> yeah it's definitely fishy ...
[15:21:18] <Aleks (he/him/il/lui)> Salamandar: anyway yeah it's not such a huge deal to not sandbox it though you should be extra careful imho ...
[15:22:12] <Salamandar> > <@Alekswag:matrix.org> ah, the sandboxing thing affects the way the `/usr/bin/sudo` is available ? Like it's mounted with some weird option stuff on the sandbox FS or something ?

Yes
[15:22:46] <Salamandar> It removes the visibility of SUID, so sudo is a "normal" executable that doesn't allow privilege escalation
[15:22:48] <Aleks (he/him/il/lui)> in a perfect world where YunoHost would have similar permission system than Android, there would be something warning the admin that "This app requires unsandboxed runtime which increases the security risk for this app" or something idk
[15:23:14] <Salamandar> > <@Alekswag:matrix.org> https://github.com/YunoHost-Apps/borg_ynh/blob/master/conf/systemd.service#L7 uuuuh wat :|

ah yes weird
[15:23:54] <Salamandar> > <@Alekswag:matrix.org> in a perfect world where YunoHost would have similar permission system than Android, there would be something warning the admin that "This app requires unsandboxed runtime which increases the security risk for this app" or something idk

eh eh
[15:24:26] <Aleks (he/him/il/lui)> still not sure to understand the usual use case for this app, like, do you really want to run `systemctl restart nginx` ?
[15:24:53] <Aleks (he/him/il/lui)> `systemctl restart nginx` has other implications like ... if you restart nginx via some sort of API running behind nginx, you're effectively cutting the branch you're sitting on
[15:26:21] <Aleks (he/him/il/lui)> and then you can expect to have like a 500 / 502 / 504 error
[15:26:45] <Aleks (he/him/il/lui)> like, A client enters the bar, orders a beer, therefore the waitress kicks everybody out of the bar including the new client, now the bar is closed, but it opens back up just a few seconds after that, and now all clients are confused as hell
[15:35:38] <eric_G> I understood the last part 😄 🍻
[16:18:10] <Salamandar> > <@Alekswag:matrix.org> still not sure to understand the usual use case for this app, like, do you really want to run `systemctl restart nginx` ?

Yes that's the idea
[16:18:30] <Salamandar> > <@Alekswag:matrix.org> like, A client enters the bar, orders a beer, therefore the waitress kicks everybody out of the bar including the new client, now the bar is closed, but it opens back up just a few seconds after that, and now all clients are confused as hell

hahaha
[16:18:31] <Salamandar> Well i tried and it works :p
[16:18:47] <Salamandar> I just don't get the reply until i reload the web page to get the stdout stderr logs
[16:18:51] <Aleks (he/him/il/lui)> > <@Salamandar:matrix.org> Yes that's the idea

but *why*
[16:18:53] <Salamandar> BECAUSE
[16:19:02] <Salamandar> home assistant is doing shit when behind a reverse proxy
[16:19:16] <Salamandar> so i find myself restarting nginx when graphs don't load anymore
[16:19:17] <Salamandar>
[16:19:23] <Aleks (he/him/il/lui)> :|
[16:19:29] <Salamandar> can't find the culprit
[16:20:04] <Salamandar> the other use case proposed is "restart plex" when the family wants to watch a movie but plex just crashed
[16:20:09] <Salamandar> and the owner of the server isn't here
[16:20:24] <Aleks (he/him/il/lui)> okay but if I understand correctly that's just your personal use case, not the general use case for that app 😅
[16:20:33] <Salamandar> > <@Alekswag:matrix.org> okay but if I understand correctly that's just your personal use case, not the general use case for that app 😅

ah yes no
[16:20:35] <Salamandar> indeed
[16:20:41] <Aleks (he/him/il/lui)> alright :P
[16:21:44] <Salamandar> the use case is "run bash commands" from web page
[16:21:45] <Salamandar> but not any bash commands : just the ones selected by the web server admin
[16:24:17] <Aleks (he/him/il/lui)> ok
[17:13:40] <Yunohost Git/Infra notifications> [package_linter] @alexAubin pushed 1 commit to master: Moving warnings from the core about consistency for apt resources vs database requirement ([1b4f9957](https://github.com/YunoHost/package_linter/commit/1b4f99575ee9f8ca19d7acfa9d1cd2ff974bccc2))
[17:39:40] <Yunohost Git/Infra notifications> [apps] @alexAubin pushed 1 commit to master: appsv2: add tricks to adapt change_url script ([56ffb0aa](https://github.com/YunoHost/apps/commit/56ffb0aabe2fd7aaaa34b3c7a34a1b2bc6416334))
[17:49:36] <Yunohost Git/Infra notifications> [example_ynh] @alexAubin pushed 1 commit to simplify-change-url: Simplify change_url syntax ([da9efedb](https://github.com/YunoHost/example_ynh/commit/da9efedb6aeea699a8e19fd65da82d1ea63417ca))
[17:49:36] <Yunohost Git/Infra notifications> [example_ynh] @alexAubin created new branch simplify-change-url
[17:57:59] <Yunohost Git/Infra notifications> [example_ynh] @alexAubin opened [pull request #201](https://github.com/YunoHost/example_ynh/pull/201): Simplify change_url syntax
[18:15:59] <Yunohost Git/Infra notifications> [example_ynh] @alexAubin merged [pull request #200](https://github.com/YunoHost/example_ynh/pull/200): Add dummies
[18:16:00] <Yunohost Git/Infra notifications> [example_ynh] @alexAubin pushed 9 commits to master ([f93c42019dfc...88b3072a4bfd](https://github.com/YunoHost/example_ynh/compare/f93c42019dfc...88b3072a4bfd))
[18:16:04] <Yunohost Git/Infra notifications> [example_ynh/master] Update upgrade - Éric Gaspar
[18:16:13] <Yunohost Git/Infra notifications> [example_ynh/master] Free doc tree - Éric Gaspar
[18:16:57] <Yunohost Git/Infra notifications> [example_ynh/master] Merge pull request #200 from ericgaspar/add-dummies Add dummies - Alexandre Aubin
[18:34:35] <Yunohost Git/Infra notifications> [package_linter] @alexAubin pushed 1 commit to master: Complain about dummy/placeholder messages in the doc/ folder ([f0b1c81a](https://github.com/YunoHost/package_linter/commit/f0b1c81a9aa462bbd1d094695127fb0d77a50f01))
[18:41:22] <Yunohost Git/Infra notifications> [wordpress_ynh] @alexAubin pushed 1 commit to cleanup: Cleanup old actions / useless config panel stuff ... ([bf14d3cd](https://github.com/YunoHost-Apps/wordpress_ynh/commit/bf14d3cdd81d3419291cc1574eed74bfe04816b3))
[18:41:59] <Yunohost Git/Infra notifications> [wordpress_ynh] @alexAubin opened [pull request #210](https://github.com/YunoHost-Apps/wordpress_ynh/pull/210): Cleanup old actions / useless config panel stuff ...
[18:42:49] <Yunohost Git/Infra notifications> [wordpress_ynh] @ericgaspar approved [pull request #210](https://github.com/YunoHost-Apps/wordpress_ynh/pull/210#pullrequestreview-1306224580) Cleanup old actions / useless config panel stuff ...
[18:43:09] <Yunohost Git/Infra notifications> [wordpress_ynh] @ericgaspar merged [pull request #210](https://github.com/YunoHost-Apps/wordpress_ynh/pull/210): Cleanup old actions / useless config panel stuff ...
[18:43:09] <Yunohost Git/Infra notifications> [wordpress_ynh] @ericgaspar deleted branch cleanup
[18:43:09] <Yunohost Git/Infra notifications> [wordpress_ynh] @ericgaspar pushed 2 commits to testing ([3ac4d78edb96...cfcf822cdf53](https://github.com/YunoHost-Apps/wordpress_ynh/compare/3ac4d78edb96...cfcf822cdf53))
[18:43:11] <Yunohost Git/Infra notifications> [wordpress_ynh/testing] Cleanup old actions / useless config panel stuff ... - Alexandre Aubin
[18:43:13] <Yunohost Git/Infra notifications> [wordpress_ynh] @yunohost-bot pushed 1 commit to testing: Auto-update README ([64ec144c](https://github.com/YunoHost-Apps/wordpress_ynh/commit/64ec144cc7092f8140db0c013b81fabc40fa2417))
[18:43:15] <Yunohost Git/Infra notifications> [wordpress_ynh/testing] Merge pull request #210 from YunoHost-Apps/cleanup Cleanup old actions / useless config panel stuff ... - Éric Gaspar
[18:54:04] <Yunohost Git/Infra notifications> [nextcloud_ynh] @kicroc2000 [commented](https://github.com/YunoHost-Apps/nextcloud_ynh/issues/554#issuecomment-1437429085) on [issue #554](https://github.com/YunoHost-Apps/nextcloud_ynh/issues/554) upgrade 22.2.10 ->25.0.3 error : PHP version: Hello, after a reboot of the server and a retry, I have still an error : the upgrade 22-> 23 seems ok, but 23-> 24 ends ...
[19:17:06] <Yunohost Git/Infra notifications> [apps] @alexAubin opened [pull request #1636](https://github.com/YunoHost/apps/pull/1636): Flag simple torrent as deprecated / upstream not maintained
[19:17:06] <Yunohost Git/Infra notifications> [apps] @ericgaspar pushed 2 commits to master ([56ffb0aabe2f...38b6e6f517ab](https://github.com/YunoHost/apps/compare/56ffb0aabe2f...38b6e6f517ab))
[19:17:06] <Yunohost Git/Infra notifications> [nextcloud_ynh] @ericgaspar [commented](https://github.com/YunoHost-Apps/nextcloud_ynh/issues/554#issuecomment-1437436457) on [issue #554](https://github.com/YunoHost-Apps/nextcloud_ynh/issues/554) upgrade 22.2.10 ->25.0.3 error : PHP version: try to deactivate fulltextsearch app before upgrading
[19:17:06] <Yunohost Git/Infra notifications> [apps/master] Flag simple torrent as deprecated / upstream not maintained - Alexandre Aubin
[19:23:20] <Yunohost Git/Infra notifications> [apps] @ericgaspar merged [pull request #1636](https://github.com/YunoHost/apps/pull/1636): Flag simple torrent as deprecated / upstream not maintained
[19:23:21] <Yunohost Git/Infra notifications> [apps] @ericgaspar pushed 2 commits to master ([38b6e6f517ab...0280c7813b0f](https://github.com/YunoHost/apps/compare/38b6e6f517ab...0280c7813b0f))
[19:23:21] <Yunohost Git/Infra notifications> [apps] @alexAubin created new branch simple-torrent-deprecated
[19:23:21] <Yunohost Git/Infra notifications> [apps] @ericgaspar created new branch set-simple-torrent-as-not-maintained
[19:23:21] <Yunohost Git/Infra notifications> [apps] @ericgaspar approved [pull request #1636](https://github.com/YunoHost/apps/pull/1636#pullrequestreview-1306245618) Flag simple torrent as deprecated / upstream not maintained
[19:23:21] <Yunohost Git/Infra notifications> [apps] @alexAubin pushed 1 commit to simple-torrent-deprecated: Flag simple torrent as deprecated / upstream not maintained ([19d79f9f](https://github.com/YunoHost/apps/commit/19d79f9f7900ca5459edab9393a8b9fb5f54c0cb))
[19:23:21] <Yunohost Git/Infra notifications> [apps] @ericgaspar pushed 1 commit to set-simple-torrent-as-not-maintained: Update apps.toml ([5f79556c](https://github.com/YunoHost/apps/commit/5f79556c600c4903a51060d9fd29851ca6c57d8a))
[19:23:21] <Yunohost Git/Infra notifications> [apps/master] Update app levels according to CI results - root
[19:23:21] <Yunohost Git/Infra notifications> [apps/master] Merge pull request #1635 from YunoHost/update_app_levels Update app levels according to CI results - Éric Gaspar
[19:23:21] <Yunohost Git/Infra notifications> [apps] @ericgaspar approved [pull request #1635](https://github.com/YunoHost/apps/pull/1635#pullrequestreview-1306246192) Update app levels according to CI results
[19:23:21] <Yunohost Git/Infra notifications> [apps] @ericgaspar deleted branch set-simple-torrent-as-not-maintained
[19:23:21] <Yunohost Git/Infra notifications> [apps] @ericgaspar merged [pull request #1635](https://github.com/YunoHost/apps/pull/1635): Update app levels according to CI results
[19:23:33] <Yunohost Git/Infra notifications> [apps/master] Merge pull request #1636 from YunoHost/simple-torrent-deprecated Flag simple torrent as deprecated / upstream not maint... - Éric Gaspar
[21:38:43] <gredin67> any clue ? https://github.com/YunoHost-Apps/opensondage_ynh/issues/89
[21:49:33] <Aleks (he/him/il/lui)> 😐
[21:52:20] <Krakinou> Hello, I'm working on moving my package to v2 and I have a question : I have a few packages where dependencies are "If machin = truc; then pkg_dependency = "$pkg_dependency somelib-dev someotherlib"; fi"
[21:52:29] <Krakinou> how can I achieve this with the v2?
[21:55:28] <Aleks (he/him/il/lui)> @_@
[21:56:06] <eric_G> like in Etherpad
[21:58:50] <Krakinou> yep, seems to be the same case, but I don't see where it's handled in the v2?
[22:00:01] <Krakinou> should I wait for the v3? 😀
[23:24:42] <Aleks (he/him/il/lui)> let me think / reread the code, there might be a way to use $FOOBAR variable that would be defined in _common.sh .. or maybe it's easy to implement
[23:25:06] <Aleks (he/him/il/lui)> Krakinou: can you provide more context ? what app is this exactly ?