<paulproteus>
er wait, reload, that version had all sorts of nonsense
<dwrensha>
are you going to talk about SSL certificates at all?
<paulproteus>
Client certificates or server?
<paulproteus>
Server, not in this post. (Maybe that means I should use a different non-activist example?)
<kenton>
Hmm, I like the flow of the introduction, but I wonder if talking about domestic protesters risks turning people off or being hard to identify with?
<paulproteus>
I could be convinced either way.
<paulproteus>
I find the example fascinating and attractive, but I know I'm not everyone.
<paulproteus>
Also the lack of HTTPS in Sandcats-enabled Sandstorm services does make it a bit farfetched.
<paulproteus>
I was then going to use the example of people who want to run their own health-related software, but maybe it's cruel to not have HTTPS for them, either.
<kenton>
hmm, it might also be a bit of a stretch to claim that this is accessible to non-techies as-is... it does still require a Linux machine and a shell.
<paulproteus>
I was thinking that, yeah.
<paulproteus>
The thing about the activists is that the _real_ sell is that the one tech person can set it up and then others can use it without having to ask for permission as much as with a less sandboxing-oriented system.
<paulproteus>
Which is IMHO the same attractive thing as for any other organization.
<paulproteus>
(because e.g. installing apps / creating new instances is supposed to be a basically safe thing for people to do)
<kenton>
yes... but sandcats is only simplifying life for the one tech person...
<paulproteus>
Yeah, exactly.
<paulproteus>
I'm agree with your disagreeing with me.
<paulproteus>
(-:
<paulproteus>
s/ agree / agreeing /
decipherstatic has joined #sandstorm
<kenton>
I kind of feel like sandcats is a thing that is unusually easy for us to explain (it's "Free automatic dynamic DNS for your Sandstorm server"). It may make sense for us to get that across as quickly as possible at the start of the article, before going into the background for why it's so great.
<paulproteus>
That's a possibly good idea. I'll try a rewrite with that in mind.
<paulproteus>
Random idea for you zarvox w/r/t vagrant-spk: For each *.deb that is installed on a system with vagrant-spk, Sandstorm could publish a corresponding files list, which is the subset of that package that will get included.
<zarvox>
Yeah, so you should be able to take that and just change up the syscalls a little ;)
<paulproteus>
Note that this may be the first Rust program I'll have ever written.
<paulproteus>
These yaks will be so finely shorn.
<kenton>
err are you writing the userns test in Rust?
<paulproteus>
Er yeah why what else was I going to do?
<kenton>
I guess mainly because they have a nice syscall wrapper macro
<kenton>
my usual expectation is that trying to use one relatively obscure thing (Rust) together with another relatively obscure thing (unshare() syscall) is likely to go badly
<kenton>
but I suppose it might work here
<paulproteus>
"what's the worst that could happen" (yeah, I'm timeboxing myself an hour to see how far I get)
<zarvox>
Well, it turns out there's a little more to it than that. A lot of things use optional modules, or need to build native code, or so on and so forth.
<kenton>
(for the userns detection)
<zarvox>
paulproteus: ^ re: files.list
<paulproteus>
zarvox: ya
<paulproteus>
I think it's possible to extend what I'm saying into something that makes more sense and handles some of those problems you've mentioned but will only attempt to do so later, rather than right now.
<zarvox>
For instance, I probably want to install composer, and composer may want to pull source from git (as it does for Piwik), and composer's build flow may want a toolchain, and I think all these things are reasonable, but I don't think I want to ship git or the toolchain in the spk
<zarvox>
So perhaps we need to distinguish "build-requires" and "runtime-requires" some day? And both get installed in the VM, but only the runtime-requires get included in the SPK by default?
<zarvox>
(suddenly, php5-cli pulls in an entire userspace, and it's hard to distinguish that which is needed from that which is not)
natea has joined #sandstorm
bengo has joined #sandstorm
jadewang_ has quit [Remote host closed the connection]
natea has quit [Quit: natea]
decipherstatic has joined #sandstorm
<paulproteus>
OK, not totally done, but nearly done.
<zarvox>
Close enough that it's better to stay on this horse to finish the race?
<paulproteus>
I think so yeah.
<paulproteus>
I guess what I'm doing doesn't handle EAGAIN very well for now.
<paulproteus>
I think that's fine.
<zarvox>
Heh.
<kenton>
EAGAIN?
<kenton>
paulproteus: how does EAGAIN come into play?
<paulproteus>
man 2 setuid says setuid() maybe can error with EGAIN.
<paulproteus>
(and then I should try again or something.) (I think this is not a big deal; I just noticed it while reading the man page. I could decide to handle it, but currently I plan to brazenly ignore it.)
<paulproteus>
You should read my source in a few seconds.
<paulproteus>
Or later.
<kenton>
paulproteus: how does EAGAIN come into play?
<kenton>
err
<kenton>
what just happened
<paulproteus>
<up> <enter>
<kenton>
why did it repeat the same thing I said already?
<kenton>
dammit
<paulproteus>
sorry!
<kenton>
I had typed out a whole sentence
<kenton>
but my enter key is right above my up key
<kenton>
grr
<paulproteus>
You can maybe <down> and get it back!