mnutt has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
azirbel has joined #sandstorm
mnutt has joined #sandstorm
<quickQuestion>
hey guys I got another question. Hypothetically if some evil person managed to gain access to sandcats.io would they be able to man in the middle all of the connections by opening up two separate https connections one with the person and one with their home server and then proxying all the information between those two connections. While the person just
<quickQuestion>
thinks he has a single https connection directly to his server? Please forgive me if this sounds ignorant or uneducated, but I'm still wrapping my head around how https works.
<asheesh>
Hey quickQuestion
<asheesh>
You have the only private key that is valid for your server.
<asheesh>
That is to say, we don't store a copy of your private key.
<asheesh>
So overall - no, if they compromise sandcats.io, they can't man-in-the-middle the connection the way you describe.
<asheesh>
Having said that, if they compromise sandcats.io, they can request a new certificate that is also valid to be yourserver.sandcats.io.
<asheesh>
I'd like to, in the long run, offer a service for Sandstorm/sandcats users where they can check if a rogue party has gotten certificates for their domain.
<asheesh>
But that's a fundamental issue with the way DNS and certificates get bound together, I think.
<dwrensha>
then I accidentally restarted the server :(
<kentonv>
it restarts itself after 60 seconds when it hits that state
<dwrensha>
hmm... actually it looks like it got a SIGABRT
<dwrensha>
is that what you would expect?
<kentonv>
yes
<dwrensha>
ok
<kentonv>
it aborts itself
<kentonv>
that said, we haven't seen that bug in months. I thought it was gone. :/
<dwrensha>
do you still get notifications about it?
<kentonv>
I haven't seen it in prod for months.
<dwrensha>
like, if it's automatically restarting, maybe you just didn't notice it
<kentonv>
we have logs
<kentonv>
like, it definitely hasn't happened in the last 30 days in Oasis
<kentonv>
anything unusual about your build?
<dwrensha>
I don't think so
<dwrensha>
I was in ./run-dev.sh mode
<dwrensha>
and I think the server had just restarted
<quickQuestion>
Hey asheesh thanks for the helpful reply, makes me feel much better :-) I guess if rogue party has gotten certificates for my domain they can redirect me to their own server and start phishing me for my details so that they can then log into my server and steal stuff, but that sort of thing maybe could be mitigated with some sort of ip whitelist
<quickQuestion>
on my server that only accepts connections from trusted IPs. Anyway thanks for the help
jadewang has quit [Remote host closed the connection]
frigginglorious1 has joined #sandstorm
jadewang has joined #sandstorm
BigShip has quit [Remote host closed the connection]
jadewang has quit [Remote host closed the connection]
jadewang has joined #sandstorm
TwoJames has quit [Ping timeout: 244 seconds]
TwoJames has joined #sandstorm
sydney_untangle has quit [Ping timeout: 252 seconds]
neynah has joined #sandstorm
sydney_untangle has joined #sandstorm
frigginglorious1 has quit [Quit: frigginglorious1]
jadewang has quit [Remote host closed the connection]
frigginglorious has quit [Quit: frigginglorious]
frigginglorious has joined #sandstorm
<nwf>
Pardon a dumb question, channel, but what's so special about port 23136? ;)
<nwf>
(supervisor.c++ goes to great lengths to bring up a dummy network interface within the container and wire it so that iptables sends all traffic to port 23136 locally. I don't see the other half of that transparent proxy?)
<kentonv>
nwf: it's up to the app to provide the other half
<kentonv>
the app could spawn a background process that listens on 23136 and then forwards to the interfaces defined in ip.capnp (IP-over-Cap'n Proto)
<kentonv>
however, in practice we didn't quite get this to work
<kentonv>
possibly we should delete the supervisor code
<nwf>
*Oh*, that's 23136 in the container, not in the root namespace.
<kentonv>
indeed
<nwf>
OK, then I will not discuss it in the langsec paper.
jemc has quit [Quit: WeeChat 1.4]
<kentonv>
we're basically tricking Linux into providing a loopback thingy, so that existing code that tries to connect out could be intercepted by a ship in the app
<kentonv>
shim*
preilly has quit [Excess Flood]
preilly has joined #sandstorm
preilly is now known as Guest76293
<kentonv>
a good app should use the capnp interfaces directly but that could require rewriting a lot
<kentonv>
anyway, yeah, probably not interesting for the paper
<nwf>
Understood. Why iptables-based forwarding on a dummy device rather than a tun device?
<nwf>
(If you tell me that /dev/net/tun is not namespace aware I will chortle but understand.)
<kentonv>
tun seemed like more work because the proxy would need to understand the tun protocol rather than receiving regular-old TCP connections. But we may very well go that way when we pick this work up again later.
jemc has joined #sandstorm
* nwf
nod
<nwf>
Thanks!
jadewang has joined #sandstorm
jadewang has quit [Ping timeout: 246 seconds]
frigginglorious has quit [Quit: frigginglorious]
jadewang has joined #sandstorm
jadewang has quit [Ping timeout: 244 seconds]
mnutt has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
frigginglorious has joined #sandstorm
TwoJames2 has joined #sandstorm
TwoJames has quit [Read error: Connection reset by peer]
frigginglorious has quit [Quit: frigginglorious]
jadewang has joined #sandstorm
sydney_untangle has quit [Ping timeout: 252 seconds]
TwoJames2 has quit [Read error: Connection reset by peer]
<asheesh>
I think that quickquestion, if you end up reading these archives - someone could in fact steal your Meteor resumeToken to impersonate you.
jadewang has joined #sandstorm
sydney_untangle has quit [Ping timeout: 240 seconds]
jadewang has quit [Ping timeout: 276 seconds]
sydney_untangle has joined #sandstorm
synchrone has joined #sandstorm
raoulzecat has quit [Ping timeout: 246 seconds]
Try`0xff is now known as Tryum
jemc has quit [Ping timeout: 248 seconds]
jadewang has joined #sandstorm
jadewang has quit [Ping timeout: 244 seconds]
dcb has quit [Ping timeout: 260 seconds]
jadewang has joined #sandstorm
jadewang has quit [Ping timeout: 244 seconds]
dcb has joined #sandstorm
jadewang has joined #sandstorm
jadewang has quit [Ping timeout: 260 seconds]
aggelos_ has joined #sandstorm
jadewang has joined #sandstorm
jadewang has quit [Ping timeout: 248 seconds]
sydney_untangle has quit [Remote host closed the connection]
sydney_untangle has joined #sandstorm
asmyers has joined #sandstorm
asmyers has quit [Remote host closed the connection]
asmyers has joined #sandstorm
sydney_untangle has quit [Ping timeout: 268 seconds]
sydney_untangle has joined #sandstorm
jadewang has joined #sandstorm
jadewang has quit [Ping timeout: 248 seconds]
Tryum is now known as Try`0xff
raoulzecat has joined #sandstorm
decipherstatic has quit [Quit: Leaving]
Try`0xff is now known as Tryum
jadewang has joined #sandstorm
jadewang has quit [Ping timeout: 244 seconds]
frigginglorious has joined #sandstorm
NOTevil has joined #sandstorm
synchrone has quit [Quit: Leaving.]
synchrone has joined #sandstorm
jadewang has joined #sandstorm
jadewang has quit [Ping timeout: 240 seconds]
sydney_untangle has quit [Ping timeout: 252 seconds]
sydney_untangle has joined #sandstorm
tdfischer_ has joined #sandstorm
dlitz_ has joined #sandstorm
phildini_ has joined #sandstorm
iangreenleaf_ has joined #sandstorm
sydney_untangle has quit [*.net *.split]
tdfischer has quit [*.net *.split]
dlitz has quit [*.net *.split]
XgF has quit [*.net *.split]
iangreenleaf has quit [*.net *.split]
nicolagreco has quit [*.net *.split]
phildini has quit [*.net *.split]
xet7 has quit [Quit: Leaving]
iangreenleaf_ is now known as iangreenleaf
sydney_untangle has joined #sandstorm
BigShip has joined #sandstorm
* BigShip
waves good morning
jadewang has joined #sandstorm
XgF has joined #sandstorm
jadewang has quit [Ping timeout: 248 seconds]
jemc has joined #sandstorm
sydney_untangle has quit [Ping timeout: 264 seconds]
sydney_untangle has joined #sandstorm
rustyrazorblade has joined #sandstorm
mnutt has joined #sandstorm
jemc has quit [Quit: WeeChat 1.4]
jemc has joined #sandstorm
Tryum is now known as Try`0xff
jadewang has joined #sandstorm
eternaleye has quit [Remote host closed the connection]
M-eternaleye has joined #sandstorm
<BigShip>
It is possible to upload to davros from terminal?
neynah has joined #sandstorm
xet7 has joined #sandstorm
<asheesh>
Howdy BigShip
<BigShip>
Hello!
<asheesh>
Yeah - if you use the "owncloudcmd" program.
<asheesh>
Or other WebDAV clients.
<asheesh>
And good morning!
<BigShip>
I tried using owncloudcmd and it came back with some "https scheme" error
<asheesh>
Oh, interesting.
<BigShip>
It told me to "get outa here"
<BigShip>
:D
IceQUICK has joined #sandstorm
<asheesh>
It's worked for me in the past. Can you try with a new grain with no important information in it, and paste the error into a github issue for Davros?
<BigShip>
Sure! I was just setting it up so it doesn't have anything in it yet. I'll get a better idea after work. Off my lunch break now
<asheesh>
(thanks to kentonv for helping me think through that)
<asheesh>
Well most of that is stuff that doesn't take a super huge amount of time. But yes! I guess I have.
<BigShip>
Oh! I saw that a couple of times and when I refreshed the page it went away and never came back :D
<asheesh>
You might have seen the other warning, the one about wildcard host.
<BigShip>
yeah, wildcard host
<asheesh>
I also doubled the amount of time it waits, per zarvox's request, since it was showing up for people whose servers were configured fine.
<BigShip>
Ah, that would make sense then
<asheesh>
So hopefully since Monday, you don't see it at all anymore if your server is configured fine.
jemc has left #sandstorm ["WeeChat 1.4"]
<BigShip>
I haven't seen it since the initial setup :)
IceQUICK has quit [Read error: Connection reset by peer]
asmyers has quit [Ping timeout: 260 seconds]
rustyrazorblade has quit [Quit: rustyrazorblade]
wolcen_ has quit [Remote host closed the connection]
mnutt has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
asmyers has joined #sandstorm
<mrdomino>
dwrensha: in gitlab's sandstorm-pkgdef.capnp, start.sh and continue.sh are referred to with relative paths. however, my pwd appears to be /, and the files aren't there for me. i don't see any significant difference between the gitlab setup and mine.
<mrdomino>
it looks like pwd should be /opt/app but it isn't for me for some reason... i wonder why
<mrdomino>
nvm think i found it, i'll get my source online too in a bit
asmyers has quit [Remote host closed the connection]
asmyers has joined #sandstorm
<dwrensha>
mrdomino: the sourceMap thing can be confusing
<mrdomino>
yeah
<asheesh>
It probably doesn't help that I hardly understand it and I co-wrote vagrant-spk.
<mrdomino>
currently it takes over a minute to get to an exception after starting... gonna look into a rubygems shim to try to speed it up a bit
jadewang has quit [Remote host closed the connection]
<asheesh>
mrdomino: If you're in 'spk dev' mode, then you could try dwrensha's secret patch that makes ruby load 10x faster.
<mrdomino>
i'm in vagrant-spk dev mode
<mrdomino>
does that patch also work in production?
<dwrensha>
I could give you a sandstorm binary that you could drop into your vagrant box
<mrdomino>
i certainly wouldn't complain
<mrdomino>
hmm how can i get a shell in a grain's sandbox? i want to see if something really dumb is happening like rails server listening on the wrong port or something
<asheesh>
There's some semi-unsupported hackery called "vagrant-spk devjoin" and a similar trick with "nsenter".
<asheesh>
I guess people really do want that stuff so I really should make it work for people soon.
<asheesh>
Anyway, for now, let me dig you up the issue so you can use the hack.
<mrdomino>
ok, git submodules are never the answer
<mrdomino>
at least in this case, the -sandstorm and upstream fork projects are so tightly coupled that it's insane to have to push to two repos just to update the upstream
<dwrensha>
mrdomino: to try my faster `spk dev`
<dwrensha>
first, make sure UPDATE_CHANNEL=none in /opt/sandstorm/sandstorm.conf
<dwrensha>
then `sudo sandstorm update sandstorm-faster-fuse.tar.xz`
<mrdomino>
all in the guest i'm assuming?
<dwrensha>
and let me know how it goes!
<dwrensha>
yes, in the guest
<asheesh>
BTW hi mrdomino!
<mrdomino>
hmm and what's the performance issue it addresses?
<mrdomino>
hi asheesh!
<asheesh>
C++ exceptions on ENOENT mean 70% CPU time is spent in exception handling.
<asheesh>
ENOENT should be fast & cheap, but it wasn't, so dwrensha made it fast & cheap.
<mrdomino>
ohhhhh
<mrdomino>
oh dang that might be it
<asheesh>
Keep in mind that when the app runs in 'vagrant-spk dev' aka 'spk dev' mode, the filesystem mappings described in sandstorm-pkgdef.capnp are implemented via a FUSE filesystem that Sandstorm provides.
<asheesh>
This FUSE filesystem is implemented in C++ and you can read its source etc., but that's where the above optimization happens.
<asheesh>
Now it does happen to be true that many sandstorm-pkgdef.capnp filesystem mappings can be implemented via filesystem namespaces or something, but we always use this FUSE filesystem 100% of the time in 'spk dev' aka 'vagrant-spk dev' mode, so performance problems in it will affect all 'vagrant-spk dev' aka 'spk dev' use.
<mrdomino>
ok so perhaps i should give it a shot before i spend a lot of time trying to rip rubygems out of this app
<asheesh>
btw cc: phildini_, I believe you were running into this a while ago.
mnutt has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
frigginglorious has quit [Quit: frigginglorious]
frigginglorious has joined #sandstorm
asmyers has quit [Ping timeout: 276 seconds]
fkautz has quit [Ping timeout: 240 seconds]
fkautz has joined #sandstorm
<dlitz_>
Hey, is there anyone looking at the Sandstorm UX for Android users? Even just a wiki of Android apps that are known to work with Sandstorm?
dlitz_ is now known as dlitz
dlitz has quit [Quit: Quitting]
mnutt has joined #sandstorm
dlitz has joined #sandstorm
BigShip has quit [Quit: Page closed]
<dlitz>
Hey, is there anyone looking at the Sandstorm UX for Android users? Even just a wiki of Android apps that are known to work with Sandstorm?
<dlitz>
(sorry if that's a dupe; connectivity issues)
<mrdomino>
wow, webrick is dying on getaddrinfo failing now
<asheesh>
Aw, poor webrick mrdomino
<asheesh>
/etc/hosts might be its friend.
jemc has joined #sandstorm
<mrdomino>
indeed
<mrdomino>
hrm this is still slow as hell even with the patched sandstorm
<dwrensha>
mrdomino: is there a noticeable difference?
<mrdomino>
it does seem a bit faster, but i also switched from unicorn to webrick at the same time
<mrdomino>
holy shit it booted
<mrdomino>
wow
<mrdomino>
my first sandstorm app page other than the spinner
<asheesh>
I misunderstood the question and thought you were asking about the Sandstorm web app's mobile UI, but I now believe you are talking about "native" installable-onto-a-phone Android apps that can communicate with a grain running within Sandstorm.
NOTevil has quit [Quit: Leaving]
<mrdomino>
aw man, these guys don't use devise
<mrdomino>
wow, they've written kind of a big user and auth thing
BigShip has joined #sandstorm
BigShip has quit [Changing host]
BigShip has joined #sandstorm
xet7 has quit [*.net *.split]
XgF has quit [*.net *.split]
TC01 has quit [Ping timeout: 276 seconds]
TC01 has joined #sandstorm
xet7 has joined #sandstorm
XgF has joined #sandstorm
raoulzecat has quit [Ping timeout: 244 seconds]
mnutt has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
neynah has joined #sandstorm
raoulzecat has joined #sandstorm
TwoJames has quit [Ping timeout: 240 seconds]
TwoJames has joined #sandstorm
frigginglorious has quit [Ping timeout: 276 seconds]
TwoJames has quit [Ping timeout: 268 seconds]
TwoJames has joined #sandstorm
rustyrazorblade has quit [Quit: rustyrazorblade]
chuan has quit [Remote host closed the connection]
<ocdtrekkie>
dlitz, off the top of my head, Tiny Tiny RSS (with its embedded forked Android client) and Davros (using the ownCloud client) are the only two Sandstorm apps with native Android clients. Also, Radicale uses CalDAV and CardDAV, and should work with most calendar and contacts apps, I believe.
<ocdtrekkie>
So, from the Ports In Dev Wekan about like... OpenStreetMap data being large. I had a ponder.
<ocdtrekkie>
The problem with dumping a large repository of data in the SPK, is every app update that a user might have would have a duplicate copy on your Sandstorm server. So while like, your map data might be the same between your SPKs, you might have three times that data on your server if it's in the SPK file. Which is bad.
<ocdtrekkie>
And in something like mapping data, there is no reason for different users to have different versions, and if your format doesn't change (it shouldn't), there's no reason for your users to have old versions of it.
rustyrazorblade has joined #sandstorm
<ocdtrekkie>
So you'd almost want like a single repository for OSM data, one per server, always with the latest data available to it.
<ocdtrekkie>
The previous time I thought about an app that might want a metric crudton of static data was like... a customizable card game, which might have a few thousand card images in it, and occasionally you might add to that. You wouldn't want a bug fix to dump a whole extra copy of that data on your server, and there'd be little reason for SPKs to need the older version.
<BigShip>
asheesh: okay, so it turns out the davros error was because ubuntu ships an owncloudcmd version that's just too damn old.