<liam>
I'm porting an application, and it's injecting `(top == self) || top.location.replace(self.location.href);`
<liam>
My choice is either, hunt down and replace that in their codebase, or find a solution in SS.
<liam>
I manually injected into the SS grain view, `document.querySelector("iframe").sandbox = "";` and that did resolve it. (which enables all restrictions, although that's a bit much)
<kentonv>
we intend to apply iframe sandboxing at some point, but haven't done it yet. Unfortunately it does indeed break some things, so we have to be cautious.
<kentonv>
I think blocking top-navigation is something we should do by default
<liam>
well, +1 from me. if it's developer-toggleable (capnp?), that should make it a lot safer
<kentonv>
so rather than adding a way for your app to manipulate that setting, perhaps we should go ahead and turn it on for everyone
<kentonv>
maybe we can get away without breaking anything
<kentonv>
in the meantime, though, you should probably patch out that line from the app code.
<liam>
mk, thanks
<kentonv>
it's pretty common to patch out things like that when packaging for Sandstorm, FWIW
<liam>
Probably equally as common as people use that as a security measure :P
<kentonv>
it's a broken security measure though -- as you can tell since the parent page can block it using iframe sandbox.
<liam>
yeah, i know. CORS and server-side checking is the right way. This app lacks that. lol
<asheesh>
liam: Uh wow, you added iframe sandboxing as part of avoiding top navigation? Well that is one thing you can do. : D
<liam>
well, i mean, unless everyone starts using exactly my sandstorm install, i don't think it will work out xD
<liam>
i already worked out just modifying their codebase, so maybe i was just overengineering
<asheesh>
Oh, I see - I thought you meant that you were going to do it from inside the app. :)
<asheesh>
BTW what app?
<liam>
that was my question. turns out, can't do that.
<liam>
Phabricator
<asheesh>
: D
<liam>
I just have two more bits to do. Auto-registering users in their DB upon their login event. Auto-updating permissions upon login.
<zarvox>
liam: when I was playing with Phabricator on Sandstorm last, I commented out phabricator/src/view/page/PhabricatorBarePageView.php "$framebust" and phabricator/src/aphront/response/AphrontResponse.php the line with X-Frame-Options Deny
<liam>
hmmm that X-Frame-Options Deny wasn't giving me any problems
<liam>
(because it wasn't showing up in the headers)
<zarvox>
oh, it's possible Sandstorm strips that out or replaces it
<liam>
nginx inside the grain maybe?
<liam>
hm, don't see it there
<kentonv>
Sandstorm doesn't pass through those kinds of headers from apps
<zarvox>
I guess I took it out to be sure :P
<zarvox>
liam: do you plan to implement a separate "sandstorm" auth adapter? I think that's the path I'd recommend
<liam>
I've already done that.
<zarvox>
oh rad
<liam>
You need a PhabricatorSandstormAuthProvider, PhabricatorSandstormAuthAdapter, and PhutilSandstormAuthAdapter
<liam>
all of the docs i could find were out of date, had to figure it out based on the *PasswordAuth[Adapter|Provider] files
<zarvox>
and regenerating the __phutil_library_map__.php, right?
<liam>
yes, but instead of using `arc liberate` which takes ages, i'm just dumping them in the extensions folder
<liam>
it /is/ slower but (only marginally and) it should only impact when those files are actually used, eg, new grain, login/registration
<zarvox>
Heh. :)
<liam>
The login time is really bad though
<liam>
I think that's just my cheap hardware and old hdd though
<liam>
because the performance overall is pretty bad
<zarvox>
I never got a Sandstorm auth adapter working, so you're further along than I got, so I can't really judge if the perf is reasonable
<zarvox>
but in any event what you're doing is great :)
<asheesh>
I kinda wonder if PHP APC has a way to serialize cached APC to disk.
<asheesh>
Also I agree with mr. zarvox
<asheesh>
that what you're doing is great
<asheesh>
Admittedly my PHP optimization knowledge is trapped in 2006.
<asheesh>
I wonder if HHVM improves performance.
<liam>
My understanding is relatively surface level, it's been years since i've been paid to write PHP -- but my understanding is that, when Phabricator is looking for a class or file, it looks in those map files to find where it is on disk. Which is a giant associative array with 100k+ entries
<liam>
So, if your entry is in that file, it can stop the search when it finds it. By not regenerating that and instead using the extensions 'backfill', we pretty much guarantee it searches the entire file and then fails
<liam>
s/file/hashmap/
<asheesh>
Giant associative array with 100K+ entries doesn't have to be slow necessarily.
<liam>
>PHP
<asheesh>
I... er... right.
<liam>
:D
<liam>
i'm just using the autogenned LEMP stack, so, once it's "done" i'll try swapping out php-fpm for hhvm and see how it goes
<asheesh>
+1
<liam>
yeah i know the docs also said to definitely use APC and i'm not, so
<ocdtrekkie>
Interesting.
<ocdtrekkie>
So I updated and packaged EtherDraw.
<ocdtrekkie>
And it saw fit to embed like every font on my Linux VM.
<liam>
licensing nightmare
<asheesh>
Honestly enabling APC (wait, does LEMP not do that? if not, why not?) is usually free-of-cost and a 5x performance improvement.
<asheesh>
Also liam BTW the Sandstorm "spk dev" mode is a total filesystem performance hog and things are vastly better outside of 'spk dev'.
<liam>
because of the file monitoring for creating that uh... distribution file?
<liam>
forget the name
<asheesh>
sandstorm-files.list
<asheesh>
aka yes
<liam>
also, pretty sure APC is opt in with php-fpm, and i didn't see it in build
<asheesh>
Things I love, partial list:
<asheesh>
- Answering boolean questions with a non-empty string, to pun on the fact that non-empty strings are true
<ocdtrekkie>
I suspect what happened, is in previous builds, I never tried to add text to EtherDraw when running under spk dev.
<ocdtrekkie>
And at some point, doing so caused it this time to query all the system fonts.
<asheesh>
ragesoss: ^ since Piwik got tested, maybe you? :)
<asheesh>
liam: I'd be enthusiastic if you'd go submit a bug report to github.com/sandstorm-io/vagrant-spk requesting APC by default for lemp
<ocdtrekkie>
Okay, deleted all the font stuff from sandstorm-files.list and repackaged, and now the EtherDraw package is flavored the way it's supposed to.
<asheesh>
Aw, I love fonts.
<asheesh>
But: +1 to new version updates for things packaged similarly to their previous versions, ocdtrekkie
<asheesh>
Glad you were able to package that.
<ocdtrekkie>
As liam pointed out, I am pretty sure shoving 40 MB of fonts into the package would've been a licensing issue. ;)
<asheesh>
Moreover, thanks for taking the time to video-chat + screenshare with me a few weeks ago to help me understand the problems you were having.
<asheesh>
Meh, I think the licensing issue could have been overcome. :)
<ocdtrekkie>
Also, EtherDraw doesn't ACTUALLY let you change the font AFAICT.
<asheesh>
Now we have a good reason :)
<ragesoss>
asheesh: how can I get this build?
<asheesh>
Well then I will blindly click approve and believe you!
<ragesoss>
wait wait.
<ragesoss>
hold on.
<asheesh>
waiting
<ragesoss>
all those things worked on build 0.36.0 that I had.
<asheesh>
: )
<ragesoss>
I wasn't trying the experimental build, apparently.
<asheesh>
Yeah - it's semi-tough to use the actual experimental build.
<asheesh>
That's good that they all work on 0.36.0 though :D
<asheesh>
Also hi! I hope life is good, ragesoss
<kentonv>
FWIW you can tell if you're using the new build because the attach-file and attach-grain (plus) buttons have moved to the right (used to be on the left)
<kentonv>
since the upgrade-existing-grains button is broken right now, the easiest way to test upgrade is probably to download and restore a backup
<asheesh>
kentonv: It's too bad we don't have daily Sandstorm updates! (?) (!)
<liam>
you can set up your own buildbot from github :P
<kentonv>
well, I could push a release at any time, but honestly this is a problem that probably only affects us
<kentonv>
most people get updates via auto-update notifications, which work fine
<asheesh>
us = app authors? or us = Sandstorm core dev team?
<kentonv>
us = people trying to test app updates
<kentonv>
app authors probably test in dev mode which works
<ragesoss>
asheesh: tested again with version 0.39.0. It took several tries before the profile pick updated. (it took two tries on 0.36.0, so it's probably the same bugginess that was there before)
<ragesoss>
otherwise, everything works.
<liam>
is there an easy way to get a file out of a sandstorm instance? eg, something like, `vagrant-spk enter-grain [id] exec cat /path/to/file > localfile.txt`
<liam>
s/sandstorm instance/grain instance/
<asheesh>
liam: At the moment enter-grain doesn't have any such "exec" feature, though +1 that sounds great
<asheesh>
Also I had the idea today that I should make a github.com/sandstorm-io/app-alpha-testers github repo where GitHub issues would get auto-filed when a new version of an app is ready. Curious if you have any thoughts.
<ocdtrekkie>
I am not sure there is a lot of value in it right now for EtherDraw, asheesh. It's a very, very unchanging codebase. There were like three commits that affected the code in the last seven months.
<asheesh>
Hah, okay.
<liam>
it looks like the sandbox folder doesn't contain a true copy of the filesystem. I'm trying to get /etc/php/fpm/php.ini
<ocdtrekkie>
Someone asked me to update the EtherDraw package back in January, and it's finally done. >.<
<liam>
find .../grains/id/sandbox | grep fpm --< no hits
<liam>
i guess i can just copy from my terminal buffer lol
<asheesh>
For the rest, you need /opt/sandstorm/var/sandstorm/apps/{{appId}}
<liam>
Interesting. So, sandstorm relies on this to distinguish between 'app data' and 'grain data?'
<asheesh>
Ya; app code is mounted read-only; grain data is available read-write
<liam>
not there either. :/ just gonna copy from buffer
<liam>
RIP formatting
<liam>
Phabricator also relies upon always-running daemons. This... doesn't fit the grain model very well. What should I do about it?
<asheesh>
Your options are:
<asheesh>
- Discover that daemons only _really_ need to be running when users are making requests - if so, "just" make sure to start them with every inbound request
<liam>
hm, well i know the daemon is used for eg automatic buildbots and event timers/notifications. Things independent of a request
<liam>
whooo wakelock
<asheesh>
"automatic buildbots" sound like the kind of thing that _could_ rely on an inbound request - an API request from the buildbot, in particular.
<liam>
the buildbot is within phabricator
<asheesh>
"event timers/notifications" don't sound like the kind of thing that could rely on an inbound request, though.
<asheesh>
Oh, interesting.
<liam>
and operates on the aforementioned timer
<liam>
it also has an internal search cache which is rebuilt... whenever it feels like it? not sure exactly
<liam>
but i see that in the "daemon work queue" already
<liam>
tbh never used Phabricator in a production environment before, just decided to do this because i was bored
<asheesh>
ocdtrekkie: If you write up a doc that includes sentences like "Drag and click and you'll see the line moving around" then that would be totally OK. And if you don't feel like it, OK, but I thought I'd at least clarify what the minimum bar is.
<ocdtrekkie>
I am also unsure how much people care, because only one person has asked me about the app in a year. :P
<asheesh>
Well OK but the more you write up, the more I can get other random people on IRC to tell me to approve your app :)
<digitalcircuit>
asheesh, pardon my late reply (got sidetracked by classes, then fixing what I maybe broke in Quassel). Feel free to ask/ping in the future if you need stuff tested again!
<Tryum_>
Hello there ! Any sandstorm/piwik users here ?
<asheesh>
Hi Tryum_ !
<asheesh>
Yes - sup?
<dwrensha>
isd1: the fix has landed on master, but there has been no release yet
<dwrensha>
isd1: usually releases happen once a week, saturdayish
<isd1>
noted.
<liam>
When my SS grain starts, it wants an application configuration variable set to the Base URI (protocol + :// + FQDN + : + port). Is it possible for me to access this information in launcher.sh ?
<asheesh>
It has some answers; I can discuss more, too.
<asheesh>
"answers", well, more like "strategies"
<liam>
I hadn't seen this page but I knew of the header. I was hoping i could resolve it in launcher.sh though. If it's generating a base URL for every distinct user viewing the same grain, that's problematic lol
<asheesh>
FWIW it's even worse than that. It's every session from every user.
<liam>
oh boy rick
<liam>
i could probably just create a custom hook on every request to set the config like... within RAM? lol
<liam>
not onto disk, but inject myself into the parser somehow
<asheesh>
liam: Can you possibly set the config to the empty string? :)
<zarvox>
I vaguely remember you having to revert some fuse-related kernel patch or something?
<liam>
asheesh: it's empty string by default and the "Unresolved Setup Issues" says that "major features will not work properly until you configure it"
<asheesh>
Yeah - it's probably going to be sad about e.g. outbound email not making sense because it can't make a link to itself.
<liam>
hm. it's probably used for emailing. Willing to bet that won't work for me
<zarvox>
A lot of the email-related functionality is not going to fly, yet.
<liam>
if there was a way i could link to a specific... grain... either unique to the user or otherwise, i could get around it
<liam>
but meh. seems better to just wait for proper support on the SS end since trying to get the urls to generate good is practically impossible
<mokomull>
zarvox: I believe I did, yes. Ubuntu sauce specific.
<liam>
resolved as: wontfix ;)
<asheesh>
liam: :)
<zarvox>
mokomull: did you find a workaround, besides recompiling the kernel?
<zarvox>
mokomull: and/or did you file a bug anywhere about it?
<mokomull>
zarvox: asheesh: I don't know if any of us wrote up a bug report for it, so you should drive over and smack me on the head sometime.
<zarvox>
will do
<zarvox>
in the meantime, I'll nudge David to try vagrant-spk, which will pull in a Debian VM with a kernel that doesn't trip over this