kentonv changed the topic of #sandstorm to: Welcome to #sandstorm: home of all things sandstorm.io. Say hi! | Have a question but no one is here? Try asking in the discussion group: https://groups.google.com/group/sandstorm-dev
frigginglorious1 has joined #sandstorm
frigginglorious has quit [Ping timeout: 268 seconds]
frigginglorious1 is now known as frigginglorious
ill_logic has joined #sandstorm
frigginglorious has quit [Ping timeout: 268 seconds]
imdeni has quit []
imdeni has joined #sandstorm
abliss has joined #sandstorm
<abliss> CaptainCalliope: are you still using the matrix gateway to chat here? do you self-host your matrix server
frigginglorious has joined #sandstorm
<abliss> i'm curious about (a) which of the self-hostable next-gen chat platforms has the best story for migrating off IRC, and (b) whether it can be sandstormized. (did rocket.chat ever go anywhere? why do there have to be so many next-gen chat platforms?)
ill_logic has quit [Ping timeout: 265 seconds]
abliss has quit [Quit: Quit]
abliss has joined #sandstorm
abliss has quit [Quit: authenticating]
abliss has joined #sandstorm
<abliss> Hello, testing from inside riot.im connected to matrix.org through the freenode irc gateway...
frigginglorious has quit [Read error: Connection reset by peer]
frigginglorious has joined #sandstorm
ill_logic has joined #sandstorm
strugee has joined #sandstorm
<isd> abliss: re: rocket.chat, I know the inkscape project is using it (though not via sandstorm...)
<isd> Apps that use federated protocols on sandstorm are hard, in that they really do need to ask for the ability to contact any server up front, which is unfortunate.
<isd> The sandstorm rocket.chat port had a really neat feature where you could share grains via the chat.
<isd> I think that shows some real potential for sandstorm-first apps.
<isd> I'd love to put some thought into how sandstorm can better support federation, both of itself and apps that run on it.
<abliss> yeah, I loved the grain-sharing feature in rocket.chat. Though IIRC the mobile app never worked, right?
<isd> Not sure whether it ever worked, but I do remember a lot of discussion of it not working.
<TimMc> heh
ill_logic has quit [Ping timeout: 265 seconds]
<isd> I'm re-reading https://gitlab.com/spritely/ocappub/blob/master/README.org and thinking about how that might work in the context of sandstorm.
<isd> In particular, it uses bear: urls for capabilities. That still clashes with sandstorm's model, since even though they do represent a capability model, you still need net access to fetch them.
<isd> Maybe sandstorm (or some app that provides a "driver" for ocappub) could membraneify those, so that the app sees urls that sandstorm knows about, and it re-maps them on the way in and out?
<isd> !!! idea: could we provide a driver app (or build it into sandstorm) that understands html/json/etc and proxies for apps, substituting urls it sees in those formats for cap urls that point at itself? If it maintains the mapping it could allow apps to transitively crawl the web without running afoul of not having a cap to something it sees a link to.
<isd> (this is independent of ocappub)
<abliss> what's the main reason to restrict grains from arbitrary net access? is the threat model that they'll phone home with user's private data and leak it?
<isd> That's the one that gets talked about, yeah
<abliss> what if we just make all requests go through an auditable logging MITM proxy (by installing a trusted cert into its HTTPS stack)? then users could see everything that goes in and out. if users detected leakage of private data (or suspicious encrypted blocks) they could retaliate with low market ratings.
<isd> Probably a good idea for apps that request full network access anyway, but I don't think that's sufficient to just say to heck with it and let apps access whatever.
<isd> I mean, some apps may still legitimately require full network access.
<abliss> there's also the idea that users could choose to only install open-source apps and/or apps signed by someone they trust.
<abliss> i feel like if you really don't trust the app or its author or its packager, nothing short of total tnet
<abliss> ...network isolation can possibly save you
ill_logic has joined #sandstorm
<isd> sure, but the plan is for that to be the default.
<abliss> with sufficient cleverness, any kind of access you can imagine granting can probably be abused to leak private data
<isd> I think granting access to specific hosts does a bit better than that.
<isd> For example, if my threat model is I don't want Facebook to see my stuff, but I trust $website not to share my data with them, if $app requests access to $website, I don't really have to trust $app not to leak data to Facebook, I just have to trust $website
<isd> hosts/urls
<abliss> ok, so then make it transitive? $website publishes some statement saying "i share stuff with $other_website but it's cool, you can trust it not to contact $facebook" ?
<abliss> like maybe you pass it a list of sites you don't trust (facebook, google) and it passes you back a list of sites it trusts not to talk to them?
<isd> Hm, worry: all of this assumes the target is itself not sandboxed. I could see this being abused to allow grains to collude to get to the outside world.
<isd> Besides the phoning home angle, I also worry about apps being compromised and used as part of botnets; we have this problem with IoT devices right now
<isd> But if they only have network access to specific targets, that makes them not very useful as part of a botnet.
frigginglorious has quit [Ping timeout: 265 seconds]
frigginglorious has joined #sandstorm
ill_logic_ has joined #sandstorm
ill_logic has quit [Ping timeout: 240 seconds]
ill_logic_ has quit [Ping timeout: 265 seconds]
ocdtr_web has joined #sandstorm
<ocdtr_web> One thing that's always scared me is third party clients.
<ocdtr_web> If I get a GitHub client, how do I know it won't exfiltrate my data to the developer?
<ocdtr_web> Unless the app can only talk to GitHub.
ill_logic_ has joined #sandstorm
ocdtr_web has quit [Remote host closed the connection]
ill_logic_ has quit [Ping timeout: 240 seconds]
ill_logic has joined #sandstorm
frigginglorious has quit [Ping timeout: 268 seconds]
<xet7> ocdtr_web: Even if the app can only talk to GitHub, it can also secretly post your private repo data to some other private repo
frigginglorious has joined #sandstorm
ill_logic has quit [Ping timeout: 272 seconds]
<isd> I'd really like to be able to experiment with level 3 (federated, basically) capnp rpc. It wouldn't solve legacy protocols, but would allow pretty seamless federation for sandstorm-first apps without sacrificing ocap benefits.
<isd> Ug, caffeine, why aren't you working :(
frigginglorious has quit [Ping timeout: 240 seconds]
frigginglorious has joined #sandstorm
frigginglorious has quit [Ping timeout: 260 seconds]
frigginglorious has joined #sandstorm
<CcxWrk> Yeah, you would have to build the ActivityPub/OCapPub part outside of grains. The very same way SMTP is handled.
frigginglorious has quit [Ping timeout: 240 seconds]
frigginglorious has joined #sandstorm
frigginglorious1 has joined #sandstorm
frigginglorious has quit [Ping timeout: 265 seconds]
frigginglorious1 is now known as frigginglorious
frigginglorious has quit [Read error: Connection reset by peer]
frigginglorious has joined #sandstorm