09:00:16 <jdieter> #startmeeting Towards an Atomic Workstation
09:00:16 <zodbot> Meeting started Tue Aug  2 09:00:16 2016 UTC.  The chair is jdieter. Information about MeetBot at http://wiki.debian.org/MeetBot.
09:00:16 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
09:00:16 <zodbot> The meeting name has been set to 'towards_an_atomic_workstation'
09:00:30 <jdieter> #meetingname flock2016
09:00:30 <zodbot> The meeting name has been set to 'flock2016'
09:00:56 <jdieter> So, what's the Fedora workstation?
09:01:00 <jdieter> Christian gave a talk an hour ago about it
09:01:09 <jdieter> Basically, it's a developer workstation
09:01:30 <jdieter> It's a traditional desktop, but slanted towards developers
09:01:40 <jdieter> We use lots of stuff from freedesktop.org
09:01:56 <jdieter> It's not just the graphical environment
09:02:03 <jdieter> Lots of other additional applications
09:02:06 <jdieter> Libreoffice is the big one
09:02:13 <jdieter> Mostly a pretty stock GNOME installation
09:02:18 <jdieter> With some other things
09:02:25 <jdieter> So what do we want to do next?
09:02:45 <jdieter> A lot of what we're doing right now is potentially changing how we distribute applications
09:03:08 <sgallagh> You can think of it as a way to sandbox applications
09:03:15 <jdieter> Flatpak is a way of sandboxing and distributing applications
09:03:23 <jdieter> Sandboxing isn't quite there yet
09:03:32 <sgallagh> A lot of the sandboxing features aren't finished. They depend on Wayland and cgroups features that are still being worked on
09:03:44 <jdieter> It has a concept of runtimes
09:04:02 <jdieter> A collection of libraries and dependencies which a application needs to run
09:04:15 <sgallagh> A collection of libraries and features like Cairo, gstreamers etc. that an application might expect to have available is a runtime
09:04:30 <sgallagh> There might be different layers: base, freedesktop, gnome, etc.
09:04:33 <jdieter> We don't anticipate that there will be too many runtimes available
09:04:47 <sgallagh> You also have applications that may include some pieces that are traditionally part of the runtime
09:05:02 <jdieter> You can include a library with an applications
09:05:17 <jdieter> Graphical support is ready right now
09:05:19 <sgallagh> Such as bundling different versions of software from the runtime or packages that would have reasons not to be in the runtime (such as legal)
09:05:50 <jdieter> Most of the stuff has been backported to F24, so it's pretty usable
09:06:11 <jdieter> Right now, any application has access to anything the user has access to
09:06:49 <jdieter> What FlatPak does is use user-namespaces, cgroups, etc and bind-mounts an empty system to give the application very limited acccess
09:06:53 <sgallagh> Flatpak uses kernel namespaces to give applications access to very limited capabilities
09:07:26 <jdieter> We have special interfaces to dbus
09:07:40 <jdieter> Sandboxing isn't quite fully fledged yet
09:07:41 <sgallagh> Sandbox isn't fully fleshed yet, but it's coming along.
09:07:51 <sgallagh> Using gsettings is complicated and still being worked on
09:08:01 <sgallagh> The code doesn't exist in usable form ye
09:08:02 <sgallagh> *yet
09:08:21 <sgallagh> We will take later about Portals which will give access to things that would normally be prevented.
09:08:23 <jdieter> I'll talk about portals, which is how users get access to the system
09:09:21 <jdieter> Questions about liability if patent-encumbered libraries in a Flatpak
09:09:33 <sgallagh> Security updates haven't really been solved yet.
09:09:53 <sgallagh> Person who ships the runtime is responsible for maintaining it (e.g. distribution vs the application)
09:10:18 <jdieter> This is a social problem
09:10:50 <sgallagh> As an application developer, you can override anything on the system that you need to. It remains to be seen what an acceptable level of overlap is.
09:10:50 <jdieter> You can override system libraries by putting different versions of libraries in your Flatpak
09:11:09 <jdieter> This does somewhat lessen the impact of the distribution as a whole
09:12:06 <jdieter> Flatpak may be safer than a distribution package as they don't have access to everything
09:12:37 <sgallagh> The reason for having the runtime as a single blob is to remove the situation where packages updated individually causes other packages to fail. Things will be tested and updated as a unit.
09:13:17 <jdieter> We're not sure what updates will look like.
09:13:23 <jdieter> We hope they'll be more stable
09:13:39 <jdieter> #topic An ostree Fedora
09:14:14 <jdieter> An ostree workstation uses ostree for filesystem versioning
09:14:16 <sgallagh> An ostree workstation is going to use ostree for producing versioned, bootable filesystem trs
09:14:18 <sgallagh> *trees
09:14:26 <jdieter> It's like git for a full filesystem
09:14:53 <jdieter> rpm-ostree takes RPMs and puts them into an ostree repository
09:14:59 <sgallagh> Something that's useful from the Fedora side is rpm-ostree, which takes packages from the distribution and puts them into the repo
09:15:40 <jdieter> THis is done on the server
09:16:13 <jdieter> THe filesystem is mostly read-only
09:16:32 <jdieter> The RPM database is read-only
09:17:00 <sgallagh> You can use package layering to inject whatever packages you want into your local system (but not on the server side)
09:17:00 <jdieter> There's package layering support to add things on top of rpm-ostree
09:17:11 <jdieter> Q: Why would you need the RPM database
09:17:13 <sgallagh> Q: Why would you need an RPM database?
09:17:25 <jdieter> A: Lots of things in Fedora expect it
09:17:26 <sgallagh> A: Many things in Fedora require the database.
09:17:40 <jdieter> Can get changelogs
09:17:49 <jdieter> Lots of enterprises use the RPM database for inventory
09:17:57 <jdieter> And it's a well-known API
09:18:38 <jdieter> Will be composed from ostree for base OS
09:18:47 <sgallagh> We think that you're going to be using flatpaks for applications in the future
09:19:23 <jdieter> Users get to test applications without affecting rest of OS
09:19:53 <jdieter> This can be tested in Fedora 24
09:20:09 <jdieter> It *doesn't* work in Fedora 24
09:20:15 <jdieter> But we're planning to backport it
09:20:18 <jdieter> * from audience
09:20:55 <jdieter> #topics improvements over traditional package management
09:21:04 <jdieter> #topic #meetingname flock2016
09:21:26 <jdieter> #topic improvements over traditional package management
09:22:03 <jdieter> The first advantage is that the whole update is done at once
09:22:18 <jdieter> Compose is done on the server, the updates/rollback on the client
09:23:05 <jdieter> Updates only happen on reboot
09:23:47 <jdieter> From a developer's point of view, it's really good
09:24:09 <jdieter> Currently constrained by distributions for which version of application you use
09:24:39 <jdieter> With this, you can get a newer application into user's hands much easier
09:24:50 <jdieter> Or get users to try development version
09:25:35 <jdieter> If you ever want to use Flatpak to bundle an application, it's actually pretty easy
09:25:53 <jdieter> Some small changes, but it's not very difficult
09:26:06 <jdieter> There's a trust model as well
09:26:14 <jdieter> Flatpak uses GPG signatures in repositories
09:26:48 <jdieter> Not sure how it will scale
09:27:35 <jdieter> If you want to make sure users are using *your* version of the application, Flatpak allows you to do that
09:27:49 <jdieter> Helps with QA
09:28:20 <jdieter> #topic rpm-ostree basics
09:28:30 <jdieter> I'm going to throw some random commands on the screen
09:28:53 <jdieter> https://pagure.io/workstation-ostree-config
09:28:58 <jdieter> This is a configuration I've put up
09:29:11 <jdieter> It's basically the workstation package set
09:29:17 <jdieter> Mostly everything works
09:29:54 <jdieter> You can also convert an existing filesystem to use ostree
09:30:05 <jdieter> There's a list of commands
09:30:23 <jdieter> It's ugly at the moment, but we hope people will be using an installer in the future
09:30:37 <jdieter> There are quite a few ways to create an install image
09:31:06 <jdieter> rpm-ostree-toolbox is a set of scripts on top of rpm-ostree which is on top of ostree
09:31:31 <jdieter> Koji doesn't use rpm-ostree-toolbox.  It uses lorax
09:32:17 <jdieter> It's not really clear which method we're going to actually use
09:32:37 <jdieter> We want to keep anaconda, but there might be some things we don't want in it
09:32:47 <jdieter> #topic Current weak points in flatpak
09:33:01 <jdieter> Some applications are available as Flatpak, most are not
09:33:10 <jdieter> It's only been available since F24
09:33:26 <jdieter> I think the number of bundles will continue to increase
09:33:41 <jdieter> GNOME is doing continuous integration for testing
09:34:06 <jdieter> A portal sits between the sandbox and the host system
09:34:15 <jdieter> And allows you to poke holes in the sandbox
09:34:28 <jdieter> For instance, get access to webcams, joysticks, etc.
09:34:53 <jdieter> There's a lot of development, but it's not ready yet
09:35:03 <jdieter> File choosers are ready now
09:35:13 <jdieter> I think an audio portal is ready, so you can output sounds
09:35:40 <jdieter> Luckily mobile platforms have already blazed the trail for sensible defaults
09:36:01 <jdieter> The kernel sandboxing features haven't been heavily tested
09:36:15 <jdieter> Only a month ago, a vulnerability was found there
09:36:39 <jdieter> Depends on systemd -user sessions, so it's not available in RHEL 7
09:37:56 <jdieter> #topic Problems with an ostree Workstation
09:38:16 <jdieter> Alternatives don't work
09:38:33 <jdieter> We'll need to come up with new ways of doing those things
09:38:51 <jdieter> Packaging layering doesn't run %post scripts
09:38:57 <jdieter> Other limitations
09:39:10 <jdieter> Some people won't like needing to reboot for a new system.
09:39:43 <jdieter> SELinux updates cause breakages on a regular basis
09:39:59 <jdieter> There will be plenty more surprises, so we need more users and testers
09:40:15 <jdieter> Patrick will give a talk tomorrow about using it on his home system.
09:40:32 <jdieter> #topic Problems with creating ostree artifacts in Fedora
09:40:45 <jdieter> Koji doesn't yet know how to produce flatpak bundles
09:40:57 <jdieter> There isn't yet an easy way to create an ostree installer
09:41:42 <jdieter> rpm-ostree doesn't use comps as input for the package manifest
09:41:55 <jdieter> #topic Further resources
09:42:15 <jdieter> ostree: https://github.com/ostreedev/ostree
09:42:23 <jdieter> flatpak: http://flatpak.org
09:42:42 <jdieter> IRC: #fedora-workstation on freenode, #gnome-os on irc.gnome.org
09:43:06 <jdieter> Mailing List: https://lists.fedoraproject.org/archives/list/desktop@lists.fedoraproject.org/
09:43:25 <jdieter> #topic Questions
09:44:59 <jdieter> There are plans to create Flatpak bundles out of rpms.
09:45:41 <jdieter> The idea is to give Koji the ability to create a Flatpak out of a spec file
11:29:47 <zodbot> michalrud: Error: Can't start another meeting, one is in progress.
11:30:01 <michalrud> #endmeeting
11:30:09 <zodbot> michalrud: Error: Can't start another meeting, one is in progress.
11:32:01 <michalrud> #endmeeting
11:33:19 <michalrud> #topic
11:36:48 <michalrud> #endmeeting