15:53 <jimmyjones_thorn> Hey everyone, I've been trying out some Mirage skeletons and it looks very promising. I'm currently testing on Qubes, which works quite well. Has anyone considered tighter integration of Mirage + Qubes? It seems to me that this is a match made in heaven: disposable, stateless Mirage unikernels can narrow the attack surface of 'traditional' AppVM

15:53 <jimmyjones_thorn> s and due to their small footprint, can be deployed extensively throughout the system.

15:54 <avsm> jimmyjones_thorn: yep, but noone's actively working on it. reports of success or failure most welcome on mirageos-devel@lists.xenproject.org

15:54 <jimmyjones_thorn> I see.

15:55 <jimmyjones_thorn> I have a few ideas for how these two projects can be integrated, but I don't have much time to work on it (as with everyone else, presumably).

15:55 <jimmyjones_thorn> If I get anything working 'manually' to prove the concept, though, I'll post to the list.

15:56 <avsm> absolutely; would be met with interest, no matter how manual

15:57 <jimmyjones_thorn> Cool, nice to hear. I'll play around with it for a few weeks at least, so don't expect anything groundbreaking tomorrow ;)

15:57 <jimmyjones_thorn> Part of that is that I am new to OCaml (though I have done some minor stuff in SML a few years back and am familiar with FP), so if anyone has any good tutorial suggestions other than "Real World OCaml", I'm all ears.

15:58 <avsm> https://ocaml.org/learn/tutorials/ is good

16:00 <jimmyjones_thorn> Actually, clicking that link brings up a major sticking point I see with integrating Mirage and Qubes--and more generally, just for any use of Mirage

16:01 <jimmyjones_thorn> As far as I can tell, Mirage OS's security infrastructure is abysmal

16:02 <jimmyjones_thorn> There are no signed packages, OPAM updates build your unikernel (gotta hope that hopelessly-broken TLS works!), and no clear statement of what components actually must be trusted

16:03 <jimmyjones_thorn> (and also, getting OCaml and OPAM set up on Fedora 20 was an adventure, though this is not Mirage's problem, per se)

16:05 <avsm> jimmyjones_thorn: signing is something thats on on the roadmap post OPAM 1.2: https://github.com/ocaml/opam/issues/423

16:05 <avsm> jimmyjones_thorn: re Fedora 20, binary RPMs are available from http://software.opensuse.org/download.html?project=home%3Aocaml&package=ocaml

16:06 <jimmyjones_thorn> Oh thanks, I never found references to that repo in my Google-fu

16:06 <jimmyjones_thorn> And I didn't see this issue in the tracker ;)

16:06 <avsm> bug reports about missing hints in the documentation are also welcome :-)

16:08 <jimmyjones_thorn> I'll try to document everything from now on so I can reference any hiccups later

16:08 <avsm> that'd be very helpful!

16:08 <jimmyjones_thorn> But bug report #1: Mirage / OPAM install guides should also suggest that Fedora repo for Fedora folks :)

16:09 <jimmyjones_thorn> Anyway, I have to leave now, but I will continue my exploration and check back sometime later if I make any progress

16:09 <jimmyjones_thorn> Thanks!

16:09 <avsm> enjoy!

16:10 <hannes> hmm, opam signing..

16:11 <avsm> see signify in openbsd.

16:11 <hannes> yes, sure.

16:12 <hannes> but now that I have x509 everything looks like x500 ;)

16:12 <avsm> you need corrective glasses ;)

16:12 <avsm> ASN.1 goggles

16:13 <hannes> oh, and its really good to have ted, who does ressl, which is much smaller to target (API footprint is so small compared to openssl)