Hackers' Pub

Syntax	Description	Examples
`"` keyword `"`	Finds the string within quotes, including spaces. Case-insensitive. (Escape quotes inside with `\"`)	`"Hackers' Pub"`
`from:` handle	Finds content written by the specified user.	`from:hongminhee` `from:hongminhee@hollo.social`
`lang:` ISO 639-1	Finds content written in the specified language.	`lang:en`
`#` tag	Finds content with the specified tag. Case-insensitive.	`#HackersPub`
condition condition	Finds content that satisfies both conditions on either side of the space (logical AND).	`"Hackers' Pub" lang:en`
condition `OR` condition	Finds content that satisfies at least one of the conditions on either side of the OR operator (logical OR).	`#HackersPub OR "Hackers' Pub" lang:en`
`(` condition `)`	Combines the operators within the parentheses first.	`(#HackersPub OR "Hackers' Pub" OR "Hackers Pub") lang:en`

Olivier Forget @teleclimber@social.tchncs.de

9/4/2025, 6:01:39 PM

Public

I confirmed this is a different problem than on Ubuntu. Or at least the solution for Ubuntu doesn't work on Debian. I hate to leave things broken but I've spent days on this and I have no more left to give.

The writing is on the wall: using bubblewrap this way is a minefield. Since the goal of Dropserver is to be easy to install (eventually) having to troubleshoot this is going to be a pain. I'd rather focus on a blast-radius sandbox at the service level. Besides, when I make releases for Mac and maybe even Windows, there likely won't be the option to do this level of sandboxing? So I think it's best to focus on Deno as the only sandbox for individual appspaces, and a ds-host level sandbox (hardened systemd service for example) to contain any escapes.

https://social.tchncs.de/@teleclimber/115141982542092834

Olivier Forget (@teleclimber@social.tchncs.de)

So it turns out I was likely wrong about this. It's not the same problem as on ubuntu. On Debian I can run ds-host from the command line and it launches deno in bubblewrap just fine. But it's when ds-host is running as a systemd service that it stops working. I don't seem to be able to get a useful error message, nor have I been able to get a core dump. Nothing in logs. Are there any #Debian / #systemd people out there who can think of why bubblewrap would not work from a systemd service? I set this in my service "SystemCallFilter=@known" but it did not help. I also tried adding the ambient capability CAP_SYS_CHROOT to no avail. What should I try next? The same service works fine in Arch Linux. I am using Debian 12. https://social.tchncs.de/@teleclimber/115113510173949785

social.tchncs.de · Mastodon

If you have a fediverse account, you can quote this note from your own instance. Search https://social.tchncs.de/users/teleclimber/statuses/115147335252694594 on your instance and quote it. (Note that quoting is not supported in Mastodon.)