I got interesting news from the fedora accessibility room today! This concerns blind and visually impaired #linux users exclusively, however:

For a bit of time, specifically pipewire >=1.4, one can start pipewire as root. That includes the regular daemon and the alsa layer, because jack emulation is a library loaded inside programs. Anyway, more recently than that, pipewire-pulse got the ability to be launched via root, as a system service:

https://gitlab.freedesktop.org/pipewire/pipewire/-/commit/dea6fa7f4c3053050d2819afa80265e5ffb39730

I'm not sure if ubuntu can use any of this yet, I suppose not, but most other distros which aren't debian based should be able to do so, for example arch, gentoo, probably nix and fedora starting with 42. This means that your system can start talking much, much sooner without the use of scripts, as long as you enable the system services instead of the user ones, or well, apparently the user units don't conflict, weird as that might sound. Either way, the same security is achieved, because who cares if root apps can listen to your microphone, the battle is lost if those apps are already root anyway!

In particular, this means that one can start espeakup with the system and it'll speak as soon as possible. Not in the initramfs, not at the enter decryption key prompt, but that's still huge progress in case your system crashes and so on.

What do y'all think, does this change anything, or it's still the same for you because you use scripts anyway, or because your systems rarely crash in such a way where that'd be required?

systemd: add systemwide pipewire-pulse files (dea6fa7f) · Commits · PipeWire / pipewire · GitLab

We can and it works, so why not.

@fireborn I presume this is news you might want to hear :p
@esoteric_programmer I’ll be interested to try this. I wonder if it will fix fedora hotplug.
@esoteric_programmer I assume it also requires wireplumber as root as well, otherwise sound can’t be routed automatically
@fireborn hotplug, what's the issue with hotplugging, it always worked here. Yeah, I believe all affected services have system variants, however user units don't conflict with the system ones, so probably it's fine, for our use case, to run wireplumber as user, except indeed in the case that the user session crashed and whatnot
@esoteric_programmer plugging in an audio device with a Fedora system won’t auto switch to it.
@fireborn audio output, really? interesting, will report that too, since we're at it
@esoteric_programmer curious, I would think that bundling this into initramfs would be possible as well?
@shironeko bundling pipewire? hmm, possible, but unlikely. However, there's a dracut plugin for brltty, and brltty has an audio component that works there, so maybe that. Putting espeakup, the userland side of the speakup kernel driver, in initramfs could also be done and would be very useful, we gotta convince at least one distro to try it, because I don't even know what it'd sound like or what it'd speak in those early boot stages to be honest. What's printed to tty during initramfs loading anyway? is that unencrypted, I don't think so
@esoteric_programmer and you can probably now run it more easily as an audio server
@sandro umm yes, although this was always possible, even without root. Pipewire is a really great concept and implementation of such, imo better than jack. I used the native pipewire API to make the speech dispatcher audio output method, and yes, it's more complicated than jack because it deals with a lot more, including video, however all in all, it's not too much of a terrible API to use, and it could be even better if one spoke the raw pipewire protocol instead of using libpipewire which was made for C
@esoteric_programmer I only ever got it working with lingering which I am not so happy about.
@sandro ahh, lingering, that's how I have it working too, but yeah, no longer. But the general thing is though, we don't usually need the server to be in root, except if you do the lingering stuff for espeakup and such too?
@esoteric_programmer we do audio streaming over TCP
@sandro ahh, interesting! there are a lot of protocols pipewire supports for that
@esoteric_programmer (Sparkles) now we need to get espeakup up and running right in the initial ramdisk

and if (god forbid) pipewire breaks? we need a fallback!
@Sparky I mean, from what I know, if pipewire breaks, the kernel uses alsa as usual, either that, or the samples just fall into void, I'm a bit unclear on that one

@esoteric_programmer

There is hope with systemd-homed that we can do the encryption on a per-user basis so you'll be able to have voice/input assistants before any password is necessary.

There is also work to make virtual terminals done in user-space w/ a minimal kiosk-mode wayland compositor which would allow for a11y even on a "VT".

I actually hope to make Ptyxis work like that for Fedora in the not-distant future.

@chergert I mean...FDE is still very much useful, because one never knows what attackers might want to do, and having your system exposed unencrypted could still be pretty bad

@esoteric_programmer

These are not mutually exclusive. You can prime your FDE with secrets from TPM.

@chergert which is...erm, kinda not something I like to do, but if other people do so, good for them. That's the thing though, yes, homed is awesome, but I'm not sure it's a good idea to make different encrypted allocations so to speak, per user folder, especially in systems where like, the only user the person interacts with is their user.

@esoteric_programmer

That's totally fine. Just take heed that the TPM approach is likely the safer approach and thusly the direction we'd want to go for the vast majority of installations.

As for "allocations" here we're really just talking subvolumes in the default case. Nothing special. In fact, you'd probably have the same number of volumes in this case (1 for $HOME, rather than 1 for /home).

@chergert @esoteric_programmer Yeah, I've been hearing about this on and off. I like all of these ideas and think they could really benefit users if implemented correctly. Fedora is getting better and better for accessibility, especially in workstation. Other spins still need work, MATE being the one I can think of off-hand, but WS is stable and functional on the systems I run it on.
@fireborn @chergert hmm, perhaps you should write a blog post in that series about what workstation got right and that it's not like, all ashes or going there?
@esoteric_programmer @chergert There will be one, when I can really dig into it and install it on the system I actually use every day. That's impossible at the moment because it refuses to see the audio device I need (USB) but maybe I can work around it. There are still things I want to see, such as enabling Orca on boot if installed with it enabled, automatically enabling speakup and letting it speak in the vt (until that system is replaced), that sort of thing. Again, just some way of detecting if Fedora was installed with a screen reader on and then setting up sane defaults for that would be a giant step. Windows doesn't do that. Mac OS doesn't do that. I can absolutely see people really appreciating that UX improvement.
@fireborn @chergert yes, from what I know, that's already a thing, technically. You can install it with orca enabled, then press alt+windows+s on the login screen to turn it on, and maybe again in the desktop? not sure. But yeah, definitely something that can be done, something I talked about with them before. No usb audio recognised and such, yeah, now that's a huge issue, that requires some serious troubleshooting. Maybe post about it in the a11y room, or in fedora's general support channel?
@esoteric_programmer @chergert You can enable it yourself yes, that wasn't the issue. But it's not automatically done and you're not given any indication that the system is ready for input at all unless you scan with OCR from a phone.
@fireborn @chergert ahh yeah, that's an issue indeed, and I don't think it's particularly hard to add indeed. I never ever looked at anaconda, maybe it's sane enough to the point I can try to add it? hmm, problem for future self
@esoteric_programmer Also one nice thing about pipewire running as a system service is you can use the "switch users" feature without having to close sessions to still have audio in the next session.

Which can be nice for say a personal session and a work session, or maybe a test session.
@lanodan ahh, so that's why orca went silent whenever I logged out or switched users?