patches and low-level development discussion
* [PATCH 01/13] pkgs: gtk3: backport fix for unset XDG_RUNTIME_DIR
@ 2025-11-26 21:33 Alyssa Ross
  2025-11-26 21:33 ` [PATCH 02/13] pkgs: s6: backport s6-softlimit -P Alyssa Ross
                   ` (12 more replies)
  0 siblings, 13 replies; 31+ messages in thread
From: Alyssa Ross @ 2025-11-26 21:33 UTC
  To: devel

As part of running services as different users we'll be giving
services dedicated places to put their sockets, rather than a single
shared directory they all need to be able to write to.

Signed-off-by: Alyssa Ross <hi@alyssa.is>
---
 pkgs/gtk3/default.nix | 13 +++++++++++++
 pkgs/overlay.nix      |  2 ++
 2 files changed, 15 insertions(+)
 create mode 100644 pkgs/gtk3/default.nix

diff --git a/pkgs/gtk3/default.nix b/pkgs/gtk3/default.nix
new file mode 100644
index 0000000..72445c9
--- /dev/null
+++ b/pkgs/gtk3/default.nix
@@ -0,0 +1,13 @@
+# SPDX-FileCopyrightText: 2025 Alyssa Ross <hi@alyssa.is>
+# SPDX-License-Identifier: MIT
+
+import ../../lib/overlay-package.nix [ "gtk3" ] ({ final, super }:
+
+super.gtk3.overrideAttrs ({ patches ? [], ... }: {
+  patches = patches ++ [
+    (final.fetchpatch {
+      url = "https://gitlab.gnome.org/GNOME/gtk/-/commit/8569e206badbee1b27ff0e27316391b8d8c3f987.patch";
+      hash = "sha256-OdBhCGtz+3HS8LRhp+GCj3dL4pntybiI9b3A3kc5+OY=";
+    })
+  ];
+}))
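Review bot: the fetchpatch entry in pkgs/gtk3/default.nix carries only a
commit URL and a hash. Add a comment above it saying what the patch fixes
(GTK behaviour when XDG_RUNTIME_DIR is unset) and which upstream release
contains it, so the override can be dropped at the next gtk3 bump instead
of lingering.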
diff --git a/pkgs/overlay.nix b/pkgs/overlay.nix
index 0ca196c..0910bf3 100644
--- a/pkgs/overlay.nix
+++ b/pkgs/overlay.nix
@@ -4,5 +4,7 @@
 (final: super: {
   cloud-hypervisor = import ./cloud-hypervisor { inherit final super; };
 
+  gtk3 = import ./gtk3 { inherit final super; };
+
   skawarePackages = import ./skaware-packages { inherit final super; };
 })

base-commit: c43e5c63a028994d5f66a15db19f415bf3cb7736
-- 
2.51.0



* [PATCH 02/13] pkgs: s6: backport s6-softlimit -P
  2025-11-26 21:33 [PATCH 01/13] pkgs: gtk3: backport fix for unset XDG_RUNTIME_DIR Alyssa Ross
@ 2025-11-26 21:33 ` Alyssa Ross
  2025-12-02 12:30   ` Alyssa Ross
  2025-11-26 21:33 ` [PATCH 03/13] img/app: wayland-proxy-virtwl: move Wayland socket Alyssa Ross
                   ` (11 subsequent siblings)
  12 siblings, 1 reply; 31+ messages in thread
From: Alyssa Ross @ 2025-11-26 21:33 UTC
  To: devel

We'll need this to run PipeWire as non-root.

Signed-off-by: Alyssa Ross <hi@alyssa.is>
---
 pkgs/skaware-packages/default.nix | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/pkgs/skaware-packages/default.nix b/pkgs/skaware-packages/default.nix
index f0d924b..e248201 100644
--- a/pkgs/skaware-packages/default.nix
+++ b/pkgs/skaware-packages/default.nix
@@ -4,6 +4,15 @@
 import ../../lib/overlay-package.nix [ "skawarePackages" ] ({ final, super }:
 
 super.skawarePackages.overrideScope (_: prev: {
+  s6 = prev.s6.overrideAttrs ({ patches ? [], ... }: {
+    patches = patches ++ [
+      (final.fetchpatch {
+        url = "https://git.skarnet.org/cgi-bin/cgit.cgi/s6/patch/?id=c3a8ef7034fb2bc02f35381a8970ac026822a810";
+        hash = "sha256-lgCoPbEYru6/a2bpVpLsZ2Rq2OHhNVs0lDgFO/df1Aw=";
+      })
+    ];
+  });
+
   mdevd = prev.mdevd.overrideAttrs ({ patches ? [], ... }: {
     patches = patches ++ [
       (final.fetchpatch {
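Review bot: the new s6 override identifies the backport only by a cgit
commit id, so nothing in the file says it is the s6-softlimit -P change
or when it can go away. Add a one-line comment above the fetchpatch
naming the feature and the s6 release that will include it.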
-- 
2.51.0



* [PATCH 03/13] img/app: wayland-proxy-virtwl: move Wayland socket
  2025-11-26 21:33 [PATCH 01/13] pkgs: gtk3: backport fix for unset XDG_RUNTIME_DIR Alyssa Ross
  2025-11-26 21:33 ` [PATCH 02/13] pkgs: s6: backport s6-softlimit -P Alyssa Ross
@ 2025-11-26 21:33 ` Alyssa Ross
  2025-12-02 12:30   ` Alyssa Ross
  2025-11-26 21:33 ` [PATCH 04/13] img/app: wayland-proxy-virtwl: run as non-root Alyssa Ross
                   ` (10 subsequent siblings)
  12 siblings, 1 reply; 31+ messages in thread
From: Alyssa Ross @ 2025-11-26 21:33 UTC
  To: devel

I didn't realise this could be an absolute path outside of
XDG_RUNTIME_DIR.  This will make it much more convenient to run
services as different users, which isn't really
XDG_RUNTIME_DIR-friendly.

Signed-off-by: Alyssa Ross <hi@alyssa.is>
---
 img/app/image/etc/s6-linux-init/env/WAYLAND_DISPLAY         | 2 +-
 img/app/image/etc/s6-linux-init/env/WAYLAND_DISPLAY.license | 2 +-
 img/app/image/etc/s6-rc/wayland-proxy-virtwl/run            | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/img/app/image/etc/s6-linux-init/env/WAYLAND_DISPLAY b/img/app/image/etc/s6-linux-init/env/WAYLAND_DISPLAY
index 7be60bf..bbd390c 100644
--- a/img/app/image/etc/s6-linux-init/env/WAYLAND_DISPLAY
+++ b/img/app/image/etc/s6-linux-init/env/WAYLAND_DISPLAY
@@ -1 +1 @@
-wayland-0
+/run/wayland
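Review bot: making WAYLAND_DISPLAY absolute is the point at which clients
that only accept a name relative to XDG_RUNTIME_DIR stop connecting, but
that caveat is only written down in the commit message of 06/13. State it
in this commit message as well, since this is the change a bisect would
land on.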
diff --git a/img/app/image/etc/s6-linux-init/env/WAYLAND_DISPLAY.license b/img/app/image/etc/s6-linux-init/env/WAYLAND_DISPLAY.license
index d705e97..0d3d47c 100644
--- a/img/app/image/etc/s6-linux-init/env/WAYLAND_DISPLAY.license
+++ b/img/app/image/etc/s6-linux-init/env/WAYLAND_DISPLAY.license
@@ -1,2 +1,2 @@
 SPDX-License-Identifier: CC0-1.0
-SPDX-FileCopyrightText: 2024 Alyssa Ross <hi@alyssa.is>
+SPDX-FileCopyrightText: 2025 Alyssa Ross <hi@alyssa.is>
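Review bot: the copyright line replaces 2024 with 2025 instead of
extending the range, whereas 09/13 and 10/13 extend theirs ("2023-2025",
"2022, 2025"). Use "2024-2025" here for consistency; the same applies to
notification-fd.license in 11/13.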
diff --git a/img/app/image/etc/s6-rc/wayland-proxy-virtwl/run b/img/app/image/etc/s6-rc/wayland-proxy-virtwl/run
index df9173a..380a833 100755
--- a/img/app/image/etc/s6-rc/wayland-proxy-virtwl/run
+++ b/img/app/image/etc/s6-rc/wayland-proxy-virtwl/run
@@ -8,7 +8,7 @@
 
 foreground { mkdir /tmp/.X11-unix }
 
-s6-ipcserver-socketbinder -B /run/user/0/wayland-0
+s6-ipcserver-socketbinder -B /run/wayland
 fdmove -c 3 0
 
 s6-ipcserver-socketbinder -B /tmp/.X11-unix/X0
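Review bot: the binder for /run/wayland passes no -a, so the socket gets
s6-ipcserver-socketbinder's default mode (0777 according to its
documentation), and it no longer sits inside /run/user/0, which rc.init
created with mode 0700 (see the lines removed in 06/13). Access to the
compositor socket is therefore no longer restricted by the parent
directory. If that is intended so that the application user can connect,
say so in the commit message and pass the mode explicitly, as 11/13 does
with -a 0770 for the session bus.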
-- 
2.51.0



* [PATCH 04/13] img/app: wayland-proxy-virtwl: run as non-root
  2025-11-26 21:33 [PATCH 01/13] pkgs: gtk3: backport fix for unset XDG_RUNTIME_DIR Alyssa Ross
  2025-11-26 21:33 ` [PATCH 02/13] pkgs: s6: backport s6-softlimit -P Alyssa Ross
  2025-11-26 21:33 ` [PATCH 03/13] img/app: wayland-proxy-virtwl: move Wayland socket Alyssa Ross
@ 2025-11-26 21:33 ` Alyssa Ross
  2025-12-02 12:30   ` Alyssa Ross
  2025-11-26 21:33 ` [PATCH 05/13] img/app: pipewire: move sockets out of XDG_RUNTIME_DIR Alyssa Ross
                   ` (9 subsequent siblings)
  12 siblings, 1 reply; 31+ messages in thread
From: Alyssa Ross @ 2025-11-26 21:33 UTC
  To: devel

nsswitch.conf needs to exist for s6-envuidgid to be able to find
supplementary groups.

Signed-off-by: Alyssa Ross <hi@alyssa.is>
---
 img/app/file-list.mk                             | 2 ++
 img/app/image/etc/group                          | 1 +
 img/app/image/etc/group.license                  | 2 ++
 img/app/image/etc/mdev.conf                      | 2 +-
 img/app/image/etc/nsswitch.conf                  | 0
 img/app/image/etc/passwd                         | 1 +
 img/app/image/etc/s6-rc/wayland-proxy-virtwl/run | 2 ++
 7 files changed, 9 insertions(+), 1 deletion(-)
 create mode 100644 img/app/image/etc/group
 create mode 100644 img/app/image/etc/group.license
 create mode 100644 img/app/image/etc/nsswitch.conf

diff --git a/img/app/file-list.mk b/img/app/file-list.mk
index 6934975..c7cd82a 100644
--- a/img/app/file-list.mk
+++ b/img/app/file-list.mk
@@ -4,11 +4,13 @@
 FILES = \
 	image/etc/dbus-1/session.conf \
 	image/etc/fstab \
+	image/etc/group \
 	image/etc/mdev.conf \
 	image/etc/mdev/iface \
 	image/etc/mdev/listen \
 	image/etc/mdev/virtiofs \
 	image/etc/mdev/wait \
+	image/etc/nsswitch.conf \
 	image/etc/passwd \
 	image/etc/pipewire/pipewire.conf \
 	image/etc/resolv.conf \
diff --git a/img/app/image/etc/group b/img/app/image/etc/group
new file mode 100644
index 0000000..4add88f
--- /dev/null
+++ b/img/app/image/etc/group
@@ -0,0 +1 @@
+wayland:x:1:wayland
diff --git a/img/app/image/etc/group.license b/img/app/image/etc/group.license
new file mode 100644
index 0000000..0d3d47c
--- /dev/null
+++ b/img/app/image/etc/group.license
@@ -0,0 +1,2 @@
+SPDX-License-Identifier: CC0-1.0
+SPDX-FileCopyrightText: 2025 Alyssa Ross <hi@alyssa.is>
diff --git a/img/app/image/etc/mdev.conf b/img/app/image/etc/mdev.conf
index df215b9..b7c0c5b 100644
--- a/img/app/image/etc/mdev.conf
+++ b/img/app/image/etc/mdev.conf
@@ -4,7 +4,7 @@
 -$MODALIAS=.* 0:0 0 ! +importas -Siu MODALIAS modprobe -q $MODALIAS
 $INTERFACE=.* 0:0 0 ! +/etc/mdev/iface
 $MODALIAS=virtio:d0000001Av.* 0:0 0 ! +/etc/mdev/virtiofs
-dri/card0 0:0 660 +background { /etc/mdev/listen card0 }
+dri/card0 wayland:wayland 660 +background { /etc/mdev/listen card0 }
 snd/controlC0 0:0 660 +background { /etc/mdev/listen controlC0 }
 
 # Don't change mode of other device nodes created by devtmpfs.
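Review bot: the dri/card0 rule changes owner from 0:0 to wayland:wayland
with no explanation, and the commit message only covers nsswitch.conf.
Add a comment above the rule (or a sentence in the message) saying the
node is handed to the wayland user because wayland-proxy-virtwl is run
with --virtio-gpu after dropping privileges, so the coupling between this
line and the s6-setuidgid in the run script is visible.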
diff --git a/img/app/image/etc/nsswitch.conf b/img/app/image/etc/nsswitch.conf
new file mode 100644
index 0000000..e69de29
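Review bot: nsswitch.conf is added empty and without a .license file,
while the new group file in the same patch gets group.license. Unless the
file is covered by another REUSE annotation, add nsswitch.conf.license.
An empty file also looks like an accident to the next reader; its purpose
(letting s6-envuidgid find supplementary groups) is only in the commit
message, so consider a comment line in the file itself.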
diff --git a/img/app/image/etc/passwd b/img/app/image/etc/passwd
index 5d35578..31e5773 100644
--- a/img/app/image/etc/passwd
+++ b/img/app/image/etc/passwd
@@ -1 +1,2 @@
 root:x:0:0:System administrator:/run/root:/bin/sh
+wayland:x:1:1:wayland-proxy-virtwl service user:/:/usr/bin/nologin
diff --git a/img/app/image/etc/s6-rc/wayland-proxy-virtwl/run b/img/app/image/etc/s6-rc/wayland-proxy-virtwl/run
index 380a833..86d7f63 100755
--- a/img/app/image/etc/s6-rc/wayland-proxy-virtwl/run
+++ b/img/app/image/etc/s6-rc/wayland-proxy-virtwl/run
@@ -26,4 +26,6 @@ export LISTEN_FDS 2
 export LISTEN_FDNAMES wayland:x11
 getpid LISTEN_PID
 
+s6-setuidgid wayland
+
 wayland-proxy-virtwl --virtio-gpu --x-display=0
-- 
2.51.0



* [PATCH 05/13] img/app: pipewire: move sockets out of XDG_RUNTIME_DIR
  2025-11-26 21:33 [PATCH 01/13] pkgs: gtk3: backport fix for unset XDG_RUNTIME_DIR Alyssa Ross
                   ` (2 preceding siblings ...)
  2025-11-26 21:33 ` [PATCH 04/13] img/app: wayland-proxy-virtwl: run as non-root Alyssa Ross
@ 2025-11-26 21:33 ` Alyssa Ross
  2025-12-02 12:30   ` Alyssa Ross
  2025-11-26 21:33 ` [PATCH 06/13] img/app: remove XDG_RUNTIME_DIR Alyssa Ross
                   ` (8 subsequent siblings)
  12 siblings, 1 reply; 31+ messages in thread
From: Alyssa Ross @ 2025-11-26 21:33 UTC
  To: devel

This will make it easier to run PipeWire and WirePlumber as dedicated
service users, because they won't have to be able to access
XDG_RUNTIME_DIR.

Signed-off-by: Alyssa Ross <hi@alyssa.is>
---
 img/app/Makefile                                              | 1 +
 img/app/file-list.mk                                          | 2 ++
 img/app/image/etc/s6-linux-init/env/PIPEWIRE_RUNTIME_DIR      | 1 +
 .../image/etc/s6-linux-init/env/PIPEWIRE_RUNTIME_DIR.license  | 2 ++
 img/app/image/etc/s6-linux-init/env/PULSE_RUNTIME_PATH        | 1 +
 .../image/etc/s6-linux-init/env/PULSE_RUNTIME_PATH.license    | 2 ++
 img/app/image/etc/s6-rc/pipewire/run                          | 4 ++--
 7 files changed, 11 insertions(+), 2 deletions(-)
 create mode 100644 img/app/image/etc/s6-linux-init/env/PIPEWIRE_RUNTIME_DIR
 create mode 100644 img/app/image/etc/s6-linux-init/env/PIPEWIRE_RUNTIME_DIR.license
 create mode 100644 img/app/image/etc/s6-linux-init/env/PULSE_RUNTIME_PATH
 create mode 100644 img/app/image/etc/s6-linux-init/env/PULSE_RUNTIME_PATH.license

diff --git a/img/app/Makefile b/img/app/Makefile
index 48eba87..2838554 100644
--- a/img/app/Makefile
+++ b/img/app/Makefile
@@ -31,6 +31,7 @@ $(imgdir)/appvm/blk/root.img: ../../scripts/make-gpt.sh ../../scripts/sfdisk-fie
 	mv $@.tmp $@
 
 DIRS = dev run proc sys tmp \
+	etc/s6-linux-init/run-image/pipewire \
 	etc/s6-linux-init/run-image/service \
 	etc/s6-linux-init/run-image/user \
 	etc/s6-linux-init/run-image/wait
diff --git a/img/app/file-list.mk b/img/app/file-list.mk
index c7cd82a..d63ee76 100644
--- a/img/app/file-list.mk
+++ b/img/app/file-list.mk
@@ -18,6 +18,8 @@ FILES = \
 	image/etc/s6-linux-init/env/DISPLAY \
 	image/etc/s6-linux-init/env/GTK_USE_PORTAL \
 	image/etc/s6-linux-init/env/NIX_XDG_DESKTOP_PORTAL_DIR \
+	image/etc/s6-linux-init/env/PIPEWIRE_RUNTIME_DIR \
+	image/etc/s6-linux-init/env/PULSE_RUNTIME_PATH \
 	image/etc/s6-linux-init/env/WAYLAND_DISPLAY \
 	image/etc/s6-linux-init/env/XDG_DESKTOP_PORTAL_SPECTRUM_GUEST_PORT \
 	image/etc/s6-linux-init/env/XDG_RUNTIME_DIR \
diff --git a/img/app/image/etc/s6-linux-init/env/PIPEWIRE_RUNTIME_DIR b/img/app/image/etc/s6-linux-init/env/PIPEWIRE_RUNTIME_DIR
new file mode 100644
index 0000000..8cb2f46
--- /dev/null
+++ b/img/app/image/etc/s6-linux-init/env/PIPEWIRE_RUNTIME_DIR
@@ -0,0 +1 @@
+/run/pipewire
diff --git a/img/app/image/etc/s6-linux-init/env/PIPEWIRE_RUNTIME_DIR.license b/img/app/image/etc/s6-linux-init/env/PIPEWIRE_RUNTIME_DIR.license
new file mode 100644
index 0000000..0d3d47c
--- /dev/null
+++ b/img/app/image/etc/s6-linux-init/env/PIPEWIRE_RUNTIME_DIR.license
@@ -0,0 +1,2 @@
+SPDX-License-Identifier: CC0-1.0
+SPDX-FileCopyrightText: 2025 Alyssa Ross <hi@alyssa.is>
diff --git a/img/app/image/etc/s6-linux-init/env/PULSE_RUNTIME_PATH b/img/app/image/etc/s6-linux-init/env/PULSE_RUNTIME_PATH
new file mode 100644
index 0000000..8cb2f46
--- /dev/null
+++ b/img/app/image/etc/s6-linux-init/env/PULSE_RUNTIME_PATH
@@ -0,0 +1 @@
+/run/pipewire
diff --git a/img/app/image/etc/s6-linux-init/env/PULSE_RUNTIME_PATH.license b/img/app/image/etc/s6-linux-init/env/PULSE_RUNTIME_PATH.license
new file mode 100644
index 0000000..0d3d47c
--- /dev/null
+++ b/img/app/image/etc/s6-linux-init/env/PULSE_RUNTIME_PATH.license
@@ -0,0 +1,2 @@
+SPDX-License-Identifier: CC0-1.0
+SPDX-FileCopyrightText: 2025 Alyssa Ross <hi@alyssa.is>
diff --git a/img/app/image/etc/s6-rc/pipewire/run b/img/app/image/etc/s6-rc/pipewire/run
index ab46901..1774b91 100644
--- a/img/app/image/etc/s6-rc/pipewire/run
+++ b/img/app/image/etc/s6-rc/pipewire/run
@@ -3,10 +3,10 @@
 # SPDX-FileCopyrightText: 2023-2024 Alyssa Ross <hi@alyssa.is>
 # SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com>
 
-s6-ipcserver-socketbinder -B /run/user/0/pipewire-0
+s6-ipcserver-socketbinder -B /run/pipewire/pipewire-0
 fdmove -c 3 0
 
-s6-ipcserver-socketbinder -B /run/user/0/pipewire-0-manager
+s6-ipcserver-socketbinder -B /run/pipewire/pipewire-0-manager
 fdmove -c 4 0
 
 redirfd -r 0 /dev/null
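Review bot: both binder lines hard-code /run/pipewire, which this patch
also writes into env/PIPEWIRE_RUNTIME_DIR and env/PULSE_RUNTIME_PATH, and
the socket name pipewire-0 has to match core.name in pipewire.conf. Add a
comment above the first binder saying the paths must be kept in step with
those files, or import PIPEWIRE_RUNTIME_DIR in the script and build the
paths from it.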
-- 
2.51.0



* [PATCH 06/13] img/app: remove XDG_RUNTIME_DIR
  2025-11-26 21:33 [PATCH 01/13] pkgs: gtk3: backport fix for unset XDG_RUNTIME_DIR Alyssa Ross
                   ` (3 preceding siblings ...)
  2025-11-26 21:33 ` [PATCH 05/13] img/app: pipewire: move sockets out of XDG_RUNTIME_DIR Alyssa Ross
@ 2025-11-26 21:33 ` Alyssa Ross
  2025-12-01  5:55   ` Demi Marie Obenour
  2025-12-02 12:30   ` Alyssa Ross
  2025-11-26 21:34 ` [PATCH 07/13] img/app: wireplumber: run as non-root Alyssa Ross
                   ` (7 subsequent siblings)
  12 siblings, 2 replies; 31+ messages in thread
From: Alyssa Ross @ 2025-11-26 21:33 UTC
  To: devel

Nothing uses this any more, and let's hope it stays that way, because
it makes it difficult to run services as different users.  Maybe we
end up finding something that really needs it in the future, but it
makes things much easier to avoid it for as long as we can.

Older applications might not support WAYLAND_DISPLAY being absolute,
but this has been changed in libwayland and GTK.  We don't need to
support arbitrarily old applications, and this problem will resolve
itself over time.

Signed-off-by: Alyssa Ross <hi@alyssa.is>
---
 img/app/file-list.mk                                        | 1 -
 img/app/image/etc/s6-linux-init/env/XDG_RUNTIME_DIR         | 1 -
 img/app/image/etc/s6-linux-init/env/XDG_RUNTIME_DIR.license | 2 --
 img/app/image/etc/s6-linux-init/scripts/rc.init             | 3 ---
 4 files changed, 7 deletions(-)
 delete mode 100644 img/app/image/etc/s6-linux-init/env/XDG_RUNTIME_DIR
 delete mode 100644 img/app/image/etc/s6-linux-init/env/XDG_RUNTIME_DIR.license

diff --git a/img/app/file-list.mk b/img/app/file-list.mk
index d63ee76..d452ebd 100644
--- a/img/app/file-list.mk
+++ b/img/app/file-list.mk
@@ -22,7 +22,6 @@ FILES = \
 	image/etc/s6-linux-init/env/PULSE_RUNTIME_PATH \
 	image/etc/s6-linux-init/env/WAYLAND_DISPLAY \
 	image/etc/s6-linux-init/env/XDG_DESKTOP_PORTAL_SPECTRUM_GUEST_PORT \
-	image/etc/s6-linux-init/env/XDG_RUNTIME_DIR \
 	image/etc/s6-linux-init/run-image/service/getty-hvc0/run \
 	image/etc/s6-linux-init/run-image/service/s6-linux-init-shutdownd/notification-fd \
 	image/etc/s6-linux-init/run-image/service/s6-linux-init-shutdownd/run \
diff --git a/img/app/image/etc/s6-linux-init/env/XDG_RUNTIME_DIR b/img/app/image/etc/s6-linux-init/env/XDG_RUNTIME_DIR
deleted file mode 100644
index 70a6671..0000000
--- a/img/app/image/etc/s6-linux-init/env/XDG_RUNTIME_DIR
+++ /dev/null
@@ -1 +0,0 @@
-/run/user/0
diff --git a/img/app/image/etc/s6-linux-init/env/XDG_RUNTIME_DIR.license b/img/app/image/etc/s6-linux-init/env/XDG_RUNTIME_DIR.license
deleted file mode 100644
index a941ca4..0000000
--- a/img/app/image/etc/s6-linux-init/env/XDG_RUNTIME_DIR.license
+++ /dev/null
@@ -1,2 +0,0 @@
-SPDX-License-Identifier: CC0-1.0
-SPDX-FileCopyrightText: 2023 Alyssa Ross <hi@alyssa.is>
diff --git a/img/app/image/etc/s6-linux-init/scripts/rc.init b/img/app/image/etc/s6-linux-init/scripts/rc.init
index 0bf350a..762081f 100755
--- a/img/app/image/etc/s6-linux-init/scripts/rc.init
+++ b/img/app/image/etc/s6-linux-init/scripts/rc.init
@@ -13,7 +13,4 @@ if { s6-rc-init -c /etc/s6-rc /run/service }
 if { modprobe overlay }
 if { mount -a --mkdir }
 
-# /run/user/0: "$XDG_RUNTIME_DIR"
-if { mkdir -m 0700 /run/user/0 }
-
 s6-rc change ok-all
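Review bot: with "mkdir -m 0700 /run/user/0" removed from rc.init,
etc/s6-linux-init/run-image/user is still listed in DIRS in
img/app/Makefile (it shows up as unchanged context in 05/13 and 12/13),
so what looks like the now unused parent directory keeps being created.
Drop it from DIRS in this patch if nothing else depends on it.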
-- 
2.51.0



* [PATCH 07/13] img/app: wireplumber: run as non-root
  2025-11-26 21:33 [PATCH 01/13] pkgs: gtk3: backport fix for unset XDG_RUNTIME_DIR Alyssa Ross
                   ` (4 preceding siblings ...)
  2025-11-26 21:33 ` [PATCH 06/13] img/app: remove XDG_RUNTIME_DIR Alyssa Ross
@ 2025-11-26 21:34 ` Alyssa Ross
  2025-12-02 12:30   ` Alyssa Ross
  2025-11-26 21:34 ` [PATCH 08/13] img/app: pipewire: disable D-Bus Alyssa Ross
                   ` (6 subsequent siblings)
  12 siblings, 1 reply; 31+ messages in thread
From: Alyssa Ross @ 2025-11-26 21:34 UTC
  To: devel

Signed-off-by: Alyssa Ross <hi@alyssa.is>
---
 img/app/image/etc/group                 | 1 +
 img/app/image/etc/passwd                | 1 +
 img/app/image/etc/s6-rc/wireplumber/run | 3 +++
 3 files changed, 5 insertions(+)

diff --git a/img/app/image/etc/group b/img/app/image/etc/group
index 4add88f..5eafb82 100644
--- a/img/app/image/etc/group
+++ b/img/app/image/etc/group
@@ -1 +1,2 @@
 wayland:x:1:wayland
+wireplumber:x:2:wireplumber
diff --git a/img/app/image/etc/passwd b/img/app/image/etc/passwd
index 31e5773..5557240 100644
--- a/img/app/image/etc/passwd
+++ b/img/app/image/etc/passwd
@@ -1,2 +1,3 @@
 root:x:0:0:System administrator:/run/root:/bin/sh
 wayland:x:1:1:wayland-proxy-virtwl service user:/:/usr/bin/nologin
+wireplumber:x:2:2:WirePlumber service user:/:/usr/bin/nologin
diff --git a/img/app/image/etc/s6-rc/wireplumber/run b/img/app/image/etc/s6-rc/wireplumber/run
index d58f197..a514c40 100644
--- a/img/app/image/etc/s6-rc/wireplumber/run
+++ b/img/app/image/etc/s6-rc/wireplumber/run
@@ -1,4 +1,7 @@
 #!/bin/execlineb -P
 # SPDX-License-Identifier: EUPL-1.2+
 # SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com>
+
+s6-setuidgid wireplumber
+
 wireplumber --profile spectrum
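Review bot: "s6-setuidgid wireplumber" goes in with no commit body, the
only patch in the series without one. Say what WirePlumber still needs
after the drop: the PipeWire socket under /run/pipewire from 05/13, and
whether it needs the sound device nodes at all, because 10/13 sets those
to pipewire:pipewire 660 and the wireplumber user is not in that group.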
-- 
2.51.0



* [PATCH 08/13] img/app: pipewire: disable D-Bus
  2025-11-26 21:33 [PATCH 01/13] pkgs: gtk3: backport fix for unset XDG_RUNTIME_DIR Alyssa Ross
                   ` (5 preceding siblings ...)
  2025-11-26 21:34 ` [PATCH 07/13] img/app: wireplumber: run as non-root Alyssa Ross
@ 2025-11-26 21:34 ` Alyssa Ross
  2025-12-02 12:30   ` Alyssa Ross
  2025-11-26 21:34 ` [PATCH 09/13] img/app: pipewire: stop fighting s6 over lockfiles Alyssa Ross
                   ` (5 subsequent siblings)
  12 siblings, 1 reply; 31+ messages in thread
From: Alyssa Ross @ 2025-11-26 21:34 UTC
  To: devel

We don't currently use this for anything.  Disabling it means that
PipeWire doesn't have to be able to access the system bus.

Signed-off-by: Alyssa Ross <hi@alyssa.is>
---
 img/app/image/etc/pipewire/pipewire.conf | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/img/app/image/etc/pipewire/pipewire.conf b/img/app/image/etc/pipewire/pipewire.conf
index 6e946b5..f7ebb35 100644
--- a/img/app/image/etc/pipewire/pipewire.conf
+++ b/img/app/image/etc/pipewire/pipewire.conf
@@ -38,8 +38,11 @@ context.properties = {
     link.max-buffers = 16
     core.daemon = true
     core.name   = pipewire-0
+
     # Account for running in a VM
     default.clock.min-quantum = 1024
+
+    support.dbus = false
 }
 
 # Upstream defaults, with support for AVB, V4L2, libcamera
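Review bot: "support.dbus = false" is added without a comment, unlike
default.clock.min-quantum directly above it. Put the reason from the
commit message next to the setting, for example "# Nothing here uses
D-Bus; avoids needing access to the system bus".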
@@ -62,7 +65,6 @@ context.modules = [
     { name = libpipewire-module-client-node }
     { name = libpipewire-module-access }
     { name = libpipewire-module-client-device }
-    { name = libpipewire-module-portal }
     { name = libpipewire-module-adapter }
     { name = libpipewire-module-link-factory }
     { name = libpipewire-module-session-manager }
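Review bot: the removal of libpipewire-module-portal from context.modules
is not mentioned in the commit message, and the list is headed "Upstream
defaults", so the deviation is invisible to whoever next syncs it with
upstream. Note in the message, or in a comment beside the list, that the
module is dropped (presumably because it depends on D-Bus).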
-- 
2.51.0



* [PATCH 09/13] img/app: pipewire: stop fighting s6 over lockfiles
  2025-11-26 21:33 [PATCH 01/13] pkgs: gtk3: backport fix for unset XDG_RUNTIME_DIR Alyssa Ross
                   ` (6 preceding siblings ...)
  2025-11-26 21:34 ` [PATCH 08/13] img/app: pipewire: disable D-Bus Alyssa Ross
@ 2025-11-26 21:34 ` Alyssa Ross
  2025-12-02 12:30   ` Alyssa Ross
  2025-11-26 21:34 ` [PATCH 10/13] img/app: pipewire: run as non-root Alyssa Ross
                   ` (4 subsequent siblings)
  12 siblings, 1 reply; 31+ messages in thread
From: Alyssa Ross @ 2025-11-26 21:34 UTC
  To: devel

This causes a particular problem when PipeWire is not run as root,
because it can't overwrite the root-owned lockfiles from s6.

Signed-off-by: Alyssa Ross <hi@alyssa.is>
---
 img/app/image/etc/s6-rc/pipewire/run | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/img/app/image/etc/s6-rc/pipewire/run b/img/app/image/etc/s6-rc/pipewire/run
index 1774b91..afaada1 100644
--- a/img/app/image/etc/s6-rc/pipewire/run
+++ b/img/app/image/etc/s6-rc/pipewire/run
@@ -1,12 +1,21 @@
 #!/bin/execlineb -P
 # SPDX-License-Identifier: EUPL-1.2+
-# SPDX-FileCopyrightText: 2023-2024 Alyssa Ross <hi@alyssa.is>
+# SPDX-FileCopyrightText: 2023-2025 Alyssa Ross <hi@alyssa.is>
 # SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com>
 
-s6-ipcserver-socketbinder -B /run/pipewire/pipewire-0
+if { chown pipewire:pipewire /run/pipewire }
+if { chmod 0755 /run/pipewire }
+
+# PipeWire likes to create its own .lock files for its sockets,
+# so we have to disable lockfile creation in s6-ipcserver-socketbinder
+# by disabling SO_REUSEADDR, and work around that by removing potential
+# previous instances of the sockets first.
+if { rm -f /run/pipewire/pipewire-0 /run/pipewire/pipewire-0-manager }
+
+s6-ipcserver-socketbinder -BD /run/pipewire/pipewire-0
 fdmove -c 3 0
 
-s6-ipcserver-socketbinder -B /run/pipewire/pipewire-0-manager
+s6-ipcserver-socketbinder -BD /run/pipewire/pipewire-0-manager
 fdmove -c 4 0
 
 redirfd -r 0 /dev/null
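Review bot: "if { chown pipewire:pipewire /run/pipewire }" at the top of
the script names a user and group that are only added to passwd and group
in 10/13, so at this commit the chown fails, the if block aborts the
script, and PipeWire never starts. That breaks bisection. Move the
chown/chmod pair to 10/13, or move the account lines into this patch. The
ownership change is also unrelated to the lockfile subject line, which is
another reason to carry it in 10/13.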
-- 
2.51.0



* [PATCH 10/13] img/app: pipewire: run as non-root
  2025-11-26 21:33 [PATCH 01/13] pkgs: gtk3: backport fix for unset XDG_RUNTIME_DIR Alyssa Ross
                   ` (7 preceding siblings ...)
  2025-11-26 21:34 ` [PATCH 09/13] img/app: pipewire: stop fighting s6 over lockfiles Alyssa Ross
@ 2025-11-26 21:34 ` Alyssa Ross
  2025-12-02 12:30   ` Alyssa Ross
  2025-11-26 21:34 ` [PATCH 11/13] img/app: dbus: create socket outside daemon Alyssa Ross
                   ` (3 subsequent siblings)
  12 siblings, 1 reply; 31+ messages in thread
From: Alyssa Ross @ 2025-11-26 21:34 UTC
  To: devel

Set the real-time scheduling priority hard limit globally at boot, as
recommended by the s6-softlimit documentation.

Signed-off-by: Alyssa Ross <hi@alyssa.is>
---
 img/app/image/etc/group              | 1 +
 img/app/image/etc/mdev.conf          | 4 +++-
 img/app/image/etc/passwd             | 1 +
 img/app/image/etc/s6-rc/pipewire/run | 4 ++++
 img/app/image/usr/bin/init           | 4 +++-
 5 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/img/app/image/etc/group b/img/app/image/etc/group
index 5eafb82..0bf6579 100644
--- a/img/app/image/etc/group
+++ b/img/app/image/etc/group
@@ -1,2 +1,3 @@
 wayland:x:1:wayland
 wireplumber:x:2:wireplumber
+pipewire:x:3:pipewire
diff --git a/img/app/image/etc/mdev.conf b/img/app/image/etc/mdev.conf
index b7c0c5b..d4cd825 100644
--- a/img/app/image/etc/mdev.conf
+++ b/img/app/image/etc/mdev.conf
@@ -5,7 +5,9 @@
 $INTERFACE=.* 0:0 0 ! +/etc/mdev/iface
 $MODALIAS=virtio:d0000001Av.* 0:0 0 ! +/etc/mdev/virtiofs
 dri/card0 wayland:wayland 660 +background { /etc/mdev/listen card0 }
-snd/controlC0 0:0 660 +background { /etc/mdev/listen controlC0 }
+
+-SUBSYSTEM=sound;.* pipewire:pipewire 660
+snd/controlC0 pipewire:pipewire 660 +background { /etc/mdev/listen controlC0 }
 
 # Don't change mode of other device nodes created by devtmpfs.
 .* 0:0 0 !
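Review bot: the new "-SUBSYSTEM=sound;.* pipewire:pipewire 660" rule has
no comment, and it uses a different matching form from the "$MODALIAS="
and "$INTERFACE=" rules above it. Add a line saying it hands every sound
node to the pipewire user and that the leading "-" lets processing
continue, so the snd/controlC0 rule below still runs its listen command.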
diff --git a/img/app/image/etc/passwd b/img/app/image/etc/passwd
index 5557240..631554c 100644
--- a/img/app/image/etc/passwd
+++ b/img/app/image/etc/passwd
@@ -1,3 +1,4 @@
 root:x:0:0:System administrator:/run/root:/bin/sh
 wayland:x:1:1:wayland-proxy-virtwl service user:/:/usr/bin/nologin
 wireplumber:x:2:2:WirePlumber service user:/:/usr/bin/nologin
+pipewire:x:3:3:PipeWire service user:/:/usr/bin/nologin
diff --git a/img/app/image/etc/s6-rc/pipewire/run b/img/app/image/etc/s6-rc/pipewire/run
index afaada1..3925f08 100644
--- a/img/app/image/etc/s6-rc/pipewire/run
+++ b/img/app/image/etc/s6-rc/pipewire/run
@@ -27,6 +27,10 @@ fdclose 5
 # Wait for sound devices to be available
 if { /etc/mdev/wait controlC0 }
 
+nice -n -11
+s6-softlimit -P 88
+s6-setuidgid pipewire
+
 export LISTEN_FDS 2
 getpid LISTEN_PID
 pipewire
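Review bot: "nice -n -11" and "s6-softlimit -P 88" are unexplained magic
numbers, and 88 has to agree with the hard limit set in usr/bin/init by
this same patch. Add a comment saying where the values come from (if they
mirror PipeWire's real-time module settings, say so) and that both lines
must stay above "s6-setuidgid pipewire", since a negative nice value
cannot be set once privileges are dropped.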
diff --git a/img/app/image/usr/bin/init b/img/app/image/usr/bin/init
index 6424e22..aca6efa 100755
--- a/img/app/image/usr/bin/init
+++ b/img/app/image/usr/bin/init
@@ -1,5 +1,7 @@
 #!/bin/execlineb -s0
 # SPDX-License-Identifier: EUPL-1.2+
-# SPDX-FileCopyrightText: 2022 Alyssa Ross <hi@alyssa.is>
+# SPDX-FileCopyrightText: 2022, 2025 Alyssa Ross <hi@alyssa.is>
+
+/bin/s6-softlimit -HP 88
 
 /bin/s6-linux-init -Bc /etc/s6-linux-init -- $@
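Review bot: "/bin/s6-softlimit -HP 88" in init raises the RLIMIT_RTPRIO
hard limit for every process started afterwards, not only PipeWire. A
process running as an unprivileged user may raise its own soft limit up
to the hard limit, so the application user introduced in 12/13 could
request real-time priority up to 88 as well. Lower the hard limit again
in the run scripts of services that should not have it, before their
s6-setuidgid, and add a comment here explaining why init sets it.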
-- 
2.51.0



* [PATCH 11/13] img/app: dbus: create socket outside daemon
  2025-11-26 21:33 [PATCH 01/13] pkgs: gtk3: backport fix for unset XDG_RUNTIME_DIR Alyssa Ross
                   ` (8 preceding siblings ...)
  2025-11-26 21:34 ` [PATCH 10/13] img/app: pipewire: run as non-root Alyssa Ross
@ 2025-11-26 21:34 ` Alyssa Ross
  2025-12-02 12:30   ` Alyssa Ross
  2025-11-26 21:34 ` [PATCH 12/13] img/app: add application user Alyssa Ross
                   ` (2 subsequent siblings)
  12 siblings, 1 reply; 31+ messages in thread
From: Alyssa Ross @ 2025-11-26 21:34 UTC
  To: devel

This will enable dropping privileges for the daemon.

Signed-off-by: Alyssa Ross <hi@alyssa.is>
---
 img/app/image/etc/s6-rc/dbus/notification-fd        |  2 +-
 .../image/etc/s6-rc/dbus/notification-fd.license    |  2 +-
 img/app/image/etc/s6-rc/dbus/run                    | 13 +++++++++++--
 3 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/img/app/image/etc/s6-rc/dbus/notification-fd b/img/app/image/etc/s6-rc/dbus/notification-fd
index 00750ed..b8626c4 100644
--- a/img/app/image/etc/s6-rc/dbus/notification-fd
+++ b/img/app/image/etc/s6-rc/dbus/notification-fd
@@ -1 +1 @@
-3
+4
diff --git a/img/app/image/etc/s6-rc/dbus/notification-fd.license b/img/app/image/etc/s6-rc/dbus/notification-fd.license
index a941ca4..0d3d47c 100644
--- a/img/app/image/etc/s6-rc/dbus/notification-fd.license
+++ b/img/app/image/etc/s6-rc/dbus/notification-fd.license
@@ -1,2 +1,2 @@
 SPDX-License-Identifier: CC0-1.0
-SPDX-FileCopyrightText: 2023 Alyssa Ross <hi@alyssa.is>
+SPDX-FileCopyrightText: 2025 Alyssa Ross <hi@alyssa.is>
diff --git a/img/app/image/etc/s6-rc/dbus/run b/img/app/image/etc/s6-rc/dbus/run
index 75e9cab..a609e86 100644
--- a/img/app/image/etc/s6-rc/dbus/run
+++ b/img/app/image/etc/s6-rc/dbus/run
@@ -1,8 +1,17 @@
 #!/bin/execlineb -P
 # SPDX-License-Identifier: EUPL-1.2+
-# SPDX-FileCopyrightText: 2023 Alyssa Ross <hi@alyssa.is>
+# SPDX-FileCopyrightText: 2023, 2025 Alyssa Ross <hi@alyssa.is>
+
+s6-ipcserver-socketbinder -Ba 0770 /run/session-bus
+
+export LISTEN_FDS 1
+getpid LISTEN_PID
+
+fdmove -c 3 0
+redirfd -r 0 /dev/null
 
 dbus-daemon
+  --address systemd:
   --config-file /etc/dbus-1/session.conf
   --nofork
-  --print-address 3
+  --print-address 4
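Review bot: the shift of the readiness fd from 3 to 4 is only implied.
"fdmove -c 3 0" puts the pre-bound socket on fd 3 for "--address
systemd:", which is why --print-address and notification-fd both had to
move. Add a one-line comment above "fdmove -c 3 0" so the three values do
not drift apart. Also say why this socket is bound with "-a 0770" when
the Wayland and PipeWire binders in 03/13 and 05/13 pass no -a, and who
is meant to connect while the socket is still owned by root.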
-- 
2.51.0



* [PATCH 12/13] img/app: add application user
  2025-11-26 21:33 [PATCH 01/13] pkgs: gtk3: backport fix for unset XDG_RUNTIME_DIR Alyssa Ross
                   ` (9 preceding siblings ...)
  2025-11-26 21:34 ` [PATCH 11/13] img/app: dbus: create socket outside daemon Alyssa Ross
@ 2025-11-26 21:34 ` Alyssa Ross
  2025-12-02 12:30   ` Alyssa Ross
  2025-11-26 21:34 ` [PATCH 13/13] img/app: run applications as non-root Alyssa Ross
  2025-12-02 12:30 ` [PATCH 01/13] pkgs: gtk3: backport fix for unset XDG_RUNTIME_DIR Alyssa Ross
  12 siblings, 1 reply; 31+ messages in thread
From: Alyssa Ross @ 2025-11-26 21:34 UTC
  To: devel

We should stop running applications as root, and for applications
like Firefox, we'll need a writable home directory.

Signed-off-by: Alyssa Ross <hi@alyssa.is>
---
 img/app/Makefile         |  2 +-
 img/app/image/etc/fstab  | 13 +++++++------
 img/app/image/etc/group  |  1 +
 img/app/image/etc/passwd |  1 +
 4 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/img/app/Makefile b/img/app/Makefile
index 2838554..ddfc8ef 100644
--- a/img/app/Makefile
+++ b/img/app/Makefile
@@ -30,7 +30,7 @@ $(imgdir)/appvm/blk/root.img: ../../scripts/make-gpt.sh ../../scripts/sfdisk-fie
 	    build/rootfs.erofs:root:5460386f-2203-4911-8694-91400125c604:root
 	mv $@.tmp $@
 
-DIRS = dev run proc sys tmp \
+DIRS = dev home/user run proc sys tmp \
 	etc/s6-linux-init/run-image/pipewire \
 	etc/s6-linux-init/run-image/service \
 	etc/s6-linux-init/run-image/user \
diff --git a/img/app/image/etc/fstab b/img/app/image/etc/fstab
index a466dcc..edd2d7f 100644
--- a/img/app/image/etc/fstab
+++ b/img/app/image/etc/fstab
@@ -1,7 +1,8 @@
 # SPDX-License-Identifier: CC0-1.0
-# SPDX-FileCopyrightText: 2020-2022 Alyssa Ross <hi@alyssa.is>
-proc		/proc		proc	defaults		0	0
-devpts		/dev/pts	devpts	gid=5,mode=620		0	0
-tmpfs		/dev/shm	tmpfs	defaults		0	0
-sysfs		/sys		sysfs	defaults		0	0
-tmpfs		/tmp		tmpfs	defaults		0	0
+# SPDX-FileCopyrightText: 2020-2022, 2025 Alyssa Ross <hi@alyssa.is>
+proc		/proc		proc	defaults			0	0
+devpts		/dev/pts	devpts	gid=5,mode=620			0	0
+tmpfs		/dev/shm	tmpfs	defaults			0	0
+sysfs		/sys		sysfs	defaults			0	0
+tmpfs		/tmp		tmpfs	defaults			0	0
+tmpfs		/home/user	tmpfs	mode=0700,uid=1000,gid=1000	0	0
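Review bot: the new /home/user tmpfs is the one mount in this table that
an unprivileged user owns, and it is mounted with only mode, uid and gid.
Add nosuid,nodev to its options, and a size= cap, since tmpfs pages come
out of guest memory and the application controls how much it writes.
Re-indenting the five existing rows to fit the wider options column also
hides the fact that a single line was added; consider leaving them as
they were.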
diff --git a/img/app/image/etc/group b/img/app/image/etc/group
index 0bf6579..b2c3a2e 100644
--- a/img/app/image/etc/group
+++ b/img/app/image/etc/group
@@ -1,3 +1,4 @@
 wayland:x:1:wayland
 wireplumber:x:2:wireplumber
 pipewire:x:3:pipewire
+user:x:1000:user
diff --git a/img/app/image/etc/passwd b/img/app/image/etc/passwd
index 631554c..08324b0 100644
--- a/img/app/image/etc/passwd
+++ b/img/app/image/etc/passwd
@@ -2,3 +2,4 @@ root:x:0:0:System administrator:/run/root:/bin/sh
 wayland:x:1:1:wayland-proxy-virtwl service user:/:/usr/bin/nologin
 wireplumber:x:2:2:WirePlumber service user:/:/usr/bin/nologin
 pipewire:x:3:3:PipeWire service user:/:/usr/bin/nologin
+user:x:1000:1000:Spectrum application user:/home/user:/bin/sh
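Review bot: the added user entry gets /bin/sh as its shell while every other non-root account in this file uses /usr/bin/nologin, and the commit message does not say why the application user needs a login shell. Patch 13/13 enters the account with s6-setuidgid, which does not consult the shell field, so /usr/bin/nologin would be consistent with the other entries; if /bin/sh is deliberate (for example for applications that spawn the user's shell), a sentence in the commit message would record that.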
-- 
2.51.0


* [PATCH 13/13] img/app: run applications as non-root
  2025-11-26 21:33 [PATCH 01/13] pkgs: gtk3: backport fix for unset XDG_RUNTIME_DIR Alyssa Ross
                   ` (10 preceding siblings ...)
  2025-11-26 21:34 ` [PATCH 12/13] img/app: add application user Alyssa Ross
@ 2025-11-26 21:34 ` Alyssa Ross
  2025-12-01  5:58   ` Demi Marie Obenour
  2025-12-02 12:30   ` Alyssa Ross
  2025-12-02 12:30 ` [PATCH 01/13] pkgs: gtk3: backport fix for unset XDG_RUNTIME_DIR Alyssa Ross
  12 siblings, 2 replies; 31+ messages in thread
From: Alyssa Ross @ 2025-11-26 21:34 UTC (permalink / raw)
  To: devel

The session bus has to run as the same user as the application,
because xdg-desktop-portal expects to be able to open the
application's /proc/pid/root to check if it's a Flatpak.

Signed-off-by: Alyssa Ross <hi@alyssa.is>
---
 img/app/image/etc/s6-rc/app/run        | 13 ++++---------
 img/app/image/etc/s6-rc/dbus-vsock/run |  2 ++
 img/app/image/etc/s6-rc/dbus/run       |  3 +++
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/img/app/image/etc/s6-rc/app/run b/img/app/image/etc/s6-rc/app/run
index 601926b..5ce5b3a 100755
--- a/img/app/image/etc/s6-rc/app/run
+++ b/img/app/image/etc/s6-rc/app/run
@@ -4,15 +4,8 @@
 
 export TMPDIR /run
 
-backtick USER { id -un }
-backtick HOME {
-  importas -i user USER
-  homeof $user
-}
-
-importas -i home HOME
-if { mkdir -p -- $home }
-cd $home
+export HOME /home/user
+cd /home/user
 
 if { /etc/mdev/wait virtiofs0 }
 
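Review bot: the context line export TMPDIR /run above the removed block is left unchanged, but the later hunks in this file make the application run as user. Unless /run is writable by that account, temporary file creation in the application will fail, and if /run is made writable for it the application can create files next to the service sockets (/run/session-bus lives there); pointing TMPDIR at /tmp or a directory under /home/user would avoid both. Also, HOME and the cd target are now the literal /home/user, duplicating the home field added to etc/passwd in 12/13, and with the mkdir -p removed this script depends on the fstab mount being present, which deserves a short comment.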
@@ -22,6 +15,7 @@ foreground {
   case $type {
     appimage {
       if { modprobe fuse }
+      s6-setuidgid user
       export LD_LIBRARY_PATH /lib64
       /run/virtiofs/virtiofs0/config/run
     }
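Review bot: s6-setuidgid user is added inside the appimage branch (and again in the branch touched by the next hunk) rather than in one place, so a future branch of case $type that omits the line will run /run/virtiofs/virtiofs0/config/run as root with no error. The drop cannot simply be hoisted above the case, because modprobe fuse here has to run first as root, so a comment at the top of the case stating that every branch must apply s6-setuidgid user before executing the application, or a shared wrapper for that final exec, would make the invariant visible.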
@@ -32,6 +26,7 @@ foreground {
 	  store /nix/store
       }
 
+      s6-setuidgid user
       /run/virtiofs/virtiofs0/config/run
     }
   }
diff --git a/img/app/image/etc/s6-rc/dbus-vsock/run b/img/app/image/etc/s6-rc/dbus-vsock/run
index 37fae7d..4733bae 100755
--- a/img/app/image/etc/s6-rc/dbus-vsock/run
+++ b/img/app/image/etc/s6-rc/dbus-vsock/run
@@ -14,4 +14,6 @@ systemd-socket-activate -l vsock::219 --now
 if { fdmove 1 3 echo }
 fdclose 3
 
+s6-setuidgid user
+
 socat ACCEPT-FD:4,fork UNIX-CONNECT:/run/session-bus
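Review bot: the added s6-setuidgid user puts the socat proxy under the same account as the application, but the commit message only explains why the session bus itself has to share the application's user. socat only needs to connect to /run/session-bus, which dbus/run creates with mode 0770, so a dedicated service account with group access (as the image already has for wayland, pipewire and wireplumber) would keep the application from being able to signal or trace the vsock proxy. If sharing the account is intentional, the commit message should say why.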
diff --git a/img/app/image/etc/s6-rc/dbus/run b/img/app/image/etc/s6-rc/dbus/run
index a609e86..031d730 100644
--- a/img/app/image/etc/s6-rc/dbus/run
+++ b/img/app/image/etc/s6-rc/dbus/run
@@ -3,6 +3,9 @@
 # SPDX-FileCopyrightText: 2023, 2025 Alyssa Ross <hi@alyssa.is>
 
 s6-ipcserver-socketbinder -Ba 0770 /run/session-bus
+if { chown user: /run/session-bus }
+
+s6-setuidgid user
 
 export LISTEN_FDS 1
 getpid LISTEN_PID
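Review bot: the socket is bound with -a 0770 and then handed over with chown user:, so it stays group-accessible to group user after the change. With the group entry added in 12/13 containing only user itself, 0700 would express the same access more tightly; if the group bits are there so that another account can be given access later, a comment on the s6-ipcserver-socketbinder line should say so.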
-- 
2.51.0


* Re: [PATCH 06/13] img/app: remove XDG_RUNTIME_DIR
  2025-11-26 21:33 ` [PATCH 06/13] img/app: remove XDG_RUNTIME_DIR Alyssa Ross
@ 2025-12-01  5:55   ` Demi Marie Obenour
  2025-12-01 11:24     ` Alyssa Ross
  2025-12-02 12:30   ` Alyssa Ross
  1 sibling, 1 reply; 31+ messages in thread
From: Demi Marie Obenour @ 2025-12-01  5:55 UTC (permalink / raw)
  To: Alyssa Ross, devel


On 11/26/25 16:33, Alyssa Ross wrote:
> Nothing uses this any more, and let's hope it stays that way, because
> it makes it difficult to run services as different users.  Maybe we
> end up finding something that really needs it in the future, but it
> makes things much easier to avoid it for as long as we can.
> 
> Older applications might not support WAYLAND_DISPLAY being absolute,
> but this has been changed in libwayland and GTK.  We don't need to
> support arbitrarily old applications, and this problem will resolve
> itself over time.

Applications may use XDG_RUNTIME_DIR for their own purposes.  I believe
gpg-agent might use it to place its sockets.  This does not mean
that Spectrum-provided sockets need to be in this directory, though.
I would set it to the standard /run/user/$UID where $UID is the user
ID of the application.

If compatibility is a problem, bind mounts are an option.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)


* Re: [PATCH 13/13] img/app: run applications as non-root
  2025-11-26 21:34 ` [PATCH 13/13] img/app: run applications as non-root Alyssa Ross
@ 2025-12-01  5:58   ` Demi Marie Obenour
  2025-12-01 11:31     ` Alyssa Ross
  2025-12-02 12:30   ` Alyssa Ross
  1 sibling, 1 reply; 31+ messages in thread
From: Demi Marie Obenour @ 2025-12-01  5:58 UTC (permalink / raw)
  To: Alyssa Ross, devel


On 11/26/25 16:34, Alyssa Ross wrote:
> The session bus has to run as the same user as the application,
> because xdg-desktop-portal expects to be able to open the
> application's /proc/pid/root to check if it's a Flatpak.

I recommend having the session bus socket in the standard location
in case applications have hard-coded it.  Non-standard locations are
probably not tested at all.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)


* Re: [PATCH 06/13] img/app: remove XDG_RUNTIME_DIR
  2025-12-01  5:55   ` Demi Marie Obenour
@ 2025-12-01 11:24     ` Alyssa Ross
  2025-12-01 19:05       ` Demi Marie Obenour
  0 siblings, 1 reply; 31+ messages in thread
From: Alyssa Ross @ 2025-12-01 11:24 UTC (permalink / raw)
  To: Demi Marie Obenour; +Cc: devel

Demi Marie Obenour <demiobenour@gmail.com> writes:

> On 11/26/25 16:33, Alyssa Ross wrote:
>> Nothing uses this any more, and let's hope it stays that way, because
>> it makes it difficult to run services as different users.  Maybe we
>> end up finding something that really needs it in the future, but it
>> makes things much easier to avoid it for as long as we can.
>> 
>> Older applications might not support WAYLAND_DISPLAY being absolute,
>> but this has been changed in libwayland and GTK.  We don't need to
>> support arbitrarily old applications, and this problem will resolve
>> itself over time.
>
> Applications may use XDG_RUNTIME_DIR for their own purposes.  I believe
> gpg-agent might use it to place its sockets.  This does not mean
> that Spectrum-provided sockets need to be in this directory, though.
> I would set it to the standard /run/user/$UID where $UID is the user
> ID of the application.
>
> If compatibility is a problem, bind mounts are an option.

	If $XDG_RUNTIME_DIR is not set applications should fall back to
	a replacement directory with similar capabilities and print a
	warning message.

We certainly can still set it, but with no definitively known
regressions, and the specification indicating it doesn't have to exist,
I'm not going to block these changes on it.

* Re: [PATCH 13/13] img/app: run applications as non-root
  2025-12-01  5:58   ` Demi Marie Obenour
@ 2025-12-01 11:31     ` Alyssa Ross
  0 siblings, 0 replies; 31+ messages in thread
From: Alyssa Ross @ 2025-12-01 11:31 UTC (permalink / raw)
  To: Demi Marie Obenour; +Cc: devel

Demi Marie Obenour <demiobenour@gmail.com> writes:

> On 11/26/25 16:34, Alyssa Ross wrote:
>> The session bus has to run as the same user as the application,
>> because xdg-desktop-portal expects to be able to open the
>> application's /proc/pid/root to check if it's a Flatpak.
>
> I recommend having the session bus socket in the standard location
> in case applications have hard-coded it.  Non-standard locations are
> probably not tested at all.

We'll tie ourselves in knots if we try to accommodate every compatibility
problem that could possibly exist without knowing that it actually does.
In this case I wouldn't expect it to be very commonly hardcoded because
reading DBUS_SESSION_BUS_ADDRESS is easier than either reading
XDG_RUNTIME_DIR and appending to it, or checking uid and constructing
the path based on that.

* Re: [PATCH 06/13] img/app: remove XDG_RUNTIME_DIR
  2025-12-01 11:24     ` Alyssa Ross
@ 2025-12-01 19:05       ` Demi Marie Obenour
  0 siblings, 0 replies; 31+ messages in thread
From: Demi Marie Obenour @ 2025-12-01 19:05 UTC (permalink / raw)
  To: Alyssa Ross; +Cc: devel


On 12/1/25 06:24, Alyssa Ross wrote:
> Demi Marie Obenour <demiobenour@gmail.com> writes:
> 
>> On 11/26/25 16:33, Alyssa Ross wrote:
>>> Nothing uses this any more, and let's hope it stays that way, because
>>> it makes it difficult to run services as different users.  Maybe we
>>> end up finding something that really needs it in the future, but it
>>> makes things much easier to avoid it for as long as we can.
>>>
>>> Older applications might not support WAYLAND_DISPLAY being absolute,
>>> but this has been changed in libwayland and GTK.  We don't need to
>>> support arbitrarily old applications, and this problem will resolve
>>> itself over time.
>>
>> Applications may use XDG_RUNTIME_DIR for their own purposes.  I believe
>> gpg-agent might use it to place its sockets.  This does not mean
>> that Spectrum-provided sockets need to be in this directory, though.
>> I would set it to the standard /run/user/$UID where $UID is the user
>> ID of the application.
>>
>> If compatibility is a problem, bind mounts are an option.
> 
> 	If $XDG_RUNTIME_DIR is not set applications should fall back to
> 	a replacement directory with similar capabilities and print a
> 	warning message.
> 
> We certainly can still set it, but with no definitively known
> regressions, and the specification indicating it doesn't have to exist,
> I'm not going to block these changes on it.

+1 on not blocking.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)


* Re: [PATCH 01/13] pkgs: gtk3: backport fix for unset XDG_RUNTIME_DIR
  2025-11-26 21:33 [PATCH 01/13] pkgs: gtk3: backport fix for unset XDG_RUNTIME_DIR Alyssa Ross
                   ` (11 preceding siblings ...)
  2025-11-26 21:34 ` [PATCH 13/13] img/app: run applications as non-root Alyssa Ross
@ 2025-12-02 12:30 ` Alyssa Ross
  12 siblings, 0 replies; 31+ messages in thread
From: Alyssa Ross @ 2025-12-02 12:30 UTC (permalink / raw)
  To: Alyssa Ross, devel

This patch has been committed as fc036a3ba19b78740c8f4ad97f050f131a953ab4,
which can be viewed online at
https://spectrum-os.org/git/spectrum/commit/?id=fc036a3ba19b78740c8f4ad97f050f131a953ab4.

This is an automated message.  Send comments/questions/requests to:
Alyssa Ross <hi@alyssa.is>

* Re: [PATCH 02/13] pkgs: s6: backport s6-softlimit -P
  2025-11-26 21:33 ` [PATCH 02/13] pkgs: s6: backport s6-softlimit -P Alyssa Ross
@ 2025-12-02 12:30   ` Alyssa Ross
  0 siblings, 0 replies; 31+ messages in thread
From: Alyssa Ross @ 2025-12-02 12:30 UTC (permalink / raw)
  To: Alyssa Ross, devel

This patch has been committed as 11edc61629134b7359c86935648494162af835ba,
which can be viewed online at
https://spectrum-os.org/git/spectrum/commit/?id=11edc61629134b7359c86935648494162af835ba.

This is an automated message.  Send comments/questions/requests to:
Alyssa Ross <hi@alyssa.is>

* Re: [PATCH 03/13] img/app: wayland-proxy-virtwl: move Wayland socket
  2025-11-26 21:33 ` [PATCH 03/13] img/app: wayland-proxy-virtwl: move Wayland socket Alyssa Ross
@ 2025-12-02 12:30   ` Alyssa Ross
  0 siblings, 0 replies; 31+ messages in thread
From: Alyssa Ross @ 2025-12-02 12:30 UTC (permalink / raw)
  To: Alyssa Ross, devel

This patch has been committed as 471bb54a5ef37a0ef1da2d72e0ac7fddc1bd6b37,
which can be viewed online at
https://spectrum-os.org/git/spectrum/commit/?id=471bb54a5ef37a0ef1da2d72e0ac7fddc1bd6b37.

This is an automated message.  Send comments/questions/requests to:
Alyssa Ross <hi@alyssa.is>

* Re: [PATCH 05/13] img/app: pipewire: move sockets out of XDG_RUNTIME_DIR
  2025-11-26 21:33 ` [PATCH 05/13] img/app: pipewire: move sockets out of XDG_RUNTIME_DIR Alyssa Ross
@ 2025-12-02 12:30   ` Alyssa Ross
  0 siblings, 0 replies; 31+ messages in thread
From: Alyssa Ross @ 2025-12-02 12:30 UTC (permalink / raw)
  To: Alyssa Ross, devel

This patch has been committed as c207d6df61474ca48eba99ec91e4c8bf20c09744,
which can be viewed online at
https://spectrum-os.org/git/spectrum/commit/?id=c207d6df61474ca48eba99ec91e4c8bf20c09744.

This is an automated message.  Send comments/questions/requests to:
Alyssa Ross <hi@alyssa.is>

* Re: [PATCH 04/13] img/app: wayland-proxy-virtwl: run as non-root
  2025-11-26 21:33 ` [PATCH 04/13] img/app: wayland-proxy-virtwl: run as non-root Alyssa Ross
@ 2025-12-02 12:30   ` Alyssa Ross
  0 siblings, 0 replies; 31+ messages in thread
From: Alyssa Ross @ 2025-12-02 12:30 UTC (permalink / raw)
  To: Alyssa Ross, devel

This patch has been committed as cb27e3a573f90004116fa6c02cd46185fa7f8c54,
which can be viewed online at
https://spectrum-os.org/git/spectrum/commit/?id=cb27e3a573f90004116fa6c02cd46185fa7f8c54.

This is an automated message.  Send comments/questions/requests to:
Alyssa Ross <hi@alyssa.is>

* Re: [PATCH 06/13] img/app: remove XDG_RUNTIME_DIR
  2025-11-26 21:33 ` [PATCH 06/13] img/app: remove XDG_RUNTIME_DIR Alyssa Ross
  2025-12-01  5:55   ` Demi Marie Obenour
@ 2025-12-02 12:30   ` Alyssa Ross
  1 sibling, 0 replies; 31+ messages in thread
From: Alyssa Ross @ 2025-12-02 12:30 UTC (permalink / raw)
  To: Alyssa Ross, devel

This patch has been committed as 81dbaeb1b06dc51f3d245cc0d0c2be770fbbf1e0,
which can be viewed online at
https://spectrum-os.org/git/spectrum/commit/?id=81dbaeb1b06dc51f3d245cc0d0c2be770fbbf1e0.

This is an automated message.  Send comments/questions/requests to:
Alyssa Ross <hi@alyssa.is>

* Re: [PATCH 07/13] img/app: wireplumber: run as non-root
  2025-11-26 21:34 ` [PATCH 07/13] img/app: wireplumber: run as non-root Alyssa Ross
@ 2025-12-02 12:30   ` Alyssa Ross
  0 siblings, 0 replies; 31+ messages in thread
From: Alyssa Ross @ 2025-12-02 12:30 UTC (permalink / raw)
  To: Alyssa Ross, devel

This patch has been committed as 8cf9bb50edab12ece53884930600ef6d03b09507,
which can be viewed online at
https://spectrum-os.org/git/spectrum/commit/?id=8cf9bb50edab12ece53884930600ef6d03b09507.

This is an automated message.  Send comments/questions/requests to:
Alyssa Ross <hi@alyssa.is>

* Re: [PATCH 08/13] img/app: pipewire: disable D-Bus
  2025-11-26 21:34 ` [PATCH 08/13] img/app: pipewire: disable D-Bus Alyssa Ross
@ 2025-12-02 12:30   ` Alyssa Ross
  0 siblings, 0 replies; 31+ messages in thread
From: Alyssa Ross @ 2025-12-02 12:30 UTC (permalink / raw)
  To: Alyssa Ross, devel

This patch has been committed as 4aecca7bdad0e493295e22b10644bff62812e891,
which can be viewed online at
https://spectrum-os.org/git/spectrum/commit/?id=4aecca7bdad0e493295e22b10644bff62812e891.

This is an automated message.  Send comments/questions/requests to:
Alyssa Ross <hi@alyssa.is>

* Re: [PATCH 10/13] img/app: pipewire: run as non-root
  2025-11-26 21:34 ` [PATCH 10/13] img/app: pipewire: run as non-root Alyssa Ross
@ 2025-12-02 12:30   ` Alyssa Ross
  0 siblings, 0 replies; 31+ messages in thread
From: Alyssa Ross @ 2025-12-02 12:30 UTC (permalink / raw)
  To: Alyssa Ross, devel

This patch has been committed as decd54105e6a54fee737ea436fcb1642141b337e,
which can be viewed online at
https://spectrum-os.org/git/spectrum/commit/?id=decd54105e6a54fee737ea436fcb1642141b337e.

This is an automated message.  Send comments/questions/requests to:
Alyssa Ross <hi@alyssa.is>

* Re: [PATCH 09/13] img/app: pipewire: stop fighting s6 over lockfiles
  2025-11-26 21:34 ` [PATCH 09/13] img/app: pipewire: stop fighting s6 over lockfiles Alyssa Ross
@ 2025-12-02 12:30   ` Alyssa Ross
  0 siblings, 0 replies; 31+ messages in thread
From: Alyssa Ross @ 2025-12-02 12:30 UTC (permalink / raw)
  To: Alyssa Ross, devel

This patch has been committed as d85f84df025c55c6e6f708b15ee9eba08bd27826,
which can be viewed online at
https://spectrum-os.org/git/spectrum/commit/?id=d85f84df025c55c6e6f708b15ee9eba08bd27826.

This is an automated message.  Send comments/questions/requests to:
Alyssa Ross <hi@alyssa.is>

* Re: [PATCH 11/13] img/app: dbus: create socket outside daemon
  2025-11-26 21:34 ` [PATCH 11/13] img/app: dbus: create socket outside daemon Alyssa Ross
@ 2025-12-02 12:30   ` Alyssa Ross
  0 siblings, 0 replies; 31+ messages in thread
From: Alyssa Ross @ 2025-12-02 12:30 UTC (permalink / raw)
  To: Alyssa Ross, devel

This patch has been committed as bf9578ff3a95db14c71b73239c1493aad0e4422f,
which can be viewed online at
https://spectrum-os.org/git/spectrum/commit/?id=bf9578ff3a95db14c71b73239c1493aad0e4422f.

This is an automated message.  Send comments/questions/requests to:
Alyssa Ross <hi@alyssa.is>

* Re: [PATCH 12/13] img/app: add application user
  2025-11-26 21:34 ` [PATCH 12/13] img/app: add application user Alyssa Ross
@ 2025-12-02 12:30   ` Alyssa Ross
  0 siblings, 0 replies; 31+ messages in thread
From: Alyssa Ross @ 2025-12-02 12:30 UTC (permalink / raw)
  To: Alyssa Ross, devel

This patch has been committed as 7069da49f7240424487c2b3ec34aa477f0d0f2cc,
which can be viewed online at
https://spectrum-os.org/git/spectrum/commit/?id=7069da49f7240424487c2b3ec34aa477f0d0f2cc.

This is an automated message.  Send comments/questions/requests to:
Alyssa Ross <hi@alyssa.is>

* Re: [PATCH 13/13] img/app: run applications as non-root
  2025-11-26 21:34 ` [PATCH 13/13] img/app: run applications as non-root Alyssa Ross
  2025-12-01  5:58   ` Demi Marie Obenour
@ 2025-12-02 12:30   ` Alyssa Ross
  1 sibling, 0 replies; 31+ messages in thread
From: Alyssa Ross @ 2025-12-02 12:30 UTC (permalink / raw)
  To: Alyssa Ross, devel

This patch has been committed as 8bfcbf9014f0405edfd712c9cc367f20f7dbe0c2,
which can be viewed online at
https://spectrum-os.org/git/spectrum/commit/?id=8bfcbf9014f0405edfd712c9cc367f20f7dbe0c2.

This is an automated message.  Send comments/questions/requests to:
Alyssa Ross <hi@alyssa.is>
