[maemo-developers] 'Locking down' software installation

From: Marius Vollmer marius.vollmer at nokia.com
Date: Thu Feb 15 13:07:45 EET 2007

We are planning to put some features into the Application Manager that
will make it more restrictive when handling the packages that make up
the operating system itself (as opposed to third party applications).

We would like to get your feedback on these plans, both from the
end-user point of view and from the point of view of package

In the future, we hope to be able to provide official updates to the
operating system itself via packages, and we need to give the
end-users the confidence that when they intend to install a Nokia
provided operating system update, they actually get what they think
they are getting.

As for the concrete plan:

There is going to be a 'meta' package that represents the whole
operating system.  Updates to the OS are done by updating this meta
package in the Application Manager.  The meta package will have
dependencies on all packages with their exact versions that make up
the official OS releases.  The Application Manager will not allow the
removal of the meta package.

This means that the Application Manager will not allow you to update
individual OS packages (or to install third party applications that
require this), since you would have to remove the meta package for
that.  It is still possible to install additional 'system' packages,
just not to upgrade already installed ones.

A second new feature is that the Application Manager will distinguish
between "trusted sources" and "non-trusted sources" (based on the key
used to sign the corresponding repository).  A package that has
originally been installed from a trusted source will only be allowed
to be updated (or replaced) from a trusted source.  The flash image is
also treated as a trusted source, so you will only be able to update
packages that are pre-installed in the device from trusted sources.

This makes it easier for the user to be sure that he doesn't pick up
unwanted system software updates by accident.

The set of trusted sources will be under control of a power-user: you
can just add some GPG keys to the right place, but there is no UI to
do it.  You can also switch the whole lock-down machinery off by going
to red-pill mode.
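To make the two rules above concrete, here is a small model of the proposed policy (an added illustration, not code from the Application Manager or from this post): the OS meta package cannot be removed and pins exact versions, a package that came from a trusted source or the flash image may only be replaced from a trusted source, and red-pill mode switches the whole check off. All package names, versions, key ids and the sample device state are constructed for the example.

```python
from dataclasses import dataclass

OS_META = "os-meta"                  # constructed name of the OS meta package
TRUSTED_KEYS = {"nokia-os-key"}      # constructed key ids of trusted repositories

@dataclass
class Repo:
    name: str
    signing_key: str = ""            # "" means the repository is unsigned
    def trusted(self):
        return self.signing_key in TRUSTED_KEYS

@dataclass
class Installed:
    version: str
    from_trusted: bool               # True for flash image or a trusted repository

@dataclass
class Device:
    installed: dict                  # package name -> Installed
    meta_depends: dict               # exact versions pinned by the OS meta package
    red_pill: bool = False           # red-pill mode switches the lock-down off

def check_remove(dev, name):
    """Removal of the meta package is refused outside red-pill mode."""
    if dev.red_pill:
        return True, "red-pill mode: lock-down disabled"
    if name == OS_META:
        return False, f"{OS_META} cannot be removed"
    return True, "ok"

def check_install(dev, name, version, repo):
    """Decide whether `name` may be installed or upgraded to `version` from `repo`."""
    if dev.red_pill:
        return True, "red-pill mode: lock-down disabled"
    if name == OS_META:              # the official OS update path
        if repo.trusted():
            return True, "OS update from trusted source"
        return False, f"{OS_META} may only be updated from a trusted source"
    pinned = dev.meta_depends.get(name)
    if pinned is not None and pinned != version:   # would need the meta package removed
        return False, f"{name} is pinned to {pinned} by {OS_META}"
    cur = dev.installed.get(name)
    if cur is not None and cur.from_trusted and not repo.trusted():
        return False, f"{name} came from a trusted source; {repo.name} is not trusted"
    return True, "ok"                # new 'system' packages may still be added

DEVICE = Device(installed={OS_META: Installed("2007.1", True), "libhildon": Installed("1.0.1", True),
                           "foo-app": Installed("0.5", False)},
                meta_depends={"libhildon": "1.0.1", "busybox": "1.1.3"})
NOKIA = Repo("nokia-updates", "nokia-os-key")
EXTRAS = Repo("maemo-extras", "extras-key")
```

Note that an upgrade of a pinned package is refused even from the trusted repository, since only an update of the meta package itself may move those versions.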

So whaddaya think?  Useful?  Too painful?  Too difficult to escape

Some variants that come to mind:

The meta package could depend on 'this version or later' of a package
instead of on 'exactly this version'.  That would allow it to control
the update just as much, but would not lock down the configuration of
the device so much.  The motivation for this lock-down of the device
configuration is that Nokia (probably, IANAL) doesn't want to support
any other configuration, and having to 'hack' your system via the
red-pill mode or similar is a good indication that you are now on your

The locked-down upgrade path could support more than one set of
trusted sources down to the granularity of repositories.  This would
allow other parties than Nokia to make use of this feature.  That's
just a smop and might be done.

(And please understand that all this has nothing to do with preventing
bad software from doing bad things on your device; it is just about
giving the user an indication that something fishy is happening (by
accident) that he probably didn't intend to happen.)
