[maemo-developers] 'Locking down' software installation

From: José Dapena Paz jdapena at igalia.com
Date: Fri Feb 16 10:58:27 EET 2007
On Thu, 15-02-2007 at 13:07 +0200, Marius Vollmer wrote:

> There is going to be a 'meta' package that represents the whole
> operating system.  Updates to the OS are done by updating this meta
> package in the Application Manager.  The meta package will have
> dependencies on all packages with their exact versions that make up
> the official OS releases.  The Application Manager will not allow the
> removal of the meta package.

	Good point. This package installation can even be enforced through the
Debian package system so that even apt/dpkg warns when trying to remove
it (marking the package Priority as "required", maybe?).

	In general, the idea of identifying with this package version the exact
set of packages running should make life easier for debugging, or even
for third parties that could simply depend on the expected minimum
required version of this package.

> The set of trusted sources will be under control of a power-user: you
> can just add some GPG keys to the right place, but there is no UI to
> do it.  You can also switch the whole lock-down machinery off by going
> to red-pill mode.

	Disabling lock down from red pill mode is ok. But I don't agree on
forcing users to add the GPG keys without a UI. In Ubuntu, this method is
used, and then you find that every third party instructs end-users to add
their key without thinking about what they're doing (opening a shell and
running apt-key tools).

	At least adding key management in red pill mode and recommending it as
the standard way for adding new trusted sources will enable the app
manager to show at least warning messages. Then third party developers
should be encouraged to suggest this method if they want anyone to add trusted
	Of course, it doesn't solve the problem of someone suggesting to use
the shell methods, but at least there's a GUI path.

> So whaddaya think?  Useful?  Too painful?  Too difficult to escape
> from?

	Useful, yes. Not very painful.

	It's important to state that software in general shouldn't depend on
the metapackage, as it will prevent power users from being able to
install the proper software if they've removed the metapackage to run
their own setups.

> Some variants that come to mind:
> The meta package could depend on 'this version or later' of a package
> instead of on "exactly this version'.  That would allow it to control
> the update just as much, but would not lock down the configuration of
> the device so much.  The motivation for this lock-down of the device
> configuration is that Nokia (probably, IANAL) doesn't want to support
> any other configuration, and having to 'hack' your system via the
> red-pill mode or similar is a good indication that you are now on your
> own.

	It wouldn't do the job. Then it's of no use.

	One important point. The set of libraries and the basic desktop (gtk,
maemo af desktop, ...), the basic apps (web browser, etc.) installed, and
the complementary tools (calculator, etc.) are not the same thing.
Different "system" metapackages should be provided for all of them, so
the power user can decide to stay on the Nokia baseline for libraries
and desktop, but not for some specific tools. Deciding which system
metapackages are good will probably be a key decision to make the idea
> (And please understand that all this has nothing to do with preventing
> bad software from doing bad things on your device; it is just about
> giving the user an indication that something fishy is happening (by
> accident) that he probably didn't intend to happen.)

	Yes. All of this is related to root privilege operations. If there's
some way to only add sudoable software, or software that modifies certain
setup directories, from trusted sources or in red pill mode, it will
help. But it's definitely a different problem, and very complex.

José Dapena Paz <jdapena at igalia.com>
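The meta package mechanism discussed above can be sketched in shell. This is an added example, not code from the thread or from the maemo project: it renders a Debian control stanza that pins every baseline package with an exact-version dependency and sets Priority: required (the suggestion from the reply), and it compares an installed set against those pins to surface the "something fishy" drift the meta package is meant to reveal. The package names, versions and the meta package name "maemo-os" are constructed sample data, not real release contents.

```shell
#!/bin/sh
# Added example (not from the maemo-developers thread or the maemo project).
# BASELINE is constructed sample data: "package version" per line. The
# names and versions are hypothetical, not a real OS release.
BASELINE='libgtk2.0-0 2:2.6.10-1sample1
maemo-af-desktop 1:2.0.25-1sample1
osso-browser 2.0.4-1sample1'

# Render a control stanza for the meta package: each baseline package is
# pinned with "(= exact version)", and Priority: required so dpkg/apt warn
# before removal. Meta package name/version are hypothetical arguments.
gen_meta_control() {
  # $1 = meta package name, $2 = meta package version, stdin = baseline
  deps=$(awk '{ printf "%s%s (= %s)", sep, $1, $2; sep = ", " }')
  printf 'Package: %s\nVersion: %s\nPriority: required\nArchitecture: all\n' "$1" "$2"
  printf 'Depends: %s\n' "$deps"
  printf 'Description: Whole-OS meta package (exact-version pins)\n'
}

# Compare an installed set against the baseline. Prints one line per
# drifted package ("pkg baseline-version installed-version", or MISSING)
# and returns 1 if anything differs, 0 if the device matches the pins.
check_pins() {
  # $1 = baseline text, $2 = installed text (same "pkg ver" format)
  diffs=$(printf '%s\n' "$1" | awk -v inst="$2" '
    BEGIN {
      n = split(inst, lines, "\n")
      for (i = 1; i <= n; i++) { split(lines[i], f, " "); have[f[1]] = f[2] }
    }
    {
      if (!($1 in have))      print $1, $2, "MISSING"
      else if (have[$1] != $2) print $1, $2, have[$1]
    }')
  [ -z "$diffs" ] && return 0
  printf '%s\n' "$diffs"
  return 1
}
```

Source the file and feed `gen_meta_control` the baseline on stdin (`printf '%s\n' "$BASELINE" | gen_meta_control maemo-os 1.0-1`); on a real device the installed list for `check_pins` would come from `dpkg-query -W -f '${Package} ${Version}\n'`, which is assumed rather than exercised here. A non-zero return from `check_pins` is exactly the state where the exact-version meta package would refuse to stay installed.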
