Package Management Blows Goats (use cases)

Alan Cox alan at redhat.com
Tue Jul 31 09:18:13 UTC 2007


On Tue, Jul 31, 2007 at 09:51:33AM +0100, Richard Hughes wrote:
> Toby logs into his desktop. A notification area icon with a critical
> icon appears in the top right and a libnotify popup tells him there are
> three critical security updates. The libnotify popup has three

Who is Toby, is he authorised to install updates?

One big problem throughout the Fedora and RHEL code is that nobody has
been willing to actually distinguish between install types at install
time. That is what causes the limits on automounting file systems, it is
what stops us doing Ubuntu type sudo and it is what breaks this.

We need to know if the system is
	- User managed
	- Centrally managed
	- Physical access implies control (typical home PC)

and ask that in a sane fashion

User managed means Toby gets icons, su is the normal path to root etc
Centrally managed means Toby gets no say, ...
Physical access implies control means less restrictive automounting of
USB and other devices, implicit management and control by console user etc

> Downloading an Unknown Application
> 
> Suzanne wants to open a word file. She opens the software finder tool
> and types "office file" into the search box. A list of software appears,

You've got a high opinion of end users. Your 'Susan' user may well know
what an office file is but Bob in packing probably doesn't.

I'd argue the model is

	Click file
	
	No application is installed which can handle: Microsoft Worm

	Would you like me to search for one to install

	Two applications can handle this document

		OpenOffice.org (recommended)
		Abiword

	..


> highlight it, and clicks "Install now". Suzanne is not an administrator,
> but because she is locally logged in and the package is from the "fedora
> GPG signed repository" the root password is not required. A notification

Your security model is wrong. Badly wrong actually. You've
elevated every single "system with obscure package X can be compromised"
to "any system the user has access to can be compromised" - which takes us
back to 'who is toby'. If Toby is the owner/sole real user of a home
PC system then it's probably a non-issue. If the system is a corporate
desktop then it's bad news.

> Simon wants to borrow the computer while Suzanne waits for OpenOffice to
> download. He uses fast-user switching to switch to a new login. He

Needs revoke, which is getting very slow progress on the kernel side
alas but eventually may get there. I have it on my kernel summit big stick
including some interesting (non public) demonstrations of why we need it.

> Suzanne's download is still in progress. He starts Pidgin which then
> crashes. The bug-buddy window appears which prompts him to install the
> debuginfo so a valid backtrace can be detected. He clicks yes, and a
> libnotify window appears telling Simon that the request has been queued
> and that he will be notified when the debuginfo has been installed. When
> installed, the bug-buddy helper continues and submits a valid bug.

Yep

> Suzanne switches back to her session and wants to add some clipart to
> the word file she has just opened. She clicks "Insert" and then
> "Clipart" and then a windows pops up telling her that clipart is not
> installed. She clicks "Install" and a progress bar appears and moves
> across as the clipart is downloaded and then installs. When finished,
> the dialog disappears and she chooses a picture of a cat.
> 
> Comments?

Very much the right model but not pushed far enough. I'd also expect to be
able to see a variety of free web clip art sources offered and usable
automatically, along with a youtube or similar video source of tutorials
and examples.

Alan