Package Management Blows Goats (use cases)

Richard Hughes hughsient at gmail.com
Tue Jul 31 09:36:41 UTC 2007 

On Tue, 2007-07-31 at 05:18 -0400, Alan Cox wrote:
> On Tue, Jul 31, 2007 at 09:51:33AM +0100, Richard Hughes wrote:
> > Toby logs into his desktop. A notification area icon with a critical
> > icon appears in the top right and a libnotify popup tells him there are
> > 3 three critical security updates. The libnotify popup has three
> 
> Who is Toby, is he authorised to install updates ?

I figured security updates could be installed by anyone.

> One big problem throughout the Fedora and RHEL code is that nobody has
> been willing to actually distinguish between install types at install
> time. That is what causes the limits on automounting file systems, it is
> what stops us doing Ubuntu type sudo and it is what breaks this.
> 
> We need to know if the system is
> 	- User managed
> 	- Centrally managed
> 	- Physical access implies control (typical home PC)

Sure. Using PolicyKit we can make this type of distinction, although I
admit we'll probably need something profile based to avoid having 40
billion checkboxes for each policy decision.

> and ask that in a sane fashion

Sure.

> User managed means Toby gets icons, su is the normal path to root etc
> Centrally managed means Toby gets no say, ...
> Physical access implies control means less restrictive automounting of
> USB and other devices, implicit management and control by console user etc

So we define the "management state" of the machine - either locked down
restricted priv library type machine, or normal workstation.

> > Downloading an Unknown Application
> > 
> > Suzanne wants to open a word file. She opens the software finder tool
> > and types "office file" into the search box. A list of software appears,
> 
> You've got a high opinion of end users. Your 'Susan' user may well know
> what an office file is but Bob in packing probably doesn't.

Well, Bob in packaging probably shouldn't be using the computer and
installing software. Even my parents who are complete non-geeks know
they need a spreadsheet program to do "tables and stuff".

> I'd argue the model is
> 
> 	Click file
> 	No application is installed which can handle: Microsoft Worm
> 	Would you like me to search for one to install
> 	Two applications can handle this document
> 
> 		OpenOffice.org (recommended)
> 		Abiword

Yes, this makes a lot of sense in my book.

> > highlight it, and clicks "Install now". Suzanne is not an administrator,
> > but because she is locally logged in and the package is from the "fedora
> > GPG signed repository" the root password is not required. A notification
> 
> You're security model is wrong. Badly wrong actually. You've
> elevated every single "system with obscure package X can be compromised"
> to "any system the user has access to can be compromised" - which takes us
> back to 'who is toby'. If Toby is the owner/sole real user of a home
> PC system then its probably a non-issue. If the system is a corporate
> desktop then its bad news.

Sure, this stuff has to be easily configurable by the admin else we are
breaking lots of security models. Maybe a better policy would be "any
LDAP logged in user is allowed to install software from
acme-corporate-rpms but not from fedora" - but you get the idea.

> > Simon wants to borrow the computer while Suzanne waits for OpenOffice to
> > download. He uses fast-user switching to switch to a new login. He
> 
> Needs revoke which is getting very slow progress in the kernel side 
> alas but eventually may get there. I have it on my kernel summit big stick
> including some interesting (non public) demonstrations of why we need it.

Yes. Take a stapler gun and start firing it into the air until it's
merged. Seriously tho, even without revoke we can still do 90% of the
fast user switch stuff.

> > Suzanne switches back to her session and wants to add some clipart to
> > the word file she has just opened. She clicks "Insert" and then
> > "Clipart" and then a windows pops up telling her that clipart is not
> > installed. She clicks "Install" and a progress bar appears and moves
> > across as the clipart is downloaded and then installs. When finished,
> > the dialog disappears and she chooses a picture of a cat.
> > 
> > Comments?
> 
> Very much the right model but not pushed far enough. I'd also expect to be
> able to see a variety of free web clip art sources offered and usable
> automatically, along with a youtube or similar video source of tutorials
> and examples.

Sure, but feature creep :-)

Thanks for your feedback, appreciated.

Richard.

More information about the fedora-devel-list mailing list