
Re: DEITY TEAM -- REQUEST FOR FUNCTIONALITY and COMMENTS



Peter,

	Thank you for the request for ideas and desires regarding the next
improvement to the debian package management system.

	1. Scripts provided by the package writer should only have access to
		files and directories specifically approved by the installer.
	2. Most packages do not need to alter existing system directories
		or files, and should be installed and tested by an
		unprivileged user (specified by the installer) in a directory
		chosen by the installer, and under which package scripts can
		create and modify files.
	3. After testing, the installer should use ln -s, ln, or cp (as chosen
		by the installer) to integrate the package executables and
		files into the system.

	Ray Ingles and I have spent some time discussing improvements
to dpkg/dselect to permit users to take advantage of its dependency
tracking without the security vulnerability entailed in always running it
as root.  The following is a first draft of a processing model (similar
to the ISO network model) that hopes to provide the following:

	1. Host selectable security - the installer chooses what level of
		trust (unprivileged, privileged, root) to grant to the
		package scripts.
	2. Host testing - before the package is seen by other users, the
		installer can test the package
	3. Portability - package writer can assume a single (or small number)
		of directories in which to create, modify, compile, configure,
		files and executables, independent of the platform or host

			---- cut here ----
* Project: debian
  File:    RFC: dpkg target model
  Author:  Raymond A. Ingles
           Dr. Robert J. Meier, Jr.
  History: 97-04-03 -rjm- file creation



* Goals


** ease of use
The package provider and the installation process should automate as much
of the installation and removal as feasible for ease of use.
All operations should have defaults to support ease of use.


** security
As far as possible, malicious or buggy package installation should not
endanger existing installations.
All default operations should be defined by the install procedure so as not
to endanger existing installations.
All package-suggested operation parameters must be individually approvable
by the human installer.
Successful or unsuccessful installation is completely reversible.


** flexibility
As far as possible, package installation should be configurable by the
host to meet individual user needs and concerns.
As far as possible, package installation should be configurable by the
host to meet individual package needs and concerns.
All install operation parameters should be selectable by the installer.
All install operation parameters should be suggestible by the package.


** repeatability
As far as possible, package installation should produce the same behavior
on different hosts (e.g. the package provider and the user).
By default, installation will be done under a single host-selected directory
with an image equivalent on the user host to that to the package provider host.



* For design purposes, installation is divided into the following phases.


** (Template)
	Each phase needs to provide answers to each of the following
questions.  The answers must express the minimum/default/maximum
supplied by/required from the package/host.

*** System privileges

*** Host information

*** Package information

*** Intended results

*** Prior assumptions

*** Actions

*** Validation

*** Customization


** Download

*** System privileges
Minimum supplied by host: write a host-specified file as $DOWNLOADER.
Default supplied by host: write a host-specified file as $DOWNLOADER.
Maximum supplied by host: write host-specified files as $DOWNLOADER

*** Host information
Minimum supplied by host: $PACKAGEROOT
Default supplied by host: $PACKAGEROOT
Maximum supplied by package: filenames

*** Package information
Minimum supplied by package: number and description of required files and directories.
Default supplied by package: number and description of required files (1) and directories (1)

*** Intended results
Minimum supplied by host: transfer the package to local file system
Default supplied by host: transfer the package to local file system
Maximum supplied by host: transfer the package to local file system
Minimum supplied by package: from package file
Default supplied by package: ftp, cd-read, floppy-read
Maximum supplied by package: from net, cd, floppies, tape, etc.

*** Prior assumptions
Minimum supplied by package: the complete package is transferable as a
	single file
Default supplied by package: the complete package is a compressed tar file

*** Actions
Minimum supplied by host: Create a specified file in (a directory chosen by host) writable by $DOWNLOADER.
Default supplied by host: Create the $PACKAGEROOT directory under $INSTALLER ownership.
Default supplied by host: Create a specified file in $PACKAGEROOT writable by $DOWNLOADER.
Maximum supplied by host: Create other directories under $INSTALLER ownership.
Maximum supplied by host: Create specified files in specific directories writable by $DOWNLOADER.

*** Validation
Minimum supplied by host: none
Default supplied by host: file length verification
Minimum required by package: none
Default supplied by package: none

*** Customization
Minimum supplied by host: none
Default supplied by host: none
Maximum supplied by host: none
Minimum supplied by package: none
Default supplied by package: none
Maximum supplied by package: none



** Extraction

*** System privileges
Minimum supplied by host: create files and directories under $PACKAGEROOT as $INSTALLER.
Default supplied by host: create files and directories under $PACKAGEROOT as $INSTALLER.
Maximum supplied by host: create files and directories under host-specified directories as $INSTALLER.
Default required by package: create files and directories under $PACKAGEROOT as $INSTALLER.

*** Host information
Minimum supplied by host: $PACKAGEROOT
Default supplied by host: $PACKAGEROOT
Maximum supplied by package: filenames and directories relative to host-specified roots

*** Package information
Minimum supplied by package: extraction method (tar -zxvf)
Minimum supplied by package: licensing restrictions (tar -zxvf)
Default supplied by package: number of required directories (1) and human description of extra directories
Default supplied by package: extraction method (tar -zxvf)
Default supplied by package: minimum hardware/firmware requirements
Default supplied by package: licensing restrictions (tar -zxvf)

*** Intended results
Minimum supplied by host: duplicate image of the package provider's local file system under single host-chosen root directory
Default supplied by host: duplicate image of the package provider's local file system under single host-chosen root directory
Maximum supplied by host: duplicate image of the package provider's local file system under single host-chosen root directory

*** Prior assumptions
Minimum supplied by package: buildable from local file system under a few host-chosen root directories
Maximum supplied by package: buildable from local file system under single host-chosen root directory
Default supplied by package: buildable from local file system under single host-chosen root directory

*** Actions
Minimum supplied by host: Decompress and expand a specified file as $EXTRACTOR under $PACKAGEROOT.
Default supplied by host: Decompress and expand a specified file as $EXTRACTOR under $PACKAGEROOT.
Maximum supplied by host: Decompress and expand specified files as $EXTRACTOR under host-chosen directories.

*** Validation
Minimum supplied by host: none
Default supplied by host: file size and list verification
Minimum supplied by package: none
Maximum supplied by package: file size and manifest

*** Customization
Minimum supplied by host: none
Default supplied by host: none
Maximum supplied by host: prompt for operator approval with description
	deny script authority, pause installation (default), examine script
	execute script as $INSTALLER
Minimum supplied by package: none
Default supplied by package: none
Maximum supplied by package: script and description
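As an added illustration (not part of the RFC, dpkg, or the authors' work), here is what the two defensive pieces of the Extraction phase can look like in POSIX sh: a check, run on the archive listing before anything is unpacked, that every member stays under the single $PACKAGEROOT this phase is allowed to write, and the "file size and manifest" validation. The manifest format (one "<bytes> <path relative to $PACKAGEROOT>" line per file) is an assumption of this example; the RFC does not define one.

```shell
#!/bin/sh
# Added example (not from the RFC): Extraction-phase checks that enforce the
# phase's privilege "create files and directories under $PACKAGEROOT as
# $INSTALLER". Meant to run as $INSTALLER, never as root.

# check_archive_paths: reads archive member names on stdin (for instance the
# output of `tar -tzf pkg.tar.gz`) and fails if any member would land outside
# the extraction root: an absolute name, or one containing a '..' component.
# Checking the listing before tar runs keeps the result independent of which
# tar implementation the host happens to have.
check_archive_paths() {
    status=0
    while IFS= read -r name; do
        case $name in
            /*|..|../*|*/..|*/../*)
                echo "rejected member: $name" >&2
                status=1 ;;
        esac
    done
    return $status
}

# check_manifest PACKAGEROOT MANIFEST: the RFC's "file size and manifest"
# validation. The manifest format is an assumption of this example: one
# "<bytes> <path relative to PACKAGEROOT>" line per file. Fails if a listed
# file is missing or its size differs from the manifest.
check_manifest() {
    pkgroot=$1; manifest=$2; status=0
    while read -r expected rel; do
        [ -n "$rel" ] || continue          # skip blank or malformed lines
        f=$pkgroot/$rel
        if [ ! -f "$f" ]; then
            echo "missing: $rel" >&2; status=1; continue
        fi
        actual=$(wc -c < "$f" | tr -d ' ')
        if [ "$actual" -ne "$expected" ]; then
            echo "size mismatch: $rel ($actual != $expected)" >&2; status=1
        fi
    done < "$manifest"
    return $status
}

# extract_package ARCHIVE PACKAGEROOT MANIFEST: the phase's default action
# ("decompress and expand a specified file under $PACKAGEROOT"), gated by
# both checks. A rejected archive never touches the file system.
extract_package() {
    archive=$1; pkgroot=$2; manifest=$3
    tar -tzf "$archive" | check_archive_paths || return 1
    mkdir -p "$pkgroot" || return 1
    tar -xzf "$archive" -C "$pkgroot" || return 1
    check_manifest "$pkgroot" "$manifest"
}
```

The path check is deliberately strict rather than clever: it does not try to normalise names, it just refuses anything absolute or containing '..', which is all a package confined to one root ever needs.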


** Setup
This will normally be a no-op, since by default, the extracted file system
image is sufficient.

*** System privileges
Minimum supplied by host: create files and directories under $PACKAGEROOT as $INSTALLER.
Default supplied by host: create files, links, nodes, directories, etc. under $PACKAGEROOT as $INSTALLER.
Maximum supplied by host: create files, links, nodes, directories, etc. under $PACKAGEROOT as $INSTALLER.
Default required by package: create files, links, nodes, directories, etc. under $PACKAGEROOT as $INSTALLER.

*** Host information
Minimum supplied by host: $PACKAGEROOT
Default supplied by host: $PACKAGEROOT
Default supplied by package: none

*** Package information
Minimum supplied by package: none
Default supplied by package: none
Maximum supplied by package: script to execute as $INSTALLER.

*** Intended results
Minimum supplied by host: duplicate build environment designed by package provider
Default supplied by host: duplicate build environment designed by package provider
Maximum supplied by host: duplicate build environment designed by package provider

*** Prior assumptions
Minimum supplied by package: duplicated environment limited by the installation procedure is sufficient to build the package
Default supplied by package: duplicated environment limited by the installation procedure is sufficient to build the package

*** Actions
Minimum supplied by host: none
Default supplied by host: none
Maximum supplied by host: execute script as $INSTALLER

*** Validation
Minimum supplied by host: none
Default supplied by host: file size and list verification
Minimum supplied by package: none
Maximum supplied by package: file size and manifest

*** Customization
Minimum supplied by host: none
Default supplied by host: none
Maximum supplied by host: prompt for operator approval with description
	deny script authority, pause installation (default), examine script
	execute script
Minimum supplied by package: none
Default supplied by package: none
Maximum supplied by package: perl script and description


** Configuration

*** System privileges
Minimum supplied by host: execute scripts relative to $PACKAGEROOT as $INSTALLER.
Default supplied by host: execute scripts relative to $PACKAGEROOT as $INSTALLER.
Maximum supplied by host: execute scripts relative to host-specified directories as $INSTALLER.
Default required by package: execute scripts relative to $PACKAGEROOT as $INSTALLER.

*** Host information
Minimum supplied by host: $PACKAGEROOT
Default supplied by host: sh, perl, bash
Default supplied by package: none

*** Package information
Minimum supplied by package: none
Default supplied by package: make config
Maximum supplied by package: script to execute as $INSTALLER.

*** Intended results
Minimum supplied by package: generate default Makefiles
Default supplied by package: probe machine for common configuration variations
Default supplied by package: generate human readable configuration file
Maximum supplied by package: interactively query human for all configuration variations

*** Prior assumptions
Maximum required by package: build environment is duplicated correctly
Default required by package: build environment is duplicated correctly

*** Actions
Minimum supplied by host: execute script as $INSTALLER
Default supplied by host: execute script as $INSTALLER
Maximum supplied by host: execute script as $INSTALLER

*** Validation
Minimum supplied by host: none
Default supplied by host: none
Minimum supplied by package: none
Default supplied by package: none

*** Customization
Minimum supplied by host: none
Default supplied by host: none
Maximum supplied by host: prompt for operator approval with description
	deny script authority, pause installation (default), examine script
	execute script
Minimum supplied by package: none
Default supplied by package: none
Maximum supplied by package: script and description


** Customization
This will normally be a no-op, since by default, configuration should
be sufficient.

*** System privileges
Minimum supplied by host: create files and directories under $PACKAGEROOT as $INSTALLER.
Default supplied by host: create files, links, nodes, directories, etc. under $PACKAGEROOT as $INSTALLER.
Maximum supplied by host: create files, links, nodes, directories, etc. under $PACKAGEROOT as $INSTALLER.
Default required by package: none

*** Host information
Minimum supplied by host: $PACKAGEROOT
Default supplied by host: $PACKAGEROOT
Default supplied by package: none

*** Package information
Minimum supplied by package: none
Default supplied by package: none
Maximum supplied by package: human readable procedure

*** Intended results
Minimum supplied by host: none
Default supplied by host: none

*** Prior assumptions
Minimum supplied by package: duplicated environment ready for automatic build
Default supplied by package: duplicated environment ready for automatic build

*** Actions
Minimum supplied by host: none
Default supplied by host: none
Maximum supplied by host: execute script as $INSTALLER

*** Validation
Minimum supplied by host: none
Default supplied by host: none
Minimum supplied by package: none
Maximum supplied by package: none

*** Customization
Minimum supplied by host: none
Default supplied by host: none
Maximum supplied by host: prompt for operator approval with description
	deny script authority, pause installation (default), examine script
	execute script
Minimum supplied by package: none
Default supplied by package: none
Maximum supplied by package: perl script and description


** Build
This will normally be totally automatic after proper configuration.

*** System privileges
Minimum supplied by host: execute scripts under $PACKAGEROOT as $INSTALLER.
Default supplied by host: execute scripts under $PACKAGEROOT as $INSTALLER.
Maximum supplied by host: execute scripts under $PACKAGEROOT as $INSTALLER.
Default required by package: execute scripts under $PACKAGEROOT as $INSTALLER.

*** Host information
Minimum supplied by host: $PACKAGEROOT
Default supplied by host: $PACKAGEROOT
Default supplied by package: none

*** Package information
Minimum supplied by package: Makefile(s)
Default supplied by package: Makefile(s)
Maximum supplied by package: executable scripts

*** Intended results
Minimum supplied by host: testable installation of package
Default supplied by host: usable installation of package

*** Prior assumptions
Minimum supplied by package: duplicated environment ready for automatic build
Default supplied by package: duplicated environment ready for automatic build

*** Actions
Minimum supplied by host: make under $PACKAGEROOT as $INSTALLER.
Default supplied by host: make under $PACKAGEROOT as $INSTALLER.
Maximum supplied by host: make under $PACKAGEROOT as $INSTALLER.

*** Validation
Minimum supplied by host: none
Default supplied by host: make under $PACKAGEROOT as $INSTALLER.
Minimum supplied by package: none
Default supplied by package: Makefiles
Maximum supplied by package: complete regression suite

*** Customization
Minimum supplied by host: none
Default supplied by host: none
Maximum supplied by host: prompt for operator approval with description
	deny script authority, pause installation (default), examine script
	execute script
Minimum supplied by package: none
Default supplied by package: none
Maximum supplied by package: perl script and description


** Soak
This will normally be a totally non-automatic check by the human installer
before integration.
The human installer will usually change username and group to an unprivileged
user otherwise typical of the expected user community.
Temporary environment variables (e.g. $PATH) will point the test user to
$PACKAGEROOT/...

*** System privileges
Minimum supplied by host: execute scripts under $PACKAGEROOT as $INSTALLER.
Default supplied by host: execute scripts under $PACKAGEROOT as $INSTALLER.
Maximum supplied by host: execute scripts under $PACKAGEROOT as $INSTALLER.
Maximum supplied by package: none

*** Host information
Minimum supplied by host: $PACKAGEROOT
Default supplied by host: $PACKAGEROOT
Maximum supplied by package: none

*** Package information
Maximum supplied by package: none

*** Intended results
Minimum supplied by host: confidence that the package is non-destructive
Default supplied by host: confidence that the package is non-destructive
Default supplied by host: confidence that the package is fit for use

*** Prior assumptions
Minimum supplied by host: package is completely built
Default supplied by host: package is completely built

*** Actions
Minimum supplied by host: pause installation procedure
Default supplied by host: pause installation procedure
Maximum supplied by host: pause installation procedure

*** Validation
Minimum supplied by host: none
Default supplied by host: none
Maximum supplied by package: none

*** Customization
Maximum supplied by host: none
Minimum supplied by package: none
Default supplied by package: none
Maximum supplied by package: human readable description


** Integration
This will normally be totally automatic according to local configuration
files.

*** System Privileges
Minimum supplied by host: execute scripts under $PACKAGEROOT as $TOOLMANAGER
Default supplied by host: execute scripts under $PACKAGEROOT as $TOOLMANAGER
Maximum supplied by host: tools are not writable by group bin or other.
	(lest they be vulnerable during installation by tool.bin)
Maximum required by package: none

*** Host information
Minimum supplied by host: $PACKAGEROOT
Default supplied by host: $PACKAGEROOT
Default supplied by package: none

*** Package information
Maximum supplied by package: none

*** Intended results
Minimum supplied by host: package ready for use
Default supplied by host: package ready for use

*** Prior assumptions
Minimum supplied by package: package tested and found satisfactory
Default supplied by package: package tested and found satisfactory

*** Actions
Minimum supplied by host: recursively walk $PACKAGEROOT/[bin doc lib etc]
			  and create matching directory under $TOOLROOT
Minimum supplied by host: create symbolic links from files under
			  $PACKAGEROOT/[bin doc lib etc] to matching files
			  under $TOOLROOT
Default supplied by host: recursively walk $PACKAGEROOT/$STDDIRS
			  and create matching directory under $TOOLROOT
Default supplied by host: create symbolic links from files under
			  $PACKAGEROOT/$STDDIRS to matching files
			  under $TOOLROOT
Maximum supplied by package: none

*** Validation
Minimum supplied by host: none
Default supplied by host: none
Maximum supplied by package: none

*** Customization
Minimum supplied by host: none
Default supplied by host: none
Maximum supplied by package: human readable description


** Cleanup
This will normally be totally automatic according to local configuration
files.

*** System Privileges
Minimum supplied by host: write directories under $PACKAGEROOT as $INSTALLER
Default supplied by host: write directories under $PACKAGEROOT as $INSTALLER
Maximum required by package: write directories under $PACKAGEROOT as $INSTALLER

*** Host information
Minimum supplied by host: $PACKAGEROOT
Default supplied by host: $PACKAGEROOT
Default supplied by package: none

*** Package information
Maximum supplied by package: list of files, nodes, directories, ... under $PACKAGEROOT to remove

*** Intended results
Minimum supplied by host: reclaim disk space no longer necessary for package use
Default supplied by host: reclaim disk space no longer necessary for package use

*** Prior assumptions
Minimum supplied by package: package integrated and found satisfactory
Default supplied by package: package integrated and found satisfactory

*** Actions
Minimum supplied by host: remove named files, nodes, directories, ... under $PACKAGEROOT
Default supplied by host: remove named files, nodes, directories, ... under $PACKAGEROOT
Maximum supplied by host: remove named files, nodes, directories, ... under $PACKAGEROOT
Maximum supplied by package: none

*** Validation
Minimum supplied by host: none
Default supplied by host: check for .o's, .olds, ... directories other than those linked during integration
Maximum supplied by package: none

*** Customization
Minimum supplied by host: none
Default supplied by host: none
Maximum supplied by package: human readable description


** Removal
This should remove everything safely even if installation fails.

*** System Privileges
Default supplied by host: write $PACKAGEROOT and the other install-specified directories as $TOOLMANAGER

*** Host information
Minimum supplied by host: $PACKAGEROOT
Default supplied by host: $PACKAGEROOT
Default supplied by package: none

*** Package information
Maximum supplied by package: none

*** Intended results
Minimum supplied by host: reclaim disk space used by the package
Default supplied by host: cleanly reverse installation

*** Prior assumptions
Default supplied by host: everything was installed under $PACKAGEROOT or specified directories
Default supplied by host: everything else was linked/copied by the installer

*** Actions
Default supplied by host: remove $PACKAGEROOT and the other install-specified directories
Default supplied by host: remove symlinks into $PACKAGEROOT and the other install-specified directories
Maximum supplied by package: none

*** Validation
Minimum supplied by host: verify absence of $PACKAGEROOT and install-specified directories
Default supplied by host: verify absence of symlinks into $PACKAGEROOT and install-specified directories
Maximum supplied by package: none

*** Customization
Minimum supplied by host: none
Default supplied by host: none
Maximum supplied by package: human readable description
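The Integration and Removal actions above (walk $PACKAGEROOT/$STDDIRS, mirror the directory tree under $TOOLROOT, symlink the files; later remove only the symlinks that point back into $PACKAGEROOT and verify none remain) are concrete enough to write down. The following POSIX sh is an added example, not code from the RFC, from dpkg, or from the authors; it uses the RFC's variable names and assumes it runs as the host's $TOOLMANAGER with write access to $TOOLROOT. The one policy it adds beyond the RFC text is that an existing file under $TOOLROOT that is not already a link into this $PACKAGEROOT is never overwritten, so a package cannot displace something the host or another package owns.

```shell
#!/bin/sh
# Added example (not from the RFC): Integration and Removal phases as a
# symlink farm. Assumed to run as $TOOLMANAGER, never as root.

# link_points_into PATH ROOT: true if PATH is a symlink whose target lies
# under ROOT. Links created below always use absolute targets, so a plain
# prefix comparison is enough.
link_points_into() {
    [ -L "$1" ] || return 1
    target=$(readlink "$1") || return 1
    case $target in
        "$2"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# integrate_package PACKAGEROOT TOOLROOT "bin lib doc etc"
# Recursively walks PACKAGEROOT/<stddir>, creates the matching directory
# under TOOLROOT, and symlinks each file into place. An existing TOOLROOT
# entry that is not already a link into this PACKAGEROOT is left alone.
integrate_package() {
    pkgroot=$1; toolroot=$2; stddirs=$3
    for d in $stddirs; do
        [ -d "$pkgroot/$d" ] || continue
        # mirror the directory tree
        find "$pkgroot/$d" -type d | while IFS= read -r src; do
            rel=${src#"$pkgroot"/}
            mkdir -p "$toolroot/$rel"
        done
        # link the files, refusing to clobber anything foreign
        find "$pkgroot/$d" -type f | while IFS= read -r src; do
            rel=${src#"$pkgroot"/}
            dst=$toolroot/$rel
            if [ -e "$dst" ] && ! link_points_into "$dst" "$pkgroot"; then
                echo "refusing to overwrite $dst" >&2
                continue
            fi
            ln -sf "$src" "$dst"
        done
    done
}

# remove_package_links TOOLROOT PACKAGEROOT: the Removal action "remove
# symlinks into $PACKAGEROOT". Only links are touched, never regular files.
remove_package_links() {
    toolroot=$1; pkgroot=$2
    find "$toolroot" -type l | while IFS= read -r lnk; do
        if link_points_into "$lnk" "$pkgroot"; then
            rm -f "$lnk"
        fi
    done
}

# verify_removed TOOLROOT PACKAGEROOT: the Removal validation "verify absence
# of symlinks into $PACKAGEROOT". Returns 0 only if none remain.
verify_removed() {
    toolroot=$1; pkgroot=$2
    find "$toolroot" -type l | while IFS= read -r lnk; do
        if link_points_into "$lnk" "$pkgroot"; then
            echo "still linked: $lnk" >&2
            exit 1          # exits the pipeline subshell, fails the function
        fi
    done
}
```

Because every link carries an absolute target under $PACKAGEROOT, removal needs no record of what integration did: the links themselves are the record, which is what lets the Removal phase work "even if installation fails".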



* For design purposes, installation information is divided into the following
groups.


** Host information

*** defaults
	PACKAGEDIR = /usr/package
	PACKAGEROOT = $PACKAGEDIR/<package>
	STDDIRS = bin lib doc etc
	TOOLROOT = /usr/local
	TOOLMANAGER = bin.bin
	DOWNLOADER = $TOOLMANAGER
	EXTRACTOR = $TOOLMANAGER
	INSTALLER = tool.bin
	INTEGRATOR = $TOOLMANAGER

*** primary installation directory (PACKAGEROOT)
	default: $PACKAGEROOT

*** primary usage directory
	default: $TOOLROOT


** Package information

*** number of independent directory roots required
	default: 1


** Installer information

*** owner of primary installation directory root
	default: $TOOLMANAGER
	
*** owner of primary installation directory
	default: $INSTALLER
			---- cut here ----

						Reporting,
-- 
						Robert Meier

FANUC Robotics North America, Inc.	Internet: meierrj@frc.com
Voice: 1-810-377-7469			Fax:      1-810-377-7363

