Peter, thank you for the request for ideas and desires regarding the next improvement to the Debian package management system.
1. Scripts provided by the package writer should only have access to files and directories specifically approved by the installer.
2. Most packages do not need to alter existing system directories or files, and should be installed and tested by an unprivileged user (specified by the installer) in a directory chosen by the installer, under which package scripts can create and modify files.
3. After testing, the installer should use ln -s, ln, or cp (as chosen by the installer) to integrate the package executables and files into the system.

Ray Ingles and I have spent some time discussing improvements to dpkg/dselect to permit users to take advantage of its dependency tracking without the security vulnerability entailed in always running it as root. The following is a first draft of a processing model (similar to the ISO network model) that hopes to provide the following:

1. Host-selectable security - the installer chooses what level of trust (unprivileged, privileged, root) to grant to the package scripts.
2. Host testing - before the package is seen by other users, the installer can test the package.
3. Portability - the package writer can assume a single (or small number) of directories in which to create, modify, compile and configure files and executables, independent of the platform or host.

---- cut here ----
* Project: debian
  File: RFC: dpkg target model
  Author: Raymond A. Ingles
          Dr. Robert J. Meier, Jr.
  History: 97-04-03 -rjm- file creation

* Goals
** ease of use
The package provider and the installation process should automate as much of the installation and removal as feasible for ease of use.
All operations should have defaults to support ease of use.
** security
As far as possible, malicious or buggy package installation should not endanger existing installations.
All default operations should be defined by the install procedure so as not to endanger existing installations.
All package-suggested operation parameters must be individually approvable by the human installer.
Successful or unsuccessful installation is completely reversible.
** flexibility
As far as possible, package installation should be configurable by the host to meet individual user needs and concerns.
As far as possible, package installation should be configurable by the host to meet individual package needs and concerns.
All install operation parameters should be selectable by the installer.
All install operation parameters should be suggestible by the package.
** repeatability
As far as possible, package installation should produce the same behavior on different hosts (e.g. the package provider and the user).
By default, installation will be done under a single host-selected directory, with an image on the user host equivalent to that on the package provider host.

* For design purposes, installation is divided into the following phases.
** (Template)
Each phase needs to provide answers to each of the following questions. The answers must express the minimum/default/maximum supplied by/required from the package/host.
*** System privileges
*** Host information
*** Package information
*** Intended results
*** Prior assumptions
*** Actions
*** Validation
*** Customization
** Download
*** System privileges
Minimum supplied by host: write a host-specified file as $DOWNLOADER.
Default supplied by host: write a host-specified file as $DOWNLOADER.
Maximum supplied by host: write host-specified files as $DOWNLOADER.
*** Host information
Minimum supplied by host: $PACKAGEROOT
Default supplied by host: $PACKAGEROOT
Maximum supplied by package: filenames
*** Package information
Minimum supplied by package: number and description of required files and directories.
Default supplied by package: number and description of required files (1) and directories (1)
*** Intended results
Minimum supplied by host: transfer the package to local file system
Default supplied by host: transfer the package to local file system
Maximum supplied by host: transfer the package to local file system
Minimum supplied by package: from package file
Default supplied by package: ftp, cd-read, floppy-read
Maximum supplied by package: from net, cd, floppies, tape, etc.
*** Prior assumptions
Minimum supplied by package: the complete package is transferable as a single file
Default supplied by package: the complete package is a compressed tar file
*** Actions
Minimum supplied by host: Create a specified file in (a directory chosen by host) writable by $DOWNLOADER.
Default supplied by host: Create the $PACKAGEROOT directory under $INSTALLER ownership.
Default supplied by host: Create a specified file in $PACKAGEROOT writable by $DOWNLOADER.
Maximum supplied by host: Create other directories under $INSTALLER ownership.
Maximum supplied by host: Create specified files in specific directories writable by $DOWNLOADER.
*** Validation
Minimum supplied by host: none
Default supplied by host: file length verification
Minimum required by package: none
Default supplied by package: none
*** Customization
Minimum supplied by host: none
Default supplied by host: none
Maximum supplied by host: none
Minimum supplied by package: none
Default supplied by package: none
Maximum supplied by package: none
** Extraction
*** System privileges
Minimum supplied by host: create files and directories under $PACKAGEROOT as $INSTALLER.
Default supplied by host: create files and directories under $PACKAGEROOT as $INSTALLER.
Maximum supplied by host: create files and directories under host-specified directories as $INSTALLER.
Default required by package: create files and directories under $PACKAGEROOT as $INSTALLER.
*** Host information
Minimum supplied by host: $PACKAGEROOT
Default supplied by host: $PACKAGEROOT
Maximum supplied by package: filenames and directories relative to host-specified roots
*** Package information
Minimum supplied by package: extraction method (tar -zxvf)
Minimum supplied by package: licensing restrictions (tar -zxvf)
Default supplied by package: number of required directories (1) and human description of extra directories
Default supplied by package: extraction method (tar -zxvf)
Default supplied by package: minimum hardware/firmware requirements
Default supplied by package: licensing restrictions (tar -zxvf)
*** Intended results
Minimum supplied by host: duplicate image of the package provider's local file system under a single host-chosen root directory
Default supplied by host: duplicate image of the package provider's local file system under a single host-chosen root directory
Maximum supplied by host: duplicate image of the package provider's local file system under a single host-chosen root directory
*** Prior assumptions
Minimum supplied by package: buildable from local file system under a few host-chosen root directories
Maximum supplied by package: buildable from local file system under a single host-chosen root directory
Default supplied by package: buildable from local file system under a single host-chosen root directory
*** Actions
Minimum supplied by host: Decompress and expand a specified file as $EXTRACTOR under $PACKAGEROOT.
Default supplied by host: Decompress and expand a specified file as $EXTRACTOR under $PACKAGEROOT.
Maximum supplied by host: Decompress and expand specified files as $EXTRACTOR under host-chosen directories.
*** Validation
Minimum supplied by host: none
Default supplied by host: file size and list verification
Minimum supplied by package: none
Maximum supplied by package: file size and manifest
*** Customization
Minimum supplied by host: none
Default supplied by host: none
Maximum supplied by host: prompt for operator approval with description:
    deny script authority, pause installation (default), examine script, execute script as $INSTALLER
Minimum supplied by package: none
Default supplied by package: none
Maximum supplied by package: script and description
** Setup
This will normally be a no-op, since by default the extracted file system image is sufficient.
*** System privileges
Minimum supplied by host: create files and directories under $PACKAGEROOT as $INSTALLER.
Default supplied by host: create files, links, nodes, directories, etc. under $PACKAGEROOT as $INSTALLER.
Maximum supplied by host: create files, links, nodes, directories, etc. under $PACKAGEROOT as $INSTALLER.
Default required by package: create files, links, nodes, directories, etc. under $PACKAGEROOT as $INSTALLER.
*** Host information
Minimum supplied by host: $PACKAGEROOT
Default supplied by host: $PACKAGEROOT
Default supplied by package: none
*** Package information
Minimum supplied by package: none
Default supplied by package: none
Maximum supplied by package: script to execute as $INSTALLER.
*** Intended results
Minimum supplied by host: duplicate build environment designed by package provider
Default supplied by host: duplicate build environment designed by package provider
Maximum supplied by host: duplicate build environment designed by package provider
*** Prior assumptions
Minimum supplied by package: duplicated environment limited by the installation procedure is sufficient to build the package
Default supplied by package: duplicated environment limited by the installation procedure is sufficient to build the package
*** Actions
Minimum supplied by host: none
Default supplied by host: none
Maximum supplied by host: execute script as $INSTALLER
*** Validation
Minimum supplied by host: none
Default supplied by host: file size and list verification
Minimum supplied by package: none
Maximum supplied by package: file size and manifest
*** Customization
Minimum supplied by host: none
Default supplied by host: none
Maximum supplied by host: prompt for operator approval with description:
    deny script authority, pause installation (default), examine script, execute script
Minimum supplied by package: none
Default supplied by package: none
Maximum supplied by package: perl script and description
** Configuration
*** System privileges
Minimum supplied by host: execute scripts relative to $PACKAGEROOT as $INSTALLER.
Default supplied by host: execute scripts relative to $PACKAGEROOT as $INSTALLER.
Maximum supplied by host: execute scripts relative to host-specified directories as $INSTALLER.
Default required by package: execute scripts relative to $PACKAGEROOT as $INSTALLER.
*** Host information
Minimum supplied by host: $PACKAGEROOT
Default supplied by host: sh, perl, bash
Default supplied by package: none
*** Package information
Minimum supplied by package: none
Default supplied by package: make config
Maximum supplied by package: script to execute as $INSTALLER.
*** Intended results
Minimum supplied by package: generate default Makefiles
Default supplied by package: probe machine for common configuration variations
Default supplied by package: generate human readable configuration file
Maximum supplied by package: interactively query human for all configuration variations
*** Prior assumptions
Maximum required by package: build environment is duplicated correctly
Default required by package: build environment is duplicated correctly
*** Actions
Minimum supplied by host: execute script as $INSTALLER
Default supplied by host: execute script as $INSTALLER
Maximum supplied by host: execute script as $INSTALLER
*** Validation
Minimum supplied by host: none
Default supplied by host: none
Minimum supplied by package: none
Default supplied by package: none
*** Customization
Minimum supplied by host: none
Default supplied by host: none
Maximum supplied by host: prompt for operator approval with description:
    deny script authority, pause installation (default), examine script, execute script
Minimum supplied by package: none
Default supplied by package: none
Maximum supplied by package: script and description
** Customization
This will normally be a no-op, since by default configuration should be sufficient.
*** System privileges
Minimum supplied by host: create files and directories under $PACKAGEROOT as $INSTALLER.
Default supplied by host: create files, links, nodes, directories, etc. under $PACKAGEROOT as $INSTALLER.
Maximum supplied by host: create files, links, nodes, directories, etc. under $PACKAGEROOT as $INSTALLER.
Default required by package: none
*** Host information
Minimum supplied by host: $PACKAGEROOT
Default supplied by host: $PACKAGEROOT
Default supplied by package: none
*** Package information
Minimum supplied by package: none
Default supplied by package: none
Maximum supplied by package: human readable procedure
*** Intended results
Minimum supplied by host: none
Default supplied by host: none
*** Prior assumptions
Minimum supplied by package: duplicated environment ready for automatic build
Default supplied by package: duplicated environment ready for automatic build
*** Actions
Minimum supplied by host: none
Default supplied by host: none
Maximum supplied by host: execute script as $INSTALLER
*** Validation
Minimum supplied by host: none
Default supplied by host: none
Minimum supplied by package: none
Maximum supplied by package: none
*** Customization
Minimum supplied by host: none
Default supplied by host: none
Maximum supplied by host: prompt for operator approval with description:
    deny script authority, pause installation (default), examine script, execute script
Minimum supplied by package: none
Default supplied by package: none
Maximum supplied by package: perl script and description
** Build
This will normally be totally automatic after proper configuration.
*** System privileges
Minimum supplied by host: execute scripts under $PACKAGEROOT as $INSTALLER.
Default supplied by host: execute scripts under $PACKAGEROOT as $INSTALLER.
Maximum supplied by host: execute scripts under $PACKAGEROOT as $INSTALLER.
Default required by package: execute scripts under $PACKAGEROOT as $INSTALLER.
*** Host information
Minimum supplied by host: $PACKAGEROOT
Default supplied by host: $PACKAGEROOT
Default supplied by package: none
*** Package information
Minimum supplied by package: Makefile(s)
Default supplied by package: Makefile(s)
Maximum supplied by package: executable scripts
*** Intended results
Minimum supplied by host: testable installation of package
Default supplied by host: usable installation of package
*** Prior assumptions
Minimum supplied by package: duplicated environment ready for automatic build
Default supplied by package: duplicated environment ready for automatic build
*** Actions
Minimum supplied by host: make under $PACKAGEROOT as $INSTALLER.
Default supplied by host: make under $PACKAGEROOT as $INSTALLER.
Maximum supplied by host: make under $PACKAGEROOT as $INSTALLER.
*** Validation
Minimum supplied by host: none
Default supplied by host: make under $PACKAGEROOT as $INSTALLER.
Minimum supplied by package: none
Default supplied by package: Makefiles
Maximum supplied by package: complete regression suite
*** Customization
Minimum supplied by host: none
Default supplied by host: none
Maximum supplied by host: prompt for operator approval with description:
    deny script authority, pause installation (default), examine script, execute script
Minimum supplied by package: none
Default supplied by package: none
Maximum supplied by package: perl script and description
** Soak
This will normally be a totally non-automatic check by the human installer before integration. The human installer will usually change username and group to an unprivileged user otherwise typical of the expected user community. Temporary environment variables (e.g. $PATH) will point the test user to $PACKAGEROOT/...
*** System privileges
Minimum supplied by host: execute scripts under $PACKAGEROOT as $INSTALLER.
Default supplied by host: execute scripts under $PACKAGEROOT as $INSTALLER.
Maximum supplied by host: execute scripts under $PACKAGEROOT as $INSTALLER.
Maximum supplied by package: none
*** Host information
Minimum supplied by host: $PACKAGEROOT
Default supplied by host: $PACKAGEROOT
Maximum supplied by package: none
*** Package information
Maximum supplied by package: none
*** Intended results
Minimum supplied by host: confidence that the package is non-destructive
Default supplied by host: confidence that the package is non-destructive
Default supplied by host: confidence that the package is fit for use
*** Prior assumptions
Minimum supplied by host: package is completely built
Default supplied by host: package is completely built
*** Actions
Minimum supplied by host: pause installation procedure
Default supplied by host: pause installation procedure
Maximum supplied by host: pause installation procedure
*** Validation
Minimum supplied by host: none
Default supplied by host: none
Maximum supplied by package: none
*** Customization
Maximum supplied by host: none
Minimum supplied by package: none
Default supplied by package: none
Maximum supplied by package: human readable description
** Integration
This will normally be totally automatic according to local configuration files.
*** System Privileges
Minimum supplied by host: execute scripts under $PACKAGEROOT as $TOOLMANAGER
Default supplied by host: execute scripts under $PACKAGEROOT as $TOOLMANAGER
Maximum supplied by host: tools are not writable by group bin or other
    (lest they be vulnerable during installation by tool.bin)
Maximum required by package: none
*** Host information
Minimum supplied by host: $PACKAGEROOT
Default supplied by host: $PACKAGEROOT
Default supplied by package: none
*** Package information
Maximum supplied by package: none
*** Intended results
Minimum supplied by host: package ready for use
Default supplied by host: package ready for use
*** Prior assumptions
Minimum supplied by package: package tested and found satisfactory
Default supplied by package: package tested and found satisfactory
*** Actions
Minimum supplied by host: recursively walk $PACKAGEROOT/[bin doc lib etc] and create matching directory under $TOOLROOT
Minimum supplied by host: create symbolic links from files under $PACKAGEROOT/[bin doc lib etc] to matching files under $TOOLROOT
Default supplied by host: recursively walk $PACKAGEROOT/$STDDIRS and create matching directory under $TOOLROOT
Default supplied by host: create symbolic links from files under $PACKAGEROOT/$STDDIRS to matching files under $TOOLROOT
Maximum supplied by package: none
*** Validation
Minimum supplied by host: none
Default supplied by host: none
Maximum supplied by package: none
*** Customization
Minimum supplied by host: none
Default supplied by host: none
Maximum supplied by package: human readable description
** Cleanup
This will normally be totally automatic according to local configuration files.
*** System Privileges
Minimum supplied by host: write directories under $PACKAGEROOT as $INSTALLER
Default supplied by host: write directories under $PACKAGEROOT as $INSTALLER
Maximum required by package: write directories under $PACKAGEROOT as $INSTALLER
*** Host information
Minimum supplied by host: $PACKAGEROOT
Default supplied by host: $PACKAGEROOT
Default supplied by package: none
*** Package information
Maximum supplied by package: list of files, nodes, directories, ... under $PACKAGEROOT to remove
*** Intended results
Minimum supplied by host: reclaim disk space no longer necessary for package use
Default supplied by host: reclaim disk space no longer necessary for package use
*** Prior assumptions
Minimum supplied by package: package integrated and found satisfactory
Default supplied by package: package integrated and found satisfactory
*** Actions
Minimum supplied by host: remove named files, nodes, directories, ... under $PACKAGEROOT
Default supplied by host: remove named files, nodes, directories, ... under $PACKAGEROOT
Maximum supplied by host: remove named files, nodes, directories, ... under $PACKAGEROOT
Maximum supplied by package: none
*** Validation
Minimum supplied by host: none
Default supplied by host: check for .o's, .olds, ... directories other than those linked during integration
Maximum supplied by package: none
*** Customization
Minimum supplied by host: none
Default supplied by host: none
Maximum supplied by package: human readable description
** Removal
This should remove everything safely even if installation fails.
*** System Privileges
Default supplied by host: write $PACKAGEROOT and the other install-specified directories as $TOOLMANAGER
*** Host information
Minimum supplied by host: $PACKAGEROOT
Default supplied by host: $PACKAGEROOT
Default supplied by package: none
*** Package information
Maximum supplied by package: none
*** Intended results
Minimum supplied by host: reclaim disk space used by the package
Default supplied by host: cleanly reverse installation
*** Prior assumptions
Default supplied by host: everything was installed under $PACKAGEROOT or specified directories
Default supplied by host: everything else was linked/copied by the installer
*** Actions
Default supplied by host: remove $PACKAGEROOT and the other install-specified directories
Default supplied by host: remove symlinks into $PACKAGEROOT and the other install-specified directories
Maximum supplied by package: none
*** Validation
Minimum supplied by host: verify absence of $PACKAGEROOT and install-specified directories
Default supplied by host: verify absence of symlinks into $PACKAGEROOT and install-specified directories
Maximum supplied by package: none
*** Customization
Minimum supplied by host: none
Default supplied by host: none
Maximum supplied by package: human readable description

* For design purposes, installation information is divided into the following groups.
** Host information
*** defaults
PACKAGEDIR = /usr/package
PACKAGEROOT = $PACKAGEDIR/<package>
STDDIRS = bin lib doc etc
TOOLROOT = /usr/local
TOOLMANAGER = bin.bin
DOWNLOADER = $TOOLMANAGER
EXTRACTOR = $TOOLMANAGER
INSTALLER = tool.bin
INTEGRATOR = $TOOLMANAGER
*** primary installation directory (PACKAGEROOT)
default: $PACKAGEROOT
*** primary usage directory
default: $TOOLROOT
** Package information
*** number of independent directory roots required
default: 1
** Installer information
*** owner of primary installation directory root
default: $TOOLMANAGER
*** owner of primary installation directory
default: $INSTALLER
---- cut here ----

Reporting,
-- 
Robert Meier
FANUC Robotics North America, Inc.
Internet: [EMAIL PROTECTED]
Voice: 1-810-377-7469
Fax: 1-810-377-7363
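The Integration and Removal phases of the model above (walk $PACKAGEROOT/$STDDIRS, create matching directories under $TOOLROOT, symlink the files, then on removal drop the links and verify that neither $PACKAGEROOT nor any link into it survives), as an added shell example that is not part of the RFC or of dpkg. The function names, the refusal to replace a real file under $TOOLROOT, and the use of `local` and `readlink` are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the RFC: the Integration and Removal phases as
# shell functions over the RFC's $PACKAGEROOT, $STDDIRS and $TOOLROOT.
# All paths come from the caller, so it can be run against a scratch
# directory; `local` and `readlink` are assumed (dash, bash and BSD sh have them).

# link_tree SRC DST: recreate the directory tree of SRC under DST and make
# every file under DST a symlink to the matching file under SRC.
# A pre-existing real file or directory at the destination is never
# replaced (return 1): integration must not clobber the live system.
link_tree() {
    local src="$1" dst="$2" entry name
    mkdir -p "$dst" || return 1
    for entry in "$src"/* "$src"/.[!.]*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # unmatched glob
        name=${entry##*/}
        if [ -d "$entry" ] && [ ! -L "$entry" ]; then
            link_tree "$entry" "$dst/$name" || return 1
        else
            if [ -L "$dst/$name" ]; then
                rm -f "$dst/$name"    # stale link from an earlier integration
            elif [ -e "$dst/$name" ]; then
                echo "integration: refusing to replace $dst/$name" >&2
                return 1
            fi
            ln -s "$entry" "$dst/$name" || return 1
        fi
    done
    return 0
}

# integrate PACKAGEROOT TOOLROOT STDDIRS: the default Integration action,
# e.g. integrate /usr/package/foo /usr/local "bin lib doc etc".
integrate() {
    local pkgroot="$1" toolroot="$2" stddirs="$3" d
    for d in $stddirs; do
        [ -d "$pkgroot/$d" ] || continue      # package does not ship this dir
        link_tree "$pkgroot/$d" "$toolroot/$d" || return 1
    done
    return 0
}

# links_into PACKAGEROOT TOOLROOT: print each symlink under TOOLROOT whose
# target lies under PACKAGEROOT, i.e. exactly the links Integration created.
links_into() {
    local pkgroot="$1" toolroot="$2" l
    [ -d "$toolroot" ] || return 0
    find "$toolroot" -type l | while read -r l; do
        case "$(readlink "$l")" in
            "$pkgroot"/*) printf '%s\n' "$l" ;;
        esac
    done
}

# remove_package PACKAGEROOT TOOLROOT: the Removal actions followed by the
# Removal validation (absence of PACKAGEROOT and of symlinks into it).
remove_package() {
    local pkgroot="$1" toolroot="$2" l
    links_into "$pkgroot" "$toolroot" | while read -r l; do
        rm -f "$l"
    done
    rm -rf "$pkgroot"
    [ ! -e "$pkgroot" ] || return 1
    [ -z "$(links_into "$pkgroot" "$toolroot")" ] || return 1
    return 0
}
```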