On Tue, Oct 14, 2014, at 07:05 AM, Alexander Larsson wrote:
> So, i updated gnome-sdk (https://github.com/alexlarsson/gnome-sdk/) to
> use ostree to store and fetch apps.
>
> For instance, if you build latest gnome-sdk you can:
>
> gnome-sdk-repo add-remote alexl https://people.gnome.org/~alexl/repo/
> gnome-sdk-repo install-runtime alexl org.gnome.Platform 3.14
> gnome-sdk-repo install alexl org.gnome.GEdit
> gnome-sdk-run org.gnome.GEdit gedit

I'm trying to clone this, but the repository needs to be on some HTTP
server with KeepAlive on at least =) Can you request access to
build.gnome.org?

> Checking out means hardlinking to the repo, so any files
> shared between modules is shared (via the hard links) both on disk and
> in page cache.

But not between users. Which is going to matter a lot in some scenarios.

I think I agree with Lennart here in that the default architecture
should use polkit and talk to the system. That doesn't mean that we
couldn't also support per-user apps.

Things get really interesting of course if we're really thinking about
production because

> There are some issues:
>
> * We don't clean up old versions on update yet

ostree prune --repo=repo --refs-only --depth=0

is what "ostree admin upgrade" uses.

> * Ownership of files is problematic.

This issue goes away if apps are stored as branches in the system repo.

On the other hand - again stuff like setuid. You said you filter them
while running, but I'm not sure that's good enough; I'd say we really
don't want potential privilege escalation binaries lying around at all.

Think about the workstation case where the desktop shell + terminal is
running as "un-sandboxed non-root" (i.e. the desktop default today), but
I don't have root access. If I can pull down a sandboxed app but it can
drop a setuid binary down, then I can become root by executing it from
the desktop shell (outside of the app).

Say I create a guest account for someone else to use my laptop, or a
server hosting desktop remote displays.
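An added example, not part of the original message or of gnome-sdk: a check that walks a checked-out app tree and reports setuid/setgid files and special files, so a deployment step can refuse the app rather than rely on filtering at run time. The function names and the sample tree layout (`files/bin/...`) are assumptions made for this illustration.

```python
import os
import stat
import tempfile

def audit_checkout(root):
    """Return sorted (relative_path, reason) pairs for entries that could
    hand out privilege if executed from outside the sandbox."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow symlinks out of the tree
            rel = os.path.relpath(path, root)
            mode = st.st_mode
            if stat.S_ISLNK(mode) or stat.S_ISDIR(mode):
                continue
            if not stat.S_ISREG(mode):
                # device node, fifo or socket: no place in an app image
                findings.append((rel, "special-file"))
                continue
            if mode & stat.S_ISUID:
                findings.append((rel, "setuid"))
            if mode & stat.S_ISGID:
                findings.append((rel, "setgid"))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample input: one ordinary binary, one setuid binary."""
    bindir = os.path.join(root, "files", "bin")
    os.makedirs(bindir)
    for name, mode in (("gedit", 0o755), ("helper", 0o4755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)

def demo():
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_checkout(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"REJECT {rel}: {reason}")
```

The check only reports: because the checkout is hardlinked to the repo, changing a file's mode in the checkout would change the shared repo object as well.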
