Re: [Rpm-maint] FSM hooks for rpm plugin

[Panu Matilainen]

On 03/12/2013 03:15 PM, Reshetova, Elena wrote:

Setting the permissions before moving would fix that and also avoid
replacing a previous file at all in case we fail to in one of the
metadata steps. For the stock metadata the actual path makes no
difference, but for security labels you'd want the final path though
(to avoid having to figure out and strip the temp extension from the
file), so it'd require passing two paths to the pre-commit hook: current
and final.


Maybe it is the fact that I had to wake up 3am today to come back to
Helsinki, but I don't understand why do we need to know the final path
for security labels labelling? I don't think file is labelled based on
its destination: it is more like based on what is inside package,
manifest,  device security policies and etc.



It's needed for things where the label does not come from the package but
system policy, exactly because we lay the disk on temporary name first. At
least with SELinux the label is (automatically) set at file/directory
creation time based on its path, and rename() does not automatically relabel
it. And because rpm creates the files with temporary names, the initial
labels are always wrong and we need to manually adjust them for the final
path.


Ok, I guess you are right, assigning label by path is also a valid way, and
there can be restrictions on this.


Of course it would be possible to just leave such things for post-commit
where we already have the final path, that would be exactly the same as what
currently happens. It just means missing the opportunity to get it right
early, eliminating one window of live-update breakage (and an opportunity to
bail before committing the file at all on errors).


No, I think we agreed already that I would be better to do it before commit,
so we can do it right from beginning :)

So, should we then conclude on having just two more hooks (pre and post
commit) in addition to already existing hooks? I guess your previous exercise
on it can be a base and then we can add additional parameters, like path and
etc.


I guess that'd be the conclusion. At least until we find the next 
wrinkle in the theory :)



Do you want to do the changes? I can also try to do it tomorrow if they aren't
objections.


I probably should merge (at least some of) the study and link count 
patches first, as those change the landscape quite a bit. I'll try to do 
that as soon as the caffeine kicks in for good.


On a somewhat related note, I'm pondering about changing fsm to do 
staged removals too, ie rename before actually removing. It doesn't make 
much difference as things are now, but I've also started seriously 
thinking about changing the fsm to the model we discussed earlier where 
unpacking and setting permissions etc is first done for all files, and 
only if that succeeds completely we actually commit to renaming them all 
to the final target, and undo the whole lot if anything in unpacking failed.


...which of course would actually fundamentally change the landscape 
again: if commit is changed to consist only of renaming a file, then 
commit hooks would no longer the right place to do security labeling 
etc. Argh! :) In that model we'd be back to the set metadata hook, or 
actually two of them to preserve the possibility of doing something 
after rpm did its own business. And in that model, both pre and post 
metadata hooks should get the temp and final path as separate arguments.


- Panu -
___
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint

Re: [Rpm-maint] FSM hooks for rpm plugin

[Reshetova, Elena]

 Do you want to do the changes? I can also try to do it tomorrow if
 they aren't objections.

I probably should merge (at least some of) the study and link count patches 
first, as those change the landscape quite a bit. I'll try to do that as soon 
as the caffeine kicks in for good.

Sure, I will wait for changes.

On a somewhat related note, I'm pondering about changing fsm to do staged 
removals too, ie rename before actually removing. It doesn't make much 
difference as things are now, but I've also started seriously thinking about 
changing the fsm to the model we discussed earlier where unpacking and 
setting permissions etc is first done for all files, and only if that 
succeeds completely we actually commit to renaming them all to the final 
target, and undo the whole lot if anything in unpacking failed.

I think this would be the safest way not only from security,  but also from 
correctness and also makes installation more robust in case of sudden power 
cuts and etc.

...which of course would actually fundamentally change the landscape
again: if commit is changed to consist only of renaming a file, then commit 
hooks would no longer the right place to do security labeling etc. Argh! :) 
In that model we'd be back to the set metadata hook, or actually two of 
them to preserve the possibility of doing something after rpm did its own 
business. And in that model, both pre and post metadata hooks should get the 
temp and final path as separate arguments.

Yeah, but I guess maybe we can first finish with the current system and check 
that it works for whatever test cases we have (I can start using new hooks in 
msm plugin) and then change it when you move rpm to a new fsm model. I think 
this would be a big change for fsm, so won't be possible to do it fast anyway.

Best Regards,
Elena.


smime.p7s
Description: S/MIME cryptographic signature
___
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint

Re: [Rpm-maint] Rpm Database musings

[Michael Schroeder]

On Fri, Mar 08, 2013 at 03:37:12PM +0100, Michael Schroeder wrote:
 I kind of like to have all the data in one file.
 
 Anyway, attached is a little Packages database implementation I did yesterday
 and today.

Attached is the current version of my little experiments. The main
changes are:

- I switched to adler32 instead of md5sum
- I added a little index database implementation, rpmidx.[ch]

The index database is using mmap to map the database into memory.
It uses the main rpmpkg database for locking.

Performance and database sizes seem to be promising.

Things I'm not happy about:

- resizing currently works by rebuilding a new database and
  calling rename(). I can change this to be inplace, though, 
  it just makes to code a little bit slower because I don't
  want to simply overwrite the old data. I basically want an
  atomic switch to the new data.

- The generation count in idxdb is currently not used. My goal
  is to detect crashed database updates somehow.

Cheers,
  Michael.

-- 
Michael Schroeder   m...@suse.de
SUSE LINUX Products GmbH,  GF Jeff Hawn, HRB 16746 AG Nuernberg
main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);}


rpmpkg.tar.bz2
Description: application/bzip-compressed-tar
___
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint