Hi,

we are planning to put some features into the Application Manager that will make it more restrictive when handling the packages that make up the operating system itself (as opposed to third party applications). We would like to get your feedback on these plans, both from the end-user point of view and from the point of view of package developers.

In the future, we hope to be able to provide official updates to the operating system itself via packages, and we need to give the end-users the confidence that when they intend to install a Nokia provided operating system update, they actually get what they think they are getting.

As for the concrete plan: There is going to be a 'meta' package that represents the whole operating system. Updates to the OS are done by updating this meta package in the Application Manager. The meta package will have dependencies on all packages with their exact versions that make up the official OS releases. The Application Manager will not allow the removal of the meta package. This means that the Application Manager will not allow you to update individual OS packages (or to install third party applications that require this), since you would have to remove the meta package for that. It is still possible to install additional 'system' packages, just not to upgrade already installed ones.

A second new feature is that the Application Manager will distinguish between "trusted sources" and "non-trusted sources" (based on the key used to sign the corresponding repository). A package that has originally been installed from a trusted source will only be allowed to be updated (or replaced) from a trusted source. The flash image is also treated as a trusted source, so you will only be able to update packages that are pre-installed in the device from trusted sources. This makes it easier for the user to be sure that he doesn't pick up unwanted system software updates by accident.
The set of trusted sources will be under control of a power-user: you can just add some GPG keys to the right place, but there is no UI to do it. You can also switch the whole lock-down machinery off by going to red-pill mode.

So whaddaya think? Useful? Too painful? Too difficult to escape from?

Some variants that come to mind:

The meta package could depend on 'this version or later' of a package instead of on 'exactly this version'. That would allow it to control the update just as much, but would not lock down the configuration of the device so much. The motivation for this lock-down of the device configuration is that Nokia (probably, IANAL) doesn't want to support any other configuration, and having to 'hack' your system via the red-pill mode or similar is a good indication that you are now on your own.

The locked-down upgrade path could support more than one set of trusted sources down to the granularity of repositories. This would allow other parties than Nokia to make use of this feature. That's just a smop and might be done.

(And please understand that all this has nothing to do with preventing bad software from doing bad things on your device; it is just about giving the user an indication that something fishy is happening (by accident) that he probably didn't intend to happen.)

Thanks!
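
The rules proposed in the message above, written out as a small decision function. This is an added example, not part of the original message and not Application Manager code; the package names, the key id "KEY-A", the function names and the dotted-integer version comparison are all assumptions made for illustration.

```python
# Added example: toy model of the proposed policy, not Application Manager code.
from dataclasses import dataclass

META = "os-meta"              # hypothetical name for the OS meta package
FLASH = "flash-image"         # the flash image counts as a trusted source
TRUSTED_KEYS = {"KEY-A"}      # constructed key id standing in for the GPG keyring

@dataclass(frozen=True)
class Installed:
    version: str
    origin_trusted: bool      # recorded when the package was first installed

def vkey(version):
    # Simplification: dotted integers only, not full Debian version ordering.
    return tuple(int(part) for part in version.split("."))

def source_trusted(source):
    return source == FLASH or source in TRUSTED_KEYS

def check(installed, pins, action, name, version=None, source=None,
          pin_mode="exact", red_pill=False):
    """Return (allowed, reason) for a remove or install/upgrade request."""
    if red_pill:
        return True, "red-pill mode: lock-down is off"
    if action == "remove":
        # Removing a pinned package would force removal of the meta package.
        if name == META or name in pins:
            return False, "would remove the meta package"
        return True, "ok"
    if name in pins:
        exact_ok = version == pins[name]
        later_ok = pin_mode == "minimum" and vkey(version) >= vkey(pins[name])
        if not (exact_ok or later_ok):
            return False, "version conflicts with the meta package"
    current = installed.get(name)
    if current is not None and current.origin_trusted and not source_trusted(source):
        return False, "trusted package needs a trusted source"
    return True, "ok"

# Constructed device state: OS packages from the flash image, one third-party app.
PINS = {"libfoo": "1.2", "osso-bar": "3.0"}
INSTALLED = {
    META: Installed("1.0", True),
    "libfoo": Installed("1.2", True),
    "osso-bar": Installed("3.0", True),
    "thirdparty-app": Installed("0.9", False),
}
```

With pin_mode="minimum" (the 'this version or later' variant), an upgrade of libfoo to 1.3 is allowed from a trusted source and still refused from a non-trusted one, which is the sense in which that variant controls the update just as much.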