> > As for the concrete plan:
> >
> > There is going to be a 'meta' package that represents the whole
> > operating system. Updates to the OS are done by updating this meta
> > package in the Application Manager. The meta package will have
> > dependencies on all packages with their exact versions that make up
> > the official OS releases. The Application Manager will not allow the
> > removal of the meta package.

I have found through experience this is a very powerful way to use standard distribution tools and still hold control. I've implemented a mechanism like this and it works well.

We made it such that (and from the sounds of it this will be the same) a developer could remove the meta lock package and wreak havoc on the system. This was a good thing. Hardcore devels could do bad things, but they will always do bad things. This gave them the last hurdle to say: you are now out of control. It also means that support can easily tell when a user has willfully removed the meta lock and thus absolve themselves of some level of support.

> > This means that the Application Manager will not allow you to update
> > individual OS packages (or to install third party applications that
> > require this), since you would have to remove the meta package for
> > that. It is still possible to install additional 'system' packages,
> > just not to upgrade already installed ones.
> >
> > A second new feature is that the Application Manager will distinguish
> > between "trusted sources" and "non-trusted sources" (based on the key
> > used to sign the corresponding repository). A package that has
> > originally been installed from a trusted source will only be allowed
> > to be updated (or replaced) from a trusted source. The flash image is
> > also treated as a trusted source, so you will only be able to update
> > packages that are pre-installed in the device from trusted sources.
> >
> > This makes it easier for the user to be sure that he doesn't pick up
> > unwanted system software updates by accident.
> >
> > The set of trusted sources will be under control of a power-user: you
> > can just add some GPG keys to the right place, but there is no UI to
> > do it. You can also switch the whole lock-down machinery off by going
> > to red-pill mode.
> >
> > So whaddaya think? Useful? Too painful? Too difficult to escape
> > from?

Personally I think the one or two one-time extra steps will not be a burden for hackers and yet provide some safety to users. Overall I think it solves much of the 'rogue' package concerns. As you said it does not solve all the problems. No single solution will solve everything, but this is a strong first step.

Thanks
Brian
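The rules quoted in the thread (the non-removable meta package with exact-version pins, trusted-origin packages updatable only from trusted keys, the flash image as a trusted source, and red-pill mode switching the lock-down off) can be modelled as a small policy engine. The code below is an added example, not the Application Manager's own code; the package names, versions and key ids are constructed for illustration, and the way red-pill mode is modelled (trust checks and the meta-removal lock disabled, while ordinary dependency consistency is still enforced) is an assumption.

```python
from dataclasses import dataclass, field

# Key ids and package names below are constructed for illustration.
VENDOR_KEY = "vendor-release-key"     # assumed trusted signing key
COMMUNITY_KEY = "community-repo-key"  # assumed untrusted third-party key
FLASH = "flash-image"                 # pseudo-source for pre-installed packages
META = "os-meta"                      # hypothetical name of the meta package


class PolicyError(Exception):
    """Raised when an action is refused by the lock-down policy."""


@dataclass(frozen=True)
class Package:
    name: str
    version: str
    depends: dict = field(default_factory=dict)  # dependency name -> exact version


class ApplicationManager:
    def __init__(self, trusted_keys, red_pill=False):
        # The flash image counts as a trusted source, as the proposal states.
        self.trusted_keys = set(trusted_keys) | {FLASH}
        self.red_pill = red_pill   # assumption: red pill disables trust + meta lock
        self.installed = {}        # name -> Package
        self.origin = {}           # name -> key id the package came from

    def flash(self, packages):
        """Populate the device from a flash image (trusted origin)."""
        return self.transaction(packages, FLASH)

    def _check_consistent(self, proposed):
        # Every exact-version dependency of every remaining package must hold;
        # this is where the meta package's pins refuse a lone OS-package upgrade.
        for holder in proposed.values():
            for dep, ver in holder.depends.items():
                have = proposed.get(dep)
                if have is None or have.version != ver:
                    raise PolicyError(f"{holder.name} requires {dep}={ver}")

    def transaction(self, packages, key):
        """Install or replace a set of packages signed by `key`, atomically."""
        if not self.red_pill:
            for pkg in packages:
                old_origin = self.origin.get(pkg.name)
                if (old_origin is not None and old_origin in self.trusted_keys
                        and key not in self.trusted_keys):
                    raise PolicyError(
                        f"{pkg.name} came from a trusted source; "
                        f"refusing update from untrusted key {key}")
        proposed = dict(self.installed)
        proposed.update({p.name: p for p in packages})
        self._check_consistent(proposed)
        self.installed = proposed
        for pkg in packages:
            self.origin[pkg.name] = key
        return True

    def remove(self, name):
        if name == META and not self.red_pill:
            raise PolicyError("the meta package cannot be removed")
        proposed = {n: p for n, p in self.installed.items() if n != name}
        self._check_consistent(proposed)
        self.installed = proposed
        self.origin.pop(name, None)
        return True


def attempt(action, *args):
    """Return True if the action is allowed, False if the policy refuses it."""
    try:
        return action(*args)
    except PolicyError:
        return False


def fresh_device(red_pill=False):
    """A device flashed with two OS packages pinned by the meta package."""
    am = ApplicationManager([VENDOR_KEY], red_pill)
    am.flash([Package("libfoo", "1.0"), Package("shell", "2.0"),
              Package(META, "1", {"libfoo": "1.0", "shell": "2.0"})])
    return am


def demo():
    """Exercise each rule from the thread; returns action -> allowed?"""
    am = fresh_device()
    r = {
        "remove meta": attempt(am.remove, META),
        "libfoo 1.1 from community": attempt(
            am.transaction, [Package("libfoo", "1.1")], COMMUNITY_KEY),
        "libfoo 1.1 alone from vendor": attempt(
            am.transaction, [Package("libfoo", "1.1")], VENDOR_KEY),
        "extra tool from community": attempt(
            am.transaction, [Package("extra-tool", "0.3")], COMMUNITY_KEY),
        "app needing libfoo 1.1": attempt(
            am.transaction, [Package("gadget", "1.0", {"libfoo": "1.1"})], COMMUNITY_KEY),
        # The sanctioned route: new meta package and its pinned members together.
        "official OS update": attempt(
            am.transaction, [Package("libfoo", "1.1"),
                             Package(META, "2", {"libfoo": "1.1", "shell": "2.0"})],
            VENDOR_KEY),
    }
    hacker = fresh_device(red_pill=True)
    r["red pill: remove meta"] = attempt(hacker.remove, META)
    r["red pill: libfoo 1.1 from community"] = attempt(
        hacker.transaction, [Package("libfoo", "1.1")], COMMUNITY_KEY)
    return r


if __name__ == "__main__":
    for action, ok in demo().items():
        print(f"{'allowed' if ok else 'refused'}: {action}")
```

Two things the run makes visible that the prose only implies: a third-party package whose dependency requires a newer OS library is refused by the same pin check that blocks the lone library upgrade, and an official OS update succeeds only because the new meta package and its members are applied in one transaction, so the pins are never violated in between.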