[packagekit] PackageKit PolicyKit actions
David Zeuthen
david at fubar.dk
Wed Jul 16 11:22:30 PDT 2008
Hey Richard,
I just looked at the PackageKit actions from the 20080618 snapshot
(which is in Rawhide) and here are some comments. Keep in mind that
these actions are what system administrators see so
a) it needs to be very self-evident what the action means
b) really need to keep the number of actions down
c) two actions should never overlap
d) it helps overview if common actions are prefixed with the same
prefix; for example
package-*: for actions that deal with packages
system-*: for actions that deal with the entire system
e) use <noun>-<verb> rather than <verb>-<noun> in naming, e.g.
package-install
package-uninstall
package-remove
is a lot easier to mentally deal with than
install-package
uninstall-package
remove-package
and they'll also show up close to each other due to sorting.
FWIW, my plan is (at some point) to include these few guidelines in the
polkit documentation on how to choose/name polkit actions. Comments
welcome on the general guidelines.
On to the specifics:
$ for i in $(polkit-action |grep packagekit) ; do polkit-action --action $i ; done
action_id: org.freedesktop.packagekit.install
description: Install package
message: Authentication is required to install a package
default_any: no
default_inactive: no
default_active: auth_admin_keep_always
action_id: org.freedesktop.packagekit.localinstall-untrusted
description: Install untrusted local file
message: Further authentication is required to install an untrusted local file
default_any: no
default_inactive: no
default_active: auth_admin
action_id: org.freedesktop.packagekit.localinstall-trusted
description: Install local file
message: Authentication is required to install a local file
default_any: no
default_inactive: no
default_active: auth_admin_keep_always
Why the distinction between localinstall and install? That doesn't make
sense if the distinction you make is whether the package comes from a
repository or a local file on the system. What really matters is only
whether the package is signed by a trusted entity or not.
So I think it should just be
.package-install (w/ auth_admin_keep_always)
.package-install-untrusted (w/ auth_admin)
action_id: org.freedesktop.packagekit.install-signature
description: Install security signature
message: Authentication is required to install a security signature
default_any: no
default_inactive: no
default_active: auth_admin
My guess is that this has to do with deciding to trust a key that signs
packages. If this is true shouldn't it have a better name to reflect
this?
Suggestion to use
.system-trust-signing-key
description: Trust a key used for signing packages
message: Authentication is required to consider a
key used for signing packages as trusted
action_id: org.freedesktop.packagekit.accept-eula
description: Accept EULA
message: Authentication is required to accept a EULA
default_any: no
default_inactive: no
default_active: auth_admin_keep_always
Suggest to use package-eula-accept. Also, suggest to default to "yes"; I
can't think of a case where we would want admin authentication by
default here?
action_id: org.freedesktop.packagekit.update-package
description: Update package
message: Authentication is required to update packages
default_any: no
default_inactive: no
default_active: auth_admin_keep_always
action_id: org.freedesktop.packagekit.update-system
description: Update all packages
message: Authentication is required to update all packages
default_any: no
default_inactive: no
default_active: auth_admin_keep_always
Why is this split into two actions? I think it would be a lot easier on
administrators if this was just a single action, e.g. system-update.
I know there's the hypothetical use case where an admin only wants the
user to update the entire system at once and not piecemeal; presumably
to prevent the user from botching the system. But that really sounds like
you're trying to protect someone from a badly packaged OS; e.g. I don't
think the added confusion of having two separate PolicyKit actions
really outweighs the gain.
(Btw, what happens if one of the packages in the update set isn't
signed?)
action_id: org.freedesktop.packagekit.remove
description: Remove package
message: Authentication is required to remove packages
default_any: no
default_inactive: no
default_active: auth_admin_keep_always
Suggest package-remove.
action_id: org.freedesktop.packagekit.rollback
description: Rollback to a previous transaction
message: Authentication is required to rollback a transaction
default_any: no
default_inactive: no
default_active: auth_admin_keep_always
Who else than Foresight does this now or will in the future? Does it
really warrant a separate action or could you use an existing one
instead? In a very real sense this is similar to updating so maybe just
use 'system-update'? Or if you decide to keep it, perhaps use
'system-rollback'.
action_id: org.freedesktop.packagekit.repo-change
description: Change software source parameters
message: Authentication is required to change software source parameters
default_any: no
default_inactive: no
default_active: auth_admin_keep_always
Maybe it would be useful to rename this to "system-sources-configure".
action_id: org.freedesktop.packagekit.refresh-cache
description: Refresh package lists
message: Authentication is required to refresh the package lists
default_any: no
default_inactive: no
default_active: yes
Maybe rename to "system-sources-refresh" and also use term software
sources in the description + messages.
(right now you're using "repo", "software source" and "package list" to
refer to pretty much the same thing.)
action_id: org.freedesktop.packagekit.set-proxy
description: Set network proxy
message: Authentication is required to set the network proxy used for downloading packages
default_any: no
default_inactive: no
default_active: yes
Suggest system-network-proxy-configure and s/set/configure/.
Here's the suggested list
org.freedesktop.packagekit.package-install
org.freedesktop.packagekit.package-install-untrusted
org.freedesktop.packagekit.package-remove
org.freedesktop.packagekit.package-eula-accept
org.freedesktop.packagekit.system-update
org.freedesktop.packagekit.system-trust-signing-key
org.freedesktop.packagekit.system-sources-configure
org.freedesktop.packagekit.system-sources-refresh
org.freedesktop.packagekit.system-network-proxy-configure
Which I think is a lot easier on the eyes. Your thoughts on this?
David
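Added example, not code from this thread or from PackageKit: it renders the action set suggested above as a PolicyKit .policy document and lints the ids against the prefix/no-overlap guidelines. Assumed (not on the page): the PolicyKit 0.x policy layout (policyconfig/action/defaults/allow_*), the descriptions and messages for the renamed actions, and the per-action defaults, which follow the email where it states one and the original action's default otherwise.

```python
# Added example; the ACTIONS table below is constructed from the suggestions
import xml.etree.ElementTree as ET

NS = "org.freedesktop.packagekit"
PREFIXES = ("package-", "system-")
# (id suffix, description, message, allow_active default)
ACTIONS = [
    ("package-install", "Install package",
     "Authentication is required to install a package", "auth_admin_keep_always"),
    ("package-install-untrusted", "Install untrusted package",
     "Further authentication is required to install an untrusted package", "auth_admin"),
    ("package-remove", "Remove package",
     "Authentication is required to remove packages", "auth_admin_keep_always"),
    ("package-eula-accept", "Accept EULA",
     "Authentication is required to accept a EULA", "yes"),
    ("system-update", "Update packages",
     "Authentication is required to update packages", "auth_admin_keep_always"),
    ("system-trust-signing-key", "Trust a key used for signing packages",
     "Authentication is required to consider a key used for signing packages as trusted", "auth_admin"),
    ("system-sources-configure", "Configure software sources",
     "Authentication is required to configure software sources", "auth_admin_keep_always"),
    ("system-sources-refresh", "Refresh software sources",
     "Authentication is required to refresh software sources", "yes"),
    ("system-network-proxy-configure", "Configure network proxy",
     "Authentication is required to configure the network proxy used for downloading packages", "yes"),
]

def lint_action_ids(actions):
    """Return guideline violations: ids without a known prefix, or overlapping (duplicate) ids."""
    problems, seen = [], set()
    for suffix, *_ in actions:
        if not suffix.startswith(PREFIXES):
            problems.append(f"{suffix}: no package-/system- prefix")
        if suffix in seen:
            problems.append(f"{suffix}: duplicate (actions must not overlap)")
        seen.add(suffix)
    return problems

def build_policy(actions, vendor="PackageKit"):
    """Serialise the actions as a PolicyKit 0.x <policyconfig> document (assumed layout)."""
    root = ET.Element("policyconfig")
    ET.SubElement(root, "vendor").text = vendor
    for suffix, desc, msg, active in actions:
        act = ET.SubElement(root, "action", id=f"{NS}.{suffix}")
        ET.SubElement(act, "description").text = desc
        ET.SubElement(act, "message").text = msg
        defaults = ET.SubElement(act, "defaults")
        ET.SubElement(defaults, "allow_any").text = "no"       # remote sessions
        ET.SubElement(defaults, "allow_inactive").text = "no"  # inactive consoles
        ET.SubElement(defaults, "allow_active").text = active  # active console
    return ET.tostring(root, encoding="unicode")
```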