[Sugar-devel] Future of Rainbow + Sugar?
bert at freudenbergs.de
Tue Feb 24 12:47:16 EST 2009
you make it sound as if Rainbow was new and unknown and Michael was
pushing it. That's a bit unfair. Rainbow has been shipping in the OLPC
releases for quite a while, and activity authors in general do know
that they simply have to respect the designated directories for saving
files. For example, they do know that SUGAR_ACTIVITY_ROOT (provided by
Rainbow for runtime use) is something else altogether than
SUGAR_BUNDLE_PATH (set by Sugar to the installation directory).
Rainbow is one of the most generally useful things brought into being
by OLPC. Since Sugar activities were specifically designed to work
with it, it would be a shame to not use this enhanced security
framework. In particular since Sugar aims at users who need all the
protection they can get.
Integration with jhbuild has been problematic since the rainbow daemon
needs to run with superuser privileges, and it would need to mess
with the user management of the host machine. But it should work very
well in SoaS and I for one would appreciate if it was integrated and
- Bert -
On 24.02.2009, at 17:56, Carol Farlow Lerche wrote:
> Michael, I think your work on Rainbow is very important, but I think
> it is a bit opaque. Perhaps you could improve your documentation
> and as well write a tutorial about it that would make it more
> apparent how much is actually implemented and what an activity can
> do with it.
> So here's an example. In the Rainbow page on w.l.o you refer to http://dev.laptop.org/git?p=security;a=blob;f=rainbow.txt;hb=HEAD
> for more information. Yet this file has several locutions of the
> form "This can be implemented" and "I believe but have not
> confirmed" which leave the reader unclear as to which services have
> actually been implemented. Hopping over to Low-Level Activity API
> the information about security doesn't correlate with the
> permissions referred to in the txt file.
> Also you leave ambiguities for the reader by using the passive voice
> throughout these articles. Changing from passive to active voice
> answers many questions for the reader. Here is an example:
> "All writing to the file system is restricted to subdirectories of
> the path given in the SUGAR_ACTIVITY_ROOT environment variable."
> Well, we know that isn't true in all cases, because activities get
> installed by Sugar outside that subtree. So possibly you mean
> "Rainbow prevents any activity launched by the Sugar shell from
> writing to any directories except those under
> SUGAR_ACTIVITY_ROOT". Or do you? Any exceptions? What about
> reading files elsewhere in the file system?
> The scattershot documentation within several wiki pages and text
> files of unknown currency is also a problem. How about a unified
> document befitting such an important aspect of the Sugar architecture.
> I think demystifying Rainbow within a comprehensive document
> containing a section specifically aimed at the concerns of activity
> developers would go a long way toward expanding its use.
> Carol Lerche
> On Tue, Feb 24, 2009 at 8:24 AM, Michael Stone <michael at laptop.org>
> On Tue, Feb 24, 2009 at 01:47:01AM -0500, Mikus Grinbergs wrote:
> >[Also, I'm hearing whispers of 'no Rainbow' after Joyride.]
> In my view, it's up to the SugarLabs folks to use Rainbow or to drop
> it. I have tried to clear the way for them to use it on all the
> platforms they care about by simplifying it, by making it more
> generically useful, by writing some basic .deb and .rpm packaging in
> order to ease testing, and by writing Sugar patches which cause Sugar
> to use it. Unfortunately, in the two months since I announced this work:
> and since I spoke about it at Fudcon Boston in January, I have
> received no feedback more serious than a (kind) thank-you note from
> Walter, let alone testing, bug reports, or patches. As you might
> imagine, this response leaves me more than a little bit discouraged.
> Now, it could certainly be the case that there's more work that I
> need to do in the form of documenting, testing, or pushing my recent
> rainbows before people will be excited about trying them out and, if
> that's the case, someone should tell me. Since no one has done so to
> date, despite repeated overtures, I've mostly come to believe that no
> one cares.
> Do you know differently?
> P.S. - I find this state of affairs particularly sad, since I think
> there's an /increasing/ amount of awesomeness that Rainbow can
> provide, e.g., bringing all the recent hard work the kernel folks have
> been putting in on network containerization and memory-resource
> cgroups "to the masses".