0:00:11 I'm going to talk about sandboxed applications for GNOME. I did pretty much the same talk already, you know, and that one, that's the other talk which might be more interesting, and then there's the panel with this. But anyway: sandboxed applications for GNOME.
0:00:37 So let me first introduce who we are. I'm Lennart Poettering, one of the guys behind the systemd project, and actually there are two more people here who are kind of part of that too, and of course we all pretty much work together. The systemd project: systemd used to be just an init system, but it grew a little bit, and from our perspective what it is supposed to be nowadays is a little bit like the basic building block to build an operating system from. So it brings a lot of components that are probably not too interesting for desktop folks, but it does cover a lot of ground that is relevant for the desktop too.
0:01:23 Going back to the actual topic: this is about the actual applications. We think Linux needs a strong way how we can do apps, and we believe that much of how that's implemented needs to live in the lower levels of the stack, because we believe that the concepts, the basic building blocks that we use there, should be kernel things rather than just something that is created in user space. So the isolation, for example, for the actual sandboxing part, is something we believe needs to be at the lowest level, with kernel objects, and not just something that is bolted on top and not part of the actual...
0:02:05 So the general goal of the systemd project is that we want GNOME, or in the more general case Linux, to be a modern general-purpose OS, and we believe that apps are an absolutely crucial part of it. I mean, nobody uses an operating system for the purpose of using an operating system; people use an operating system because they have to achieve something that is actually interesting for them. So how do you do that? You run some apps that do what you want on the operating system, and hence the operating system is just the thing that should be there and work for the apps, and the app environment is actually the most important thing we probably have...
0:02:46 So, by the way, I know it's very hard to give... I'm not sure how much time I have, so if you have any questions, totally interrupt me right away. I would prefer this becomes more of a discussion than just me talking stuff, so if you have any questions, totally interrupt me, I love that.
0:03:04 So we are talking about apps. What actually are apps? From our perspective, coming from the lower levels of the stack, apps are sandboxed user applications, shipped in a single file, that need no privileges for installation, with stable APIs and reliable testability.
0:03:24 Let's take this apart. Sandboxed user applications: this is about user applications first of all, so it's not about, I don't know, running Apache on my server, because that's a service. What we're really talking about here, in the sense of user applications, means Firefox, means games, all these. Sandboxed means that there is isolation of the app towards the operating system, so that whatever we have there cannot be exploited and the attacker cannot get access to the rest of the operating system; so that nothing from the operating system leaks into the app and, the other way round, nothing from the app leaks into the rest.
0:04:07 Shipped in a single file: that is something we are really interested in, so that handling apps becomes easy, because right now on Linux apps usually ship in an RPM or something like that, and they distribute files all over the place in the file system. I don't think that's a particularly useful or friendly way to do it. What we want is that people can consider an app as one thing, something you could attach to an e-mail, you know, right: it's just one file, that's all you need, and it will just work. Other operating systems have a little bit something like that; for example on macOS you have these app folders, and in that case it feels a little bit like a file but isn't. We actually want to go for one app in one file.
0:04:55 No privileges for installation, which is very important. After all, this is about user stuff, right, so user stuff should not require privileges of the operating system to run. This is systematically different from anything like RPM that existed before, because to install an RPM you need system privileges, and because RPMs are also so powerful, there's no way to distinguish an RPM, well, a package for that matter, that interferes with the innermost parts of the operating system from an RPM that is really just an app. So it is absolutely crucial that no privileges are needed for the installation, for the activation.
0:05:42 And then the next thing is stable APIs, which I think is probably the most complex thing of them all. We in Linux are not good at keeping stable APIs. I mean, there are different APIs around and some are better than others; like, for example, the kernel is currently usually pretty good. It's not perfect, but it's pretty good: you have a chance of being able to run stuff that was written against the kernel API from the nineties and it will still work on current Linux kernels. Not everything will, but... GNOME has not been as good with that; like, I don't know, GNOME 1 applications don't work on GNOME 3. There are a lot of reasons for that, and I think it's a good thing that it is that way, that we can make new APIs, but it is a substantial problem for app developers: if they want to write their application, they don't want to constantly be caught in that cycle that we have, that is really fast at updating, right. So we need to do something about that.
0:06:43 And reliable testability means... well, let's start with stable APIs. For us it also means that the differences between the various distributions are minimized, because currently the distributions all differ in massive ways. For example, one of my favourite examples: on Fedora and Red Hat systems there's a directory called /usr/libexec, which is something where you're supposed to put internal binaries, at least that's how most people understand it, and this directory only exists like that on Fedora and Red Hat and nowhere else.
0:07:26 Audience: What is that? ... automake?

0:07:28 Well, automake... there's a lot of things, but... I mean automake and stuff like that, and things like that... I wouldn't blame automake for that, I do blame Red Hat for that, right. I mean, we don't follow the GNU world anyway; if we did, then everything would end up in /usr/local, right. I don't know... I think because this is recorded we probably should, if we have discussions, do that with the microphone. Anyway, I personally blame Red Hat more for that, since it's in the Fedora packaging policy that you should use it. Also, what's kind of cool about this is that then we are to blame, we as Fedora, rather than everybody else.
0:08:21 But anyway, this is a speciality that came into existence as a speciality of Fedora and Red Hat, and it makes things difficult, because depending on which operating system you compile stuff for, it needs to be laid out that way. And this gets worse and worse and worse. I mean, for example, some distributions use systemd, others use Upstart, and these kinds of things. Many of these we will never be able to do anything about; however, we need to think more about unifying the ABI of the operating system, and we need to make sure that somehow, even if we are incapable of guaranteeing that our main desktop ABI is stable, we make it possible to relatively easily run all that against the ABI.
0:09:10 Reliable testability, that means: what is absolutely horrible for third-party application vendors who want to write software for Linux is that, because there are so many distributions and because there are so many different ways to run them, because you always have a different set of RPMs and so on, it is incredibly difficult to actually systematically test a piece of software against that. Because, I mean, Linux kind of provides the same APIs on all the distributions regardless of which one you run; you know, if you run Ubuntu, if you run Fedora or Gentoo or whatnot, they do have the same APIs. However, if you actually want to test against that, it's not sufficient that they provide the same APIs; you need to also know that they work exactly the same, and it's like the test matrix explodes if you multiply that by the different distributions and the different versions of the distributions and the different architectures and things like that. For a project like Firefox they can still do that for a couple of distributions, but as soon as you are only this little application developer and you want to know that your stuff works, how should you ever... I mean, it would basically require you to install every Fedora version you want to test against, with every... and then test it yourself. So we need to do something to make testability easy, like reducing the variables in the whole equation.
0:10:41 This of course means we need to ask ourselves what the purpose of RPMs and debs is, and well, we want to keep all that. RPMs and debs, as I already mentioned, are something that is installed only by root, live in a common namespace, have access to all kinds of metadata because they're basically unrestricted, and they have this huge test matrix. We don't want to get rid of RPMs or debs or anything like that, right; we're saying they're really useful things, but they're not useful for actually packaging user apps, because they have way too much power. So the way we see it is: RPM, that's fine, that's how you build your operating system, but it's not what you actually then run on top of that operating system; that's a different format, one that does not have to deal with all the problems that we have there.
0:11:42 RPMs and debs are primarily focused around distributions: a single provider able to test a set of programs. But then the strength of RPMs is that they have so many dependency specifications. For example, you expect that the namespace of the dependencies expressed in the RPMs or debs is one unified namespace, right. Like, if somebody depends on a library by the name libfoo, then you need to make sure, and know, that this libfoo means exactly one library, not another one. However, libfoo is a very generic name, so everybody might have something different; even if they have the same name, they might have it with a different ABI. So RPM and deb, that's fine, but they only work when there's one entity managing the namespace and providing every single RPM to you. As soon as you depart from that and you have multiple parties in the game, not everything coming from Fedora, then RPMs and debs do really strange things, because the namespaces clash.
0:12:50 Apps, on the other hand, should be the opposite of that, right. We want people to have many sources of apps, and we want to make sure that there can be multiple providers; people can compile them and just provide them on their website, things like that. And we want to allow that this can be untrusted code, because this is like the next thing: if you have a distribution that makes them, you do trust the distribution to a certain level, and you expect from the distribution that it will actually take the code from the various applications, look at it, figure out that the code is okay, didn't do anything evil, and package it for you, so that you don't have to trust every single app developer and can instead just trust the distribution as a whole. As soon as we go to the apps model, where we want to have lots of entities, this becomes much more of a problem, because suddenly, if you get everything directly from them, then you have to trust every single one of them, and that's a lot of cost. Now, this is a problem, but it's a problem that we can deal with by technical solutions: by making sure, as mentioned with the sandbox thing, that even if you don't trust that app developer so much, whatever he can do with the system isn't too bad and can't actually break much.
0:14:12 So apps, and the key feature that they have: isolated from the surrounding OS and from each other and their private data, for security reasons, for API stability reasons, testability reasons, ... and that's with an exception for extensions. So the isolation from the surrounding OS is like the key thing here. We want to make sure that if you install a game, that game does not get access to your address book, and if you install, I don't know, some other app, it should not get access to your friends list in the other one, things like that. This is something that we never had on Unix: isolation of the apps between themselves, that you run under the same user ID. On Unix, classically, access control is exclusively a user thing, right; as soon as you have some code that runs as your user it gets access to everything you have, and that's just, I mean, a little bit of a...
0:15:15 So it's about that. The reason for that is security, but also, as mentioned, we want to isolate from the surrounding OS for API stability reasons, right, because currently, if you have packaged software, you see the entire API of all the RPMs, you see the entirety of the operating system, and that is a bad thing. You need to make sure that the app actually only sees the APIs that are declared stable and supportable, but does not see anything else and does not end up pulling in blind dependencies that you cannot see. For example, think about GStreamer. GStreamer has a stable API; if your application pulls that in, that's totally fine, but you create a lot of problems because GStreamer is based around plugins. These individual plugins are hidden behind the APIs of GStreamer, so you would think that wouldn't be a problem; however, ultimately these plugins will pull in other libraries, and for those we have no guarantee that they have any stable ABI, very frequently, like for example, I usually... So anyway, this means we need to somehow isolate the operating system, so that no dirty code running on the operating system can get to the app, and nothing you don't want from the app can get to the OS. The exceptions for that are extensions, like stuff that really extends existing software; for example, GNOME Shell has JavaScript extensions. That is a very different thing, because it actually must be able to run in the same sandbox and the same context as GNOME Shell itself, which means security is very important, but there are some exceptions where we actually kind of have to make a trade-off on that security.
0:17:11 So I already mentioned that we want kernel-level isolation: we want this isolation that we need for reasons of API stability, testability and security, and we want that on the kernel level. Why do we want it on the kernel level? First and foremost for the security reasons. Security is a complex thing where there are so many different things, like SELinux and capabilities and blah, stuff that people shouldn't have to think about, stuff that, I guess, leaks into quite a few subsystems, I don't know, it's a lot: process management, user management and all these kinds of things. If we ever do isolation exclusively in user space and have user-space components for this, then there's no way this can be integrated with all that stuff that we really don't want to care about but need to have. So for us it's really important that everything that is enforced is kernel isolation.
0:18:04 And this is also something we want: no app-store solution. We want something that is truly community-based, so something that is not bound to one single app store but something where people can set up their own app stores if they want to, and that is vendor-agnostic, so it's not supposed to be something where Red Hat sets up an app store and nobody else can take benefit of that; it's supposed to be something where everybody can set up an app store, and people can even have none at all. So it's supposed to be something that is truly free, the way Linux itself is.
0:18:39 So that's a little bit about this: the mission statement, a bit about security, about freeness, about a couple of other things. The next part of the slides focuses mostly on how we think we can get there. We have been working on a couple of things already; we grouped everything that we want to do into nine steps. It's a lot of work; it's not likely to happen tomorrow or something like that, but we have a lot of things already in code, and a couple of other things we have thought about and have plans about. But until we have the full thing... the whole thing is what we think is actually necessary to make Linux thrive as an ecosystem, because, quite frankly, it's impossibly hard to write good apps for Linux, simply because you cannot distribute them.

0:19:34 So, any questions to this point? Totally interrupt me if you have a question. The microphone...
0:19:51 Audience: I don't know, it's like... maybe it is: if I have, like, one machine shared by two people, would it be very nice, or right, if it installs it for the two people on the same machine, or would I just install it twice?

0:20:05 Right, so I mean it is our mission, and like part of our mission statement, that users should be able to install these apps without requiring privileges, but that does not mean that that's the only way apps get installed. For example, an administrator could just drop something into the system for every user. So it's just that we want to allow users to do this without privileges; that's fine, but administrators as well.
0:20:44 Audience: If every application is just a single file, what about shared libraries?

0:20:53 That's a good question; we'll probably come to that later, though. That is a valid... Anyway, I mean, so far it's just about the mission statement, why we believe this is necessary and what we think the solution should be providing. The nine steps are a bit about the technical implementation of things. But anyway, I don't see any further questions, so let's just proceed with the technical stuff.

0:21:11 Audience: There is one thing... many mobile applications come in a client/server version, usually internally ... so are we only focusing on a single side, a single focus?

0:21:39 So this is explicitly about user apps, right, user apps meaning apps that the users themselves, the end users, play around with. It's not about services. I think much of the stuff that we are designing here will ultimately be useful on the server as well, but this is clearly out of focus for the stuff that we cover here.

0:21:57 Okay, thank you.
0:22:06 The nine steps. That's all the questions right now, right? Okay, so the first one, that we are currently working on: make kdbus work. kdbus is an approach that Kay and I have been working on, together with Daniel Mack, Greg Kroah-Hartman and a couple of others. It's basically the D-Bus IPC system moved into the kernel. D-Bus, I hope you all know, is like this IPC thing; it's really a basic thing for how processes can talk to each other. Since this is about processes talking to each other, we believe it is absolutely essential that this core component is aware of sandboxing, meaning that, because we need to limit what apps can talk to, we need to have the sandboxing right in the IPC. So for us, because we again want all these things to be enforced by the kernel, it is absolutely essential that we make kdbus work. The other thing is, we believe that kdbus, or D-Bus in general, is like a really nice way how communication out of and into the sandbox can work.
0:23:09 So it is very important that if we want kdbus, or D-Bus, to be the single interface in and out of the sandbox, it needs to be capable of actually exchanging large amounts of data, because, I mean, if it's supposed to be the one and only thing that the sandbox needs, it needs to be really good and cover all the use cases that we have. Now, D-Bus classically is not useful for exchanging substantial data; it's focused, and that is in the design statement, only on control data, right: short method calls with a few parameters. If we want to make it the single thing, then we should be able to also use it for exchanging things like a JPEG file, a document file or anything. So for us this meant: if we want D-Bus to be the central interface, we need to get this fixed first, and the sandboxing, things like that.

0:24:06 The current state of kdbus is that we have a lot of code and it kind of works, but we have not... it's part of the systemd project; the user-space part is in systemd, the kernel-space part is in a repository. We're not far from actually making it all work together; basically the last missing step for us is that we actually port systemd in its entirety to the new API that kdbus and sd-bus provide, which is not something so difficult, it's just a lot of work, like moving from one library to another. We hope that we have something really presentable, like booting up an entire system with kdbus, by the end of the year. I have submitted a talk to LinuxCon Europe about kdbus, so I'd better have something presentable by then; that's my way of getting pushed on that, so that we actually have something.

0:25:10 So much about kdbus. It's a huge project; it's going to be awesome, because we finally get a really good IPC on Linux that provides everything we ever wanted, from sandboxing to broadcasting to...
0:25:27 That was step one. Step two is: we want this sandboxing built on Linux namespaces, seccomp and cgroups. So, if you ever dealt with the lower levels of the stack, then the names Linux namespaces, seccomp and cgroups are something you might have run into. Suffice to say, these are very generic tools that the kernel provides for isolating, and they allow you to limit what a certain set of programs can see, but also what they can do. And while these are completely generic, we need to make them very specific for the apps case. If you use Linux namespaces, seccomp and cgroups you can build anything out of them, you can secure services and whatnot, but to actually match the GNOME app sandboxing we need to use them in one very specific way, of course with namespaces and stuff like that.
0:26:33 This also lets us look at the stuff where namespacing is built in from day one. A couple of things about this are really interesting, like for example the cgroup stuff: we want that every app runs inside of a cgroup, so that we can put resource limits on them, so that no app can bring down the system. But this has a lot of interesting effects beyond that as well, because it suddenly allows us to manage runtime apps in a way that only Android and these kinds of things could. For example, we could give the foreground app a boost in terms of CPU, and we can give the background apps less, like limits on CPU time, and we could even freeze the background apps. This has been done on Linux before for things like Maemo and something like that, but with this model, if we have the definition of apps, we suddenly have all these options open where we can make use of... The net effect of all of that is a system that's a little bit more robust, but primarily it's about resource management, so that it feels a little bit nicer; the foreground app gets more CPU.
0:27:47 So seccomp, namespaces, cgroup sandboxes, as we have them. Part of this is actually something that has been tried in the past, but we were a little bit disappointed with the results. We believe what is essential for this, actually, is that we get a strict file hierarchy specification. I mentioned this before with the /usr/libexec thing: if we want to make this happen, that these sandboxes can work on every machine, then we need to make sure that the different machines do not put all sorts of things in different directories all the time. But we also need to give the app developer an idea how he himself is supposed to place his data, so that it does not clash with his operating system or any other operating system that follows these guidelines. This is a complex thing, because there's already the FHS around, which tries to standardise how the entirety of Unix works; for this app stuff we probably need to revisit that topic and focus exclusively on what apps, user apps, need. This is not necessarily so much a job for GNOME itself, but it is actually a job for the entirety of the Linux world, that they actually accept that the differences are minimised, and that Fedora stops doing that /usr/libexec and lib64 thing.
0:29:29 And this is something very important: currently all distributions actually act differently, right. If you have, you know, Ubuntu, it will not use lib64; if you have the same code on Fedora it will use lib64. That's a big problem, because the same thing looks different. So while I think the distributions need to fix the issue, there's also something for GNOME to do: like, the release team, or somewhere like that, has to define exactly how the files are located and how the ABI looks on the different operating systems GNOME is going to run on top of. Of course we don't have anything like a certification system where you could actually check for these kinds of things, but it's still of major importance that it is clearly communicated to the distributions that they stop doing that, and saying: if they want to have something that is compatible with GNOME, right, GNOME needs to document "this is how you package it, and you don't do it any other way", and if you don't act that way then you're out of the game and you have no compatibility with what we do. So it's something to fix for the distributions, but they need to do it according to the recommendations, and GNOME needs to own the whole thing.

0:30:48 By the way, if you have any further questions... there's a question; the mic is coming.
0:31:04 Audience: Once we have namespaces and cgroups, would it be possible to enforce the file hierarchy by means of namespaces?

0:31:16 So when I speak of namespaces, this usually applies to filesystem namespaces, but namespaces are designed to isolate things; they cannot be used to enforce anything, right. And also it's a different thing: for example, what the app inside of the container does is relatively irrelevant; they have more freedom than the operating system has, because the apps are not an ABI, the operating system, however, is. So we will not be able to enforce much. I mean, I'm sure that the GNOME board could supply a tool that can lint the operating system and make sure that a big part of the layout is right, and we could even provide a tool that you can run on an app to make sure that the app does not put something in a place where it would clash with what the operating system does, but sandboxes are not really the tool for that.
0:32:16 There is a question.

0:32:29 Sorry, I didn't get the question.

Audience: I was wondering what ... usable ... at a distribution, not just to ...

0:32:37 Well, it might make sense, but I don't think that really matters too much for the FHS stuff, because ... the libraries ... It's a good question actually, but ... well, you do read the files ... But I mean, this is about user apps, right, and I highlighted that once already, so it is not essential. The stuff that is required only ... the reason why the old distributions still have that split off, it's not necessarily what the apps need either. So it's not that, but maybe there's a little bit of chicken and egg ... some of the tools probably ... we don't isolate ... absolutely, and stuff ... Okay, so I think it's a problem, but I don't think it ... Okay, any more?
0:34:00 Audience: I'm assuming that the new strict file hierarchy specification is something that we all want, but has there just been no plan to get everybody, like GNOME, Xfce, ..., in a room at the end and say, all together, okay, let's hammer out the spec here? Because it seems like it's sort of a pipe dream if we don't have a plan about where to go with it, to just get everybody on the same page.

0:34:19 You know what they say about committees and standards; I'm not sure that will work that way. I don't know, we should get the right people involved, absolutely. I don't think we should get everybody involved, because then you get... I mean, as soon as you, like for example, if you include the Ubuntu people, they will fight for the one side and the others for the other, with hate... So actually, a lot...

0:34:47 I've got like ten minutes left, right? Okay, so we can have discussions about all this later on, so let me... I'm still at step two, let me go through the other seven steps in the next ten minutes.
0:35:03the next thing is that it but we want something called portals and portal to
0:35:07something that the time or something we came up with a to access than and
0:35:10brussels early this year it's supposed to be something how apps can interface with each
0:35:18other without having to know about each other it's a something that's probably going to
0:35:22maybe based on top of KDE but it's a very interesting technology so it's basically
0:35:29something that is focus it that is based on an idea from android where they
0:35:33call that
0:35:36a what
0:35:37intents of course intents and what windows called contract right and these things are these
0:35:43i think the really interesting things and because they basically or a way how you
0:35:48can isolate apps from
0:35:52from the rest of the operating system without having that concept of security isolation you
0:35:58can be visible that's so to give an example what a portal i'm should be
0:36:02doing that say you have an act and that have like it's an e-mail have
0:36:06any and you want to be able to send a picture that you just took
0:36:09over to another machine on traditional linux this would mean that this email i would
0:36:15have to have access to the camera device and then would take picture from the
0:36:19camera device and attach it to the email and centre the way our that's a
0:36:23big a big but quite a bit of a security problem because you don't really
0:36:27want to give access to the camera to email program so the idea of portals
0:36:33and intents on Android is to always have that's related to different sandboxes
0:36:39and require interactivity between those two things
0:36:42so the idea in that case is that if you have an e-mail application you
0:36:45wanna send a date pick picture over what happened is that the email a program
0:36:49goes to systems as i would like to have a picture here please help me
0:36:54this system and says okay then goes and she's checks which programs could actually provide
0:37:00a picture it could be like the gallery you have thing of could be actually
0:37:03the camera to
0:37:04then the camera tool would be activated or the gal review and you would select
0:37:08you take a picture that i see interactivity which has this nice effect that ultimately
0:37:14the you was the didn't wanna now that you would say why do my camera
0:37:19application actually get started there was no reason for the simple press can't one okay
0:37:23so in a way
0:37:26there's a security question hidden behind this interactivity so that you only grant access to
0:37:33the camera indirectly and always hasn't activity but use that so that if that action
0:37:38was not supposed to take place you will say can so maybe a little bit
0:37:43confused but not allow
0:37:46it is wonderful technology because it's one way about integration of that's right because if
0:37:52you sent an email and you get the camera application running you get the same
0:37:56everywhere you can replicate running is always but it's also the security technology saying that
0:38:01that's also the security technologies like a something about their other cases for portals for
0:38:06example just think about OpenOffice currently OpenOffice needs to be able to access
0:38:11your home directory and all other directory so that you can open a file at
0:38:15any one of them but it really sucks because OpenOffice is a gigantic piece of
0:38:19code and you don't really wanna give it access to everything that could ever like
0:38:23you and we spoke like you private banking data like you Firefox cache and whatnot
0:38:28so ways portal to console the problem again because the OpenOffice would just tell
0:38:33the operating system haiti so i'm living the sandbox and i would like to have
0:38:37a file please give me one and then the application in the operating system would
0:38:41again interactively you something out of the sandbox look for the file and we try
0:38:46to back to sandbox and the sample together but it would only get access to
0:38:50that specific file would not have seen any other file of the operating system so
0:38:56it's the portal some things about be very generic how the security transition there is
0:39:02hidden each wine between behind user interactivity instead of having questions like last week it
0:39:08usually ask them like should this ad get access to this device you just do
0:39:12the action but because requirement activity the usable make the decision just at the side
0:39:18of it without actually
0:39:24so the portal select or something that you know i'm really to care about of
0:39:27that's nothing something not nothing the castle come from system decided things from the lower
0:39:32level this can happen basic you know
0:39:34number for a i mean just as compressed file system with multiple partitions will back
0:39:39file so the idea for us as we wanted to have this after one image
0:39:44at all but also wanna have a only but we want to make sure that
0:39:49everything's on the kernel levels idea then is that applications are actually shipped and in
0:39:54a single file that is loopback mounted with a couple of partitions in them
0:39:59that will include everything like and real files that the application means that money applications
0:40:04executed will be merged according to very specific rules with the API file
0:40:09that the and the at shell be able to access and so that it basically
0:40:15the nazis a real operating system that is a real filesystem rightly that is emerge
0:40:20version of what it it's itself ship
0:40:23plus everything that has been white listed as a and system if you are from
0:40:29so i'm going through the little bit five because they're like less than five minute
0:40:34number five as an extended search five logic and you live in friends this is
0:40:38something and we really need if you if we have these apps and the contents
0:40:42of the apps are not a viable in the normal system and study you get
0:40:46this problems that let's say GNOME Shell should be able to enumerate all the
0:40:51apps that are installed at means that needs to look for the .desktop files
0:40:54then something you have the problem well it's not sufficient anymore to look into user
0:41:00share applications for the .desktop file because suddenly that's not well all the and
0:41:05that's the file will be they will be inside of these a single file loop
0:41:08back mounted simple filesystem thank you so the net result of that is
0:41:15we really would like to see the search path logic extended so that do that is
0:41:19capable of automatically finding these things also in the apps instead of just use okay
0:41:25this applies not only to finding after the price to quite a few other things
0:41:28like looking for i can looking for music files using for whatever scenes and this
0:41:34kind of thing
0:41:38then the next thing is a sample to where display manager this is real important
0:41:41us because X11 this is this gigantic saying if you as soon as you
0:41:45get access to X11 to the so that you can do anything with that
0:41:48you can talk to read applications fake input other picketing the kind of thing if
0:41:52we wanna have sandbox applications this means that second really be acts that is in
0:41:58the makes that the good thing is Wayland has been designed already in a
0:42:02way so that applications can never ever access the input and output of other applications
0:42:08that always you only that and by for nothing else
0:42:12so that is point six point seven the something we still need to discuss was
0:42:17ryan it's D com means need like the considerations needs to be and be able
0:42:24to understand sandboxing
0:42:26meaning that it needs to be able to access control on the napkin and you
0:42:32get access to the keys it should get to and nothing else
0:42:36number eight it system for building apps
0:42:40and profile is the that's kind of related that's a simple building out of course
0:42:44is not sufficient to justifying this we also need to be P getting a tools
0:42:48to develop is to actually make building these apps easily i think ultimately with system
0:42:53that we defined it's relatively easy to do minimal ports of existing have like OpenOffice
0:42:57into the scheme because inside of the name space container that i mentioned earlier
0:43:02everything looks like a real operating system except one that is very minimal so they
0:43:07do not have to make many changes they only have to make many changes in
0:43:11of that's about security and portal something like that you
0:43:15how we think that the that the compatibility situation should be handled is with these
0:43:19called profiles profile to basically something if you have to dora it would implement i
0:43:26profile called you know and maybe one profile called LSB and that's about
0:43:30it and application would specify exactly one profile that's developed for the profile would basically
0:43:36a superset of libraries or D-Bus interfaces and about a couple of other things
0:43:41that need to exist
0:43:42so the idea spending that if somebody writes an application you can pick one of
0:43:47these profiles and has freedom i they can chase a okay i wanna focus on
0:43:51the GNOME we don't be or that's a relatively you then he has to deal
0:43:56with the fact that you has to rely on the GNOME's capabilities to make stable
0:44:00api some kittens and this table and or you can say i don't care about
0:44:06them gonna i care about LSB only i don't trust again about because
0:44:09the break API all the time then you can do that of course you will
0:44:12not be able to get access to the economic the eyes that way but you
0:44:16can still include them in as an image because after all the image includes pretty
0:44:20much something that looks like a real operating system
0:44:23so this gives basically developers the option like how much do they trust upstream how
0:44:28often do they expect that they want to update application and the deal is basically
0:44:33it's like Firefox they're constantly updated they would like i mean and five releases and
0:44:40you really is every three months or so if i correctly on so there could
0:44:44but basically say we always check the news you know and always we can use
0:44:48GNOME profile and then they do than everything will work on the other hands i
0:44:52have no time anymore but there is games and stuff like that games usually of
0:44:56written once released immediately then there's maybe one update and that's it so they would
0:45:01focus on a different profile like that'd be profile they would get less integration would
0:45:06have to rely less on the on the stability guarantees by the operating system winner
0:45:11but we get something out of the door there's my last slide have stores this
0:45:16completely out of for before systemd we have stores of course as soon as
0:45:19we have that of course the last
0:45:21they have between all these nine step there's lot of other things this box just
0:45:26supposed to give you a little bit of an overview what we working on as
0:45:29mentioned we're kind of it was a KDE that stuff and we work was see
0:45:33group of things like that and try to make session system you working which will
0:45:37give us a definition of the but this is still a lot of stuff and
0:45:41i have to do anyways thank you very much for your time if you have
0:45:45any further questions maybe we have time for one question
0:45:50so or one of his like you can ask one question otherwise that's
0:45:56do something outside
0:45:59so you are lucky one so she studies
0:46:03i'm sorry she or one liabilities into supplements that's a good a question shepherds is
0:46:09bundle libraries the distribution people they tape on the libraries for those it and don't
0:46:14know the details about this is basically Firefox and all these things they tend to
0:46:18ship as shed light like a couple of shared libraries that we otherwise a part
0:46:23of the operating system was there i'm application and distribution people to be hide that
0:46:28application developers always do that but is think they're absolutely rights i think that actually
0:46:34are and we need to technically solve the problem so i think ultimately this means
0:46:39we need to support bundled libraries however we need to deal with the fact that
0:46:44they saw they suck for security reasons
0:46:47but i saying that the best way to deal with security series that by security
0:46:51technology so that's again something where the sandboxing is relevant right if you want
0:46:56to allow Firefox to ship is own SSL library and you need to make
0:47:00sure that whatever happens and inside of Firefox now we can get out of the
0:47:03and you need to be tightly sandbox
0:47:05right but i think ultimately there is really strong we my Firefox doesn't model things
0:47:11it's a testability thing it's about they want exactly that version that they know with
0:47:15the API and the bug fixes i know instead of something that is
0:47:19it's about that somebody else but i don't know which is the up and
0:47:23so this idea this is that stuff as opposed to provide support about the libraries
0:47:30and i don't think there's any way around that how much is bundled and how
0:47:34much assisted by the operating system is something you decide what profiles if you think
0:47:39i LSB profile with very low level and you have to should and problem
0:47:42or if you pick we can own profile you have to ship but alas but
0:47:46i don't think that's the way around hunting at least the
0:47:51the middle ground a framework it's
0:47:54well timers a profile so you're supposed to promote
0:47:58but i don't know if you if you wanna new version of GStreamer or
0:48:01you have to bundle
0:48:04everything that's not products operating system profile and you have more about
0:48:12there is no possibility that you know if an operating system doesn't have some very
0:48:16popular third party like you've been everybody has to bundle their own copy of that
0:48:19we pretty like green instead of using show and then they should talk to the
0:48:22operating system vendor maybe ship the library
0:48:26okay anyway this was already one question more than i promise so anyway single but
0:48:30i'm if you i