Video in TIB AV-Portal: Listaller

Formal Metadata

A simple and secure way to distribute 3rd-party applications
Title of Series
CC Attribution 2.0 Belgium:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
Listaller is a new approach for making 3rd-party software installations on Linux possible, without interfering with the native package manager. Listaller's primary focus is system-integration, so users will not notice that they are using the tool, as it integrates with existing PackageKit-based software management frontends. The installer also contains a new approach to dependency-handling, and makes use of existing specifications, such as AppStream. Software management on Linux is traditionally done using packages, although Linux desktop users are more interested in applications instead and do not care much about how something is packaged. Also, users often want to install software which is not available in the repositories (e.g. new applications or new versions of them), without having to upgrade the whole distribution. Listaller extends the package manager with the ability to install 3rd-party applications. It is built on top of the AppStream specs and PackageKit and focuses on system-integration. This means no additional UI must be added in order to install application packages using Listaller. Listaller apps can be managed using existing tools like GNOME-Software or Apper. Because software from 3rd-party sources is a potential security risk, Listaller also tries to give users a hint if they can trust a certain application, and makes it possible to run these applications in a sandbox automatically. For developers, it contains some helper tools to make applications work on multiple distributions.
the when it was victories and didn't the work there is interesting develops student because 2 to developments in its similar contribution to adjust the momentum of the studio number and today we didn't do this which is the way to the distributed computation so that is another but it's due to the end of that there those was a change in the
videos that this can I I a case that the fall the area of law and thank you it is is a better idea across and I want to introduce you to use which is and situated distribute
3rd-party applications, as was said before, or in other words it is another solution to create cross-distribution packages. So first of
all you might although this 1 the soul of a created with some other space because distribution packaging system that they already have packaging systems we have 1 in these distribution and we also have some of you are aiming for a similar goal. So, um, first of all I should answer the question: why do we need a cross-distro installation system at all?
So the first, the main reason is that people want new software which is not available in their distributions. They have a stable base distribution and want the latest and greatest stuff to be installed and to try it out. Now rolling release distributions, they don't fit everyone's use cases, because so many people want a stable operating system, an operating system which does not exchange the kernel or other components ways and also but they could be backwards but so the distributor resources are usually limited and less people are interested in backporting stuff to stable distributions, so there's a great lack of manpower, and it also has some other issues when you try to backport something. And the so-called third-party repositories, which are called in the Ubuntu world PPAs, personal package archives, of adults are insecure and they can potentially break the system, for example if the PPA packager introduces new packages which then later get replaced by other packages from the distributor which are slightly different; during an upgrade the upgrade will fail and you will have a broken system which is very difficult to recover, at least for users who don't have a technical background. Also every packaging solution has the option to run random scripts with root permission, so if you install an application from a malicious source you really don't know what this thing is doing unless you looked into it, but usually users don't do that before they install software, because they want to see the software running and don't bother with the installation process and with reviewing a package. Also, last but not least, PPAs are
distribution-specific: there are many PPAs for software which are only available for Ubuntu, but Fedora and Debian need different sources, so it's not yet doesn't sperm it's lots of duplication. The openSUSE Build Service solves that partly, but you still have to write lots of
different spec files to package everything. And also if you have a because you want to ship your software as a binary installer, you again have the problem that this will execute code during installation, which often happens with root permission, so it's not something we should be wanting to do. So why is Listaller better than
that you're God in. First of all, it was built with system integration in mind, which means that the user should never notice that Listaller is used when installing applications. So applications should, when they are installed, integrate seamlessly with every existing applications system, so
they should not look like foreign objects to the system or to the user,
and also software updates should be retrieved automatically using the same user interfaces that the system uses itself, because sometimes if you are installing third-party stuff on Linux you have like another updater application, and this is really not user-friendly, to have multiple sources to install software or to update a system. And of course it should because this strong could ever professor compatible
and it should be simple, which means that Listaller is not able to install basic system components like, for example, an init system or some toolkit or something which has reverse dependencies
on itself, because Listaller is meant solely for applications, for locally leave packages, and everything else which really requires integration by the distributor should be handled by the distribution and not by the upstream project which is creating Listaller packages. Of course it should be secure, which means that every package is usually signed, the signature is checked against a database to see if the smoothness of malicious signature or if the signature is known to be malicious, and every application installed with Listaller will be sandboxed, which will soon be possible using the kdbus Accra cells of pushing large chunks of data into a sandbox using portals, but that's a different technology which is pending implementation. Listaller also provides developer tools, which means
that app developers get helpers to make applications run on multiple distributions, and the packaging is really simple for them, which means all they need is to write a small file usually and then they can get started with packaging. So, um, after telling you all of that, uh, you can imagine that Listaller consists of multiple tools, which can be divided into end-user applications, for example an application which sets up the sandbox and runs the application, an application to manage the database of atrocities, lots of developer tools which do different things, from tracing dependencies to making the application relocatable, which means that they can place it
anywhere on the file system and it will still find its dependent data files, and also of course a generator for Listaller packages and tools to generate update sources and repositories to follow the creation if you read of Listaller packages, of Listaller repositories which target the whole Linux market, so you set up a repository with Listaller packages and every Linux distribution can add it and can use it. So how does this work?
Listaller is actually a PackageKit plugin, which means that it runs inside PackageKit. PackageKit, for those people who don't know what it is, is a tool, a D-Bus service, which takes requests from clients like software centers, package managers or update viewers, uh, and then performs an action on the native distribution interface, which is the PackageKit backend plugins which get called by, uh, the D-Bus daemon running as root, and then they get asked to perform the actual action on the native distribution package management interface. So Listaller hooks into this by creating some kind of meta backend between the native backend and the PackageKit abstraction. So if packagekitd receives the request to install a Listaller package, Listaller notices that inside packagekitd, will perform the installation of the new package and send all information about this new package through PackageKit's D-Bus interface back to the client. So for the clients it doesn't matter if they install a Listaller package or a native distribution package, because for them it just doesn't matter at all. And if there is a native package, of course that will make it through and come down at the backend and perform the appropriate action. Listaller can also query the backend instance directly, which means that Listaller has the opportunity to talk directly to the native distribution package manager and resolve dependencies and install some missing dependencies if necessary. But on about
dependencies: in order to make

Listaller work on multiple distributions and still have dependencies, which is something we want at least for basic dependencies, e.g. GTK of an, because if you link the whole toolkit statically and the distributor pushes an

update which fixes a critical security hole, and you have an application running on the system which has the toolkit statically linked, you won't get that security fix into a production, because the statically linked Library services and applications will still use that old library. So it is a good idea to have at least some base level of dependencies. And in order to resolve dependencies using the native distribution package manager on multiple distributions, Listaller relies on so-called components, which define the interfaces an upstream project provides, which binaries, which libraries and in which versions. Ideally it also ships a symbols file so we can check if ABI compatibility is given. And then Listaller uses the component files to actually find the right dependency in the distribution database. So to some extent it depends on upstream projects to write component files, but there are some workarounds, but because this is a lightning talk I can go into detail. And so let's walk
through the process and package of all after reading the globe developer documentation already the developer decides that this is a good idea to create a package for that In order to do
that we need to do a few things. First of all, write an AppData file. AppData is part of the AppStream effort to create cross-distribution software centers, and efficient and with that file your application will be represented better in any software center because we will have more metadata to take into account. So in the end the AppData file is just a small bit of XML which defines the project summary, description, the name and file at home page of essential and some other stuff. Listaller takes this file to present the application to the user and say "yes, you're installing this sticker thing right now", and then later it will also inject that data into the AppStream database, so every AppStream-aware software center is able to display the Listaller applications just like any other application which was installed from a native distribution source. Then you need to write a few rules
on how to compile the application. This can be done using appcompile in Europe because they have a because a small wrapper which will detect the build system and the stuff; that works with a few build systems so far, but yeah, you
can also add instructions on how to build your application manually there. Then you need a file listing. Listaller does not use any

absolute file paths; instead it uses relative file paths where you can place your application under this, and during installation Listaller then decides,
depending on the distribution's policy, where to put the application files, and therefore the distributor in the end controls where everything is installed. You also need to write days ago a pkoptions file, which specifies how the package creation process will be done and which version of the packaging standard you want to use. Then you just need to generate your package, which will automatically run depscan, which is a small tool to detect all dependencies your application has and then match them to components using the component interface definitions I've shown you before. In this case we for example detected GTK 3, G where x oracle and I can see him as the stream of course this thing is called pass, but then it will just generate the package structure inside the package and run with it was a small tool to validate of validates of pieces of the upstream work in order to get a high-quality package and to say they tell us to maybe you're doing this long maybe the next time and so we're doing that we can that's one of the concerns of the City address, that upstream projects might create crappy packages, because the style of want OWL doing that and if there are some minor minor treats which can be done it 1 the option of a lot of. So in the end you have a package. This can then be installed by
the user using the native packaged up and execute package management tools or using tools which are dedicated to installing Listaller packages, and the long-term plans are to get rid of these; there is an extension to PackageKit which will be done in a few weeks which might render the additional interface completely obsolete. Listaller then searches for native packages which declare that they support the missing components and installs them. If Listaller is unable to satisfy dependencies using data facts in the case of a package manager, it can also fall back to get dependencies from some other sources, if it is configured to be allowed to do that, because the system administrator might not want
that Listaller tries to satisfy the dependency from potentially untrusted sources like, uh, third-party repositories in order to satisfy the application dependencies. And then in the end
the user wants to run a full possibly executes runapp, which will set up the sandbox and do some other crazy stuff so the application is able to find its dependencies and yeah bands the end of this thing right now only supports holders of unjustified older this a faster it sooner but will also support the new D-Bus-activated applications, which is the new way to start applications in at least in
future. Developers can create update repositories, which is also pretty simple and straightforward and in order to generate an out so like future and that are. In our example a user decides to remove the removal passages, opens Apper on KDE, the tool they use to work with packages, finds what had entered the uninstall button, and it's just gone without any problems they
and that's it that and
if the question will be that see that would be so if I understand you correctly you should put by these but how would you look and solve the problem of instilling in norm through that I could use it you don't specify is that he has to be solved within you have only libraries and you don't know where to find libraries and things like that and where there are 2 approaches to that in the summer of what has past self which will change the al-Qaeda of binary which is really aqueous so the preferred way right now is that the right application sets the library paths for the new libraries and therefore makes the application find its libraries if they are living in a different direction I'd be interested to talk to you about that the if you look the question item of you already started but then you use and that these package management system like maybe to get students to understand the packages and had no you can't because then the other on the native packets measurement system which Hesselink link against was tolerant in order to be able to do the same as that sketched that answer right now it is a theory it's possible that I don't think that the upstream self-made text messages want to do that right now at least the last question that is that is reduced to model the understood to warning you December think this is going to have students there was an incident report that