1
00:00:09,880 --> 00:00:10,260
i

2
00:00:11,750 --> 00:00:16,640
I'm going to talk about sandboxed applications
for GNOME. I did pretty much

3
00:00:16,640 --> 00:00:20,270
the same talk already you know major
safety of the pen and that one

4
00:00:21,700 --> 00:00:23,710
that's the other talk which might be more interesting

5
00:00:24,310 --> 00:00:29,270
and that's panel with this but anyway we
have made little bit of the resistance

6
00:00:29,270 --> 00:00:30,770
gonna major so that's and you stuff

7
00:00:33,600 --> 00:00:36,750
sandbox applications for brno

8
00:00:37,670 --> 00:00:40,120
so let me first introduce who we are

9
00:00:40,400 --> 00:00:45,760
so I'm Lennart Poettering and I'm one of the guys
behind the systemd project

10
00:00:45,760 --> 00:00:49,050
and actually have to more people that
that's kind of us and that you cut

11
00:00:49,510 --> 00:00:57,410
and if of course everybody here actually we're
pretty much and we all work together

12
00:00:57,410 --> 00:01:01,410
and the systemd project: systemd is
a little bit like, it used to be

13
00:01:01,410 --> 00:01:05,990
just an init system but grew a little bit
and from our perspective what it is supposed to

14
00:01:05,990 --> 00:01:10,030
be nowadays is a little bit like the basic
building block to build an operating

15
00:01:10,030 --> 00:01:14,590
system from. So it brings a lot of components
that are probably not too interesting for the

16
00:01:14,590 --> 00:01:19,400
a test on france but it does cover
lot of ground that is relevant for

17
00:01:19,400 --> 00:01:22,390
the desktop then

18
00:01:23,200 --> 00:01:28,740
Going back to the actual topic: this is
about the actual applications. We think

19
00:01:29,840 --> 00:01:32,680
Linux needs a strong way how we can do apps

20
00:01:33,200 --> 00:01:37,490
and we believe that much of how that's implemented
needs to live in the lower

21
00:01:37,490 --> 00:01:42,960
levels of the stack, because we believe that
the concepts, the basic building blocks that

22
00:01:42,960 --> 00:01:47,750
we use there should be kernel things rather than
just something that is created in user space

23
00:01:47,750 --> 00:01:52,140
right. So the isolation for example for
the actual sandboxing part is something

24
00:01:52,140 --> 00:01:56,860
we believe has to be in the lowest level,
which is a kernel object, and not just

25
00:01:56,860 --> 00:02:01,880
something that is bolted on
top and not part of the actual

26
00:02:05,800 --> 00:02:11,110
So the overall general goal of the systemd
project is that we want

27
00:02:11,720 --> 00:02:16,540
GNOME, or in the more general case Linux,
to be the modern general-purpose OS

28
00:02:18,490 --> 00:02:22,710
We believe that apps are an absolutely crucial
part of it. I mean nobody uses an

29
00:02:22,710 --> 00:02:27,200
operating system for the purpose of using an operating
system people use an operating system

30
00:02:27,200 --> 00:02:31,990
because they have to achieve something
that is actually interesting for them. So how

31
00:02:31,990 --> 00:02:35,220
do you do that? Because you run
some apps that do what you want on

32
00:02:35,220 --> 00:02:39,560
the operating system, and hence the operating system
is just the thing that should be there

33
00:02:39,560 --> 00:02:44,520
and work for the apps and the apps environment
is actually the most important thing

34
00:02:44,520 --> 00:02:45,410
we probably have enough

35
00:02:46,570 --> 00:02:50,280
so if i talk about by the way i know is be very far to

36
00:02:50,280 --> 00:02:53,590
give any is just with that is sure
not that's the down if you have

37
00:02:53,590 --> 00:02:58,270
any questions, totally interrupt me right away.
I would totally prefer if this becomes more

38
00:02:58,270 --> 00:03:02,900
of a discussion than just me talking.
So if you have any questions, totally drop

39
00:03:02,900 --> 00:03:03,930
me i love that

40
00:03:04,530 --> 00:03:09,720
So we are talking about apps. What actually
are apps? So from our perspective, from

41
00:03:09,720 --> 00:03:15,680
coming from the lower levels of the stack,
apps are sandboxed user applications, shipped

42
00:03:15,680 --> 00:03:19,820
in a single file, no privileges
for installation, with stable APIs

43
00:03:19,820 --> 00:03:23,430
and reliable testability. So

44
00:03:24,850 --> 00:03:29,290
Taking this apart: sandboxed user applications.
So this is about user applications first of

45
00:03:29,290 --> 00:03:33,170
all, so it's not about, I don't know, running
Apache on my server, because that's

46
00:03:33,170 --> 00:03:37,740
a service. We are really only talking here
in the sense of user applications,

47
00:03:37,740 --> 00:03:40,170
meaning Firefox, meaning games, all these.

48
00:03:41,200 --> 00:03:44,670
Sandboxed means that there is isolation

49
00:03:45,270 --> 00:03:48,610
of the app towards the operating system so that

50
00:03:50,730 --> 00:03:56,520
whatever the app does cannot be exploited and
the attackers cannot get access to

51
00:03:56,520 --> 00:03:58,030
the rest of the operating system, so

52
00:03:58,930 --> 00:04:03,770
so that nothing from the operating system
leaks into the app, and the other way

53
00:04:03,770 --> 00:04:06,300
around, so that nothing from the app leaks, right

54
00:04:07,410 --> 00:04:11,810
Shipped in a single file, that's something
that we are really interested in,

55
00:04:11,810 --> 00:04:17,170
so that it becomes easy handling apps, because
right now on Linux apps usually

56
00:04:17,170 --> 00:04:20,190
ship in an RPM or something like that
and they distribute files all over

57
00:04:20,190 --> 00:04:21,530
the place in the file system

58
00:04:21,930 --> 00:04:26,400
This is not, I don't think, a particularly
useful or friendly way to do it.

59
00:04:26,400 --> 00:04:29,730
What we want is that people can consider an app

60
00:04:30,480 --> 00:04:34,670
and something like and could attach to
it to tell you know right so that's

61
00:04:34,670 --> 00:04:37,410
just one file, and that's all you need, and it will just work.

62
00:04:38,280 --> 00:04:43,780
Other operating systems have a little bit something
like that, for example Mac OS, you have

63
00:04:43,780 --> 00:04:48,310
these, you have folders in that case,
which feels a little bit

64
00:04:48,310 --> 00:04:52,150
like a file, isn't it, but we actually wanna go for one

65
00:04:52,840 --> 00:04:53,370
app

66
00:04:53,970 --> 00:04:54,610
in one

67
00:04:55,340 --> 00:05:00,660
No privileges for installation, which is very important;
after all this is about user stuff, right,

68
00:05:00,660 --> 00:05:05,220
so user stuff should not require privileges
over the operating system to run.

69
00:05:05,220 --> 00:05:10,950
This is systematically different from anything
like RPM that existed before, because an

70
00:05:10,950 --> 00:05:17,770
RPM, to install an RPM you
need system privileges, and

71
00:05:17,770 --> 00:05:22,950
because RPMs are also so powerful,
there's no way to distinguish

72
00:05:22,950 --> 00:05:23,850
an RPM,

73
00:05:24,480 --> 00:05:31,340
well, an app package for that matter, that interferes
with the closest parts of the operating

74
00:05:31,340 --> 00:05:34,220
system, and an RPM that actually really is just an app.

75
00:05:34,660 --> 00:05:41,540
So it is absolutely crucial that no privileges
are needed for the installation, for the activation.

76
00:05:42,520 --> 00:05:45,720
And then the next thing is stable APIs,
which I think is probably the

77
00:05:45,720 --> 00:05:51,810
most complex thing of them all. We in Linux
are not keeping stable APIs, I

78
00:05:51,810 --> 00:05:52,940
mean there are different

79
00:05:53,450 --> 00:05:57,440
APIs around and some are better than others.
Like for example the kernel, you know, it's

80
00:05:57,440 --> 00:06:01,650
usually pretty good, it's not perfect but
it's pretty good, like you have a chance of

81
00:06:01,650 --> 00:06:06,310
being able to run stuff that was written
against the kernel API from the

82
00:06:06,310 --> 00:06:11,080
nineties and it will still work on the current
Linux kernels. Not everything will, but most

83
00:06:11,080 --> 00:06:12,010
channel

84
00:06:13,220 --> 00:06:18,160
GNOME has not been as good with
that, like, I don't know, GNOME

85
00:06:18,160 --> 00:06:21,700
one applications don't work on three. There are
a lot of reasons for that,

86
00:06:21,700 --> 00:06:24,210
and I think it's a good thing that
it is that way, that we can make

87
00:06:24,210 --> 00:06:30,200
new APIs, but it is a substantial problem
for third-party developers if they

88
00:06:30,200 --> 00:06:35,910
if they wanna write an application, they
don't wanna constantly be caught in that

89
00:06:35,910 --> 00:06:39,650
cycle that we have, that is really fast in updating, right.

90
00:06:40,280 --> 00:06:43,050
So we need to do something about that.

91
00:06:43,530 --> 00:06:45,630
And reliable testability means then,

92
00:06:46,310 --> 00:06:51,010
well, that's almost a stable-APIs thing;
for us it also means that

93
00:06:52,140 --> 00:06:54,900
the differences between the distributions are minimised,

94
00:06:55,490 --> 00:07:01,460
because currently the distributions
all differ in massive ways. For example,

95
00:07:02,170 --> 00:07:07,770
one of my favourite examples: there is
on Fedora systems

96
00:07:07,770 --> 00:07:13,190
this directory called /usr/libexec, which
is something where you're supposed to

97
00:07:13,190 --> 00:07:14,710
put internal binaries

98
00:07:15,190 --> 00:07:20,030
at least that's how most people understand it
and this directory only exists like that

99
00:07:20,030 --> 00:07:23,480
on Fedora and nowhere else.

100
00:07:26,320 --> 00:07:26,680
what is that

101
00:07:28,960 --> 00:07:31,650
well, automake, there's a lot of things
but they with it know what

102
00:07:31,650 --> 00:07:33,910
do you use automake like that? I mean
automake and stuff like

103
00:07:33,910 --> 00:07:37,320
mark home and things like that like
the com the and things like that i

104
00:07:37,320 --> 00:07:41,090
wouldn't blame automake for that, I do
blame Red Hat for that, right.

105
00:07:48,430 --> 00:07:51,250
I mean we don't follow the GNOME rules at all anyway.

106
00:07:51,860 --> 00:07:54,750
I mean if we did then everything would
end up in /usr/local, right.

107
00:07:56,560 --> 00:08:01,100
I don't know, I think because this
is recorded we probably should, if

108
00:08:01,100 --> 00:08:03,940
we have discussions to that with the with the

109
00:08:05,850 --> 00:08:10,340
Anyway, I personally blame
more Fedora for that,

110
00:08:10,340 --> 00:08:14,320
it's in the Fedora packaging policy that
it should be used, right. Also, I mean

111
00:08:14,320 --> 00:08:18,130
that's kind of cool about this thing,
because then we are to blame,

112
00:08:18,130 --> 00:08:21,060
we as Fedora, rather than everybody else.

113
00:08:21,800 --> 00:08:27,150
But anyway, this is a speciality;
somehow this came into existence as

114
00:08:27,150 --> 00:08:32,980
a speciality of Fedora, and it makes
things difficult because depending on

115
00:08:32,980 --> 00:08:37,980
which operating system you compiled stuff
for, it needs to be laid out that way,

116
00:08:37,980 --> 00:08:42,280
and this gets worse and worse and worse. I
mean for example some distributions

117
00:08:42,280 --> 00:08:45,480
use systemd, others use Upstart, these
kinds of things. Many of these we

118
00:08:45,480 --> 00:08:50,710
will never be able to do, however we need
to think more about unifying the

119
00:08:50,710 --> 00:08:54,980
API and ABI of your operating system,
and we need to make sure that

120
00:08:54,980 --> 00:08:59,600
we somehow, even if we are incapable
of guaranteeing our

121
00:09:00,380 --> 00:09:04,340
main supported API to be stable,
we need to somehow make it

122
00:09:04,340 --> 00:09:08,810
possible to relatively easily run old apps with the old ABI.

123
00:09:10,170 --> 00:09:13,150
reliable testability that means

124
00:09:13,470 --> 00:09:18,470
What is absolutely horrible for third-party
application developers who want to write software

125
00:09:18,470 --> 00:09:23,840
for Linux is that, because there are so many
distributions and because there are so

126
00:09:23,840 --> 00:09:27,430
many different ways to run them, because
you always have a different set of

127
00:09:27,430 --> 00:09:32,680
RPMs and so on, it is incredibly difficult
to actually systematically test software

128
00:09:32,680 --> 00:09:37,860
against that, right. Because I mean Linux
kind of provides the same APIs in

129
00:09:37,860 --> 00:09:41,100
all the distributions regardless of which one you
run, you know, if you run Ubuntu,

130
00:09:41,100 --> 00:09:45,200
if you run Fedora or whatnot,
they do have the same

131
00:09:45,200 --> 00:09:48,920
APIs. However, if you actually want to test
against that, it's not sufficient that

132
00:09:48,920 --> 00:09:51,630
they provide the same APIs, you
need to also know that they work

133
00:09:51,630 --> 00:09:57,380
exactly the same, and it's like
the test matrix explodes if you

134
00:09:57,380 --> 00:10:03,300
multiply that by the different distributions and
the different versions of the distributions and

135
00:10:03,300 --> 00:10:08,850
the different architectures and things like that,
which is, like, for a project like Firefox they

136
00:10:08,850 --> 00:10:14,470
can still do that for a couple of distributions,
but as soon as you

137
00:10:14,470 --> 00:10:19,160
are only a little application developer
and you wanna know that your stuff works,

138
00:10:19,810 --> 00:10:23,100
how should you ever... I mean it would
basically require you to install every

139
00:10:23,100 --> 00:10:27,720
Fedora version you wanna test against, every
Ubuntu version, and then you test

140
00:10:27,940 --> 00:10:30,450
yourself. So we need to do something there

141
00:10:31,130 --> 00:10:33,090
to make testability easy,

142
00:10:33,710 --> 00:10:37,750
like reducing variables in the whole equation.

143
00:10:38,910 --> 00:10:39,560
so

144
00:10:41,350 --> 00:10:42,350
this of course

145
00:10:44,300 --> 00:10:47,970
means we need to ask ourselves what
the purpose of RPMs and debs is

146
00:10:48,790 --> 00:10:50,500
and whether we wanna keep all that.

147
00:10:53,050 --> 00:10:57,300
RPMs and debs, as I already mentioned, are
something that is installed only by root,

148
00:10:57,710 --> 00:10:59,850
they live in a common namespace, they

149
00:11:00,550 --> 00:11:04,650
can have access to all kinds of metadata,
because they're basically unrestricted,

150
00:11:05,240 --> 00:11:06,930
and they have this huge test matrix.

151
00:11:07,590 --> 00:11:08,560
so

152
00:11:09,130 --> 00:11:12,570
We don't wanna get rid of RPMs or debs
or anything like that, right. We're

153
00:11:12,570 --> 00:11:18,740
saying they're really useful things, but they're
not useful for actually packaging apps up,

154
00:11:18,740 --> 00:11:23,150
because they have way too much
power. So the way we see it

155
00:11:23,150 --> 00:11:28,050
is: RPM, that's fine, that's how you build
your operating system, but it's not what

156
00:11:28,050 --> 00:11:33,390
you actually then run on top of that operating
system; that's a different format, one

157
00:11:33,390 --> 00:11:36,830
that does not have to deal with all
the problems that these have.

158
00:11:37,680 --> 00:11:38,220
so

159
00:11:40,650 --> 00:11:42,140
so

160
00:11:42,660 --> 00:11:47,000
RPMs and debs are primarily focused around distributions,
a single provider that is able to test all

161
00:11:47,000 --> 00:11:48,330
of the programs. This is something that

162
00:11:49,130 --> 00:11:53,200
but then it strains RPMs
because they have so many, so many

163
00:11:53,200 --> 00:11:59,160
dependency specifications. For example, would you
expect that the namespace of the dependencies

164
00:11:59,160 --> 00:12:03,880
expressed in the RPMs is something
like a unified namespace, right?

165
00:12:03,880 --> 00:12:09,380
Like, if somebody depends on a library by the name
libfoo or something, then you

166
00:12:09,380 --> 00:12:14,170
need to somehow make sure that
this libfoo means exactly one library,

167
00:12:14,170 --> 00:12:18,370
not another one. However, libfoo is a
very generic name, so everybody might

168
00:12:18,370 --> 00:12:21,350
have something different, and even if they
have the same, like, end of the

169
00:12:21,350 --> 00:12:23,350
name, they might have it in a different ABI.

170
00:12:24,120 --> 00:12:28,880
So RPMs and debs are fine, but they
only apply, that only works when

171
00:12:28,880 --> 00:12:33,830
there is one entity that manages the
API namespace and provides every

172
00:12:33,830 --> 00:12:37,140
single RPM. As soon as
you depart from that and you

173
00:12:37,140 --> 00:12:41,590
have multiple vendors in the game, not
everything coming from Fedora,

174
00:12:41,590 --> 00:12:43,530
then RPMs and debs, that's a really

175
00:12:44,210 --> 00:12:47,030
strange thing, because the namespaces clash.

176
00:12:50,210 --> 00:12:54,160
So apps, on the other hand, should
be the opposite of that, right.

177
00:12:54,390 --> 00:12:59,480
We want people to have many sources
of apps, and we want to make sure

178
00:12:59,480 --> 00:13:03,720
that, you know, there can be multiple providers
of apps, people can compile their apps and

179
00:13:03,720 --> 00:13:08,730
just provide them on their website, things
like that, and we want to allow

180
00:13:08,730 --> 00:13:12,840
that this can be untrusted code, because
this is like the next thing: if you

181
00:13:12,840 --> 00:13:14,760
have a distribution that makes apps, then

182
00:13:16,000 --> 00:13:20,230
you do trust the distribution to a certain level,
and you expect from the distribution

183
00:13:20,230 --> 00:13:24,680
that it will actually take the code from the various
applications, look at them, figure

184
00:13:24,680 --> 00:13:29,740
out that the code is okay, doesn't do
anything evil, and package it for you,

185
00:13:29,740 --> 00:13:34,590
so that you don't have to trust every single
app developer and you can instead

186
00:13:34,590 --> 00:13:37,520
just trust the distribution as a whole.
As soon as we go to the

187
00:13:37,520 --> 00:13:41,270
apps model where we wanna have lots of vendors,
this becomes much more of

188
00:13:41,270 --> 00:13:44,400
a problem, because suddenly if you get everything
directly from them, then you have

189
00:13:44,400 --> 00:13:49,010
to trust every single one of them,
and that's a lot, of course. So

190
00:13:49,670 --> 00:13:54,310
this is a problem, but it's a problem that
we can deal with with technical solutions,

191
00:13:54,880 --> 00:13:59,420
by making sure, as mentioned with the sandbox
thing, that even if you don't trust

192
00:13:59,420 --> 00:14:04,430
that vendor so much, whatever
they can do with the system isn't

193
00:14:04,430 --> 00:14:05,850
too bad, actually.

194
00:14:12,000 --> 00:14:13,770
so apps

195
00:14:14,440 --> 00:14:19,230
and the key feature that they have: isolated
from the surrounding OS, and they

196
00:14:19,230 --> 00:14:25,120
have their private data, for security reasons, for
API stability reasons, testability reasons,

197
00:14:25,120 --> 00:14:26,000
building we

198
00:14:26,850 --> 00:14:29,470
and there's an exception with extensions.

199
00:14:29,800 --> 00:14:35,200
So the isolation from the surrounding OS is
like the key thing here. We want to

200
00:14:35,200 --> 00:14:39,800
make sure that if you install a game, that
game cannot access the address

201
00:14:39,800 --> 00:14:40,300
book

202
00:14:40,680 --> 00:14:42,880
and if you install i don't know

203
00:14:44,940 --> 00:14:51,150
whatever, it should not get access
to your friends list on

204
00:14:51,150 --> 00:14:54,990
the web and things like that.
This is something that

205
00:14:54,990 --> 00:14:59,620
we never had on
Unix. It's isolation of all

206
00:14:59,620 --> 00:15:03,430
the apps between them, that you run under the same
user ID. On Unix classically

207
00:15:03,430 --> 00:15:04,860
access control is

208
00:15:05,460 --> 00:15:09,710
exclusively per user, right. As soon as
you have some code that runs as

209
00:15:09,710 --> 00:15:13,290
your user, it gets access to everything
you have, and that's just, I mean,

210
00:15:13,290 --> 00:15:14,460
is a little bit of a

211
00:15:15,560 --> 00:15:21,230
So the reason for that
is security reasons, but also, as

212
00:15:21,230 --> 00:15:24,360
mentioned, we wanna isolate them from the

213
00:15:24,950 --> 00:15:29,450
surrounding OS for API stability reasons,
right, because currently if you have

214
00:15:29,450 --> 00:15:33,320
packaged software, you see the entire API, RPMs, if

215
00:15:33,320 --> 00:15:36,980
you, if you see the entirety of the operating
system, and that is a bad thing,

216
00:15:36,980 --> 00:15:41,690
right. You need to make sure that
the apps actually only see what's

217
00:15:41,690 --> 00:15:43,890
APIs that are deemed stable

218
00:15:44,310 --> 00:15:50,330
and supportable, but do not
see anything else, and do not end

219
00:15:50,330 --> 00:15:56,060
up pulling in blind dependencies that you cannot
see. Like for example, this is the problem:

220
00:15:56,060 --> 00:16:01,190
think about GStreamer, right. GStreamer
has a stable API; if your application

221
00:16:01,190 --> 00:16:06,450
pulls that in, that's totally fine, but you
create a lot of problems because

222
00:16:06,450 --> 00:16:08,570
GStreamer is based around plugins.

223
00:16:09,060 --> 00:16:13,210
So these individual plugins are covered by the
APIs of GStreamer, so you would

224
00:16:13,210 --> 00:16:18,580
think that wouldn't matter and that wouldn't be
a problem. However, ultimately these plugins

225
00:16:18,580 --> 00:16:22,140
will pull in other libraries, and we are
in a position where those do

226
00:16:22,140 --> 00:16:26,500
not have any stable ABI yet, very frequently,
like for example, I usually

227
00:16:27,400 --> 00:16:32,610
So anyway, this means we need to somehow isolate
the operating system so that

228
00:16:32,610 --> 00:16:36,500
not some dirty code running on the operating
system can get to the app,

229
00:16:36,500 --> 00:16:40,440
and not some stuff you don't want
from the app can get to the

230
00:16:40,440 --> 00:16:40,710
OS.

231
00:16:41,470 --> 00:16:44,290
There are, of course, exceptions for that,

232
00:16:44,850 --> 00:16:50,310
which are extensions, like stuff that really extends
existing software. For example GNOME Shell

233
00:16:50,310 --> 00:16:56,170
has JavaScript extensions; that is a very different
thing, because it must

234
00:16:56,170 --> 00:17:00,370
be able to run in the same sandbox
and the same context as GNOME Shell

235
00:17:00,370 --> 00:17:07,430
itself. So which means security is very important,
but there are some exceptions where we

236
00:17:07,430 --> 00:17:08,330
actually kind of

237
00:17:08,950 --> 00:17:10,530
take benefit all that secure

238
00:17:11,440 --> 00:17:15,580
So I already mentioned that we want kernel-level
isolation. We want this isolation that

239
00:17:15,580 --> 00:17:21,030
we need for reasons of API stability, testability
and security, we want that on

240
00:17:21,030 --> 00:17:22,240
the kernel level.

241
00:17:23,470 --> 00:17:27,040
Why do we want that on kernel level? First
and foremost for security reasons,

242
00:17:27,040 --> 00:17:27,430
because

243
00:17:28,110 --> 00:17:32,560
security is a complex thing where there are so
many different things like SELinux and

244
00:17:32,560 --> 00:17:38,550
capabilities and blah; it's stuff that people
shouldn't think about, it's stuff that

245
00:17:40,440 --> 00:17:44,330
I guess leaks into quite a few subsystems,
I don't know, it's a lot,

246
00:17:44,330 --> 00:17:48,500
this process management, namespaces and all
these kinds of things. If we ever

247
00:17:48,500 --> 00:17:52,750
do isolation exclusively in user space and
have user-space components for this, then

248
00:17:52,750 --> 00:17:56,010
there's no way how this can be integrated
with all that stuff that we really

249
00:17:56,010 --> 00:17:58,070
don't wanna care about but need to have

250
00:17:58,400 --> 00:18:02,980
So for us it's really important that everything
that is enforced is kernel isolation.

251
00:18:04,300 --> 00:18:07,780
And this is also something: we want
an apps solution, we want something

252
00:18:07,780 --> 00:18:12,070
that is free, is community based. So we
want something that is not bound to

253
00:18:12,070 --> 00:18:16,920
one single app store, but it's something
where people can set up their own app

254
00:18:16,920 --> 00:18:21,660
stores if they want to, and is vendor-agnostic,
so that not only, I don't know,

255
00:18:21,660 --> 00:18:24,500
it's not supposed to be something
where Red Hat sets up an app

256
00:18:24,500 --> 00:18:28,140
store and nobody else can take benefit of that; it's
supposed to be something where everybody

257
00:18:28,140 --> 00:18:29,980
can set up an app store, and people can even

258
00:18:30,660 --> 00:18:36,070
have their own. So it's supposed to
be something that's truly free in the

259
00:18:36,070 --> 00:18:37,080
way how Linux itself is.

260
00:18:38,190 --> 00:18:38,630
so

261
00:18:39,300 --> 00:18:43,850
this is so for a little bit about this
other do one and recharge about

262
00:18:43,850 --> 00:18:49,800
security, about the freeness, about a couple
of other things. The next part of

263
00:18:49,800 --> 00:18:55,390
the slides focuses mostly on how we
think we can get there. We have been

264
00:18:55,390 --> 00:19:00,610
working on a couple of things already. We
grouped everything that we wanna do into

265
00:19:00,610 --> 00:19:04,670
nine steps. It's a lot of work; it's not likely
to happen tomorrow or something like

266
00:19:04,670 --> 00:19:10,890
that, but we have a lot of things already
in code, and a couple of other things we

267
00:19:10,890 --> 00:19:15,050
have, like, thought about and have plans about,
but until we have the full thing

268
00:19:15,050 --> 00:19:15,540
the egg

269
00:19:16,720 --> 00:19:17,130
how

270
00:19:19,870 --> 00:19:20,150
but

271
00:19:22,550 --> 00:19:27,480
we think is actually necessary to make Linux
thrive as an ecosystem, because

272
00:19:27,480 --> 00:19:28,670
quite frankly it's

273
00:19:28,960 --> 00:19:32,830
impossibly hard to write good apps for Linux,
simply because you can't distribute them.

274
00:19:34,800 --> 00:19:38,040
So any questions up to this point? Totally
interrupt me if you have

275
00:19:38,040 --> 00:19:38,560
questions

276
00:19:40,840 --> 00:19:41,590
that's question

277
00:19:42,660 --> 00:19:43,780
the microphone

278
00:19:44,510 --> 00:19:45,320
mike

279
00:19:51,460 --> 00:19:55,390
i don't know it's like it's casey and maybe it is

280
00:19:57,040 --> 00:19:59,780
if I have like one machine shared by two people

281
00:20:00,290 --> 00:20:05,590
so like it would be very nice if
one install is for two people

282
00:20:05,590 --> 00:20:09,620
on the same machine. Would I just
install it twice? Right, so I

283
00:20:09,620 --> 00:20:12,420
mean, it is our mission, and like a part
of our mission statement is that

284
00:20:12,420 --> 00:20:16,600
users should be able to install these
apps without requiring privileges, but that

285
00:20:16,600 --> 00:20:21,060
does not mean that that's the only way how
apps get installed. So for example an administrator

286
00:20:21,060 --> 00:20:23,980
could just drop something into the system and every user

287
00:20:24,470 --> 00:20:28,990
So it's just about that we want to
allow users to do this without

288
00:20:28,990 --> 00:20:29,520
break fine

289
00:20:30,250 --> 00:20:30,980
from that minutes

290
00:20:31,290 --> 00:20:32,550
but administrative

291
00:20:44,580 --> 00:20:52,490
If every application is just a single
file, what about shared libraries?

292
00:20:53,110 --> 00:20:57,580
That's a good question, we'll probably come
to that later though, that is available

293
00:20:58,050 --> 00:21:02,300
Anyway, I mean so far it's just about
the mission statement, why we believe

294
00:21:02,300 --> 00:21:06,530
this is necessary and what we think
it should be providing. The nine

295
00:21:06,530 --> 00:21:11,130
steps are a bit about the technical implementation
of things. But anyway, I don't see any

296
00:21:11,130 --> 00:21:14,630
further questions, so let's just proceed with
the technical stuff. There is one, yeah

297
00:21:17,690 --> 00:21:18,060
okay

298
00:21:21,060 --> 00:21:28,960
minimal mobile applications come in a client server
the version of all the usually internally

299
00:21:28,960 --> 00:21:34,250
and the just is a is a gift that
scene out so we stopped things

300
00:21:34,250 --> 00:21:36,700
or are we only focusing on

301
00:21:37,110 --> 00:21:38,790
single a single focus

302
00:21:39,400 --> 00:21:44,530
So this is explicitly about user apps, right.
User apps meaning apps of the user

303
00:21:44,530 --> 00:21:50,180
themselves, like the end user himself plays
around with. It's not about that. I think

304
00:21:50,180 --> 00:21:53,640
much of the stuff that we are designing
here will ultimately be useful on the

305
00:21:53,640 --> 00:21:57,990
server as well, but this is clearly out of focus
for the stuff that we discuss here.

306
00:21:57,990 --> 00:21:59,020
okay thank you

307
00:22:02,060 --> 00:22:02,550
okay

308
00:22:06,410 --> 00:22:07,320
The nine steps

309
00:22:07,790 --> 00:22:11,610
That's all the questions right now, right?
Okay, so the first one that we are currently

310
00:22:11,610 --> 00:22:15,470
working on is to make kdbus
work. kdbus is an approach that

311
00:22:15,470 --> 00:22:19,210
Kay and I have been working on together with
Daniel Mack, Greg Kroah-Hartman and a couple of

312
00:22:19,210 --> 00:22:21,220
others. It's

313
00:22:21,940 --> 00:22:25,570
the kernel part of the D-Bus IPC system;
it's D-Bus in the kernel.

314
00:22:25,570 --> 00:22:29,390
I hope you all know D-Bus; it's like the IPC,
this really basic thing,

315
00:22:29,390 --> 00:22:35,160
how processes can talk to each other. Since
this is about processes talking to each

316
00:22:35,160 --> 00:22:40,520
other, we believe it is absolutely essential
that this core component is aware of sandboxing,

317
00:22:40,520 --> 00:22:47,110
meaning that, because we need to
limit what apps can talk to, we need

318
00:22:47,110 --> 00:22:51,520
to have the sandboxing right in the IPC.
So for us, because we

319
00:22:51,520 --> 00:22:55,720
again want all these things to be enforced
by the kernel, it is absolutely essential

320
00:22:55,720 --> 00:22:57,050
that we make D-Bus aware of that, which is what

321
00:22:57,500 --> 00:23:04,030
kdbus is. The other thing is, because
we believe that kdbus basically,

322
00:23:04,030 --> 00:23:08,400
or D-Bus in general, is like a really nice
way how communication in and out of the

323
00:23:08,400 --> 00:23:09,310
sandbox can work

324
00:23:09,840 --> 00:23:15,220
So it is also important that if we want to

325
00:23:15,690 --> 00:23:20,130
make kdbus or D-Bus be the
single interface in and out

326
00:23:20,130 --> 00:23:26,060
of the sandbox, it needs to be capable of actually
exchanging large amounts of data

327
00:23:26,060 --> 00:23:29,100
with that, because I mean, if it's supposed
to be the one and only thing, I don't

328
00:23:29,100 --> 00:23:32,530
know, that a sandboxed app needs, it needs to be really
good and cover all use cases that

329
00:23:32,530 --> 00:23:37,890
we need. Now, D-Bus classically
is not useful for exchanging

330
00:23:38,690 --> 00:23:43,400
substantial data it's focused and that is in the resume
some statement only in control

331
00:23:43,400 --> 00:23:47,340
data right short message call which will parameters

332
00:23:48,460 --> 00:23:51,250
if we wanna make it like the single
thing then we should be able you

333
00:23:51,250 --> 00:23:56,480
also use it for exchanging things like
a JPEG file a document file or anything

334
00:23:56,480 --> 00:23:57,030
else

335
00:23:57,800 --> 00:24:02,720
so for us this meant if we wanna
have D-Bus be the central IPC

336
00:24:02,720 --> 00:24:06,440
think we need to get this thing first
the sandboxing things like that

337
00:24:06,960 --> 00:24:10,130
the current state of kdbus is
that we have a lot of code and

338
00:24:10,130 --> 00:24:15,220
it kind of works but we have not
like it's part of the systemd

339
00:24:15,220 --> 00:24:20,230
project like the user space part of systemd
the kernel space part is kind

340
00:24:20,230 --> 00:24:21,740
in a repository

341
00:24:24,220 --> 00:24:29,010
we're not far from actually making a work altogether
what basically the last missing made

342
00:24:29,010 --> 00:24:32,890
a missing thing for us this is that
we actually port systemd in its

343
00:24:32,890 --> 00:24:37,410
entirety to the new IPC just that
kdbus bells and that's this but

344
00:24:37,410 --> 00:24:42,850
and provide which is basically i mean it
that something so difficult it's just a

345
00:24:42,850 --> 00:24:45,490
lot of work like moving from one like that

346
00:24:46,630 --> 00:24:52,040
we hope that this that we have something really
presentable like putting up an entire

347
00:24:52,040 --> 00:24:56,040
system was and look at less and
by the end of the year you have

348
00:24:56,040 --> 00:25:01,560
submitted a talk to LinuxCon EU
about kdbus so and i better have

349
00:25:01,560 --> 00:25:05,370
something presentable by then so that's my way to get

350
00:25:06,090 --> 00:25:08,700
push on that so that we actually have something

351
00:25:10,010 --> 00:25:14,370
so much about kdbus but it's a huge project
it's going to be awesome because

352
00:25:14,370 --> 00:25:18,440
it's we finally get a really good
IPC you know on Linux that is

353
00:25:18,440 --> 00:25:23,650
far that is provides everything we ever wanted
from sandboxing to broadcasting to

354
00:25:23,650 --> 00:25:26,110
activation

355
00:25:27,520 --> 00:25:33,530
that was step one step two is we want
the apps to be built on Linux

356
00:25:33,530 --> 00:25:36,110
namespaces seccomp cgroups capabilities

357
00:25:37,720 --> 00:25:42,100
so depending on like if you if you
ever dug into the lower levels

358
00:25:42,100 --> 00:25:43,160
of the stack then

359
00:25:43,610 --> 00:25:48,060
then the Linux namespaces seccomp
cgroups together but it is something you

360
00:25:48,060 --> 00:25:55,140
might have run into suffice to say these
are very generic tools that the kernel

361
00:25:55,140 --> 00:26:00,290
it provides for isolating and then men
do like that bows than any kind of

362
00:26:00,290 --> 00:26:04,950
what the what them a certain set of programs
can see but also in what

363
00:26:04,950 --> 00:26:06,170
they can do

364
00:26:07,490 --> 00:26:13,650
and well these are completely generic we need
to make them very specific for software

365
00:26:13,650 --> 00:26:18,410
for the apps case just like that if
you use Linux namespaces seccomp

366
00:26:18,410 --> 00:26:21,440
cgroups capabilities you can build anything
out of it you can secure services and

367
00:26:21,440 --> 00:26:26,410
whatnot but to actually match the GNOME
app sandboxes we need to use it in

368
00:26:26,410 --> 00:26:32,020
one very specific way of course namespaces
and stuff like that

369
00:26:33,250 --> 00:26:38,540
this also like to look at that stuff where
the namespacing is built

370
00:26:38,540 --> 00:26:40,750
in from day one right now

371
00:26:41,910 --> 00:26:45,550
couple of things about this i'm really interesting
like for example was a single stuff

372
00:26:45,550 --> 00:26:49,510
we want that every app runs inside
of a cgroup so that we

373
00:26:49,510 --> 00:26:52,880
can put resource limits on them so that
no app can bring down the system

374
00:26:52,880 --> 00:26:57,470
but this has a lot of interesting effects
of beyond that as well because it

375
00:26:57,470 --> 00:27:03,400
suddenly allows us to manage runtime apps
in a way that only Android and mitra

376
00:27:03,400 --> 00:27:08,270
when these kind of things could for example
and that we give the foreground app

377
00:27:08,270 --> 00:27:13,420
the boost in terms of us if you
know and we can even like the

378
00:27:13,420 --> 00:27:19,820
background apps get less for
time accuracy and we could even freeze

379
00:27:19,820 --> 00:27:23,850
the background apps this has been done on Linux
before for things like Maemo had

380
00:27:23,850 --> 00:27:28,520
something like that but with this model
if we if we have the definition of

381
00:27:28,520 --> 00:27:33,140
apps and we suddenly have all these options
open where we can make use of

382
00:27:33,140 --> 00:27:37,140
define some things the net effect of all
of that is a separate it that's

383
00:27:37,140 --> 00:27:40,550
a little bit more robust but primarily
about them how management

384
00:27:41,320 --> 00:27:45,680
so and in the field little bit nice of the foreground
up gets more secure

385
00:27:46,220 --> 00:27:46,480
right

386
00:27:47,890 --> 00:27:50,840
so second per se M sandbox as we have the

387
00:27:51,990 --> 00:27:54,340
part of this is actually

388
00:27:55,230 --> 00:27:57,910
is something that john

389
00:27:58,570 --> 00:27:59,160
cost

390
00:27:59,280 --> 00:28:01,910
in the past we've for those two but you
a little bit disappointed with the

391
00:28:01,910 --> 00:28:06,250
results we believe what is essential for
this actually that we get a strict

392
00:28:06,250 --> 00:28:08,100
file hierarchy specification for this

393
00:28:08,460 --> 00:28:12,980
i mentioned this before was a lib
X thing if we want to make this

394
00:28:12,980 --> 00:28:17,220
happen that these sandboxes can work
on every machine then we need to make

395
00:28:17,220 --> 00:28:20,550
sure that the distributions do not

396
00:28:21,800 --> 00:28:26,840
put all sorts of things in different directories
all the time but we also need

397
00:28:26,840 --> 00:28:32,640
to kind of give the app developer an
idea how he himself is supposed to

398
00:28:32,640 --> 00:28:37,580
place his data so that it does not clash with
his operating system or any other

399
00:28:37,580 --> 00:28:43,690
operating system that follows these guidelines this
is a complex thing because there's already and

400
00:28:43,690 --> 00:28:47,410
then FHS around which tries to standardise
how the entirety of Unix

401
00:28:47,410 --> 00:28:52,430
works for this app stuff we probably need
to revisit that you get that

402
00:28:52,430 --> 00:28:58,000
and that topic and focus exclusively on what
apps use that sandboxed apps what

403
00:28:58,000 --> 00:28:58,540
they need

404
00:28:59,030 --> 00:29:04,140
this is not necessarily so
much a job for GNOME itself but it

405
00:29:04,140 --> 00:29:10,860
is actually a job for the entirety of the Linux
world that they actually accept that

406
00:29:10,860 --> 00:29:13,450
the differences are minimised and that

407
00:29:14,450 --> 00:29:17,900
Fedora stops doing that something's
we got back second and some

408
00:29:22,650 --> 00:29:23,050
yep

409
00:29:29,320 --> 00:29:33,770
and that this is something very important that
currently all distributions actually you

410
00:29:33,770 --> 00:29:37,720
know act differently right if you
if you have you know Ubuntu it will

411
00:29:37,720 --> 00:29:41,820
not use lib64 if
you have the same code on

412
00:29:41,820 --> 00:29:46,040
Fedora it will use lib64
that's a big problem because it's on

413
00:29:46,040 --> 00:29:51,550
the average thing it looks different so while
i think that the distributions need

414
00:29:51,550 --> 00:29:55,810
to fix the issue there's also
something for GNOME to do like

415
00:29:55,810 --> 00:30:02,030
you know the release team or somewhere like
that have to define exactly how the

416
00:30:02,030 --> 00:30:07,940
files are located how the ABIs
look on the different operating

417
00:30:07,940 --> 00:30:11,740
system is going to be top of course we don't
have anything like a certification

418
00:30:11,740 --> 00:30:15,580
system where you could actually for these
kind of things but it's still it's of

419
00:30:15,580 --> 00:30:20,780
major importance that this is clearly
communicated to the to the distributions that

420
00:30:20,780 --> 00:30:25,120
they stop doing that and saying if they wanna
have something that is compatible with

421
00:30:25,120 --> 00:30:29,390
GNOME right GNOME needs
to document this is how you package

422
00:30:29,390 --> 00:30:33,830
it and you don't do it any other way
and if you don't act that way then

423
00:30:33,830 --> 00:30:37,430
you are out of the game and you have no
compatibility with what we do so

424
00:30:37,430 --> 00:30:41,700
it's something to fix for the distributions
but they need to do it according to

425
00:30:41,700 --> 00:30:45,760
the recommendations and then top language that
you know needs to use the whole thing

426
00:30:48,340 --> 00:30:50,630
by the way if you have any further questions that question

427
00:30:52,220 --> 00:30:54,470
but that's the mikes coming

428
00:30:55,310 --> 00:30:55,570
but

429
00:31:04,240 --> 00:31:10,050
once we have namespaces and these
cgroups would it be possible to

430
00:31:10,050 --> 00:31:14,860
enforce a file hierarchy by namespaces

431
00:31:16,720 --> 00:31:22,730
so when i speak of namespaces this usually
applies to filesystem namespaces

432
00:31:22,730 --> 00:31:27,060
but namespaces are designed they are meant to
isolate things big thing they cannot be

433
00:31:27,060 --> 00:31:32,020
used in for anything right and also it's
a different thing like for example what

434
00:31:32,020 --> 00:31:38,820
the app inside of the container does is relatively
irrelevant like they have more freedom

435
00:31:38,820 --> 00:31:44,060
than operating system has because the apps
are not at i operating system however is

436
00:31:44,060 --> 00:31:49,920
so it's them we will not be able
to enforce much i mean i'm sure

437
00:31:49,920 --> 00:31:54,530
that the release board of GNOME could
supply a tool that can lint the operating

438
00:31:54,530 --> 00:31:58,080
system make sure that a big part
of the right up writing i am the

439
00:31:58,080 --> 00:32:02,200
bright if you guys could even and provided
tool that you can run on a

440
00:32:02,200 --> 00:32:06,610
an app to make sure that it does not put
something in a place where it would

441
00:32:06,610 --> 00:32:09,130
clash with what operating system with like

442
00:32:09,640 --> 00:32:13,320
but namespaces not really no

443
00:32:16,360 --> 00:32:17,410
there is the question

444
00:32:23,440 --> 00:32:24,020
chance

445
00:32:25,710 --> 00:32:26,490
use

446
00:32:29,590 --> 00:32:35,080
sorry i didn't get the question i was wondering
what usable at a distribution not

447
00:32:35,080 --> 00:32:36,190
just to do knowledge

448
00:32:37,130 --> 00:32:42,360
well might make sense but i don't think
that really matters too much for the

449
00:32:42,360 --> 00:32:43,320
F stuff because

450
00:32:46,580 --> 00:32:47,110
i

451
00:32:47,820 --> 00:32:51,090
in the libraries all the it's a good question actually but

452
00:32:59,780 --> 00:33:02,080
well you do you do read the file see

453
00:33:05,800 --> 00:33:08,790
but i mean it's a so what kind
of thing is that is that there

454
00:33:08,790 --> 00:33:13,610
that this is about using traps right and i
highlighted the cover that once already

455
00:33:13,610 --> 00:33:19,570
so it is not essential like that the stuff
that is required only prudent stuff

456
00:33:19,570 --> 00:33:22,060
reason why the old distribution still have that split off

457
00:33:22,630 --> 00:33:27,440
it's not necessarily navy either the apps
need so it's not of that but maybe

458
00:33:27,440 --> 00:33:30,040
there's a little bit of chicken we
hope you have to the some of tools

459
00:33:30,040 --> 00:33:30,200
could

460
00:33:30,540 --> 00:33:32,720
probably simply we need

461
00:33:33,610 --> 00:33:35,750
we don't is late

462
00:33:36,270 --> 00:33:36,580
to

463
00:33:38,950 --> 00:33:40,930
absolutely and stuff

464
00:33:43,810 --> 00:33:44,250
yep

465
00:33:44,950 --> 00:33:48,060
okay so i think it's a problem but i don't think it that

466
00:33:50,330 --> 00:33:51,860
okay any best

467
00:34:00,320 --> 00:34:06,330
i'm assuming that the new strict file hierarchy specification is
something that we all want but

468
00:34:06,330 --> 00:34:10,100
has there just be not planner just
get everybody like at ian X F C

469
00:34:10,100 --> 00:34:13,280
E in a moment at the end and so you say all together and to

470
00:34:13,280 --> 00:34:16,490
say okay let's came out the specs here
"'cause" it seems like it sort of

471
00:34:16,490 --> 00:34:19,990
a pipe dream we don't have a plan
about where to go with it i

472
00:34:19,990 --> 00:34:24,270
just get everybody on the same page you
know you know what they say about

473
00:34:24,270 --> 00:34:29,420
committees and standards i'm not sure that
will work that way i don't know we

474
00:34:29,420 --> 00:34:33,910
should get the right people involved absolutely
i don't think we should get everybody involved

475
00:34:33,910 --> 00:34:37,040
because then you get all should i
mean if you as soon as he'd like

476
00:34:37,040 --> 00:34:40,220
for example if you if you include on the but
are people they will fight

477
00:34:40,220 --> 00:34:43,130
for the backside anything to the other with hated so

478
00:34:44,920 --> 00:34:46,120
actually a lot

479
00:34:47,770 --> 00:34:49,200
i got like ten minutes of the right

480
00:34:50,080 --> 00:34:54,300
okay so let's you we can have discussions
about all this later on so let

481
00:34:54,300 --> 00:34:58,230
me i'm still it but that step to
let that go for the other seven

482
00:34:58,230 --> 00:34:59,910
steps in the next ten minutes

483
00:35:03,010 --> 00:35:07,160
the next thing is that we want something
called portals and portals are

484
00:35:07,160 --> 00:35:10,280
something that the time or something
we came up with a to access than and

485
00:35:10,280 --> 00:35:18,900
Brussels early this year it's supposed to be
something how apps can interface with each

486
00:35:18,900 --> 00:35:22,940
other without having to know about each other
it's a something that's probably going to

487
00:35:22,940 --> 00:35:29,210
maybe based on top of kdbus but it's a very
interesting technology so it's basically

488
00:35:29,210 --> 00:35:33,670
something that is based
on an idea from Android where they

489
00:35:33,670 --> 00:35:34,310
call that

490
00:35:36,010 --> 00:35:37,020
a what

491
00:35:37,690 --> 00:35:43,840
intents of course intents and what Windows calls
contracts right and these things are these

492
00:35:43,840 --> 00:35:48,870
i think the really interesting things and
because they basically or a way how you

493
00:35:48,870 --> 00:35:50,510
can isolate apps from

494
00:35:52,080 --> 00:35:58,490
from the rest of the operating system without
having that concept of security isolation you

495
00:35:58,490 --> 00:36:02,560
can be visible that's so to give an example
what a portal i'm should be

496
00:36:02,560 --> 00:36:06,400
doing let's say you have an app and
that is like it's an e-mail app

497
00:36:06,400 --> 00:36:09,670
any and you want to be able to send
a picture that you just took

498
00:36:09,670 --> 00:36:15,430
over to another machine on traditional Linux
this would mean that this email app would

499
00:36:15,430 --> 00:36:19,320
have to have access to the camera device
and then would take picture from the

500
00:36:19,320 --> 00:36:23,730
camera device and attach it to the email
and send it away that's a

501
00:36:23,730 --> 00:36:27,170
big a big but quite a bit of a security
problem because you don't really

502
00:36:27,170 --> 00:36:33,390
want to give access to the camera to
email program so the idea of portals

503
00:36:33,390 --> 00:36:39,260
and intents on Android is to always have
that's related to different sandboxes

504
00:36:39,260 --> 00:36:41,970
and require interactivity between those two things

505
00:36:42,330 --> 00:36:45,220
so the idea in that case is that if
you have an e-mail application you

506
00:36:45,220 --> 00:36:49,510
wanna send a picture over what
happens is that the email program

507
00:36:49,510 --> 00:36:54,230
goes to the system and says i would like to
have a picture here please help me

508
00:36:54,230 --> 00:37:00,280
the system says okay then goes and
checks which programs could actually provide

509
00:37:00,280 --> 00:37:03,290
a picture it could be like the gallery
app you have it could be actually

510
00:37:03,290 --> 00:37:04,250
the camera tool

511
00:37:04,820 --> 00:37:08,620
then the camera tool would be activated
or the gallery and you would select

512
00:37:08,620 --> 00:37:14,760
you take a picture this interactivity
which has this nice effect that ultimately

513
00:37:14,760 --> 00:37:19,270
the user if he didn't want that
he would say why does my camera

514
00:37:19,270 --> 00:37:23,170
application actually get started there was no
reason for this i simply press cancel okay

515
00:37:23,170 --> 00:37:24,800
so in a way

516
00:37:26,040 --> 00:37:33,200
there's a security question hidden behind this
interactivity so that you only grant access to

517
00:37:33,200 --> 00:37:38,900
the camera indirectly and always has interactivity
behind it so that if that action

518
00:37:38,900 --> 00:37:43,360
was not supposed to take place you
will say cancel so maybe a little bit

519
00:37:43,360 --> 00:37:44,700
confused but not allowed

520
00:37:46,790 --> 00:37:52,600
it is wonderful technology because it's one way
about integration of apps right because if

521
00:37:52,600 --> 00:37:56,670
you sent an email and you get the camera
application running you get the same

522
00:37:56,670 --> 00:38:01,150
everywhere you can replicate running is always but
it's also the security technology saying that

523
00:38:01,150 --> 00:38:06,420
that's also the security technologies like a something
about their other cases for portals for

524
00:38:06,420 --> 00:38:11,180
example just think about OpenOffice currently
OpenOffice needs to be able to access

525
00:38:11,180 --> 00:38:15,020
your home directory and all other directory
so that you can open a file at

526
00:38:15,020 --> 00:38:19,070
any one of them but it really sucks because
OpenOffice is a gigantic piece of

527
00:38:19,070 --> 00:38:23,320
code and you don't really wanna give it access
to everything that could ever like

528
00:38:23,320 --> 00:38:28,140
you know like your private banking
data like your Firefox cache and whatnot

529
00:38:28,140 --> 00:38:33,870
so with portals you solve the problem again
because OpenOffice would just tell

530
00:38:33,870 --> 00:38:37,480
the operating system hey i'm living in
the sandbox and i would like to have

531
00:38:37,480 --> 00:38:41,650
a file please give me one and then the application
in the operating system would

532
00:38:41,650 --> 00:38:46,660
again interactively something out of the sandbox
look for the file and pass it

533
00:38:46,660 --> 00:38:50,130
back to the sandbox and the sandbox together
but it would only get access to

534
00:38:50,130 --> 00:38:56,070
that specific file would not have seen any
other file of the operating system so

535
00:38:56,070 --> 00:39:02,120
the portals are something very generic
where the security transition is

536
00:39:02,120 --> 00:39:08,210
hidden behind user interactivity
instead of having questions like last week it

537
00:39:08,210 --> 00:39:12,990
usually ask them like should this app get
access to this device you just do

538
00:39:12,990 --> 00:39:18,090
the action but because it requires interactivity the user
makes the decision just at the side

539
00:39:18,090 --> 00:39:19,170
of it without actually

540
00:39:20,440 --> 00:39:21,080
so

541
00:39:24,450 --> 00:39:27,910
so the portals are something that
you know i really care about

542
00:39:27,910 --> 00:39:32,040
that's not something that needs to
come from systemd the things from the lower

543
00:39:32,040 --> 00:39:33,450
level this can happen basic you know

544
00:39:34,490 --> 00:39:39,100
number four i mean just a compressed file
system with multiple partitions in a loopback

545
00:39:39,100 --> 00:39:44,760
file so the idea for us is we wanted
to have this app as one image

546
00:39:44,760 --> 00:39:49,090
at all but also wanna have a only
but we want to make sure that

547
00:39:49,090 --> 00:39:54,500
everything's on the kernel level the idea then is
that applications are actually shipped in

548
00:39:54,500 --> 00:39:59,060
a single file that is loopback mounted
with a couple of partitions in them

549
00:39:59,060 --> 00:40:04,350
that will include everything like all the files that
the application needs when the application is

550
00:40:04,350 --> 00:40:09,880
executed will be merged according to very
specific rules with the API file

551
00:40:09,880 --> 00:40:15,460
that the and the at shell be able to
access and so that it basically

552
00:40:15,460 --> 00:40:20,320
then sees a real operating system that is
a real filesystem really that is a merged

553
00:40:20,320 --> 00:40:23,050
version of what it itself ships

554
00:40:23,560 --> 00:40:28,050
plus everything that has been whitelisted
as a and system if you are from

555
00:40:28,050 --> 00:40:28,590
outside

556
00:40:29,350 --> 00:40:33,290
so i'm going through this a little bit fast because
there are like less than five minutes

557
00:40:33,290 --> 00:40:33,750
left

558
00:40:34,140 --> 00:40:38,170
number five is an extended search path
logic in GLib and friends this is

559
00:40:38,170 --> 00:40:42,640
something and we really need if you if
we have these apps and the contents

560
00:40:42,640 --> 00:40:46,620
of the apps are not available in the normal
system then suddenly you get

561
00:40:46,620 --> 00:40:51,060
this problem that let's say GNOME Shell
should be able to enumerate all the

562
00:40:51,060 --> 00:40:54,560
apps that are installed that means that it
needs to look for the desktop files

563
00:40:54,560 --> 00:41:00,130
then suddenly you have the problem well it's
not sufficient anymore to look into /usr/

564
00:41:00,130 --> 00:41:05,350
share/applications for the desktop files because
suddenly that's not well all the

565
00:41:05,350 --> 00:41:08,950
the desktop files will be
inside of these single file loop

566
00:41:08,950 --> 00:41:14,160
back mounted simple filesystems
so the net result of that is

567
00:41:15,630 --> 00:41:19,590
we really would like to see the search
path logic extended so that GLib is

568
00:41:19,590 --> 00:41:24,970
capable of automatically finding these things
also in the apps instead of just /usr okay

569
00:41:25,530 --> 00:41:28,720
this applies not only to finding apps
it applies to quite a few other things

570
00:41:28,720 --> 00:41:34,160
like looking for icons looking for music
files looking for whatever themes and this

571
00:41:34,160 --> 00:41:34,580
kind of thing

572
00:41:38,100 --> 00:41:41,440
then the next thing is a sandboxable display manager
this is really important for

573
00:41:41,440 --> 00:41:45,270
us because X11 is this gigantic
thing as soon as you

574
00:41:45,270 --> 00:41:48,780
get access to X11 you can do anything with that

575
00:41:48,780 --> 00:41:52,520
you can talk to other applications fake input
and that kind of thing if

576
00:41:52,520 --> 00:41:58,080
we wanna have sandboxed applications this means
that sandboxing really needs to be X-aware which is in

577
00:41:58,080 --> 00:42:02,320
the mix the good thing is Wayland
has been designed already in a

578
00:42:02,320 --> 00:42:08,630
way so that applications can never ever access
the input and output of other applications

579
00:42:08,630 --> 00:42:12,100
that always you only that and by for nothing else

580
00:42:12,680 --> 00:42:17,670
so that is point six point seven is something
we still need to discuss with

581
00:42:17,670 --> 00:42:24,720
Ryan it's dconf means dconf
needs to be able

582
00:42:24,720 --> 00:42:26,370
to understand sandboxing

583
00:42:26,900 --> 00:42:32,650
meaning that it needs to be able to do access
control on the app and you

584
00:42:32,650 --> 00:42:35,900
get access to the keys it should get to and nothing else

585
00:42:36,430 --> 00:42:40,110
number eight a build system for building apps

586
00:42:40,480 --> 00:42:44,140
and profiles this is kind of related
the simple building of course

587
00:42:44,140 --> 00:42:48,620
is not sufficient to justify this
we also need to be giving tools

588
00:42:48,620 --> 00:42:53,030
to developers to actually make building these
apps easy i think ultimately with the system

589
00:42:53,030 --> 00:42:57,070
that we defined it's relatively easy to do
minimal ports of existing apps like Open

590
00:42:57,070 --> 00:43:02,010
Office into the scheme because inside of the namespace
container that i mentioned earlier

591
00:43:02,010 --> 00:43:07,630
everything looks like a real operating system
except one that is very minimal so they

592
00:43:07,630 --> 00:43:11,240
do not have to make many changes they
only have to make many changes in

593
00:43:11,240 --> 00:43:13,590
of that's about security and portals something like that you

594
00:43:14,420 --> 00:43:15,230
anyway

595
00:43:15,830 --> 00:43:19,940
how we think that the that the compatibility
situation should be handled is with these

596
00:43:19,940 --> 00:43:26,020
called profiles a profile is basically something
if you have Fedora it would implement a

597
00:43:26,020 --> 00:43:30,770
profile called GNOME and maybe one profile
called LSB and that's about

598
00:43:30,770 --> 00:43:36,670
it and an application would specify exactly one profile
that it's developed for the profile would basically be

599
00:43:36,670 --> 00:43:41,180
a superset of libraries or D-Bus interfaces
and about a couple of other things

600
00:43:41,180 --> 00:43:42,170
that need to exist

601
00:43:42,540 --> 00:43:47,170
so the idea spending that if somebody writes
an application you can pick one of

602
00:43:47,170 --> 00:43:51,590
these profiles and has freedom they
can choose okay i wanna focus on

603
00:43:51,590 --> 00:43:56,040
the GNOME one or that's relatively
you then he has to deal

604
00:43:56,040 --> 00:44:00,370
with the fact that he has to rely on GNOME's
capabilities to make stable

605
00:44:00,370 --> 00:44:06,560
APIs and keep them stable and
or you can say i don't care about

606
00:44:06,560 --> 00:44:09,870
GNOME i care about LSB only
i don't trust GNOME because

607
00:44:09,870 --> 00:44:12,640
they break API all the time then you
can do that of course you will

608
00:44:12,640 --> 00:44:16,040
not be able to get access to the GNOME
APIs that way but you

609
00:44:16,040 --> 00:44:20,420
can still include them in as an image because
after all the image includes pretty

610
00:44:20,420 --> 00:44:22,370
much something that looks like a real operating system

611
00:44:23,000 --> 00:44:28,420
so this gives basically developers the option
like how much do they trust upstream how

612
00:44:28,420 --> 00:44:33,890
often do they expect that they want to update
application and the deal is basically

613
00:44:33,890 --> 00:44:40,340
it's like Firefox they're constantly updated
they would like i mean Firefox releases and

614
00:44:40,340 --> 00:44:44,190
you really is every three months or
so if i correctly on so there could

615
00:44:44,190 --> 00:44:48,150
basically say we always track the newest
GNOME and always we can use

616
00:44:48,150 --> 00:44:52,730
GNOME profile and then everything
will work on the other hand i

617
00:44:52,730 --> 00:44:56,350
have no time anymore but there are games
and stuff like that games usually are

618
00:44:56,350 --> 00:45:01,630
written once released immediately then there's
maybe one update and that's it so they would

619
00:45:01,630 --> 00:45:06,030
focus on a different profile like the LSB profile
they would get less integration would

620
00:45:06,030 --> 00:45:11,090
have to rely less on the on the stability
guarantees by the operating system winner

621
00:45:11,090 --> 00:45:16,200
but we get something out of the door there's
my last slide app stores this is

622
00:45:16,200 --> 00:45:19,490
completely out of scope for systemd we
have stores of course as soon as

623
00:45:19,490 --> 00:45:21,060
we have that of course the last

624
00:45:21,640 --> 00:45:26,320
between all these nine steps there's
lots of other things this talk is just

625
00:45:26,320 --> 00:45:29,490
supposed to give you a little bit of an overview
what we working on as

626
00:45:29,490 --> 00:45:33,300
mentioned we're kind of working on kdbus
that stuff and we work on the c

627
00:45:33,300 --> 00:45:37,310
group stuff like that and try to make
session systemd working which will

628
00:45:37,310 --> 00:45:41,440
give us a definition of the app but this
is still a lot of stuff and

629
00:45:41,440 --> 00:45:45,670
i have to do anyways thank you very
much for your time if you have

630
00:45:45,670 --> 00:45:48,480
any further questions maybe we have time for one question

631
00:45:49,270 --> 00:45:49,850
no

632
00:45:50,790 --> 00:45:55,820
so or one of his like you can ask
one question otherwise that's

633
00:45:56,920 --> 00:45:58,580
do something outside

634
00:45:59,550 --> 00:46:03,290
so you are the lucky one shared libraries

635
00:46:03,890 --> 00:46:09,420
i'm sorry shared or bundled libraries
that's a good question bundled libraries is

636
00:46:09,420 --> 00:46:14,840
bundled libraries the distribution people they
hate the bundled libraries for those that don't

637
00:46:14,840 --> 00:46:18,850
know the details about this it's basically Firefox
and all these things they tend to

638
00:46:18,850 --> 00:46:23,190
ship a couple of shared
libraries that are otherwise a part

639
00:46:23,190 --> 00:46:28,410
of the operating system with the application
and distribution people hate that

640
00:46:28,410 --> 00:46:34,710
application developers always do that but i think
they're absolutely right i think that actually

641
00:46:34,710 --> 00:46:39,730
are and we need to technically solve the problem
so i think ultimately this means

642
00:46:39,730 --> 00:46:44,340
we need to support bundled libraries however
we need to deal with the fact that

643
00:46:44,340 --> 00:46:47,490
they suck for security reasons

644
00:46:47,990 --> 00:46:51,380
but i'm saying that the best way to deal
with security issues is with security

645
00:46:51,380 --> 00:46:56,470
technology so that's again something where the sandboxing
is relevant right if you want

646
00:46:56,470 --> 00:47:00,070
to allow Firefox to ship its own SSL
library you need to make

647
00:47:00,070 --> 00:47:03,270
sure that whatever happens and inside
of firefox now we can get out of the

648
00:47:03,270 --> 00:47:04,880
and you need to be tightly sandboxed

649
00:47:05,510 --> 00:47:11,020
right but i think ultimately there is really
strong we my firefox doesn't model things

650
00:47:11,020 --> 00:47:15,790
it's a testability thing it's about they want
exactly that version that they know with

651
00:47:15,790 --> 00:47:19,230
the API and the bug fixes i know
instead of something that is

652
00:47:19,540 --> 00:47:22,530
it's about that somebody else but
i don't know which is the up and

653
00:47:23,580 --> 00:47:30,190
so this idea this is that stuff as opposed
to provide support about the libraries

654
00:47:30,190 --> 00:47:34,620
and i don't think there's any way around
that how much is bundled and how

655
00:47:34,620 --> 00:47:39,010
much assisted by the operating system is something
you decide what profiles if you think

656
00:47:39,010 --> 00:47:42,570
i was be profile with very low level
and you have to should and problem

657
00:47:42,570 --> 00:47:46,250
or if you pick we can own profile
you have to ship but alas but

658
00:47:46,250 --> 00:47:49,260
i don't think that's the way around hunting at least the

659
00:47:51,170 --> 00:47:53,320
the middle ground a framework it's

660
00:47:54,540 --> 00:47:57,710
well timers a profile so you're supposed to promote

661
00:47:58,480 --> 00:48:01,840
but i don't know if you if you wanna
new version of GStreamer or

662
00:48:01,840 --> 00:48:02,650
you have to bundle

663
00:48:04,530 --> 00:48:08,470
everything that's not products operating
system profile and you have more about

664
00:48:12,060 --> 00:48:16,000
there is no possibility that you know if an operating
system doesn't have some very

665
00:48:16,000 --> 00:48:19,870
popular third party like you've been everybody
has to bundle their own copy of that

666
00:48:19,870 --> 00:48:22,650
we pretty like green instead of using
show and then they should talk to the

667
00:48:22,650 --> 00:48:24,810
operating system vendor maybe ship the library

668
00:48:26,170 --> 00:48:30,540
okay anyway this was already one question
more than i promised so anyway single but

669
00:48:30,540 --> 00:48:31,630
i'm if you i

