RFC - Salt formula - distribution and package removal

unman

May 16, 2021, 8:13:21 AM
to qubes...@googlegroups.com
I've been working on issue #1939 - method for distributing salt formulas.

At the moment, I think a simple approach is to use a repository - it has
the advantage that it leverages an existing mechanism, packages will be
signed, and it's simple to apply the state after installing the package.
Another advantage is that instead of creating a new interface to an app
store we can hack about with an existing package manager - that's the
approach I've taken, and have a working prototype.

Here's the thing - a package drops salt formula into /srv/salt and
installs the state using qubesctl as final step. (Could provide
non-installer packages that just drop formula without installing).
What is appropriate action if a user removes the package - just remove
the salt files? Remove the effect of the state as best we can?

Thoughts?

Sven Semmler

May 17, 2021, 12:09:17 AM
to qubes...@googlegroups.com
On 5/16/21 7:13 AM, unman wrote:
> Remove the effect of the state as best we can?

That sounds messy to impossible as you already point out with "as best
we can".

I don't think a (non-technical) user would anticipate this to happen or
be able to accurately predict the consequences.

/Sven

--
public key: https://www.svensemmler.org/0x8F541FB6.asc
fingerprint: D7CA F2DB 658D 89BC 08D6 A7AA DA6E 167B 8F54 1FB6


unman

May 17, 2021, 8:14:15 AM
to Sven Semmler, qubes...@googlegroups.com
Thanks for the input Sven. Those are my thoughts.
On the other hand, a non-technical user might be surprised that
removing the package that installed (e.g) a VPN set-up did not remove
it also.
For non-technical users there would be the advantage that they are
unlikely (and would not be encouraged) to change the configuration
themselves.

Jason Barrett

May 17, 2021, 7:57:57 PM
to unman, Sven Semmler, qubes...@googlegroups.com
When do you think we might see Nvidia support? My PC has no integrated GPU and I have a 3080.

Sven Semmler

May 17, 2021, 11:33:05 PM
to unman, qubes...@googlegroups.com
On 5/17/21 7:14 AM, unman wrote:
> user might be surprised that removing the package that installed
> (e.g) a VPN set-up did not remove it also.

We could re-frame "formula" as "action" and the packages contain them.

In this concrete example there would be distinct actions contained in
the package "VPN qube":

- create VPN qube
- remove VPN qube

* the package makes the action available
* the action when executed does the changes

In this context it would be critical that the formula are not executed
automatically when the respective package is installed. Rather there
would be a GUI where those installed actions show up and can then be
executed.

Would that fit with what you are already working on?
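
The two actions proposed above for the "VPN qube" package could be written as a pair of Salt states, shown here as an added example that is not part of the thread or of unman's prototype. The file paths, the qube name `sys-vpn` and the template name are assumptions; `qvm.present`, `qvm.prefs` and `qvm.absent` are the Qubes dom0 Salt states.

```yaml
# /srv/salt/vpn/create.sls  (hypothetical path): action "create VPN qube"
# Applied on request from dom0, not at package install time:
#   sudo qubesctl state.apply vpn.create
vpn-qube-present:
  qvm.present:
    - name: sys-vpn            # hypothetical qube name
    - template: debian-10      # assumption: any installed template
    - label: orange

vpn-qube-prefs:
  qvm.prefs:
    - name: sys-vpn
    - netvm: sys-firewall
    - provides-network: true   # lets other qubes use sys-vpn as their netvm
    - require:
      - qvm: vpn-qube-present  # set prefs only once the qube exists

# /srv/salt/vpn/remove.sls  (hypothetical path): action "remove VPN qube"
# Applied on request from dom0:
#   sudo qubesctl state.apply vpn.remove
vpn-qube-absent:
  qvm.absent:
    - name: sys-vpn
```

With this layout, installing the package only places the two files under /srv/salt; nothing changes until one of them is applied. The remove state undoes only what the create state declared, so settings elsewhere that refer to `sys-vpn` (for example another qube's netvm) are not reverted by it.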

unman

May 18, 2021, 10:44:38 AM
to Jason Barrett, Sven Semmler, qubes...@googlegroups.com
On Tue, May 18, 2021 at 09:57:42AM +1000, Jason Barrett wrote:
> When do you think we might see Nvidia support? My PC has no integrated GPU
> and I have a 3080.

I'll answer here, although I'm not convinced you're in the right thread.

It's not as if there is **no** Nvidia support - just as with CPUs, the
problem is that you are working with newly released hardware, and it's
not feasible for Qubes to play continuous catch up.
An added problem is the (notoriously) bad Nvidia support for Linux,
although I have read good reports of the drivers for the 3080.

With the changes coming in 4.1 you may find that some of the issues will
disappear.

unman

May 18, 2021, 10:54:01 AM
to qubes...@googlegroups.com
I have toyed with that idea, particularly where a state might be
applicable to many templates or qubes. (E.g. install office packages, or
split-gpg.)
My simple use case would be for packages with states like the default
ones available on start up. They produce a definite outcome with little
interaction.
Should this be a generic GUI or one for each package?

Sven Semmler

May 21, 2021, 9:55:07 PM
to qubes...@googlegroups.com
On 5/18/21 9:53 AM, unman wrote:
> Should this be a generic GUI or one for each package?

Ideally there would be both.

1) "Configuration Wizard"

- main view shows a list of available actions (from installed packages)
- [add/remove actions] dialog that shows a list of available packages
and allows you to install/uninstall them.
- [run] ... runs the selected action
- [close] ... exits the "wizard"

2) "action"-specific GUI

- some formula might need parameters (e.g. VPN config) before or during
execution ... I don't see how that can be done with a generic GUI.


Sorry for the late response, I've been fighting a strange issue (#6227)

unman

May 22, 2021, 9:59:19 AM
to Sven Semmler, qubes...@googlegroups.com
Thanks for these suggestions.