Gambas self-extracting installer (4)

classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|

Gambas self-extracting installer (4)

Benoît Minisini
Hi,

I tested and found that using an embedded web application is as
difficult as using a normal installer, so... let's back to an installer
based on gb.qt4!

But I don't think it's a good idea to ask for the root or sudo password
to installed Gambas package, for security reasons (can you really trust
that self-extracting installer?)

Instead, I think I will just tell the user which packages he must
install himself before being able to complete the installation.

Moreover, I will try to provide the installed program with all needed
Gambas components inside. So, provided that the dependencies of these
components are already installed, nothing will need to be installed.

In other words, the idea is the following:

1) The self-extracting installer has all Gambas components needed by the
project inside.

2) He will try to load each component one by one.

3) As soon as one fails, it usually means that a package is missing.

4) Tells the user which packages he must install.

5) Or just go on and install the program.

If the user decide to install the Gambas components from the binary
packages later, maybe I should use them instead of the embedded ones. Or
maybe I shouldn't? Or maybe this decision is up to the package creator?

For security reasons, maybe this packager should be able to install the
program locally only. For global programs, a normal binary package must
be made.

What do you think? Should that packager install the program globally if
run by root (for example)?

Waiting for your remarks... :-)

--
Benoît Minisini

------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk
_______________________________________________
Gambas-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/gambas-user
Reply | Threaded
Open this post in threaded view
|

Re: Gambas self-extracting installer (4)

Kendek
My Gambas application requires root privileges. So if the user doesn't
trust the installer, then the hell ate the whole thing. :D

If you want to install an application on Linux system, you will need
root access. This is quite natural. Therefore, we use a controlled
repository. But true, the PPA's are not controlled, just open source.
But do not ask, wait for root privileges.

Or installer and installed program can be it completely portable. User
do not need to be root. But this is not natural on Linux system. These
applications size are too big.

What happens if compatible packages are not available in repository (or
anywhere)? Example, my app created in Gambas 3.5, but only available
version 3.4 or older.
How to upgrade an existing installation?
How to completely remove installed applications?

2013-10-27 13:27 keltezéssel, Benoît Minisini írta:

> Hi,
>
> I tested and found that using an embedded web application is as
> difficult as using a normal installer, so... let's back to an installer
> based on gb.qt4!
>
> But I don't think it's a good idea to ask for the root or sudo password
> to installed Gambas package, for security reasons (can you really trust
> that self-extracting installer?)
>
> Instead, I think I will just tell the user which packages he must
> install himself before being able to complete the installation.
>
> Moreover, I will try to provide the installed program with all needed
> Gambas components inside. So, provided that the dependencies of these
> components are already installed, nothing will need to be installed.
>
> In other words, the idea is the following:
>
> 1) The self-extracting installer has all Gambas components needed by the
> project inside.
>
> 2) He will try to load each component one by one.
>
> 3) As soon as one fails, it usually means that a package is missing.
>
> 4) Tells the user which packages he must install.
>
> 5) Or just go on and install the program.
>
> If the user decide to install the Gambas components from the binary
> packages later, maybe I should use them instead of the embedded ones. Or
> maybe I shouldn't? Or maybe this decision is up to the package creator?
>
> For security reasons, maybe this packager should be able to install the
> program locally only. For global programs, a normal binary package must
> be made.
>
> What do you think? Should that packager install the program globally if
> run by root (for example)?
>
> Waiting for your remarks... :-)
>


------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk
_______________________________________________
Gambas-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/gambas-user
Reply | Threaded
Open this post in threaded view
|

Re: Gambas self-extracting installer (4)

Benoît Minisini
Le 27/10/2013 18:33, Kende Krisztián a écrit :

> My Gambas application requires root privileges. So if the user doesn't
> trust the installer, then the hell ate the whole thing. :D
>
> If you want to install an application on Linux system, you will need
> root access. This is quite natural. Therefore, we use a controlled
> repository. But true, the PPA's are not controlled, just open source.
> But do not ask, wait for root privileges.
>
> Or installer and installed program can be it completely portable. User
> do not need to be root. But this is not natural on Linux system. These
> applications size are too big.
>
> What happens if compatible packages are not available in repository (or
> anywhere)? Example, my app created in Gambas 3.5, but only available
> version 3.4 or older.
> How to upgrade an existing installation?
> How to completely remove installed applications?
>

Good questions. This has to be thought. :-)

--
Benoît Minisini

------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk
_______________________________________________
Gambas-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/gambas-user
Reply | Threaded
Open this post in threaded view
|

Re: Gambas self-extracting installer (4)

Kendek

2013-10-27 18:42 keltezéssel, Benoît Minisini írta:

> Le 27/10/2013 18:33, Kende Krisztián a écrit :
>> My Gambas application requires root privileges. So if the user doesn't
>> trust the installer, then the hell ate the whole thing. :D
>>
>> If you want to install an application on Linux system, you will need
>> root access. This is quite natural. Therefore, we use a controlled
>> repository. But true, the PPA's are not controlled, just open source.
>> But do not ask, wait for root privileges.
>>
>> Or installer and installed program can be it completely portable. User
>> do not need to be root. But this is not natural on Linux system. These
>> applications size are too big.
>>
>> What happens if compatible packages are not available in repository (or
>> anywhere)? Example, my app created in Gambas 3.5, but only available
>> version 3.4 or older.
>> How to upgrade an existing installation?
>> How to completely remove installed applications?
>>
> Good questions. This has to be thought. :-)
>

And what if you create a new installer component (gambas3-installer)? No
self-installing files, only archived gambas source files with specific
extension (compressed binary with bash header). If click on the file, it
opens in the global installer (or you can browse in the installer). If
gambas3-installer is not installed, it will give an error message. This
installer compiling source and install files in user dir (like Steam).
If any dependency is missing, tells you what you need to install.
This installer could be uninstaller too with database of installed
applications (~/.config/gambas3/database_file).

What do you think? Well, it would solve a number of questions, is not
it? You can fine-tune it. :-)


------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk
_______________________________________________
Gambas-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/gambas-user
Reply | Threaded
Open this post in threaded view
|

Gambas self-extracting installer (4)

Ian Haywood
In reply to this post by Benoît Minisini
On Sunday, October 27, 2013, Benoit Minisini
<[hidden email] <mailto:[hidden email]>> wrote:
> But I don't think it's a good idea to ask for the root or sudo password
> to installed Gambas package, for security reasons (can you really trust
> that self-extracting installer?)
>
> Instead, I think I will just tell the user which packages he must
> install himself before being able to complete the installation.

An installer without root access doesn't seem that useful IMHO as it
would end up just displaying a long list of complex commands to enter
into a terminal.
Most people using it wouldn't understand the commands (otherwise they
wouldn't need the installer) so from a security point of view you gain
nothing by making them cut and paste into a terminal window - they still
have to trust that you haven't embedded a "rm -f /" in there.
 I suggest detecting gksu or kdesu on the system and using those, this
means your code doesn't have to handle the root password.

> Moreover, I will try to provide the installed program with all needed
> Gambas components inside. So, provided that the dependencies of these
> components are already installed, nothing will need to be installed.
If you can automatically install whatever library you might as well
install its gambas binding as a package too.

> For security reasons, maybe this packager should be able to install the
> program locally only.
I don't think "installing locally" is a good idea or particularly useful
IMHO. In practice you will almost always need root access to install
some dependency, so you might as well install the program itself the
normal way in /usr/bin while you're at it.

Ian
------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk
_______________________________________________
Gambas-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/gambas-user
Reply | Threaded
Open this post in threaded view
|

Re: Gambas self-extracting installer (4)

B Bruen
On Mon, 2013-10-28 at 13:06 +1100, Ian Haywood wrote:
> On Sunday, October 27, 2013, Benoit Minisini
> <[hidden email] <mailto:[hidden email]>> wrote:
> > But I don't think it's a good idea to ask for the root or sudo password
> > to installed Gambas package, for security reasons (can you really trust
> > that self-extracting installer?)
> >
>  I suggest detecting gksu or kdesu on the system and using those, this
> means your code doesn't have to handle the root password.

pkexec also (for XFCE based systems)!

Our autotools installer uses the following. I know its' not bash but it
might offer some clues.

          Select Case Desktop.Type
            Case "LXDE"
              Print "Installing - " & Subst("gksu -D Installer 'cd &1;
        pwd; make install'", User.Home &/ workdir &/
        Replace(File.BaseName(wkitem), ".tar", ""))
              Shell Subst("gksu -D Installer 'cd &1; pwd; make
        install'", User.Home &/ workdir &/
        Replace(File.BaseName(wkitem), ".tar", "")) To logger
              Print logger
            Case "KDE", "KDE4"
              Print "Installing - " & Subst("kdesu -n 'cd &1; pwd; make
        install'", User.Home &/ workdir &/
        Replace(File.BaseName(wkitem), ".tar", ""))
              Shell Subst("kdesu -n 'cd &1; pwd; make install'",
        User.Home &/ workdir &/ Replace(File.BaseName(wkitem), ".tar",
        "")) To logger
              Print logger
            Case "GNOME", "XFCE"
              Print "Installing - " & Subst("'cd &1; pwd; pkexec make
        install'", User.Home &/ workdir &/
        Replace(File.BaseName(wkitem), ".tar", ""))
              Shell Subst("'cd &1; pwd; pkexec make install'", User.Home
        &/ workdir &/ Replace(File.BaseName(wkitem), ".tar", "")) To
        logger
            Case Else
              Print Desktop.Type
  End Select

Bruce


------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk
_______________________________________________
Gambas-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/gambas-user
Reply | Threaded
Open this post in threaded view
|

Re: Gambas self-extracting installer (4)

Tobias Boege-2
In reply to this post by Ian Haywood
On Mon, 28 Oct 2013, Ian Haywood wrote:

> On Sunday, October 27, 2013, Benoit Minisini
> <[hidden email] <mailto:[hidden email]>> wrote:
> > But I don't think it's a good idea to ask for the root or sudo password
> > to installed Gambas package, for security reasons (can you really trust
> > that self-extracting installer?)
> >
> > Instead, I think I will just tell the user which packages he must
> > install himself before being able to complete the installation.
>
> An installer without root access doesn't seem that useful IMHO as it
> would end up just displaying a long list of complex commands to enter
> into a terminal.

I seem to have lost track of the *what* which we want to install.
Originally, Benoit wanted an installer for official Gambas packages. Then
Kendek came and suggested a gambas3-installer component.

So, are we still at "installing Gambas3 packages" or at "installing
something that depends on Gambas3, like applications written in Gambas?"

In the latter case (and even sometimes in the first case, still), I can
imagine that we don't need root privileges: Personally, I tend to keep some
stable version of Gambas under $HOME/bin next to trunk in /usr/bin. If you
want to install software for your local user, you would likely do it in your
home directory, under something like $HOME/bin and this doesn't need root
privileges.

Well, most people will not have a second Gambas under $HOME/bin, I think,
and this is definitely nothing the self-extracting installer should do (or
even offer) when installing Gambas3 official packages from a repository.
Since, if people use the installer, they don't have Gambas3 and don't know
how to set it up correctly.

But especially for Gambas applications, I could imagine that people want
them to install to $HOME, instead of /usr because it is sometimes less
hassle to maintain - or they have got a program from a friend and don't want
to mess up their /usr or something. I myself do it like this, at least.

I hope, I got the situation right :-)

Regards,
Tobi

--
"There's an old saying: Don't change anything... ever!" -- Mr. Monk

------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk
_______________________________________________
Gambas-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/gambas-user