gnome-control-center/archiver/future-spec

Changes to the Helix Configuration Manager
Copyright (C) 2000 Ximian, Inc.
Written by Bradford Hovinen <hovinen@ximian.com>

As it stands, capplets and Ximian Setup Tools are both run as separate
processes through the exec() facility. It is planned that the capplets 
shall become Bonobo controls in the future, once the OAF/gnorba
compatibility problems are worked out. This changes the design of the
configuration system considerably, and several things should be done
to take full advantage of these changes.

1. Capplets become Bonobo controls

It stands to reason that the front ends for Ximian Setup Tools should
become Bonobo controls at the same time as capplets. They can each
implement the same interface (say, Bonobo::Capplet) with methods
getXML(), setXML(), ok(), cancel(), and init() and hence look the same
to the shell. This means that the front ends for the Ximian Setup Tools
run as the same user as XCM and respond in the same way as capplets do
to requests to embed them in the XCM shell window. This is essential
for a consistent user interface that will not result in end-user
confusion [1]. XCM itself may then export an interface that includes
the method runBackend(), to which the frontend supplies a stream of
XML that XCM passes through the root manager to the backend via a
standard pipe [2]. The backend is then responsible for running the
program that archives the XML -- there is no other way to place that
XML in a central, system-wide repository. I suggest, therefore, that
we modify the design of the current system to make that change, so
that we do not have to undo existing work later.

2. Backends get CORBA interfaces through Perl/ORBit

At this point, there must be a way for the root manager to forward
CORBA sockets to the user securely. This could be done by modifying
ORBit so as to give the running program very precise control over the
nature of the socket. Access could be granted specifically to the user 
running the root manager by placing the socket in a directory owned by 
that user with permissions no more lax than 0700. When the CORBA
interfaces are created, applications will be able to make use of it to 
make system-wide changes as necessary (say, to add a new user during
the installation of a piece of software). This means that the
traditional rollback facilities must be extended to allow users to
roll back changes made by applications. In addition, the application
must treat the backend as a black box -- it should never be expected
to do anything unusual to support rollback, since buggy or
poorly-written applications would otherwise cause trouble for
unsuspecting users.

At this point I suggest that each backend export two interfaces: one
that is universal to all backends and one that is specific to that
particular tool. The former may include the methods getXML(),
setXML(), and commit(). When changes are made through the
tool-specific interface, the tool decides whether or not to apply
those changes immediately or to queue them up until a commit() is
invoked. If changes are made through the backend's CORBA interface and 
it is deactivated before a commit(), the backend must roll back those
changes under the assumption that they are not intended to be
permanent.

Of course, this makes implementation of the cancel() interface on the
frontends very easy -- simply deactivate the backend without
commit()ing. ok() can be implemented by flushing any remaining
changes, calling commit(), and then deactivating the backend. The
frontend can and should use the CORBA interface to invoke changes
whenever they are made, as long as it makes sense. It is then the
backend that sets the policy of whether or not the updates are live,
as described above. The frontend must still be able to read XML,
though, since it is through that that it will get an initial
description of the setup with which to fill in the dialog. In
addition, since the frontend may be invoked to make changes to an
inactive location, it should be able to write out an XML description
of the dialog's contents so that those changes may be archived rather
than applied immediately.

Notes

[1] A visual cue that signals to the user that he is running a
system-wide configuration tool rather than a personal one would be
advantageous. Such could take the form of an icon on the dialog, a
layout or formatting convention for the dialog proper, or some sort of
coloring convention of some of the controls. However, simply having
the tool run with root's Gtk+ theme and ignoring the embedding
preference, as would be the case if we do not Bonobize the HST
frontends, is inconsistent as many users will leave their themes as
the default and elect not to embed capplets -- eliminating all visual
cues. In addition, it is not particularly lucid and many users will
merely be confused by the inconsistent interface. One may imagine many
users filing bug reports in the belief that the behavior is
erroneous. Hence, that solution is insufficient.

[2] There must then be a method of multiplexing I/O throught the root
manager, as there may be multiple backends running concurrently. A
simple protocol could be implemented to do this, or a named pipe could 
be created if done very carefully as to ensure a high degree of
security.
Added archiver directory Imported archiver for time travel, location Tue Dec 19 09:04:00 2000 Bradford Hovinen <hovinen@helixcode.com> * Makefile.am (SUBDIRS): Added archiver directory * archiver/*: Imported archiver for time travel, location management 2000-12-19 14:05:04 +00:00			`Changes to the Helix Configuration Manager`
More Helix to Ximian. Also, the new network code - untested - and a fix for backends/Makefile.am 2001-01-24 20:40:25 +00:00			`Copyright (C) 2000 Ximian, Inc.`
			`Written by Bradford Hovinen <hovinen@ximian.com>`
Added archiver directory Imported archiver for time travel, location Tue Dec 19 09:04:00 2000 Bradford Hovinen <hovinen@helixcode.com> * Makefile.am (SUBDIRS): Added archiver directory * archiver/*: Imported archiver for time travel, location management 2000-12-19 14:05:04 +00:00
More Helix to Ximian. Also, the new network code - untested - and a fix for backends/Makefile.am 2001-01-24 20:40:25 +00:00			`As it stands, capplets and Ximian Setup Tools are both run as separate`
Added archiver directory Imported archiver for time travel, location Tue Dec 19 09:04:00 2000 Bradford Hovinen <hovinen@helixcode.com> * Makefile.am (SUBDIRS): Added archiver directory * archiver/*: Imported archiver for time travel, location management 2000-12-19 14:05:04 +00:00			`processes through the exec() facility. It is planned that the capplets`
			`shall become Bonobo controls in the future, once the OAF/gnorba`
			`compatibility problems are worked out. This changes the design of the`
			`configuration system considerably, and several things should be done`
			`to take full advantage of these changes.`

			`1. Capplets become Bonobo controls`

More Helix to Ximian. Also, the new network code - untested - and a fix for backends/Makefile.am 2001-01-24 20:40:25 +00:00			`It stands to reason that the front ends for Ximian Setup Tools should`
Added archiver directory Imported archiver for time travel, location Tue Dec 19 09:04:00 2000 Bradford Hovinen <hovinen@helixcode.com> * Makefile.am (SUBDIRS): Added archiver directory * archiver/*: Imported archiver for time travel, location management 2000-12-19 14:05:04 +00:00			`become Bonobo controls at the same time as capplets. They can each`
			`implement the same interface (say, Bonobo::Capplet) with methods`
			`getXML(), setXML(), ok(), cancel(), and init() and hence look the same`
More Helix to Ximian. Also, the new network code - untested - and a fix for backends/Makefile.am 2001-01-24 20:40:25 +00:00			`to the shell. This means that the front ends for the Ximian Setup Tools`
			`run as the same user as XCM and respond in the same way as capplets do`
			`to requests to embed them in the XCM shell window. This is essential`
Added archiver directory Imported archiver for time travel, location Tue Dec 19 09:04:00 2000 Bradford Hovinen <hovinen@helixcode.com> * Makefile.am (SUBDIRS): Added archiver directory * archiver/*: Imported archiver for time travel, location management 2000-12-19 14:05:04 +00:00			`for a consistent user interface that will not result in end-user`
More Helix to Ximian. Also, the new network code - untested - and a fix for backends/Makefile.am 2001-01-24 20:40:25 +00:00			`confusion [1]. XCM itself may then export an interface that includes`
Added archiver directory Imported archiver for time travel, location Tue Dec 19 09:04:00 2000 Bradford Hovinen <hovinen@helixcode.com> * Makefile.am (SUBDIRS): Added archiver directory * archiver/*: Imported archiver for time travel, location management 2000-12-19 14:05:04 +00:00			`the method runBackend(), to which the frontend supplies a stream of`
More Helix to Ximian. Also, the new network code - untested - and a fix for backends/Makefile.am 2001-01-24 20:40:25 +00:00			`XML that XCM passes through the root manager to the backend via a`
Added archiver directory Imported archiver for time travel, location Tue Dec 19 09:04:00 2000 Bradford Hovinen <hovinen@helixcode.com> * Makefile.am (SUBDIRS): Added archiver directory * archiver/*: Imported archiver for time travel, location management 2000-12-19 14:05:04 +00:00			`standard pipe [2]. The backend is then responsible for running the`
			`program that archives the XML -- there is no other way to place that`
			`XML in a central, system-wide repository. I suggest, therefore, that`
			`we modify the design of the current system to make that change, so`
			`that we do not have to undo existing work later.`

			`2. Backends get CORBA interfaces through Perl/ORBit`

			`At this point, there must be a way for the root manager to forward`
			`CORBA sockets to the user securely. This could be done by modifying`
			`ORBit so as to give the running program very precise control over the`
			`nature of the socket. Access could be granted specifically to the user`
			`running the root manager by placing the socket in a directory owned by`
			`that user with permissions no more lax than 0700. When the CORBA`
			`interfaces are created, applications will be able to make use of it to`
			`make system-wide changes as necessary (say, to add a new user during`
			`the installation of a piece of software). This means that the`
			`traditional rollback facilities must be extended to allow users to`
			`roll back changes made by applications. In addition, the application`
			`must treat the backend as a black box -- it should never be expected`
			`to do anything unusual to support rollback, since buggy or`
			`poorly-written applications would otherwise cause trouble for`
			`unsuspecting users.`

			`At this point I suggest that each backend export two interfaces: one`
			`that is universal to all backends and one that is specific to that`
			`particular tool. The former may include the methods getXML(),`
			`setXML(), and commit(). When changes are made through the`
			`tool-specific interface, the tool decides whether or not to apply`
			`those changes immediately or to queue them up until a commit() is`
			`invoked. If changes are made through the backend's CORBA interface and`
			`it is deactivated before a commit(), the backend must roll back those`
			`changes under the assumption that they are not intended to be`
			`permanent.`

			`Of course, this makes implementation of the cancel() interface on the`
			`frontends very easy -- simply deactivate the backend without`
			`commit()ing. ok() can be implemented by flushing any remaining`
			`changes, calling commit(), and then deactivating the backend. The`
			`frontend can and should use the CORBA interface to invoke changes`
			`whenever they are made, as long as it makes sense. It is then the`
			`backend that sets the policy of whether or not the updates are live,`
			`as described above. The frontend must still be able to read XML,`
			`though, since it is through that that it will get an initial`
			`description of the setup with which to fill in the dialog. In`
			`addition, since the frontend may be invoked to make changes to an`
			`inactive location, it should be able to write out an XML description`
			`of the dialog's contents so that those changes may be archived rather`
			`than applied immediately.`

			`Notes`

			`[1] A visual cue that signals to the user that he is running a`
			`system-wide configuration tool rather than a personal one would be`
			`advantageous. Such could take the form of an icon on the dialog, a`
			`layout or formatting convention for the dialog proper, or some sort of`
			`coloring convention of some of the controls. However, simply having`
			`the tool run with root's Gtk+ theme and ignoring the embedding`
			`preference, as would be the case if we do not Bonobize the HST`
			`frontends, is inconsistent as many users will leave their themes as`
			`the default and elect not to embed capplets -- eliminating all visual`
			`cues. In addition, it is not particularly lucid and many users will`
			`merely be confused by the inconsistent interface. One may imagine many`
			`users filing bug reports in the belief that the behavior is`
			`erroneous. Hence, that solution is insufficient.`

			`[2] There must then be a method of multiplexing I/O throught the root`
			`manager, as there may be multiple backends running concurrently. A`
			`simple protocol could be implemented to do this, or a named pipe could`
			`be created if done very carefully as to ensure a high degree of`
			`security.`