[EROS-Arch] Installers

Jonathan S. Shapiro shap@eros-os.org
Sun, 25 Mar 2001 10:18:53 -0500


> The declarations have probably been computed some time ago (when
> generating the package, be it by software or by wetware). Therefore, I
> don't see the difference and the advantage of requesting a _static_
> declaration of the authorities the installer needs over having some
> installation program or script compute them at installation time. What
> did I miss?

You missed a social (human) problem.

As the person installing the software on a system, I want to know in advance
what authority is required and make active decisions about whether I will
agree to grant that authority. This should be done at install time, not
incrementally as the software comes to realize that it needs more authority.

The problem with the incremental strategy is that over time I will forget
what authority a program holds, and I might slowly give it combinations of
authorities that are well-suited to misuse or abuse.

In fact, I want to give it all dangerous authorities in a way that can be
disabled, because I may later decide that this software cannot be trusted
due to a security flaw, but after fixing that flaw I may want to restore the
software to operation.

In any case, knowing (in advance) the authority required by a program is
part of my decision about whether to install it or not. Therefore, a static
list is appropriate.

Finally, note that a dynamically generated list is unlikely to be useful. As
a practical matter, most dynamic decisions concern resource *allocation* as
distinct from the *authority to allocate*. Access to exceptional authorities
can certainly be captured by prior static description.

Jonathan
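An added illustration of the install-time model argued for above (example code, not part of the EROS-Arch thread and not EROS's own installer): a package ships a static manifest of the authorities it needs, the installer presents the whole list before anything is granted, the administrator's policy accepts or rejects it as a unit, and any granted authority can later be disabled and restored without reinstalling. The manifest format, the authority names and the package name are assumptions made for the example.

```python
"""
Added example (not from the EROS-Arch thread): a toy model of static
authority declaration. The package's required authorities are fixed
when it is built; the administrator decides at install time on the full
list; grants are revocable and restorable. All names are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    GRANTED = "granted"
    DISABLED = "disabled"


@dataclass
class AuthorityGrant:
    name: str               # e.g. "net.connect:25" (constructed naming scheme)
    state: State = State.GRANTED


@dataclass
class Package:
    name: str
    required_authorities: tuple   # static list, fixed when the package is built
    grants: dict = field(default_factory=dict)


def parse_manifest(text: str) -> tuple:
    """Parse a constructed one-authority-per-line manifest, ignoring
    blank lines and '#' comments. Returns the static authority list."""
    auths = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            auths.append(line)
    return tuple(auths)


def install(pkg: Package, approve) -> bool:
    """Install-time decision: the administrator's policy sees the *whole*
    static list and approves or rejects it as a unit. Nothing is granted
    incrementally afterwards."""
    if not approve(pkg.name, pkg.required_authorities):
        return False
    pkg.grants = {a: AuthorityGrant(a) for a in pkg.required_authorities}
    return True


def active_authorities(pkg: Package) -> set:
    return {a for a, g in pkg.grants.items() if g.state is State.GRANTED}


def disable(pkg: Package, authority: str) -> None:
    """Suspend one dangerous authority, e.g. after a flaw is found."""
    pkg.grants[authority].state = State.DISABLED


def restore(pkg: Package, authority: str) -> None:
    """Re-enable it once the flaw is fixed, without reinstalling."""
    pkg.grants[authority].state = State.GRANTED


def request_at_runtime(pkg: Package, authority: str) -> bool:
    """An authority outside the static manifest is refused outright;
    a declared but currently disabled one is refused as well."""
    return authority in active_authorities(pkg)


# Constructed sample manifest for a hypothetical package.
SAMPLE_MANIFEST = """
# authorities needed by 'mailer'
fs.read:/etc/mailer.conf
net.connect:25      # outbound SMTP
fs.write:/var/spool/mailer
"""


def demo() -> dict:
    pkg = Package("mailer", parse_manifest(SAMPLE_MANIFEST))

    # Constructed policy: refuse any package that wants to write outside /var.
    def approve(name, auths):
        return all(not a.startswith("fs.write:") or a.startswith("fs.write:/var")
                   for a in auths)

    ok = install(pkg, approve)
    disable(pkg, "net.connect:25")
    denied_while_disabled = request_at_runtime(pkg, "net.connect:25")
    restore(pkg, "net.connect:25")
    return {
        "installed": ok,
        "declared": pkg.required_authorities,
        "denied_while_disabled": denied_while_disabled,
        "undeclared_refused": not request_at_runtime(pkg, "net.listen:80"),
        "active_after_restore": active_authorities(pkg),
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes concrete is that the approval decision is taken once, over a list the administrator can read in full, rather than drifting over time as a program asks for more; and that revoking one authority is a state change on an existing grant, not an uninstall.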