[EROS-Arch] Installers

Jonathan S. Shapiro shap@cs.jhu.edu
Wed, 28 Mar 2001 08:08:47 -0500


> I'd like to _very_ cleanly separate them:
> 
> phase 1:
>    building a factory for a configuration/setup application. IMHO this
>    should be done without active constructors.
>    A system supplied service could do this.
> 
> phase 2:
>    running this setup application. It is nothing more than an ordinary
>    application. This application of course is turing-complete.
>    It may be used to export constructors which are applications to other
>    users.

To put this in context with my previous proposal, I would characterize
these as phases 1a and 1b. Joerg's proposal here is exactly what I had
in mind -- the installable image from the distribution media is written
in some standard format that is interpreted by a standard installation
program.

What this installation program does is create a new constructor and
install the installation image into that constructor according to a
standard method. It also installs any "extra" authorities needed (with
consent of administrator). Finally, it asks the constructor to
instantiate a new object.

Ordinarily, constructors instantiate programs, but there is no
requirement in the design that the capability returned to the invoker
must be a start capability. In fact, what happens is that the
constructor runs the new program, and the new program replies.

Therefore, my original phases would work as follows:

[phase 0] build constructor as above

[phase 1] installer invokes this constructor

[phase 1.1] installed program runs within confinement boundary, performs
initialization, fabricates a per-user constructor (that is, a
constructor that is invoked in turn by each user to install the program
for that user). Returns a capability to this constructor and exits.

[phase 1.2] installer verifies that the returned constructor capability is
confined modulo the originally authorized holes, places a capability to
this constructor in some directory object accessible from user shells.

The rest proceeds similarly, and we can certainly debate the need for
per-user installation, but is the intended bootstrap a bit clearer now?