Re: [Usability] Content Separation in GNOME

From: Ivan Gyurdiev <ivg2 cornell edu>
To: Matthew Thomas <mpt myrealbox com>
Cc: usability gnome org, sds tycho nsa gov
Subject: Re: [Usability] Content Separation in GNOME
Date: Mon, 04 Apr 2005 13:08:54 -0400

You have a valid point - I agree that forcing directories to contain
homogenous content will reduce the usefulness of the filesystem. Perhaps
this can be done on the file-granularity level then - still documents
need to be separated from settings, I think, to allow SElinux to 
do automatic type transitions. Right now it can't choose which file type
to auto-transition to at /home, when it has to write both settings and
content. 

I like the division into Settings/Documents/Downloads as a start.
I suggested the lowercase names, because that's consistent w/ existing
Unix conventions. People who access those things from the shell might
be annoyed at uppercase and verbose names, such as the ones used on
Windows. The Settings folder can be avoided for now if the documents are
moved - I ask for separation of content and settings, and if you move
the content there's no need to move the settings.

> Perhaps this could be achieved more simply with a "Settings" folder and
> a "Downloads" folder.
> 
> The Settings folder could work like this: Programs would be allowed to
> read from anywhere in ~/Settings (to access settings shared between
> programs, or to import settings from competing programs), 

I don't like this. This should be done per-program in the program's
policy if it's really necessary. 

> (Nautilus -- or a program Nautilus delegated to -- could present the
> ~/Settings folder by default as an integrated control panel for Gnome
> settings and application-specific settings. Double-clicking an
> application's subfolder would ideally launch that application with a
> command to show its preferences window and nothing else.

That's interesting. In that case the Settings folder might prove useful
- at that point settings are no longer to be hidden away from the user.
I'm not sure how that related to GConf. By the way , Colin Walters from
Redhat mentioned that integration with GConf is planned, where
individual keys can be labeled with a security context.

> Aunt Tillie says: "'Relabel'? 'Hostile'? 'Content'? ... What is it
> talking about, dear?" Confirmation alerts are not the best way of
> providing security anyway, because people tend not to read them.
> 
> Instead, the Downloads folder could work like this: Nautilus wouldn't
> let you open a file directly from the folder, but the folder window
> would have a panel along the top saying "To open a file you trust, move
> it out of this folder first." (This is comparable to the Trash in Mac OS
> and the Recycle Bin in Windows: if you want to open a file in either of
> those, you have to take it out first.) This would make elevating a
> file's trustedness a deliberate action, without using an alert. If you
> had a virus scanner installed, it would automatically be called on to
> scan a file whenever it was moved or copied out of ~/Downloads.

...but that's so annoying. If you had a virus scanner there should be a
way to trigger automatic scan and relabel without going through so much
trouble. 

-- 
Ivan Gyurdiev <ivg2 cornell edu>
Cornell University

Follow-Ups:
- Re: [Usability] Content Separation in GNOME
  - From: Matthew Thomas

References:
- [Usability] Content Separation in GNOME
  - From: Ivan Gyurdiev
- Re: [Usability] Content Separation in GNOME
  - From: Matthew Thomas

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]