privileged helper to pull ostree repos



For xdg-app we currently support two repos, one system-wide and one in
your homedirectory. The plan for the future is that most things will be
installed in the system-wide repo, and the per-user one is mostly a
devel/testing feature.

However, for this to be easy to use we want some kind of policy-kit
enabled privileged helper so that users can run gnome-software in their
session as a regular user and install/update apps, similar to how it
currently does this for rpms.

However, I would like to keep the privileged helper very simple. For
instance, it would be nice if it didn't do any network i/o, since that
is complex for several reasons (security, proxies, etc).

So, my idea was that the user side would make a new local repo with
parent_repo set in the config to point to the system repo, and a copy
of the repo config. Then one could do the pull operation into that, and
it will avoid downloading any objects that are already downloaded. When
we have a local repo we would invoke the privileged helper with a
pointer to the local repo, and it would verify that it's ok, pull from
it and then deploy the new version.

There are some possible problems I can see:

* If the remote has gpg disabled you can push anything into the repo.
But we can probably just not support that.

* Any signed commit is ok to pull, so we can pull app2 from the remote,
and push as app1 locally. One approach to avoid this is to download the
remote summary file and summary signatures, and make the service verify
that the branch name is ok. If that is so, we're at least the right
app, and *probably* the right repo (assuming one gpg key is used per
repo).

* A user can back-rev the branch to an older (signed) version. We
should probably verify that commit timestamps are increasing.

* ostree seems to trust the integrity of a local pull. For instance, if
the remote repo mode matches the current one (bare-user for xdg-app)
then source objects are just hardlinked. This is not good, because
you'll be hardlinking a user-owned file into the repo, and the user can
later change it. One way of avoiding this is to use an archive-z2 repo,
but that seems kind of excessive. Another alternative is to teach
ostree about untrusted pull locations.

Does this make sense? Do you foresee any other problems with this
approach?


-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Alexander Larsson                                            Red Hat, Inc 
       alexl redhat com            alexander larsson gmail com 
He's a lonely Catholic master criminal on the wrong side of the law. 
She's a supernatural hypochondriac soap star with an MBA from Harvard. 
They fight crime! 
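The checks the mail proposes for the privileged helper (only signed commits, signing key must belong to the remote, branch name confirmed against the signed remote summary, commit timestamps strictly increasing, and no hardlinks from the user-owned staging repo surviving in the system repo) can be modelled without touching libostree. The following is an added example, not xdg-app or ostree code; `CommitInfo`, `check_staged_commit`, `find_untrusted_objects` and `demo_hardlink_check` are hypothetical names, and it assumes the caller has already verified the summary's detached signature and that the summary maps each ref to a commit checksum (so a commit for app2 relabelled as app1 is rejected, which is a slightly stronger check than branch name alone).

```python
"""Model of a privileged helper's checks on a user-staged ostree repo.

Added example, not part of xdg-app or ostree. It does not call libostree;
the commit metadata is passed in as plain values so the policy is testable
on its own.
"""
import os
import tempfile
from dataclasses import dataclass
from typing import Optional


@dataclass
class CommitInfo:
    ref: str               # branch the staging repo labels this commit with
    checksum: str          # commit object checksum
    timestamp: int         # commit timestamp, seconds since the epoch
    signer: Optional[str]  # key id of a verified GPG signature, None if unsigned


def check_staged_commit(requested_ref, staged, summary_refs, trusted_keys,
                        deployed_timestamp):
    """Decide whether the helper may pull `staged` from the user's local repo.

    summary_refs: ref -> commit checksum from the remote's summary; assumed
        to have been verified against trusted_keys by the caller.
    trusted_keys: key ids configured for the remote the app comes from.
    deployed_timestamp: timestamp of the currently deployed commit for this
        ref, or None when nothing is deployed yet.
    Returns (ok, reason).
    """
    if staged.signer is None:
        return False, "commit is unsigned or its signature does not verify"
    if staged.signer not in trusted_keys:
        return False, "commit is signed by a key not configured for this remote"
    if staged.ref != requested_ref:
        return False, "staged ref %r is not the requested %r" % (staged.ref, requested_ref)
    # A signed commit for another app pushed under this ref will not match
    # the checksum the signed summary lists for the ref.
    if summary_refs.get(requested_ref) != staged.checksum:
        return False, "remote summary does not list this commit for the ref"
    # Reject a back-rev to an older, still validly signed, commit.
    if deployed_timestamp is not None and staged.timestamp <= deployed_timestamp:
        return False, "commit is not newer than the deployed one"
    return True, "ok"


def find_untrusted_objects(objects_dir, expected_uid):
    """After a local pull, list object files a user could still modify:
    hardlinked (link count > 1) or not owned by expected_uid."""
    bad = []
    for root, _dirs, files in os.walk(objects_dir):
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)
            if st.st_nlink > 1 or st.st_uid != expected_uid:
                bad.append(path)
    return sorted(bad)


def demo_hardlink_check():
    """Constructed scenario: one object hardlinked from a user-owned staging
    repo (what a same-mode pull does) and one copied. Returns the basenames
    flagged; expected ['shared.file']."""
    staging = tempfile.mkdtemp(prefix="user-repo-")
    system_repo = tempfile.mkdtemp(prefix="system-repo-")
    objects = os.path.join(system_repo, "objects")
    os.makedirs(objects)
    user_obj = os.path.join(staging, "obj")
    with open(user_obj, "wb") as f:
        f.write(b"user-controlled content")
    os.link(user_obj, os.path.join(objects, "shared.file"))
    with open(os.path.join(objects, "copied.file"), "wb") as f:
        f.write(b"copied content")
    return [os.path.basename(p)
            for p in find_untrusted_objects(objects, os.getuid())]


if __name__ == "__main__":
    print(demo_hardlink_check())
```

The two halves map onto the two trust problems in the mail: `check_staged_commit` is what the helper should decide before pulling anything, and `find_untrusted_objects` is a post-pull audit the helper could run (with `expected_uid` set to its own uid) until ostree learns about untrusted pull locations; a flagged object means the pull must be rejected or the object re-copied rather than hardlinked.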



