[yast-devel] almost-fixing zero eulas

Here is a patch that I am not sure is right, so it is not committed. If I use this, it is still broken, and every controller says:

You must accept all EULAs before using this product! Accept End User Licence Agreement All licenses have already been accepted OK

--
Martin Vidner, YaST developer
http://en.opensuse.org/User:Mvidner
A smoking section in a restaurant is like a fecal section in a swimming pool

* Martin Vidner <mvidner@suse.cz> [Oct 16. 2009 15:12]:
Here is a patch that I am not sure is right, so it is not committed. If I use this, it is still broken, and every controller says:
You must accept all EULAs before using this product! Accept End User Licence Agreement All licenses have already been accepted OK -- Martin Vidner, YaST developer http://en.opensuse.org/User:Mvidner
A smoking section in a restaurant is like a fecal section in a swimming pool
From a4d3a161f6691e1d50bc311c4cea6d86fc8f6a2e Mon Sep 17 00:00:00 2001 From: Martin Vidner <mvidner@suse.cz> Date: Fri, 16 Oct 2009 15:07:14 +0200 Subject: [PATCH] Attempting to fix the eula code if the config specifies no licenses.
Like echo "licenses:" >/etc/YaST2/eula.yml --- plugins/eulas/app/models/license.rb | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/plugins/eulas/app/models/license.rb b/plugins/eulas/app/models/license.rb index fe2003b..be94037 100644 --- a/plugins/eulas/app/models/license.rb +++ b/plugins/eulas/app/models/license.rb @@ -71,7 +71,7 @@ class License def self.license_names config = YaST::ConfigFile.new(:eula) begin - config["licenses"] + config["licenses"] || [] rescue Exception => e raise CorruptedFileException.new config.path end
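Review bot: the "|| []" fallback on the changed line only covers a missing or empty "licenses:" key; any other non-list value under that key (a scalar or a hash) is still returned as-is to callers that expect a list. Consider checking the type here and raising CorruptedFileException when the value is neither nil nor an array. In the unchanged context of the same hunk, "rescue Exception => e" is broader than needed and never uses e, and YaST::ConfigFile.new(:eula) sits outside the begin block, so a failure there is not turned into CorruptedFileException. Since an empty list means there is nothing left to accept, a comment stating that a config with no licenses is deliberately treated as "no EULA required" would help the next reader.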
Hmm, the begin..rescue..end encloses accessing the config hash only. I guess it should catch YaST::ConfigFile.new exceptions also ?!

Klaus
---
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
--
To unsubscribe, e-mail: yast-devel+unsubscribe@opensuse.org
For additional commands, e-mail: yast-devel+help@opensuse.org

On Monday 19 October 2009 14:56:35 Klaus Kaempf wrote:
* Martin Vidner <mvidner@suse.cz> [Oct 16. 2009 15:12]:
Here is a patch that I am not sure is right, so it is not committed. If I use this, it is still broken, and every controller says:
You must accept all EULAs before using this product! Accept End User Licence Agreement All licenses have already been accepted OK
From a4d3a161f6691e1d50bc311c4cea6d86fc8f6a2e Mon Sep 17 00:00:00 2001
From: Martin Vidner <mvidner@suse.cz> Date: Fri, 16 Oct 2009 15:07:14 +0200 Subject: [PATCH] Attempting to fix the eula code if the config specifies no licenses.
Like echo "licenses:" >/etc/YaST2/eula.yml --- plugins/eulas/app/models/license.rb | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/plugins/eulas/app/models/license.rb b/plugins/eulas/app/models/license.rb index fe2003b..be94037 100644 --- a/plugins/eulas/app/models/license.rb +++ b/plugins/eulas/app/models/license.rb @@ -71,7 +71,7 @@ class License def self.license_names config = YaST::ConfigFile.new(:eula) begin - config["licenses"] + config["licenses"] || [] rescue Exception => e raise CorruptedFileException.new config.path end
Hmm, the begin..rescue..end encloses accessing the config hash only. I guess it should catch YaST::ConfigFile.new exceptions also ?!
Ok, if we want to treat non-existing/corrupted eulas.yml as blank licenses list. The main problem fix: def self.all_accepted? - find_all.collect{|license| license.accepted}.inject{|a,b| a and b} + find_all.collect{|license| license.accepted}.inject(true){|a,b| a and b} end absence of default value in inject + blank list = problem. Martin
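Review bot: with inject(true) in all_accepted?, an empty result from find_all now evaluates to true, so the acceptance gate opens whenever the license list is empty. Combined with treating a non-existing or corrupted eulas.yml as a blank list, a damaged config would silently count as "all accepted"; keep the corrupted-file case raising instead of falling back to an empty list. The unseeded inject on the removed line returns nil for an empty list, which is the falsy value behind the reported symptom. Consider find_all.all? {|license| license.accepted}, which gives the same empty-list result without needing a seed value.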
Klaus
--- SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)

Hi,

I have had the same problem, so I checked in the fix meanwhile.

The general question has been raised if the EULA acceptance is really needed on service side during every other service REST call? Isn't it enough to check the EULA in the installation workflow only?

Greetings
Stefan

Martin Vidner wrote:
Here is a patch that I am not sure is right, so it is not committed. If I use this, it is still broken, and every controller says:
You must accept all EULAs before using this product! Accept End User Licence Agreement All licenses have already been accepted OK

On Tuesday 20 October 2009 10:22:42 Stefan Schubert wrote:
Hi, I have had the same problem, so I checked in the fix meanwhile. The general question has been raised if the EULA acceptance is really needed on service side during every other service REST call? Isn't it enough to check the EULA in the installation workflow only?
Yes, it is enough, BUT there is no installation workflow on the service side. Webservice can be asked just to mark basesystem as finished (without processing its workflow). And this basesystem-finished flag is never checked on backend. It is only checked in UI (controlpanel).

When doing real installation, eula has to be accepted. The "flag" (that eula was accepted) is "saved" by installing the product. When the eula was not accepted, the installation did not run. There is no problem.

In our case we have an already installed product and we have to save the "flag" explicitly. Simply because user is allowed to skip the installation workflow.

Cheers,
Martin
Greetings Stefan

* Martin Kudlvasr <mkudlvasr@suse.cz> [Oct 20. 2009 15:03]:
On Tuesday 20 October 2009 10:22:42 Stefan Schubert wrote:
Hi, I have had the same problem, so I checked in the fix meanwhile. The general question has been raised if the EULA acceptance is really needed on service side during every other service REST call? Isn't it enough to check the EULA in the installation workflow only?
Yes, it is enough, BUT there is no installation workflow on the service side. Webservice can be asked just to mark basesystem as finished (without processing its workflow). And this basesystem-finished flag is never checked on backend. It is only checked in UI (controlpanel).
Which is completely fine from my pov. If someone has enough knowledge to bypass the WebYaST UI, we can't stop him anyways ;-)

Klaus
---
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)

On Tuesday 20 October 2009 15:07:03 Klaus Kaempf wrote:
* Martin Kudlvasr <mkudlvasr@suse.cz> [Oct 20. 2009 15:03]:
On Tuesday 20 October 2009 10:22:42 Stefan Schubert wrote:
Hi, I have had the same problem, so I checked in the fix meanwhile. The general question has been raised if the EULA acceptance is really needed on service side during every other service REST call? Isn't it enough to check the EULA in the installation workflow only?
Yes, it is enough, BUT there is no installation workflow on the service side. Webservice can be asked just to mark basesystem as finished (without processing its workflow). And this basesystem-finished flag is never checked on backend. It is only checked in UI (controlpanel).
Which is completely fine from my pov.
If someone has enough knowledge to bypass the WebYaST UI, we can't stop him anyways ;-)
This is news to me. Until now I thought, that webservice should be usable (and secure) on its own. Including accepting eulas and telling the user, that he has to accept eulas first.

This is not about bypassing security, this is about telling the user, that there is an eula to accept, even if he is using only command-line. If we leave eulas only in UI and basesystem, some users (in some completely valid use-cases) simply won't realize there is an eula to accept.

When user skips basesystem setup, it is his problem. When the user does not accept eula, it's license violation (also 3rd party vendors may have problem with that). I don't know, maybe it is just me seeing this problem as too serious.

From the performance POV ... the check for detecting, if eula was accepted, has 1-2 file touches. I don't see it as speed bottleneck (in comparison to dbus call for instance).

I understand that this decision is for the project managers to make, so I'll change the implementation to whatever the decision is going to be. The amount of work needed is minimal.

Cheers,
Martin
Klaus --- SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)

* Martin Kudlvasr <mkudlvasr@suse.cz> [Oct 20. 2009 15:51]:
On Tuesday 20 October 2009 15:07:03 Klaus Kaempf wrote:
If someone has enough knowledge to bypass the WebYaST UI, we can't stop him anyways ;-)
This is news to me. Until now I thought, that webservice should be usable (and secure) on its own. Including accepting eulas and telling the user, that he has to accept eulas first. This is not about bypassing security, this is about telling the user, that there is an eula to accept, even if he is using only command-line. If we leave eulas only in UI and basesystem, some users (in some completely valid use-cases) simply won't realize there is an eula to accept. When user skips basesystem setup, it is his problem. When the user does not accept eula, it's license violation (also 3rd party vendors may have problem with that). I don't know, maybe it is just me seeing this problem as too serious.
I see your point and tend to agree. However, I want to keep things simple for now. I can imagine a lot of things the service side could enforce (password for root, existence of a non-root user, registration, ...) adding up in a pile of validations every service request has to check.
From the performance POV ... the check for detecting, if eula was accepted, has 1-2 file touches. I don't see it as speed bottleneck (in comparison to dbus call for instance).
I understand that this decision is for the project managers to make, so I'll change the implementation to whatever the decision is going to be. The amount of work needed is minimal.
For now, I see enforcement of the EULAs in the webclient-eula module as sufficient.

Klaus
---
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)