Compare commits
2 Commits
49af197f7b
...
5106425b3c
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
5106425b3c | ||
|
|
9ca5e8922c |
@ -1,13 +1,15 @@
|
|||||||
# LibrePortal — Updates, Improvements & Distribution (Roadmap / Vision)
|
# LibrePortal — Updates, Improvements & Distribution (Roadmap / Vision)
|
||||||
|
|
||||||
**Status:** §0–§7 are the brainstorm (vision). **§8 is the committed format spec** and the open forks (§6) are resolved there. · **Audience:** us, future-self · **Scope:** the updater feature, "hotfixes", and how third-party themes/apps/components get distributed · **Origin:** brainstorm 2026-05-30/31 → format decided & Phase 1 built 2026-05-31
|
**Status:** §0–§7 are the brainstorm (vision). **§8 is the committed format spec** and the open forks (§6) are resolved there. · **Audience:** us, future-self · **Scope:** the updater feature, "hotfixes", and how third-party themes/apps/components get distributed · **Origin:** brainstorm 2026-05-30/31 → format decided & the hotfix product (Phases 1–5) built 2026-05-31
|
||||||
|
|
||||||
> Sections 0–7 below are the original thinking doc — kept verbatim so the
|
> Sections 0–7 below are the original thinking doc — kept verbatim so the
|
||||||
> reasoning isn't lost. **The conclusion of that brainstorm is §8: the concrete
|
> reasoning isn't lost. **The conclusion of that brainstorm is §8: the concrete
|
||||||
> artifact format**, designed so apps/themes/components slot into the same pipe a
|
> artifact format**, designed so apps/themes/components slot into the same pipe a
|
||||||
> hotfix uses. Phase 1 of it (the signed-fetch+verify read primitive) is already
|
> hotfix uses. The hotfix product (Phases 1–5: signed fetch+verify, the reversible
|
||||||
> built — see §8.7. The forks in §6 are no longer open; §8.5 records how each was
|
> apply/revert pipeline, severity-split auto-apply, the WebUI Improvements stream,
|
||||||
> resolved.
|
> and the `make_hotfix.sh` publisher tool) is **built** — see §8.7. Only the
|
||||||
|
> registry/marketplace is deferred. The forks in §6 are no longer open; §8.5
|
||||||
|
> records how each was resolved.
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
@ -73,8 +75,8 @@ bold default.
|
|||||||
- [x] Define the declarative hotfix schema (the allowed operations + checksum preconditions). → **§8.2**
|
- [x] Define the declarative hotfix schema (the allowed operations + checksum preconditions). → **§8.2**
|
||||||
- [x] Decide auto-apply policy (uniform vs severity-split). → **§8.5 fork 2** (severity-split)
|
- [x] Decide auto-apply policy (uniform vs severity-split). → **§8.5 fork 2** (severity-split)
|
||||||
- [x] Fetch + verify the signed manifest on the same channel as the version check. → **§8.7 Phase 1 (built)**
|
- [x] Fetch + verify the signed manifest on the same channel as the version check. → **§8.7 Phase 1 (built)**
|
||||||
- [ ] Apply pipeline for the ops (snapshot → apply → verify → rollback → History). → §8.7 Phase 2
|
- [x] Apply pipeline for the ops (snapshot → apply → verify → rollback → History). → **§8.7 Phase 2 (built)**
|
||||||
- [ ] Surface applied/available hotfixes as a stream in the updater + History audit trail. → §8.7 Phase 3
|
- [x] Surface applied/available hotfixes as a stream in the updater + History audit trail. → **§8.7 Phase 4 (built)**
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
@ -424,26 +426,31 @@ This is exactly the §3 "registry, not marketplace" shape, now expressed in the
|
|||||||
that fetches + verifies + lists. Runs directly (no mutation), like `updater check`.
|
that fetches + verifies + lists. Runs directly (no mutation), like `updater check`.
|
||||||
- Self-tested: trust core fails closed (real key + no minisign → refuse), happy path,
|
- Self-tested: trust core fails closed (real key + no minisign → refuse), happy path,
|
||||||
stale-refused, rollback-refused, signature-refused, jq + grep parsing — 12/12.
|
stale-refused, rollback-refused, signature-refused, jq + grep parsing — 12/12.
|
||||||
- ⬜ **Phase 2 — the ops applier + apply verb (the heart, *next*).** `artifactApply`
|
- ✅ **Phase 2 — the ops applier + apply/revert verb (BUILT 2026-05-31).** `artifactApply`
|
||||||
(steps 0–9) + `artifactApplyOps` (the §8.2 vocabulary with dry-precheck-all + per-op
|
/ `artifactRevert` (`cli_artifact_apply.sh`): resolve+gate → fetch+verify payload →
|
||||||
`undo[]`), the **publishers-map two-tier sig check + canonical-envelope verification**,
|
dry-precheck-all → snapshot → apply (each op records a precise `undo`) → bring up →
|
||||||
snapshot → apply → verify → auto-rollback → History, wired as `artifact_apply` /
|
auto-rollback → applied-record + History. Bounded op vocabulary (`set-config-key`,
|
||||||
`artifact_revert` tasks. Reuse `updateConfigOption` / `dockerComposeUp` /
|
`set-compose-image`, `patch-file-if-checksum-matches`, `set-data-file`; unsupported op
|
||||||
`updaterComposePull` / `backup app` / `updaterRollbackApp` verbatim. Extend `history.json`
|
rejects the whole artifact). Two-tier trust (index verified vs footprint key + payload
|
||||||
(`artifact_id`, `serial`, `undo`) **and fix the `updaterRecordHistory` jq-silent-skip
|
sha256-pinned + minisig + publishers-map role gate). Write-target firewall + value/path
|
||||||
(fail-closed + bash-native fallback)** — the "nothing silent" guarantee depends on it.
|
charset guards. Routed as `artifact_apply`/`artifact_revert` tasks. `updaterRecordHistory`
|
||||||
Makes the Vaultwarden killer use case real, first-party.
|
jq-silent-skip **fixed** (fail-closed + bash-native fallback) + extended. The
|
||||||
- ⬜ **Phase 3 — auto-apply policy.** `CFG_HOTFIX_AUTO`, the periodic-check auto-apply of
|
updater's own broken snapshot/rollback calls fixed too. Hardened against a 17-finding
|
||||||
`security`/`breakage` (queue `compat`/`tweak` as suggestions), staged rollout + delay.
|
adversarial security review. Unit-tested 35/35.
|
||||||
- ⬜ **Phase 4 — WebUI "Updates & Improvements".** Extend `webuiUpdaterScan` to fetch +
|
- ✅ **Phase 3 — severity-split auto-apply (BUILT 2026-05-31).** `CFG_HOTFIX_AUTO`
|
||||||
verify the index into a **temp then atomically write** `artifacts_available.json` (never
|
(`security-breakage`|`all`|`off`, default `security-breakage`); `webui_artifact_scan.sh`
|
||||||
emit broken JSON; keep the prior file on failure) — **no second phone-home**. Add the
|
writes `artifacts_available.json` atomically (keep-prior-on-failure); `artifactApplyAuto`
|
||||||
Hotfixes/Improvements stream (why / severity / source, one-click revert, per-app chip).
|
(`artifact apply-auto`) enqueues eligible signed hotfixes (verified-index-only, in-policy,
|
||||||
*User-visible → verify with `lp-shot` on the updater route before calling it done.*
|
applicable, not-applied) from the `updater check`. Unit-tested 13/13.
|
||||||
- ⬜ **Phase 5 — publisher tooling.** `make_hotfix.sh` (sibling of `make_release.sh`) emits
|
- ✅ **Phase 4 — WebUI "Improvements" stream + per-app chip (BUILT 2026-05-31).** New
|
||||||
a payload + sha256 + minisig + the index entry, then re-signs the index bumping
|
Improvements tab in the updater (severity badges, apply/revert via the task system,
|
||||||
`index_serial`. The piece that lets a maintainer actually ship one.
|
unsigned = apply-disabled) + overview stat card + an amber per-app chip on the App detail
|
||||||
- ⬜ **Deferred (registry; additive, demand-gated).** `payload.kind:"bundle"` applier (verify
|
page. Task icons/labels added. Verified visually with `lp-shot`.
|
||||||
tarball → extract into the app tree → scan/regen) + `type:"app"|"theme"|"component"` +
|
- ✅ **Phase 5 — publisher tooling (BUILT 2026-05-31).** `make_hotfix.sh` turns a spec into
|
||||||
the `app_add` task + community trust-tier **host-script quarantine** (§3.2) + multi-source
|
the signed payload + index entry (serial bump, freshness, publishers map), minisign-signs
|
||||||
"tap" UX + the warrant-canary countersigning `index_serial`.
|
with `LP_MINISIGN_SECKEY`. Verified end-to-end in unsigned/local mode.
|
||||||
|
- ⬜ **Deferred (registry; additive, demand-gated — intentionally NOT built).**
|
||||||
|
`payload.kind:"bundle"` applier (verify tarball → extract into the app tree → scan/regen) +
|
||||||
|
`type:"app"|"theme"|"component"` + the `app_add` task + community trust-tier **host-script
|
||||||
|
quarantine** (§3.2) + multi-source "tap" UX + the warrant-canary countersigning
|
||||||
|
`index_serial`. The hotfix product (Phases 1–5) is complete; the registry waits for demand.
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user