Changes to the Helix Configuration Manager Copyright (C) 2000 Ximian, Inc. Written by Bradford Hovinen As it stands, capplets and Ximian Setup Tools are both run as separate processes through the exec() facility. It is planned that the capplets shall become Bonobo controls in the future, once the OAF/gnorba compatibility problems are worked out. This changes the design of the configuration system considerably, and several things should be done to take full advantage of these changes. 1. Capplets become Bonobo controls It stands to reason that the front ends for Ximian Setup Tools should become Bonobo controls at the same time as capplets. They can each implement the same interface (say, Bonobo::Capplet) with methods getXML(), setXML(), ok(), cancel(), and init() and hence look the same to the shell. This means that the front ends for the Ximian Setup Tools run as the same user as XCM and respond in the same way as capplets do to requests to embed them in the XCM shell window. This is essential for a consistent user interface that will not result in end-user confusion [1]. XCM itself may then export an interface that includes the method runBackend(), to which the frontend supplies a stream of XML that XCM passes through the root manager to the backend via a standard pipe [2]. The backend is then responsible for running the program that archives the XML -- there is no other way to place that XML in a central, system-wide repository. I suggest, therefore, that we modify the design of the current system to make that change, so that we do not have to undo existing work later. 2. Backends get CORBA interfaces through Perl/ORBit At this point, there must be a way for the root manager to forward CORBA sockets to the user securely. This could be done by modifying ORBit so as to give the running program very precise control over the nature of the socket. Access could be granted specifically to the user running the root manager by placing the socket in a directory owned by that user with permissions no more lax than 0700. When the CORBA interfaces are created, applications will be able to make use of it to make system-wide changes as necessary (say, to add a new user during the installation of a piece of software). This means that the traditional rollback facilities must be extended to allow users to roll back changes made by applications. In addition, the application must treat the backend as a black box -- it should never be expected to do anything unusual to support rollback, since buggy or poorly-written applications would otherwise cause trouble for unsuspecting users. At this point I suggest that each backend export two interfaces: one that is universal to all backends and one that is specific to that particular tool. The former may include the methods getXML(), setXML(), and commit(). When changes are made through the tool-specific interface, the tool decides whether or not to apply those changes immediately or to queue them up until a commit() is invoked. If changes are made through the backend's CORBA interface and it is deactivated before a commit(), the backend must roll back those changes under the assumption that they are not intended to be permanent. Of course, this makes implementation of the cancel() interface on the frontends very easy -- simply deactivate the backend without commit()ing. ok() can be implemented by flushing any remaining changes, calling commit(), and then deactivating the backend. The frontend can and should use the CORBA interface to invoke changes whenever they are made, as long as it makes sense. It is then the backend that sets the policy of whether or not the updates are live, as described above. The frontend must still be able to read XML, though, since it is through that that it will get an initial description of the setup with which to fill in the dialog. In addition, since the frontend may be invoked to make changes to an inactive location, it should be able to write out an XML description of the dialog's contents so that those changes may be archived rather than applied immediately. Notes [1] A visual cue that signals to the user that he is running a system-wide configuration tool rather than a personal one would be advantageous. Such could take the form of an icon on the dialog, a layout or formatting convention for the dialog proper, or some sort of coloring convention of some of the controls. However, simply having the tool run with root's Gtk+ theme and ignoring the embedding preference, as would be the case if we do not Bonobize the HST frontends, is inconsistent as many users will leave their themes as the default and elect not to embed capplets -- eliminating all visual cues. In addition, it is not particularly lucid and many users will merely be confused by the inconsistent interface. One may imagine many users filing bug reports in the belief that the behavior is erroneous. Hence, that solution is insufficient. [2] There must then be a method of multiplexing I/O throught the root manager, as there may be multiple backends running concurrently. A simple protocol could be implemented to do this, or a named pipe could be created if done very carefully as to ensure a high degree of security.