Stephen,

There are no plans to do so that I am aware of.

Auto-update functionality raises a variety of issues:

 * Privacy - Call home capabilities provide someone the
   ability to monitor where the software is installed.

 * Trust - Who do you trust to provide the software?
           How will it be verified?

 * Support - Is the entity distributing the software going
             to support the end user if a problem occurs?

 * Cost - Who is going to pay to run the servers and develop
          the update service?

Four or five years ago Secure Endpoints described an update service that
was implemented based upon Google's Project Omaha.  In the end the
effort was abandoned because there was insufficient interest from
organizations willing to subscribe to the service.  On Windows in
particular there are additional issues related to the need to distribute
and update multiple packages in a synchronized manner:

 * 64-bit or 32-bit OpenAFS MSI
 * 32-bit Tools OpenAFS MSI on 64-bit systems
 * A Kerberos distribution
 * A credentials manager (Network Identity Manager or other)
 * Cell / Realm / Organization Configuration packages

As a file system an update when applied disables access to AFS until the
next reboot.  If this is performed in an automated fashion while the
user is running other applications it can result in data loss.

At the moment OpenAFS packages for Windows are signed by Your File
System Inc.   OSX packages are not signed at all.  Signing costs money
both for access to the appropriate signing certificates approved by or
provided by the OS vendor and for the Professional Liability Insurance
that should be held by any entity that is issuing signed binaries.

In theory this is a service that the OpenAFS Foundation can provide to
the community once it figures out its business plan, fund raising
strategy and governance model.

In the meantime I do not expect to see a free update service be
incorporated into the OSX and Windows distributions.

Jeffrey Altman

P.S. - You might ask why Your File System Inc. signs the Windows
installers but does not sign the OSX installers.  In the absence of a
legal entity representing OpenAFS the choice effectively was between
YFSI signing the packages and the file system drivers with its
certificate that is cross-signed by Microsoft or requiring that all
users of OpenAFS on Windows configure their systems to run in developer
mode which disables driver validation checks.  The latter was an
unacceptable option since it would have put the vast majority of end
users' systems running OpenAFS at risk.  In my former capacity as OpenAFS
Elder I had a moral obligation to maintain the viability of OpenAFS for
the community.  I permitted that obligation to persuade myself wearing
the CEO hat of Your File System Inc. to accept the on-going costs and
associated liabilities.

There is no requirement for OSX that kernel extensions be signed by a
certificate issued by Apple to an approved organization.  At least
not yet.  Although I suspect that OSX Mavericks will be the last release
on which kernel extensions will be loadable without signature. In
Mavericks end users are presented with a rather scary dialog for unsigned
kernel extensions.


On 10/12/2013 12:51 PM, [email protected] wrote:
> What's the current thinking (plans?) regarding auto-update functionality
> for the Windows and Mac OpenAFS client packages?
> 
> The ability to check and optionally download & install new versions
> seems pretty basic. Maybe something like some popular browsers and other
> non-Microsoft-update software already provide? I think this would be a
> desirable feature to add.
> 
> Cheers,
> Stephen
> 

