From Fedora Project Wiki

Application For Project Atomic

Contact Information

Questions to answer

Why do you want to work with the Fedora Project?

I’ve been working on the NixOS GNU/Linux Distribution, submitting some packages, packaging improvements, and patches to the package manager. The package manager is nice (it allows installing multiple versions of packages at once), but it's still not as mature as Fedora, and various project management issues suggest this will not change in the near future. And the use of symlinks as opposed to OSTree's hardlinks has caused a lot of interesting problems (for example KDE's KWin does not follow symlinks when loading Plasma plugins).

Fedora is working on the Modularization project, which is very similar in goals to NixOS. I think Fedora has a better chance of success long-term, so I would like to work with them.

Do you have any past involvement with the Fedora Project or another open-source project as a contributor?

I've contributed to SuperTux, a popular FLOSS game, since 2008. In particular, I created the introductory cutscene (video) and fixed bugs in the worldmap save system (which is completely script-driven, for flexibility), as well as the usual play-testing and level design. I’ve also patched the Re-pagination extension to support the sites I use; it’s been an ongoing adventure. I have upstreamed the more useful patches to the main developer. According to Mozilla it has 5,013 users.

Have you participated in GSoC in the past? If so, what year(s) and which organization(s)?

In 2014 I did a GSoC as part of the organization. I implemented a constraint-based layout library using Microsoft's Z3 SMT solver.

Do you plan to continue contributing to the Fedora Project after GSoC? If yes, what sub-project(s) are you interested in?

Yes; I plan to keep contributing to Fedora and Project Atomic in particular until it is at least as good as NixOS in terms of package management functionality.

Why should we choose you over other applicants?

I am probably the only applicant who has used NixOS on a daily basis for the past few years, and can articulate its benefits and disadvantages.

Have you contributed to any other open source organizations or projects? If so, do you have artifacts you can show so we can see your skill set(s)?

See previous questions. My Nixpkgs contributions are here, SuperTux is here, and my Re-pagination fork is here.

Do you have any other open source experience (even if not coding-related)?

I did a Mozilla Litmus testcase-writing week; it was fun and I got a T-shirt :-).

Proposal Description

OSTree: Drop privileges for HTTP fetches

Overview and The Need

OSTree currently runs as root while doing all operations, including fetches from external repositories over HTTP. But libsoup is not exactly a secure, well-tested library, and few projects use it. Running the fetch operations in a separate low-privileged process will add more security, as will switching to libcurl.

Furthermore, the aria2 project implements a feature not found in curl or libsoup, namely multiplexing downloads from multiple servers (e.g., for file A, aria2 can download 50% from server 1 and 50% from server 2). Moving to an external process will allow a pluggable fetching implementation, allowing the use of aria2's features for those who want them.

Any relevant experience you have

I have worked on the SuperTux Addon manager, which uses libcurl to fetch addons, and I have also done some work on the Nix code, which uses a shell script wrapper around curl.

How do you intend to implement your proposal

The fetcher will be refactored as a separate program, and the build system will be modified to build it. Then the call to the fetching code will be changed to a fork / drop privileges / exec. Finally I will modify the configuration system to allow configuring which fetcher is executed, and ensure that aria2 works (possibly through a wrapper shell script).
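The fork / drop privileges / exec sequence described above, sketched in C as an added example (it is not code from this proposal or from OSTree). The function names, the uid/gid 65534, the `/bin/sh` stand-in for the fetcher and the choice to skip the drop when the caller is not root are all assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently drop root. Order matters: supplementary groups, then gid,
 * then uid, since after setuid() the process may no longer change groups. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return 0;                      /* already unprivileged */
    if (setgroups(0, NULL) != 0)       /* clear root's supplementary groups */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0 || seteuid(0) == 0)
        return -1;                     /* root was regained: drop is not final */
    return (getuid() == uid && getgid() == gid) ? 0 : -1;
}

/* Fork, drop privileges in the child, exec argv[0] (absolute path) and
 * return its exit status; -1 on fork/wait failure or death by signal.
 * The child exits 126 if the drop fails (fail closed), 127 if exec fails. */
int run_fetcher_unprivileged(uid_t uid, gid_t gid, char *const argv[])
{
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL }; /* constructed minimal env */
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0)
            _exit(126);
        execve(argv[0], argv, envp);
        _exit(127);
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Assumed values: /bin/sh stands in for the fetcher, 65534 for "nobody". */
    char *const argv[] = { "/bin/sh", "-c", "id -u", NULL };
    return run_fetcher_unprivileged(65534, 65534, argv);
}
```

File descriptors the parent opened without close-on-exec are still inherited by the fetcher, so a caller would also close or mark those before the exec.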

A rough timeline for your progress

  • Bonding period: Modify build system to build fetcher externally
  • First half: Implement forking
  • Second half: Implement aria2 support

The school year starts August 22nd, during which I expect to be incredibly busy, and I have to do various related tasks before then (finding an apartment, attending the week-long orientation starting Aug 15th, etc.). But other than that I have no conflicts with working on GSoC.

Final deliverable

Support for aria2 and curl working in ostree as a separate process