JOIN/SIGN UP
Already a Member? |
GET INVOLVED
Understanding and Engaging in COVESA Expert Groups & Projects |
COLLABORATIVE PROJECTS
HISTORICAL
SDV Telemetry Project - On Hold |
We use cookies on this site to enhance your user experience. By using this site, you are giving your consent for us to set cookies. |
Wiki page for logging review comments and discussions.
Base version:
Concept document
GENIVI Application Framework
7th July 2016
Document Author: Simon McVittie
Document Reviewer: Sjoerd Simons
Document Reviewer: Philip Withnall
Document Reviewer: Guy Lunardi
Document Owner: Collabora - Guy Lunardi
E-mail: guy.lunardi@collabora.com
Tel: : \+1-801-200-3848
Collabora Document Number: GEN0001
Collabora Document Version: v0.3 (draft)
Author Date Version Change Approved
SM 29-06-2016 0.1 Initial version SM
SM 04-07-2016 0.2 Revised internal version SS
GL 23-06-2016 0.3 First draft shared with GENIVI GL
link to the document : Application Framework scope and requirements
This document outlines requirements relevant to the GENIVI Application Framework effort. However some of these requirements may well be considered out of scope for requirements to the GENIVI Application Framework due to overlap with other GENIVI initiatives. They are included here as they are perceived to be within the context of an application framework. This document does not aim to specify a particular implementation for any requirement. The terms privilege, privilege boundary, confidentiality, integrity and availability have their usual information-security meanings (for definitions, please refer to Apertis Security design). This document is authored by Collabora. The content of this document is made available under the Attribution-ShareAlike 4.0 International license (CC BY-SA 4.0).
NOTE: Initial IDs are assigned equal to the line number in the original document.
copy here
ID | Text |
---|---|
25 | There are two commonly-used definitions of an "app": either a user-facing launchable program (an entry point) such as would appear in launcher menus, or a user-installable package or bundle such as would appear in an app store. |
Comments: GN - info - Within GENIVI scope, 'Managed Apps' and 'Native Applications' has been defined GA: A fair assumption is that a bundle will never contain both managed and native apps and an app is either native or managed. I think we are fine with the current definitions and they can be used in combination with the defintions here without any conflict between them. GA: A clear definition of "bundle" would help here (because of later usage e.g. entry-points) GM: Please clarify how this definition is related to "Managed Applications" and "Native Applications" as defined inside the GENIVI Reference Architecture GM: Also "package or bundle" should be better defined (notice that the GENIVI Compliance Specification already defines a "Package Manager") PW: ‘bundle’ is defined on line 27 as a concept similar to an app on Android, for example. The definition is refined over the course of the document. We could try and expand the summary here a bit. GA: This week 2016-11-08 it seems we said that Bundle = A collection of zero or more executable files, zero or more libraries and zero or more meta-data files (for the last case imagine for example a "Skinning/theming bundle containing Icon graphics and configuration files only.". In an app store what would be presented to the user as one app would technically be downloaded as one bundle of files. | |
Extracted requirement: |
ID | Text |
---|---|
28 | A user-installable bundle would most commonly have exactly one entry point. However, it might not have any entry points at all, for example if it is a theme or some other extension for the operating system. Conversely, it might have more than one entry point: for example, a user-installable bundle for an audio player might contain separate menu items for music and audiobooks, launching different executables or the same executable in different modes to provide an appropriate UX for each use-case. |
Comments: GN : Ok, Multi entry points for Apps need to be translated into requirement. GA: Put definitions at top, e.g. what is a bundle according to our previous discussions. | |
Extracted requirement: |
ID | Text |
---|---|
34 | In this document, when we need to distinguish between the two meanings, we will say that a user-installable bundle contains zero or more entry points. Entry points are similar in scope to Android activities. |
Comments: GN :OK GA: I am still not sure that the Android comment helps. From android docs: "An Android Activity is an application component that provides a screen with which users can interact in order to do something". Activity requires a graphical view? Is that also required for each entry point? Let's put down an actual definition table at the start of this document - for bundles, entry-points, etc. PW: You're right. Entry points do not require a graphical view. I agree with putting a definition of entry points at the start of the document. | |
Extracted requirement: |
ID | Text |
---|---|
37 | Some vendors might decide to restrict the apps available in their app stores to have at most one entry point, but that is a policy decision by those vendors and should not be reflected in the more general app framework. |
Comments: GN : Should vendor specific config be a part of manifest? PW: Vendor-specific configuration should be a part of the vendor’s platform policy, which will be encoded in their app store guidelines, and implementations of vendor-specific components in the platform. Manifests contain metadata, which should be kept separate from policy. It would be redundant to encode a general vendor-wide policy of “maximum number of entry points” in the manifest for each app. Type: INFO. | |
Extracted requirement: |
ID | Text |
---|---|
40 | Entry points might be written as native code (for example compiled from C or C++), or they might run under an interpreter or JIT in a runtime environment that provides GUI functionality analogous to native code (for example if the app is written in Java, Python, or JavaScript for the node.js, gjs or seed runtime environments), or they might run in a HTML5 runtime environment. We treat all of these as fundamentally similar: they result in the execution of app-author-chosen code. |
Comments: GN : OK GA: OK GM: OK Type: INFO | |
Extracted requirement: |
ID | Text |
---|---|
46 | (Note that whether an app is written in native code has no bearing on whether it is what GENIVI calls a native application, which is an app that is built into the platform, or a managed application, which is one of the user-installable apps discussed here: either may be written in either native code or an interpreted/JITted environment.) |
Comments: GA: Good paragraph but I would consider if the words "compiled code" are any help here. PW: I suspect that ‘compiled code’ was chosen against, because a large variety of programming languages are ‘compiled’, even if the end result is managed or native code. The term ‘native code’ is loosely defined on line 40 — does the definition need to be bolstered? | |
Extracted requirement: |
ID | Text |
---|---|
50 | The app framework must be capable of running native-code (C or C++) executables. |
Comments: GA: Policy decision? If we're aiming for one framework to rule them all, I guess I agree. If we are aiming for a shared requirement set for many different environments, it might not be true. PW: The approach we’ve taken is that applications written in interpreted or managed languages are treated as the combination of their interpreter and the code, where the interpreter is invariably native code. So native code support is always required. However, this would be an unnecessary complication on systems which only have managed/interpreted apps. This could be changed to be a policy detail; I don’t know what the consequences would be for the rest of the document. GN : OK | |
Extracted requirement: |
ID | Text |
---|---|
51 | The app framework must be capable of running programs that require an interpreter/JIT-based runtime environment such as Java or Python. It may require that the runtime environment provides suitable library functionality to work with the framework (for example, if the framework uses D-Bus for IPC, then it does not need to support runtime environments that do not have a D-Bus implementation or binding). |
Comments: GA: See previous GN : OK | |
Extracted requirement: |
ID | Text |
---|---|
56 |
|
Comments: GA: See previous GN : OK | |
Extracted requirement: |
ID | Text |
---|---|
59 |
|
Comments: GA: See below | |
Extracted requirement: |
ID | Text |
---|---|
64 |
|
Comments: GA: So the definition is that these are not entry-points. Entry-points require a GUI is the definition PW: No, the definition on line 59 is that entry points may be GUIs or background services. The definition on line 26 does not contradict this, but could be clarified as it currently sounds like an entry point must have a GUI. That’s not the case. PW: Note that we could cross-reference this to ~line 28. | |
Extracted requirement: |
ID | Text |
---|---|
69 |
|
Comments: GA: OK GM: OK | |
Extracted requirement: |
ID | Text |
---|---|
71 | Some vendors might decide to restrict the apps available in their app stores to have at most one executable, or to have at most one GUI and one non-GUI executable, but that is a policy decision by those vendors and should not be reflected in the more general app framework. |
Comments: GA: OK GN : OK GM : OK Type: INFO | |
Extracted requirement: |
ID | Text |
---|---|
75 | Each bundle should have bundle metadata to represent the app in situations like an app store, a system settings GUI or a prompt requesting app permissions. |
Comments: GA: OK GN : OK GM : OK Type: Requirement | |
Extracted requirement: |
ID | Text |
---|---|
77 |
|
Comments: GA: OK GN : Need to define a minimum set as mandatory requirement including privileges/permissions Type: REQ | |
Extracted requirement: |
ID | Text |
---|---|
79 |
|
Comments: GA: OK GN : OK GM : OK Type : REQ | |
Extracted requirement: |
ID | Text |
---|---|
83 |
|
Comments: GA: OK GN: OK | |
Extracted requirement: |
ID | Text |
---|---|
87 |
|
Comments: GA: OK GN:OK Type:REQ | |
Extracted requirement: |
ID | Text |
---|---|
91 |
|
Comments: GA: OK GN:OK Type:REQ | |
Extracted requirement: |
ID | Text |
---|---|
95 |
|
Comments: GA: Discussion point. Shall we define this and if so what to choose? PW: It should be standardised if and only if the metadata format is standardised, as discussed on line 87. If so, we recommend AppStream XML, plus ancillary files for custom metadata. GA: OK. I propose we make AppStream XML a recommended format. Are there any other format proposals? PW: None from me. For reference, here's the Apertis specification for it: https://appdev.apertis.org/documentation/bundle-spec.html#bundle-metadata | |
Extracted requirement: |
ID | Text |
---|---|
99 | Apps are expected to be numerous.
|
Comments: GA: OK GN: OK Type: REQ | |
Extracted requirement: |
ID | Text |
---|---|
103 |
|
Comments: GA: OK GN: OK GM: OK Type: REQ | |
Extracted requirement: |
ID | Text |
---|---|
107 | The app framework must provide a location where app programs can write their private data. |
Comments: GA: I would rephrase "location" to mechanism. There are several ways to do this, one would be through a defined interface, like GENIVI Persistence Client Library GN : Is this expected to have a separate set of API's. PW: We used ‘location’ because Apertis does not require use of a persistence library (robustness is left to the file system and kernel to implement), but it could be rephrased to ‘mechanism’. The only API defined here is the existence and path of the shared location. | |
Extracted requirement: |
ID | Text |
---|---|
109 | Open question: is this in-scope for the app framework, or is there some other platform component that does it? |
Comments: GA: The deep implementation of persistence must be a platform issue. The API for applications should be defined here. We must discuss the solution and the app-to-platform interface
| |
Extracted requirement: |
ID | Text |
---|---|
111 | The framework should provide a location that is treated as private data in which to store cached data, defined as data that can be recovered in a straightforward way by downloading it from the Internet or computing it from non-cached data. |
Comments: GA: OK GN: should be ok. | |
Extracted requirement: |
ID | Text |
---|---|
114 |
|
Comments: GA: OK. (This is a requirement on the framework but also needs to also go into app writing guidelines) GN : OK. GM : OK | |
Extracted requirement: |
ID | Text |
---|---|
116 |
|
Comments: GN : OK | |
Extracted requirement: |
ID | Text |
---|---|
121 | The app framework must provide a mechanism by which an app program's private data can all be deleted by another system component, for example as part of removal or a factory reset. |
Comments: GN : Ok as requirement. GA: OK | |
Extracted requirement: |
ID | Text |
---|---|
124 | The app framework should provide a mechanism by which all app programs' private data can be deleted in a single operation during a factory reset, so that the factory reset procedure does not need to enumerate app programs and iterate through them. |
Comments: GA: OK | |
Extracted requirement: |
ID | Text |
---|---|
127 | Deleting per-user data and per-device data during a factory reset is also anticipated to be necessary, but is outside the scope of this framework. |
Comments: | |
Extracted requirement: |
ID | Text |
---|---|
130 | App processes should run in a sandbox which partially isolates them from the rest of the system. |
Comments: GA: OK GN : OK GM : OK Type : Info ? | |
Extracted requirement: |
ID | Text |
---|---|
132 | We anticipate that each app bundle will act as a security domain, similar to the concept of an origin on the Web: in other words, there is a security boundary between each pair of appbundles, but for simplicity there is no privilege boundary within an app bundle (for example between two programs in the same app bundle). |
Comments: GA: OK GN: OK GM: OK | |
Extracted requirement: |
ID | Text |
---|---|
136 | Each app is assumed to store private data which is specific to that app. On a multi-user system, this private data is also specific to a user: in other words, there is one private data location per (app, user) pair. |
Comments: GA: The later descriptions are clearer. I might suggest rewriting this first paragraph. GN: same as above Type : REQ | |
Extracted requirement: |
ID | Text |
---|---|
139 |
|
Comments: GN : Is this list final or only an example? PW: It’s meant as an example. Type : | |
Extracted requirement: |
ID | Text |
---|---|
143 |
|
Comments: GN :OK type : REQ | |
Extracted requirement: |
ID | Text |
---|---|
145 |
|
Comments: GN :OKtype : REQ | |
Extracted requirement: |
ID | Text |
---|---|
149 | Note that the App confidentiality requirement below imposes a stronger requirement than this: the first app must not even be able to know that the second app's private data exists. |
Comments: GN :OKtype : REQ | |
Extracted requirement: |
ID | Text |
---|---|
152 | Some categories of data might be specific to a single app but common to all users. We call these per-app data. |
Comments: GN :OKtype : Info | |
Extracted requirement: |
ID | Text |
---|---|
154 |
|
Comments: GN :OK | |
Extracted requirement: |
ID | Text |
---|---|
162 |
|
Comments: GN : Is this list final or only set of way of handling? PW: It’s an example. Type : | |
Extracted requirement: |
ID | Text |
---|---|
166 |
|
Comments: GN : OK | |
Extracted requirement: |
ID | Text |
---|---|
170 |
|
Comments: GN : OK | |
Extracted requirement: |
ID | Text |
---|---|
174 |
|
Comments: GN: OK GA: "Write" is general. As requirements go, additional precision might be needed, e.g. delete != modify? | |
Extracted requirement: |
ID | Text |
---|---|
178 |
|
Comments: GN : OK type : REQ | |
Extracted requirement: |
ID | Text |
---|---|
183 |
|
Comments: GN : OK | |
Extracted requirement: |
ID | Text |
---|---|
188 | Some categories of data are not necessarily specific to a single app or to a single user; instead, they might be shared between all apps and between all users, like Android's /sdcard. We call these per-device data. |
Comments: GN: OK | |
Extracted requirement: |
ID | Text |
---|---|
191 |
|
Comments: GN: OK | |
Extracted requirement: |
ID | Text |
---|---|
198 |
|
Comments: | |
Extracted requirement: |
ID | Text |
---|---|
200 |
|
Comments: GN : OK type : REQ | |
Extracted requirement: |
ID | Text |
---|---|
202 |
|
Comments: GN:OK type : REQ | |
Extracted requirement: |
ID | Text |
---|---|
208 |
|
Comments: GN: OK | |
Extracted requirement: |
ID | Text |
---|---|
215 |
|
Comments: GN: OK type: REQ GA: Needs some more details. Eg. is (direct) communication between apps even possible? User consent is a policy question? PW: We could expand on this a bit, but since this section is about file system access, it would be a bit distracting to devote a lot of discussion to inter-app communication. The idea in Apertis is that apps cannot talk directly to each other — any communication is mediated via an IPC service for ‘data sharing’ which can enforce permissions on which apps can talk to each other. These permissions might involve user consent (the precise policy is, as you say, a question of vendor policy). GA: OK, I think that makes sense. | |
Extracted requirement: |
ID | Text |
---|---|
218 |
|
Comments: GN : OK type : REQ | |
Extracted requirement: |
ID | Text |
---|---|
221 | Resource limits: A malicious, compromised or buggy app might use more than its fair share of system resources, including CPU cycles, RAM, storage (flash) or network bandwidth. |
Comments: GN : OKtype : REQ | |
Extracted requirement: |
ID | Text |
---|---|
223 |
|
Comments: | |
Extracted requirement: |
ID | Text |
---|---|
225 |
|
Comments: | |
Extracted requirement: |
ID | Text |
---|---|
229 | A very simple app, for example a calculator or a simple to-do list, might not need to do anything other than the operations allowed to all apps: display a GUI when launched, run code in a sandbox, store its own private data up to some reasonable limit, and so on. |
Comments: | |
Extracted requirement: |
ID | Text |
---|---|
232 | To carry out its designed purpose, a more complex app might need permission to carry out actions that can compromise confidentiality (user privacy), integrity, or availability (the absence of denial-of-service). For example, a more elaborate to-do list app might be able to synchronize the to-do list to a cloud service, requiring it to have Internet access which would make it technically able to copy whatever data it can read to a location not under the user's control; it might ask to read the user's geographical location, to provide locationbased reminders; and it might support attaching photos to its to-do items, requiring it to read files that are not its private data. |
Comments: | |
Extracted requirement: |
ID | Text |
---|---|
240 | Some permissions have technical constraints that makes it impractical to request user permission before they are used. For example, one possible permission flag is "has unrestricted Internet access", which might be used for a voice-over-IP client app. To support this control, the life-cycle manager would need to launch the app program with unrestricted Internet access either allowed or forbidden: it cannot be adjusted later. |
Comments: GA: "before they are used" really means "on-demand" or "interactively"? Internet access, system might also ask consent on first use. PW: Yes. In this case, we’re talking about situations where an entire session in an app would need to be torn down and recreated in order to change its behaviour after being granted/denied permission. [App FW telco - 15-11-2016] Its agreed to change to "on demand". Provide possibility for having permissions before launch and after launch. | |
Extracted requirement: |
ID | Text |
---|---|
245 |
|
Comments: | |
Extracted requirement: |
ID | Text |
---|---|
251 |
|
Comments: | |
Extracted requirement: |
ID | Text |
---|---|
254 |
|
Comments: | |
Extracted requirement: |
ID | Text |
---|---|
258 | Some operations that cross privilege boundaries naturally include an opportunity for the user to reject the operation. To minimize driver distraction, the system should provide that opportunity instead of having a separate permission prompt. |
Comments: | |
Extracted requirement: |
ID | Text |
---|---|
261 |
|
Comments: | |
Extracted requirement: |
ID | Text |
---|---|
267 |
|
Comments: GA: I would say framework shall require all privilege-boundary-crossing operations to be declared... (why not?). I mean they need to be declared - not every operation might be in the category that requires user acceptance. User acceptance and declaration are orthogonal concepts in my view of this. PW: I see no problem with declaring them all in advance. As you say, declaring which permissions an application might request is orthogonal to whether those permissions are actually granted at request time. [App FW telco - 15-11-2016] : agreed | |
Extracted requirement: |
ID | Text |
---|---|
273 |
|
Comments: Type: Information | |
Extracted requirement: |
ID | Text |
---|---|
277 |
|
Comments: GA: As indicated above, I would change "declared in advance" to "require user acceptance" or similar. Discuss and improve. PW: I think we can treat declaring permissions as orthogonal to user authorisation of an app requesting those permissions in this case too. In this case, an example permission would be “let this app use my Facebook account to upload a photo”. If the permission is declared for the app, there are several policies which could be used at the time the app actually tries to start the upload: unconditionally allow the request, unconditionally deny the request, always ask the user, or ask the user if this is the first time the permission has been requested and use the answer from last time otherwise. I would agree with you, but I suspect that we should leave the exact policy to the vendors. [App FW telco - 15-11-2016] similar to ID-267 | |
Extracted requirement: |
ID | Text |
---|---|
283 | A bundle may contain zero or more entry points. These are typically started from a launcher, which might take the form of a home screen, main menu or application list.| |
Comments: GA: OK, although I think it's a little unclear with reference to the defintion. OpenDocument(mimetype) is also an entry point right? At least if it brings up a GUI, but it won't be on the home screen. Only some entrypoints will? PW: Correct, that’s why it says ‘typically’ rather than ‘always’. We could rephrase this to ‘for example, these might be started from…’? [App FW telco - 15-11-2016] : Have the entry point topic collated together and make it explicit. | |
Extracted requirement: |
ID | Text |
---|---|
285 |
|
Comments: GA: Only those entrypoints that are not OpenDocument() type... PW: There seems to be some confusion here over entry points which handle opening content by its content type (equivalently, its MIME type). Any entry point, including those which are listed in the launcher, can declare that it handles a list of content types. An entry point does not have to be listed in the launcher to declare that it handles a list of content types, either. For example, the Apertis music application has four entry points: three (artists, songs, albums) are listed in the launcher and don’t handle opening content; and a fourth (the ‘now playing’ view) is not listed in the launcher but does handle opening content (audio/mpeg, etc.). Different entry points within the same applications bundle can advertise different lists of content types they handle. Phrased differently, the set of entry points which handle opening content and the set of entry points listed in the launcher do not have to be disjoint or equal. [App FW telco - 15-11-2016] : As agreed above wrt to entry points. | |
Extracted requirement: |
ID | Text |
---|---|
290 |
|
Comments: GA: OK | |
Extracted requirement: |
ID | Text |
---|---|
293 |
|
Comments: GA: First part is OK but decision needs discussion. Does .desktop imply also the syntax? E.g. ini-file style...? PW: .desktop implies the syntax, standard field names and semantics, and rules for defining custom fields. http://standards.freedesktop.org/desktop-entry-spec/latest/ GA: OK. Let's make .desktop format a recommended format. Are there any other proposals? PW: I have no other proposals. For reference, here's the Apertis specification for it: https://appdev.apertis.org/documentation/bundle-spec.html#entry-points [App FW telco - 15-11-2016] : agreed. | |
Extracted requirement: |
ID | Text |
---|---|
297 |
|
Comments: | |
Extracted requirement: |