Notifications: Out of the comfort zone?
garro last edited by
@Flohack Exactly, when the phone connects to it asking for them
Bastos last edited by
@NeoTheThird Sorry, I misunderstood your words - it's not your fault - I just thought micro-services -> daemons.
That's something that would allow us to effectively keep control of what's running in background.
However, some of my observations are still valid; I suggest you to give a look at the "Headless apps" for BBOS10, it's worth a read.
We'd need to limit CPU and memory usage for background services, a network bandwidth limitation would be desirable too. Also, services should be forced to complete their tasks within 20 seconds, in order to preserve battery life.
However that wouldn't solve some security concerns - we'd still need to provide a certain amount of isolation between the micro-service/headless-app and the main GUI. This would require a change in the Click package specifications, and we come back to the (infamous) question we still have to answer: Click, Snap or what else?
If there's something I like of the Maemo/Meego/SailfishOS implementation, that is its simplicity. It's pretty straightfoward to implement "local" notifications that way.
I still prefer a BBOS-like solution, but I think that we should initially focus on how to get dekko and telegram-app notifications working, understand their requirements, and then see which solution fits better.
-- About ContentHub,
I've been using it in almost all of my projects, from the DocumentViewer to InstantFX, with the authorization from the Canonical Security Team to use the "extra" permissions granted to Core Apps, or even fighting for sorting out a good user experience for an application (InstantFX) that requires a persistent access to user's Pictures folder.
There's for sure some problem with ContentHub: although it has seen an increase of its capabilities (e.g. print and clipboard support), its model has never changed since 2013. I recall that a mime type filtering (instead of those "well-known" content types) has been promised some years ago, but never landed.
I believe that user's public data (in "~/<xdg_user_directories>") should be consumed by any app or device that requires it. Otherwise there wouldn't be any need for data to be saved there, but we'd use apps private folders instead.
However I still think that ContentHub might be useful for those applications that doesn't require a persistent access to user's folder.
In any case, we might also want to change the ContentHub experience a bit:
- We may want to keep the current "peers model" for accessing private data owned by a single application. This is how it works now, and it's perfect for such scenario.
- We may want to add a file picker UI directly in the ContentHub - like in Android. That'd be useful with public data, once we have mime type support.
Canonical wanted to enhance security. That came at a cost: applications can only access to their local copy of a file.
I think the keyword here should be "privacy": applications can access user's data, but we explicitly inform the user of any change or access to her folder.
I think we should get in touch with previous ContentHub maintainer: if there's a way to change AppArmor restriction during the app executions, adding some temporary read permission, that would be great.
Generally speaking: major issues are:
- Content export: the app loses focus, therefore the user flow is interrupted.
- Content peer UI: e.g. gallery-app, it's not much usable, IMHO
- Well-known content types: not something really flexible.
Content import is annoying - that's true - and I'd like things to be handle differently. However receiving a copy of the original file is not so traumatic yet, if well handled.
garro last edited by garro
@sverzegnassi What about using links instead of local copies? This would solve the space issue while still keeping almost the same granularity that UT currently ships and that I really appreciate a lot.
@garro That's how ContentHub already works, when it's possible. However there are apps that performs a local copy. The first example I can think of is DocViewer: if an app requires to export a document in ~/Documents, it needs to copy the file, since it has to be publicly available even if the other app is uninstalled, or its private data are deleted.
mardy last edited by
I think that everyone would be happy with a notification server, if we were 100% sure that it was secure and that no one would have access to our notifications. Unfortunately, in real life this is very different to achieve.
Here's my brainstorming on the subject:
the notifications will be sent in encrypted form from then originating service (e.g., telegram) to the notification server. Only the ID of the destination user account will be left in clear (or encrypted with a key provided by the notification server), so that the notification server can read it and push the notification to the proper device. But the notification server should not have access to the contents of the notification, which will be encrypted in a way that only the destination device can decrypt.
if the option above is too difficult to implement, then I propose that the messages sent to the notification server should only contain the ID of the destination user: so, Telegram (for example) will inform the notification server that user X has something new, without specifying any further information. Then, the notification server will send a push notification to user X's device, telling it that there's something new in Telegram. The Telegram app will have to implement a push notification client consisting of a UI-less binary which will connect to the telegram servers, check what's new, and generate the JSON notification messages. If we plan this right, it should be possible to use the same binaries for this goal and for account-polld, which would make developers' life easier when switching between account-polld and the push notifications.
Leppa last edited by
Could we not have notifications locally stored in RAM? If an app wants to generate a notification, it simply needs to instantiate it and add it to some array. Simply regulate that array, limit the amount of notifications an app can have at one time, and there you go.
@Leppa Its already made like this, basically, you got a local notifications API that you can call. The text messaging is made like this, SD card status etc. But what all people seem to forget, it´s not about how to display the notifications locall but how to send them to the device in case they come from a remote service.
So how in your case you deal with pending notifications on the telegram server? Or other services like that? Imagine a trading App that monitors your stocks, and gives you alerts every lets say 10mins?
By not having a push server infrastructure we need to let all Apps run in foreground so that they are able to see smth has changed.
@sverzegnassi regarding the headless app... Can´t we work with DBus to communicate between all these things? The Apps should have access there?
@Flohack I know that any DBus call - except for some - is by default denied by AppArmor, therefore we should for sure update the confinement AA templates.
I think we'd probably need to define a new AppArmor profile for headless apps, in order to prevent e.g. usage of the UriHandler service