[Cryptography] Transactional software updates

Dan McDonald danmcd at kebe.com
Tue Oct 24 14:11:46 EDT 2017


On Tue, Oct 24, 2017 at 09:37:53AM -0400, Phillip Hallam-Baker wrote:
> I don't know about you, but I am fed up of the time it takes for
> software updates on my desktop. First the update has to be downloaded
> and then it has to be installed. Why can't this be instantaneous?
> 
> What I would like is to download the software update and then tell the
> O/S to simply overlay the update on top of the file system as an
> atomic operation. So installing a software update takes a millisecond,
> no more.
> 
> Rolling back a software update is just a matter of telling the O/S to
> stop applying the overlay.

Not QUITE what you're proposing, but the concept of "boot environments" has
been around in Solarish (Oracle Solaris & some illumos distros) for almost a
decade.

Essentially, a boot environment (BE) is a ZFS filesystem that contains that
which the OS needs to boot.  You have a current one, and any number of old or
new ones.  The trick with BEs is to separate what is configuration vs. what
is OS.  I know Oracle Solaris made some progress in this area after the great
barn door closing of 2010, while the illumos distros that use BEs
(OpenIndiana and OmniOS) might not have.

Such a scheme would likely work for any sort of filesystem that allows
easily-instantiable datasets, not just ZFS.  (If I understand correctly, both
btrfs and APFS would also allow implementation of BEs. But I *am* very
ZFS-biased.)

You run updates on a new BE in the background while you plow forward (on the
two illumos distros, you may lose some state if it's stored on the BE's
filesystem... this is where Oracle Solaris may have improved things).  Once
you reboot, the newly active BE does its thing.  The old BE can remain until
you destroy it for free disk space.

One thing such a scheme needs to consider is that sometimes an update is a
no-going-back update.  Often these involve changing an on-disk format, but
this isn't always the case.

Dan
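
The boot-environment scheme described in the message above, as an added example that is not part of the original post: a toy Python model in which each BE is a directory and the active BE is a symlink swapped with an atomic rename. The directory layout, the `active` link name and the on-disk format numbers are assumptions made for illustration; a real system would use ZFS clones and the boot loader.

```python
import os, shutil, tempfile

class BootEnvs:
    """Toy model (constructed): one directory per BE, 'active' is a symlink."""
    def __init__(self, root):
        self.root, self.fmt = root, {}   # fmt: newest on-disk format each BE reads

    def path(self, *parts):
        return os.path.join(self.root, *parts)

    def create(self, name, fmt, source=None):
        # Stand-in for a cheap ZFS clone: copy the source BE, leave it untouched.
        if source:
            shutil.copytree(self.path(source), self.path(name))
        else:
            os.mkdir(self.path(name))
        self.fmt[name] = fmt

    def activate(self, name, disk_format):
        # No-going-back check: a BE older than the on-disk format cannot boot it.
        if self.fmt[name] < disk_format:
            raise RuntimeError(f"{name} cannot read on-disk format {disk_format}")
        tmp = self.path("active.new")
        if os.path.lexists(tmp):
            os.remove(tmp)                      # leftover from an interrupted switch
        os.symlink(name, tmp)
        os.replace(tmp, self.path("active"))    # rename(2): the switch is atomic

    def running_version(self):
        with open(self.path("active", "version")) as f:
            return f.read()

def set_version(bes, name, version):
    with open(bes.path(name, "version"), "w") as f:
        f.write(version)

def demo():
    bes = BootEnvs(tempfile.mkdtemp())
    bes.create("be-old", fmt=1)
    set_version(bes, "be-old", "1.0")
    bes.activate("be-old", disk_format=1)
    bes.create("be-new", fmt=2, source="be-old")   # update built in the background
    set_version(bes, "be-new", "2.0")
    seen = [bes.running_version()]                 # still 1.0 while updating
    bes.activate("be-new", disk_format=1); seen.append(bes.running_version())
    bes.activate("be-old", disk_format=1); seen.append(bes.running_version())
    try:                                           # on-disk format has moved to 2
        bes.activate("be-old", disk_format=2); blocked = False
    except RuntimeError:
        blocked = True
    shutil.rmtree(bes.root)
    return seen, blocked
```

`demo()` shows the running version unchanged while the new BE is prepared, the switch and the rollback each done by a single rename, and the rollback refused once the on-disk format has moved past what the old BE can read.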

