GNOME OS promises fast and secure updates with systemd-sysupdate

GNOME OS, an experimental distribution that lets developers evaluate the current state of the desktop environment

The release of systemd 251 in May 2022 marked the introduction of systemd-sysupdate, a new update mechanism that promises deeper integration with systemd, support for image-based layouts, and a complete chain of trust from system boot onward, both online and offline.

This approach caught the attention of the GNOME OS developers (the experimental distribution that showcases the latest in desktop development), who have announced a transition to the systemd-sysupdate component to handle atomic system updates.


The developers mention that this change aims to port the GNOME OS nightly builds, which are used for daily quality control of GNOME development. The migration covers the boot process and file system, as well as integrating systemd-sysupdate with GNOME through a D-Bus service and polkit so that update management can be done by non-privileged software.

Currently, OSTree is used to build and update the contents of the GNOME OS root partition, updating the system image atomically from a Git-like repository.

The system partition is mounted read-only, and updates are delivered as small chunks containing only the changes relative to the previous state (delta updates). During GNOME testing this makes it easy, for example, to roll the system back to earlier versions and check whether an identified bug is present in them.

One of the advantages of moving GNOME OS from OSTree to systemd-sysupdate is the ability to use a verified boot process, in which the chain of trust extends from the bootloader to the distribution's system components. In addition, systemd-sysupdate allows a more complete integration with systemd and an architecture that handles pre-built system images as indivisible units.

Now to complete this migration, there are two main jobs involved.

The first is migrating the boot process and root file system… The second is the integration of sysupdate with GNOME. Currently, system updates can only be managed with a command-line tool, which must be run as root.

In the last quarter of last year, experiments were carried out to build sysupdate images with UEFI Secure Boot support. Currently, two variants of the GNOME OS builds are available: one based on OSTree and one based on systemd-sysupdate. What remains is to fully integrate sysupdate with GNOME and provide a graphical interface for updating the system.

At this time, sysupdate-based updates can only be managed from the command line and require root privileges. For integration with GNOME, a D-Bus service has already been developed that, in combination with polkit, allows updates to be managed as a non-privileged user. The D-Bus service and its companion updatectl utility are intended to be included in the next major release of systemd.

Among the still unresolved issues are adding delta-update support to systemd-sysupdate (currently, images are downloaded in their entirety) and creating tooling to maintain several operating system versions in parallel, based on the stable branches and on GNOME development. Work has also begun on a new installer for GNOME OS, which is still at an early stage and does not yet have a repository.
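To make the verified, image-based model described above concrete, here is an added example of a systemd-sysupdate transfer definition; it is not GNOME OS project code, and the file path, download URL, image names and partition labels are constructed placeholders. Each transfer file describes how one versioned artifact is fetched whole (hence the missing delta support noted above) and written into the spare A/B partition, and with Verify=yes sysupdate checks the download against a SHA256SUMS manifest and that manifest's detached signature before anything touches the disk, which is the link in the chain of trust between the signed bootloader and the mounted /usr image.

```ini
# /usr/lib/sysupdate.d/60-usr.transfer  (constructed example, path assumed)
# One file = one transfer. The whole image is downloaded, verified and
# written to whichever of the A/B /usr partitions is not currently in use.
[Transfer]
# Never overwrite the version that is booted right now. %A expands to
# IMAGE_VERSION from /etc/os-release.
ProtectVersion=%A
# Validate the file's SHA256 against SHA256SUMS and check the manifest's
# detached signature (SHA256SUMS.gpg). This is the default; it is spelled
# out here because it is the integrity step the article's chain of trust
# relies on.
Verify=yes

[Source]
Type=url-file
# Placeholder download location. @v is the version string sysupdate
# discovers by listing the files that match the pattern.
Path=https://updates.example.invalid/gnomeos/
MatchPattern=gnomeos_@v.usr.raw.xz

[Target]
Type=partition
# "auto" selects the GPT disk the running system was booted from.
Path=auto
MatchPartitionType=usr
# The partition label carries the version, so sysupdate can tell which
# versions are installed and pick the oldest slot to overwrite.
MatchPattern=gnomeos_@v
# Reset the GPT partition flags, then mark the slot read-only: the image
# is never modified in place, only replaced as a unit.
PartitionFlags=0
ReadOnly=1
# Keep two versions installed: the running one and the newly fetched one,
# which is what makes rollback possible.
InstancesMax=2
```

Applying such definitions is done today with `systemd-sysupdate update` as root, which is exactly the command-line-only step that the D-Bus service and updatectl mentioned above are meant to wrap for unprivileged callers.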

Finally, it is planned to add sysupdate-based update management to the GNOME Software application in the future. For this, an experimental plugin called gs-plugin-systemd-sysupdate has been prepared, which implements operating system updates via the system update D-Bus service.

According to the official announcement, GNOME OS will also gain tighter integration with systemd and advanced support for image-based layouts, providing immutability, automatic updates, factory resets, and more.

If you are interested in knowing more about it, you can consult the details in the following link
