A persistent non-GUI process launched automatically at boot time, immediately after application installation or by D-Bus activation.

See: Creating a Canterbury agent

application bundle

Also known as: app bundle, bundle

A group of functionally related components (be they services, data, or programs), installed as a unit. This matches the sense with which “app” is typically used on mobile platforms such as Android and iOS; for example, we would say that an Android .apk file contains a bundle. Some systems refer to this concept as a package, but that term is strongly associated with dpkg/apt (.deb) packages in Debian-derived systems, so we have avoided that term.

See: Applications

automotive domain

Also known as: , blue world

A security domain (potentially a virtualised OS, or a separate OS on a separate computer) which runs automotive processes, with direct access to hardware such as audio output or the CAN bus; contrast with the infotainment domain.

See: Inter-Domain Communication


The property of being accessible and usable upon demand by an authorized entity.

See: Security

built-in application bundle

An application bundle providing basic user-facing functionality, presented as a modular “app” resembling a store application. These are part of the system image (/usr/Applications), cannot be removed, and are updated by system updates.

See: Applications Design

bundle ID

The string identifying an application bundle. This should take the form of a reversed domain name, such as org.apertis.Frampton or


The property that information is not disclosed to system entities (users, processes, devices) unless they have been authorized to access the information.

See: Security

consumer–electronics domain

Also known as: CE domain, CD, red world, infotainment domain, IVI domain

A security domain (potentially a virtualised OS, or a separate OS on a separate computer) which runs the user’s infotainment processes, including downloaded applications and processing of untrusted content such as downloaded media; contrast with the automotive domain; Apertis is one implementation of the CE domain.

See: Inter-Domain Communication


Also known as: dialog A specialised form of window which is modal and typically used to prompt the user for a response to a specific question (such as ‘do you want to save changes to this document before closing’); this is used in the same sense as on desktop systems.

essential software

The platform and built-in applications.

See: Applications Design


The on-disk representation of a program.

graphical program

A program with its own UI drawing surface, managed by the system’s window manager. This matches the sense with which “application” is traditionally used on desktop/laptop operating systems, for instance referring to Notepad or to Microsoft Word.


Human Machine Interface


The property that data has not been changed, destroyed, or lost in an unauthorized or accidental manner.

See: Security

Independent Software Vendor (ISV)

An organisation or individual who produces third-party software for Apertis, in the form of a store application. ISVs are identified by a reversed domain name such as


A transient message or alert from a process to a user, displayed for a short period of time; user interaction with the notification can launch a dialogue with follow-up options for the message; if the notification is ignored it will eventually disappear; this is used in the same sense as on desktop systems. Desktop Nofifications


A vendor such as a vehicle manufacturer who installs an Apertis variant on their products.


Software that is not an application bundle. This includes all the facilities used to boot up the device and perform basic system checks and restorations. It also includes the infrastructural services on which the applications rely, such as the session manager, window manager, message bus and configuration storage service, and the software libraries shared between components.

See: Applications

pre-installed application bundle

A store application which could conceivably be removed, but is installed on the device by default (e.g. weather might be a pre-installed application).

See: Applications

privilege, privilege boundary

A component that is able to access data that other components cannot is said to be privileged. If two components have different privileges – that is, at least one of them can do something that the other cannot – then there is said to be a privilege boundary between them.

See: Security


A running instance of a program.


A runnable piece of software, which could be either a compiled binary or a script.

reversed domain name

A DNS domain name controlled by an organisation or individual, written with its components reversed, so that the conceptually largest component is first. For example, Collabora Ltd. controls all names within the scope of, so we might use as the reversed domain name of an application bundle. This style of naming is used in contexts such as D-Bus, Android and Java, as well as in Apertis.

store account

An account on an “app store”, analogous to Google Play accounts on Android or Apple Store accounts on iOS, not necessarily corresponding 1:1 to a user.

store application bundle

An application bundle that is not built-in: that is, either a pre-installed application bundle, or an ordinary application that is not preinstalled.

See: Applications

system extension

An application bundle that is not an graphical program, i.e. a user-installable bundle of content or code (services, themes, plugins, DLC, etc.) available from an app store.

See: Applications

Would it be better to define system extensions in terms of putting files in /var/lib/apertis_extensions, and say that each app bundle may contain an agent, a graphical program, a system extension and/or future forms of content?

system service

A background program that is run on behalf of the system as a whole, not a specific user; normally part of the platform, but potentially part of an application bundle.


Also known as: trusted computing base, TCB

A trusted component is a component that is technically able to violate the security model (i.e. it is relied on to enforce a privilege boundary), such that errors or malicious actions in that component could undermine the security model. The TCB is the set of trusted components for a particular privilege boundary. Not automatically the same thing as being trustworthy!

See: Security


A person who uses the system.

user account

The software representation of a user.


The numeric Unix identifier that is a property of each process, as returned by e.g. getuid(), potentially representing a user, multiple users, a system component and/or a subset of a user’s processes.

user service

A background program that is run on behalf of a specific user, regardless of whether it is part of the platform like systemd --user, or part of an application bundle.


An OEM-specific version of Apertis, with their customisations and default applications; the UI and main interface (application launcher, status bar, etc.) may be customised


The main user interface container for a graphical program, used in the same sense as in traditional desktop UIs, though perhaps rendered with different window decoration and with the system restricted to only rendering the main window from one focused program at once.