Re: About 8.2.2 unlocking
> I think for the case of Cambodia with many small deployments (educational NGOs got XOs donated from G1G1/OLPC or other donors), no signed builds probably means that the XOs don't get updated anymore.

Are you trying to say that the Cambodian OLPC recipients don't have any serious chance of jailbreaking their laptops? Installing an OS release is a fifteen minute process, whether it's signed or not, once you disable the DRM. The DRM is the only constraint (other than losing all the data you had in the laptop).

Perhaps instead of coming with a signed build, new releases should come with a monster keyring that will unlock any known laptop and then install the release on it.

Hmm, another way to do this would be for OLPC to sign one last build, which installs new firmware that unlocks any laptop except those built for specific large-scale deployments (which have internally decided to continue the DRM and sign their own builds). But whether the unlock is automatic or must be done manually, at least every new installation on a random XO will leave that machine unlocked, thereby reducing the long-term problem.

John
___
Devel mailing list
Devel@lists.laptop.org
http://lists.laptop.org/listinfo/devel

Re: About 8.2.2
On Wed, Dec 2, 2009 at 8:49 AM, Philipp Kocher philipp.koc...@gmx.net wrote:
> What is the plan for the Fedora 11 build for XO-1, will OLPC sign such a build or is 802 the last build signed by OLPC?

I think the F11 images will follow the policy I outlined: no more signed builds.

> I don't think one of the two options is a good solution for small deployments without a tech team.

I am working on making it easier for small tech teams. Your help is welcome on this track...

cheers,

m
--
 martin.langh...@gmail.com
 mar...@laptop.org -- School Server Architect
 - ask interesting questions
 - don't get distracted with shiny stuff - working code first
 - http://wiki.laptop.org/go/User:Martinlanghoff

Re: About 8.2.2
Philipp -

I would prefer not to speculate about what is happening or not happening in various locations; if small XO situations want updates they can obtain developer keys for them. I'm not aware of any requests from Cambodia for software updates they don't have, or for signed builds.

It's important to remember that we added considerable support for signing autonomy to the XO-1 and OFW, in order to avoid the perpetual unfunded mandate of having OLPC provide signed builds and related signature tasks.

- Ed

On Dec 2, 2009, at 2:49 AM, Philipp Kocher wrote:
> Hi Ed, Martin
>
> What is the plan for the Fedora 11 build for XO-1, will OLPC sign such a build or is 802 the last build signed by OLPC?
>
> I don't think one of the two options is a good solution for small deployments without a tech team.
>
> I think for the case of Cambodia with many small deployments (educational NGOs got XOs donated from G1G1/OLPC or other donors), no signed builds probably means that the XOs don't get updated anymore.
>
> Best regards,
> Philipp
>
> On 12/01/2009 08:04 PM, Ed McNierney wrote:
>> Philipp -
>>
>> An OS image signed by OLPC can be booted by any XO-1.0 laptop in the world, except for those which have been reconfigured by a deployment to only respect software signed by other security keys. That implies a higher level of testing and certification than an image that can be selectively adopted by specific deployments who can do their own testing to decide whether that release is suitable for their application.
>>
>> As OLPC's deployments grow both in number of total laptops deployed and in the number of different localities supported, it becomes increasingly burdensome / difficult to package and test One Image to Boot Them All worldwide.
>>
>> As Martin points out, we are continuing to try to move users toward either (a) using machines with boot-image security disabled, so they can run any software, or (b) using locally-developed and locally-maintained signature authorities to sign OS images for secure boot in local deployments.
>>
>> - Ed
>>
>> On Dec 1, 2009, at 4:14 AM, Philipp Kocher wrote:
>>>> - It won't be signed by OLPC. You have to be on an unlocked XO, or be a deployment signing your own builds.
>>>
>>> Is there a reason why 8.2.2 doesn't get signed by OLPC? I do understand that the main target group are big deployments which can sign the build, but why are others excluded? In the past even release candidates like build 800 got signed by OLPC.
>>>
>>> Cheers
>>> Philipp

Re: About 8.2.2
> - It won't be signed by OLPC. You have to be on an unlocked XO, or be a deployment signing your own builds.

Is there a reason why 8.2.2 doesn't get signed by OLPC? I do understand that the main target group are big deployments which can sign the build, but why are others excluded? In the past even release candidates like build 800 got signed by OLPC.

Cheers
Philipp

Re: About 8.2.2
On Tue, Dec 1, 2009 at 10:14 AM, Philipp Kocher philipp.koc...@gmx.net wrote:
>> - It won't be signed by OLPC. You have to be on an unlocked XO, or be a deployment signing your own builds.
>
> Is there a reason why 8.2.2 doesn't get signed by OLPC? I do understand that the main target group are big deployments which can sign the build, but why are others excluded?

Nobody is excluded :-)

OLPC wants to encourage deployments large and small to have their own keys and sign the OSs they decide they want to use. I am working to make this easier for deployments with small tech teams.

Everyone else should disable the antitheft stuff (except when helping us test it!).

m
--
 martin.langh...@gmail.com
 mar...@laptop.org -- School Server Architect
 - ask interesting questions
 - don't get distracted with shiny stuff - working code first
 - http://wiki.laptop.org/go/User:Martinlanghoff

Re: About 8.2.2
Philipp -

An OS image signed by OLPC can be booted by any XO-1.0 laptop in the world, except for those which have been reconfigured by a deployment to only respect software signed by other security keys. That implies a higher level of testing and certification than an image that can be selectively adopted by specific deployments who can do their own testing to decide whether that release is suitable for their application.

As OLPC's deployments grow both in number of total laptops deployed and in the number of different localities supported, it becomes increasingly burdensome / difficult to package and test One Image to Boot Them All worldwide.

As Martin points out, we are continuing to try to move users toward either (a) using machines with boot-image security disabled, so they can run any software, or (b) using locally-developed and locally-maintained signature authorities to sign OS images for secure boot in local deployments.

- Ed

On Dec 1, 2009, at 4:14 AM, Philipp Kocher wrote:
>> - It won't be signed by OLPC. You have to be on an unlocked XO, or be a deployment signing your own builds.
>
> Is there a reason why 8.2.2 doesn't get signed by OLPC? I do understand that the main target group are big deployments which can sign the build, but why are others excluded? In the past even release candidates like build 800 got signed by OLPC.
>
> Cheers
> Philipp

Re: About 8.2.2
Hi Ed, Martin

What is the plan for the Fedora 11 build for XO-1, will OLPC sign such a build or is 802 the last build signed by OLPC?

I don't think one of the two options is a good solution for small deployments without a tech team.

I think for the case of Cambodia with many small deployments (educational NGOs got XOs donated from G1G1/OLPC or other donors), no signed builds probably means that the XOs don't get updated anymore.

Best regards,
Philipp

On 12/01/2009 08:04 PM, Ed McNierney wrote:
> Philipp -
>
> An OS image signed by OLPC can be booted by any XO-1.0 laptop in the world, except for those which have been reconfigured by a deployment to only respect software signed by other security keys. That implies a higher level of testing and certification than an image that can be selectively adopted by specific deployments who can do their own testing to decide whether that release is suitable for their application.
>
> As OLPC's deployments grow both in number of total laptops deployed and in the number of different localities supported, it becomes increasingly burdensome / difficult to package and test One Image to Boot Them All worldwide.
>
> As Martin points out, we are continuing to try to move users toward either (a) using machines with boot-image security disabled, so they can run any software, or (b) using locally-developed and locally-maintained signature authorities to sign OS images for secure boot in local deployments.
>
> - Ed
>
> On Dec 1, 2009, at 4:14 AM, Philipp Kocher wrote:
>>> - It won't be signed by OLPC. You have to be on an unlocked XO, or be a deployment signing your own builds.
>>
>> Is there a reason why 8.2.2 doesn't get signed by OLPC? I do understand that the main target group are big deployments which can sign the build, but why are others excluded? In the past even release candidates like build 800 got signed by OLPC.
>>
>> Cheers
>> Philipp

Re: About 8.2.2
On 30.11.2009, at 12:30, Martin Langhoff wrote:
> On Mon, Nov 30, 2009 at 12:11 PM, Bert Freudenberg b...@freudenbergs.de wrote:
>> What's the 8.2.2 schedule? What is changing?
>
> Very succinctly:
>
> - It won't be signed by OLPC. You have to be on an unlocked XO, or be a deployment signing your own builds.
>
> - Improvements in antitheft and tools related to deployment (activity updater, etc).
>
> - Various bugfixes -- full list in link below.
>
> - It may contain some driver tweaks for the touchpads --
>
> - It will be released together with the exact image-builder script and configuration, so it is very easy to re-spin it. I am adding several tweaks in the customisation script, but disabled. The idea is that a deployment can grab image-builder, look at the example customisation script, enable / comment out useful things, and make their local image.
>
> - When? Depends on the touchpad driver -- it takes a new kernel so I am not too crazy about it. Without kernel rebuild, it's cooked, we need a round of testing to check that we're not regressing. With a new kernel, it'd give it more time...
>
> Trac query with the full story:
> http://dev.laptop.org/query?status=assigned&status=closed&status=new&status=reopened&order=priority&col=id&col=summary&col=status&col=type&col=priority&col=component&milestone=8.2.2
>
> hth,

It does. So a deployment could customize the image-builder script to include a newer RPM, e.g. if they wanted a more recent version of Etoys.

- Bert -

Re: About 8.2.2
On Mon, Nov 30, 2009 at 12:43 PM, Bert Freudenberg b...@freudenbergs.de wrote:
> So a deployment could customize the image-builder script to include a newer RPM, e.g. if they wanted a more recent version of Etoys.

Bingo. It actually supports an rpms dir. Drop something there and go.

And I am looking at using the same curl trick that we use in the F11 builds to grab activities from ASLO (latest vs specific version).

m
--
 martin.langh...@gmail.com
 mar...@laptop.org -- School Server Architect
 - ask interesting questions
 - don't get distracted with shiny stuff - working code first
 - http://wiki.laptop.org/go/User:Martinlanghoff

Re: About 8.2.2
On Mon, Nov 30, 2009 at 1:32 PM, Martin Langhoff martin.langh...@gmail.com wrote:
> On Mon, Nov 30, 2009 at 12:43 PM, Bert Freudenberg b...@freudenbergs.de wrote:
>> So a deployment could customize the image-builder script to include a newer RPM, e.g. if they wanted a more recent version of Etoys.
>
> Bingo. It actually supports an rpms dir. Drop something there and go.
>
> And I am looking at using the same curl trick that we use in the F11 builds to grab activities from ASLO (latest vs specific version).

Martin,

all those proposed changes and bug-fixes look great. Based on my experiences with the small Austrian pilot project I'm particularly excited about anything related to activity updates and touchpad behaviour, and maybe I can even get around to playing with image-builder and doing some more customizations at some point.

Thanks a lot for all your hard work on this! :-)

Christoph

--
Christoph Derndorfer
co-editor, olpcnews
url: www.olpcnews.com
e-mail: christ...@olpcnews.com