Re: Walter Bender: Re: devkeys, prettyboot, and G1G1
I'm glad that people are trying to think of ways to improve the lot of G1G1 users. The fundamental problem doesn't go away, though, unless you make it go away. The plan in November's G1G1, as I understand it, is to build in unnecessary restrictions on the people you should be most grateful for the support of. Another way to say it is that you're setting precedents for how a supposedly-responsible donor-supported nonprofit free-as-in-freedom organization can nevertheless end up being a fully Tivoized DRM shop. If that's the world you want to live in, you're teaching people just how to do it. You're acting just like Canter & Siegel in a world without spam.

John Watlington said:

How about providing dev. keys for G1G1 laptops with no delay? Would you consider it an improvement?

It would absolutely be an improvement, and I'm all for improvements. How about providing dev. keys for *last year's* G1G1 laptops with no delay, too? Those were already shipped in jails -- there's no going back and changing that decision. The least you could do is immediate unlocks when requested. You have all the data to do so.

At the San Francisco OLPCnews meetup tonight, someone wanted to upgrade to 8.2.0-767, which I had on my handy USB memory -- but they had never gotten a devkey. So we ordered one, it wasn't ready, it will take a day (or so), and meanwhile the meeting's over and I'm at home and their laptop went home with them -- so they won't test 767. They're still running 650.

Michael Stone said:

... a compromise position that would seem very reasonable to me would be to make the software shipped to G1G1 'happy to boot or NAND-flash anything' but unwilling to write the SPI flash without authorization.

Adding an unrestricted ability to rewrite the filesystem in NAND flash would be a further improvement over the current situation. I don't think that particular improvement would be worth a 3-week slip, tho. You can get a much bigger improvement with a much smaller slip.

Michael Stone said (continuing):

... protecting OLPC from most of the risk presented by making it trivial to brick laptops manually (let alone in an automated, networked fashion, which I suspect would be doable in your current proposal).

I don't think it significantly alters the risk of an automated bricking. For example, today, anyone who wanted to make a network worm that bricked B2 laptops could just install a signed Q2E12 into their filesystems; they'd brick on the next reboot. When C3 laptops come out, you can probably brick one by merely loading any of the first ten signed firmware images. There are enough bugs and security holes in signed, released software that attackers don't need unrestricted ability to craft their own software; they can attack your weakest *signed, certified good* systems instead.

Martin Langhoff said:

_many_ things on G1G1 are not there for the G1G1 donors, and would be hard to justify if we looked at them as primary targets. So this is not 'backwards', it's our modus operandi.

You're right that laptops designed for a more upscale market would have more RAM, more Flash, better keyboards, ethernet jacks, no DRM at all, etc. (Look at the netbook market; that's what they've done.) For G1G1 hardware and software, you're shipping basically what you designed for your primary market in developing countries.

Your existing hardware and software already provide for laptops that have no need for developer keys, though. Quanta customizes the manufacturing data for every build, e.g. setting the language preference. There's no cost to OLPC to have Quanta ship the manufacturing data with the disable-security bits set. You're ready, willing, and able to ship such laptops to any country that orders them that way. Why shouldn't G1G1 users be testing *that* configuration? If G1G1 was aimed at fully debugging the configuration for your largest deployments, you'd be shipping them with Spanish keyboards and Spanish-language messages (and with school server install CDs).

Michael:

P.S. - As others have suggested, please do not assume that any individual on this list speaks for everyone else involved; in almost all cases, they speak only for themselves (but for their clique with whatever measure of authority they happen to hold).

I assume the reason we're having this discussion is because the silent decider, whoever that is, decided (or defaulted) to jail the upcoming G1G1 laptops. If not, they could end it rather quickly by merely announcing that our concern was merely a problem of communication.

John

___
Devel mailing list
Devel@lists.laptop.org
http://lists.laptop.org/listinfo/devel
Re: Walter Bender: Re: devkeys, prettyboot, and G1G1
On Fri, 2008-10-03 at 00:27 -0400, John Watlington wrote:

How about providing dev. keys for G1G1 laptops with no delay? Would you consider it an improvement?

Clearly an improvement, as is the prettyboot patch, which I think we should also do.

- Jim

wad

On Oct 1, 2008, at 10:15 PM, John Gilmore wrote:

Mitch and I have come up with a way to ship G1G1 laptops so that they will pretty-boot, but still come from the factory without any need for developer keys (in the Forth disable-security setting). This requires a small edit to /boot/olpc.fth in the OS build, to load the XO child image, freeze the screen, and put the first progress dot down just before jumping to Linux. It's detailed here: http://dev.laptop.org/ticket/7896

I know the support crew would be much happier if G1G1 laptops were shipped able to run test builds and patched software, if users could interact with Forth to diagnose their hardware, if they could run unsigned Forth code from USB collector keys, etc.

Unfortunately, an IRC discussion with Scott today revealed that the engineering team has decided that we *must* ship G1G1 laptops with a requirement for development keys. The reason: because too many kids in the third world will be getting lockdown laptops, and we want the G1G1 recipients to be guinea pigs to debug the laptops, to be sure the laptops work even when locked down (and that they unlock properly when the kid requests a jailbreak key).

I see this as utterly backwards. The countries that want DRM on their laptops should be paying the price in support problems and infrastructure. Not the donors who sponsor a G1G1 laptop, and not the free software community who donate to help push this project along. As believers in freedom, we shouldn't be defaulting EVERY laptop to being locked by its manufacturer. Yet that's the argument: because some of them are locked, all of them must be locked.

Or perhaps it's slightly more nuanced: A country that orders thousands can order them without DRM, but G1G1 users can't. That sounds reasonable, but I've interacted with several country teams (Nepal and South Pacific), who had come away from OLPC with the impression that it would be incredibly dangerous to turn off the security of the laptops. In Nepal's case I was unable to disabuse them of this odd notion. So no country asks for freedom in their laptop shipments, and no G1G1 is shipped with freedom, and thus every OLPC laptop is jailed, like every iPhone.

John

Date: Wed, 1 Oct 2008 08:34:09 -0400
From: Walter Bender [EMAIL PROTECTED]
To: John Gilmore [EMAIL PROTECTED]
Subject: Re: devkeys, prettyboot, and G1G1
Cc: Mitch Bradley [EMAIL PROTECTED]

If Mitch is comfortable with his fix, I cannot see any reason not to ship developer keys with G1G1 machines--it would save everyone headaches, especially on support; but of course I cannot speak for OLPC these days.

-walter

On Tue, Sep 30, 2008 at 7:26 PM, John Gilmore [EMAIL PROTECTED] wrote:

I recall discussing this last time but don't recall the reasons not to do it this way. We did ship them all pre-activated.

I questioned people after the fateful meeting, and it seemed to me that the problem was that Nicholas wanted pretty-boot, and Mitch was unwilling to try to disentangle pretty-boot from secure-boot. Secure-boot was already a tangle of ugly Forth code, and he was sure that adding more complexity there would result in security holes or bugs. Since then, he has figured out the one-line circumvention that's documented in bug #7896. The circumvention is in the OS (since OFW keeps no state).

John

--
Walter Bender
Sugar Labs
http://www.sugarlabs.org

[gnu: I also cc'd this to support-gang, but that required sending it from a different email address, due to how I am subscribed there.]

--
Jim Gettys [EMAIL PROTECTED]
One Laptop Per Child
Re: Walter Bender: Re: devkeys, prettyboot, and G1G1
On Fri, Oct 3, 2008 at 3:49 AM, John Gilmore [EMAIL PROTECTED] wrote:

There's no cost to OLPC to have Quanta ship the manufacturing data with the disable-security bits set.

If this is true, I'd like to see us ship g1g1 laptops with security disabled. The one persuasive argument I have seen for /not/ doing this is that there might be increased support costs. As Ian mentions, and from my own limited exposure to people requesting support, having security turned on leads to greater support costs than having it off would. The only people who see any support costs one way or another are the fairly technical people who know what it means to try to update their system.

--SJ

You're ready, willing, and able to ship such laptops to any country that orders them that way. Why shouldn't G1G1 users be testing *that* configuration? If G1G1 was aimed at fully debugging the configuration for your largest deployments, you'd be shipping them with Spanish keyboards and Spanish-language messages (and with school server install CDs).

Michael:

P.S. - As others have suggested, please do not assume that any individual on this list speaks for everyone else involved; in almost all cases, they speak only for themselves (but for their clique with whatever measure of authority they happen to hold).

I assume the reason we're having this discussion is because the silent decider, whoever that is, decided (or defaulted) to jail the upcoming G1G1 laptops. If not, they could end it rather quickly by merely announcing that our concern was merely a problem of communication.

John
Re: Walter Bender: Re: devkeys, prettyboot, and G1G1
On Thu, Oct 02, 2008 at 12:07:51AM -0400, Bobby Powers wrote:

On Wed, Oct 1, 2008 at 10:35 PM, Edward Cherlin [EMAIL PROTECTED] wrote:

I don't mind if the G1G1 donors have the option to participate in testing secured laptops, but I utterly reject the notion that we can jerk customer/donors around like this without their permission in advance. They _will_ complain publicly.

While it is a SMALL hassle, I don't understand how it is jerking customers around before they've even bought a machine. As long as the policy (whatever it turns out to be) is clearly stated on the wiki/amazon site, by purchasing a laptop they are consenting to this. With that said, I would probably lean towards preferring unsecured machines (with pretty boot enabled, of course).

Such small hassles, when repeated across hundreds of thousands of people, tend to eat up a lot of time. We should be trying to save users this time.

I think we have sufficiently utilized G1G1 users to test our security system. My general perception is this test demonstrated that a significant fraction of users want unlocked laptops so that they can do interesting things.

Even if the average user doesn't care about what an unlocked laptop allows them to do, what is the harm in shipping developer keys on all the G1G1 laptops? We'll save everyone who wants to install non-standard builds the time required to learn about and obtain developer keys. We'll save the support costs required to process and answer all the queries about developer keys. And we'll reduce the infrastructural costs of managing the generation of the keys.

Erik
Re: Walter Bender: Re: devkeys, prettyboot, and G1G1
+1

On Thu, Oct 2, 2008 at 9:45 AM, Erik Garrison [EMAIL PROTECTED] wrote:

On Thu, Oct 02, 2008 at 12:07:51AM -0400, Bobby Powers wrote:

On Wed, Oct 1, 2008 at 10:35 PM, Edward Cherlin [EMAIL PROTECTED] wrote:

I don't mind if the G1G1 donors have the option to participate in testing secured laptops, but I utterly reject the notion that we can jerk customer/donors around like this without their permission in advance. They _will_ complain publicly.

While it is a SMALL hassle, I don't understand how it is jerking customers around before they've even bought a machine. As long as the policy (whatever it turns out to be) is clearly stated on the wiki/amazon site, by purchasing a laptop they are consenting to this. With that said, I would probably lean towards preferring unsecured machines (with pretty boot enabled, of course).

Such small hassles, when repeated across hundreds of thousands of people, tend to eat up a lot of time. We should be trying to save users this time.

I think we have sufficiently utilized G1G1 users to test our security system. My general perception is this test demonstrated that a significant fraction of users want unlocked laptops so that they can do interesting things.

Even if the average user doesn't care about what an unlocked laptop allows them to do, what is the harm in shipping developer keys on all the G1G1 laptops? We'll save everyone who wants to install non-standard builds the time required to learn about and obtain developer keys. We'll save the support costs required to process and answer all the queries about developer keys. And we'll reduce the infrastructural costs of managing the generation of the keys.

Erik

--
Walter Bender
Sugar Labs
http://www.sugarlabs.org
Re: Walter Bender: Re: devkeys, prettyboot, and G1G1
On Thu, Oct 2, 2008 at 9:45 AM, Erik Garrison [EMAIL PROTECTED] wrote:

On Thu, Oct 02, 2008 at 12:07:51AM -0400, Bobby Powers wrote:

With that said, I would probably lean towards preferring unsecured machines (with pretty boot enabled, of course).

Such small hassles, when repeated across hundreds of thousands of people, tend to eat up a lot of time. We should be trying to save users this time.

As I said in June, afaic G1G1 machines should all be sent out with developer keys.
http://lists.laptop.org/pipermail/security/2008-June/000426.html

Kim made two related points:

1 - Assuming we get to the point where upgrading is an easy click from the G1G1 machine, then we want to be sure that people don't mistakenly load non-signed images. If you are not a developer; doesn't this add a level of protection that we want for 90% of G1G1 recipients?

I don't think this is the sort of security people need -- again, those 90% aren't going to be trying updates in the first place. If we want to add a required --security=off flag to the olpc-update command to indicate that you recognize you are installing an unsecured build, that's fine.

2 - I believe our support issues will go up significantly as people who have little or no experience are encouraged to download all sorts of untested builds with no easy way to get back to a working system. To feel better about the support issues, I would like the one-button push that restores a laptop to factory default.

I don't know about the former; the latter is a great idea. These feel to me like useful things to address for 8.2.1, though not for the initial g1g1 images.

SJ

We'll save everyone who wants to install non-standard builds the time required to learn about and obtain developer keys. We'll save the support costs required to process and answer all the queries about developer keys. And we'll reduce the infrastructural costs of managing the generation of the keys.

Erik
Re: Walter Bender: Re: devkeys, prettyboot, and G1G1
How about providing dev. keys for G1G1 laptops with no delay? Would you consider it an improvement?

wad

On Oct 1, 2008, at 10:15 PM, John Gilmore wrote:

Mitch and I have come up with a way to ship G1G1 laptops so that they will pretty-boot, but still come from the factory without any need for developer keys (in the Forth disable-security setting). This requires a small edit to /boot/olpc.fth in the OS build, to load the XO child image, freeze the screen, and put the first progress dot down just before jumping to Linux. It's detailed here: http://dev.laptop.org/ticket/7896

I know the support crew would be much happier if G1G1 laptops were shipped able to run test builds and patched software, if users could interact with Forth to diagnose their hardware, if they could run unsigned Forth code from USB collector keys, etc.

Unfortunately, an IRC discussion with Scott today revealed that the engineering team has decided that we *must* ship G1G1 laptops with a requirement for development keys. The reason: because too many kids in the third world will be getting lockdown laptops, and we want the G1G1 recipients to be guinea pigs to debug the laptops, to be sure the laptops work even when locked down (and that they unlock properly when the kid requests a jailbreak key).

I see this as utterly backwards. The countries that want DRM on their laptops should be paying the price in support problems and infrastructure. Not the donors who sponsor a G1G1 laptop, and not the free software community who donate to help push this project along. As believers in freedom, we shouldn't be defaulting EVERY laptop to being locked by its manufacturer. Yet that's the argument: because some of them are locked, all of them must be locked.

Or perhaps it's slightly more nuanced: A country that orders thousands can order them without DRM, but G1G1 users can't. That sounds reasonable, but I've interacted with several country teams (Nepal and South Pacific), who had come away from OLPC with the impression that it would be incredibly dangerous to turn off the security of the laptops. In Nepal's case I was unable to disabuse them of this odd notion. So no country asks for freedom in their laptop shipments, and no G1G1 is shipped with freedom, and thus every OLPC laptop is jailed, like every iPhone.

John

Date: Wed, 1 Oct 2008 08:34:09 -0400
From: Walter Bender [EMAIL PROTECTED]
To: John Gilmore [EMAIL PROTECTED]
Subject: Re: devkeys, prettyboot, and G1G1
Cc: Mitch Bradley [EMAIL PROTECTED]

If Mitch is comfortable with his fix, I cannot see any reason not to ship developer keys with G1G1 machines--it would save everyone headaches, especially on support; but of course I cannot speak for OLPC these days.

-walter

On Tue, Sep 30, 2008 at 7:26 PM, John Gilmore [EMAIL PROTECTED] wrote:

I recall discussing this last time but don't recall the reasons not to do it this way. We did ship them all pre-activated.

I questioned people after the fateful meeting, and it seemed to me that the problem was that Nicholas wanted pretty-boot, and Mitch was unwilling to try to disentangle pretty-boot from secure-boot. Secure-boot was already a tangle of ugly Forth code, and he was sure that adding more complexity there would result in security holes or bugs. Since then, he has figured out the one-line circumvention that's documented in bug #7896. The circumvention is in the OS (since OFW keeps no state).

John

--
Walter Bender
Sugar Labs
http://www.sugarlabs.org

[gnu: I also cc'd this to support-gang, but that required sending it from a different email address, due to how I am subscribed there.]
Re: Walter Bender: Re: devkeys, prettyboot, and G1G1
On Fri, Oct 03, 2008 at 12:27:48AM -0400, John Watlington wrote:

How about providing dev. keys for G1G1 laptops with no delay? Would you consider it an improvement?

I would consider it a mediocre usability improvement in exchange for a moderate security risk -- it fails to permit any simplification of the testing instructions while permanently increasing the opportunity for Murphy to strike by causing us to treat some SNs separately from others and by removing opportunity for review and intervention. At best, it provides 'instant gratification' by taking the currently manual process of 'asking for your devkey quickly' to its logical extreme.

On the other hand, I suppose it's worth considering since it's only an administrative change.

Do you have a different analysis of its merits? Do you weigh the risk of autogenerating devkeys for stolen laptops differently than I do?

Michael
Re: Walter Bender: Re: devkeys, prettyboot, and G1G1
On Thu, Oct 2, 2008 at 1:59 PM, John Gilmore [EMAIL PROTECTED] wrote:

I see this as utterly backwards. The countries that want $feature on their laptops should be paying the price in support problems and infrastructure.

I've edited your quote a bit. G1G1 participants support us in many ways, one of them being early users of many features that are mainly targeted to our XO users in deployment/pilot countries. The DRM stuff is a feature of many that falls within this list.

That's all I wanted to clarify, _many_ things on G1G1 are not there for the G1G1 donors, and would be hard to justify if we looked at them as primary targets. So this is not 'backwards', it's our modus operandi. You can argue for an exception here -- perhaps this feature is specially painful or burdensome for G1G1. Let's keep the perspective straight.

Note: I don't have an opinion either way WRT DRM on G1G1 machines, and haven't participated in any discussions about it, so not familiar with the arguments pro and against.

cheers,

m

--
[EMAIL PROTECTED]
[EMAIL PROTECTED] -- School Server Architect
- ask interesting questions
- don't get distracted with shiny stuff
- working code first
- http://wiki.laptop.org/go/User:Martinlanghoff
Re: Walter Bender: Re: devkeys, prettyboot, and G1G1
On Wed, 2008-10-01 at 19:15 -0700, John Gilmore wrote:

I know the support crew would be much happier if G1G1 laptops were shipped able to run test builds and patched software, if users could interact with Forth to diagnose their hardware, if they could run unsigned Forth code from USB collector keys, etc.

FWIW, it also would be a huge benefit to those that want to run any sort of Fedora build on their XO. Having to request the developer key and wait a day for that is probably going to be somewhat off-putting.

Jeremy
Re: Walter Bender: Re: devkeys, prettyboot, and G1G1
On Wed, Oct 1, 2008 at 10:35 PM, Edward Cherlin [EMAIL PROTECTED] wrote:

I don't mind if the G1G1 donors have the option to participate in testing secured laptops, but I utterly reject the notion that we can jerk customer/donors around like this without their permission in advance. They _will_ complain publicly.

While it is a SMALL hassle, I don't understand how it is jerking customers around before they've even bought a machine. As long as the policy (whatever it turns out to be) is clearly stated on the wiki/amazon site, by purchasing a laptop they are consenting to this. With that said, I would probably lean towards preferring unsecured machines (with pretty boot enabled, of course).

bobby

Engineering and marketing should never have the authority to trump customer service or product quality.

On Wed, Oct 1, 2008 at 7:15 PM, John Gilmore [EMAIL PROTECTED] wrote:

Mitch and I have come up with a way to ship G1G1 laptops so that they will pretty-boot, but still come from the factory without any need for developer keys (in the Forth disable-security setting). This requires a small edit to /boot/olpc.fth in the OS build, to load the XO child image, freeze the screen, and put the first progress dot down just before jumping to Linux. It's detailed here: http://dev.laptop.org/ticket/7896

I know the support crew would be much happier if G1G1 laptops were shipped able to run test builds and patched software, if users could interact with Forth to diagnose their hardware, if they could run unsigned Forth code from USB collector keys, etc.

Unfortunately, an IRC discussion with Scott today revealed that the engineering team has decided that we *must* ship G1G1 laptops with a requirement for development keys. The reason: because too many kids in the third world will be getting lockdown laptops, and we want the G1G1 recipients to be guinea pigs to debug the laptops, to be sure the laptops work even when locked down (and that they unlock properly when the kid requests a jailbreak key).

I see this as utterly backwards. The countries that want DRM on their laptops should be paying the price in support problems and infrastructure. Not the donors who sponsor a G1G1 laptop, and not the free software community who donate to help push this project along. As believers in freedom, we shouldn't be defaulting EVERY laptop to being locked by its manufacturer. Yet that's the argument: because some of them are locked, all of them must be locked.

Or perhaps it's slightly more nuanced: A country that orders thousands can order them without DRM, but G1G1 users can't. That sounds reasonable, but I've interacted with several country teams (Nepal and South Pacific), who had come away from OLPC with the impression that it would be incredibly dangerous to turn off the security of the laptops. In Nepal's case I was unable to disabuse them of this odd notion. So no country asks for freedom in their laptop shipments, and no G1G1 is shipped with freedom, and thus every OLPC laptop is jailed, like every iPhone.

John

Date: Wed, 1 Oct 2008 08:34:09 -0400
From: Walter Bender [EMAIL PROTECTED]
To: John Gilmore [EMAIL PROTECTED]
Subject: Re: devkeys, prettyboot, and G1G1
Cc: Mitch Bradley [EMAIL PROTECTED]

If Mitch is comfortable with his fix, I cannot see any reason not to ship developer keys with G1G1 machines--it would save everyone headaches, especially on support; but of course I cannot speak for OLPC these days.

-walter

On Tue, Sep 30, 2008 at 7:26 PM, John Gilmore [EMAIL PROTECTED] wrote:

I recall discussing this last time but don't recall the reasons not to do it this way. We did ship them all pre-activated.

I questioned people after the fateful meeting, and it seemed to me that the problem was that Nicholas wanted pretty-boot, and Mitch was unwilling to try to disentangle pretty-boot from secure-boot. Secure-boot was already a tangle of ugly Forth code, and he was sure that adding more complexity there would result in security holes or bugs. Since then, he has figured out the one-line circumvention that's documented in bug #7896. The circumvention is in the OS (since OFW keeps no state).

John

--
Walter Bender
Sugar Labs
http://www.sugarlabs.org

[gnu: I also cc'd this to support-gang, but that required sending it from a different email address, due to how I am subscribed there.]

--
Don't panic.--HHGTTG, Douglas Adams
fivethirtyeight.com, 3bluedudes.com Obama still moving ahead in EC!
http://www.obamapedia.org/ Join us!
http://wiki.sugarlabs.org/go/User:Mokurai For the children