#6432 NORM Never A: Autoinstallation of RPMs
Zarro Boogs per Child
bugtracker at laptop.org
Mon Jun 30 16:53:24 EDT 2008
#6432: Autoinstallation of RPMs
-------------------------+--------------------------------------------------
   Reporter:  cscott     |         Owner:  cscott
       Type:  defect     |        Status:  new
   Priority:  normal     |     Milestone:  Never Assigned
  Component:  distro     |       Version:
 Resolution:             |      Keywords:
Next_action:  never set  |      Verified:  0
  Blockedby:             |      Blocking:
-------------------------+--------------------------------------------------
Comment(by cscott):
Replying to [comment:7 cscott]:
> In mail to devel@ I've proposed limiting this mechanism to machines with
> dev keys installed, in order to manage the deployment risk I mentioned in
> the bug summary above.
>
> Michael has implemented a first draft of this mechanism as a patch to
> olpc-configure. The draft does not consult external devices, and does not
> check a dev key:
> http://lists.laptop.org/pipermail/devel/2008-March/011554.html

I'm attaching a slight variant of Michael's patch, which does check dev
keys. It doesn't check external devices, since udev/sugar haven't mounted
any at this point in the initscripts. =(

As mikus has pointed out, 'yumdownloader --resolve' might be used to
create this cache. What does 'yum localinstall *.rpm' buy you over 'yum
-yt --nogpgcheck install $pkgs'?

The original proposal had a signing step to prevent a cache on removable
media becoming an easy/sneaky trojan mechanism. Restricting to 'at first
boot', dev keys, and the onboard NAND seems to be enough for the moment:
all we can do is make it more difficult to install a trojan by this means
than it is to switch to vt 1 and type 'rpm -Uvh /media/*/*.rpm', as mikus
correctly notes.

Comments? Thoughts?

--
Ticket URL: <http://dev.laptop.org/ticket/6432#comment:14>
One Laptop Per Child <http://laptop.org/>
OLPC bug tracking system
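
The three restrictions named in the comment above (first boot only, dev key present, cache on onboard storage) can be expressed as one gate that runs before any install command. This is an added example, not the patch attached to the ticket: the function names, arguments and skip reasons are hypothetical, every path is supplied by the caller, the dev-key check is reduced to "a non-empty key file exists", and "onboard" is approximated as "on the same filesystem device as the root path" (GNU or BusyBox stat assumed).

```shell
#!/bin/sh
# Added example: gate for a first-boot RPM cache install.
# Hypothetical names throughout; no path here is an OLPC location.

# dev_of PATH: print the device number of PATH, following symlinks so a
# link that points at removable media reports the media's device.
dev_of() {
    stat -L -c %d "$1" 2>/dev/null
}

# decide_autoinstall MARKER DEVKEY CACHE ROOT
#   MARKER  file whose existence means first boot has already happened
#   DEVKEY  developer key file (assumption: non-empty file == key present)
#   CACHE   directory holding the cached *.rpm files
#   ROOT    any path known to be on onboard storage
# Prints "install" or "skip:<reason>"; returns 0 only for "install".
decide_autoinstall() {
    marker=$1 devkey=$2 cache=$3 root=$4

    [ ! -e "$marker" ] || { echo "skip:not-first-boot"; return 1; }
    [ -s "$devkey" ]   || { echo "skip:no-dev-key"; return 1; }
    [ -d "$cache" ]    || { echo "skip:no-cache"; return 1; }
    rootdev=$(dev_of "$root") || { echo "skip:no-root"; return 1; }

    found=0
    for f in "$cache"/*.rpm; do
        [ -f "$f" ] || continue      # unmatched glob or non-regular file
        # Refuse the whole cache if any package resolves off the root device.
        [ "$(dev_of "$f")" = "$rootdev" ] || {
            echo "skip:off-device:$f"
            return 1
        }
        found=1
    done
    [ "$found" -eq 1 ] || { echo "skip:empty-cache"; return 1; }

    echo "install"
}
```

A caller would run the install command only when the function returns 0, and create the marker file afterwards whether or not anything was installed, so the gate cannot be retried on a later boot.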