[OLPC Security] G1G1: Security, to enable or disable...

Paul Fox pgf at foxharp.boston.ma.us
Wed Jun 4 00:15:51 EDT 2008


SJ wrote:
 > I continue to be uncomfortable that we are sending out restricted /
 > locked-down machines without a clear need.  The arguments made so far for
 > this are
 > 
 >  1. "Getting G1G1 people to test security steps"
 >  2. "Protecting G1G1 donors from installing anything but signed builds"
 >  3. "Showing a pretty boot screen"
 > 
 > 3. represents a bug that should be fixed.  Tying pretty boot to
 > machine-lockdown is arbitrary.

agreed.  as a G1G1 owner i wanted to see the boot messages quite
a long time before i needed or wanted a dev key.

 > 
 > 2.  assumes that this is the best result for G1G1 donors,
 > which seems unlikely to me.  Discovering how to update to
 > anything but the most aggressively promoted builds is already
 > a sign of tech savvy. 

and that technical savvy will lead them to the developer key,
won't it?

 > This
 > protection would still effectively be in place for the vast majority of
 > users for whom it matters if we aggressively recommended to users (say,
 > after a couple of days of use) that they get a developers key if they want
 > full control of their machines for any reason.

how would you aggressively recommend anything to a G1G1 user
"after a couple of days of use"?

in any case, trust me -- figuring out how to get ofw to boot a
new kernel is _way_ harder and scarier than getting the dev key
in the first place.  :-)

 > 
 > 1.  is an interesting argument.  As with 2, it would still
 > hold if recipients were actively encouraged to get developers
 > keys if they have any interest in having full control of their
 > machines (indeed you could say that we would have a much
 > better test of the dev-key acquisition process, which
 > currently works more clearly in large batches for countries
 > than for individuals).

i would have thought G1G1 proved that dev-key acquisition works
just fine.

paul
=---------------------
 paul fox, pgf at foxharp.boston.ma.us (arlington, ma, where it's 64.9 degrees)


