"Walter Bender": Re: devkeys, prettyboot, and G1G1

Jim Gettys jg at laptop.org
Fri Oct 3 10:02:45 EDT 2008


On Fri, 2008-10-03 at 00:27 -0400, John Watlington wrote:
> How about providing dev. keys for G1G1 laptops with
> no delay ?    Would you consider it an improvement ?

Clearly an improvement, as is the prettyboot patch, which I think we
should also do.
                  - Jim

> 
> wad
> 
> On Oct 1, 2008, at 10:15 PM, John Gilmore wrote:
> 
> > Mitch and I have come up with a way to ship G1G1 laptops so that they
> > will pretty-boot, but still come from the factory without any need
> > for developer keys (in the Forth "disable-security" setting).
> >
> > This requires a small edit to /boot/olpc.fth in the OS build,
> > to load the XO child image, freeze the screen, and put the
> > first "progress dot" down just before jumping to Linux.  It's
> > detailed here:
> >
> >   http://dev.laptop.org/ticket/7896
> >
> > I know the support crew would be much happier if G1G1 laptops were
> > shipped able to run test builds and patched software, if users could
> > interact with Forth to diagnose their hardware, if they could run
> > unsigned Forth code from USB collector keys, etc.
> >
> > Unfortunately, an IRC discussion with Scott today revealed that the
> > engineering team has decided that we *must* ship G1G1 laptops with a
> > requirement for development keys.  The reason: because too many kids
> > in the third world will be getting lockdown laptops, and we want the
> > G1G1 recipients to be guinea pigs to debug the laptops, to be sure the
> > laptops work even when locked down (and that they unlock properly when
> > the kid requests a jailbreak key).
> >
> > I see this is utterly backwards.  The countries that want DRM on their
> > laptops should be paying the price in support problems and
> > infrastructure.  Not the donors who sponsor a G1G1 laptop, and not the
> > free software community who donate to help push this project along.
> > As believers in freedom, we shouldn't be defaulting EVERY laptop to
> > being locked by its manufacturer.  Yet that's the argument: because
> > some of them are locked, all of them must be locked.  Or perhaps it's
> > slightly more nuanced: A country that orders thousands can order them
> > without DRM, but G1G1 users can't.  That sounds reasonable, but I've
> > interacted with several country teams (Nepal and South Pacific), who
> > had come away from OLPC with the impression that it would be
> > incredibly dangerous to turn off the "security" of the laptops.  In
> > Nepal's case I was unable to disabuse them of this odd notion.  So no
> > country asks for freedom in their laptop shipments, and no G1G1 is
> > shipped with freedom, and thus every OLPC laptop is jailed, like every
> > iPhone.
> >
> > 	John
> >
> > Date: Wed, 1 Oct 2008 08:34:09 -0400
> > From: "Walter Bender" <walter.bender at gmail.com>
> > To: "John Gilmore" <gnu at toad.com>
> > Subject: Re: devkeys, prettyboot, and G1G1
> > Cc: "Mitch Bradley" <wmb at laptop.org>
> >
> > If Mitch is comfortable with his fix, I cannot see any reason not to
> > ship developer keys with G1G1 machines--it would save everyone
> > headaches, especially on support; but of course I cannot speak for
> > OLPC these days.
> >
> > -walter
> >
> > On Tue, Sep 30, 2008 at 7:26 PM, John Gilmore <gnu at toad.com> wrote:
> >>> I recall discussing this last time but  don't recall the reasons not
> >>> to do it this way. We did ship them all pre-activated.
> >>
> >> I questioned people after the fateful meeting, and it seemed to me
> >> that the problem was that Nicholas wanted pretty-boot, and Mitch was
> >> unwilling to try to disentangle pretty-boot from secure-boot.   
> >> Secure-boot
> >> was already a tangle of ugly Forth code, and he was sure that adding
> >> more complexity there would result in security holes or bugs.
> >>
> >> Since then, he has figured out the one-line circumvention that's
> >> documented in bug #7896.  The circumvention is in the OS (since OFW
> >> keeps no state).
> >>
> >>        John
> >
> >
> > -- 
> > Walter Bender
> > Sugar Labs
> > http://www.sugarlabs.org
> >
> >
> > [gnu: I also cc'd this to support-gang, but that required sending it
> > from a different email address, due to how I am subscribed there.]
> > _______________________________________________
> > Devel mailing list
> > Devel at lists.laptop.org
> > http://lists.laptop.org/listinfo/devel
> 
> _______________________________________________
> Devel mailing list
> Devel at lists.laptop.org
> http://lists.laptop.org/listinfo/devel
-- 
Jim Gettys <jg at laptop.org>
One Laptop Per Child



More information about the Devel mailing list