ed at laptop.org
Wed Dec 2 08:09:55 EST 2009
I would prefer not to speculate about what is happening or not happening in various locations; if small XO situations want updates they can obtain developer keys for them. I'm not aware of any requests from Cambodia for software updates they don't have, or for signed builds. It's important to remember that we added considerable support for signing autonomy to the XO-1 and OFW, in order to avoid the perpetual unfunded mandate of having OLPC provide signed builds and related signature tasks.
On Dec 2, 2009, at 2:49 AM, Philipp Kocher wrote:
> Hi Ed, Martin
> What is the plan for the Fedora 11 build for XO-1, will OLPC sign such a build or is 802 the last build signed by OLPC?
> I don't think one of the two options is a good solution for small deployments without a tech team.
> I think for the case of Cambodia with many small deployments (educational NGOs got XOs donated from G1G1/OLPC or other donors), no signed builds probably means that the XOs don't get updated anymore.
> Best regards,
> On 12/01/2009 08:04 PM, Ed McNierney wrote:
>> Philipp -
>> An OS image signed by OLPC can be booted by any XO-1.0 laptop in the world, except for those which have been reconfigured by a deployment to only respect software signed by other security keys. That implies a higher level of testing and certification than an image that can be selectively adopted by specific deployments who can do their own testing to decide whether that release is suitable for their application. As OLPC's deployments grow both in number of total laptops deployed and in the number of different localities supported, it becomes increasingly burdensome / difficult to package and test One Image to Boot Them All worldwide.
>> As Martin points out, we are continuing to try to move users toward either (a) using machines with boot-image security disabled, so they can run any software, or (b) using locally-developed and locally-maintained signature authorities to sign OS images for secure boot in local deployments.
>> - Ed
>> On Dec 1, 2009, at 4:14 AM, Philipp Kocher wrote:
>>>> - It won't be signed by OLPC. You have to be on an unlocked XO, or be
>>>> a deployment signing your own builds.
>>> Is there a reason why 8.2.2 doesn't get signed by OLPC?
>>> I do understand that the main target group are big deployments which can
>>> sign the build, but why are others excluded?
>>> In the past even release candidates like build 800 got signed by OLPC.
>>> Cheers Philipp
>>> Devel mailing list
>>> Devel at lists.laptop.org
More information about the Devel