[Sugar-devel] Problem downloading a lease.sig file on an XO

Samuel Greenfeld greenfeld at laptop.org
Wed Sep 12 21:22:42 EDT 2012


This might be a better question for the OLPC development lists.

On Wed, Sep 12, 2012 at 8:39 PM, Juan Cubillo <jcubillo at fundacionqt.org> wrote:

> Hello,
>
> Our project would like to give kids the possibility of downloading a
> lease.sig file and unlock a friend's or family XO without having to contact
> our tech support team. In order to do this, I set up a public dropbox link
> to a nightly generated lease.sig file that gives the XOs some extra
> activation time.
> Problem is that when an XO downloads the file, its name gets an extra
> .asc extension so it ends up as lease.sig.asc.
> Since kids will be doing this, I wanted to give them only the basic steps
> to be able to re-activate laptops: 1-Download file. 2-place it on an empty
> usb memory. 3-Connect to xo and turn on.
> Re-naming the file would mean that they have to go to terminal, cd into
> the thumbdrive directory, change filename, etc... it's just way too much.
>
> So... couple questions:
> 1. Is there a security problem/concern with having our project's lease.sig
> file publicly available? (we only generate activations for non-stolen XOs)
>

I will leave this to deployment staff to answer authoritatively, but the
only practical attack I can think of is thieves will know where to find a
lease if an XO is not reported stolen, or before it is reported stolen.
They can then use this lease to use or sell the XO.

Theoretically it might be possible to reverse engineer your private lease
key given lots and lots of sample leases but I seriously doubt any real
thief can do that.  The mathematics skills required to do this are not
trivial.

> 2. Why is the XO adding this .asc extension or how can it be avoided?
>

Are you having the students download the lease in Browse from within
Sugar?  If so Sugar's journal internally uses mime types, not file
extensions, until a file is written to an external device or folder.  The
extension ".asc" is one possible choice for plain text.(*) I was able to
reproduce this problem given this approach.

I agree that this is not the best behavior, especially if Browse can
potentially determine the original extension while downloading.

If your XO images have the GNOME desktop in them, using the web browser
included for GNOME (Firefox or Epiphany) to download the file to USB should
not alter the file name.  Just make sure the kids know how to "eject" the
USB stick when they are done.

(*) The ".asc" choice could be due to
http://bugs.sugarlabs.org/ticket/2267 (also
http://bugs.sugarlabs.org/ticket/3226)


> Regards,
>
>  - Juan Cubillo