[Server-devel] Roadblocks for a central OATS server

[Daniel Drake]

Hi Martin,

As discussed we're planning on putting a central internet-accessible
OATS server in La Rioja, in addition to the ones in the schools.
The purpose is to be able to deactivate stolen laptops before their
lease expiry (assuming the thief doesn't take the laptop to the
school, but does put it online somewhere else).

We're not yet in the stages of implementing this part of the system
(still working on the in-school OATS server and delegation
technicalities, obviously more important) but our discussions have
brought up some things which you'd probably be interested in
commenting on:

1. Our central internet-accessible server for this task runs Fedora 12
and will need to be kept up to date with any security fixes, distro
EOLs, etc.
Your olpc-bios-crypto package does not install on F12 (dependency hell).
While me doing a F12 rebuild is any easy option for me, I don't feel
comfortable leaving that process with the deployment team. So we've
showed them how to install it from git in a home directory, which is
easy, documented, and sufficient for these tasks. Problem solved, for
now, but OLPC really needs to get olpc-bios-crypto into Fedora...

2. Installing an OATS server
We need to actually install an OATS server on this F12 system and...well...how?
I assume installing the xs-activation RPM would pull in a lot of XS
packages, and perhaps has implicit dependencies on certain XS elements
(moodle?).
Another option is oatslite, but that doesn't support stolen
notifications and doesn't support delegations -- Guillermo decided
that we can't put the OATS master key on this server so we have to
produce keys for it, and give it delegations for all 60k laptops.
(trivial to add this code to oatslite, but this point remains as
something undecided and uninvestigated for now)

Daniel