maemo.org - Talk

Thread: [Alert] PR1.2 install bug - take action now! (https://talk.maemo.org/showthread.php?t=82495), in the MeeGo / Harmattan forum (https://talk.maemo.org/forumdisplay.php?f=45)

itsnotabigtruck 2012-02-21 19:51

[Alert] PR1.2 install bug - take action now!
 
THE ISSUE

In the upcoming PR1.2 release, the installer contains an issue that will block packages from custom APT repositories from being installed unless they contain Secure APT signatures.

This means that it will become rather complicated to install packages from:

  • Nokia's Harmattan Platform SDK repository
  • rzr/djszapi's temporary community repository
  • Most other repositories

These repositories contain ports of important utilities that are useful for developers and advanced N9 users.

WHAT YOU CAN DO

It's most likely too late to fix this, and Nokia might consider it to be more of a feature than a bug. However, you can still take action:

  • Register on the Harmattan bug tracker and vote for Bug 978 to encourage Nokia to sign the SDK repository.
  • If you maintain an APT repository, add signatures now so you won't be caught by surprise when PR1.2 arrives for the general public. Even if it weren't a necessity, Secure APT is a good idea that can help protect against sabotaged packages when you use untrusted networks (like WiFi hotspots). You can read more on the Debian wiki.
    • If you use the MeeGo Open Build Service to host your repository, you can enable automatic signing using osc signkey - see the OpenSUSE OBS documentation for more info.
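The Release signature is only the top of the Secure APT trust chain: once gpg has verified Release, apt checks that each downloaded Packages index matches the size and hash listed in Release, and each .deb matches its entry in Packages. The following Python is an added example, not code from this post or from Debian or Nokia tooling; it implements the Release-to-Packages check over constructed sample data and assumes the gpg verification of Release has already succeeded.

```python
"""Check a fetched Packages index against the SHA256 list in a (signed) Release file.
All sample data below is constructed for this example, not taken from any real repository."""
import hashlib

# Constructed Packages index for one component/architecture. A real index carries the
# SHA256 of each .deb; here it is a labelled placeholder.
PACKAGES = (
    "Package: example-tool\n"
    "Version: 1.0-1\n"
    "Architecture: armel\n"
    "Filename: pool/main/e/example-tool_1.0-1_armel.deb\n"
    "SHA256: <placeholder-deb-hash>\n\n"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed Release file: the SHA256 block lists "<hash> <size> <path>" per index,
# which is what the detached Release.gpg signature ultimately covers.
RELEASE = (
    "Origin: Example\n"
    "Suite: harmattan\n"
    "SHA256:\n"
    f" {sha256_hex(PACKAGES.encode())} {len(PACKAGES.encode())} main/binary-armel/Packages\n"
)


def parse_release_hashes(release: str) -> dict:
    """Return {path: (sha256_hex, size)} parsed from the SHA256: block of a Release file."""
    entries, in_block = {}, False
    for line in release.splitlines():
        if line.startswith("SHA256:"):
            in_block = True
            continue
        if in_block and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        elif in_block:
            in_block = False  # a new field header ends the hash block
    return entries


def index_matches_release(release: str, path: str, index: bytes) -> bool:
    """True only if the fetched index has exactly the size and SHA256 the Release lists for it.
    An index missing from Release is rejected: an unsigned file could otherwise be substituted."""
    expected = parse_release_hashes(release).get(path)
    if expected is None:
        return False
    digest, size = expected
    return len(index) == size and sha256_hex(index) == digest
```

A same-length edit to the index (for instance changing a version string) passes the size check but fails the hash check, which is the case the signature chain exists to catch.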

mikecomputing 2012-02-21 20:18

Re: [Alert] PR1.2 install bug - take action now!
 
"Secure APT signatures."

So what's wrong with securing my N9!? If you want to install untrusted sources, you should get a crappy Android device with lots of viruses and malware.

If devs are too lazy to set up certs, I don't want such packages installed on my device anyway.

It's there for a good reason.

EDIT: Sorry, my mistake, I read it as if you meant the Secure APT signature thing was something that was bad...

pycage 2012-02-21 20:22

Re: [Alert] PR1.2 install bug - take action now!
 
Quote:

Originally Posted by itsnotabigtruck (Post 1167960)
  • If you use the MeeGo Open Build Service to host your repository, you can enable automatic signing using osc signkey - see the OpenSUSE OBS documentation for more info.

Or just submit a request to publish on apps.formeego.org, as that would be just a click away on the public MeeGo OBS.

itsnotabigtruck 2012-02-21 20:26

Re: [Alert] PR1.2 install bug - take action now!
 
Quote:

Originally Posted by mikecomputing (Post 1167972)
"Secure APT signatures."

So what's securing my N9!?!?

If devs are too lazy to set up certs, I don't want such packages installed on my device anyway.

It's there for a good reason.

Because one of those devs that is "to lazy" is Nokia - this issue breaks one of Nokia's own repositories. If you want that to change, vote for Nokia to fix Bug 978.

Also, setting up Secure APT signing won't actually make much of anything more secure by itself. The root problem is a mistake in Aegis, not some sort of well-thought-out security measure. However, this is the easiest way to curtail the damage.

Quote:

Originally Posted by pycage (Post 1167973)
Or just submit a request to publish on apps.formeego.org, as that would be just a click away on the public MeeGo OBS.

The problem is that apps.formeego.org prohibits anything other than standalone apps - such as shared libraries - so in many/most cases things that would be eligible for that repository could be and are distributed through Ovi Store instead.

joerg_rw 2012-02-21 20:27

Re: [Alert] PR1.2 install bug - take action now!
 
Quote:

Originally Posted by mikecomputing (Post 1167972)
"Secure APT signatures."

So what's wrong with securing my N9!? If you want to install untrusted sources, you should get a crappy Android device with lots of viruses and malware.

If devs are too lazy to set up certs, I don't want such packages installed on my device anyway.

It's there for a good reason.


PFFF, if you don't want those packages installed, you shouldn't install them. Simple as that. Please don't troll here about forcefeeding other users your notion - if anybody else wants to install those packages, it's rather irrelevant if you don't like to install pkgs that can't get installed.

:-(
/j

mikecomputing 2012-02-21 20:31

Re: [Alert] PR1.2 install bug - take action now!
 
Quote:

Originally Posted by itsnotabigtruck (Post 1167976)
Because one of those devs that is "to lazy" is Nokia - this issue breaks one of Nokia's own repositories. If you want that to change, vote for Nokia to fix Bug 978.

Also, setting up Secure APT signing won't actually make much of anything more secure by itself. The root problem is a mistake in Aegis, not some sort of well-thought-out security measure. However, this is the easiest way to curtail the damage.
The problem is that apps.formeego.org prohibits anything other than standalone apps - such as shared libraries - so in many/most cases things that would be eligible for that repository could be and are distributed through Ovi Store instead.

Yup, dumb me, I read too fast and took it as if the Secure APT was something you thought was bad.

But I still think it's a good choice to only support trusted keys. But of course Nokia should fix the SDK repo key...

mikecomputing 2012-02-21 20:38

Re: [Alert] PR1.2 install bug - take action now!
 
Quote:

Originally Posted by joerg_rw (Post 1167977)
PFFF, if you don't want those packages installed, you shouldn't install them. Simple as that. Please don't troll here about forcefeeding other users your notion - if anybody else wants to install those packages, it's rather irrelevant if you don't like to install pkgs that can't get installed.

:-(
/j

Well, as already stated, I was mistaking his post in a way. But still I think it's good to point to only supporting trusted keys, at least for normal users.

I guess they could add an option in root mode to ask if not trusted.

But personally I am sick and tired of "untrusted" keys both in Linux and on many https:// sites. The more you have to "enter untrusted", the more you ignore those warnings.

So my point was more like get the damn key/certs etc.. in place...

jalyst 2012-02-21 20:43

Re: [Alert] PR1.2 install bug - take action now!
 
Quote:

Originally Posted by joerg_rw (Post 1167977)
PFFF, if you don't want those packages installed, you shouldn't install them. Simple as that. Please don't troll here about forcefeeding other users your notion - if anybody else wants to install those packages, it's rather irrelevant if you don't like to install pkgs that can't get installed.

:-(
/j

OFF-TOPIC

@joerg_rw, could you please update folks on what's happening here?
H-E-N9 USB hostmode enabler N9
http://forum.meego.com/showthread.php?t=4610&page=3

Been awfully quiet for months, it'd be great to know if any progress or none has been made.
If you no longer have time, then we need to find someone else who can take it on.

TY.

itsnotabigtruck 2012-02-21 20:45

Re: [Alert] PR1.2 install bug - take action now!
 
Quote:

Originally Posted by mikecomputing (Post 1167985)
Well, as already stated, I was mistaking his post in a way. But still I think it's good to point to only supporting trusted keys, at least for normal users.

I guess they could add an option in root mode to ask if not trusted.

But personally I am sick and tired of "untrusted" keys both in Linux and on many https:// sites. The more you have to "enter untrusted", the more you ignore those warnings.

So my point was more like get the damn key/certs etc.. in place...

This isn't the same as SSL certificates - APT security doesn't even use SSL, or certificates. While APT signatures can make things more secure for expert users, this isn't going to provide any benefit to anyone in most cases. Instead, it'll just make it harder to set up repositories distributing additional N9 apps, and confuse users with strange error messages.

Deploying APT signatures also does nothing to protect against malware in any realistic scenario - though since malware follows the money, I highly doubt such programs will ever be a serious threat on Harmattan.

However, in order to have things continue to work smoothly on PR1.2, it's going to be necessary to use APT signatures anyway, so it's time to get started.

caco3 2012-02-21 21:26

Re: [Alert] PR1.2 install bug - take action now!
 
@itsnotabigtruck:
Do you have any source for your statements?
Also, I am wondering, do apps in the OVI store somehow get signed?
I pack my (Python) apps in scratchbox, so I am sure there is no signing there, especially since I never generated a key.
I have a N9 for testing my apps with a quite up to date PR 1.2 beta and haven’t seen any issues with this.
