Posts: 245 | Thanked: 915 times | Joined on Feb 2012
#11
Originally Posted by caco3:
@itsnotabigtruck:
Do you have any source for your statements?
This is all based on tests by N950 PR1.2beta users on the #harmattan IRC - you can see an example of exactly what happens when the problem hits in the attachments of Harmattan Bug 978.

Note that the bug doesn't affect installing .debs that aren't part of an unsigned APT repository - so you won't experience this if you're running dpkg -i on your own packages.

If you want to try testing on your N9, I've sent you my IM info in PM.

Originally Posted by caco3:
Also, I am wondering, do apps in the OVI store somehow get signed?
I pack my (Python) apps in scratchbox, so I am sure there is no signing there, especially since I never generated a key.
I have an N9 for testing my apps with a quite up to date PR 1.2 beta and haven’t seen any issues with this.
Apps submitted to the Ovi Store get signed when published. Try downloading a .deb from the store and running ar tv package.deb - the _x509sig file is the signature. However, that's a different system from what I'm talking about; with APT repository signing, the list of packages is signed instead of each individual .deb. Unlike the other system, repository signing is part of APT itself and is used on other distros like Debian, Ubuntu, etc.

Last edited by itsnotabigtruck; 2012-02-21 at 22:24.
 

The Following User Says Thank You to itsnotabigtruck For This Useful Post:
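As an added illustration of the repository-signing model described in the post above (not code from the thread or from APT itself): the signed Release file lists the hash of the Packages index, and the index lists the hash of each .deb, so one signature over the list covers every package. The repository contents below are constructed, and the Release text is assumed to have already passed signature verification (for example with gpgv against Release.gpg), which the example does not perform.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def release_hashes(release_text: str) -> dict:
    """Map index path -> (sha256, size) from the SHA256: block of a Release file."""
    out, in_block = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_block = True
        elif in_block and line.startswith(" "):
            digest, size, path = line.split()
            out[path] = (digest, int(size))
        else:
            in_block = False
    return out

def package_entries(packages_text: str) -> dict:
    """Map .deb Filename -> (sha256, size) from the stanzas of a Packages index."""
    out = {}
    for stanza in packages_text.strip().split("\n\n"):
        f = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        out[f["Filename"]] = (f["SHA256"], int(f["Size"]))
    return out

def verify_chain(release_text, index_path, packages_bytes, deb_path, deb_bytes):
    """Assumes release_text already passed signature verification (e.g. gpgv)."""
    if release_hashes(release_text).get(index_path) != (sha256(packages_bytes), len(packages_bytes)):
        return "Packages index does not match signed Release"
    entry = package_entries(packages_bytes.decode()).get(deb_path)
    if entry != (sha256(deb_bytes), len(deb_bytes)):
        return ".deb does not match Packages index"
    return "ok"

# Constructed sample repository (names and contents are made up for this example)
DEB = b"!<arch>\nconstructed stand-in for a real .deb\n"
DEB_PATH = "pool/main/h/hello/hello_1.0_armel.deb"
PACKAGES = (f"Package: hello\nVersion: 1.0\nArchitecture: armel\n"
            f"Filename: {DEB_PATH}\nSize: {len(DEB)}\nSHA256: {sha256(DEB)}\n").encode()
INDEX = "main/binary-armel/Packages"
RELEASE = (f"Origin: example\nSuite: stable\nSHA256:\n"
           f" {sha256(PACKAGES)} {len(PACKAGES)} {INDEX}\n")

if __name__ == "__main__":
    print(verify_chain(RELEASE, INDEX, PACKAGES, DEB_PATH, DEB))
    print(verify_chain(RELEASE, INDEX, PACKAGES, DEB_PATH, DEB + b"x"))
    print(verify_chain(RELEASE, INDEX, PACKAGES.replace(b"1.0", b"1.1"), DEB_PATH, DEB))
```

A changed .deb fails at the index step, and an index edited to match it fails at the Release step, which is the only file that carries a signature.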
Posts: 1,348 | Thanked: 1,863 times | Joined on Jan 2009 @ fr/35/rennes
#12
Hi,

Can you tell us how OBS could be set up to handle signed packages?

It looks like this needs to be configured server side, isn't it?


# rzr@lap:home:rzr/ # [1] # osc signkey
home:rzr has no key, trying home
Server returned an error: HTTP Error 404: Not Found
home
# rzr@lap:home:rzr/ # [1] # osc signkey --create
Server returned an error: HTTP Error 400: Bad Request
don't know how to create a key
__________________
Current obsession:

https://purl.org/rzr/abandonware

Please help to list all maemo existing apps :

https://github.com/abandonware/aband...ment-578143760

https://wiki.maemo.org/Apps#

I am looking for " 4 inch TFT LCD display screen " for Nokia n950 HandSet

http://rzr.online.fr/q/lcd


Also, I need online storage to archive files :

http://db.tt/gn5Qffd6#

https://my.pcloud.com/#page=register...e=g8ikZmcfEJy#
 
Posts: 273 | Thanked: 463 times | Joined on May 2011 @ Athens
#13
What about the packages we have already installed from the SDK repo????? I have quite a few. If this breaks or removes something I will be very very pissed.
 
Posts: 245 | Thanked: 915 times | Joined on Feb 2012
#14
Originally Posted by Zoxir:
What about the packages we have already installed from the SDK repo????? I have quite a few. If this breaks or removes something I will be very very pissed.
Those should be left alone during the upgrade - this only affects new installations. Also, the bug can be worked around, so you'll still be able to install SDK packages if you need to post-upgrade...it just won't be a matter of a simple apt-get anymore.
 

The Following User Says Thank You to itsnotabigtruck For This Useful Post:
Posts: 273 | Thanked: 463 times | Joined on May 2011 @ Athens
#15
Originally Posted by itsnotabigtruck:
Those should be left alone during the upgrade - this only affects new installations. Also, the bug can be worked around, so you'll still be able to install SDK packages if you need to post-upgrade...it just won't be a matter of a simple apt-get anymore.
OK man, thanks. I already saw the workaround, but I was worried about the already installed packages. Hopefully you are right.
 
Posts: 1,583 | Thanked: 1,203 times | Joined on Dec 2011 @ Everywhere
#16
really limited N9, maybe this device is not that good, *sigh
__________________
~$
~#
 
Posts: 245 | Thanked: 915 times | Joined on Feb 2012
#17
Originally Posted by ibrakalifa:
really limited N9, maybe this device is not that good, *sigh
Not to worry...for every limitation, there's always an unlimitation.
 

The Following 2 Users Say Thank You to itsnotabigtruck For This Useful Post:
Posts: 1,583 | Thanked: 1,203 times | Joined on Dec 2011 @ Everywhere
#18
I still can't find the 64 GB version here in Indonesia, ty sir. The N900 was also a limited one, but it became unlimited when it came to the right hands.
__________________
~$
~#
 
Posts: 203 | Thanked: 538 times | Joined on Oct 2009 @ Colombia
#19
Originally Posted by itsnotabigtruck:
THE ISSUE

In the upcoming PR1.2 release, the installer contains an issue that will block packages from custom APT repositories from being installed unless they contain Secure APT signatures.
I suppose they don't want us to use the SDK repo on the devices, we should be allowed if we wanted though. Just a question, if they release an updated Harmattan Scratchbox (for PR1.2) with the new apt, wouldn't it be affected by the same issue?
 
Posts: 3,464 | Thanked: 5,107 times | Joined on Feb 2010 @ Gothenburg in Sweden
#20
Originally Posted by itsnotabigtruck:
This isn't the same as SSL certificates - APT security doesn't even use SSL, or certificates. While APT signatures can make things more secure for expert users, this isn't going to provide any benefit to anyone in most cases. Instead, it'll just make it harder to set up repositories distributing additional N9 apps, and confuse users with strange error messages.

Deploying APT signatures also does nothing to protect against malware in any realistic scenario - though since malware follows the money, I highly doubt such programs will ever be a serious threat on Harmattan.

However, in order to have things continue to work smoothly on PR1.2, it's going to be necessary to use APT signatures anyway, so it's time to get started.
I know APT security is not SSL... My point was more about allow/deny dialogs etc...

But why would Debian implement the APT security framework if everyone setting up a repo decided not to use it!? I see it as an ENDUSER, not as a dev. End users don't understand all those security warnings, and it's better not to include all those damn warnings and just deny them.

I am far from an expert on this, but to me it looks like no issue.

Because devs (and Nokia) SHOULD provide "the keys" and the problem is gone.

To me there is more important stuff that should be fixed...

Last edited by mikecomputing; 2012-02-22 at 19:22.
 