Posts: 245 | Thanked: 891 times | Joined on Feb 2012
#1
THE ISSUE

In the upcoming PR1.2 release, the installer contains an issue that will block packages from custom APT repositories from being installed unless they contain Secure APT signatures.

This means that it will become rather complicated to install packages from:

  • Nokia's Harmattan Platform SDK repository
  • rzr/djszapi's temporary community repository
  • Most other repositories

These repositories contain ports of important utilities that are useful for developers and advanced N9 users.

WHAT YOU CAN DO

It's most likely too late to fix this, and Nokia might consider it to be more of a feature than a bug. However, you can still take action:

  • Register on the Harmattan bug tracker and vote for Bug 978 to encourage Nokia to sign the SDK repository.
  • If you maintain an APT repository, add signatures now so you won't be caught by surprise when PR1.2 arrives for the general public. Even if it weren't a necessity, Secure APT is a good idea that can help protect against sabotaged packages when you use untrusted networks (like WiFi hotspots). You can read more on the Debian wiki.
    • If you use the MeeGo Open Build Service to host your repository, you can enable automatic signing using osc signkey - see the OpenSUSE OBS documentation for more info.

Last edited by itsnotabigtruck; 02-21-2012 at 03:56 PM.
 

The Following 20 Users Say Thank You to itsnotabigtruck For This Useful Post:
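As an added illustration (not code from the original thread), here is the chain that Secure APT actually checks once a repository's Release file is signed: the signed Release lists the SHA256 of each Packages index, and the index lists the SHA256 of each .deb, which is why one signature on a small file covers every package and why no SSL or certificates are involved. The repository data below is constructed; the GPG step itself (gpg --clearsign on Release, checked against the key imported with apt-key) is outside this snippet.

```python
import hashlib

# Constructed sample data (not a real Harmattan repo): a Packages index and its .deb.
DEB_BYTES = b"!<arch>\nfake-deb-contents-for-demo\n"
PACKAGES = (
    "Package: example-tool\n"
    "Version: 1.0-1\n"
    "Architecture: armel\n"
    "Filename: pool/main/e/example-tool_1.0-1_armel.deb\n"
    f"Size: {len(DEB_BYTES)}\n"
    f"SHA256: {hashlib.sha256(DEB_BYTES).hexdigest()}\n"
)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_release(indexes: dict) -> str:
    """Build the Release file; this is what the repository key signs
    (as InRelease or a detached Release.gpg)."""
    lines = ["Origin: example-repo", "Suite: harmattan",
             "Architectures: armel", "Components: main", "SHA256:"]
    for name, data in sorted(indexes.items()):
        lines.append(f" {sha256_hex(data)} {len(data):>16} {name}")
    return "\n".join(lines) + "\n"

def parse_release_sha256(release: str) -> dict:
    """Return {path: (sha256, size)} from the Release file's SHA256 block."""
    entries, in_block = {}, False
    for line in release.splitlines():
        if line.startswith("SHA256:"):
            in_block = True
        elif in_block and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_block = False
    return entries

def verify_index(release: str, name: str, data: bytes) -> bool:
    """Check an index against the signed Release: the first link apt follows
    from the repository signature down to individual packages."""
    expected = parse_release_sha256(release).get(name)
    return expected is not None and expected == (sha256_hex(data), len(data))

def verify_deb(packages: str, deb: bytes) -> bool:
    """Check a .deb against the SHA256 and Size in the verified Packages index."""
    fields = dict(l.split(": ", 1) for l in packages.splitlines() if ": " in l)
    return fields.get("SHA256") == sha256_hex(deb) and int(fields["Size"]) == len(deb)

RELEASE = build_release({"main/binary-armel/Packages": PACKAGES.encode()})
```

A repository mirror or hotspot that alters either the index or a .deb breaks one of the two hash checks, which is the "sabotaged packages" case the Debian wiki page refers to.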
mikecomputing | Posts: 3,115 | Thanked: 3,537 times | Joined on Feb 2010 @ Sweden
#2
"Secure APT signatures."

So what's wrong with securing my N9!? If you want to install untrusted sources you should get a crappy Android device with lots of viruses and malware.

If devs are too lazy to set up certs, I don't want such packages installed on my device anyway.

It's there for a good reason.

EDIT: Sorry, my mistake, I read it as if you meant the Secure APT signature thing was something that was bad...

Last edited by mikecomputing; 02-21-2012 at 04:29 PM.
 
pycage | Posts: 3,225 | Thanked: 3,588 times | Joined on Oct 2005 @ Germany
#3
Originally Posted by itsnotabigtruck
  • If you use the MeeGo Open Build Service to host your repository, you can enable automatic signing using osc signkey - see the OpenSUSE OBS documentation for more info.
Or just submit a request to publish on apps.formeego.org, as that would be just a click away on the public MeeGo OBS.
__________________
Apps For MeeGo - Graphical Client for N9/N950 and other devices
- http://apps.formeego.org

MediaBox Media Center - music, videos, pictures, UPnP, etc. for N8(10) and N900
- http://garage.maemo.org/projects/mediabox

pyFMRadio - control the FM radio on N800 and N900 with Python
- http://garage.maemo.org/projects/pyfmradio
 

The Following 3 Users Say Thank You to pycage For This Useful Post:
Posts: 245 | Thanked: 891 times | Joined on Feb 2012
#4
Originally Posted by mikecomputing
"Secure APT signatures."

So what's securing my N9!?!?

If devs are too lazy to set up certs, I don't want such packages installed on my device anyway.

It's there for a good reason.
Because one of those devs that is "too lazy" is Nokia - this issue breaks one of Nokia's own repositories. If you want that to change, vote for Nokia to fix Bug 978.

Also, setting up Secure APT signing won't actually make much of anything more secure by itself. The root problem is a mistake in Aegis, not some sort of well-thought-out security measure. However, this is the easiest way to curtail the damage.

Originally Posted by pycage
Or just submit a request to publish on apps.formeego.org, as that would be just a click away on the public MeeGo OBS.
The problem is that apps.formeego.org prohibits anything other than standalone apps - such as shared libraries - so in many/most cases things that would be eligible for that repository could be and are distributed through Ovi Store instead.

Last edited by itsnotabigtruck; 02-21-2012 at 04:28 PM.
 

The Following 2 Users Say Thank You to itsnotabigtruck For This Useful Post:
joerg_rw | Community Council | Posts: 1,749 | Thanked: 9,378 times | Joined on Mar 2010 @ SOL 3
#5
Originally Posted by mikecomputing
"Secure APT signatures."

So what's wrong with securing my N9!? If you want to install untrusted sources you should get a crappy Android device with lots of viruses and malware.

If devs are too lazy to set up certs, I don't want such packages installed on my device anyway.

It's there for a good reason.

PFFF, if you don't want those packages installed, you shouldn't install them. Simple as that. Please don't troll here about force-feeding other users your notion - if anybody else wants to install those packages, it's rather irrelevant if you don't like to install pkgs that can't get installed.

:-(
/j
__________________
Maemo Community Council member [2012-10, 2013-05, 2013-11 terms]
Hildon Foundation Council inaugural member.

EX Hildon Foundation approved
Maemo Administration Coordinator (stepped down due to bullying 2014-04-05)
aka "techstaff" - the guys who keep your infra running - Devotion to Duty http://xkcd.com/705/

IRC(freenode): DocScrutinizer*
First USB hostmode fanatic, father of H-E-N
 

The Following User Says Thank You to joerg_rw For This Useful Post:
mikecomputing | Posts: 3,115 | Thanked: 3,537 times | Joined on Feb 2010 @ Sweden
#6
Originally Posted by itsnotabigtruck
Because one of those devs that is "too lazy" is Nokia - this issue breaks one of Nokia's own repositories. If you want that to change, vote for Nokia to fix Bug 978.

Also, setting up Secure APT signing won't actually make much of anything more secure by itself. The root problem is a mistake in Aegis, not some sort of well-thought-out security measure. However, this is the easiest way to curtail the damage.

The problem is that apps.formeego.org prohibits anything other than standalone apps - such as shared libraries - so in many/most cases things that would be eligible for that repository could be and are distributed through Ovi Store instead.
Yup, dumb me, I read it too fast and took it as if Secure APT was something you thought was bad.

But I still think it's a good choice to only support trusted keys. But of course Nokia should fix the SDK repo key...
 
mikecomputing | Posts: 3,115 | Thanked: 3,537 times | Joined on Feb 2010 @ Sweden
#7
Originally Posted by joerg_rw
PFFF, if you don't want those packages installed, you shouldn't install them. Simple as that. Please don't troll here about force-feeding other users your notion - if anybody else wants to install those packages, it's rather irrelevant if you don't like to install pkgs that can't get installed.

:-(
/j
Well, as already stated, I was mistaking his post in a way. But still I think it's a good point to only support trusted keys, at least for normal users.

I guess they could add an option in root mode to ask if not trusted.

But personally I am sick and tired of "untrusted" keys both in Linux and on many https:// sites. The more you have to "enter untrusted" the more you ignore those warnings.

So my point was more like get the damn key/certs etc.. in place...
 
Posts: 5,038 | Thanked: 3,896 times | Joined on Oct 2009
#8
Originally Posted by joerg_rw
PFFF, if you don't want those packages installed, you shouldn't install them. Simple as that. Please don't troll here about force-feeding other users your notion - if anybody else wants to install those packages, it's rather irrelevant if you don't like to install pkgs that can't get installed.

:-(
/j
OFF-TOPIC

@joerg_rw, could you please update folks on what's happening here?
H-E-N9 USB hostmode enabler N9
http://forum.meego.com/showthread.php?t=4610&page=3

Been awfully quiet for months, it'd be great to know if any progress or none has been made.
If you no longer have time, then we need to find someone else who can take it on.

TY.
 

The Following User Says Thank You to jalyst For This Useful Post:
Posts: 245 | Thanked: 891 times | Joined on Feb 2012
#9
Originally Posted by mikecomputing
Well, as already stated, I was mistaking his post in a way. But still I think it's a good point to only support trusted keys, at least for normal users.

I guess they could add an option in root mode to ask if not trusted.

But personally I am sick and tired of "untrusted" keys both in Linux and on many https:// sites. The more you have to "enter untrusted" the more you ignore those warnings.

So my point was more like get the damn key/certs etc.. in place...
This isn't the same as SSL certificates - APT security doesn't even use SSL, or certificates. While APT signatures can make things more secure for expert users, this isn't going to provide any benefit to anyone in most cases. Instead, it'll just make it harder to set up repositories distributing additional N9 apps, and confuse users with strange error messages.

Deploying APT signatures also does nothing to protect against malware in any realistic scenario - though since malware follows the money, I highly doubt such programs will ever be a serious threat on Harmattan.

However, in order to have things continue to work smoothly on PR1.2, it's going to be necessary to use APT signatures anyway, so it's time to get started.

Last edited by itsnotabigtruck; 02-21-2012 at 05:28 PM.
 

The Following 2 Users Say Thank You to itsnotabigtruck For This Useful Post:
caco3 | Posts: 559 | Thanked: 410 times | Joined on May 2010 @ Switzerland
#10
@itsnotabigtruck:
Do you have any source for your statements?


Also, I am wondering, do apps in the OVI store somehow get signed?
I pack my (Python) apps in scratchbox, so I am sure there is no signing there, especially since I never generated a key.
I have a N9 for testing my apps with a quite up to date PR 1.2 beta and haven’t seen any issues with this.
__________________
On N9 check out this:
CacheMe 4 the N9, a geocaching client / MiniBible, a bible viewer / TheWord brings daily bible verses onto your phone / BatteryGraph to monitor the battery drainage / doublepress2unlock to unlock your phone with a double press onto the power button / GPRS Data Usage to monitor your GPRS data usage /
and more...

On N900 check out this: SleepAnalyser to analyse your sleep movements / PasswordMaker a for a password generator
 