maemo.org - Talk

maemo.org - Talk (https://talk.maemo.org/index.php)
-   MeeGo / Harmattan (https://talk.maemo.org/forumdisplay.php?f=45)
-   -   [Alert] PR1.2 install bug - take action now! (https://talk.maemo.org/showthread.php?t=82495)

itsnotabigtruck 2012-02-21 19:51

[Alert] PR1.2 install bug - take action now!
 
THE ISSUE

In the upcoming PR1.2 release, the installer contains an issue that will block packages from custom APT repositories from being installed unless they contain Secure APT signatures.

This means that it will become rather complicated to install packages from:

  • Nokia's Harmattan Platform SDK repository
  • rzr/djszapi's temporary community repository
  • Most other repositories

These repositories contain ports of important utilities that are useful for developers and advanced N9 users.

WHAT YOU CAN DO

It's most likely too late to fix this, and Nokia might consider it to be more of a feature than a bug. However, you can still take action:

  • Register on the Harmattan bug tracker and vote for Bug 978 to encourage Nokia to sign the SDK repository.
  • If you maintain an APT repository, add signatures now so you won't be caught by surprise when PR1.2 arrives for the general public. Even if it weren't a necessity, Secure APT is a good idea that can help protect against sabotaged packages when you use untrusted networks (like WiFi hotspots). You can read more on the Debian wiki.
    • If you use the MeeGo Open Build Service to host your repository, you can enable automatic signing using osc signkey - see the OpenSUSE OBS documentation for more info.
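As an added illustration (not code from the thread, from Nokia or from the Debian project), the digest chain that Secure APT builds on top of the repository key: the repository's Release file is the only thing the OpenPGP key signs (as Release.gpg or InRelease), and it lists the SHA256 of each Packages index, which in turn lists the SHA256 of each .deb. The Release and Packages text below are constructed, as is the four-byte stand-in for a .deb; the signature check over the Release file itself (what gpgv performs) is outside this snippet, which shows only what that signature extends trust to.

```python
import hashlib

# Constructed sample data: one package stanza of a Packages index. The
# digest is SHA256("test"), so b"test" stands in for the .deb's bytes.
PACKAGES_TEXT = b"""Package: example-tool
Version: 1.0-1
Architecture: armel
Filename: pool/main/e/example-tool/example-tool_1.0-1_armel.deb
Size: 4
SHA256: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
"""

INDEX_PATH = "main/binary-armel/Packages"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed Release file: this is the document the repository key signs.
# Its SHA256 section binds the Packages index above by digest and size.
RELEASE_TEXT = (
    "Origin: Example\n"
    "Suite: harmattan\n"
    "Architectures: armel\n"
    "SHA256:\n"
    f" {sha256_hex(PACKAGES_TEXT)} {len(PACKAGES_TEXT)} {INDEX_PATH}\n"
)


def parse_release_digests(release_text: str) -> dict:
    """Return {index_path: (sha256_hex, size)} from the Release SHA256 section."""
    digests = {}
    in_sha256 = False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            # A non-indented line starts a new field; only SHA256 interests us.
            in_sha256 = line.strip() == "SHA256:"
            continue
        if in_sha256:
            digest, size, path = line.split()
            digests[path] = (digest, int(size))
    return digests


def verify_index(release_text: str, index_path: str, index_bytes: bytes) -> bool:
    """Check a downloaded Packages index against the (signed) Release file."""
    entry = parse_release_digests(release_text).get(index_path)
    if entry is None:
        return False  # index not covered by the Release file at all
    digest, size = entry
    return len(index_bytes) == size and sha256_hex(index_bytes) == digest


def parse_packages(packages_text: bytes) -> list:
    """Split a Packages index into stanzas of {field: value}."""
    stanzas = []
    for block in packages_text.decode().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith(" "):
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        if fields:
            stanzas.append(fields)
    return stanzas


def find_package(stanzas: list, name: str):
    return next((s for s in stanzas if s.get("Package") == name), None)


def verify_deb(stanza: dict, deb_bytes: bytes) -> bool:
    """Check a downloaded .deb against its stanza in a verified Packages index."""
    return (len(deb_bytes) == int(stanza["Size"])
            and sha256_hex(deb_bytes) == stanza["SHA256"])


if __name__ == "__main__":
    ok = verify_index(RELEASE_TEXT, INDEX_PATH, PACKAGES_TEXT)
    stanza = find_package(parse_packages(PACKAGES_TEXT), "example-tool")
    print("index verified:", ok, "| deb verified:", verify_deb(stanza, b"test"))
    # A tampered index (one appended stanza) breaks the chain at the first link.
    print("tampered index:", verify_index(RELEASE_TEXT, INDEX_PATH,
                                          PACKAGES_TEXT + b"\nPackage: evil\n"))
```

Because only the Release file is signed, an attacker on an untrusted network who swaps a Packages index or a .deb has to break one of these digests rather than forge a signature per file; conversely, a repository with no Release.gpg or InRelease has no anchor for this chain at all, which is what the PR1.2 installer objects to.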

mikecomputing 2012-02-21 20:18

Re: [Alert] PR1.2 install bug - take action now!
 
"Secure APT signatures."

So what's wrong with securing my N9!? If you want to install untrusted sources, you should get a crappy Android device with lots of viruses and malware.

If devs are too lazy to set up certs, I don't want such packages installed on my device anyway.

It's there for a good reason.

EDIT: Sorry, my mistake, I read it as if you meant the Secure APT signature thing was something bad...

pycage 2012-02-21 20:22

Re: [Alert] PR1.2 install bug - take action now!
 
Quote:

Originally Posted by itsnotabigtruck (Post 1167960)
  • If you use the MeeGo Open Build Service to host your repository, you can enable automatic signing using osc signkey - see the OpenSUSE OBS documentation for more info.

Or just submit a request to publish on apps.formeego.org, as that would be just a click away on the public MeeGo OBS.

itsnotabigtruck 2012-02-21 20:26

Re: [Alert] PR1.2 install bug - take action now!
 
Quote:

Originally Posted by mikecomputing (Post 1167972)
"Secure APT signatures."

So what's securing my N9!?!?

If devs are too lazy to set up certs, I don't want such packages installed on my device anyway.

It's there for a good reason.

Because one of those devs that is "too lazy" is Nokia - this issue breaks one of Nokia's own repositories. If you want that to change, vote for Nokia to fix Bug 978.

Also, setting up Secure APT signing won't actually make much of anything more secure by itself. The root problem is a mistake in Aegis, not some sort of well-thought-out security measure. However, this is the easiest way to curtail the damage.

Quote:

Originally Posted by pycage (Post 1167973)
Or just submit a request to publish on apps.formeego.org, as that would be just a click away on the public MeeGo OBS.

The problem is that apps.formeego.org prohibits anything other than standalone apps - such as shared libraries - so in many/most cases things that would be eligible for that repository could be and are distributed through Ovi Store instead.

joerg_rw 2012-02-21 20:27

Re: [Alert] PR1.2 install bug - take action now!
 
Quote:

Originally Posted by mikecomputing (Post 1167972)
"Secure APT signatures."

So what's wrong with securing my N9!? If you want to install untrusted sources, you should get a crappy Android device with lots of viruses and malware.

If devs are too lazy to set up certs, I don't want such packages installed on my device anyway.

It's there for a good reason.


PFFF, if you don't want those packages installed, you shouldn't install them. Simple as that. Please don't troll here about forcefeeding other users your notion - if anybody else wants to install those packages, it's rather irrelevant if you don't like to install pkgs that can't get installed.

:-(
/j

mikecomputing 2012-02-21 20:31

Re: [Alert] PR1.2 install bug - take action now!
 
Quote:

Originally Posted by itsnotabigtruck (Post 1167976)
Because one of those devs that is "too lazy" is Nokia - this issue breaks one of Nokia's own repositories. If you want that to change, vote for Nokia to fix Bug 978.

Also, setting up Secure APT signing won't actually make much of anything more secure by itself. The root problem is a mistake in Aegis, not some sort of well-thought-out security measure. However, this is the easiest way to curtail the damage.



The problem is that apps.formeego.org prohibits anything other than standalone apps - such as shared libraries - so in many/most cases things that would be eligible for that repository could be and are distributed through Ovi Store instead.

Yup, dumb me, I read too fast and took it as if Secure APT was something you thought was bad.

But I still think it's a good choice to only support trusted keys. But of course Nokia should fix the SDK repo key...

mikecomputing 2012-02-21 20:38

Re: [Alert] PR1.2 install bug - take action now!
 
Quote:

Originally Posted by joerg_rw (Post 1167977)
PFFF, if you don't want those packages installed, you shouldn't install them. Simple as that. Please don't troll here about forcefeeding other users your notion - if anybody else wants to install those packages, it's rather irrelevant if you don't like to install pkgs that can't get installed.

:-(
/j

Well, as already stated, I was mistaking his post in a way. But still I think it's good to only support trusted keys, at least for normal users.

I guess they could add an option in root mode to ask if not trusted.

But personally I am sick and tired of "untrusted" keys both in Linux and on many https:// sites. The more you have to "enter untrusted", the more you ignore those warnings.

So my point was more like get the damn key/certs etc.. in place...

jalyst 2012-02-21 20:43

Re: [Alert] PR1.2 install bug - take action now!
 
Quote:

Originally Posted by joerg_rw (Post 1167977)
PFFF, if you don't want those packages installed, you shouldn't install them. Simple as that. Please don't troll here about forcefeeding other users your notion - if anybody else wants to install those packages, it's rather irrelevant if you don't like to install pkgs that can't get installed.

:-(
/j

OFF-TOPIC

@joerg_rw, could you please update folks on what's happening here?
H-E-N9 USB hostmode enabler N9
http://forum.meego.com/showthread.php?t=4610&page=3

Been awfully quiet for months, it'd be great to know if any progress or none has been made.
If you no longer have time, then we need to find someone else who can take it on.

TY.

itsnotabigtruck 2012-02-21 20:45

Re: [Alert] PR1.2 install bug - take action now!
 
Quote:

Originally Posted by mikecomputing (Post 1167985)
Well, as already stated, I was mistaking his post in a way. But still I think it's good to only support trusted keys, at least for normal users.

I guess they could add an option in root mode to ask if not trusted.

But personally I am sick and tired of "untrusted" keys both in Linux and on many https:// sites. The more you have to "enter untrusted", the more you ignore those warnings.

So my point was more like get the damn key/certs etc.. in place...

This isn't the same as SSL certificates - APT security doesn't even use SSL, or certificates. While APT signatures can make things more secure for expert users, this isn't going to provide any benefit to anyone in most cases. Instead, it'll just make it harder to set up repositories distributing additional N9 apps, and confuse users with strange error messages.

Deploying APT signatures also does nothing to protect against malware in any realistic scenario - though since malware follows the money, I highly doubt such programs will ever be a serious threat on Harmattan.

However, in order to have things continue to work smoothly on PR1.2, it's going to be necessary to use APT signatures anyway, so it's time to get started.

caco3 2012-02-21 21:26

Re: [Alert] PR1.2 install bug - take action now!
 
@itsnotabigtruck:
Do you have any source for your statements?


Also, I am wondering, do apps in the OVI store somehow get signed?
I pack my (Python) apps in scratchbox, so I am sure there is no signing there, especially since I never generated a key.
I have a N9 for testing my apps with a quite up to date PR 1.2 beta and haven’t seen any issues with this.

itsnotabigtruck 2012-02-21 22:17

Re: [Alert] PR1.2 install bug - take action now!
 
Quote:

Originally Posted by caco3 (Post 1168011)
@itsnotabigtruck:
Do you have any source for your statements?

This is all based on tests by N950 PR1.2beta users on the #harmattan IRC - you can see an example of exactly what happens when the problem hits in the attachments of Harmattan Bug 978.

Note that the bug doesn't affect installing .debs that aren't part of an unsigned APT repository - so you won't experience this if you're running dpkg -i on your own packages.

If you want to try testing on your N9, I've sent you my IM info in PM.

Quote:

Originally Posted by caco3 (Post 1168011)
Also, I am wondering, do apps in the OVI store somehow get signed?
I pack my (Python) apps in scratchbox, so I am sure there is no signing there, especially since I never generated a key.
I have a N9 for testing my apps with a quite up to date PR 1.2 beta and haven’t seen any issues with this.

Apps submitted to the Ovi Store get signed when published. Try downloading a .deb from the store and running ar tv package.deb - the _x509sig file is the signature. However, that's a different system from what I'm talking about; with APT repository signing, the list of packages is signed instead of each individual .deb. Unlike the other system, repository signing is part of APT itself and is used on other distros like Debian, Ubuntu, etc.
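The two signing systems contrasted above can be told apart on disk. As an added example that is not from the thread, and not from Nokia's or dpkg's code, the following Python does offline what `ar tv package.deb` does at the shell: a .deb is a plain `ar` archive, so it walks the 60-byte member headers and reports whether a `_x509sig` member (the Ovi Store's per-package signature) is present. The archive bytes are constructed in the script itself; the member payloads are placeholders, not real tarballs or a real signature.

```python
AR_MAGIC = b"!<arch>\n"


def build_ar(members):
    """Build a minimal ar archive from (name, data) pairs (constructed test data).

    Each member has a 60-byte header: name(16) mtime(12) uid(6) gid(6)
    mode(8) size(10) and the two-byte magic "`\\n"; data is padded to an
    even length with a newline, exactly as ar(1) does.
    """
    out = bytearray(AR_MAGIC)
    for name, data in members:
        header = (
            name.ljust(16).encode()
            + b"0".ljust(12)                      # mtime
            + b"0".ljust(6)                       # uid
            + b"0".ljust(6)                       # gid
            + b"100644".ljust(8)                  # mode
            + str(len(data)).ljust(10).encode()   # size in bytes
            + b"`\n"                              # header magic
        )
        out += header + data
        if len(data) % 2:
            out += b"\n"
    return bytes(out)


def list_ar_members(blob: bytes):
    """Return [(name, data), ...] for every member, the way 'ar t' lists them."""
    if blob[:8] != AR_MAGIC:
        raise ValueError("not an ar archive")
    members = []
    pos = 8
    while pos + 60 <= len(blob):
        header = blob[pos:pos + 60]
        if header[58:60] != b"`\n":
            raise ValueError("corrupt member header at offset %d" % pos)
        # Some ar variants terminate names with '/', so strip it as well.
        name = header[0:16].decode("ascii").rstrip().rstrip("/")
        size = int(header[48:58].decode("ascii").strip())
        pos += 60
        data = blob[pos:pos + size]
        if len(data) != size:
            raise ValueError("truncated member %r" % name)
        members.append((name, data))
        pos += size + (size % 2)  # skip the even-length padding byte
    return members


def has_store_signature(deb_blob: bytes) -> bool:
    """True if the .deb carries an Ovi Store _x509sig member."""
    return any(name == "_x509sig" for name, _ in list_ar_members(deb_blob))


# Constructed .deb layouts: placeholder payloads, odd lengths included so the
# padding logic is exercised. A real .deb holds gzipped tarballs here.
UNSIGNED_DEB = build_ar([
    ("debian-binary", b"2.0\n"),
    ("control.tar.gz", b"ctrl"),
    ("data.tar.gz", b"payload"),
])

SIGNED_DEB = build_ar([
    ("debian-binary", b"2.0\n"),
    ("control.tar.gz", b"ctrl"),
    ("data.tar.gz", b"payload"),
    ("_x509sig", b"<signature>"),   # placeholder, not a real X.509 signature
])


if __name__ == "__main__":
    for label, blob in (("unsigned", UNSIGNED_DEB), ("store", SIGNED_DEB)):
        names = [name for name, _ in list_ar_members(blob)]
        print(label, names, "signed:", has_store_signature(blob))
```

Note what this member does and does not prove: its presence tells you the Store signed that individual .deb, but it says nothing about the repository the file came from, and a repository's Release signature says nothing about a `_x509sig`. The PR1.2 installer's complaint concerns the former only.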

www.rzr.online.fr 2012-02-21 23:38

Re: [Alert] PR1.2 install bug - take action now!
 
hi

Can you tell us how OBS could be set up to handle signed packages?

It looks like this needs to be configured server side, doesn't it?


# rzr@lap:home:rzr/ # [1] # osc signkey
home:rzr has no key, trying home
Server returned an error: HTTP Error 404: Not Found
home
# rzr@lap:home:rzr/ # [1] # osc signkey --create
Server returned an error: HTTP Error 400: Bad Request
don't know how to create a key

Zoxir 2012-02-22 00:15

Re: [Alert] PR1.2 install bug - take action now!
 
What about the packages we have already installed from the SDK repo????? I have quite a few. If this breaks or removes something I will be very very pissed.

itsnotabigtruck 2012-02-22 00:18

Re: [Alert] PR1.2 install bug - take action now!
 
Quote:

Originally Posted by Zoxir (Post 1168080)
What about the packages we have already installed from the SDK repo????? I have quite a few. If this breaks or removes something I will be very very pissed.

Those should be left alone during the upgrade - this only affects new installations. Also, the bug can be worked around, so you'll still be able to install SDK packages if you need to post-upgrade...it just won't be a matter of a simple apt-get anymore.

Zoxir 2012-02-22 01:08

Re: [Alert] PR1.2 install bug - take action now!
 
Quote:

Originally Posted by itsnotabigtruck (Post 1168082)
Those should be left alone during the upgrade - this only affects new installations. Also, the bug can be worked around, so you'll still be able to install SDK packages if you need to post-upgrade...it just won't be a matter of a simple apt-get anymore.

Ok man, thanks. I already saw the workaround but I was worried about the already installed packages. Hopefully you are right :D

ibrakalifa 2012-02-22 02:11

Re: [Alert] PR1.2 install bug - take action now!
 
really limited N9, maybe this device is not that good, *sigh

itsnotabigtruck 2012-02-22 02:13

Re: [Alert] PR1.2 install bug - take action now!
 
Quote:

Originally Posted by ibrakalifa (Post 1168102)
really limited N9, maybe this device is not that good, *sigh

Not to worry...for every limitation, there's always an unlimitation. ;)

ibrakalifa 2012-02-22 02:28

Re: [Alert] PR1.2 install bug - take action now!
 
I still can't find the 64GB version here in Indonesia, ty sir. The N900 was also a limited one, but became unlimited when it came into the right hands :)

munozferna 2012-02-22 17:47

Re: [Alert] PR1.2 install bug - take action now!
 
Quote:

Originally Posted by itsnotabigtruck (Post 1167960)
THE ISSUE

In the upcoming PR1.2 release, the installer contains an issue that will block packages from custom APT repositories from being installed unless they contain Secure APT signatures.

I suppose they don't want us to use the SDK repo on the devices, we should be allowed if we wanted though. Just a question, if they release an updated Harmattan Scratchbox (for PR1.2) with the new apt, wouldn't it be affected by the same issue?

mikecomputing 2012-02-22 19:03

Quote:

Originally Posted by itsnotabigtruck (Post 1167990)
This isn't the same as SSL certificates - APT security doesn't even use SSL, or certificates. While APT signatures can make things more secure for expert users, this isn't going to provide any benefit to anyone in most cases. Instead, it'll just make it harder to set up repositories distributing additional N9 apps, and confuse users with strange error messages.

Deploying APT signatures also does nothing to protect against malware in any realistic scenario - though since malware follows the money, I highly doubt such programs will ever be a serious threat on Harmattan.

However, in order to have things continue to work smoothly on PR1.2, it's going to be necessary to use APT signatures anyway, so it's time to get started.

I know APT security is no SSL... My point was more about allow/deny dialogs etc...

But why would Debian implement the APT security framework if everyone setting up a repo decided not to use it!? I see it as an END USER, not as a dev. End users don't understand all those security warnings, so better not include all those damn warnings and just deny them.

I am far from an expert on this, but to me it looks like no issue.

Because devs (and Nokia) SHOULD provide "the keys" and the problem is gone.

To me there is more important stuff that should be fixed...

jalyst 2012-02-22 19:23

Re: [Alert] PR1.2 install bug - take action now!
 
Quote:

Originally Posted by ibrakalifa (Post 1168102)
really limited N9, maybe this device is not that good, *sigh

Sounds like you need to re-read the thread & bug-report & understand the entire issue fully ;)
