Ticket #6432 (closed defect: fixed)
Autoinstallation of RPMs
Reported by: cscott
Owned by: cscott
Keywords: cjbfor9.1.0
Cc: mstone, cjb, krstic, jg, dgilmore, bemasc, mikus@…, isforinsects
Deployments affected:
Blocked By: #7595
Developers have a peculiar use case: they often want to install multiple additional packages on top of the base build, and they are willing to do maintenance to fix things that break.
A proposed mechanism is to have a signed script on an attached USB or SD device which is run by olpc-configure on reconfigurations (first boot of a new OS build). The script may be signed by the public/private keypair of the XO to tie it to a specific machine, minimizing use of this vector for trojans. (Reflashes nuke the keypair; an alternative is to simply incorporate a hash of the SN and (hidden) UUID to equivalently tie the script to a specific machine.)
Ultimately, the desired use case is something like the following:
    # olpc-install emacs
    # olpc-sign-cache
This hypothetically would use yum and the network to download emacs and its dependent RPMs and store them on an appropriate USB/SD device. The olpc-sign-cache command would create an appropriate script to install these RPMs, 'sign' it to tie it to the current machine, and install it under the appropriate filename on the USB/SD device.
First step, however, is just to provide the basic mechanism; the friendly tools can come later.
To think about: in addition to an attached USB or SD device, we could also consider looking in /home/olpc/.foobar-cache, which may be appropriate for 'small' customizations.
This mechanism is dangerous: countries should be discouraged from using this in school deployments because updates may break kids' laptops in arbitrary ways.
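A sketch of the alternative binding the ticket mentions (tying the script to one machine through a hash of the SN and hidden UUID), added here as an example and not taken from the ticket or from OLPC code. The HMAC-SHA256 construction, the function names, the domain label and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac

DOMAIN = b"autoinstall-example-v1"  # hypothetical domain-separation label


def machine_key(serial: str, uuid: str) -> bytes:
    """Derive a per-machine key from the serial number and the hidden UUID."""
    h = hashlib.sha256()
    for field in (DOMAIN, serial.encode(), uuid.encode()):
        # Length-prefix each field so ("AB", "C") and ("A", "BC") differ.
        h.update(len(field).to_bytes(4, "big"))
        h.update(field)
    return h.digest()


def sign_script(script: bytes, serial: str, uuid: str) -> str:
    """Return the hex tag that binds this exact script to this machine."""
    key = machine_key(serial, uuid)
    return hmac.new(key, script, hashlib.sha256).hexdigest()


def verify_script(script: bytes, tag: str, serial: str, uuid: str) -> bool:
    """True only if the tag was made for this script on this machine."""
    expected = sign_script(script, serial, uuid).encode()
    # Compare as bytes in constant time; a malformed tag simply fails.
    return hmac.compare_digest(expected, tag.strip().lower().encode())


# Constructed sample values, not real identifiers or paths.
SN_A, UUID_A = "SN-EXAMPLE-0001", "00000000-0000-0000-0000-00000000000a"
SN_B, UUID_B = "SN-EXAMPLE-0002", "00000000-0000-0000-0000-00000000000b"
SCRIPT = b"#!/bin/sh\nrpm -Uvh /example/cache/*.rpm\n"

if __name__ == "__main__":
    tag = sign_script(SCRIPT, SN_A, UUID_A)
    print("same machine:   ", verify_script(SCRIPT, tag, SN_A, UUID_A))
    print("other machine:  ", verify_script(SCRIPT, tag, SN_B, UUID_B))
    print("edited script:  ", verify_script(SCRIPT + b"#", tag, SN_A, UUID_A))
```

Because the key is derived only from the SN and UUID, the binding is only as strong as the secrecy of the UUID: anything that can read both values on the machine can produce a valid tag.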