[maemo-community] BIG problem with Maemo repositories!

From: robert bauer nybauer at gmail.com
Date: Fri Dec 21 14:41:43 EET 2012
On Mon, Dec 17, 2012 at 4:51 AM, Kenneth Kasilag <kenneth at meta.mm.am> wrote:

> We can ask Nokia to point maemo.nokia.org's DNS records to whatever is
> set up in the future - they'll likely oblige, as we'll be taking the
> problem off their hands. (Hopefully. If they don't, then the N900 users who
> don't browse Maemo.org are in for quite some trouble)
>
We can ask, but Nokia probably will not do that.


> As for the repo signing keys, can we get Nokia to push out an update
> (mp-fremantle-pr) signed with *their* keys, and whose purpose it is to
> change the APT signing key to Maemo.org's new signing key.
>
Nokia will probably be even more reluctant to push out any update than to
do a DNS redirect.


> CSSU team and other packagers of alternative mp-fremantle-pr metapackage
> can follow suit.
>
Do you know whether there are in fact other packagers of alternative
mp-fremantle-pr metapackages?  If so, please identify them so they can be
contacted about this problem.


> That's how we can get signing keys changed with the least user interaction.
>
Neither of the above proposals is likely to happen.  We should prepare a
Plan B to address this problem through maemo.org.  Do we need anything
from Nokia (other than handover of maemo.org) in order to be able to solve
this problem?

Rob



>
> On Mon, Dec 17, 2012 at 5:40 PM, Iván Gálvez Junquera <ivgalvez at gmail.com> wrote:
>
>> I have informed Nokia about the problem to try to have a short term
>> solution for the signature expiration.
>>
>> In any case, a long term solution needs to be planned. As Joerg
>> commented, even if we can host all files in the future (which is still
>> unclear, especially for third party binaries), keys and URLs would need to
>> be updated.
>>
>> In the meantime, backing up is essential.
>>
>> Regards
>>
>> 2012/12/17 Pali Rohár <pali.rohar at gmail.com>
>>
>>> On Sunday 16 December 2012 18:57:03 robert bauer wrote:
>>> > On Sun, Dec 16, 2012 at 4:51 PM, joerg reisenweber <reisenweber at web.de> wrote:
>>> > > Sun 16 December 2012
>>> > >
>>> > > > Hello Maemo Community!
>>> > > >
>>> > > > We have a big problem with the repositories. Two months ago the GPG
>>> > > > key for downloads.maemo.nokia.com expired and Hildon Application
>>> > > > Manager is refusing to install or reinstall packages from these
>>> > > > repositories. Part of downloads.maemo.nokia.com is the OTA and OVI
>>> > > > Store repository. This means that the OVI Store is not working
>>> > > > anymore and OTA updates (from PR1.1 or PR1.2) to PR1.3.1 are not
>>> > > > working either.
>>> > > >
>>> > > > A possible solution could be to change the expiration of this key,
>>> > > > but only the owner of the private GPG key can do that (so only Nokia).
>>> > > >
>>> > > > GPG key used for all OTA & Ovi store repositories is:
>>> > > >
>>> > > > pub   1024D/13FA4ED6 2007-10-05 [expired: 2012-10-03]
>>> > > > uid                  Nokia repository signing key 4v1
>>> > > >
>>> > > > OVI apt repo:
>>> > > > https://downloads.maemo.nokia.com/fremantle1.2/ovi/
>>> > > >
>>> > > > OTA apt repos:
>>> > > > https://downloads.maemo.nokia.com/fremantle/ssu/apps/
>>> > > > https://downloads.maemo.nokia.com/fremantle/ssu/mr0
>>> > > > https://downloads.maemo.nokia.com/fremantle/ssu/002
>>> > > > https://downloads.maemo.nokia.com/fremantle/ssu/003
>>> > > > https://downloads.maemo.nokia.com/fremantle/ssu/004
>>> > > > https://downloads.maemo.nokia.com/fremantle/ssu/203
>>> > > > https://downloads.maemo.nokia.com/fremantle/ssu/204
>>> > > > https://downloads.maemo.nokia.com/fremantle/ssu/205
>>> > > > https://downloads.maemo.nokia.com/fremantle/ssu/206
>>> > > > https://downloads.maemo.nokia.com/fremantle/ssu/207
>>> > > > https://downloads.maemo.nokia.com/fremantle/ssu/208
>>> > > > https://downloads.maemo.nokia.com/fremantle/ssu/210
>>> > > >
>>> > > > BCCing council & board about this, because Hildon Application
>>> > > > Manager not working without a proper GPG signature and non-working
>>> > > > OVI store and OTA repositories are a big problem for N900 users.
>>> > >
>>> > > the more 'interesting' aspect of this problem: it gets *worse* with
>>> > > migration/handover of maemo.org to community/board. Since a) it's
>>> > > unclear if Nokia is planning to continue hosting of those fremantle
>>> > > repos under maemo.nokia.com, and b) even if community inherits those
>>> > > repos too, we neither can keep the URL nor manage the keys since both
>>> > > are explicitly Nokia.
>>> > >
>>> > > /j
>>> > >
>>> > >
>>> > Nokia does not plan to continue hosting of any maemo repos.  Do those
>>> > repos contain 3rd party paid apps?  There may be agreements
>>> > between app developers and OVI store, but is there any
>>> > technical reason why we can't make those repos available at
>>> > downloads.maemo.org and get our own GPG key?
>>>
>>> The problem is that if you generate a new GPG key and sign the OVI
>>> store and OTA repos with it, you must install that GPG key on *every*
>>> N900 device in the Hildon Application Manager settings (somewhere in
>>> /usr/share/hildon-application-manager). Without it HAM will
>>> always refuse the OTA & OVI repositories, because it has an *invalid*
>>> key in its configuration...
>>>
>>> --
>>> Pali Rohár
>>> pali.rohar at gmail.com
>>> _______________________________________________
>>> maemo-community mailing list
>>> maemo-community at maemo.org
>>> https://lists.maemo.org/mailman/listinfo/maemo-community
>>>
>>>
>>
>>
>> --
>> Iván Gálvez Junquera
>>
>>
>>
>
>
>
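The failure discussed in this thread, a repository signing key passing its expiry date unnoticed, can be caught in advance by auditing the keyring that APT trusts. The following is an added example, not part of the original message: it parses a `gpg --list-keys --with-colons` listing and classifies each key. The sample listing is constructed from the key details quoted above; the upper half of the long key ID is a zero placeholder and the second key is hypothetical.

```python
from datetime import datetime, timedelta, timezone

def _epoch(y, m, d):
    """UTC midnight of the given date as epoch seconds."""
    return int(datetime(y, m, d, tzinfo=timezone.utc).timestamp())

# Constructed sample in `gpg --with-colons` format (epoch timestamps assumed,
# as printed by gpg 2.x). Size, algorithm (17 = DSA), dates and short ID match
# the key quoted in the thread; everything else is a placeholder.
SAMPLE = "\n".join([
    f"pub:e:1024:17:0000000013FA4ED6:{_epoch(2007, 10, 5)}:{_epoch(2012, 10, 3)}::-:::sc:",
    "uid:e::::::::Nokia repository signing key 4v1:",
    f"pub:-:4096:1:00000000AAAAAAAA:{_epoch(2012, 12, 1)}:::-:::sc:",
    "uid:-::::::::Example community repository key (hypothetical):",
])

def audit_keyring(listing, now, warn_days=180):
    """Return one finding dict per primary key in a --with-colons listing."""
    findings, current = [], None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            # Field 7 (index 6) is the expiry time; empty means no expiry set.
            expires = datetime.fromtimestamp(int(f[6]), timezone.utc) if f[6] else None
            if expires is None:
                status = "no-expiry"
            elif expires <= now:
                status = "expired"
            elif expires - now <= timedelta(days=warn_days):
                status = "expiring-soon"
            else:
                status = "ok"
            current = {"keyid": f[4][-8:], "bits": int(f[2]), "algo": f[3],
                       "expires": expires, "status": status, "uid": None}
            findings.append(current)
        elif f[0] == "uid" and current and current["uid"] is None:
            current["uid"] = f[9]  # field 10 holds the user ID
    return findings

if __name__ == "__main__":
    # Evaluate as of the date of the first report in the thread.
    for k in audit_keyring(SAMPLE, datetime(2012, 12, 16, tzinfo=timezone.utc)):
        print(k["keyid"], k["bits"], k["status"], k["uid"])
```

Run periodically with a warning window longer than the time needed to distribute a replacement key, this reports `expiring-soon` while the old key can still sign the update that installs the new one.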