Re: Review pull request: dracut-modules-olpc
On 10 May 2010 14:37, Martin Langhoff martin.langh...@gmail.com wrote:
> at least let's get greplease merged now. It is non-controversial, and
> fixes a long standing bug that hits large deployments...

done, sorry for delay

___
Devel mailing list
Devel@lists.laptop.org
http://lists.laptop.org/listinfo/devel
Re: Review pull request: dracut-modules-olpc
On Thu, Apr 29, 2010 at 12:23 PM, Martin Langhoff mar...@laptop.org wrote:
> http://dev.laptop.org/git/users/martin/dracut-modules-olpc/log/?h=clockset-pyx
>
> Tested on an XO-1.5 on top of build 121. The branch includes
>
> - Greplease patch so that the right lease is picked from huge lease.sig
>   files are with mmap instead of parsing it into memory (and OOM'ing
>   in the process).

Hi Daniel,

at least let's get greplease merged now. It is non-controversial, and fixes a long standing bug that hits large deployments...

cheers,

m
--
 martin.langh...@gmail.com
 mar...@laptop.org -- School Server Architect
 - ask interesting questions
 - don't get distracted with shiny stuff - working code first
 - http://wiki.laptop.org/go/User:Martinlanghoff
Re: Review pull request: dracut-modules-olpc
On 30 April 2010 19:39, Martin Langhoff martin.langh...@gmail.com wrote:
> Fair enough. One of the problems is that normally the expiry check is
> done inside bitfrost lib and the code there only respects the system
> clock. So it's a bit messy. Rework bitfrost libs (with impact on users
> of the lib) or implement a bit of code that knows enough about the sig
> format to find out all the expiry dates and picks the lowest one...
>
> If you really want it, I'll try find the time, though it's... messy.

It seems like a pretty important security hole to me. We should do this stuff properly.

Daniel
Re: Review pull request: dracut-modules-olpc
On 29 April 2010 13:23, Martin Langhoff mar...@laptop.org wrote:
> http://dev.laptop.org/git/users/martin/dracut-modules-olpc/log/?h=clockset-pyx
>
> Tested on an XO-1.5 on top of build 121. The branch includes

Looks good, thanks.

Maybe I asked this already, but I can't find the discussion. When the server communicates the time to the XO and the XO sets the clock based on that, shouldn't the XO verify that the delegation has not expired? By that I mean it should refuse to set a time/date that is beyond the expiration of the delegation.

I don't see the benefit of reimplementing timegm() in the initramfs and the comment in the function that follows about _strptime not being included seems to be wrong. Can we switch to using the standard library?

If you're low on time, feel free to just mark these as a FIXME. It's not important.

Finally, can you adjust the README to talk about the more simplistic option of testing the initramfs without signing it? The process is much simpler and you aren't always working on the security code.

Thanks
Daniel
Re: Review pull request: dracut-modules-olpc
On Fri, Apr 30, 2010 at 5:04 PM, Daniel Drake d...@laptop.org wrote:
> Maybe I asked this already, but I can't find the discussion. When the
> server communicates the time to the XO and the XO sets the clock based
> on that, shouldn't the XO verify that the delegation has not expired?
> By that I mean it should refuse to set a time/date that is beyond the
> expiration of the delegation.

Fair enough. One of the problems is that normally the expiry check is done inside bitfrost lib and the code there only respects the system clock. So it's a bit messy. Rework bitfrost libs (with impact on users of the lib) or implement a bit of code that knows enough about the sig format to find out all the expiry dates and picks the lowest one...

If you really want it, I'll try find the time, though it's... messy.

> I don't see the benefit of reimplementing timegm() in the initramfs

Maybe it wasn't included in the old initramfs. The current one includes lots of things.

> If you're low on time, feel free to just mark these as a FIXME. It's
> not important.

FIXME for now :-/

> Finally, can you adjust the README to talk about the more simplistic
> option of testing the initramfs without signing it? The process is
> much simpler and you aren't always working on the security code.

Sure - will do.

m
--
 martin.langh...@gmail.com
 mar...@laptop.org -- School Server Architect
 - ask interesting questions
 - don't get distracted with shiny stuff - working code first
 - http://wiki.laptop.org/go/User:Martinlanghoff
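
The check discussed in the message above (find every expiry date, take the lowest, refuse a server time beyond it), as an added example that is not part of the thread or of dracut-modules-olpc. The record layout, timestamp format, serial number and function names are assumptions made for the example, not the real sig format or the bitfrost API; timestamps are converted with the standard library's calendar.timegm().

```python
import calendar
import time

# Constructed sample: one record per line, "<kind> <serial> <expiry>".
# This layout is an assumption for the example, not the real sig format.
SAMPLE_CHAIN = """\
delegation SHC00000000 20100601T000000Z
delegation SHC00000000 20100515T120000Z
lease SHC00000000 20100520T000000Z
"""

STAMP = "%Y%m%dT%H%M%SZ"  # assumed UTC timestamp format


def parse_utc(stamp):
    """Convert a UTC timestamp string to epoch seconds (standard library only)."""
    return calendar.timegm(time.strptime(stamp, STAMP))


def earliest_expiry(chain_text):
    """Return the lowest expiry (epoch seconds) of all records in the chain."""
    expiries = []
    for line in chain_text.splitlines():
        if not line.strip():
            continue  # blank lines carry no record
        fields = line.split()
        if len(fields) != 3:
            # Fail closed: a record we cannot read might be the one that expired.
            raise ValueError("malformed record: %r" % line)
        expiries.append(parse_utc(fields[2]))  # raises ValueError on a bad date
    if not expiries:
        raise ValueError("no expiry dates found; refusing to trust server time")
    return min(expiries)


def checked_server_time(server_stamp, chain_text):
    """Return the server time as epoch seconds, or raise if it is past expiry.

    The comparison uses only the signed expiry dates, never the local system
    clock, because the local clock is the thing being set.
    """
    proposed = parse_utc(server_stamp)
    if proposed > earliest_expiry(chain_text):
        raise ValueError("server time %s is beyond delegation expiry" % server_stamp)
    return proposed
```

The caller sets the clock only from the value checked_server_time() returns and treats ValueError as a refusal.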
Re: Review pull request: dracut-modules-olpc
On Thu, Apr 29, 2010 at 12:23 PM, Martin Langhoff mar...@laptop.org wrote:
> http://dev.laptop.org/git/users/martin/dracut-modules-olpc/log/?h=clockset-pyx
>
> Tested on an XO-1.5 on top of build 121. The branch includes

Add 2 patches on top that include the ctypes implementation and switch to it. Passes all tests with flying colours. Thanks Hal for both Pyrex and ctypes implementations!

The resulting initrd grows by 134K (compared with what's shipped in os121).

m
--
 martin.langh...@gmail.com
 mar...@laptop.org -- School Server Architect
 - ask interesting questions
 - don't get distracted with shiny stuff - working code first
 - http://wiki.laptop.org/go/User:Martinlanghoff