Fremantle/Repositories

Contents

Introduction

This page serves to stimulate discussion and exchange ideas with regards to Fremantle Repositories for the following:

Basics of Operations
Security Issues
Current Issues
Options for Solutions
Agreed Solution


Basics of Operations

Security Issues

Issue 1 - Expired GPG key

It is common knowledge that the GPG keys for Nokia's official Fremantle repositories has been expired since a few months.


On 21/01/2013, the Community has been contacted by a Nokia representative from the Nokia MeeGo team in-charge of supporting, in addition to the N9, Fremantle. However, due to the team being the late addition in Harmattan, they are foreign to Fremantle systems.


The issue is with the GPG key 13FA4ED6, known as "Nokia repository signing key 4v1". The Nokia MeeGo team have requested the Community to assist in a way forward that would help in solving this issue for all N900s.


Current Issues

Options for Solutions

Proposed Solution 1 - CSSU-Security

A CSSU-style update is pushed out to N900 devices. This CSSU update would be independent of the user having CSSU-Stable or CSSU-Testing. The proposed CSSU-Security branch would be solely for the purpose of pushing out security updates now and in the future.


CSSU-Security would merely add a repository to the user's device which would be able to first fix the signing key issue with a new signing key. This new signing key would be required to be added on Nokia's servers too.


This proposed solution would also require Nokia to help the Community sustain infrastructure in the future via either sponsorship for a proposed 2 years in the form of hosting costs for all Maemo infrastructure that the Community will be hosting. Therefore, a win-win situation for Nokia and users of Maemo.



Agreed Solution