Re: BeagleBone Black apt oddness

To: ARM <debian-arm@lists.debian.org>
Subject: Re: BeagleBone Black apt oddness
From: Robert Nelson <robertcnelson@gmail.com>
Date: Sun, 10 Nov 2013 18:12:03 -0600
Message-id: <[🔎] CAOCHtYhWPk2mVg0zniBqBgyWqeWu4xE-UY2yh5eRWGZL-+UFrA@mail.gmail.com>
In-reply-to: <[🔎] CAKTje6FUmqU0zSBTT9oLvBYkBNo8KPPE5xdnjby3yvxiPQGphQ@mail.gmail.com>
References: <[🔎] CAG6aBkWZN=9-JM+Y528kK2soSi9fFvKyTdAYb5oN194F7npcrA@mail.gmail.com> <[🔎] CAKTje6H7=98aukDRQNcFZ1W_KqCPdppUtWNW1CDo_oh6pVQKGQ@mail.gmail.com> <[🔎] CAOCHtYgKbOAN8uJRW48NH_D4_K7Ck3YYkTvfGsPYT11o-zNfPw@mail.gmail.com> <[🔎] CAKTje6FUmqU0zSBTT9oLvBYkBNo8KPPE5xdnjby3yvxiPQGphQ@mail.gmail.com>

(gmail: forgot to cc the list...)

> Your image contains SSH private keys, which means that everyone can do
> MITM attacks against connections to machines running your image. It
> also contains the dbus machine identifier and other machine-specific
> things that should not be duplicated between instances.

I agree, there are a lot of "security" issues with the Demonstration
image, it's purpose is primary for initial board development and
testing and should never be used in the field as is..

To fixh ssh there's a script installed under /opt/boot-scripts/

https://github.com/RobertCNelson/boot-scripts/blob/master/fix_ssh_host_key.sh

to regenerate the ssh key, I've just not yet enabled it by default..

>
> In Debian we generally suggest people use d-i or debootstrap, for this
> reason. Debian install methods don't yet support generating generic
> images that can be installed on any host. Until this is solved I would
> strongly suggest you point people at a script that runs debootstrap
> instead.
>
> At the very least you should generate multiple images, compare them,
> remove the differing files and create a script that runs on first boot
> to generate these files. Alternately, use debootstrap --foreign and
> rely on how it runs all the postinst scripts on first boot.

The initial image is created by "debootstrap --foreign".. then (qemu
static on x86 or a chroot on arm) is used to add other packages, to
finish the install and
generate the initrd..

>> It's the latest release snapshot from the beagleboard.org kernel release..
>
> Is this code upstreamed yet? It would be great to be able to switch to
> armmp more.

With v3.12.x final, only dtb changes are required for bbb..
https://github.com/RobertCNelson/linux-dev/tree/am33x-v3.12/patches/omap-next-dt
(all heading to v3.13-rc0)
(minus the cape stuff as that still needs the overlay infrastructure
panto just posted as a review for on lkml this last week..)

btw: for security purposes, my NetInstall, which is a board generic
kernel/bootloader wrapper around debian's debian-installer is a much
better choice for end users..

It just required a network connection and some time for end users to run
https://github.com/RobertCNelson/Netinstall

vs the quick 5 minute flashing script from the demonstration images..

Regards,

-- 
Robert Nelson
http://www.rcn-ee.com/

Reply to:

Follow-Ups:
- Re: BeagleBone Black apt oddness
  - From: Paul Wise <pabs@debian.org>
- Re: BeagleBone Black apt oddness
  - From: Oliver Grawert <ogra@ubuntu.com>

References:
- BeagleBone Black apt oddness
  - From: Nigel Sollars <nsollars@gmail.com>
- Re: BeagleBone Black apt oddness
  - From: Paul Wise <pabs@debian.org>
- Re: BeagleBone Black apt oddness
  - From: Robert Nelson <robertcnelson@gmail.com>
- Re: BeagleBone Black apt oddness
  - From: Paul Wise <pabs@debian.org>

Prev by Date: partly OT: Where does mysql store its database?
Next by Date: Further trimming of ARM NAS kernel images
Previous by thread: Re: BeagleBone Black apt oddness
Next by thread: Re: BeagleBone Black apt oddness
Index(es):
- Date
- Thread