On Friday, July 10, 2020 4:12:42 AM MST Przemek Klosowski via devel wrote: > On 7/10/20 5:06 AM, Nicolas Mailhot wrote: > > > The problem IOT side is not the security of the > > software update chain. The problem is that manufacturers skimp on > > software updates in the first place > > > Yes, that's the situation right now: everyone has a custom firmware tied > to a short product cycle---so new versions and fixes have to be > developed separately by everyone. This does not scale, and so it doesn't > happen most of the time. I think the only long-term solution is a wide > use of platforms, such as Android or Fedora. > > My point is that however the updates are being produced, they need a > secure remote update method. It's not realistic to expect end users to > be in the loop---it doesn't scale to the size the IOT is going to be. > Moreover, without the secure method, any vulnerability can be easily > converted to persistent breakage. > > Android, actually, is trying to get it right by a) being a platform so > that common security updates are available from the platform owner, and > can be applied to everyone's system and b) having a secure remote update > method.
The problem with implementing systems such as this is obvious.. If the end user cannot upload their own firmware, because the host has a hardware mechanism for checking the signature of the firmware, that's not good for the end user, it's harmful. It would mean they don't actually own the system, the vendor does. -- John M. Harris, Jr. _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
