Firmware release procedures: Difference between revisions

From OLPC
mNo edit summary
No edit summary
Line 36: Line 36:
==Using PGP for EC code==
==Using PGP for EC code==


=== For first release only ===
=== For first release only: This is already done ===


Download and run ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.5.exe
Download and install GPG4Win from http://www.gpg4win.org/download.html


Create a PGP key and get dwmw2 to sign it to verify that it is Quanta's.
Download and install Thunderbird from http://www.mozilla.com/thunderbird/


=== For subsequent releases ===
Download Enigmail from http://www.mozilla-enigmail.org/downloads/enigmail-0.94.1.1-tb15-linux.xpi


Right-click on the EC binary and select the option to create a "detached signature", in plain text. It should create a separate file like 'ECv21.bin.asc', which looks something like this:
Download http://dev.laptop.org/pub/ec/olpc-bios-key.pub ; this will be the public key that the mail is encrypted to.


{{{
Run Thunderbird
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)


iD8DBQBFTxvGmfQ2bFM/BesRAoKzAJ0RNczipB+pul5sEUR+wCYIQvt+/wCguqrV
Set up an e-mail account; when asked for name, use "Quanta OLPC BIOS"
5GRPVDpdH155fwsDwnu7B4M=

=URby
Tools menu->Extensions:
-----END PGP SIGNATURE-----
* Click install, find downloaded Enigmail .xpi
}}}
* Restart Thunderbird

OpenPGP menu->Key Management:
* choose "No", don't use wizard
* Generate menu->new key pair:
** Enter passphrase twice
** Set key expiry to 2 months
** Supply key fingerprint to OLPC out-of-band
** <b>It is vital that the private key file (secring.gpg) is kept secure, and is not distributed from the computer it was created on</b>

Tools menu->Account Settings->OpenPGP Security:
* OpenPGP support should be enabled
* Check "Encrypt messages by default" and "Sign encrypted messages by default"

Tools menu->Account Settings->Copies & folders:
* Uncheck "Place a copy in"

Tools menu->Account Settings->Composition & Addressing:
* Uncheck "Compose messages in HTML format"

OpenPGP menu->Key Management:
* File menu->Import keys from file
* Choose the downloaded olpc-bios-key.pub file

=== For subsequent releases ===


Send the EC binary as you normally would, and _also_ attach the separate signature file which is used to verify the binary.
Click "Write":
* To: bios@laptop.org
* OpenPGP menu->"Send My Public Key"
* Attach changelog
* Attach EC file
* Click "Send"
* Choose "inline pgp"
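Review bot: The step "Download http://dev.laptop.org/pub/ec/olpc-bios-key.pub" fetches the key that mail is encrypted to over plain HTTP, and the later "Import keys from file" step imports it with no fingerprint comparison, even though the same procedure has Quanta supply its own key fingerprint out-of-band. Suggest adding a step after the import that compares the imported key's fingerprint with one obtained from OLPC over a separate channel before any release is encrypted to it.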

Revision as of 04:20, 12 November 2006

Release procedure

Here is a draft of a BIOS release procedure.

Stage one: EC:

  • Quanta e-mails EC release and changelog to the OLPC BIOS contact, signed and encrypted with PGP
    • see notes below
  • Quanta and OLPC test this version of EC

Stage two: Buildrom:

  • Pull EC release from http://dev.laptop.org/pub/ec/, check hashes
  • Update buildrom changelog and tag for release
  • Update SPI flash version string in buildrom binary
  • Create buildrom SRPM
  • Build two flavors of binary RPM for the two RAM variants

Stage three: Testing:

  • Announce build to BIOS team and Ray; release candidate testing begins
  • Test on a 256M board
  • Install the binary RPMs on Tinderbox machines
  • >12 hours of burn-in warm reboot testing on Tinderbox
  • Cold boot tests
    • We need a cold boot solution; X10 doesn't seem to like the power at OLPC
  • After automated tests, send "Who has tested?" mail asking for problem reports
  • Release after twelve hours if no problem reports

Stage four: Release:

  • Release builds kept in a separate directory
  • Update the version number in LB from release candidate to final
  • Announce new build and hashes to devel-boards@ (requires moderation).

Using PGP for EC code

For first release only: This is already done

Download and install GPG4Win from http://www.gpg4win.org/download.html

Create a PGP key and get dwmw2 to sign it to verify that it is Quanta's.

For subsequent releases

Right-click on the EC binary and select the option to create a "detached signature", in plain text. It should create a separate file like 'ECv21.bin.asc', which looks something like this:

{{{
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQBFTxvGmfQ2bFM/BesRAoKzAJ0RNczipB+pul5sEUR+wCYIQvt+/wCguqrV
5GRPVDpdH155fwsDwnu7B4M=
=URby
-----END PGP SIGNATURE-----
}}}

Send the EC binary as you normally would, and _also_ attach the separate signature file which is used to verify the binary.
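
The receiving side of this exchange, as an added example (not part of the original page or OLPC's tooling): it goes one step past the text by checking the detached signature with gpg's machine-readable status output and accepting only a signature from a pinned key fingerprint. The fingerprint, the sample status lines and the function names are constructed for illustration.

```python
import subprocess

# Constructed placeholder: the signer's key fingerprint, received out-of-band.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# gpg status keywords that mean the signature must not be trusted.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

# Constructed sample of `gpg --status-fd 1 --verify` output for a good signature.
SAMPLE_STATUS = (
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer\n"
    "[GNUPG:] VALIDSIG " + PINNED_FPR + " 2006-11-06 1162812358 0 3 0 17 2 00 "
    + PINNED_FPR + "\n"
)


def judge_status(status_text, pinned_fpr=PINNED_FPR):
    """Return (ok, reason) from gpg status lines.

    Accept only if gpg reports VALIDSIG for the pinned fingerprint and no
    rejecting keyword appears anywhere in the output.
    """
    signers = set()
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue  # human-readable output is never parsed
        if fields[1] in REJECT:
            return False, fields[1]
        if fields[1] == "VALIDSIG" and len(fields) > 2:
            # First argument: signing key fingerprint; last: primary key fingerprint.
            signers.update({fields[2].upper(), fields[-1].upper()})
    if not signers:
        return False, "no VALIDSIG"
    if pinned_fpr.upper() not in signers:
        return False, "signed by unpinned key"
    return True, "VALIDSIG"


def verify_release(binary_path, sig_path, pinned_fpr=PINNED_FPR):
    """Check a detached signature such as ECv21.bin.asc against the EC binary."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, binary_path],
        capture_output=True, text=True)
    return judge_status(proc.stdout, pinned_fpr)


if __name__ == "__main__":
    print(judge_status(SAMPLE_STATUS))
```

Rejecting on `EXPKEYSIG` matters for short-lived signing keys: a signature made with an expired key fails the check even though gpg still reports it as cryptographically valid.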