OpenWrt Meeting - April 6, 2015
Global prpl/OpenWrt ecosystem meeting
Attendees: Ranga, Kathy, Eric
Kathy mentions her excitement at the Security PEG. Feels there is overlap between the Security PEG and the work going on in OpenWrt, including John Crispin’s OpenWrt jails work.
Kathy highlights the discussion with Felix Fietkow at the US Meeting on how to improve alignment with the OpenWrt trunk and minimize divergence between OpenWrt.org and industry SDKs like QSDK. Additionally, CC is nearing release candidate. Additionally, Kathy will be at the hackathon.
Ranga mentioned that the hackathon is April 18 and there’s about 15 registrations right now. Ranga suggests that at hackathon we should discuss a security incident reporting database and see if we could build one that would make sense and work for OpenWrt.
Eric mentioned that he would be at the hackathon and that Imre Kaloz would also be there. Code of conduct was proposed and Ranga said we could move forward posting it. Eric investigated the Wifi regulatory framework of Linux wifi and posted information on the wiki. Additionally, he’ll be meeting with Matthew Garrett of Linux Secure Boot and FSF fame in SF. prpl will be sponsoring Battlemesh v8 ( August 3-9) and we were waiting on the amount.
Kathy mentioned that Luka meet QCA last week and that Imre would be visiting. Kathy invites any OpenWrt developers visiting the Bay Area to meet with QCA. Kathy is also happy to help visiting devs with other companies as well.
Eric mentioned beginning of creating talking points for why OpenWrt is a good choice for vendor. Kathy said she had some that she could pass along.
Ranga suggested setting up a time to meet with Nate Cardozo of EFF about the wifi regulatory issues while Eric’s out in SF.
Kathy suggested that anyone interested in having any technical topics addressed at the hackathon should email Ranga, a mailing list or other organizers.
Ranga mentioned that he sent out a link to an article on media-making at hackathons which will likely be used at the hackathon.
Attendees: Felix, Kathy, Eric
Felix discusses his work on package list signing:
- The lists, with the package hashes, are signed.
- Only adds about 15 kilobytes, uncompressed, to the binaries
- Command line is mostly compatible with OpenBSD signify utility, so if you want to use it on bigger systems, just swap in signify
- Local keystorage, keys are only 100 bytes
- Only library dependency is libc
- Prototype working, just need to do some final testing and then can commit
- Builds will be signed by default so if someone builds images and a feed and distributes them, they’ll be signed by default with no work on the builders part.
- Not sure right now how firmware images will be signed but it’s something that they’d like to add. Packages are considered more important because they often install with minimal action on the part of the user.
Kathy asked if the daily builds would be signed going forward.
- Felix said they would and he’d send the same key to all the daily snapshot builders. The goal is that anyone can pull a build and it should be signed with the same key as all the others.
- Release keys will be different and kept on separate, more secure devices
- Snapshots will be a “best effort” system and only core team will get access to that key. The number who have access to release keys will be much smaller and more restrictive and kept on smaller, non-connected devices