On 7/10/20 5:06 AM, Nicolas Mailhot wrote:
The problem IOT side is not the security of the software update chain. The problem is that manufacturers skimp on software updates in the first place
Yes, that's the situation right now: everyone has a custom firmware tied to a short product cycle---so new versions and fixes have to be developed separately by everyone. This does not scale, and so it doesn't happen most of the time. I think the only long-term solution is a wide use of platforms, such as Android or Fedora.
My point is that however the updates are being produced, they need a secure remote update method. It's not realistic to expect end users to be in the loop---it doesn't scale to the size the IOT is going to be. Moreover, without the secure method, any vulnerability can be easily converted to persistent breakage.
Android, actually, is trying to get it right by a) being a platform so that common security updates are available from the platform owner, and can be applied to everyone's system and b) having a secure remote update method.
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
