Comment 3 for bug 1447633

Daniel Manrique (roadmr) wrote :

This file configuration goes into system-image and reads the JSON files to figure out the latest ubuntu tarball to get for the mako device and the ubuntu-touch/devel-proposed channel.

file_ubuntu = remote-system-image;http://system-image.ubuntu.com;ubuntu-touch/devel-proposed;ubuntu;device=mako;name=ubuntu

This is in the generate_file_remote_system_image method. One thing I noticed it doesn't do, comparing with what we discussed it should do, is verify the signatures. All it does is get the JSON files, starting with the index.json top-level one and working its way down from there.

The tarball will be stored in the pool and named using the checksum from the original file. So it blindly trusts that the checksum is correct (though I think it's only used for file naming, not for actual verification). This is nice because it guarantees that the tarball will be named exactly the same as it was in the upstream system-image.

So functionally this fits the requirement for this bug, but perhaps it's worth fleshing out this generator so it does validation of the chain of trust.
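
An added example, not part of the original comment or of the system-image code: one way to verify a downloaded tarball against its index entry before it is filed in the pool under its checksum. The function names, the entry keys ("checksum" as a SHA-256 hex digest, "size") and the `.tar.xz` pool suffix are assumptions, and signature verification of the JSON files is not covered here.

```python
import hashlib
import hmac
import os
import tempfile


class VerificationError(Exception):
    """Downloaded file does not match its index entry."""


def store_verified(src_path, entry, pool_dir):
    """Copy src_path into pool_dir as <sha256>.tar.xz only if size and
    SHA-256 match the index entry (assumed keys: "checksum", "size")."""
    expected = entry["checksum"].lower()
    digest, size = hashlib.sha256(), 0
    # Stage under a temporary name so the pool never holds unverified
    # data under a checksum-derived name.
    fd, tmp_path = tempfile.mkstemp(dir=pool_dir, prefix=".incoming-")
    try:
        with os.fdopen(fd, "wb") as out, open(src_path, "rb") as src:
            for chunk in iter(lambda: src.read(1 << 20), b""):
                digest.update(chunk)
                size += len(chunk)
                out.write(chunk)
        if size != entry["size"]:
            raise VerificationError("size %d != %d" % (size, entry["size"]))
        if not hmac.compare_digest(digest.hexdigest(), expected):
            raise VerificationError("SHA-256 mismatch for %s" % src_path)
        final = os.path.join(pool_dir, expected + ".tar.xz")
        os.replace(tmp_path, final)  # atomic rename into place
        return final
    finally:
        if os.path.exists(tmp_path):  # only true when verification failed
            os.unlink(tmp_path)


def demo():
    """Constructed sample: one intact download, one altered in transit."""
    good = b"constructed tarball bytes"
    entry = {"checksum": hashlib.sha256(good).hexdigest(), "size": len(good)}
    with tempfile.TemporaryDirectory() as work:
        pool = os.path.join(work, "pool")
        os.mkdir(pool)
        results = []
        for name, data in (("good", good), ("bad", good[:-1] + b"X")):
            path = os.path.join(work, name)
            with open(path, "wb") as fh:
                fh.write(data)
            try:
                results.append(os.path.basename(store_verified(path, entry, pool)))
            except VerificationError:
                results.append(None)
        return entry["checksum"], results, sorted(os.listdir(pool))
```

The hash check only ties the tarball to the index entry; the entry itself is trustworthy only once the signatures on the JSON files have been verified.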