[Dev] [RFC] Tizen system rollback

Łukasz Stelmach l.stelmach at samsung.com
Mon Dec 2 09:45:56 GMT 2013


It was <2013-12-01 nie 22:21>, when Stoppa, Igor wrote:
> On 30 November 2013 04:22, Carsten Haitzler <tizen at rasterman.com> wrote:
>
> [...]
>
>> i think that your cases, while they do exist, are for a shrinking mindset.
>> more
>> and more operators don't lock devices even with contracts. they use actual
>> contracts and legal means for that. it's a practice that is in decline.
>>
>
> well ... this might be a matter of perception - I'd rather not get into a
> debate of
> I think/you think
>
[...]
>> products are not done and finished when shipped. software is large
>> and complex and FULL of bugs. always. and always will be. there is
>> nothing you can do to change that. the most important thing to any
>> producer of a product is to be able to update in the field. probably
>> 100% the most important thing. the device has to be able to function
>> enough to be able to update and "be fixed". as a direct by-product of
>> this, should a fix render the device unable to do another update
>> after this (a buggy update not tested well enough), you just bricked
>> a whole bunch of devices out there. a rollback mechanism is an
>> absolute requirement of any update-in-the-field mechanism. since the
>> update mechanism is a requirement, then so is a rollback, by
>> definition. not having such a mechanism is living life on the edge.
>>
>
> Sorry, but I cannot agree with this.  You are somehow implying that
> the end user would not be able to flash the sw on a bricked device.
>
> Which is not true.
>
> Both x86 and ARM nowadays support the cold flashing of signed FW,
> through the execution of ROM code or some other means that a broken
> update cannot cripple.  So that's your recovery path, in the extreme
> case. All that is needed is that the OEM provides a chain of trust
> FW->kernel->OS.
>
> Sure, OTA upgrades are nice, but the real safety net lies in cold
> flashing.  You can equally have a buggy rollback mechanism :-) Of course
> this applies to the cold-flashing mechanism as well, but in general
> that's much simpler and extremely more tested, so I think it's fair to
> expect it to be safer.

Please consider upgrading tens (hundreds) of thousands of units. If you
break them OTA you have to fix them OTA. You won't make N (where N ~
1E5; you may be lucky enough to make 10% of your customers download
flashing software for PC, which still leaves 90k) customers visit repair
shops. You don't have that many repair shops to fix such a failure (in
reasonable time).

-- 
Łukasz Stelmach
Samsung R&D Institute Poland
Samsung Electronics