[Dev] [RFC] Tizen system rollback

Łukasz Stelmach l.stelmach at samsung.com
Mon Dec 2 09:45:56 GMT 2013

It was <2013-12-01 nie 22:21>, when Stoppa, Igor wrote:
> On 30 November 2013 04:22, Carsten Haitzler <tizen at rasterman.com> wrote:
> [...]
>> i think that your cases, while they do exist, are for a shrinking mindset.
>> more and more operators don't lock devices even with contracts. they use actual
>> contracts and legal means for that. it's a practice that is in decline.
> well ... this might be a matter of perception - I'd rather not get into a
> debate of I think/you think
>> products are not done and finished when shipped. software is large
>> and complex and FULL of bugs. always. and always will be. there is
>> nothing you can do to change that. the most important thing to any
>> producer of a product is to be able to update in the field. probably
>> 100% the most important thing. the device has to be able to function
>> enough to be able to update and "be fixed". as a direct by-product of
>> this, should a fix render the device unable to do another update
>> after this (a buggy update not tested well enough), you just bricked
>> a whole bunch of devices out there. a rollback mechanism is an
>> absolute requirement of any update-in-the-field mechanism. since the
>> update mechanism is a requirement, then so is a rollback, by
>> definition. not having such a mechanism is living life on the edge.
> Sorry, but I cannot agree with this.  You are somehow implying that
> the end user would not be able to flash the sw on a bricked device.
> Which is not true.
> Both x86 and ARM nowadays support the cold flashing of signed FW,
> through the execution of ROM code or some other means that a broken
> update cannot cripple.  So that's your recovery path, in the extreme
> case. All that is needed is that the OEM provides a chain of trust
> FW->kernel->OS.
> Sure, OTA upgrades are nice, but the real safety net lies in cold
> flashing.  You can equally have buggy rollback mechanism :-) Of course
> this applies to the cold-flashing mechanism as well, but in general
> that's much simpler and extremely more tested, so I think it's fair to
> expect it to be safer.

Please consider upgrading tens (hundreds) of thousands of units. If you
break them OTA you have to fix them OTA. You won't make N (where N ~
1E5; you may be lucky enough to make 10% of your customers download
flashing software for PC, which still leaves 90k) customers visit repair
shops. You don't have that many repair shops to fix such a failure (in
reasonable time).

Łukasz Stelmach
Samsung R&D Institute Poland
Samsung Electronics
