[Dev] [RFC] Tizen system rollback
l.stelmach at samsung.com
Mon Dec 2 09:45:56 GMT 2013
It was <2013-12-01 nie 22:21>, when Stoppa, Igor wrote:
> On 30 November 2013 04:22, Carsten Haitzler <tizen at rasterman.com> wrote:
>> i think that your cases, while they do exist, are for a shrinking mindset.
>> and more operators don't lock devices even with contracts. they use actual
>> contracts and legal means for that. it's a practice that is in decline.
> well ... this might be a matter of perception - I'd rather not get into a debate of I think/you think
>> products are not done and finished when shipped. software is large
>> and complex and FULL of bugs. always. and always will be. there is
>> nothing you can do to change that. the most important thing to any
>> producer of a product is to be able to update in the field. probably
>> 100% the most important thing. the device has to be able to function
>> enough to be able to update and "be fixed". as a direct by-product of
>> this, should a fix render the device unable to do another update
>> after this (a buggy update not tested well enough), you just bricked
>> a whole bunch of devices out there. a rollback mechanism is an
>> absolute requirement of any update-in-the-field mechanism. since the
>> update mechanism is a requirement, then so is a rollback, by
>> definition. not having such a mechanism is living life on the edge.
> Sorry, but I cannot agree with this. You are somehow implying that
> the end user would not be able to flash the sw on a bricked device.
> Which is not true.
> Both x86 and ARM nowadays support the cold flashing of signed FW,
> through the execution of ROM code or some other means that a broken
> update cannot cripple. So that's your recovery path, in the extreme
> case. All that is needed is that the OEM provides a chain of trust.
> Sure, OTA upgrades are nice, but the real safety net lies in cold
> flashing. You can equally have a buggy rollback mechanism :-) Of course
> this applies to the cold-flashing mechanism as well, but in general
> that's much simpler and extremely more tested, so I think it's fair to
> expect it to be safer.
Please consider upgrading tens (hundreds) of thousands of units. If you
break them OTA you have to fix them OTA. You won't make N (where N ~
1E5; you may be lucky enough to make 10% of your customers download
flashing software for PC, which still leaves 90k) customers visit repair
shops. You don't have that many repair shops to fix such a failure (in
Samsung R&D Institute Poland