This might be a better question for the OLPC development lists. <div class="gmail_quote">On Wed, Sep 12, 2012 at 8:39 PM, Juan Cubillo <<a href="mailto:jcubillo@fundacionqt.org" target="_blank">jcubillo@fundacionqt.org</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello, Our project would like to give kids the posibility of downloading a lease.sig file and unlock a friends or family XO without having to contact our tech support team. In order to do this, I setup a public dropbox link to a nightly generated lease.sig file that gives the XOs some extra activation time. Problem is that when an XO downloads the file, its name gets and extra .asc extension so it ends up as lease.sig.asc. Since kids will be doing this, I wanted to give them only the basic steps to be able to re-activate laptops: 1-Download file. 2-place it on an empty usb memory. 3-Conect to xo and turn on. Re-naming the file would mean that they have to go to terminal, cd into the thumbdrive directory, change filename, etc... it's just way too much. So... couple questions: 1. Is there a security problem/concern with having our project's lease.sig file publicly available? (we only generate activations for non-stolen XOs) </blockquote><div> I will leave it this to deployment staff to answer authoritatively, but the only practical attack I can think of is thieves will know where to find a lease if a XO is not reported stolen, or before it is reported stolen. They can then use this lease to use or sell the XO. Theoretically it might be possible to reverse engineer your private lease key given lots and lots of sample leases but I seriously doubt any real thief can do that. The mathematics skills required to do this are not trivial. </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> 2. Why is the XO adding this .asc extension or how can it be avoided? </blockquote><div> Are you having the students download the lease in Browse from within Sugar? If so Sugar's journal internally uses mime types, not file extensions, until a file is written to an external device or folder. The extension ".asc" is one possible choice for plain text.(*) I was able to reproduce this problem given this approach. I agree that this is not the best behavior, especially if Browse can potentially determine the original extension while downloading. If your XO images have the GNOME desktop in them, using the web browser included for GNOME (Firefox or Epiphany) to download the file to USB should not alter the file name. Just make sure the kids know how to "eject" the USB stick when they are done. (*) The ".asc" choice could be due to <a href="http://bugs.sugarlabs.org/ticket/2267">http://bugs.sugarlabs.org/ticket/2267</a> (also <a href="http://bugs.sugarlabs.org/ticket/3226">http://bugs.sugarlabs.org/ticket/3226</a>) </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Regards, - Juan Cubillo _______________________________________________ Sugar-devel mailing list <a href="mailto:Sugar-devel@lists.sugarlabs.org" target="_blank">Sugar-devel@lists.sugarlabs.org</a> <a href="http://lists.sugarlabs.org/listinfo/sugar-devel" target="_blank">http://lists.sugarlabs.org/listinfo/sugar-devel</a> </blockquote></div>