[xenial] Fetches upstream Tor debs via Molecule #4101

Merged 1 commit on Feb 8, 2019

@conorsch conorsch commented Feb 6, 2019

Status

Ready for review.

Description of Changes

Follow up to #3961.

Changes proposed in this pull request:

Uses another Molecule-based build scenario that fetches the Xenial tor debs
for inclusion in the FPF-maintained apt repository. The debs are fetched into
the same build/xenial/ dir as the SD debs. There's no corresponding logic
for fetching Trusty debs, since Tor has stopped backporting tor for trusty.

The major change here is the update to the Tor Project public key, which
has expired since we last updated the pubkey stored in this repo. We haven't used
the Tor pubkey directly since switching to an apt mirror for distributing tor debs.

As of 0.12.0, we plan to use a single, consolidated apt repo, to distribute both
SecureDrop and Tor deb packages.

Testing

  • make fetch-tor-packages completes without error
  • Inspect tor debs inside build/xenial/ via e.g. dpkg-deb and confirm they're valid Xenial tor debs
  • Tor repo pubkey is current and correct
  • Tor package versions match what's served up by https://apt-test.freedom.press/pool/main/t/tor/ currently

Deployment

Starting with 0.12.0, we will use the tor debs fetched by this process for inclusion in the FPF-controlled apt repository at apt.freedom.press. Only the Xenial tor packages will be updated, since Tor no longer maintains packages for Trusty.

Checklist

If you made changes to the server application code:

  • Linting (make ci-lint) and tests (make -C securedrop test) pass in the development container

If you made changes to securedrop-admin:

  • Linting and tests (make -C admin test) pass in the admin development container

If you made changes to the system configuration:

If you made non-trivial code changes:

  • I have written a test plan and validated it for this PR

If you made changes to documentation:

  • Doc linting (make docs-lint) passed locally


@kushaldas kushaldas left a comment

  • make fetch-tor-packages completes without error
  • Inspect tor debs inside build/xenial/ via e.g. dpkg-deb and confirm they're valid Xenial tor debs
  • Tor repo pubkey is current and correct
  • Tor package versions match what's served up by https://apt-test.freedom.press/pool/main/t/tor/ currently

Don't know where and how to test point 3; the rest are okay.


@redshiftzero redshiftzero left a comment

thanks @conorsch and thanks @kushaldas for the testing, the final testing step is:

✅ verified tor public key is correct 0xEE8CBC9E886DDD89 (note that if you fetch it from the keyservers right now it will fail due to the issue described here)

@redshiftzero redshiftzero merged commit 530a239 into develop Feb 8, 2019
@redshiftzero redshiftzero deleted the 3961-fetch-tor-packages-for-xenial branch February 8, 2019 18:57
@eloquence eloquence changed the title Fetches upstream Tor debs via Molecule [xenial] Fetches upstream Tor debs via Molecule Feb 11, 2019
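
One way to carry out the "Tor repo pubkey is current and correct" test step from the description, as an added example that is not part of the pull request or the SecureDrop code base: it parses `gpg --with-colons --list-keys` output and reports whether the key ID quoted in the review is present and unexpired. The function name `check_pubkey` and both sample records are constructed for illustration, and expiry fields are assumed to be epoch seconds.

```python
from datetime import datetime, timezone

# Long key ID quoted in the review comment on this page.
EXPECTED_KEY_ID = "0xEE8CBC9E886DDD89"

# Constructed sample records (timestamps are made up) in the colon format
# printed by `gpg --with-colons --list-keys`.
SAMPLE_STALE = (
    "pub:e:4096:1:EE8CBC9E886DDD89:1400000000:1540000000::-:::sc::::::23::0:\n"
    "uid:e::::1400000000::::Constructed Example Key::::::::::0:\n"
)
SAMPLE_FRESH = (
    "pub:-:4096:1:EE8CBC9E886DDD89:1400000000:1600000000::-:::scSC::::::23::0:\n"
    "sub:-:4096:1:0000000000000001:1400000000:1600000000:::::s::::::23:\n"
)

# Field 2 values on a pub record that mean gpg itself rejects the key.
BAD_VALIDITY = {"e": "expired", "r": "revoked", "d": "disabled", "i": "invalid"}


def check_pubkey(colon_output, expected_key_id, now):
    """Return a list of problems; an empty list means present and current."""
    expected = expected_key_id.upper()
    if expected.startswith("0X"):
        expected = expected[2:]
    problems, found = [], False
    for line in colon_output.splitlines():
        fields = line.split(":")
        # Only primary-key records: field 5 is the key ID, field 7 the expiry.
        if fields[0] != "pub" or len(fields) < 7:
            continue
        validity, key_id, expires = fields[1], fields[4].upper(), fields[6]
        if key_id != expected:
            continue
        found = True
        if validity in BAD_VALIDITY:
            problems.append("gpg marks key as " + BAD_VALIDITY[validity])
        # Re-check expiry against our own clock (epoch seconds assumed).
        if expires:
            expiry = datetime.fromtimestamp(int(expires), tz=timezone.utc)
            if expiry <= now:
                problems.append("expired on " + expiry.date().isoformat())
    if not found:
        problems.append("key " + expected + " not found")
    return problems


if __name__ == "__main__":
    review_day = datetime(2019, 2, 8, tzinfo=timezone.utc)
    print(check_pubkey(SAMPLE_STALE, EXPECTED_KEY_ID, review_day))
    print(check_pubkey(SAMPLE_FRESH, EXPECTED_KEY_ID, review_day))
```

A 64-bit key ID only locates the key; comparing the full fingerprint (the `fpr` record) against a value obtained out of band is the stronger check.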