forked from freedomofpress/securedrop-workstation
Merge 0.9.0 from freedomofpress #7
Merged
We are now shipping kernels more frequently, so it's not useful to assert that an exact kernel version is being used, which continually needs to be updated manually. As of <freedomofpress/securedrop@9cd5e8d> in SecureDrop server, we only verify that the running kernel is using the correct grsec flavor, which is what I've updated this test to match. Fixes freedomofpress#872.
(cherry picked from commit badb8cc)
(cherry picked from commit 65884aa)
(cherry picked from commit 015e701)
(cherry picked from commit 7cf2358)
Backport 0.8.0 version bumps and changelog entries
…kernel Don't verify a specific kernel version
* Change build environment to use containers of the package's target OS
* Use "native" reproducibility macros as much as possible, removing need for custom scripting
* Install `diffoscope` and `reprotest` from PyPI for minimal OS package requirements in CI and containers
* Replace `sed` hack for `reprotest` container support with a custom (inert) `setarch` script, allowing seamless upgrades in the future
* Reorganise repo a bit …
  * … to distinguish between `files/` we ship and `scripts/` used for development
  * … move Python dependencies into `requirements/` in their own folder (as is the case in `securedrop-client`)
* Add `isort`, `bandit` and `shellcheck`; however, there's no generic `make lint`, the suggested changes by the respective tools haven't been added yet, and CI has yet to be updated.
* Removes launcher from the `/srv/salt/` directory where it hasn't been used since `make clone` was introduced

* Container runtime is now required for building the RPM natively in the OS of our target platform
* `config.json.example` has a new location, but `config.json` is still expected in the root of the repository.
dist-info will be necessary if we want to install extensions to other Qubes systems via Setuptools' Entry Points
Co-authored-by: Ro <ro@freedom.press>
…erize-build-test Containerize build and test environment, add some developer tools
…ly-avoid-tty-during-rpm-build Pass -it to container.sh's oci_run() only if we're a tty
…n-sdw-admin-py-as-root Don't allow running sdw-admin.py as root
…ase-pubkey Update signing key with 2024-07-08 expiry
Update debian keyring check
…backport Backport 0.8.1 version bumps and changelog entry
docker and podman interpret "fedora:32" in different ways: docker pulls it from Docker Hub and podman gets it from registry.fedoraproject.org. Despite presumably being maintained by the same people, those two 32 images are different. Let's be explicit and have docker use Fedora's own registry too. Fixes freedomofpress#912.
…ning-language Clarify closed beta status
Pull fedora:32 image from Fedora's own registry, always
…e-template-install-check Check if template is installed before trying to install it
…-dep Bump gitpython dev dep
Clean up sd-fedora-37-dvm after update. Force full salt run to apply sys-vm changes.
This is mostly a copy of @eaon's change in securedrop-updater[1], with one key change of normalizing the version down to a PEP 440 compatible format. Since we use setuptools's sdist to create a tarball and then expect rpmbuild to be able to find it, we need to use a common version format across both setuptools and RPM.

Encoding the RC version in the `Release` field has always been wrong, since that's used for changes to packaging, not when the upstream (i.e. sdist tarball) changes. This also means we no longer need to update `Source` in the release branch to point at the tarball, since it can be inferred correctly from the existing `%{name}-%{version}.tar.gz` macros.

Leave a TODO to switch to rpmdev-bumpspec which is the RPM `dch` equivalent to bump the version and insert a changelog entry.

[1] freedomofpress/securedrop-updater@42a55c7

Co-authored-by: Michael Z <michael@freedom.press>
(cherry picked from commit fdf191a)
…2-and-bump [0.9.0] Backport versioning fix and bump version to 0.9.0-rc2
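The normalization that commit describes, as an added example that is not the project's own code: it maps a tag-style version string onto one PEP 440 form that both setuptools' sdist tarball name and the RPM `%{name}-%{version}.tar.gz` macro can agree on, and orders every pre-release before its final release. The accepted spellings, the `example-pkg` name and the helper names are assumptions made for illustration.

```python
import re

# Added example, not the project's code. The set of accepted pre-release
# spellings (alpha/beta/rc, with an optional separator) is an assumption.
_VERSION_RE = re.compile(
    r"^(?P<base>\d+(?:\.\d+)*)"
    r"(?:[-_.]?(?P<tag>alpha|beta|rc|a|b)\.?(?P<num>\d+))?$",
    re.IGNORECASE,
)
_TAG_MAP = {"alpha": "a", "a": "a", "beta": "b", "b": "b", "rc": "rc"}
_TAG_RANK = {"a": 0, "b": 1, "rc": 2}


def _parse(version):
    """Split a version into (base tuple, pre-release) or raise ValueError."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    base = tuple(int(part) for part in m.group("base").split("."))
    tag = m.group("tag")
    pre = None if tag is None else (_TAG_MAP[tag.lower()], int(m.group("num")))
    return base, pre


def normalize_pep440(version):
    """'0.9.0-rc2' -> '0.9.0rc2'; a final release such as '0.9.0' is unchanged."""
    base, pre = _parse(version)
    text = ".".join(str(n) for n in base)
    return text if pre is None else f"{text}{pre[0]}{pre[1]}"


def sdist_tarball_name(package, version):
    """Tarball name setuptools' sdist writes, which rpmbuild's Source must find."""
    return f"{package}-{normalize_pep440(version)}.tar.gz"


def sort_key(version):
    """Sort key placing every pre-release of X strictly before the final X."""
    base, pre = _parse(version)
    if pre is None:
        return (base, 1, 0, 0)
    return (base, 0, _TAG_RANK[pre[0]], pre[1])


if __name__ == "__main__":
    # "example-pkg" is a constructed package name.
    print(sdist_tarball_name("example-pkg", "0.9.0-rc2"))
```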
The RPM build container needs to be highly trustworthy, so it should only contain things from Fedora itself and any audited code. We don't audit development dependencies, so we shouldn't be installing them into the build container.

We split the container used by `./scripts/container.sh` into two: a base build container, and then a container layered on top with dev dependencies. Functionally this should be a no-op since none of the dependencies are used at build time, but it cuts down on the risk of malicious code injection. Fixes freedomofpress#921.

(cherry picked from commit 3d53304)
[0.9.0] backport build container dev deps removal
SecureDrop Workstation 0.9.0
philmcmahon approved these changes on Jan 15, 2024
Status
This PR syncs this repo with SecureDrop Workstation version 0.9.0, found at https://github.com/freedomofpress/securedrop-workstation/releases/tag/0.9.0, by merging the freedomofpress 0.9.0 tag into this branch, which is based on the Guardian securedrop-workstation main branch.