-
Notifications
You must be signed in to change notification settings - Fork 46
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Finalize Debian packaging strategy and developer guidelines #136
Comments
Thanks for filing this @eloquence, note that it makes sense to put all our packaging code in a new repo (but we can keep this tracking issue here for visibility) |
https://packages.debian.org/search?keywords=python-flask says Sid has |
Let's look at |
Given the situation with CVEs in multiple important packages, and several Python dependencies we need not being packaged for Debian, we should re-evaluate the packaging strategy. The possible options are:
I think we should re-evaluate option 2 - what do you think? Do you see significant downsides to that approach? |
None of the Operating Systems provide a formal way to install/update/maintain packaging of weel based installation. The whole reason we have python wheel so that people don't have to compile for their platforms in the virtualenvs and use system packages where people want to update/maintain in a safer way. Qubes still uses option 3 has their default option :) |
Regarding option 3, I'm looking around and we're hitting similar problems (though overall the packages are more recent versions): some packages are not being packaged for Fedora (e.g. |
Agreed. While the goal of using strictly repo-hosted packages to install all application dependencies is a noble one, what we really care about is the ability to ship updates in a timely manner, to ensure a minimal attack surface over the life of a workstation installation. Why should we not use wheel? It seems like it would provide us flexibility over both Debian and Fedora repos in terms of updating dependencies when we deem it necessary.
That doesn't sound untenable to me. Maintaining wheel packages is a bit of a pain on the packagers, but I'm willing to absorb that cost if it results in a stronger workstation config over time. |
To recap our ad hoc discussion today:
|
Hey @kushaldas - you mentioned in chat today that you'd been doing packaging using |
@redshiftzero I just started working on the packaging and learning part itself, I will update this ticket during the current sprint with full documentation + examples. |
I have pushed the initial documentation at https://github.com/freedomofpress/securedrop-debian-packaging-guide Time to start building 🏭 |
Hey @kushaldas et al., ReadTheDocs is now set to build the SecureDrop packager documentation off (btw: see PR adding link to |
Per our discussion today at sprint planning, |
One outstanding question based on the current documentation is how to ensure integrity of dependencies from PyPI - i.e. we want to at minimum be using the hashes in |
We should be able to use computepipfilehash tool to generate |
The guide is now updated to use the tool . We are now using hashes in every part of the |
If there is any mismatch in the hashes, the debian build command will fail.
|
Recapping where we are with this:
Question:
|
Per discussion at sprint planning today:
|
@kushaldas - looks like the upstream issue to address freedomofpress/securedrop-debian-packaging-guide#3 on our side is waiting for feedback One other question: can you explain why this freedomofpress/securedrop-debian-packaging-guide@8c3772e change was made? i.e. why the |
@redshiftzero I will work with upstream on that
I added those as helper command in computepipfilehash package. We can have the full commands also in the guide (instead of those two). The sources: sd-downloadsources and sd-buildwheels. |
ok great, thanks for the pointer. Let's include the full command in the guide just for clarity (and we'll eventually be automating this entire deb building process anyway as we do on the server side) |
I did a dry run building the
(but not closing yet as these are outstanding) |
To quote @redshiftzero:
So, closing this issue, we can revisit the reproducibility issue down the road if we find a way around it. |
We've reached a preliminary agreement to package SecureDrop Workstation code, such as the SDK and the client, as Debian packages. To do so, we need clear developer packaging guidelines that should be committed as documentation to this repository. Preparatory to creating these guidelines, some initial research and experimentation is required.
Review turnaround cycles for recent security vulnerabilities in dependencies used by SecureDrop (e.g., Flask) to determine if using official Debian packages for Python dependencies is an option
Create developer guidelines with example package
Final test run and sign-off by @redshiftzero
2018-09-07: Updated and re-scoped per discussion.
2018-10-04: Updated per outcomes of sprint planning
The text was updated successfully, but these errors were encountered: