Merge 0.4.4 post-release changes into develop #2483
Conversation
Removes non-default apt behavior setting force=yes on package installations, which has the catastrophic effect of installing apt packages without checking authentication first. There are three packages total affected by this vulnerability:
* deb.torproject.org-keyring
* ntp
* tor
The force=yes flag was introduced on the tor and deb.torproject.org-keyring packages via e578b9a, and on the ntp package when it was first added to the config in 79e7d54.
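The setting the commit above removes, beside its hardened form, as an added example rather than SecureDrop's own playbook: the Ansible apt module's `force` parameter maps to `apt-get --force-yes`, which implies `allow_unauthenticated` and so skips verification of the signed repository metadata for those installs. The package names come from the commit message; the task names and the `update_cache` choice are illustrative.

```yaml
# Added example, not the project's playbook. Package list taken from the
# commit message above; task names are illustrative.

# BEFORE (vulnerable): force=yes corresponds to `apt-get --force-yes`, which
# implies allow_unauthenticated and lets apt install packages whose Release
# file signature could not be verified. Kept here only to show the defect.
- name: Install packages with apt authentication disabled (vulnerable)
  apt:
    name: "{{ item }}"
    state: present
    force: yes
  with_items:
    - deb.torproject.org-keyring
    - ntp
    - tor

# AFTER (fixed): drop `force`; apt's default behaviour refuses unauthenticated
# packages, so a tampered mirror or MITM yields a failed task, not an install.
- name: Install packages, relying on apt's default signature verification
  apt:
    name: "{{ item }}"
    state: present
    update_cache: yes   # refresh indexes; signed Release files are checked here
  with_items:
    - deb.torproject.org-keyring
    - ntp
    - tor
```

A quick way to catch a regression is to grep the role tree for `force: yes` (or `force=yes`) in apt tasks in CI; the only legitimate reason to set it is a deliberately unauthenticated install, which this project never wants.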
Uses a single entrypoint in the top-level "securedrop-admin" script to provide a convenient method for fetching, compressing, and encrypting the logs for sending to FPF. We've often discussed the need for a convenient action to prepare logs for support purposes, and 0.4.4 provides the perfect opportunity to ship the feature. The GPG fingerprint used for encrypting the tarball is not customizable; future versions of the script should provide override capability via `--recipient` or similar.
Updates the Ansible version to 2.3.2, in order to address CVE-2017-7481 [0], which was patched in 2.3.1 [1]. Updates the Ansible version throughout the project, including both the hash-pinned requirements file for SecureDrop Administrators, and the sundry requirements files used by developers and in CI for testing. We have a sanity check on forcing a supported Ansible version via a callback plugin, so that hardcoded version check has been incremented, as well.
[0] https://access.redhat.com/security/cve/CVE-2017-7481
[1] https://github.com/ansible/ansible/blob/70c58e74ab492ea17df893bb4692f3b64a755858/CHANGELOG.md#231-ramble-on---2017-06-01
Expiration date has been increased: 2017-10-20 -> 2018-10-05
The fingerprint for the SecureDrop Release Signing Key remains the same: 22245C81E3BAEB4138B36061310F561200F4AD77
The Ansible role uses the ASCII-armored file to set up apt repo access for the servers at install time. Thereafter, the `securedrop-keyring` package will manage trust via automatic updates going forward. The new keyring was generated via the command:
```
gpg --no-default-keyring --keyring \
    install_files/securedrop-keyring/etc/apt/trusted.gpg.d/securedrop-keyring.gpg \
    --import \
    install_files/ansible-base/roles/install-fpf-repo/files/fpf-signing-key.pub
```
Noting these changes here because the keyring file is binary format, and therefore difficult to inspect changes for.
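Because the keyring is a binary file, a reviewer cannot eyeball the diff; the check worth having is that the installed keyring still carries exactly the expected release key. The following is an added example task, not part of this PR or the project's roles: it lists the keyring's fingerprints in machine-readable form and fails the play if the fingerprint quoted above is absent. The on-server path `/etc/apt/trusted.gpg.d/securedrop-keyring.gpg` is assumed from the package's `etc/apt/trusted.gpg.d/` layout shown in the commit message.

```yaml
# Added example task, not SecureDrop's own code. Assumes the keyring package
# installs its file at /etc/apt/trusted.gpg.d/securedrop-keyring.gpg (inferred
# from the package layout in the commit message above).
- name: List fingerprints in the installed SecureDrop keyring
  command: >
    gpg --no-default-keyring
        --keyring /etc/apt/trusted.gpg.d/securedrop-keyring.gpg
        --with-colons --fingerprint
  register: securedrop_keyring
  changed_when: false
  # With --with-colons, each fingerprint appears in an "fpr" record; the
  # expected value is the Release Signing Key fingerprint from the commit.
  failed_when: >
    'fpr:::::::::22245C81E3BAEB4138B36061310F561200F4AD77:'
    not in securedrop_keyring.stdout

- name: Show the keyring listing so the expiry (field 7 of the "pub" record) is visible in the run log
  debug:
    var: securedrop_keyring.stdout_lines
```

Running this after the keyring package upgrade gives a hard failure if the binary file was regenerated from the wrong public key, and the printed `pub` record lets the operator confirm the new expiry date without opening the file by hand.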
Conflict resolved manually in install_files/securedrop-keyring/DEBIAN/control
The merge commit 1732352 lists the file that had conflicts manually resolved during the merge.
It appears this error is related to the Ansible version bump; I've reproduced it in a local staging environment while trying to update the develop-requirements. edit: This appears to be the problem #1146
Back in May (d803bc7b8c4), when we were still under ansible 2.2.x we had to pull in the synchronize module from upstream in order to get rsync playing nice with docker. Now that we are on 2.3+ there is some piece of code we are missing from upstream that is causing problems. Let's drop our fork and rely on upstream synchronize module now :)
b3b3b1c -- seems to be getting us farther, fingers crossed -- seems like it was a conflict with ansible 2.3+ and our forked synchronize module. That was needed when we were running under <ansible 2.3, which had a lot of missing functionality.
I saw this the other day... think I got a fix for it. It's probably molecule related.
Honestly I started going into the molecule source-code but had to time-box myself here since I was able to find the fix quickly by trial/error. Seems to be an underlying python yaml module issue with how it is being called. Anyways - I'm not super sure what `molecule_to_yaml` was buying us here.
Thanks @heartsucker @msheiny !
Status
Ready for review
Description of Changes
Fixes one checkbox in #2474.
Testing
Does CI pass?
Deployment
None, these changes are already in prod: https://securedrop.org/news/securedrop-044-released
Checklist
If you made changes to the system configuration: