freedomofpress / ansible-role-grsecurity

The documentation and build system for the grsecurity kernel maintained by the Freedom of the Press Foundation for SecureDrop
GNU General Public License v2.0

Validate OS choice for build and install roles #33

Closed conorsch closed 8 years ago

conorsch commented 8 years ago

We should check the target OS and warn or fail if conditions aren't met in the build and install roles. Right now the build role checks for "Debian" or "Ubuntu", but #30 shows that we need to be more fine-grained in what's considered an OK build host. At the very least, we should bail out with an informative message if Ubuntu 14.04 is detected on the target build host.

Haven't tested building on Debian 7, but Debian 8 64-bit works quite well.

garrettr commented 8 years ago

@conorsch Is there any reason to support a variety of build hosts? If Debian 8 works well, maybe we should just stick to using that.

I'd prefer Debian over Ubuntu because Debian doesn't include unverifiable binary blobs like Ubuntu does, prioritizes stability, and is making good progress on reproducible builds, which are not an immediate goal of this project but should be down the line.

IIRC, the only reason we use Ubuntu as a build machine right now is because the default Ubuntu images from Hashicorp Atlas allocate enough space in the disk image (~20GB) to build a kernel, whereas the Debian images from the Atlas do not.

Standardizing on one distro for the build machine (while still supporting building kernels for a variety of distros) seems like it could only reduce our maintenance burden, which is a benefit.

ageis commented 8 years ago

I agree with these comments. Reminds me of this too: https://github.com/freedomofpress/securedrop/issues/306

conorsch commented 8 years ago

To be clear, I'm not talking about increasing the number of platforms that we support, but rather explicitly documenting which platforms we do support. If someone runs the build role on Ubuntu 14.04, they're going to have a hair-pulling time debugging #30. We can detect that host OS and fail with an informative message.
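
A sketch of the kind of pre-flight check described in this comment, added here as an illustration; it is not part of the original thread and not the project's own code (the change that resolved this issue is not shown on this page). The variable name `grsec_build_supported_platforms` and the allowlist contents are assumptions; the facts used are standard Ansible facts.

```yaml
# Added example: validate the build host before any kernel build tasks run.
- name: Validate build host OS
  hosts: all
  gather_facts: true
  vars:
    # Hypothetical allowlist. Debian 8 64-bit is the only build host
    # the thread reports as working; extend only after testing.
    grsec_build_supported_platforms:
      - distribution: Debian
        major_version: "8"
        architecture: x86_64
  tasks:
    # Known-bad case first, so the operator gets a pointer to the issue
    # instead of a confusing build failure later on.
    - name: Fail with an informative message on Ubuntu 14.04
      ansible.builtin.fail:
        msg: >-
          Ubuntu 14.04 is not a supported build host (see issue #30).
          Use a supported platform such as Debian 8 64-bit.
      when:
        - ansible_distribution == "Ubuntu"
        - ansible_distribution_version == "14.04"

    # Everything else is checked against the explicit allowlist rather
    # than a loose "Debian or Ubuntu" match.
    - name: Fail on any platform that is not explicitly supported
      ansible.builtin.assert:
        that:
          - >-
            grsec_build_supported_platforms
            | selectattr('distribution', 'equalto', ansible_distribution)
            | selectattr('major_version', 'equalto', ansible_distribution_major_version)
            | selectattr('architecture', 'equalto', ansible_architecture)
            | list | length > 0
        fail_msg: >-
          Unsupported build host: {{ ansible_distribution }}
          {{ ansible_distribution_version }} ({{ ansible_architecture }}).
          Supported: {{ grsec_build_supported_platforms | to_json }}
        success_msg: "Build host platform is supported."
```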

garrettr commented 8 years ago

@conorsch Thanks for clarifying. I think making the validation more specific is a good idea. I also think it's a good idea to support as few build platforms as possible to aid maintainability, but perhaps that should be tracked in a separate issue.

conorsch commented 8 years ago

Resolved via #73.