Closed conorsch closed 7 years ago
We recently updated the securedrop-grsec metapackage and did not set the dependency on the securedrop-keyring. The metapackage logic is theoretically applicable to other environments, and while we could customize the control file logic to accept vars for dependencies, I don't see a lot of benefit to doing so at this point in time.
Administrators of SecureDrop instances will use the Ansible playbook shipped in the securedrop repo to configure the servers, and the securedrop-keyring package will be explicitly installed as part of that config.
SecureDrop 0.3.10 includes a package securedrop-keyring for managing apt key rotations. The non-grsec packages now declare securedrop-keyring as a dependency. Mostly this is a hack to allow unattended upgrades to seamlessly rotate the key, without requiring Admin intervention, but we should consider setting the same dependency for the securedrop-grsec metapackage, maintained in this repo.