Open rocodes opened 1 month ago
Overall +1 from me, I like being able to skip the tarball step and also like how this brings us closer to the deb building workflow.
I use a template to create an RPM Spec file.
Because I have multiple specs (55), I generate them based on the readme, including the installation scriptlet etc is gathered this way, I understand your %post
is very simple, but I try to avoid multiple mentions of the same code, in case a user wants to install manually instead of using the RPM.
It allows for a very simple %files
section. I did not finish the specs building yet, I know there are some things missing so I indicate this for a testing only qube.
If you organize the files in the same hierarchical structure you plan to apply to Dom0, it will be much easier indeed. Example: use find
on a dir that has the same dir structure that is going to be applied to dom0, them prefix each line with the RPM macro, be it %{_bindir}
, %{_datadir}
or even in the %install
section for %{_buildroot}
. No more manual tracking of files in RPM spec. If you also set the correct mode on the repo, it could be identified to set the mode on installation also if necessary.
I see that https://github.com/freedomofpress/securedrop-workstation/pull/1048 started making it better.
Description
In our rpm build, we create a source tarball, but we don't really need one; we don't have a "build" step of the build and we just need to copy files into place.
It's possible to use a subdirectory as a
Source
instead of using a tarball. (Evidence!). (By extension, we could probably use multiple subdirectories as Source0, Source1, but I don't think we have to make things that complicated).I propose we reorganize the files in the workstation repo so that all the files intended for the SDW laptop are contained in one directory (eg
securedrop-workstation-dom0-config
), and inside that directory, are in a tree structure that gives some indication of their final destination on the Qubes machine. (Sosecuredrop-workstation-dom0-config/etc/qubes.policy.d/{31-workstation.policy,32-workstation.policy}
for example).Then our rpm .spec file would have a very simple %install and %files section, possibly even as simple as
but we could also make the
%files
section a little more legible rather than globbing so aggressively (and/or, if we decide we like installing specific files one at a time, we have that option as well, just showing a dramatic example of what we could do if we wanted).Good
Bad
How will this impact SecureDrop/SecureDrop Workstation users?
Should be no user-facing changes
How would this affect the SecureDrop Workstation threat model?
Should be no threat-model-related impacts
User Stories
As a developer [or as an external contributor, or a community member, or an SDW journo/admin], I want to be able to clearly see which files will end up on an end user's machine by looking at the repo