Closed legoktm closed 2 months ago
version: rc1 status: WIP
version: rc1 status: WIP
rc2
T490, Qubes 4.2.1
[x] download rpm from https://yum-test.securedrop.org/workstation/dom0/f37/, copy into dom0 and install (see steps at https://workstation.securedrop.org/en/stable/admin/install.html#download-and-install-securedrop-workstation but it's OK to skip the download through dnf and signature verification parts)
[x] RPM installs successfully in dom0
[x] Set up /usr/share/securedrop-workstation-dom0-config/
, see https://workstation.securedrop.org/en/stable/admin/install.html#configure-securedrop-workstation-estimated-wait-time-60-90-minutes, make sure that in config.json, environment is set to staging
.
[x] Run sdw-admin --validate && sdw-admin --apply
; both should finish successfully.
[x] open a terminal in one of the SDW appVMs/templates, run dpkg -l | grep securedrop
and verify you have 0.11.0-rc1 packages
[ ] basic client functionality requiring Tor (login, first sync) completed successfully.
[ ] Run through https://github.com/freedomofpress/securedrop-workstation/wiki/Workstation-Acceptance-Tests and other QA testing
[x] After running the updater, ~/.securedrop_updater/sdw-last-updated
has been updated. (verifies https://github.com/freedomofpress/securedrop-workstation/issues/1107)
[x] Manually start the sdw-notify
systemd user unit after running the updater - you should not see a notification popup (verifies https://github.com/freedomofpress/securedrop-workstation/issues/1107)
[x] Open the menu, for sd-devices you should see "Files" and "Disks". for sd-whonix you should see "Anon Connection Wizard" and "Tor Control panel" (verifies https://github.com/freedomofpress/securedrop-workstation/issues/1109)
/usr/share/securedrop-workstation-dom0-config/
, see https://workstation.securedrop.org/en/stable/admin/install.html#configure-securedrop-workstation-estimated-wait-time-60-90-minutes, make sure that in config.json, environment is set to staging
.sdw-admin --validate && sdw-admin --apply
; both should finish successfully.dpkg -l | grep securedrop
and verify you have 0.11.0-rc1 packages~/.securedrop_updater/sdw-last-updated
has been updated. (verifies https://github.com/freedomofpress/securedrop-workstation/issues/1107)sdw-notify
systemd user unit after running the updater - you should not see a notification popup (verifies https://github.com/freedomofpress/securedrop-workstation/issues/1107)With known limitations of the current data/sync model:
Data race (contention): If you click the star icon while a sync is in progress, then: (1) the GUI shows the source as starred; (2) the sync completes; (3) the GUI shows the source as unstarred; (4) the star operation completes; (5) the GUI shows the source as starred.
Data race (interruption): If you click the star icon and then immediately quit the Client, then: (1) the GUI shows the source as starred; (2) the Client quits; (3) when the Client restarts, the GUI shows the source as unstarred; (4) the first sync completes; (5) the GUI shows the source as starred.
→ https://github.com/freedomofpress/securedrop-client/issues/874#issuecomment-2218297615
when a source is selected in the source list:
[x] the reply panel is available for use and there is no message asking the user to sign in
[x] a reply can be added to the conversation
[x] a pending reply can be added to the conversation (ie., by disconnecting the network or shutting down sd-whonix
just before sending a reply)
[x] a reply containing HTML is displayed as unformatted text
[x] a reply with a line longer than 100 chars is displayed correctly
[x] two replies added immediately after each other are ordered correctly
No, probably an unsupported format: A .webm
video file fails with the prompt "Are you sure you want to create another disposable VM?" and then Denied: qubes.OpenInVM
.
This is freedomofpress/securedrop-client#2007 at https://github.com/freedomofpress/securedrop-client/blob/d94eca34a2f530c7286e5463bde64ef0fc73f878/workstation-config/mimeapps.list.sd-app#L191.
Prerequisites:
- server is available and contains large source test dataset (256 sources, submission sizes ranging from 1-500MB)
- client data directory is empty
diff --git a/securedrop/loaddata.py b/securedrop/loaddata.py
index 241e00f43..3b1b7a85f 100755
--- a/securedrop/loaddata.py
+++ b/securedrop/loaddata.py
@@ -208,6 +208,7 @@ def submit_file(source: Source, journalist_who_saw: Optional[Journalist], size:
if not size:
file_bytes = b"This is an example of a plain text file upload"
else:
+ size = random.randint(0, size)
file_bytes = os.urandom(size * 1024)
fpath = Storage.get_default().save_file_submission(
Modulo freedomofpress/securedrop-client#1476.
Yes, although the wizard steps stall for an interval proportional to the size of the file being exported, without much UI feedback.
I had one failure where send-to-usb
returned EOF
after reaching Syncing filesystems
, but I've not been able to reproduce it in repeated testing with a ~500 MB file.
sd-export-<timestamp>/export_data
/usr/share/securedrop-workstation-dom0-config/
, see https://workstation.securedrop.org/en/stable/admin/install.html#configure-securedrop-workstation-estimated-wait-time-60-90-minutes, make sure that in config.json, environment is set to staging
.sdw-admin --validate && sdw-admin --apply
; both should finish successfully.dpkg -l | grep securedrop
and verify you have 0.11.0-rc1 packages~/.securedrop_updater/sdw-last-updated
has been updated. (verifies https://github.com/freedomofpress/securedrop-workstation/issues/1107)sdw-notify
systemd user unit after running the updater - you should not see a notification popup (verifies https://github.com/freedomofpress/securedrop-workstation/issues/1107)the user is not prompted for the USB's password, if the (LUKS or VeraCrypt) device is unlocked
the user is not prompted for the USB's password, if the (LUKS or VeraCrypt) device is unlocked and mounted
@deeplow can you provide more details about the export failures please, eg STR / where the process failed/what error message or error logs you see? (Edit) Even if it's a misconfigured drive, it could be something real-world users run into so it's helpful information. Thank you!
That was at the end of last week. I was trying to reproduce it now, but it works. Could have something to do with how I created the device. Will test again various times this week and see if I get it to fail as before. But I had originally provisioned from nautilus » right-click on drive » format.
Thanks @deeplow - For creating a device, we ask people to follow https://workstation.securedrop.org/en/stable/admin/provisioning_usb.html , so as long as you're using that or equivalent workflow and creating a whole-encrypted device, or a device with one encrypted partition (other non encrypted partitions are fine), any STR / bugreports are useful
hw: T480 / Qubes 4.2.2-rc1 version 1.0.0-rc2
/usr/share/securedrop-workstation-dom0-config/
, see https://workstation.securedrop.org/en/stable/admin/install.html#configure-securedrop-workstation-estimated-wait-time-60-90-minutes, make sure that in config.json, environment is set to staging
.sdw-admin --validate && sdw-admin --apply
; both should finish successfully.dpkg -l | grep securedrop
and verify you have 0.11.0-rc1 packages~/.securedrop_updater/sdw-last-updated
has been updated. (verifies https://github.com/freedomofpress/securedrop-workstation/issues/1107)sdw-notify
systemd user unit after running the updater - you should not see a notification popup (verifies https://github.com/freedomofpress/securedrop-workstation/issues/1107)When the export fails it shows the following screen:
The scenarios expect this:
When the user encounters error state(s) during export: a user-facing message (rather than an EXPORT_ERROR_CODE style message) is shown
I am not sure if this is a successful outcome or not.
The way I simulated the failure was by remove the USB stick mid-copying.
Looks like https://github.com/freedomofpress/securedrop-client/issues/1926, same question - I'm curious about the logs in sd-devices, specifically the export_status, when that happens.
It's definitely something to fix, but I'm not sure where it ranks in our priorities - if the user pulls out a drive mid-export they can/should expect that to fail in a weird way. (Ideally it would fail with a better message of course)
@deeplow (and other testers) re the export scenarios:
HTH!
HTH!
Does help. Thanks for the context, again!
I still have to finish up some of the export/print test plan and report out in more detail (tomorrow), but with the addition of https://github.com/freedomofpress/securedrop-client/pull/2102 in sd-app, basic print testing so far is looking good on both supported HP and Brother printers. Basic export testing is also looking good and I will test https://github.com/freedomofpress/securedrop-client/pull/2100 tomorrow to mark for review since I think it will resolve some of the corner case issues with error reporting.
until tm :)
Qubes: 4.2.2-rc2 dom0 config: rc2 client: 0.11.0 -rc1 + print changes (0.11.0-rc2 equiv)
sd-devices
VM is startedEXPORT_ERROR_CODE
style message) is shown (yes, except see discussion above and https://github.com/freedomofpress/securedrop-client/issues/2098)sd-export-<timestamp>/export_data
Tested with HP LaserJetPro 4001dn and Brother HL-L2360DW
sd-devices
VM is startedsd-devices
VM, and clicks Continue:
Qubes 4.2.2-rc1, Novacustom NV41
/usr/share/securedrop-workstation-dom0-config/
, see https://workstation.securedrop.org/en/stable/admin/install.html#configure-securedrop-workstation-estimated-wait-time-60-90-minutes, make sure that in config.json, environment is set to staging
.sdw-admin --validate && sdw-admin --apply
; both should finish successfully.dpkg -l | grep securedrop
and verify you have 0.11.0-rc1 packages~/.securedrop_updater/sdw-last-updated
has been updated. (verifies https://github.com/freedomofpress/securedrop-workstation/issues/1107)sdw-notify
systemd user unit after running the updater - you should not see a notification popup (verifies https://github.com/freedomofpress/securedrop-workstation/issues/1107)~ skippedPrerequisites:
- server is available and contains large source test dataset (256 sources, submission sizes ranging from 1-500MB)
- client data directory is empty
sd-export-<timestamp>/export_data
Qubes 4.2.2-rc1 / T480 / staging servers
dom0 rc3 / client rc2
upgrade (rc{1,2} -> rc{2,3}) via updater
I was able, once, to encounter a printer error, when deliberately trying to print without a printer connected, but I couldn't replicate it.
apply
, manually edit the following files so that the repo URLs point to our prod qa repos:
/srv/salt/securedrop_salt/sd-default.config.yml
: change the prod settings (dom0_yum_repo_url
) to https://yum-qa.securedrop.org/workstation/dom0
/srv/salt/securedrop_salt/apt_freedom_press.sources.j2
: change the apt repo to https://apt-qa.freedom.press
/srv/salt/securedrop_salt/apt_freedom_press.sources.j2
to /srv/salt/securedrop_salt/apt-qa_freedom_press.sources.j2
, and edit the path in /srv/salt/securedrop_salt/sd-default.config.yml
. apply
For apt-qa, I also copied /srv/salt/securedrop_salt/apt_freedom_press.sources.j2
to /srv/salt/securedrop_salt/apt-qa_freedom_press.sources.j2
, and edited the path in /srv/salt/securedrop_salt/sd-default.config.yml
. Otherwise when the securedrop-keyring package is installed, it overwrites our apt->apt-qa.
Shall we update https://github.com/freedomofpress/securedrop-workstation/wiki/QA-Testing#preflight-testing with this information?
@deeplow : Yes, and we should update the developer docs as well
QA:
To test this release, you will need a dedicated computer compatible with Qubes 4.2. You'll also need a test SecureDrop server instance, either:
make dev-tor
)In order to configure SecureDrop Workstation, you'll need the Journalist interface address and authorization key, and the Submission Private Key from the server instance - so set the server instance up first.
Next, install Qubes 4.2 (preferably the latest stable patch version) on your Qubes computer. Then install SecureDrop Workstation, following the standard installation process with 2 deviations:
config.json
, set the value ofenvironment
tostaging
instead of prod - this will enforce the use of the test repos and latest RCs for both workstation and client packages.Once the installation is complete, copy the
securedrop-workstation
source tagged with the curent RC version todom0
on your test system usingmake clone
and run the configuration tests in dom0 withmake test
.Then, add a column with your config and initial test results (installation, setup, dom0 tests) in the SecureDrop Workstation QA Matrix, and complete one or more acceptance test scenarios (check with the release manager if you're unsure as to which ones are needed), and complete any linked release-specific tests, copying the scenario test plans from the linked wiki pages, and adding the completed versions as comments on this issue.
(Then take a rest and get yourself a nice treat - you've earned it.)
QA test plan:
Note: there is no upgrade scenario because all users must reinstall for this release.
Fresh install (prodlike install)
Qubes ~4.2.1~ [edit: 4.2.2-rc1 or newer] expected, please note hardware
Testing:
/usr/share/securedrop-workstation-dom0-config/
, see https://workstation.securedrop.org/en/stable/admin/install.html#configure-securedrop-workstation-estimated-wait-time-60-90-minutes, make sure that in config.json, environment is set tostaging
.sdw-admin --validate && sdw-admin --apply
; both should finish successfully.dpkg -l | grep securedrop
and verify you have 0.11.0-rc1 packages~/.securedrop_updater/sdw-last-updated
has been updated. (verifies https://github.com/freedomofpress/securedrop-workstation/issues/1107)sdw-notify
systemd user unit after running the updater - you should not see a notification popup (verifies https://github.com/freedomofpress/securedrop-workstation/issues/1107)Release process:
RC1:
update_version
script, update changelog in .spec file and markdown: https://github.com/freedomofpress/securedrop-workstation/pull/1102RC2:
update_version
script, update changelog in .spec file and markdown: https://github.com/freedomofpress/securedrop-workstation/pull/1102Release:
update_version
script, and update changelog in .spec file and markdownPost-release