Closed zenmonkeykstop closed 3 years ago
For both upgrades and fresh installs, here is a list of functionality that requires testing. You can use this for copy/pasting into your QA report.
./securedrop-admin verify
are passing:
cd ~/Persistent/securedrop && ./securedrop-admin setup -t
./securedrop-admin verify
(this will take a while)
rm -rf admin/.venv3/ && ./securedrop-admin setup
After updating to this release candidate and running securedrop-admin tailsconfig
Have also confirmed that upgrade path works for 1U servers and that 5.4.136 is present and correct.
Release comms draft (minimal as it is) here: https://docs.google.com/document/d/1np9z-E9GZAn_HLliPzVC9kaPZOBVberuw7wZh9p3mto/edit#
Upgrade path works on NUC5.
For both upgrades and fresh installs, here is a list of functionality that requires testing. You can use this for copy/pasting into your QA report.
install_files/ansible_base/roles/install-fpf-repo/defaults/main.yml
to use:
apt_repo_url: https://apt-test.freedom.press
...
apt_repo_pubkey_files:
- apt-test-signing-key.pub
To configure and install SecureDrop, run the following:
cd ~/Persistent/securedrop
./securedrop-admin --force setup
./securedrop-admin --force sdconfig
./securedrop-admin --force install
./securedrop-admin --force tailsconfig
Confirm package versions:
apt-cache policy securedrop-app-code
-> Installed: 2.0.2~rc1+focal
apt-cache policy securedrop-config
-> Installed: 0.1.4+2.0.2~rc1+focal
apt-cache policy securedrop-keyring
-> Installed: 0.1.5+2.0.2~rc1+focal
apt-cache policy securedrop-ossec-agent
-> Installed: 3.6.0+2.0.2~rc1+focal
apt-cache policy securedrop-ossec-server
-> Installed: 3.6.0+2.0.0~rc1+focal (mon)
apt-cache policy securedrop-grsec
-> Installed: 5.4.136+focal
paxtest blackhat
has expected results
memcpy
and memcpy, PIE
shows "Vulnerable" (see https://github.com/freedomofpress/securedrop/issues/1039#issuecomment-790033219)
strcpy and
strcpy, PIE
show
paxtest: return address contains a NULL byte
curl -L https://meltdown.ovh -o meltdown.sh && sudo bash meltdown.sh -v
CVE-2018-365
aka 'Foreshadow (SGX), L1 terminal fault' shows vulnerable (see https://github.com/freedomofpress/securedrop/issues/5040#issuecomment-559597643)
./securedrop-admin --force verify
passes
cd ~/Persistent/securedrop && rm -r admin/.venv3 && ./securedrop-admin setup -t
./securedrop-admin verify
(this will take a while)
rm -rf admin/.venv3/ && ./securedrop-admin setup
See notes in QA Matrix
For posterity, whenever a PR is opened (phase 1) in https://github.com/freedomofpress/securedrop-debian-packages-lfs with the branch name "release", the changes are pushed to https://apt-qa.freedom.press/. Then the package on https://apt-qa.freedom.press/ is signed with the prod key and we run through our Preflight Test plan (my results will be posted below). Once all our preflight testing comes back positive, the PR is merged (phase 2), which promotes the SAME package to be pushed to https://apt.freedom.press/.
https://apt-qa.freedom.press/
instead of https://apt.freedom.press/
GUI update from 2.0.1->2.0.2 on Tails 4.21 worked without issues.
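One way to check the "SAME package" property of the apt-qa to apt promotion described above, as an added example that is not part of the original thread or the project's tooling: compare the SHA256 recorded for each package in the two repositories' Debian `Packages` indexes. It assumes both indexes were already downloaded and their signed Release files verified; the function names, versions and digests below are constructed for illustration.

```python
import re


def parse_packages(text):
    """Parse a Debian Packages index into {(package, version, arch): sha256}."""
    index = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") and key:
                # Folded continuation line belongs to the previous field.
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        if "Package" in fields:
            ident = (fields["Package"], fields.get("Version", ""),
                     fields.get("Architecture", ""))
            index[ident] = fields.get("SHA256")
    return index


def promotion_diff(qa_text, prod_text):
    """List packages whose prod entry is not the byte-identical QA package."""
    qa, prod = parse_packages(qa_text), parse_packages(prod_text)
    problems = []
    for ident, qa_hash in sorted(qa.items()):
        if ident not in prod:
            problems.append((ident, "missing from prod"))
        elif not qa_hash or prod[ident] != qa_hash:
            problems.append((ident, "SHA256 missing or differs"))
    return problems


# Constructed sample indexes: placeholder digests and a placeholder version.
H1, H2, H3 = "a" * 64, "b" * 64, "c" * 64
STANZA = "Package: {}\nVersion: 0.0.0+example\nArchitecture: amd64\nSHA256: {}\n"
QA_INDEX = "\n".join([STANZA.format("securedrop-app-code", H1),
                      STANZA.format("securedrop-config", H2)])
PROD_INDEX = "\n".join([STANZA.format("securedrop-app-code", H1),
                        STANZA.format("securedrop-config", H3)])

if __name__ == "__main__":
    for ident, reason in promotion_diff(QA_INDEX, PROD_INDEX):
        print(ident, reason)
```

An empty result means every package and version tested on the QA server is present in production with the same digest.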
This is a tracking issue for the release of SecureDrop 2.0.2
Tentatively scheduled as follows:
Pre-release announcement: 2021-08-11
Release date: 2021-08-12
Release manager: KOG
Deputy release manager: n/a
Communications manager: EM
SecureDrop maintainers and testers: As you QA 2.0.2, please report back your testing results as comments on this ticket. File GitHub issues for any problems found, tag them "QA: Release", and associate them with the 2.0.2 milestone for tracking (or ask a maintainer to do so).
Test debian packages will be posted on https://apt-test.freedom.press signed with the test key. An Ansible playbook testing the upgrade path is here.
QA Matrix for 2.0.2
Test Plan for 2.0.2
Prepare release candidate (2.0.2~rc1)
2.0.2~rc1
on test apt server
After each test, please update the QA matrix and post details for Basic Server Testing, Application Acceptance Testing and release-specific testing below in comments to this ticket.
Final release
release
branch in the LFS repo)
5.4.136
grsec kernel packages, to apt-qa server
release
branch in the LFS repo for the debs)
main
in the LFS repo)
main
and verify new docs build in securedrop-docs repo
Post release
securedrop-docs
and Wagtail
develop