Draft release comms are ready for initial review. As always, it's a bit of a judgment call which changes should go into the blog post and which ones are only in the changelog -- if there's stuff you feel warrants more or less visibility, please don't hesitate to comment.
NB. An upgrade scenario newly provisioned from a tag (i.e., without #6120) will fail in `securedrop-admin install` role `install-fpf-repo` with `apt cache update failed` until both VMs are brought up to date via (e.g.):
```sh-session
root@sd-staging:~/securedrop# molecule login -s libvirt-prod-focal -h app-prod
vagrant@app-prod:~$ sudo apt-get update
vagrant@app-prod:~$ sudo apt-get upgrade -y
vagrant@app-prod:~$ exit
root@sd-staging:~/securedrop# molecule login -s libvirt-prod-focal -h mon-prod
vagrant@mon-prod:~$ sudo apt-get update
vagrant@mon-prod:~$ sudo apt-get upgrade -y
vagrant@mon-prod:~$ exit
```
Yup, that's the same root cause as captured in #6119. If you have more up-to-date bento/20.04 boxes it shouldn't be a problem, but it doesn't look like those are available yet in a provider format that we can use.
[x] If you are testing the upgrade scenario, you should create source and journalist accounts before performing the upgrade - some test cases require existing accounts.
[x] In order to test #5988 you will need to enable HTTPS on the source interface. To do so using self-signed certs:
  - `~/Persistent/securedrop && make self-signed-https-certs` on the Admin Workstation to generate the necessary files
  - `./securedrop-admin sdconfig`

[x] Take a backup of your existing SecureDrop installation using the `securedrop-admin backup` command. You will need enough free space on your Admin Workstation USB to complete this backup.
[x] ~Either~ run the ansible QA playbook from `qa-update-playbook` (pending #6123):
https://github.com/freedomofpress/securedrop/blob/ed008a0e49738ab8695fe438255b9ee06362831f/install_files/ansible-base/securedrop-qa.yml#L7-L18
[...]
`./securedrop-admin verify` are passing:
  - `cd ~/Persistent/securedrop && ./securedrop-admin setup -t`
  - `./securedrop-admin verify` (this will take a while)
  - `rm -rf admin/.venv3/ && ./securedrop-admin setup`
Tests failing: (see also: #6127)
  - `test_hosts_files`: expects original configured hostname `mon` (≠ `mon-prod`)
  - `test_fpf_apt_repo_present`: expects `apt.freedom.press` rather than `apt-test.freedom.press` used for QA
  - `test_unattended_upgrades_functional`
  - `test_postfix_generic_maps`: expects original configured hostname `mon` (≠ `mon-prod`)
[x] QA Matrix checks pass
After updating to this release candidate and running securedrop-admin tailsconfig
[x] #6075 - valid HTML time tags
[x] #5695 - scrypt and sessions refactor
  - `sudo -u www-data gpg --homedir /var/lib/securedrop/keys -k`
  - `/lookup` page vs the corresponding page on https://demo-source.securedrop.org
  - `manage.py add-admin` on the application server are 32 chars long and can be used to generate valid TOTP codes via the Google Authenticator mobile app

[x] #5696 - no JS in user delete modal
Tor Browser "Page Info" says (my emphasis):
Connection Encrypted (Onion Service, TLS_AES_128GCM_SHA256, 128 bit keys, TLS 1.3)
After rerunning `make self-signed-https-certs && ./securedrop-admin install`, Tor Browser "Page Info" says (my emphasis):
Connection Encrypted (Onion Service, TLS_AES_256GCM_SHA384, 256 bit keys, TLS 1.3)
This suggests that an explicit `./securedrop-admin install` is necessary for #5988 to go into effect on upgrading an existing SecureDrop installation.
  - `/etc/apache2/sites-enabled/source.conf` and verify that it contains the line `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2`
```sh-session
amnesia@amnesia:~/Persistent/securedrop$ git branch --points-at HEAD
* release/2.1.0
amnesia@amnesia:~/Persistent/securedrop$ ssh app "grep 'SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2' /etc/apache2/sites-enabled/source.conf"
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
```
  - `22245C81E3BAEB4138B36061310F561200F4AD77` is not present on the application or monitor servers, e.g. by running the command `for s in app mon; do ssh $s sudo apt-key list` from the Admin workstation
```sh-session
amnesia@amnesia:~/Persistent/securedrop$ git branch --points-at HEAD
* release/2.1.0
amnesia@amnesia:~/Persistent/securedrop$ for s in app mon; do ssh $s sudo apt-key list | grep -b2 -a1 "2224"; done
Warning: apt-key output should not be parsed (stdout is not a terminal)
587-pub rsa4096 2016-10-20 [SC] [expired: 2021-06-30]
639: 2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77
696-uid [ expired] SecureDrop Release Signing Key
Warning: apt-key output should not be parsed (stdout is not a terminal)
587-pub rsa4096 2016-10-20 [SC] [expired: 2021-06-30]
639: 2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77
696-uid [ expired] SecureDrop Release Signing Key
```
  - `2359 E653 8C06 13E6 5295 5E6C 188E DD3B 7B22 E6A3` is present on the servers
```sh-session
amnesia@amnesia:~/Persistent/securedrop$ git branch --points-at HEAD
* release/2.1.0
amnesia@amnesia:~/Persistent/securedrop$ for s in app mon; do ssh $s sudo apt-key list | grep -b2 -a1 "2359"; done
Warning: apt-key output should not be parsed (stdout is not a terminal)
326-pub rsa4096 2021-05-10 [SC] [expires: 2022-07-04]
378: 2359 E653 8C06 13E6 5295 5E6C 188E DD3B 7B22 E6A3
435-uid [ unknown] SecureDrop Release Signing Key <securedrop-release-key-2021@freedom.press>
Warning: apt-key output should not be parsed (stdout is not a terminal)
326-pub rsa4096 2021-05-10 [SC] [expires: 2022-07-04]
378: 2359 E653 8C06 13E6 5295 5E6C 188E DD3B 7B22 E6A3
435-uid [ unknown] SecureDrop Release Signing Key <securedrop-release-key-2021@freedom.press>
```
```sh-session
amnesia@amnesia:~/Persistent/securedrop$ git branch --points-at HEAD
* release/2.1.0
amnesia@amnesia:~/Persistent/securedrop$ ssh mon sudo grep -R "fwupd" /var/ossec/logs/alerts | grep -v "grep" | wc -l
0
```
  - `./securedrop-admin backup`
  - `scp sd-backup.tar.gz app:/tmp/sd-backup-transfer.tar.gz`
  - `./securedrop-admin restore --no-transfer sd-backup-transfer.tar.gz` completes successfully, and that the local backup file is not transferred to the server during the playbook run.
```sh-session
amnesia@amnesia:~/Persistent/securedrop$ git branch --points-at HEAD
* release/2.1.0
amnesia@amnesia:~/Persistent/securedrop$ scp install_files/ansible-base/sd-backup-2021-10-08* app:/tmp/sd-backup-2021-10-08.tar.gz
sd-backup-2021-10-08--01-23-08.tar.gz 100% 107KB 72.1KB/s 00:01
amnesia@amnesia:~/Persistent/securedrop$ ./securedrop-admin --force restore --no-transfer sd-backup-2021-10-08.tar.gz
[...]
TASK [restore : Extract Tor configuration from backup] *************************
fatal: [app]: FAILED! => {
"changed": false
}
MSG:
Source '/home/amnesia/Persistent/securedrop/install_files/ansible-base/sd-backup-2021-10-08.tar.gz' does not exist
[...]
amnesia@amnesia:~/Persistent/securedrop$ scp install_files/ansible-base/sd-backup-2021-10-08* app:/tmp/
sd-backup-2021-10-08--01-23-08.tar.gz 100% 107KB 93.4KB/s 00:01
amnesia@amnesia:~/Persistent/securedrop$ ./securedrop-admin --force restore --no-transfer sd-backup-2021-10-08--01-23-08.tar.gz
[...]
PLAY RECAP *********************************************************************
app : ok=17 changed=12 unreachable=0 failed=0 skipped=13 rescued=0 ignored=0
```
Even with `--no-transfer`, `restore_file` needs to exist in `install_files/ansible-base`—which might be worth documenting further as the intended behavior of #5909.
  - `./securedrop-admin tailsconfig` completes successfully and the Tails OS Updater starts without displaying errors
  - `./securedrop-admin tailsconfig` completes successfully without triggering the Tails OS Updater
  - `/etc/os-release` to change the TAILS_VERSION_ID to a pre-4.19 version
  - `touch /usr/local/etc/ssl/certs/tails.boum.org-CA.pem`
  - `/usr/local/etc/ssl/certs/tails.boum.org-CA.pem`

`./securedrop-admin verify` are passing:
(Not tested)
N.B. If you previously used "Safest" mode in Tor Browser as a Source, you'll have to re-enable JS to verify some of the functionality below.
[x] #6075 - valid HTML time tags
[ ] #5695 - scrypt and sessions refactor
  - `sudo -u www-data gpg --homedir /var/lib/securedrop/keys -k | grep "Source Key" | wc -l`; that number matches the number of sources I see in the JI
  - `/lookup` page vs the corresponding page on https://demo-source.securedrop.org
  - https://demo-source.securedrop.org and pay attention to how the experience feels
  - `manage.py add-admin` on the application server are 32 chars long and can be used to generate valid TOTP codes via the Google Authenticator mobile app

[x] #5696 - no JS in user delete modal
  - `/etc/apache2/sites-enabled/source.conf` and verify that it contains the line `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2`
  - `sudo apt install -y testssl.sh -t buster-backports`, then run `testssl.sh <onion url>`. Confirm that only TLSv1.3 is provided; all earlier protos are not.

[ ] #5979 - Remove expired key
  - `22245C81E3BAEB4138B36061310F561200F4AD77` is not present on the application or monitor servers, e.g. by running the command `for s in app mon; do ssh $s sudo apt-key list` from the Admin workstation
  - `2359 E653 8C06 13E6 5295 5E6C 188E DD3B 7B22 E6A3` is present on the servers

[ ] #5909 - Manually-transferred backup
  - `./securedrop-admin backup`
  - `scp sd-backup.tar.gz app:/tmp/sd-backup-transfer.tar.gz`
  - `./securedrop-admin restore --no-transfer sd-backup-transfer.tar.gz` completes successfully, and that the local backup file is not transferred to the server during the playbook run.

[ ] #6110 - Repair Tails installer
@cfm: re the manual transfer test, the playbook does require that the tarball be available locally as well to verify that it is valid - good catch on the docs side, this option hasn't been documented yet and should be for the release.
Updated the OP with mention of 2.1.0~rc2. @cfm if you've got cycles today, simply re-testing the problematic sections of your previous testing report on rc1 would be ideal. For simplicity's sake, I'd say take the VM upgrade scenario again, and I'll take clean install VMs again and post results.
So far so good on 2.1.0~rc2. One issue of note is that on the clean install scenario, I observed an apt-update failure:
It appears the order of operations is as follows:
1. All apt packages updated in `prepare-servers`, as expected
2. apt-test key is added via local modifications of the `install-fpf-repo` vars, as part of QA
3. apt-test repo URL is added via local modifications of the `install-fpf-repo` vars, as part of QA
4. the `securedrop-keyring` package is installed from apt-test, which clobbers the test key with the prod key upon installation
5. the `common` role fails to update apt lists again, since the apt-test repo is configured but the key is removed

This issue only affects QA testing, it isn't a problem for prod. But I'm documenting it here in case other testers encounter it.
All issues raised about 2.1.0\~rc1 in https://github.com/freedomofpress/securedrop/issues/6103#issuecomment-938341940 are resolved in 2.1.0\~rc2. Still outstanding against 2.1.0\~rc2:
```sh-session
amnesia@amnesia:~/Persistent/securedrop$ ./securedrop-admin verify
=========================== short test summary info ============================
FAILED app/test_apparmor.py::test_apparmor_pkg[paramiko:/app-apparmor-utils]
FAILED app/test_apparmor.py::test_apparmor_pkg[paramiko:/app-apparmor] - para...
FAILED app/test_apparmor.py::test_apparmor_apache_capabilities[paramiko:/app-dac_override]
FAILED app/test_ossec_agent.py::test_hosts_files[paramiko:/app] - AssertionEr...
FAILED common/test_fpf_apt_repo.py::test_fpf_apt_repo_present[paramiko:/app]
FAILED common/test_fpf_apt_repo.py::test_fpf_apt_repo_present[paramiko:/mon]
FAILED common/test_automatic_updates.py::test_unattended_upgrades_functional[paramiko:/app]
FAILED mon/test_ossec_server.py::test_ossec_connectivity[paramiko:/mon] - Ass...
FAILED mon/test_ossec_server.py::test_hosts_files[paramiko:/mon] - AssertionE...
FAILED mon/test_postfix.py::test_postfix_generic_maps[paramiko:/mon] - Assert...
= 10 failed, 425 passed, 7 skipped, 3 xfailed, 1 xpassed, 10 warnings in 2016.78s (0:33:36) =
[...]
```
[x] If you are testing the upgrade scenario, you should create source and journalist accounts before performing the upgrade - some test cases require existing accounts.
[x] In order to test #5988 you will need to enable HTTPS on the source interface. To do so using self-signed certs:
  - `~/Persistent/securedrop && make self-signed-https-certs` on the Admin Workstation to generate the necessary files
  - `./securedrop-admin sdconfig`

[x] Take a backup of your existing SecureDrop installation using the `securedrop-admin backup` command. You will need enough free space on your Admin Workstation USB to complete this backup.
[x] ~Either~ run the ansible QA playbook from `qa-update-playbook` (pending #6123):
https://github.com/freedomofpress/securedrop/blob/ed008a0e49738ab8695fe438255b9ee06362831f/install_files/ansible-base/securedrop-qa.yml#L7-L18
Retesting only those cases that failed or raised questions in https://github.com/freedomofpress/securedrop/issues/6103#issuecomment-938341940...
  - `/lookup` page vs the corresponding page on https://demo-source.securedrop.org
  - https://demo-source.securedrop.org and pay attention to how the experience feels
  - `/etc/apache2/sites-enabled/source.conf` and verify that it contains the line `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2`
```sh-session
amnesia@amnesia:~/Persistent/securedrop$ git branch --points-at HEAD
* release/2.1.0
amnesia@amnesia:~/Persistent/securedrop$ ssh app "grep 'SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2' /etc/apache2/sites-enabled/source.conf"
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
```
  - `sudo apt install -y testssl.sh -t buster-backports` in Tails, then run `testssl.sh <onion url>`. Confirm that only TLSv1.3 is provided; all earlier protos are not.
```sh-session
amnesia@amnesia:~/Persistent/securedrop$ testssl https://e336cukmz45e4ittiaa35gxjojz6467355tkssnpjbclv3omk2fmb6yd.onion/
amnesia@amnesia:~/Persistent/securedrop$ testssl
[...]
Testing protocols via sockets except NPN+ALPN
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 not offered
TLS 1.3 offered (OK): final
NPN/SPDY not offered
ALPN/HTTP2 http/1.1 (offered)
[...]
```
  - `22245C81E3BAEB4138B36061310F561200F4AD77` is not present on the application or monitor servers, e.g. by running the command `for s in app mon; do ssh $s sudo apt-key list` from the Admin workstation
```sh-session
amnesia@amnesia:~/Persistent/securedrop$ git branch --points-at HEAD
* release/2.1.0
amnesia@amnesia:~/Persistent/securedrop$ for s in app mon; do ssh $s sudo apt-key list | grep -b2 -a1 "2224"; done
Warning: apt-key output should not be parsed (stdout is not a terminal)
Warning: apt-key output should not be parsed (stdout is not a terminal)
```
  - `2359 E653 8C06 13E6 5295 5E6C 188E DD3B 7B22 E6A3` is present on the servers
```sh-session
amnesia@amnesia:~/Persistent/securedrop$ git branch --points-at HEAD
* release/2.1.0
amnesia@amnesia:~/Persistent/securedrop$ for s in app mon; do ssh $s sudo apt-key list | grep -b2 -a1 "2359"; done
Warning: apt-key output should not be parsed (stdout is not a terminal)
326-pub rsa4096 2021-05-10 [SC] [expires: 2022-07-04]
378: 2359 E653 8C06 13E6 5295 5E6C 188E DD3B 7B22 E6A3
435-uid [ unknown] SecureDrop Release Signing Key <securedrop-release-key-2021@freedom.press>
Warning: apt-key output should not be parsed (stdout is not a terminal)
326-pub rsa4096 2021-05-10 [SC] [expires: 2022-07-04]
378: 2359 E653 8C06 13E6 5295 5E6C 188E DD3B 7B22 E6A3
435-uid [ unknown] SecureDrop Release Signing Key <securedrop-release-key-2021@freedom.press>
```
No further concerns to point out. 100% of all testinfra tests pass on my prod VMs, which is mostly due to the key clobbering mentioned in https://github.com/freedomofpress/securedrop/issues/6103#issuecomment-943852881, but again, not a release-blocker. 2.1.0 is looking good to me! Will focus on LM tasks over the weekend to see if we can't drum up a bit more coverage. Thereafter, it's by the numbers.
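The key checks in this thread pipe `apt-key list` through `grep`, which `apt-key` itself flags ("output should not be parsed"). As an added example (not part of the thread or of SecureDrop's tooling), the same two checks can be run against GnuPG's machine-readable `--with-colons` listing. The function names and the two sample listings are constructed here to mirror the rc1 and rc2 states reported above; only the two fingerprints come from the thread.

```shell
#!/bin/sh
# Added example: check a trusted keyring for a retired and a current signing
# key using GnuPG's colon-delimited listing instead of grepping `apt-key list`.
# On a server the listing would come from, e.g.:
#   ssh app sudo apt-key adv --list-public-keys --with-fingerprint --with-colons

RETIRED='22245C81E3BAEB4138B36061310F561200F4AD77'            # from the thread
CURRENT='2359 E653 8C06 13E6 5295 5E6C 188E DD3B 7B22 E6A3'   # from the thread

# key_status FPR: read a --with-colons listing on stdin; print "absent" or
# "present:<validity>" (field 2 of the pub record: e=expired, r=revoked, ...).
key_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -F: -v want="$want" '
        $1 == "pub" { validity = $2; primary = 1; next }
        $1 == "sub" { primary = 0; next }
        # Only the fpr record directly after a pub record names a primary key.
        $1 == "fpr" && primary {
            if ($10 == want) { hit = 1; found = validity }
            primary = 0
        }
        END { if (hit) print "present:" found; else print "absent" }
    '
}

# verify_keyring RETIRED_FPR CURRENT_FPR: succeed only if the retired key is
# gone and the current key is present and neither expired nor revoked.
verify_keyring() {
    listing=$(cat)
    old=$(printf '%s\n' "$listing" | key_status "$1")
    new=$(printf '%s\n' "$listing" | key_status "$2")
    [ "$old" = "absent" ] || { echo "FAIL: retired key still trusted ($old)"; return 1; }
    case "$new" in
        absent)              echo "FAIL: current key missing"; return 1 ;;
        present:e|present:r) echo "FAIL: current key unusable ($new)"; return 1 ;;
    esac
    echo "OK: current key $new, retired key absent"
}

# Constructed listings (timestamps and record details are illustrative).
sample_rc2() {
cat <<'EOF'
pub:-:4096:1:188EDD3B7B22E6A3:1620604800:1656892800::-:::scESC::::::23::0:
fpr:::::::::2359E6538C0613E652955E6C188EDD3B7B22E6A3:
uid:-::::1620604800::::SecureDrop Release Signing Key <securedrop-release-key-2021@freedom.press>::::::::::0:
EOF
}

sample_rc1() {
cat <<'EOF'
pub:e:4096:1:310F561200F4AD77:1476921600:1625011200::-:::sc::::::23::0:
fpr:::::::::22245C81E3BAEB4138B36061310F561200F4AD77:
uid:e::::1476921600::::SecureDrop Release Signing Key::::::::::0:
EOF
sample_rc2
}

# Stand-alone demo: the rc1-style keyring fails, the rc2-style keyring passes.
sample_rc1 | verify_keyring "$RETIRED" "$CURRENT" || true
sample_rc2 | verify_keyring "$RETIRED" "$CURRENT"
```

Matching on the full fingerprint field avoids the false positives a four-character `grep` prefix can produce, and the validity flag distinguishes a key that is merely present from one that is still usable.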
> So far so good on 2.1.0~rc2. One issue of note is that on the clean install scenario, I observed an apt-update failure: ... It appears the order of operations is as follows:
>
> 1. All apt packages updated in `prepare-servers`, as expected
> 2. apt-test key is added via local modifications of the `install-fpf-repo` vars, as part of QA
> 3. apt-test repo URL is added via local modifications of the `install-fpf-repo` vars, as part of QA
> 4. the `securedrop-keyring` package is installed from apt-test, which clobbers the test key with the prod key upon installation
> 5. the `common` role fails to update apt lists again, since the apt-test repo is configured but the key is removed
>
> This issue only affects QA testing, it isn't a problem for prod. But I'm documenting it here in case other testers encounter it.
I'm confused as to why we weren't seeing this all the time in QA, it looks like the only possibly-relevant change was the upgrade added in `prepare-servers`. It could probably be avoided by either:
  - `when "apt_repo_url" != "https://apt.freedom.press"` would seem like the minimal change necessary)

I don't think it merits another RC if there's a workaround, but we should fix this for the next release, as it means clean install test scenarios aren't exactly representative of reality.
I've updated https://github.com/freedomofpress/securedrop/issues/6103#issuecomment-943859841 to log some surprising testinfra failures in the VM upgrade scenario, which I'll investigate further on Monday.
https://github.com/freedomofpress/securedrop/issues/6103#issuecomment-944786736:
> I've updated #6103 (comment) to log some surprising testinfra failures in the VM upgrade scenario, which I'll investigate further on Monday.
Initial investigations follow.
FAILED app/test_apparmor.py::test_apparmor_pkg[paramiko:/app-apparmor-utils]
FAILED app/test_apparmor.py::test_apparmor_pkg[paramiko:/app-apparmor] - para...
FAILED app/test_apparmor.py::test_apparmor_apache_capabilities[paramiko:/app-dac_override]
`paramiko.ssh_exception.SSHException: No existing session` errors look like transient SSH failures.
FAILED app/test_ossec_agent.py::test_hosts_files[paramiko:/app] - AssertionEr...
Seems to be looking for default hostname `mon` rather than configured hostname `mon-prod`:
```sh-session
amnesia@amnesia:~/Persistent/securedrop$ ssh app cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 app-prod app-prod
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.121.58 mon-prod securedrop-monitor-server-alias
```
FAILED common/test_fpf_apt_repo.py::test_fpf_apt_repo_present[paramiko:/app]
FAILED common/test_fpf_apt_repo.py::test_fpf_apt_repo_present[paramiko:/mon]
Expected per https://github.com/freedomofpress/securedrop/issues/6103#issuecomment-939044457.
FAILED common/test_automatic_updates.py::test_unattended_upgrades_functional[paramiko:/app]
Looks like a change in `unattended-upgrades --dry-run` behavior:
E assert 'No packages found that can be upgraded unattended and no pending auto-removals' in "Starting unattended upgrades script\nAllowed origins are: origin=Ubuntu,archive=focal, origin=Ubuntu,archive=focal-se...ades installed\nInstCount=0 DelCount=0 BrokenCount=0\nThe list of kept packages can't be calculated in dry-run mode.\n"
E + where "Starting unattended upgrades script\nAllowed origins are: origin=Ubuntu,archive=focal, origin=Ubuntu,archive=focal-se...ades installed\nInstCount=0 DelCount=0 BrokenCount=0\nThe list of kept packages can't be calculated in dry-run mode.\n" = CommandResult(command=b'sudo unattended-upgrades --dry-run --debug', exit_status=0, stdout=b"Starting unattended upgra.../usr/bin/dpkg --force-confdef --force-confold --force-confdef --force-confold --status-fd 10 --configure --pending \n').stdout
FAILED mon/test_ossec_server.py::test_ossec_connectivity[paramiko:/mon] - Ass...
FAILED mon/test_ossec_server.py::test_hosts_files[paramiko:/mon] - AssertionE...
FAILED mon/test_postfix.py::test_postfix_generic_maps[paramiko:/mon] - Assert...
Looking for default hostnames `app` and `mon` rather than configured hostnames `{app,mon}-prod` (see https://github.com/freedomofpress/securedrop/issues/6127#issuecomment-938342242).
Thanks @cfm:
  - `install_files/ansible-base/group_vars/all/site-specific` file created by `./securedrop-admin sdconfig`. Looks like the server hostnames are not being overridden. So if they're not named according to the reccos in the docs I'd expect to see this error. Would be an easy fix to override them too methinks - check `molecule/testinfra/conftest.py`.

It would be good to get a clean run if possible on the unattended-upgrades one (immediately after a non-dry-run one should be cool), but otherwise I think we're ok here.
@zenmonkeykstop in https://github.com/freedomofpress/securedrop/issues/6103#issuecomment-946018659:
> - The unattended-upgrades error may just be bad luck - the test seems to assume that the system is up-to-date, which will not be true if new updates have been made available since installation or the overnight run.
>
> It would be good to get a clean run if possible on the unattended-upgrades one (immediately after a non-dry-run one should be cool), but otherwise I think we're ok here.
Thanks for this suggestion. Confirmed that `common/test_automatic_updates.py::test_unattended_upgrades_functional` has subsequently passed with:
```sh-session
amnesia@amnesia:~/Persistent/securedrop$ ssh app "sudo unattended-upgrades -d && sudo reboot"
amnesia@amnesia:~/Persistent/securedrop$ ssh mon "sudo unattended-upgrades -d && sudo reboot"
amnesia@amnesia:~/Persistent/securedrop$ ./securedrop-admin verify
```
So all of https://github.com/freedomofpress/securedrop/issues/6103#issuecomment-945983929 is safe to ignore for QA and release purposes.
`./securedrop-admin verify` are passing: FAIL
  - `cd ~/Persistent/securedrop && ./securedrop-admin setup -t`
  - `./securedrop-admin verify` (this will take a while)
  - `rm -rf admin/.venv3/ && ./securedrop-admin setup`
[x] #6075 - valid HTML time tags
[x] #5695 - scrypt and sessions refactor
  - `sudo -u www-data gpg --homedir /var/lib/securedrop/keys -k`
  - `/lookup` page vs the corresponding page on https://demo-source.securedrop.org
  - `manage.py add-admin` on the application server are 32 chars long and can be used to generate valid TOTP codes via the Google Authenticator mobile app

[x] #5696 - no JS in user delete modal
  - `/etc/apache2/sites-enabled/source.conf` and verify that it contains the line `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2`

[x] #5979 - Remove expired key
  - `22245C81E3BAEB4138B36061310F561200F4AD77` is not present on the application or monitor servers, e.g. by running the command `for s in app mon; do ssh $s sudo apt-key list` from the Admin workstation
  - `2359 E653 8C06 13E6 5295 5E6C 188E DD3B 7B22 E6A3` is present on the servers

[x] #5909 - Manually-transferred backup
  - `./securedrop-admin backup`
  - `scp sd-backup.tar.gz app:/tmp/sd-backup-transfer.tar.gz`
  - `./securedrop-admin restore --no-transfer sd-backup-transfer.tar.gz` completes successfully, and that the local backup file is not transferred to the server during the playbook run.

[ ] #6110 - Repair Tails installer skipped
  - `./securedrop-admin tailsconfig` completes successfully and the Tails OS Updater starts without displaying errors
  - `./securedrop-admin tailsconfig` completes successfully without triggering the Tails OS Updater
  - `/etc/os-release` to change the TAILS_VERSION_ID to a pre-4.19 version
  - `touch /usr/local/etc/ssl/certs/tails.boum.org-CA.pem`
  - `/usr/local/etc/ssl/certs/tails.boum.org-CA.pem`

Updated an Admin Workstation on Tails 4.22 from SecureDrop 2.0.2 to SecureDrop 2.1.0 successfully using the graphical updater.
This is a tracking issue for the release of SecureDrop 2.1.0
Scheduled as follows:
- Feature / string freeze: 2021-09-28
- Pre-release announcement: 2021-10-12
- Release date: 2021-10-19
- Release manager: @zenmonkeykstop
- Deputy release manager: @conorsch
- Communications manager: @eloquence
- Localization manager: @conorsch
- Deputy LM: @cfm [tentative]

QA team: @creviera @tesitura @cfm @conorsch @zenmonkeykstop
SecureDrop maintainers and testers: As you QA 2.1.0, please report back your testing results as comments on this ticket. File GitHub issues for any problems found, tag them "QA: Release", and associate them with the 2.1.0 milestone for tracking (or ask a maintainer to do so).
Test debian packages will be posted on https://apt-test.freedom.press signed with the test key
QA Matrix for 2.1.0
Test Plan for 2.1.0
Prepare release candidate (2.1.0~rc1)
  - `2.1.0~rc1` on test apt server

Prepare release candidate (2.1.0~rc2)
  - `2.1.0~rc2` on test apt server - https://github.com/freedomofpress/securedrop-dev-packages-lfs/pull/125

After each test, please update the QA matrix and post details for Basic Server Testing, Application Acceptance Testing and release-specific testing below in comments to this ticket.

Final release
  - `release` branch in the LFS repo)
  - `release` branch in the LFS repo for the debs)
  - `main` in the LFS repo)
  - `main` and verify new docs build in securedrop-docs repo

Post release
  - `securedrop-docs` (version information in Wagtail is updated automatically)
  - `develop`