Open jgowdy opened 3 years ago
Updated would simply set up a timer, configurable, perhaps as frequently as every 1-5 minutes. On that timer interval the files managed by Updated would be checked and, if updated, replaced and restarted. Updated keeps us online when bad/failed updates happen, allowing us to revert or repeatedly try to release.
When Updated updates itself, it does so in a paranoid fashion, ensuring that we never lose connectivity to the Node.
Updates can be based on HTTP-accessible single-file binaries, optionally compressed with standard extensions (meshd.xz). There would be a file called “versions.txt” which contains a list of files like “meshd-20210501-1.xz” or “meshd-2.0.1.xz”, each with a sha256 hash, a UTC published date/time, a revoked flag, and an optional mirror list name. There would be a file called “mirrors.txt” with a “default” mirror list and then, optionally, additional named mirror lists.
Mirror paths are simply prepended to the desired file name. Mirror paths that fail are skipped and other mirrors are tried.
The two files “versions.txt” and “mirrors.txt” should be available at either of two hard-coded host names (on different domain names), or overridden by parameter. versions.txt and mirrors.txt should be signed, so that hijacking the DNS of the source servers accomplishes nothing but a failed attempt.
As long as the binaries and the versions/mirrors files are all signed by a trusted CA (or really an intermediate), the Updated service should be secure. Updated would be configured with the CA, or possibly the CA would even be compiled in.
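The flow proposed above, written out as an added example in Go using only the standard library; this is not code from the issue or from the project. Everything about the file layouts is an assumption: versions.txt is taken as whitespace-separated `<file> <sha256> <published RFC 3339> <revoked 0|1> [mirror list name]`, mirrors.txt as `<list name> <URL prefix>` per line, the signature as a detached Ed25519 signature checked against one pinned public key (standing in for the CA/intermediate scheme), and a `fetch` callback replaces the HTTP client so the block runs offline on constructed data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// Entry is one versions.txt line: <file> <sha256> <published RFC 3339> <revoked 0|1> [mirror list]
type Entry struct {
	File      string
	SHA256    string
	Published time.Time
	Revoked   bool
	Mirrors   string // list name in mirrors.txt, "default" when omitted
}

// VerifyManifest checks a detached Ed25519 signature; one pinned key stands in for the CA (assumption).
func VerifyManifest(pub ed25519.PublicKey, body, sig []byte) error {
	if !ed25519.Verify(pub, body, sig) {
		return fmt.Errorf("manifest signature invalid")
	}
	return nil
}

// ParseVersions parses versions.txt; call it only after VerifyManifest succeeded.
func ParseVersions(body []byte) ([]Entry, error) {
	var out []Entry
	for _, line := range strings.Split(string(body), "\n") {
		f := strings.Fields(line)
		if len(f) == 0 || strings.HasPrefix(f[0], "#") {
			continue // blank line or comment
		}
		if len(f) < 4 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		if raw, err := hex.DecodeString(f[1]); err != nil || len(raw) != sha256.Size {
			return nil, fmt.Errorf("bad sha256 for %s", f[0])
		}
		t, err := time.Parse(time.RFC3339, f[2])
		if err != nil {
			return nil, fmt.Errorf("bad published time for %s: %w", f[0], err)
		}
		e := Entry{File: f[0], SHA256: strings.ToLower(f[1]), Published: t.UTC(),
			Revoked: f[3] == "1", Mirrors: "default"}
		if len(f) > 4 {
			e.Mirrors = f[4]
		}
		out = append(out, e)
	}
	return out, nil
}

// ParseMirrors parses mirrors.txt as "<list name> <URL prefix>" per line (assumed layout).
func ParseMirrors(body []byte) map[string][]string {
	lists := map[string][]string{}
	for _, line := range strings.Split(string(body), "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			lists[f[0]] = append(lists[f[0]], f[1])
		}
	}
	return lists
}

// Latest returns the newest non-revoked entry, so revoking a bad release in the signed
// manifest sends nodes back to the previous good one.
func Latest(entries []Entry) (Entry, bool) {
	best, found := Entry{}, false
	for _, e := range entries {
		if !e.Revoked && (!found || e.Published.After(best.Published)) {
			best, found = e, true
		}
	}
	return best, found
}

// Download prepends each mirror prefix to the file name and tries the mirrors in order;
// fetch stands in for the HTTP client so the example runs offline. A mirror that errors or
// serves bytes whose sha256 differs from the signed manifest is skipped like a dead one.
func Download(e Entry, mirrors map[string][]string, fetch func(string) ([]byte, error)) ([]byte, string, error) {
	for _, prefix := range mirrors[e.Mirrors] {
		url := prefix + e.File
		data, err := fetch(url)
		if sum := sha256.Sum256(data); err != nil || hex.EncodeToString(sum[:]) != e.SHA256 {
			continue
		}
		return data, url, nil
	}
	return nil, "", fmt.Errorf("no mirror delivered a valid %s", e.File)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // throwaway key so the block runs stand-alone
	m := []byte("meshd-2.0.1.xz " + strings.Repeat("00", 32) + " 2021-05-01T12:00:00Z 0\n")
	fmt.Println("manifest verifies:", VerifyManifest(pub, m, ed25519.Sign(priv, m)) == nil)
}
```

Decompressing the .xz after the hash check is left out (no xz support in the Go standard library). Two points worth keeping in mind with this design: because the sha256 in the signed manifest already binds the binary, a hijacked mirror or DNS can only make a download fail, as the issue intends; but an attacker who can serve an older, still validly signed versions.txt can hold nodes on an old release, so a real client should refuse a manifest whose newest published time is older than the last one it accepted, or the manifest should carry an expiry.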