Use reprepro to automatically pull Tor packages #128
Merged
legoktm added a commit to freedomofpress/securedrop-builder that referenced this pull request on Feb 2, 2022
Instead of maintaining and running a custom molecule playbook to pull down Tor packages, we can use reprepro's built-in update functionality. Once <freedomofpress/securedrop-apt-test#128> is merged, we can run `reprepro update` to automatically check the upstream Tor apt repo, pulling down new debs if they're available. The CI job checks out the securedrop-dev-packages-lfs repository, runs `reprepro update` and copies over the newly fetched debs. If there's a difference, it'll commit the new packages and push. In the future we could publish an image with the reprepro, etc. packages pre-installed so we don't have to do it at runtime. Refs <freedomofpress/securedrop#6233>.
legoktm added a commit to freedomofpress/securedrop-builder that referenced this pull request on Feb 28, 2022
Instead of maintaining and running a custom molecule playbook to pull down Tor packages, we can use reprepro's built-in update functionality. Once <freedomofpress/securedrop-apt-test#128> is merged, we can run `reprepro update` to automatically check the upstream Tor apt repo, pulling down new debs if they're available. The CI job checks out the securedrop-dev-packages-lfs repository, runs `reprepro update` and copies over the newly fetched debs. If there's a difference, it'll commit the new packages and push. In the future we could publish an image with the reprepro, etc. packages pre-installed so we don't have to do it at runtime. Refs <freedomofpress/securedrop#6233>.
zenmonkeykstop approved these changes on Mar 11, 2022
Test plan checks out, key matches that available on deb.torproject.org and latest stable Focal packages are downloaded!
legoktm added a commit to freedomofpress/securedrop that referenced this pull request on Mar 17, 2022
We now use reprepro-update with CI to automatically fetch Tor packages every night. This is now obsolete and no longer needed.
See:
* freedomofpress/securedrop-apt-test#128
* freedomofpress/securedrop-builder#287

Refs #6233.
Status
Ready for review
Description of changes
Instead of maintaining and running a custom molecule playbook to pull
down Tor packages, we can use reprepro's built-in update functionality.
With this configuration, getting new Tor packages just requires:
```
$ gpg --import repo/conf/updates-keys/*.gpg
$ REPREPRO_BASE_DIR=repo reprepro --export=never update
```
And the latest Tor packages will be in repo/pool/t/tor/, where they
can be moved to core/focal and committed. For apt-test we should be
able to have CI do this regularly.
The container that runs the above commands will just need reprepro,
ca-certificates and dctrl-tools installed.
The bundled key was downloaded from https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc.
Refs freedomofpress/securedrop#6233.
Test plan
`apt install reprepro ca-certificates dctrl-tools`. Then run the two `gpg --import...` and `reprepro update` commands as written above and verify the latest Tor packages are in repo/pool/t/tor/, and these packages match the ones currently in the repo (or if a new upstream version is released, that they match those).
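
A guard for the `gpg --import repo/conf/updates-keys/*.gpg` step, as an added example that is not part of this PR or the project's own code: it imports the key files only if every primary key fingerprint matches the one in the key URL quoted in the description. The function names, `PINNED_FPRS` and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: import a keyring file only if every primary key in it is pinned.
# Fingerprint taken from the key URL in the PR description.
PINNED_FPRS="A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89"

# Constructed sample of `gpg --with-colons` output (dates, uid and the subkey
# fingerprint are made up); used only to exercise the parser offline.
SAMPLE_COLONS='pub:-:4096:1:EE8CBC9E886DDD89:0:::-:::scESC:
fpr:::::::::A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89:
uid:-::::0::::constructed uid:
sub:-:4096:1:0000000000000001:0::::::s:
fpr:::::::::0000000000000000000000000000000000000001:'

# Print the fingerprint of each primary key: the fpr record that directly
# follows a pub record. Subkey fpr records (after sub) are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Read a colon-format key listing on stdin; succeed only if it contains at
# least one primary key and every primary fingerprint is in PINNED_FPRS.
check_fprs() {
    fprs=$(primary_fprs)
    [ -n "$fprs" ] || { echo "no primary key found" >&2; return 1; }
    for fpr in $fprs; do
        case " $PINNED_FPRS " in
            *" $fpr "*) ;;
            *) echo "unpinned key: $fpr" >&2; return 1 ;;
        esac
    done
    return 0
}

# Inspect each *.gpg file in DIR without touching the keyring, then import.
import_pinned_keys() {
    for keyfile in "$1"/*.gpg; do
        [ -e "$keyfile" ] || { echo "no key files in $1" >&2; return 1; }
        gpg --show-keys --with-colons "$keyfile" | check_fprs || {
            echo "refusing to import $keyfile" >&2; return 1; }
    done
    gpg --import "$1"/*.gpg
}

# Stand-alone use: sh this-script repo/conf/updates-keys
if [ -n "${1:-}" ]; then import_pinned_keys "$1"; fi
```

Matching on the primary key's `fpr` record matters: a file whose subkey happens to carry a pinned fingerprint under a different primary key is rejected.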