Securedrop: Release SecureDrop 0.4.3

Created on 5 Sep 2017 · 9 Comments · Source: freedomofpress/securedrop

This is a tracking issue for the upcoming release of SecureDrop 0.4.3 - tasks may get added or modified.

Pre-release

  • [x] Send 0.4.3 pre-release notification to admins - @redshiftzero

Finish release candidate (0.4.3-rc1)

  • [x] Branch release/0.4.3 off develop - @redshiftzero
  • [x] Merge in any last minute PRs (feature freeze is EOD Sept 5)
  • [x] Build test debs - @conorsch
  • [x] Stand up test apt server with 0.4.3-rc1 packages - @conorsch

QA (0.4.3-rc1)

  • [x] Unit tests pass on 0.4.3 staging VMs - @redshiftzero
  • [x] Test upgrade from 0.4.2 works on prod w/ test repo debs - @dachary, @conorsch
  • [x] Test install (not upgrade) of 0.4.3 works on prod w/ test repo debs - @redshiftzero ✅

Finish release candidate (0.4.3-rc2)

  • [x] Make any necessary bugfixes
  • [x] Push up new rc - @redshiftzero
  • [x] Build test debs - @conorsch
  • [x] Stand up test apt server with 0.4.3-rc2 packages - @conorsch

QA (0.4.3-rc2)

  • [x] Test upgrade from 0.4.2 works on prod w/ test repo debs - @redshiftzero ✅
  • [x] Test install (not upgrade) of 0.4.3 works on prod w/ test repo debs - @redshiftzero ✅

Release

  • [x] Build final Debian packages for 0.4.3
  • [x] Release 0.4.3
  • [x] Publish blog post about 0.4.3 Debian package release and instructions for admins

Post-release

  • [x] Merge release changes into master branch
  • [x] Merge release changes into development branch

All 9 comments

No change today git log origin/develop..origin/release/0.4.3 is empty.

Some changes today

$ git --no-pager log --oneline origin/develop..origin/release/0.4.3 
dd51cd95 SecureDrop 0.4.3-rc1
b42e09e2 Merge pull request #2258 from freedomofpress/update-version-script-043
829935f6 Run update_version.sh script in development VM
c2c051b9 Install git and dch in the development VM

Proposed at https://github.com/freedomofpress/securedrop/pull/2263

Test upgrade from 0.4.2 works on prod w/ test repo debs

Used @conorsch playbook at https://gist.github.com/conorsch/e7556624df59b2a0f8b81f7c0c4f9b7d to do the upgrade.

I did that and confirmed the journalist / source interfaces work after the upgrade. I submitted a document via the source interface, created an admin user with ./manage.py, logged in via the journalist interface, downloaded the submitted document.

Went to take a look at the logs in /var/log/apache2 but did not notice anything unusual.

The mon server upgraded ok, the packages 0.4.3 are installed. Not sure how to verify it works as intended though, except the daemons are up and were restarted.

Thanks for testing the upgrade path @dachary! I usually test the mon server by decrypting a few of the OSSEC alerts and in particular looking for the "Ossec server started" email. Also, if you're using dummy values for OSSEC-related vars, you can SSH into mon and take a look through /var/ossec/logs/alerts/alerts.log (where the alerts are stored) to see if you spot any potential issues (for example, AppArmor denials will make it into this file and can indicate a forgotten rule).

I did a fresh install on prod VMs on 0.4.3-rc1 and tested in particular the following for the release, all looked good:

  • [x] Account with empty username cannot be created from command line
  • [x] Account with empty username cannot be created from the interface
  • [x] New account made on command line with diceware passphrase can log in
  • [x] New account made on interface with diceware passphrase can log in
  • [x] Edit own account flow with diceware passphrase works (user can log in with their new passphrase)
  • [x] Admin edits user account flow with diceware passphrase works (user can log in with their new passphrase)
  • [x] All activities in testing the source-journalist flow done while tailing Apache error logs /var/log/apache2/*error.log and nothing unusual appeared
  • [x] DEFAULT_LOCALE set to expected value (en_US) in config.py on app-prod

But found a couple of issues (#2269 #2270) while digging around and running through the source and journalist workflows.

No change today git log origin/develop..origin/release/0.4.3 is empty.

Just ran through the 0.4.2 to 0.4.3-rc2 upgrade process on VMs and I did not encounter any bugs. My particular testing steps for 0.4.3:

  • [x] Account with empty username cannot be created from command line
  • [x] Account with empty username cannot be created from the interface
  • [x] New account made on command line with diceware passphrase can log in
  • [x] New account made on interface with diceware passphrase can log in
  • [x] Edit own account flow with diceware passphrase works (user can log in with their new passphrase)
  • [x] Admin edits user account flow with diceware passphrase works (user can log in with their new passphrase)
  • [x] All activities in testing the source-journalist user flow done while tailing Apache error logs /var/log/apache2/*error.log and nothing suspicious appeared
  • [ ] DEFAULT_LOCALE set to expected value (en_US) in config.py on app-prod - this is not the case - added https://github.com/freedomofpress/securedrop/pull/2116#issuecomment-328232638
  • [x] PAM 2FA console login works on both servers (see #2270)

There are commits to merge back to develop from yesterday's action.

$ git --no-pager  log --oneline --cherry-mark --right-only origin/develop...origin/release/0.4.3
+ a1f77890 SecureDrop 0.4.3-rc2
+ 68a63ea6 Merge pull request #2271 from freedomofpress/wip-dachary-0.4.3-2269-delete-all
+ 67f41b67 source: hide the delete confirmation prompt
+ eb8230ed Merge pull request #2273 from freedomofpress/wip-dachary-0.4.3-2272-redis
= 53eaf57d Revert "Don't start redis server twice on Travis"

The 53eaf57d has been manually cherry-picked to develop already and shows with = meaning it has the same cherry-pick-id, proof it was not tampered with. The other commits should be merged.

Proposed at https://github.com/freedomofpress/securedrop/pull/2278

There are commits to merge back to develop from yesterday's action.

$ git --no-pager  log --oneline --cherry-mark --right-only origin/develop...origin/release/0.4.3
+ cb1d048a Merge pull request #2283 from freedomofpress/docs-dont-use-templates
+ de527dda Docs: For network firewall, use templates only as a reference
+ ce675b15 Merge pull request #2280 from freedomofpress/docs-add-mrphs-warning
+ bb598b8f Fix subnet in pfSense template - set to /24
+ 71aa2db7 Fix  tag typo in pfSense firewall template
+ d926b601 Remove warning about insecure login in Tor Browser

Proposed at https://github.com/freedomofpress/securedrop/pull/2284

The 0.4.3 release is complete, deployed SecureDrop instances have come back up on 0.4.3 without issue, and these changes are synced to the develop and master branches. Closing!
