This is a tracking issue for the upcoming release of SecureDrop 0.11.0 - tasks may get added or modified.
Feature freeze: November 27, 2018
String freeze: December 04, 2018
Pre-release announcement: December 04, 2018
Release date: December 11, 2018
_SecureDrop maintainers and testers:_ As you QA 0.11.0, please report back your testing results as comments on this ticket. File GitHub issues for any problems found, tag them "QA: Release", and associate them with the 0.11.0 milestone for tracking (or ask a maintainer to do so).
Test debian packages will be posted on https://apt-test.freedom.press signed with the test key. An Ansible playbook testing the upgrade path is here.
0.11.0~rc1 on test apt server - @emkll 0.11.0~rc2 on test apt server - @emkll 0.11.0~rc3 on test apt server - @emkll 0.11.0~rc4 on test apt server - @emkll 0.11.0~rc5 on test apt server - @emkll After each test, please update the QA matrix and post details for Basic Server Testing, Application Acceptance Testing and 0.11.0-specific testing below in comments to this ticket.
linux-image, linux-firmware, and tor packages) to apt test - @conorsch develop - @redshiftzero develop in prep for 0.12.0 release - @redshiftzero (IN PROGRESS)
After updating to this release candidate and running securedrop-admin tailsconfig
These tests should be performed the day of release prior to live debian packages on apt.freedom.press
Hi @kushaldas, unfortunately I can't complete the task "Build final Debian packages for 0.11.0", you might need @conorsch to help with this.
After updating to this release candidate and running securedrop-admin tailsconfig
[x] Change the OSSEC pubkey post-install using securedrop-admin
[ ] (Upgrade only) Make sure no 3.14.x grsecurity kernels are left in the system (#3913)
Though I am running the latest kernel, I can still see 3.14.x series of kernels on the vm. @emkll also check the output of the following command:
# cron-apt -i -s
CRON-APT RUN [/etc/cron-apt/config]: Mon Dec 3 12:04:34 UTC 2018
CRON-APT ACTION: 0-update
CRON-APT LINE: /usr/bin/apt-get -o quiet=1 update -o quiet=2 -o Dir::Etc::SourceList=/etc/apt/security.list -o Dir::Etc::SourceParts=""
CRON-APT ACTION: 1-remove
CRON-APT LINE: /usr/bin/apt-get -o quiet=1 remove -y linux-image-generic-lts-xenial linux-image-.*generic -o quiet=2
CRON-APT ACTION: 5-security
CRON-APT LINE: /usr/bin/apt-get -o quiet=1 autoclean -y
Reading package lists...
Building dependency tree...
Reading state information...
CRON-APT LINE: /usr/bin/apt-get -o quiet=1 dist-upgrade -y -o APT::Get::Show-Upgraded=true -o Dir::Etc::SourceList=/etc/apt/security.list -o Dpkg::Options::=--force-confdef -o Dpkg::Options::=--force-confold
Reading package lists...
Building dependency tree...
Reading state information...
The following packages have been kept back:
securedrop-grsec
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
W: Duplicate sources.list entry https://apt-test.freedom.press/ trusty/main amd64 Packages (/var/lib/apt/lists/apt-test.freedom.press_dists_trusty_main_binary-amd64_Packages)
W: You may want to run apt-get update to correct these problems
CRON-APT LINE: /usr/bin/apt-get -o quiet=1 autoremove -y
Reading package lists...
Building dependency tree...
Reading state information...
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
@kushaldas I just reproduced this, the intel-microcode package is not installed due to iucode tool (>=1.0) not being installable.
intel-microcode comes from the security repo, but it's dependency iucode-tool comes from multiverse. Cron-apt will therefore not pull in the depencency, and lead to a broken install.
I propose we back out the microcode update for 0.11.0 and investigate mirroring iucode-tools for the next release
I propose we back out the microcode update for 0.11.0 and investigate mirroring iucode-tools for the next release
I am +1 to this idea.
@emkll even with rc3, I can see old kernels in the box.
I used a wrong command to verify it. we should use sudo apt list --installed | grep grsec
Upgrade testing on VMs (Completed)
I forgot to do this, will do this next RC and/or on hardware
After updating to this release candidate and running securedrop-admin tailsconfig
securedrop-adminThese tests should be performed the day of release prior to live debian packages on apt.freedom.press
For both upgrades and fresh installs, here is a list of functionality that requires testing. You can use this for copy/pasting into your QA report. Feel free to edit this message to update the plan as appropriate.
If you have submitted a QA report already for a 0.11.0 release candidate with successful basic server testing and application acceptance testing sections, then you can skip these sections in subsequent reports, unless otherwise indicated by the Release Manager. This is to ensure that you focus your QA effort on the 0.11.0-specific changes as well as changes since the previous release candidate.
After updating to this release candidate and running securedrop-admin tailsconfig
securedrop-adminThese tests should be performed the day of release prior to live debian packages on apt.freedom.press
After updating to this release candidate and running securedrop-admin tailsconfig
securedrop-adminThese tests should be performed the day of release prior to live debian packages on apt.freedom.press
After updating to this release candidate and running securedrop-admin tailsconfig
securedrop-adminThese tests should be performed the day of release prior to live debian packages on apt.freedom.press
NOTE: I am not receiving OSSEC test emails, can anyone please confirm? Other OSSEC emails are flowing properly.
After updating to this release candidate and running securedrop-admin tailsconfig
securedrop-adminThese tests should be performed the day of release prior to live debian packages on apt.freedom.press
After updating to this release candidate and running securedrop-admin tailsconfig
securedrop-adminFor both upgrades and fresh installs, here is a list of functionality that requires testing. You can use this for copy/pasting into your QA report. Feel free to edit this message to update the plan as appropriate.
If you have submitted a QA report already for a 0.11.0 release candidate with successful basic server testing and application acceptance testing sections, then you can skip these sections in subsequent reports, unless otherwise indicated by the Release Manager. This is to ensure that you focus your QA effort on the 0.11.0-specific changes as well as changes since the previous release candidate.
After updating to this release candidate and running securedrop-admin tailsconfig
securedrop-adminThese tests should be performed the day of release prior to live debian packages on apt.freedom.press
source .venv/bin/activate && ansible --version returns 2.6.8SecureDrop 0.11.0 was released on December 11th, and all post-release items are finished, closing!
Most helpful comment
Hi @kushaldas, unfortunately I can't complete the task "Build final Debian packages for 0.11.0", you might need @conorsch to help with this.