Release SecureDrop 2.4.2

[zenmonkeykstop]

This is a tracking issue for the release of SecureDrop 2.4.2

Tentatively scheduled as follows:

Pre-release announcement: 2022-08-02
Release date: 2022-08-08

Release manager: @legoktm
Deputy release manager: @eaon
Communications manager:: @eloquence and @gonzalo-bulnes

SecureDrop maintainers and testers: As you QA 2.4.2, please report back your testing results as comments on this ticket. File GitHub issues for any problems found, tag them "QA: Release".

Test debian packages will be posted on https://apt-test.freedom.press signed with the test key. An Ansible playbook testing the upgrade path is here.

QA Matrix for 2.4.2

Test Plan for 2.4.2

Prepare release candidate (2.4.2~rc1)

• Build 5.15.57 kernel packages and deploy to apt-test.freedom.press
• Link to latest version of Tails, including release candidates, to test against during QA
• Prepare 2.4.2~rc1 release changelog
• Branch off release/2.4.2 from release/2.4.1
• Prepare 2.4.2~rc1
• Build debs, preserving build log, and put up 2.4.2~rc1 on test apt server
• Commit build log.

After each test, please update the QA matrix and post details for Basic Server Testing, Application Acceptance Testing and release-specific testing below in comments to this ticket.

Final release

• Ensure builder in release branch is updated and/or update builder image
• Push signed tag
• Pre-Flight: Test updater logic in Tails (apt-qa tracks the release branch in the LFS repo)
• Build final Debian packages(and preserve build log)
• Commit package build log to https://github.com/freedomofpress/build-logs
• Upload Debian packages, including 5.15.57 grsec kernel packages, to apt-qa server
• Pre-Flight: Test that install and upgrade from 2.4.1 to 2.4.2 works w/ prod repo debs (apt-qa.freedom.press polls the release branch in the LFS repo for the debs)
• Flip apt QA server to prod status (merge to main in the LFS repo)
• Merge Docs branch changes to main and verify new docs build in securedrop-docs repo
• Prepare release messaging

Post release

• Create GitHub release object
• Once release object is created, update versions in securedrop-docs and Wagtail
• Verify new docs show up on https://docs.securedrop.org
• Publish announcements
• Merge changelog back to develop
• Update roadmap wiki page: https://github.com/freedomofpress/securedrop/wiki/Development-Roadmap

[legoktm]

Environment

• Install target: NUC11 (app) / NUC10 (mon)
• Tails version: 5.0
• Test Scenario: Upgrade
• SSH over Tor: yes
• Release candidate: 2.4.2-rc1
• General notes:

Basic Server Testing

• After installing the testinfra dependencies, all tests in ./securedrop-admin verify are passing:
  • Install dependencies on Admin Workstation with cd ~/Persistent/securedrop && ./securedrop-admin setup -t
  • Run tests with ./securedrop-admin verify (this will take a while)
  • Remove test dependencies: rm -rf admin/.venv3/ && ./securedrop-admin setup
• QA Matrix checks pass

Basic Tails Testing

After updating to this release candidate and running securedrop-admin tailsconfig

• The Updater GUI appears on boot

2.4.2 release-specific changes

• Kernel is updated to 5.15.57 #6506
  • both app and mon servers are using the 5.15.57 grsec kernel
  • paxtest tests return [expected results]
  • spectre-meltdown tests return expected results

[sssoleileraaa]

Environment

2.4.2 release-specific changes

For both my NUC7i5BNH and NUC8i5BEK1 mon servers:

• Kernel is updated to 5.15.57
• Server is using the 5.15.57 grsec kernel (install, reboot, check uname -r)
• spectre-meltdown tests return expected results

[legoktm]

Environment

• Install target: NUC11 (app) / NUC10 (mon)
• Tails version: 5.0
• Test Scenario: Upgrade
• SSH over Tor: Yes
• Release candidate: 2.4.2 (final)
• General notes: LGTM

Basic Server Testing

• After installing the testinfra dependencies, all tests in ./securedrop-admin verify are passing:
  • Install dependencies on Admin Workstation with cd ~/Persistent/securedrop && ./securedrop-admin setup -t
  • Run tests with ./securedrop-admin verify (this will take a while)
  • Remove test dependencies: rm -rf admin/.venv3/ && ./securedrop-admin setup
• QA Matrix checks pass

Basic Tails Testing

After updating to this release candidate and running securedrop-admin tailsconfig

• The Updater GUI appears on boot

2.4.2 release-specific changes

• Kernel is updated to 5.15.57 #6506
  • both app and mon servers are using the 5.15.57 grsec kernel
  • paxtest tests return [expected results]
  • spectre-meltdown tests return expected results

Preflight testing

Basic testing

• Install or upgrade occurs without error (from apt-qa.freedom.press per preflight procedure)
• Source interface is available and version string indicates it is 2.4.2
• A message can be successfully submitted

Tails

• The updater GUI appears on boot
• The update successfully occurs to 2.4.2
• After reboot, updater GUI no longer appears

[legoktm]

Also for completeness, @eaon tested the new kernel (with rc1) on a Dell PowerEdge R420.

[eloquence]

My first graphical updater run errored out due to its gpg command exiting with exit code 2. I was able to reproduce the error outside Tails by running the command our updater runs, gpg --batch --no-tty --recv-key --keyserver hkps://keys.openpgp.org "2359 E653 8C06 13E6 5295 5E6C 188E DD3B 7B22 E6A3". The command exited with gpg: keyserver receive failed: Server indicated a failure. A second run (both outside Tails and via the updater) was successful, suggesting some keys.openpgp.org flakiness at the time.