Merge pull request #605 from freedomofpress/2.10.1

adapt v2.10.0 upgrade guide for v2.10.1

docs/admin/installation/set_up_admin_tails.rst

@@ -139,7 +139,7 @@ signed with the release signing key:
 
     cd ~/Persistent/securedrop/
     git fetch --tags
-    git tag -v 2.10.0
+    git tag -v 2.10.1
 
 The output should include the following two lines:
 
@@ -160,9 +160,9 @@ screen of your workstation. If it does, you can check out the new release:
 
 .. code:: sh
 
-    git checkout 2.10.0
+    git checkout 2.10.1
 
-.. important:: If you see the warning ``refname '2.10.0' is ambiguous`` in the
+.. important:: If you see the warning ``refname '2.10.1' is ambiguous`` in the
                output, we recommend that you contact us immediately at
                [email protected] (`GPG encrypted <https://securedrop.org/sites/default/files/fpf-email.asc>`__).
 

docs/admin/maintenance/backup_and_restore.rst

@@ -229,7 +229,7 @@ Migrating Using a V2+V3 or V3-Only Backup
 
       cd ~/Persistent/securedrop/
       git fetch --tags
-      git tag -v 2.10.0
+      git tag -v 2.10.1
 
    The output should include the following two lines:
 
@@ -250,10 +250,10 @@ Migrating Using a V2+V3 or V3-Only Backup
 
    .. code:: sh
 
-      git checkout 2.10.0
+      git checkout 2.10.1
 
    .. important::
-      If you see the warning ``refname '2.10.0' is ambiguous`` in the
+      If you see the warning ``refname '2.10.1' is ambiguous`` in the
       output, we recommend that you contact us immediately at
       [email protected]
       (`GPG encrypted <https://securedrop.org/sites/default/files/fpf-email.asc>`__).
@@ -472,7 +472,7 @@ source accounts, and journalist accounts. To do so, follow the steps below:
 
       cd ~/Persistent/securedrop/
       git fetch --tags
-      git tag -v 2.10.0
+      git tag -v 2.10.1
 
    The output should include the following two lines:
 
@@ -491,11 +491,11 @@ source accounts, and journalist accounts. To do so, follow the steps below:
 
    .. code:: sh
 
-      git checkout 2.10.0
+      git checkout 2.10.1
 
 
    .. important::
-      If you see the warning ``refname '2.10.0' is ambiguous`` in the
+      If you see the warning ``refname '2.10.1' is ambiguous`` in the
       output, we recommend that you contact us immediately at
       [email protected] (`GPG encrypted <https://securedrop.org/sites/default/files/fpf-email.asc>`__).
 

docs/admin/maintenance/update_workstations.rst

@@ -24,7 +24,7 @@ update by running the following commands: ::
   git fetch --tags
   gpg --keyserver hkps://keys.openpgp.org --recv-key \
    "2359 E653 8C06 13E6 5295 5E6C 188E DD3B 7B22 E6A3"
-  git tag -v 2.10.0
+  git tag -v 2.10.1
 
 The output should include the following two lines: ::
 
@@ -37,9 +37,9 @@ on the screen of your workstation. A warning that the key is not certified
 is normal and expected. If the output includes the lines above, you can check
 out the new release: ::
 
-    git checkout 2.10.0
+    git checkout 2.10.1
 
-.. important:: If you do see the warning "refname '2.10.0' is ambiguous" in the
+.. important:: If you do see the warning "refname '2.10.1' is ambiguous" in the
   output, we recommend that you contact us immediately at [email protected]
   (`GPG encrypted <https://securedrop.org/sites/default/files/fpf-email.asc>`__).
 

docs/conf.py

@@ -46,7 +46,7 @@
 # built documents.
 #
 # The short X.Y version.
-version = "2.10.0"
+version = "2.10.1"
 # The full version, including alpha/beta/rc tags.
 # On the live site, this will be overridden to "stable" or "latest".
 release = os.environ.get("SECUREDROP_DOCS_RELEASE", version)

docs/index.rst

@@ -151,6 +151,7 @@ Get Started
    :maxdepth: 2
    :hidden:
 
+   upgrade/2.10.0_to_2.10.1.rst
    upgrade/2.9.0_to_2.10.0.rst
    upgrade/2.8.0_to_2.9.0.rst
    upgrade/2.7.0_to_2.8.0.rst

docs/upgrade/2.10.0_to_2.10.1.rst

@@ -0,0 +1,136 @@
+.. _latest_upgrade_guide:
+
+Upgrade from 2.10.0 to 2.10.1
+=============================
+
+Update Servers to SecureDrop 2.10.1
+------------------------------------
+
+Servers running Ubuntu 20.04 will be updated to the latest version of SecureDrop
+automatically within 24 hours of the release.
+
+Update Workstations to SecureDrop 2.10.1 and Tails 6
+----------------------------------------------------
+If you have not already upgraded to Tails 6 alogside the 2.10.0 release,
+you should do so as part of this upgrade. Please note that the upgrade
+from Tails 6 must be performed manually. If you have already upgraded
+to Tails 6, you only need to complete Step 1 below.
+
+.. important:: We always recommend backing up your workstations prior to
+  an upgrade, but we *especially* recommend it before a major Tails version
+  bump. This upgrade is an excellent occasion to make sure you have fresh
+  backups for each of your Tails drives. See our :ref:`backup instructions <backup_workstations>`
+  for more information.
+
+To upgrade your *Secure Viewing Station* Tails USB, follow our instructions
+to :ref:`update Tails manually <Update Tails Manually>`. The *SVS* upgrade
+to Tails 6 **must** be fully performed on an air-gapped machine.
+
+To upgrade your *Journalist Workstation* and *Admin Workstation* USB drives,
+complete the following steps for each USB drive:
+
+1. Update to SecureDrop 2.10.1 using the graphical updater
+2. Perform a manual upgrade to Tails 6
+3. Apply SecureDrop-specific configuration
+4. Verify that the workstation works as expected.
+
+These steps are further explained below. If these steps fail unexpectedly, please get
+in touch.
+
+Step 1: Update to SecureDrop 2.10.1 using the graphical updater
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+On the next boot of your SecureDrop *Journalist* and *Admin Workstations*,
+the *SecureDrop Workstation Updater* will alert you to workstation updates. You
+must have `configured an administrator password <https://tails.net/doc/first_steps/welcome_screen/administration_password/>`_
+on the Tails welcome screen in order to use the graphical updater.
+
+Perform the update to 2.10.1 by clicking "Update Now":
+
+.. image:: ../images/securedrop-updater.png
+
+Fallback: Perform a manual update
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+If the graphical updater fails and you want to perform a manual update instead,
+first delete the graphical updater's temporary flag file, if it exists (the
+``.`` before ``securedrop`` is not a typo): ::
+
+  rm ~/Persistent/.securedrop/securedrop_update.flag
+
+This will prevent the graphical updater from attempting to re-apply the failed
+update and has no bearing on future updates. You can now perform a manual
+update by running the following commands: ::
+
+  cd ~/Persistent/securedrop
+  git fetch --tags
+  gpg --keyserver hkps://keys.openpgp.org --recv-key \
+   "2359 E653 8C06 13E6 5295 5E6C 188E DD3B 7B22 E6A3"
+  git tag -v 2.10.1
+
+The output should include the following two lines: ::
+
+    gpg:                using RSA key 2359E6538C0613E652955E6C188EDD3B7B22E6A3
+    gpg: Good signature from "SecureDrop Release Signing Key <[email protected]>" [unknown]
+
+
+Please verify that each character of the fingerprint above matches what is
+on the screen of your workstation. A warning that the key is not certified
+is normal and expected. If the output includes the lines above, you can check
+out the new release: ::
+
+    git checkout 2.10.1
+
+.. important:: If you do see the warning "refname '2.10.1' is ambiguous" in the
+  output, we recommend that you contact us immediately at [email protected]
+  (`GPG encrypted <https://securedrop.org/sites/default/files/fpf-email.asc>`__).
+
+Finally, run the following commands: ::
+
+  sudo apt update
+  ./securedrop-admin setup
+  ./securedrop-admin tailsconfig
+
+Step 2: Perform a manual upgrade to Tails 6
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Because Tails 6 represents a major release, an automatic update from Tails 5 is
+not possible.
+
+Follow our instructions to :ref:`update Tails manually <Update Tails Manually>`.
+
+Step 3: Apply SecureDrop-specific configuration
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Boot up the updated workstation, connect to the Tor network, and run the
+following commands in a terminal: ::
+
+  cd ~/Persistent/securedrop
+  sudo apt update
+  ./securedrop-admin setup
+  ./securedrop-admin tailsconfig
+
+You must run these commands on Tails 6 even if you have just run them on
+Tails 5. This will create a Python virtual environment compatible with Tails 6
+and re-apply the SecureDrop-specific configuration on your workstation.
+
+Step 4: Verify that the workstation works as expected
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+You should now see the SecureDrop Menu in the menu bar at the top:
+
+|The SecureDrop Menu|
+
+Note that the options listed in the menu will depend on whether
+you are booting a *Journalist Workstation* or an *Admin Workstation*.
+Confirm that all options work as expected.
+
+.. note:: Support for desktop shortcuts has been removed in Tails 6.
+  Use the *Securedrop Menu* to access all SecureDrop-related features.
+
+.. |The SecureDrop Menu| image:: ../images/securedrop_menu.png
+   :alt: The SecureDrop Menu, showing all available options.
+
+Getting Support
+---------------
+
+Should you require further support with your SecureDrop installation, we are
+happy to help!
+
+.. include:: ../includes/getting-support.txt

docs/upgrade/2.9.0_to_2.10.0.rst

@@ -1,5 +1,3 @@
-.. _latest_upgrade_guide:
-
 Upgrade from 2.9.0 to 2.10.0
 ============================