-
Notifications
You must be signed in to change notification settings - Fork 46
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Proposal: build variant managed by boostrap package #1212
Comments
The use of systemd presets with priorities definitely addresses one concern with this approach in terms RPMs managing the same config files. How would the yum-test and apt-test configs get applied to override the prod versions though? |
For the non repo related files (eg systemd presets, conf overrides) it's straightforward: if our systemd presets in prod are For the repo and signing key, the tldr is "we could decide how we want it to work / it could use package-based or file-based constraints that we specify in the rpm .spec file(s)." Say we ship prod package securedrop-workstation-keyring-0.1.0. A staging package would have a newer version number (securedrop-workstation-keyring-staging-0.2.0-rc1) and we could decide exactly what the constraint relationship could be. At one extreme, we could declare that the packages Conflict, and require the user to uninstall the prod keyring before reinstalling the staging setup. At the other extreme, we could allow the packages to exist side by side, with the higher version number (dev/staging) taking precedence. This option is (only slightly) more complicated, because it would mean we'd be permitting both the staging and prod key and repo files to be on the dev machine, and we'd need to either tell the dom0 config rpm which repo file to prioritize, or allow the dev package to overwrite the repo files even if the two packages don't conflict. But I see this as something that could be solved in a few different ways depending on our desired behaviour. |
In advance of a conversation about this, another related issue about managing dev/staging/prod config: #1053 The main thing I am hoping for is that we consolidate around only shipping prod configurations in the dom0 config rpm and the prod keyring rpm, but I am flexible on how we accomplish this plus maintain developer convenience, and I think there are a number of ways we could do that. |
Discussed today in meeting:
Still to be resolved:
|
Proposal:
Proposal with more detail on two separate rpm boostrap packages, securedrop-workstation-keyring{,staging} and how it will help us with cleaner encapsulation and separation of prod from non-prod content/logic.
After #1058 (comment) I realized I needed to write stuff up more formally and it probably belongs in a separate issue/proposal instead of a ticket comment.
Affected components
SecureDrop Workstation
People and roles
sd maintainers
Problem Statement
A few related problems:
ConditionPathExists
and flag files/directories (/var/lib/securedrop-workstation/{dev,prod,staging}) is a bit messy and potentially brittle Use preset files for conditionally enabling/disabling systemd services #1052Solution impact
Requirements and constraints
Initial proposal
My proposal is as follows:
Key points:
Selected proposal
The text was updated successfully, but these errors were encountered: