Switch Ubuntu APT sources to use HTTPS #7438
Conversation
Ubuntu now supports HTTPS on their primary mirrors, including archive.ubuntu.com and security.ubuntu.com. While APT verifies integrity using PGP signatures, there have been a few vulnerabilities in APT that would've been prevented by also layering TLS on top. No attempt is made to update the configuration on existing instances; instead this change will be made during the noble migration. Fixes #3286.
There was a problem hiding this comment.
No attempt is made to update the configuration on existing instances; instead this change will be made during the noble migration.
In that case, @legoktm, shouldn't these tests be parameterized on securedrop_target_platform? Otherwise, won't an Admin Workstation updated to v2.12 expect to see https:// URLs on a Focal-based Server running v2.12 still with http:// URLs?
There was a problem hiding this comment.
Hmm, yes but also if someone does a focal fresh install on 2.12, then they'll also get HTTPS URLs.
But also with 2.12 we will enable noble fresh installs so maybe no one should be doing focal fresh installs at that point and we don't need to worry about it?
Or is tying this with the noble migration a bad idea and we should just have a mechanism to update the sources.list file outside of ansible installs regardless?
There was a problem hiding this comment.
The case I'm concerned about is "upgrade to v2.12, but not yet Noble, and run testinfra", e.g.:
| Time | Admin Workstation tag | Testinfra checks for | Server OS version | Server SecureDrop version | URLs | ? |
|---|---|---|---|---|---|---|
| 0 | 2.11.1 | http:// |
Focal | 2.11.1 | http:// |
✓ |
| 1 | 2.12.0 | https:// |
Focal | 2.12.0 | http:// |
✗ |
Put another way, I read the current diff as saying: "If you've upgraded to v2.12, but haven't yet upgraded to Noble, then test_automatic_updates.py will fail." Am I contriving an edge case without consequence?
Or is tying this with the noble migration a bad idea and we should just have a mechanism to update the sources.list file outside of ansible installs regardless?
I think having largely separate installation and upgrade configuration paths is a bad idea, but I know we can't fix that here! :-)
Status
Ready for review
Description of Changes
Ubuntu now supports HTTPS on their primary mirrors, including archive.ubuntu.com and security.ubuntu.com.
While APT verifies integrity using PGP signatures, there have been a few vulnerabilities in APT that would've been prevented by also layering TLS on top.
No attempt is made to update the configuration on existing instances; instead this change will be made during the noble migration.
Fixes #3286.
Testing
How should the reviewer test this PR?
Deployment
Any special considerations for deployment? Consider both:
Checklist