Splitting from freedomofpress/securedrop#6514
On a technical level, to build packages one needs a machine (currently a clean Qubes VM) that has Docker installed, and then:
- run
make securedrop-core-5.15, wait 2+ hours
- run
make securedrop-workstation-5.15, wait 2+ hours
- upload the build logs to the build-logs repo
- sign and upload the source tarballs to S3
- copy and upload the debs to apt-test, to kick off kernel testing
Currently these steps are done manually, on maintainer laptops. This seems ripe for automation, especially because it's a slow process.
One important note is that these builds are currently not reproducible (see #3).
So if we were to automate this process, what are the requirements for the build host? Would we be OK if:
- it was entirely run on a CircleCI pipeline (or other cloud CI provider, e.g. CodeFresh)?
- it was entirely run on a DO droplet we/infra controls?
- it was entirely run on a physical machine under FPF control (e.g. in NYO)?
- status quo, entirely run on a maintainer laptop
Pinging @L3th3 & @lsd-cat for security input
Splitting from freedomofpress/securedrop#6514
On a technical level, to build packages one needs a machine (currently a clean Qubes VM) that has Docker installed, and then:
make securedrop-core-5.15, wait 2+ hoursmake securedrop-workstation-5.15, wait 2+ hoursCurrently these steps are done manually, on maintainer laptops. This seems ripe for automation, especially because it's a slow process.
One important note is that these builds are currently not reproducible (see #3).
So if we were to automate this process, what are the requirements for the build host? Would we be OK if:
Pinging @L3th3 & @lsd-cat for security input