Removes auto-updater from workstation #322

Closed

kushaldas
Contributor

This PR removes the securedrop autoupdater.

We can get it back in future, for now use the Qubes
updater UI.

How to test?

In dom0 after getting this branch.

make prep-dom0

Contributor

@redshiftzero redshiftzero left a comment


I realize that you were asked to do this by another team member, but I am blocking merge on this into master due to the security implications; see #238 (securedrop-workstation based VMs will never report updates using the Qubes updater).

@eloquence
Member

We discussed this further today. Even though we're not formally in production yet, it's our policy to not introduce security regressions during development, and the existing cron-job, in spite of its limitations, provides a core security feature right now. The current recommendation to developers who find it disruptive is to temporarily delete the symlink in /etc/cron.daily (it will be reinstated on the next make all run).

We've also agreed to improve the updater story ASAP; see discussion in freedomofpress/securedrop-updater#34. In the meantime, this PR can be closed.

@redshiftzero
Contributor

closing as discussed

@eloquence eloquence mentioned this pull request Feb 19, 2020