diff --git a/Cargo.lock b/Cargo.lock
index 0681721e23..9626a066e9 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -516,6 +516,10 @@ version = "1.0.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e4a24736216ec316047a1fc4252e27dabb04218aa4a3f37c6e7ddbf1f9782b54" +[[package]] +name = "noble-migration" +version = "0.1.0" + [[package]] name = "num-traits" version = "0.2.17"
diff --git a/Cargo.toml b/Cargo.toml
index db80b091ae..d9008ab715 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,7 @@
 [workspace]
 members = [
+ "noble-migration",
 "redwood",
 ]
diff --git a/builder/build-debs-securedrop.sh b/builder/build-debs-securedrop.sh
index 0f90affc5d..a075c35836 100755
--- a/builder/build-debs-securedrop.sh
+++ b/builder/build-debs-securedrop.sh
@@ -11,8 +11,10 @@ set -euxo pipefail
 # Make a copy of the source tree since we do destructive operations on it
 cp -R /src/securedrop /srv/securedrop
-cp -R /src/redwood /srv/redwood
-cp /src/Cargo.lock /srv/redwood/
+mkdir /srv/rust
+cp -R /src/noble-migration /srv/rust/noble-migration
+cp -R /src/redwood /srv/rust/redwood
+cp /src/Cargo.{toml,lock} /srv/rust/
 cd /srv/securedrop/
 # Control the version of setuptools used in the default construction of virtual environments
diff --git a/install_files/ansible-base/group_vars/securedrop_application_server.yml b/install_files/ansible-base/group_vars/securedrop_application_server.yml
index 651af6665e..4a6d64c8eb 100644
--- a/install_files/ansible-base/group_vars/securedrop_application_server.yml
+++ b/install_files/ansible-base/group_vars/securedrop_application_server.yml
@@ -7,7 +7,7 @@ ip_info:
 ### Used by the install_local_deb_pkgs role ###
 local_deb_packages:
 - "securedrop-keyring_0.2.2+{{ securedrop_version }}+{{ securedrop_target_distribution }}_all.deb"
- - "securedrop-config_{{ securedrop_version }}+{{ securedrop_target_distribution }}_all.deb"
+ - "securedrop-config_{{ securedrop_version }}+{{ securedrop_target_distribution }}_amd64.deb"
 - "securedrop-ossec-agent_3.6.0+{{ securedrop_version }}+{{ securedrop_target_distribution }}_all.deb"
 - "{{ securedrop_app_code_deb }}.deb"
 - "ossec-agent_3.6.0+{{ securedrop_target_distribution }}_amd64.deb"
diff --git a/install_files/ansible-base/group_vars/securedrop_monitor_server.yml b/install_files/ansible-base/group_vars/securedrop_monitor_server.yml
index 99fbceb2a7..659e678559 100644
--- a/install_files/ansible-base/group_vars/securedrop_monitor_server.yml
+++ b/install_files/ansible-base/group_vars/securedrop_monitor_server.yml
@@ -7,7 +7,7 @@ ip_info:
 ### Used by the install_local_deb_pkgs role ###
 local_deb_packages:
 - "securedrop-keyring_0.2.2+{{ securedrop_version }}+{{ securedrop_target_distribution }}_all.deb"
- - "securedrop-config_{{ securedrop_version }}+{{ securedrop_target_distribution }}_all.deb"
+ - "securedrop-config_{{ securedrop_version }}+{{ securedrop_target_distribution }}_amd64.deb"
 - "securedrop-ossec-server_3.6.0+{{ securedrop_version }}+{{ securedrop_target_distribution }}_all.deb"
 - ossec-server_3.6.0+{{ securedrop_target_distribution }}_amd64.deb
diff --git a/noble-migration/Cargo.toml b/noble-migration/Cargo.toml
new file mode 100644
index 0000000000..6714ccddeb
--- /dev/null
+++ b/noble-migration/Cargo.toml
@@ -0,0 +1,6 @@
+[package]
+name = "noble-migration"
+version = "0.1.0"
+edition = "2021"
+
+[dependencies]
diff --git a/noble-migration/src/main.rs b/noble-migration/src/main.rs
new file mode 100644
index 0000000000..e7a11a969c
--- /dev/null
+++ b/noble-migration/src/main.rs
@@ -0,0 +1,3 @@
+fn main() {
+ println!("Hello, world!");
+}
diff --git a/securedrop/debian/control b/securedrop/debian/control
index 0566bc05c5..5e7f5b97d3 100644
--- a/securedrop/debian/control
+++ b/securedrop/debian/control
@@ -14,8 +14,8 @@ Depends: ${dist:Depends}, ${misc:Depends}, ${python3:Depends}, ${apparmor:Depend
 Description: SecureDrop application code, dependencies, Apache configuration, systemd services, and AppArmor profiles. This package will put the AppArmor profiles in enforce mode.
 Package: securedrop-config
-Architecture: all
-Depends: unattended-upgrades, update-notifier-common
+Architecture: amd64
+Depends: ${shlibs:Depends}, unattended-upgrades, update-notifier-common
 Description: Establishes baseline system state for running SecureDrop.
 Configures apt repositories.
diff --git a/securedrop/debian/rules b/securedrop/debian/rules
index afd24178c9..e5637bfdd2 100755
--- a/securedrop/debian/rules
+++ b/securedrop/debian/rules
@@ -18,8 +18,13 @@ override_dh_installdeb:
 echo -n "" > ${CURDIR}/debian/securedrop-keyring/DEBIAN/conffiles
 override_dh_auto_install:
+ # Build securedrop-config Rust code
+ cd /srv/rust/noble-migration && cargo build --release --locked && \
+ cd /srv/securedrop && \
+ mkdir -p ./debian/securedrop-config/usr/bin && \
+ mv /srv/rust/target/release/noble-migration ./debian/securedrop-config/usr/bin/noble-migration
 # Build redwood wheel
- python3 /srv/redwood/build-wheel.py --release --redwood /srv/redwood --target /srv/redwood/target
+ python3 /srv/rust/redwood/build-wheel.py --release --redwood /srv/rust/redwood --target /srv/rust/target
 # Set up virtualenv and install dependencies
 /usr/bin/python3 -m venv ./debian/securedrop-app-code/opt/venvs/securedrop-app-code
 ./debian/securedrop-app-code/opt/venvs/securedrop-app-code/bin/pip install $(PIP_ARGS) \
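Review bot: The added recipe in `override_dh_auto_install` changes into `/srv/rust/noble-migration` and then returns with a hardcoded `cd /srv/securedrop`, so the `mkdir -p` and `mv` steps only reach the right `./debian/securedrop-config` tree when the package is built from exactly that path. Passing the manifest keeps the recipe in the build directory and removes both `cd` calls: `cargo build --release --locked --manifest-path /srv/rust/noble-migration/Cargo.toml`, followed by the `mkdir -p` and `mv` as separate recipe lines. Keeping `--locked` is right, since this binary ends up in `usr/bin` of securedrop-config and should only ever be built from the committed `Cargo.lock`. The recipe continues past the end of this hunk.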
@@ -27,7 +32,7 @@ override_dh_auto_install:
 ./debian/securedrop-app-code/opt/venvs/securedrop-app-code/bin/pip install $(PIP_ARGS) \
 -r requirements/python3/requirements.txt
 ./debian/securedrop-app-code/opt/venvs/securedrop-app-code/bin/pip install $(PIP_ARGS) \
- /srv/redwood/redwood-*.whl
+ /srv/rust/redwood/redwood-*.whl
 # Update paths to point to install destination
 find ./debian/securedrop-app-code/ -type f -exec sed -i "s#$(shell pwd)/debian/securedrop-app-code##" {} \;
 # Generage wsgi.load for apache
diff --git a/supply-chain/config.toml b/supply-chain/config.toml
index 0a0de1ad6a..e083c660a4 100644
--- a/supply-chain/config.toml
+++ b/supply-chain/config.toml
@@ -39,6 +39,9 @@ notes = "Haiku OS-only"
 criteria = []
 notes = "WASM-only"
+[policy.noble-migration]
+criteria = "safe-to-run"
+
 [policy.redox_syscall]
 criteria = []
 notes = "Redox OS-only"
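Review bot: `[policy.noble-migration]` sets `criteria = "safe-to-run"`, the weaker of cargo-vet's two built-in criteria, although this same commit installs the `noble-migration` binary into `usr/bin` of the securedrop-config package that the Ansible group_vars list for both the application and monitor servers. Code that ships to those hosts would normally have its dependency tree held to `safe-to-deploy`, so I would write `criteria = "safe-to-deploy"` here, or add a `notes = "..."` line recording why the lower bar is acceptable. The crate's `[dependencies]` table is empty today, so the setting has no effect yet, but it would apply to the first dependency added without any further policy change showing up in review.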