Commit 6a79c74a authored by intrigeri

Merge branch 'doc/15999-integrate-usb-image-in-the-release-process' into feature/15292-usb-image

The follow-up fixes after the review of this branch were pushed
but not reviewed yet. Regardless, we need this branch merged
so that 3.12~rc1 can be prepared.

refs: #15999
parents 73afff29 57d3c93f
......@@ -27,32 +27,30 @@ def target_file_url(channel, filename):
}
def idf_content(build_target, channel, product_name, version, img, iso):
installation_paths = [
{
'type': 'iso',
'target-files': [{
'url': target_file_url(channel, iso),
'sha256': sha256_file(iso),
'size': Path(iso).stat().st_size,
}],
},
]
if img is not None:
installation_paths += {
'type': 'img',
'target-files': [{
'url': target_file_url(channel, img),
'sha256': sha256_file(img),
'size': Path(img).stat().st_size,
}],
}
return to_json({
'build_target': build_target,
'channel': channel,
'product-name': product_name,
'installations': [{
'version': version,
'installation-paths': installation_paths,
'installation-paths': [
{
'type': 'img',
'target-files': [{
'url': target_file_url(channel, img),
'sha256': sha256_file(img),
'size': Path(img).stat().st_size,
}],
},
{
'type': 'iso',
'target-files': [{
'url': target_file_url(channel, iso),
'sha256': sha256_file(iso),
'size': Path(iso).stat().st_size,
}],
},
],
}],
})
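Review bot: idf_content() now calls sha256_file(img) and Path(img).stat() unconditionally in the 'installation-paths' list, but the function does not check img, so a caller that passes None gets a TypeError from Path(img) instead of a clear error. Since the img entry is no longer optional, either validate img at the top of the function or state in a docstring that both img and iso are mandatory. The two 'target-files' dictionaries are also identical apart from the file argument; a small helper taking (channel, filename) would keep the url, sha256 and size fields from drifting apart between the two image types.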
......@@ -64,7 +62,7 @@ if __name__ == '__main__':
parser.add_argument('--product-name', dest='product_name', default='Tails')
parser.add_argument('--version', default=None, required=True,
help='Version of Tails .')
parser.add_argument('--img', default=None,
parser.add_argument('--img', default=None, required=True,
help='Path to the USB image.')
parser.add_argument('--iso', default=None, required=True,
help='Path to the ISO file.')
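Review bot: on the '--img' argument, default=None is dead once required=True is set, because argparse exits with a usage error before the default could ever be used; drop the default (the same applies to '--version' and '--iso' in the context lines). The help string could also say that the USB image is now mandatory, since with this change the script can no longer describe a release that ships only an ISO.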
......
......@@ -19,8 +19,8 @@ What are reproducible builds?
(Quoted from <https://reproducible-builds.org>)
Tails ISO images should be reproducible: everybody who
builds the ISO should be able to obtain the exact same resulting ISO
Tails ISO and USB images should be reproducible: everybody who
builds one of them should be able to obtain the exact same resulting
image from a given Git tag.
Why is it important?
......@@ -28,8 +28,8 @@ Why is it important?
Reproducibility increases confidence in the value of our continuous
quality assurance processes as well as the trust that users, and anyone
interested can put into our released build products (such as ISO images)
and our development and release process.
interested can put into our released build products (such as ISO and USB
images) and our development and release process.
Reproducible builds help [detect
bugs](https://reproducible-builds.org/docs/buy-in/) and ensure that
......@@ -43,54 +43,57 @@ developers](https://reproducible-builds.org/docs/buy-in/), improves
users' security, and allows developers to sleep better at night (as the
incentive for an attacker to compromise developers' systems, or to
compromise developers themselves, is lowered). In turn, this avoids the
need to trust people (or software) who build the ISO we release, which
in turn allows more people to get involved in release management work.
need to trust people (or software) who build the ISO and USB images we
release, which in turn allows more people to get involved in release
management work.
Release managers do not have to upload the ISO image anymore when they
Release managers do not have to upload the ISO and USB images anymore when they
do a release: they can instead build it both on our infrastructure
(Jenkins) and locally and compare the outputs: if they match, one can
publish the ISO built by Jenkins. Uploading an ISO can take many hours
publish the ISO and USB images built by Jenkins. Uploading the ISO and USB
images can take many hours
with some commonly found means of accessing the Internet, so removing
the need to go through this step decreases our time to remediation for
fixing security issues, and makes it easier for developers with poor
access to the Internet to take care of a release.
Build and compare a Tails ISO image
===================================
Build and compare Tails ISO and USB images
==========================================
Build a Tails ISO image
-----------------------
Build Tails ISO and USB images
------------------------------
See the [[build instructions|contribute/build]].
<a id="verify-iso"></a>
How do I verify the ISO I have built against the official one?
--------------------------------------------------------------
How do I verify the image I have built against the official one?
----------------------------------------------------------------
You can verify that the ISO image you have built is identical to the
You can verify that the image you have built is identical to the
official one we published either with OpenPGP or with a checksum.
### Verify with OpenPGP
When you reproducibly build our ISO you should obtain a file that is
exactly the same as the official Tails ISO image, thus, *our* signature
should be able to verify *your* ISO for you.
When you reproducibly build our image you should obtain a file that is
exactly the same as the official Tails image, thus, *our* signature
should be able to verify *your* image for you.
[[Download and verify our OpenPGP signature|/install/download#openpgp]]
against your own ISO image.
against your own ISO or USB image.
### Verify with a checksum
To verify that the ISO image you have built is identical as the
To verify that the ISO or USB image you have built is identical as the
official one:
1. Compute the checksum of your ISO image by executing the following
command on it:
1. Compute the checksum of your image by executing one of the following
commands on it:
sha256sum yourimage.iso
sha256sum yourimage.img
2. Compare the SHA-256 checksum of your ISO image with the one found
in the official [ISO description file](https://tails.boum.org/install/v2/Tails/amd64/stable/latest.json).
2. Compare the SHA-256 checksum of your images with the ones found
in the official [image description file](https://tails.boum.org/install/v2/Tails/amd64/stable/latest.json).
Build and compare a Tails upgrade (IUK)
=======================================
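Review bot: in the release-manager paragraph the pronoun no longer matches its subject: "they can instead build it both on our infrastructure" should read "build them" now that the sentence is about the ISO and USB images. In "Verify with a checksum", "identical as the official one" should be "identical to the official one", and step 2 switches to the plural ("your images", "the ones") while step 1 speaks of a single image; pick one. Step 2 would also benefit from saying which entry of the image description file to compare against, since that file now carries one sha256 per image type.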
......
......@@ -19,7 +19,7 @@ should provide an automated way of doing the upgrade.
* **Incremental Upgrade Kit (IUK)**: a file that contains everything
needed to upgrade from.
* **full image**: a file that is sufficient to install and run Tails
(currently, that means an ISO image).
(currently, that means an ISO or USB image).
* **target files**: the whole set of files included by reference into
an upgrade; e.g. this may be an IUK or a full image.
......
This diff is collapsed.
......@@ -18,19 +18,19 @@ many safeguards against releasing crap.
Compare the to-be-released source code with previous version's one e.g.:
Boot the candidate ISO and find the commit it was build from with the
Boot the candidate image and find the commit it was build from with the
`tails-version` command.
Then, from the source tree, see the diff:
git diff --find-renames <old ISO commit>..<ISO commit>
git diff --find-renames <old image commit>..<candidate image commit>
e.g. `git diff --find-renames 334e1c485a3a79be9fff899d4dc9d2db89cdc9e1..cfbde80925fdd0af008f10bc90c8a91a578c58e3`
## Result
Compare the list of bundled packages and versions with the one shipped last
time. `.packages` are usually attached to the email announcing the ISO is ready.
time. `.packages` are usually attached to the email announcing the image is ready.
/usr/bin/diff -u \
wiki/src/torrents/files/tails-amd64-3.1.packages \
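Review bot: the rewritten sentence keeps the typo "the commit it was build from"; it should be "built from". In the new git diff line the placeholders are asymmetric (`<old image commit>` against `<candidate image commit>`); naming the left side after the previous release would make it clearer which commit goes where.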
......@@ -48,11 +48,12 @@ Check the output for:
## Image size
Check the image size has not changed much since the last release.
Check the images size has not changed much since the last release.
In a directory with many Tails ISO images:
In a directory with many Tails ISO and USB images:
find -iname "tails*.iso" -exec ls -lh '{}' \; | sort -rhk 5
find \( -iname "tails*.iso" -o -iname "tails*.img" \) \
-exec ls -lh '{}' \; | sort -rhk 5
<a id="reproducibility-final-check"></a>
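Review bot: "Check the images size has not changed much" is ungrammatical; "Check that the image sizes have not changed much" reads better. The new find invocation sorts ISO and USB images together by size, so the text should say that each file is to be compared with the previous release of the same type.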
......@@ -60,7 +61,7 @@ In a directory with many Tails ISO images:
This section can **not** be done by the RM.
1. Download the ISO and all the
1. Download the ISO and USB images plus all the
[IUKs](https://mirrors.wikimedia.org/tails/stable/iuk/) that
upgrade to the version you are testing.
......@@ -83,7 +84,7 @@ documented on a [[dedicated page|test/automated_tests]].
See [[test/setup]] and [[test/usage]].
Do point `--old-iso` to the ISO of the previous stable release.
Do point `--old-iso` to the ISO image of the previous stable release.
## Automated test suite migration progress
......@@ -276,8 +277,8 @@ tracked by tickets prefixed with `todo/test_suite:`.
* The goal is is to check that *Tails Verification* works in *Tor
Browser* in the version of Tails we are testing here. *Tails
Verification* only supports verifying the current release so for
example, when doing tests for the Tails 3.9 release, we use it in
the tentative Tails 3.9 to verify the Tails 3.8 ISO image.
example, when doing tests for the Tails 3.13 release, we use it in
the tentative Tails 3.13 to verify the Tails 3.12 ISO and USB images.
1. Start the Tails that you are testing.
......@@ -297,6 +298,8 @@ tracked by tickets prefixed with `todo/test_suite:`.
7. The verification should be successful.
8. Repeat for the USB image.
# Real (non-VM) hardware
`[can't-automate]`
......
......@@ -80,7 +80,7 @@ called `SHA512SUMS.txt`.
Set these environment variables accordingly:
* `ISOS_CHECKOUT`: path to your Tails ISO history repo checout.
* `ISOS_CHECKOUT`: path to your Tails ISO history repo checkout.
<!-- * `PACKAGES_FILE="${ISOS:?}/tails-amd64-${VERSION:?}/tails-amd64-${VERSION:?}.iso.packages"` -->
* `PUBLISHED_ARTIFACTS`: some _new_ directory where you can download
gigabytes of data to.
......@@ -99,7 +99,7 @@ Set these environment variables accordingly:
# Build your own products
## Build your own ISO image
## Build your own images
1. Fetch and verify the Git tag:
......@@ -113,7 +113,7 @@ Set these environment variables accordingly:
contact the RM and <tails@boum.org>! Proceeding with the rest of the steps
are pointless in this case, so await instruction.
2. Build an ISO image:
2. Build ISO and USB images:
cd "${TAILS_CHECKOUT:?}" && \
git checkout "${TAG:?}" && \
......@@ -121,7 +121,7 @@ Set these environment variables accordingly:
export SOURCE_DATE_EPOCH=$(date --utc --date="$(dpkg-parsechangelog --show-field=Date)" '+%s') && \
rake build && \
mkdir "${ISOS:?}/tails-amd64-${VERSION:?}" && \
mv "${ARTIFACTS:?}/tails-amd64-${VERSION:?}.iso*" \
mv "${ARTIFACTS:?}/tails-amd64-${VERSION:?}.*" \
"${ISOS:?}/tails-amd64-${VERSION:?}/"
<!-- ## Build your own IUKs -->
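Review bot: in the mv line the wildcard sits inside the double quotes ("${ARTIFACTS:?}/tails-amd64-${VERSION:?}.*"), so the shell never expands it and mv looks for a file whose name literally ends in ".*". Close the quote before the wildcard so that only the variables are quoted. The pattern is also broader than the old .iso* one and will move every build artifact with that prefix into the ISO history directory, which is worth stating in the step text if it is intended.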
......@@ -183,11 +183,11 @@ the following steps have to be done only after the release has been made public.
cd "${PUBLISHED_ARTIFACTS:?}" && \
mkdir tails-amd64-${VERSION:?} && \
cd tails-amd64-${VERSION:?} && \
wget http://dl.amnesia.boum.org/tails/${DIST:?}/tails-amd64-${VERSION:?}/tails-amd64-${VERSION:?}.iso && \
wget http://dl.amnesia.boum.org/tails/${DIST:?}/tails-amd64-${VERSION:?}/tails-amd64-${VERSION:?}.{img,iso}
## Verify that your products match what was published
### ISO
### ISO and USB images
cd "${PUBLISHED_ARTIFACTS:?}" && \
sha512sum -c "${SHA512SUMS:?}"
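Review bot: under "ISO and USB images" the check is still a single sha512sum -c "${SHA512SUMS:?}", which only verifies the files listed in that checksum file; if SHA512SUMS.txt is generated without the .img, the downloaded USB image is never compared and the step still reports success. The step that creates the file should be confirmed to cover both images. This matters more because the wget line fetches over plain http, so the comparison in this section is what establishes the integrity of the download. The {img,iso} brace expansion is a bash feature, so the instructions should say that the commands assume bash.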
......
---
build-target: amd64
channel: stable
product-name: Tails
version: '3.11'
target-files:
- sha256: 2ffeacab6ad74671a9eb15b560f47bae7d22e1bcbd9735342ee6d7dfe3c5706e
size: 1225568256
url: http://dl.amnesia.boum.org/tails/stable/tails-amd64-3.11/tails-amd64-3.11.iso