FAQ
We use the please-build-nightlies branch to trigger the build and deployment of the latest component code on the main branches of each component's respective repo (see https://github.com/freedomofpress/securedrop-debian-packaging/commit/c7b1d60e7c9158f94125ac79789986f8c904424e). To do this, we first rebase the branch onto the latest main; the rebased branch carries a change to the CircleCI config that fires off the jobs immediately.
Follow this step-by-step guide: https://github.com/freedomofpress/securedrop/wiki/Dependency-specification-and-update-policies#step-by-step-procedure
We review the source code of our dependencies for security vulnerabilities that could compromise SecureDrop and SecureDrop Workstation. Specifically, we want to guard against supply chain attacks where an upstream dependency was compromised and begins to ship malicious code.
Counter arguments:
- Given limited review bandwidth, diff reviews only provide partial mitigation, especially e.g. for C code changes.
No, even if a wheel is not reproducible, the derivative Debian package would still be reproducible as long as it includes the same verified wheel each time it is built.
Given that some of our dependencies on PyPI are not built reproducibly, we cannot programmatically verify that the binary wheel was built from the exact source tarball that we diff-reviewed. By building from the source tarball ourselves, we can be sure that's the case. Additionally, we can ensure that the build environment used to create the wheel artifact was sufficiently patched.
Counter arguments:
- Some of our dependencies are reproducible, so we could verify the hash of the wheel on PyPI (we only need to build the wheel once and keep a record of the hash). This would make it clearer which dependencies actually require us to maintain local wheels.
- We know of examples of account-level compromises, but we don't know of examples of tainted binary artifacts released alongside pristine source artifacts. Can we find one such incident in the wild?
Any wheels we upload to PyPI should be reproducible so that consumers can verify them. We also care about our external dependencies being reproducible so that we can verify that the wheel came from the source tarball that we diff-reviewed. If all our dependencies were reproducible then we wouldn't need to maintain local wheels.
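The check behind both of the answers above (verifying a PyPI wheel against a record of the hash we obtained by building it once ourselves, and finding out which files differ when a rebuild does not match) can be done with the standard library alone. The following is an added example, not code from the securedrop-debian-packaging project; the wheels it compares are constructed in memory and are not real packages, and the function names are this example's own.

```python
"""Verify a wheel against a recorded hash, and diff two wheel builds entry by entry.

A wheel is a zip file, so a byte-for-byte mismatch can come from zip metadata
(timestamps, ordering) rather than from the packaged files. Comparing the
sha256 of each member's *contents* tells you whether the difference matters.
"""
import hashlib
import io
import zipfile
from typing import Dict, Optional, Tuple, Union

WheelSource = Union[bytes, str]  # raw wheel bytes or a path on disk


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Streaming sha256 of a file, for wheels too large to read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_recorded_hash(wheel: WheelSource, recorded_sha256: str) -> bool:
    """The 'keep a record of the hash' check: does this wheel match the one we built?"""
    digest = sha256_bytes(wheel) if isinstance(wheel, bytes) else sha256_file(wheel)
    return digest == recorded_sha256.lower()


def wheel_entry_digests(wheel: WheelSource) -> Dict[str, str]:
    """sha256 of every member's contents, keyed by archive path."""
    src = io.BytesIO(wheel) if isinstance(wheel, bytes) else wheel
    with zipfile.ZipFile(src) as zf:
        return {info.filename: sha256_bytes(zf.read(info)) for info in zf.infolist()}


def compare_wheels(a: WheelSource, b: WheelSource) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Return {path: (digest_in_a, digest_in_b)} for members that differ or are missing.

    An empty dict means the two wheels contain the same files with the same contents,
    even if their raw bytes differ because of zip timestamps or member order.
    """
    da, db = wheel_entry_digests(a), wheel_entry_digests(b)
    differences: Dict[str, Tuple[Optional[str], Optional[str]]] = {}
    for name in sorted(set(da) | set(db)):
        if da.get(name) != db.get(name):
            differences[name] = (da.get(name), db.get(name))
    return differences


def build_constructed_wheel(contents: Dict[str, bytes], date_time: Tuple[int, ...]) -> bytes:
    """Build a minimal zip that stands in for a wheel (constructed sample, not a real package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in contents.items():
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


if __name__ == "__main__":
    files = {"pkg/__init__.py": b"x = 1\n", "pkg-1.0.dist-info/RECORD": b""}
    first_build = build_constructed_wheel(files, (2024, 1, 1, 0, 0, 0))
    rebuild = build_constructed_wheel(files, (2024, 6, 1, 0, 0, 0))   # same files, new timestamps
    tampered = build_constructed_wheel({"pkg/__init__.py": b"x = 2\n"}, (2024, 1, 1, 0, 0, 0))

    recorded = sha256_bytes(first_build)
    print("rebuild matches recorded hash:", matches_recorded_hash(rebuild, recorded))  # False
    print("rebuild differs in content:", compare_wheels(first_build, rebuild))          # {}
    print("tampered differs in content:", compare_wheels(first_build, tampered))
```

When a rebuilt wheel fails the recorded-hash check, `compare_wheels` distinguishes the two cases that matter for the policy above: a wheel whose members all match (the build is reproducible in substance, and the mismatch is zip metadata worth fixing in the build) versus one whose members differ (the artifact cannot be tied to the reviewed source tarball, which is exactly the case where a locally built wheel is still needed).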