Allie Crevier edited this page Oct 19, 2021 · 19 revisions

How to trigger SDW nightlies

We use the please-build-nightlies branch to trigger a build and deployment of the latest code on each component's main branch (see https://github.com/freedomofpress/securedrop-debian-packaging/commit/c7b1d60e7c9158f94125ac79789986f8c904424e). The branch carries a change to the CircleCI config that makes the jobs fire immediately; to trigger a run, first rebase the branch onto the latest main, so that the result is current main plus that config change.

How to do a diff review

Follow this step-by-step guide: https://github.com/freedomofpress/securedrop/wiki/Dependency-specification-and-update-policies#step-by-step-procedure

Why do we perform diff reviews?

We review the source code of our dependencies for security vulnerabilities that could compromise SecureDrop and SecureDrop Workstation. Specifically, we want to guard against supply chain attacks where an upstream dependency was compromised and begins to ship malicious code.

Counter arguments:

  • Given limited review bandwidth, diff reviews provide only partial mitigation, especially for changes that are hard to audit by eye, e.g. in C code.

Are reproducible wheels necessary in order to make the Debian packages that we ship reproducible?

No. Even if a wheel is not built reproducibly, the Debian package built from it is still reproducible as long as every package build includes the same hash-verified wheel file: the package's reproducibility depends on its inputs being fixed, not on how those inputs were originally produced.

Why do we keep local wheels?

Some of our PyPI dependencies are not built reproducibly, so we cannot programmatically verify that the binary wheel on PyPI was built from the exact source tarball we diff-reviewed. Building the wheel from that source tarball ourselves guarantees that it was. It also lets us ensure that the build environment which produced the wheel was fully patched.

Counter arguments:

  • Some of our dependencies are reproducible, so for those we could verify the hash of the wheel on PyPI instead (we would only need to build the wheel once from the reviewed source and record its hash). That would also make clear which dependencies actually require us to maintain local wheels.
  • We know of examples of account-level compromises, but not of tainted binary artifacts released alongside pristine source artifacts. Can we find one such incident in the wild?
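The check that the previous two answers rely on, written out as an added example (this is not SecureDrop's packaging tooling): parse the sha256 pins from a requirements file in pip's --hash format, hash every wheel in the vendored directory, and report anything unpinned, mismatched or missing. A package build should proceed only if every wheel is "verified". The package names, versions, wheel bytes and the requirements text are constructed inline so the check runs offline.

```python
"""Verify vendored wheels against the sha256 pins in a pip requirements file.

Added example, not SecureDrop's own code. Requirements text and wheel
contents are constructed below so the check runs offline."""
import hashlib
import re
import tempfile
from pathlib import Path

HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s\\]+)")


def normalize(name: str) -> str:
    """PEP 503 name normalization: PyYAML, pyyaml and Py_YAML compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pins(text: str) -> dict:
    """Map (normalized name, version) -> set of pinned sha256 hex digests.

    Handles pip's backslash line continuations and '#' comments."""
    pins = {}
    logical = text.replace("\\\n", " ")
    for line in logical.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        pins[(normalize(m.group(1)), m.group(2))] = set(HASH_RE.findall(line))
    return pins


def wheel_key(filename: str):
    """(normalized name, version) from a wheel filename, e.g.
    PyYAML-5.4.1-cp37-cp37m-manylinux1_x86_64.whl -> ('pyyaml', '5.4.1')."""
    dist, version = filename[:-len(".whl")].split("-")[:2]
    return normalize(dist), version


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_wheels(requirements_text: str, wheel_dir: Path) -> dict:
    """Return {wheel filename or 'name==version': status}. A build should
    only proceed if every status is 'verified'."""
    pins = parse_pins(requirements_text)
    seen, report = set(), {}
    for whl in sorted(wheel_dir.glob("*.whl")):
        key = wheel_key(whl.name)
        seen.add(key)
        if key not in pins:
            report[whl.name] = "not pinned"      # nothing diff-reviewed this
        elif sha256_file(whl) in pins[key]:
            report[whl.name] = "verified"
        else:
            report[whl.name] = "hash mismatch"   # rebuilt or tampered artifact
    for key in pins.keys() - seen:
        report["==".join(key)] = "missing"       # pinned but not vendored
    return report


def demo() -> dict:
    """Constructed scenario: two reviewed wheels, one later altered, one
    unreviewed wheel dropped in, and one pin with no wheel at all."""
    good = {
        "PyYAML-5.4.1-cp37-cp37m-manylinux1_x86_64.whl": b"constructed pyyaml wheel bytes",
        "six-1.16.0-py2.py3-none-any.whl": b"constructed six wheel bytes",
    }
    lines = ["# constructed pins; hashes computed from the constructed bytes"]
    for fname, data in good.items():
        name, version = wheel_key(fname)
        lines.append(f"{name}=={version} \\\n    --hash=sha256:{hashlib.sha256(data).hexdigest()}")
    lines.append("urllib3==1.26.7 \\\n    --hash=sha256:" + "0" * 64)
    requirements = "\n".join(lines) + "\n"

    with tempfile.TemporaryDirectory() as tmp:
        wheel_dir = Path(tmp)
        for fname, data in good.items():
            (wheel_dir / fname).write_bytes(data)
        # Simulate a wheel that was rebuilt or tampered with after review.
        (wheel_dir / "six-1.16.0-py2.py3-none-any.whl").write_bytes(b"tampered six wheel bytes")
        (wheel_dir / "requests-2.26.0-py2.py3-none-any.whl").write_bytes(b"unreviewed")
        return verify_wheels(requirements, wheel_dir)


if __name__ == "__main__":
    for artifact, status in demo().items():
        print(f"{status:14} {artifact}")
```

The same function verifies a wheel downloaded from PyPI against a hash we recorded after building it once from the reviewed tarball: that is only meaningful when the upstream build is reproducible, which is exactly the distinction the counter argument above draws.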

Why do we care about reproducible wheels?

Any wheels we upload to PyPI should be reproducible so that consumers can verify them against the source. We also care about our external dependencies being reproducible so that we can verify that a wheel came from the source tarball we diff-reviewed. If all our dependencies were reproducible, we would not need to maintain local wheels.
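Why a wheel can fail to reproduce, shown as an added example (this is not pip's or the wheel project's build code): a wheel is a zip archive, and a zip records each member's modification time, so packing identical files at two different times yields two different archives even though the installed files are the same. Pinning the timestamp (what SOURCE_DATE_EPOCH does for real build tools), the file mode and the member order makes the output byte-for-byte stable, which is what lets a consumer compare a PyPI wheel's hash against one built from the reviewed source. The package contents and build times are constructed.

```python
"""Show why a wheel can fail to reproduce and what makes it reproduce.

Added example, not a real wheel builder. The package contents below are
constructed; a wheel is a zip, so the same zip facts apply to real ones."""
import base64
import hashlib
import io
import time
import zipfile

DIST_INFO = "demo-1.0.dist-info"

# Constructed files standing in for a built pure-Python project.
FILES = {
    "demo/__init__.py": b"VERSION = '1.0'\n",
    f"{DIST_INFO}/METADATA": b"Metadata-Version: 2.1\nName: demo\nVersion: 1.0\n",
    f"{DIST_INFO}/WHEEL": b"Wheel-Version: 1.0\nRoot-Is-Purelib: true\nTag: py3-none-any\n",
}


def record_file(files: dict) -> bytes:
    """Build the wheel's RECORD: one 'path,sha256=<urlsafe b64>,size' line
    per member. It depends only on file contents, so RECORD itself is never
    what breaks reproducibility."""
    lines = []
    for name in sorted(files):
        digest = base64.urlsafe_b64encode(
            hashlib.sha256(files[name]).digest()).rstrip(b"=").decode()
        lines.append(f"{name},sha256={digest},{len(files[name])}")
    lines.append(f"{DIST_INFO}/RECORD,,")
    return ("\n".join(lines) + "\n").encode()


def build_wheel(files: dict, mtime: float, deterministic: bool) -> bytes:
    """Pack files plus RECORD into a wheel-style zip and return its bytes.

    deterministic=False mimics a naive builder: the files' real mtimes in
    whatever order they were handed over.
    deterministic=True pins the timestamp, the mode and the member order."""
    members = dict(files)
    members[f"{DIST_INFO}/RECORD"] = record_file(files)
    if deterministic:
        mtime = 315532800.0        # 1980-01-01, the earliest date a zip can store
        names = sorted(members)
    else:
        names = list(members)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            info = zipfile.ZipInfo(name, date_time=time.gmtime(mtime)[:6])
            info.compress_type = zipfile.ZIP_DEFLATED
            info.external_attr = 0o644 << 16   # fixed -rw-r--r-- mode
            zf.writestr(info, members[name])
    return buf.getvalue()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def reproduces(files: dict, deterministic: bool) -> bool:
    """Build twice, an hour apart in wall-clock terms, and compare digests:
    the test a consumer needs to pass before a recorded wheel hash means
    anything."""
    t = 1_600_000_000.0  # constructed build time; any post-1980 time works
    return sha256(build_wheel(files, t, deterministic)) == \
        sha256(build_wheel(files, t + 3600, deterministic))


if __name__ == "__main__":
    print("naive build reproduces: ", reproduces(FILES, deterministic=False))
    print("pinned build reproduces:", reproduces(FILES, deterministic=True))
```

Real builders have more sources of variation than this toy (compiler output for C extensions, absolute paths baked into files, zlib versions), which is why the non-reproducible dependencies are the ones that force a local wheel.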
