Adds clarifying comments to the update script

Factored in some advice received during pre-review. For now we're taking an interative approach to automating the updates. Currently we want, in order: 1. All dom0 RPMs up to date 2. All TemplateVMs up to date with packages (either RPMs or debs) What's not yet implemented is a strategy to automatically enforce the VM state regularly. That'll likely be a `qubesctl state.highstate` command, but punting for now to simplify testing of this already significant change.
freedomofpress · Oct 19, 2018 · d43b057 · d43b057
1 parent 7da6573
commit d43b057
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/dom0/securedrop-update b/dom0/securedrop-update
@@ -28,6 +28,9 @@ function securedrop-update-feedback() {
         '$msg'"
 }
 
+# `qubesctl pkg.upgrade` will automatically update dom0 packages, as well,
+# but we *first* want the freshest RPMs from dom0, *then* we'll want to
+# update the VMs themselves.
 securedrop-update-feedback "SecureDrop: Updating dom0 configuration..."
 sudo qubes-dom0-update -y
 
@@ -36,4 +39,8 @@ qubesctl --templates \
     --max-concurrency "$SECUREDROP_MAX_CONCURRENCY" \
     pkg.upgrade refresh=true
 
+# Here would be a good place for state.highstate, to re-apply the VM configs.
+# Let's first make sure the package upgrade logic is stable, we can circle
+# back to enforce the Salt configs regularly.
+
 securedrop-update-feedback "SecureDrop: All updates complete!"