From d43b057aba2d9d5785ea2f33028a896802742735 Mon Sep 17 00:00:00 2001 From: Conor Schaefer Date: Fri, 19 Oct 2018 13:48:08 -0400 Subject: [PATCH] Adds clarifying comments to the update script Factored in some advice received during pre-review. For now we're taking an iterative approach to automating the updates. Currently we want, in order: 1. All dom0 RPMs up to date 2. All TemplateVMs up to date with packages (either RPMs or debs) What's not yet implemented is a strategy to automatically enforce the VM state regularly. That'll likely be a `qubesctl state.highstate` command, but punting for now to simplify testing of this already significant change. --- dom0/securedrop-update | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/dom0/securedrop-update b/dom0/securedrop-update index 55cf40cf6..f5ecc59b6 100755 --- a/dom0/securedrop-update +++ b/dom0/securedrop-update @@ -28,6 +28,9 @@ function securedrop-update-feedback() { '$msg'" } +# `qubesctl pkg.upgrade` will automatically update dom0 packages, as well, +# but we *first* want the freshest RPMs from dom0, *then* we'll want to +# update the VMs themselves. securedrop-update-feedback "SecureDrop: Updating dom0 configuration..." sudo qubes-dom0-update -y @@ -36,4 +39,8 @@ qubesctl --templates \ --max-concurrency "$SECUREDROP_MAX_CONCURRENCY" \ pkg.upgrade refresh=true +# Here would be a good place for state.highstate, to re-apply the VM configs. +# Let's first make sure the package upgrade logic is stable, we can circle +# back to enforce the Salt configs regularly. + securedrop-update-feedback "SecureDrop: All updates complete!"
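Review bot: the ordering that the new comment in the first hunk (@@ -28,6 +28,9 @@) describes is documented but not enforced. Nothing in the visible lines stops the script from moving on to the `qubesctl ... pkg.upgrade` step when `sudo qubes-dom0-update -y` fails. Unless the script already runs under `set -e` outside this hunk, check the exit status of the dom0 update and abort with a `securedrop-update-feedback` message, so the TemplateVMs are never upgraded against a stale dom0. The wording "freshest RPMs from dom0" is also ambiguous; "for dom0" would match the commit message's "All dom0 RPMs up to date".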
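Review bot: the comment added in the second hunk (@@ -36,4 +39,8 @@) is a deferred task with no `TODO` marker or tracking reference, so the missing `state.highstate` step will be easy to lose. Mark it as a TODO and link the follow-up issue. It would also help to state the consequence in the comment: until the Salt configs are re-applied on a schedule, the VM state can drift from the managed configuration. The script still reports "SecureDrop: All updates complete!" after the package upgrade alone, and in the visible lines that message does not depend on `pkg.upgrade` having succeeded. Consider gating the final message on the upgrade's exit status, or wording it as package updates only.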