Merge pull request #4262 from freedomofpress/backports-for-0.12.1

Backports and changelog for 0.12.1

admin/securedrop_admin/__init__.py

@@ -642,7 +642,8 @@ def check_for_updates(args):
 
 
 def get_release_key_from_keyserver(args, keyserver=None, timeout=45):
-    gpg_recv = ['timeout', str(timeout), 'gpg', '--recv-key']
+    gpg_recv = ['timeout', str(timeout), 'gpg', '--batch', '--no-tty',
+                '--recv-key']
     release_key = [RELEASE_KEY]
 
     # We construct the gpg --recv-key command based on optional keyserver arg.

changelog.md

@@ -1,5 +1,21 @@
 # Changelog
 
+## 0.12.1~rc1
+
+### Web Application
+
+* Add "Back to submission page" link to NoScript docs (#4208)
+
+### Operations
+
+* Ensured WiFi related packages are not installed on Xenial on upgrade (#4163)
+* Try harder to attach to a `tmux` session on upgrade (#4221) 
+* Control locale during Ansible runs (#4252)
+
+### Tails Environment
+
+* Resolved error in GUI updater due to flaky keyservers (#4100)
+
 ## 0.12.0
 
 ### Web Application

docs/conf.py

@@ -57,9 +57,9 @@
 # built documents.
 #
 # The short X.Y version.
-version = '0.12.0'
+version = '0.12.1~rc1'
 # The full version, including alpha/beta/rc tags.
-release = '0.12.0'
+release = '0.12.1~rc1'
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.

docs/set_up_admin_tails.rst

@@ -114,8 +114,8 @@ key:
 .. code:: sh
 
     cd ~/Persistent/securedrop/
-    git checkout 0.12.0
-    git tag -v 0.12.0
+    git checkout 0.12.1~rc1
+    git tag -v 0.12.1~rc1
 
 You should see ``Good signature from "SecureDrop Release Signing Key"`` in the
 output of that last command along with the fingerprint above.

install_files/ansible-base/group_vars/all/securedrop

@@ -2,7 +2,7 @@
 # Variables that apply to both the app and monitor server go in this file
 # If the monitor or app server need different values define the variable in
 # hosts_vars/app.yml or host_vars/mon.yml
-securedrop_app_code_version: "0.12.0"
+securedrop_app_code_version: "0.12.1~rc1"
 
 grsecurity: true
 install_local_packages: false

install_files/ansible-base/group_vars/securedrop_application_server.yml

@@ -7,7 +7,7 @@ ip_info:
 ### Used by the install_local_deb_pkgs role ###
 local_deb_packages:
   - "securedrop-keyring-0.1.2+{{ securedrop_app_code_version }}-amd64.deb"
-  - "securedrop-config-0.1.2+{{ securedrop_app_code_version }}-amd64.deb"
+  - "securedrop-config-0.1.3+{{ securedrop_app_code_version }}-amd64.deb"
   - "securedrop-ossec-agent-3.0.0+{{ securedrop_app_code_version }}-amd64.deb"
   - "{{ securedrop_app_code_deb }}.deb"
   - "ossec-agent-3.0.0-amd64.deb"

install_files/ansible-base/group_vars/securedrop_monitor_server.yml

@@ -7,7 +7,7 @@ ip_info:
 ### Used by the install_local_deb_pkgs role ###
 local_deb_packages:
   - "securedrop-keyring-0.1.2+{{ securedrop_app_code_version }}-amd64.deb"
-  - "securedrop-config-0.1.2+{{ securedrop_app_code_version }}-amd64.deb"
+  - "securedrop-config-0.1.3+{{ securedrop_app_code_version }}-amd64.deb"
   - "securedrop-ossec-server-3.0.0+{{ securedrop_app_code_version }}-amd64.deb"
   - ossec-server-3.0.0-amd64.deb
 

install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/changelog-trusty

@@ -1,3 +1,9 @@
+securedrop-app-code (0.12.1~rc1+trusty) trusty; urgency=medium
+
+  * See changelog.md 
+
+ -- SecureDrop Team <[email protected]>  Thu, 14 Mar 2019 13:45:10 +0000
+
 securedrop-app-code (0.12.0+trusty) trusty; urgency=medium
 
   * See changelog.md 

install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/changelog-xenial

@@ -1,3 +1,9 @@
+securedrop-app-code (0.12.1~rc1+xenial) xenial; urgency=medium
+
+  * See changelog.md 
+
+ -- SecureDrop Team <[email protected]>  Thu, 14 Mar 2019 13:45:16 +0000
+
 securedrop-app-code (0.12.0+xenial) xenial; urgency=medium
 
   * See changelog.md 

install_files/ansible-base/roles/common/defaults/main.yml

@@ -44,3 +44,8 @@ sysctl_flags:
     value: "1"
   - name: "net.ipv6.conf.lo.disable_ipv6"
     value: "1"
+
+unused_packages:
+  - libiw30
+  - wireless-tools
+  - wpasupplicant

install_files/ansible-base/roles/common/tasks/create_users.yml

@@ -23,17 +23,6 @@
     - users
     - sudoers
 
-- name: Set SecureDrop bash profile additions.
-  copy:
-    src: bashrc_securedrop_additions
-    dest: /etc/profile.d/securedrop_additions.sh
-    owner: root
-    group: root
-    mode: "0644"
-  tags:
-    - users
-    - environment
-
 # Backwards-compatibility. Previously, the SecureDrop bashrc additions
 # for forcing a terminal multiplexer during interactive login sessions were
 # added to ~/.bashrc for each admin user account. It's cleaner to add the

install_files/ansible-base/roles/common/tasks/main.yml

@@ -22,3 +22,5 @@
 - include: disable_swap.yml
 
 - include: remove_kernel_modules.yml
+
+- include: remove_unused_packages.yml

install_files/ansible-base/roles/common/tasks/remove_unused_packages.yml

@@ -0,0 +1,16 @@
+---
+- name: Remove unused packages
+  apt:
+    name: "{{ item }}"
+    state: absent
+  with_items: "{{ unused_packages }}"
+  tags:
+    - apt
+    - hardening
+
+- name: Remove dependencies that are no longer required
+  apt:
+    autoremove: yes
+  tags:
+    - apt
+    - hardening

install_files/ansible-base/securedrop-backup.yml

@@ -3,6 +3,8 @@
   hosts: securedrop_application_server
   max_fail_percentage: 0
   any_errors_fatal: yes
+  environment:
+    LC_ALL: C
   roles:
     - role: backup
       tags: backup

install_files/ansible-base/securedrop-logs.yml

@@ -4,6 +4,8 @@
   become: yes
   max_fail_percentage: 0
   any_errors_fatal: yes
+  environment:
+    LC_ALL: C
   vars:
     log_paths_reference:
       app:

install_files/ansible-base/securedrop-prod.yml

@@ -2,6 +2,8 @@
 ---
 - name: Ensure validation is run before prod install
   hosts: localhost
+  environment:
+    LC_ALL: C
   max_fail_percentage: 0
   any_errors_fatal: yes
   connection: local
@@ -10,6 +12,8 @@
 
 - name: Prepare servers for installation
   hosts: securedrop
+  environment:
+    LC_ALL: C
   gather_facts: no
   max_fail_percentage: 0
   any_errors_fatal: yes
@@ -19,6 +23,8 @@
 
 - name: Add FPF apt repository and install base packages.
   hosts: securedrop
+  environment:
+    LC_ALL: C
   max_fail_percentage: 0
   any_errors_fatal: yes
   pre_tasks:
@@ -49,6 +55,8 @@
 
 - name: Configure OSSEC.
   hosts: securedrop
+  environment:
+    LC_ALL: C
   max_fail_percentage: 0
   any_errors_fatal: yes
   roles:
@@ -58,6 +66,8 @@
 
 - name: Configure mailing utilities.
   hosts: securedrop_monitor_server
+  environment:
+    LC_ALL: C
   max_fail_percentage: 0
   any_errors_fatal: yes
   roles:
@@ -67,6 +77,8 @@
 
 - name: Configure SecureDrop Application Server.
   hosts: securedrop_application_server
+  environment:
+    LC_ALL: C
   max_fail_percentage: 0
   any_errors_fatal: yes
   roles:
@@ -81,6 +93,8 @@
   # connection. After that point the admin will to proxy traffic over tor.
 - name: Lock down firewall configuration for Application and Monitor Servers.
   hosts: securedrop
+  environment:
+    LC_ALL: C
   max_fail_percentage: 0
   any_errors_fatal: yes
   roles:
@@ -89,6 +103,8 @@
 
 - name: Reboot Application and Monitor Servers.
   hosts: securedrop
+  environment:
+    LC_ALL: C
   max_fail_percentage: 0
   any_errors_fatal: yes
   vars:

install_files/ansible-base/securedrop-restore.yml

@@ -3,6 +3,8 @@
   hosts: securedrop_application_server
   max_fail_percentage: 0
   any_errors_fatal: yes
+  environment:
+    LC_ALL: C
   roles:
     - role: restore
       tags: restore

install_files/ansible-base/securedrop-staging.yml

@@ -2,6 +2,8 @@
 ---
 - name: Scrape build directory
   hosts: localhost
+  environment:
+    LC_ALL: C
   max_fail_percentage: 0
   any_errors_fatal: yes
   tasks:
@@ -23,6 +25,8 @@
 
 - name: Prepare servers for installation
   hosts: staging
+  environment:
+    LC_ALL: C
   gather_facts: no
   max_fail_percentage: 0
   any_errors_fatal: yes
@@ -32,6 +36,8 @@
 
 - name: Add FPF apt repository and install base packages.
   hosts: staging
+  environment:
+    LC_ALL: C
   max_fail_percentage: 0
   any_errors_fatal: yes
   roles:
@@ -47,6 +53,8 @@
 
 - name: Configure OSSEC.
   hosts: staging
+  environment:
+    LC_ALL: C
   max_fail_percentage: 0
   any_errors_fatal: yes
   roles:
@@ -56,6 +64,8 @@
 
 - name: Configure mailing utilities.
   hosts: mon-staging
+  environment:
+    LC_ALL: C
   max_fail_percentage: 0
   any_errors_fatal: yes
   roles:
@@ -65,6 +75,8 @@
 
 - name: Configure SecureDrop Application Server.
   hosts: app-staging
+  environment:
+    LC_ALL: C
   max_fail_percentage: 0
   any_errors_fatal: yes
   roles:
@@ -77,6 +89,8 @@
   # and default false in production environments, in order to force SSH traffic over Tor.
 - name: Configure host firewalls (with direct access for staging).
   hosts: staging
+  environment:
+    LC_ALL: C
   max_fail_percentage: 0
   any_errors_fatal: yes
   roles:
@@ -85,6 +99,8 @@
 
 - name: Reboot Application and Monitor Servers.
   hosts: staging
+  environment:
+    LC_ALL: C
   max_fail_percentage: 0
   any_errors_fatal: yes
   roles:

install_files/ansible-base/securedrop-tails.yml

@@ -8,6 +8,8 @@
   any_errors_fatal: yes
   connection: local
   gather_facts: yes
+  environment:
+    LC_ALL: C
   roles:
     - role: tails-config
       tags: tails-config

install_files/securedrop-config/DEBIAN/control

@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: SecureDrop Team <[email protected]>
 Homepage: https://securedrop.org
 Package: securedrop-config
-Version: 0.1.2+0.12.0
+Version: 0.1.3+0.12.1~rc1
 Architecture: all
 Description: Establishes baseline system state for running SecureDrop.
  Configures apt repositories.

install_files/securedrop-config/etc/profile.d/securedrop_additions.sh

@@ -0,0 +1,22 @@
+[[ $- != *i* ]] && return
+
+which tmux >/dev/null 2>&1 || return
+
+tmux_attach_via_proc() {
+    # If the tmux package is upgraded during the lifetime of a
+    # session, attaching with the new binary can fail due to different
+    # protocol versions. This function attaches using the reference to
+    # the old executable found in the /proc tree of an existing
+    # session.
+    pid=$(pgrep --newest tmux)
+    if test -n "$pid"
+    then
+        /proc/$pid/exe attach
+    fi
+    return 1
+}
+
+if test -z "$TMUX"
+then
+    (tmux attach || tmux_attach_via_proc || tmux new-session)
+fi

install_files/securedrop-keyring/DEBIAN/control

@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: SecureDrop Team <[email protected]>
 Homepage: https://securedrop.org
 Package: securedrop-keyring
-Version: 0.1.2+0.12.0
+Version: 0.1.2+0.12.1~rc1
 Architecture: amd64
 Depends: gnupg
 Description: Provides an apt keyring for SecureDrop-related packages, so the master signing key used for SecureDrop packages can be updated via apt.

install_files/securedrop-ossec-agent/DEBIAN/control

@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: SecureDrop Team <[email protected]>
 Homepage: https://securedrop.org
 Package: securedrop-ossec-agent
-Version: 3.0.0+0.12.0
+Version: 3.0.0+0.12.1~rc1
 Architecture: amd64
 Depends: ossec-agent,securedrop-keyring,securedrop-config
 Replaces: ossec-agent