Add EOL warning and disable Source Interface on instances running Ubuntu 16.04 after April 30 #5688

Closed
eloquence opened this issue Jan 5, 2021 · 6 comments · Fixed by #5789

@eloquence
Member

As we did with Trusty (#4325), for security reasons, we'll want to disable the use of the Source Interface on instances that are running on Ubuntu 16.04 after its end-of-life (April 30, 2021). Support for Ubuntu 20.04 is expected to ship with SecureDrop 1.8.0 (tentatively scheduled for 2021-02-23).

See #4305 and #4325 for previous discussions regarding the language for the message displayed on the Source Interface. If there is no reason to modify this language, we may be able to re-use translations.

@eloquence
Member Author

(If we stick to a 6-8 week cadence, there's a good chance there'll be another release before April 30, so not strictly a release blocker for 1.8.0.)

@eloquence changed the title from "Disable Source Interface on instances running Ubuntu 16.04 after April 30" to "Add EOL warning and disable Source Interface on instances running Ubuntu 16.04 after April 30" on Feb 2, 2021
@eloquence
Member Author

eloquence commented Feb 2, 2021

@emkll and I discussed this a bit today. All things considered, we agreed it would be ideal to update the warning messaging for 1.8.0, to ensure that all admins are reminded about the Ubuntu 20.04 upgrade as soon as it's possible to migrate. This also avoids boxing us in for the 1.9.0 release schedule.

Functionally, this could be done as follows:

  1. Updating the current v2/v3 messaging (i.e. what was implemented in "Updates v3 warnings with varying messages based on instance configs", #5679) and pointing it to the combined EOL advisory
  2. Updating the advisory with links to additional documentation as we publish it
  3. Including similar code to "Disable Source Interface for Trusty when Trusty is end-of-life" (#4325) to disable the Source Interface on Ubuntu 16.04 instances after April 30.

Open Q: How should the messaging differ, depending on instance state?

  • v2-only, Ubuntu 16.04
  • v2/v3, Ubuntu 16.04
  • v3-only, Ubuntu 16.04

(No messages should be displayed on Ubuntu 20.04, which is v3-only.)

@eloquence
Member Author

@creviera has committed to work on this. For now we've agreed that for the 1.8.0 release, we can

  • Remove all banners related to v2/v3 (if folks haven't done it yet by March, they can do it as part of the Ubuntu migration)
  • Display a single banner that informs people about the April 30 end-of-life
  • Implement the logic to disable the Source Interface after April 30

Essentially, we will want to replicate the functionality previously implemented in #4325 and #4055. Perhaps we can have a quick check-in if we want to stick to previous messaging/styling choices.
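
The gating described in the comment above (no message on Ubuntu 20.04, an EOL banner on Ubuntu 16.04, the Source Interface disabled after April 30), as an added example that is not part of the thread and not SecureDrop's own code. The function names, the state strings and the use of os-release text as input are assumptions; the two sample inputs are constructed.

```python
from datetime import date

# Values from the thread: Ubuntu 16.04 reaches end-of-life on April 30, 2021.
XENIAL_VERSION_ID = "16.04"
XENIAL_EOL = date(2021, 4, 30)

# Constructed os-release(5) samples, not captured from a real instance.
XENIAL_SAMPLE = 'NAME="Ubuntu"\nID=ubuntu\nVERSION_ID="16.04"\n'
FOCAL_SAMPLE = '# constructed\nNAME="Ubuntu"\nID=ubuntu\nVERSION_ID="20.04"\n'


def parse_os_release(text):
    """Parse KEY=value lines into a dict, skipping comments and stripping quotes."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip().strip('"').strip("'")
    return fields


def source_interface_state(os_release_text, today):
    """Return 'ok' (no message), 'warn' (EOL banner) or 'disabled' (offline page)."""
    fields = parse_os_release(os_release_text)
    on_xenial = (
        fields.get("ID") == "ubuntu"
        and fields.get("VERSION_ID") == XENIAL_VERSION_ID
    )
    if not on_xenial:
        return "ok"  # e.g. Ubuntu 20.04: nothing is displayed
    if today > XENIAL_EOL:
        return "disabled"  # strictly after April 30
    return "warn"  # on or before April 30: banner only


if __name__ == "__main__":
    for day in (date(2021, 4, 30), date(2021, 5, 1)):
        print(day, source_interface_state(XENIAL_SAMPLE, day))
    print("focal", source_interface_state(FOCAL_SAMPLE, date(2021, 5, 1)))
```

The date is passed in as an argument so that both sides of the cutoff can be tested without changing the system clock.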

@eloquence
Member Author

eloquence commented Feb 4, 2021

For the "Learn More" link, I've set up https://securedrop.org/xenial-eol, which redirects to our current advisory blog post. My suggestion would be to keep that advisory up-to-date as we add more instructions, instead of creating a new one.

@sssoleileraaa
Contributor

So we're okay with this language on a disabled Source Interface:

We're sorry, our SecureDrop is currently offline.

Please try again later. Check our website for more information.

With the benefit of reusing previous translations?

@emkll
Contributor

emkll commented Feb 10, 2021

The existing language seems clear to me, barring any objections from you @creviera.

As for the translations, it seems likely that these strings were never actually translated: the original change was merged to develop and introduced in 0.12.2 (https://github.com/freedomofpress/securedrop/commits/release/0.12.2) and it seems like no translations were done for 0.12.2, and the disabling logic was very swiftly removed from the develop branch: less than 2 weeks later in https://github.com/freedomofpress/securedrop/pull/4416/files
