Merge remote-tracking branch 'origin/develop' into develop

.github/workflows/ci.yml

@@ -38,42 +38,60 @@ jobs:
 
   test-app:
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        ubuntu_version:
+          - focal
+          - noble
     steps:
       - uses: actions/checkout@v4
       - name: Build image
         run: |
-          DOCKER_BUILD_VERBOSE=true ./securedrop/bin/dev-shell true
+          UBUNTU_VERSION=${{ matrix.ubuntu_version }} DOCKER_BUILD_VERBOSE=true ./securedrop/bin/dev-shell true
       - name: Run application tests
         run: |
-          make test-app
+          UBUNTU_VERSION=${{ matrix.ubuntu_version }} make test-app
 
   test-functional:
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        ubuntu_version:
+          - focal
+          - noble
     steps:
       - uses: actions/checkout@v4
       - name: Build image
         run: |
-          DOCKER_BUILD_VERBOSE=true ./securedrop/bin/dev-shell true
+          UBUNTU_VERSION=${{ matrix.ubuntu_version }} DOCKER_BUILD_VERBOSE=true ./securedrop/bin/dev-shell true
       - name: Run functional tests
         run: |
-          make test-functional
+          UBUNTU_VERSION=${{ matrix.ubuntu_version }} make test-functional
 
   test-pageslayout:
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        ubuntu_version:
+          - focal
+          - noble
     steps:
       - uses: actions/checkout@v4
       - name: Build image
         run: |
-          DOCKER_BUILD_VERBOSE=true ./securedrop/bin/dev-shell true
+          UBUNTU_VERSION=${{ matrix.ubuntu_version }} DOCKER_BUILD_VERBOSE=true ./securedrop/bin/dev-shell true
       - name: Run page layout tests
         run: |
-          make test-pageslayout
+          UBUNTU_VERSION=${{ matrix.ubuntu_version }} make test-pageslayout
       - name: Validate HTML (informational)
         run: |
-          make validate-test-html || true
+          UBUNTU_VERSION=${{ matrix.ubuntu_version }} make validate-test-html || true
       - name: Validate accessibility (informational)
         run: |
-          make accessibility-summary || true
+          UBUNTU_VERSION=${{ matrix.ubuntu_version }} make accessibility-summary || true
 
   rust:
     runs-on: ubuntu-latest

admin/requirements-dev.txt

@@ -177,9 +177,9 @@ requests==2.26.0 \
     --hash=sha256:6c1246513ecd5ecd4528a0906f910e8f0f9c6b8ec72030dc9fd154dc1a6efd24 \
     --hash=sha256:b8aa58f8cf793ffd8782d3d8cb19e66ef36f7aba4353eec859e74678b01b07a7
     # via -r requirements-dev.in
-six==1.15.0 \
-    --hash=sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259 \
-    --hash=sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced
+six==1.16.0 \
+    --hash=sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926 \
+    --hash=sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254
     # via
     #   mock
     #   tox

admin/requirements-testinfra.txt

@@ -324,9 +324,9 @@ resolvelib==0.8.1 \
     --hash=sha256:c6ea56732e9fb6fca1b2acc2ccc68a0b6b8c566d8f3e78e0443310ede61dbd37 \
     --hash=sha256:d9b7907f055c3b3a2cfc56c914ffd940122915826ff5fb5b1de0c99778f4de98
     # via ansible-core
-six==1.15.0 \
-    --hash=sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259 \
-    --hash=sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced
+six==1.16.0 \
+    --hash=sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926 \
+    --hash=sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254
     # via
     #   -r requirements.in
     #   prompt-toolkit

admin/requirements.in

@@ -3,4 +3,4 @@ markupsafe>=1.1
 prompt_toolkit==2.0.9
 pyyaml>=6.0.1
 setuptools>=70.0.0
-six==1.15.0
+six>=1.16.0

admin/requirements.txt

@@ -238,9 +238,9 @@ resolvelib==0.8.1 \
     --hash=sha256:c6ea56732e9fb6fca1b2acc2ccc68a0b6b8c566d8f3e78e0443310ede61dbd37 \
     --hash=sha256:d9b7907f055c3b3a2cfc56c914ffd940122915826ff5fb5b1de0c99778f4de98
     # via ansible-core
-six==1.15.0 \
-    --hash=sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259 \
-    --hash=sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced
+six==1.16.0 \
+    --hash=sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926 \
+    --hash=sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254
     # via
     #   -r requirements.in
     #   prompt-toolkit

builder/Dockerfile

@@ -11,7 +11,6 @@ RUN apt-get -y update && apt-get upgrade -y && apt-get install -y \
         debhelper \
         devscripts \
         dh-python \
-        dh-systemd \
         gdb \
         git \
         gnupg2 \
@@ -27,7 +26,6 @@ RUN apt-get -y update && apt-get upgrade -y && apt-get install -y \
         python3-venv \
         python3-virtualenv \
         rsync \
-        sqlite \
         sudo \
         tzdata \
         libevent-dev \

changelog.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## 2.11.0~rc1
+
+## 2.10.1
+
+* Update translations (#7143, #7259)
+
 ## 2.10.0
 
 This release contains fixes for issues described in the most recent security audit by 7A Security, see

install_files/ansible-base/group_vars/all/securedrop

@@ -2,7 +2,7 @@
 # Variables that apply to both the app and monitor server go in this file
 # If the monitor or app server need different values define the variable in
 # hosts_vars/app.yml or host_vars/mon.yml
-securedrop_version: "2.10.0"
+securedrop_version: "2.11.0~rc1"
 securedrop_app_code_sdist_name: "securedrop-app-code-{{ securedrop_version | replace('~', '-') }}.tar.gz"
 
 grsecurity: true

install_files/ansible-base/roles/install-local-packages/tasks/install_debs.yml

@@ -7,22 +7,8 @@
     dest: /root/
   with_items: "{{ local_deb_packages }}"
 
-# Using a two-pass approach for installing local deb packages.
-# The first pass uses `apt`, which will intelligently resolve dependencies;
-# a useful attribute, particular for the initial provisioning run. On subsequent
-# runs, however, the apt module will skip installation, since the version in
-# the DEBIAN/control file hasn't changed.
+# Install all the packages we just copied using apt, which will resolve
+# dependencies for us. Use --reinstall to forcibly install them even if
+# the version is the same.
 - name: Install locally built deb packages (via apt).
-  apt:
-    deb: /root/{{ item.1 }}
-  ignore_errors: yes
-  with_indexed_items: "{{ local_deb_packages }}"
-
-# Using `dpkg` via `command` to ensure installation ensure installation
-# every time, regardless of whether packages changed. SecureDrop deb package
-# builds are not deterministic, so the `copy` task above will always report
-# changed. Once the `apt` task above has installed the packages, only the
-# `dpkg -i` calls will reinstall, ensuring the latest local code changes are used.
-- name: Install locally built deb packages (via dpkg).
-  command: dpkg -i /root/{{ item }}
-  with_items: "{{ local_deb_packages }}"
+  command: apt-get install --reinstall --yes /root/{{ local_deb_packages | join(' /root/') }}

molecule/shared/stable.ver

@@ -1 +1 @@
-2.10.0
+2.10.1

securedrop/bin/dev-deps

@@ -175,17 +175,20 @@ function reset_demo() {
 }
 
 function build_redwood() {
+    source /etc/os-release
     # For the demo, we build the wheel at container build time instead of
     # during launch, so skip this part
     if [[ -z "${SKIP_REDWOOD_BUILD:-}" ]]; then
         # Create a debug build of redwood and install it in the app-code virtualenv
         # TODO: add live reload support
         # We tell cargo to put its registry/crate cache and build cache in the target/ folder so
-        # it persists instead of being recreated from scratch each time the container starts.
+        # it persists instead of being recreated from scratch each time the container starts. The
+        # cache needs to be split across OS versions because it can't tell that it's supposed to
+        # link to a different libssl version.
         # n.b. we can't re-use the host's caches because of permission differences
         PATH="$PATH:/opt/cargo/bin/" \
         CARGO_HOME="${REPOROOT}/target/cargo-dev" \
-            python3 "${REPOROOT}/redwood/build-wheel.py" --redwood "${REPOROOT}/redwood" --target "${REPOROOT}/target/dev"
+            python3 "${REPOROOT}/redwood/build-wheel.py" --redwood "${REPOROOT}/redwood" --target "${REPOROOT}/target/dev-${VERSION_CODENAME}"
         /opt/venvs/securedrop-app-code/bin/pip install "${REPOROOT}"/redwood/redwood-*.whl
     fi
 }

securedrop/bin/dev-shell

@@ -13,6 +13,7 @@ USE_TOR="${USE_TOR:-}"
 USE_PODMAN="${USE_PODMAN:-}"
 SLIM_BUILD="${SLIM_BUILD:-}"
 DOCKER_RUN_ARGUMENTS="${DOCKER_RUN_ARGUMENTS:-}"
+UBUNTU_VERSION="${UBUNTU_VERSION:-focal}"
 
 # Allow opting into using podman with USE_PODMAN=1
 if  [[ -n "${USE_PODMAN}" ]]; then
@@ -57,6 +58,7 @@ function docker_image() {
            ${DOCKER_BUILD_ARGUMENTS:-} \
            --build-arg=USER_ID="$(id -u)" \
            --build-arg=USER_NAME="${USER:-root}" \
+           --build-arg=UBUNTU_VERSION="${UBUNTU_VERSION}" \
            -t "${1}" \
            --file "${TOPLEVEL}/securedrop/dockerfiles/focal/python3/${2}" \
            "${TOPLEVEL}/securedrop" > $out
@@ -122,6 +124,7 @@ function docker_run() {
 
     # The --shm-size argument sets up dedicated shared memory for the
     # container. Our tests can fail with the default of 64m.
+    echo "Starting ${UBUNTU_VERSION} container..."
     $DOCKER_BIN run $ci_env \
            --shm-size 2g \
            --rm \
@@ -144,10 +147,10 @@ function docker_run() {
            $DOCKER_RUN_ARGUMENTS "${1}" "${@:2}"
 }
 
-image="securedrop-slim-focal-py3"
+image="securedrop-slim-${UBUNTU_VERSION}-py3"
 docker_image "$image" "SlimDockerfile"
 if  [[ -z "${SLIM_BUILD}" ]]; then
-    image="securedrop-test-focal-py3"
+    image="securedrop-test-${UBUNTU_VERSION}-py3"
     docker_image "$image" "Dockerfile"
 fi
 

securedrop/debian/changelog

@@ -1,3 +1,15 @@
+securedrop (2.11.0~rc1+focal) focal; urgency=medium
+
+  * 
+
+ -- SecureDrop Team <[email protected]>  Tue, 22 Oct 2024 16:50:19 -0400
+
+securedrop (2.10.1+focal) focal; urgency=medium
+
+  * see changelog.md
+
+ -- SecureDrop Team <[email protected]>  Thu, 17 Oct 2024 12:04:45 -0700
+
 securedrop (2.10.0+focal) focal; urgency=medium
 
   * see changelog.md

securedrop/debian/control

@@ -2,7 +2,7 @@ Source: securedrop
 Section: web
 Priority: optional
 Maintainer: SecureDrop Team <[email protected]>
-Build-Depends: debhelper (>= 9), dh-python, python3-all, python3-setuptools, dh-systemd
+Build-Depends: debhelper (>= 9), dh-python, python3-all, python3-setuptools
 Homepage: https://securedrop.org
 Standards-Version: 4.5.1
 

securedrop/dockerfiles/focal/python3/Dockerfile

@@ -1,4 +1,5 @@
-FROM securedrop-slim-focal-py3
+ARG UBUNTU_VERSION=focal
+FROM securedrop-slim-${UBUNTU_VERSION}-py3
 
 RUN apt-get update  && apt-get install -y \
     libgtk2.0 devscripts xvfb x11vnc \
@@ -8,14 +9,14 @@ RUN apt-get update  && apt-get install -y \
     default-jdk \
     # For diffoscope:
     libarchive13 libmagic1 \
-    libasound2 libdbus-glib-1-2 libgtk2.0-0 libfontconfig1 libxrender1 \
+    libasound2-dev libdbus-glib-1-2 libgtk2.0-0 libfontconfig1 libxrender1 \
     libcairo-gobject2 libgtk-3-0 libstartup-notification0 npm && \
     npm install --global [email protected]
 
 # Current versions of the test browser software. Tor Browser is based
-# on a specific version of Firefox, noted in Help > About Tor Browser.
-# Ideally we'll keep those in sync.
-ENV FF_VERSION 115.3.1esr
+# on a specific version of Firefox - we download both for generic and TBB testing
+
+# We should use the version of geckodriver corresponding to the above Firefox version.
 ENV GECKODRIVER_VERSION v0.35.0
 
 # Import Tor release signing key
@@ -32,18 +33,20 @@ RUN TBB_VERSION=$(curl -s https://aus1.torproject.org/torbrowser/update_3/releas
     mkdir -p /root/.local/tbb && mv tor-browser /root/.local/tbb && \
     rm -f tor.keyring tor-browser-linux-x86_64-${TBB_VERSION}.tar.xz.asc tor-browser-linux-x86_64-${TBB_VERSION}.tar.xz
 
-# Import Mozilla release signing key
+
+# Import Mozilla release signing key and install the version of Firefox on which
+# Tor Browser is based
 ENV MOZILLA_RELEASE_KEY_FINGERPRINT "14F26682D0916CDD81E37B6D61B7B526D98F0353"
-RUN curl -s https://archive.mozilla.org/pub/firefox/releases/${FF_VERSION}/KEY | gpg2 --import -
 
-# Install the version of Firefox on which Tor Browser is based
-RUN curl -LO https://archive.mozilla.org/pub/firefox/releases/${FF_VERSION}/linux-x86_64/en-US/firefox-${FF_VERSION}.tar.bz2 && \
+RUN FF_VERSION=$(curl -s https://aus1.torproject.org/torbrowser/update_3/release/Linux_x86_64-gcc3/x/ALL | grep -oP '(?<=platformVersion=")[^"]*' | head -1)esr && \
+curl -s https://archive.mozilla.org/pub/firefox/releases/${FF_VERSION}/KEY | gpg2 --import - && \
+curl -LO https://archive.mozilla.org/pub/firefox/releases/${FF_VERSION}/linux-x86_64/en-US/firefox-${FF_VERSION}.tar.bz2 && \
     curl -LO https://archive.mozilla.org/pub/firefox/releases/${FF_VERSION}/linux-x86_64/en-US/firefox-${FF_VERSION}.tar.bz2.asc && \
     gpg2 --output ./mozilla.keyring --export ${MOZILLA_RELEASE_KEY_FINGERPRINT} && \
     gpgv --keyring ./mozilla.keyring firefox-${FF_VERSION}.tar.bz2.asc firefox-${FF_VERSION}.tar.bz2 && \
     tar xjf firefox-*.tar.bz2 && \
     mv firefox /usr/bin && \
-    rm -f firefox-${FF_VERSION}.tar.bz2.asc firefox-${FF_VERSION}.tar.bz2 
+    rm -f firefox-${FF_VERSION}.tar.bz2.asc firefox-${FF_VERSION}.tar.bz2
 
 # Install geckodriver
 RUN wget https://github.com/mozilla/geckodriver/releases/download/${GECKODRIVER_VERSION}/geckodriver-${GECKODRIVER_VERSION}-linux64.tar.gz && \

securedrop/dockerfiles/focal/python3/SlimDockerfile

@@ -1,5 +1,5 @@
-# ubuntu 20.04 image from 2022-10-19
-FROM ubuntu@sha256:450e066588f42ebe1551f3b1a535034b6aa46cd936fe7f2c6b0d72997ec61dbd
+ARG UBUNTU_VERSION=focal
+FROM ubuntu:${UBUNTU_VERSION}
 ARG USER_NAME
 ENV USER_NAME ${USER_NAME:-root}
 ARG USER_ID
@@ -9,7 +9,7 @@ RUN apt-get update && DEBIAN_FRONTEND=noninteractive TZ=Etc/UTC apt-get install
                        apache2-dev coreutils vim \
                        python3-pip python3-all python3-venv virtualenv python3-dev libssl-dev \
                        gnupg2 redis-server git curl wget jq \
-                       enchant libffi-dev sqlite3 gettext sudo tor basez pkg-config
+                       enchant-2 libffi-dev sqlite3 gettext sudo tor basez pkg-config
 
 # Install Rust using the same steps as <https://github.com/rust-lang/docker-rust>
 # 1) Download rustup-init and verify it matches hardcoded checksum
@@ -34,8 +34,11 @@ RUN python3 -m venv /opt/venvs/securedrop-app-code && \
     /opt/venvs/securedrop-app-code/bin/pip3 install --no-deps --require-hashes -r requirements/python3/test-requirements.txt && \
     /opt/venvs/securedrop-app-code/bin/pip3 install --no-deps --require-hashes -r requirements/python3/requirements.txt
 
+# noble ships with an `ubuntu` user that has id 1000, which conflicts with podman's ID mapping
+RUN if id ubuntu; then deluser ubuntu; fi
+
 RUN if test $USER_NAME != root ; then useradd --no-create-home --home-dir /tmp --uid $USER_ID $USER_NAME && echo "$USER_NAME ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers ; fi && \
-    chown -R $USER_NAME.$USER_NAME /opt/venvs/
+    chown -R $USER_NAME:$USER_NAME /opt/venvs/
 
 STOPSIGNAL SIGKILL
 

securedrop/pretty_bad_protocol/_meta.py

@@ -530,7 +530,8 @@ def _make_args(self, args, passphrase=False):  # type: ignore[no-untyped-def]
 
         if self.keyring:
             cmd.append("--no-default-keyring --keyring %s" % self.keyring)
-        if self.secring:
+        if self.secring and self.binary_version != "2.4.4":
+            # In GnuPG 2.4.4, --secret-keyring has no effect
             cmd.append("--secret-keyring %s" % self.secring)
 
         if passphrase:

securedrop/requirements/python3/develop-requirements.in

@@ -37,7 +37,7 @@ safety>2.2.0
 semgrep>=1.57.0
 setuptools>=70.0.0
 shellcheck-py
-six==1.15.0
+six>=1.16.0
 testinfra>=5.3.1
 translate-toolkit
 urllib3>=1.26.5

securedrop/requirements/python3/develop-requirements.txt

@@ -946,9 +946,9 @@ shellcheck-py==0.9.0.2 \
     --hash=sha256:bbaaba3044d266e793964e391c8caad4fcccafcd64e63de24e9b87a31a0c7aff \
     --hash=sha256:ddb9b9fd4750d726b9ac24df8b63599dc742c8749477bcdfd4ed639b22de21ae
     # via -r requirements/python3/develop-requirements.in
-six==1.15.0 \
-    --hash=sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259 \
-    --hash=sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced
+six==1.16.0 \
+    --hash=sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926 \
+    --hash=sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254
     # via
     #   -r requirements/python3/develop-requirements.in
     #   ansible-lint

securedrop/requirements/python3/requirements.in

@@ -1,4 +1,4 @@
-alembic
+alembic>=1.1.0,<1.1.1
 argon2_cffi>=20.1.0
 babel>=2.9.1
 cffi==1.16.0