Add preliminary Focal packages to apt-test

[eloquence]

As part of adding Focal support to SecureDrop (freedomofpress/securedrop#4768), we must host the following packages on apt-test.freedom.press to support the staging environment:

• All SecureDrop packages created by make build-debs-focal once Adds package builds for Focal  securedrop#5465 is merged
• The linux kernel images required by the grsec metapackage, as of this writing [1] These kernel images can be copied from the Xenial distribution in this repo:
  • linux-image-4.14.188-grsec-securedrop_4.14.188-grsec-securedrop-1_amd64.deb
  • linux-image-4.14.175-grsec-securedrop_4.14.175-grsec-securedrop-1_amd64.deb
• A focal build for tor and tor-geoipdb as provided by Tor's apt servers - Add Focal support to fetch-tor-packages target securedrop#5481

[1] https://github.com/freedomofpress/securedrop/blob/da6aed84d06a9531af43067854dbc2173fd80906/install_files/ansible-base/group_vars/all/securedrop#L44

[conorsch]

All SecureDrop packages created by make build-debs-focal once freedomofpress/securedrop#5465 is merged

I don't see this as a hard requirement, since the staging environments will install these packages from local debs. We absolutely need the tor & kernel packages for a staging environment to work, so will do those first.

[conorsch]

We definitely need the securedrop-grsec metapackage for the SD staging environment. Looks like that doesn't currently have a platform-specific version string, so we may need to adjust the repo logic to support reusing the same package across multiple channels.

[conorsch]

Tested serving the securedrop-grsec package via reprepro locally, by naively copying in the same xenial-built deb into the core/focal/ directory, then rerunning the publish logic. A local focal container was able to pick up the listing just fine, so it apepars we don't have more complicated logic to implement here.

[conorsch]

Jotting a few notes here in case we need to do this again in the future. In order to spin up a local apt repo to evaluate behavior:

1. Pull in tools/publish script from prod repo: https://github.com/freedomofpress/securedrop-debian-packages-lfs/blob/main/tools/publish
2. sed -i '/SignWith/d' repo/conf/distributions

Then add the following files:

 $ tree docker/
docker/
├── apt-repo.conf
├── apt-repo-focal.list
└── apt-repo-xenial.list

0 directories, 3 files
$ cat docker/apt-repo.conf 
Acquire::AllowInsecureRepositories "true";
Acquire::AllowDowngradeToInsecureRepositories "true";
APT::Get::AllowUnauthenticated "true";
$ cat docker/apt-repo-focal.list 
deb file:///repo focal main
$ cat tools/run-repo 
#!/bin/bash
set -e
set -u
set -o pipefail

echo "Preparing XENIAL repo"
docker run \
    -v "$PWD/repo/public:/repo:ro" \
    -v "$PWD/docker/apt-repo-xenial.list:/etc/apt/sources.list.d/apt-local.list" \
    -v "$PWD/docker/apt-repo.conf:/etc/apt/apt.conf.d/apt-local.conf" \
    -it ubuntu:xenial bash -c "apt-get update && apt-cache policy securedrop-grsec"

echo "Preparing FOCAL repo"
docker run \
    -v "$PWD/repo/public:/repo:ro" \
    -v "$PWD/docker/apt-repo-focal.list:/etc/apt/sources.list.d/apt-local.list" \
    -v "$PWD/docker/apt-repo.conf:/etc/apt/apt.conf.d/apt-local.conf" \
    -it ubuntu:focal bash -c "apt-get update && apt-cache policy securedrop-grsec"

The volume mounts allow for an unauthenticated apt source inside the container, suitable only for testing.

[eloquence]

Note that we are still missing the result of make build-debs-focal on https://apt-test.freedom.press/ . This is gated on changes required to get a grsec-patched kernel to work on Focal.

[conorsch]

Since #62 got merged, we're now unblocked for evaluating kernel behavior on Focal. The remaining packages, i.e. "the result of make build-debs-focal" aren't required for a staging VM environment, since the staging environment installs the packages locally. Agreed that we should still build and publish to apt-test, just clarifying that it's not a strict blocker right now.

[eloquence]

So we can get the staging environment fully working. work on the kernel metapackage will continue during the 9/17-10/1 sprint, while uploading other packages is something we'll defer to for later for now.

[emkll]

As @conorsch states in #59 (comment), the securedrop-specific packages (the output of make build-debs-focal) still need to be added to this repository, in order to unblock testing on hardware instances, tracked in freedomofpress/securedrop#5663

[eloquence]

With #77 merged, is anything still left to do here?

[conorsch]

#77 absolutely resolved, my mistake in not cross-linking for automatic close.