Enforce sd-svs-disp updates on login #341
Comments
For discussion purposes only, here are some example messages that could be shown to the user.
Screen 1
Screen 2
Screen 3
Screen 4 (error case)
|
Took a stab at adding a desktop file to Will do some more reading on the proper methods to run scripts at login in XFCE, both vanilla and under Qubes. |
@redshiftzero and I just discussed this a bit more. She made the point that even for the less critical templates, we want to eventually enforce updates (e.g., after a week or so if the admin hasn't run them manually yet). Eventual enforcement seems tricky, and it sounds like the recent improvements in #356 have reduced the update runtime to the 6 minutes vicinity for typical runs. <10 minutes feels like an acceptable typical on-boot update runtime during the beta to me. As an iteration on the current state, how do folks feel about the following:
If that plan sounds reasonable, what I'd like to discuss next is how/whether the native Qubes updater GUI fits into (2). |
Something I just thought about: if the only time the user is doing updates is on boot, what happens if they never shut down the workstation? I think we'll still want to have a daily cronjob (of course with better user messaging). |
I do this all the time except travel or kernel updates. |
How about something like this:
|
yea that sounds reasonable, screen 1 text will just need to be customized for the on-boot launch and mid-use case |
after the most recent discussions, @emkll and I worked on a design doc, this is to solidify what the functionality should be based on the security requirements: https://docs.google.com/document/d/1py8nM0eIMynsnDVa73c_Ev2UWxc3-qqetlQK-jLG04Y/edit# we want to ensure that we consider the cases where:
please take a look, comments and thoughts welcome! |
Thank you both for putting this together. :) I left a couple of comments in the doc. My biggest concern is with the >5 day scenario (see comment at the end) and with the complexity of the low capability mode, at least for beta. |
We'd like to use Qubes' native facilities for template updates to the greatest extent possible. This is freedomofpress/securedrop-updater#34. The native updater is an opt-in updater: it requires the user to actively launch the updater app.
Opt-in is not sufficient for the most security-sensitive template, sd-svs-disp, which is used for the creation of disposable VMs that contain viewer applications. In this case, we want to enforce updates.
This is a feature proposal to add an updater that launches on login in a manner that clearly indicates to the user that sd-svs-disp updates must be run before using the client.
Proposed Acceptance Criteria
Given that the SecureDrop Workstation has just been booted
When I log into Qubes with my username/password
Then I should see a dialog that informs me that security updates must be applied before using SecureDrop
And it should give me the option to start the update
And no updates should start until I choose this option
And it should not be trivially possible to dismiss this dialog
Given that the "update required" dialog is open
When I start the update
Then security updates should be applied to sd-svs-disp template
And it should be obvious when this process is ongoing
And it should be obvious when this process is completed.
User Stories
As a journalist user, I want to be informed clearly and succinctly about any steps I need to take before using the SecureDrop Workstation, so that I can focus on my work to the greatest extent possible.
As a journalist user, I want my system to be up-to-date with security updates, so my sources and I are secure.
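The acceptance criteria above amount to a fail-closed gate, sketched here as an added example that is not part of the original issue or the project's code. `UpdateGate`, `run_update` and `demo` are hypothetical names, and the updater is injected as a callable (an assumption) so the logic runs offline.

```python
import enum

class State(enum.Enum):
    REQUIRED = "update required"   # dialog shown at login, nothing started yet
    RUNNING = "update in progress"
    DONE = "update complete"
    FAILED = "update failed"       # error screen; client stays blocked

class UpdateGate:
    """Fail-closed login gate: the client is usable only after a successful update."""

    def __init__(self, run_update, template="sd-svs-disp"):
        self.run_update = run_update   # hypothetical callable: template name -> bool
        self.template = template
        self.state = State.REQUIRED
        self.log = []                  # (event, resulting state) history for auditing

    def _record(self, event):
        self.log.append((event, self.state))
        return self.state

    def dismiss(self):
        # Closing the dialog changes nothing: the state, and the block, remain.
        return self._record("dismiss")

    def start(self):
        # Updates begin only on explicit user action, from REQUIRED or FAILED (retry).
        if self.state not in (State.REQUIRED, State.FAILED):
            return self._record("start-ignored")
        self.state = State.RUNNING
        self._record("start")
        try:
            ok = bool(self.run_update(self.template))
        except Exception:
            ok = False                 # any updater crash counts as a failure
        self.state = State.DONE if ok else State.FAILED
        return self._record("finished")

    def client_allowed(self):
        return self.state is State.DONE

def demo():
    """Constructed run: first attempt fails, the retry succeeds."""
    results = iter([False, True])
    gate = UpdateGate(lambda template: next(results))
    gate.dismiss()
    before = gate.client_allowed()
    return before, gate.start(), gate.start(), gate.client_allowed()
```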