Bug #16068

Have a repo for the Etcher binary

Added by sajolida 2018-10-21 21:48:54 . Updated 2019-01-02 18:27:02 .

Status: Resolved
Priority: Elevated
Assignee:
Category: Installation
Target version:
Start date: 2018-10-21
Due date:
% Done: 100%
Feature Branch:
Type of work: Sysadmin
Blueprint:
Starter:
Affected tool:
Deliverable for: 316

Description

Similarly to what we’re currently doing for UUI, I think we should have a repo for the Etcher binary.

See https://git.tails.boum.org/uui-binary/.

It would:

  1. Provide us with a stable URL to download the binaries. Right now, the URLs used by Etcher or their GitHub include the version number.
  2. Give stability to the version used by our users and make sure that they are running what is documented.
  3. Help us spot whenever their interface changes and we need to update our documentation.
  4. Possibly prevent Etcher or GitHub from distributing rogue downloads to Tails users (that could be identified through the referrer). We could check that the version of Etcher that we are distributing produces the correct result (something that is not possible so far with UUI).

Note that we could achieve #1 and #2 by pointing to a given release version in GitHub. To have #3 we would have to test new versions by hand, like I’ve been doing for UUI.

If we don’t want to have our own repo and always point to the latest version, we could ask Etcher to provide a stable link or write some code on our side.

Assigning to intrigeri as sysadmin/RM with more hours on the USB image project: what do you think?


Related issues

Related to Tails - Feature #9893: Have a Git repo for UUI under our control Resolved 2015-08-04
Blocks Tails - Feature #16199: Publish a beta for USB images Resolved 2018-12-07
Blocks Tails - Feature #16192: Upload and serve our copy of the Etcher binary Resolved 2018-12-06

History

#1 Updated by sajolida 2018-10-21 22:01:07

  • related to Feature #9893: Have a Git repo for UUI under our control added

#2 Updated by sajolida 2018-10-21 22:02:48

Also, right now we have an underlay for UUI (served on https://tails.boum.org/uui/Universal-USB-Installer.exe). I don’t remember why we did that… Shall we have one for Etcher as well?

#3 Updated by sajolida 2018-10-21 22:09:10

  • Description updated

#4 Updated by intrigeri 2018-10-24 16:45:59

  • Assignee changed from intrigeri to bertagaz

> Also, right now we have an underlay for UUI (served on https://tails.boum.org/uui/Universal-USB-Installer.exe). I don’t remember why we did that… Shall we have one for Etcher as well?

If we want to serve the files under https://tails.boum.org/, we need that.

Reassigning to the sysadmin on duty at the time of your request.

#5 Updated by Anonymous 2018-11-05 12:06:42

  • related to Bug #16098: Inline installation deprecated in Chrome 71 added

#6 Updated by Anonymous 2018-11-05 12:06:48

  • related to deleted (Bug #16098: Inline installation deprecated in Chrome 71)

#7 Updated by sajolida 2018-12-06 11:14:05

  • Deliverable for set to 316

Making this part of Sponsor_I_2018 so it’s on everybody’s radar.

#8 Updated by sajolida 2018-12-06 11:16:35

  • Subject changed from Have a repo for Etcher binary to Have a repo for the Etcher binary
  • Status changed from New to Confirmed
  • Priority changed from Normal to Elevated

#9 Updated by sajolida 2018-12-07 13:06:45

  • Target version set to Tails_3.11

#10 Updated by sajolida 2018-12-07 13:08:59

  • QA Check deleted (Info Needed)

#11 Updated by intrigeri 2018-12-07 13:31:03

#12 Updated by intrigeri 2018-12-07 13:31:07

  • blocks Feature #16192: Upload and serve our copy of the Etcher binary added

#13 Updated by sajolida 2018-12-07 13:34:16

bertagaz: I’ll need this ready by December 15. Do you think you can make it?

#14 Updated by intrigeri 2018-12-16 11:43:07

  • Target version changed from Tails_3.11 to Tails_3.12

#18 Updated by bertagaz 2018-12-30 15:19:59

  • Assignee changed from bertagaz to sajolida
  • QA Check set to Ready for QA

intrigeri wrote:
> Yes (it’ll be an underlay of our website so the same constraints as for UUI apply :)

OK thanks. That’s what I thought but wanted to be sure.

I’ve created the repo on lizard and immerda, assigning back to sajolida. Please close the ticket if it works for you (and sorry again for the delay).

#19 Updated by bertagaz 2018-12-30 17:09:30

bertagaz wrote:
> I’ve created the repo on lizard and immerda, assigning back to sajolida. Please close the ticket if it works for you (and sorry again for the delay).

The repo is named etcher-binary btw.

#20 Updated by sajolida 2018-12-30 19:18:02

  • Assignee changed from sajolida to bertagaz
  • QA Check changed from Ready for QA to Dev Needed

Ok, I could clone the repo and push the first version of the binaries we’ll serve (6257473).

But I can’t see them on git.tails.boum.org:

https://git.tails.boum.org/etcher-binary

I also still don’t remember why we decided to have an overlay for UUI. I understand that the overlay is needed to serve the files under tails.boum.org, but I don’t understand why we want to serve from tails.boum.org either as git.tails.boum.org already has HTTPS.

Sooooo, I still need a bit more help from you to either:

  • Fix the download from git.tails.boum.org if we can’t find why serving from tails.boum.org would be better.
  • Install an overlay on tails.boum.org.

I need to be able to give people a direct HTTPS URL to download these binaries, not a Git repo.

#21 Updated by bertagaz 2018-12-31 13:10:12

  • Assignee changed from bertagaz to sajolida
  • QA Check changed from Dev Needed to Ready for QA

sajolida wrote:
> Ok, I could clone the repo and push the first version of the binaries we’ll serve (6257473).
>
> But I can’t see them on git.tails.boum.org:
>
> https://git.tails.boum.org/etcher-binary

Ooops.

> I also still don’t remember why we decided to have an overlay for UUI. I understand that the overlay is needed to serve the files under tails.boum.org, but I don’t understand why we want to serve from tails.boum.org either as git.tails.boum.org already has HTTPS.

That I can’t help, I have no idea. Maybe because even if immerda are nice people, they still are a third party?

> Sooooo, I still need a bit more help from you to either:
>
> * Fix the download from git.tails.boum.org if we can’t find why serving from tails.boum.org would be better.
> * Install an overlay on tails.boum.org.
>
> I need to be able to give people a direct HTTPS URL to download these binaries, not a Git repo.

My bad, I did not set this overlay so I forgot a step. The hooks are now in place in lizard’s repo so any push from you now should update the immerda repo and ping the website to update the overlay. Hopefully. :)

Tell me if there’s still some problem.

#22 Updated by intrigeri 2019-01-02 07:50:40

First, note that what we’re using here are underlays, not overlays. That difference matters a lot when discussing the security of this setup :)

>> I also still don’t remember why we decided to have an overlay for UUI. I understand that the overlay is needed to serve the files under tails.boum.org, but I don’t understand why we want to serve from tails.boum.org either as git.tails.boum.org already has HTTPS.

> That I can’t help, I have no idea. Maybe because even if immerda are nice people, they still are a third party?

I don’t remember either (perhaps back then git.tails.b.o had no valid SSL certificate? maybe it’s documented in the design doc or in some ticket?) but either way, it seems cheaper to do the same for Etcher than to re-do the security analysis.

> The hooks are now in place in lizard’s repo so any push from you now should update the immerda repo and ping the website to update the overlay. Hopefully. :)

bertagaz: tails::website and thus ikiwiki had no clue that this underlay existed and shall be used so this would not work. Fixed in puppet-tails, deployed.

sajolida: in the etcher-binary repo the files were in the root directory, while according to the USB image doc we want links such as https://tails.boum.org/etcher/Etcher.dmg ⇒ we need to move the files to an etcher sub-directory for this URL to work, just like what we’ve been doing in the uui-binary repo. I’ve fixed it and the link to the DMG now works fine. But FWIW, I see no link to Etcher-Portable.exe in feature/15292-usb-image.

#23 Updated by intrigeri 2019-01-02 07:51:23

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 80

#24 Updated by bertagaz 2019-01-02 10:41:58

intrigeri wrote:
> bertagaz: tails::website and thus ikiwiki had no clue that this underlay existed and shall be used so this would not work. Fixed in puppet-tails, deployed.

Ack, noted. Thanks for the catchup.

#25 Updated by sajolida 2019-01-02 17:18:44

Thanks bertagaz for the underlay. Both links work fine now.

> First, note that what we’re using here are underlays, not overlays.

Makes sense :)

> I don’t remember either (perhaps back then git.tails.b.o had no valid SSL certificate? maybe it’s documented in the design doc or in some ticket?)

I looked already and couldn’t find anything, thus my questioning.

> it seems cheaper to do the same for Etcher than to re-do the security analysis.

Ok, I didn’t know it was that cheap to have one for Etcher and thought that we might save you some work.

> we need to move the files to an etcher sub-directory for this URL to work

Thanks for fixing this!

> I see no link to Etcher-Portable.exe in feature/15292-usb-image.

Fixed in etcher-binary.git:30967bfff6.

#26 Updated by sajolida 2019-01-02 17:19:29

  • Status changed from In Progress to Resolved
  • Assignee deleted (sajolida)
  • QA Check deleted (Ready for QA)

#27 Updated by intrigeri 2019-01-02 17:28:22

>> I see no link to Etcher-Portable.exe in feature/15292-usb-image.

> Fixed in etcher-binary.git:30967bfff6.

I can’t see that. I suspect you did not push, or got the wrong remote configured. FYI the canonical remote is on the same server as tails.git.

#28 Updated by intrigeri 2019-01-02 17:29:10

  • Status changed from Resolved to In Progress
  • Assignee set to sajolida
  • % Done changed from 80 to 90

#29 Updated by sajolida 2019-01-02 17:51:20

  • Assignee changed from sajolida to intrigeri
  • QA Check set to Ready for QA

Oops, I meant tails.git:30967bfff6!

#30 Updated by intrigeri 2019-01-02 17:54:50

  • Assignee changed from intrigeri to sajolida

> Oops, I meant tails.git:30967bfff6!

OK, I see this one :)

I’m still surprised we don’t link to the Windows binary from our USB image branch. If that’s not on purpose, perhaps we need another ticket.

#31 Updated by sajolida 2019-01-02 18:03:47

  • Assignee changed from sajolida to intrigeri

I pushed tails.git:30967bfff6 now.

#32 Updated by intrigeri 2019-01-02 18:27:02

  • Status changed from In Progress to Resolved
  • Assignee deleted (intrigeri)
  • % Done changed from 90 to 100
  • QA Check changed from Ready for QA to Pass

It all makes sense to me now, thanks!