Bug #17315
Check if APT snapshots expiration date (post-4.5) is still far away enough
0%
Description
Here’s what our snapshot expiration dates look like:
config/APT_snapshots.d:
* Archive 'debian' uses snapshot '2019111801' which expires on: Sat, 16 May 2020 08:44:51 +0000
* Archive 'debian-security' uses snapshot 'latest' which expires on: never
* Archive 'torproject' uses snapshot '2019100904' which expires on: Sun, 19 Apr 2020 13:57:39 +0000
---
vagrant/definitions/tails-builder/config/APT_snapshots.d:
* Archive 'debian' uses snapshot '2019100904' which expires on: Sun, 19 Apr 2020 13:57:44 +0000
* Archive 'debian-security' uses snapshot '2019100904' which expires on: Sun, 19 Apr 2020 13:57:50 +0000
* Archive 'tails' uses snapshot '2019102001' which expires on: Fri, 17 Apr 2020 08:06:53 +0000
---
which should expire after the next major release. Right now, it’s schedule in early April, but I don’t think we’re that certain of Mozilla’s calendar and our own. So maybe we should bump those by a month or two just to be on the safe side?
Subtasks
History
#1 Updated by intrigeri 2019-12-12 07:57:05
- Target version set to Tails_4.3
> […] which should expire after the next major release. Right now, it’s schedule in early April, but I don’t think we’re that certain of Mozilla’s calendar and our own. So maybe we should bump those by a month or two just to be on the safe side?
I appreciate that you have such failure modes in mind.
I propose we come back to it in a couple months. By then, we’ll have more info about:
- Whether we’ve already bumped these snapshots, e.g. to get a Buster point release or a kernel upgrade.
- Whether we’ll put out a major release earlier than April (e.g. with overlayfs).
#2 Updated by intrigeri 2020-01-28 09:41:10
- Subject changed from Checking snapshot expiration for 4.1 vs. 4.5 to Check if APT snapshots expiration date (post-4.5) is still far away enough
- Target version changed from Tails_4.3 to Tails_4.4
I’ll have more info about this once 4.3 is out (Feature #17443) and later in February (once segfault and I have resumed work on overlayfs & friends).
#3 Updated by intrigeri 2020-02-23 07:38:16
- Status changed from Confirmed to Needs Validation
- Assignee changed from intrigeri to CyrilBrulebois
FTR, on our stable branch we currently use:
config/APT_snapshots.d:
debian/ debian-security/ .placeholder torproject/
* Archive 'debian' uses snapshot '2020020902' which expires on: Mon, 08 Jun 2020 15:51:21 +0000
* Archive 'debian-security' uses snapshot 'latest' which expires on: never
* Archive 'torproject' uses snapshot '2020020402' which expires on: Thu, 04 Jun 2020 07:05:54 +0000
---
vagrant/definitions/tails-builder/config/APT_snapshots.d:
debian/ debian-security/ .placeholder tails/
* Archive 'debian' uses snapshot '2019100904' which expires on: Sun, 19 Apr 2020 13:57:44 +0000
* Archive 'debian-security' uses snapshot '2019100904' which expires on: Sun, 19 Apr 2020 13:57:50 +0000
* Archive 'tails' uses snapshot '2019102001' which expires on: Fri, 17 Apr 2020 08:06:53 +0000
That is:
- snapshots used for the Vagrant box expire 10 days after the 4.5 planned release date; according to the current plan, they’ll be bumped at 4.5 code freeze time late March; but if for whatever reason we change our mind and decide that 4.5 is not a major release, then these snapshots will expire before the next time we would bump them (likely: 4.6~rc1); this gives us very little margin to cope with change so I’ve bumped the expiration date for these snapshots to June 7, i.e. post-4.7.
- snapshots used for the rest of the build expire 2 days after the 4.7 planned release date; that’s a pretty comfortable margin already, and most likely they’ll be updated again in the meantime (
Bug #17477and upcoming similar changes), so I’m not concerned.
So we now have this:
config/APT_snapshots.d:
debian/ debian-security/ .placeholder torproject/
* Archive 'debian' uses snapshot '2020020902' which expires on: Mon, 08 Jun 2020 15:51:21 +0000
* Archive 'debian-security' uses snapshot 'latest' which expires on: never
* Archive 'torproject' uses snapshot '2020020402' which expires on: Thu, 04 Jun 2020 07:05:54 +0000
---
vagrant/definitions/tails-builder/config/APT_snapshots.d:
debian/ debian-security/ .placeholder tails/
* Archive 'debian' uses snapshot '2019100904' which expires on: Sun, 07 Jun 2020 07:34:56 +0000
* Archive 'debian-security' uses snapshot '2019100904' which expires on: Sun, 07 Jun 2020 07:35:11 +0000
* Archive 'tails' uses snapshot '2019102001' which expires on: Sun, 07 Jun 2020 07:35:22 +0000
To me, this now looks like a good trade-off between “our code & release process are resilient vs. unplanned release schedule changes” and “disk space usage”. What do you think?
#4 Updated by CyrilBrulebois 2020-02-24 08:26:09
I’d tend to think “LGTM”.
Just to make sure I understand what happens in case something goes bad: I suppose we have up until the expiration date of a given snasphot to bump its expiration date? After that, it gets GC’d, and it can only be restored from backups?
#5 Updated by intrigeri 2020-02-24 08:48:17
> Just to make sure I understand what happens in case something goes bad: I suppose we have up until the expiration date of a given snasphot to bump its expiration date? After that, it gets GC’d, and it can only be restored from backups?
Exactly!
#6 Updated by CyrilBrulebois 2020-02-24 09:10:37
- Status changed from Needs Validation to Resolved
OK, thanks.
Switching to `Resolved` then; I might open other such tickets if unsure during the next few release processes.
#7 Updated by intrigeri 2020-02-24 09:22:04
> Switching to `Resolved` then
:)
> I might open other such tickets if unsure during the next few release processes.
Great, please do!