Re: [Tails-dev] The future of Vagrant Tails builds [Was: Fwd…

Nachricht löschen

Nachricht beantworten
Autor: intrigeri
Datum:  
To: The Tails public development discussion list
Betreff: Re: [Tails-dev] The future of Vagrant Tails builds [Was: Fwd: Bug#753095: RFH: vagrant]
Hi,

BS wrote (03 Jul 2014 16:25:09 GMT) :
> I must admit, I'm pretty confused. I thought the docs stated that
> wheezy was the only environment which
> Tails would build in.


There are two different things here:

a) the *host* operating system
b) the system running in the VM that is *dedicated* to build Tails

(a) can very well run Wheezy.

(b) runs on (a). Our Vagrant basebox for (b) is still based on
Squeeze, but work is in progress (and almost completed) to update it
for Wheezy.

> If that's not the case, how is Tails building Tails?


I'm not aware of anyone doing this.

>> intrigeri wrote (29 Jun 2014 11:01:19 GMT) :
>> 1. Someone who maintains the package in Debian.


> Is that an absolute requirement?


Yes.

> What about downloading from vagrant's 'legacy' page


Quoting https://tails.boum.org/blueprint/replace_vagrant/ :

"Vagrant's upstream provides a .deb, but no proper source package
(they're using FPM). There's no strong cryptographic way to
authenticate this package after downloading it. We don't want to rely
on that package, nor to advertise it, for security reasons, and also
due to our policy to do things with/in Debian."

>> Any idea if there's a good alternative to Vagrant, that requires less
>> work from us? Would e.g. Docker be an option? Can Gitian be used
>> without Vagrant, e.g. thanks to its LXC backend?


> Docker is available in jessie, but not as a back port.


Indeed, we want to evaluate Docker: https://labs.riseup.net/code/issues/7530

> It's also limited to amd64 machines, because it uses go.


I don't think it's a blocker to require a 64-bit machine to
build Tails.

> Also, FWIW, the docker team says you shouldn't use docker
> in production.


Good to know, thanks.

> I assume Tails counts itself as "production"?


Yes, and no. Our usage of Docker, as far as this discussion is
concerned, would "only" be about developers machines and CI
infrastructure, and would not run on end-user systems.

> (also
> http://blog.docker.com/2013/08/containers-docker-how-secure-are-they/)


It's not a design goal of what we currently have with VirtualBox
(Vagrant) to have the basebox guest VM isolation secure the host
system against malicious code running as part of our build system.
Note that our build system runs as root in the guest VM. So, this
requirement doesn't really apply to Linux namespaces (Docker) either.

> 1) Rebuild the squeeze.box with the version of vagrant available on wheezy
>     This may resolve current box add issues on wheezy and may buy  some time. It does
> not seem like a permanent solution.


Yes, that's the short-term plan, and WIP :)

> 2) Move the vagrant related Rakefile code into the vagrant file or use  the vagrant
> CLI, where appropriate
>     This should allow for easier upgrades, and the opportunity to  explore other
> versions of vagrant


Before investing more time into Vagrant, I think we'll want to
investigate alternative solutions and decide if we want to go on
(#7526).

Cheers,
--
intrigeri