Bootstrap Rust project for noble-migration scripts

Establish a folder where we can build Rust binaries that will be shipped in the securedrop-config deb. That package is now architecture-dependent and only built for amd64. We are using Rust because a statically compiled binary is going to be the most robust option during a system upgrade when Python itself is being removed and installed (not to mention all the other Rust benefits).
freedomofpress · Nov 21, 2024 · 105a171 · 105a171
1 parent f006815
commit 105a171
Show file tree

Hide file tree

Showing 10 changed files with 32 additions and 8 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,7 @@
 [workspace]
 
 members = [
+    "noble-migration",
     "redwood",
 ]
 

diff --git a/builder/build-debs-securedrop.sh b/builder/build-debs-securedrop.sh
@@ -11,8 +11,10 @@ set -euxo pipefail
 
 # Make a copy of the source tree since we do destructive operations on it
 cp -R /src/securedrop /srv/securedrop
-cp -R /src/redwood /srv/redwood
-cp /src/Cargo.lock /srv/redwood/
+mkdir /srv/rust
+cp -R /src/noble-migration /srv/rust/noble-migration
+cp -R /src/redwood /srv/rust/redwood
+cp /src/Cargo.{toml,lock} /srv/rust/
 cd /srv/securedrop/
 
 # Control the version of setuptools used in the default construction of virtual environments

diff --git a/install_files/ansible-base/group_vars/securedrop_application_server.yml b/install_files/ansible-base/group_vars/securedrop_application_server.yml
@@ -7,7 +7,7 @@ ip_info:
 ### Used by the install_local_deb_pkgs role ###
 local_deb_packages:
   - "securedrop-keyring_0.2.2+{{ securedrop_version }}+{{ securedrop_target_distribution }}_all.deb"
-  - "securedrop-config_{{ securedrop_version }}+{{ securedrop_target_distribution }}_all.deb"
+  - "securedrop-config_{{ securedrop_version }}+{{ securedrop_target_distribution }}_amd64.deb"
   - "securedrop-ossec-agent_3.6.0+{{ securedrop_version }}+{{ securedrop_target_distribution }}_all.deb"
   - "{{ securedrop_app_code_deb }}.deb"
   - "ossec-agent_3.6.0+{{ securedrop_target_distribution }}_amd64.deb"

diff --git a/install_files/ansible-base/group_vars/securedrop_monitor_server.yml b/install_files/ansible-base/group_vars/securedrop_monitor_server.yml
@@ -7,7 +7,7 @@ ip_info:
 ### Used by the install_local_deb_pkgs role ###
 local_deb_packages:
   - "securedrop-keyring_0.2.2+{{ securedrop_version }}+{{ securedrop_target_distribution }}_all.deb"
-  - "securedrop-config_{{ securedrop_version }}+{{ securedrop_target_distribution }}_all.deb"
+  - "securedrop-config_{{ securedrop_version }}+{{ securedrop_target_distribution }}_amd64.deb"
   - "securedrop-ossec-server_3.6.0+{{ securedrop_version }}+{{ securedrop_target_distribution }}_all.deb"
   - ossec-server_3.6.0+{{ securedrop_target_distribution }}_amd64.deb
 

diff --git a/noble-migration/Cargo.toml b/noble-migration/Cargo.toml
@@ -0,0 +1,6 @@
+[package]
+name = "noble-migration"
+version = "0.1.0"
+edition = "2021"
+
+[dependencies]
diff --git a/noble-migration/src/main.rs b/noble-migration/src/main.rs
@@ -0,0 +1,3 @@
+fn main() {
+    println!("Hello, world!");
+}
diff --git a/securedrop/debian/control b/securedrop/debian/control
@@ -14,8 +14,8 @@ Depends: ${dist:Depends}, ${misc:Depends}, ${python3:Depends}, ${apparmor:Depend
 Description: SecureDrop application code, dependencies, Apache configuration, systemd services, and AppArmor profiles. This package will put the AppArmor profiles in enforce mode.
 
 Package: securedrop-config
-Architecture: all
-Depends: unattended-upgrades, update-notifier-common
+Architecture: amd64
+Depends: ${shlibs:Depends}, unattended-upgrades, update-notifier-common
 Description: Establishes baseline system state for running SecureDrop.
  Configures apt repositories.
 

diff --git a/securedrop/debian/rules b/securedrop/debian/rules
@@ -18,16 +18,21 @@ override_dh_installdeb:
 	echo -n "" > ${CURDIR}/debian/securedrop-keyring/DEBIAN/conffiles
 
 override_dh_auto_install:
+	# Build securedrop-config Rust code
+	cd /srv/rust/noble-migration && cargo build --release --locked && \
+		cd /srv/securedrop && \
+		mkdir -p ./debian/securedrop-config/usr/bin && \
+		mv /srv/rust/target/release/noble-migration ./debian/securedrop-config/usr/bin/noble-migration
 	# Build redwood wheel
-	python3 /srv/redwood/build-wheel.py --release --redwood /srv/redwood --target /srv/redwood/target
+	python3 /srv/rust/redwood/build-wheel.py --release --redwood /srv/rust/redwood --target /srv/rust/target
 	# Set up virtualenv and install dependencies
 	/usr/bin/python3 -m venv ./debian/securedrop-app-code/opt/venvs/securedrop-app-code
 	./debian/securedrop-app-code/opt/venvs/securedrop-app-code/bin/pip install $(PIP_ARGS) \
 		pip==24.2
 	./debian/securedrop-app-code/opt/venvs/securedrop-app-code/bin/pip install $(PIP_ARGS) \
 		-r requirements/python3/requirements.txt
 	./debian/securedrop-app-code/opt/venvs/securedrop-app-code/bin/pip install $(PIP_ARGS) \
-		/srv/redwood/redwood-*.whl
+		/srv/rust/redwood/redwood-*.whl
 	# Update paths to point to install destination
 	find ./debian/securedrop-app-code/ -type f -exec sed -i "s#$(shell pwd)/debian/securedrop-app-code##" {} \;
 	# Generage wsgi.load for apache

diff --git a/supply-chain/config.toml b/supply-chain/config.toml
@@ -39,6 +39,9 @@ notes = "Haiku OS-only"
 criteria = []
 notes = "WASM-only"
 
+[policy.noble-migration]
+criteria = "safe-to-run"
+
 [policy.redox_syscall]
 criteria = []
 notes = "Redox OS-only"