Consider applying improved CSP via unattended upgrades #4868

Closed
emkll opened this issue Sep 25, 2019 · 1 comment

emkll commented Sep 25, 2019

Description

In #4678, a stronger CSP was introduced, but the Apache configurations for both the Source and Journalist interfaces are applied via Ansible.

Therefore, there is a slight discrepancy between the CSP in Apache configurations between 1.1.0 and earlier versions.

As a result, instances installed from 1.0.0 or below will not have this CSP applied. Starting from 1.1.0, running the installer will apply this configuration change, but this ticket is to track providing these changes via unattended upgrades (e.g. modifying the Apache configurations via the postinst for securedrop-app-code).

Given the risk of breakage and the likelihood of news orgs running the installer post 1.1.0 (for Tor v3), I don't see a strong enough argument to provide those changes via unattended upgrades. Does anyone think otherwise?

emkll commented Jan 5, 2021

Because we will be updating the base OS for all servers as part of #4768 and requiring an Ansible run, CSP changes will be applied by this Ansible run. Closing.

emkll closed this as completed Jan 5, 2021