Project

General

Profile

Bug #17315

Check if APT snapshots expiration date (post-4.5) is still far away enough

Added by CyrilBrulebois 4 months ago. Updated about 1 month ago.

Status:
Resolved
Priority:
Normal
Category:
-
Target version:
Start date:
Due date:
% Done:

0%

Feature Branch:
Type of work:
Research
Blueprint:
Starter:
Affected tool:

Description

Here's what our snapshot expiration dates look like:

config/APT_snapshots.d:
* Archive 'debian' uses snapshot '2019111801' which expires on: Sat, 16 May 2020 08:44:51 +0000
* Archive 'debian-security' uses snapshot 'latest' which expires on: never
* Archive 'torproject' uses snapshot '2019100904' which expires on: Sun, 19 Apr 2020 13:57:39 +0000
---
vagrant/definitions/tails-builder/config/APT_snapshots.d:
* Archive 'debian' uses snapshot '2019100904' which expires on: Sun, 19 Apr 2020 13:57:44 +0000
* Archive 'debian-security' uses snapshot '2019100904' which expires on: Sun, 19 Apr 2020 13:57:50 +0000
* Archive 'tails' uses snapshot '2019102001' which expires on: Fri, 17 Apr 2020 08:06:53 +0000
---

which should expire after the next major release. Right now, it's schedule in early April, but I don't think we're that certain of Mozilla's calendar and our own. So maybe we should bump those by a month or two just to be on the safe side?

History

#1 Updated by intrigeri 4 months ago

  • Target version set to Tails_4.3

[…] which should expire after the next major release. Right now, it's schedule in early April, but I don't think we're that certain of Mozilla's calendar and our own. So maybe we should bump those by a month or two just to be on the safe side?

I appreciate that you have such failure modes in mind.

I propose we come back to it in a couple months. By then, we'll have more info about:

  • Whether we've already bumped these snapshots, e.g. to get a Buster point release or a kernel upgrade.
  • Whether we'll put out a major release earlier than April (e.g. with overlayfs).

#2 Updated by intrigeri 2 months ago

  • Subject changed from Checking snapshot expiration for 4.1 vs. 4.5 to Check if APT snapshots expiration date (post-4.5) is still far away enough
  • Target version changed from Tails_4.3 to Tails_4.4

I'll have more info about this once 4.3 is out (#17443) and later in February (once segfault and I have resumed work on overlayfs & friends).

#3 Updated by intrigeri about 1 month ago

  • Status changed from Confirmed to Needs Validation
  • Assignee changed from intrigeri to CyrilBrulebois

FTR, on our stable branch we currently use:

config/APT_snapshots.d:
debian/  debian-security/  .placeholder  torproject/
* Archive 'debian' uses snapshot '2020020902' which expires on: Mon, 08 Jun 2020 15:51:21 +0000
* Archive 'debian-security' uses snapshot 'latest' which expires on: never
* Archive 'torproject' uses snapshot '2020020402' which expires on: Thu, 04 Jun 2020 07:05:54 +0000
---
vagrant/definitions/tails-builder/config/APT_snapshots.d:
debian/  debian-security/  .placeholder  tails/
* Archive 'debian' uses snapshot '2019100904' which expires on: Sun, 19 Apr 2020 13:57:44 +0000
* Archive 'debian-security' uses snapshot '2019100904' which expires on: Sun, 19 Apr 2020 13:57:50 +0000
* Archive 'tails' uses snapshot '2019102001' which expires on: Fri, 17 Apr 2020 08:06:53 +0000

That is:

  • snapshots used for the Vagrant box expire 10 days after the 4.5 planned release date; according to the current plan, they'll be bumped at 4.5 code freeze time late March; but if for whatever reason we change our mind and decide that 4.5 is not a major release, then these snapshots will expire before the next time we would bump them (likely: 4.6~rc1); this gives us very little margin to cope with change so I've bumped the expiration date for these snapshots to June 7, i.e. post-4.7.
  • snapshots used for the rest of the build expire 2 days after the 4.7 planned release date; that's a pretty comfortable margin already, and most likely they'll be updated again in the meantime (#17477 and upcoming similar changes), so I'm not concerned.

So we now have this:

config/APT_snapshots.d:
debian/  debian-security/  .placeholder  torproject/
* Archive 'debian' uses snapshot '2020020902' which expires on: Mon, 08 Jun 2020 15:51:21 +0000
* Archive 'debian-security' uses snapshot 'latest' which expires on: never
* Archive 'torproject' uses snapshot '2020020402' which expires on: Thu, 04 Jun 2020 07:05:54 +0000
---
vagrant/definitions/tails-builder/config/APT_snapshots.d:
debian/  debian-security/  .placeholder  tails/
* Archive 'debian' uses snapshot '2019100904' which expires on: Sun, 07 Jun 2020 07:34:56 +0000
* Archive 'debian-security' uses snapshot '2019100904' which expires on: Sun, 07 Jun 2020 07:35:11 +0000
* Archive 'tails' uses snapshot '2019102001' which expires on: Sun, 07 Jun 2020 07:35:22 +0000

To me, this now looks like a good trade-off between "our code & release process are resilient vs. unplanned release schedule changes" and "disk space usage". What do you think?

#4 Updated by CyrilBrulebois about 1 month ago

I'd tend to think “LGTM”.

Just to make sure I understand what happens in case something goes bad: I suppose we have up until the expiration date of a given snasphot to bump its expiration date? After that, it gets GC'd, and it can only be restored from backups?

#5 Updated by intrigeri about 1 month ago

Just to make sure I understand what happens in case something goes bad: I suppose we have up until the expiration date of a given snasphot to bump its expiration date? After that, it gets GC'd, and it can only be restored from backups?

Exactly!

#6 Updated by CyrilBrulebois about 1 month ago

  • Status changed from Needs Validation to Resolved

OK, thanks.

Switching to `Resolved` then; I might open other such tickets if unsure during the next few release processes.

#7 Updated by intrigeri about 1 month ago

Switching to `Resolved` then

:)

I might open other such tickets if unsure during the next few release processes.

Great, please do!

Also available in: Atom PDF