% Improving the infrastructure behind Tails % intrigeri % December, 2014

Current Tails' challenges

Cadence & popularity

• new release every 6 weeks
• about 10k boots a day, doubles every year

Limited resources and time

• mostly volunteer work
• 2800 commits, by ~15 persons, in the last 6 months

Energy-draining release process

• automated test suite, but:
• still huge manual test suite
• no way to freeze the APT repositories we are using

Roadmap

Tails 2.0

• sustainability and maintainability: lots of continuous integration and infrastructure work
• Greeter revamp
• Icedove (Thunderbird)
• support more download mirrors
• nicer initial download and installation process

Tails 3.0

• more hardening, more sandboxing
• multi-platform installer

More?

• port to Debian Jessie: WIP, must be finished in 2015

What we have

People

very few people involved in continuous integration and infrastructure work

Services

• Jenkins:
  ISO images from major branches built after Git push
  PO files sanity checks
  thanks to jenkins.debian.net for the inspiration!
• APT repository
• rsync, Bitcoin, BitTorrent, etc.

Needed infrastructure improvements

Release process

• building Debian packages
• building ISO images
• freezing for real

Quality assurance

• does our stuff stop building?
• does our stuff stop working?
• does new stuff break anything?
• notifications, integration with the review process
• some day, gatekeeping?

Security

• deterministic (reproducible) builds
• hardening build flags status
• same-day security updates

Internal communication

• commit notifications
• package upload notifications

Tails system administrators

Goals

The Tails system administrators set up and maintain the infrastructure that supports the development and operations of Tails, to:

• make the life of Tails contributors easier
• improve the quality of the Tails releases

Principles

• Infrastructure as code
• Free Software
• Relationships with upstream

Infrastructure as code

We want to treat system administration like a (free) software development project.

Infrastructure as code: why?

• enabling people to participate without accounts on our servers
• reviewing changes applied to our systems
• being able to reproduce our systems via automatic deployment
• sharing knowledge with other people

Infrastructure as code: how?

• publish as much as possible of our systems configuration
• manage our whole infrastructure with configuration management tools

Free Software

• Debian Free Software Guidelines
• exception: firmware needed by our hardware

Relationships with upstream

https://tails.boum.org/contribute/relationship_with_upstream/

Tools

• Debian GNU/Linux
• Puppet
• Git to host and deploy configuration, including our Puppet modules

How to help?

Entry points

• https://tails.boum.org/contribute/how/sysadmin/
• https://tails.boum.org/contribute/working_together/roles/sysadmins/
• "easy" tasks

Where to start?

• #6295: Evaluate consequences of importing large amounts of packages into reprepro
• #6891: Monitor broken links on our website
• #6918: Track hardening status of the binaries shipped in Tails
• #7427: Evaluate using aptly
• #7125: Write a Puppet class to manage a Tails mirror
• #5894: APT repository: notify incoming

Tell us about your skills and desires,

we'll help you get started :)

Contact

Talk to us

• A few of us are here.
• Sysadmins (private and encrypted) mailing-list: tails-sysadmins@boum.org
• Development mailing-list: tails-dev@boum.org
• Private and encrypted mailing-list: tails@boum.org
• IRC: see https://tails.boum.org/contribute/
• Web: https://tails.boum.org/