% Improving the infrastructure behind Tails
% intrigeri
% December, 2014
# Tails' current challenges
## Cadence & popularity
- new release every 6 weeks
- about 10k boots a day, doubles every year
## Limited resources and time
- mostly volunteer work
- 2800 commits, by ~15 persons, in the last 6 months
## Energy-draining release process
- automated test suite, but:
    - still huge manual test suite
- no way to freeze the APT repositories we are using
## Tails 2.0
* sustainability and maintainability: lots of continuous integration
  and infrastructure work
* Greeter revamp
* Icedove (Thunderbird)
* support more download mirrors
* nicer initial download and installation process
## Tails 3.0
* more hardening, more sandboxing
* multi-platform installer
* port to Debian Jessie: WIP, must be finished in 2015
# What we have
*very* few people involved in continuous integration and
infrastructure work
* Jenkins:
    * ISO images from major branches built after Git push
    * PO files sanity checks
    * thanks to jenkins.debian.net for the inspiration!
* APT repository
* rsync, Bitcoin, BitTorrent, etc.
# Needed infrastructure improvements
## Release process
* building Debian packages
* building ISO images
* freezing for real
## Quality assurance
* does our stuff stop building?
* does our stuff stop working?
* does new stuff break anything?
* notifications, integration with the review process
* some day, gatekeeping?
* deterministic (reproducible) builds
* hardening build flags status
* same-day security updates
## Internal communication
* commit notifications
* package upload notifications
# Tails system administrators
The Tails system administrators set up and maintain the infrastructure
that supports the development and operations of Tails, to:
* make the life of Tails contributors easier
* improve the quality of the Tails releases
## Principles
* Infrastructure as code
* Free Software
* Relationships with upstream
## Infrastructure as code
We want to treat system administration like a (free) software
development project.
## Infrastructure as code: why?
* enabling people to participate without accounts on our servers
* reviewing changes applied to our systems
* being able to reproduce our systems via automatic deployment
* sharing knowledge with other people
## Infrastructure as code: how?
* publish as much as possible of our systems configuration
* manage our whole infrastructure with configuration management tools
## Free Software
* [Debian Free Software Guidelines](https://www.debian.org/social_contract#guidelines)
* exception: firmware needed by our hardware
## Relationships with upstream
## Tools
* [Debian](https://www.debian.org/) GNU/Linux
* [Puppet](http://projects.puppetlabs.com/projects/puppet)
* [Git](http://git-scm.com/) to host and deploy configuration,
  including our Puppet modules
# How to help?
## Entry points
* https://tails.boum.org/contribute/how/sysadmin/
* https://tails.boum.org/contribute/working_together/roles/sysadmins/
* "easy" tasks
## Where to start?
* #6295: Evaluate consequences of importing large amounts of packages into reprepro
* #6891: Monitor broken links on our website
* #6918: Track hardening status of the binaries shipped in Tails
* #7427: Evaluate using aptly
* #7125: Write a Puppet class to manage a Tails mirror
* #5894: APT repository: notify incoming
## Tell us about your skills and desires,
we'll help you get started :)
## Talk to us
* I'm here.
* Sysadmins (private and encrypted) mailing-list: ****
* Development mailing-list: ****
* Private and encrypted mailing-list: ****
* IRC: see
* Web: ****