Issue #18138

Closed
Open
Created Jan 19, 2021 by intrigeri (@intrigeri), Maintainer

Serve UDFs under a dedicated virtualhost with a TLS certificate signed by our own CA

This was suggested by @zen on #18127 (comment 163859):

we could set up a special URL just for the upgrader, serve it using a CA we control, and pin that CA instead.

This would avoid problems like #18127 (closed).

I find this idea interesting and I think it could work: the only real-world-relevant client that needs to access the relevant files is our Upgrader.

I understand this implies serving the relevant files (UDFs) under a new, dedicated hostname, e.g. https://upgrade.tails.boum.org/ or similar.

To avoid complicating the release process, we could leave the UDFs in tails.git, and when we push to tails.git's master branch, on top of refreshing our website like we already do, this would also trigger copying the UDFs to that new virtualhost's static files directory.
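The trust model proposed in this issue, as an added example that is not part of the issue or of Tails' code: a client that pins one CA accepts only certificates signed by it for the expected hostname, and rejects a certificate for the same hostname issued by any other CA. Both CAs are constructed for the demonstration, the hostname is the issue's own example, and the script assumes the OpenSSL 1.1.0 or later command-line tool.

```shell
#!/bin/sh
# Added illustration: both CAs are constructed; the hostname is the issue's example.
set -eu
HOST=upgrade.tails.boum.org

# make_ca DIR CN: create a self-signed CA (ca.key, ca.pem) in DIR.
make_ca() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# issue_cert CADIR HOSTNAME OUT: CA in CADIR signs a server cert, written to OUT.pem.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$3.key" -out "$3.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$2" > "$3.ext"
    openssl x509 -req -in "$3.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -extfile "$3.ext" -out "$3.pem" 2>/dev/null
}

# pinned_verify CAFILE CERT HOSTNAME: succeed only if CERT chains to CAFILE
# (system trust store ignored) and is valid for HOSTNAME.
pinned_verify() {
    openssl verify -no-CApath -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

D=$(mktemp -d)
trap 'rm -rf "$D"' EXIT
make_ca "$D/own" "Constructed project CA"        # the CA the client pins
make_ca "$D/other" "Constructed third-party CA"  # stands in for any other CA
issue_cert "$D/own" "$HOST" "$D/good"
issue_cert "$D/other" "$HOST" "$D/foreign"
issue_cert "$D/own" "other.example" "$D/wronghost"

# Check each certificate against the pinned CA only.
for c in good foreign wronghost; do
    if pinned_verify "$D/own/ca.pem" "$D/$c.pem" "$HOST"; then r=accepted; else r=rejected; fi
    echo "$c: $r"
done
```
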
