Release SecureDrop Client 0.13.0

[legoktm]

This issue tracks the SecureDrop Client release 0.13.0. It will be organized by:

• Release Manager:
• Deputy Release Manager:

This release includes the following changes:

• don't print unprintable types
• convert more mimetypes using libreoffice

All other changes are listed at https://github.com/freedomofpress/securedrop-client/milestone/12?closed=1

SecureDrop maintainers and testers: As you QA this release, please report back your testing results as comments on this ticket. File GitHub issues for any problems found, tag them "QA: Release", and associate them with the release milestone for tracking (or ask a maintainer to do so).

Test plan

You will need a compatible printer.

Fresh Install

• Install 1.0.0 prod RPM and place configuration files, being sure you have "prod" specified in config.json. Before running apply:
• Make a copy of /srv/salt/securedrop_salt/apt_freedom_press.sources.j2, /srv/salt/securedrop_salt/apt_qa_freedom_press.sources.j2 in which you change the apt repo to https://apt-qa.freedom.press/
• Edit /srv/salt/securedrop_salt/sd-default-config.yml to point to the apt-qa sources file
• Run apply
• Provisioning completes successfully
• See shared test plan

Upgrade Testing

• Start from a prod installation.
• Edit /etc/apt/sources.list/securedrop_workstation.list in both the small and the large templates so that they point to apt-qa.securedrop.org, then shut down the templates and vms.
• Run the updater.
• Updater run completes successfully
• See shared test plan

Test Plan

• 0.13.0 packages are installed (use dpkg -l)
• PDF prints successfully
• Text file prints successfully
• File types requiring conversion before print (image, LibreOffice/MS Office of various formats) print successfully
• Unprintable file types (audio/video) display an "unprintable type" error message in print dialog instead of attempting to print
• Attempting to print file types we don't yet have print support for (.heic, .avif, .html, any mimetype not found in libreoffice .desktop files) results in error message in print dialog
• At least one tester: Test edge case bhvr by temporarily breaking libreoffice installation on sd-devices. Least disruptive breakage: move /usr/share/applications/libreoffice*.desktop files out of /usr/share/applications in your template, then shut down the template. Attempt to print a file requiring PDF conversion (Office file). The user should see a generic Error message in the UI and the sd-export logs should show ERROR_MIMETYPE_DISCOVERY.
• At least one tester: Basic functionality/regression testing (login, download, reply, export to USB)
• At least one tester: Pseudolocale (LANG=en_XA) QA per https://github.com/freedomofpress/securedrop-workstation/wiki/Workstation-Acceptance-Tests#internationalization-reference

Release tasks

• Check if there are any security bug fixes waiting to be pulled into the RC
• Check if there are any translations:
  • pending merge into main
  • pending inclusion as a supported language in MANIFEST.in
• Update changelog
• Create test plan
• Build production package in standard build environment
• Sign production package
• Perform QA testing using apt-qa.freedom.press
  • Localization: In a dispVM, change your locale (e.g.: export LANG=es_ES.utf-8; dpkg-reconfigure locales), run the Client, and confirm that the application is translated.
• Publish production package
• Publicize release via support channels

[deeplow]

I did the fresh install path (but over a system from which I had uninstalled the workstation).

Test Plan

• 0.13.0 packages are installed (use dpkg -l)
• PDF prints successfully
• Text file prints successfully
• File types requiring conversion before print (image, LibreOffice/MS Office of various formats) print successfully
  • ppt / pptx failed - This file type cannot be printed (I described the issue here)
  • png worked
  • svg failed - ERROR_MIME_TYPE_UNSUPPORTED
  • xlsx failed - this file type cannot be printed
• Unprintable file types (audio/video) display an "unprintable type" error message in print dialog instead of attempting to print
• Attempting to print file types we don't yet have print support for (.heic, .avif, .html, any mimetype not found in libreoffice .desktop files) results in error message in print dialog
  • I get ERROR_MIME_TYPE_UNSUPPORTED, which I guess means this did work
• At least one tester: Test edge case bhvr by temporarily breaking libreoffice installation on sd-devices. Least disruptive breakage: move /usr/share/applications/libreoffice*.desktop files out of /usr/share/applications in your template, then shut down the template. Attempt to print a file requiring PDF conversion (Office file). The user should see a generic Error message in the UI and the sd-export logs should show ERROR_MIMETYPE_DISCOVERY.
• At least one tester: Basic functionality/regression testing (login, download, reply, export to USB)
• At least one tester: Pseudolocale (LANG=en_XA) QA per https://github.com/freedomofpress/securedrop-workstation/wiki/Workstation-Acceptance-Tests#internationalization-reference

[deeplow]

I think I know why my .ppt and .pptx files are not being converted. It's because their mime types are weird. We had the same issue over in dangerzone land. I was using the .ppt from this google drive link and you get file's mimetype with mimetype -M, then you get application/zip or application/x-ole-storage. In other words, magic bytes alone are not enough to determine a file's type, unfortunately. So we may have to broaden our use of the mimetype guessing tool. If security was the reasoning, I don't think we're more exposed than already by parsing said files, but I'm open to arguments against.

Update: I have tried removing the -M and it was indeed the source of trouble. Converting .pptx files works fine after that.

[rocodes]

@deeplow thank you for your careful testing :)

• The pptx and xlsx issue should be resolved with Revert magicbytes (-M) check for print conversion  #2184, above. Thanks for find+fix.
• I looked into the svg issue. Libreoffice can support svg conversion to pdf, but it doesn't list svg in its .desktop files, so we return UNSUPPORTED. This isn't ideal; ideal would be if there was a convenient list of all the mimetypes libreoffice supports for conversion mode, so we don't have to hardcode them or write workarounds. (The other option would be to throw caution to the winds and try conversion opportunistically. I don't love this option, especially because LO exits with 0 even if it couldn't successfully convert a file, so we'd be grepping the output for "Error:" and checking if the file exists as our way of seeing if a conversion took place. But it would be the way to print the most file types.)

I'm not sure whether we should block on this libreoffice issue, but I'm open to opinions. there is #2177 where we also discuss using imagemagick to convert further image types, and we may want to make further changes to this overall workflow instead of investing more energy in it as is, or instead of hardcoding more mimetypes.