In the course of SecureDrop development, we routinely encounter questions with deep architectural implications. To avoid dealing with these questions in a purely reactive manner (e.g., in response to a new tech announcement, or a security vulnerability), the dev team recently agreed that it would make sense to have regular, open architecture meetings, at a frequency about once every 1-2 months.
Each meeting will tackle a challenging topic. Prior to the meeting, we’ll start a forum thread like this one, to enable asynchronous debate. At the meeting itself, participants are invited to give brief, 5-10 minute presentations. We will then discussion the possible decisions. We strive for broad consensus, but @redshiftzero will act as a tie-breaker if needed.
The first meeting will take place on Tuesday, May 22, 2018 Thursday, June 14, 2018, at 10:00 AM PDT / 5:00 PM UTC on Jitsi.
The topic for discussion are coming changes to our base OS. Our current base operating system (Ubuntu 14.04) reaches its End of Life in April 2019, so we must, at minimum, perform an upgrade to Ubuntu 16.04 before then (ideally well before then, to allow for a gradual transition before we hit the EoL window). This is a major change that needs to be carefully managed. See issue #3204 for background.
One possible alternative that has been discussed is to use this opportunity to make the switch to a new base operating system that also gives us security and maintainability benefits, such as Fedora Atomic or Ubuntu Core. In particular, there is significant interest among the development team in an immutable base operating system, to increase predictability of SecureDrop installs and upgrades.
Needless to say, such a change would be a major undertaking, given the 60+ SecureDrop installations that would need to eventually make the transition. However, the Xenial upgrade will also be a significant burden for administrators. If we do upgrade to Xenial, a base OS change could be deferred to 2019 or even 2020, depending on the administrative effort involved in the Xenial transition (e.g., reinstall of some or all SecureDrop instances).
There might be a third option: upgrade to Xenial but harden configuration and deployment to ensure a more predictable state of the server OS. What are your thoughts?
I look forward to discussing this here and in the meeting. (My own role in these discussions is primarily facilitative, and as PM I also will help with the implementation planning.)