Tor has been undertaking security audits of code that we've been changing. Security audits are a good thing! They uncover blind spots, peel back assumptions, and present us with ways to improve our overall security posture. We intend to publish the results of the two that we've done recently, and commit to publishing every one we undertake - stay tuned.
The first audit we did recently was a great success! The auditors remarked that although the scope was large, the number of issues uncovered was low, and that Tor in general adopts an admirably robust and hardened security posture and sound design decisions:
"[Tor's] code was written to a first-rate standard and conformed to secure coding practices ... adopt[ing] highly-advanced and deliberately security focused building processes ... all which contribute towards considerable defense-in-depth security posture".
One of the issues that came up was the overall lack of automated resiliency in our software supply chain. What does this mean? It means several dependencies in our software were outdated. Why were they outdated? Because we lack automation. Tracking dependencies manually is difficult: you need to search for updates to each dependency individually (although some package managers offer automated functionality), and it can be difficult to handle
So now we have a solution, Renovate: a highly configurable system for dependency update automation. It scans your software, discovers dependencies, automatically checks whether an updated version exists, and helps you by submitting automated pull requests. It is an open source project that we are self-hosting on our gitlab (it's like 'dependabot', if you know that).
A number of Tor projects are using it already; please consider using it for your project! It's very simple to use, and there is no harm in giving it a try. We are still trying this out, so your feedback[2] is important for how to move forward. Ideally, we will have this problem solved automatically for all of our projects, but let's make sure things work well for everyone first.
How do I use it?
-----------------
To have renovate work on your gitlab project, you simply have to invite the 'renovate-bot' user (it's a bot!) to your project (with the `Developer` access level), and then wait for it to do its work. Next time it runs, it will open an "Onboarding" issue[0], to get you started.
The first time it runs, there may be a number of dependencies that need updating, which will result in a MR for each[1]. That could be overwhelming, but after the initial wave, things will calm down.
Simply review the MR and merge it if it makes sense (making any code adjustments necessary). If you don't want that MR to happen, simply close it, and Renovate will stop bugging you about it.
How does it work?
-----------------
There is a project in our gitlab[2], which has a scheduled CI that runs every 30 minutes. When it runs, it looks to see what projects have the gitlab bot user 'renovate-bot' as a member, with 'developer' level access. For each of those projects, it then scans the project for any dependencies that need updating, and will open MRs to update those out-of-date dependencies (triggering CI builds).
Your project must also have a CI that is being tended to, so that it runs and succeeds.
I want to change its behavior
-----------------------------
Renovate is highly configurable. You can decide what you do, and do not, want from Renovate. There are knobs for practically everything[3]. Renovate has a default[4] set of configurations that we've set organization-wide; you can override those in your project, and set any other configuration options[5] you might want.
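As an added illustration (this is not Tor's actual organization-wide default, nor a file from the original post), here is what a per-project `renovate.json5` could look like: it extends a shared preset and then overrides a few options. Renovate reads `renovate.json5` as well as `renovate.json`, and the json5 form allows comments. The preset name `local>tpo/tpa/renovate-config` is a placeholder for wherever the shared defaults actually live; the option names themselves (`extends`, `prConcurrentLimit`, `packageRules`, `osvVulnerabilityAlerts`, ...) are standard Renovate options[3].

```json5
{
  // Added example, not Tor's real defaults. Schema gives editor validation.
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",

  // Placeholder preset name: "local>" points at a repository on the same
  // gitlab instance, so the org-wide defaults are inherited first and every
  // option below overrides them for this project only.
  "extends": ["local>tpo/tpa/renovate-config"],

  // Tame the "initial wave" of MRs: at most 5 open at once, 2 new per hour.
  "prConcurrentLimit": 5,
  "prHourlyLimit": 2,

  // Keep a single issue listing every pending and closed/ignored update,
  // so a closed MR stays visible instead of silently disappearing.
  "dependencyDashboard": true,

  // Flag updates that fix a known vulnerability (OSV data) and raise them
  // outside the normal schedule, so security fixes are not held back.
  "osvVulnerabilityAlerts": true,
  "vulnerabilityAlerts": {
    "labels": ["security"]
  },

  "labels": ["dependencies"],

  "packageRules": [
    {
      // Bundle all minor and patch bumps into one MR to cut review noise.
      "matchUpdateTypes": ["minor", "patch"],
      "groupName": "non-major dependencies"
    },
    {
      // Major bumps need a human eye: one MR each, never auto-merged,
      // and only opened early on Monday so they land at the start of the week.
      "matchUpdateTypes": ["major"],
      "automerge": false,
      "schedule": ["before 6am on monday"]
    }
  ],

  // Dependencies you have deliberately pinned go here; Renovate will not
  // open MRs for them at all (empty in this example).
  "ignoreDeps": []
}
```

The two limits are the knob for the overwhelming first run described above, and the dashboard is the place to see which MRs you have closed; closing an MR is still the way to tell Renovate you do not want that particular update.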
How to give feedback, ask questions, etc.
-----------------------------------------
If you are looking for help, have questions, or want to give some feedback on global defaults or other aspects that could be improved, please file an issue[1]!
0. eg. https://gitlab.torproject.org/tpo/core/onionmasq/-/merge_requests/101
1. eg. https://gitlab.torproject.org/tpo/anti-censorship/rdsys/-/merge_requests/151
2. https://gitlab.torproject.org/tpo/tpa/renovate-cron/
3. https://docs.renovatebot.com
4. https://github.com/renovatebot/renovate/blob/main/docs/development/configura...
5. https://docs.renovatebot.com/getting-started/use-cases/