[tor-dev] Automating dependency updates in Tor

micah anderson micah at torproject.org
Sun Sep 17 16:45:18 UTC 2023


Tor has been undertaking security audits of code that we've been
changing. Security audits are a good thing! They uncover blind spots,
peel back assumptions, and present us with ways to improve our overall
security posture. We intend to publish the results of the two that we've
done recently, and commit to publishing every one we undertake - stay
tuned.

The first audit we did recently was a great success! The auditors
remarked that although the scope was large, the number of issues
uncovered was low, and that Tor in general adopts an admirably robust
and hardened security posture and sound design decisions:

"[Tor's] code was written to a first-rate standard and conformed to
secure coding practices ... adopt[ing] highly-advanced and deliberately
security focused building processes ... all which contribute towards
considerable defense-in-depth security posture".

One of the issues that came up was the overall lack of automated
resiliency in our software supply chain. What does this mean? It means
that several dependencies in our software were outdated. Why were they
outdated? Because we lack automation. Tracking dependencies manually is
difficult: you need to search for each of those updates individually
(although some package managers offer automated functionality), and it
can be difficult to handle

So now we have a solution, Renovate: a highly configurable system for
dependency update automation. It scans your software, discovers
dependencies, automatically checks whether an updated version exists,
and helps you by submitting automated pull requests. It is an open
source project that we are self-hosting on our gitlab (it's like
'dependabot' if you know that).

A number of Tor projects are using it already, please consider using it
for your project! It's very simple to use, and there is no harm in giving
it a try. We are still trying this out, so your feedback[2] is important
for how to move forward. Ideally, we will have this problem solved
automatically for all of our projects, but let's make sure things work
well for everyone first.

How do I use it?
-----------------
To have renovate work on your gitlab project, you simply have to invite
the 'renovate-bot' user (it's a bot!) to your project (with the `Developer`
access level), and then wait for it to do its work. Next time it runs,
it will open an "Onboarding" issue[0], to get you started.

The first time it runs, there may be a number of dependencies that need
updating, which will result in a MR for each[1]. That could be
overwhelming, but after the initial wave, things will calm down.

Simply review the MR and merge it if it makes sense (making any code
adjustments necessary). If you don't want that MR to happen, simply
close it, and Renovate will stop bugging you about it.

How does it work?
-----------------
There is a project in our gitlab[2], which has a scheduled CI that runs
every 30 minutes. When it runs, it looks to see what projects have the
gitlab bot user 'renovate-bot' as a member, with 'developer' level
access. For each of those projects, it then scans the project for any
dependencies that need updating, and will open MRs to update those
out-of-date dependencies (triggering CI builds).

Your project must also have a CI that is being tended to, so that it
runs and succeeds.

I want to change its behavior
-----------------------------
Renovate is highly configurable. You can decide what you do, and do not,
want from Renovate. There are knobs for practically
everything[3]. Renovate has a default[4] set of configurations that
we've set organization-wide; you can override those in your project, and
set any other configuration options[5] you might want.
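As an added illustration (not part of this mail, and not Tor's actual
organization-wide defaults), here is what a per-project override could
look like. Renovate reads a `renovate.json5` file from the repository root
(JSON5 is supported so the file can carry comments); the option names
below are documented Renovate options, while the package name
`example-pinned-lib` and the specific limits are placeholder values chosen
for the example. It shows the knobs most relevant to the points above:
throttling the initial wave of MRs, waiting a few days before picking up a
freshly published release (a cheap guard against a just-compromised
upstream package being pulled in on day one), grouping minor/patch bumps
so the MR count stays manageable, and disabling updates for a dependency
you deliberately pin.

```json5
// renovate.json5 at the repository root (added example, not from the original post)
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",

  // Optional: start from Renovate's recommended preset. Global (organization)
  // config still applies; settings here override it for this project only.
  "extends": ["config:recommended"],

  // Tame the first run: at most 5 open MRs at once, at most 2 new ones per hour.
  "prConcurrentLimit": 5,
  "prHourlyLimit": 2,

  // Do not propose a version until it has been published for at least 3 days.
  // Gives upstream time to yank a bad or hijacked release before it reaches us.
  "minimumReleaseAge": "3 days",

  // Label every MR the bot opens so reviewers can filter them.
  "labels": ["dependencies"],

  "packageRules": [
    {
      // Batch minor and patch bumps into a single MR instead of one per package.
      "matchUpdateTypes": ["minor", "patch"],
      "groupName": "non-major dependencies"
    },
    {
      // Major bumps usually need code changes; require an explicit
      // approval on the dependency dashboard before an MR is opened.
      "matchUpdateTypes": ["major"],
      "dependencyDashboardApproval": true
    },
    {
      // Placeholder: a dependency this project pins on purpose.
      // Renovate will stop proposing updates for it.
      "matchPackageNames": ["example-pinned-lib"],
      "enabled": false
    }
  ]
}
```

Merging this file is itself an MR the project reviews, so the policy for
how dependency updates arrive is version-controlled next to the code it
governs; closing an unwanted MR (as described above) remains the quick
per-update way to say no without touching the config.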

How to give feedback, ask questions, etc.
-----------------------------------------
If you are looking for help, have questions, or want to give some
feedback on global defaults or other aspects that could be improved,
please file an issue[1]!


0. eg. https://gitlab.torproject.org/tpo/core/onionmasq/-/merge_requests/101
1. eg. https://gitlab.torproject.org/tpo/anti-censorship/rdsys/-/merge_requests/151
2. https://gitlab.torproject.org/tpo/tpa/renovate-cron/
3. https://docs.renovatebot.com
4. https://github.com/renovatebot/renovate/blob/main/docs/development/configuration.md#default-configuration
5. https://docs.renovatebot.com/getting-started/use-cases/

