grsecurity download can fail silently

Running under `GRSECURITY=1,` our script can fail silently when downloading the grsecurity patch set, resulting in a nominal `grsec` kernel with no grsecurity patches.


## Steps to reproduce

```sh-session
$ export GRSECURITY=1
$ make securedrop-core-5.15
```


## Expected behavior

The build aborts if there's an error downloading the grsecurity patch set.


##

https://raw.githubusercontent.com/freedomofpress/build-logs/67da58c6c9ad552919abd650ec81af821a6a8ef2/core/20250428-securedrop-core-6.6.log

```
Will include grsecurity patch for kernel 6.6.88
2025-04-29 03:43:12 ERROR    Credentials not found, set GRSECURITY_USERNAME & GRSECURITY_PASSWORD
Fetching Linux kernel source 6.6.88
```


## Comments

Per @legoktm:

```
    if grsecurity:
        # TODO: invoke this through normal Python means
        linux_version = subprocess.check_output(
            ["/usr/local/bin/grsecurity-urls.py", "--print-version"], text=True
        ).strip()
        print("Will include grsecurity patch for kernel", linux_version)
        with open("/patches-grsec/grsec", "wb") as f:
            # TODO: invoke this through normal Python means
            subprocess.run(["/usr/local/bin/grsecurity-urls.py"], stdout=f)
```

> notably, `--print-version` does not require auth, while the actual patch download is just subprocess.run with no check=True

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

grsecurity download can fail silently #62

Steps to reproduce

Expected behavior

Comments

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

grsecurity download can fail silently #62

Description

Steps to reproduce

Expected behavior

Comments

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions