changelog 236 KB
Newer Older
intrigeri's avatar
intrigeri committed
1
tails (2.0~beta1) unstable; urgency=medium
2

intrigeri's avatar
intrigeri committed
3
  XXX: see changelog of custom packages
4

intrigeri's avatar
intrigeri committed
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
  * Major new features and changes
    - Upgrade to Debian 8 (Jessie).
    - Migrate to GNOME Shell in Classic mode.
    - Use systemd as PID 1.
    - Remove the Windows camouflage feature: our call for help to port
      it to GNOME Shell (issues in January, 2015) was unsuccessful.

  * Security fixes


  * Bugfixes


  * Minor improvements
    - Convert all our custom initscripts to native systemd units.
    - Use socket activation for CUPS, to save some boot time.
    - Port XXX [check custom packages] to GTK3 / UDisks2 / Python 3 / whatever.
22
23
24
25
    - Don't install UDisks v1.
    - Adapt custom udev rules to UDisks v2 (Closes: #9054).
    - Adjust import-translations' post-import step for Tails Installer,
      to match how its i18n system works nowadays.
intrigeri's avatar
intrigeri committed
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
    - Set memlockd.service's OOMScoreAdjust to -17.
    - Don't bother creating /var/lib/live in tails-detect-virtualization.
      If it does not exist at this point, we have bigger and more
      noticeable problems.
    - Simplify the virtualization detection & reporting system, and do it
      as a non-root user with systemd-detect-virt rather than virt-what.
    - Replace rsyslog with the systemd Journal (Closes: #8320), and adjust
      WhisperBack's logs handling accordingly.
    - Drop tails-save-im-environment.
      It's not been used since we stopped automatically starting the web browser.
    - Add a hook that aborts the build if any *.orig file is found. Such files
      appear mainly when a patch of ours is fuzzy. In most cases they are no big
      deal, but in some cases they end up being taken into account
      and break things.
    - Replace the tor+http shim with apt-transport-tor (Closes: #8198).
    - Install gnome-tweak-tool.
    - Don't bother testing if we're using dependency based boot.
    - Drop workaround to start spice-vdagent in GDM (Closes: #8025).
      This has been fixed in Jessie proper.
    - Don't install ipheth-utils anymore. It seems to be obsolete
      in current desktop environments.
    - Stop installing the buggy unrar-free, superseded in Jessie (Closes: #5838)
    - Drop all custom fontconfig configuration, and configure fonts rendering
      via dconf.
    - Drop zenity patch (zenity-fix-whitespacing-box-sizes.diff),
      that was applied upstream.
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
    - Install libnet-dbus-perl (currently 1.1.0) from jessie-backports,
      it brings new features we need.
    - Have the security check and the upgrader wait for Tor having bootstrapped
      with systemd unit ordering.
    - Get rid of tails-security-check's wrapper.
      Its only purpose was to wait for Tor to have bootstrapped,
      which is now done via systemd.
    - Don't allow the amnesia and tails-upgrade-frontend users to run
      tor-has-bootstrapped as root with sudo. They don't need it anymore,
      thanks to using systemd for starting relevant units only once Tor
      has bootstrapped.
    - Install python-nautilus, that enables MAT's context menu item in Nautilus.
      (Closes: #9151).
    - Configure GDM with a snippet file instead of patching its
      greeter.dconf-defaults.
    - WhisperBack:
      · port to Python 3 and GObject Introspection (Closes: #7755)
      · migrate from the gnutls module to the ssl one
      · use PGP/MIME for better attachments handling
      · migrate from the gnupginterface module to the gnupg one
      · natively support SOCKS ⇒ don't wrap with torsocks anymore
        (Closes: #9412)
      · don't try to include the obsolete .xession-errors in bug reports
        (Closes: #9966)
    - chroot-browser.sh: don't use static DISPLAY.
    - Restore the logo in the "About Tails" dialog.
    - Don't tell the user that "Tor is ready" before htpdate is done
      (Closes: #7721).
    - Simplify debugging:
      · don't hide the emergency shutdown's stdout
      · tails-unblock-network: trace commands so that they end up in the Journal
    - Configure the console codeset at ISO build time, instead of setting it
      to a constant via the Greeter's PostLogin.default.
    - Order the AppArmor policy compiling in a way that is less of a blocker
      during boot.
    - Include the major KMS modules in the initramfs. This helps seamless
      transition to X.Org when booting, and back to text mode on shutdown,
      can help for proper graphics hardware reinitialization post-kexec,
      and should improve GNOME Shell support in some virtual machines.
intrigeri's avatar
intrigeri committed
91
92
93
94
95
96
97
98
99

  * Test suite
    - Adapt to the new desktop environment and applications' look.
    - Adapt new changed nmcli syntax and output.
    - New NetworkManager connection files must be manually loaded in Jessie.
    - Adapt to new pkexec behavior.
    - Use sysctl instead of echo:ing into /proc/sys.
    - Use oom_score_adj instead of the older oom_adj.
    - Adapt everything depending on logs to the use of the Journal.
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
    - Port to UDisks v2.
    - Check that the system partition is an EFI System Partition.
    - Add ldlinux.c32 to the list of bootloader files that are expected
      to be modified when we run syslinux (Closes: #9053).
    - Use apt(8) instead of apt-get(8).
    - Don't hide the cursor after opening the GNOME apps menu.
    - Convert the remote shell to into a systemd native service and a Python 3,
      script that uses the sd_notify facility (Closes: #9057).
    - Adjust to match where screenshots are saved nowadays.
    - Check that all system units have started (Closes: #8262)
    - Simplify the "too small device" test.
    - Spawn `poweroff' and `halt' in the background, and don't wait for them
      to return: anything else would be racy vs. the remote shell's stopping.
    - Bump video memory allocated to the system under test, to fix out of video
      memory errors.
    - When configuring the CPU to lack PAE support, use a qemu32 CPU instead
      of a Pentium one: the latter makes GNOME Shell crash.
      See #8778 for details about how Mesa's CPU features detection has
      room for improvement.
    - Adjust free(1) output parsing for Jessie.
    - vm-execute: rename --type option to --spawn.
    - Add method to set the X.Org clipboard, and install its dependency
      (xsel) in the ISO.
    - Paste URLs in one go, to work around issue with lost key presses
      in the browser (Closes: #10467).
    - Add wait_*_gnome_window() helpers and use them everywhere applicable
      for added reliability.
    - Reliably wait for Synaptic's search button to fade in.
intrigeri's avatar
intrigeri committed
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153

  * Adjustments for Debian 8 (Jessie) with no or very little user-visible impact
    - Free the fixed UIDs/GIDs we need before creating the corresponding users.
    - Disable /etc/network/if-pre-up.d/macchanger (Closes: #8265).
      On Jessie, macchanger ships /etc/network/if-pre-up.d/macchanger, that
      probably conflicts with the way we're spoofing MAC addresses.
    - Replace the real gnome-backgrounds with a fake, equivs generated one
      (Closes: #8055). Jessie's gnome-shell depends on gnome-backgrounds,
      which is too fat to ship considering we're not using it.
    - AppArmor: adjust CUPS profile to support our Live system environment
      (Closes: #8261):
      · Mangle lib/live/mount/overlay/... as usual for aufs.
      · Pass the the attach_disconnected flag, that's needed for compatibility
        with PrivateTmp.
    - Make sure we don't ship geoclue* (Closes: #7949).
    - Drop deprecated GDM configuration file.
    - Don't add the Live user to the deprecated 'fuse' group.
    - Drop hidepid mount option for /proc (Closes: #8256). In its current,
      simplistic form it cannot be supported by systemd.
    - Don't manually load acpi-cpufreq at boot time. It fails to load
      whenever no device it supports is present, which makes the
      systemd-modules-load.service fail. These days, the kernel
      should just automatically load such modules when they are needed.
    - Drop sysvinit-specific (sensigs.omit.d) tweaks for memlockd.
    - Disable the GDM unit file's Restart=always, that breaks our "emergency
      shutdown on boot medium removal" feature.
154
155
156
157
158
159
160
161
162
163
    - Update the implementation of the memory erasure on shutdown feature:
      · check for rebooting state using systemctl, instead of the obsolete
        $RUNLEVEL (Closes: #8306)
      · the kexec-load initscript normally silently exits unless systemd is
        currently running a reboot job. This is not the case when the emergency
        shutdown has been triggered, so we removed this check
      · migrate tails-kexec to the /lib/systemd/system-shutdown/ facility
      - don't (try to) switch to tty1 on emergency shutdown: it apparently
        requires data that we haven't locked into memory, and then it blocks
        the whole emergency shutdown process
intrigeri's avatar
intrigeri committed
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
    - Display a slightly darker version of the desktop wallpaper on the screen
      saver, instead of the default flashy "Debian 8" branding (Closes: #9038).
    - Disable software autorun from external media.
    - Disable a few unneeded D-Bus services. Some of these services are
      automatically started (via D-Bus activation) when GNOME Shell tries
      to use them. The only "use" I've seen for them, except eating
      precious RAM, is to display "No appointment today" in the calendar pop-up.
      (Closes: #9037)
    - Prevent NetworkManager services from starting at boot time
      (Closes: #8313). We start them ourselves after changing the MAC address.
    - Unfuzzy all patches (Closes: #8268) and drop a few obsolete ones.
    - Adapt IBus configuration for Jessie (Closes: #8270), i.e. merge the two
      places where we configure keyboard layout and input methods: both are now
      configured in the same place in Jessie's GNOME.
    - Migrate panel launchers to the favorite apps list (Closes: #7992).
    - Drop pre-GNOME Shell menu tweaks.
    - Hide "Log out" button in the GNOME Shell menu (Closes: #8364).
    - Add a custom shutdown-helper GNOME Shell extension (Closes: #8302, #5684
      and #5878) that removes the press-Alt-to-turn-shutdown-button-into-Suspend
      functionality from the GNOME user menu, and makes Restart and Shutdown
      immediate, without further user interaction. Accordingly remove our custom
      Shutdown Helper panel applet (#8302).
    - Drop GNOME Panel configuration, now deprecated.
    - Disable GNOME Shell's screen lock feature.
      We're not there yet (see #5684).
    - Disable GNOME Shell screen locker's user switch feature.
    - Explicitly install libany-moose-perl (Closes: #8051).
      It's needed by our OpenPGP applet. On Wheezy, this package was pulled
      by some other dependency. This is not the case anymore on Jessie.
    - Don't install notification-daemon nor gnome-mag: GNOME Shell has taken
      over this functionality (Closes: #7481).
    - Don't install ntfsprogs: superseded on Jessie.
    - Don't install barry-util: not part of Jessie.
    - Link udev-watchdog dynamically, and lock it plus its dependencies
      in memory.
    - Migrate from gdm-simple-greeter to a custom gdm-tails session
      (Closes: #7599).
201
202
203
204
205
206
207
208
209
    - Update Plymouth installation and configuration:
      · install the plymouth packages via chroot_local-hooks: lb 2.x's "standard"
        packages list pulls console-common in, which plymouth now conflicts with
      · don't patch the plymouth initscript anymore, that was superseded
        by native systemd unit files
      · mask the plymouth-{halt,kexec,poweroff,reboot,shutdown} services,
        to prevent them from occupying the active TTY with an (empty) splash
        screen on shutdown/reboot, that would hide the messages we want to show
        to the user via tails-kexec (Closes: #9032)
intrigeri's avatar
intrigeri committed
210
211
212
213
214
215
    - Migrate GNOME keyboard layout settings from libgnomekbd to input-sources
      (Closes: #7898).
    - Explicitly install syslinux-efi, that we need and is not automatically
      pulled by anything else anymore.
    - Workaround #7248 for GDM: use a solid blue background picture,
      instead of a solid color fill, in the Greeter session.
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
    - De-install gcc-4.8-base and gcc-4.9 at the end of the ISO build process.
    - Revert the "Wrap syndaemon to always use -t" Wheezy-specific workaround.
    - htpdate: run date(1) in a Jessie-compatible (and nicer) way.
    - Remove obsolete dconf screenshot settings and the corresponding test.
    - Drop our patched python-dbus{,-dev} package (Closes: #9177).
    - live-persist: stop overriding live-boot's functions, we now have
      a recent enough blkid.
    - Adjust sdmem initramfs bits for Jessie:
      · Directly call poweroff instead of halt -p.
      · Don't pass -n to poweroff and reboot, it's not supported anymore.
    - Wrap text in the Unsafe Browser startup warning dialog
      (Jessie's zenity does not wrap it itself).
    - Associate application/pgp-keys with Seahorse's "Import Key" application
      (Closes: #10571).
    - Install topIcons GNOME Shell extension (v28), to work around the fact
      that a few of the applets we use hijack the notification area.
    - "cd /" to fix permissions issue at tails-persistence-setup startup
      (Closes: #8097).
    - Install gstreamer1.0-libav, so that Totem can play H264-encoded videos.
    - Adjust APT sources configuration:
      · remove explicit jessie and jessie-updates sources:
        automatically added by live-build
      · add Debian testing
      · add jessie-backports
    - Firewall: white-list access to the accessibility daemon (Closes: #8075).
    - Adjust to changed desktop notification behavior and supported feature set
      (Closes: #7989):
      · pass the DBUS_SESSION_BUS_ADDRESS used by the GNOME session
        to notify-send
      · update waiting for a notification handler: gnome-panel and nm-applet
        are obsolete, GNOME Shell is now providing this facility, so instead
        wait for a process that starts once GNOME Shell is ready, namely
        ibus-daemon (Closes: #8685)
      · port tails-warn-about-disabled-persistence and tails-virt-notify-user
        to notification actions (instead of hyperlinks), and make the latter
        transient; to this end, add support to Desktop::Notify for "hints"
        and notification actions
      · tails-security-check: use a dialog box instead of desktop notifications
      · MAC spoofing failure notification: remove the link to the documentation;
        it was broken on Tails/Wheezy already, see #10559 for next steps
intrigeri's avatar
intrigeri committed
256
257
258
259
260
261

  * Drop Wheezy-era hacks to make the PulseAudio initscript silent.
    It has never been used in Tails, and has finally been removed on Jessie:
    per-user sessions for everyone.
  * Install gir1.2-gmenu-3.0, needed by the apps-menu GNOME Shell extension (Closes: #8096).
    This works around Debian#765460.
262

intrigeri's avatar
intrigeri committed
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
  * Make removable devices user writable.
    This fixes #8273, but I'm not sure whether it's a proper solution or
    just a workaround.
  * Only make floppy own devices that we support installing Tails to.
    Tails Installer requires raw block device access to such devices,
    which is why we have this workaround in the first place.
  * On MAC spoofing failure, disable NM services in addition to stopping then.
    ... and actually stop all of them.
  * Install gkbd-capplet, that provides gkbd-keyboard-display (Closes: #8363).
  * Remove chroot hook that deals with the GDM background: the file we're removing doesn't exist anymore.
  * Don't install gnome-panel nor gnome-menus.
    They're not needed in GNOME Shell anymore. We still get them by way of the
    dependency from the GNOME Flashback stack (used in the Greeter), and they
    will go away whenever the Greeter runs in GNOME Shell.
  * Drop manual dependency on gir1.2-gmenu-3.0.
    Debian#765460 has been fixed.
  * Always show the Universal Access menu icon in the GNOME panel.
  * Stop using /usr/bin/gnome-session-fallback as the default X session manager.
    We're now using GNOME Classic.
  * Clone the host CPU for the test suite guests (Will-fix: #8778).
  * Drop patch against /etc/default/macchanger: the default settings are now what we need.

  * Forcibly install Tor from o=TorProject,n=jessie.
  * Make our shutdown-helper Shell extension call `poweroff' instead of `halt'.
    The latter is _not_ supported to actually turn off the system.
    It was a SysV init bug that it did, which is fixed under systemd.
289

intrigeri's avatar
intrigeri committed
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
  * Turn the htpdate SysV initscript into a native systemd service.
  * Adjust test suite: the sticky bit is not set of the device file on Jessie anymore.
    This basically reverts commit:fc5e73b, that was introduced when we migrated
    from Squeeze to Wheezy.

  * Convert a few X session startup programs to `systemd --user' units.
    This is merely preparatory work that lays down some foundations.
    For now, we're using two targets:
     * basic.target sets up things that should be done as early as possible, don't
       need access to X, notifications, nor D-Bus ; it is automatically started by
       `systemd --user' when the logind session is created. Note that this happens
       after persistence has been set up, when the GDM autologin is triggered, and
       before /etc/gdm3/Xsession is run:
       - tails-add-GNOME-bookmarks.service
       - tails-create-tor-browser-directories.service
     * desktop.target: we're starting it via xdg/autostart during the GNOME session
       startup. There are a few units wanted by this target so far:
       - tails-configure-keyboard.service
       - tails-virt-notify-user: ideally, this should have something like
         After=notifications-ready.target (and then, most other things that
         wait for GNOME Shell to be ready to handle notifications could do the
         same instead of grep'ing the process list).
       - tails-warn-about-disabled-persistence.service
       - tails-upgrade-frontend.service: the idea is to later use systemd units
         ordering to make it run at a time that increases chances for the system
         having enough free memory; e.g. as soon as possible once the session is
         ready, Tor has bootstrapped, and some other memory-hungry programs we run
         at session startup time have completed.
       - tails-security-check.service: similarly, the idea is that we could get
         rid of the wrapper — that merely waits for Tor to have finished
         bootstrapping — given another systemd unit.
    Most of these units exit early unless they're run by the `amnesia' user.
    Otherwise they break e.g. Tails Greeter startup, and probably worse.
    Also note that the units that may take ages to complete have Type=simple.
    With Type=oneshot, systemd would wait for them to complete before running any
    follow-up units, and before considering the target they're part of has been
    reached. Two of our units can take minutes to complete, so the desktop.target
    startup would fail. Now, using Type=simple has one drawback: it makes it harder
    to order other units relatively to tails-security-check-wrapper's and
    tails-upgrade-frontend-wrapper's completion. This doesn't feel too bothering,
    though: it's more likely that we want to configure these units to start after
    others, than the opposite.
    Also, when the GNOME session is initialized, we import the relevant D-Bus, X11
    and locales variables into systemd --user's environment, so that our units can
    use them. We do that immediately before starting desktop.target.
  * Don't start tails-restricted-network-detector.service unless MAC spoofing is enabled.
    Previously, this check was done in PostLogin.default. Let's import it here
    so that the unit file becomes the canonical place that describes this service,
    including whether it should start or not.
  * Migrate tails-unblock-network to a systemd service, that handles starting NetworkManager.
    In the current state of things, this change merely speeds up login a bit since
    this allows us to start this service in a non-blocking way in Tails Greeter,
    without losing the ability to retrieve its status and output later.
    That's the first step towards Will-fix: #8327.
    Also, we move the "start NetworkManager as soon as the network is unblocked"
    logic to tails-unblock-network.service.
    Previously, /usr/local/sbin/tails-unblock-network (started by
    tails-unblock-network.service) would manually start NetworkManager services.
    This feels ugly, since it encodes systemd unit ordering in /usr/local/sbin/,
    while it really belongs to the unit files themselves.
    So, we use:
     * Requires= to trigger the startup of the NM services;
     * Before= to ensure that said startup only happens once the network
       has been unblocked.
    Note that tails-unblock-network.service is *not* WantedBy multi-user.target.
    Otherwise, it would try to start on boot before the user has had the chance to
    opt-out from MAC spoofing. And then it would fail, since its EnvironmentFile
    (/var/lib/gdm3/tails.physical_security) does not exist yet.
  * Drop notification for not-migrated-yet persistence configuration.
    That migration happened in Tails 0.21, released on 2013-10-29.
  * Add a unit file whose completion indicates that Tor has bootstrapped.
    We'll then be able to use this, with systemd units ordering, to get rid
    of some of the while/sleep loops we have elsewhere.
  * Create a tails-wait-until-tor-has-bootstrapped.service in the systemd user instance.
    The systemd user and system instances don't share units. Thus, the dependency
    we have from the security check and upgrader user services on
    tails-wait-until-tor-has-bootstrapped had no effect.
    So, we have the *system* tails-wait-until-tor-has-bootstrapped.service create
    a file upon completion -- and the identically named *user* unit file wait for
    that file to appear.
  * tor-browser, 60-tor-ready.sh: use systemctl to determine if Tor has bootstrapped already.
    Note that `systemctl is-active' returns false for a service that's in
    "activating" state. The thing is, tails-wait-until-tor-has-bootstrapped.service
    *is* in "activating" state until Tor has bootstrapped. So, we explicitly check
    for its state to be "inactive" (meaning it has completed, and Tor has
    bootstrapped).
  * Harden system-wide systemd unit files.
  * 60-tor-ready.sh: sleep for a shorter time between checking if Tor has bootstrapped.
    This is now done via systemctl, and doesn't require grep'ing logs everytime,
    so let's decrease the time until the user is made aware that Tor is ready.
  * Make sure the blacklist has disappeared from the filesystem before triggering udev events.
    There's apparently a race condition somewhere. We've already seen cases when
    a file we've just deleted was still visible to some other process for a short
    amount of time, so let's try to be on the safe side.
  * Mimic systemd-udev-trigger.service when triggering udev events.
    The default setting for `udevadm trigger' is --type=devices.
    That's why systemd-udev-trigger.service runs it twice, once
    with --type=subsystems, and then with --type=devices.
    Given the racy behaviour I'm seeing in tails-unblock-network.service,
    it seems worth doing exactly the same thing as systemd-udev-trigger does.
  * Disable udev's 75-persistent-net-generator.rules.
    This should help preventing races between MAC spoofing and interface naming.
  * Move udevadm stuff to PostLogin/Default.
    Apparently, udevadm calls are not always honored when they're started from
    tails-unblock-network.service, possibly because we started it in a non-blocking
    way.
  * Import network unblocking steps + NM startup back into /usr/local/sbin/tails-unblock-network.
    We've previously moved the udevadm mangling out of
    tails-unblock-network.service, but the NM startup handling was left in there.
    So, NM could possibly start before the MAC address has been spoofed, which we
    need to avoid.
    Another option would have been to add all of this to PostLogin, but it has so
    little to do with the Greeter's job that I felt it would be nicer to have
    PostLogin simply run a script that does all the work, so that most of it is
    self-contained in our main Git repo. For the same reason, this commit also
    imports the restricted network detector startup in the very same script.
  * Test suite: use a slightly cheaper way to test if Tor is working.
    The grep'ing and grepping etc. is now done in a systemd unit file, so we just
    have to wait for it to complete. That's what tor-has-bootstrapped now does,
    let's use it.


  * Explicitly disable systemd-networkd, to prevent any risk of DNS leaks it might cause.

  * Allow the amnesia user, when active, to open non-system devices for writing with udisks2.
    This is roughly udisks2's equivalent of having direct write access to raw block
    storage devices. Tails Installer (ported to Jessie) uses this functionality
    (with call_open_for_restore_sync) so that most operations can be done non-Tails
    systems without special privileges on the target block device.
  * Test suite: don't wait for window title while we're waiting for its content already.
    I've found wait_for_gnome_window to be fragile in this scenario (especially
    combined with #9692), and we don't really need it here.
  * Update polkit rules wrt. the porting of t-p-s to udisks2.
    Will-fix: #9270
  * Really allow the t-p-s user to modify system devices without requiring authentication.
    Without this, the operator of the current session (that is, the amnesia user)
    is asked to authenticate: polkit somewhat considers that this person controls
    the client, even if run as a different user, which kinda makes sense.
    Will-fix: #9270
  * Disable hwclock-save.service, to avoid sync'ing the system clock to the hardware clock on shutdown.
    Closes: #9363
  * Use "mask" instead of "disable" for disabling hwclock-save.service.
    It's more reliable, as it has less chances to be reverted by some upgrade.
  * Explicitly disable timesyncd: we have our own time synchronization mechanism.
    It's not enabled by default in Jessie, but it will be in Stretch, so let's be
    explicit about it.
  * tails-unblock-network: add some logging to help debugging race conditions.
  * tails-unblock-network: sleep a bit after unblocking network devices, and before triggering udev events.
    That's ugly but I wasn't able to find anything better. We'll see if it fixes
    the problem everywhere, or if it merely makes it less frequent..
    Closes: #9012
  * Replace patch against NetworkManager.conf with drop-in files.
  * Replace resolvconf with simpler NetworkManager and dhclient configuration.
    Refs: #7708
  * Test suite: run ping as root.
    For some reason, on Jessie, running ping as a regular users results in "ping:
    icmp open socket: Operation not permitted", with exit code == 2. But as root, it
    "works" and the firewall blocks the packets. This is rather an improvement than
    a problem (stuff is blocked earlier, which is cheaper), so let's just deal with
    it in the test suite only, by running ping as root: the main purpose here is to
    test the firewall.
    This change also affects the netcat command used to open TCP and UDP
    connections, for code simplicity's sake. Here again, the goal is to test
    the firewall.

  * Replace patching of the gdomap, i2p, hdparm, tor and ttdnsd initscripts with 'systemctl disable'.
    Closes: #9881
  * Pass --yes to apt-get when installing imagemagick.
    Otherwise, the Jessie build is asking a question interactively.
  * Refresh apparmor-adjust-pidgin-profile.diff and apparmor-adjust-totem-profile.diff: otherwise they leave .orig files around, that apparmor_parser fails to load.
  * apparmor-adjust-cupsd-profile.diff: adjust to parse fine on current Jessie.
    Closes: #9963
    More specifically:
    a) avoid "conflicting x modifiers" for /usr/bin/hpijs, by modifying the
       /usr/bin/* rule to not match it;
    b) add missing backends to the list of confined ones, and:
       asked how we can better maintain this list :
       https://lists.ubuntu.com/archives/apparmor/2015-August/008463.html
    c) to avoid "conflicting x modifiers", replaced glob that matches
       all remaining backends by a hard-coded list of third-party ones
       we ship;
    d) Added a note to the RM role duties to sanity check these two lists.
    Also, add the attach_disconnected flag to the third_party local profile in
    there, as was done in sid already, and is needed for it to work under systemd
    (this patch already did that for /usr/sbin/cupsd).
  * Replace patches that wrapped apps with torsocks with dynamic patching with a hook.
    This should avoid the need to maintain these patches and avoid them becoming
    fuzzy, especially when migrating to new versions of Debian.

  * Stop installing system-config-printer.
    It's been there since the first commit, mostly because back in the
    years, it was the only decent CUPS GUI available; nowadays, GNOME's one
    is good enough; we explicitly document that one should use the latter
    anyway, and as shown by #8443, even us are sometimes confused by (or
    reporting confusing information about) the fact that we ship 2 GUIs for
    the same task.
    Besides, on Jessie system-config-printer adds "an unclear and useless
    Sundry category in Applications menu".
    Note that typing in the sudoer password is still required to manage
    printers, but that's not a Jessie regression and it's tracked by
    Closes: #8505
  * Allow the amnesia user, when active, to use all CUPS actions needed by the GNOME printing setup dialog.
    These rules override those shipped by cups-pk-helper 0.2.5-2+b1 in
    /usr/share/polkit-1/actions/org.opensuse.cupspkhelper.mechanism.policy
    Closes: #8443
  * apparmor-adjust-cupsd-profile.diff: drop explicit support of /lib/live/mount/overlay.
    This is now globally handled with aliases.
  * apparmor-adjust-cupsd-profile.diff: fix access to aufs whiteouts for /etc/cups, /var/{cache,log,spool}/cups.
    Closes: #10210
  * tails-virt-notify-user: notify the user if running in a non-free vm.
    Thanks to Austin English <austinenglish@gmail.com> for the patch.
    Sorry, my `git am' does not want to hear about this patch,
    so I'm applying it by hand.
    Closes: #5315

  * Upgrade to experimental Tor 0.2.7 packages.
    Note that this introduces a regression as-is, since we lose
    the patch for https://bugs.torproject.org/15482. That's tracked by
    Refs: #10194
  * Fix is_persistent?() helper due to findmnt changes in Jessie.
    In jessie, findmnt correctly notices that / is an aufs mounts. Hence
    let's assume that we're not using read-only persistence (which uses
    aufs) in which case aufs => no persistence.
  * Rework how we measure pattern coverage.
    The approaches we used before just seems incorrect in multiple ways:
    * vm.overcommit_memory = 2 seems to make OOM killing happen way too
      early, around when 15% or RAM is still free, no matter the value of
      vm.overcommit_ratio and the various *reserved settings.
    * Using the ratio of a ration for the {min,max}_coverage calculations
      were just weird and a sign of incremental bandaid-like fixes.
    Now we do what we intended more explicitly, that is: measure the
    pattern coverage in the free RAM at the time we start filling it. We
    also have to reserve some RAM for the kernel (so it doesn't freeze
    when approaching full RAM) and admin processes like the remote shell
    (so it doesn't get unresponsive), and we exclude this from the free
    RAM in the calculations for a much more accurate result than before.
    Note that we may end up having a bit more than 100% pattern
    coverage. While that may seem strange it may just indicate that some
    unrelated RAM was freed after we noted the amount of free RAM right
    before we started filling it.
    Will-fix: #9705
  * Use blkid instead of parted to determine the filesystem type.
    In Jessie, "parted print NUMBER" doesn't work, and then blkid seems
    like a cleaner approach (bonus: the name blkid uses for swap is
    cleaner too).
  * Simplify by removing the wait_for_gnome*() helpers.
    They don't work well and do not seem needed. Also, it's used in only
    two places, and add to that that GNOME seems to be moving away from
    having the type of title bar we're looking for.
  * Start each fillram instance with the correct oom_score_adj.
    ... by starting them in sub shell with the desired oom_score_adj. The
    way we did it before left a window where they inherit the remote
    shell's oom_score_adj, which is the absolute opposite of the range,
    meaning that everything else will be prioritized.
  * Remove the check for the sound icon in the systray.
    Will-fix: #10493

  * Also wrap Seahorse with torsocks when it is started as a D-Bus service.
    It's started this way e.g. with "Password and keys" from the Activities Overview
    and applications menu.
    Closes: #9792

  * Decide memory wiping waiting time on configured RAM.
    ... instead of detected RAM. This should only make us wait longer,
    since detected RAM <= configured RAM, so it's safe but potentially an
    increase in runtime.
    We actually do this since we often want to run these modified steps
    when the remote shell is not available any more, since Tails is
    shutting down.
  * Add missing chomp().
  * Use --kiosk mode instead of --fullscreen in virt-viewer.
    The only effect will be that the tiny border of the in-viewer menu is
    removed (which *potentially* could be in the way some time) since
    --kiosk implies --fullscreen.
  * Restore AppArmor confinement of Tor by renaming the AppArmor profile.
    Jessie's systemd has no AppArmor support, so Tor 0.2.7.x backport for Jessie's
    systemd unit files don't load the profile. We've ensure that on Stretch
    everything will work just as we need, but for Jessie we need this kludge:
    simply rename the system_tor profile so that it's used automatically, without
    having to explicitly assign it to the service.
    Closes: #10528
  * Unmute and sanitize ALSA mixer levels at boot time.
    This essentially reverts ALSA state handling to pre-Jessie.
    For Stretch we might need something better, but it's simple enough that
    we could easily turn the relevant bits of the legacy initscript into
    a systemd unit file if needed.
    Closes: #7591
  * Mask the ALSA state store/restore systemd services.
    These are "static" so can't be enabled/disabled.

  * Turn htpdate.service into Type=oneshot.
    I want to use time-sync.target (see systemd.special(7)), so that we can
    order stuff after it.
    But with Type=simple, we can't tell when htpdate is done, so we can't
    specify that time-sync.target has not been reached until then. So let's
    use Type=oneshot. But then, 20-time.sh would block until htpdate is
    done, which is not what we want; this is solved by using --no-block when
    restarting the service there.
  * Explicitly declare htpdate.service as being needed for time-sync.target.
    This ensures that "services where correct time is essential should be
    ordered after this unit" (as long as such services have themselves
    declared the right dependencies). We don't ship any such services
    currently, so this is rather pedantic a commit.
    Note: in our case, we don't want the Tor service to wait for
    time-sync.target, since we still use the Tor consensus for time
    sync' purposes.
  * Explicitly use tor@default.service when it's the one we mean.
    Tor 0.2.7.x packaging now uses a template systemd unit file,
    and the instance we use is called tor@default.service.

  * Remove scenario.
    In Jessie, org.gnome.gnome-screenshot.auto-save-directory is empty
    since the default is sensible, ~/Pictures. To save the removed
    scenario we'd have to set it explicitly, which seems stupid. Besides,
    the 'A screenshot is taken when the PRINTSCREEN key is pressed'
    scenario is already testing that GNOME Screenshot saves into this
    directory, which is enough.
  * Adapt Gnome notification handling for Debian Jessie.
    When waiting for specific notifications we'll completely depend on
    robust_notification_wait() from now on *and* it will leave other
    notifications unlike the old version.
    Will-fix: #8782
  * Migrate to robust_notification_wait() and update some related images for Jessie.

  * Introduce a dedicated systemd target for "Tor has bootstrapped" state.
    ... and move tails-wait-until-tor-has-bootstrapped.service from
    default.target to it. The main effect is that anything that wants to
    start after graphical.target or multi-user.target does not have to wait
    for Tor to have bootstrapped (which could very well never happen, e.g.
    when working offline) anymore.
    Will-fix: #9393

  * Install tails-installer instead of liveusb-creator.
    Refs: #8561

  * Draft a test to ensure that we can use a NetworkManager connection stored in persistence.
    Will-fix: #7966
  * Revert "Lower required free (non-buffer/cache) memory for Tails Upgrader."
    This reverts commit 01c88c1b5f13ea02437c2f547fad0dd61946abdc.
    Refs: #8263
    Since then, we've bumped the memory requirements (both in our
    documentation and on the test suite's "hardware") to 2 GB, so the
    original reason for this change has gone away => let's go back to
    a value that was tested and confirmed to work (as in: allow upgrading
    a running Tails) on Wheezy, instead of a value that was tested on
    Jessie, but only for checking for available upgrades.
    The follow-ups will be:
     * the cool ideas posted on
       https://labs.riseup.net/code/issues/8263#note-1 will become a new,
       dedicated ticket (that has no reason to block the Tails 2.0 release);
     * #8083 and #7986 will tell us if the value this commit reverts to
       is OK.
  * Upgrader wrapper: make the check for free memory smarter.
    Quoting anonym (#8263#note-1):
    In our Live system context, where a lot of stuff is in tmpfs:es, looking
    at the values of free or /proc/meminfo alone isn't accurate for
    determining how much memory "really" is free, since the tmpfs usage is
    included in the buffers. Hence, MemFree is the lower (and safe) bound of
    how much "really" free memory we have, and MemFree + Buffers + Cache is
    the upper (and unsafe) bound. The true value should be (at least closer
    to) MemFree + Buffers + Cache - (sum of usage by tmpfs:es). We should
    check once against that value instead.
    The 300 MB magic number (minimum "real memory" available) was found
    after bisecting with an ISO built from current feature/jessie:
     * with 278000 kB of "real memory" available, Tails Upgrader could
       successfully tell me that no upgrade was available (which is indeed
       the case), or that I should manually upgrade (after tweaking
       /etc/os-release; because I started from DVD);
     * with 255000 kB of "real memory" available, the check for upgrades
       failed and the desktop session froze;
    => so 300x1024 kB should give us a small safety margin.
    For the record, a VM with 1GB of RAM allocated (891 MB visible due to
    the QXL video adapter stealing some) on current feature/jessie has
    336MB (137MB free + 39MB buffers + 212MB cache - 52MB tmpfs) of "real
    memory" available once Tor is ready and Tor Browser is started, so in
    practice any system that's beefy enough to use Tails 2.0 can check
    for upgrades.
    Closes: #10540, #8263
  * Drop notification when persistence settings were disabled due to wrong access rights.
    No need to run this script at login time on every Tails two years later.
  * Drop obsolete comment.
  * Fix link to documentation.
  * tails-security-check: remove obsolete code.
    We've stopped using this "version file" a while ago.
  * Remove the restricted network detector.
    As explained on https://labs.riseup.net/code/issues/8328#note-5, it's
    been broken for 16 months, it is still broken after the partial fix that
    went in Tails 1.6, and the logic on which the detector is based cannot
    work anymore. Reintroducing and porting this feature is now tracked
    on #10560.
    Closes: #8328
    Refs: #10560
  * Don't try to disable lvm2 initscripts anymore.
    It was disabled in amnesia 0.3 because "it slows-down too much the boot
    in certain circumstances". I can't confirm that with current hardware on
    feature/jessie: the output of `systemd-analyze critical-chain' does not
    include anything LVM-related, and in `systemd-analyze blame' everything
    LVM-related takes 400ms or less on one of my systems, and 100ms or less
    on another.
    On Jessie, lvm2 initscripts have been split into numerous systemd units,
    so it might help avoid unconditionally blocking boot.
    Note that the way we did in this this chroot_local-hooks has no effect
    on Jessie.

  * Remove kiosk mode support.
    It was a partial, never completed attempt. We don't ship such things in
    Tails anymore these days.
  * Test suite: use a stricter regexp when extracting logs for dropped packets.
    Thanks to journalctl's --output=cat option, we can trivially look at the
    logged message itself, without any metadata around.
  * clock_gettime_monotonic: use Perl's own function to get the integer part, instead of forking out to sed.
701

intrigeri's avatar
intrigeri committed
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722

  * Refactor GNOME/X env exporting to Tails' shell library.
  * Grab the rest of the variables from gnome-shell's environment.
    The static guess for DISPLAY *could* be wrong, and the how we relied
    on a shell blog for XAUTHORITY could results in problems if there's a
    leftover database from a previous session for some reason. Besides,
    the new approach feels more consistent.
  * Include the GNOME/X environment in the remote shell.
    And kill the (inferior) code about DISPLAY and XAUTHORITY since
    they're set by export_gnome_env() into the environment.
  * Disable screen blanking in the automated test suite.
    In the automated test suite we sometimes need to wait long enough so
    screen blanking activates, which can mess with Sikuli wait():ing for
    some image. This is the case in e.g. the 'Install packages using
    Synaptic' scenario, in which the APT update can take >5 minutes.
    Will-fix: #10403
  * Remove useless code.
    We only intend to run these script from environments where XAUTHORITY
    is set. Also, there is no ~/.Xauthority.

 -- Tails developers <tails@boum.org>  Thu, 19 Nov 2015 16:01:19 +0000
723

anonym's avatar
anonym committed
724
725
726
727
728
729
tails (1.8) UNRELEASED; urgency=medium

  * Dummy entry.

 -- anonym <anonym@riseup.net>  Wed, 18 Nov 2015 20:22:23 +0100

anonym's avatar
anonym committed
730
tails (1.7) unstable; urgency=medium
bertagaz's avatar
bertagaz committed
731

anonym's avatar
anonym committed
732
  * Major new features and changes
anonym's avatar
anonym committed
733
    - Upgrade Tor Browser to 5.0.4. (Closes: #10456)
anonym's avatar
anonym committed
734
735
736
    - Add a technology preview of the Icedove Email client (a
      rebranded version of Mozilla Thunderbird), including OpenPGP
      support via the Enigmail add-on, general security and anonymity
sajolida's avatar
sajolida committed
737
      improvements via the Torbirdy add-on, and complete persistence
anonym's avatar
anonym committed
738
739
740
741
742
743
744
745
      support (which will be enabled automatically if you already have
      Claws Mail persistence enabled). Icedove will replace Claws Mail
      as the supported email client in Tails in a future
      release. (Closes: #6151, #9498, #10285)
    - Upgrade Tor to 0.2.7.4-rc-1~d70.wheezy+1+tails1. Among the many
      improvement of this new Tor major release, the new
      KeepAliveIsolateSOCKSAuth option allows us to drop the
      bug15482.patch patch (taken from the Tor Browse bundle) that
sajolida's avatar
sajolida committed
746
      enabled similar (but inferior) functionality for *all*
anonym's avatar
anonym committed
747
748
749
750
751
752
      SocksPort:s -- now the same circuit is only kept alive for
      extended periods for the SocksPort used by the Tor
      Browser. (Closes: #10194, #10308)
    - Add an option to Tails Greeter which disables networking
      completely. This is useful when intending to use Tails for
      offline work only. (Closes: #6811)
bertagaz's avatar
bertagaz committed
753

anonym's avatar
anonym committed
754
755
  * Security fixes
    - Fix CVE-2015-7665, which could lead to a network interface's IP
elouann's avatar
elouann committed
756
      address being exposed through wget. (Closes: #10364)
anonym's avatar
anonym committed
757
758
759
760
    - Prevent a symlink attack on ~/.xsession-errors via
      tails-debugging-info which could be used by the amnesia user to
      read the contents of any file, no matter the
      permissions. (Closes: #10333)
anonym's avatar
anonym committed
761
762
763
764
765
766
767
768
769
770
771
772
773
    - Upgrade libfreetype6 to 2.4.9-1.1+deb7u2.
    - Upgrade gdk-pixbuf packages to 2.26.1-1+deb7u2.
    - Upgrade Linux to 3.16.7-ckt11-1+deb8u5.
    - Upgrade openjdk-7 packages to 7u85-2.6.1-6~deb7u1.
    - Upgrade unzip to 6.0-8+deb7u4.

  * Bugfixes
    - Add a temporary workaround for an issue in our code which checks
      whether i2p has bootstrapped, which (due to some recent change
      in either I2P or Java) could make it appear it had finished
      prematurely. (Closes: #10185)
    - Fix a logical bug in the persistence preset migration code while
      real-only persistence is enabled. (Closes: #10431)
anonym's avatar
anonym committed
774
775

  * Minor improvements
anonym's avatar
anonym committed
776
777
    - Rework the wordings of the various installation and upgrade
      options available in Tails installer in Wheezy. (Closes: #9672)
anonym's avatar
anonym committed
778
779
780
781
782
    - Restart Tor if bootstrapping stalls for too long when not using
      pluggable transports. (Closes: #9516)
    - Install firmware-amd-graphics, and firmware-misc-nonfree instead
      of firmware-ralink-nonfree, both from Debian Sid.
    - Update the Tails signing key. (Closes: #10012)
anonym's avatar
anonym committed
783
784
785
786
787
788
    - Update the Tails APT repo signing key. (Closes: #10419)
    - Install the nmh package. (Closes: #10457)
    - Explicitly run "sync" at the end of the Tails Upgrader's upgrade
      process, and pass the "sync" option when remounting the system
      partition as read-write. This might help with some issues we've
      seen, such as #10239, and possibly for #8449 as well.
anonym's avatar
anonym committed
789
790
791

  * Test suite
    - Add initial automated tests for Icedove. (Closes: #10332)
elouann's avatar
elouann committed
792
    - Add automated tests of the MAC spoofing feature. (Closes: #6302)
anonym's avatar
anonym committed
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
    - Drop the concept of "background snapshots" and introduce a general
      system for generating snapshots that can be shared between
      features. This removes all silly hacks we previously used to
      "skip" steps, and greatly improves performance and reliability
      of the whole test suite. (Closes: #6094, #8008)
    - Flush to the log file in debug_log() so the debugging info can
      be viewed in real time when monitoring the debug log
      file. (Closes: #10323)
    - Force UTF-8 locale in automated test suite. Ruby will default to
      the system locale, and if it is non-UTF-8, some String-methods
      will fail when operating on non-ASCII strings. (Closes: #10359)
    - Escape regexp used to match nick in CTCP replies. Our Pidgin
      nick's have a 10% chance to include a ^, which will break that
      regexp. We need to escape all characters in the nick. (Closes:
      #10219)
    - Extract TBB languages from the Tails source code. This will
      ensure that valid locales are tested. As an added bonus, the
      code is greatly simplified. (Closes: #9897)
anonym's avatar
anonym committed
811
812
    - Automatically test that tails-debugging-info is not susceptible
      to the type of symlink attacks fixed by #10333.
anonym's avatar
anonym committed
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
    - Save all test suite artifacts in a dedicated directory with more
      useful infromation encoded in the path. This makes it easier to
      see which artifacts belongs to which failed scenario and which
      run. (Closes: #10151)
    - Log all useful information via Cucumber's formatters instead of
      printing to stderr, which is not included when logging to file
      via `--out`. (Closes: #10342)
    - Continue running the automated test suite's vnc server even if
      the client disconnects. (Closes: #10345)
    - Add more automatic tests for I2P. (Closes: #6406)
    - Bump the Tor circuit retry count to 10. (Closes: #10375)
    - Clean up dependencies: (Closes: #10208)
      * libxslt1-dev
      * radvd
      * x11-apps
anonym's avatar
anonym committed
828

anonym's avatar
anonym committed
829
 -- Tails developers <tails@boum.org>  Tue, 03 Nov 2015 01:09:41 +0100
bertagaz's avatar
bertagaz committed
830

anonym's avatar
anonym committed
831
tails (1.6) unstable; urgency=medium
anonym's avatar
anonym committed
832

anonym's avatar
anonym committed
833
834
835
  * Security fixes
    - Upgrade Tor Browser to 5.0.3. (Closes: #10223)
    - Upgrade bind9-based packages to 1:9.8.4.dfsg.P1-6+nmu2+deb7u7.
836
    - Upgrade liblcms1 to 1.19.dfsg2-1.2+deb7u1.
anonym's avatar
anonym committed
837
838
    - Upgrade libldap-2.4-2 to 2.4.31-2+deb7u1.
    - Upgrade libslp1 to 1.2.1-9+deb7u1.
839
    - Upgrade ssl-cert to 1.0.32+deb7u1.
anonym's avatar
anonym committed
840

anonym's avatar
anonym committed
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
  * Bugfixes
    - Fix a corner case for the MAC spoofing panic mode. If panic mode
      failed to disable the specific device that couldn't be spoofed
      (by unloading the module) we disable networking. Previously we
      only stopped NetworkManager. The problem is that NM isn't even
      started at this time, but will specifically be started when
      we're done with MAC spoofing. Therefore, let's completely
      disable NetworkManager so it cannot possibly be
      started. (Closes: #10160)
    - Avoid use of uninitialized value in restricted-network-detector.
      If NetworkManager decides that a wireless connection has timed
      out before "supplicant connection state" has occued, our idea of
      the state is `undef`, so it cannot be used in a string
      comparison. Hence, let's initialize the state to the empty
      string instead of `undef`. Also fix the state
      recording. Apparently NetworkManager can say a few different
      things when it logs the device state transitions. (Closes:
      #7689)

  * Minor improvements
    - Remove workaround for localizing search engine plugins. The
      workaround has recently become unnecessary, possibly due to the
      changes made for the seach bar after the Tor Browser was rebased
      on Firefox 38esr. (Closes: #9146)
    - Refer to the I2P Browser in the I2P notifications. Instead of
      some obscure links that won't work in the Tor Browser, where
      users likely will try them, and which I believe will open them
      by default. (Closes: #10182)
    - Upgrade I2P to 0.9.22. Also set the I2P apparmor profile to
      enforce mode. (Closes: #9830)

  * Test suite
    - Test that udev-watchdog is monitoring the correct device when
      booted from USB. (Closes: #9890)
    - Remove unused 'gksu' step. This causes a false-positive to be
      found for #5330. (Closes: #9877)
    - Make --capture capture individual videos for failed scenarios
      only, and --capture-all to capture videos for all scenarios.
      (Closes: #10148)
anonym's avatar
anonym committed
880
    - Use the more efficient x264 encoding when capturing videos using
anonym's avatar
anonym committed
881
      the --capture* options. (Closes: #10001)
anonym's avatar
anonym committed
882
    - Make --old-iso default to --iso if omitted. Using the same ISO
anonym's avatar
anonym committed
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
      for the USB upgrade tests most often still does what we want,
      e.g. test that the current version of Tails being tested has a
      working Tails installer. Hence this seems like a reasonable
      default. (Closes: #10147)
    - Avoid nested FindFailed exceptions in waitAny()/findAny(), and
      throw a new dedicated FindAnyFailed exception if these fail
      instead. Rjb::throw doesn't block Ruby's execution until the
      Java exception has been received by Ruby, so strange things can
      happen and we must avoid it. (Closes: #9633)
    - Fix the Download Management page in our browsers. Without the
      browser.download.panel.shown pref set, the progress being made
      will not update until after the browser has been restarted.
      (Closes: #8159)
    - Add a 'pretty_debug' (with an alias: 'debug') Cucumber formatter
      that deals with debugging instead of printing it to STDERR via
      the `--debug` option (which now has been removed). This gives us
      the full flexibility of Cucumber's formatter system, e.g. one
      easy-to-read formatter can print to the terminal, while we get
      the full debug log printed to a file. (Closes: #9491)
    - Import logging module in otr-bot.py. Our otr-bot.py does not use
      logging but the jabberbot library makes logging calls, causing a
      one-off message No handlers could be found for logger
      "jabberbot" to be printed to the console. This commit
      effectively prevents logging/outputting anything to the terminal
      which is at a level lower than CRITICAL. (Closes: 9375)
    - Force new Tor circuit and reload web site on browser
      timeouts. (Closes: #10116)
    - Focus Pidgin's buddy list before trying to access the tools
      menu. (Closes: #10217)
    - Optimize IRC test using waitAny. If connecting to IRC fails,
      such as when OFTC is blocking Tor, waiting 60 seconds to connect
      while a a Reconnect button is visible is sub-optimal. It would
      be better to try forcing a new Tor circuit and clicking the
      reconnect button. (Closes: #9653)
    - Wait for (and focus if necessary) Pidgin's Certificate windows.
      (Closes: #10222)

 -- Tails developers <tails@boum.org>  Sun, 20 Sep 2015 17:47:26 +0000
anonym's avatar
anonym committed
921

anonym's avatar
anonym committed
922
tails (1.5.1) unstable; urgency=medium
anonym's avatar
anonym committed
923

anonym's avatar
anonym committed
924
925
926
927
928
929
930
931
932
933
934
935
  * Security fixes
    - Upgrade Tor Browser to 5.0.2. (Closes: #10112)
    - Upgrade gdk-pixbuf packages to 2.26.1-1+deb7u1.
    - Upgrade libnss3 to 2:3.14.5-1+deb7u5.

  * Bugfixes
    - Refresh Tor Browser AppArmor profile patch. The old one doesn't
      apply on top of testing's torbrowser-launcher anymore.

  * Build system
    - Make sure Jenkins creates new jobs to build the testing branch
      after freezes. (Closes: #9925)
anonym's avatar
anonym committed
936

anonym's avatar
anonym committed
937
 -- Tails developers <tails@boum.org>  Fri, 28 Aug 2015 01:52:14 +0200
anonym's avatar
anonym committed
938

anonym's avatar
anonym committed
939
tails (1.5) unstable; urgency=medium
anonym's avatar
anonym committed
940

intrigeri's avatar
intrigeri committed
941
942
943
  * Major new features and changes
    - Move LAN web browsing from Tor Browser to the Unsafe Browser,
      and forbid access to the LAN from the former. (Closes: #7976)
944
945
    - Install a 32-bit GRUB EFI boot loader. This at least works
      on some Intel Baytrail systems. (Closes: #8471)
anonym's avatar
anonym committed
946

intrigeri's avatar
intrigeri committed
947
  * Security fixes
anonym's avatar
anonym committed
948
    - Upgrade Tor Browser to 5.0, and integrate it:
949
950
951
      · Disable Tiles in all browsers' new tab page.
      · Don't use geo-specific search engine prefs in our browsers.
      · Hide Tools -> Set Up Sync, Tools -> Apps (that links to the Firefox
anonym's avatar
anonym committed
952
        Marketplace), and the "Share this page" button in the Tool bar.
anonym's avatar
anonym committed
953
954
955
      · Generate localized Wikipedia search engine plugin icons so the
        English and localized versions can be distinguished in the new
        search bar. (Closes: #9955)
intrigeri's avatar
intrigeri committed
956
    - Fix panic mode on MAC spoofing failure. (Closes: #9531)
intrigeri's avatar
intrigeri committed
957
958
959
960
    - Deny Tor Browser access to global tmp directories with AppArmor,
      and give it its own $TMPDIR. (Closes: #9558)
    - Tails Installer: don't use a predictable file name for the subprocess
      error log. (Closes: #9349)
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
    - Pidgin AppArmor profile: disable the launchpad-integration abstraction,
      which is too wide-open.
    - Use aliases so that our AppArmor policy applies to
      /lib/live/mount/overlay/ and /lib/live/mount/rootfs/*.squashfs/ as well as
      it applies to /. And accordingly:
      · Upgrade AppArmor packages to 2.9.0-3~bpo70+1.
      · Install rsyslog from wheezy-backports, since the version from Wheezy
        conflicts with AppArmor 2.9.
      · Stop installing systemd for now: the migration work is being done in
        the feature/jessie branch, and it conflicts with rsyslog from
        wheezy-backports.
      · Drop apparmor-adjust-user-tmp-abstraction.diff: obsoleted.
      · apparmor-adjust-tor-profile.diff: simplify and de-duplicate rules.
      · Take into account aufs whiteouts in the system_tor profile.
      · Adjust the Vidalia profile to take into account Live-specific paths.
976
    - Upgrade Linux to 3.16.7-ckt11-1+deb8u3.
intrigeri's avatar
intrigeri committed
977
978
979
980
981
982
983
984
985
    - Upgrade bind9-host, dnsutils and friends to 1:9.8.4.dfsg.P1-6+nmu2+deb7u6.
    - Upgrade cups-filters to 1.0.18-2.1+deb7u2.
    - Upgrade ghostscript to 9.05~dfsg-6.3+deb7u2.
    - Upgrade libexpat1 to 2.1.0-1+deb7u2.
    - Upgrade libicu48 to 4.8.1.1-12+deb7u3.
    - Upgrade libwmf0.2-7 to 0.2.8.4-10.3+deb7u1.
    - Upgrade openjdk-7 to 7u79-2.5.6-1~deb7u1.

  * Bugfixes
986
    - Upgrade Tor to 0.2.6.10-1~d70.wheezy+1+tails1.
intrigeri's avatar
intrigeri committed
987
988
989
990
991
992
993
994
995
996
997
998
999

  * Minor improvements
    - Tails Installer: let the user know when it has rejected a candidate
      destination device because it is too small. (Closes: #9130)
    - Tails Installer: prevent users from trying to "upgrade" a device
      that contains no Tails, or that was not installed with Tails Installer.
      (Closes: #5623)
    - Install libotr5 and pidgin-otr 4.x from wheezy-backports. This adds
      support for the OTRv3 protocol and for multiple concurrent connections
      to the same account. (Closes: #9513)
    - Skip warning dialog when starting Tor Browser while being offline,
      in case it is already running. Thanks to Austin English for the patch!
      (Closes: #7525)
1000
    - Install the apparmor-profiles package (Closes: #9539), but don't ship
For faster browsing, not all history is shown. View entire blame