tails (2.10) UNRELEASED; urgency=medium

  * Dummy.

 -- anonym <anonym@riseup.net>  Fri, 13 Jan 2017 14:22:56 +0100

tails (2.10~rc1) unstable; urgency=medium

  * Major new features and changes
    - Upgrade the Linux kernel to 4.8.0-0.bpo.2 (Closes: #11886).
    - Install OnionShare from jessie-backports. Also install
      python3-stem from jessie-backports to allow the use of ephemeral
      onion services (Closes: #7870).
    - Completely rewrite tor-controlport-filter. Now we can safely
      support OnionShare, Tor Browser's per-tab circuit view and
      similar.
      * Port to python3.
      * Handle multiple sessions simultaneously.
      * Separate data (filters) from code.
      * Use python3-stem to allow our filter to be a lot more
        oblivious of the control language (Closes: #6788).
      * Allow restricting STREAM events to only those generated by the
        subscribed client application.
      * Allow rewriting commands and responses arbitrarily.
      * Make tor-controlport-filter reusable for others by e.g. making
        it possible to pass the listen port, and Tor control
        cookie/socket paths as arguments (Closes: #6742). We hear
        Whonix plan to use it! :)
    - Upgrade Tor to 0.2.9.8-2~d80.jessie+1, the new stable series
      (Closes: #12012).

  * Security fixes
    - Upgrade Icedove to 1:45.6.0-1~deb8u1+tail1s.

  * Minor improvements
    - Enable and use the Debian Jessie proposed-updates APT
      repository, in anticipation of the Jessie 8.7 point-release
      (Closes: #12124).
    - Enable the per-tab circuit view in Tor Browser (Closes: #9365).
    - Change syslinux menu entries from "Live" to "Tails" (Closes:
      #11975). Also replace the confusing "failsafe" wording with
      "Troubleshooting Mode" (Closes: #11365).
    - Make OnionCircuits use the filtered control port (Closes:
      #9001).
    - Make tor-launcher use the filtered control port.
    - Run OnionCircuits directly as the Live user, instead of a
      separate user. This will make it compatible with the Orca screen
      reader (Closes: #11197).
    - Run tor-controlport-filter on port 9051, and the unfiltered one
      on 9052. This simplifies client configurations and assumptions
      made in many applications that use Tor's ControlPort. It's the
      exception that we connect to the unfiltered version, so this
      seems like the more sane approach.
    - Remove tor-arm (Nyx) (Closes: #9811).
    - Remove AddTrust_External_Root.pem from our website CA bundle. We
      now only use Let's Encrypt (Closes: #11811).
    - Configure APT to use Debian's Onion services instead of the
      clearnet ones (Closes: #11556).
    - Replaced AdBlock Plus with uBlock Origin (Closes: #9833). This
      incidentally also makes our filter lists lighter by
      de-duplicating common patterns among the EasyList filters
      (Closes: #6908). Thanks to spriver for this first major code
      contribution!
    - Install OpenPGP Applet 1.0 (and libgtk3-simplelist-perl) from
      Jessie backports (Closes: #11899).
    - Add support for exFAT (Closes: #9659).
    - Disable unprivileged BPF. Since upgrading to kernel 4.6,
      unprivileged users can use the bpf() syscall, which is a
      security concern, even with JIT disabled. So we disable that.
      This feature wasn't available before Linux 4.6, so disabling it
      should not cause any regressions (Closes: #11827).
    - Add and enable AppArmor profiles for OnionCircuits and OnionShare.
    - Raise the maximum number of loop devices to 32 (Closes: #12065).
    - Drop kernel.dmesg_restrict customization: it's enabled by
      default since 4.8.4-1~exp1 (Closes: #11886).
    - Upgrade Electrum to 2.7.9-1.

  * Bugfixes
    - Tails Greeter:
      * use gdm-password instead of gdm-autologin, to fix switching to
        the VT where the desktop session lives on Stretch (Closes:
        #11694)
      * Fix more options scrolledwindow size in Stretch (Closes:
        #11919)
    - Tails Installer: remove unused code warning about missing
      extlinux in Tails Installer (Closes: #11196).
    - Update APT pinning to cover all binary packages built from
      src:mesa so we ensure installing mesa from jessie-backports
      (Closes: #11853).
    - Install xserver-xorg-video-amdgpu. This should help supporting
      newer AMD graphics adapters. (Closes: #11850)
    - Fix firewall startup during early boot, by referring to the
      "amnesia" user via its UID (Closes: #7018).
    - Include all amd64-microcodes.

  * Build system
    - Be more careful when unmounting the tmpfs used as workspace
      during builds, fixing an issue that made Jenkins' ISO builders
      prone to failures (Closes: #12009).
    - Upgrade the Vagrant basebox to 20170105. The only big change is
      that we now install the backported kernel in the builder VM, to
      make building possible on Debian Sid (Closes: #12081).

  * Test suite
    - Replace the filesystem shares support with a helper for easily
      sharing files from the host to the guest using virtual disks
      (Closes: #5571).
    - Do not test sending email when testing POP3. We cannot clean
      that email up (easily) since when we use POP3 deletions won't
      affect the remote inbox, only our local one, resulting in the
      quota being reached eventually (Closes: #12006).
    - Have APT tests configure APT to use non-onion sources. Our test
      suite uses Chutney to create a virtual, private Tor network, and
      thus doesn't support connections to Onion services running in
      the real Tor network (Refs: #11556).
    - Allow connections to Tor's control port during stream isolation
      tests, but only for those applications where we expect that.

 -- Tails Developers <tails@boum.org>  Thu, 12 Jan 2017 23:50:39 +0100

tails (2.9.1) unstable; urgency=medium

  * Security fixes
    - Upgrade Tor Browser to 6.0.8 based on Firefox 45.6. If you pay
      close attention you'll see that we import -build1 but there was
      a -build2. The only change is Tor Button 1.9.5.13 which makes
      some changes to the donation campaign banner in `about:tor`,
      which we safely can skip. (Closes: #12028)
    - Upgrade Icedove to 45.5.1-1~deb8u1+tails1. (Closes: #12029)
    - Upgrade APT-related packages to 1.0.9.8.4.

  * Minor improvements
    - Switch to DuckDuckGo as the default search engine in Tor
      Browser. This is what Tor Browser has, and Disconnect.me (the
      previous default) has been re-directing to DDG for some time,
      which has been confusing users. In addition, we localize the DDG
      user interface for the locales with available langpacks. (Closes:
      #11913)
    - Improve the display name for the Wikipedia search plugin.
    - Enable contrib and non-free for our own APT repos.
    - Upgrade Tor to 0.2.8.10. (Closes: #12015)
    - Upgrade obfs4proxy to 0.0.7-1~tpo1.

  * Bugfixes
    - AppArmor Totem profile: add permissions needed to avoid warning
      on startup. (Closes: #11984)
    - Upgrade the VirtualBox Guest additions and modules to version
      5.1.8. This should prevent Xorg from crashing unless the video
      memory for the VMs is significantly bumped. (Closes: #11965)
      Users will still have to enable I/O APIC due to a bug in Linux.
    - Drop unwanted search plugins from the Tor Browser langpacks.
      Otherwise they are only removed from English locales. Note that
      the langpacks contain copies of the English plugins, not
      localized versions, so we actually lose nothing.

  * Test suite
    - Add support for SikuliX, which recently hit Debian Unstable,
      while still supporting Sikuli for Jessie users. (Closes: #11991)
    - Fix some instances where we were trying to use the mouse outside
      of the Sikuli screen.
    - Use "TorBirdy" instead of "amnesia branding" as the "anchor"
      addon.  I.e. the addon that we use to find the other ones. The
      "amnesia branding" addon has been removed, so we must use
      something else. (Fixup: #11906)
    - Dogtailify "the support documentation page opens in Tor Browser"
      step. We previously relied on Sikuli, and the image was made
      outdated thanks to our donation campaign. No more! (Closes:
      #11911)
    - Resolve dl.amnesia.boum.org instead of picking a static address.
      Just hours after updating the dustri.org IP address, its web
      server went down => test suite failures. Let's make this test as
      robust as actually downloading the Tails ISO image -- if that
      fails, we probably have more serious problems on our hands than
      a failing test suite. (Closes: #11960)
    - Switch MAT scenario from testing PDFs to PNGs. Also add
      anti-test and test using a tool *different* from MAT, the
      tool being tested here. (Closes: #11901)

 -- Tails Developers <tails@boum.org>  Wed, 14 Dec 2016 13:19:16 +0100

tails (2.7.1) unstable; urgency=medium

  * Security fixes
    - Upgrade Tor Browser to 6.0.7 (build3) based on Firefox 45.5.1.
    - Upgrade gstreamer0.10-based packages to 0.10.31-3+nmu4+deb8u2.
    - Upgrade imagemagick-based packages to 8:6.8.9.9-5+deb8u6.
    - Upgrade libicu52 to 52.1-8+deb8u4.
    - Upgrade vim-based packages to 2:7.4.488-7+deb8u1.

  * Minor improvements
    - Reserve 64 MiB for the kernel and 128 MiB for privileged
      processes before the memory is wiped. We hope that this might
      help (but not solve, sadly) some crashes experienced while
      wiping the memory.

  * Build system
    - Make the wiki shipped inside Tails build deterministically
      (Closes: #11966):
      * Enable ikiwiki's "deterministic" option, and require it when
        building.
      * Use our custom backport of discount (2.2.1-1~bpo8+1~0.tails1),
        to fix reproducibility issues (Debian#782315). This can be
        dropped once our ISO builders use Stretch.
      * Install ikiwiki from our builder-jessie APT suite, to make the
        pagestats plugin output deterministic.
    - refresh-translations: don't update PO files unless something
      other than POT-Creation-Date was changed. (Closes: #11967)
    - Fix Vagrant's is_release? check. Per auto/build, we consider it
      a release when we build from detached head, and HEAD is tagged.
    - Enforce `cleanall` when building a release. I.e. don't allow the
      user supplied options to override this behaviour. This is
      important since Vagrant caches wiki builds, and we do not want
      leftovers from previous builds ending up in a release. Also,
      this is required for making Tails images build reproducibly.
    - Make the build system's `cleanall` option really clean
      everything.  At the moment it doesn't clean the cached wiki
      build (which basically was its only job).
    - import-package: support contrib and non-free sections.

  * Test suite
    - Wait a bit between opening the shutdown applet menu, and
      clicking one of its widgets. (Closes: #11616).
    - Adapt Icedove test after removing the amnesia branding add-on.
      (Closes: #11906)
    - Replace --pause-on-fail with --interactive-debugging. It does
      the same thing, but also offers an interactive Ruby shell, via
      pry, with the Cucumber world context.

 -- Tails developers <tails@boum.org>  Wed, 30 Nov 2016 17:27:37 +0100

tails (2.7) unstable; urgency=medium

  * Security fixes
    - Upgrade to Linux 4.7. (Closes: #11885, #11818)
    - Upgrade to Tor 0.2.8.9. (Closes: #11832, #11891)
    - Upgrade Tor Browser to 6.0.6 based on Firefox 45.5. (Closes: #11910)
    - Upgrade Icedove to 1:45.4.0-1~deb8u1+tails1. (Closes: #11854,
      #11860)
    - Upgrade imagemagick to 8:6.8.9.9-5+deb8u5.
    - Upgrade openssl to 1.0.1t-1+deb8u5.
    - Upgrade libarchive to 3.1.2-11+deb8u3.
    - Upgrade bind9 to 1:9.9.5.dfsg-9+deb8u8.
    - Upgrade libav to 6:11.8-1~deb8u1.
    - Upgrade ghostscript to 9.06~dfsg-2+deb8u3.
    - Upgrade c-ares to 1.10.0-2+deb8u1.
    - Upgrade nspr to 2:4.12-1+debu8u1.
    - Upgrade nss to 2:3.26-1+debu8u1.
    - Upgrade tar to 1.27.1-2+deb8u1.
    - Upgrade curl to 7.38.0-4+deb8u5.
    - Upgrade libgd3 to 2.1.0-5+deb8u7.
    - Upgrade openjdk-7 to 7u111-2.6.7-2~deb8u1.
    - Upgrade mat to 0.5.2-3+deb8u1.
    - Upgrade libxslt to 1.1.28-2+deb8u2.
    - Upgrade pillow to 2.6.1-2+deb8u3.

  * Minor improvements
    - Ship Let's Encrypt intermediate certificate to prepare the
      next certificate renewal of our website. Also unify the
      way our upgrades and security checkers verify this SSL
      certificate using our dedicated perl lib code. (Closes: #11810)

  * Bugfixes
    - Fix multiarch support in Synaptic. (Closes: #11820)
    - Set default spelling language to en_US in Icedove. (Closes: #11037)

  * Build system
    - Disable debootstrap merged-usr option. (Closes: #11903)

  * Test suite
    - Add test for incremental upgrades. (Closes: #6309)
    - Add tests for Icedove. (Closes: #6304)
    - Decrease timeout to Tails Greeter to speed up testing of branches
      where it is broken. (Closes: #11449)
    - Add an ID field to the remote shell responses to filter out
      unrelated ones. (Closes: #11846)
    - Reliably wait for the Greeter PostLogin script. (Closes: #5666)
    - Reliably type the kernel command line in the prompt at the boot
      menu to ensure the remote shell is started. (Closes: #10777)
    - Remove DVDROM device when not used, to workaround QEMU/Libvirt
      compatibility issue. (Closes: #11874)

 -- Tails developers <tails@boum.org>  Sun, 13 Nov 2016 14:46:04 +0100

tails (2.6) unstable; urgency=medium

  * Major new features and changes
    - Install Tor 0.2.8.7. (Closes: #11351)
    - Enable kASLR in the Linux kernel. (Closes: #11281)
    - Upgrade Icedove to 1:45.2.0-1~deb8u1+tails1: (Closes: #11714)
      · Drop auto-fetched configurations using Oauth2.  They do not
        work together with Torbirdy since it disables needed
        functionality (like JavaScript and cookies) in the embedded
        browser. This should make auto-configuration work for GMail
        again, for instance.  (Closes: #11536)
      · Pin Icedove to be installed from our APT repo. Debian's
        Icedove packages still do not have our secure Icedove
        autoconfig wizard patches applied, so installing them would be
        a serious security regression. (Closes: #11613)
      · Add missing icedove-l10n-* packages to our custom APT
        repository (Closes: #11550)
    - Upgrade to Linux 4.6: (Closes: #10298)
      · Install the 686 kernel flavour instead of the obsolete 586
        one.
      · APT, dpkg: add amd64 architecture. The amd64 kernel flavour is
        not built anymore for the i386 architecture, so we need to use
        multiarch now.
      · Build and install the out-of-tree aufs4 module. (Closes: #10298)
      · Disable kernel modesetting for QXL: it's not compatible with
        Jessie's QXL X.Org driver.

  * Security fixes
    - Hopefully fixed an issue which would sometimes make the Greeter
      ignore the "disable networking" or "bridge mode"
      options. (Closes: #11593)

  * Minor improvements
    - Install firmware-intel-sound and firmware-ti-connectivity.  This
      adds support for some sound cards and Wi-Fi adapters.  (Closes:
      #11502)
    - Install OpenPGP Applet from Debian. (Closes: #10190)
    - Port the "About Tails" dialog to python3.
    - Run our initramfs memory erasure hook earlier (Closes:
      #10733). The goal here is to:
      · save a few seconds on shutdown (it might matter especially for
        the emergency one);
      · work in a less heavily multitasking / event-driven
        environment, for more robust operation.
    - Install rngd, and make rng-tools initscript return success when
      it can't find any hardware RNG device. Most Tails systems around
      probably have no such device, and we don't want systemd to
      believe they failed to boot properly. (Closes: #5650)
    - Don't force using the vboxvideo X.Org driver. According to our
      tests, this forced setting is:
       · harmful: it breaks X startup when the vboxvideo *kernel*
         driver is loaded;
       · useless: X.Org now autodetects the vboxvideo X.Org driver and
         uses it when running in VirtualBox and the vboxvideo kernel
         is not present.
    - Port boot-profile to python3 (Closes: #10083). Thanks to
      heartsucker <heartsucker@autistici.org> for the patch!
    - Include /proc/cmdline and the content of persistent APT sources
      in WhisperBack bug reports. (Closes: #11675, #11635)
    - Disable non-free APT sources at boot time. (Closes: #10130)
    - Have a dedicated page for the homepage of Tor Browser in
      Tails. (Closes: #11725)
    - Only build the VirtualBox kernel modules for the 32-bit kernel.
      It's both hard and useless to build it for 64-bit in the current
      state of things, as long as we're shipping a 32-bit userspace.
      Also, install virtualbox-* from jessie-backports, since the
      version in Jessie is not compatible with Linux 4.x.

  * Build system
    - Don't install+remove dpatch during the build. It's not been
      needed in this hook for ages.
    - Bump BUILD_SPACE_REQUIREMENT: at least one of us needed that to
      build feature/10298-linux-4.x-aufs with the gzipcomp option.

  * Test suite
    - Send Tails Installer's debug log to the Cucumber debug log on
      failure. This is meant to debug #10720 since I can't
      reproduce it locally.
    - Give the system under testing 2 vCPUs. (Closes: #6729)
    - Split scenarios from checks.feature. (Closes: #5707)
    - Add retry-logic to the Synaptic tests. (Closes: #10412, #10441,
      #10991)
    - Run usb_upgrade.feature earlier, when there is enough free disk
      space left. (Closes: #11582)
    - Use more recent virtual hardware in the system under test,
      i.e. USB 3.0 (nec-xhci) on a pc-i440fx-2.5 machine. Switching
      USB controllers has helped with problems we see on Jenkins when
      booting from USB (#11588). Also, there are chances that more
      recent virtual hardware sees more testing these days, so it
      sounds potentially useful to "upgrade".
    - Add support for Cucumber 2.4. (Closes: #11690)
    - Always write {pretty,debug} logs and JSON output to the artifact
      directory.
    - Disable info level logging on Chutney nodes to save disk
      space. For our network all these add up to > 1 GiB and we didn't
      take this into account when budgeting RAM to the isotesters on
      Jenkins.

 -- Tails developers <tails@boum.org>  Tue, 20 Sep 2016 04:16:33 +0200

tails (2.5) unstable; urgency=medium

  * Major new features and changes
    - Upgrade Icedove to 1:45.1.0-1~deb8u1+tails2. (Closes: #11530)
      · Fix long delay causing bad UX in the autoconfig wizard,
        when it does not manage to guess proper settings on some domains.
        (Closes: #11486)
      · Better support sending email through some ISPs, such as Riseup.
        (Closes: #10933)
      · Fix spurious error message when creating an account and providing
        its password. (Closes: #11550)

  * Security fixes
    - Upgrade Tor Browser to 6.0.3 based on Firefox 45.3. (Closes: #11611)
    - Upgrade GIMP to 2.8.14-1+deb8u1.
    - Upgrade libav to 6:11.7-1~deb8u1.
    - Upgrade expat to 2.1.0-6+deb8u3.
    - Upgrade libgd3 to 2.1.0-5+deb8u6.
    - Upgrade libmodule-build-perl to 0.421000-2+deb8u1.
    - Upgrade perl to 5.20.2-3+deb8u6.
    - Upgrade Pidgin to 2.11.0-0+deb8u1.
    - Upgrade LibreOffice to 1:4.3.3-2+deb8u5.
    - Upgrade libxslt1.1 to 1.1.28-2+deb8u1.
    - Upgrade Linux to 3.16.7-ckt25-2+deb8u3.
    - Upgrade OpenSSH to 1:6.7p1-5+deb8u3.
    - Upgrade p7zip to 9.20.1~dfsg.1-4.1+deb8u2.

  * Minor improvements
    - htpdate: replace obsolete and unreliable URIs in HTP pools, and decrease
      timeout for HTTP operations for more robust time synchronization.
      (Closes: #11577)
    - Hide settings panel for the Online Accounts component of GNOME,
      that we don't support. (Closes: #11545)
    - Vastly improve graphics performance in KVM guest with QXL driver.
      (Closes: #11500)
    - Fix graphics artifacts in Tor Browser in KVM guest with QXL driver.
      (Closes: #11489)

  * Build system
    - Wrap Pidgin in a more maintainable way. (Closes: #11567)

  * Test suite
    - Add a test scenario for the persistence "dotfiles" feature.
      (Closes: #10840)
    - Improve robustness of most APT, Git, SFTP and SSH scenarios,
      enough to enable them on Jenkins. (Closes: #10444, #10496, #10498)
    - Improve robustness of checking for persistence partition. (Closes: #11558)
    - Treat Tails booting from /dev/sda as OK, to support all cases
      including a weird one caused by hybrid ISO images. (Closes: #10504)
    - Bump a bunch of timeouts to cope with the occasional slowness on Jenkins.
    - Only query A records when exercising DNS lookups, to improve robustness.

 -- Tails developers <tails@boum.org>  Sun, 31 Jul 2016 16:50:35 +0000

tails (2.4) unstable; urgency=medium

  * Major new features and changes
    - Upgrade Tor Browser to 6.0.1 based on Firefox 45.2. (Closes:
      #11403, #11513).
    - Enable Icedove's automatic configuration wizard. We patch the
      wizard to only use secure protocols when probing, and only
      accept secure protocols, while keeping the improvements done by
      TorBirdy in its own non-automatic configuration wizard. (Closes:
      #6158, #11204)

  * Security fixes
    - Upgrade bsdtar and libarchive13 to 3.1.2-11+deb8u1.
    - Upgrade icedove to 38.8.0-1~deb8u1+tails3.
    - Upgrade imagemagick to 8:6.8.9.9-5+deb8u3.
    - Upgrade libexpat1 to 2.1.0-6+deb8u2.
    - Upgrade libgd3 to 2.1.0-5+deb8u3.
    - Upgrade gdk-pixbuf-based packages to 2.31.1-2+deb8u5.
    - Upgrade libidn11 to 1.29-1+deb8u1.
    - Upgrade libndp0 to 1.4-2+deb8u1.
    - Upgrade poppler-based packages to 0.26.5-2+deb8u1.
    - Upgrade librsvg2-2 to 2.40.5-1+deb8u2.
    - Upgrade libsmbclient to 2:4.2.10+dfsg-0+deb8u3.
    - Upgrade OpenSSL to 1.0.1k-3+deb8u5.
    - Upgrade libtasn1-6 to 4.2-3+deb8u2.
    - Upgrade libxml2 to 2.9.1+dfsg1-5+deb8u2.
    - Upgrade openjdk-7-jre to 7u101-2.6.6-1~deb8u1.

  * Bugfixes
    - Enable Packetization Layer Path MTU Discovery for IPv4. If any
      system on the path to the remote host has a MTU smaller than the
      standard Ethernet one, then Tails will receive an ICMP packet
      asking it to send smaller packets. Our firewall will drop such
      ICMP packets to the floor, and then the TCP connection won't
      work properly. This can happen to any TCP connection, but so far
      it's been reported as breaking obfs4 for actual users. Thanks to
      Yawning for the help! (Closes: #9268)
    - Make Tails Upgrader ship other locales than English. (Closes:
      #10221)
    - Make it possible to add local USB printers again. Bugfix on
      Tails 2.0. (Closes: #10965).

  * Minor improvements
    - Remove custom SSH ciphers and MACs settings. (Closes: #7315)
    - Bring back "minimize" and "maximize" buttons in titlebars by
      default. (Closes: #11270)
    - Icedove improvements:
      * Stop patching in our default into Torbirdy. We've upstreamed
        some parts, and the rest we set with pref branch overrides in
        /etc/xul-ext/torbirdy.js. (Closes: #10905)
      * Use hkps keyserver in Enigmail. (Closes: #10906)
      * Default to POP if persistence is enabled, IMAP if
        not. (Closes: #10574)
      * Disable remote email account creation in Icedove. (Closes:
        #10464)
    - Firewall hardening (Closes: #11391):
      * Don't accept RELATED packets. This enables quite a lot of code
        in the kernel that we don't need. Let's reduce the attack
        surface a bit.
      * Restrict debian-tor user to NEW TCP syn packets. It doesn't
        need to do more, so let's do a little bit of security in
        depth.
      * Disable netfilter's nf_conntrack_helper.
      * Fix disabling of automatic conntrack helper assignment.
    - Kernel hardening:
      * Set various kernel boot options: slab_nomerge slub_debug=FZ
        mce=0 vsyscall=none. (Closes: #11143)
      * Remove the kernel .map files. These are only useful for kernel
        debugging and slightly make things easier for malware, perhaps
        and otherwise just occupy disk space. Also stop exposing
        kernel memory addresses through /proc etc. (Closes: #10951)
    - Drop zenity hacks to "focus" the negative answer. Jessie's
      zenity introduced the --default-cancel option, finally!
      (Closes: #11229)
    - Drop useless APT pinning for Linux.
    - Remove gnome-tweak-tool. (Closes: #11237)
    - Install python-dogtail, to enable accessibility technologies in
      our automated test suite (see below). (Part of: #10721)
    - Install libdrm and mesa from jessie-backports. (Closes: #11303)
    - Remove hledger. (Closes: #11346)
    - Don't pre-configure the #tails chan on the default OFTC account.
      (Part of: #11306)
    - Install onioncircuits from jessie-backports. (Closes: #11443)
    - Remove nmh. (Closes: #10477)
    - Drop Debian experimental APT source: we don't use it.
    - Use APT codenames (e.g. "stretch") instead of suites, to be
      compatible with our tagged APT snapshots.
    - Drop module-assistant hook and its cleanup. We've not been using
      it since 2010.
    - Remove 'Reboot' and 'Power Off' entries from Applications →
      System Tools. (Closes: #11075)
    - Pin our custom APT repo to the same level as Debian ones, and
      explicitly pin higher the packages we want to pull from our custom
      APT repo, when needed.
    - config/chroot_local-hooks/59-libdvd-pkg: verify libdvdcss
      package installation. (Closes: #11420)
    - Make Tails Upgrader use our new mirror pool design. (Closes:
      #11123)
    - Drop custom OpenSSH client ciphers and MACs settings. We did a
      pretty bad job at maintaining them compared to the Debian
      upstream. (Closes: #7315)
    - Install jessie-backports version of all binary packages built
      from src:hplip. This adds support for quite a few new
      printers.
    - Install printer-driver-postscript-hp, which adds support for
      some more printers.

  * Build system
    - Use a freezable APT repo when building Tails. This is a first
      step towards reproducible builds, and improves our QA and
      development processes by making our builds more predictable. For
      details, see: https://tails.boum.org/contribute/APT_repository/
    - There has been a massive amount of improvements to the
      Vagrant-based build system, and now it could be considered the
      de-facto build system for Tails! Improvements and fixes include:
      * Migrate Vagrant to use libvirt/KVM instead of
        Virtualbox. (Closes: #6354)
      * Make apt-get stuff non-interactive while provisioning.
        Otherwise, since there is no interaction, that will result in
        errors.
      * Bump disk space (=> RAM for RAM builds) needed to build with
        Vagrant. Since the Jessie migration it seems impossible to
        keep this low enough to fit in 8 GiB of RAM. For this reason
        we also drop the space optimization where we build inside a
        crazy aufs stack; now we just build in a tmpfs.
      * Clean up apt-cacher-ng cache on vm:provision to save disk
        space on the builder.
      * Add convenient Rake task for SSH:ing into the builder VM:
        `rake vm:ssh`.
      * Add rake task for generating a new Vagrant base box.
      * Automatically provision the VM on build to keep things up-to-date.
      * Don't enable extproxy unless explicitly given as an
        option. Previously it would automatically be enabled when
        `http_proxy` is set in the environment, unlike what is
        documented. This will hopefully lead to fewer surprises for users
        who e.g. point http_proxy to a torified polipo, or similar.
      * Re-fetch tags when running build-tails with Vagrant. That
        should fix an annoyance related to #7182 that I frequently
        encounter: when I, as the RM, rebuild the release image the
        second time from the force-updated tag, the build system would
        not have the force-updated tag. (Closes: #7182)
      * Make sure we use the intended locale in the Tails builder VM.
        Since we communicate via SSH, and e.g. Debian forwards the
        locale env vars by default, we have to take some steps
        ensuring we do not do that.
    - Pull monkeysphere from stretch to avoid failing to install under
      eatmydata. Patch submitted by Cyril Brulebois <cyril@debamax.com>.

  * Test suite
    - Add wrapper around dogtail (inside Tails) for "remote" usage in
      the automated test suite. This provides a simple interface for
      generating dogtail python code, sending it to the guest, and
      executing it, and should allow us to write more robust tests
      leveraging assistive technologies. (Closes: #10721)
    - A few previously sikuli-based tests have been migrated to use
      dogtail instead, e.g. GNOME Applications menu interaction.
    - Add a test for re-configuring an existing persistent volume.
      This is a regression test for #10809. (Closes: #10834)
    - Use a simulated Tor network provided by Chutney in the automated
      test suite. The main motivation here is improved robustness --
      since the "Tor network" we now use will exit from the host
      running the automated test suite, we won't have to deal with Tor
      network blocking, or unreliable circuits. Performance should
      also be improved. (Closes: #9521)
    - Drop the usage of Tor Check in our tests. It doesn't make sense
      now when we use Chutney since that always means it will report
      that Tor is not being used.
    - Stop testing obsolete pluggable transports.
    - Completely rewrite the firewall leak detector to something more
      flexible and expressive.
    - Run tcpdump with --immediate-mode for the network sniffer. With
      this option, "packets are delivered to tcpdump as soon as they
      arrive, rather than being buffered for efficiency" which is
      required to make the sniffing work reliably the way we use it.
    - Remove most scenarios testing "tordate". It just isn't working
      well in Tails, so we shouldn't expect the tests to actually work
      all of the time. (Closes: #10440)
    - Close Pidgin before we inspect or persist its accounts.xml.
      I've seen a case when that file is _not_ saved (and thus, not
      persisted) if we shut down the system while Pidgin is still
      running. (Closes: #11413)
    - Close the GNOME Notification bar by pressing ESC, instead of
      opening the Applications menu. The Applications menu often
      covers other elements that we're looking for on the
      screen. (Closes: #11401)
    - Hide Florence keyboard window when it doesn't vanish by itself
      (Closes: #11398) and wait a bit less for Florence to disappear
      (Closes: #11464).

 -- Tails developers <tails@boum.org>  Mon, 06 Jun 2016 20:10:56 +0200

tails (2.3) unstable; urgency=medium

  * Security fixes
    - Upgrade Tor Browser to 5.5.5. (Fixes: #11362)
    - Upgrade icedove to 38.7.0-1~deb8u1
    - Upgrade git to 1:2.1.4-2.1+deb8u2
    - Upgrade libgd3 to 2.1.0-5+deb8u1
    - Upgrade pidgin-otr to 4.0.1-1+deb8u1
    - Upgrade srtp to 1.4.5~20130609~dfsg-1.1+deb8u1
    - Upgrade imagemagick to 8:6.8.9.9-5+deb8u1
    - Upgrade samba to 2:4.2.10+dfsg-0+deb8u2
    - Upgrade openssh to 1:6.7p1-5+deb8u2

  * Bugfixes
    - Refresh Tor Browser's AppArmor profile patch against the one from
      torbrowser-launcher 0.2.4-1. (Fixes: #11264)
    - Pull monkeysphere from stretch to avoid failing to install under
      eatmydata. (Fixes: #11170)
    - Start gpg-agent with no-grab option due to issues with pinentry and
      GNOME's top bar. (Fixes: #11038)
    - Tails Installer: Update error message to match new name of 'Clone
      & Install'. (Fixes: #11238)
    - Onion Circuits:
      * Cope with a missing geoipdb. (Fixes: #11203)
      * Make both panes of the window scrollable. (Fixes: #11192)
    - WhisperBack: Work around socks bug. When Tor fails to connect to
      the host, WhisperBack used to display a ValueError. This is caused by
      a socks bug that is solved in upstream's master but not in Tails.
      This commit works around this bug: unclear error message in WhisperBack
      when failing to connect to the server. (Fixes: #11136)

  * Minor improvements
    - Upgrade to Debian 8.4, a Debian point release with many minor upgrades
      and fixes to various packages. (Fixes: #11232)
    - Upgrade I2P to 0.9.25. (Fixes: #11363)
    - Pin pinentry-gtk2 to jessie-backports. The new version allows pasting
      passwords from the clipboard. (Fixes: #11239)
    - config/chroot_local-hooks/59-libdvd-pkg: cleanup /usr/src/libdvd-pkg.
      (Fixes: #11273)
    - Make the Tor Status "disconnected" icon more contrasted with the
      "connected" one. (Fixes: #11199)

  * Test suite
    - Add UTF-8 support to OTR Bot. (Fixes: #10866)
    - Don't explicitly depend on openjdk-7-jre or any JRE for that
      matter. Sikuli will pull in a suitable one, so depending on one
      ourselves only risks causing trouble. (Fixes: #11335)

 -- Tails developers <tails@boum.org>  Mon, 25 Apr 2016 14:12:22 +0200

tails (2.2.1) unstable; urgency=medium

  * Security fixes
    - Upgrade Tor Browser to 5.5.4. (Closes: #11254)
    - Upgrade bind9-related packages to 1:9.9.5.dfsg-9+deb8u6
    - Upgrade libotr to 4.1.0-2+deb8u1
    - Upgrade samba-related packages to 2:4.1.17+dfsg-2+deb8u2.
    - Upgrade libgraphite2 to 1.3.6-1~deb8u1.

 -- Tails developers <tails@boum.org>  Thu, 17 Mar 2016 15:03:52 +0100

tails (2.2) unstable; urgency=medium

  * Major new features and changes
    - Replace Vidalia (which has been unmaintained for years) with:
      (Closes: #6841)
      * the Tor Status GNOME Shell extension, which adds a System Status
        icon indicating whether Tor is ready or not.
      * Onion Circuits, a simple Tor circuit monitoring tool.

  * Security fixes
    - Upgrade Tor Browser to 5.5.3 (Closes: #11189).
    - Upgrade Linux to 3.16.7-ckt20-1+deb8u4.
    - Upgrade cpio to 2.11+dfsg-4.1+deb8u1.
    - Upgrade glibc to 2.19-18+deb8u3.
    - Upgrade libav to 6:11.6-1~deb8u1.
    - Upgrade libgraphite2 to 1.3.5-1~deb8u1.
    - Upgrade libjasper1 to 1.900.1-debian1-2.4+deb8u1.
    - Upgrade libreoffice to 4.3.3-2+deb8u3.
    - Upgrade libssh2 to 1.4.3-4.1+deb8u1.
    - Upgrade openssl to 1.0.1k-3+deb8u4.
    - Upgrade perl to 5.20.2-3+deb8u4.
    - Upgrade python-imaging, python-pil to 2.6.1-2 2.6.1-2+deb8u2.

  * Bugfixes
    - Hide "Laptop Mode Tools Configuration" menu entry. We don't
      support configuring l-m-t in Tails, and it doesn't work out of
      the box. (Closes: #11074)
    - WhisperBack:
      * Actually write a string when saving bug report to
        disk. (Closes: #11133)
      * Add missing argument to OpenPGP dialog so the optional OpenPGP
        key can be added again. (Closes: #11033)

  * Minor improvements
    - Upgrade I2P to 0.9.24-1~deb8u+1.
    - Add support for viewing DRM protected DVD videos using
      libdvdcss2. Patch series submitted by Austin English
      <austinenglish@gmail.com>. (Closes: #7674)
    - Automatically save KeePassX database after every change by default.
      (Closes: #11147)
    - Implement Tor stream isolation for WhisperBack
    - Delete unused tor-tsocks-mua.conf previously used by Claws
      Mail. (Closes: #10904)
    - Add set -u to all gettext:ized shell scripts. In gettext-base <
      1.8.2, like the one we had in Wheezy, gettext.sh references the
      environment variable ZSH_VERSION, which we do not set. This has
      prevented us from doing `set -u` without various hacks. (Closes:
      #9371)
    - Also set -e in some shell scripts which lacked it for no good
      reason.
    - Make Git verify the integrity of transferred objects. (Closes:
      #11107)
    - Remove LAlt+Shift and LShift+RShift keyboard layout toggling
      shortcuts. (Closes: #10913, #11042)

  * Test suite
    - Reorder the execution of features to decrease peak disk
      usage. (Closes: #10503)
    - Paste into the GTK file chooser, instead of typing. (Closes:
      #10775)
    - Pidgin: wait a bit for text to have stopped scrolling before we
      click on it. (Closes: #10783)
    - Fix step that runs commands in GNOME Terminal, that was broken
      on Jessie when a Terminal is running already. (Closes: #11176)
    - Let ruby-rjb guess JAVA_HOME instead of fixing on one jvm
      version. (Closes: #11190)
766

  * Build system
    - Upgrade build system to Debian Jessie. This includes migrating to a
      new Vagrant basebox based on Debian Jessie.
    - Rakefile: print git status when there are uncommitted
      changes. Patch submitted by Austin English
      <austinenglish@gmail.com>. (Closes: #11108)
    - .gitignore: add .rake_tasks~. Patch submitted by Austin English
      <austinenglish@gmail.com>. (Closes: #11134)
    - config/amnesia: use --show-field over sed filtering. Patch
      submitted by Chris Lamb <lamby@debian.org>.
    - Umount and clean up leftover temporary directories from old
      builds. (Closes: #10772)

 -- Tails developers <tails@boum.org>  Mon, 07 Mar 2016 18:09:50 +0100

tails (2.0.1) unstable; urgency=medium

  * Major new features and changes
    - Enable the Tor Browser's font fingerprinting protection
      (Closes: #11000). We do it for all browsers (including
      the Unsafe Browser and I2P Browser), mainly to avoid making our
      automated test suite overly complex. This implied setting an appropriate
      working directory when launching the Tor Browser, to accommodate
      the assumptions it makes about this.

  * Security fixes
    - Upgrade Tor Browser to 5.5.2 (Closes: #11105).

  * Bugfixes
    - Repair 32-bit UEFI support (Closes: #11007); bugfix on 2.0.
    - Add libgnome2-bin to installed packages list to provide gnome-open,
      which fixes URL handling at least in KeePassX, Electrum and Icedove
      (Closes: #11031); bugfix on 2.0. Thanks to segfault for the patch!

  * Minor improvements
    - Refactor and de-duplicate the chrooted browsers' configuration:
      prefs.js, userChrome.css (Closes: #9896).
    - Make the -profile Tor Launcher workaround simpler (Closes: #7943).
    - Move Torbutton environment configuration to the tor-browser script,
      instead of polluting the default system environment with it.
    - Refresh patch against the Tor Browser AppArmor profile
      (Closes: #11078).
    - Propagate Tor Launcher options via the wrapper.
    - Move tor-launcher script to /usr/local/bin.
    - Move tor-launcher-standalone to /usr/local/lib.
    - Move Tor Launcher env configuration closer to the place where it is used,
      for simplicity's sake.

  * Test suite
    - Mass update browser and Tor Launcher related images due to font change,
      caused by Tor Browser 5.5's font fingerprinting protection
      (Closes: #11097). And then, use separate PrintToFile.png for the browsers,
      and Evince, since it cannot be shared anymore.
    - Adjust to the refactored chrooted browsers configuration handling.
    - Test that Tor Launcher uses the correct Tor Browser libraries.
    - Allow more slack when verifying the date that was set.
    - Bump a bit the timeout used when waiting for the remote shell.
    - Bump timeout for the process to disappear, when closing Evince.
    - Bump timeout when saving persistence configuration.
    - Bump timeout for bootstrapping I2P.

  * Build system
    - Remove no longer relevant places.sqlite cleanup procedure.

 -- Tails developers <tails@boum.org>  Fri, 12 Feb 2016 13:00:15 +0000

tails (2.0) unstable; urgency=medium

  * Major new features and changes
    - Upgrade to Debian 8 (Jessie).
    - Migrate to GNOME Shell in Classic mode.
    - Use systemd as PID 1, and convert all custom initscripts to systemd units.
    - Remove the Windows camouflage feature: our call for help to port
      it to GNOME Shell (issued in January, 2015) was unsuccessful.
    - Remove Claws Mail: Icedove is now the default email client
      (Closes: #10167).
    - Upgrade Tor Browser to 5.5 (Closes: #10858, #10983).

  * Security fixes
    - Minimally sandbox many services with systemd's namespacing features.
    - Upgrade Linux to 3.16.7-ckt20-1+deb8u3.
    - Upgrade Git to 1:2.1.4-2.1+deb8u1.
    - Upgrade Perl to 5.20.2-3+deb8u3.
    - Upgrade bind9-related packages to 1:9.9.5.dfsg-9+deb8u5.
    - Upgrade FUSE to 2.9.3-15+deb8u2.
    - Upgrade isc-dhcp-client to 4.3.1-6+deb8u2.
    - Upgrade libpng12-0 to 1.2.50-2+deb8u2.
    - Upgrade OpenSSH client to 1:6.7p1-5+deb8u1.

  * Bugfixes
    - Restore the logo in the "About Tails" dialog.
    - Don't tell the user that "Tor is ready" before htpdate is done
      (Closes: #7721).
    - Upgrader wrapper: make the check for free memory more accurate
      (Closes: #10540, #8263).
    - Allow the desktop user, when active, to configure printers;
      fixes regression introduced in Tails 1.1 (Closes: #8443).
    - Close Vidalia before we restart Tor. Otherwise Vidalia will be running
      and showing errors while we make sure that Tor bootstraps, which could
      take a while.
    - Allow Totem to read DVDs, by installing apparmor-profiles-extra
      from jessie-backports (Closes: #9990).
    - Make memory erasure on shutdown more robust (Closes: #9707, #10487):
      · don't forcefully overcommit memory
      · don't kill the allocating task
      · make sure the kernel doesn't starve from memory
      · make parallel sdmem handling faster and more robust
    - Don't offer the option, in Tor Browser, to open a downloaded file with
      an external application (Closes: #9285). Our AppArmor confinement was
      blocking most such actions anyway, resulting in poor UX; bugfix on 1.3.
      Accordingly, remove the now-obsolete exception we had in the Tor
      Browser AppArmor profile, that allowed executing seahorse-tool.
    - Fix performance issue in Tails Upgrader, that made it very slow to apply
      an automatic upgrade; bugfix on 1.7 (Closes: #10757).
    - Use our wrapper script to start Icedove from the GNOME menus.
    - Make it possible to localize our Icedove wrapper script.
    - List Icedove persistence option in the same position where Claws Mail
      used to be, in the persistent volume assistant (Closes: #10832).
    - Fix Electrum by installing the version from Debian Testing
      (Closes: #10754). We need version >=2.5.4-2, see #9713;
      bugfix on 2.0~beta1. And, explicitly install python-qt4 to enable
      Electrum's GUI: it's a Recommends, and we're not pulling it ourselves
      via other means anymore.
    - Restore default file associations (Closes: #10798);
      bugfix on 2.0~beta1.
    - Update 'nopersistent' boot parameter to 'nopersistence'; bugfix on 0.12
      (Closes: #10831). Thanks to live-media=removable, this had no security
      impact in practice.
    - Repair dotfiles persistence feature, by adding a symlink from
      /lib/live/mount/persistence to /live/persistence; bugfix on 2.0~beta1
      (Closes: #10784).
    - Fix ability to re-configure an existing persistent volume using
      the GUI; bugfix on 2.0~beta1 (Closes: #10809).
    - Associate armored OpenPGP public keys named *.key with Seahorse,
      to workaround https://bugs.freedesktop.org/show_bug.cgi?id=93656;
      bugfix on 1.1 (Closes: #10889).
    - Update the list of enabled GNOME Shell extensions, which might fix
      the "GNOME Shell sometimes leaves Classic mode" bug seen in 2.0~beta1:
      · Remove obsolete "Alternative Status Menu", that is not shipped
        in Debian anymore.
      · Explicitly enable the GNOME Shell extensions that build
        the Classic mode.
    - Make _get_tg_setting() compatible with set -u (Closes: #10785).
    - laptop-mode-tools: don't control autosuspend. Some USB input
      devices don't support autosuspend. This change might help fix
      #10850, but even if it doesn't, it makes sense to me that we
      don't let laptop-mode-tools fiddle with this on a Live system
      (Closes (for now): #10850).

  * Minor improvements
    - Remove obsolete code from various places.
    - Tails Greeter:
      · hide all windows while logging in
      · resize and re-position the panel when the screen size grows
      · PostLogin: log into the Journal instead of a dedicated log file
      · use localectl to set the system locale and keyboard mapping
      · delete the Live user's password if no administration password is set
        (Closes: #5589)
      · port to GDBus greeter interface, and adjust to other GDM
        and GNOME changes
    - Tails Installer:
      · port to UDisks2, and from Qt4 to GTK3
      · adapt to work on other GNU/Linux operating systems than Tails
      · clean up enough upstream code and packaging bits to make it
        deserve being uploaded to Debian
      · rename everything from liveusb-creator to tails-installer
    - Port tails-perl5lib to GTK3 and UDisks2. In passing, do some minor
      refactoring and a GUI improvement.
    - Persistent Volume Assistant:
      · port to GTK3 and UDisks2
      · handle errors when deleting persistent volume (Closes: #8435)
      · remove obsolete workarounds
    - Don't install UDisks v1.
    - Adapt custom udev and polkit rules to UDisks v2 (Closes: #9054, #9270).
    - Adjust import-translations' post-import step for Tails Installer,
      to match how its i18n system works nowadays.
    - Use socket activation for CUPS, to save some boot time.
    - Set memlockd.service's OOMScoreAdjust to -1000.
    - Don't bother creating /var/lib/live in tails-detect-virtualization.
      If it does not exist at this point, we have bigger and more
      noticeable problems.
    - Simplify the virtualization detection & reporting system, and do it
      as a non-root user with systemd-detect-virt rather than virt-what.
    - Replace rsyslog with the systemd Journal (Closes: #8320), and adjust
      WhisperBack's logs handling accordingly.
    - Drop tails-save-im-environment.
      It's not been used since we stopped automatically starting the web browser.
    - Add a hook that aborts the build if any *.orig file is found. Such files
      appear mainly when a patch of ours is fuzzy. In most cases they are no big
      deal, but in some cases they end up being taken into account
      and break things.
    - Replace the tor+http shim with apt-transport-tor (Closes: #8198).
    - Install gnome-tweak-tool.
    - Don't bother testing if we're using dependency based boot.
    - Drop workaround to start spice-vdagent in GDM (Closes: #8025).
      This has been fixed in Jessie proper.
    - Don't install ipheth-utils anymore. It seems to be obsolete
      in current desktop environments.
    - Stop installing the buggy unrar-free, superseded in Jessie (Closes: #5838)
    - Drop all custom fontconfig configuration, and configure fonts rendering
      via dconf.
    - Drop zenity patch (zenity-fix-whitespacing-box-sizes.diff),
      that was applied upstream.
    - Install libnet-dbus-perl (currently 1.1.0) from jessie-backports,
      it brings new features we need.
    - Have the security check and the upgrader wait for Tor having bootstrapped
      with systemd unit ordering.
    - Get rid of tails-security-check's wrapper.
      Its only purpose was to wait for Tor to have bootstrapped,
      which is now done via systemd.
    - Don't allow the amnesia and tails-upgrade-frontend users to run
      tor-has-bootstrapped as root with sudo. They don't need it anymore,
      thanks to using systemd for starting relevant units only once Tor
      has bootstrapped.
    - Install python-nautilus, that enables MAT's context menu item in Nautilus.
      (Closes: #9151).
    - Configure GDM with a snippet file instead of patching its
      greeter.dconf-defaults.
    - WhisperBack:
      · port to Python 3 and GObject Introspection (Closes: #7755)
      · migrate from the gnutls module to the ssl one
      · use PGP/MIME for better attachments handling
      · migrate from the gnupginterface module to the gnupg one
      · natively support SOCKS ⇒ don't wrap with torsocks anymore
        (Closes: #9412)
      · don't try to include the obsolete .xsession-errors in bug reports
        (Closes: #9966)
    - chroot-browser.sh: don't use static DISPLAY.
    - Simplify debugging:
      · don't hide the emergency shutdown's stdout
      · tails-unblock-network: trace commands so that they end up in the Journal
    - Configure the console codeset at ISO build time, instead of setting it
      to a constant via the Greeter's PostLogin.default.
    - Order the AppArmor policy compiling in a way that is less of a blocker
      during boot.
    - Include the major KMS modules in the initramfs. This helps seamless
      transition to X.Org when booting, and back to text mode on shutdown,
      can help for proper graphics hardware reinitialization post-kexec,
      and should improve GNOME Shell support in some virtual machines.
    - Always show the Universal Access menu icon in the GNOME panel.
    - Drop notification for not-migrated-yet persistence configuration,
      and persistence settings disabled due to wrong access rights.
      That migration happened more than two years ago.
    - Remove the restricted network detector, that has been broken for too long;