Commit 09932780 authored by intrigeri

Merge remote-tracking branch 'origin/master' into feature/12356+reproducible_blog_post

parents 0dce2403 37980b83
......@@ -81,8 +81,11 @@ chmod -R go+rX config/chroot_apt
chmod -R go+rX config/chroot_sources
# normalize file timestamps
find config/binary_local-includes config/chroot_local-includes \
-exec touch --date="@$SOURCE_DATE_EPOCH" '{}' \;
find \
config/binary_local-includes \
config/chroot_local-includes \
wiki/src \
-exec touch --date="@$SOURCE_DATE_EPOCH" '{}' \;
# build the image
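Review bot: The new `find … -exec touch` over `config/binary_local-includes`, `config/chroot_local-includes` and `wiki/src` follows symbolic links, because GNU touch dereferences them by default. For any symlink in those trees the link's own mtime stays unnormalized, and touch instead changes (or, for a dangling link, tries to create) the target, which may lie outside the source tree. `-exec touch --no-dereference --date="@$SOURCE_DATE_EPOCH" '{}' +` would stamp the links themselves and also batch the calls. The surrounding script starts and ends outside the hunk.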
......
......@@ -59,8 +59,9 @@ if [ "${TAILS_MERGE_BASE_BRANCH:-}" = 1 ] && \
echo "Merging base branch origin/${GIT_BASE_BRANCH}"
echo "(at commit ${GIT_BASE_BRANCH_COMMIT})..."
git merge --no-edit "origin/${GIT_BASE_BRANCH}" \
|| fatal "Failed to merge base branch."
faketime -f "${SOURCE_DATE_FAKETIME}" \
git merge --no-edit "origin/${GIT_BASE_BRANCH}" \
|| fatal "Failed to merge base branch."
git submodule update --init
# Adjust BUILD_BASENAME to embed the base branch name and its top commit
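Review bot: `SOURCE_DATE_FAKETIME` is expanded in the new `faketime -f` call without any check that it is set, and this hunk does not show where the script obtains it. An unset or empty value would at best surface as the misleading "Failed to merge base branch." message, since that is the only error path on this command. A guard just before the merge, `: "${SOURCE_DATE_FAKETIME:?must be set before merging}"`, would make the real cause explicit. The enclosing `if` block starts before the hunk.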
......
......@@ -25,4 +25,13 @@ if ! "${git_dir}/bin/sanity-check-website" ; then
fi
fi
ikiwiki -setup ikiwiki.setup -refresh "$@"
# If I knew Ikiwiki better I'd probably figure out how to just make it
# keep the misc/*.html files as-is instead of this hack.
fixup_14962_workaround() {
mkdir -p config/chroot_local-includes/usr/share/doc/tails/website/misc
rm -f config/chroot_local-includes/usr/share/doc/tails/website/misc/*
cp wiki/src/misc/*.html \
config/chroot_local-includes/usr/share/doc/tails/website/misc
}
ikiwiki -setup ikiwiki.setup -refresh "$@" && fixup_14962_workaround
......@@ -12,11 +12,12 @@
export SOURCE_DATE_EPOCH="$(date --utc --date="$(dpkg-parsechangelog --show-field=Date)" +%s)"
export SOURCE_DATE_YYYYMMDD="$(date --utc --date="$(dpkg-parsechangelog --show-field=Date)" +%Y%m%d)"
export SOURCE_DATE_FAKETIME="$(date --utc --date="$(dpkg-parsechangelog --show-field=Date)" '+%Y-%m-%d %H:%M:%S')"
# Base for the string that will be passed to "lb config --bootappend-live"
# FIXME: see [[bugs/sdmem_on_eject_broken_for_CD]] for explanation why we
# need to set block.events_dfl_poll_msecs
AMNESIA_APPEND="live-media=removable apparmor=1 security=apparmor nopersistence noprompt timezone=Etc/UTC block.events_dfl_poll_msecs=1000 splash noautologin module=Tails slab_nomerge slub_debug=FZP mce=0 vsyscall=none page_poison=1 union=aufs"
AMNESIA_APPEND="live-media=removable nopersistence noprompt timezone=Etc/UTC block.events_dfl_poll_msecs=1000 splash noautologin module=Tails slab_nomerge slub_debug=FZP mce=0 vsyscall=none page_poison=1 union=aufs"
# Options passed to isohybrid
AMNESIA_ISOHYBRID_OPTS="-h 255 -s 63 --id 42 --verbose"
......@@ -25,7 +26,7 @@ AMNESIA_ISOHYBRID_OPTS="-h 255 -s 63 --id 42 --verbose"
REQUIRED_SYSLINUX_UTILS_UPSTREAM_VERSION="6.03~pre20"
# Kernel version
KERNEL_VERSION='4.12.0-2'
KERNEL_VERSION='4.13.0-1'
KERNEL_SOURCE_VERSION=$(
echo "$KERNEL_VERSION" \
| perl -p -E 's{\A (\d+ [.] \d+) [.] .*}{$1}xms'
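Review bot: In the first hunk of this file, one of the two `AMNESIA_APPEND` lines lacks `apparmor=1 security=apparmor`, and the page does not mark which of them is the new side. If the new value is the one without them, AppArmor is no longer requested on the kernel command line and confinement depends on the kernel's built-in default, which nothing visible here states or checks. A comment next to the assignment, for example `# AppArmor is not requested here: we rely on the kernel enabling it by default`, would record that dependency. A boot-time or test-suite check that AppArmor is actually enabled would keep a later kernel change from silently dropping confinement.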
......
......@@ -36,5 +36,6 @@ mkdir -p binary/EFI/BOOT
cp chroot/usr/lib/SYSLINUX.EFI/efi64/syslinux.efi binary/EFI/BOOT/BOOTX64.EFI
cp chroot/usr/share/tails/bootx64.png binary/EFI/BOOT/BOOTX64.PNG
cp "$SYSLINUX_PATH"/* binary/EFI/BOOT/
mv binary/EFI/BOOT/isolinux.cfg binary/EFI/BOOT/syslinux.cfg
cp -f chroot/usr/lib/syslinux/modules/efi64/* binary/EFI/BOOT/
sed -r -i -e 's,^(menu background splash\.png)$,\#\1,' binary/EFI/BOOT/stdmenu.cfg
......@@ -27,6 +27,11 @@ Package: firmware-zd1211
Pin: release o=Debian,n=sid
Pin-Priority: 999
Explanation: src:gdk-pixbuf
Package: gir1.2-gdkpixbuf-2.0 libgdk-pixbuf2.0-*
Pin: version 2.36.5-2.0tails*
Pin-Priority: -1
Package: linux-compiler-* linux-headers-* linux-image-* linux-kbuild-* linux-source-*
Pin: release o=Debian,n=sid
Pin-Priority: 999
......
......@@ -28,6 +28,25 @@ dkms install \
# clean the build directory
# rm -r /var/lib/dkms/virtualbox-guest/
# Ensure the modules were actually built and installed: when
# dkms.conf for a DKMS module includes a BUILD_EXCLUSIVE directive
# which does not match our kernel version, the modules won't be built
# and then we should abort the build.
for modules_dir in /lib/modules/*/kernel/fs/aufs ; do
if [ ! -f "${modules_dir}/aufs.ko" ]; then
echo "Can not find aufs.ko module in '${modules_dir}" >&2
exit 1
fi
done
for module in vboxguest vboxsf vboxvideo ; do
for modules_dir in /lib/modules/*/updates ; do
if [ ! -f "${modules_dir}/${module}.ko" ]; then
echo "Can not find ${module} module in '${modules_dir}" >&2
exit 1
fi
done
done
# virtualbox-guest-dkms's postrm script deletes any previously
# built binary module; let's delete it before the package gets purged.
rm /var/lib/dpkg/info/aufs-dkms.prerm
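Review bot: The first new loop iterates over `/lib/modules/*/kernel/fs/aufs`, so a kernel for which that directory was never created is not visited at all, and the check passes as long as some other kernel has `aufs.ko`. Iterating over the kernel directories and testing the full path, as in `for kernel_dir in /lib/modules/*/ ; do [ -f "${kernel_dir}kernel/fs/aufs/aufs.ko" ] || { echo "…" >&2; exit 1; }; done`, would fail the build for every installed kernel that lacks the module, which is what the comment promises. The second loop's `/lib/modules/*/updates` glob has the same shape. Both `echo` messages also open a single quote before `${modules_dir}` and never close it. The script starts and ends outside the hunk.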
......
[Desktop Entry]
Name=systemd GNOME EarlyInitialization target
GenericName=Start the GNOME EarlyInitialization target in the systemd user session
Version=1.0
Exec=/bin/systemctl --user start gnome-early-initialization.target
Terminal=false
Type=Application
Categories=
X-GNOME-Autostart-Phase=EarlyInitialization
[Unit]
Description=Bits of GNOME EarlyInitialization managed by systemd
Requires=default.target
After=default.target
AllowIsolate=yes
......@@ -8,4 +8,4 @@ ExecStart=/usr/local/lib/tails-configure-keyboard
RemainAfterExit=yes
[Install]
WantedBy=desktop.target
WantedBy=gnome-early-initialization.target
#! /bin/sh
if [ $# -ge 1 ]; then
PAGE="$1"
else
PAGE='index'
fi
WIKI_ROOT='/usr/share/doc/tails/website'
LANG_CODE="`echo ${LANG} | head -c 2`"
if [ -r "${WIKI_ROOT}/${PAGE}.${LANG_CODE}.html" ]; then
FILE="${PAGE}.${LANG_CODE}.html"
elif [ -r "${WIKI_ROOT}/${PAGE}.en.html" ]; then
FILE="${PAGE}.en.html"
else
FILE="${PAGE}.html"
fi
if [ -n "${2}" ]; then
FILE="${FILE}#${2}"
fi
export TOR_BROWSER_SKIP_OFFLINE_WARNING=yes
exec /usr/local/bin/tor-browser "file://${WIKI_ROOT}/${FILE}"
#!/usr/bin/env python3
import gettext
import gi
import locale
import os
import os.path
import sys
import tailsgreeter.gui
gi.require_version('Gdk', '3.0')
from gi.repository import Gdk # NOQA: E402
gi.require_version('Gtk', '3.0')
from gi.repository import Gtk # NOQA: E402
gi.require_version('WebKit2', '4.0')
from gi.repository import WebKit2 # NOQA: E402
# We'll only use a single translation, "Tails documentation", which
# already is translated for the launcher. For this reason, this script
# is not managed by `refresh-translations`.
gettext.textdomain('tails')
# The browser from the Greeter is good as-is, but a button for
# navigating backwards in the history would be nice.
class DocumentationWindow(tailsgreeter.gui.GreeterHelpWindow):
def _build_ui(self):
super()._build_ui()
# The super class' headerbar is not exposed as an instance
# variable, but we need it!
headerbar = next(child for child in self.get_children() \
if isinstance(child, Gtk.HeaderBar))
back_button = Gtk.Button.new_from_icon_name('back', Gtk.IconSize.BUTTON)
back_button.connect("clicked", lambda x: self.webview.go_back())
headerbar.pack_start(back_button)
back_button.show()
self.webview.connect(
"load-changed",
lambda webview, e: back_button.set_visible(webview.can_go_back())
)
self.find_entry = Gtk.Entry()
self.find_entry.set_icon_from_icon_name(Gtk.EntryIconPosition.PRIMARY,
"search")
self.find_entry.connect("activate", self.find_forward)
self.find_entry.connect("changed", self.find_forward)
self.find_entry.connect("key-press-event", self.cb_find_entry_key_press)
headerbar.pack_end(self.find_entry)
self.find_entry.show()
accelgroup = Gtk.AccelGroup.new()
self.add_accel_group(accelgroup)
accelgroup.connect(Gdk.KEY_f, Gdk.ModifierType.CONTROL_MASK, 0,
lambda *args: self.find_entry.grab_focus())
def cb_load_started(self, webview, ressource, request):
super().cb_load_started(webview, ressource, request)
if not request.get_uri().startswith("file://"):
# An external link was clicked, let's abort following it
# in our WebKit browser; any configured external protocol
# handler will still open the link's uri.
webview.stop_loading()
def find_forward(self, entry, user_data=None):
find_controller = self.webview.get_find_controller()
find_options = WebKit2.FindOptions.CASE_INSENSITIVE | \
WebKit2.FindOptions.WRAP_AROUND
find_controller.search(self.find_entry.get_text(), find_options, 32)
def find_previous(self):
find_controller = self.webview.get_find_controller()
find_controller.search_previous()
def find_finish(self):
find_controller = self.webview.get_find_controller()
find_controller.search_finish()
self.find_entry.set_text('')
self.webview.grab_focus()
def cb_find_entry_key_press(self, entry, event, user_data=None):
if event.keyval == Gdk.KEY_Return and event.state & Gdk.ModifierType.SHIFT_MASK:
self.find_previous()
if event.keyval == Gdk.KEY_Escape:
self.find_finish()
# Main
try:
page = sys.argv[1]
except IndexError:
page = 'getting_started'
wiki_path = '/usr/share/doc/tails/website'
lang_code = os.getenv('LANG', 'en')[0:2]
trials = [
os.path.join(wiki_path, page + code + ".html")
for code in ['.' + lang_code, '.en', '']
]
try:
uri = 'file://' + next(trial for trial in trials if os.path.isfile(trial))
except StopIteration:
sys.exit('error: could not find the requested documentation page')
if '..' in uri.split(os.sep):
sys.exit('error: cannot escape from {}'.format(wiki_path))
helpwindow = DocumentationWindow(uri)
helpwindow.connect("delete-event", Gtk.main_quit)
helpwindow.window.set_title(gettext.gettext('Tails documentation'))
helpwindow.show()
Gtk.main()
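Review bot: The page name taken from the first argument is not reliably confined to `/usr/share/doc/tails/website` in either launcher listing above, and this page does not mark which of the two is the new side. In the Python version the `'..' in uri.split(os.sep)` test only looks for a literal `..` component, while `os.path.join` discards `wiki_path` entirely when `page` is absolute, so the "cannot escape" message does not hold for that input. Testing `os.path.realpath(trial).startswith(wiki_path + os.sep)` before building `uri` would cover absolute paths, `..` and symlinks in one check. The shell version has no confinement check at all and would need an equivalent guard, e.g. `case "$PAGE" in /*|*..*) exit 1 ;; esac`, before its `-r` tests.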
......@@ -39,6 +39,7 @@ start_thunderbird() {
# be stored forever there (#13340).
rm -rf "${TMPDIR}"/*
export GNOME_ACCESSIBILITY=1
unset SESSION_MANAGER
configure_default_incoming_protocol
......
......@@ -30,3 +30,7 @@ if persistence_is_enabled_for "${HOME}/Persistent" ; then
"Tor Browser (persistent)"
fi
fi
for launcher in Report_an_error tails-documentation ; do
gio set "${HOME}/Desktop/${launcher}.desktop" metadata::trusted yes
done
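Review bot: The new loop sets `metadata::trusted yes` on two launchers with no comment saying why, and that flag is what lets the desktop run a `.desktop` file's `Exec=` line without the untrusted-launcher prompt. A comment such as `# These launchers are shipped by us; mark them trusted so the desktop runs them without asking` would record the intent. The hunk does not show where `${HOME}/Desktop/${launcher}.desktop` comes from, so it is worth confirming that both files are created by this script or the image before this point and are not left over from earlier user-writable state. The return status of `gio set` is also not checked. The enclosing script starts outside the hunk.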
......@@ -25,6 +25,7 @@ exec_firefox_helper() {
export LD_LIBRARY_PATH="${TBB_INSTALL}"
export FONTCONFIG_PATH="${TBB_INSTALL}/TorBrowser/Data/fontconfig"
export FONTCONFIG_FILE="fonts.conf"
export GNOME_ACCESSIBILITY=1
# The Tor Browser often assumes that the current directory is
# where the browser lives, e.g. for the fixed set of fonts set by
......
http://torbrowser-archive.tails.boum.org/7.0.6-build3/
http://torbrowser-archive.tails.boum.org/7.0.10-build2/
36cd9715021cf6f9dd4915fa898cd15bdf896861ab1012496bfa51c9563b434d tor-browser-linux64-7.0.6_ar.tar.xz
9aded063cb4ad4338098ee0a6fb2ca45d7fe9a0ce541d6bc4c78f2a904fc2faa tor-browser-linux64-7.0.6_de.tar.xz
d5e0b7803902d08868bae59de3f939d390c513cc944c9aa28be8dc730ac8e387 tor-browser-linux64-7.0.6_en-US.tar.xz
46628403f482d2d396bfc8095ed6accd7824efb031a1477a66e0ce111729e3a4 tor-browser-linux64-7.0.6_es-ES.tar.xz
5d0162d7865acc1ce132dabb6cb02d6ebe2ab76dda7512fc48e640f51419378b tor-browser-linux64-7.0.6_fa.tar.xz
b5eb9997472872150edb54edebdf0e79c009d58651bff2bd7db0607c5c0b35d2 tor-browser-linux64-7.0.6_fr.tar.xz
c996d62702479a4d5eed905125303bf9fe4ce4e9f73265932dee73ea5bfa1598 tor-browser-linux64-7.0.6_it.tar.xz
fda12b98b4415e916063c9c12174e7871e7b475be8498b5b092a13358c4b7fd6 tor-browser-linux64-7.0.6_ja.tar.xz
d63231e045fa775ed3335801aecbed230adb3a2c738f73483802c82510f4455f tor-browser-linux64-7.0.6_ko.tar.xz
8728852e82e5da1795cee97eea5357956798ec3db5c19c5bc775aa05127ce8da tor-browser-linux64-7.0.6_nl.tar.xz
b5788645e2e8b0712d5ad13c2beab75002142a0d880a0673978605d9d9db842f tor-browser-linux64-7.0.6_pl.tar.xz
49fc1a3fd865ee33eb5be42b7d3488d69ab388245992379f9e7ec6aabcfa4179 tor-browser-linux64-7.0.6_pt-BR.tar.xz
651a5fed10f9c865af42ca470a28dd74e938b89d0ee883064e08e521fd3d62d4 tor-browser-linux64-7.0.6_ru.tar.xz
90c91b69ce381a7ea11033d16cc27a5573a4b35d7fd86c6cd298b22b4311fad8 tor-browser-linux64-7.0.6_tr.tar.xz
100fee5cc8421add7473b65645c991a23e0fe82437fbae63b62f96fe663cec95 tor-browser-linux64-7.0.6_vi.tar.xz
f5f4accd6a13022ada33d28b9aa17aac2081895c4774a8f5454cc49a90c2aaa6 tor-browser-linux64-7.0.6_zh-CN.tar.xz
8d385a202d88ebbdc2e9ee3a6251f2d02fa60c3ac197e0f558da90338d66774a tor-browser-linux64-7.0.10_ar.tar.xz
35a55237d0e74e8dd571e06a5781750d17f9ec1ca5162bcd7c8762867fb95bc2 tor-browser-linux64-7.0.10_de.tar.xz
10eebffe22594d336441ed59e5edc97ba1d296eb7d94bca3ff94ebfac2da3e34 tor-browser-linux64-7.0.10_en-US.tar.xz
0347af2ef038a6a350c7d900485884b1a0ceba73e617176c06d48e1aba297519 tor-browser-linux64-7.0.10_es-ES.tar.xz
725f9f9d539b305994e08fd654832383d78961fad05048690f253c7945f5c0a2 tor-browser-linux64-7.0.10_fa.tar.xz
3fa4e14977688cfd6f798d6b273e96a141ad693cf48c52c3f2678c26dac614ec tor-browser-linux64-7.0.10_fr.tar.xz
695dd603b948767943c673261a8c77f952dffe48c32ceef680589162e1697424 tor-browser-linux64-7.0.10_it.tar.xz
8725e42e4db3b366156dff5de575cf4805f1178ce511f5fcf9d085a495a1326c tor-browser-linux64-7.0.10_ja.tar.xz
287b84523381f5bde854f27bdfed1e853998c006eccfc7e398d13f04c4a4d04e tor-browser-linux64-7.0.10_ko.tar.xz
f5650f8b12f1a0cbb4b188d9c0e1d3f188ecbe73052d22000b0ab821279de26d tor-browser-linux64-7.0.10_nl.tar.xz
e9df01fc1d71c5a288bcb51b17ddf3d59321f7e58b48cfbd80fe18399d4e6286 tor-browser-linux64-7.0.10_pl.tar.xz
7dbdae678046b2e91501603eff3738f64de8ca803b9fcc67caa6bf334ef683d9 tor-browser-linux64-7.0.10_pt-BR.tar.xz
dee5437e9dc73b7bad99ef4cd7637303154628475c072c918760cb8b5141f36a tor-browser-linux64-7.0.10_ru.tar.xz
2376e603424d847ed8ec94be528c2a10a802e3771ad27ffcfdfbfe9b2430d479 tor-browser-linux64-7.0.10_tr.tar.xz
1b840320a9f6b1891371e39d2985ef886a489ade58d21f49548ad400761e8311 tor-browser-linux64-7.0.10_vi.tar.xz
61b0c39d8801b6aedbd0b551c958fcdf7e6de52133a9f805d1fb4cd2545e22e2 tor-browser-linux64-7.0.10_zh-CN.tar.xz
......@@ -18,9 +18,9 @@
# Uncomment the following lines if you want to give the Tor Browser read-write
# access to most of your personal files.
@@ -17,48 +19,54 @@
#dbus,
network tcp,
@@ -20,52 +22,58 @@
ptrace (trace) peer=@{profile_name},
+ /etc/asound.conf r,
deny /etc/host.conf r,
......@@ -42,6 +42,10 @@
+ /etc/machine-id r,
+ /var/lib/dbus/machine-id r,
/dev/ r,
/dev/shm/ r,
owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/environ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/stat r,
......@@ -104,7 +108,7 @@
/etc/mailcap r,
/etc/mime.types r,
@@ -96,10 +104,44 @@
@@ -103,9 +111,43 @@
# Silence denial logs about permissions we don't need
deny /dev/dri/ rwklx,
......@@ -113,12 +117,12 @@
+ deny @{HOME}/.config/gtk-2.0/ rw,
+ deny @{HOME}/.config/gtk-2.0/** rw,
+ deny @{HOME}/.mozilla/firefox/bookmarks/ r,
+ deny /usr/local/lib/tor-browser/TorBrowser/UpdateInfo/ rw,
+ deny /usr/local/lib/tor-browser/update.test/ rw,
deny @{PROC}/@{pid}/net/route r,
deny /sys/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r,
+ deny /usr/local/lib/tor-browser/TorBrowser/UpdateInfo/ rw,
+ deny /usr/local/lib/tor-browser/update.test/ rw,
+
+ /usr/lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner Cix -> gst_plugin_scanner,
+ owner @{HOME}/.gstreamer*/ rw,
+ owner @{HOME}/.gstreamer*/** rw,
......@@ -145,11 +149,10 @@
+ # Deny access to the list of recently used files. This overrides the
+ # access to it that's granted by the freedesktop.org abstraction.
+ deny @{HOME}/.local/share/recently-used.xbel* rw,
+
# KDE 4
owner @{HOME}/.kde/share/config/* r,
@@ -107,5 +145,11 @@
@@ -114,5 +156,11 @@
/etc/xfce4/defaults.list r,
/usr/share/xfce4/applications/ r,
......