Merge branch 'stable' into devel

config/chroot_apt/preferences

@@ -134,10 +134,18 @@ Package: linux-kbuild-3.16
 Pin: release o=Debian,n=jessie
 Pin-Priority: 999
 
+Package: monkeysphere
+Pin: release o=Debian,n=stretch
+Pin-Priority: 999
+
 Package: obfs4proxy
 Pin: release o=TorProject,n=obfs4proxy
 Pin-Priority: 990
 
+Package: pinentry-gtk2
+Pin: release o=Debian Backports,n=jessie-backports
+Pin-Priority: 999
+
 Package: python-electrum
 Pin: release o=Debian,n=stretch
 Pin-Priority: 999

config/chroot_local-hooks/59-libdvd-pkg

@@ -36,7 +36,7 @@ EOF
     equivs-build "libdvd-pkg-${LIBDVD_PKG_VERSION}.control"
     dpkg -i "libdvd-pkg_${LIBDVD_PKG_VERSION}_all.deb"
 )
-rm -R "${tmp}"
+rm -r "${tmp}" /usr/src/libdvd-pkg
 
 # Remove dangling symlink -- note that we absolutely do not want the
 # functionality (automatic checks and upgrades for new css sources)

config/chroot_local-includes/lib/systemd/system-shutdown/tails-kexec

@@ -35,6 +35,16 @@ print_text "--------------------------------------------------------------------
 
 # Note to translators: any text line must fit on a 80 characters wide screen
 case "${LANG}" in
+   de_DE.UTF-8)
+      print_text "        Sie können nun die Start-DVD oder den Start-USB-Stick entfernen"
+      print_empty_line
+      print_text "            Der Systemspeicher wird in einigen Sekunden gelöscht..."
+      print_empty_line
+      print_text "               Die Anzeige könnte anschließend fehlerhaft sein."
+      print_empty_line
+      print_text "      Falls sich das System in einigen Sekunden nicht selbst ausschaltet,"
+      print_text "         bedeutet dies, dass die Speicherlöschung fehlgeschlagen ist."
+      ;;
    es_ES.UTF-8)
       print_text "              Puede ahora retirar el DVD o el USB de arranque."
       print_empty_line

config/chroot_local-includes/usr/local/bin/icedove

@@ -16,10 +16,17 @@ claws_mail_config_is_persistent() {
 }
 
 warn_about_claws_mail_persistence() {
+
     local dialog_msg="<b><big>`gettext \"The <b>Claws Mail</b> persistence feature is activated.\"`</big></b>
 
 `gettext \"If you have emails saved in <b>Claws Mail</b>, you should <a href='https://tails.boum.org/doc/anonymous_internet/claws_mail_to_icedove'>migrate your data</a> before starting <b>Icedove</b>.\"`"
 
+    if [ -f "${PROFILE}/prefs.js" ]; then
+        dialog_msg="${dialog_msg}
+
+`gettext \"If you already migrated your emails to <b>Icedove</b>, you should <a href='https://tails.boum.org/doc/anonymous_internet/claws_mail_to_icedove#delete'>delete all your <b>Claws Mail</b> data</a> to remove this warning.\"`"
+    fi
+
     local launch="`gettext \"_Launch\"`"
     local exit="`gettext \"_Exit\"`"
     # Since zenity can't set the default button to cancel, we switch the

ikiwiki-cgi.setup

@@ -226,6 +226,11 @@ po_slave_languages:
   - fr|Français
   - pt|Português
 # PageSpec controlling which pages are translatable
+#
+# On each release `n` of Tails 3.0, 4.0, etc. this list should be
+# updated to disable translations of news/version_*, news/test_*, and
+# security/Numerous_security_holes_in_* for release `n-2`.
+# Also update ikiwiki.setup, news.mdwn, and security.mdwn.
 po_translatable_pages: '!security/audits and !security/audits/* and !news/report_2* and !news/version_0* and !news/test_0* and !security/Numerous_security_holes_in_0* and (about or bugs or chat or contribute or contribute/how/donate or doc or doc/* or download or download.inline or getting_started or inc/stable_i386_release_notes or index or news or news/* or press or press/* or security or security/* or sidebar or support or support/* or todo or torrents or wishlist or misc or misc/* or install or install/* or upgrade or upgrade/*)'
 # internal linking behavior (default/current/negotiated)
 po_link_to: current

ikiwiki.setup

@@ -203,6 +203,11 @@ po_slave_languages:
   - fr|Français
   - pt|Português
 # PageSpec controlling which pages are translatable
+#
+# On each release `n` of Tails 3.0, 4.0, etc. this list should be
+# updated to disable translations of news/version_*, news/test_*, and
+# security/Numerous_security_holes_in_* for release `n-2`.
+# Also update ikiwiki-cgi.setup, news.mdwn, and security.mdwn.
 po_translatable_pages: '!security/audits and !security/audits/* and !news/report_2* and !news/version_0* and !news/test_0* and !security/Numerous_security_holes_in_0* and (about or bugs or chat or contribute or contribute/how/donate or doc or doc/* or download or download.inline or getting_started or inc/stable_i386_release_notes or index or news or news/* or press or press/* or security or security/* or sidebar or support or support/* or todo or torrents or wishlist or misc or misc/* or install or install/* or upgrade or upgrade/*)'
 # internal linking behavior (default/current/negotiated)
 po_link_to: current

wiki/src/about.de.po

@@ -6,7 +6,7 @@
 msgid ""
 msgstr ""
 "Project-Id-Version: Tails i10n Team\n"
-"POT-Creation-Date: 2015-10-30 11:35+0100\n"
+"POT-Creation-Date: 2016-03-21 18:14+0100\n"
 "PO-Revision-Date: 2016-03-14 13:51-0000\n"
 "Last-Translator: Tails translators <tails@boum.org>\n"
 "Language-Team: Tails translators <tails-l10n@boum.org>\n"
@@ -456,3 +456,12 @@ msgid ""
 msgstr ""
 "Sehen Sie die [[Danksagungen und ähnlichen Projekte|doc/about/"
 "acknowledgments_and_similar_projects]]."
+
+#. type: Title =
+#, no-wrap
+msgid "Contact\n"
+msgstr ""
+
+#. type: Plain text
+msgid "See the [[contact page|about/contact]]."
+msgstr ""

wiki/src/about.fa.po

@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: tails-l10n@boum.org\n"
-"POT-Creation-Date: 2015-12-24 15:03+0100\n"
+"POT-Creation-Date: 2016-03-21 18:14+0100\n"
 "PO-Revision-Date: 2015-10-21 10:58+0000\n"
 "Last-Translator: sprint5 <translation5@451f.org>\n"
 "Language-Team: Persian <http://weblate.451f.org:8889/projects/tails/about/fa/"
@@ -493,3 +493,12 @@ msgid ""
 msgstr ""
 "[[قدردانی‌ها و پروژه‌های مشابه|doc/about/"
 "acknowledgments_and_similar_projects]] را ببینید."
+
+#. type: Title =
+#, no-wrap
+msgid "Contact\n"
+msgstr ""
+
+#. type: Plain text
+msgid "See the [[contact page|about/contact]]."
+msgstr ""

wiki/src/about.fr.po

@@ -6,7 +6,7 @@
 msgid ""
 msgstr ""
 "Project-Id-Version: tails-about-fr\n"
-"POT-Creation-Date: 2015-10-30 11:35+0100\n"
+"POT-Creation-Date: 2016-03-21 18:14+0100\n"
 "PO-Revision-Date: 2013-10-13 17:08-0000\n"
 "Last-Translator: \n"
 "Language-Team: \n"
@@ -507,3 +507,12 @@ msgid ""
 msgstr ""
 "Voir [[Remerciements et projets similaires|doc/about/"
 "acknowledgments_and_similar_projects]]."
+
+#. type: Title =
+#, no-wrap
+msgid "Contact\n"
+msgstr ""
+
+#. type: Plain text
+msgid "See the [[contact page|about/contact]]."
+msgstr ""

wiki/src/about.mdwn

@@ -152,3 +152,8 @@ Acknowledgments and similar projects
 ====================================
 
 See [[Acknowledgments and similar projects|doc/about/acknowledgments_and_similar_projects]].
+
+Contact
+=======
+
+See the [[contact page|about/contact]].

wiki/src/about.pt.po

@@ -6,7 +6,7 @@
 msgid ""
 msgstr ""
 "Project-Id-Version: 1\n"
-"POT-Creation-Date: 2015-10-30 11:35+0100\n"
+"POT-Creation-Date: 2016-03-21 18:14+0100\n"
 "PO-Revision-Date: 2014-04-30 20:00-0300\n"
 "Last-Translator: Tails Developers <amnesia@boum.org>\n"
 "Language-Team: Portuguese <LL@li.org>\n"
@@ -509,3 +509,12 @@ msgid ""
 "See [[Acknowledgments and similar projects|doc/about/"
 "acknowledgments_and_similar_projects]]."
 msgstr ""
+
+#. type: Title =
+#, no-wrap
+msgid "Contact\n"
+msgstr ""
+
+#. type: Plain text
+msgid "See the [[contact page|about/contact]]."
+msgstr ""

wiki/src/about/contact.mdwn

+[[!meta title="Contact"]]
+
+There are many ways to contact us, depending on what you want
+to talk about.
+
+All mailing lists are in English unless specified otherwise.
+
+[[!toc levels=2]]
+
+Public mailing lists
+====================
+
+<div class="caution">
+
+<p>These mailing lists are public: subscription is open to anyone. Don't
+send compromising information. Please respect the
+[[code of conduct|contribute/working_together/code_of_conduct/]].</p>
+
+</div>
+
+<a id="tails-support"></a>
+
+tails-support
+-------------
+
+[[tails-support@boum.org|support/tails-support]] is the mailing list
+dedicated to Tails user support.
+
+[[!inline pages="support/tails-support" raw="yes"]]
+
+<a id="amnesia-news"></a>
+
+amnesia-news
+------------
+
+amnesia-news@boum.org is the mailing list where we send our [[news]] by
+email. It has a low traffic and it is the right place to stay
+up-to-date with the releases and security announcements.
+
+Public archive of amnesia-news: <https://mailman.boum.org/pipermail/amnesia-news/>.
+
+<form method="POST" action="https://mailman.boum.org/subscribe/amnesia-news">
+	<input class="text" name="email" value=""/>
+	<input class="button" type="submit" value="Subscribe"/>
+</form>
+
+<a id="tails-project"></a>
+
+tails-project
+-------------
+
+tails-project@boum.org is the mailing list where we discuss upcoming
+events, monthly reports, and other non-technical matters.
+
+Public archive of tails-project: <https://mailman.boum.org/pipermail/tails-project/>.
+
+<form method="POST" action="https://mailman.boum.org/subscribe/tails-project">
+	<input class="text" name="email" value=""/>
+	<input class="button" type="submit" value="Subscribe"/>
+</form>
+
+<a id="tails-dev"></a>
+
+tails-dev
+---------
+
+tails-dev@boum.org is the mailing list where the development work is
+coordinated and technical design questions are discussed. Subscribe if
+you want to [[contribute code|contribute/how/code]].
+
+Public archive of tails-dev: <https://mailman.boum.org/pipermail/tails-dev/>.
+
+<form method="POST" action="https://mailman.boum.org/subscribe/tails-dev">
+	<input class="text" name="email" value=""/>
+	<input class="button" type="submit" value="Subscribe"/>
+</form>
+
+<a id="tails-testers"></a>
+
+tails-testers
+-------------
+
+tails-testers@boum.org is the mailing list for people who want to help
+[[test|contribute/how/testing]] new releases or features.
+
+Public archive of tails-testers: <https://mailman.boum.org/pipermail/tails-testers/>.
+
+<form method="POST" action="https://mailman.boum.org/subscribe/tails-testers">
+	<input class="text" name="email" value=""/>
+	<input class="button" type="submit" value="Subscribe"/>
+</form>
+
+<a id="tails-ux"></a>
+
+tails-ux
+--------
+
+tails-ux@boum.org is the list for matters related to
+[[user experience and user interface|contribute/how/user_interface]].
+
+Public archive of tails-ux: <https://mailman.boum.org/pipermail/tails-ux/>.
+
+<form method="POST" action="https://mailman.boum.org/subscribe/tails-ux">
+	<input class="text" name="email" value=""/>
+	<input class="button" type="submit" value="Subscribe"/>
+</form>
+
+<a id="tails-l10n"></a>
+
+tails-l10n
+----------
+
+[[!inline pages="contribute/how/translate/tails-l10n.inline" raw="yes"]]
+
+Private email addresses
+=======================
+
+<a id="tails-support-private"></a>
+
+tails-support-private
+---------------------
+
+You can write encrypted emails to <tails-support-private@boum.org> if
+you need help in private.
+
+[[OpenPGP key|tails-bugs.key]]
+([[details|doc/about/openpgp_keys#support]]).
+
+[[!inline pages="support/talk/languages.inline" raw="yes"]]
+
+<a id="tails-press"></a>
+
+tails-press
+-----------
+
+If you are a journalist and want to write about Tails, or if you want to
+send us links to [[press articles|press]] about Tails, write to
+<tails-press@boum.org>.
+
+[[OpenPGP key|tails-press.key]]
+([[details|doc/about/openpgp_keys#press]]).
+
+<a id="tails-accounting"></a>
+
+tails-accounting
+-----------------
+
+If you want to fund Tails, write to <tails-accounting@boum.org>.
+
+[[OpenPGP key|tails-accounting.key]]
+([[details|doc/about/openpgp_keys#accounting]]).
+
+<a id="tails-sysadmins"></a>
+
+tails-sysadmins
+---------------
+
+To talk about our infrastructure (servers, test suite, repositories,
+mirrors, etc.), write to <tails-sysadmins@boum.org>.
+
+[[OpenPGP key|tails-sysadmins.key]]
+([[details|doc/about/openpgp_keys#sysadmins]]).
+
+<a id="tails"></a>
+
+tails
+-----
+
+For matters that are listed in none of the above and for
+vulnerabilities disclosures, you can write encrypted emails to
+<tails@boum.org>.
+
+[[OpenPGP key|tails-email.key]]
+([[details|doc/about/openpgp_keys#private]]).
+
+<a id="irc"></a>
+
+IRC channels
+============
+
+You can join our [[users chat room|support/chat]] and
+[[developers chat room|contribute/chat]]. Only a few Tails
+developers hang out there, so email is preferred for anything that
+might be of interest for the larger community.

wiki/src/blueprint/SponsorS/reports/2016_03.mdwn

@@ -32,6 +32,10 @@ Everything in this report can be made public.
 
 # B. Improve our quality assurance process
 
+## B.4. Freezable APT repository
+
+- B.4.2. Implement a mechanism to save the list of packages used at
+  ISO build time ([[!tails_ticket 10748]])
 
 # C. Scale our infrastructure
 

wiki/src/blueprint/UEFI.mdwn

@@ -31,8 +31,7 @@ tickets on [[!tails_redmine desc="Redmine"]], meaning that patches are
 welcome, but we do not feel committed, as a project, to make
 it happen.
 
-On the other hand, it appears that adding support for [[blueprint/UEFI
-Secure boot]] will be necessary at some point. More and more
+On the other hand, it appears that adding support for [[blueprint/UEFI_Secure_boot]] will be necessary at some point. More and more
 off-the-shelf PC hardware is shipped with this functionality enabled.
 Also, having to constantly disable and re-enable Secure boot in the
 firmware configuration is not the best dual-boot user experience we
@@ -140,7 +139,7 @@ More technical details:
 OVMF
 ----
 
-* The <edk2-devel@lists.sourceforge.net> mailing-list is the canonical
+* The <edk2-devel@lists.sourceforge.net> mailing list is the canonical
   place for discussions on this topic.
 * Ubuntu's page about OVMF: <https://wiki.ubuntu.com/UEFI/OVMF>
 * <http://www.linux-kvm.org/page/OVMF>

wiki/src/blueprint/automated_builds_and_tests/buildbot.mdwn

@@ -18,7 +18,7 @@ Our buildbot's instance runs inside a KVM guest managed by libvirt.
    work on this.
 1. Custom notifications when a build fails: the one currently sent
    lacks some useful information.
-2. Request a mailing-list where buildbot would send its build
+2. Request a mailing list where buildbot would send its build
    failure reports.
 3. Move to a "build in a throw-away VM" approach, so that a given
    build cannot taint future ones.

wiki/src/blueprint/automated_builds_and_tests/testing.mdwn

@@ -68,7 +68,7 @@ Mozilla and others:
 * [tutorial](http://download.freedesktop.org/ldtp/doc/ldtp-tutorial.pdf)
 * The main bindings are Python, but there also are a Ruby client and
   Perl bindings in the [Git repo](http://cgit.freedesktop.org/ldtp/ldtp2/tree/ldtp)
-* The LDTP dev mailing-list is very quiet, and it's unclear whether
+* The LDTP dev mailing list is very quiet, and it's unclear whether
   GNOME still uses it, or instead switched to dogtail.
 
 ## misc

wiki/src/blueprint/better_track_and_document_our_delta_with_Debian.mdwn

@@ -75,7 +75,7 @@ Next steps
 
 * This is being discussed in the [Tracking derivatives delta:
   explanations, history](https://lists.debian.org/85r41tx7k4.fsf@boum.org)
-  thread on the debian-derivatives mailing-list.
+  thread on the debian-derivatives mailing list.
 * Action items: [[!tails_ticket 7607]] and subtasks
 
 Misc. ideas

wiki/src/blueprint/freezable_APT_repository.mdwn

@@ -28,10 +28,27 @@ little value.
      - developer (including stable, testing, devel, and `$topic`)
    * get the updated documentation + this design reviewed, including
      security aspects [i]
-   * write tools that the doc calls for
-     - bump `Valid-Until`
-     - freeze
-     - unfreeze
+   * give RM's access to `reprepro-time-based-snapshots@apt.lizard` [i]
+   * document how to freeze time-based APT snapshots being used:
+
+             ./auto/scripts/apt-snapshots-serials freeze && \
+             git commit \
+                 -m 'Freeze APT snapshots to the current ones.' \
+                 config/APT_snapshots.d/*/serial
+
+   * document how to thaw time-based APT snapshots being used:
+
+             ./auto/scripts/apt-snapshots-serials thaw && \
+             git commit \
+                 -m 'Thaw APT snapshots.' \
+                 config/APT_snapshots.d/*/serial
+
+   * document how to bump `Valid-Until` [i], e.g.
+
+             ssh reprepro-time-based-snapshots@apt.lizard \
+                 tails-bump-apt-snapshot-valid-until \
+                     tails 2016031304 15
+
    * move relevant content from this blueprint to the "final" design
      doc + contributors doc
 
@@ -47,26 +64,37 @@ little value.
       snapshots)
    e. **done** publish the snapshots' serial over HTTP
       (e.g. <http://time-based.snapshots.deb.tails.boum.org/debian-security/project/trace/debian-security>)
+   e. **done** try using such snapshots for building an ISO:
+      done in `feature/5926-freezable-APT-repository`
+   e. Avoid re-downloading everything one has in their local
+      apt-cacher-ng, and filling its cache with files duplicated
+      many times. It's acceptable not to have optimal caching for `dists/`; what
+      matters is `pool`. We have a working PoC using the "merging" strategy (documented on
+      <file:///usr/share/doc/apt-cacher-ng/html/config-serv.html#repmap>),
+      that is `Remap-tails` with no `TargetURLs` list; it works if
+      we do that for the `pool/` directory only (we don't want to
+      merge the cache for the different `dists` directory):
+
+               $ echo 'Remap-tailspool: file:tails-time-based-snapshots-debian-pool.list' \
+                 | sudo tee /etc/apt-cacher-ng/tails-time-based-snapshots-debian-pool.conf
+
+               $ for origin in $(cd config/APT_snapshots.d/ ; ls -d *) ; do for y in $(seq 2016 2026) ; do for m in $(seq 1 12); do for d in $(seq 1 31) ; do for t in $(seq 1 4) ; do printf 'http://time-based.snapshots.deb.tails.boum.org/%s/%04u%02u%02u%02u/pool/\n' $origin $y $m $d $t ; done ; done ; done ; done | sudo tee /etc/apt-cacher-ng/tails-time-based-snapshots-$origin-pool.list ; done
+
    e. deny robots access to that data
-   e. manage symlinks or rewrite rules for URL → reprepro filesystem
-      layout (cf. "APT vs. reprepro: dist names" below)
-   e. try using such snapshots for building an ISO
-      - branch: `feature/build-from-snapshots`
-      - how to avoid re-downloading everything one has in their local
-        apt-cacher-ng, and filling its cache with files duplicated
-        many times? It seems that we can't merge caches between the
-        default `debrep` and our own snapshots: XXX.
-        But at least we should de-duplicate among our own snapshots,
-        e.g. using the "merging" strategy (documented on
-        <file:///usr/share/doc/apt-cacher-ng/html/config-serv.html#repmap>),
-        that is `Remap-tails` with no `TargetURLs` list.
-   d. implement list of sticky snapshots that must not be GC'ed,
-      including the tool to add to that list
-   e. implement GC of snapshots
-   f. implement GC of packages
+   e. implement GC of expired snapshots and packages (`tails-delete-expired-apt-snapshots`):
+      * allow running in verbose or silent mode, just like in
+        `tails-update-time-based-apt-snapshots` [k]
+      * delete expired snapshots' `dist` directories after
+        `deleteunreferenced` [k]
+      * review and test [i]
+      * deploy with Puppet, redirect output to a log file, logrotate snippet [i]
    f. clean up old snapshots that the GC system can't clean up
       automatically (e.g. those before 20160311, that have no
       `Valid-Until`)
+      * debian
+      * debian-security
+      * tails
+      * torproject
    g. have build system output the snapshots being used,
       and have Jenkins publish this info if available
 
@@ -89,30 +117,18 @@ little value.
    b. **done** PoC of capturing the list of source packages used during the build
    c. **done** initial reprepro setup for tagged snapshots
    d. **done** debootstrap in jessie-backports
-   e. **WIP** how to create a partial snapshot from a manifest and
-      the origin time-based snapshots?
-      * `generate-build-manifest` (main Git repo), aka. [[!tails_ticket 10748]]
-        - cherry-pick the relevant bits and get them into Tails 2.3 [i]
+   e. **WIP** create a partial snapshot from a manifest and
+      the origin time-based snapshots:
+      * add comments for the most obscure aspects of
+        `tails-prepare-tagged-apt-snapshot-import` [k]
+      * `generate-build-manifest` (main Git repo), aka. get [[!tails_ticket 10748]]
+        done in Tails 2.3 [i]
         - convert custom `data/debootstrap/tails-wheezy` into a patch,
           or set up the process to update/replace it in the future,
           or something (we're using Jessie now) [i]
-      * `tails-prepare-tagged-apt-snapshot-import`, aka.
-        [[!tails_ticket 10749]] (`puppet-tails` repo):
-          - review & test support for multiple architectures [i]:
-            * beware of differing versions due to binNMUs
-            * test with a complete set of data (including all
-              architectures we want, source packages, and a build
-              manifest that includes amd64 (e.g.
-              [[!tails_gitweb_branch feature/8415-overlayfs]]) and
-              source packages
-   g. **WIP** have the manifest → partial snapshot process include source
-      packages
-      => review this [i], in particular:
-      - check the case when the binary package's version is different
-        from the corresponding source package's one
-        (`libdevmapper1.02.1` vs. `lvm2`)
-      - torproject provides no source packages; how does
-        `tails-prepare-tagged-apt-snapshot-import` deal with it?
+        - get rid of the last XXX in `data/wrappers/apt-get`
+        - move `data/wrappers/apt-get` to a better place
+      * deploy, update release process doc, grant RM's access
    h. publish tagged snapshots over HTTP
    h. for some Tails release: generate manifest, import packages into
       tagged snapshots, try building *offline* with these tagged
@@ -132,8 +148,7 @@ little value.
 ## Snapshots and branches
 
 Several times a day (e.g. 4 times, to match runs of `dinstall` in the
-Debian archive; XXX: start with once a day and then raise the
-frequency if the infrastructure can hold it?) we update a local mirror
+Debian archive, we update a local mirror
 of the APT repositories we're
 interested in, e.g. with `reprepro update`. Once this is successfully
 done, we take a snapshot of the current state of our local mirror
@@ -190,12 +205,6 @@ except:
  * if a set of APT repository snapshots is encoded directly in that
    branch: use them, even for security.debian.org.
 
-XXX: add special handling of deb.tails.b.o, that we need since it's
-the repo where we can sneak freeze exceptions in. In theory it's not
-related to our great APT repository snapshots plans, since it has its
-own snapshots mechanism already, but ideally we would integrate it
-into the new system entirely?
-
 ## Different problems ⇒ different solutions
 
 Note that:
@@ -251,14 +260,26 @@ snapshots information.
 So we'll use two independent `reprepro` instances to address these
 two problems.
 
-XXX: how exactly we'll import packages we need from time-based
-snapshots to tagged ones is left to be defined (filtered `reprepro
-update`? `cp` + `reprepro includeblah`?)
-
 # Special cases and implementation
 
 <a id="runtime-sources"></a>
 
+## Custom APT repository
+
+Our custom APT repository (<http://deb.tails.boum.org/>) is not part of
+the first iteration of this system: it's not needed, since we already
+have a process to manage it, including creating snapshots labeled with
+the Git tag.
+
+However, longer-term, ideally we would integrate it into the new
+system. It will require quite some infrastructure and code, if we want
+to avoid making the release process more painful (e.g. it would be nice
+if this didn't require waiting up to 6 hours until the next time-based
+snapshot of our custom APT repository is created, between the time we
+upload a package to it, and when we can build an ISO with it; we could
+solve this by automatically creating a new snapshot whenever an APT
+suite corresponding to a release branch is updated).
+
 ## APT sources used inside Tails
 
 A running Tails' APT must be pointed at the official, live Debian
@@ -450,9 +471,13 @@ than N days will probably be compulsory.
 
 To ensure that garbage collection doesn't delete a snapshot we still
 need, e.g. the one currently referenced in the frozen `testing`
-branch, we'll maintain a list of snapshots that need to be kept
-around. The tool used by the RM to bump the archive snapshot serials
-in Git should take care of it.
+branch, we'll rely on `Valid-Until`: the way to express "I want to
+keep a given snapshot around" would be to postpone its expiration
+date; i.e. we don't differentiate "keep a given snapshot around" from
+"keep a given snapshot usable".
+
+See the section about `Valid-Until` below, for details about how we
+can bump it.
 
 ### Tagged snapshots
 
@@ -545,7 +570,7 @@ Conclusion: compared to the "snapshots as full-blown distributions +
 is very appealing. The counterpart being that: