Commit 1d505dae authored by intrigeri's avatar intrigeri

Merge remote-tracking branch 'origin/web/release-4.2.2'

parents 3e8a08d2 e0841602
......@@ -3,15 +3,34 @@
set -e
set -u
IGNORED_TAGS="4.2.1"
major_version () {
local version="$1"
echo "$version" | perl -p -E 's,[.].*,,'
}
member () {
local item="$1"
shift
local found=no
for i in "$@"; do
if [ "$i" = "$item" ]; then
found=yes
break
fi
done
[ "$found" = 'yes' ]
}
RELEASING_VERSION="$1"
RELEASING_MAJOR_VERSION=$(major_version "$RELEASING_VERSION")
git tag --color=never | while read tag ; do
git tag | while read tag ; do
if member "$tag" $IGNORED_TAGS; then
continue
fi
version=$(echo "$tag" | perl -p -E 's,-,~,')
major_version=$(major_version "$version")
if [ "$major_version" = "$RELEASING_MAJOR_VERSION" ] && \
......
This diff is collapsed.
......@@ -182,7 +182,6 @@ pref("security.enable_ssl3", false);
// https://bugs.torproject.org/11253
// March 2017: See https://bugs.torproject.org/20751
pref("security.tls.version.min", 3);
pref("security.tls.version.max", 3);
// Display a dialog warning the user when entering an insecure site from a secure one.
pref("security.warn_entering_weak", true);
// Display a dialog warning the user when submtting a form to an insecure site.
......
[Service]
# Don't let the Upgrader block the reboot after applying an upgrade
TimeoutStopSec=10
http://torbrowser-archive.tails.boum.org/9.0.3-build4/
http://torbrowser-archive.tails.boum.org/9.0.4-build1/
8983d3784b9563b67e54ed46c74839aa486013fbc3568441cf1c3b09abbd5169 tor-browser-linux64-9.0.3_en-US.tar.xz
951e26f04276f816773b74f32747e8d56556e62c5b1ffa1e0852968cbeaf97fc langpacks-tor-browser-linux64-9.0.3.tar.xz
53c85059445eff023e7e5ed4749dfdf12b328353e82a4c7263f010120570f493 tor-browser-linux64-9.0.4_en-US.tar.xz
7c83a6f2b679e4d8f8ee7b2cb2cae01a12ef31987688f3c450733f715973405d langpacks-tor-browser-linux64-9.0.4.tar.xz
......@@ -40,7 +40,7 @@ for my $input_filename (@input_filenames) {
say STDERR "Checking '$input_filename'...";
my $upgrade_description = Tails::IUK::UpgradeDescriptionFile->new_from_file(
$input_filename
filename => $input_filename
);
assert_isa($upgrade_description, 'Tails::IUK::UpgradeDescriptionFile');
......
......@@ -62,9 +62,9 @@ Feature: create an IUK
Scenario: create an IUK when new files have appeared in filesystem.squashfs
Given an old ISO image whose filesystem.squashfs does not contain file "A"
And a new ISO image whose filesystem.squashfs contains file "A"
And a new ISO image whose filesystem.squashfs contains file "A" owned by www-data
When I create an IUK
Then the saved IUK contains a SquashFS that contains file "A"
Then the saved IUK contains a SquashFS that contains file "A" owned by www-data
Scenario: create an IUK when files have disappeared from filesystem.squashfs
Given an old ISO image whose filesystem.squashfs contains file "A"
......
......@@ -148,11 +148,20 @@ Given qr{^two ISO images when a new kernel was added$}, fun ($c) {
);
};
Given qr{^(an old|a new) ISO image whose filesystem.squashfs( does not|) contains? file "([^"]+)"(?:| modified at ([0-9]+))$}, fun ($c) {
Given qr{^(an old|a new) ISO image whose filesystem.squashfs( does not|) contains? file "([^"]+)"(?:| modified at ([0-9]+)| owned by ([a-z-]+))$}, fun ($c) {
my $generation = $c->matches->[0] eq 'an old' ? 'old' : 'new';
my $contains = $c->matches->[1] eq "" ? 1 : 0;
my $file = $c->matches->[2];
my $mtime = $c->matches->[3];
my ($mtime, $owner);
if (defined $c->matches->[3]) {
if ($c->matches->[3] =~ m{\A[0-9]+\z}) {
$mtime = $c->matches->[3];
} elsif ($c->matches->[3] =~ m{\A[a-z-]+\z}) {
$owner = $c->matches->[3];
} else {
croak "Test suite implementation error";
}
}
my $iso_basename = $generation eq 'old' ? 'old.iso' : 'new.iso';
my $iso_filename = path($c->{stash}->{scenario}->{tempdir}, $iso_basename);
......@@ -164,6 +173,7 @@ Given qr{^(an old|a new) ISO image whose filesystem.squashfs( does not|) contain
path($squashfs_tempdir, $file)->parent->mkpath();
path($squashfs_tempdir, $file)->touch;
utime($mtime, $mtime, path($squashfs_tempdir, $file)) if defined($mtime);
run_as_root('chown', $owner, path($squashfs_tempdir, $file)) if defined($owner);
}
path($iso_tempdir, 'live')->mkpath();
capture("mksquashfs '$squashfs_tempdir' '$iso_tempdir/live/filesystem.squashfs' -no-progress 2>/dev/null");
......@@ -311,7 +321,8 @@ fun file_content_in_iuk_unlike($iuk_in, Path $filename, $regexp) {
_file_content_in_iuk_like(@_, 0);
}
fun squashfs_in_iuk_contains($iuk_in, $squashfs_name, $expected_file, $expected_mtime) {
fun squashfs_in_iuk_contains(:$iuk_in, :$squashfs_name, :$expected_file,
:$expected_mtime, :$expected_owner) {
my $squashfs_path = path('overlay', 'live', $squashfs_name);
die "SquashFS '$squashfs_name' not found in the IUK"
unless $iuk_in->contains_file($squashfs_path);
......@@ -341,8 +352,13 @@ fun squashfs_in_iuk_contains($iuk_in, $squashfs_name, $expected_file, $expected_
return unless $exists;
if (defined $expected_mtime) {
return $expected_mtime == $tempdir->child('squashfs-root', $expected_file)->stat->mtime
return unless $expected_mtime == $tempdir->child('squashfs-root', $expected_file)->stat->mtime
}
if (defined $expected_owner) {
return unless $expected_owner eq getpwuid($tempdir->child('squashfs-root', $expected_file)->stat->uid)
}
return 1;
}
......@@ -439,14 +455,25 @@ Then qr{^the delete_files list is empty$}, fun ($c) {
is($c->{stash}->{scenario}->{iuk_in}->delete_files_count, 0);
};
Then qr{^the saved IUK contains a SquashFS that contains file "([^"]+)"(?:| modified at ([0-9]+))$}, fun ($c) {
Then qr{^the saved IUK contains a SquashFS that contains file "([^"]+)"(?:| modified at ([0-9]+)| owned by ([a-z-]+))$}, fun ($c) {
my $expected_file = $c->matches->[0];
my $expected_mtime = $c->matches->[1];
my ($expected_mtime, $expected_owner);
if (defined $c->matches->[1]) {
if ($c->matches->[1] =~ m{\A[0-9]+\z}) {
$expected_mtime = $c->matches->[1];
} elsif ($c->matches->[1] =~ m{\A[a-z-]+\z}) {
$expected_owner = $c->matches->[1];
} else {
croak "Test suite implementation error";
}
}
ok(squashfs_in_iuk_contains(
$c->{stash}->{scenario}->{iuk_in},
$c->{stash}->{scenario}->{squashfs_diff_name},
$expected_file, $expected_mtime,
iuk_in => $c->{stash}->{scenario}->{iuk_in},
squashfs_name => $c->{stash}->{scenario}->{squashfs_diff_name},
expected_file => $expected_file,
expected_mtime => $expected_mtime,
expected_owner => $expected_owner,
));
};
......
......@@ -83,6 +83,9 @@ Feature: upgrade frontend
And the downloaded IUK should be installed
And I should be proposed to restart the system
And the system should be restarted
When I run tails-upgrade-frontend in batch mode
Then it should succeed
And I should be told "The system is up-to-date"
Scenario: USB produced by our installer: no incremental upgrade is available, but a full upgrade is
Given Tails is running from a USB thumb drive
......
......@@ -430,8 +430,6 @@ When qr{^I run tails-upgrade-frontend(| in batch mode)$}, fun ($c) {
};
Then qr{^it should succeed$}, fun ($c) {
Test::Util::kill_httpd($c);
ok(defined $c->{stash}->{scenario}->{exit_code})
and
is($c->{stash}->{scenario}->{exit_code}, 0);
......@@ -448,8 +446,6 @@ Then qr{^it should succeed$}, fun ($c) {
};
Then qr{^it should fail to (check for upgrades|download the upgrade)$}, fun ($c) {
Test::Util::kill_httpd($c);
ok(defined $c->{stash}->{scenario}->{exit_code})
and
isnt($c->{stash}->{scenario}->{exit_code}, 0);
......@@ -521,6 +517,11 @@ Then qr{^the network should be shutdown$}, fun ($c) {
Then qr{^the downloaded IUK should be installed$}, fun ($c) {
# the overlay directory in the test IUK contains a "placeholder" file
ok(path($c->{stash}->{scenario}->{liveos_mountpoint}, 'placeholder')->exists);
# Ensure the next "I run tails-upgrade-frontend in batch mode"
# is aware that the upgrade was applied
$c->{stash}->{scenario}->{os_release_file}->edit_lines(
sub { s{\ATAILS_VERSION_ID="0[.]11"$}{TAILS_VERSION_ID="0.12.1"}xms }
);
};
Then qr{^I should be proposed to restart the system$}, fun ($c) {
......@@ -543,6 +544,7 @@ Then qr{^the system should be restarted$}, fun ($c) {
};
After fun ($c) {
Test::Util::kill_httpd($c);
run_as_root('umount', $c->{stash}->{scenario}->{liveos_mountpoint});
${^CHILD_ERROR_NATIVE} == 0 or croak("Failed to umount system partition.");
run_as_root(qw{kpartx -d}, $c->{stash}->{scenario}->{backing_file});
......
......@@ -246,7 +246,6 @@ method _build_overlay_dir () {
method _build_format_version () { "2"; }
method _build_mksquashfs_options () { [
qw{-no-progress -noappend},
qw{-all-root},
qw{-comp xz -Xbcj x86 -b 1024K -Xdict-size 1024K},
]}
method _build_union_type () { "aufs"; }
......@@ -452,7 +451,8 @@ method saveas ($outfile_name) {
qw{mksquashfs},
$self->squashfs_src_dir,
$outfile_name,
$self->list_mksquashfs_options
$self->list_mksquashfs_options,
'-all-root',
);
return;
......
......@@ -335,7 +335,8 @@ method run () {
$self->refresh_signing_key;
my ($upgrade_description_text) = $self->get_upgrade_description;
my $upgrade_description = Tails::IUK::UpgradeDescriptionFile->new_from_text(
$upgrade_description_text
text => $upgrade_description_text,
product_version => $self->running_system->product_version,
);
assert_isa($upgrade_description, 'Tails::IUK::UpgradeDescriptionFile');
......
......@@ -24,7 +24,7 @@ use Function::Parameters;
use List::MoreUtils qw{any};
use List::Util qw{sum};
use Path::Tiny;
use Types::Standard qw{ArrayRef Str};
use Types::Standard qw{ArrayRef ClassName Maybe Str};
use YAML::Any;
use namespace::clean;
......@@ -41,6 +41,13 @@ has "$_" => (
predicate => 1,
) for (qw{product_name initial_install_version build_target channel});
has product_version => (
is => 'ro',
isa => Maybe[Str],
default => sub { undef },
predicate => 1,
);
has upgrades =>
is => 'lazy',
isa => ArrayRef,
......@@ -70,10 +77,18 @@ has upgrade_paths =>
method _build_upgrades () { return [] }
method _build_upgrade_paths () {
assert($self->has_product_version);
assert_defined($self->product_version);
my @upgrade_paths;
foreach my $upgrade ($self->all_upgrades) {
exists $upgrade->{'upgrade-paths'} or $upgrade->{'upgrade-paths'} = [];
foreach my $path (@{$upgrade->{'upgrade-paths'}}) {
next unless exists $upgrade->{'upgrade-paths'};
my @upgrade_paths_to_newer_version = grep {
version_compare(
$upgrade->{version},
$self->product_version
) == 1;
} @{$upgrade->{'upgrade-paths'}};
foreach my $path (@upgrade_paths_to_newer_version) {
foreach my $key (qw{type target-files}) {
assert(exists $path->{$key});
assert(defined $path->{$key});
......@@ -88,9 +103,9 @@ method _build_upgrade_paths () {
return \@upgrade_paths;
}
sub new_from_text {
my $class = shift;
my $text = shift;
fun new_from_text (ClassName $class,
Str :$text,
Maybe[Str] :$product_version = undef) {
my $data = YAML::Any::Load($text);
......@@ -101,17 +116,16 @@ sub new_from_text {
$args{$attribute} = $data->{$key};
}
$class->new(%args);
$class->new(%args, product_version => $product_version);
}
sub new_from_file {
my $class = shift;
my $filename = shift;
fun new_from_file (ClassName $class,
Str :$filename,
Maybe[Str] :$product_version = undef) {
my $content = path($filename)->slurp;
assert_nonblank($content);
$class->new_from_text($content);
$class->new_from_text(text => $content, product_version => $product_version);
}
......
......@@ -153,7 +153,7 @@ method update_udf_for_previous_release ($previous_version) {
my $description;
if (-e $udf) {
$description = Tails::IUK::UpgradeDescriptionFile->new_from_file($udf);
$description = Tails::IUK::UpgradeDescriptionFile->new_from_file(filename => $udf->canonpath);
}
else {
$description = Tails::IUK::UpgradeDescriptionFile->new(
......
tails (4.2.2) unstable; urgency=medium
* Major changes
- Upgrade Tor Browser to 9.0.4-build1 (MFSA-2020-03)
* Bugfixes
- Avoid the Upgrader proposing to upgrade to the version
that's already running (Closes: #17425)
- Avoid 2 minutes delay while rebooting after applying an automatic
upgrade (Closes: #17026)
- Make Thunderbird support TLS 1.3 (Closes: #17333)
* Build system
- IUK generation: don't make all files in the SquashFS diff
owned by root, otherwise an upgraded system cannot start
(Closes: #17422)
-- Tails developers <tails@boum.org> Mon, 13 Jan 2020 09:21:51 +0000
tails (4.2) unstable; urgency=medium
* Major changes
......
......@@ -920,6 +920,14 @@ When /^I eject the boot medium$/ do
end
end
Given /^Tails is fooled to think it is running version (.+)$/ do |version|
$vm.execute_successfully(
"sed -i " +
"'s/^TAILS_VERSION_ID=.*$/TAILS_VERSION_ID=\"#{version}\"/' " +
"/etc/os-release"
)
end
Given /^Tails is fooled to think that version (.+) was initially installed$/ do |version|
initial_os_release_file =
'/lib/live/mount/rootfs/filesystem.squashfs/etc/os-release'
......
......@@ -903,6 +903,18 @@ Given /^Tails is fooled to think a (.+) SquashFS delta is installed$/ do |versio
)
end
Then /^the Upgrader considers the system as up-to-date$/ do
try_for(120, :delay => 10) do
$vm.execute_successfully(
"systemctl --user status tails-upgrade-frontend.service",
:user => LIVE_USER
)
$vm.execute_successfully(
"journalctl | grep -q -E 'tails-upgrade-frontend-wrapper\[[0-9]+\]: The system is up-to-date'"
)
end
end
def upgrader_trusted_signing_subkeys
$vm.execute_successfully(
"sudo -u tails-upgrade-frontend gpg --batch --list-keys --with-colons '#{TAILS_SIGNING_KEY}'",
......
......@@ -108,6 +108,7 @@ Feature: Upgrading an old Tails USB installation
Given I have started Tails without network from a USB drive with a persistent partition enabled and logged in
And no SquashFS delta is installed
And Tails is fooled to think that version 2.0~test was initially installed
And Tails is fooled to think it is running version 2.0~test
And the file system changes introduced in version 2.2~test are not present
And the file system changes introduced in version 2.3~test are not present
When the network is plugged
......@@ -136,18 +137,22 @@ Feature: Upgrading an old Tails USB installation
And all persistence presets are enabled
And the file system changes introduced in version 2.3~test are present
And only the 2.3~test SquashFS delta is installed
# Our IUK sets a release date that can make Tor bootstrapping impossible
# Regression test for #17425 (i.e. the Upgrader would propose
# upgrading to the version that's already running)
Given Tails system time is magically synchronized
# Regression test on #8158 (i.e. the IUK's filesystem is not part of the Unsafe Browser's chroot)
And Tails is fooled to think that version 2.1~test was initially installed
When the network is plugged
And Tor is ready
Then I successfully start the Unsafe Browser
Then the Upgrader considers the system as up-to-date
# Regression test on #8158 (i.e. the IUK's filesystem is not part of the Unsafe Browser's chroot)
And I successfully start the Unsafe Browser
And the file system changes introduced in version 2.3~test are present in the Unsafe Browser's chroot
@automatic_upgrade
Scenario: Upgrading a Tails that has several SquashFS deltas present with an incremental upgrade
Given I have started Tails without network from a USB drive with a persistent partition enabled and logged in
And Tails is fooled to think that version 2.0~test was initially installed
And Tails is fooled to think it is running version 2.1~test
And Tails is fooled to think a 2.0.1~test SquashFS delta is installed
And Tails is fooled to think a 2.1~test SquashFS delta is installed
When the network is plugged
......@@ -160,6 +165,7 @@ Feature: Upgrading an old Tails USB installation
Scenario: Upgrading a Tails whose signing key is outdated
Given I have started Tails without network from a USB drive with a persistent partition enabled and logged in
And Tails is fooled to think that version 2.0~test was initially installed
And Tails is fooled to think it is running version 2.0~test
And the signing key used by the Upgrader is outdated
But a current signing key is available on our website
When the network is plugged
......
......@@ -33,8 +33,8 @@ msgstr ""
"Project-Id-Version: Tor Project\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2020-01-06 11:20+0100\n"
"PO-Revision-Date: 2019-12-08 17:27+0000\n"
"Last-Translator: Abanoub Ebied <abanoub_samuel@outlook.com>\n"
"PO-Revision-Date: 2020-01-06 13:47+0000\n"
"Last-Translator: erinm\n"
"Language-Team: Arabic (http://www.transifex.com/otf/torproject/language/"
"ar/)\n"
"Language: ar\n"
......@@ -192,9 +192,8 @@ msgid "The system is up-to-date"
msgstr ""
#: config/chroot_local-includes/usr/src/iuk/lib/Tails/IUK/Frontend.pm:350
#, fuzzy
msgid "This version of Tails is outdated, and may have security issues."
msgstr "هذه النسخة من تيلز تحتوي مشاكل أمنية:"
msgstr ""
#: config/chroot_local-includes/usr/src/iuk/lib/Tails/IUK/Frontend.pm:382
#, perl-brace-format
......@@ -237,9 +236,8 @@ msgid ""
msgstr ""
#: config/chroot_local-includes/usr/src/iuk/lib/Tails/IUK/Frontend.pm:448
#, fuzzy
msgid "Upgrade available"
msgstr "غير متاح"
msgstr ""
#: config/chroot_local-includes/usr/src/iuk/lib/Tails/IUK/Frontend.pm:449
msgid "Upgrade now"
......@@ -264,9 +262,8 @@ msgid ""
msgstr ""
#: config/chroot_local-includes/usr/src/iuk/lib/Tails/IUK/Frontend.pm:474
#, fuzzy
msgid "New version available"
msgstr "غير متاح"
msgstr ""
#: config/chroot_local-includes/usr/src/iuk/lib/Tails/IUK/Frontend.pm:555
msgid "Downloading upgrade"
......@@ -360,18 +357,16 @@ msgid "Error while restarting the system"
msgstr ""
#: config/chroot_local-includes/usr/src/iuk/lib/Tails/IUK/Frontend.pm:728
#, fuzzy
msgid "Failed to restart the system"
msgstr "فشلت محاولة إعادة تشغيل تور."
msgstr ""
#: config/chroot_local-includes/usr/src/iuk/lib/Tails/IUK/Frontend.pm:743
msgid "Error while shutting down the network"
msgstr ""
#: config/chroot_local-includes/usr/src/iuk/lib/Tails/IUK/Frontend.pm:746
#, fuzzy
msgid "Failed to shutdown network"
msgstr "فشلت محاولة إعادة تشغيل تور."
msgstr ""
#: config/chroot_local-includes/usr/src/iuk/lib/Tails/IUK/Frontend.pm:753
msgid "Upgrading the system"
......
......@@ -25,8 +25,8 @@ msgstr ""
"Project-Id-Version: Tor Project\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2020-01-06 11:20+0100\n"
"PO-Revision-Date: 2019-11-29 02:19+0000\n"
"Last-Translator: Benny Beat <bennybeat@gmail.com>\n"
"PO-Revision-Date: 2020-01-06 13:47+0000\n"
"Last-Translator: erinm\n"
"Language-Team: Catalan (http://www.transifex.com/otf/torproject/language/"
"ca/)\n"
"Language: ca\n"
......@@ -199,9 +199,8 @@ msgid "The system is up-to-date"
msgstr ""
#: config/chroot_local-includes/usr/src/iuk/lib/Tails/IUK/Frontend.pm:350
#, fuzzy
msgid "This version of Tails is outdated, and may have security issues."
msgstr "Aquesta versió de Tails té problemes de seguretat coneguts:"
msgstr ""
#: config/chroot_local-includes/usr/src/iuk/lib/Tails/IUK/Frontend.pm:382
#, perl-brace-format
......@@ -244,9 +243,8 @@ msgid ""
msgstr ""
#: config/chroot_local-includes/usr/src/iuk/lib/Tails/IUK/Frontend.pm:448
#, fuzzy
msgid "Upgrade available"
msgstr "no disponible"
msgstr ""
#: config/chroot_local-includes/usr/src/iuk/lib/Tails/IUK/Frontend.pm:449
msgid "Upgrade now"
......@@ -271,9 +269,8 @@ msgid ""
msgstr ""
#: config/chroot_local-includes/usr/src/iuk/lib/Tails/IUK/Frontend.pm:474
#, fuzzy
msgid "New version available"
msgstr "no disponible"
msgstr ""
#: config/chroot_local-includes/usr/src/iuk/lib/Tails/IUK/Frontend.pm:555
msgid "Downloading upgrade"
......@@ -351,37 +348,32 @@ msgid ""
msgstr ""
#: config/chroot_local-includes/usr/src/iuk/lib/Tails/IUK/Frontend.pm:712
#, fuzzy
msgid "Restart Tails"
msgstr "Reinicia"
msgstr ""
#: config/chroot_local-includes/usr/src/iuk/lib/Tails/IUK/Frontend.pm:713
#, fuzzy