Commit 23965452 authored by Tails developers's avatar Tails developers

Upgrade documentation for the TBB migration.

parent 6c6d7392
......@@ -147,14 +147,14 @@ configure_chroot () {
done
chmod a+r ${CHROOT}/etc/resolv.conf
# Remove all Iceweasel addons: some adds proxying, which we don't
# Remove all addons: some adds proxying, which we don't
# want; some may change the fingerprint compared to a standard
# Iceweasel install. Note: We cannot use apt-get since we don't ship its
# Firefox install. Note: We cannot use apt-get since we don't ship its
# lists (#6531). Too bad, APT supports globbing, while dkpg does not.
dpkg -l 'xul-ext-*' | /bin/grep '^ii' | awk '{print $2}' | \
xargs chroot ${CHROOT} dpkg --remove
# Create a fresh Iceweasel profile for the clearnet user
# Create a fresh browser profile for the clearnet user
CLEARNET_PROFILE="${CHROOT}"/home/clearnet/.tor-browser/profile.default
CLEARNET_EXT="${CLEARNET_PROFILE}"/extensions
......@@ -210,7 +210,7 @@ EOF
}
run_browser_in_chroot () {
# Start Iceweasel in the chroot
# Start the browser in the chroot
echo "* Starting Unsafe Browser"
sudo -u ${SUDO_USER} xhost +SI:localuser:${CLEARNET_USER} 2>/dev/null
......
When Tails is built, the searchplugins defined in these directories
will be symlinked to the corresponding locale directory in
/etc/iceweasel/searchplugins/locale. With one twist: if a language
has more than one locale, the searchplugins will be symlinked in all
the corresponding directories.
/usr/local/lib/tor-browser/Browser/distribution/searchplugins/locale with
one twist: if a language has more than one locale, the searchplugins
will be symlinked in all the corresponding directories.
......@@ -745,9 +745,9 @@ See [[doc/about/features]].
## 3.3 Internationalization
Tails ships, as is, localization files provided by the installed
Debian packages. All available iceweasel localization packages
Debian packages. All available Tor Browser localization packages
are installed. Spell checking software and data is installed for the
set of best supported languages; it is usable at least is Iceweasel,
set of best supported languages; it is usable at least is Tor Browser,
LibreOffice and gedit.
### 3.3.1 Input methods
......@@ -945,77 +945,58 @@ granting `sudo` privileges to the `amnesia` user by default.
Unless an administrator password is set in tails-greeter,
no root access is possible afterwards.
### 3.6.13 Iceweasel
(Note: Iceweasel is the name of the web browser, based on Mozilla
Firefox, that is shipped by Debian and thus by Tails.)
Tails ships custom Iceweasel ESR packages built with the Torbrowser
patches to better blend in the Tor Browser Bundle's anonymity set.
Some patches, that are not relevant for Tails, are not
applied, though: see the Tails browser's
[changelog](https://git-tails.immerda.ch/iceweasel/plain/debian/changelog?h=tails/master)
for the current status.
Iceweasel uses the Torbutton extension in order to prevent attacks
using JavaScript, plugins and other non-HTTP features like web
bugs. It is configured to always be enabled on Iceweasel start and
uses Tor as SOCKS5 proxy. SOCKS is configured to perform name
resolution through this proxy. Iceweasel is also configured to not
cache to disk (mainly to reduce memory usage for DVD users as disk
writes will be stored there), history is disabled (just in case) and
many other things. It is also set up not to automatically check for
updates of its installed extensions. Java support is disabled.
Iceweasel is shipped with some extensions to help users manage their
browsing experience. The Torbutton settings treat all cookies as
session cookies by default. This prevents the
known leak of browsing information cookies can lead to. The [Adblock
plus](https://addons.mozilla.org/fr/firefox/addon/1865/) extension
protects against many tracking possibilities by removing most ads.
Tails ships the [HTTPS
Everywhere](https://www.eff.org/https-everywhere) extension that
forces HTTPS usage for requests to a number of major websites.
Tails also ships the
[FoxyProxy](https://addons.mozilla.org/fr/firefox/addon/2464/)
extension that:
- allows using I2P instead of Tor to visit eepsites (I2P's own hidden
services look-alike); see [[the design document dedicated to Tails
use of I2P|I2P]] for details;
- could help [[!tails_todo FTP_in_Iceweasel desc="fixing Iceweasel's FTP support"]].
Thanks to Torbutton, to the Tor Browser patches, and to us importing
(most of) the TBB preferences, Iceweasel is configured so that Tor browser
fingerprint appears uniformly among Torbutton users. Tails enables
Torbutton's EN-US locale spoofing to avoid partitioning Tails
users into per-language anonymity sets.
Torbutton is also configured to spoof the timezone settings the same
way as the Tor Browser Bundle does, i.e. to `UTC+00:00`.
Thanks to the Tor Browser patches, the in-memory web cache is isolated
to the url bar origin.
The Iceweasel config is poorly commented but the commit messages in
Git history explains it all. In a nutshell, Iceweasel preferences are
set in various ways:
* A Tor Browser patch called
`0022-Tor-Browser-s-Firefox-preference-overrides.patch` bundles
their prefs directly into `omni.ja`.
* `/etc/iceweasel/*/*.js` contains:
- Torbutton preferences that the TBB also sets;
- some Tails-specific settings.
Whenever the user tries to start Iceweasel before Tor is ready, they
are informed it won't work, and asked whether to start the browser
anyway:
- [[!tails_gitweb config/chroot_local-includes/usr/local/bin/iceweasel]]
- [[!tails_gitweb config/chroot_local-includes/usr/local/sbin/tor-has-bootstrapped]]
### 3.6.13 Tor Browser
Tails ships with the Tor Browser, which is based on Mozilla Firefox
and patched by the Tor Project for improved anonymity by reducing
information leaks, decreasing attack surface and similar. The actual
binaries etc. used in Tails are those distributed by the Tor Project,
but the configuration differs slightly, which is described below.
In Tails we diverge from the TBB's one-profile-only design, and
install the Tor Browser in a globally accessible directory used by all
browser profiles (and other XUL applications).
- [[!tails_gitweb config/chroot_local-hooks/10-tbb]]
The default profile is split from the binaries and application data:
- [[!tails_gitweb_dir config/chroot_local-includes/etc/tor-browser]]
As for extensions we have the following differences:
* Tails also installs the
[Adblock plus](https://addons.mozilla.org/fr/firefox/addon/1865/)
extension to protect against many tracking possibilities by removing
most ads.
* Tails also ships the
[FoxyProxy](https://addons.mozilla.org/fr/firefox/addon/2464/)
extension that:
- allows using I2P instead of Tor to visit eepsites (I2P's own
hidden services look-alike); see
[[the design document dedicated to Tails use of I2P|I2P]] for
details;
- could help
[[!tails_todo FTP_in_Iceweasel desc="fixing web browser FTP support"]].
* Tails does not install the same Torbutton as in the TBB. We
installed a patched version.
* Tails does not install the Tor Launcher extension as part of the
browser. A patched Tor Launcher is installed for use as a
stand-alone XUL application, though.
In Tails we do not use the `start-tor-browser` script, since it does a
lot of stuff not needed in Tails (error checking mainly) and isn't
flexible since it looks for the browser profile in a specific
place. Our custom script makes use of the global installation and also
makes sure the default profile is used as a basis. Also, whenever the
user tries to start the Tor Browser before Tor is ready, they are
informed it won't work, and asked whether to start the browser anyway:
- [[!tails_gitweb config/chroot_local-includes/usr/local/bin/tor-browser]]
- [[!tails_gitweb config/chroot_local-includes/usr/local/bin/generate-tor-browser-profile]]- [[!tails_gitweb config/chroot_local-includes/usr/local/sbin/tor-has-bootstrapped]]
- [[!tails_gitweb config/chroot_local-includes/etc/sudoers.d/zzz_tor-has-bootstrapped]]
Once Tor is ready to be used, the user is informed they can now use
......@@ -1023,15 +1004,13 @@ the Internet:
- [[!tails_gitweb config/chroot_local-includes/etc/NetworkManager/dispatcher.d/60-tor-ready-notification.sh]]
Source code, scripts and configuration:
The remaining configuration differences can be found in:
- [[!tails_gitweb_dir config/chroot_local-includes/etc/iceweasel]]
- Tails' Iceweasel source [[lives in Git|contribute/git]]
- [[!tails_gitweb config/chroot_local-hooks/12-remove_unwanted_iceweasel_searchplugins]]
- [[!tails_gitweb config/chroot_local-hooks/13-iceweasel_sqlite]]
- [[!tails_gitweb_dir config/chroot_local-includes/etc/tor-browser/preferences/zzz_tails.js]]
- [[!tails_gitweb config/chroot_local-hooks/12-remove_unwanted_browser_searchplugins]]
- [[!tails_gitweb config/chroot_local-hooks/13-override-tbb-branding]]
- [[!tails_gitweb config/chroot_local-hooks/14-add_localized_iceweasel_searchplugins]]
- [[!tails_gitweb config/chroot_local-hooks/14-generate-iceweasel-profile]]
- [[!tails_gitweb config/chroot_local-hooks/14-add_localized_browser_searchplugins]]
- [[!tails_gitweb config/chroot_local-hooks/14-generate-tor-browser-profile]]
- [[!tails_gitweb config/chroot_local-hooks/15-symlink-places.sqlite]]
### 3.6.14 Claws Mail
......@@ -1244,7 +1223,7 @@ release candidates images before they are officially published.
### 3.8.3 Upgrades
Keeping Tor (stable releases only, unless the Tor core developers
recommend otherwise) and Iceweasel up-to-date is a priority.
recommend otherwise) and the Tor Browser up-to-date is a priority.
Remaining applications, including the base system, will be upgraded
using Debian standard upgrade process, and generally based on the
......@@ -1299,11 +1278,11 @@ where Tails is heading to.
Tails tries to make it as difficult as possible to distinguish Tails
users from other Tor users.
Iceweasel is configured to match the fingerprint of the Tor Browser
The Tor Browser used in Tails is configured to match the fingerprint of the Tor Browser
Bundle and the known differences, if any, are listed in the [[known
issues|support/known_issues]] page.
However the fact that different extensions are installed in Tails and in
However the fact that different browser extensions are installed in Tails and in
the TBB surely allows more sophisticated attacks that usual fingerprint
as returned by tools such as <https://panopticlick.eff.org/> and
<http://ip-check.info/>. For example, the fact that Adblock is removing
......
......@@ -11,7 +11,7 @@ be able to access eepsites from Tails.
Versions
========
[I2P](https:/geti2p.net) has been included since Tails v0.7 with Iceweasel
[I2P](https:/geti2p.net) has been included since Tails v0.7 with the web browser
preconfigured using FoxyProxy so that eepsites (`.i2p` TLD) are directed to
I2P. All other traffic gets routed through Tor.
......@@ -78,12 +78,12 @@ participating in I2P traffic:
[[!tails_gitweb config/chroot_local-hooks/16-i2p_config]].
[[!tails_todo iceweasel_addon_-_FoxyProxy desc="FoxyProxy"]] has been installed
system-wide, and the default iceweasel profile provides with a
system-wide, and the default web browser profile provides with a
configuration handling the I2P integration. FoxyProxy's whitelist
filter is used to make sure that the corresponding urls will be
proxied appropriately.
Below are the patterns that each url handled by iceweasel will be
Below are the patterns that each url handled by the web browser will be
matched against. These patterns will be tried in order, from top to
bottom, until the first match is found:
......@@ -231,7 +231,7 @@ Things to meditate upon
SOCKS5. This effectively breaks FTP completely, so there's room for
adding a pattern above number 4 which matches ftp connections
(i.e. `^ftp://.*`) and proxies them through some ftp proxy using Tor
as its parent proxy. See [[!tails_todo FTP_in_Iceweasel]]. As an addition,
as its parent proxy. See [[!tails_todo FTP_in_Iceweasel desc="FTP in Tor Browser"]]. As an addition,
at the moment (versions <=0.8) ftp does not work in I2P for
technical reasons, so no pattern for that is needed.
......@@ -258,4 +258,4 @@ Things to meditate upon
* Are the patterns used above correct for their intended purposes?
Does the FoxyProxy setup in any way open up for attacks? See
[[!tails_todo iceweasel_addon_-_FoxyProxy]].
[[!tails_todo iceweasel_addon_-_FoxyProxy desc="FoxyProxy"]].
......@@ -14,8 +14,8 @@ Internet access seem required for avoiding this problem.
Requirements
============
* It must run a completely separate Iceweasel profile from the
Torified browser's.
* It must run a completely separate browser profile from the
Torified browser.
* It must be hard to start by mistake.
* It must be hard to mistake for the Torified browser.
* It must be configured to use the DNS provided by DHCP (which is required
......@@ -42,8 +42,8 @@ when started:
0. Show a dialog asking the user for verification, while also briefly
explaining that the Unsafe Browser won't be anonymous.
0. "No" is the default answer, but if "Yes", we start a separate
Iceweasel instance.
0. Iceweasel is configured to use a theme with scary colors (red). To
browser instance.
0. The browser is configured to use a theme with scary colors (red). To
not raise suspicion the scary theme is not used when Windows
camouflage is activated, but instead the normal Internet Explorer
theme is used.
......
......@@ -23,8 +23,8 @@ This is relevant for the following applications:
- GnuPG, SSH and OTR key pairs
- GnuPG configuration
- SSH client configuration
- iceweasel certificate trust
- iceweasel bookmarks
- Tor Browser certificate trust
- Tor Browser bookmarks
- Pidgin configuration
- MUA configuration
- printers configuration
......
......@@ -26,8 +26,8 @@ Tails:
Web Browser
-----------
Until Torbrowser implements clever fine-grained stream isolation
([[!tor_bug 3455]]), Iceweasel is merely directed to a dedicated SOCKS port.
Until the Tor Browser implements clever fine-grained stream isolation
([[!tor_bug 3455]]) it is merely directed to a dedicated SOCKS port.
Destination address/port -based circuit isolation
-------------------------------------------------
......@@ -46,7 +46,7 @@ However:
before we ship it to the masses.
For performance reasons, we will start with *not* using
`IsolateDestAddr`/`IsolateDestPort` for iceweasel we ship: nowadays,
`IsolateDestAddr`/`IsolateDestPort` for the Tor Browser: nowadays,
loading a mere web page often requires fetching resources from a dozen
or more remote sources. (Also, it looks like the use of
`IsolateDestAddr` in a modern web browser may create very uncommon
......@@ -91,9 +91,7 @@ in [[!tails_gitweb config/chroot_local-includes/etc/tor/torrc]]:
Applications are configured to use the right SOCKS port:
- [[!tails_gitweb config/chroot_local-includes/etc/iceweasel/pref/iceweasel.js]]
- [[!tails_gitweb config/chroot_local-includes/etc/iceweasel/profile/foxyproxy.xml]]
- [[!tails_gitweb config/chroot_local-includes/etc/iceweasel/profile/user.js]]
- [[!tails_gitweb config/chroot_local-includes/etc/tor-browser/profile/preferences/zzz_tails.js]]
- [[!tails_gitweb config/chroot_local-includes/etc/init.d/htpdate]]
- [[!tails_gitweb config/chroot_local-includes/etc/tor/tor-tsocks-mua.conf]]
- [[!tails_gitweb config/chroot_local-includes/usr/local/bin/tails-security-check]]
......
......@@ -119,7 +119,7 @@ is described in its principal use cases. For example:
The screen reading functionality of <span class="application">GNOME
Orca</span> does not work neither with the <span
class="application">Iceweasel Web Browser</span> nor with the <span
class="application">Tor Browser</span> nor with the <span
class="application">Unsafe Web Browser</span>.
</div>
......
......@@ -41,12 +41,6 @@ Pre-freeze
The [[contribute/working_together/roles/release_manager]] role
documentation has more tasks that should be done early enough.
Update Iceweasel preferences
----------------------------
* update `extensions.adblockplus.currentVersion` in
`config/chroot_local-includes/etc/iceweasel/profile/user.js`
Coordinate with Debian security updates
---------------------------------------
......@@ -71,22 +65,22 @@ AdBlock patterns
----------------
Patterns are stored in
`config/chroot_local-includes/etc/iceweasel/profile/adblockplus/`.
`config/chroot_local-includes/etc/tor-browser/profile.default/adblockplus/`.
1. Boot Tails
2. Open *Tools* → *Addons*
2. Start the tor Browser and open *Tools* → *Addons*
3. Select *Adblock Plus* in extensions
4. Open *Preferences* → *Filter preferences…*
5. For each filters, click *Actions* → *Update filters*
6. Close Iceweasel
7. Copy the `.mozilla/firefox/default/adblockplus/patterns.ini` from
this Iceweasel instance to the
`config/chroot_local-includes/etc/iceweasel/profile/adblockplus`
6. Close the Tor Browser
7. Copy the `.tor-browser/profile.default/adblockplus/patterns.ini` from
this Tor Browser instance to the
`config/chroot_local-includes/etc/tor-browser/profile.default/adblockplus`
directory in the Tails Git checkout.
8. Commit:
git commit -m 'Update AdBlock Plus patterns.' \
config/chroot_local-includes/etc/iceweasel/profile/adblockplus/patterns.ini
config/chroot_local-includes/etc/tor-browser/profile.default/adblockplus/patterns.ini
Upgrade bundled binary Debian packages
--------------------------------------
......@@ -116,7 +110,6 @@ Correct all the errors that are not in the ignored list of
Then see the relevant release processes:
* [[iceweasel]]
* [[liveusb-creator]]
* [[tails-greeter]]
* [[perl5lib]]
......@@ -127,6 +120,11 @@ Then see the relevant release processes:
* build a Debian package
* upload it to our [[APT repository]]
Upgrade the Tor Browser
-----------------------
See the dedicated page: [[tor-browser]]
Update PO files
---------------
......@@ -479,15 +477,6 @@ Prepare upgrade-description files
Upload images
=============
Sanity check
------------
Verify that the current source for Firefox is still the same we've
used when preparing our custom Iceweasel package: e.g. FF17.0.8 got
re-tagged and re-uploaded at the last minute, due to a test failure.
Better catch this before people spend time doing manual tests.
## Announce, seed and test the Torrents
Announce and seed the Torrents.
......@@ -622,7 +611,7 @@ image to be released was *built*. Including:
- the list of BSA fixed in packages we ship since those that were in
the previous release of Tails:
<https://lists.debian.org/debian-backports-announce/>
- the list of MFSA fixed by the iceweasel update:
- the list of MFSA fixed by the Tor Browser update:
<https://www.mozilla.org/security/announce/>
If preparing a release candidate
......@@ -679,12 +668,6 @@ Testing
Go wild!
========
Sanity check
------------
Verify once more that the current source for Firefox is still the same
we've used when preparing our custom Iceweasel packages.
Push
----
......
......@@ -5,17 +5,6 @@ by delaying a Tails release a bit to wait for a DSA to happen.
[[!toc levels=2]]
Iceweasel
=========
Mozilla updates are scheduled in advance. Searching the web for the
next (point-)release number tells you when it will be released. Add
2-3 days to this release date, and you know when a xulrunner/iceweasel
Debian security update will be ready on the mirrors.
See the [releases page](http://wiki.mozilla.org/Releases) on Mozilla
wiki.
Debian security team
====================
......
[[!meta title="Releasing Iceweasel + Torbrowser patches"]]
[[!toc levels=2]]
1. Prepare environment
======================
* Clone our Tor browser
[[Git repository|contribute/git#other-repositories]] if you do not
have it handy yet.
* Add (and fetch from) a Git remote for the Debian iceweasel packaging
repository:
git remote add -f debian git://git.debian.org/git/pkg-mozilla/iceweasel.git
* Export the new upstream release to the environment of the one shell
or three that will be used:
export VERSION=17.0.9esr
2. Was Iceweasel updated?
=========================
It might have been updated in one of these sources:
* branch `esr/master` in `git://git.debian.org/git/pkg-mozilla/iceweasel.git`
* <http://mozilla.debian.net/pool/iceweasel-esr/i/iceweasel/>
**If** it was updated, then skip to [[New Iceweasel release|iceweasel#new-iceweasel-release]].
**Else**, skip to [[New Firefox release|iceweasel#new-firefox-release]].
<a id="new-firefox-release"></a>
3. New Firefox release
======================
If Iceweasel was not updated to match the new Firefox release we want,
a bit more work is needed.
Note that usually, we're doing these steps (usually on Sunday or
Monday) *before* the new ESR was officially released (which usually
happens on Tuesday). Mozilla make the source available on previous
Friday or Saturday, so that downstreams (such as us!) can get their
stuff ready in time for the security announce.
* Download the Firefox tarball and detached signature from
<https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/VERSION/source/>
(`VERSION` is the version we want to build, that is something like
`17.0.7esr`).
If it's not ready there yet, look at
<https://ftp.mozilla.org/pub/mozilla.org/firefox/candidates/VERSION-candidates/>
instead: Mozilla now only moves the tarballs to the `releases` directory after
it has passed their internal QA.
* Check the signature.
* Put the tarball in the parent directory of your Iceweasel Git repository.
* Extract the tarball.
* `cd` into the extracted directory.
* Copy the `debian/` directory from our previous package into the new
upstream source directory.
* Add a `debian/changelog` entry matching the new
upstream version. Use 0 for the Debian packaging version, e.g.
`17.0.5esr-0`, to leave room for the official packaging that we will
want to merge when it's out:
dch -v ${VERSION}-0 "New upstream release."
* If you had to download a *candidate* version above, patch
`debian/upstream.mk` so that it downloads stuff from the same place,
e.g.:
--- a/debian/upstream.mk
+++ b/debian/upstream.mk
@@ -89,12 +89,12 @@ ifndef L10N_CHANNEL
L10N_CHANNEL := $(SOURCE_CHANNEL)
endif
-BASE_URL = ftp://ftp.mozilla.org/pub/mozilla.org/$(PRODUCT_NAME)/$(SOURCE_TYPE)
+BASE_URL = ftp://ftp.mozilla.org/pub/mozilla.org/$(PRODUCT_NAME)/candidates
L10N_FILTER = awk '(NF == 1 || /linux/) && $$1 != "en-US" { print $$1 }'
$(call lazy,L10N_LANGS,$$(shell $$(L10N_FILTER) $(PRODUCT)/locales/shipped-locales))
ifeq ($(SOURCE_TYPE),releases)
-SOURCE_URL = $(BASE_URL)/$(SOURCE_VERSION)/source/$(PRODUCT_NAME)-$(SOURCE_VERSION).source.tar.bz2
+SOURCE_URL = $(BASE_URL)/$(SOURCE_VERSION)-candidates/build1/source/$(PRODUCT_NAME)-$(SOURCE_VERSION).source.tar.bz2
SOURCE_REV = $(call uc,$(PRODUCT_NAME))_$(subst .,_,$(SOURCE_VERSION))_RELEASE
L10N_REV = $(SOURCE_REV)
SOURCE_REPO = http://hg.mozilla.org/releases/$(SOURCE_CHANNEL)
**Beware**: make sure to replace `build1` with the name of the
directory you downloaded the upstream candidate tarball above.
* Download and repack the other tarballs:
make -f debian/rules download
* `cd` into our Iceweasel Git directory.
* Checkout the `tails/master` branch.
* Unapply all quilt patches and commit:
quilt pop -a && \
git add . && git reset HEAD .pc && git commit -a -m 'Unapply all quilt patches.'
* Get yourself a new upstream branch:
git branch -D upstream && \
git branch upstream tails/master
* Trick the tarball importer to import the correct version:
cp ../mozilla-esr24/browser/config/version.txt browser/config/ && \
cp ../mozilla-esr24/debian/changelog debian/
* Import the new upstream release into the `upstream` branch:
make -f debian/rules import
* Merge the import commit into `tails/master`:
git reset --hard && git merge upstream
* Get the `debian` directory back:
git checkout HEAD^ -- debian && \
git commit -m 'Get Debian packaging directory back.'
* Don't ignore `.mozconfig`'s:
grep -v -F '/.mozconfig*' .gitignore | sponge .gitignore && \
git commit -m "Don't ignore .mozconfig's." .gitignore
* Cleanup quilt status:
rm -rf .pc
* Apply all quilt patches:
quilt push -a
It might be that the last patch (`configure.patch`) fails. Ignore it
for now.
* Commit:
git add . && git reset HEAD .pc && git commit -a -m 'Apply all quilt patches.'
<a id="new-iceweasel-release"></a>
4. New Iceweasel release
=========================
Skip this entire stage if you imported a new Firefox release.
The way to proceed is different depending on whether Debian's
iceweasel was pushed to it yet, or not.
If Debian's iceweasel was pushed to Git already
-----------------------------------------------
* Retrieve the update from the iceweasel Git repository and verify the
Git tag you want to import, e.g.
git fetch debian && git tag -v debian/17.0.8esr-1
* Checkout our `tails/master` branch.
* Unapply all Torbrowser patches:
- If quilt knows they are applied (`quilt applied` will tell you),
then use `quilt pop` as many times as needed.
- Else, some manual care is needed so that quilt internal state
matches the actual state of the source tree. We need to manually
unapply all quilt patches, then reapply them all:
for p in $(tac debian/patches/series) ; do
patch -p1 -R < "debian/patches/$p"
done && quilt push -a
... and then use `quilt pop` as many times as needed to unapply
all Torbrowser patches.
* `git add` the new files and the modified ones