Commit 2adc5f02 authored by sajolida's avatar sajolida

Merge remote-tracking branch 'origin/master'

parents 70d72e7e d6fadd6f
......@@ -57,12 +57,16 @@
/config/chroot_local-includes/usr/share/applications/tails-shutdown.desktop
/config/chroot_local-includes/usr/share/applications/tor-browser.desktop
/config/chroot_local-includes/usr/share/applications/tails-about.desktop
/config/chroot_local-includes/usr/share/applications/tails-installer.desktop
/config/chroot_local-includes/usr/share/applications/unlock-veracrypt-volumes.desktop
/config/chroot_local-includes/usr/share/applications/whisperback.desktop
/config/chroot_local-includes/usr/share/desktop-directories/Tails.directory
/config/chroot_local-includes/usr/share/polkit-1/actions/org.boum.tails.root-terminal.policy
/config/chroot_local-includes/usr/share/polkit-1/actions/org.boum.tails.additional-software.policy
/config/chroot_local-includes/usr/share/tails/greeter/*.ui
/config/chroot_local-includes/usr/share/tails-installer/*.ui
/config/chroot_local-includes/usr/share/tails/unlock-veracrypt-volumes/*.ui
/config/chroot_local-includes/usr/share/whisperback/*.ui
/tmp/
# The test suite's local configuration files
......
#!/bin/bash
set -eu
set -o pipefail
NAME=$(basename "${0}")
LONGOPTS="version:,isos:,release-branch:,matching-jenkins-images-build-id:"
OPTS=$(getopt -o "" --longoptions $LONGOPTS -n "${NAME}" -- "$@")
eval set -- "$OPTS"
while [ $# -gt 0 ]; do
case $1 in
--version)
shift
VERSION="$1"
;;
--isos)
shift
ISOS="$1"
;;
--release-branch)
shift
RELEASE_BRANCH="$1"
;;
--matching-jenkins-images-build-id)
shift
MATCHING_JENKINS_IMAGES_BUILD_ID="$1"
;;
esac
shift
done
ssh misc.lizard mkdir "tails-amd64-${VERSION:?}"
scp "${ISOS:?}/tails-amd64-${VERSION:?}/tails-amd64-${VERSION:?}."{apt-sources,build-manifest,buildlog,packages,iso.sig,img.sig} \
"misc.lizard:tails-amd64-${VERSION:?}"
ssh misc.lizard gpg --import < "wiki/src/tails-signing.key"
ssh misc.lizard << EOF
cd tails-amd64-${VERSION:?} && \
wget --quiet \
"https://nightly.tails.boum.org/build_Tails_ISO_${RELEASE_BRANCH:?}/builds/${MATCHING_JENKINS_IMAGES_BUILD_ID:?}/archive/build-artifacts/tails-amd64-${VERSION:?}.iso" \
"https://nightly.tails.boum.org/build_Tails_ISO_${RELEASE_BRANCH:?}/builds/${MATCHING_JENKINS_IMAGES_BUILD_ID:?}/archive/build-artifacts/tails-amd64-${VERSION:?}.img" && \
gpg --verify tails-amd64-${VERSION:?}.iso{.sig,} && \
gpg --verify tails-amd64-${VERSION:?}.img{.sig,}
EOF
ssh misc.lizard << EOF
( [ -d isos ] || git clone gitolite@puppet-git.lizard:isos.git ) && \
cd isos && \
git annex init && \
git annex sync && \
git annex import ../tails-amd64-${VERSION:?} && \
rmdir ../tails-amd64-${VERSION:?} && \
git commit -m "Add Tails ${VERSION:?}" && \
git annex sync && \
git annex copy tails-amd64-${VERSION:?} --to origin && \
git annex drop tails-amd64-${VERSION:?} && \
git annex sync
EOF
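Review bot: `gpg --verify` on misc.lizard exits 0 for a good signature made by any key in that account's default keyring, so the earlier `gpg --import < "wiki/src/tails-signing.key"` does not by itself pin the check to the Tails signing key. Importing into and verifying against a dedicated GnuPG home would make the result depend only on that key, e.g. `gpg --homedir DIR --import` and then `gpg --homedir DIR --verify tails-amd64-${VERSION:?}.iso{.sig,}`, with DIR a freshly created directory on the remote host. The same import-then-verify pattern appears in the script that uploads to rsync.lizard further down this page. What else the remote keyring holds is not visible here, so this is a hardening suggestion rather than a confirmed bypass.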
#!/bin/sh
set -eu
for dir in config/APT_snapshots.d vagrant/definitions/tails-builder/config/APT_snapshots.d; do
(
set -eu
echo "${dir:?}:"
cd "${dir:?}"
for ARCHIVE in * ; do
SERIAL="$(cat ${ARCHIVE:?}/serial)"
if [ "${SERIAL:?}" = 'latest' ]; then
EXPIRY='never'
if [ "${ARCHIVE:?}" != 'debian-security' ]; then
echo "Warning: origin '${ARCHIVE:?}' is using the 'latest' snapshot, which is unexpected" >&2
fi
else
case "${ARCHIVE:?}" in
'debian-security')
DIST='buster/updates'
;;
'torproject')
DIST='buster'
;;
*)
DIST='stable'
;;
esac
EXPIRY="$(curl --silent "https://time-based.snapshots.deb.tails.boum.org/${ARCHIVE:?}/dists/${DIST:?}/snapshots/${SERIAL:?}/Release" | sed -n 's/^Valid-Until:\s\+\(.*\)$/\1/p')"
fi
echo "* Archive '${ARCHIVE:?}' uses snapshot '${SERIAL:?}' which expires on: ${EXPIRY:?}"
done
echo ---
)
done
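Review bot: `curl --silent` without `--fail` hides why a fetch went wrong: an HTTP error page or a network failure just leaves `EXPIRY` empty, and the subshell then aborts on `${EXPIRY:?}` with a generic "parameter null or not set" message. `curl --fail --silent --show-error` stays quiet on success but prints the transport or HTTP error for the affected archive. Separately, `$(cat ${ARCHIVE:?}/serial)` leaves the path unquoted; `"$(cat "${ARCHIVE:?}/serial")"` also copes with directory names containing whitespace or glob characters.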
#!/bin/bash
set -eu
set -o pipefail
NAME=$(basename "${0}")
LONGOPTS="version:,dist:,release-branch:,matching-jenkins-images-build-id:"
OPTS=$(getopt -o "" --longoptions $LONGOPTS -n "${NAME}" -- "$@")
eval set -- "$OPTS"
while [ $# -gt 0 ]; do
case $1 in
--version)
shift
VERSION="$1"
;;
--dist)
shift
DIST="$1"
;;
--release-branch)
shift
RELEASE_BRANCH="$1"
;;
--matching-jenkins-images-build-id)
shift
MATCHING_JENKINS_IMAGES_BUILD_ID="$1"
;;
esac
shift
done
ssh rsync.lizard gpg --import < wiki/src/tails-signing.key
ssh rsync.lizard << EOF
wget --quiet \
"https://nightly.tails.boum.org/build_Tails_ISO_${RELEASE_BRANCH:?}/builds/${MATCHING_JENKINS_IMAGES_BUILD_ID:?}/archive/build-artifacts/tails-amd64-${VERSION:?}.iso" \
"https://nightly.tails.boum.org/build_Tails_ISO_${RELEASE_BRANCH:?}/builds/${MATCHING_JENKINS_IMAGES_BUILD_ID:?}/archive/build-artifacts/tails-amd64-${VERSION:?}.img" && \
gpg --verify tails-amd64-${VERSION:?}.iso{.sig,} && \
gpg --verify tails-amd64-${VERSION:?}.img{.sig,}
EOF
ssh rsync.lizard << EOF
sudo install -o root -g rsync_tails -m 0755 -d \
/srv/rsync/tails/tails/${DIST:?}/tails-amd64-${VERSION:?} && \
sudo chown root:rsync_tails tails-amd64-${VERSION:?}.{iso,img}* && \
sudo chmod u=rwX,go=rX tails-amd64-${VERSION:?}.{iso,img}* && \
sudo mv tails-amd64-${VERSION:?}.{iso,img}* \
/srv/rsync/tails/tails/${DIST:?}/tails-amd64-${VERSION:?}
EOF
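Review bot: The `tails-amd64-${VERSION:?}.{iso,img}*` globs in the last heredoc chown, chmod and move every file in the remote home directory that starts with those names, not only the two images that `gpg --verify` just checked. If an earlier run left an image behind, `wget` (called here without `--no-clobber` or `-O`) saves the new download under a `.1` suffix, the verify step checks the old file, and the glob then publishes the unverified `.1` copy under /srv/rsync. Naming the files explicitly, e.g. `tails-amd64-${VERSION:?}.{iso,img}{,.sig}`, limits what is published to what was verified. The script also relies on the `.sig` files already being present on rsync.lizard; nothing visible here copies them, so a comment naming the step that provides them would help.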
......@@ -92,41 +92,6 @@ def download_iuks_from_jenkins(
destdir: str,
jenkins_iuks_base_url: str,
jenkins_build_id: int) -> None:
# This assumes same basename for hashes, locally and in Jenkins:
log.info("Downloading IUK hashes (if available) from Jenkins to %s…" % (desthost))
try:
url = "%s/%s/archive/%s" % (
jenkins_iuks_base_url,
jenkins_build_id,
Path(hashes_file).name
)
jenkins_hashes = '%(d)s/%(f)s' % {
"d": destdir,
"f": '%s.jenkins' % Path(hashes_file).name
}
our_hashes = '%(d)s/%(f)s' % {
"d": destdir,
"f": Path(hashes_file).name,
}
subprocess.run(
["ssh", desthost, "wget", "--quiet", "--no-clobber",
"-O", jenkins_hashes, url],
check=True
)
subprocess.run(
["ssh", desthost,
"sh -c \"if ! cmp -s '%(j_h)s' '%(o_h)s'; then "
"echo 'WARNING: IUK hashes seem different'; else "
"echo 'OK: IUK hashes seem similar'; fi\"" % {
"j_h": jenkins_hashes,
"o_h": our_hashes,
}],
check=True
)
except subprocess.CalledProcessError:
log.error("Unable to download/validate IUK hashes from Jenkins")
log.info("Downloading IUKs from Jenkins to %s…" % (desthost))
iuks = iuks_listed_in(hashes_file)
log.debug("IUKS: %s" % ', '.join(iuks))
......
#! /usr/bin/python3
import email.utils
import subprocess
from datetime import datetime, timedelta
import jinja2
def feedback_deadline(final_date: datetime) -> datetime:
return final_date - timedelta(days=2)
def call_for_testing_contents(args) -> str:
jinja2_env = jinja2.Environment(
loader=jinja2.FileSystemLoader('config/release_management/templates'))
return (jinja2_env.get_template('call_for_testing.mdwn').render(
date=email.utils.format_datetime(datetime.fromisoformat(args.date)),
version=args.version,
tag=args.tag,
final_date=datetime.fromisoformat(args.final_date).strftime("%B %d"),
final_version=args.final_version,
deadline=feedback_deadline(datetime.fromisoformat(
args.final_date)).strftime("%B %d")))
if __name__ == '__main__':
import argparse
parser = argparse.ArgumentParser()
parser.add_argument('--version', required=True)
parser.add_argument('--tag', required=True)
parser.add_argument('--date', required=True)
parser.add_argument('--final-version', required=True)
parser.add_argument('--final-date', required=True)
args = parser.parse_args()
print(call_for_testing_contents(args))
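Review bot: `--date` and `--final-date` are taken as free-form strings and only parsed inside `call_for_testing_contents()`, so a malformed date ends in a `ValueError` traceback, and `args.final_date` is parsed twice. Declaring them as `parser.add_argument('--final-date', required=True, type=datetime.fromisoformat)` (and the same for `--date`) turns bad input into a normal argparse usage error and lets the function use the datetime values directly. Neither function has a docstring; one line each, saying that `feedback_deadline()` returns the date two days before the final release and that `call_for_testing_contents()` renders the `call_for_testing.mdwn` template, would be enough.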
......@@ -24,9 +24,7 @@ GROUP_NAME = 'tails'
PROJECTS = [
GROUP_NAME + '/' + project for project in [
'chutney',
'installer',
'tails',
'whisperback',
'workarounds',
]
]
......
#!/bin/sh
set -u
current_mfsa() {
local current
current="$(
torsocks --isolate curl --silent https://www.mozilla.org/en-US/security/advisories/ | \
sed --regexp-extended -n 's@.*<a href="/en-US/security/advisories/(mfsa[0-9]+-[0-9]+)/".*>@\1@p' | \
sort -n | \
tail -n 1
)"
echo "$(date --rfc-3339=s): got ${current}" >&2
echo "${current}"
}
initial="$(current_mfsa)"
while true; do
new="$(current_mfsa)"
[ -n "${new}" ] || continue
if [ "${new}" != "${initial}" ]; then
echo "${new}"
exit 0
fi
sleep 60
done
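Review bot: When a fetch returns nothing, `[ -n "${new}" ] || continue` jumps back to the top of the loop without reaching `sleep 60`, so a network or Tor outage turns this into a tight loop that requests the advisories page back to back. `[ -n "${new}" ] || { sleep 60; continue; }` keeps the retry interval. `initial` gets no such check: if the first `current_mfsa` call fails, `initial` is empty and the first successful poll is reported as a new advisory. Also, `sort -n` finds no leading number in the `mfsaYYYY-NN` ids, so the order falls back to byte comparison; `sort --version-sort` would order them by their numeric parts.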
......@@ -17,13 +17,13 @@ export SOURCE_DATE_FAKETIME="$(date --utc --date="$(dpkg-parsechangelog --show-f
# Base for the string that will be passed to "lb config --bootappend-live"
# FIXME: see [[bugs/sdmem_on_eject_broken_for_CD]] for explanation why we
# need to set block.events_dfl_poll_msecs
AMNESIA_APPEND="live-media=removable nopersistence noprompt timezone=Etc/UTC block.events_dfl_poll_msecs=1000 splash noautologin module=Tails slab_nomerge slub_debug=FZP mce=0 vsyscall=none page_poison=1 init_on_alloc=1 init_on_free=1 mds=full,nosmt"
AMNESIA_APPEND="live-media=removable nopersistence noprompt timezone=Etc/UTC block.events_dfl_poll_msecs=1000 splash noautologin module=Tails slab_nomerge slub_debug=FZP mce=0 vsyscall=none page_poison=1 init_on_free=1 mds=full,nosmt"
# Options passed to isohybrid
AMNESIA_ISOHYBRID_OPTS="-h 255 -s 63 --id 42 --verbose"
# Kernel version
KERNEL_VERSION='5.7.0-3'
KERNEL_VERSION='5.8.0-2'
KERNEL_SOURCE_VERSION=$(
echo "$KERNEL_VERSION" \
| perl -p -E 's{\A (\d+ [.] \d+) [.] .*}{$1}xms'
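Review bot: The two `AMNESIA_APPEND` lines differ only in `init_on_alloc=1`. If the second is the new side (the `KERNEL_VERSION` pair is ordered 5.7.0-3 then 5.8.0-2, which suggests so), this change removes a kernel memory-hardening option from the default boot command line, and nothing visible in the hunk says why. A comment next to the assignment, such as `# init_on_alloc=1 is intentionally not set: <reason / ticket>`, would keep a later reader from treating the omission as an oversight or silently re-adding it. The `KERNEL_SOURCE_VERSION=$(` assignment continues past the end of the hunk.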
......
......@@ -79,7 +79,8 @@ Package: squashfs-tools
Pin: release o=Debian,n=sid
Pin-Priority: 999
Package: tails-installer
Explanation: install Thunderbird 68 until we're ready for 78 (#17962)
Package: calendar-google-provider lightning* thunderbird*
Pin: origin deb.tails.boum.org
Pin-Priority: 999
......@@ -87,7 +88,7 @@ Package: virtualbox*
Pin: release o=Debian,n=sid
Pin-Priority: 999
Package: webext-ublock-origin
Package: webext-ublock-origin-firefox
Pin: release o=Debian,n=sid
Pin-Priority: 999
......
......@@ -88,44 +88,6 @@ install_tor_browser() {
# Otherwise the "General" section in the preferences is not displayed.
install -d -m 0755 "${prep}"/TorBrowser/UpdateInfo
# Apply 10.0-build2 → 10.0-build3 changes:
(
local tmp
tmp="$(mktemp -d)"
cd "${tmp}"
7z x -tzip "${prep}/browser/omni.ja"
# Any $ in the below in-line patch must be escaped!
patch -p1 <<EOF
commit fb9428098b5b85eed400daa6e0010ac63faf8848 (tag: tor-browser-78.3.0esr-10.0-2-build2, origin/tor-browser-78.3.0esr-10.0-2)
Author: Matthew Finkel <sysrqb@torproject.org>
Date: Sat Sep 19 17:03:53 2020 +0000
Revert "fixup! TB4: Tor Browser's Firefox preference overrides."
This reverts commit c386fb3312237fd6c0d123ba9aaad662f8740e56.
We continue using the old webextensions storage backend due to #40137.
diff --git a/browser/app/profile/000-tor-browser.js b/browser/app/profile/000-tor-browser.js
index bac98ce06540..7e29c788b720 100644
--- a/defaults/preferences/000-tor-browser.js
+++ b/defaults/preferences/000-tor-browser.js
@@ -286,6 +286,8 @@ pref("extensions.htmlaboutaddons.recommendations.enabled", false);
pref("extensions.legacy.exceptions", "{972ce4c6-7e08-4474-a285-3208198ce6fd},torbutton@torproject.org");
// Bug 26114: Allow NoScript to access addons.mozilla.org etc.
pref("extensions.webextensions.restrictedDomains", "");
+// Bug 31396: Disable indexedDB WebExtension storage backend.
+pref("extensions.webextensions.ExtensionStorageIDB.enabled", false);
// Bug 28896: Make sure our bundled WebExtensions are running in Private Browsing Mode
pref("extensions.allowPrivateBrowsingByDefault", true);
EOF
touch --date="@${TBB_TIMESTAMP:?}" defaults/preferences/000-tor-browser.js
rm "${prep}/browser/omni.ja"
7z a -mtc=off -tzip "${prep}/browser/omni.ja" *
rm -r "${tmp}"
)
mv "${prep}" "${destination}"
rm -r "${tmp}"
}
......@@ -325,7 +287,7 @@ install_debian_extensions() {
fake_firefox_version=${firefox_version}+fake1
install_fake_package firefox "${fake_firefox_version}" web
apt-get install --yes webext-ublock-origin
apt-get install --yes webext-ublock-origin-firefox
patch -p1 < /usr/share/tails/uBlock-disable-autoUpdate.diff
# Apply the same hack for our extension as the Tor Browser does
......@@ -335,7 +297,7 @@ install_debian_extensions() {
embed_extensions_in_omni_ja "${destination}" "${timestamp}"
# ... and then remove the packages we just installed, since we
# don't need them outside of omni.ja.
apt purge --yes firefox webext-ublock-origin
apt purge --yes firefox webext-ublock-origin-firefox
}
create_default_profile() {
......
......@@ -11,17 +11,17 @@ echo "Setting up a build environment for kernel modules"
# Import ensure_hook_dependency_is_installed()
. /usr/local/lib/tails-shell-library/build.sh
# Install gcc-8 and fake linux-compiler-gcc-9-x86
# (linux-headers-5.3.0+ depends on it, but Buster hasn't GCC 9)
# Install gcc-8 and fake linux-compiler-gcc-10-x86
# (linux-headers-5.8.0+ depends on it, but Buster hasn't GCC 10)
ensure_hook_dependency_is_installed gcc-8
NEWEST_INSTALLED_KERNEL_VERSION="$(
dpkg-query --showformat '${Version}\n' --show 'linux-image-*-amd64' \
| sort --version-sort | tail -n1
)"
install_fake_package \
linux-compiler-gcc-9-x86 \
linux-compiler-gcc-10-x86 \
"${NEWEST_INSTALLED_KERNEL_VERSION}~0tails1"
ln -s /usr/bin/gcc-8 /usr/bin/gcc-9
ln -s /usr/bin/gcc-8 /usr/bin/gcc-10
ensure_hook_dependency_is_installed \
build-essential \
......
......@@ -11,5 +11,6 @@ tails-upgrade-frontend ALL = (tails-install-iuk) NOPASSWD: /usr/local/bi
tails-upgrade-frontend ALL = (tails-iuk-get-target-file) NOPASSWD: IUK_GET_TARGET_FILE
tails-upgrade-frontend ALL = (tails-iuk-get-target-file) NOPASSWD: /usr/local/bin/tails-iuk-mktemp-get-target-file ""
tails-upgrade-frontend ALL = NOPASSWD: /sbin/reboot ""
tails-upgrade-frontend ALL = NOPASSWD: /usr/local/bin/tails-iuk-cancel-download ""
tails-install-iuk ALL = NOPASSWD: INSTALL_IUK
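Review bot: The rule for `/usr/local/bin/tails-iuk-cancel-download ""` (apparently the one line this hunk adds) has no runas specification, so `tails-upgrade-frontend` runs that script as root, whereas the neighbouring IUK rules delegate to the dedicated `tails-install-iuk` and `tails-iuk-get-target-file` accounts. The script itself is not shown; if all it has to do is stop a download started under `tails-iuk-get-target-file`, the rule could read `tails-upgrade-frontend ALL = (tails-iuk-get-target-file) NOPASSWD: /usr/local/bin/tails-iuk-cancel-download ""`. If root really is required, an adjacent comment stating why would document the exception. The empty `""` argument list is a good restriction and should stay.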
......@@ -85,7 +85,7 @@ s{
tor[+]https?://deb[.]tails[.]boum[.]org
/?
(\s+)
}{$1tor+http://jenw7xbd6tf7vfhp.onion/$2}xms;
}{$1tor+http://umjqavufhoix3smyq6az2sx4istmuvsgmz4bq5u5x56rnayejoo6l2qd.onion/$2}xms;
' | perl -pi - /etc/apt/sources.list /etc/apt/sources.list.d/*.list
......@@ -99,7 +99,7 @@ s{
(Pin:\s+origin\s+)
deb[.]tails[.]boum[.]org
$
}{$1jenw7xbd6tf7vfhp.onion}xms;
}{$1umjqavufhoix3smyq6az2sx4istmuvsgmz4bq5u5x56rnayejoo6l2qd.onion}xms;
### Fix origin for backports
......
# -*- coding: utf-8 -*-
#
# Copyright © 2008 Red Hat, Inc. All rights reserved.
#
# This copyrighted material is made available to anyone wishing to use, modify,
# copy, or redistribute it subject to the terms and conditions of the GNU
# General Public License v.2. This program is distributed in the hope that it
# will be useful, but WITHOUT ANY WARRANTY expressed or implied, including the
# implied warranties of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
# See the GNU General Public License for more details. You should have
# received a copy of the GNU General Public License along with this program; if
# not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth
# Floor, Boston, MA 02110-1301, USA. Any Red Hat trademarks that are
# incorporated in the source code or documentation are not subject to the GNU
# General Public License and may only be used or replicated with the express
# permission of Red Hat, Inc.
#
# Author(s): Luke Macken <lmacken@redhat.com>
import os
import sys
import gettext
import locale
# Add sbin to PATH to support unprivileged mode
if os.path.exists('/usr/sbin') or os.path.exists('/usr/local/sbin'):
try:
os.environ['PATH'] = '/usr/local/sbin:/usr/sbin:' + os.environ['PATH']
except KeyError, e:
os.environ['PATH'] = '/usr/local/sbin:/usr/sbin'
def utf8_gettext(*args, **kwargs):
" Translate string, converting it to a UTF-8 encoded bytestring "
return gettext.translation(
'tails', '/usr/share/locale', fallback=True
).gettext(*args, **kwargs)
_ = utf8_gettext
from tails_installer.creator import TailsInstallerError
from tails_installer.creator import LinuxTailsInstallerCreator as TailsInstallerCreator
from tails_installer.config import config
branding = {
'distribution': config['branding']['distribution'],
'header': config['branding']['header']
}
__all__ = ("TailsInstallerCreator", "TailsInstallerError", "TailsInstallerDialog", "_", "utf8_gettext", "branding")
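Review bot: `__all__` lists `"TailsInstallerDialog"`, but nothing in the lines shown imports or defines that name, so `from tails_installer import *` would fail with an AttributeError; either import it here or drop it from the tuple. `except KeyError, e:` is Python 2-only syntax and a SyntaxError under Python 3; `except KeyError:` parses on both, and `e` is unused anyway. `sys` and `locale` are imported but not used in the visible module. The `utf8_gettext` docstring still promises a UTF-8 encoded bytestring, which looks like a Python 2 leftover and should be confirmed against the interpreter this package targets.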