Merge remote-tracking branch 'origin/master'

.gitignore

@@ -57,12 +57,16 @@
 /config/chroot_local-includes/usr/share/applications/tails-shutdown.desktop
 /config/chroot_local-includes/usr/share/applications/tor-browser.desktop
 /config/chroot_local-includes/usr/share/applications/tails-about.desktop
+/config/chroot_local-includes/usr/share/applications/tails-installer.desktop
 /config/chroot_local-includes/usr/share/applications/unlock-veracrypt-volumes.desktop
+/config/chroot_local-includes/usr/share/applications/whisperback.desktop
 /config/chroot_local-includes/usr/share/desktop-directories/Tails.directory
 /config/chroot_local-includes/usr/share/polkit-1/actions/org.boum.tails.root-terminal.policy
 /config/chroot_local-includes/usr/share/polkit-1/actions/org.boum.tails.additional-software.policy
 /config/chroot_local-includes/usr/share/tails/greeter/*.ui
+/config/chroot_local-includes/usr/share/tails-installer/*.ui
 /config/chroot_local-includes/usr/share/tails/unlock-veracrypt-volumes/*.ui
+/config/chroot_local-includes/usr/share/whisperback/*.ui
 /tmp/
 
 # The test suite's local configuration files

bin/add-release-to-iso-history

+#!/bin/bash
+
+set -eu
+set -o pipefail
+
+NAME=$(basename "${0}")
+LONGOPTS="version:,isos:,release-branch:,matching-jenkins-images-build-id:"
+OPTS=$(getopt -o "" --longoptions $LONGOPTS -n "${NAME}" -- "$@")
+eval set -- "$OPTS"
+while [ $# -gt 0 ]; do
+    case $1 in
+        --version)
+	    shift
+            VERSION="$1"
+            ;;
+	--isos)
+	    shift
+	    ISOS="$1"
+	    ;;
+	--release-branch)
+	    shift
+	    RELEASE_BRANCH="$1"
+	    ;;
+	--matching-jenkins-images-build-id)
+	    shift
+	    MATCHING_JENKINS_IMAGES_BUILD_ID="$1"
+	    ;;
+    esac
+    shift
+done
+
+ssh misc.lizard mkdir "tails-amd64-${VERSION:?}"
+
+scp "${ISOS:?}/tails-amd64-${VERSION:?}/tails-amd64-${VERSION:?}."{apt-sources,build-manifest,buildlog,packages,iso.sig,img.sig} \
+    "misc.lizard:tails-amd64-${VERSION:?}"
+
+ssh misc.lizard gpg --import < "wiki/src/tails-signing.key"
+
+ssh misc.lizard << EOF
+   cd tails-amd64-${VERSION:?} && \
+   wget --quiet \
+      "https://nightly.tails.boum.org/build_Tails_ISO_${RELEASE_BRANCH:?}/builds/${MATCHING_JENKINS_IMAGES_BUILD_ID:?}/archive/build-artifacts/tails-amd64-${VERSION:?}.iso" \
+      "https://nightly.tails.boum.org/build_Tails_ISO_${RELEASE_BRANCH:?}/builds/${MATCHING_JENKINS_IMAGES_BUILD_ID:?}/archive/build-artifacts/tails-amd64-${VERSION:?}.img" && \
+   gpg --verify tails-amd64-${VERSION:?}.iso{.sig,} && \
+   gpg --verify tails-amd64-${VERSION:?}.img{.sig,}
+EOF
+
+ssh misc.lizard << EOF
+   ( [ -d isos ] || git clone gitolite@puppet-git.lizard:isos.git ) && \
+   cd isos && \
+   git annex init && \
+   git annex sync && \
+   git annex import ../tails-amd64-${VERSION:?} && \
+   rmdir ../tails-amd64-${VERSION:?} && \
+   git commit -m "Add Tails ${VERSION:?}" && \
+   git annex sync && \
+   git annex copy tails-amd64-${VERSION:?} --to origin && \
+   git annex drop tails-amd64-${VERSION:?} && \
+   git annex sync
+EOF

bin/apt-snapshots-expiry

+#!/bin/sh
+
+set -eu
+
+for dir in config/APT_snapshots.d vagrant/definitions/tails-builder/config/APT_snapshots.d; do
+(
+    set -eu
+    echo "${dir:?}:"
+    cd "${dir:?}"
+    for ARCHIVE in * ; do
+        SERIAL="$(cat ${ARCHIVE:?}/serial)"
+        if [ "${SERIAL:?}" = 'latest' ]; then
+            EXPIRY='never'
+            if [ "${ARCHIVE:?}" != 'debian-security' ]; then
+                echo "Warning: origin '${ARCHIVE:?}' is using the 'latest' snapshot, which is unexpected" >&2
+            fi
+        else
+            case "${ARCHIVE:?}" in
+                'debian-security')
+                    DIST='buster/updates'
+                    ;;
+                'torproject')
+                    DIST='buster'
+                    ;;
+                *)
+                    DIST='stable'
+                    ;;
+            esac
+            EXPIRY="$(curl --silent "https://time-based.snapshots.deb.tails.boum.org/${ARCHIVE:?}/dists/${DIST:?}/snapshots/${SERIAL:?}/Release" | sed -n 's/^Valid-Until:\s\+\(.*\)$/\1/p')"
+        fi
+        echo "* Archive '${ARCHIVE:?}' uses snapshot '${SERIAL:?}' which expires on: ${EXPIRY:?}"
+    done
+    echo ---
+)
+done

bin/copy-images-to-rsync-server-and-verify

+#!/bin/bash
+
+set -eu
+set -o pipefail
+
+NAME=$(basename "${0}")
+LONGOPTS="version:,dist:,release-branch:,matching-jenkins-images-build-id:"
+OPTS=$(getopt -o "" --longoptions $LONGOPTS -n "${NAME}" -- "$@")
+eval set -- "$OPTS"
+while [ $# -gt 0 ]; do
+    case $1 in
+        --version)
+	    shift
+            VERSION="$1"
+            ;;
+	--dist)
+	    shift
+	    DIST="$1"
+	    ;;
+	--release-branch)
+	    shift
+	    RELEASE_BRANCH="$1"
+	    ;;
+	--matching-jenkins-images-build-id)
+	    shift
+	    MATCHING_JENKINS_IMAGES_BUILD_ID="$1"
+	    ;;
+    esac
+    shift
+done
+
+ssh rsync.lizard gpg --import < wiki/src/tails-signing.key
+
+ssh rsync.lizard << EOF
+   wget --quiet \
+      "https://nightly.tails.boum.org/build_Tails_ISO_${RELEASE_BRANCH:?}/builds/${MATCHING_JENKINS_IMAGES_BUILD_ID:?}/archive/build-artifacts/tails-amd64-${VERSION:?}.iso" \
+      "https://nightly.tails.boum.org/build_Tails_ISO_${RELEASE_BRANCH:?}/builds/${MATCHING_JENKINS_IMAGES_BUILD_ID:?}/archive/build-artifacts/tails-amd64-${VERSION:?}.img" && \
+   gpg --verify tails-amd64-${VERSION:?}.iso{.sig,} && \
+   gpg --verify tails-amd64-${VERSION:?}.img{.sig,}
+EOF
+
+ssh rsync.lizard << EOF
+  sudo install -o root -g rsync_tails -m 0755 -d \
+     /srv/rsync/tails/tails/${DIST:?}/tails-amd64-${VERSION:?} && \
+  sudo chown root:rsync_tails tails-amd64-${VERSION:?}.{iso,img}* && \
+  sudo chmod u=rwX,go=rX tails-amd64-${VERSION:?}.{iso,img}* && \
+  sudo mv tails-amd64-${VERSION:?}.{iso,img}* \
+          /srv/rsync/tails/tails/${DIST:?}/tails-amd64-${VERSION:?}
+EOF

bin/copy-iuks-to-rsync-server-and-verify

@@ -92,41 +92,6 @@ def download_iuks_from_jenkins(
         destdir: str,
         jenkins_iuks_base_url: str,
         jenkins_build_id: int) -> None:
-
-    # This assumes same basename for hashes, locally and in Jenkins:
-    log.info("Downloading IUK hashes (if available) from Jenkins to %s…" % (desthost))
-    try:
-        url = "%s/%s/archive/%s" % (
-            jenkins_iuks_base_url,
-            jenkins_build_id,
-            Path(hashes_file).name
-        )
-        jenkins_hashes = '%(d)s/%(f)s' % {
-            "d": destdir,
-            "f": '%s.jenkins' % Path(hashes_file).name
-        }
-        our_hashes = '%(d)s/%(f)s' % {
-            "d": destdir,
-            "f": Path(hashes_file).name,
-        }
-        subprocess.run(
-            ["ssh", desthost, "wget", "--quiet", "--no-clobber",
-             "-O", jenkins_hashes, url],
-            check=True
-        )
-        subprocess.run(
-            ["ssh", desthost,
-             "sh -c \"if ! cmp -s '%(j_h)s' '%(o_h)s'; then "
-             "echo 'WARNING: IUK hashes seem different'; else "
-             "echo 'OK: IUK hashes seem similar'; fi\"" % {
-                 "j_h": jenkins_hashes,
-                 "o_h": our_hashes,
-             }],
-            check=True
-        )
-    except subprocess.CalledProcessError:
-        log.error("Unable to download/validate IUK hashes from Jenkins")
-
     log.info("Downloading IUKs from Jenkins to %s…" % (desthost))
     iuks = iuks_listed_in(hashes_file)
     log.debug("IUKS: %s" % ', '.join(iuks))

bin/generate-call-for-testing

+#! /usr/bin/python3
+
+import email.utils
+import subprocess
+
+from datetime import datetime, timedelta
+import jinja2
+
+
+def feedback_deadline(final_date: datetime) -> datetime:
+    return final_date - timedelta(days=2)
+
+
+def call_for_testing_contents(args) -> str:
+    jinja2_env = jinja2.Environment(
+        loader=jinja2.FileSystemLoader('config/release_management/templates'))
+
+    return (jinja2_env.get_template('call_for_testing.mdwn').render(
+        date=email.utils.format_datetime(datetime.fromisoformat(args.date)),
+        version=args.version,
+        tag=args.tag,
+        final_date=datetime.fromisoformat(args.final_date).strftime("%B %d"),
+        final_version=args.final_version,
+        deadline=feedback_deadline(datetime.fromisoformat(
+            args.final_date)).strftime("%B %d")))
+
+
+if __name__ == '__main__':
+    import argparse
+    parser = argparse.ArgumentParser()
+    parser.add_argument('--version', required=True)
+    parser.add_argument('--tag', required=True)
+    parser.add_argument('--date', required=True)
+    parser.add_argument('--final-version', required=True)
+    parser.add_argument('--final-date', required=True)
+    args = parser.parse_args()
+
+    print(call_for_testing_contents(args))

bin/generate-changelog

@@ -24,9 +24,7 @@ GROUP_NAME = 'tails'
 PROJECTS = [
     GROUP_NAME + '/' + project for project in [
         'chutney',
-        'installer',
         'tails',
-        'whisperback',
         'workarounds',
     ]
 ]

bin/wait-for-new-mfsa

+#!/bin/sh
+
+set -u
+
+current_mfsa() {
+    local current
+    current="$(
+        torsocks --isolate curl --silent https://www.mozilla.org/en-US/security/advisories/ | \
+           sed --regexp-extended -n 's@.*<a href="/en-US/security/advisories/(mfsa[0-9]+-[0-9]+)/".*>@\1@p' | \
+           sort -n | \
+           tail -n 1
+    )"
+    echo "$(date --rfc-3339=s): got ${current}" >&2
+    echo "${current}"
+}
+
+initial="$(current_mfsa)"
+while true; do
+    new="$(current_mfsa)"
+    [ -n "${new}" ] || continue
+    if [ "${new}" != "${initial}" ]; then
+	echo "${new}"
+	exit 0
+    fi
+    sleep 60
+done

config/APT_snapshots.d/debian/serial

-2020090702
+2020101002

config/APT_snapshots.d/torproject/serial

-2020090701
+2020091901

config/amnesia

@@ -17,13 +17,13 @@ export SOURCE_DATE_FAKETIME="$(date --utc --date="$(dpkg-parsechangelog --show-f
 # Base for the string that will be passed to "lb config --bootappend-live"
 # FIXME: see [[bugs/sdmem_on_eject_broken_for_CD]] for explanation why we
 # need to set block.events_dfl_poll_msecs
-AMNESIA_APPEND="live-media=removable nopersistence noprompt timezone=Etc/UTC block.events_dfl_poll_msecs=1000 splash noautologin module=Tails slab_nomerge slub_debug=FZP mce=0 vsyscall=none page_poison=1 init_on_alloc=1 init_on_free=1 mds=full,nosmt"
+AMNESIA_APPEND="live-media=removable nopersistence noprompt timezone=Etc/UTC block.events_dfl_poll_msecs=1000 splash noautologin module=Tails slab_nomerge slub_debug=FZP mce=0 vsyscall=none page_poison=1 init_on_free=1 mds=full,nosmt"
 
 # Options passed to isohybrid
 AMNESIA_ISOHYBRID_OPTS="-h 255 -s 63 --id 42 --verbose"
 
 # Kernel version
-KERNEL_VERSION='5.7.0-3'
+KERNEL_VERSION='5.8.0-2'
 KERNEL_SOURCE_VERSION=$(
    echo "$KERNEL_VERSION" \
        | perl -p -E 's{\A (\d+ [.] \d+) [.] .*}{$1}xms'

config/chroot_apt/preferences

@@ -79,7 +79,8 @@ Package: squashfs-tools
 Pin: release o=Debian,n=sid
 Pin-Priority: 999
 
-Package: tails-installer
+Explanation: install Thunderbird 68 until we're ready for 78 (#17962)
+Package: calendar-google-provider lightning* thunderbird*
 Pin: origin deb.tails.boum.org
 Pin-Priority: 999
 
@@ -87,7 +88,7 @@ Package: virtualbox*
 Pin: release o=Debian,n=sid
 Pin-Priority: 999
 
-Package: webext-ublock-origin
+Package: webext-ublock-origin-firefox
 Pin: release o=Debian,n=sid
 Pin-Priority: 999
 

config/chroot_local-hooks/10-tbb

@@ -88,44 +88,6 @@ install_tor_browser() {
     # Otherwise the "General" section in the preferences is not displayed.
     install -d -m 0755 "${prep}"/TorBrowser/UpdateInfo
 
-    # Apply 10.0-build2 → 10.0-build3 changes:
-    (
-        local tmp
-        tmp="$(mktemp -d)"
-        cd "${tmp}"
-        7z x -tzip "${prep}/browser/omni.ja"
-        # Any $ in the below in-line patch must be escaped!
-        patch -p1 <<EOF
-commit fb9428098b5b85eed400daa6e0010ac63faf8848 (tag: tor-browser-78.3.0esr-10.0-2-build2, origin/tor-browser-78.3.0esr-10.0-2)
-Author: Matthew Finkel <sysrqb@torproject.org>
-Date:   Sat Sep 19 17:03:53 2020 +0000
-
-    Revert "fixup! TB4: Tor Browser's Firefox preference overrides."
-    
-    This reverts commit c386fb3312237fd6c0d123ba9aaad662f8740e56.
-    
-    We continue using the old webextensions storage backend due to #40137.
-
-diff --git a/browser/app/profile/000-tor-browser.js b/browser/app/profile/000-tor-browser.js
-index bac98ce06540..7e29c788b720 100644
---- a/defaults/preferences/000-tor-browser.js
-+++ b/defaults/preferences/000-tor-browser.js
-@@ -286,6 +286,8 @@ pref("extensions.htmlaboutaddons.recommendations.enabled", false);
- pref("extensions.legacy.exceptions", "{972ce4c6-7e08-4474-a285-3208198ce6fd},torbutton@torproject.org");
- // Bug 26114: Allow NoScript to access addons.mozilla.org etc.
- pref("extensions.webextensions.restrictedDomains", "");
-+// Bug 31396: Disable indexedDB WebExtension storage backend.
-+pref("extensions.webextensions.ExtensionStorageIDB.enabled", false);
- // Bug 28896: Make sure our bundled WebExtensions are running in Private Browsing Mode
- pref("extensions.allowPrivateBrowsingByDefault", true);
- 
-EOF
-        touch --date="@${TBB_TIMESTAMP:?}" defaults/preferences/000-tor-browser.js
-        rm "${prep}/browser/omni.ja"
-        7z a -mtc=off -tzip "${prep}/browser/omni.ja" *
-        rm -r "${tmp}"
-    )
-    
     mv "${prep}" "${destination}"
     rm -r "${tmp}"
 }
@@ -325,7 +287,7 @@ install_debian_extensions() {
     fake_firefox_version=${firefox_version}+fake1
     install_fake_package firefox "${fake_firefox_version}" web
 
-    apt-get install --yes webext-ublock-origin
+    apt-get install --yes webext-ublock-origin-firefox
     patch -p1 < /usr/share/tails/uBlock-disable-autoUpdate.diff
 
     # Apply the same hack for our extension as the Tor Browser does
@@ -335,7 +297,7 @@ install_debian_extensions() {
     embed_extensions_in_omni_ja "${destination}" "${timestamp}"
     # ... and then remove the packages we just installed, since we
     # don't need them outside of omni.ja.
-    apt purge --yes firefox webext-ublock-origin
+    apt purge --yes firefox webext-ublock-origin-firefox
 }
 
 create_default_profile() {

config/chroot_local-hooks/12-kernel-modules-build-environment

@@ -11,17 +11,17 @@ echo "Setting up a build environment for kernel modules"
 # Import ensure_hook_dependency_is_installed()
 . /usr/local/lib/tails-shell-library/build.sh
 
-# Install gcc-8 and fake linux-compiler-gcc-9-x86
-# (linux-headers-5.3.0+ depends on it, but Buster hasn't GCC 9)
+# Install gcc-8 and fake linux-compiler-gcc-10-x86
+# (linux-headers-5.8.0+ depends on it, but Buster hasn't GCC 10)
 ensure_hook_dependency_is_installed gcc-8
 NEWEST_INSTALLED_KERNEL_VERSION="$(
     dpkg-query --showformat '${Version}\n' --show 'linux-image-*-amd64' \
     | sort --version-sort | tail -n1
 )"
 install_fake_package \
-    linux-compiler-gcc-9-x86 \
+    linux-compiler-gcc-10-x86 \
     "${NEWEST_INSTALLED_KERNEL_VERSION}~0tails1"
-ln -s /usr/bin/gcc-8 /usr/bin/gcc-9
+ln -s /usr/bin/gcc-8 /usr/bin/gcc-10
 
 ensure_hook_dependency_is_installed \
     build-essential \

config/chroot_local-includes/etc/sudoers.d/zzz_upgrade

@@ -11,5 +11,6 @@ tails-upgrade-frontend ALL = (tails-install-iuk)         NOPASSWD: /usr/local/bi
 tails-upgrade-frontend ALL = (tails-iuk-get-target-file) NOPASSWD: IUK_GET_TARGET_FILE
 tails-upgrade-frontend ALL = (tails-iuk-get-target-file) NOPASSWD: /usr/local/bin/tails-iuk-mktemp-get-target-file ""
 tails-upgrade-frontend ALL =                             NOPASSWD: /sbin/reboot ""
+tails-upgrade-frontend ALL =                             NOPASSWD: /usr/local/bin/tails-iuk-cancel-download ""
 
 tails-install-iuk     ALL =                             NOPASSWD: INSTALL_IUK

config/chroot_local-includes/lib/live/config/1500-reconfigure-APT

@@ -85,7 +85,7 @@ s{
    tor[+]https?://deb[.]tails[.]boum[.]org
    /?
    (\s+)
-}{$1tor+http://jenw7xbd6tf7vfhp.onion/$2}xms;
+}{$1tor+http://umjqavufhoix3smyq6az2sx4istmuvsgmz4bq5u5x56rnayejoo6l2qd.onion/$2}xms;
 
 ' | perl -pi - /etc/apt/sources.list /etc/apt/sources.list.d/*.list
 
@@ -99,7 +99,7 @@ s{
    (Pin:\s+origin\s+)
    deb[.]tails[.]boum[.]org
    $
-}{$1jenw7xbd6tf7vfhp.onion}xms;
+}{$1umjqavufhoix3smyq6az2sx4istmuvsgmz4bq5u5x56rnayejoo6l2qd.onion}xms;
 
 ### Fix origin for backports
 

config/chroot_local-includes/usr/lib/python2.7/dist-packages/tails_installer/__init__.py

+# -*- coding: utf-8 -*-
+#
+# Copyright © 2008  Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing to use, modify,
+# copy, or redistribute it subject to the terms and conditions of the GNU
+# General Public License v.2.  This program is distributed in the hope that it
+# will be useful, but WITHOUT ANY WARRANTY expressed or implied, including the
+# implied warranties of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+# See the GNU General Public License for more details.  You should have
+# received a copy of the GNU General Public License along with this program; if
+# not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth
+# Floor, Boston, MA 02110-1301, USA. Any Red Hat trademarks that are
+# incorporated in the source code or documentation are not subject to the GNU
+# General Public License and may only be used or replicated with the express
+# permission of Red Hat, Inc.
+#
+# Author(s): Luke Macken <lmacken@redhat.com>
+
+import os
+import sys
+import gettext
+import locale
+
+# Add sbin to PATH to support unprivileged mode
+if os.path.exists('/usr/sbin') or os.path.exists('/usr/local/sbin'):
+    try:
+        os.environ['PATH'] = '/usr/local/sbin:/usr/sbin:' + os.environ['PATH']
+    except KeyError, e:
+        os.environ['PATH'] = '/usr/local/sbin:/usr/sbin'
+
+def utf8_gettext(*args, **kwargs):
+    " Translate string, converting it to a UTF-8 encoded bytestring "
+    return gettext.translation(
+               'tails', '/usr/share/locale', fallback=True
+           ).gettext(*args, **kwargs)
+
+_ = utf8_gettext
+
+from tails_installer.creator import TailsInstallerError
+
+from tails_installer.creator import LinuxTailsInstallerCreator as TailsInstallerCreator
+
+from tails_installer.config import config
+branding = {
+    'distribution': config['branding']['distribution'],
+    'header':       config['branding']['header']
+}
+
+__all__ = ("TailsInstallerCreator", "TailsInstallerError", "TailsInstallerDialog", "_", "utf8_gettext", "branding")

config/chroot_local-includes/usr/lib/python2.7/dist-packages/tails_installer/config.py

+# -*- coding: utf-8 -*-
+
+config = {
+    # Minimum device size we accept as valid target for initial
+    # installation, in MiB as in 1 MiB = 1024**2 bytes. I've seen USB
+    # sticks labeled "8 GB" that were 7759462400 bytes = 7400 MiB
+    # large, and one can probably fine even smaller ones, so let's be
+    # nice with users who believed what was written on the box and
+    # accept slightly smaller devices than what the theory
+    # would dictate.
+    'min_installation_device_size': 7200,
+    # Minimum device size we tell the user they should get, in MB
+    # as in 1000 MB = 1 GB, i.e. let's use a unit close to what they will
+    # see displayed in shops.
+    'official_min_installation_device_size': 8000,
+    'main_liveos_dir': 'live',
+    'running_liveos_mountpoint': '/lib/live/mount/medium',
+    'liveos_toplevel_files': [ 'autorun.bat', 'autorun.inf', 'boot', '.disk',
+                               'doc', 'EFI', 'live', 'isolinux', 'syslinux',
+                               'tmp', 'utils' ],
+    'persistence': { 'enabled': False,
+                },
+    'branding': { 'distribution': 'Tails',
+                  'header': 'tails-liveusb-header.png',
+                  'color': '#56347c',
+                  'partition_label': 'Tails',
+                },
+}