Commit 2cb0c90c authored by segfault's avatar segfault

Merge branch 'devel' into feature/5684-screen-locker

parents 36cb4658 031a66be
......@@ -369,8 +369,9 @@ task :setup_environment => ['validate_git_state'] do
ENV['BASE_BRANCH_GIT_COMMIT'] = git_helper('git_base_branch_head')
['GIT_COMMIT', 'GIT_REF', 'BASE_BRANCH_GIT_COMMIT'].each do |var|
if ENV[var].empty?
raise "Variable '#{var}' is empty, which should not be possible" +
"(validate_git_state must be buggy)"
raise "Variable '#{var}' is empty, which should not be possible: " +
"either validate_git_state is buggy or the 'origin' remote " +
"does not point to the official Tails Git repository."
end
end
end
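Review bot: `ENV[var].empty?` in the loop raises NoMethodError instead of the new explanatory message when a variable is unset, because `ENV[var]` is then nil. Assigning nil to an ENV key deletes it, so this would happen if `git_helper` returned nil (its body is not visible here). Guarding with `if ENV[var].to_s.empty?` makes the unset and empty cases reach the same message. The message is also built from three literals joined with `+`, the form in which the old text lost a space before its parenthesis; a single heredoc or interpolated string would be harder to get wrong. The task body starts above this hunk.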
......
......@@ -185,12 +185,15 @@ cp debian/changelog config/chroot_local-includes/usr/share/doc/amnesia/Changelog
# create readahead-list from squashfs.sort
if [ -e config/binary_rootfs/squashfs.sort ]; then
mkdir -p config/chroot_local-includes/usr/share/amnesia
sort -k2 -n -r config/binary_rootfs/squashfs.sort |
cut -d' ' -f1 > config/chroot_local-includes/usr/share/amnesia/readahead-list
sort -k2 -n -r config/binary_rootfs/squashfs.sort | \
cut -d' ' -f1 | \
grep --invert-match --extended-regexp "$READAHEAD_EXCLUDE_PATTERN" \
> config/chroot_local-includes/usr/share/amnesia/readahead-list
fi
# custom APT sources
tails-custom-apt-sources > config/chroot_sources/tails.chroot
tails-custom-apt-sources > config/chroot_sources/tails.chroot \
|| fatal "tails-custom-apt-sources failed with exit code $?"
# tails-transform-mirror-url and its dependencies
install -m 0755 \
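Review bot: The new `grep --invert-match` is the last command of the readahead pipeline, so its exit status becomes the pipeline's. grep returns 1 when it selects no lines, which happens if every entry matches `$READAHEAD_EXCLUDE_PATTERN` or if the variable is empty, since an empty pattern matches every line and the inverted match keeps none. If this script runs under `set -e` (not visible in the hunk), the build then aborts with no message, unlike the `|| fatal` added for `tails-custom-apt-sources` just below. Consider failing explicitly on an unset or empty pattern, e.g. `: "${READAHEAD_EXCLUDE_PATTERN:?must be set and non-empty}"` before the pipeline. Failures of `sort` or `cut` remain masked unless `pipefail` is in effect.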
......
......@@ -21,7 +21,7 @@ Tails developers <amnesia@boum.org>
=head1 LICENSE AND COPYRIGHT
Copyright (C) 2011 Tails developers <amnesia@boum.org>
Copyright (C) 2011 Tails developers <tails@boum.org>
Licensed under the GNU GPL version 3 or any later version.
......
......@@ -26,12 +26,16 @@ AMNESIA_ISOHYBRID_OPTS="-h 255 -s 63 --id 42 --verbose"
REQUIRED_SYSLINUX_UTILS_UPSTREAM_VERSION="6.03~pre20"
# Kernel version
KERNEL_VERSION='4.13.0-1'
KERNEL_VERSION='4.14.0-3'
KERNEL_SOURCE_VERSION=$(
echo "$KERNEL_VERSION" \
| perl -p -E 's{\A (\d+ [.] \d+) [.] .*}{$1}xms'
)
# Files to exclude from the readahead list
# (passed to `grep --extended-regexp`)
READAHEAD_EXCLUDE_PATTERN='^lib/live/mount/medium/'
### You should not have to change anything below this line ####################
# sanity checks
......
This diff is collapsed.
Package: amd64-microcode
Pin: release o=Debian,n=sid
Pin-Priority: 999
Package: aufs-dkms
Pin: release o=Debian,n=sid
Pin-Priority: 999
......@@ -57,6 +61,14 @@ Package: virtualbox*
Pin: release o=Debian,n=sid
Pin-Priority: 999
Package: xul-ext-ublock-origin
Pin: release o=Debian,n=sid
Pin-Priority: 999
Package: pdf-redact-tools
Pin: release o=Debian,n=sid
Pin-Priority: 999
Explanation: weirdness in chroot_apt install-binary
Package: *
Pin: release o=chroot_local-packages
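Review bot: The `xul-ext-ublock-origin` and `pdf-redact-tools` stanzas (and, it appears, `amd64-microcode` at the top) pin to `n=sid` at priority 999 without saying why, so nothing tells a later maintainer when a pin can be dropped. Packages taken from unstable are generally not covered by the stable security process, which makes each such pin worth justifying. The file already uses the `Explanation:` field further down; adding one per new stanza, e.g. `Explanation: <why this package is taken from sid, and when the pin can go>`, would document that.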
......
#! /bin/sh
set -e
set -u
set -x
echo "Checking if we should stop shipping our own AppArmor feature set"
if [ -f /usr/share/apparmor-features/features ]; then
if cmp --quiet /usr/share/apparmor-features/features.Tails \
/usr/share/apparmor-features/features; then
echo "Debian ships the same AppArmor feature set as ours. " \
"Likely we can now remove our own one." >&2
else
echo "Debian ships a different AppArmor feature set from ours. " \
"Likely our own one is outdated and can be removed:" >&2
diff -Naur \
/usr/share/apparmor-features/features.Tails \
/usr/share/apparmor-features/features \
>&2
fi
# In any case, we probably have to do something about it.
exit 1
fi
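Review bot: `cmp --quiet` also returns non-zero when `/usr/share/apparmor-features/features.Tails` is missing or unreadable, and the `else` branch then reports "a different AppArmor feature set" and suggests ours can be removed, which would be misleading in that case. In addition, `diff -Naur` exits 1 when the files differ, so under `set -e` the script stops at the diff and never reaches the commented `exit 1`; the result is the same, but appending `|| :` after the `>&2` makes the control flow match what the reader sees. A header comment stating that this hook deliberately fails the build once Debian ships `/usr/share/apparmor-features/features` would help whoever hits it.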
......@@ -128,9 +128,7 @@ apply_extension_code_signing_hacks () {
tmp="$(mktemp -d)"
(
cd "${tmp}"
7z x -tzip "${TBB_INSTALL}/omni.ja" \
modules/addons/XPIProvider.jsm \
chrome/toolkit/content/mozapps/extensions/extensions.js
7z x -tzip "${TBB_INSTALL}/omni.ja"
patch -p1 <<EOF
diff -Naur a/chrome/toolkit/content/mozapps/extensions/extensions.js b/chrome/toolkit/content/mozapps/extensions/extensions.js
--- a/chrome/toolkit/content/mozapps/extensions/extensions.js 2000-01-01 00:00:00.000000000 +0000
......@@ -157,20 +155,31 @@ diff -Naur a/modules/addons/XPIProvider.jsm b/modules/addons/XPIProvider.jsm
+ aAddon.id == "uBlock0@raymondhill.net") {
return true;
}
@@ -3465,6 +3466,7 @@
addon.id != "tor-launcher@torproject.org" &&
addon.id != "https-everywhere-eff@eff.org" &&
addon.id != "meek-http-helper@bamsoftware.com" &&
+ addon.id != "uBlock0@raymondhill.net" &&
addon.signedState <= AddonManager.SIGNEDSTATE_MISSING) {
logger.warn("Refusing to install staged add-on " + id + " with signed state " + addon.signedState);
seenFiles.push(stageDirEntry.leafName);
EOF
touch --date="@${tbb_timestamp}" modules/addons/XPIProvider.jsm \
chrome/toolkit/content/mozapps/extensions/extensions.js
7z u -mtc=off -tzip "${TBB_INSTALL}/omni.ja" \
modules/addons/XPIProvider.jsm \
chrome/toolkit/content/mozapps/extensions/extensions.js
7z x -tzip "${TBB_INSTALL}/browser/omni.ja" \
components/nsBrowserGlue.js
rm "${TBB_INSTALL}/omni.ja"
7z a -mtc=off -tzip "${TBB_INSTALL}/omni.ja" *
)
rm -r "${tmp}"
tmp="$(mktemp -d)"
(
cd "${tmp}"
7z x -tzip "${TBB_INSTALL}/browser/omni.ja"
patch -p1 <<EOF
diff -Naur x/components/nsBrowserGlue.js y/components/nsBrowserGlue.js
--- a/components/nsBrowserGlue.js 2000-01-01 00:00:00.000000000 +0000
+++ b/components/nsBrowserGlue.js 2000-01-01 00:00:00.000000000 +0000
@@ -1122,7 +1122,8 @@
@@ -1137,7 +1137,8 @@
if ((addon.signedState <= AddonManager.SIGNEDSTATE_MISSING) &&
!(addon.id == "torbutton@torproject.org" ||
addon.id == "tor-launcher@torproject.org" ||
......@@ -182,22 +191,14 @@ diff -Naur x/components/nsBrowserGlue.js y/components/nsBrowserGlue.js
}
EOF
touch --date="@${tbb_timestamp}" components/nsBrowserGlue.js
7z u -mtc=off -tzip "${TBB_INSTALL}/browser/omni.ja" \
components/nsBrowserGlue.js
# These binaries are generated from the above modified files
# so we have to remove them. This will have a performance
# impact that probably is unnoticeable for humans, but TBB 7.5
# won't ship any of these binaries any way, so we'll converge.
7z d -mtc=off -tzip "${TBB_INSTALL}/omni.ja" \
jsloader/resource/gre/modules/addons/XPIProvider.jsm
7z d -mtc=off -tzip "${TBB_INSTALL}/browser/omni.ja" \
jsloader/resource/app/components/nsBrowserGlue.js
for archive in "${TBB_INSTALL}/omni.ja" "${TBB_INSTALL}/browser/omni.ja"; do
strip_nondeterminism_wrapper --type zip --timestamp "${tbb_timestamp}" \
"${archive}" 2>/dev/null
done
rm "${TBB_INSTALL}/browser/omni.ja"
7z a -mtc=off -tzip "${TBB_INSTALL}/browser/omni.ja" *
)
rm -r "${tmp}"
for archive in "${TBB_INSTALL}/omni.ja" "${TBB_INSTALL}/browser/omni.ja"; do
strip_nondeterminism_wrapper --type zip --timestamp "${tbb_timestamp}" \
"${archive}" 2>/dev/null
done
}
# Modern Firefox doesn't apply browser.search.defaultenginename on
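Review bot: The embedded patch exempts `uBlock0@raymondhill.net` from the signature check purely by add-on ID (the added `aAddon.id == ...` and `addon.id != ...` lines), so anything installed under that ID is accepted regardless of signed state and the extension's integrity rests on whatever package ships it. That trust assumption deserves a comment above the heredoc, for example `# The exemption matches on the add-on ID alone: it is only as trustworthy as the package that installs this ID`. Separately, both archives are now deleted and recreated with `7z a ... *`: the glob skips dot-files, and the `rm` runs before the replacement exists, so building the new archive under a temporary name and moving it over `omni.ja` would be safer. The `2>/dev/null` on `strip_nondeterminism_wrapper` also hides errors from the step that normalises the rebuilt archives. The function starts above the first hunk of this section.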
......
......@@ -2,31 +2,43 @@
set -e
set -u
set -x
echo "Building dkms modules"
. /usr/share/amnesia/build/variables
# the -dkms package must be installed *after* dkms to be properly registered
apt-get install --yes build-essential dkms
# Import install_fake_package
. /usr/local/lib/tails-shell-library/build.sh
# Install gcc-6 and fake linux-compiler-gcc-7-x86
# (linux-headers-4.14+ depends on it, but Stretch hasn't GCC 7)
# XXX:Buster: remove this hack.
apt-get install --yes gcc-6
NEWEST_INSTALLED_KERNEL_VERSION="$(
dpkg-query --showformat '${Version}\n' --show 'linux-image-*-amd64' \
| sort --version-sort | tail -n1
)"
install_fake_package \
linux-compiler-gcc-7-x86 \
"${NEWEST_INSTALLED_KERNEL_VERSION}~0tails1"
ln -s /usr/bin/gcc-6 /usr/bin/gcc-7
# Any -dkms package must be installed *after* dkms to be properly registered
apt-get install --yes \
build-essential \
dkms \
libelf-dev
# Installing the headers triggers the building of the modules for that kernel
apt-get install --yes \
"linux-headers-${KERNEL_VERSION}-amd64" \
aufs-dkms \
virtualbox-guest-dkms
MODULES_VERSION="$(dpkg-query -W -f='${Version}\n' virtualbox-guest-dkms \
| sed -E 's,-.*,,')"
dkms build \
-a amd64 -k "${KERNEL_VERSION}-amd64" \
-m virtualbox-guest -v "$MODULES_VERSION"
dkms install \
-a amd64 -k "${KERNEL_VERSION}-amd64" \
-m virtualbox-guest -v "$MODULES_VERSION"
# clean the build directory
# rm -r /var/lib/dkms/virtualbox-guest/
for log in $(ls /var/lib/dkms/*/*/build/make.log); do
echo "---- $log"
cat "$log"
done
# Ensure the modules were actually built and installed: when
# dkms.conf for a DKMS module includes a BUILD_EXCLUSIVE directive
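Review bot: `ln -s /usr/bin/gcc-6 /usr/bin/gcc-7` creates a file that no package owns, so purging `gcc-6` later in the build would leave a dangling `/usr/bin/gcc-7` in the image unless something outside this hunk removes it. An explicit `rm -f /usr/bin/gcc-7` once the modules are built, carrying the same `XXX:Buster` tag, would keep the hack self-contained. The log loop `for log in $(ls /var/lib/dkms/*/*/build/make.log)` parses `ls` output; `for log in /var/lib/dkms/*/*/build/make.log; do [ -e "$log" ] || continue` avoids the word-splitting. The script continues past the end of the hunk.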
......
......@@ -21,6 +21,7 @@ systemctl enable var-tmp.mount
# Enable our own systemd user unit files
systemctl --global enable tails-add-GNOME-bookmarks.service
systemctl --global enable tails-additional-software-install.service
systemctl --global enable tails-configure-keyboard.service
systemctl --global enable tails-create-tor-browser-directories.service
systemctl --global enable tails-security-check.service
......
......@@ -12,12 +12,15 @@ echo "Removing unwanted packages"
# - libgcc1 (apt depends on it)
# - cpp, cpp-* (big parts of GNOME depend on it)
apt-get --yes purge \
'^linux-compiler-*' \
'^linux-kbuild-*' \
'^linux-headers-*' \
build-essential debhelper dkms dpkg-dev \
gcc gcc-6 \
intltool-debian \
libc6-dev linux-libc-dev \
libc6-dev \
libelf-dev \
linux-libc-dev \
make \
po-debconf \
rsyslog \
......
......@@ -12,4 +12,4 @@ if [ "$2" != "up" ]; then
exit 0
fi
/usr/local/sbin/tails-additional-software upgrade
/bin/systemctl --no-block start tails-additional-software-upgrade.path
APT::Keep-Downloaded-Packages "true";
Binary::apt::APT::Keep-Downloaded-Packages "true";
......@@ -69,3 +69,7 @@ lid-close-battery-action = 'blank'
[org/gnome/shell]
enabled-extensions = ['apps-menu@gnome-shell-extensions.gcampax.github.com', 'places-menu@gnome-shell-extensions.gcampax.github.com', 'window-list@gnome-shell-extensions.gcampax.github.com', 'TopIcons@phocean.net', 'status-menu-helper@tails.boum.org', 'torstatus@tails.boum.org']
favorite-apps=['tor-browser.desktop', 'thunderbird.desktop', 'pidgin.desktop', 'keepassx.desktop', 'gnome-terminal.desktop']
[org/gnome/shell/extensions/topicons]
tray-pos='right'
tray-order=4
......@@ -13,3 +13,6 @@ ForwardX11Trusted no
# Prevent fingerprinting when username was not specified
User root
# Avoid storing full remote IP / host name connection history in plaintext
HashKnownHosts yes
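Review bot: `HashKnownHosts yes` only affects entries written from now on; host names already stored in an existing `known_hosts` file stay in plaintext. If users can keep their SSH client directory across sessions (not visible on this page), the comment above the option could say so and point to `ssh-keygen -H`, which rehashes an existing file.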
# XXX:Buster this sudo rule should be replaced by a polkit rule once we have
# policykit >= 0.106. The rule is already in
# [[blueprint/additional_software_packages/org.boum.tails.additional-software.rules]]
# and should be installed in /usr/share/polkit-1/rules.d/
amnesia ALL = NOPASSWD: /bin/systemctl start tails-additional-software-install.service
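Review bot: The rule is tight on the sudo side, since it gives `amnesia` passwordless root execution of exactly one command line, but it moves the trust decision into `tails-additional-software-install.service`. Whatever that unit reads when it runs (not visible on this page) must be something `amnesia` cannot modify without separate authorization. A one-line comment next to the rule, e.g. `# Safe only while the service's input cannot be changed by amnesia without authentication`, would keep that assumption visible when the rule is ported to polkit.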