Commit 3d0d57f5 authored by intrigeri

Merge branch 'stable' into devel

parents 48863a8d 47c699e0
#!/bin/bash
set -eu
set -o pipefail
NAME=$(basename "${0}")
LONGOPTS="version:,isos:,release-branch:,matching-jenkins-images-build-id:"
OPTS=$(getopt -o "" --longoptions $LONGOPTS -n "${NAME}" -- "$@")
eval set -- "$OPTS"
while [ $# -gt 0 ]; do
case $1 in
--version)
shift
VERSION="$1"
;;
--isos)
shift
ISOS="$1"
;;
--release-branch)
shift
RELEASE_BRANCH="$1"
;;
--matching-jenkins-images-build-id)
shift
MATCHING_JENKINS_IMAGES_BUILD_ID="$1"
;;
esac
shift
done
ssh misc.lizard mkdir "tails-amd64-${VERSION:?}"
scp "${ISOS:?}/tails-amd64-${VERSION:?}/tails-amd64-${VERSION:?}."{apt-sources,build-manifest,buildlog,packages,iso.sig,img.sig} \
"misc.lizard:tails-amd64-${VERSION:?}"
ssh misc.lizard gpg --import < "wiki/src/tails-signing.key"
ssh misc.lizard << EOF
cd tails-amd64-${VERSION:?} && \
wget --quiet \
"https://nightly.tails.boum.org/build_Tails_ISO_${RELEASE_BRANCH:?}/builds/${MATCHING_JENKINS_IMAGES_BUILD_ID:?}/archive/build-artifacts/tails-amd64-${VERSION:?}.iso" \
"https://nightly.tails.boum.org/build_Tails_ISO_${RELEASE_BRANCH:?}/builds/${MATCHING_JENKINS_IMAGES_BUILD_ID:?}/archive/build-artifacts/tails-amd64-${VERSION:?}.img" && \
gpg --verify tails-amd64-${VERSION:?}.iso{.sig,} && \
gpg --verify tails-amd64-${VERSION:?}.img{.sig,}
EOF
ssh misc.lizard << EOF
( [ -d isos ] || git clone gitolite@puppet-git.lizard:isos.git ) && \
cd isos && \
git annex init && \
git annex sync && \
git annex import ../tails-amd64-${VERSION:?} && \
rmdir ../tails-amd64-${VERSION:?} && \
git commit -m "Add Tails ${VERSION:?}" && \
git annex sync && \
git annex copy tails-amd64-${VERSION:?} --to origin && \
git annex drop tails-amd64-${VERSION:?} && \
git annex sync
EOF
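Review bot: The two `gpg --verify` calls in the first heredoc accept a good signature from any key in the remote account's keyring, not only from the key imported from `wiki/src/tails-signing.key` just above. If the keyring on misc.lizard ever holds another key, an image signed by that key would pass this step. Pinning the check to the signing key closes this, for example by verifying with `gpgv --keyring <dedicated-keyring-file>`, or by reading `gpg --status-fd 1 --verify` and comparing the `VALIDSIG` fingerprint with the expected one. The same pair of calls appears in the rsync.lizard script further down the page. The page does not show whether this file is added or removed by the merge, so this applies only if it is on the new side.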
#!/bin/sh
set -eu
for dir in config/APT_snapshots.d vagrant/definitions/tails-builder/config/APT_snapshots.d; do
(
set -eu
echo "${dir:?}:"
cd "${dir:?}"
for ARCHIVE in * ; do
SERIAL="$(cat ${ARCHIVE:?}/serial)"
if [ "${SERIAL:?}" = 'latest' ]; then
EXPIRY='never'
if [ "${ARCHIVE:?}" != 'debian-security' ]; then
echo "Warning: origin '${ARCHIVE:?}' is using the 'latest' snapshot, which is unexpected" >&2
fi
else
case "${ARCHIVE:?}" in
'debian-security')
DIST='buster/updates'
;;
'torproject')
DIST='buster'
;;
*)
DIST='stable'
;;
esac
EXPIRY="$(curl --silent "https://time-based.snapshots.deb.tails.boum.org/${ARCHIVE:?}/dists/${DIST:?}/snapshots/${SERIAL:?}/Release" | sed -n 's/^Valid-Until:\s\+\(.*\)$/\1/p')"
fi
echo "* Archive '${ARCHIVE:?}' uses snapshot '${SERIAL:?}' which expires on: ${EXPIRY:?}"
done
echo ---
)
done
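Review bot: The `curl --silent` call that fills `EXPIRY` hides transfer and HTTP errors, so a failed request leaves the value empty and the script stops at `${EXPIRY:?}` with a generic unset-parameter error instead of the real cause. `curl --fail --silent --show-error` would report what went wrong. Separately, `$(cat ${ARCHIVE:?}/serial)` leaves the directory name unquoted inside the substitution; `"$(cat "${ARCHIVE:?}/serial")"` is safer. The `Release` file appears to be read without a signature check, which is probably fine for a report, but a comment saying the printed expiry is informational would make that explicit.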
#!/bin/bash
set -eu
set -o pipefail
NAME=$(basename "${0}")
LONGOPTS="version:,dist:,release-branch:,matching-jenkins-images-build-id:"
OPTS=$(getopt -o "" --longoptions $LONGOPTS -n "${NAME}" -- "$@")
eval set -- "$OPTS"
while [ $# -gt 0 ]; do
case $1 in
--version)
shift
VERSION="$1"
;;
--dist)
shift
DIST="$1"
;;
--release-branch)
shift
RELEASE_BRANCH="$1"
;;
--matching-jenkins-images-build-id)
shift
MATCHING_JENKINS_IMAGES_BUILD_ID="$1"
;;
esac
shift
done
ssh rsync.lizard gpg --import < wiki/src/tails-signing.key
ssh rsync.lizard << EOF
wget --quiet \
"https://nightly.tails.boum.org/build_Tails_ISO_${RELEASE_BRANCH:?}/builds/${MATCHING_JENKINS_IMAGES_BUILD_ID:?}/archive/build-artifacts/tails-amd64-${VERSION:?}.iso" \
"https://nightly.tails.boum.org/build_Tails_ISO_${RELEASE_BRANCH:?}/builds/${MATCHING_JENKINS_IMAGES_BUILD_ID:?}/archive/build-artifacts/tails-amd64-${VERSION:?}.img" && \
gpg --verify tails-amd64-${VERSION:?}.iso{.sig,} && \
gpg --verify tails-amd64-${VERSION:?}.img{.sig,}
EOF
ssh rsync.lizard << EOF
sudo install -o root -g rsync_tails -m 0755 -d \
/srv/rsync/tails/tails/${DIST:?}/tails-amd64-${VERSION:?} && \
sudo chown root:rsync_tails tails-amd64-${VERSION:?}.{iso,img}* && \
sudo chmod u=rwX,go=rX tails-amd64-${VERSION:?}.{iso,img}* && \
sudo mv tails-amd64-${VERSION:?}.{iso,img}* \
/srv/rsync/tails/tails/${DIST:?}/tails-amd64-${VERSION:?}
EOF
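Review bot: `${DIST:?}` and `${VERSION:?}` are expanded locally inside the unquoted heredocs and reach the remote shell as raw text, including on the `sudo install`, `sudo chown`, `sudo chmod` and `sudo mv` lines. A value containing whitespace or shell metacharacters would be interpreted by the remote shell, under sudo, rather than treated as a name. Validating the options once after the parsing loop and before the first `ssh` prevents that, e.g. `case "${VERSION:?}" in *[!A-Za-z0-9.~-]*) echo "invalid --version" >&2; exit 1;; esac`, with a similar check for `--dist`. The script that uploads to misc.lizard earlier on the page interpolates `${VERSION:?}` the same way.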
......@@ -92,41 +92,6 @@ def download_iuks_from_jenkins(
destdir: str,
jenkins_iuks_base_url: str,
jenkins_build_id: int) -> None:
# This assumes same basename for hashes, locally and in Jenkins:
log.info("Downloading IUK hashes (if available) from Jenkins to %s…" % (desthost))
try:
url = "%s/%s/archive/%s" % (
jenkins_iuks_base_url,
jenkins_build_id,
Path(hashes_file).name
)
jenkins_hashes = '%(d)s/%(f)s' % {
"d": destdir,
"f": '%s.jenkins' % Path(hashes_file).name
}
our_hashes = '%(d)s/%(f)s' % {
"d": destdir,
"f": Path(hashes_file).name,
}
subprocess.run(
["ssh", desthost, "wget", "--quiet", "--no-clobber",
"-O", jenkins_hashes, url],
check=True
)
subprocess.run(
["ssh", desthost,
"sh -c \"if ! cmp -s '%(j_h)s' '%(o_h)s'; then "
"echo 'WARNING: IUK hashes seem different'; else "
"echo 'OK: IUK hashes seem similar'; fi\"" % {
"j_h": jenkins_hashes,
"o_h": our_hashes,
}],
check=True
)
except subprocess.CalledProcessError:
log.error("Unable to download/validate IUK hashes from Jenkins")
log.info("Downloading IUKs from Jenkins to %s…" % (desthost))
iuks = iuks_listed_in(hashes_file)
log.debug("IUKS: %s" % ', '.join(iuks))
......
#!/bin/sh
set -u
current_mfsa() {
local current
current="$(
torsocks --isolate curl --silent https://www.mozilla.org/en-US/security/advisories/ | \
sed --regexp-extended -n 's@.*<a href="/en-US/security/advisories/(mfsa[0-9]+-[0-9]+)/".*>@\1@p' | \
sort -n | \
tail -n 1
)"
echo "$(date --rfc-3339=s): got ${current}" >&2
echo "${current}"
}
initial="$(current_mfsa)"
while true; do
new="$(current_mfsa)"
[ -n "${new}" ] || continue
if [ "${new}" != "${initial}" ]; then
echo "${new}"
exit 0
fi
sleep 60
done
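Review bot: When `current_mfsa` returns an empty string, `[ -n "${new}" ] || continue` jumps back to the top of the loop without reaching `sleep 60`, so a failing fetch is retried in a tight loop over Tor. If the very first call fails, `initial` is empty and the next successful fetch is reported as a new advisory even though nothing changed. Retrying the initial fetch until it is non-empty and sleeping on every iteration fixes both; the rewritten tail of the script is below.

```sh
# … unchanged: current_mfsa() definition …
initial=""
while [ -z "${initial}" ]; do
    initial="$(current_mfsa)"
    [ -n "${initial}" ] || sleep 60
done
while true; do
    new="$(current_mfsa)"
    if [ -n "${new}" ] && [ "${new}" != "${initial}" ]; then
        echo "${new}"
        exit 0
    fi
    sleep 60
done
```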
......@@ -4,11 +4,194 @@ tails (4.15) UNRELEASED; urgency=medium
-- anonym <anonym@riseup.net> Tue, 15 Sep 2020 12:17:44 +0200
tails (4.11.1) UNRELEASED; urgency=medium
tails (4.12) unstable; urgency=medium
* Dummy entry for next release.
* Security fixes
- Upgrade libx11 to 2:1.6.7-1+deb10u1
* Hardware support
- Upgrade firmware-linux-nonfree to 20200918-1
* Upgrade to Tor Browser 10.0.2 (based on Firefox 78.4) (tails/tails!208)
Closes issues:
- Upgrade to Tor Browser 10.0.2 (based on Firefox 78.4) (tails/tails#17971)
Commits:
- Revert "Tor Browser: patch in prefs changes introduced in 10.0-build3."
- Fetch Tor Browser from our own archive.
- Upgrade Tor Browser to 10.0.2-build2.
* Use v3 Onion service to connect to our custom APT repository (tails/tails!201)
Closes issues:
- Migrate deb.tails.boum.org APT source to v3 onion (tails/tails#17937)
Commits:
- Use v3 Onion service to connect to our custom APT repository
* onion-grater: fix rate limiting of how often we try to connect to tor
(tails/tails!199)
Commits:
- onion-grater: fix rate limiting of how often we try to connect to tor
* Electrum & Upgrader wrappers: fix i18n support and use canonical URL for manual
upgrade doc (tails/tails!198)
Closes issues:
- tails-upgrade-frontend-wrapper points users to a 404 URL for manual upgrades in
French (tails/tails#17958)
- Some Python scripts fail to set the gettext text domain correctly
(tails/tails#17758)
Commits:
- Lint
- Electrum & Upgrader wrappers: fix internationalization support, by setting the
text domain correctly
- Unfuzzy 2 translation strings
- Update POT and PO files
- tails-upgrade-frontend-wrapper: remove spurious double quotes surrounding error
message
- Update POT and PO files
- tails-upgrade-frontend-wrapper: use canonical URLs for manual upgrade doc
* Keep installing Thunderbird 68 until we're ready for 78 (tails/tails!197)
Closes issues:
- All branches FTBFS since Thunderbird 78 reached the Buster security repo
(tails/tails#17962)
Commits:
- Install Thunderbird 68 until we're ready for 78
* WhisperBack: sanitize HTTP(s) URLs (tails/tails!196)
Closes issues:
- Unscrubbed URL in WhisperBack reports (tails/tails#10695)
Commits:
- WhisperBack: sanitize HTTP(s) URLs
* Avoid mirrors and rsync.lizard running out of disk space during the release
process when upgrades to a beta/RC are present (tails/tails!195)
Closes issues:
- Avoid mirrors and rsync.lizard running out of disk space during the release
process when upgrades to a beta/RC are present (tails/tails#17944)
-- anonym <anonym@riseup.net> Tue, 22 Sep 2020 15:23:20 +0200
Commits:
- Release process: delete beta/RC IUKs before uploading the IUKs for the final
version
- Call for testing: set a deadline for providing feedback (2 days before the
final release)
- Release process: automate generation of call for testing
* Installer: fix various internationalization bugs (tails/tails!194)
Closes issues:
- Various internationalization bugs in the Installer (tails/tails#17961)
Commits:
- Update POT and PO files, to match translatable strings changes
- Installer: allow translators to reorder string arguments in translations
- Installer: fix translations being unused due to translatable string being
computed at runtime
* Upgrade Linux to 5.8 and Debian to 10.6 (tails/tails!188)
Closes issues:
- Upgrade Linux to 5.8 (tails/tails#17896)
- Upgrade to Buster 10.6 (tails/tails#17930)
- Regression with Intel Corporation [8086:22b0] and [8086:22b1] GPU since 4.9
(tails/tails#17953)
Commits:
- Tor Browser AppArmor profile: allow access to DRI nodes
- Tor Browser AppArmor profile: update patch to apply on top of 0.3.2-14
- Update GNOME Shell to 3.30.2-11~deb10u2.0tails1
- Update systemd to 241-7~deb10u4.0tails1
- Refresh uBlock patch to apply cleanly on top of webext-ublock-origin-firefox
1.30.0+dfsg-1
- Adjust for webext-ublock-origin package split
- Adjust fake linux-compiler-gcc-N-x86 hack to Linux 5.8's needs
- Kernel command line: drop init_on_alloc=1, now set by default in Debian
- Upgrade Linux to 5.8.0-2 (currently at version 5.8.10-1)
- Bump snapshot of the Debian archive to 2020101002
* Upgrade to tor 0.4.4.5 (tails/tails!187)
Closes issues:
- Upgrade to tor 0.4.4 (tails/tails#17932)
Commits:
- Bump APT snapshot of the "torproject" archive to 2020091901, that has tor
0.4.4.x
* Port Perl code to translatable strings format supported by GNU gettext
(tails/tails!181)
Closes issues:
- Port Perl code to translatable strings format supported by GNU gettext
(tails/tails#17928)
Commits:
- refresh-translations: check PO files while converting them to MO
- Upgrader, Persistence wizard: set the UTF-8 flag on all strings returned by
Locale::TextDomain
- Re-add loading POSIX: we use it for more than setlocale
- Upgrader, Persistence wizard: assume UTF-8 locale
- Drop unneeded call to setlocale
- Drop meaningless attempt at localization
- Persistence setup: encode output when displaying errors on stdout
- IUK creation: make saveas method benchmarking info honor its $outfile_name
argument
- Port Perl code to translatable strings format supported by GNU gettext
* Import WhisperBack into our main Git repository (tails/tails!179)
Closes issues:
- Move WhisperBack source to our main Git repository (tails/tails#16936)
Commits:
- generate-changelog: don't consider obsolete tails/whisperback project
- Integrate WhisperBack into our l10n setup
- Import WhisperBack
* Import Tails Installer into our main Git repository and delete its dead code
(tails/tails!159)
Closes issues:
- Move Tails Installer to our main Git repository (tails/tails#17917)
Commits:
- generate-changelog: don't consider obsolete tails/installer project
- Adjust tails-installer.desktop to l10n setup
- Installer: adjust gettext files lookup
- Installer: adjust data directory lookup
- Update Transifex script & doc: most of our Transifex projects are obsolete
- Adjust code and doc to the fact Tails Installer now lives in tails.git
- Import Tails Installer
* Add a button to cancel the upgrade while downloading (tails/tails!12)
Closes issues:
- Add a button to cancel the upgrade while it's downloading (tails/tails#17310)
Commits:
- Fix regression introduced by 26b9b1b83f3857232474dd2291889867e80a3b45
- Upgrader: port code added in !12 to the l10n setup we switched to in !181
- Lint
- Convert tails-iuk-get-target-file | zenity pipeline to start / pump / finish
- Untabify
- Update design doc wrt. new tails-iuk-get-target-file permissions
- Remove unnecessary exit code handling
- Fix typo
- Allow tails-upgrade-frontend to kill the download process
- Set a signal handler to cancel the download when the zenity dialog is closed
- Add a button to cancel the upgrade while it is downloading
-- Tails developers <tails@boum.org> Mon, 19 Oct 2020 08:35:44 +0000
tails (4.11) unstable; urgency=medium
......
......@@ -8,7 +8,7 @@ msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: tails-l10n@boum.org\n"
"POT-Creation-Date: 2020-07-23 01:14+0000\n"
"PO-Revision-Date: 2020-10-04 21:30+0000\n"
"PO-Revision-Date: 2020-10-19 16:31+0000\n"
"Last-Translator: Chre <tor@renaudineau.org>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
"Language: fr\n"
......@@ -607,11 +607,13 @@ msgstr ""
#. type: Content of: <section><div><div><ul><li>
msgid "[[Relationship with upstream|contribute/relationship_with_upstream]]"
msgstr "[[Relationship with upstream|contribute/relationship_with_upstream]]"
msgstr ""
"[[Relations avec les autres projets constituant Tails|contribute/"
"relationship_with_upstream]]"
#. type: Content of: <section><div><div><ul><li>
msgid "[[Contribute|contribute]]"
msgstr "[[Contribuer|contribute]]"
msgstr "[[Participer|contribute]]"
#. type: Content of: <section><div><div><ul><li>
msgid "<a href=\"https://www.torproject.org/\">The Tor Project</a>"
......
......@@ -8,7 +8,7 @@ msgstr ""
"Project-Id-Version: Tails\n"
"Report-Msgid-Bugs-To: tails-l10n@boum.org\n"
"POT-Creation-Date: 2020-07-29 20:51+0000\n"
"PO-Revision-Date: 2020-10-04 21:30+0000\n"
"PO-Revision-Date: 2020-10-19 16:31+0000\n"
"Last-Translator: Chre <tor@renaudineau.org>\n"
"Language-Team: Tails translators <tails@boum.org>\n"
"Language: fr\n"
......@@ -482,7 +482,9 @@ msgstr "Relationship with upstream and derivatives"
#. type: Bullet: ' - '
msgid "[[Relationship with upstream|contribute/relationship_with_upstream]]"
msgstr "[[Relationship with upstream|contribute/relationship_with_upstream]]"
msgstr ""
"[[Relations avec les autres projets constituant Tails|contribute/"
"relationship_with_upstream]]"
#. type: Bullet: ' - '
msgid "[[Improve Tails by working on Debian|contribute/how/debian]]"
......
......@@ -82,7 +82,6 @@
- Mention updates as "Update *Xyz* to [1.2.4]."
- Mention previous version if we skipped some "Update *Xyz* from 1.0.0 to [1.2.3]."
- Link to release notes if any, or changelog
- For Linux upgrades add "*This should improve the support for newer hardware (graphics, Wi-Fi, etc.)*"
- Order items to put the most visible, less technical, and most popular
items first while not being afraid of putting more technical items as
well down the list.
......
......@@ -20,9 +20,9 @@ vulnerabilities|security/Numerous_security_holes_in_$VERSION-1]]. You should upg
[[!toc levels=1]]
# New features
<h1 id="features">New features</h1>
# Changes and updates
<h1 id="changes">Changes and updates</h1>
<-- You can reuse the following subsections if the section gets too big:
......@@ -36,7 +36,7 @@ vulnerabilities|security/Numerous_security_holes_in_$VERSION-1]]. You should upg
- Update *Thunderbird* to [1.2.3](https://www.thunderbird.net/en-US/thunderbird/1.2.3/releasenotes/).
- Update *Linux* to 1.2.3. This should improve the support for newer
- Update (*Linux* to 1.2.3|most firmware packages). This should improve the support for newer
hardware (graphics, Wi-Fi, etc.).
## Hardware support
......@@ -46,13 +46,11 @@ Wi-Fi, etc.):
-->
# Fixed problems
<h1 id="fixes">Fixed problems</h1>
For more details, read our [[!tails_gitweb debian/changelog desc="changelog"]].
<a id="known-issues"></a>
# Known issues
<h1 id="issues">Known issues</h1>
<!--
......@@ -65,7 +63,7 @@ None specific to this release.
See the list of [[long-standing issues|support/known_issues]].
# Get Tails $VERSION
<h1 id="get">Get Tails $VERSION</h1>
## To upgrade your Tails USB stick and keep your persistent storage
......@@ -93,7 +91,7 @@ Tails $VERSION directly:
- [[For USB sticks (USB image)|install/download]]
- [[For DVDs and virtual machines (ISO image)|install/download-iso]]
# What's coming up?
<h1 id="next">What's coming up?</h1>
Tails $VERSION+1 is [[scheduled|contribute/calendar]] for $MONTH $DAY.
......
......@@ -59,6 +59,11 @@ In a directory with many Tails ISO and USB images:
This section can **not** be done by the RM.
0. Check that the <https://tails.boum.org/contribute/calendar/>
documents who is the _Trusted Reproducer_ for this release.
If this is not the case, ask the RM (this is the only exception
to "do not trust anything said by the RM about this process").
1. Download the ISO and USB images.
2. Clear-sign the hashes of all products using your OpenPGP key
......@@ -77,8 +82,7 @@ This section can **not** be done by the RM.
echo "$DEST_DIR/TR-bits.gz"
4. Send the aforementioned generated file as an attachment
to the _Trusted Reproducer_, whose name is on the
[release calendar](https://tails.boum.org/contribute/calendar/).
to the _Trusted Reproducer_.
5. If the _Trusted Reproducer_ is around, ask them:
......
......@@ -8,7 +8,7 @@ msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: tails-l10n@boum.org\n"
"POT-Creation-Date: 2020-10-15 20:39+0000\n"
"PO-Revision-Date: 2020-10-18 09:29+0000\n"
"PO-Revision-Date: 2020-10-19 16:31+0000\n"
"Last-Translator: Joaquín Serna <bubuanabelas@cryptolab.net>\n"
"Language-Team: Spanish <https://translate.tails.boum.org/projects/tails/"
"src-donate/es/>\n"
......@@ -113,22 +113,6 @@ msgstr ""
#. For recurring donations only.
#. For one-time donation only.
#. type: Content of: <div><div><div><form>
#, fuzzy
#| msgid ""
#| "<input type=\"hidden\" name=\"cmd\" value=\"_xclick-subscriptions\" id="
#| "\"cmd\"/> <input type=\"hidden\" name=\"business\" value="
#| "\"tailsriseuplabs@riseup.net\" id=\"business\"/> <input type=\"hidden\" "
#| "name=\"currency_code\" value=\"USD\" id=\"currency_code\"/> <input type="
#| "\"hidden\" name=\"item_name\" value=\"Donation to Tails\"/> <input type="
#| "\"hidden\" name=\"no_note\" value=\"1\"/> <input type=\"hidden\" name="
#| "\"return\" class=\"return-url\" value=\"https://tails.boum.org/donate/"
#| "thanks\"/> <input type=\"hidden\" name=\"cancel_return\" class=\"return-"
#| "url\" value=\"https://tails.boum.org/donate/canceled\"/> <input name=\"lc"
#| "\" type=\"hidden\" value=\"US\"/> <input type=\"hidden\" name=\"a3\" "
#| "value=\"5\" id=\"a3\"/> <input type=\"hidden\" name=\"t3\" value=\"M\" id="
#| "\"t3\"/> <input type=\"hidden\" name=\"p3\" value=\"1\"/> <input type="
#| "\"hidden\" name=\"src\" value=\"1\"/> <input type=\"hidden\" name=\"amount"
#| "\" value=\"5\" id=\"amount\"/>"
msgid ""
"<input type=\"hidden\" name=\"cmd\" value=\"_xclick-subscriptions\" id=\"cmd"
"\"/> <input type=\"hidden\" name=\"business\" value=\"tailsriseuplabs@riseup."
......@@ -145,19 +129,20 @@ msgid ""
"type=\"hidden\" name=\"src\" value=\"1\"/> <input type=\"hidden\" name="
"\"amount\" value=\"5\" id=\"amount\"/>"
msgstr ""
"<input type=\"hidden\" name=\"cmd\" value=\"_xclick-subscriptions\" id=\"cmd"
"\"/> <input type=\"hidden\" name=\"business\" value=\"tailsriseuplabs@riseup."
"net\" id=\"business\"/> <input type=\"hidden\" name=\"currency_code\" value="
"\"USD\" id=\"currency_code\"/> <input type=\"hidden\" name=\"item_name\" "
"value=\"Donation to Tails\"/> <input type=\"hidden\" name=\"no_note\" value="
"\"1\"/> <input type=\"hidden\" name=\"return\" class=\"return-url\" value="
"\"https://tails.boum.org/donate/thanks\"/> <input type=\"hidden\" name="
"\"cancel_return\" class=\"return-url\" value=\"https://tails.boum.org/donate/"
"canceled\"/> <input name=\"lc\" type=\"hidden\" value=\"ES\"/> <input type="
"\"hidden\" name=\"a3\" value=\"5\" id=\"a3\"/> <input type=\"hidden\" name="
"\"t3\" value=\"M\" id=\"t3\"/> <input type=\"hidden\" name=\"p3\" value="
"\"1\"/> <input type=\"hidden\" name=\"src\" value=\"1\"/> <input type="