Commit 3ec86237 authored by anonym

Merge remote-tracking branch 'origin/feature/buster' into devel

parents dbbf93bf 437b7529
......@@ -46,6 +46,7 @@
/config/chroot_local-includes/etc/skel/Desktop/Tails_documentation.desktop
/config/chroot_local-includes/usr/local/share/mime/packages/unlock-veracrypt-volumes.xml
/config/chroot_local-includes/usr/share/applications/org.boum.tails.additional-software-config.desktop
/config/chroot_local-includes/usr/share/applications/root-terminal.desktop
/config/chroot_local-includes/usr/share/applications/tails-documentation.desktop
/config/chroot_local-includes/usr/share/applications/tails-reboot.desktop
/config/chroot_local-includes/usr/share/applications/unsafe-browser.desktop
......
......@@ -35,6 +35,7 @@ STABLE_BRANCH_NAMES = ['stable', 'testing']
EXPORTED_VARIABLES = [
'MKSQUASHFS_OPTIONS',
'APT_SNAPSHOTS_SERIALS',
'TAILS_ACNG_PROXY',
'TAILS_BUILD_FAILURE_RESCUE',
'TAILS_DATE_OFFSET',
'TAILS_MERGE_BASE_BRANCH',
......@@ -212,7 +213,7 @@ task :parse_build_options do
options << 'vmproxy'
# Default to fast compression on development branches
options << 'gzipcomp' unless is_release?
options << 'fastcomp' unless is_release?
# Default to the number of system CPUs when we can figure it out
cpus = system_cpus
......@@ -233,17 +234,21 @@ task :parse_build_options do
abort "No HTTP proxy set, but one is required by TAILS_BUILD_OPTIONS. Aborting." unless EXTERNAL_HTTP_PROXY
ENV['TAILS_PROXY'] = EXTERNAL_HTTP_PROXY
ENV['TAILS_PROXY_TYPE'] = 'extproxy'
when 'vmproxy'
when 'vmproxy', 'vmproxy+extproxy'
ENV['TAILS_PROXY'] = INTERNAL_HTTP_PROXY
ENV['TAILS_PROXY_TYPE'] = 'vmproxy'
if opt == 'vmproxy+extproxy'
abort "No HTTP proxy set, but one is required by TAILS_BUILD_OPTIONS. Aborting." unless EXTERNAL_HTTP_PROXY
ENV['TAILS_ACNG_PROXY'] = EXTERNAL_HTTP_PROXY
end
when 'noproxy'
ENV['TAILS_PROXY'] = nil
ENV['TAILS_PROXY_TYPE'] = 'noproxy'
when 'offline'
ENV['TAILS_OFFLINE_MODE'] = '1'
# SquashFS compression settings
when 'gzipcomp'
ENV['MKSQUASHFS_OPTIONS'] = '-comp gzip -Xcompression-level 1'
when 'fastcomp', 'gzipcomp'
ENV['MKSQUASHFS_OPTIONS'] = '-comp xz'
if is_release?
raise 'We must use the default compression when building releases!'
end
......
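Review bot: `TAILS_ACNG_PROXY` is assigned only in the `vmproxy+extproxy` branch and never cleared in the others, yet the first hunk adds it to `EXPORTED_VARIABLES`. If that list is forwarded from the caller's environment (the forwarding code is outside these hunks), a value left over in the invoking shell would reach the build under plain `vmproxy`, `extproxy` or `noproxy` as well, routing package downloads through a proxy the selected option did not ask for. Resetting it before the options are processed, e.g. `ENV['TAILS_ACNG_PROXY'] = nil`, keeps the proxy chain determined by `TAILS_BUILD_OPTIONS` alone. The `when 'fastcomp', 'gzipcomp'` branch would also benefit from a comment saying that `gzipcomp` appears to be kept only as an alias and now yields `-comp xz`.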
......@@ -82,11 +82,16 @@ if [ $(dpkg --print-architecture) != amd64 ] ; then
fatal "Only amd64 build systems are supported"
fi
# space-separated list of additional packages debootstrap installs
# - gnupg: needed by apt-key, not installed by default anymore on Buster
export LB_BOOTSTRAP_INCLUDE="gnupg"
# init variables
RUN_LB_CONFIG="lb config noauto"
# init config/ with defaults for the target distribution
$RUN_LB_CONFIG --distribution stretch ${@}
$RUN_LB_CONFIG --distribution buster ${@}
# set up everything for time-based snapshots:
if [ -n "${APT_SNAPSHOTS_SERIALS:-}" ]; then
......@@ -146,9 +151,10 @@ $RUN_LB_CONFIG \
--mirror-chroot "$DEBIAN_MIRROR" \
--mirror-binary-security "$DEBIAN_SECURITY_MIRROR" \
--mirror-chroot-security "$DEBIAN_SECURITY_MIRROR" \
--packages-lists="standard" \
--tasks="standard" \
--packages-lists none \
--tasks none \
--linux-packages="linux-image-${KERNEL_VERSION}" \
--security false \
--syslinux-menu vesamenu \
--syslinux-splash data/splash.png \
--syslinux-timeout 4 \
......
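Review bot: `--security false` in the second hunk (by the hunk's line counts it appears to be an added line) sits right after the two `--mirror-*-security` options, and nothing says why live-build's handling of the security archive is switched off. Someone auditing this file cannot tell from here where security updates are configured instead. Because the `$RUN_LB_CONFIG \` call starts before the hunk and its lines are joined by continuations, the explanation has to go above the command, for example `# --security false: security sources are added by <mechanism>, not by live-build`. In the first hunk, `${@}` on the `--distribution buster` line is unquoted; `"$@"` keeps arguments containing spaces intact.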
......@@ -33,8 +33,7 @@ CURRENT_BRANCH=$(git_current_branch)
if [ "$BASE_BRANCH" = stable ] \
|| [ "$BASE_BRANCH" = testing ] \
|| [ "$CURRENT_BRANCH" = feature/buster ] \
|| ( git_on_a_tag && [ "$BASE_BRANCH" = feature/buster ] ) \
|| ( git_on_a_tag && [ "$CURRENT_BRANCH" = feature/buster ] ) \
then
case "$ARCHIVE" in
debian-security)
......
......@@ -59,8 +59,8 @@ for origin in $(list_origins) ; do
# including some version number we'll end up using) or of more
# code complexity (=> higher maintenance cost).
#
# XXX: Stretch: bump the end of the range of major versions
for major in $(seq 2 3) ; do
# XXX: Bullseye: bump the end of the range of major versions
for major in $(seq 3 4 5) ; do
for minor in $(seq 0 32); do
for suffix in "" alpha beta rc ; do
for suffix_n in "" $(seq 1 8); do
......
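Review bot: `$(seq 3 4 5)` does not produce 3, 4 and 5: with three arguments seq reads them as first, increment and last, so it prints only `3`. The loop therefore never enumerates major versions 4 and 5, which contradicts the comment about bumping the end of the range; the old `seq 2 3` used the two-argument form. The line should read `for major in $(seq 3 5) ; do` (or `seq 3 4` if only two majors are intended). The enclosing `for origin` loop starts and ends outside the hunk, so what consumes the generated versions is not visible here.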
# This library is meant to be used in bash, with "set -e" and "set -u".
BASE_BRANCHES="stable testing devel feature/buster"
BASE_BRANCHES="stable testing devel"
# Returns "" if in undetached head
git_current_branch() {
......
......@@ -39,20 +39,3 @@ CHROOT_TEMP_APT_SOURCES='chroot/etc/apt/sources.list.d/tmp-deb-src.list'
mkdir -p "$LINUX_BINARY_UTILS_DIR" "$WIN32_BINARY_UTILS_DIR" "$BINARY_MBR_DIR"
cp "$CHROOT_SYSLINUX_BIN" "$LINUX_BINARY_UTILS_DIR/"
cp "$CHROOT_SYSLINUX_MBR" "$BINARY_MBR_DIR/mbr.bin"
cat chroot/etc/apt/sources.list chroot/etc/apt/sources.list.d/*.list \
| grep --extended-regexp --invert-match \
'file:/root/local-packages' \
| grep --extended-regexp --invert-match \
'^deb\s+http://tagged\.snapshots\.deb\.tails\.boum.org/[^/]+/torproject(/|\s)' \
| grep --extended-regexp --invert-match \
'^deb\s+http://time-based\.snapshots\.deb\.tails\.boum.org/torproject/' \
| sed --regexp-extended -e 's,^deb(\s+),deb-src\1,' \
> "$CHROOT_TEMP_APT_SOURCES"
Chroot chroot apt-get --yes update
Chroot chroot apt-get --yes install dpkg-dev
Chroot chroot apt-get source syslinux="$(syslinux_deb_version_in_chroot)"
cp chroot/syslinux-*/bios/win32/syslinux.exe "$WIN32_BINARY_UTILS_DIR/"
rm -r chroot/syslinux*
rm "$CHROOT_TEMP_APT_SOURCES"
Chroot chroot apt-get --yes purge dpkg-dev make # dpkg-dev depends on make
......@@ -15,11 +15,6 @@ Package: electrum python3-electrum
Pin: origin deb.tails.boum.org
Pin-Priority: 999
Explanation: Electrum dependencies
Package: python3-jsonrpclib-pelix python3-pyaes
Pin: release o=Debian,n=stretch-backports
Pin-Priority: 999
Package: enigmail
Pin: origin deb.tails.boum.org
Pin-Priority: -1
......@@ -50,114 +45,31 @@ Package: firmware-zd1211
Pin: release o=Debian,n=sid
Pin-Priority: 999
Package: fonts-noto*
Pin: release o=Debian,n=sid
Pin-Priority: 999
Explanation: src:gdk-pixbuf
Package: gir1.2-gdkpixbuf-2.0 libgdk-pixbuf2.0-*
Pin: version 2.36.5-2.0tails*
Pin-Priority: -1
Explanation: not available in Stretch; XXX:Buster: remove this entry
Package: hunspell-id hunspell-tr
Pin: release o=Debian,n=sid
Pin-Priority: 990
Package: intel-microcode
Pin: release o=Debian,n=stretch-backports
Pin-Priority: 990
Package: libfunction-parameters-perl
Pin: release o=Debian,n=stretch-backports
Pin-Priority: 999
Package: linux-compiler-* linux-headers-* linux-image-* linux-kbuild-* linux-source-*
Pin: release o=Debian,n=sid
Pin-Priority: 999
Explanation: src:libdrm
Package: libdrm*
Pin: release o=Debian,n=stretch-backports
Pin-Priority: 999
Explanation: src:libclc
Package: libclc*
Pin: release o=Debian,n=stretch-backports
Pin-Priority: 999
Explanation: src:libglvnd
Package: libglvnd* libegl1 libgles2 libgl1 libglx0 libopengl0
Pin: release o=Debian,n=stretch-backports
Pin-Priority: 999
Explanation: src:llvm-toolchain-5.0
Package: clang* libclang* libfuzzer-* python-clang-* libllvm* llvm-* lld-* liblld-* lldb-* liblldb-* python-lldb-*
Pin: release o=Debian,n=stretch-backports
Pin-Priority: 999
Explanation: src:mesa
Package: lib*-mesa* libgbm* libosmesa* libxatracker* mesa*
Pin: release o=Debian,n=stretch-backports
Explanation: src:live-boot (#15477)
Package: live-boot live-boot-doc live-boot-initramfs-tools
Pin: origin deb.tails.boum.org
Pin-Priority: 999
Package: obfs4proxy
Pin: release o=TorProject,n=obfs4proxy
Pin-Priority: 990
Explanation: src:systemd
Explanation: systemd >= v233 required for meek_lite and enable the unsafe browser and Tor launcher applications to do clearnet DNS resolution. (#8243)
Package: systemd systemd-sysv systemd-container systemd-journal-remote systemd-coredump systemd-tests libpam-systemd libnss-myhostname libnss-mymachines libnss-resolve libnss-systemd libsystemd0 libsystemd-dev udev libudev1 libudev-dev udev-udeb libudev1-udeb
Pin: release o=Debian,n=stretch-backports
Pin-Priority: 999
Explanation: src:systemd
Explanation: systemd >= v240 required to fix CVE-2018-16864, CVE-2018-16865 and CVE-2018-16866 (#16352)
Package: systemd systemd-sysv systemd-container systemd-journal-remote systemd-coredump systemd-tests libpam-systemd libnss-myhostname libnss-mymachines libnss-resolve libnss-systemd libsystemd0 libsystemd-dev udev libudev1 libudev-dev udev-udeb libudev1-udeb
Pin: origin deb.tails.boum.org
Pin-Priority: 999
Package: openpgp-applet
Pin: release o=Debian,n=sid
Pin-Priority: 999
Package: tails-installer
Pin: origin deb.tails.boum.org
Pin-Priority: 999
Package: virtualbox*
Pin: release o=Debian,n=stretch-backports
Pin-Priority: 999
Explanation: src:vulkan
Package: vulcan* libvulkan*
Pin: release o=Debian,n=stretch-backports
Pin-Priority: 999
Explanation: src:wayland and src:wayland-protocols
Package: libwayland* wayland-protocols
Pin: release o=Debian,n=stretch-backports
Pin-Priority: 999
Explanation: #15833
Package: xserver-xorg-video-nouveau
Pin: version 1:1.0.15-3~bpo9+0tails1
Pin-Priority: -1
Explanation: src:xorg-server
Package: xserver-xorg-core xserver-xorg-dev xdmx xdmx-tools xnest xvfb xserver-xephyr xserver-common xorg-server-source xwayland xserver-xorg-legacy
Pin: release o=Debian,n=stretch
Pin: release o=Debian,n=sid
Pin-Priority: 999
Package: webext-ublock-origin
Pin: release o=Debian,n=sid
Pin-Priority: 999
Explanation: compatibility with TB60
Package: xul-ext-torbirdy
Pin: release o=Debian,n=stretch-backports
Pin-Priority: 999
Explanation: weirdness in chroot_apt install-binary
Package: *
Pin: release o=chroot_local-packages
......@@ -168,25 +80,21 @@ Pin: origin deb.tails.boum.org
Pin-Priority: 990
Package: *
Pin: release o=Debian,n=stretch-updates
Pin: release o=Debian,n=buster
Pin-Priority: 990
Package: *
Pin: release l=Debian-Security,n=stretch/updates
Pin: release o=Debian,n=buster-updates
Pin-Priority: 990
Package: *
Pin: release o=Debian,n=stretch
Pin: release l=Debian-Security,n=buster/updates
Pin-Priority: 990
Package: *
Pin: release o=TorProject,n=stretch
Pin: release o=TorProject,n=buster
Pin-Priority: 990
Package: *
Pin: origin live.debian.net
Pin-Priority: -1
Package: *
Pin: release o=Debian
Pin-Priority: -10
......
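Review bot: The `xserver-xorg-core …` stanza now reads `Pin: release o=Debian,n=sid` at priority 999 (the `n=stretch` line printed above it looks like the old side), but its only annotation is `Explanation: src:xorg-server`. Other entries in this file record a ticket or a removal marker (`Explanation: #15833`, `XXX:Buster: remove this entry`), whereas this one gives no reason for tracking unstable for the X server and no condition for dropping the pin. Add a second line such as `Explanation: needs <reason>; drop once available in buster (#NNNNN, placeholder)` so the pin gets revisited instead of staying indefinitely.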
#! /bin/sh
set -e
set -u
set -x
echo "Checking if we should stop shipping our own AppArmor feature set"
if [ -f /usr/share/apparmor-features/features ] \
&& [ -f /usr/share/apparmor-features/Tails.features ]; then
if cmp --quiet /usr/share/apparmor-features/features.Tails \
/usr/share/apparmor-features/features; then
echo "Debian ships the same AppArmor feature set as ours. " \
"Likely we can now remove our own one." >&2
else
echo "Debian ships a different AppArmor feature set from ours. " \
"Likely our own one is outdated and can be removed:" >&2
diff -Naur \
/usr/share/apparmor-features/features.Tails \
/usr/share/apparmor-features/features \
>&2
fi
# In any case, we probably have to do something about it.
exit 1
fi
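Review bot: The guard tests `/usr/share/apparmor-features/Tails.features`, but the `cmp` and `diff` calls below read `/usr/share/apparmor-features/features.Tails`. Whichever name is real, one of the two is wrong: either the `-f` test never succeeds and the check passes without comparing anything, or `cmp`/`diff` run against a missing file. The page does not show whether this file is added or removed by the merge; if it stays, use one spelling throughout, e.g. `&& [ -f /usr/share/apparmor-features/features.Tails ]; then`.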
......@@ -95,53 +95,5 @@ Change_gid () {
fi
}
# Temporarily give these users and groups a UID/GID that's out of the way,
# to avoid collisions
Change_uid debian-tor 1070
Change_uid speech-dispatcher 1080
Change_uid colord 1090
Change_uid saned 1100
Change_uid pulse 1110
Change_uid hplip 1120
Change_uid Debian-gdm 1130
Change_gid messagebus 1050
Change_gid ssh 1090
Change_gid memlockd 1100
Change_gid ssl-cert 1110
Change_gid vboxsf 1120
Change_gid debian-tor 1140
Change_gid lpadmin 1150
Change_gid scanner 1160
Change_gid colord 1170
Change_gid saned 1180
Change_gid pulse 1190
Change_gid pulse-access 1200
Change_gid Debian-gdm 1210
Change_gid kvm 1500
Change_gid render 1510
Change_gid Debian-exim 1520
# Finally, give these users and groups the desired UID/GID
Change_uid debian-tor 107
Change_uid speech-dispatcher 108
Change_uid colord 109
Change_uid saned 110
Change_uid pulse 111
Change_uid hplip 112
Change_uid Debian-gdm 113
Change_gid messagebus 105
Change_gid ssh 109
Change_gid memlockd 110
Change_gid ssl-cert 111
Change_gid vboxsf 112
Change_gid debian-tor 114
Change_gid lpadmin 115
Change_gid scanner 116
Change_gid colord 117
Change_gid saned 118
Change_gid pulse 119
Change_gid pulse-access 120
Change_gid Debian-gdm 121
Change_gid kvm 150
Change_gid render 151
Change_gid Debian-exim 152
# Free the GID 122, we need for tails-persistence-setup
Change_gid Debian-gdm 200
......@@ -8,6 +8,16 @@ set -e
# This allows us to give it special privileges (e.g. access via udisk
# to internal disks and to the boot medium) that we don't want to give
# to the desktop user.
#
# The UID and GID for this user and group need to remain the same (respectively:
# 115 and 122) accross Tails releases: they are encoded numerically in ACLs
# which allow tails-persistence-setup to update persistence configuration
# files. If these UID and GID changed:
# - when enabling a persistent volume, persistence configuration files
# created with older Tails versions would be treated as unsafe and
# thus disabled;
# - tails-persistence-setup would not be allowed to modify persistence
# configuration files created with an older Tails version.
echo "Creating the tails-persistence-setup user"
......
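Review bot: The added comment says UID 115 and GID 122 must stay fixed because persistence ACLs encode them numerically, but nothing in the visible lines enforces that; the account creation itself is outside the hunk. Since a drift would cause older persistence configuration files to be treated as unsafe, the hook should fail the build when the IDs differ, e.g. `[ "$(id -u tails-persistence-setup)" = 115 ] || exit 1` and `[ "$(id -g tails-persistence-setup)" = 122 ] || exit 1` right after the user is created. Separately, `accross` in the new comment should be `across`.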
......@@ -8,22 +8,21 @@ echo "Setting up a build environment for kernel modules"
. /usr/share/tails/build/variables
# Import ensure_hook_dependency_is_installed() and
# install_fake_package()
# Import ensure_hook_dependency_is_installed()
. /usr/local/lib/tails-shell-library/build.sh
# Install gcc-6 and fake linux-compiler-gcc-8-x86
# (linux-headers-4.19+ depends on it, but Stretch hasn't GCC 8)
# XXX:Buster: remove this hack.
ensure_hook_dependency_is_installed gcc-6
NEWEST_INSTALLED_KERNEL_VERSION="$(
dpkg-query --showformat '${Version}\n' --show 'linux-image-*-amd64' \
| sort --version-sort | tail -n1
)"
install_fake_package \
linux-compiler-gcc-8-x86 \
"${NEWEST_INSTALLED_KERNEL_VERSION}~0tails1"
ln -s /usr/bin/gcc-6 /usr/bin/gcc-8
# # Install gcc-6 and fake linux-compiler-gcc-8-x86
# # (linux-headers-4.19+ depends on it, but Stretch hasn't GCC 8)
# # XXX:Buster: remove this hack.
# ensure_hook_dependency_is_installed gcc-6
# NEWEST_INSTALLED_KERNEL_VERSION="$(
# dpkg-query --showformat '${Version}\n' --show 'linux-image-*-amd64' \
# | sort --version-sort | tail -n1
# )"
# install_fake_package \
# linux-compiler-gcc-8-x86 \
# "${NEWEST_INSTALLED_KERNEL_VERSION}~0tails1"
# ln -s /usr/bin/gcc-6 /usr/bin/gcc-8
ensure_hook_dependency_is_installed \
build-essential \
......
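Review bot: The gcc-6 / fake `linux-compiler-gcc-8-x86` workaround is commented out line by line instead of being deleted, although its own note says `XXX:Buster: remove this hack` and the import comment above was already trimmed to drop `install_fake_package()`. Commented-out build steps that create a `/usr/bin/gcc-8` symlink invite accidental re-enabling and leave a reader unsure which compiler the kernel modules are built with. Delete the block; version control keeps the history.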
#!/bin/sh
set -e
echo "Creating the Root Terminal .desktop file"
TMP="$(mktemp -d)"
cd "${TMP}"
apt-get download gksu
dpkg-deb --extract gksu_*.deb .
mv ./usr/share/pixmaps/gksu-root-terminal.png /usr/share/pixmaps/
sed 's@^Exec=.*$@Exec=/usr/local/bin/gnome-terminal-pkexec@' \
./usr/share/applications/gksu.desktop \
> /usr/share/applications/root-terminal.desktop
cd /
rm -r "${TMP}"
......@@ -6,7 +6,9 @@ set -e
# console-common in, which plymouth conflicts with, so we have to deal
# with that at this stage.)
echo "Installing Plymouth"
echo "Installing and configuring Plymouth"
apt-get --yes purge console-common
apt-get --yes install plymouth
patch -p1 < /usr/share/tails/build/plymouth-theme.diff
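Review bot: `patch -p1 < /usr/share/tails/build/plymouth-theme.diff` resolves paths relative to whatever directory the hook happens to run in, and the visible lines never set it. Assuming the diff's paths are rooted at `/`, making the target explicit with `patch --directory=/ -p1 < /usr/share/tails/build/plymouth-theme.diff` keeps the hook from touching or failing on the wrong tree. Adding `--fuzz=0` would also stop the build when the packaged theme drifts from what the diff expects, rather than applying hunks approximately.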
......@@ -11,9 +11,7 @@ echo "Deleting unused AppArmor profiles"
sbin.klogd \
sbin.syslogd \
sbin.syslog-ng \
usr.lib.dovecot.* \
usr.sbin.dnsmasq \
usr.sbin.dovecot \
usr.sbin.identd \
usr.sbin.mdnsd \
usr.sbin.nmbd \
......
......@@ -67,3 +67,9 @@ systemctl mask apt-daily.timer
# Do not let pppd-dns manage /etc/resolv.conf
systemctl mask pppd-dns.service
# Conflicts with our custom shutdown procedure
systemctl mask live-tools.service
# "Daily man-db regeneration" is not needed in Tails (#16631)
systemctl mask man-db.timer
......@@ -18,6 +18,8 @@ done
rm \
/usr/share/applications/gnome-online-accounts-panel.desktop \
/usr/share/applications/laptop-mode-tools.desktop \
/usr/share/applications/lstopo.desktop \
/usr/share/applications/nm-connection-editor.desktop \
/usr/share/applications/sniff.desktop
sed -i'' --regexp-extended 's,^Exec=pidgin$,Exec=/usr/local/bin/pidgin,' \
......
......@@ -17,33 +17,34 @@ echo "Removing unwanted packages"
apt-get --yes purge \
'^linux-compiler-*' \
'^linux-kbuild-*' \
debhelper dpkg-dev \
'^binutils*' \
build-essential \
debhelper \
dh-autoreconf \
dpkg-dev \
fakeroot \
gcc gcc-6 \
intltool-debian \
gcc-7 \
gcc-8 \
gdbm-l10n \
libc-dev-bin \
libc6-dev \
libelf-dev \
libgcc-7-dev \
libgcc-8-dev \
libtool \
linux-libc-dev \
make \
po-debconf \
rsyslog \
libdvdcss-dev
### Deinstall a few unwanted packages that were pulled by tasksel
### since they have Priority: standard.
apt-get --yes purge \
apt-listchanges \
debian-faq \
doc-debian \
'^exim4*' \
m4 \
mlocate \
ncurses-term \
nfs-common \
python3-reportbug \
reportbug \
telnet \
texinfo \
wamerican
texinfo
### Deinstall a few unwanted packages that were pulled by the xorg
### metapackage.
......@@ -68,10 +69,8 @@ fi
### Deinstall some other unwanted packages.
apt-get --yes purge \
'^aptitude*' \
krb5-locales \
libdvdcss2-dbgsym \
live-build \
locales \
rpcbind \
tasksel \
tasksel-data \
......