Commit 4f79e5fe authored by sajolida

Merge remote-tracking branch 'origin/master' into web/16128-verification-on-page

parents 168a1b64 4c7cc012
......@@ -8,8 +8,8 @@ msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: tails-l10n@boum.org\n"
"POT-Creation-Date: 2020-11-17 11:41+0000\n"
"PO-Revision-Date: 2020-11-16 20:43+0000\n"
"Last-Translator: Chre <tor@renaudineau.org>\n"
"PO-Revision-Date: 2020-12-05 00:43+0000\n"
"Last-Translator: Corl3ss <corl3ss@corl3ss.com>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
"Language: fr\n"
"MIME-Version: 1.0\n"
......@@ -257,10 +257,8 @@ msgstr ""
"bloqueur de publicité"
#. type: Content of: <section><div><ul><li>
#, fuzzy
#| msgid "<i>Thunderbird</i> with <i>Enigmail</i>, for encrypted emails"
msgid "<i>Thunderbird</i>, for encrypted emails"
msgstr "<i>Thunderbird</i> avec <i>Enigmail</i>, pour les emails chiffrés"
msgstr "<i>Thunderbird</i>, pour les messages électroniques chiffrés"
#. type: Content of: <section><div><ul><li>
msgid "<i>KeePassXC</i>, to create and store strong passwords"
......
......@@ -65,17 +65,36 @@ XXX: If you feel like it and developers, foundation team, and RMs don't do it th
Documentation and website
=========================
XXX: If you feel like it and technical writers don't do it
themselves, explore the Git history:
- Planned the [[!tails_ticket 16128 desc="deprecation of the Tails
Verification extension"]]. We will publish a [[!tails_gitweb_commit b6d965c1f5
desc="deprecation notice on /news"]] and remove the extension from app
stores a few weeks later.
git log --patch --since='1 October' --until='1 November' origin/master -- "doc**.*m*" "about**.*m*" "support**.*m*" "install**.*m*" "upgrade**.*m*"
- Documented how to use [[GMail in
Thunderbird|doc/anonymous_internet/thunderbird#gmail]].
([[!tails_ticket 17879]])
- Explained why is a [[bad idea to use an old version of
Tails|support/faq#older-version]] in the FAQ. ([[!tails_ticket 18001]])
- Recommended [[doing backups|install/win/usb#recommendations]] at the end of
our installation instructions. ([[!tails_ticket 18000]])
- Decided to remove */support/learn*. ([[!tails_ticket 17920]])
- Updated our doc to Thunderbird 78 and wrote [[migration
instructions|doc/anonymous_internet/thunderbird/openpgp_migration]].
([[!tails_ticket 17147]])
User experience
===============
XXX: If you feel like it and the UX team does not do it
themselves, check the archives of tails-ux:
<https://lists.autistici.org/list/tails-XXX.html>
- Published improved consent documents for user research: ([[!tails_ticket 16534]])
* [Consent form](https://gitlab.tails.boum.org/tails/ux/-/raw/master/tools/consent_form.fodt)
* [Research information sheet](https://gitlab.tails.boum.org/tails/ux/-/raw/master/tools/research_information_sheet.fodt)
- Cleaned our user research data for 2021/2022. ([[!tails_ticket 17409]])
Hot topics on our help desk
===========================
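Review bot: In the "Documentation and website" list, the entry "Explained why is a [[bad idea to use an old version of Tails|support/faq#older-version]]" is missing its subject; suggest "Explained why it is a bad idea to use an old version of Tails". In the "User experience" list, "Cleaned our user research data for 2021/2022" names a period later than the 2020 events the rest of this report refers to (Privacy Week 2020, the RIPE 2020 funding round), so please confirm the years.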
......@@ -94,11 +113,26 @@ Infrastructure
Funding
=======
XXX: The fundraising team should look at the fundraising Git.
- The first numbers that we could analyze for the donation campaign look
very promising compared to the same period last year:
* PayPal: 34% more donations, 28% more money
* Bitcoin: 62% more donations
* Monero: 205% more donations
git log --patch --since='1 December' --until='1 January' origin/master
- We programmed our biggest Twitter campaign ever: 34 tweets, 1 tweet
every 2 days at most. Half of them are not direct calls to donate but
rather build up on the new Home and About pages to talk about the
main properties of Tails.
XXX: The fundraising and accounting teams should look at the archives of <tails-fundraising@boum.org> and <tails-accounting@boum.org>.
- We decided not to blog about the donation campaign for now because our
team is seriously overworked. It doesn't seem to have impacted the
campaign significantly. We might still blog about achievements and
plans in December.
- Our grant to RIPE on [improving Tails for censorship
circumvention](https://www.ripe.net/support/cpf/funding-recipients-2020)
was approved.
Outreach
========
......@@ -106,7 +140,9 @@ Outreach
Past events
-----------
Tails in Privacy Week 2020 <https://media.ccc.de/v/pw20-342-tails>
* Tails in [Privacy Week 2020](https://media.ccc.de/v/pw20-342-tails).
* Tails was presented (among other tools) to journalism students at [Sciences Po Rennes](http://www.sciencespo-rennes.fr/en/) (Rennes, France).
Upcoming events
---------------
......
......@@ -72,6 +72,8 @@ Outreach
Past events
-----------
* Tails was presented (among other tools) to journalism students at [Sciences Po Rennes](http://www.sciencespo-rennes.fr/en/) (Rennes, France).
Upcoming events
---------------
......
Corresponding ticket: [[!tails_ticket 8573]]
It would be nice to replace Pidgin with another secure IM client. Unfortunately no good alternative seems to exist today. To be able to decide, if another IM client would be a suitable replacement this document should list the requirements a client needs to fulfill to fit the bill.
We want to replace Pidgin with a more secure IM client.
The document can also list candidate clients together with some indication where they are lacking (and where they shine).
This document lists our requirements and candidate clients, along with their pros and cons.
[[!toc levels=3]]
# Requirements
**Note**: this is a work in progress. See [[!tails_ticket 11686]]
and its blockers for the next steps.
**Note**: the key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
"SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
......@@ -22,10 +19,8 @@ and its blockers for the next steps.
The client SHOULD support the following use cases:
1. Contributing to Free Software projects that use IRC chatrooms (and won't switch to anything else any time soon)
2. Contributing to Free Software projects that use XMPP chatrooms
3. One-to-one chat that is compatible with currently widespread practice. That basically means XMPP + OTR, nowadays.
4. Participation in public chatrooms for Tails user support.
1. Use Tails' XMPP public and internal chatrooms
2. One-to-one chat that is compatible with currently widespread practice. That basically means XMPP + OMEMO, nowadays.
The client MAY support the following use cases:
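Review bot: The rewritten SHOULD list no longer mentions IRC at all, yet the requirements further down in this same file still carry an "## IRC" section whose "### SASL" entry reads "The client must support SASL authentication." Either drop that section or list IRC under "The client MAY support the following use cases", so that a candidate is not rejected for missing a protocol the use cases no longer ask for.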
......@@ -49,11 +44,22 @@ The client must support connections using TLS.
The client must support Tor and must not leak any private data (hostname, username, local IP, ...) at the application level.
### Support for OTR
### Support for OMEMO
The client must support OMEMO and should make it easy to enforce usage of OMEMO for all conversations or only for specific contacts.
Ideally, some usability study for the OMEMO user interface has been done.
Resources:
The client must support OTR and should make it easy to enforce usage of OTR for all conversations or only for specific contacts.
- [clients support](https://omemo.top/)
- [[!tails_gitlab 11541]]
- [[!wikipedia OMEMO]]
- [XEP-0384](http://xmpp.org/extensions/xep-0384.html)
Ideally, some usability study for the OTR user interface has been done.
### Support for OTR
The client MAY support OTR and make it easy to enforce usage of OTR for specific contacts.
### Other
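Review bot: The new "Support for OMEMO" text uses lowercase "must" and "should" ("The client must support OMEMO and should make it easy to enforce usage of OMEMO"), while the document declares the RFC-style key words in capitals and the reworded OTR paragraph right below uses "MAY". Suggest "MUST" and "SHOULD" here so the requirement level of OMEMO versus OTR is unambiguous. The XEP-0384 resource link is also given as `http://xmpp.org/...` whereas the XEP-0045 link in the MUC section uses `https://xmpp.org/...`; use https for both.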
......@@ -77,13 +83,124 @@ Suggested by sajolida on <https://mailman.boum.org/pipermail/tails-dev/2016-Janu
### MUC
The client must support XMPP conference rooms [(XEP-0045)](https://xmpp.org/extensions/xep-0045.html).
## IRC
### SASL
The client must support SASL authentication.
# Candidate alternatives
## CoyIM
## Dino
* [homepage](https://github.com/dino/dino)
* implemented in GTK+/Vala
* supports XMPP, OMEMO and OpenPGP; OTR support is
[not high on the todo list](https://github.com/dino/dino/issues/97)
* Supports Tor, works in Tails. [Wiki page on Dino with Tor](https://github.com/dino/dino/wiki/Tor)
* is [[!debpts dino-im desc="in Debian"]] Buster
* the Debian maintainer wants to add an AppArmor profile and got in
touch with intrigeri about it
* Translated into 25+ languages
* Small but quickly increasing popularity:
<https://qa.debian.org/popcon.php?package=dino-im>
* Simple and modern-looking GUI
* Simple account setup wizard. First-run experience feels good. -- intrigeri
* Requires valid TLS certificate, which prevents connecting to Onion XMPP servers:
- <https://github.com/dino/dino/issues/57>
- <https://github.com/dino/dino/issues/452>
- <https://github.com/dino/dino/pull/209>
Is there a way for power-users to workaround this?
* Reading encrypted OMEMO messages received from a Gajim user always worked out of the box.
* Sending encrypted OMEMO messages to a Gajim user did not work initially (looks
like <https://github.com/dino/dino/issues/873> and
<https://github.com/dino/dino/issues/206>). But it turns out it was a caused
by a XMPP server that is known to have odd issues. It worked just fine
with another XMPP server.
### Security
- 28k lines of Vala + 1k lines of C = 29k lines of code
- Track record:
- In 2019, [Multiple protocol implementation
errors](https://gultsch.de/dino_multiple.html) were discovered in Dino:
- [[!cve CVE-2019-16237]]: an attacker can send messages in the name of someone else
(previously found in other XMPP clients: CVE-2017-5589+)
- [[!cve CVE-2019-16236]]: remote attackers can modify the roster (previously
found in Gajim: CVE-2015-8688)
- [[!cve CVE-2019-16235]]: does not properly check the source of a carbons message
As that document says, "When confronted with the fact that the same trivial
vulnerabilities have been discovered in multiple, independent clients one
can not avoid the question if there is a more fundamental issue underneath
that causes different developers to all make the same mistakes."
Indeed, at the time, the corresponding XEPs lacked sufficient information
to implement them securely.
- intrigeri's conclusion (2020-12-07):
- Looks OK to me, but Dino is pretty recent
and not widespread, so this could be a case that nobody bothered looking
closely enough.
- Dino's small feature set suggests it should be easy to confine it with AppArmor.
## Gajim
* XMPP client
* in Debian
* OMEMO plugin is in Debian Buster
* OTR v3 plugin is not in Debian
* People from Security-in-a-Box have used it successfully in Tails.
* Large established user base (<https://qa.debian.org/popcon.php?package=gajim>)
for a XMPP client. Stagnating since about 10 years.
* Account setup wizard is confusing: when one wants to enable Tor, one also has to fill in
other advanced settings.
* By default, tries to save passwords to the GNOME password store,
which we decided is hard to persist. This can be disabled.
* Allows accepting an arbitrary TLS certificate, which allows connecting to
Onion XMPP servers.
### Security
- 86k lines of Python + 2k for the OMEMO plugin = 88k lines of code
- D-Bus capabilities: can be disabled?
- Track record:
- [[!cve CVE-2016-10376]]: allows being controlled by the XMPP server
- [[!cve CVE-2015-8688]]: remote attackers can modify the roster and intercept
messages
- [[!cve CVE-2012-5524]]: custom SSL certificate verification callback
accepted CA-signed certificates for any domain.
- [[!cve CVE-2012-2085]] aka. https://dev.gajim.org/gajim/gajim/-/issues/7031:
remote code execution by building command lines out of untrusted input.
- Gajim ships with a plugin called "plugin installer" which allows a user to
download new plugins. This sounds suspicious for security, because plugins are
pieces of code running with full privilege. The implementation in Debian use
unverified TLS connection, which is very very open to MITM. The development
version has switched to verified HTTPS connection and is trying to make it
more robust.
However, I think that Tails should not ship this plugin installer at all: it
allows a user to download code without needing sudo. We could work debian-side
to separate gajim-plugininstaller in a separate package so that Tails can
choose not to install it?
- intrigeri's conclusion (2020-12-07):
- Having tons of powerful features increases attack surface and the risk of
secure programming mistakes. Gajim's security track record in 2012 is not
confidence inspiring, to say the least. OTOH the worst problems happened
many years ago, so perhaps the Gajim project has updated their processes to
lower the risks of introducing other really bad security issues?
- The plugin installer is not confidence inspiring either.
- Gajim's large feature set suggests it may be hard to write an AppArmor
profile that provides meaningful security, while not breaking too
much functionality.
## Does not meet our requirements
### CoyIM
* [Homepage](https://coy.im/)
* [Github](https://github.com/coyim/coyim/)
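Review bot: In the Gajim "Security" list, the plugin installer finding ("The implementation in Debian use unverified TLS connection") names neither the Debian release nor the Gajim version it was observed in, and the follow-up "However, I think that Tails should not ship this plugin installer at all" is an unsigned first-person opinion, unlike the dated "intrigeri's conclusion (2020-12-07)" entries around it. Suggest adding the package version and a date so readers can tell whether the MITM exposure still applies, and attributing the opinion. The Gajim bullet "Allows accepting an arbitrary TLS certificate" would also benefit from a cross-reference to the CVE-2012-5524 entry below it, since both concern certificate validation. Minor: "it was a caused by a XMPP server" in the Dino list has a stray "a".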
......@@ -99,36 +216,13 @@ The client must support SASL authentication.
* No logging, no clickable links.
* Not audited.
* Test results in Tails: [[!tails_ticket 8574]]
* No OMEMO support.
## dino
* [homepage](https://github.com/dino/dino)
* implemented in GTK+/Vala
* supports XMPP, OMEMO and OpenPGP; OTR support is
[not high on the todo list](https://github.com/dino/dino/issues/97)
* Supports Tor, works in Tails. [Wiki page on Dino with Tor](https://github.com/dino/dino/wiki/Tor)
* is [[!debpts dino-im desc="in Debian"]] Buster
* the Debian maintainer wants to add an AppArmor profile and got in
touch with intrigeri about it
* Translated into 25+ languages
## Gajim
XMPP client in Debian with plugins for OTR and [OMEMO](https://en.wikipedia.org/wiki/OMEMO) (Signal-like, [XEP-0384](http://xmpp.org/extensions/xep-0384.html)) but no IRC. Tickets were created and rejected some time ago
([[!tails_ticket 7868]] and [[!tails_ticket 11541]]) but might be worth
reconsidering after updating this blueprint ([[!tails_ticket 11686]]).
People from Security-in-a-Box have used it successfully in Tails.
Gajim ships with a plugin called "plugin installer" which allows a user to download new plugins. This sounds suspicious for security, because plugins are pieces of code running with full privilege. The implementation in Debian use unverified TLS connection, which is very very open to MITM. The development version has switched to verified HTTPS connection and is trying to make it more robust.
However, I think that Tails should not ship this plugin at all: it allows a user to download code without needing sudo. We could work debian-side to separate gajim-plugininstaller in a separate package so that Tails can choose not to install it?
## Thunderbird
### Thunderbird
- Thunderbird 75 Beta will support OTR after enabling the `chat.otr.enable`
pref: <https://wiki.mozilla.org/Thunderbird:OTR>
## No longer viable
* No OMEMO support: <https://bugzilla.mozilla.org/show_bug.cgi?id=1237416>
### Tor Messenger ([[!tails_ticket 8577]])
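Review bot: The Thunderbird entry, now filed under "Does not meet our requirements", still says "Thunderbird 75 Beta will support OTR after enabling the `chat.otr.enable` pref" in the future tense, while the monthly report touched by this same commit says the documentation was updated to Thunderbird 78. Suggest restating the bullet for the version Tails actually ships and putting the disqualifying reason first, so the entry explains why it sits in this section.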
......@@ -139,7 +233,7 @@ Tor Messenger is no more: https://blog.torproject.org/sunsetting-tor-messenger
`8e3157d5f4cd7894bca21adf6b95a6b49d9beb01`) except the TODO about
StartTLS (I bet it has the code for it though, since Thunderbird
supports it, but I in the GUI there is only "Enable SSL" as options
for IRC and XMPP).
for XMPP).
* The GUI is very similar to Pidgin's, which might be a bonus point
since we are looking for a "Pidgin replacement".
* It has support for "temporary XMPP accounts" that require no
......
......@@ -2,7 +2,7 @@
[[!tails_ticket 14545]]
[[!toc levels=2]]
[[!toc levels=3]]
Past surveys
============
......@@ -15,44 +15,131 @@ Future surveys
Research questions
------------------
- Size of user base
### Size of user base
- How many users do we really have?
- Right now we only have number of boots per day but combining this
with how frequently people use Tails, we could extrapolate rough
number of users and maybe usage categories (fraction of frequent
users and occasional users, etc.).
- How many users do we really have?
- Technical skills
Right now we only have number of boots per day but combining this
with how frequently people use Tails, we could extrapolate rough
number of users and maybe usage categories (fraction of frequent
users and occasional users, etc.).
- How technically skilled are our users?
- How big is the difference between the technical skills of our target
audience and real audience?
- Is there a match between how hard Tails is to use and the skills of
our actual users?
### Technical skills
- Region
- How technically skilled are our users?
- How big is the difference between the technical skills of our target
audience and real audience?
- Is there a match between how hard Tails is to use and the skills of
our actual users?
- Is Tails useful and accessible by a global audience?
- Information on where Tails is used the most is very helpful for
fundraising, outreach, or translation efforts.
### Region
- Current features
- Is Tails useful and accessible by a global audience?
- What are people using Tails the most?
This would help us clarify what are the most important features of
Tails and prioritize incremental improvements.
- Information on where Tails is used the most is very helpful for
fundraising, outreach, or translation efforts.
- New features
### Current features
- How shall we prioritize our future plans?
- What is missing the most in Tails?
This would help us build a better roadmap.
- What are people using Tails the most?
- OpenPGP
This would help us clarify what are the most important features of
Tails and prioritize incremental improvements.
- How many users use OpenPGP mostly to verify downloads?
- How many users use KeePassX to type their OpenPGP passphrase? ([[!tails_ticket 17867]])
### New features
- How shall we prioritize our future plans?
- What is missing the most in Tails?
This would help us build a better roadmap.
### OpenPGP
- How many users use OpenPGP mostly to verify downloads?
- How many users use KeePassX to type their OpenPGP passphrase? ([[!tails_ticket 17867]])
### Upgrades
We used to have quantitative data on which versions our users were
running but we lost this in 4.2. ([[!tails_ticket 17545]])
In April 2019, 10 days after 3.13:
- 28.7% of users were using an outdated version
- 5.3% of users were using a version that was between 6 and 12 months old
- 4.1% of users were using a version that was more than 12 months old
- 1.6% of users were stuck with 3.5, which was 14 months old and the last forced manual upgrade
See the [detailed analysis](https://gitlab.tails.boum.org/tails/ux/-/raw/master/upgrades/april-2019.ods).
What user research could we do to complete this quantitative data?
What we already have:
- Qualitative info here and there about upgrades being painful
- [[Roberto, October 2019|contribute/how/user_experience/interviews/roberto]]:
> More than anything, they are upgrades constantly. Sometimes it takes us a
> whole day to do an upgrade and then there's another one the week after. I
> could do some parts of it but not everything.
> Each time there's an upgrade we have to do a backup, I'm not sure if
> that's for security or for technical reasons. GlobaLeaks also have expiring
> GPG keys and we have to make sure that the GPG keys match or otherwise I
> could loose files.
- [[Joana and Orlando, January 2018|contribute/how/user_experience/interviews/joana_orlando]]:
> Joana once had problems with upgrade on a USB stick. She could do the
> first two upgrade but then it was not possible to do the third one.
- [[Claudia and Felix, January 2018|contribute/how/user_experience/interviews/claudia_felix]]:
> The first year Tails worked very well. But then they started
> having more problems when the upgrades started.
> Several time, their Tails stopped working because of an upgrade.
> In such cases they would get help from another organization
> collaborating with the whistleblowing platform which has more
> technical staff. Right now for example, their Tails has been
> broken since December and is being fixed by them.
> One of their Tails was so old that it was impossible to upgrade
> it. Felix installed a new Tails and copied the cryptographic key
> to the whistleblowing platform manually.
- [[Isabella, May 2017|contribute/how/user_experience/interviews/helen]]:
> Upgrades are painful when using Tails not so often.
- [[Ernesto, March 2017|contribute/how/user_experience/interviews/ernesto]]:
> The fact the upgrade mechanism is sometimes automatic and sometimes
> manual. You never know what to expect.
- [[Helen, March 2017|contribute/how/user_experience/interviews/helen]]:
> She likes the automatic upgrades in general but she always have to go
> back to the documentation when the upgrade fails. As part of her work, she
> also sometimes sees infrequent users struggling with accumulated upgrades
> (for example upgrading from 2.6 to 2.10).
- Top 5 hot topic in [OpenPGP and Pidgin
survey](https://tails.boum.org/blueprint/user_survey/openpgp_and_pidgin/#index3h2)
- 5 comments were about simpler and easier upgrades without specifying
- 4 comments were directly complaining about manual upgrades and asking for always going automatic upgrades
- 2 comments were about faster upgrades
- 1 comment was about less frequent upgrades
We could also research:
- What makes people skip or delay upgrades?
- Ask questions about upgrades in a survey and follow up with a few interviews
Survey questions
----------------
......
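Review bot: In the "Upgrades" interview list, the entry "[[Isabella, May 2017|contribute/how/user_experience/interviews/helen]]" links to the same `interviews/helen` page as the "Helen, March 2017" entry two items later, which looks like a copy-paste slip; please point it at Isabella's interview page. Also, the OpenPGP question mentions "KeePassX" while the website text in this commit names the application "KeePassXC"; use one name.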
......@@ -8,7 +8,7 @@ msgstr ""
"Project-Id-Version: Tails\n"
"Report-Msgid-Bugs-To: tails-l10n@boum.org\n"
"POT-Creation-Date: 2020-07-29 20:51+0000\n"
"PO-Revision-Date: 2020-10-19 16:31+0000\n"
"PO-Revision-Date: 2020-12-05 13:43+0000\n"
"Last-Translator: Chre <tor@renaudineau.org>\n"
"Language-Team: Tails translators <tails@boum.org>\n"
"Language: fr\n"
......@@ -16,7 +16,7 @@ msgstr ""
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=2; plural=n > 1;\n"
"X-Generator: Weblate 3.8\n"
"X-Generator: Weblate 3.11.3\n"
#. type: Plain text
#, no-wrap
......@@ -124,7 +124,7 @@ msgstr ""
"<div class=\"contribute-roles-3\">\n"
"<h2>Faire bénéficier de vos compétences linguistiques</h2>\n"
"<div class=\"contribute-role\" id=\"content-writer\">\n"
" <h3>Rédacteur</h3>\n"
" <h3>Personne qui rédige</h3>\n"
#. type: Plain text
#, no-wrap
......@@ -217,7 +217,7 @@ msgstr ""
"<div class=\"contribute-roles-3\">\n"
"<h2>Contribuer par vos compétences informatiques</h2>\n"
"<div class=\"contribute-role\" id=\"developer\">\n"
" <h3>Développeur ou mainteneur</h3>\n"
" <h3>Personne qui développe ou maintien</h3>\n"
#. type: Plain text
#, no-wrap
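Review bot: In the new heading "Personne qui développe ou maintien", "maintien" is the noun; the verb form needed after "qui" is "maintient", so this should read "Personne qui développe ou maintient".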
......@@ -236,14 +236,16 @@ msgid ""
"<div class=\"contribute-role\" id=\"sysadmin\">\n"
" <h3>System administrator</h3>\n"
msgstr ""
" <p>Des développeurs logiciels avec diverses compétences peuvent améliorer Tails.</p>\n"
" <p>Des développeurs logiciels avec diverses compétences peuvent améliorer "
"Tails.</p>\n"
" <ul>\n"
" <li>[[Travailler sur le code source|contribute/how/code]]</li>\n"
" <li>[[Améliorer Tails en travaillant sur Debian|contribute/how/debian]]</li>\n"
" <li>[[Améliorer Tails en travaillant sur Debian|contribute/how/"
"debian]]</li>\n"
" </ul>\n"
"</div>\n"
"<div class=\"contribute-role\" id=\"sysadmin\">\n"
" <h3>Administrateur système</h3>\n"
" <h3>Personne qui administre le système</h3>\n"
#. type: Plain text
#, no-wrap
......
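Review bot: The re-wrapped msgstr still opens with "Des développeurs logiciels avec diverses compétences peuvent améliorer Tails", while the headings in this file move to the neutral "Personne qui ..." wording ("Personne qui administre le système"). If the neutral form is the goal of this translation update, the paragraph should follow it too, for example "Des personnes avec diverses compétences en développement logiciel peuvent améliorer Tails".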
......@@ -8,12 +8,16 @@ All times are referenced in [[!wikipedia UTC]].
* 2020-12-03, 15:00: Foundations Team / UX meeting
* 2020-12-10, 15:00: Roadmap meeting on cross-team projects
* 2020-12-15: **Release 4.14** (Firefox 78.6 — intrigeri is the RM, nodens is the TR)
* 2020-12-22, 15:00: Accounting Team meeting
# 2021 Q1
- 2021-01-05, 15:00: **UX debt prioritization**
- 2021-01-11 to 2021-01-14: Foundations Team sprint
Scope:
......
......@@ -383,12 +383,6 @@
- Tails does not work on 32-bit computers since Tails 3.0 (June 2017).
<a id="welcome-screen"></a>
- **Welcome Screen**
With an article. Not *Tails Greeter* or *the Greeter*.
<a id="update"></a>
- **update** vs **upgrade**
......@@ -412,8 +406,20 @@
- The packages from your list of additional software will be updated
automatically when you connect to the Internet.
<a id="usb-stick"></a>
- **USB stick**
And not *USB drive*, *USB*, *thumb drive*, or *flash drive*.
<a id="vulnerability"></a>
- **vulnerability** or **security vulnerability**
And not *hole*, *bug*, *issue*, or *exploit*.
<a id="welcome-screen"></a>
- **Welcome Screen**
With an article. Not *Tails Greeter* or *the Greeter*.
......@@ -737,7 +737,7 @@ Verify there's enough free disk space in `$IUKS_DIR`:
echo "ERROR! Not enough free space in ${IUKS_DIR:?}"
fi
Start building the IUKs locally:
If you can build the IUKs on your host system, run this command:
(
set -eu
......@@ -759,10 +759,39 @@ Start building the IUKs locally:
--new-version "${VERSION?:}" \
--verbose \
--jobs "$(grep '^core id' /proc/cpuinfo | sort -u | wc -l)"
cd "${IUKS_DIR?:}"
sha256sum Tails_amd64_*_to_${VERSION?:}.iuk > "${IUKS_HASHES?:}"
)
Else, if you need to build them in a VM (assuming you can SSH into it, as a user
with passwordless sudo access, with `ssh buster-rm`; and [[!tails_gitlab
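Review bot: In the `sha256sum Tails_amd64_*_to_${VERSION?:}.iuk > "${IUKS_HASHES?:}"` line, the expansions use `?:` where the free-space check above uses `${IUKS_DIR:?}`. `${VAR?:}` only aborts when the variable is unset, not when it is empty, so an empty `VERSION` would yield the glob `Tails_amd64_*_to_.iuk` and an empty `IUKS_HASHES` would fail on the redirect instead of with a clear error. Since this file of hashes is what the later steps compare against, suggest `${VERSION:?}`, `${IUKS_DIR:?}` and `${IUKS_HASHES:?}` throughout. The new VM instructions also assume "a user with passwordless sudo access"; it is worth a sentence on whether that VM is disposable or dedicated to release work.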