Commit 57406974 authored by sajolida's avatar sajolida

Merge branch 'master' into doc/10024-derivatives

parents b6645174 86707931
......@@ -79,18 +79,13 @@ MKSQUASHFS_OPTIONS="${MKSQUASHFS_OPTIONS} -wildcards -ef chroot/usr/share/amnesi
export MKSQUASHFS_OPTIONS
# get git branch or tag so we can set the basename appropriately, i.e.:
# * if we build from a tag: tails-$ARCH-$TAG.iso
# * if we build from a branch: tails-$ARCH-$BRANCH-$VERSION-$DATE.iso
# * if Jenkins builds from a branch: tails-$ARCH-$BRANCH-$VERSION-$TIME-$COMMIT.iso
# * if we build from a tag: tails-$ARCH-$TAG.iso
# * otherwise: tails-$ARCH-$BRANCH-$VERSION-$TIME-$COMMIT.iso
if GIT_REF="$(git symbolic-ref HEAD)"; then
GIT_BRANCH="${GIT_REF#refs/heads/}"
CLEAN_GIT_BRANCH=$(echo "$GIT_BRANCH" | sed 's,/,_,g')
if [ -n "$JENKINS_URL" ]; then
GIT_SHORT_ID="$(git rev-parse --short HEAD)"
BUILD_BASENAME="tails-${LB_ARCHITECTURE}-${CLEAN_GIT_BRANCH}-${AMNESIA_VERSION}-${AMNESIA_NOW}-${GIT_SHORT_ID}"
else
BUILD_BASENAME="tails-${LB_ARCHITECTURE}-${CLEAN_GIT_BRANCH}-${AMNESIA_VERSION}-${AMNESIA_TODAY}"
fi
GIT_SHORT_ID="$(git rev-parse --short HEAD)"
BUILD_BASENAME="tails-${LB_ARCHITECTURE}-${CLEAN_GIT_BRANCH}-${AMNESIA_VERSION}-${AMNESIA_NOW}-${GIT_SHORT_ID}"
else
GIT_CURRENT_COMMIT="$(git rev-parse HEAD)"
if GIT_TAG="$(git describe --tags --exact-match ${GIT_CURRENT_COMMIT})"; then
......
This diff is collapsed.
......@@ -34,10 +34,6 @@ Package: libeatmydata1
Pin: release o=Debian Backports,n=wheezy-backports
Pin-Priority: 999
Package: electrum
Pin: release o=Debian Backports,n=wheezy-backports
Pin-Priority: 999
Package: florence
Pin: release o=Debian Backports,n=wheezy-backports
Pin-Priority: 999
......@@ -242,10 +238,22 @@ Package: python-ecdsa
Pin: release o=Debian Backports,n=wheezy-backports
Pin-Priority: 999
Package: python-electrum
Package: python-qrcode
Pin: release o=Debian Backports,n=wheezy-backports
Pin-Priority: 999
Package: python-requests
Pin: release o=Debian Backports,n=wheezy-backports
Pin-Priority: 999
Package: python-urllib3
Pin: release o=Debian Backports,n=wheezy-backports
Pin-Priority: 999
Package: python-pbkdf2
Pin: release o=Debian,n=jessie
Pin-Priority: 999
Package: rsyslog
Pin: release o=Debian Backports,n=wheezy-backports
Pin-Priority: 999
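Review bot: The `python-pbkdf2` stanza pins to `o=Debian,n=jessie` while every other stanza in these hunks comes from wheezy-backports, and nothing on the page says why. A package pinned at priority 999 from a newer release follows that release whenever the package changes there, so the reason for the exception is worth recording next to it. An apt comment line above the stanza, such as `Explanation: needed by <package>; not available in wheezy-backports`, would do that and make the pin easy to drop later. `<package>` is a placeholder, because the dependent package is not named on the page.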
......
#!/bin/sh
set -e
set -u
EXT="/usr/lib/icedove/extensions"
[ -d "$EXT" ] || exit 1
echo "Enabling Torbirdy and Enigmail in Icedove"
ln -s /usr/share/xul-ext/torbirdy "$EXT"/castironthunderbirdclub@torproject.org
ln -s /usr/lib/xul-ext/enigmail "$EXT"/\{847b3a00-7ab1-11d4-8f02-006008948af5\}
echo "Enabling the amnesia branding extension in Icedove"
ln -s /usr/local/share/tor-browser-extensions/branding@amnesia.boum.org "$EXT"
......@@ -33,7 +33,7 @@ install_torbrowser_AppArmor_profile() {
tmpdir="$(mktemp -d)"
(
cd "$tmpdir"
apt-get source torbrowser-launcher/sid
apt-get source torbrowser-launcher/testing
install -m 0644 \
torbrowser-launcher-*/apparmor/torbrowser.Browser.firefox \
"$PROFILE"
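Review bot: The `apt-get source torbrowser-launcher/<suite>` line fetches whatever version of the source package that suite carries at build time, and the AppArmor profile installed to `$PROFILE` comes from it through the `torbrowser-launcher-*` glob with no check on its content. Because the profile defines the browser's confinement, an upstream version change would alter it without any change in this repository. Pinning the version (`apt-get source torbrowser-launcher=VERSION`, VERSION being a placeholder) or comparing the installed file against a recorded checksum would make such a change visible in review. install_torbrowser_AppArmor_profile starts and ends outside this hunk, so whether `set -e` covers the subshell cannot be seen here.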
......
#!/bin/sh
set -e
# We don't want the real binary to be in $PATH:
# Also note that wget uses the executable name in some help/error messages,
# so wget-real/etc. should be avoided.
mkdir -p /usr/lib/wget
dpkg-divert --add --rename --divert /usr/lib/wget/wget /usr/bin/wget
# We don't want users or other applications using wget directly:
cat > /usr/bin/wget << 'EOF'
#!/bin/sh
unset http_proxy
unset HTTP_PROXY
unset https_proxy
unset HTTPS_PROXY
exec torsocks /usr/lib/wget/wget --passive-ftp "$@"
EOF
chmod 755 /usr/bin/wget
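Review bot: The generated wrapper clears `http_proxy` and `https_proxy` in both spellings but leaves `ftp_proxy` set, although it passes `--passive-ftp` and wget also reads `ftp_proxy` from the environment. Adding `unset ftp_proxy` and `unset FTP_PROXY` to the here-document would treat all three proxy variables the same way. The comment "We don't want users or other applications using wget directly" also claims more than the divert achieves, since the real binary stays executable at `/usr/lib/wget/wget`. A comment such as `# The diverted binary is still callable by full path; the wrapper only covers lookups through $PATH` would describe it accurately.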
......@@ -5,12 +5,12 @@
# Run only when the interface is not "lo":
if [ $1 = "lo" ]; then
exit 0
exit 0
fi
# Run whenever an interface gets "up", not otherwise:
if [ $2 != "up" ]; then
exit 0
exit 0
fi
# Import tor_control_setconf(), TOR_LOG
......@@ -35,26 +35,41 @@ rm -f "${TOR_LOG}"
# a HTTP proxy or allowed firewall ports won't get the sandboxing, but
# much better than nothing.
if [ "$(tails_netconf)" = "direct" ]; then
tor_set_in_torrc Sandbox 1
tor_set_in_torrc Sandbox 1
fi
# A SIGHUP should be enough but there's a bug in Tor. Details:
# We would like Tor to be started during init time, even before the
# network is up, and then send it a SIGHUP here to make it start
# bootstrapping swiftly, but it doesn't work because of a bug in
# Tor. Details:
# * https://trac.torproject.org/projects/tor/ticket/1247
# * https://tails.boum.org/bugs/tor_vs_networkmanager/
restart-tor
# To work around this we restart Tor, in various ways, no matter the
# case below.
if [ "$(tails_netconf)" = "obstacle" ]; then
# When using a bridge Tor reports TLS cert lifetime errors
# (e.g. when the system clock is way off) with severity "info", but
# when no bridge is used the severity is "warn". tordate/20-time.sh
# depends on grepping these error messages, so we temporarily
# increase Tor's logging severity.
tor_control_setconf "Log=\"info file ${TOR_LOG}\""
# Enable the transports we support. We cannot do this in general,
# when bridge mode is not enabled, since we then use seccomp
# sandboxing.
tor_control_setconf 'ClientTransportPlugin="obfs2,obfs3,obfs4 exec /usr/bin/obfs4proxy managed"'
/usr/local/sbin/tails-tor-launcher &
# We do not use restart-tor since it validates that bootstraping
# succeeds. That cannot happen until Tor Launcher has started
# (below) and the user is done configuring it.
service tor restart
# When using a bridge Tor reports TLS cert lifetime errors
# (e.g. when the system clock is way off) with severity "info", but
# when no bridge is used the severity is "warn". tordate/20-time.sh
# depends on grepping these error messages, so we temporarily
# increase Tor's logging severity.
tor_control_setconf "Log=\"info file ${TOR_LOG}\""
# Enable the transports we support. We cannot do this in general,
# when bridge mode is not enabled, since we then use seccomp
# sandboxing.
tor_control_setconf 'ClientTransportPlugin="obfs2,obfs3,obfs4 exec /usr/bin/obfs4proxy managed"'
/usr/local/sbin/tails-tor-launcher &
# Wait until the user has done the Tor Launcher configuration.
until [ "$(tor_control_getconf DisableNetwork)" = 0 ]; do
sleep 1
done
else
( restart-tor ) &
fi
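Review bot: The `until [ "$(tor_control_getconf DisableNetwork)" = 0 ]` loop in the obstacle branch ends only when the value becomes 0. A failing control-port query (for instance if `service tor restart` did not bring Tor back) therefore looks the same as a user who is still configuring Tor Launcher, and the script sleeps indefinitely without logging. The result of `service tor restart` is not checked in the visible lines either. I would add a liveness check inside the loop, e.g. `service tor status >/dev/null || exit 1`, and a comment such as `# Deliberately unbounded: the user may take arbitrarily long in Tor Launcher`. In the first hunk, the context lines `[ $1 = "lo" ]` and `[ $2 != "up" ]` would be safer quoted, as `[ "$1" = "lo" ]`.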
......@@ -70,7 +70,7 @@ has_only_unverified_consensus() {
wait_for_tor_consensus_helper() {
tries=0
while ! has_consensus && [ $tries -lt 5 ]; do
while ! has_consensus && [ $tries -lt 10 ]; do
inotifywait -q -t 30 -e close_write -e moved_to ${TOR_DIR} || log "timeout"
tries=$(expr $tries + 1)
done
......@@ -81,10 +81,6 @@ wait_for_tor_consensus_helper() {
wait_for_tor_consensus() {
log "Waiting for a Tor consensus file to contain a valid time interval"
if ! has_consensus && ! wait_for_tor_consensus_helper; then
log "Unsuccessfully waited for Tor consensus, restarting Tor and retrying."
restart-tor
fi
if ! has_consensus && ! wait_for_tor_consensus_helper; then
log "Unsuccessfully retried waiting for Tor consensus, aborting."
fi
......@@ -175,7 +171,7 @@ maybe_set_time_from_tor_consensus() {
date -us "${vmid}" 1>/dev/null
# Tor is unreliable with picking a circuit after time change
restart-tor
service tor restart
}
tor_cert_valid_after() {
......@@ -219,15 +215,6 @@ start_notification_helper() {
### Main
# When the network is obstacled (e.g. we need a bridge) we wait until
# Tor Launcher has unset DisableNetwork, since Tor's bootstrapping
# won't start until then.
if [ "$(tails_netconf)" = "obstacle" ]; then
until [ "$(tor_control_getconf DisableNetwork)" = 0 ]; do
sleep 1
done
fi
start_notification_helper
# Delegate time setting to other daemons if Tor connections work
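Review bot: The log text "Unsuccessfully retried waiting for Tor consensus, aborting." in wait_for_tor_consensus no longer matches the code if the first `if` block with `restart-tor` is the one removed, as the hunk counts (-81,10 +81,6) suggest, because only a single wait remains and nothing is retried. `log "Unsuccessfully waited for Tor consensus, aborting."` would describe what actually happened. In maybe_set_time_from_tor_consensus, `service tor restart` returns once the init script is done, whereas a comment elsewhere in this commit says restart-tor validates that bootstrapping succeeds. Any caller that assumed a bootstrapped Tor after the clock change should be rechecked; that code lies outside the visible hunks.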
......
// This is the Debian specific preferences file for Mozilla Firefox
// You can make any change in here, it is the purpose of this file.
// You can, with this file and all files present in the
// /etc/thunderbird/pref directory, override any preference that is
// present in /usr/lib/thunderbird/defaults/pref directory.
// While your changes will be kept on upgrade if you modify files in
// /etc/thunderbird/pref, please note that they won't be kept if you
// do them in /usr/lib/thunderbird/defaults/pref.
pref("extensions.update.enabled", false);
// Use LANG environment variable to choose locale
pref("intl.locale.matchOS", true);
// Disable default mail checking (gnome).
pref("mail.shell.checkDefaultMail", false);
// if you are not using gnome
pref("network.protocol-handler.app.http", "x-www-browser");
pref("network.protocol-handler.app.https", "x-www-browser");
// Tell TorBirdy we're running Tails so that it adapts its behaviour.
//pref("vendor.name", "Tails");
// Disable mail indexing
pref("mailnews.database.global.indexer.enabled", false);
// Disable chat
pref("mail.chat.enabled", false);
// Disable system addons
pref("extensions.autoDisableScopes", 3);
pref("extensions.enabledScopes", 4);
// Only show the tab bar if there's more than one tab to display
pref("mail.tabs.autoHide", true);
// Try to disable "Would you like to help Icedove Mail/News by automatically reporting memory usage, performance, and responsiveness to Mozilla"
pref("toolkit.telemetry.prompted", 2);
pref("toolkit.telemetry.rejected", true);
pref("toolkit.telemetry.enabled", false);
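Review bot: The comment "Disable system addons" above `extensions.autoDisableScopes` and `extensions.enabledScopes` does not say what the two bit masks select, so the hardening cannot be checked from the file. Going by Mozilla's scope values (1 profile, 2 user, 4 application, 8 system), a comment like `// Scopes are bit masks: enable only application-scope add-ons (4); add-ons appearing in the profile or user scope (1+2) start disabled` would be closer, though the exact effect on the profile scope should be confirmed against the Icedove version shipped. The header still says "Mozilla Firefox", and the `vendor.name` pref is commented out while its explanatory comment remains, so one of the two should be removed.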
......@@ -20,11 +20,11 @@ toplevel-id=top-panel
pack-index=1
@instance-config/location='/usr/share/applications/tor-browser.desktop'
[Object claws-launcher]
[Object icedove-launcher]
object-iid=PanelInternalFactory::Launcher
toplevel-id=top-panel
pack-index=2
@instance-config/location='/usr/share/applications/claws-mail.desktop'
@instance-config/location='/usr/share/applications/icedove.desktop'
[Object pidgin-launcher]
object-iid=PanelInternalFactory::Launcher
......
{
'protocol': 's',
'auto_cycle': True,
'server': 'electrum.coinwallet.me:50002:s',
'proxy': {'host': 'localhost', 'mode': 'socks5', 'port': '9050'},
"proxy": "socks5:localhost:9050",
}
/* Required, do not remove */
@namespace url("http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul");
#torbirdy-jondo-selection,
#torbirdy-whonix-selection,
#torbirdy-tor-selection,
#torbirdy-tor-selection + menuseparator,
#torbirdy-anon-settings,
#torbirdy-anonservice,
/* Hide "Chat account" on Icedove's start-up page */
#CreateAccountChat
{ display: none; }
user_pref("extensions.enigmail.configuredVersion", "1.7.2");
......@@ -20,7 +20,7 @@ SocksPort 127.0.0.1:9061 IsolateDestAddr
## SocksPort for Tails-specific applications
SocksPort 127.0.0.1:9062 IsolateDestAddr IsolateDestPort
## SocksPort for the default web browser
SocksPort 127.0.0.1:9150
SocksPort 127.0.0.1:9150 IsolateSOCKSAuth KeepAliveIsolateSOCKSAuth
## Entry policies to allow/deny SOCKS requests based on IP address.
## First entry that matches wins. If no SocksPolicy is set, we accept
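Review bot: `KeepAliveIsolateSOCKSAuth` on the browser's SocksPort is understood only by tor builds that carry that flag, and as far as I know tor refuses to start when a port line holds an unrecognised option. The tor version shipped in the image should therefore be checked against this line. `IsolateSOCKSAuth` is already the default for a SocksPort, so spelling it out serves as documentation only. The `## SocksPort for the default web browser` comment could state why this port differs from the others, for example `## Streams are isolated by SOCKS credentials, and such circuits are kept alive while in use`; that rationale is inferred and not stated on the page.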
......
#!/bin/sh
set -e
. gettext.sh
TEXTDOMAIN="tails"
export TEXTDOMAIN
CLAWSMAIL_DIR="${HOME}/.claws-mail"
PROFILE="${HOME}/.icedove/profile.default"
claws_mail_config_is_persistent() {
[ "$(findmnt --noheadings --output SOURCE --target "${CLAWSMAIL_DIR}")" = "/dev/mapper/TailsData_unlocked[/claws-mail]" ]
}
warn_about_claws_mail_persistence() {
local dialog_msg="<b><big>`gettext \"The <b>Claws Mail</b> persistence feature is activated.\"`</big></b>
`gettext \"If you have emails saved in <b>Claws Mail</b>, you should <a href='https://tails.boum.org/doc/anonymous_internet/claws_mail_to_icedove'>migrate your data</a> before starting <b>Icedove</b>.\"`"
local launch="`gettext \"_Launch\"`"
local exit="`gettext \"_Exit\"`"
# Since zenity can't set the default button to cancel, we switch the
# labels and interpret the return value as its negation.
if zenity --question --title "" --ok-label "${exit}" \
--cancel-label "${launch}" --text "${dialog_msg}"; then
return 1
fi
}
start_icedove() {
# Give Icedove its own temp directory, similar rationale to a1fd1f0f & #9558.
TMPDIR="${PROFILE}/tmp"
mkdir --mode=0700 -p "$TMPDIR"
export TMPDIR
if [ -z "$XAUTHORITY" ]; then
XAUTHORITY=~/.Xauthority
export XAUTHORITY
fi
unset SESSION_MANAGER
/usr/bin/icedove --class "Icedove" -profile "${PROFILE}" "${@}"
}
if claws_mail_config_is_persistent && [ -f "${CLAWSMAIL_DIR}/accountrc" ]; then
warn_about_claws_mail_persistence || exit 0
fi
start_icedove "${@}"
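Review bot: `mkdir --mode=0700 -p "$TMPDIR"` in start_icedove applies the mode only to a directory it creates, so an already existing `${PROFILE}/tmp` keeps its permissions and missing parent directories are created according to the umask. This directory becomes Icedove's TMPDIR and may hold attachments or other message data. Following the mkdir with `chmod 0700 "$TMPDIR"` would make the intended permissions hold in both cases. The `[ -z "$XAUTHORITY" ]` test would abort the script if `set -u` were ever added next to `set -e`; `[ -z "${XAUTHORITY:-}" ]` is the spelling that survives that.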
#!/bin/sh
unset http_proxy
unset HTTP_PROXY
unset https_proxy
unset HTTPS_PROXY
exec torsocks /usr/bin/wget "$@"
#!/bin/sh
# Get monotonic time in seconds. See clock_gettime(2) for details.
# Note: we limit ourselves to seconds simply because floating point
# arithmetic is a PITA in the shell.
clock_gettime_monotonic() {
perl -w -MTime::HiRes=clock_gettime,CLOCK_MONOTONIC \
-E 'say clock_gettime(CLOCK_MONOTONIC)' | \
sed 's/\..*$//'
}
# Run `check_expr` until `timeout` seconds has passed, and sleep
# `delay` (optional, defaults to 1) seconds in between the calls.
# Note that execution isn't aborted exactly after `timeout`
......@@ -11,9 +20,9 @@ wait_until() {
timeout="${1}"
check_expr="${2}"
delay="${3:-1}"
timeout_at=$(expr $(date +%s) + ${timeout})
timeout_at=$(expr $(clock_gettime_monotonic) + ${timeout})
until eval "${check_expr}"; do
if [ "$(date +%s)" -ge "${timeout_at}" ]; then
if [ "$(clock_gettime_monotonic)" -ge "${timeout_at}" ]; then
return 1
fi
sleep ${delay}
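Review bot: A failure of `clock_gettime_monotonic` goes unnoticed in wait_until, because the pipeline's status is that of `sed`, so the function prints nothing if perl or Time::HiRes is unavailable. `timeout_at` is then computed from an empty value and the `-ge` test errors out as false on every pass, which leaves a loop that never times out. Reading the clock into a variable and checking it before computing `timeout_at`, with `now="$(clock_gettime_monotonic)"` followed by `[ -n "${now}" ] || return 1`, would turn that into an immediate error. The `eval "${check_expr}"` context line means callers must only ever pass fixed expressions, which deserves a sentence in the function's header comment. wait_until continues past the end of the hunk.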
......
......@@ -21,6 +21,14 @@ nic_is_up() {
# The following "nic"-related functions require that the argument is a
# NIC that exists
nic_ipv4_addr() {
ip addr show "${1}" | sed -n 's,^\s*inet \([0-9\.]\+\)/.*$,\1,p'
}
nic_ipv6_addr() {
ip addr show "${1}" | sed -n 's,^\s*inet6 \([0-9a-fA-F:]\+\)/.*$,\1,p'
}
# Will just output nothing on failure
get_current_mac_of_nic() {
local mac
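Review bot: nic_ipv4_addr and nic_ipv6_addr print every matching address of the interface, one per line, and neither function documents this. They also print nothing and return zero when there is no address, because the exit status is that of `sed`. A header comment such as `# Outputs each IPv4 address of NIC $1, one per line; outputs nothing if it has none` would tell callers not to treat the output as a single value. The IPv6 version needs the same comment and, as written, its output includes link-local addresses. `\s` and `\+` in the patterns are GNU sed extensions, which is fine on this system but worth noting beside them.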
......
......@@ -9,6 +9,7 @@
I2P_DEFAULT_CONFIG="/usr/share/i2p"
I2P_CONFIG="/var/lib/i2p/i2p-config"
I2P_TUNNEL_CONFIG="${I2P_CONFIG}/i2ptunnel.config"
I2P_WRAPPER_LOG="/var/log/i2p/wrapper.log"
i2p_is_enabled() {
grep -qw "i2p" /proc/cmdline
......@@ -27,7 +28,29 @@ i2p_eep_proxy_address() {
echo ${listen_host}:${listen_port}
}
i2p_has_bootstrapped() {
i2p_reseed_started() {
grep -q 'Reseed start$' "${I2P_WRAPPER_LOG}"
}
i2p_reseed_failed() {
grep -q 'Reseed failed, check network connection$' "${I2P_WRAPPER_LOG}"
}
i2p_reseed_completed() {
grep -q "Reseed complete" "${I2P_WRAPPER_LOG}"
}
i2p_reseed_status() {
if i2p_reseed_completed; then
echo success
elif i2p_reseed_failed; then
echo failure
elif i2p_reseed_started; then
echo running
fi
}
i2p_built_a_tunnel() {
netstat -nlp | grep -qwF "$(i2p_eep_proxy_address)"
}
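Review bot: i2p_reseed_status prints nothing and returns success when none of the three patterns is found, which includes the case where `${I2P_WRAPPER_LOG}` does not exist yet (grep then also writes an error to stderr). Callers comparing the output with `success`, `failure` or `running` need to know about the empty case, so I would document it above the function, e.g. `# Outputs success, failure or running; outputs nothing if no reseed has been logged or the log is missing`. The greps scan the whole log, so a `Reseed complete` from an earlier attempt wins over a later `Reseed failed`; if the log can span several attempts, that ordering needs a comment or a different check. `"Reseed complete"` is also the only pattern that is neither anchored with `$` nor single-quoted.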
......