Commit 5915cdf0 authored by Tails developers's avatar Tails developers

Merge branch 'testing' into test/8669-anonymous-git

parents 6b1a6052 2c0a8687
......@@ -34,7 +34,7 @@ VAGRANT_PATH = File.expand_path('../vagrant', __FILE__)
STABLE_BRANCH_NAMES = ['stable', 'testing']
# Environment variables that will be exported to the build script
EXPORTED_VARIABLES = ['http_proxy', 'MKSQUASHFS_OPTIONS', 'TAILS_RAM_BUILD', 'TAILS_CLEAN_BUILD', 'TAILS_BOOTSTRAP_CACHE']
EXPORTED_VARIABLES = ['http_proxy', 'MKSQUASHFS_OPTIONS', 'TAILS_RAM_BUILD', 'TAILS_CLEAN_BUILD']
# Let's save the http_proxy set before playing with it
EXTERNAL_HTTP_PROXY = ENV['http_proxy']
......@@ -167,10 +167,6 @@ task :parse_build_options do
when 'noram'
ENV['TAILS_RAM_BUILD'] = nil
# Bootstrap cache settings
when 'cache'
ENV['TAILS_BOOTSTRAP_CACHE'] = '1'
when 'nocache'
ENV['TAILS_BOOTSTRAP_CACHE'] = nil
# HTTP proxy settings
when 'extproxy'
abort "No HTTP proxy set, but one is required by TAILS_BUILD_OPTIONS. Aborting." unless EXTERNAL_HTTP_PROXY
......
......@@ -11,6 +11,14 @@ fatal () {
exit 1
}
syslinux_utils_upstream_version () {
dpkg-query -W -f='${Version}\n' syslinux-utils | \
# drop epoch
sed -e 's,.*:,,' | \
# drop +dfsg and everything that follows
sed -e 's,\+dfsg.*,,'
}
### Main
# we require building from git
......@@ -98,6 +106,16 @@ case "$LB_BINARY_IMAGES" in
iso)
BUILD_FILENAME_EXT=iso
BUILD_FILENAME=binary
which isohybrid >/dev/null || fatal 'Cannot find isohybrid in $PATH'
installed_syslinux_utils_upstream_version="$(syslinux_utils_upstream_version)"
if dpkg --compare-versions \
"$installed_syslinux_utils_upstream_version" \
'lt' \
"$REQUIRED_SYSLINUX_UTILS_UPSTREAM_VERSION" ; then
fatal \
"syslinux-utils '${installed_syslinux_utils_upstream_version}' is installed, " \
"while we need at least '${REQUIRED_SYSLINUX_UTILS_UPSTREAM_VERSION}'."
fi
;;
iso-hybrid)
BUILD_FILENAME_EXT=iso
......@@ -124,13 +142,18 @@ BUILD_END_FILENAME="${BUILD_DEST_FILENAME}.end.timestamp"
echo "Building $LB_BINARY_IMAGES image ${BUILD_BASENAME}..."
set -o pipefail
date --utc '+%s' > "$BUILD_START_FILENAME"
[ -z "$JENKINS_URL" ] || date --utc '+%s' > "$BUILD_START_FILENAME"
time eatmydata lb build noauto ${@} 2>&1 | tee "${BUILD_LOG}"
RET=$?
if [ -e "${BUILD_FILENAME}.${BUILD_FILENAME_EXT}" ]; then
if [ "$RET" -eq 0 ]; then
date --utc '+%s' > "$BUILD_END_FILENAME"
[ -z "$JENKINS_URL" ] || date --utc '+%s' > "$BUILD_END_FILENAME"
echo "Image was successfully created"
if [ "$LB_BINARY_IMAGES" = iso ]; then
echo "Hybriding it..."
isohybrid $AMNESIA_ISOHYBRID_OPTS \
"${BUILD_FILENAME}.${BUILD_FILENAME_EXT}"
fi
else
echo "Warning: image created, but lb build exited with code $RET"
fi
......
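Review bot: The exit status of the `isohybrid` call near the end of this section is not checked in the visible lines. Unless the script runs under `set -e` (not visible here), a failed hybridisation still leaves "Image was successfully created" as the last message, and the build carries on with a non-hybrid ISO. I would make the failure explicit with the file's own helper: `isohybrid $AMNESIA_ISOHYBRID_OPTS "${BUILD_FILENAME}.${BUILD_FILENAME_EXT}" || fatal "isohybrid failed"`. Which lines are new is inferred from the hunk counts, and the enclosing `if` continues past the end of the hunk.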
......@@ -33,6 +33,9 @@ $RUN_LB_CONFIG \
--iso-publisher="https://tails.boum.org/" \
--iso-volume="TAILS ${AMNESIA_FULL_VERSION}" \
--memtest none \
--mirror-binary "http://ftp.us.debian.org/debian/" \
--mirror-bootstrap "http://ftp.us.debian.org/debian/" \
--mirror-chroot "http://ftp.us.debian.org/debian/" \
--packages-lists="standard" \
--tasks="standard" \
--linux-packages="linux-image-3.16.0-4" \
......
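Review bot: The three `--mirror-*` options, which by the hunk counts appear to be the added lines, all fetch over plain `http://`, so the integrity of every bootstrapped and installed package rests entirely on APT verifying the signed Release file, and nothing near these lines says so. A comment cannot sit inside the backslash-continued `$RUN_LB_CONFIG` call, so I would define the URL once above it as `DEBIAN_MIRROR="http://ftp.us.debian.org/debian/"`, preceded by `# Plain HTTP: integrity relies on APT's signature check of the Release file; never disable it`, and pass `"$DEBIAN_MIRROR"` to all three options. That also removes the triple repetition of the same literal. The call starts and ends outside the hunk.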
......@@ -15,6 +15,12 @@
# need to set block.events_dfl_poll_msecs
AMNESIA_APPEND="live-media=removable apparmor=1 security=apparmor nopersistent noprompt timezone=Etc/UTC block.events_dfl_poll_msecs=1000 splash noautologin module=Tails"
# Options passed to isohybrid
AMNESIA_ISOHYBRID_OPTS="-h 255 -s 63"
# Minimal upstream version of syslinux-utils we need
REQUIRED_SYSLINUX_UTILS_UPSTREAM_VERSION="6.03~pre20"
### You should not have to change anything bellow this line ####################
# sanity checks
......@@ -32,4 +38,4 @@ AMNESIA_FULL_VERSION="${AMNESIA_VERSION} - ${AMNESIA_TODAY}"
# Developpers' data used by git-dch, debcommit and friends in the release script
AMNESIA_DEV_FULLNAME='Tails developers'
AMNESIA_DEV_EMAIL="tails@boum.org"
AMNESIA_DEV_KEYID="BE2CD9C1"
AMNESIA_DEV_KEYID="0D24 B36A A9A2 A651 7878 7645 1202 821C BE2C D9C1"
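Review bot: The fingerprint form of `AMNESIA_DEV_KEYID` contains spaces, so any consumer that expands the variable unquoted will pass ten separate words instead of one key identifier. The consumers (the release script, per the comment above) are not visible here. The hunk replaces one line and the page does not mark which is new, but assuming the full fingerprint is the new side, it is the right move away from a collision-prone 8-digit short ID. I would store it without spaces, `AMNESIA_DEV_KEYID="0D24B36AA9A2A651787876451202821CBE2CD9C1"`, which gpg accepts equally and which survives an unquoted `$AMNESIA_DEV_KEYID`.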
......@@ -41,14 +41,14 @@ cp "$CHROOT_SYSLINUX_BIN" "$LINUX_BINARY_UTILS_DIR/"
cp "$CHROOT_SYSLINUX_MBR" "$BINARY_MBR_DIR/mbr.bin"
cat chroot/etc/apt/sources.list chroot/etc/apt/sources.list.d/*.list \
| grep --extended-regexp --line-regexp --invert-match \
'deb\s+file:/root/local-packages\s+\./' \
| sed --regexp-extended -e 's,^deb(\s+),deb-src\1,' \
> "$CHROOT_TEMP_APT_SOURCES"
Chroot chroot /usr/local/lib/apt-toggle-tor-http off
Chroot chroot apt-get --yes update
Chroot chroot apt-get --yes install dpkg-dev
Chroot chroot apt-get source syslinux="$(syslinux_deb_version_in_chroot)"
cp chroot/syslinux-*/bios/win32/syslinux.exe "$WIN32_BINARY_UTILS_DIR/"
rm -r chroot/syslinux*
rm "$CHROOT_TEMP_APT_SOURCES"
Chroot chroot /usr/local/lib/apt-toggle-tor-http on
Chroot chroot apt-get --yes purge dpkg-dev make # dpkg-dev depends on make
......@@ -26,10 +26,22 @@ Package: cryptsetup-bin
Pin: release o=Debian Backports,n=wheezy-backports
Pin-Priority: 999
Package: electrum
Pin: release o=Debian Backports,n=wheezy-backports
Pin-Priority: 999
Package: florence
Pin: release o=Debian Backports,n=wheezy-backports
Pin-Priority: 999
Package: gnupg-agent
Pin: release o=Debian Backports,n=wheezy-backports
Pin-Priority: 999
Package: gnupg2
Pin: release o=Debian Backports,n=wheezy-backports
Pin-Priority: 999
Package: hopenpgp-tools
Pin: release o=Debian,n=jessie
Pin-Priority: 999
......@@ -110,6 +122,10 @@ Package: iucode-tool
Pin: release o=Debian Backports,n=wheezy-backports
Pin-Priority: 999
Package: keyringer
Pin: release o=Debian,n=jessie
Pin-Priority: 999
Package: libcryptsetup4
Pin: release o=Debian Backports,n=wheezy-backports
Pin-Priority: 999
......@@ -186,16 +202,36 @@ Package: monkeysign
Pin: release o=Debian Backports,n=wheezy-backports
Pin-Priority: 999
Package: seahorse-nautilus
Package: obfs4proxy
Pin: release o=TorProject,n=obfs4proxy
Pin-Priority: 990
Package: python-six
Pin: release o=Debian Backports,n=wheezy-backports
Pin-Priority: 999
Package: shared-mime-info
Package: python-slowaes
Pin: release o=Debian Backports,n=wheezy-backports
Pin-Priority: 999
Package: tor
Pin: release o=TorProject,n=wheezy
Package: python-ecdsa
Pin: release o=Debian Backports,n=wheezy-backports
Pin-Priority: 999
Package: python-electrum
Pin: release o=Debian Backports,n=wheezy-backports
Pin-Priority: 999
Package: scdaemon
Pin: release o=Debian Backports,n=wheezy-backports
Pin-Priority: 999
Package: seahorse-nautilus
Pin: release o=Debian Backports,n=wheezy-backports
Pin-Priority: 999
Package: shared-mime-info
Pin: release o=Debian Backports,n=wheezy-backports
Pin-Priority: 999
Package: torsocks
......@@ -214,10 +250,6 @@ Package: virtualbox-guest-x11
Pin: release o=Debian Backports,n=wheezy-backports
Pin-Priority: 999
Package: tor-geoipdb
Pin: release o=TorProject,n=wheezy
Pin-Priority: 999
Package: ttdnsd
Pin: release o=TorProject,a=unstable
Pin-Priority: 999
......
......@@ -210,6 +210,10 @@ install_debian_extensions "${TBB_EXT}" ${DEBIAN_EXT_PKGS}
mkdir -p "${TBB_PROFILE}"
create_default_profile "${TBB_INSTALL}"/TorBrowser/Data/Browser/profile.default "${TBB_EXT}" "${TBB_PROFILE}"
# Create a copy of the Firefox binary, for use e.g. by Tor Launcher.
# It won't be subject to AppArmor confinement.
cp -a "${TBB_INSTALL}/firefox" "${TBB_INSTALL}/firefox-unconfined"
chown -R root:root "${TBB_INSTALL}" "${TBB_PROFILE}" "${TBB_EXT}"
chmod -R a+rX "${TBB_INSTALL}" "${TBB_PROFILE}" "${TBB_EXT}"
......
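Review bot: The comment above `cp -a "${TBB_INSTALL}/firefox" "${TBB_INSTALL}/firefox-unconfined"` states that the copy escapes AppArmor confinement but not who is allowed to run it, and the `chmod -R a+rX` two lines below makes it executable by every user. Since the profile attaches by path, any process that can exec this copy gets the browser binary with no confinement at all. I would extend the comment to name the intended caller and the constraint, e.g. `# Only Tor Launcher should exec firefox-unconfined; browsing must always go through the confined firefox path.` It is also worth checking, outside this hunk, that no wrapper or desktop file references the unconfined path.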
#!/bin/sh
set -e
echo "Installing AppArmor profile for Tor Browser"
PATCH='/usr/share/tails/torbrowser-AppArmor-profile.patch'
PROFILE='/etc/apparmor.d/torbrowser'
### Functions
toggle_src_APT_sources() {
MODE="$1"
TEMP_APT_SOURCES='/etc/apt/sources.list.d/tmp-deb-src.list'
case "$MODE" in
on)
cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list \
| sed --regexp-extended -e 's,^deb(\s+),deb-src\1,' \
> "$TEMP_APT_SOURCES"
;;
off)
rm "$TEMP_APT_SOURCES"
;;
esac
apt-get --yes update
}
install_torbrowser_AppArmor_profile() {
tmpdir="$(mktemp -d)"
(
cd "$tmpdir"
apt-get source torbrowser-launcher/testing
install -m 0644 \
torbrowser-launcher-*/apparmor/torbrowser.Browser.firefox \
"$PROFILE"
)
rm -r "$tmpdir"
}
### Main
toggle_src_APT_sources on
install_torbrowser_AppArmor_profile
toggle_src_APT_sources off
patch --forward --batch "$PROFILE" < "$PATCH"
rm "$PATCH"
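Review bot: `patch --forward --batch "$PROFILE" < "$PATCH"` accepts hunks that apply with fuzz, and the profile being patched comes from whatever `torbrowser-launcher` version is in testing at build time. The installed AppArmor profile can therefore silently differ from the one the patch was reviewed against. For a confinement policy I would require an exact match, `patch --forward --batch --fuzz=0 "$PROFILE" < "$PATCH"`, so that an upstream change fails the build and gets a human look. Separately, `toggle_src_APT_sources` has no `*)` branch, so a mistyped mode falls through to `apt-get --yes update` unnoticed; `*) echo "unknown mode: $MODE" >&2; exit 1 ;;` would catch it.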
#!/bin/sh
set -e
echo "Moving IBus Unikey binaries to /usr/lib/ibus/"
# Workaround Debian bug #714932 -- we can't just dpkg-divert it, since
# the original path is hardcoded in these binaries.
for infix in engine setup ; do
orig="/usr/lib/ibus-unikey/ibus-$infix-unikey"
dest="/usr/lib/ibus/ibus-$infix-unikey"
ln -s "$orig" "$dest"
done
# Adjust path to the binary in unikey.xml
sed -i -e \
's,/usr/lib/ibus-unikey/ibus-engine-unikey,/usr/lib/ibus/ibus-engine-unikey,' \
/usr/share/ibus/component/unikey.xml
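Review bot: The message `Moving IBus Unikey binaries to /usr/lib/ibus/` does not match what the loop does: the binaries stay in `/usr/lib/ibus-unikey/` and `ln -s "$orig" "$dest"` only adds symlinks to them. I would change it to `echo "Symlinking IBus Unikey binaries into /usr/lib/ibus/"`. The comment could also say that a symlink is used, rather than a move, because the original path is hardcoded in the binaries.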
#!/bin/sh
set -eu
echo "Configuring APT for runtime"
/usr/local/lib/apt-toggle-tor-http on
......@@ -16,23 +16,28 @@
# Deside order in which input methods are preferred
# (chinese needs pinyin, japanese needs anthy, korean needs hangul)
# (chinese needs pinyin, japanese needs anthy, korean needs hangul,
# vietnamese needs Unikey)
# (bopomofo is an alternative input method for chinese)
LANGPREFIX=`echo "$LANG" | sed 's/_.*//'`
PREFLIST='[pinyin,anthy,hangul,bopomofo]'
PREFLIST='[pinyin,anthy,hangul,Unikey,bopomofo]'
NEEDIBUS='n'
case "$LANGPREFIX" in
ja)
PREFLIST='[anthy,pinyin,hangul,bopomofo]'
PREFLIST='[anthy,pinyin,hangul,Unikey,bopomofo]'
NEEDIBUS='y'
;;
ko)
PREFLIST='[hangul,pinyin,anthy,bopomofo]'
PREFLIST='[hangul,pinyin,anthy,Unikey,bopomofo]'
NEEDIBUS='y'
;;
vi)
PREFLIST='[Unikey,pinyin,anthy,hangul,bopomofo]'
NEEDIBUS='y'
;;
zh)
PREFLIST='[pinyin,bopomofo,anthy,hangul]'
PREFLIST='[pinyin,bopomofo,anthy,hangul,Unikey]'
NEEDIBUS='y'
;;
esac
......
# Use PulseAudio by default
pcm.!default {
type pulse
fallback "sysdefault"
hint {
show on
description "Default ALSA Output (currently PulseAudio Sound Server)"
}
}
ctl.!default {
type pulse
fallback "sysdefault"
}
# vim:set ft=alsaconf:
......@@ -51,6 +51,12 @@ create-backup-copy = false
[org/gnome/nautilus/desktop]
volumes-visible = false
[org/gnome/settings-daemon/peripherals/touchpad]
disable-while-typing = true
horiz-scroll-enabled = false
scroll-method = 'two-finger-scrolling'
tap-to-click = true
[org/gnome/settings-daemon/plugins/power]
button-hibernate = 'shutdown'
button-power = 'shutdown'
......
......@@ -8,7 +8,5 @@ TOR_CONTROL_HOST='127.0.0.1'
TOR_CONTROL_PORT='9052'
TOR_CONTROL_PASSWD='passwd'
GIT_PROXY_COMMAND=/usr/local/bin/connect-socks
# Port that the monkeysphere validation agent listens on
MSVA_PORT='6136'
{
'protocol': 's',
'auto_cycle': True,
'server': 'electrum.coinwallet.me:50002:s',
'proxy': {'host': 'localhost', 'mode': 'socks5', 'port': '9050'},
}
......@@ -231,7 +231,7 @@
</pref>
<pref name='pidgin'>
<pref name='browsers'>
<pref name='command' type='path' value='sensible-browser'/>
<pref name='manual_command' type='string' value='/usr/local/bin/tor-browser %s'/>
<pref name='browser' type='string' value='custom'/>
<pref name='place' type='int' value='0'/>
</pref>
......
......@@ -59,6 +59,8 @@ pref("noscript.forbidPlugins", true);
pref("noscript.untrusted", "google-analytics.com");
// Other non-Torbutton, Tails-specific prefs
pref("browser.download.dir", "/home/amnesia/Tor Browser");
pref("browser.download.folderList", 2);
pref("browser.download.manager.closeWhenDone", true);
pref("extensions.update.enabled", false);
pref("layout.spellcheckDefault", 0);
......
# This is the configuration for libtsocks (transparent socks) for use
# with the Tails mail user agent: /usr/local/bin/torified-claws-mail
#
# See tsocks.conf(5) and torify(1) manpages.
server = 127.0.0.1
server_port = 9050
# We specify local as 127.0.0.0 - 127.191.255.255 because the
# Tor MAPADDRESS virtual IP range is the rest of net 127.
local = 127.0.0.0/255.128.0.0
local = 127.128.0.0/255.192.0.0
# My local networks
local = 10.0.0.0/255.0.0.0
local = 172.16.0.0/255.240.0.0
local = 192.168.0.0/255.255.0.0
......@@ -66,14 +66,13 @@ html_help = _(
<p><strong>Do not include more personal information than
needed!</strong></p>
<h2>About giving us an email address</h2>
<p>If you don't mind disclosing some bits of your identity
to Tails developers, you can provide an email address to
let us ask more details about the bug. Additionally entering
a public PGP key enables us to encrypt such future
communication.</p>
<p>Anyone who can see this reply will probably infer you are
a Tails user. Time to wonder how much you trust your
Internet and mailbox providers?</p>
<p>
Giving us an email address allows us to contact you to clarify the problem. This
is needed for the vast majority of the reports we receive as most reports
without any contact information are useless. On the other hand it also provides
an opportunity for eavesdroppers, like your email or Internet provider, to