Commit 5bc1e831 authored by sajolida

Merge remote-tracking branch 'origin/master'

parents 878915bd ef161612
......@@ -415,14 +415,21 @@ To get a list of changes on the website:
':!wiki/src/news*' \
':!wiki/src/security*'
Import the signing key
Enable OpenPGP signing
======================
Skip this part if you have a Tails signing subkey on an OpenPGPG
smartcard, i.e. if you are one of the usual release managers. This is
only relevant when the master key has been reassembled, e.g. for
signing a Tails emergency release where none of the usual release
managers are available.
### If you have an OpenPGP smart card
If you have an OpenPGP smart card (i.e. if you are one of the usual
release managers) go fetch it. Remember to only plug it when needed! A
pro tip is to never plug it unless prompted which `gpg` will do for
you. Then just unplug it as soon as the `.sig` is done.
### Otherwise: importing the signing key
This is only relevant when the master key has been reassembled,
e.g. for signing a Tails emergency release where none of the usual
release managers are available.
You should never import the Tails signing key into your own keyring,
and a good practice is to import it to a tmpfs to limit the risks that
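Review bot: In the "If you have an OpenPGP smart card" subsection, the sentence "never plug it unless prompted which `gpg` will do for you" is hard to parse for someone following the steps under time pressure. Suggest something like "Only plug it in when `gpg` prompts for it, and unplug it as soon as the `.sig` has been written." The `###` subheadings also sit directly under a `===`-underlined top-level heading, which skips a heading level.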
......@@ -875,6 +882,28 @@ Update the ISO description file (IDF) used by the browser extension:
git add wiki/src/install/v1/Tails/amd64/stable/latest.yml && \
git commit -m "Update IDF file for Tails Verification." )
Done with OpenPGP signing
=========================
By now you are done with Tails signing key, so please make sure it is
not usable by your system any more.
<div class="note">
Beware! If your have to plug your OpenPGP smart card or reassemble the
key again after this point it invalidates <i>everything</i> done for
the [[reproduction of this release|test#reproducibility-final-check]]
so it has to be started from the beginning:
* the original text is restored on the pad, and
* some tester follows it from scratch, and
* the Trusted Reproducer follows awaits the new input from said tester
and then starts from scratch.
So please try to avoid this!
</div>
Upload images
=============
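Review bot: "Make sure it is not usable by your system any more" in the "Done with OpenPGP signing" section names no concrete action. The signing section offers two paths (a smart card, or the key imported to a tmpfs), so spell out the step for each, for example unplugging the smart card, or removing the temporary keyring and unmounting the tmpfs. In the note that follows, "If your have to plug" should read "If you have to plug", and "the Trusted Reproducer follows awaits the new input" has a stray verb.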
......@@ -1000,6 +1029,7 @@ Testing
1. Email <tails@boum.org> and potential contributors (see
`manual_testers.mdwn` in the internal Git repository) that tests
may start:
- make sure the Trusted Verifier is in the list of recipients
- point them to the up-to-date mirror you've found previously
- make it clear what's the deadline
- make it clear where and how you expect to get feedback
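Review bot: The bullet "make sure the Trusted Verifier is in the list of recipients" uses a role name that other parts of this commit call the "Trusted Reproducer" (the note in the signing section, the calendar step, the e-mail template greeting). Pick one name and use it everywhere, so the RM is not left wondering whether these are two different people.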
......
......@@ -182,13 +182,22 @@ Update `debian/changelog`:
gbp dch && dch -e
In there, set the appropriate:
* version number, such as `5.3+dfsg-0tails1`; in particular, note that
the Debian revision starts with `-0` for any package meant for the
Tails APT repository, while the first package that will be uploaded
to Debian will have `-1`;
* target release name.
The raw data compiled by `gbp dch` must be edited to convey
information that's relevant and self-contained for a Debian audience
(clearly our upstream commit messages are not written with this
audience in mind). For example, the 5.0.4+dfsg-0tails1 changelog entry
is pretty good, but things like "Apply awful hack to fix Tails#14755"
are meaningless for a Debian audience.
Also:
* Set the appropriate version number, such as `5.3+dfsg-0tails1`; in
particular, note that the Debian revision starts with `-0` for any
package meant for the Tails APT repository, while the first package
that will be uploaded to Debian will have `-1`;
* Set the appropriate target release name.
* Make sure every Tails ticket ID is of the form `Tails#NNNNN`, not
`#NNNNN` and definitely not `Closes: #NNNNN`.
Commit the changelog:
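Review bot: The last bullet of the "Also:" list forbids `Closes: #NNNNN` without giving the reason. State it in the bullet: in a Debian changelog, `Closes: #NNNNN` refers to a Debian BTS bug number, so an upload to Debian would close an unrelated Debian bug. The list also mixes terminators (`;` after the first item, `.` after the others).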
......
......@@ -58,31 +58,19 @@ In a directory with many Tails ISO images:
# Reproducibility
## For the RM
This section can only be done by the RM.
<div class="note">
Clear-sign the hashes of all products using *your personal* OpenPGP
key:
Beware! If your have to plug your OpenPGP smart card again after
having done the above substitution, it invalidates *everything* that
has been done for this test so far, so it has to be started completely
from the beginning.
( \
cd "${ISOS:?}" && \
sha512sum tails-amd64-${VERSION:?}/tails-amd64-${VERSION:?}.iso \
Tails_amd64_*_to_${VERSION:?}.iuk \
| gpg --clear-sign \
)
</div>
Generate the output needed for the next section by following [[these
instructions|test/reproducibility/preparation]]!
## For anyone _but_ the RM
Find the "Trusted Reproducer" for this Tails release in the
[[contribute/calendar]] and send this as a signed email to this
person:
EMAIL_PLACEHOLDER
and attach a file named `SHA512SUMS.txt` with these contents:
SHA512SUMS_PLACEHOLDER
and leave the output in this section.
# Automated test suite
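Review bot: "send this as a signed email ... and attach a file named `SHA512SUMS.txt`" does not say that the signature has to cover the attachment. If only the message body is signed inline, the attached hashes are unauthenticated, which defeats the purpose of sending them. Ask for PGP/MIME explicitly, or for the hashes to be clear-signed as in the `sha512sum ... | gpg --clear-sign` command visible in this hunk. The note also repeats the "If your have to plug" typo.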
......
[[!meta title="Preparing the email for the Trusted Verifier"]]
Make sure you still have your variables set from following the release
process (incl. `IUK_SOURCE_VERSIONS`), then run:
DEADLINE="$(date -d 'now + 72 hours')" && \
IUK_VERSION="$(awk '/^tails-iuk\s/ { print $2 }' {${ARTIFACTS:?},${RELEASE_CHECKOUT:?}/wiki/src/torrents/files}/tails-amd64-${VERSION:?}.{,iso.}packages 2>/dev/null | head -n1)" && \
if [ -z "${IUK_VERSION}" ]; then
echo 'Failed to determine IUK_VERSION, aborting' && \
false
fi && \
IUK_CHECKOUT_TAG="debian/${IUK_VERSION}"
TAG_COMMIT="$(git rev-parse --verify ${TAG:?})"
INPUTS="DEADLINE DIST IUK_CHECKOUT_TAG IUK_SOURCE_VERSIONS TAG TAG_COMMIT VERSION"
sh <<EOF
sed --regexp-extended \
$(for var in ${INPUTS:?}; do
val="$(eval "echo \${${var}:?}")" && \
echo -n "-e 's@\\\$\\{${var}\\}@${val}@' "
done) \
wiki/src/contribute/release_process/test/reproducibility/verification-email.template
EOF
and carefully make sure there were no errors, and that each variable
was replaced (i.e. you should see no `$` in the output). If the output
looks good, replace `EMAIL_PLACEHOLDER` on the testing pad with
it. Then run:
( \
cd "${ISOS:?}" && \
sha512sum tails-amd64-${VERSION:?}/tails-amd64-${VERSION:?}.iso \
Tails_amd64_*_to_${VERSION:?}.iuk \
)
and replace `SHA512SUMS_PLACEHOLDER` in the testing pad with the
output.
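Review bot: The `sed` arguments are built by pasting each value unescaped between `@` delimiters inside single quotes, so a value containing `@`, `&`, `'` or a newline either breaks the expression or silently changes the substitution; `IUK_SOURCE_VERSIONS` is at risk if it holds one version per line, as the `curl | grep | cut` command in the verification instructions produces. Escape the values or reject ones containing those characters, and replace the "you should see no `$` in the output" eyeball check with something that fails on its own, such as piping the result through `grep -F '${'`. Also, the `IUK_CHECKOUT_TAG=` and `TAG_COMMIT=` lines are not chained with `&& \`, so after "Failed to determine IUK_VERSION, aborting" the remaining commands still run.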
Hi, Trusted Reproducer!
You signed up for reproducing Tails ${VERSION}. The deadline for doing
so is ${DEADLINE}.
Here are the inputs:
DIST=${DIST}
IUK_CHECKOUT_TAG=${IUK_CHECKOUT_TAG}
IUK_SOURCE_VERSIONS=${IUK_SOURCE_VERSIONS}
TAG=${TAG}
TAG_COMMIT=${TAG_COMMIT}
VERSION=${VERSION}
Attached you will find SHA512SUMS.txt containing all needed hashes.
Check out the ${TAG} tag in Tails' Git repo and read the instructions
from:
wiki/src/contribute/release_process/test/reproducibility/verification.mdwn
or if you build the website:
config/chroot_local-includes/usr/share/doc/tails/website/contribute/release_process/test/reproducibility/verification.html
Good luck and have fun!
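Review bot: "Check out the ${TAG} tag in Tails' Git repo and read the instructions from" sends the recipient to instructions stored in a tag whose signature has not been checked at that point. Add a line asking them to run `git tag -v` on the tag first, as the "Fetch and verify the Git tag" step of the verification page does. The greeting says "Trusted Reproducer" while the page that generates this e-mail is titled "Preparing the email for the Trusted Verifier".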
[[!meta title="Trusted verification of reproducibility"]]
[[!meta title="Verification of Tails reproducibility"]]
[[!toc levels=2]]
<div class="note">
# Preparation
After accepting to be the Trusted Verifier you should have been
instructed to go here immediately and read the "Preparation"
section. For a planned release you should be doing this weeks before
the release you are about to reproduce; for emergency releases you
likely only have days or even hours. If you were not, please file a
ticket about this, since an important part of process must have been
missed by the RM.
## Inputs
</div>
You will need some environment variables set when following these
instructions.
[[!toc levels=2]]
### Inputs received be email
<a id="preparation"></a>
You should receive values for the following variables:
# Preparation (when accepting to be the Trusted Verifier)
* `DIST`
* `IUK_CHECKOUT_TAG`
* `IUK_SOURCE_VERSIONS`
* `TAG`
* `TAG_COMMIT`
* `VERSION`
Use whatever scheduling tool you prefer to make sure you will, on your
own initiative, return to this document and follow it within 72 hours
from the start of the manual testing session. In particular, do not
trust anything said by the RM about this process.
as well as a `SHA512SUMS.txt` file attached.
# Inputs
### Your inputs
## Inputs from the release process
Set these variables according to the beginning of our
[[contribute/release_process]] document:
Look at the "Environment" section at the beginning of [[the release
process instructions|contribute/release_process]] and set the
following variables as instructed:
* `ARTIFACTS`
* `DIST`
* `ISOS`
* `IUK_CHECKOUT`
* `PERL5LIB_CHECKOUT`
* `RELEASE_BRANCH`
* `VERSION`
Now for the only tricky part, setting `IUK_SOURCE_VERSIONS`. It should
simply list the old Tails versions that will get an automatic upgrade
to the current release, and should be set correctly by this command
most of the time:
IUK_SOURCE_VERSIONS="$(
curl "http://dl.amnesia.boum.org/tails/${DIST:?}/iuk/" \
| grep --extended-regexp --only-matching \
"Tails_amd64_[^_]+_to_${VERSION:?}.iuk" \
| sort -u \
| tr '_' ' ' \
| cut -d' ' -f3
)"
echo -e "Got these IUK source versions:\n${IUK_SOURCE_VERSIONS}"
Now sanity check the contents of `IUK_SOURCE_VERSIONS`:
* If empty, the RM has probably not uploaded them yet so you may have
to wait.
* make sure each listed version actually has been released! :)
* [[Figure out the rules for how to set this
variable|contribute/release_process/#prepare-iuk]] and double-check
that it makes sense! Note that exceptions happen (e.g. there could
be a bug in some old versions upgrader so we skip it).
* If the release notes have already been written (generally there is a
ticket about it) it should list which versions
## Inputs from the testing pad
In the "Reproducibility" section of the testing pad you'll find
clear-signed hashes for all products of this release. Verify the
signature, and put the hashes (excluding the OpenPGP signature data)
into a file called `SHA512SUMS.txt`.
## Your inputs
Also set these accordingly:
Set these environment variables accordingly:
* `ISOS_CHECKOUT`: path to your Tails ISO history repo checout.
* `PACKAGES_FILE`: path to the `.packages` file for this release
(should be attached to the "Testing Tails `$VERSION`" email you have
in your inbox)
* `PUBLISHED_ARTIFACTS`: some _new_ directory where you can download
gigabytes of data to.
* `SHA512SUMS`: the path of the `SHA512SUMS.txt` file from above.
* `TAILS_CHECKOUT`: path to your Tails Git repo checkout.
## Download published products
## Derived environment variables
cd "${TAILS_CHECKOUT:?}" && \
TAG="$(echo $VERSION | tr '~' '-')" && \
TAG_COMMIT="$(git rev-parse --verify ${TAG:?})" && \
git fetch && \
git checkout "${RELEASE_BRANCH:?}" && \
git merge "origin/${RELEASE_BRANCH:?}" && \
PERL5LIB_VERSION="$(awk '/^tails-perl5lib\s/ { print $2 }' "${PACKAGES_FILE:?}")" && \
if [ -z "${PERL5LIB_VERSION}" ]; then
echo 'Failed to determine PERL5LIB_VERSION, aborting' && \
false
fi && \
PERL5LIB_CHECKOUT_TAG="debian/${PERL5LIB_VERSION}" && \
IUK_VERSION="$(awk '/^tails-iuk\s/ { print $2 }' "${PACKAGES_FILE:?}")" && \
if [ -z "${IUK_VERSION}" ]; then
echo 'Failed to determine IUK_VERSION, aborting' && \
false
fi && \
IUK_CHECKOUT_TAG="debian/${IUK_VERSION}"
# Download published products
mkdir -p "${PUBLISHED_ARTIFACTS:?}" && \
cd "${PUBLISHED_ARTIFACTS:?}" && \
mkdir tails-amd64-${VERSION:?} && \
cd tails-amd64-${VERSION:?} && \
wget --recursive http://dl.amnesia.boum.org/tails/${DIST:?}/tails-amd64-${VERSION:?}/tails-amd64-${VERSION:?}.iso && \
wget http://dl.amnesia.boum.org/tails/${DIST:?}/tails-amd64-${VERSION:?}/tails-amd64-${VERSION:?}.iso && \
cd .. && \
for old_version in ${IUK_SOURCE_VERSIONS}; do
wget http://dl.amnesia.boum.org/tails/${DIST:?}/iuk/Tails_amd64_${old_version}_to_${VERSION:?}.iuk
done
## Obtain needed old Tails releases
# Obtain needed old Tails releases
cd "${ISOS_CHECKOUT:?}" && \
git annex sync && \
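Review bot: `IUK_SOURCE_VERSIONS` is scraped from a plain `http://` directory listing, so the sanity-check list that follows is the only thing stopping a tampered or incomplete listing from shrinking the set of IUKs that get verified, and the last bullet of that list is cut off mid-sentence ("it should list which versions"). Finish that bullet so the cross-check against the release notes is actually usable. Typos in the same region: "Inputs received be email" (by), "ISO history repo checout", "an important part of process".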
......@@ -59,12 +127,15 @@ Also set these accordingly:
tails_dir="tails-amd64-${old_version}" && \
if [ ! -d "${ISOS:?}/${tails_dir}" ]; then
git annex get "${tails_dir}" && \
cp -r "${tails_dir}" "${ISOS:?}"
cp --dereference --recursive "${tails_dir}" "${ISOS:?}"
fi
done
## Refresh tails-iuk Git repo
# Refresh iuk and perl5lib Git repos
cd "${PERL5LIB_CHECKOUT:?}" && \
git fetch && \
git checkout "${PERL5LIB_CHECKOUT_TAG:?}" && \
cd "${IUK_CHECKOUT:?}" && \
git fetch && \
git checkout "${IUK_CHECKOUT_TAG:?}"
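Review bot: `git checkout "${PERL5LIB_CHECKOUT_TAG:?}"` and `git checkout "${IUK_CHECKOUT_TAG:?}"` check out tags that are never verified, while the Tails tag gets a `git tag -v` in the next section. Both repositories feed the reproduction, so if their `debian/...` tags are signed, add `git tag -v` for each before the checkout; if they are not, say what the reproducer is expected to rely on instead.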
......@@ -74,13 +145,8 @@ Also set these accordingly:
## Fetch and verify the Git tag
cd "${TAILS_CHECKOUT:?}" && \
git fetch && \
git checkout "${TAG_COMMIT:?}" && \
if [ "$(git describe --tags --exact-match)" = "${TAG:?}" ]; then
git tag -v "${TAG}"
else
echo 'TAG_COMMIT and TAG does not match!'
fi
git fetch origin "${TAG}" && \
git tag -v "${TAG}"
* If the last output is a "Good signature" for the expected tag, made by
Tails signing key, then we are good.
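Review bot: In the two-line variant (`git fetch origin "${TAG}"` followed by `git tag -v "${TAG}"`), `TAG_COMMIT` is not used at all, so nothing compares the tag that was fetched with the value listed among the inputs. Either keep a comparison, for example `[ "$(git rev-parse --verify "${TAG:?}")" = "${TAG_COMMIT:?}" ]`, which matches how `TAG_COMMIT` is computed elsewhere in this commit, or drop `TAG_COMMIT` from the inputs and the e-mail template. These two lines also use `${TAG}` without the `:?` guard used in the rest of the page.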
......@@ -91,10 +157,13 @@ Also set these accordingly:
## Reproduce the image
cd "${TAILS_CHECKOUT:?}" && \
git checkout "${TAG:?}" && \
git submodule update --init && \
export SOURCE_DATE_EPOCH=$(date --utc --date="$(dpkg-parsechangelog --show-field=Date)" '+%s') && \
rake build && \
mkdir "${ISOS:?}/tails-amd64-${VERSION:?}" && \
mv "${ARTIFACTS:?}/tails-amd64-${VERSION:?}.iso" \
mv "${ARTIFACTS:?}/tails-amd64-${VERSION:?}.iso" \
"${ISOS:?}/tails-amd64-${VERSION:?}/"
## Reproduce IUKs
......@@ -106,7 +175,8 @@ the value of `SOURCE_DATE_EPOCH` set above is needed!
# Verification
If there is *any* type of mismatch at some point below, let the RM and
tails@ know *immediately*!
tails@ know *immediately*! But still proceed and do everything below,
potentially reporting multiple different issues.
## Verify your products
......@@ -120,23 +190,26 @@ tails@ know *immediately*!
## Verify IDF
This step can only be done after the release is been made public.
Examine the IDF by running:
curl https://tails.boum.org/install/v1/Tails/amd64/${DIST:?}/latest.yml
and checking that:
and checking that it matches the output of the following command:
* the `url` value is the expected ISO image URL, i.e.:
cat <<-EOF
sha256: $(sha256sum "${ISOS:?}/tails-amd64-${VERSION:?}/tails-amd64-${VERSION:?}.iso" | cut -f 1 -d ' ' | tr -d '\n')
size: $(du --bytes "${ISOS:?}/tails-amd64-${VERSION:?}/tails-amd64-${VERSION:?}.iso" | cut -f1)
url: http://dl.amnesia.boum.org/tails/${DIST:?}/tails-amd64-$VERSION/tails-amd64-$VERSION.iso
EOF
http://dl.amnesia.boum.org/tails/${DIST:?}/tails-amd64-$VERSION/tails-amd64-$VERSION.iso
* the `sha256` value is the `SHA-256` you get from your image (with
e.g. `sha256sum`).
* the `size` value is the number of bytes of your image.
Keep this output, you will need it below!
## Verify UDFs
This step can only be done after the release is been made public.
Examine each UDF by running:
for old_version in ${IUK_SOURCE_VERSIONS}; do
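Review bot: "checking that it matches the output of the following command" leaves a 64-character hash to be compared by eye. Suggest writing both outputs to files and running `diff` on them, or at least grepping the downloaded IDF for the expected `sha256` value. In the same heredoc the `url:` line uses `$VERSION` while the `sha256:` and `size:` lines use `${VERSION:?}`, and "after the release is been made public" should read "has been made public" (the same sentence appears under "Verify UDFs").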
......@@ -149,12 +222,25 @@ Examine each UDF by running:
done
and checking that there are either one or two `target-files`
entries, where `type: full` means a full upgrade (so it refers to
the ISO image) and `type: incremental` means an incremental upgrade
(so it refers to a IUK). Verify
* that the `url` is
http://dl.amnesia.boum.org/tails/${DIST:?}/iuk/Tails_amd64_${old_version}_to_$$VERSION.iuk
* the `sha256` and `size` values just like you did for the IDF previously.
entries:
, where `type: full` means a full upgrade (so it refers to
the ISO image) and `type: incremental` . Verify
* `type: full` means a full upgrade (so it refers to the ISO image)
and must have the same values as for the IDF (you were asked to save
the output above), so please verify that it matches!
* `type: incremental` means an incremental upgrade (so it refers to a
IUK) and should match the output of:
for old_version in ${IUK_SOURCE_VERSIONS}; do
cat <<EOF
Expected values for https://tails.boum.org/upgrade/v1/Tails/${old_version}/amd64/${DIST:?}/upgrades.yml:
sha256: $(sha256sum "${ISOS:?}/Tails_amd64_${old_version}_to_${VERSION:?}.iuk" | cut -f 1 -d ' ' | tr -d '\n')
size: $(du --bytes "${ISOS:?}/Tails_amd64_${old_version}_to_${VERSION:?}.iuk" | cut -f1)
url: http://dl.amnesia.boum.org/tails/${DIST:?}/iuk/Tails_amd64_${old_version}_to_${VERSION:?}.iuk
EOF
done
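Review bot: The two lines after "entries:" (", where `type: full` means a full upgrade (so it refers to" and "the ISO image) and `type: incremental` . Verify") look like a leftover of the old sentence and duplicate what the two bullets below them say; remove them so the text goes straight from "entries:" to the bullets. The `cat <<EOF` inside the `for` loop is also worth a check: unlike the `<<-EOF` used for the IDF, a plain `<<EOF` needs its terminator at the start of the line, so make sure the block still works when pasted as displayed.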
......@@ -13,7 +13,10 @@
designated dates for testing the RC and final image.
- Ask `tails@` for a _Trusted Reproducer_ who will reproduce the
ISOs and IUKs for the RC and final release within 72 hours after
the RM has unplugged their smartcard.
the RM has unplugged their smartcard. When accepting the offer,
the Trusted Reproducer must read the [["Preparation" section of
the instructions|test/reproducibility/verification/#preparation]].
- Update [[contribute/calendar]] accordingly.
- Update the due date on [[!tails_roadmap]] accordingly.
- Ask to be added to the `rsync_tails` group on `rsync.lizard`,
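Review bot: This step counts the 72 hours from when "the RM has unplugged their smartcard", the verification page counts them "from the start of the manual testing session", and the e-mail preparation snippet computes `DEADLINE` as `now + 72 hours` at whatever time the RM runs it. Pick one reference point and use it in all three places, otherwise the RM and the Trusted Reproducer can end up with different deadlines.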
......
......@@ -6,7 +6,7 @@
msgid ""
msgstr ""
"Project-Id-Version: \n"
"POT-Creation-Date: 2018-02-21 18:45+0100\n"
"POT-Creation-Date: 2018-03-02 14:23+0100\n"
"PO-Revision-Date: 2017-02-09 19:24+0100\n"
"Last-Translator: Tails translators <tails@boum.org>\n"
"Language-Team: \n"
......@@ -131,10 +131,16 @@ msgstr ""
"\"]] zum herunterladen</small>"
#. type: Content of: <div><div><div><div><div><h4>
#, fuzzy
#| msgid ""
#| "</span> <span class=\"windows linux mac-usb mac-dvd\"><small>1 hour to "
#| "install</small></span> <span class=\"debian expert\"><small>½ hour to "
#| "install</small></span> <span class=\"upgrade-tails\"><small>½ hour to "
#| "upgrade</small></span>"
msgid ""
"</span> <span class=\"windows linux mac-usb mac-dvd\"><small>1 hour to "
"install</small></span> <span class=\"debian expert\"><small>½ hour to "
"install</small></span> <span class=\"upgrade-tails\"><small>½ hour to "
"install</small></span> <span class=\"upgrade-tails\"><small>¼ hour to "
"upgrade</small></span>"
msgstr ""
"</span> <span class=\"windows linux mac-usb mac-dvd\"><small>1 Stunde zum "
......
......@@ -5,7 +5,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"POT-Creation-Date: 2018-02-21 18:45+0100\n"
"POT-Creation-Date: 2018-03-02 14:23+0100\n"
"PO-Revision-Date: 2018-01-30 19:04+0000\n"
"Last-Translator: Weblate Admin <admin@example.com>\n"
"Language-Team: Spanish <http://translate.tails.boum.org/projects/tails/"
......@@ -126,10 +126,16 @@ msgstr ""
"\"]] para descargar</small>"
#. type: Content of: <div><div><div><div><div><h4>
#, fuzzy
#| msgid ""
#| "</span> <span class=\"windows linux mac-usb mac-dvd\"><small>1 hour to "
#| "install</small></span> <span class=\"debian expert\"><small>½ hour to "
#| "install</small></span> <span class=\"upgrade-tails\"><small>½ hour to "
#| "upgrade</small></span>"
msgid ""
"</span> <span class=\"windows linux mac-usb mac-dvd\"><small>1 hour to "
"install</small></span> <span class=\"debian expert\"><small>½ hour to "
"install</small></span> <span class=\"upgrade-tails\"><small>½ hour to "
"install</small></span> <span class=\"upgrade-tails\"><small>¼ hour to "
"upgrade</small></span>"
msgstr ""
"</span> <span class=\"windows linux mac-usb mac-dvd\"><small>1 hora para "
......
......@@ -7,7 +7,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"POT-Creation-Date: 2018-02-21 18:45+0100\n"
"POT-Creation-Date: 2018-03-02 14:23+0100\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
......@@ -116,7 +116,7 @@ msgstr ""
msgid ""
"</span> <span class=\"windows linux mac-usb mac-dvd\"><small>1 hour to "
"install</small></span> <span class=\"debian expert\"><small>½ hour to "
"install</small></span> <span class=\"upgrade-tails\"><small>½ hour to "
"install</small></span> <span class=\"upgrade-tails\"><small>¼ hour to "
"upgrade</small></span>"
msgstr ""
......
......@@ -6,7 +6,7 @@
msgid ""
msgstr ""
"Project-Id-Version: Tails\n"
"POT-Creation-Date: 2018-02-21 18:45+0100\n"
"POT-Creation-Date: 2018-03-02 14:23+0100\n"
"PO-Revision-Date: 2018-01-04 15:32+0000\n"
"Last-Translator: \n"
"Language-Team: Tails translators <tails@boum.org>\n"
......@@ -125,10 +125,16 @@ msgstr ""
"\"]] à télécharger</small>"
#. type: Content of: <div><div><div><div><div><h4>
#, fuzzy
#| msgid ""
#| "</span> <span class=\"windows linux mac-usb mac-dvd\"><small>1 hour to "
#| "install</small></span> <span class=\"debian expert\"><small>½ hour to "
#| "install</small></span> <span class=\"upgrade-tails\"><small>½ hour to "
#| "upgrade</small></span>"
msgid ""
"</span> <span class=\"windows linux mac-usb mac-dvd\"><small>1 hour to "
"install</small></span> <span class=\"debian expert\"><small>½ hour to "
"install</small></span> <span class=\"upgrade-tails\"><small>½ hour to "
"install</small></span> <span class=\"upgrade-tails\"><small>¼ hour to "
"upgrade</small></span>"
msgstr ""
"</span> <span class=\"windows linux mac-usb mac-dvd\"><small>1 heure pour "
......
......@@ -6,7 +6,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"POT-Creation-Date: 2018-02-21 18:45+0100\n"
"POT-Creation-Date: 2018-03-02 14:23+0100\n"
"PO-Revision-Date: 2016-09-02 14:00+0200\n"
"Last-Translator: ita team\n"
"Language-Team: ita <transitails@inventati.org>\n"
......@@ -123,7 +123,7 @@ msgstr ""
msgid ""
"</span> <span class=\"windows linux mac-usb mac-dvd\"><small>1 hour to "
"install</small></span> <span class=\"debian expert\"><small>½ hour to "
"install</small></span> <span class=\"upgrade-tails\"><small>½ hour to "
"install</small></span> <span class=\"upgrade-tails\"><small>¼ hour to "
"upgrade</small></span>"
msgstr ""
......
......@@ -6,7 +6,7 @@
msgid ""
msgstr ""
"Project-Id-Version: \n"
"POT-Creation-Date: 2018-02-21 18:45+0100\n"
"POT-Creation-Date: 2018-03-02 14:23+0100\n"
"PO-Revision-Date: 2017-02-09 19:26+0100\n"
"Last-Translator: Tails Developers <amnesia@boum.org>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
......@@ -131,10 +131,16 @@ msgstr ""
"\"]] para baixar</small>"