Commit 60d995f6 authored by sajolida's avatar sajolida

Merge remote-tracking branch 'origin/devel' into doc/16282-buster-doc

parents 8f7d9b81 b504ca56
......@@ -11,6 +11,6 @@
[submodule "submodules/mirror-pool-dispatcher"]
path = submodules/mirror-pool-dispatcher
url = https://git-tails.immerda.ch/mirror-pool-dispatcher
[submodule "submodules/aufs4-standalone"]
path = submodules/aufs4-standalone
url = https://github.com/sfjro/aufs4-standalone.git
[submodule "submodules/aufs-standalone"]
path = submodules/aufs-standalone
url = https://github.com/sfjro/aufs5-standalone.git
......@@ -439,6 +439,8 @@ task :build => ['parse_build_options', 'ensure_clean_repository', 'maybe_clean_u
# command to modify the #{hostname} below.
'-o', 'StrictHostKeyChecking=no',
'-o', 'UserKnownHostsFile=/dev/null',
# Speed up the copy
'-o', 'Compression=no',
]
fetch_command += artifacts.map { |a| "#{user}@#{hostname}:#{a}" }
fetch_command << ENV['ARTIFACTS']
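Review bot: The `Compression=no` option added here joins an SSH option list whose other entries, `StrictHostKeyChecking=no` and `UserKnownHostsFile=/dev/null` (apparently pre-existing context rather than part of this change), disable host-key verification for the artifact download, so the build output is fetched over a channel whose endpoint is never authenticated. Since this hunk is already tuning that list, it is the natural place to switch to `'-o', 'StrictHostKeyChecking=yes', '-o', 'UserKnownHostsFile=<PATH_TO_PINNED_KNOWN_HOSTS>'`; the comment above mentions a command to modify the hostname, so the pinned file would need an entry per build host it can point at. The `task :build` block continues outside the hunk.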
......
......@@ -85,7 +85,7 @@ find \
config/binary_local-includes \
config/chroot_local-includes \
wiki/src \
-exec touch --date="@$SOURCE_DATE_EPOCH" '{}' \;
-exec touch --no-dereference --date="@$SOURCE_DATE_EPOCH" '{}' \;
# build the image
......
......@@ -203,9 +203,9 @@ install -m 0755 \
submodules/mirror-pool-dispatcher/lib/js/mirror-dispatcher.js \
config/chroot_local-includes/usr/local/lib/nodejs/
# aufs4-standalone
rm -rf config/chroot_local-includes/usr/src/aufs4-standalone
cp -a submodules/aufs4-standalone config/chroot_local-includes/usr/src/
# aufs-standalone
rm -rf config/chroot_local-includes/usr/src/aufs-standalone
cp -a submodules/aufs-standalone config/chroot_local-includes/usr/src/
# custom debootstrap script, setting some APT magic to log downloads:
patch \
......
......@@ -33,19 +33,19 @@ CURRENT_BRANCH=$(git_current_branch)
if [ "$BASE_BRANCH" = stable ] \
|| [ "$BASE_BRANCH" = testing ] \
|| ( git_on_a_tag && [ "$CURRENT_BRANCH" = feature/buster ] ) \
|| ( git_on_a_tag && [ "$CURRENT_BRANCH" = feature/bullseye ] ) \
then
case "$ARCHIVE" in
debian-security)
[ "$SERIAL" = latest ] \
|| fatal "APT snapshots are frozen for the debian-security archive," \
"which should happen neither on feature/buster nor on" \
"which should happen neither on feature/bullseye nor on" \
"a branch based on $BASE_BRANCH"
;;
*)
[ "$SERIAL" != latest ] \
|| fatal "APT snapshots are not frozen for the $ARCHIVE archive," \
"which should happen neither on feature/buster nor on" \
"which should happen neither on feature/bullseye nor on" \
"a branch based on $BASE_BRANCH"
esac
if version_was_released "$(version_in_changelog)"; then
......@@ -61,10 +61,10 @@ then
output_time_based_snapshot "$ARCHIVE" "$RESOLVED_SERIAL"
fi
else
if [ "$BASE_BRANCH" = devel ] || [ "$CURRENT_BRANCH" = feature/buster ]; then
if [ "$BASE_BRANCH" = devel ] || [ "$CURRENT_BRANCH" = feature/bullseye ]; then
if [ "$SERIAL" != latest ]; then
fatal "APT snapshots are frozen, which should happen neither on" \
"feature/buster nor on a branch based on the devel one"
"feature/bullseye nor on a branch based on the devel one"
fi
fi
output_time_based_snapshot "$ARCHIVE" "$RESOLVED_SERIAL"
......
......@@ -106,7 +106,7 @@ class ImageCreator(object):
self.create_partition()
# udisks' create_partition function seems to ignore arg_type
# in Stretch, so we set it via sgdisk.
# XXX:Buster: Remove set_partition_type
# XXX: Remove set_partition_type once our Vagrant box runs Buster (#16868)
self.set_partition_type()
self.set_partition_flags()
# XXX: Rescan?
......
......@@ -60,7 +60,7 @@ for origin in $(list_origins) ; do
# code complexity (=> higher maintenance cost).
#
# XXX: Bullseye: bump the end of the range of major versions
for major in $(seq 3 4 5) ; do
for major in $(seq 3 5); do
for minor in $(seq 0 32); do
for suffix in "" alpha beta rc ; do
for suffix_n in "" $(seq 1 8); do
......
......@@ -23,7 +23,7 @@ AMNESIA_APPEND="live-media=removable nopersistence noprompt timezone=Etc/UTC blo
AMNESIA_ISOHYBRID_OPTS="-h 255 -s 63 --id 42 --verbose"
# Kernel version
KERNEL_VERSION='4.19.0-5'
KERNEL_VERSION='5.2.0-2'
KERNEL_SOURCE_VERSION=$(
echo "$KERNEL_VERSION" \
| perl -p -E 's{\A (\d+ [.] \d+) [.] .*}{$1}xms'
......
......@@ -10,14 +10,14 @@ Package: b43-fwcutter
Pin: release o=Debian,n=sid
Pin-Priority: 999
Explanation: unavailable in stretch and stretch-backports, version in sid is intentionally broken (Debian#928518)
Explanation: unavailable in Buster, version in sid is intentionally broken (Debian#928518)
Package: electrum python3-electrum
Pin: origin deb.tails.boum.org
Pin-Priority: 999
Package: enigmail
Pin: origin deb.tails.boum.org
Pin-Priority: -1
Pin: release o=Debian,n=bullseye
Pin-Priority: 999
Package: firmware-b43-installer
Pin: release o=Debian,n=sid
......@@ -32,15 +32,10 @@ Pin: release o=Debian,n=sid
Pin-Priority: 999
Explanation: src:firmware-nonfree
Package: firmware-linux firmware-linux-nonfree firmware-atheros firmware-brcm80211 firmware-intel-sound firmware-ipw2x00 firmware-iwlwifi firmware-libertas firmware-misc-nonfree firmware-realtek firmware-ti-connectivity
Package: firmware-linux firmware-linux-nonfree firmware-amd-graphics firmware-atheros firmware-brcm80211 firmware-intel-sound firmware-ipw2x00 firmware-iwlwifi firmware-libertas firmware-misc-nonfree firmware-realtek firmware-ti-connectivity
Pin: release o=Debian,n=sid
Pin-Priority: 990
Explanation: Exception to src:firmware-nonfree pinning due to Debian#928631
Package: firmware-amd-graphics
Pin: release o=Debian,n=stretch-backports
Pin-Priority: 990
Package: firmware-zd1211
Pin: release o=Debian,n=sid
Pin-Priority: 999
......@@ -58,12 +53,12 @@ Package: obfs4proxy
Pin: release o=TorProject,n=obfs4proxy
Pin-Priority: 990
Package: tails-installer
Pin: origin deb.tails.boum.org
Package: squashfs-tools
Pin: release o=Debian,n=sid
Pin-Priority: 999
Package: tor tor-geoipdb
Pin: release o=Debian,n=experimental
Package: tails-installer
Pin: origin deb.tails.boum.org
Pin-Priority: 999
Package: virtualbox*
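Review bot: The `Package: enigmail` pin to `release o=Debian,n=bullseye` at priority 999 in the first hunk, which appears to be the new side, carries no `Explanation:` line, unlike the neighbouring `b43-fwcutter` pin that records its reason and Debian bug number. A 999 pin to a newer suite means the package is taken from bullseye regardless of what the base suite or its security archive ships, so the reason should be written down next to it, e.g. `Explanation: <why enigmail from bullseye is required — fill in>`, so a future reviewer can tell when the pin may be dropped.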
......
......@@ -74,7 +74,7 @@ install_tor_browser() {
# instead of the system one, whenever ours is too old.
# For details see projects/firefox/abicheck.cc in
# https://git.torproject.org/builders/tor-browser-build.git
# Tor Browser 8.0a10 requires GLIBCXX_3.4.22, which Stretch has
# Tor Browser 8.0a10 requires GLIBCXX_3.4.22, which Buster has
# so disable this for now.
# cp "${prep}"/TorBrowser/Tor/libstdc++.so.6 "${prep}"
......@@ -217,6 +217,13 @@ apply_prefs_hacks() {
perl -pi -E \
's/^(pref\("browser.uiCustomization.state",.*\\"loop-button\\")/$1,\\"stop-reload-button\\"/' \
defaults/preferences/000-tor-browser.js
# Hide the security level button in the unsafe browser (#16735)
UNSAFE_BROWSER_PREFS=/usr/share/tails/chroot-browsers/unsafe-browser/prefs.js
echo "\n// Hide the security level button" >> "${UNSAFE_BROWSER_PREFS}"
grep -E '^pref\("browser.uiCustomization.state"' defaults/preferences/000-tor-browser.js | \
perl -p -E 's/(.*)\\"security-level-button\\",/user_$1/' >> "${UNSAFE_BROWSER_PREFS}"
# Append our custom prefs
cat /usr/share/tails/tor-browser-prefs.js \
>> defaults/preferences/000-tor-browser.js
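Review bot: `echo "\n// Hide the security level button" >> "${UNSAFE_BROWSER_PREFS}"` in the second hunk relies on echo interpreting `\n`, which depends on the shell running this script (bash prints a literal backslash-n unless xpg_echo is set, dash expands it); `printf '\n// Hide the security level button\n' >> "${UNSAFE_BROWSER_PREFS}"` behaves the same everywhere. The `grep | perl` pipeline after it has no failure check: if the `browser.uiCustomization.state` line is missing nothing is appended, and if it is present but no longer contains `\"security-level-button\",` the substitution is a no-op and a `pref(` rather than `user_pref(` line lands in the unsafe browser's prefs, all silently. Capturing the grep output in a variable and failing when it is empty, or making the perl substitution fatal on no-match (`s/.../.../ or die`), would surface either drift at build time. apply_prefs_hacks() continues outside the hunk.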
......
......@@ -11,9 +11,11 @@ echo "Setting up a build environment for kernel modules"
# Import ensure_hook_dependency_is_installed()
. /usr/local/lib/tails-shell-library/build.sh
# This hack is not needed on Buster but let's keep the commented code around
# for next time we need it.
#
# # Install gcc-6 and fake linux-compiler-gcc-8-x86
# # (linux-headers-4.19+ depends on it, but Stretch hasn't GCC 8)
# # XXX:Buster: remove this hack.
# ensure_hook_dependency_is_installed gcc-6
# NEWEST_INSTALLED_KERNEL_VERSION="$(
# dpkg-query --showformat '${Version}\n' --show 'linux-image-*-amd64' \
......
......@@ -23,7 +23,7 @@ ln -s \
"/usr/src/linux-source-${KERNEL_SOURCE_VERSION}/fs" \
"/usr/src/linux-headers-${KERNEL_VERSION}-${arch}/fs"
(
cd /usr/src/aufs4-standalone
cd /usr/src/aufs-standalone
perl -pi -E \
's{\A CONFIG_AUFS_DEBUG \s* = \s* y $}{CONFIG_AUFS_DEBUG =}xms' \
config.mk
......@@ -42,5 +42,5 @@ done
strip --strip-debug /lib/modules/*/extra/aufs.ko
depmod "${KERNEL_VERSION}-${arch}"
rm -r /usr/src/aufs4-standalone
rm -r /usr/src/aufs-standalone
rm -r "/usr/src/linux-source-${KERNEL_SOURCE_VERSION}"
#! /bin/sh
set -e
set -u
echo "Set up greeter language codes"
# Extract language codes from the supported locales
perl -n -E 'next unless m{_}xms; \
next if m{\@}xms; \
say $1 if m{(.*?) [. ]}xms' \
/usr/share/i18n/SUPPORTED \
| uniq \
> /usr/share/tails-greeter/language_codes
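Review bot: The backslashes at the end of `'next unless m{_}xms; \` and the line after it sit inside a single-quoted string, so the shell passes them to perl as part of the program rather than treating them as line continuations; the one-liner evidently runs, but it does so with a stray `\` in front of `next` and `say`, which is not what a reader expects. A single-quoted string already spans lines, so the program reads identically without the backslashes, or the three statements can be given as separate `-E` arguments. Note also that `uniq` only collapses adjacent duplicates, so the uniqueness of `language_codes` depends on `/usr/share/i18n/SUPPORTED` being sorted; `sort -u` would make that independent of the input order if the order of codes does not matter downstream.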
#!/bin/sh
set -e
set -u
ORIG_SHELL_DESKTOP_FILE="/usr/share/applications/org.gnome.Shell.desktop"
TAILS_SHELL_DESKTOP_FILE="/usr/share/gdm/greeter/applications/gdm-shell-tails.desktop"
ORIG_SESSION_FILE="/usr/share/gnome-session/sessions/gnome-classic.session"
TAILS_SESSION_FILE="/usr/share/gnome-session/sessions/gdm-tails.session"
create_gdm_shell_tails_desktop_file() {
if ! grep -q --fixed-strings --line-regexp "Exec=/usr/bin/gnome-shell" \
"${ORIG_SHELL_DESKTOP_FILE}"; then
echo "Couldn't find expected exec line in GNOME Shell's .desktop file:" >&2
echo "(${ORIG_SHELL_DESKTOP_FILE})" >&2
exit 1
fi
sed -E "s,^Exec=/usr/bin/gnome-shell$,Exec=/usr/bin/gnome-shell --mode=gdm-tails," \
"${ORIG_SHELL_DESKTOP_FILE}" \
> "${TAILS_SHELL_DESKTOP_FILE}"
}
create_tails_session_file() {
if ! grep -q -E \
"^RequiredComponents=org\.gnome\.Shell;" "${ORIG_SESSION_FILE}" || \
! grep -q --fixed-strings --line-regexp \
"Name=GNOME Classic" "${ORIG_SESSION_FILE}"; then
echo "Couldn't find expected Name and RequiredComponents lines in GNOME's session file:" >&2
echo "(${ORIG_SESSION_FILE})" >&2
exit 1
fi
sed -E \
-e "s,^RequiredComponents=org\.gnome\.Shell;,RequiredComponents=gdm-shell-tails;tails-greeter;," \
-e "s,^Name=GNOME Classic$,Name=Display Manager," \
-e "/^Name\[/d" \
"${ORIG_SESSION_FILE}" \
> "${TAILS_SESSION_FILE}"
}
create_gdm_shell_tails_desktop_file
create_tails_session_file
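Review bot: Neither create_gdm_shell_tails_desktop_file nor create_tails_session_file has a header comment, so the reason GNOME Shell must be launched with `--mode=gdm-tails`, and why `Name[` lines are dropped from the derived session file while other localized keys are kept, is not recorded anywhere in the script. A one-line header per function, e.g. `# Derive a GDM-only GNOME Shell launcher that starts the shell in the gdm-tails mode.` and `# Derive the greeter session from GNOME Classic, with gdm-shell-tails and tails-greeter as its required components.`, would make the sed expressions checkable against intent. A top-of-file comment naming what consumes `${TAILS_SHELL_DESKTOP_FILE}` and `${TAILS_SESSION_FILE}` would help as well, since the destination paths are the only hint.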
......@@ -8,7 +8,7 @@ for alternative in pinentry pinentry-x11 ; do
update-alternatives --set "$alternative" /usr/bin/pinentry-gtk-2
done
# XXX:Buster remove once Debian bug #869416 is fixed
# XXX:Bullseye remove once Debian bug #869416 is fixed
mkdir -p /usr/lib/pinentry
dpkg-divert --add --rename --divert \
/usr/lib/pinentry/pinentry-gtk-2 \
......
#!/bin/sh
set -e
set -u
### Tweak systemd unit files
# Workaround for https://bugs.debian.org/714957
# Workaround for https://bugs.debian.org/934389
systemctl enable memlockd.service
# Enable our own systemd unit files
......@@ -32,10 +33,9 @@ systemctl --global enable tails-virt-notify-user.service
systemctl --global enable tails-wait-until-tor-has-bootstrapped.service
# Use socket activation only, to delay the startup of cupsd.
# In practice, on Jessie this means that cupsd is started during
# In practice, this means that cupsd is started during
# the initialization of the GNOME session, which is fine: by then,
# the persistent /etc/cups has been mounted.
# XXX: make sure it's the case on Stretch, adjust if not.
systemctl disable cups.service
systemctl enable cups.socket
......@@ -50,7 +50,8 @@ systemctl disable NetworkManager.service
systemctl disable NetworkManager-wait-online.service
# systemd-networkd fallbacks to Google's nameservers when no other nameserver
# is provided by the network configuration. In Jessie, this service is disabled
# is provided by the network configuration. As of Debian Buster,
# this service is disabled
# by default, but it feels safer to make this explicit. Besides, it might be
# that systemd-networkd vs. firewall setup ordering is suboptimal in this respect,
# so let's avoid any risk of DNS leaks here.
......
......@@ -23,13 +23,11 @@ apt-get --yes purge \
dh-autoreconf \
dpkg-dev \
fakeroot \
gcc gcc-6 \
gcc-7 \
gcc \
gcc-8 \
gdbm-l10n \
libc-dev-bin \
libc6-dev \
libgcc-7-dev \
libgcc-8-dev \
libtool \
linux-libc-dev \
......@@ -40,7 +38,6 @@ apt-get --yes purge \
### Deinstall a few unwanted packages that were pulled by tasksel
### since they have Priority: standard.
apt-get --yes purge \
'^exim4*' \
m4 \
mlocate \
nfs-common \
......@@ -54,16 +51,30 @@ apt-get --yes purge \
xfonts-base \
xfonts-scalable
### We'll remove packages listed in this variable. It's purpose is to
### gather *several* packages we might want to remove below and purge
### then at the same time, which has less overhead than purging them
### one at a time.
packages_to_purge=""
### Remove packages that can get a different priority in the security
### archive (see https://bugs.debian.org/867668):
if is_package_installed mutt; then
apt-get --yes purge mutt
fi
### archive (see https://bugs.debian.org/867668).
for package in mutt rpcbind tcpd ; do
if is_package_installed "${package}"; then
packages_to_purge="${packages_to_purge} ${package}"
fi
done
### Hotfix for 3.14: procmail is no longer known by apt in tagged
### snapshots, likely because no longer pulled by monkeysphere:
if is_package_installed procmail; then
apt-get --yes purge procmail
### Remove unwanted packages that might, or might not,
### have been installed during the build.
for package in gcc-7 libgcc-7-dev procmail; do
if is_package_installed "${package}"; then
packages_to_purge="${packages_to_purge} ${package}"
fi
done
if [ -n "${packages_to_purge}" ]; then
apt-get --yes purge "${packages_to_purge}"
fi
### Deinstall some other unwanted packages.
......@@ -71,16 +82,17 @@ apt-get --yes purge \
'^aptitude*' \
libdvdcss2-dbgsym \
live-build \
rpcbind \
tasksel \
tasksel-data \
tcpd
tasksel-data
### Deinstall some other unwanted packages whose regexp might not be match
### anything when building with partial, tagged APT snapshots.
if dpkg --get-selections | grep -qs -E '^geoclue'; then
apt-get --yes purge '^geoclue*'
fi
if dpkg --get-selections | grep -qs -E '^exim4'; then
apt-get --yes purge '^exim4*'
fi
### Deinstall dependencies of the just removed packages.
apt-get --yes --purge autoremove
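Review bot: `apt-get --yes purge "${packages_to_purge}"` at the end of the third hunk (`@@ -54,16 +51,30 @@`) passes the whole space-separated list, leading space included, as one argument, so apt-get sees a single nonexistent package name whenever the list is non-empty — the variable is built by string concatenation and only works if it is word-split. Either drop the quotes with an explicit `# shellcheck disable=SC2086 -- word splitting is intended here` above the call, or collect the names as positional parameters (`set -- "$@" "${package}"`) and purge `"$@"`, which also survives odd characters. The comment introducing the variable should read `Its purpose is to gather ... and purge them at the same time`.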
......@@ -37,7 +37,7 @@ rm -r /var/lib/dkms/*/*/*/*/log
# Post-process /etc/shadow by setting the sp_lstchg field to the number of days
# since SOURCE_DATE_EPOCH instead of 1st Jan 1970. (#12339)
# XXX:Buster: drop this if https://bugs.debian.org/857803 is fixed.
# XXX:Bullseye: drop this as https://bugs.debian.org/917773 is fixed.
cut -d: -f1 /etc/shadow | \
xargs -L1 \
chage --lastday \
......
......@@ -121,7 +121,7 @@ time_is_in_valid_tor_range() {
local curdate="$1"
local vstart="$2"
vendcons=$(date -ud "${vstart} -0230" +'%F %T')
vendcons=$(date -ud "${vstart} -0255" +'%F %T')
order="${vstart}
${curdate}
${vendcons}"
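Review bot: The rewritten `vendcons=$(date -ud "${vstart} -0255" +'%F %T')` assigns a variable that, unlike `curdate` and `vstart` two lines above, is not declared `local`, so it leaks into the caller's scope; `local vendcons` before the assignment keeps the function self-contained. The `-0255` token is also easy to misread as a subtraction: with GNU date it is parsed as a UTC zone offset, which effectively moves `vstart` forward by 2h55m, and the new value deserves a comment such as `# "-0255" is a zone offset for date(1): this is vstart + 2h55m, the window accepted as valid — TODO record why 2h55m`. time_is_in_valid_tor_range() continues outside the hunk.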
......
#! /bin/bash
# This script is run as root by GDM after user's login.
# It must return exit code 0, otherwise it totally breaks the logon process.
# Input
# =====
#
# * /etc/live/config.d/username.conf : $LIVE_USERNAME
# * /var/lib/gdm3/tails.locale : $TAILS_LOCALE_NAME, $TAILS_XKBMODEL,
# $TAILS_XKBLAYOUT, $TAILS_XKBVARIANT, $TAILS_XKBOPTIONS, $CODESET
# * /var/lib/gdm3/tails.password : $TAILS_USER_PASSWORD
# * /var/lib/gdm3/tails.physical_security : $TAILS_MACSPOOF_ENABLED
# For whatever reason, /usr/sbin (needed by at least chpasswd)
# is not in our PATH
export PATH="/usr/sbin:${PATH}"
LIVE_PASSWORD=live
POLKIT=/etc/polkit-1/localauthority.conf.d/52-tails-greeter.conf
SUDOERS=/etc/sudoers.d/tails-greeter
NO_PASSWORD_LECTURE=/etc/sudoers.d/tails-greeter-no-password-lecture
KBDSET=/etc/default/keyboard
CONSET=/etc/default/console-setup
LOCALE_CFG=/etc/default/locale
CODSET="Uni1" # universal codeset to properly display glyphs in localized console
log() {
echo "$1" >&2
}
log_n_exit() {
log "$1"
log "Leaving PostLogin"
exit 0
}
# enforce value $3 for variable $1 in file $2
force_set() {
sed -i -e "s|^$1=.*$|$1=\"$3\"|" "$2"
}
# check if variable $1 is in file $2, if not - add with value $3 to file $2
# $4 enforce adding $3 only (without $1= prefix)
grep_n_set() {
FCHK=yes
grep -qs "$1" "$2" || FCHK=no
if [ -n "$4" ] ; then
if [ "$FCHK" = "no" ] ; then
echo "$3" >> "$2"
fi
else
if [ "$FCHK" = "no" ] ; then
echo "$1=$3" >> "$2"
else
force_set "$1" "$2" "$3"
fi
fi
}
### Let's go
log "Entering PostLogin"
### Gather general configuration
# Import the name of the live user
. /etc/live/config.d/username.conf || log_n_exit "Username file not found."
if [ -z "${LIVE_USERNAME}" ] ; then
log_n_exit "Username variable not found."
fi
### Physical security
log "Running /usr/local/lib/tails-unblock-network..."
/usr/local/lib/tails-unblock-network
log "tails-unblock-network has exited (status=$?)."
### Localization
# Import locale name
. /var/lib/gdm3/tails.locale || log_n_exit "Locale file not found."
if [ -z "${TAILS_LOCALE_NAME}" ] ; then
log_n_exit "Locale variable not found."
fi
# Set the keyboard mapping for X11 and the console
localectl set-x11-keymap "$TAILS_XKBLAYOUT" "$TAILS_XKBMODEL" "$TAILS_XKBVARIANT" "$TAILS_XKBOPTIONS"
# Set the system locale and formats
localectl set-locale \
"LANG=${TAILS_LOCALE_NAME}.UTF-8" \
"LC_TIME=${TAILS_FORMATS}.UTF-8" \
"LC_NUMERIC=${TAILS_FORMATS}.UTF-8" \
"LC_MONETARY=${TAILS_FORMATS}.UTF-8" \
"LC_MEASUREMENT=${TAILS_FORMATS}.UTF-8" \
"LC_PAPER=${TAILS_FORMATS}.UTF-8" \
# Save keyboard settings so that tails-configure-keyboard can set it
# in the GNOME session.
cat > /var/lib/tails-user-session/keyboard <<EOF
XKBMODEL="$TAILS_XKBMODEL"
XKBLAYOUT="$TAILS_XKBLAYOUT"
XKBVARIANT="$TAILS_XKBVARIANT"
XKBOPTIONS="$TAILS_XKBOPTIONS"
EOF
### Password
# Import password for superuser access
if [ -e /var/lib/gdm3/tails.password ] ; then
. /var/lib/gdm3/tails.password
fi
# Remove password file
rm --interactive=never -f /var/lib/gdm3/tails.password
# Check if password is actually set
if [ -z "${TAILS_USER_PASSWORD}" ] ; then
rm -f "${POLKIT}" "${SUDOERS}"
deluser "${LIVE_USERNAME}" sudo
passwd -d "${LIVE_USERNAME}"
install -o root -g root -m 0440 /dev/null "${NO_PASSWORD_LECTURE}"
echo "Defaults:amnesia lecture=always" > "${NO_PASSWORD_LECTURE}"
echo "Defaults:amnesia lecture_file=/usr/share/tails-greeter/no-password-lecture.txt" >> "${NO_PASSWORD_LECTURE}"
echo "Defaults:amnesia badpass_message=\"The administration password is disabled.\"" >> "${NO_PASSWORD_LECTURE}"
log_n_exit "Password variable not found."
fi
# Sets the password
echo "${LIVE_USERNAME}:${TAILS_USER_PASSWORD}" | chpasswd
# Add sudoers entry
echo "${LIVE_USERNAME} ALL = (ALL) ALL" >> "${SUDOERS}"
chmod 0440 "${SUDOERS}"
# Add PolKit config
echo "[Configuration]" > "${POLKIT}"
echo "AdminIdentities=unix-user:${LIVE_USERNAME}" >> "${POLKIT}"
# Configure su-to-root to use sudo
sudo -u "${LIVE_USERNAME}" sh -c "echo 'SU_TO_ROOT_SU=sudo' >> /home/${LIVE_USERNAME}/.su-to-rootrc"
log "Leaving PostLogin"
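Review bot: The `localectl set-locale` call ends with a trailing `\` on its `"LC_PAPER=${TAILS_FORMATS}.UTF-8"` line, so the next line, `# Save keyboard settings ...`, is joined to the command and only survives because it starts with `#`; any edit that moves that comment would hand the following `cat` redirection to localectl, so the backslash should be dropped. The Input header lists `$TAILS_MACSPOOF_ENABLED` from `tails.physical_security`, which this script never sources, and omits `$TAILS_FORMATS`, which it does use; it should match what is actually read. Because the script runs as root and sources `/var/lib/gdm3/tails.locale` and `tails.password` as shell code, the writer of those files is trusted with root; a comment above the `.` lines stating the expected owner and mode of those files (or parsing them as key=value instead of sourcing) would make that trust boundary explicit. Finally, `force_set` and `grep_n_set` are defined but never called in this file, so they look like dead code unless something else sources this script.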
[Manage user accounts]
Identity=unix-user:Debian-gdm
Action=org.freedesktop.accounts.user-administration
ResultAny=no
ResultInactive=no
ResultActive=yes
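Review bot: This new rule grants the `Debian-gdm` account `org.freedesktop.accounts.user-administration` for every active session without recording why the greeter needs account-administration rights, which is the one fact a future reviewer needs to judge whether the grant can be narrowed or dropped. A leading comment such as `# <reason tails-greeter needs to manage user accounts — fill in>` would capture that, assuming the keyfile parser accepts `#` comments as it does elsewhere. The restriction to active sessions (`ResultAny=no`, `ResultInactive=no`) is the right scoping.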
# XXX: Stretch -- the seahorse associations in here fix:
# The seahorse associations in here fix:
# - https://bugs.freedesktop.org/show_bug.cgi?id=93656
# aka. https://gitlab.freedesktop.org/xdg/shared-mime-info/issues/39
# aka. https://bugs.freedesktop.org/show_bug.cgi?id=93656
# aka. https://bugs.debian.org/913550
# - Tails#10889
# - Tails#10571
# - Tails#10943
...