Commit 6deb72fd authored by Tails developers's avatar Tails developers

Merge remote-tracking branch 'origin/testing' into stable

parents de98b2e0 28a8dc96
......@@ -49,3 +49,6 @@
# Files generated during the test suite
/features/misc_files/video.mp4
# The test suite's local configuration file
/features/config/local.yml
......@@ -34,7 +34,7 @@ VAGRANT_PATH = File.expand_path('../vagrant', __FILE__)
STABLE_BRANCH_NAMES = ['stable', 'testing']
# Environment variables that will be exported to the build script
EXPORTED_VARIABLES = ['http_proxy', 'MKSQUASHFS_OPTIONS', 'TAILS_RAM_BUILD', 'TAILS_CLEAN_BUILD', 'TAILS_BOOTSTRAP_CACHE']
EXPORTED_VARIABLES = ['http_proxy', 'MKSQUASHFS_OPTIONS', 'TAILS_RAM_BUILD', 'TAILS_CLEAN_BUILD']
# Let's save the http_proxy set before playing with it
EXTERNAL_HTTP_PROXY = ENV['http_proxy']
......@@ -167,10 +167,6 @@ task :parse_build_options do
when 'noram'
ENV['TAILS_RAM_BUILD'] = nil
# Bootstrap cache settings
when 'cache'
ENV['TAILS_BOOTSTRAP_CACHE'] = '1'
when 'nocache'
ENV['TAILS_BOOTSTRAP_CACHE'] = nil
# HTTP proxy settings
when 'extproxy'
abort "No HTTP proxy set, but one is required by TAILS_BUILD_OPTIONS. Aborting." unless EXTERNAL_HTTP_PROXY
......
......@@ -11,6 +11,14 @@ fatal () {
exit 1
}
syslinux_utils_upstream_version () {
dpkg-query -W -f='${Version}\n' syslinux-utils | \
# drop epoch
sed -e 's,.*:,,' | \
# drop +dfsg and everything that follows
sed -e 's,\+dfsg.*,,'
}
### Main
# we require building from git
......@@ -98,6 +106,16 @@ case "$LB_BINARY_IMAGES" in
iso)
BUILD_FILENAME_EXT=iso
BUILD_FILENAME=binary
which isohybrid >/dev/null || fatal 'Cannot find isohybrid in $PATH'
installed_syslinux_utils_upstream_version="$(syslinux_utils_upstream_version)"
if dpkg --compare-versions \
"$installed_syslinux_utils_upstream_version" \
'lt' \
"$REQUIRED_SYSLINUX_UTILS_UPSTREAM_VERSION" ; then
fatal \
"syslinux-utils '${installed_syslinux_utils_upstream_version}' is installed, " \
"while we need at least '${REQUIRED_SYSLINUX_UTILS_UPSTREAM_VERSION}'."
fi
;;
iso-hybrid)
BUILD_FILENAME_EXT=iso
......@@ -124,13 +142,18 @@ BUILD_END_FILENAME="${BUILD_DEST_FILENAME}.end.timestamp"
echo "Building $LB_BINARY_IMAGES image ${BUILD_BASENAME}..."
set -o pipefail
date --utc '+%s' > "$BUILD_START_FILENAME"
[ -z "$JENKINS_URL" ] || date --utc '+%s' > "$BUILD_START_FILENAME"
time eatmydata lb build noauto ${@} 2>&1 | tee "${BUILD_LOG}"
RET=$?
if [ -e "${BUILD_FILENAME}.${BUILD_FILENAME_EXT}" ]; then
if [ "$RET" -eq 0 ]; then
date --utc '+%s' > "$BUILD_END_FILENAME"
[ -z "$JENKINS_URL" ] || date --utc '+%s' > "$BUILD_END_FILENAME"
echo "Image was successfully created"
if [ "$LB_BINARY_IMAGES" = iso ]; then
echo "Hybriding it..."
isohybrid $AMNESIA_ISOHYBRID_OPTS \
"${BUILD_FILENAME}.${BUILD_FILENAME_EXT}"
fi
else
echo "Warning: image created, but lb build exited with code $RET"
fi
......
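Review bot: The syslinux-utils version gate in the `iso)` branch fails open when `REQUIRED_SYSLINUX_UTILS_UPSTREAM_VERSION` is unset or empty, because `dpkg --compare-versions` treats an empty version as earlier than any other, so the `lt` test is false and the build continues with whatever isohybrid is installed. The variable appears to be set in a separate config file (shown further down this page), so a guard right before the comparison would make that dependency explicit: `[ -n "$REQUIRED_SYSLINUX_UTILS_UPSTREAM_VERSION" ] || fatal 'REQUIRED_SYSLINUX_UTILS_UPSTREAM_VERSION is not set'`. The error text is also passed to `fatal` as two separate arguments; the body of `fatal` starts outside its hunk, so please confirm it prints all of its arguments rather than only `$1`.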
......@@ -15,6 +15,12 @@
# need to set block.events_dfl_poll_msecs
AMNESIA_APPEND="live-media=removable apparmor=1 security=apparmor nopersistent noprompt timezone=Etc/UTC block.events_dfl_poll_msecs=1000 splash noautologin module=Tails"
# Options passed to isohybrid
AMNESIA_ISOHYBRID_OPTS="-h 255 -s 63"
# Minimal upstream version of syslinux-utils we need
REQUIRED_SYSLINUX_UTILS_UPSTREAM_VERSION="6.03~pre20"
### You should not have to change anything bellow this line ####################
# sanity checks
......@@ -32,4 +38,4 @@ AMNESIA_FULL_VERSION="${AMNESIA_VERSION} - ${AMNESIA_TODAY}"
# Developpers' data used by git-dch, debcommit and friends in the release script
AMNESIA_DEV_FULLNAME='Tails developers'
AMNESIA_DEV_EMAIL="tails@boum.org"
AMNESIA_DEV_KEYID="BE2CD9C1"
AMNESIA_DEV_KEYID="0D24 B36A A9A2 A651 7878 7645 1202 821C BE2C D9C1"
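Review bot: The full fingerprint in `AMNESIA_DEV_KEYID` is written with embedded spaces, so any consumer that expands the variable unquoted will hand ten separate words to the signing tool instead of one key identifier. The consumers (the comment names git-dch and debcommit in the release script) are not on this page, so their quoting cannot be checked here. Storing the value without spaces, `AMNESIA_DEV_KEYID="0D24B36AA9A2A651787876451202821CBE2CD9C1"`, keeps the collision resistance of the full fingerprint and removes the quoting dependency. The page prints both values without markers, so this assumes the long form is the new one.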
......@@ -41,15 +41,14 @@ cp "$CHROOT_SYSLINUX_BIN" "$LINUX_BINARY_UTILS_DIR/"
cp "$CHROOT_SYSLINUX_MBR" "$BINARY_MBR_DIR/mbr.bin"
cat chroot/etc/apt/sources.list chroot/etc/apt/sources.list.d/*.list \
| grep --extended-regexp --line-regexp --invert-match \
'deb\s+file:/root/local-packages\s+\./' \
| sed --regexp-extended -e 's,^deb(\s+),deb-src\1,' \
> "$CHROOT_TEMP_APT_SOURCES"
mv chroot/etc/apt/apt.conf.d/{,.}0000runtime-proxy
Chroot chroot apt-get --yes update
Chroot chroot apt-get --yes install dpkg-dev
Chroot chroot apt-get source syslinux="$(syslinux_deb_version_in_chroot)"
cp chroot/syslinux-*/bios/win32/syslinux.exe "$WIN32_BINARY_UTILS_DIR/"
rm -r chroot/syslinux*
rm "$CHROOT_TEMP_APT_SOURCES"
mv chroot/etc/apt/apt.conf.d/{.,}0000runtime-proxy
Chroot chroot apt-get --yes update
Chroot chroot apt-get --yes purge dpkg-dev make # dpkg-dev depends on make
This diff is collapsed.
......@@ -26,10 +26,22 @@ Package: cryptsetup-bin
Pin: release o=Debian Backports,n=wheezy-backports
Pin-Priority: 999
Package: electrum
Pin: release o=Debian Backports,n=wheezy-backports
Pin-Priority: 999
Package: florence
Pin: release o=Debian Backports,n=wheezy-backports
Pin-Priority: 999
Package: gnupg-agent
Pin: release o=Debian Backports,n=wheezy-backports
Pin-Priority: 999
Package: gnupg2
Pin: release o=Debian Backports,n=wheezy-backports
Pin-Priority: 999
Package: hopenpgp-tools
Pin: release o=Debian,n=jessie
Pin-Priority: 999
......@@ -110,6 +122,10 @@ Package: iucode-tool
Pin: release o=Debian Backports,n=wheezy-backports
Pin-Priority: 999
Package: keyringer
Pin: release o=Debian,n=jessie
Pin-Priority: 999
Package: libcryptsetup4
Pin: release o=Debian Backports,n=wheezy-backports
Pin-Priority: 999
......@@ -186,46 +202,58 @@ Package: monkeysign
Pin: release o=Debian Backports,n=wheezy-backports
Pin-Priority: 999
Package: seahorse-nautilus
Package: obfs4proxy
Pin: release o=TorProject,n=obfs4proxy
Pin-Priority: 990
Package: python-six
Pin: release o=Debian Backports,n=wheezy-backports
Pin-Priority: 999
Package: shared-mime-info
Package: python-slowaes
Pin: release o=Debian Backports,n=wheezy-backports
Pin-Priority: 999
Package: tor
Pin: release o=TorProject,n=wheezy
Package: python-ecdsa
Pin: release o=Debian Backports,n=wheezy-backports
Pin-Priority: 999
Package: virtualbox-guest-dkms
Package: python-electrum
Pin: release o=Debian Backports,n=wheezy-backports
Pin-Priority: 999
Package: virtualbox-guest-utils
Package: scdaemon
Pin: release o=Debian Backports,n=wheezy-backports
Pin-Priority: 999
Package: virtualbox-guest-x11
Package: seahorse-nautilus
Pin: release o=Debian Backports,n=wheezy-backports
Pin-Priority: 999
Package: tor-geoipdb
Pin: release o=TorProject,n=wheezy
Package: shared-mime-info
Pin: release o=Debian Backports,n=wheezy-backports
Pin-Priority: 999
Package: ttdnsd
Pin: release o=TorProject,a=unstable
Package: torsocks
Pin: release o=Debian Backports,n=wheezy-backports
Pin-Priority: 999
Package: xul-ext-https-everywhere
Pin: release o=Debian,a=unstable
Package: virtualbox-guest-dkms
Pin: release o=Debian Backports,n=wheezy-backports
Pin-Priority: 999
Package: virtualbox-guest-utils
Pin: release o=Debian Backports,n=wheezy-backports
Pin-Priority: 999
Package: xul-ext-noscript
Package: virtualbox-guest-x11
Pin: release o=Debian Backports,n=wheezy-backports
Pin-Priority: 999
Package: ttdnsd
Pin: release o=TorProject,a=unstable
Pin-Priority: 999
Explanation: weirdness in chroot_apt install-binary
Package: *
Pin: release o=chroot_local-packages
......
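Review bot: The `obfs4proxy` stanza uses `Pin-Priority: 990` while every other package stanza visible in this section uses 999, and nothing in the file says whether the difference is deliberate. Both values fall in the same APT priority band, so the effect is probably identical, but a lone outlier in the file that decides which origin supplies security-sensitive packages invites a wrong guess later. Either align it to 999 or document it with an `Explanation:` line in the stanza, as the `chroot_local-packages` entry at the end of the section already does. The rendered page interleaves old and new stanzas without markers, so this assumes the `obfs4proxy` entry is on the new side.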
......@@ -42,7 +42,7 @@ download_and_verify_files() {
}
install_tor_browser() {
local bundle destination tmp prep
local bundle destination tmp prep torbutton_xpi_path
bundle="${1}"
destination="${2}"
......@@ -75,7 +75,14 @@ install_tor_browser() {
# Remove TBB's torbutton since the "Tor test" will fail and about:tor
# will report an error. We'll install our own Torbutton later, which
# has the extensions.torbutton.test_enabled boolean pref as a workaround.
rm "${prep}/TorBrowser/Data/Browser/profile.default/extensions/torbutton@torproject.org.xpi"
torbutton_xpi_path="${prep}/TorBrowser/Data/Browser/profile.default/extensions/torbutton@torproject.org.xpi"
TORBUTTON_BUNDLED_VERSION="$(7z e -so ${torbutton_xpi_path} install.rdf | \
sed -n 's,^ <em:version>\([0-9\.]\+\)</em:version>,\1,p')"
if [ -z "${TORBUTTON_BUNDLED_VERSION}" ]; then
echo "Couldn't extract Torbutton's bundled version" >&2
exit 1
fi
rm "${torbutton_xpi_path}"
# The Tor Browser will fail, complaining about an incomplete profile,
# unless there's a readable TorBrowser/Data/Browser/Caches
......@@ -207,9 +214,22 @@ FAKE_ICEWEASEL_VERSION=${FIREFOX_VERSION}+fake1
install_fake_iceweasel_pkg "${FAKE_ICEWEASEL_VERSION}"
install_debian_extensions "${TBB_EXT}" ${DEBIAN_EXT_PKGS}
# Make sure that we have installed a Torbutton based on the same
# version as the one bundled with the Tor Browser
TORBUTTON_VERSION="$(dpkg -s xul-ext-torbutton | \
sed -n 's/^Version: \(.*\)-[0-9]\+$/\1/p')"
if [ "${TORBUTTON_VERSION}" != "${TORBUTTON_BUNDLED_VERSION}" ]; then
echo "We have installed a Torbutton based on version '${TORBUTTON_VERSION}' but the version bundled with the Tor Browser is version '${TORBUTTON_BUNDLED_VERSION}'" >&2
exit 1
fi
mkdir -p "${TBB_PROFILE}"
create_default_profile "${TBB_INSTALL}"/TorBrowser/Data/Browser/profile.default "${TBB_EXT}" "${TBB_PROFILE}"
# Create a copy of the Firefox binary, for use e.g. by Tor Launcher.
# It won't be subject to AppArmor confinement.
cp -a "${TBB_INSTALL}/firefox" "${TBB_INSTALL}/firefox-unconfined"
chown -R root:root "${TBB_INSTALL}" "${TBB_PROFILE}" "${TBB_EXT}"
chmod -R a+rX "${TBB_INSTALL}" "${TBB_PROFILE}" "${TBB_EXT}"
......
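Review bot: The `firefox-unconfined` copy created near the end of the script gets the same `chmod -R a+rX` as the rest of `${TBB_INSTALL}`, so every local user can execute a browser binary that, per its own comment, is not subject to AppArmor confinement. The comment names Tor Launcher only as an example ("e.g."), which leaves the set of intended callers open. I would expand the comment to list the callers allowed to use this path and why each needs to run unconfined, so that a later change which points the unconfined copy at network-facing content is caught in review. Separately, in the `install_tor_browser` hunk `${torbutton_xpi_path}` is unquoted in the `7z e -so` call although it is quoted in the `rm` that follows; `7z e -so "${torbutton_xpi_path}" install.rdf` would be consistent.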
#!/bin/sh
set -e
echo "Installing AppArmor profile for Tor Browser"
PATCH='/usr/share/tails/torbrowser-AppArmor-profile.patch'
PROFILE='/etc/apparmor.d/torbrowser'
### Functions
toggle_src_APT_sources() {
MODE="$1"
TEMP_APT_SOURCES='/etc/apt/sources.list.d/tmp-deb-src.list'
case "$MODE" in
on)
cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list \
| sed --regexp-extended -e 's,^deb(\s+),deb-src\1,' \
> "$TEMP_APT_SOURCES"
;;
off)
rm "$TEMP_APT_SOURCES"
;;
esac
apt-get --yes update
}
install_torbrowser_AppArmor_profile() {
tmpdir="$(mktemp -d)"
(
cd "$tmpdir"
apt-get source torbrowser-launcher/testing
install -m 0644 \
torbrowser-launcher-*/apparmor/torbrowser.Browser.firefox \
"$PROFILE"
)
rm -r "$tmpdir"
}
### Main
toggle_src_APT_sources on
install_torbrowser_AppArmor_profile
toggle_src_APT_sources off
patch --forward --batch "$PROFILE" < "$PATCH"
rm "$PATCH"
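Review bot: `install_torbrowser_AppArmor_profile` takes the profile from whichever `torbrowser-launcher` source version the testing suite carries at build time, and the final `patch --forward --batch` runs with patch's default fuzz. An upstream change to the profile can therefore be patched inexactly and still give a successful build with a confinement policy nobody reviewed. Running it with zero fuzz makes such drift fail the build: `patch --forward --batch --fuzz=0 "$PROFILE" < "$PATCH"`. Also, `toggle_src_APT_sources` has no `*)` arm, so an unexpected mode argument silently falls through to `apt-get --yes update`; adding `*) echo "unknown mode: $MODE" >&2; exit 1 ;;` would close that.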
#!/bin/sh
set -e
echo "Moving IBus Unikey binaries to /usr/lib/ibus/"
# Workaround Debian bug #714932 -- we can't just dpkg-divert it, since
# the original path is hardcoded in these binaries.
for infix in engine setup ; do
orig="/usr/lib/ibus-unikey/ibus-$infix-unikey"
dest="/usr/lib/ibus/ibus-$infix-unikey"
ln -s "$orig" "$dest"
done
# Adjust path to the binary in unikey.xml
sed -i -e \
's,/usr/lib/ibus-unikey/ibus-engine-unikey,/usr/lib/ibus/ibus-engine-unikey,' \
/usr/share/ibus/component/unikey.xml
......@@ -24,7 +24,6 @@ laptop-mode
memlockd
network-manager
plymouth
polipo
pulseaudio
resolvconf
saned
......
#!/bin/sh
set -e
echo "Configuring the runtime APT proxy"
cat > /etc/apt/apt.conf.d/0000runtime-proxy <<EOF
// Proxy through Polipo to torify outgoing APT HTTP connections.
// This setting must be overriden at build time by live-build's
// 00http-proxy configuration file.
// That's why it is created in a chroot local hook.
Acquire::http::Proxy "http://127.0.0.1:8118/";
EOF
......@@ -17,7 +17,7 @@ fi
. /usr/local/lib/tails-shell-library/tor.sh
# Import tails_netconf()
. /usr/local/lib/tails-shell-library/tails_greeter.sh
. /usr/local/lib/tails-shell-library/tails-greeter.sh
# It's safest that Tor is not running when messing with its logs.
service tor stop
......
......@@ -14,7 +14,7 @@
. /usr/local/lib/tails-shell-library/tor.sh
# Import tails_netconf()
. /usr/local/lib/tails-shell-library/tails_greeter.sh
. /usr/local/lib/tails-shell-library/tails-greeter.sh
### Init variables
......
......@@ -3,8 +3,11 @@
# I2P isn't started automatically at system boot.
# Instead, it is started with this hook script.
# Import i2p_is_enabled().
. /usr/local/lib/tails-shell-library/i2p.sh
# Don't even try to run this script if I2P is not enabled.
grep -qw "i2p" /proc/cmdline || exit 0
i2p_is_enabled || exit 0
# don't run if interface is 'lo'
[ $1 = "lo" ] && exit 0
......
......@@ -16,23 +16,28 @@
# Deside order in which input methods are preferred
# (chinese needs pinyin, japanese needs anthy, korean needs hangul)
# (chinese needs pinyin, japanese needs anthy, korean needs hangul,
# vietnamese needs Unikey)
# (bopomofo is an alternative input method for chinese)
LANGPREFIX=`echo "$LANG" | sed 's/_.*//'`
PREFLIST='[pinyin,anthy,hangul,bopomofo]'
PREFLIST='[pinyin,anthy,hangul,Unikey,bopomofo]'
NEEDIBUS='n'
case "$LANGPREFIX" in
ja)
PREFLIST='[anthy,pinyin,hangul,bopomofo]'
PREFLIST='[anthy,pinyin,hangul,Unikey,bopomofo]'
NEEDIBUS='y'
;;
ko)
PREFLIST='[hangul,pinyin,anthy,bopomofo]'
PREFLIST='[hangul,pinyin,anthy,Unikey,bopomofo]'
NEEDIBUS='y'
;;
vi)
PREFLIST='[Unikey,pinyin,anthy,hangul,bopomofo]'
NEEDIBUS='y'
;;
zh)
PREFLIST='[pinyin,bopomofo,anthy,hangul]'
PREFLIST='[pinyin,bopomofo,anthy,hangul,Unikey]'
NEEDIBUS='y'
;;
esac
......
# Use PulseAudio by default
pcm.!default {
type pulse
fallback "sysdefault"
hint {
show on
description "Default ALSA Output (currently PulseAudio Sound Server)"
}
}
ctl.!default {
type pulse
fallback "sysdefault"
}
# vim:set ft=alsaconf:
......@@ -51,6 +51,12 @@ create-backup-copy = false
[org/gnome/nautilus/desktop]
volumes-visible = false
[org/gnome/settings-daemon/peripherals/touchpad]
disable-while-typing = true
horiz-scroll-enabled = false
scroll-method = 'two-finger-scrolling'
tap-to-click = true
[org/gnome/settings-daemon/plugins/power]
button-hibernate = 'shutdown'
button-power = 'shutdown'
......
http_proxy=http://127.0.0.1:8118
HTTP_PROXY=http://127.0.0.1:8118
https_proxy=http://127.0.0.1:8118
HTTPS_PROXY=http://127.0.0.1:8118
SOCKS_SERVER=127.0.0.1:9050
SOCKS5_SERVER=127.0.0.1:9050
......@@ -12,7 +8,5 @@ TOR_CONTROL_HOST='127.0.0.1'
TOR_CONTROL_PORT='9052'
TOR_CONTROL_PASSWD='passwd'
GIT_PROXY_COMMAND=/usr/local/bin/connect-socks
# Port that the monkeysphere validation agent listens on
MSVA_PORT='6136'
......@@ -80,12 +80,6 @@ domain ip {
mod owner uid-owner amnesia ACCEPT;
}
# White-list access to polipo
daddr 127.0.0.1 proto tcp syn dport 8118 {
mod owner uid-owner root ACCEPT;
mod owner uid-owner amnesia ACCEPT;
}
# White-list access to I2P services for the amnesia user (IRC, SAM, POP3, SMTP, and Monotone)
# For more information, see https://tails/boum.org/contribute/design/I2P and https://geti2p.net/ports
daddr 127.0.0.1 proto tcp syn mod multiport destination-ports (6668 7656 7659 7660 8998) {
......