Remove all traces of Polipo: we don't use it anymore (Closes: #5379, #6115).

70c2c590 · Tails developers · 5100f350 · 70c2c590 · 70c2c590 · 70c2c590
Commit 70c2c590 authored Nov 03, 2014 by Tails developers
--- a/config/binary_rootfs/squashfs.sort
+++ b/config/binary_rootfs/squashfs.sort
@@ -849,7 +849,6 @@ sbin/startpar                                                        31635
 etc/init.d/.depend.start                                             31634
 etc/init.d/rsyslog                                                   31633
 etc/init.d/motd                                                      31632
-etc/init.d/polipo                                                    31631
 etc/init.d/sudo                                                      31630
 etc/default/rsyslog                                                  31629
 etc/init.d/tails-set-wireless-devices-state                          31628
@@ -860,18 +859,14 @@ etc/init.d/virtualbox-guest-utils                                    31624
 etc/init.d/open-vm-tools                                             31623
 usr/bin/vmware-checkvm                                               31621
 usr/lib/libvmtools.so.0.0.0                                          31620
-usr/lib/polipo/polipo-control                                        31619
 sbin/start-stop-daemon                                               31618
 usr/lib/i386-linux-gnu/libicui18n.so.48.1.1                          31617
 usr/sbin/rsyslogd                                                    31616
-usr/bin/polipo                                                       31615
 usr/local/bin/tails-get-bootinfo                                     31614
-etc/polipo/config                                                    31613
 etc/memlockd.cfg                                                     31612
 usr/local/bin/tails-boot-to-kexec                                    31611
 usr/local/sbin/tails-set-wireless-devices-state                      31610
 usr/local/sbin/tor-controlport-filter                                31609
-etc/polipo/forbidden                                                 31608
 etc/default/kexec                                                    31607
 usr/sbin/rfkill                                                      31606
 usr/lib/python2.7/socket.py                                          31605

--- a/config/chroot_local-hooks/52-update-rc.d
+++ b/config/chroot_local-hooks/52-update-rc.d
@@ -24,7 +24,6 @@ laptop-mode
 memlockd
 network-manager
 plymouth
-polipo
 pulseaudio
 resolvconf
 saned

--- a/config/chroot_local-includes/etc/environment
+++ b/config/chroot_local-includes/etc/environment
-http_proxy=http://127.0.0.1:8118
-HTTP_PROXY=http://127.0.0.1:8118
-https_proxy=http://127.0.0.1:8118
-HTTPS_PROXY=http://127.0.0.1:8118
 SOCKS_SERVER=127.0.0.1:9050
 SOCKS5_SERVER=127.0.0.1:9050


--- a/config/chroot_local-includes/etc/ferm/ferm.conf
+++ b/config/chroot_local-includes/etc/ferm/ferm.conf
@@ -80,12 +80,6 @@ domain ip {
                    mod owner uid-owner amnesia ACCEPT;
                }

-                # White-list access to polipo
-                daddr 127.0.0.1 proto tcp syn dport 8118 {
-                    mod owner uid-owner root ACCEPT;
-                    mod owner uid-owner amnesia ACCEPT;
-                }
-
                # White-list access to I2P services for the amnesia user (IRC, SAM, POP3, SMTP, and Monotone)
                # For more information, see https://tails/boum.org/contribute/design/I2P and https://geti2p.net/ports
                daddr 127.0.0.1 proto tcp syn mod multiport destination-ports (6668 7656 7659 7660 8998) {

--- a/config/chroot_local-includes/etc/polipo/config
+++ b/config/chroot_local-includes/etc/polipo/config
-# Sample configuration file for Polipo. -*-sh-*-
-
-# You should not need to edit this configuration file; all configuration
-# variables have reasonable defaults.
-
-# This file only contains some of the configuration variables; see the
-# list given by ``polipo -v'' and the manual for more.
-
-
-### Basic configuration
-### *******************
-
-# Uncomment one of these if you want to allow remote clients to
-# connect:
-
-# proxyAddress = "::0"        # both IPv4 and IPv6
-# proxyAddress = "0.0.0.0"    # IPv4 only
-
-proxyAddress = "127.0.0.1"
-proxyPort = 8118
-
-# If you are enabling 'proxyAddress' above, then you want to enable the
-# 'allowedClients' variable to the address of your network, e.g.
-# allowedClients = 127.0.0.1, 192.168.42.0/24
-                                            
-allowedClients = 127.0.0.1
-allowedPorts = 1-65535
-
-# Uncomment this if you want your Polipo to identify itself by
-# something else than the host name:
-
-proxyName = "localhost"
-
-# Uncomment this if there's only one user using this instance of Polipo:
-
-cacheIsShared = false
-
-# Uncomment this if you want to use a parent proxy:
-
-# parentProxy = "squid.example.org:3128"
-
-# Uncomment this if you want to use a parent SOCKS proxy:
-
-socksParentProxy = "127.0.0.1:9050"
-socksProxyType = socks5
-
-
-### Memory
-### ******
-
-# Uncomment this if you want Polipo to use a ridiculously small amount
-# of memory (a hundred C-64 worth or so):
-
-# chunkHighMark = 819200
-# objectHighMark = 128
-
-# Uncomment this if you've got plenty of memory:
-
-# chunkHighMark = 50331648
-# objectHighMark = 16384
-
-chunkHighMark = 67108864
-
-### On-disk data
-### ************
-
-# Uncomment this if you want to disable the on-disk cache:
-
-diskCacheRoot = ""
-
-# Uncomment this if you want to put the on-disk cache in a
-# non-standard location:
-
-# diskCacheRoot = "~/.polipo-cache/"
-
-# Uncomment this if you want to disable the local web server:
-
-localDocumentRoot = ""
-
-# Uncomment this if you want to enable the pages under /polipo/index?
-# and /polipo/servers?.  This is a serious privacy leak if your proxy
-# is shared.
-
-# disableIndexing = false
-# disableServersList = false
-
-disableLocalInterface = true
-disableConfiguration = true
-
-### Domain Name System
-### ******************
-
-# Uncomment this if you want to contact IPv4 hosts only (and make DNS
-# queries somewhat faster):
-#
-# dnsQueryIPv6 = no
-
-# Uncomment this if you want Polipo to prefer IPv4 to IPv6 for
-# double-stack hosts:
-#
-# dnsQueryIPv6 = reluctantly
-
-# Uncomment this to disable Polipo's DNS resolver and use the system's
-# default resolver instead.  If you do that, Polipo will freeze during
-# every DNS query:
-
-dnsUseGethostbyname = yes
-
-
-### HTTP
-### ****
-
-# Uncomment this if you want to enable detection of proxy loops.
-# This will cause your hostname (or whatever you put into proxyName
-# above) to be included in every request:
-
-disableVia = true
-
-# Uncomment this if you want to slightly reduce the amount of
-# information that you leak about yourself:
-
-censoredHeaders = from,accept-language,x-pad,link
-censorReferer = maybe
-
-# Uncomment this if you're paranoid.  This will break a lot of sites,
-# though:
-
-# censoredHeaders = set-cookie, cookie, cookie2, from, accept-language
-# censorReferer = true
-
-# Uncomment this if you want to use Poor Man's Multiplexing; increase
-# the sizes if you're on a fast line.  They should each amount to a few
-# seconds' worth of transfer; if pmmSize is small, you'll want
-# pmmFirstSize to be larger.
-
-# Note that PMM is somewhat unreliable.
-
-# pmmFirstSize = 16384
-# pmmSize = 8192
-
-# Uncomment this if your user-agent does something reasonable with
-# Warning headers (most don't):
-
-# relaxTransparency = maybe
-
-# Uncomment this if you never want to revalidate instances for which
-# data is available (this is not a good idea):
-
-# relaxTransparency = yes
-
-# Uncomment this if you have no network:
-
-# proxyOffline = yes
-
-# Uncomment this if you want to avoid revalidating instances with a
-# Vary header (this is not a good idea):
-
-# mindlesslyCacheVary = true
-
-# Suggestions from Incognito configuration
-maxConnectionAge = 5m
-maxConnectionRequests = 120
-serverMaxSlots = 8
-serverSlots = 2
-tunnelAllowedPorts = 1-65535
--- a/config/chroot_local-includes/etc/tor-browser/profile/preferences/0000tails.js
+++ b/config/chroot_local-includes/etc/tor-browser/profile/preferences/0000tails.js
 // As suggested in TBB's start-tor-browser script for system-wide Tor
 // instances
-pref("extensions.torbutton.banned_ports", "631,6136,4444,4445,6668,7656,7657,7658,7659,7660,8998,8118,9040,9050,9061,9062,9150,9052");
+pref("extensions.torbutton.banned_ports", "631,6136,4444,4445,6668,7656,7657,7658,7659,7660,8998,9040,9050,9061,9062,9150,9052");
 pref("extensions.torbutton.custom.socks_host", "127.0.0.1");
 pref("extensions.torbutton.custom.socks_port", 9150);
 pref("extensions.torbutton.launch_warning",  false);

--- a/config/chroot_local-includes/usr/local/sbin/do_not_ever_run_me
+++ b/config/chroot_local-includes/usr/local/sbin/do_not_ever_run_me
@@ -37,9 +37,3 @@ $IP6T -F
 $IP6T -P INPUT ACCEPT
 $IP6T -P FORWARD ACCEPT
 $IP6T -P OUTPUT ACCEPT
-
-echo "You might want to unset http_proxy and HTTP_PROXY environment variables as well:"
-echo "  unset http_proxy"
-echo "  unset https_proxy"
-echo "  unset HTTP_PROXY"
-echo "  unset HTTPS_PROXY"
--- a/config/chroot_local-packageslists/tails-common.list
+++ b/config/chroot_local-packageslists/tails-common.list
@@ -200,7 +200,6 @@ pinentry-gtk2
 pitivi
 plymouth
 poedit
-polipo
 ppp
 pulseaudio
 pwgen

--- a/config/chroot_local-patches/keep_polipo_on_shutdown.diff
+++ b/config/chroot_local-patches/keep_polipo_on_shutdown.diff
-Tails specific: no need to stop properly on shutdown.
-
--- chroot.orig/etc/init.d/polipo	2012-09-24 10:05:13.173051981 +0200
-+++ chroot/etc/init.d/polipo	2012-09-24 10:47:23.717869294 +0200
-@@ -7,1 +7,1 @@
-# Default-Stop:      0 1 6
-+# Default-Stop:
--- a/features/step_definitions/unsafe_browser.rb
+++ b/features/step_definitions/unsafe_browser.rb
@@ -100,18 +100,13 @@ Then /^I cannot configure the Unsafe Browser to use any local proxies$/ do
 #  @screen.waitVanish('UnsafeBrowserPreferences.png', 10)
  sleep 0.5

-  http_proxy  = 'x' # Alt+x is the shortcut to select http proxy
  socks_proxy = 'c' # Alt+c for socks proxy
  no_proxy    = 'y' # Alt+y for no proxy

-  # Note: the loop below depends on that http_proxy is done after any
-  # other proxy types since it will set "Use this proxy server for all
-  # protocols", which will make the other proxy types unselectable.
  proxies = [[socks_proxy, 9050],
             [socks_proxy, 9061],
             [socks_proxy, 9062],
             [socks_proxy, 9150],
-             [http_proxy,  8118],
             [no_proxy,       0]]

  proxies.each do |proxy|
@@ -132,8 +127,6 @@ Then /^I cannot configure the Unsafe Browser to use any local proxies$/ do
    # Configure the proxy
    @screen.type(proxy_type, Sikuli::KeyModifier.ALT)  # Select correct proxy type
    @screen.type("127.0.0.1" + Sikuli::Key.TAB + "#{proxy_port}") if proxy_type != no_proxy
-    # For http proxy we set "Use this proxy server for all protocols"
-    @screen.type("s", Sikuli::KeyModifier.ALT) if proxy_type == http_proxy

    # Close settings
    @screen.type(Sikuli::Key.ENTER)

--- a/wiki/src/contribute/design.mdwn
+++ b/wiki/src/contribute/design.mdwn
@@ -675,7 +675,7 @@ Critical parts of the configuration are based on the ones from
 well-known and trusted sources, namely Tails ancestor
 [Incognito](http://www.browseanonymouslyanywhere.com/incognito/)
 and the [Tor BrowserBundle](https://www.torproject.org/projects/torbrowser.html.en).
-This is for example the case for the firewall, polipo and Tor configurations.
+This is for example the case for the firewall and Tor configurations.

 **NOTICE**: this distribution is provided as-is with no warranty of
 fitness for a particular purpose, including total anonymity. Anonymity
@@ -715,8 +715,6 @@ extension).
  that the Debian distribution does not provide or endorse Tails.
 - [Tor](http://www.torproject.org/): anonymizing overlay network for
  TCP. Our intention is to always use the latest stable version.
- [polipo](http://www.pps.jussieu.fr/%7Ejch/software/polipo/):
-  Caching web proxy.
 - [Vidalia](https://www.torproject.org/projects/vidalia) is used
  to control Tor's behavior.

@@ -1218,7 +1216,7 @@ applications being exploited by attackers.

 We wrap `wget` with `torsocks`, after unsetting the `http_proxy`
 environment variable and friends, so that it talks directly to the Tor
-SOCKS port instead of going through Polipo.
+SOCKS port.

 - [[!tails_gitweb config/chroot_local-includes/usr/local/bin/wget]]


--- a/wiki/src/contribute/design/Tor_enforcement.mdwn
+++ b/wiki/src/contribute/design/Tor_enforcement.mdwn
@@ -10,11 +10,6 @@ DNS

 [[!inline pages="contribute/design/Tor_enforcement/DNS" raw=yes]]

-HTTP Proxy
-==========
-
-[[!inline pages="contribute/design/Tor_enforcement/Proxy" raw=yes]]
-
 Network filter
 ==============


--- a/wiki/src/contribute/design/Tor_enforcement/Network_filter.mdwn
+++ b/wiki/src/contribute/design/Tor_enforcement/Network_filter.mdwn
 One serious security issue is that we don't know what software will
 attempt to contact the network and whether their proxy settings are
-set up to use the Tor SOCKS proxy or polipo HTTP(s) proxy correctly.
+set up to use the Tor SOCKS proxy correctly.
 This is solved by blocking all outbound Internet traffic except Tor
 (and I2P when enabled), and explicitly configure all applications to use either of
 these.

--- a/wiki/src/contribute/design/Tor_enforcement/Proxy.mdwn
+++ b/wiki/src/contribute/design/Tor_enforcement/Proxy.mdwn
-Polipo provides with caching HTTP proxy functionality. It contacts the
-Tor software via SOCKS5 to make the real connections: [[!tails_gitweb
-config/chroot_local-includes/etc/polipo/config]].
-
-In case the firewall is buggy or not properly started, proxy settings
-are used as part of a defence in depth strategy:
-
- The standard `http_proxy` and `HTTP_PROXY` environment variables are
-  globally set in [[!tails_gitweb
-  config/chroot_local-includes/etc/environment]] to point to Polipo.
--- a/wiki/src/contribute/release_process/test.mdwn
+++ b/wiki/src/contribute/release_process/test.mdwn
@@ -140,12 +140,12 @@ tracked by tickets prefixed with `todo/test_suite:`.
 * Check that the firewall-level Tor enforcement is effective:
  - check output of `iptables -L -n -v`
  - check output of `iptables -t nat -L -n -v`
-  - try connecting to the Internet after unsetting `$http_proxy` and
-    `$HTTP_PROXY` using a piece of software that does not obey the
+  - try connecting to the Internet after unsetting `$SOCKS_SERVER` and
+    `$SOCKS5_SERVER` using a piece of software that does not obey the
    GNOME proxy settings, *and* is not explicitly torified in Tails:
    
-        	unset http_proxy ; unset HTTP_PROXY
-        	wget --no-proxy http://monip.org/
+        	unset SOCKS_SERVER ; unset SOCKS5_SERVER
+        	curl --noproxy '*' http://monip.org/
    
    ... should only give you "Connection refused" error message.
 * Check that IPv6 traffic is blocked:
@@ -268,14 +268,6 @@ the appropriate tcpdump or tshark filters.

 * Make sure other applications use the default system-wide
  `SocksPort`:
-  - Polipo — run:
-
-        wget https://tails.boum.org/
-
-    ... with the following command running in another terminal:
-
-        sudo watch -n 0.1 'netstat -taupen | grep polipo'
-
  - Gobby 0.5 — start Gobby 0.5 from the *Applications* menu and
    connect to a server (for example `gobby.debian.org`), with the following command running in
    another terminal: