Commit 8d4471a7 authored by sajolida's avatar sajolida

Merge remote-tracking branch 'origin/master' into web/11709-close-tails-support

parents 433172e4 90d68ee3
......@@ -46,7 +46,6 @@
/config/chroot_local-includes/usr/share/applications/tails-reboot.desktop
/config/chroot_local-includes/usr/share/applications/unsafe-browser.desktop
/config/chroot_local-includes/usr/share/applications/tails-shutdown.desktop
/config/chroot_local-includes/usr/share/applications/i2p-browser.desktop
/config/chroot_local-includes/usr/share/applications/tor-browser.desktop
/config/chroot_local-includes/usr/share/applications/tails-about.desktop
/config/chroot_local-includes/usr/share/desktop-directories/Tails.directory
......
wiki/src/contribute/how/code/HACKING.mdwn
\ No newline at end of file
......@@ -2,15 +2,12 @@
set -x
. "$(dirname $0)/scripts/utils.sh"
umask 022
### functions
fatal () {
echo "$*" >&2
exit 1
}
syslinux_utils_upstream_version () {
dpkg-query -W -f='${Version}\n' syslinux-utils | \
# drop epoch
......@@ -60,6 +57,7 @@ echo "POTFILES_DOT_IN='$(
# fix permissions on some source files that will be copied as is to the chroot.
# they may be wrong, e.g. if the Git repository was cloned with a strict umask.
chown 0:0 config/chroot_local-includes/etc/resolv.conf
chmod -R go+rX config/binary_local-includes/
chmod -R go+rX config/chroot_local-includes/etc
chmod 0440 config/chroot_local-includes/etc/sudoers.d/*
......@@ -90,7 +88,14 @@ DEBOOTSTRAP_OPTIONS="$DEBOOTSTRAP_OPTIONS --no-merged-usr"
DEBOOTSTRAP_GNUPG_HOMEDIR=$(mktemp -d)
gpg --homedir "$DEBOOTSTRAP_GNUPG_HOMEDIR" \
--import config/chroot_sources/tails.chroot.gpg
DEBOOTSTRAP_OPTIONS="$DEBOOTSTRAP_OPTIONS --keyring=$DEBOOTSTRAP_GNUPG_HOMEDIR/pubring.gpg"
if [ -e "$DEBOOTSTRAP_GNUPG_HOMEDIR/pubring.gpg" ]; then
DEBOOTSTRAP_GNUPG_KEYRING="$DEBOOTSTRAP_GNUPG_HOMEDIR/pubring.gpg"
elif [ -e "$DEBOOTSTRAP_GNUPG_HOMEDIR/pubring.kbx" ]; then
DEBOOTSTRAP_GNUPG_KEYRING="$DEBOOTSTRAP_GNUPG_HOMEDIR/pubring.kbx"
else
fatal "No debootstrap GnuPG keyring was created."
fi
DEBOOTSTRAP_OPTIONS="$DEBOOTSTRAP_OPTIONS --keyring=$DEBOOTSTRAP_GNUPG_KEYRING"
export DEBOOTSTRAP_OPTIONS
......@@ -101,15 +106,14 @@ export MKSQUASHFS_OPTIONS
# get git branch or tag so we can set the basename appropriately, i.e.:
# * if we build from a tag: tails-$ARCH-$TAG.iso
# * otherwise: tails-$ARCH-$BRANCH-$VERSION-$TIME-$COMMIT.iso
if GIT_REF="$(git symbolic-ref HEAD)"; then
GIT_BRANCH="${GIT_REF#refs/heads/}"
GIT_BRANCH="$(git_current_branch)"
if [ -n "${GIT_BRANCH}" ]; then
CLEAN_GIT_BRANCH=$(echo "$GIT_BRANCH" | sed 's,/,_,g')
GIT_SHORT_ID="$(git rev-parse --short HEAD)"
GIT_SHORT_ID="$(git_current_commit --short)"
BUILD_BASENAME="tails-${LB_ARCHITECTURE}-${CLEAN_GIT_BRANCH}-${AMNESIA_VERSION}-${AMNESIA_NOW}-${GIT_SHORT_ID}"
else
GIT_CURRENT_COMMIT="$(git rev-parse HEAD)"
if GIT_TAG="$(git describe --tags --exact-match ${GIT_CURRENT_COMMIT})"; then
CLEAN_GIT_TAG=$(echo "$GIT_TAG" | tr '/-' '_~')
if git_on_a_tag; then
CLEAN_GIT_TAG=$(git_current_tag | tr '/-' '_~')
BUILD_BASENAME="tails-${LB_ARCHITECTURE}-${CLEAN_GIT_TAG}"
else
# this shouldn't reasonably happen (e.g. only if you checkout a
......@@ -118,16 +122,14 @@ else
fi
fi
GIT_BASE_BRANCH=$(head -n1 config/base_branch) \
GIT_BASE_BRANCH=$(base_branch) \
|| fatal "GIT_BASE_BRANCH could not be guessed."
# Merge base branch into the branch being built, iff. we're building
# in Jenkins, and not building from a tag, and not building the base
# branch itself
if [ -n "$JENKINS_URL" ] && [ -z "$GIT_TAG" ] \
&& [ "$GIT_BRANCH" != "$GIT_BASE_BRANCH" ] ; then
GIT_BASE_BRANCH_COMMIT=$(git rev-parse "origin/${GIT_BASE_BRANCH}") \
|| fatal "Base branch's top commit could not be guessed."
if [ "${TAILS_MERGE_BASE_BRANCH}" = 1 ] && \
! git_on_a_tag && [ "$GIT_BRANCH" != "$GIT_BASE_BRANCH" ] ; then
GIT_BASE_BRANCH_COMMIT=$(git_base_branch_head)
[ -n "${GIT_BASE_BRANCH_COMMIT}" ] \
|| fatal "Base branch's top commit could not be guessed."
echo "Merging base branch origin/${GIT_BASE_BRANCH}"
echo "(at commit ${GIT_BASE_BRANCH_COMMIT})..."
......@@ -136,8 +138,9 @@ if [ -n "$JENKINS_URL" ] && [ -z "$GIT_TAG" ] \
# Adjust BUILD_BASENAME to embed the base branch name and its top commit
CLEAN_GIT_BASE_BRANCH=$(echo "$GIT_BASE_BRANCH" | sed 's,/,_,g')
GIT_BASE_BRANCH_SHORT_ID=$(git rev-parse --short "origin/${GIT_BASE_BRANCH}") \
|| fatal "Base branch's top commit short ID could not be guessed."
GIT_BASE_BRANCH_SHORT_ID=$(git_base_branch_head --short)
[ -n "${GIT_BASE_BRANCH_SHORT_ID}" ] \
|| fatal "Base branch's top commit short ID could not be guessed."
BUILD_BASENAME="${BUILD_BASENAME}+${CLEAN_GIT_BASE_BRANCH}"
BUILD_BASENAME="${BUILD_BASENAME}@${GIT_BASE_BRANCH_SHORT_ID}"
fi
......@@ -184,8 +187,6 @@ BUILD_MANIFEST="${BUILD_DEST_FILENAME}.build-manifest"
BUILD_APT_SOURCES="${BUILD_DEST_FILENAME}.apt-sources"
BUILD_PACKAGES="${BUILD_DEST_FILENAME}.packages"
BUILD_LOG="${BUILD_DEST_FILENAME}.buildlog"
BUILD_START_FILENAME="${BUILD_DEST_FILENAME}.start.timestamp"
BUILD_END_FILENAME="${BUILD_DEST_FILENAME}.end.timestamp"
# Clone all output, from this point on, to the log file
exec > >(tee -a "$BUILD_LOG")
......@@ -204,14 +205,12 @@ trap "kill -9 $! 2>/dev/null" EXIT HUP INT QUIT TERM
echo "Building $LB_BINARY_IMAGES image ${BUILD_BASENAME}..."
set -o pipefail
[ -z "$JENKINS_URL" ] || date --utc '+%s' > "$BUILD_START_FILENAME"
time eatmydata lb build noauto ${@}
RET=$?
if [ -e "${BUILD_FILENAME}.${BUILD_FILENAME_EXT}" ]; then
echo "Image was successfully created"
[ "$RET" -eq 0 ] || \
echo "Warning: lb build exited with code $RET"
[ -z "$JENKINS_URL" ] || date --utc '+%s' > "$BUILD_END_FILENAME"
if [ "$LB_BINARY_IMAGES" = iso ]; then
ISO_FILE="${BUILD_FILENAME}.${BUILD_FILENAME_EXT}"
print_iso_size "$ISO_FILE"
......
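Review bot: The keyring selection at L43-L49 only tests that a file exists, while the `gpg --import` on L40-L41 that is supposed to populate it has no status check, so a failed or empty import may still leave a keyring file in the fresh homedir and the build proceeds to debootstrap with it (whether this script runs under `set -e` is not visible in the hunk). Checking the import explicitly makes that failure mode unambiguous: `gpg --homedir "$DEBOOTSTRAP_GNUPG_HOMEDIR" --import config/chroot_sources/tails.chroot.gpg || fatal "Could not import the debootstrap signing key."`. The `pubring.kbx` fallback on L45-L46 presumably exists for newer GnuPG homedirs; that the gpgv invoked by debootstrap accepts a keybox-format `--keyring` is worth confirming, since otherwise the else branch on L47-L48 is the only path that fails loudly.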
......@@ -43,7 +43,7 @@ if [ "$BASE_BRANCH" = stable ] || [ "$BASE_BRANCH" = testing ] ; then
"which should not happen on a branch based on $BASE_BRANCH"
esac
if version_was_released "$(version_in_changelog)"; then
on_a_tag \
git_on_a_tag \
|| fatal "Not building from a tag, but last version in changelog" \
"was released"
output_tagged_snapshot "$ARCHIVE" "$(version_in_changelog)"
......
......@@ -6,7 +6,8 @@ set -o pipefail
BASE_URL=http://time-based.snapshots.deb.tails.boum.org/
CONFIG=config/APT_snapshots.d
ORIGINS=$(cd $CONFIG; ls -d *)
SERIAL_ONLY=
FREEZE_EXCEPTIONS=debian-security
get_latest_serial() {
origin=$1
......@@ -14,18 +15,38 @@ get_latest_serial() {
| awk -F': ' '/^Archive serial: / {print $2}'
}
action="${1:-cat}"
if [ $# -eq 0 ]; then
action="cat"
ORIGINS="$(cd ${CONFIG}; ls -d *)"
else
action="${1}"
shift
if [ "${1:-}" = --print-serials-only ]; then
SERIAL_ONLY=yes
shift
fi
if [ "${1:-}" = --freeze-debian-security ]; then
FREEZE_EXCEPTIONS=
shift
fi
if [ $# -eq 0 ]; then
ORIGINS="$(cd ${CONFIG}; ls -d *)"
else
ORIGINS="${@}"
fi
fi
case "$action" in
cat)
for origin in $ORIGINS; do
echo -n "$origin: "
[ -z "${SERIAL_ONLY}" ] && echo -n "$origin: "
cat "$CONFIG/$origin/serial"
done
;;
get-latest)
for origin in $ORIGINS; do
online=$(get_latest_serial $origin)
echo "$origin: $online"
[ -z "${SERIAL_ONLY}" ] && echo -n "$origin: "
get_latest_serial $origin
done
;;
freeze)
......@@ -33,7 +54,7 @@ case "$action" in
serial_file="$CONFIG/$origin/serial"
git=$(cat $serial_file)
case "$origin" in
debian-security)
${FREEZE_EXCEPTIONS})
new=latest
;;
*)
......
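Review bot: The option handling at L155-L162 is positional: `--freeze-debian-security` is only recognised when it follows `--print-serials-only`, and either flag in the other order, or any unknown `--option`, falls through to L166 and becomes an origin name, so the `cat "$CONFIG/$origin/serial"` on L174 later fails with a confusing path error. A small loop over the leading arguments accepts the flags in any order and rejects unknown ones explicitly; the default-origins block on L163-L167 stays as it is. Separately, `${FREEZE_EXCEPTIONS})` on L191 works only because the variable is either one word or empty; a comment saying so (`# single origin name or empty; empty matches nothing`) would save the next reader from adding a second name there.
```shell
action="${1}"
shift
while [ $# -gt 0 ]; do
    case "${1}" in
        --print-serials-only) SERIAL_ONLY=yes ;;
        --freeze-debian-security) FREEZE_EXCEPTIONS= ;;
        --*) echo "unknown option: ${1}" >&2; exit 1 ;;
        *) break ;;
    esac
    shift
done
# … unchanged: ORIGINS default from $CONFIG, or "${@}" …
```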
......@@ -7,7 +7,6 @@ set -u
APT_MIRROR_URL="http://deb.tails.boum.org/"
DEFAULT_COMPONENTS="main contrib non-free"
BASE_BRANCHES="stable testing devel feature/jessie"
output_apt_binary_source() {
local suite="$1"
......@@ -22,18 +21,6 @@ output_overlay_apt_binary_sources() {
done
}
on_base_branch() {
local current_branch=$(current_branch)
for base_branch in $BASE_BRANCHES ; do
if [ "$current_branch" = "$base_branch" ] ; then
return 0
fi
done
return 1
}
### Sanity checks
[ -d config/APT_overlays.d ] || fatal 'config/APT_overlays.d/ does not exist'
......@@ -42,9 +29,9 @@ on_base_branch() {
[ "$(cat config/base_branch | wc -l)" -eq 1 ] \
|| fatal 'config/base_branch must contain exactly one line'
if on_base_branch && ! [ "$(base_branch)" = "$(current_branch)" ] ; then
if on_base_branch && ! [ "$(base_branch)" = "$(git_current_branch)" ] ; then
echo "base_branch: $(base_branch)" >&2
echo "current_branch: $(current_branch)" >&2
echo "current_branch: $(git_current_branch)" >&2
fatal "In a base branch, config/base_branch must match the current branch."
fi
......
# This library is meant to be used in bash, with "set -e" and "set -u".
current_branch() {
git branch | awk '/^\* / { print $2 }'
BASE_BRANCHES="stable testing devel feature/stretch"
# Returns "" if in undetached head
git_current_branch() {
local git_ref
if git_ref="$(git symbolic-ref HEAD 2>/dev/null)"; then
echo "${git_ref#refs/heads/}"
else
echo ""
fi
}
git_in_detached_head() {
[ -z "$(git_current_branch)" ]
}
# Returns "" if ref does not exist
git_commit_from_ref() {
git rev-parse --verify "${@}" 2>/dev/null || :
}
git_current_commit() {
git_commit_from_ref "${@}" HEAD
}
# Returns "" if not a tag
git_tag_from_commit() {
git describe --tags --exact-match "${1}" 2>/dev/null || :
}
# Returns "" if not on a tag
git_current_tag() {
git_tag_from_commit $(git_current_commit)
}
# Try to describe what currently is checked out. Returns "" if we are
# in detached HEAD, otherwise, in order, the tag pointing to HEAD, or
# the current branch.
git_current_head_name() {
local ret
ret="$(git_current_tag)"
if [ -z "${ret}" ]; then
ret="$(git_current_branch)"
fi
echo "${ret}"
}
git_on_a_tag() {
[ -n "$(git_current_tag)" ]
}
on_a_tag() {
git describe --tags --exact-match $(git rev-parse --verify HEAD 2>/dev/null) >/dev/null 2>/dev/null
git_only_doc_changes_since() {
local commit non_doc_diff
commit="$(git_commit_from_ref ${1})"
non_doc_diff="$(git diff \
${commit}... \
-- \
'*' \
':!/wiki' \
':!/ikiwiki.setup' \
':!/ikiwiki-cgi.setup' \
':!*.po' \
)"
[ -z "${non_doc_diff}" ]
}
base_branch() {
cat config/base_branch | head -n1
}
base_branches() {
echo ${BASE_BRANCHES}
}
on_base_branch() {
for base_branch in $BASE_BRANCHES ; do
if [ "$(git_current_branch)" = "${base_branch}" ] ; then
return 0
fi
done
return 1
}
# Returns the top commit ref of the base branch
git_base_branch_head() {
git_commit_from_ref "${@}" origin/"$(base_branch)"
}
branch_name_to_suite() {
local branch="$1"
......@@ -43,3 +121,18 @@ version_in_changelog() {
previous_version_in_changelog() {
dpkg-parsechangelog --offset 1 --count 1 | awk '/^Version: / { print $2 }'
}
# Make it so that when this script is called, any function defined in
# this script can be invoked via arguments, e.g.:
#
# $ auto/scripts/utils.sh git_commit_from_ref 3.0-beta2
# eca83a88a9dd958b16b4d5b04fea3ea503a3815d
#
if grep -q __utils_sh_magic_5773fa52-0d1a-11e7-a606-0021ccc177a7 "${0}" && [ -n "${1}" ]; then
if grep -q "^${1}() {$" "${0}"; then
eval "\"\${@}\""
else
echo "unknown shell function: ${1}" >&2
exit 1
fi
fi
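Review bot: `base_branch()` at L288-L290 returns the exit status of `head`, which is 0 even when config/base_branch is missing because `cat`'s failure is lost in the pipeline unless pipefail is on; auto/build's new `GIT_BASE_BRANCH=$(base_branch) || fatal ...` (L77-L78) therefore cannot fire on a missing file, and auto/build appears to enable pipefail only later, at L114. `head -n1 config/base_branch` produces the same output and makes a missing file a non-zero status. In the dispatcher at L318-L325, `grep -q "^${1}() {$"` treats the function name as a regex; `grep -qxF -- "${1}() {" "${0}"` matches the literal line instead, and `eval "\"\${@}\""` on L320 is equivalent to a plain `"${@}"`, which avoids the eval without changing what runs.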
......@@ -22,7 +22,7 @@ AMNESIA_ISOHYBRID_OPTS="-h 255 -s 63"
REQUIRED_SYSLINUX_UTILS_UPSTREAM_VERSION="6.03~pre20"
# Kernel version
KERNEL_VERSION='4.8.0-0.bpo.2'
KERNEL_VERSION='4.9.0-0.bpo.2'
KERNEL_SOURCE_VERSION=$(
echo "$KERNEL_VERSION" \
| perl -p -E 's{\A (\d+ [.] \d+) [.] .*}{$1}xms'
......
......@@ -41,8 +41,8 @@ cp "$CHROOT_SYSLINUX_BIN" "$LINUX_BINARY_UTILS_DIR/"
cp "$CHROOT_SYSLINUX_MBR" "$BINARY_MBR_DIR/mbr.bin"
cat chroot/etc/apt/sources.list chroot/etc/apt/sources.list.d/*.list \
| grep --extended-regexp --line-regexp --invert-match \
'deb\s+file:/root/local-packages\s+\./' \
| grep --extended-regexp --invert-match \
'file:/root/local-packages' \
| grep --extended-regexp --invert-match \
'^deb\s+http://tagged\.snapshots\.deb\.tails\.boum.org/[^/]+/torproject(/|\s)' \
| grep --extended-regexp --invert-match \
......
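Review bot: Dropping `--line-regexp` and the `deb\s+` prefix at L340-L341 turns the filter into a substring match, so any line of the concatenated sources that mentions `file:/root/local-packages` anywhere is removed, not only the local-packages source entry; if the aim was to also cover `deb-src` and bracketed options, an anchored pattern keeps that precision: `'^deb(-src)?\s+.*file:/root/local-packages'`. The same change appears in the second script at L446-L447. In both files the pipeline continues outside the hunk.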
......@@ -151,7 +151,7 @@ Pin: origin deb.tails.boum.org
Pin-Priority: 999
Package: ttdnsd
Pin: release o=TorProject,n=sid
Pin: origin deb.tails.boum.org
Pin-Priority: 999
Package: torsocks
......@@ -159,7 +159,7 @@ Pin: release o=Debian,n=jessie-backports
Pin-Priority: 999
Package: virtualbox-guest-utils virtualbox-guest-dkms virtualbox-guest-x11
Pin: release o=Debian,n=jessie-backports
Pin: origin deb.tails.boum.org
Pin-Priority: 999
Package: xserver-xorg-video-amdgpu
......
#!/bin/sh
set -e
# Create the i2pbrowser user.
#
# We run i2p-browser under this user
echo "Creating the i2pbrowser user"
adduser --system --quiet --group i2pbrowser
......@@ -35,7 +35,7 @@ download_and_verify_files() {
(
cd "${destination}"
echo "Fetching ${base_url}/${tarball} ..."
curl --remote-name "${base_url}/${tarball}"
curl --retry 20 --remote-name "${base_url}/${tarball}"
)
actual_sha256="$(sha256sum "${destination}/${tarball}" | cut -d' ' -f1)"
if [ "${actual_sha256}" != "${expected_sha256}" ]; then
......
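Review bot: `curl --retry 20 --remote-name` at L374 still exits 0 on an HTTP error response, because without `--fail` curl writes the error body under the tarball name; a 404 is then never retried and is only caught by the sha256 comparison on L376-L377, which reports it as a checksum mismatch rather than a download failure. `curl --fail --retry 20 --remote-name "${base_url}/${tarball}"` makes the fetch itself fail. Whether the enclosing script runs under `set -e` so that the subshell's failure stops `download_and_verify_files` is not visible here; the function starts outside the hunk.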
#!/bin/sh
set -e
echo "Configuring I2P"
I2P="/usr/share/i2p"
I2PROUTER="/usr/bin/i2prouter"
WRAPPER="/etc/i2p/wrapper.config"
# This must be set in order for the i2p init script to work
sed -i 's/^RUN_DAEMON=.*$/RUN_DAEMON="true"/' /etc/default/i2p
# Remove the "i2prouter" script, its man page, and its apparmor profile
# since these are not used by Tails:
rm /etc/apparmor.d/usr.bin.i2prouter /usr/share/man/man1/i2prouter.1.gz
# Install custom i2prouter stub scripts
for script in ${I2PROUTER} ${I2PROUTER}-nowrapper; do
echo "Removing $script"
dpkg-divert --rename --add "${script}"
cat > "$script" << EOF
#!/bin/sh
echo "This script is not used by Tails."
echo "See https://tails.boum.org/doc/anonymous_internet/i2p/ for more information."
exit 0
EOF
chmod 755 "$script"
done
# Remove the outproxy from the tunnel on port 4444
# This will remove the following lines:
# tunnel.0.proxyList=false.i2p
# tunnel.0.option.i2ptunnel.httpclient.SSLOutproxies=false.i2p
# The SSLOutproxies option was first set in I2P 0.9.15
sed -i '/^.*tunnel\.0\.\(proxyList\|option\.i2ptunnel\.httpclient\.SSLOutproxies\)/d' "$I2P/i2ptunnel.config"
# Disable the https outproxy (port 4445)
sed -i 's|^.*\(tunnel\.6\.startOnLoad\).*|\1=false|' "$I2P/i2ptunnel.config"
# Don't serve the router console on IPv6
sed -i 's|^clientApp\.0\.args=7657\s\+::1,127\.0\.0\.1|clientApp.0.args=7657 127.0.0.1|' "$I2P/clients.config"
# Disable IPv6 in the wrapper
sed -i 's|^.*\(wrapper\.java\.additional\.5=-Djava\.net\.preferIPv4Stack=\).*|\1true|' "$WRAPPER"
sed -i 's|^.*\(wrapper\.java\.additional\.6=-Djava\.net\.preferIPv6Addresses=\).*|\1false|' "$WRAPPER"
# Tails specific router configs:
# * i2cp: allows java clients to communicate with I2P outside of the JVM. Disabled.
# * IPv6: Disabled
# * HiddenMode: Enabled
# * In-I2P Network Updates: Disabled
# * Inbound connections: Disabled (setting is "i2cp.ntcp.autoip")
# * Disable I2P plugins
# * Disable NTP
cat > "$I2P/router.config" << EOF
# NOTE: This I2P config file must use UTF-8 encoding
i2cp.disableInterface=true
i2np.ntcp.ipv6=false
i2np.ntcp.autoip=false
i2np.udp.ipv6=false
router.isHidden=true
router.updateDisabled=true
router.enablePlugins=false
time.disabled=true
EOF
cat > "$I2P/susimail.config" << EOF
susimail.pop3.leave.on.server=true
EOF
# enforce apparmor
echo Setting the I2P apparmor profile to enforce mode
sed -i -re 's|flags=\(complain\)||' /etc/apparmor.d/system_i2p
......@@ -16,8 +16,8 @@ toggle_src_APT_sources() {
case "$MODE" in
on)
cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list \
| grep --extended-regexp --line-regexp --invert-match \
'deb\s+file:/root/local-packages\s+\./' \
| grep --extended-regexp --invert-match \
'file:/root/local-packages' \
| grep --extended-regexp --invert-match \
'^deb\s+http://tagged\.snapshots\.deb\.tails\.boum.org/[^/]+/torproject(/|\s)' \
| grep --extended-regexp --invert-match \
......
......@@ -11,7 +11,6 @@ gdomap
haveged
hdparm
hwclock.sh
i2p
kexec-load
laptop-mode
memlockd
......@@ -46,8 +45,10 @@ systemctl enable tails-tor-has-bootstrapped.target
systemctl enable tails-wait-until-tor-has-bootstrapped.service
systemctl enable tails-tor-has-bootstrapped-flag-file.service
systemctl enable tor-controlport-filter.service
systemctl enable var-tmp.mount
# Enable our own systemd user unit files
systemctl --global enable tails-32-bit-notify-user.service
systemctl --global enable tails-add-GNOME-bookmarks.service
systemctl --global enable tails-configure-keyboard.service
systemctl --global enable tails-create-tor-browser-directories.service
......@@ -78,7 +79,6 @@ systemctl disable ttdnsd.service
# We don't run these services by default
systemctl disable gdomap.service
systemctl disable hdparm.service
systemctl disable i2p.service
# Don't hide tails-kexec's shutdown messages with an empty splash screen
for suffix in halt kexec poweroff reboot shutdown ; do
......
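Review bot: `systemctl enable var-tmp.mount` on L464 is the only mount unit in this list and has no comment explaining why it must be enabled explicitly instead of being pulled in by a dependency, unlike the service lines around it; a one-liner such as `# /var/tmp is provided by our var-tmp.mount unit, which nothing else pulls in` (adjusted to the real reason) would help. The mount options for that world-writable directory live in the unit file, which is not part of this hunk; it is worth confirming there that it sets `nosuid,nodev`.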