Commit a158c465 authored by intrigeri

Merge remote-tracking branch...

Merge remote-tracking branch 'kibi/bugfix/15695-avoid-breaking-automatic-upgrades-to-tails-3-9' into devel (Fix-committed: #15695, #15407, #15419)
parents 70c4f2ee 6091605f
......@@ -23,11 +23,11 @@
/config/source
/config/chroot_local-includes/etc/amnesia/environment
/config/chroot_local-includes/etc/amnesia/version
/config/chroot_local-includes/usr/share/amnesia/readahead-list
/config/chroot_local-includes/usr/share/amnesia/build/variables
/config/chroot_local-includes/usr/share/doc/Changelog
/config/chroot_local-includes/usr/share/doc/amnesia/Changelog
/config/chroot_local-includes/usr/share/doc/tails/website
/config/chroot_local-includes/usr/share/tails/build/variables
/config/chroot_local-includes/usr/share/tails/readahead-list
/.lock
/.stage
/source
......
......@@ -50,15 +50,15 @@ rm -rf cache/stages_rootfs
# save variables that are needed by chroot_local-hooks
echo "KERNEL_VERSION=${KERNEL_VERSION}" \
>> config/chroot_local-includes/usr/share/amnesia/build/variables
>> config/chroot_local-includes/usr/share/tails/build/variables
echo "KERNEL_SOURCE_VERSION=${KERNEL_SOURCE_VERSION}" \
>> config/chroot_local-includes/usr/share/amnesia/build/variables
echo "LB_DISTRIBUTION=${LB_DISTRIBUTION}" >> config/chroot_local-includes/usr/share/amnesia/build/variables
>> config/chroot_local-includes/usr/share/tails/build/variables
echo "LB_DISTRIBUTION=${LB_DISTRIBUTION}" >> config/chroot_local-includes/usr/share/tails/build/variables
echo "POTFILES_DOT_IN='$(
/bin/grep -E --no-filename '[^ #]*\.in$' po/POTFILES.in \
| sed -e 's,^config/chroot_local-includes,,' | tr "\n" ' '
)'" \
>> config/chroot_local-includes/usr/share/amnesia/build/variables
>> config/chroot_local-includes/usr/share/tails/build/variables
# fix permissions on some source files that will be copied as is to the chroot.
# they may be wrong, e.g. if the Git repository was cloned with a strict umask.
......@@ -111,7 +111,7 @@ DEBOOTSTRAP_OPTIONS="$DEBOOTSTRAP_OPTIONS --keyring=$DEBOOTSTRAP_GNUPG_KEYRING"
export DEBOOTSTRAP_OPTIONS
: ${MKSQUASHFS_OPTIONS:='-comp xz -Xbcj x86 -b 1024K -Xdict-size 1024K -no-exports'}
MKSQUASHFS_OPTIONS="${MKSQUASHFS_OPTIONS} -wildcards -ef chroot/usr/share/amnesia/build/mksquashfs-excludes"
MKSQUASHFS_OPTIONS="${MKSQUASHFS_OPTIONS} -wildcards -ef chroot/usr/share/tails/build/mksquashfs-excludes"
export MKSQUASHFS_OPTIONS
# build the doc wiki
......
......@@ -33,7 +33,7 @@ for list in config/chroot_local-packageslists/*.list ; do
done
# files copied or created in the build stage
rm -f config/chroot_local-includes/usr/share/amnesia/build/variables
rm -f config/chroot_local-includes/usr/share/tails/build/variables
# static wiki
rm -rf config/chroot_local-includes/usr/share/doc/tails/website wiki/src/.ikiwiki
......
......@@ -184,11 +184,11 @@ cp debian/changelog config/chroot_local-includes/usr/share/doc/amnesia/Changelog
# create readahead-list from squashfs.sort
if [ -e config/binary_rootfs/squashfs.sort ]; then
mkdir -p config/chroot_local-includes/usr/share/amnesia
mkdir -p config/chroot_local-includes/usr/share/tails
sort -k2 -n -r config/binary_rootfs/squashfs.sort | \
cut -d' ' -f1 | \
grep --invert-match --extended-regexp "$READAHEAD_EXCLUDE_PATTERN" \
> config/chroot_local-includes/usr/share/amnesia/readahead-list
> config/chroot_local-includes/usr/share/tails/readahead-list
fi
# custom APT sources
......
......@@ -19,7 +19,7 @@ usr/lib/locale/aa_DJ.utf8/LC_COLLATE 32750
usr/lib/locale/en_US.utf8/LC_TIME 32749
usr/lib/locale/aa_ET/LC_NUMERIC 32748
usr/lib/locale/aa_DJ.utf8/LC_CTYPE 32747
usr/share/amnesia/readahead-list 32746
usr/share/tails/readahead-list 32746
bin/kmod 32745
bin/touch 32744
lib/modprobe.d/aliases.conf 32742
......@@ -480,7 +480,7 @@ usr/lib/python3.5/__pycache__/random.cpython-35.pyc 32088
lib/live/mount/overlay/usr/lib/python3.5/__pycache__/hashlib.cpython-35.pyc 32087
usr/lib/python3.5/__pycache__/hashlib.cpython-35.pyc 32086
usr/lib/python3.5/lib-dynload/_hashlib.cpython-35m-x86_64-linux-gnu.so 32085
usr/share/amnesia/firstnames.txt 32084
usr/share/tails/firstnames.txt 32084
usr/bin/od 32083
usr/bin/expr 32082
usr/bin/bc 32081
......
......@@ -6,14 +6,46 @@ set -e
echo "Change GIDs and UIDs"
TPS_GROUP_STEALER=$(getent group 122 | awk -F ':' '{print $1}')
if [ -n "$TPS_GROUP_STEALER" ]; then
groupmod --gid 150 "$TPS_GROUP_STEALER"
find / -wholename /proc -prune -o \( \! -type l -a -gid 122 -exec chgrp 150 '{}' \; \)
fi
TPS_USER_STEALER=$(getent passwd 115 | awk -F ':' '{print $1}')
if [ -n "$TPS_USER_STEALER" ]; then
usermod --uid 150 "$TPS_USER_STEALER"
find / -wholename /proc -prune -o \( \! -type l -a -uid 115 -exec chown 150 '{}' \; \)
fi
Change_uid () {
NAME="$1"
NEW="$2"
OLD="$(getent passwd "$NAME" | awk -F ':' '{print $3}')"
if [ -n "$OLD" ]; then
echo "Changing UID for $NAME ($OLD -> $NEW)"
usermod --uid "$NEW" "$NAME"
find / -wholename /proc -prune -o \( \! -type l -a -uid "$OLD" -exec chown "$NEW" '{}' \; \)
fi
}
Change_gid () {
NAME="$1"
NEW="$2"
OLD="$(getent group "$NAME" | awk -F ':' '{print $3}')"
if [ -n "$OLD" ]; then
echo "Changing GID for $NAME ($OLD -> $NEW)"
groupmod --gid "$NEW" "$NAME"
find / -wholename /proc -prune -o \( \! -type l -a -gid "$OLD" -exec chgrp "$NEW" '{}' \; \)
fi
}
Change_uid tails-persistent-setup 150
Change_gid tails-persistent-setup 150
### Ensure GIDs are stable accross releases
# ... otherwise, things such as tor@service are broken
# after applying an automatic upgrade (#15695, #15424, #13426, #15407)
# Temporarily give these groups a GID that's out of the way, to avoid collisions
Change_gid vboxsf 1120
Change_gid monkeysphere 1130
Change_gid debian-tor 1140
Change_gid lpadmin 1150
# Finally, give these groups the desired GID
Change_gid vboxsf 112
Change_gid monkeysphere 113
Change_gid debian-tor 114
Change_gid lpadmin 115
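Review bot: `Change_uid` and `Change_gid` do nothing and print nothing when `getent` returns no entry for the name, so a misspelled or not-yet-created account leaves its ID unpinned without any trace in the build log. The calls `Change_uid tails-persistent-setup 150` and `Change_gid tails-persistent-setup 150` look like such a case: the passwd and group reference files shown elsewhere on this page spell the account `tails-persistence-setup` and list it at UID 115 / GID 122, while the `TPS_*_STEALER` blocks select by numeric ID rather than by name. The page has lost its +/- markers, so which of these lines are on the new side is inferred. I would add an `else` branch to both helpers, e.g. `else echo "W: no entry for '$NAME', ID left unchanged" >&2`, so that a skipped change is visible rather than relying only on the later passwd/group comparison to catch it.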
......@@ -6,7 +6,7 @@ set -x
echo "Setting up a build environment for kernel modules"
. /usr/share/amnesia/build/variables
. /usr/share/tails/build/variables
# Import ensure_hook_dependency_is_installed() and
# install_fake_package()
......
......@@ -5,7 +5,7 @@ set -u
echo "Building the aufs module"
. /usr/share/amnesia/build/variables
. /usr/share/tails/build/variables
# Import ensure_hook_dependency_is_installed()
. /usr/local/lib/tails-shell-library/build.sh
......
......@@ -6,7 +6,7 @@ set -x
echo "Building VirtualBox guest modules"
. /usr/share/amnesia/build/variables
. /usr/share/tails/build/variables
# Import ensure_hook_dependency_is_installed()
# and install_fake_package()
......
......@@ -5,7 +5,7 @@ set -e
echo "Removing unwanted files"
# Get POTFILES_DOT_IN
. /usr/share/amnesia/build/variables
. /usr/share/tails/build/variables
find /usr/share/doc -type f -name changelog.gz -delete
find /usr/share/doc -type f -name changelog.Debian.gz -delete
......
#!/bin/sh
set -e
echo "Checking UIDs and GIDs stability"
if ! cmp "/usr/share/tails/build/passwd" "/etc/passwd" \
|| ! cmp "/usr/share/tails/build/group" "/etc/group" ; then
echo "/etc/passwd and/or /etc/group differs from expected:" >&2
for file in passwd group; do
diff -Naur "/usr/share/tails/build/${file}" "/etc/${file}" >&2 || :
echo >&2
echo "Content of '/etc/${file}':" >&2
cat "/etc/${file}" >&2
echo >&2
done
echo "If these changes are innocuous, update these files in" \
"config/chroot_local-includes/usr/share/tails/build/." >&2
echo "See #15407 and #13426 for more context." >&2
exit 1
fi
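Review bot: The script carries no comment explaining why a byte-for-byte match of `/etc/passwd` and `/etc/group` is required, or that a missing reference file also fails the build (`cmp` exits non-zero, so the `if` branch runs and ends in `exit 1`). I would add a header above the first `echo` such as `# Fail the build if UIDs/GIDs drift from the pinned reference files; they must stay stable across releases (#15407, #13426).` As a small style point, `cmp -s` would keep `cmp`'s own "differ" line off stdout, since `diff -Naur` already reports the details on stderr.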
......@@ -29,7 +29,7 @@ EOF
/usr/local/lib/boot-profile /var/log/boot-profile
# Put readahead list at the very begining
head -n 1 /usr/share/amnesia/readahead-list >/dev/null || true
head -n 1 /usr/share/tails/readahead-list >/dev/null || true
# Creating state file
touch /var/lib/live/config/boot-profile
......
#!/bin/sh
READAHEAD_LIST="/usr/share/amnesia/readahead-list"
READAHEAD_LIST="/usr/share/tails/readahead-list"
BACKGROUND_AT="^usr/bin/Xorg$"
Readahead ()
......
#!/bin/sh
# List of at least 2000 possible nicknames
NICKS_LIST=/usr/share/amnesia/firstnames.txt
NICKS_LIST=/usr/share/tails/firstnames.txt
# returns true with probability $1
prob()
......
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:
floppy:x:25:
tape:x:26:
sudo:x:27:
audio:x:29:pulse
dip:x:30:
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
systemd-journal:x:101:
systemd-timesync:x:102:
systemd-network:x:103:
systemd-resolve:x:104:
input:x:106:
crontab:x:107:
netdev:x:108:
messagebus:x:105:
ssh:x:109:
memlockd:x:110:
ssl-cert:x:111:
monkeysphere:x:113:
debian-tor:x:114:tor-launcher
lpadmin:x:115:
vboxsf:x:112:
scanner:x:116:saned
colord:x:117:
saned:x:118:
pulse:x:119:
pulse-access:x:120:
Debian-gdm:x:121:
tails-persistence-setup:x:122:
clearnet:x:123:
htp:x:124:
tails-iuk-get-target-file:x:125:tails-install-iuk
tails-upgrade-frontend:x:126:
tor-launcher:x:127:
tails-install-iuk:x:128:
......@@ -4,7 +4,6 @@ boot/vmlinuz-*
debootstrap/*
root/.gnupg/S.gpg-agent*
tmp/*
usr/share/amnesia/packages/*
usr/share/doc/tails/website/blueprint/*
usr/share/doc/tails/website/contribute/how/translate/translation_progress.html
usr/share/doc/tails/website/promote/slides/*
......@@ -13,6 +12,7 @@ usr/share/icons/*/.icon-theme.cache
usr/share/icons/*/icon-theme.cache
usr/share/inkscape/examples/*
usr/share/inkscape/tutorials/*
usr/share/tails/packages/*
var/cache/apt/archives/*.deb
var/cache/apt/archives/partial/*.deb
var/cache/apt/pkgcache.bin
......
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
messagebus:x:103:105::/var/run/dbus:/bin/false
memlockd:x:105:110:memlockd system account,,,:/usr/lib/memlockd:/bin/false
monkeysphere:x:106:113:monkeysphere authentication user,,,:/var/lib/monkeysphere:/bin/bash
debian-tor:x:107:114::/var/lib/tor:/bin/false
speech-dispatcher:x:108:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
colord:x:109:117:colord colour management daemon,,,:/var/lib/colord:/bin/false
saned:x:110:118::/var/lib/saned:/bin/false
pulse:x:111:119:PulseAudio daemon,,,:/var/run/pulse:/bin/false
hplip:x:112:7:HPLIP system user,,,:/var/run/hplip:/bin/false
Debian-gdm:x:113:121:Gnome Display Manager:/var/lib/gdm3:/bin/false
tails-persistence-setup:x:115:122::/home/tails-persistence-setup:/bin/false
clearnet:x:114:123::/home/clearnet:/bin/false
htp:x:116:124::/home/htp:/bin/false
tails-iuk-get-target-file:x:117:125::/home/tails-iuk-get-target-file:/bin/false
tails-upgrade-frontend:x:118:126::/home/tails-upgrade-frontend:/bin/false
tor-launcher:x:119:127::/home/tor-launcher:/bin/false
tails-install-iuk:x:120:128::/home/tails-install-iuk:/bin/false
......@@ -161,7 +161,7 @@ A number of files are simply emptied or excluded when creating the
SquashFS (some to optimize size, some because they are not needed in
there so we did not bother generating them in a deterministic manner):
- <https://git-tails.immerda.ch/tails/tree/config/chroot_local-includes/usr/share/amnesia/build/mksquashfs-excludes>
- <https://git-tails.immerda.ch/tails/tree/config/chroot_local-includes/usr/share/tails/build/mksquashfs-excludes>
- <https://git-tails.immerda.ch/tails/tree/config/chroot_local-hooks/99-zzzzzz_reproducible-builds-post-processing>
We considered dropping even more stuff such as the fontconfig cache,
......