Merge remote-tracking branch 'origin/master' into italian

a4d8d196 · intrigeri · be1851ff · 3af516b0 · a4d8d196 · a4d8d196
Commit a4d8d196 authored Nov 22, 2015 by intrigeri
--- a/.gitignore
+++ b/.gitignore
@@ -32,6 +32,8 @@
 /vagrant/definitions/squeeze/preseed.cfg
 /vagrant/iso
 /vagrant/squeeze.box
+# Jenkins artifacts directory
+/build-artifacts/

 # Files managed by intltool
 /config/chroot_local-includes/etc/skel/Desktop/tails-documentation.desktop

--- a/auto/build
+++ b/auto/build
@@ -128,7 +128,7 @@ if [ -n "$JENKINS_URL" ] && [ -z "$GIT_TAG" ] \
 fi

 # build the doc wiki
-./build-wiki
+./build-website

 # refresh translations of our programs
 ./refresh-translations || fatal "refresh-translations failed ($?)."

--- a/build-wiki
+++ b/build-wiki
--- a/config/binary_rootfs/squashfs.sort
+++ b/config/binary_rootfs/squashfs.sort
--- a/config/chroot_apt/preferences
+++ b/config/chroot_apt/preferences
@@ -66,6 +66,10 @@ Package: poedit
 Pin: release o=Debian Backports,n=wheezy-backports
 Pin-Priority: 999

+Package: firmware-amd-graphics
+Pin: release o=Debian,a=unstable
+Pin-Priority: 999
+
 Package: firmware-atheros
 Pin: release o=Debian,a=unstable
 Pin-Priority: 999
@@ -106,7 +110,7 @@ Package: firmware-linux-nonfree
 Pin: release o=Debian,a=unstable
 Pin-Priority: 999

-Package: firmware-ralink
+Package: firmware-misc-nonfree
 Pin: release o=Debian,a=unstable
 Pin-Priority: 999


--- a/config/chroot_local-hooks/12-enable-icedove-addons
+++ b/config/chroot_local-hooks/12-enable-icedove-addons
+#!/bin/sh
+
+set -e
+set -u
+
+EXT="/usr/lib/icedove/extensions"
+
+[ -d "$EXT" ] || exit 1
+
+echo "Enabling Torbirdy and Enigmail in Icedove"
+ln -s /usr/share/xul-ext/torbirdy "$EXT"/castironthunderbirdclub@torproject.org
+ln -s /usr/lib/xul-ext/enigmail "$EXT"/\{847b3a00-7ab1-11d4-8f02-006008948af5\}
+
+echo "Enabling the amnesia branding extension in Icedove"
+ln -s /usr/local/share/tor-browser-extensions/branding@amnesia.boum.org "$EXT"
--- a/config/chroot_local-hooks/16-i2p_config
+++ b/config/chroot_local-hooks/16-i2p_config
@@ -5,11 +5,29 @@ set -e
 echo "Configuring I2P"

 I2P="/usr/share/i2p"
+I2PROUTER="/usr/bin/i2prouter"
 WRAPPER="/etc/i2p/wrapper.config"

 # This must be set in order for the i2p init script to work
 sed -i 's/^RUN_DAEMON=.*$/RUN_DAEMON="true"/' /etc/default/i2p

+# Remove the "i2prouter" script, its man page, and its apparmor profile
+# since these are not used by Tails:
+rm /etc/apparmor.d/usr.bin.i2prouter /usr/share/man/man1/i2prouter.1.gz
+
+# Install custom i2prouter stub scripts
+for script in ${I2PROUTER} ${I2PROUTER}-nowrapper; do
+    echo "Removing $script"
+    dpkg-divert --rename --add "${script}"
+    cat > "$script" << EOF
+#!/bin/sh
+echo "This script is not used by Tails."
+echo "See https://tails.boum.org/doc/anonymous_internet/i2p/ for more information."
+exit 0
+EOF
+    chmod 755 "$script"
+done
+
 # Remove the outproxy from the tunnel on port 4444
 # This will remove the following lines:
 #      tunnel.0.proxyList=false.i2p
@@ -48,3 +66,7 @@ EOF
 cat > "$I2P/susimail.config" << EOF
 susimail.pop3.leave.on.server=true
 EOF
+
+# enforce apparmor
+echo Setting the I2P apparmor profile to enforce mode
+sed  -i -re 's|flags=\(complain\)||' /etc/apparmor.d/system_i2p
--- a/config/chroot_local-hooks/70-wget
+++ b/config/chroot_local-hooks/70-wget
+#!/bin/sh
+set -e
+
+# We don't want the real binary to be in $PATH:
+# Also note that wget uses the executable name in some help/error messages,
+# so wget-real/etc. should be avoided.
+mkdir -p /usr/lib/wget
+dpkg-divert --add --rename --divert /usr/lib/wget/wget /usr/bin/wget
+
+# We don't want users or other applications using wget directly:
+cat > /usr/bin/wget << 'EOF'
+#!/bin/sh
+unset http_proxy
+unset HTTP_PROXY
+unset https_proxy
+unset HTTPS_PROXY
+
+exec torsocks /usr/lib/wget/wget --passive-ftp "$@"
+EOF
+
+chmod 755 /usr/bin/wget
--- a/config/chroot_local-includes/etc/NetworkManager/dispatcher.d/10-tor.sh
+++ b/config/chroot_local-includes/etc/NetworkManager/dispatcher.d/10-tor.sh
@@ -5,12 +5,12 @@

 # Run only when the interface is not "lo":
 if [ $1 = "lo" ]; then
-   exit 0
+    exit 0
 fi

 # Run whenever an interface gets "up", not otherwise:
 if [ $2 != "up" ]; then
-   exit 0
+    exit 0
 fi

 # Import tor_control_setconf(), TOR_LOG
@@ -35,26 +35,41 @@ rm -f "${TOR_LOG}"
 # a HTTP proxy or allowed firewall ports won't get the sandboxing, but
 # much better than nothing.
 if [ "$(tails_netconf)" = "direct" ]; then
-   tor_set_in_torrc Sandbox 1
+    tor_set_in_torrc Sandbox 1
 fi

-# A SIGHUP should be enough but there's a bug in Tor. Details:
+# We would like Tor to be started during init time, even before the
+# network is up, and then send it a SIGHUP here to make it start
+# bootstrapping swiftly, but it doesn't work because of a bug in
+# Tor. Details:
 # * https://trac.torproject.org/projects/tor/ticket/1247
 # * https://tails.boum.org/bugs/tor_vs_networkmanager/
-restart-tor
-
+# To work around this we restart Tor, in various ways, no matter the
+# case below.
 if [ "$(tails_netconf)" = "obstacle" ]; then
-   # When using a bridge Tor reports TLS cert lifetime errors
-   # (e.g. when the system clock is way off) with severity "info", but
-   # when no bridge is used the severity is "warn". tordate/20-time.sh
-   # depends on grepping these error messages, so we temporarily
-   # increase Tor's logging severity.
-   tor_control_setconf "Log=\"info file ${TOR_LOG}\""
-
-   # Enable the transports we support. We cannot do this in general,
-   # when bridge mode is not enabled, since we then use seccomp
-   # sandboxing.
-   tor_control_setconf 'ClientTransportPlugin="obfs2,obfs3,obfs4 exec /usr/bin/obfs4proxy managed"'
-
-   /usr/local/sbin/tails-tor-launcher &
+    # We do not use restart-tor since it validates that bootstraping
+    # succeeds. That cannot happen until Tor Launcher has started
+    # (below) and the user is done configuring it.
+    service tor restart
+
+    # When using a bridge Tor reports TLS cert lifetime errors
+    # (e.g. when the system clock is way off) with severity "info", but
+    # when no bridge is used the severity is "warn". tordate/20-time.sh
+    # depends on grepping these error messages, so we temporarily
+    # increase Tor's logging severity.
+    tor_control_setconf "Log=\"info file ${TOR_LOG}\""
+
+    # Enable the transports we support. We cannot do this in general,
+    # when bridge mode is not enabled, since we then use seccomp
+    # sandboxing.
+    tor_control_setconf 'ClientTransportPlugin="obfs2,obfs3,obfs4 exec /usr/bin/obfs4proxy managed"'
+
+    /usr/local/sbin/tails-tor-launcher &
+
+    # Wait until the user has done the Tor Launcher configuration.
+    until [ "$(tor_control_getconf DisableNetwork)" = 0 ]; do
+        sleep 1
+    done
+else
+    ( restart-tor ) &
 fi
--- a/config/chroot_local-includes/etc/NetworkManager/dispatcher.d/20-time.sh
+++ b/config/chroot_local-includes/etc/NetworkManager/dispatcher.d/20-time.sh
@@ -70,7 +70,7 @@ has_only_unverified_consensus() {

 wait_for_tor_consensus_helper() {
 	tries=0
-	while ! has_consensus && [ $tries -lt 5 ]; do
+	while ! has_consensus && [ $tries -lt 10 ]; do
 		inotifywait -q -t 30 -e close_write -e moved_to ${TOR_DIR} || log "timeout"
 		tries=$(expr $tries + 1)
 	done
@@ -81,10 +81,6 @@ wait_for_tor_consensus_helper() {

 wait_for_tor_consensus() {
 	log "Waiting for a Tor consensus file to contain a valid time interval"
-	if ! has_consensus && ! wait_for_tor_consensus_helper; then
-		log "Unsuccessfully waited for Tor consensus, restarting Tor and retrying."
-		restart-tor
-	fi
 	if ! has_consensus && ! wait_for_tor_consensus_helper; then
 		log "Unsuccessfully retried waiting for Tor consensus, aborting."
 	fi
@@ -175,7 +171,7 @@ maybe_set_time_from_tor_consensus() {
 	date -us "${vmid}" 1>/dev/null

 	# Tor is unreliable with picking a circuit after time change
-	restart-tor
+	service tor restart
 }

 tor_cert_valid_after() {
@@ -219,15 +215,6 @@ start_notification_helper() {

 ### Main

-# When the network is obstacled (e.g. we need a bridge) we wait until
-# Tor Launcher has unset DisableNetwork, since Tor's bootstrapping
-# won't start until then.
-if [ "$(tails_netconf)" = "obstacle" ]; then
-	until [ "$(tor_control_getconf DisableNetwork)" = 0 ]; do
-		sleep 1
-	done
-fi
-
 start_notification_helper

 # Delegate time setting to other daemons if Tor connections work

--- a/config/chroot_local-includes/etc/icedove/pref/icedove.js
+++ b/config/chroot_local-includes/etc/icedove/pref/icedove.js
+// This is the Debian specific preferences file for Mozilla Firefox
+// You can make any change in here, it is the purpose of this file.
+// You can, with this file and all files present in the
+// /etc/thunderbird/pref directory, override any preference that is
+// present in /usr/lib/thunderbird/defaults/pref directory.
+// While your changes will be kept on upgrade if you modify files in
+// /etc/thunderbird/pref, please note that they won't be kept if you
+// do them in /usr/lib/thunderbird/defaults/pref.
+
+pref("extensions.update.enabled", false);
+
+// Use LANG environment variable to choose locale
+pref("intl.locale.matchOS", true);
+
+// Disable default mail checking (gnome).
+pref("mail.shell.checkDefaultMail", false);
+
+// if you are not using gnome
+pref("network.protocol-handler.app.http", "x-www-browser");
+pref("network.protocol-handler.app.https", "x-www-browser");
+
+// Tell TorBirdy we're running Tails so that it adapts its behaviour.
+//pref("vendor.name", "Tails");
+
+// Disable mail indexing
+pref("mailnews.database.global.indexer.enabled", false);
+
+// Disable chat
+pref("mail.chat.enabled", false);
+
+// Disable system addons
+pref("extensions.autoDisableScopes", 3);
+pref("extensions.enabledScopes", 4);
+
+// Only show the tab bar if there's more than one tab to display
+pref("mail.tabs.autoHide", true);
+
+// Try to disable "Would you like to help Icedove Mail/News by automatically reporting memory usage, performance, and responsiveness to Mozilla"
+pref("toolkit.telemetry.prompted", 2);
+pref("toolkit.telemetry.rejected", true);
+pref("toolkit.telemetry.enabled", false);
--- a/config/chroot_local-includes/etc/skel/.icedove/profile.default/chrome/userChrome.css
+++ b/config/chroot_local-includes/etc/skel/.icedove/profile.default/chrome/userChrome.css
+/* Required, do not remove */
+
+@namespace url("http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul");
+#torbirdy-jondo-selection,
+#torbirdy-whonix-selection,
+#torbirdy-tor-selection,
+#torbirdy-tor-selection + menuseparator,
+
+#torbirdy-anon-settings,
+#torbirdy-anonservice,
+
+/* Hide "Chat account" on Icedove's start-up page */
+#CreateAccountChat
+
+{ display: none; }
--- a/config/chroot_local-includes/etc/skel/.icedove/profile.default/preferences/0000tails.js
+++ b/config/chroot_local-includes/etc/skel/.icedove/profile.default/preferences/0000tails.js
+user_pref("extensions.enigmail.configuredVersion", "1.7.2");
--- a/config/chroot_local-includes/etc/tor-browser/profile/adblockplus/patterns.ini
+++ b/config/chroot_local-includes/etc/tor-browser/profile/adblockplus/patterns.ini
--- a/config/chroot_local-includes/etc/tor-browser/profile/preferences/0000tails.js
+++ b/config/chroot_local-includes/etc/tor-browser/profile/preferences/0000tails.js
@@ -93,3 +93,7 @@ pref("browser.newtabpage.introShown", true);
 // add-on localizes search-engines in an incompatible but equivalent
 // way.
 pref("browser.search.geoSpecificDefaults", false);
+
+// Without setting this, the Download Management page will not update
+// the progress being made.
+pref("browser.download.panel.shown", true);
--- a/config/chroot_local-includes/etc/tor/torrc
+++ b/config/chroot_local-includes/etc/tor/torrc
@@ -20,7 +20,7 @@ SocksPort 127.0.0.1:9061 IsolateDestAddr
 ## SocksPort for Tails-specific applications
 SocksPort 127.0.0.1:9062 IsolateDestAddr IsolateDestPort
 ## SocksPort for the default web browser
-SocksPort 127.0.0.1:9150
+SocksPort 127.0.0.1:9150 IsolateSOCKSAuth KeepAliveIsolateSOCKSAuth

 ## Entry policies to allow/deny SOCKS requests based on IP address.
 ## First entry that matches wins. If no SocksPolicy is set, we accept

--- a/config/chroot_local-includes/usr/local/bin/icedove
+++ b/config/chroot_local-includes/usr/local/bin/icedove
+#!/bin/sh
+
+set -e
+set -u
+
+PROFILE="${HOME}/.icedove/profile.default"
+
+start_icedove() {
+   # Give Icedove its own temp directory, similar rationale to a1fd1f0f & #9558.
+    TMPDIR="${PROFILE}/tmp"
+    mkdir --mode=0700 -p "$TMPDIR"
+    export TMPDIR
+
+    if [ -z "$XAUTHORITY" ]; then
+        XAUTHORITY=~/.Xauthority
+        export XAUTHORITY
+    fi
+
+    unset SESSION_MANAGER
+
+    /usr/bin/icedove --class "Icedove" -profile "${PROFILE}" "${@}"
+}
+
+start_icedove "${@}"
--- a/config/chroot_local-includes/usr/local/bin/tor-browser
+++ b/config/chroot_local-includes/usr/local/bin/tor-browser
@@ -41,24 +41,6 @@ tor_has_bootstrapped() {
    sudo -n -u debian-tor /usr/local/sbin/tor-has-bootstrapped
 }

-# Workaround bug #8036 by copying any localized search plugins into
-# the profile.
-enable_localized_searchplugins() {
-    local locale plugin
-    locale=$(cat "${PROFILE}"/preferences/0000locale.js | \
-                 sed 's@^pref("general\.useragent\.locale", "\([^"]*\)");$@\1@')
-    if [ "${locale}" = en-US ] || [ -e "${PROFILE}"/searchplugins ]; then
-        return
-    fi
-    # Fallback to a similar locale if there is no exact match
-    plugin="$(ls -1 "${TBB_INSTALL}"/distribution/searchplugins/locale/ | grep -m1 "^${locale}\(-[A-Z]\+\)\?$" || true)"
-    if [ -n "${plugin}" ]; then
-        mkdir -p "${PROFILE}"/searchplugins
-        # The plugins do not load if they are symlinks
-        cp --dereference "${TBB_INSTALL}"/distribution/searchplugins/locale/"${plugin}"/*  "${PROFILE}"/searchplugins
-    fi
-}
-
 start_browser() {
    if [ ! -d "${PROFILE}" ]; then
        /usr/local/bin/generate-tor-browser-profile
@@ -68,11 +50,11 @@ start_browser() {
    mkdir --mode=0700 -p "$TMPDIR"
    export TMPDIR

+    # We need to set general.useragent.locale properly to get
+    # localized search plugins (and perhaps other things too). It is
+    # not enough to simply set intl.locale.matchOS to true.
    configure_best_tor_browser_locale "${PROFILE}"

-    # Workaround bug #8036
-    enable_localized_searchplugins
-
    if [ -z "$XAUTHORITY" ]; then
        XAUTHORITY=~/.Xauthority
        export XAUTHORITY

--- a/config/chroot_local-includes/usr/local/bin/wget
+++ b/config/chroot_local-includes/usr/local/bin/wget
-#!/bin/sh
-
-unset http_proxy
-unset HTTP_PROXY
-unset https_proxy
-unset HTTPS_PROXY
-
-exec torsocks /usr/bin/wget "$@"
--- a/config/chroot_local-includes/usr/local/lib/tails-shell-library/common.sh
+++ b/config/chroot_local-includes/usr/local/lib/tails-shell-library/common.sh
 #!/bin/sh

+# Get monotonic time in seconds. See clock_gettime(2) for details.
+# Note: we limit ourselves to seconds simply because floating point
+# arithmetic is a PITA in the shell.
+clock_gettime_monotonic() {
+    perl -w -MTime::HiRes=clock_gettime,CLOCK_MONOTONIC \
+         -E 'say clock_gettime(CLOCK_MONOTONIC)' | \
+        sed 's/\..*$//'
+}
+
 # Run `check_expr` until `timeout` seconds has passed, and sleep
 # `delay` (optional, defaults to 1) seconds in between the calls.
 # Note that execution isn't aborted exactly after `timeout`
@@ -11,9 +20,9 @@ wait_until() {
    timeout="${1}"
    check_expr="${2}"
    delay="${3:-1}"
-    timeout_at=$(expr $(date +%s) + ${timeout})
+    timeout_at=$(expr $(clock_gettime_monotonic) + ${timeout})
    until eval "${check_expr}"; do
-        if [ "$(date +%s)" -ge "${timeout_at}" ]; then
+        if [ "$(clock_gettime_monotonic)" -ge "${timeout_at}" ]; then
            return 1
        fi
        sleep ${delay}