Commit a4ee61f4 authored by intrigeri's avatar intrigeri
Browse files

Merge remote-tracking branch 'origin/master' into italian

parents 2dcc0f86 c3eebe43
......@@ -231,7 +231,7 @@ po_slave_languages:
# On each release `n` of Tails 3.0, 4.0, etc. this list should be
# updated to disable translations of news/version_*, news/test_*, and
# security/Numerous_security_holes_in_* for release `n-2`.
# Also update ikiwiki.setup, news.mdwn, and security.mdwn.
# Also update ikiwiki.setup, index.html, news.mdwn, and security.mdwn.
po_translatable_pages: '!security/audits and !security/audits/* and !news/report_2* and !news/version_0* and !news/test_0* and !security/Numerous_security_holes_in_0* and (about or bugs or chat or contribute or contribute/how/donate or doc or doc/* or download or download.inline or getting_started or inc/stable_i386_release_notes or index or news or news/* or press or press/* or security or security/* or sidebar or support or support/* or todo or torrents or wishlist or misc or misc/* or install or install/* or upgrade or upgrade/*)'
# internal linking behavior (default/current/negotiated)
po_link_to: current
......
......@@ -208,7 +208,7 @@ po_slave_languages:
# On each release `n` of Tails 3.0, 4.0, etc. this list should be
# updated to disable translations of news/version_*, news/test_*, and
# security/Numerous_security_holes_in_* for release `n-2`.
# Also update ikiwiki-cgi.setup, news.mdwn, and security.mdwn.
# Also update ikiwiki-cgi.setup, index.html, news.mdwn, and security.mdwn.
po_translatable_pages: '!security/audits and !security/audits/* and !news/report_2* and !news/version_0* and !news/test_0* and !security/Numerous_security_holes_in_0* and (about or bugs or chat or contribute or contribute/how/donate or doc or doc/* or download or download.inline or getting_started or inc/stable_i386_release_notes or index or news or news/* or press or press/* or security or security/* or sidebar or support or support/* or todo or torrents or wishlist or misc or misc/* or install or install/* or upgrade or upgrade/*)'
# internal linking behavior (default/current/negotiated)
po_link_to: current
......
RewriteEngine on
RewriteBase /
RewriteRule ^bug_reporting doc/first_steps/report_a_bug [R]
RewriteRule ^bug_reporting doc/first_steps/bug_reporting [R]
RewriteRule ^build contribute/build [R]
RewriteRule ^bugs/FireGPG_may_be_unsafe doc/encryption_and_privacy/FireGPG_susceptible_to_devastating_attacks [R]
RewriteRule ^chat support/chat [R]
......@@ -10,19 +10,19 @@ RewriteRule ^found_a_problem support/found_a_problem [R]
RewriteRule ^git contribute/git [R]
RewriteRule ^GnuPG_key doc/about/openpgp_keys [R]
RewriteRule ^license doc/about/license [R]
RewriteRule ^talk-dev contribute/talk [R]
RewriteRule ^talk-dev about/contact#tails-dev [R,NE]
RewriteRule ^talk-users support/talk [R]
RewriteRule ^customize contribute/customize [R]
RewriteRule ^support/truecrypt doc/encryption_and_privacy/truecrypt [R]
RewriteRule ^support/virtualization doc/advanced_topics/virtualization [R]
RewriteRule ^support/walkthrough doc [R]
RewriteRule ^doc/anonymous_internet/iceweasel doc/anonymous_internet/Tor_Browser [R]
RewriteRule ^doc/installing_onto_a_usb_stick/linux doc/first_steps/manual_usb_installation/linux [R]
RewriteRule ^doc/installing_onto_a_usb_stick/windows doc/first_steps/manual_usb_installation/windows [R]
RewriteRule ^doc/installing_onto_a_usb_stick/mac doc/first_steps/manual_usb_installation/mac [R]
RewriteRule ^doc/installing_onto_a_usb_stick/linux install/linux/usb/overview [R]
RewriteRule ^doc/installing_onto_a_usb_stick/windows install/win/usb/overview [R]
RewriteRule ^doc/installing_onto_a_usb_stick/mac install/mac/usb/overview [R]
RewriteRule ^doc/first_steps/bridge_mode doc/first_steps/startup_options/bridge_mode [R]
RewriteRule ^doc/first_steps/windows_theme doc/first_steps/startup_options/windows_camouflage [R]
RewriteRule ^doc/trusting_tails_signing_key doc/get/trusting_tails_signing_key [R]
RewriteRule ^doc/trusting_tails_signing_key install/download/openpgp#wot [R,NE]
RewriteRule ^doc/first_steps/report_a_bug doc/first_steps/bug_reporting [R]
RewriteRule ^doc/encryption_and_privacy/your_data_wont_be_saved_unless_explicitely_asked doc/encryption_and_privacy/your_data_wont_be_saved_unless_explicitly_asked [R]
RewriteRule ^doc/encryption_and_privacy/openpgp_passphrase_encryption doc/encryption_and_privacy/gpgapplet/passphrase_encryption [R]
......@@ -34,10 +34,10 @@ RewriteRule ^doc/first_steps/usb_reset doc/first_steps/reset [R]
RewriteRule ^doc/first_steps/usb_reset/linux doc/first_steps/reset/linux [R]
RewriteRule ^doc/first_steps/usb_reset/windows doc/first_steps/reset/windows [R]
RewriteRule ^doc/first_steps/usb_upgrade doc/first_steps/upgrade [R]
RewriteRule ^doc/first_steps/manual_usb_installation doc/first_steps/installation/manual [R]
RewriteRule ^doc/first_steps/manual_usb_installation/linux doc/first_steps/installation/manual/linux [R]
RewriteRule ^doc/first_steps/manual_usb_installation/windows doc/first_steps/installation/manual/windows [R]
RewriteRule ^doc/first_steps/manual_usb_installation/mac doc/first_steps/installation/manual/mac [R]
RewriteRule ^doc/first_steps/manual_usb_installation install [R]
RewriteRule ^doc/first_steps/manual_usb_installation/linux install/linux/usb/overview [R]
RewriteRule ^doc/first_steps/manual_usb_installation/windows install/win/usb/overview [R]
RewriteRule ^doc/first_steps/manual_usb_installation/mac install/mac/usb/overview [R]
RewriteRule ^contribute/design/usb_installation contribute/design/installation [R]
RewriteRule ^doc/sensitive_documents/audio doc/sensitive_documents/sound_and_video [R]
RewriteRule ^blueprint/tails-greeter:_revamp_UI blueprint/greeter_revamp_UI [R]
......@@ -46,6 +46,17 @@ RewriteRule ^blueprint/Persistence:_add_iceweasel_client_certificates_preset blu
RewriteRule ^news/Call_for_help:_improve_the_infrastructure_behind_Tails news/improve_the_infrastructure_behind_Tails [R]
RewriteRule ^promote/(.*) contribute/how/promote/material/$1 [R]
RewriteRule ^download install [R]
RewriteRule ^doc/first_steps/dvd install/dvd [R]
RewriteRule ^doc/first_steps/installation install [R]
RewriteRule ^doc/first_steps/installation/manual install [R]
RewriteRule ^doc/first_steps/installation/manual/linux install/linux/usb/overview [R]
RewriteRule ^doc/first_steps/installation/manual/mac install/mac/usb/overview [R]
RewriteRule ^doc/first_steps/installation/manual/windows install/win/usb/overview [R]
RewriteRule ^doc/get/trusting_tails_signing_key install/download/openpgp#wot [R,NE]
RewriteRule ^doc/get/verify_the_iso_image_using_gnome install/download/openpgp [R]
RewriteRule ^doc/get/verify_the_iso_image_using_other_operating_systems install/download/openpgp [R]
RewriteRule ^doc/get/verify_the_iso_image_using_the_command_line install/download/openpgp [R]
RewriteRule ^doc/first_steps/bug_reporting/tails_does_not_start doc/first_steps/bug_reporting#does_not_start [R,NE]
# Legacy tickets URLs
RewriteRule ^todo/custom_plymouth_theme https://labs.riseup.net/code/issues/5948 [R]
......
......@@ -6,7 +6,7 @@
msgid ""
msgstr ""
"Project-Id-Version: Tails i10n Team\n"
"POT-Creation-Date: 2016-03-21 18:14+0100\n"
"POT-Creation-Date: 2016-04-29 13:53+0000\n"
"PO-Revision-Date: 2016-03-14 13:51-0000\n"
"Last-Translator: Tails translators <tails@boum.org>\n"
"Language-Team: Tails translators <tails-l10n@boum.org>\n"
......@@ -409,6 +409,11 @@ msgstr ""
"weitere Details zu [[Funktionen und Software|doc/about/features]], die in "
"Tails enthalten sind,"
#. type: Bullet: ' - '
msgid ""
"our [[installation instructions|install]] to download and install Tails,"
msgstr ""
#. type: Bullet: ' - '
msgid "our [[documentation|doc]] explaining in detail how to use Tails,"
msgstr ""
......
......@@ -7,7 +7,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: tails-l10n@boum.org\n"
"POT-Creation-Date: 2016-03-21 18:14+0100\n"
"POT-Creation-Date: 2016-04-29 13:53+0000\n"
"PO-Revision-Date: 2015-10-21 10:58+0000\n"
"Last-Translator: sprint5 <translation5@451f.org>\n"
"Language-Team: Persian <http://weblate.451f.org:8889/projects/tails/about/fa/"
......@@ -440,6 +440,11 @@ msgstr ""
"جزئیات بیشتر در مورد [[ویژگی‌ها و نرم‌افزارهای|doc/about/features]] موجود در "
"تیلز"
#. type: Bullet: ' - '
msgid ""
"our [[installation instructions|install]] to download and install Tails,"
msgstr ""
#. type: Bullet: ' - '
msgid "our [[documentation|doc]] explaining in detail how to use Tails,"
msgstr "[[مستندات|doc]] شامل جزئیات کامل در مورد چگونگی استفاده از تیلز"
......
......@@ -6,7 +6,7 @@
msgid ""
msgstr ""
"Project-Id-Version: tails-about-fr\n"
"POT-Creation-Date: 2016-03-21 18:14+0100\n"
"POT-Creation-Date: 2016-04-29 13:53+0000\n"
"PO-Revision-Date: 2013-10-13 17:08-0000\n"
"Last-Translator: \n"
"Language-Team: \n"
......@@ -401,6 +401,11 @@ msgstr ""
"une revue détaillée des [[fonctionnalités et logiciels inclus|doc/about/"
"features]] dans Tails,"
#. type: Bullet: ' - '
msgid ""
"our [[installation instructions|install]] to download and install Tails,"
msgstr ""
#. type: Bullet: ' - '
msgid "our [[documentation|doc]] explaining in detail how to use Tails,"
msgstr ""
......
......@@ -138,6 +138,7 @@ To continue discovering Tails, you can now read:
- the [[warning page|doc/about/warning]] to better understand the security limitations of Tails and Tor,
- more details about the [[features and software|doc/about/features]] included in Tails,
- our [[installation instructions|install]] to download and install Tails,
- our [[documentation|doc]] explaining in detail how to use Tails,
- some hints on why [[you should trust Tails|doc/about/trust]],
- our [[design document|contribute/design]] laying out Tails specification, threat model and implementation,
......
......@@ -6,7 +6,7 @@
msgid ""
msgstr ""
"Project-Id-Version: 1\n"
"POT-Creation-Date: 2016-03-21 18:14+0100\n"
"POT-Creation-Date: 2016-04-29 13:53+0000\n"
"PO-Revision-Date: 2016-03-28 09:14-0300\n"
"Last-Translator: Tails Developers <amnesia@boum.org>\n"
"Language-Team: Portuguese <LL@li.org>\n"
......@@ -399,6 +399,11 @@ msgstr ""
"mais detalhes sobre as [[características e aplicativos|doc/about/features]] "
"incluídos no Tails,"
#. type: Bullet: ' - '
msgid ""
"our [[installation instructions|install]] to download and install Tails,"
msgstr ""
#. type: Bullet: ' - '
msgid "our [[documentation|doc]] explaining in detail how to use Tails,"
msgstr "nossa [[documentação|doc]] explicando em detalhes como usar o Tails,"
......
......@@ -107,6 +107,144 @@ model, better see
Here is
[an example configuration file](https://git-tails.immerda.ch/mirror-pool/tree/example-mirrors.json).
<a id="speed"></a>
# Speed
This is mainly for [[!tails_ticket 10295]].
## Fast & reliable enough mirrors
i.e. those that I've seen provide good speed and that have had no
reliability issue in the last N months.
Note: measurements done from lizard are capped to 100Mbps due to
upstream network configuration, so they can barely be used to reliably
compare those fast mirrors with each other. For measurements done from
Germany, upstream network should not be the limiting factor for most
practical purposes here.
* 5.45.108.219 aka https://tails.mirror.metalgamer.eu/tails/ (Germany):
- from lizard: 8.21 MB/s, 6.87 MB/s, 7.48 MB/s
- from D.C.: 10.1 MB/s, 9.84 MB/s, 10.1 MB/s
- from Germany: 37.7 MB/s, 43.4 MB/s, 37.2 MB/s
- from France: avg. 21.1 MB/s, stdev 4.1 MB/s
- from Netherlands: 50.4 MB/s, 41.3 MB/s, 43.7 MB/s
* 85.93.216.116 aka https://tails.c3l.lu/tails/ (Luxembourg):
- from lizard: 6.58 MB/s, 6.72 MB/s, 3.73 MB/s, 5.52 MB/s, 2.97 MB/s, 5.31 MB/s, 4.46 MB/s, 4.50 MB/s, 3.15 MB/s
- from D.C.: 8.76 MB/s, 8.82 MB/s, 9.51 MB/s
- from Germany: 34.7 MB/s, 34.9 MB/s, 31.3 MB/s
- from France: avg. 14.5 MB/s, stdev 3.4 MB/s
- from Netherlands: 54.0 MB/s, 52.7 MB/s, 51.7 MB/s
* 195.154.14.189 aka https://16.dl.amnesia.boum.org/tails/ (France):
- from lizard: 5.08 MB/s, 5.25 MB/s, 6.26 MB/s, 6.33 MB/s, 6.17 MB/s
- from D.C.: 4.65 MB/s, 7.21 MB/s, 7.01 MB/s
- from Germany: 22.4 MB/s, 21.6 MB/s, 22.6 MB/s
- from France: avg. 25.4 MB/s, stdev. 1.5 MB/s
- from Netherlands: 17.2 MB/s, 17.5 MB/s, 18.4 MB/s
* 5.104.106.180 aka https://dl2.crypto-rebels.de/tails/ (Germany):
- from lizard: 7.08 MB/s, 5.23 MB/s, 5.46 MB/s, 5.09 MB/s, 4.45 MB/s, 5.72 MB/s
- from D.C.: 7.58 MB/s, 7.98 MB/s, 7.09 MB/s
- from Germany (from the same network): 24.6 MB/s, 17.6 MB/s, 18.4 MB/s
- from France: avg. 15.7 MB/s, stdev. 2.1 MB/s
- from Netherlands: 38.0 MB/s, 37.9 MB/s
* 212.110.161.69 aka http://mirror.bytemark.co.uk/tails/ (UK):
- from lizard: 5.31 MB/s, 6.62 MB/s, 4.61 MB/s, 6.70 MB/s, 6.34 MB/s, 6.26 MB/s
- from D.C.: 7.65 MB/s, 6.68 MB/s, 7.57 MB/s
- from Germany: 15.5 MB/s, 17.1 MB/s, 16.1 MB/s
- from France: avg. 10.4 MB/s, stdev. 2.7 MB/s
- from Netherlands: 25.2 MB/s, 66.3 MB/s, 43.9 MB/s
## Too slow mirrors
* 62.201.161.88 aka http://tails.mirror.iphh.net/tails/ (Germany):
- from lizard: 2.67 MB/s, 1.84MB/s, 1.82MB/s, 2.44MB/s
- from Germany: 56.7MB/s, 32.1MB/s, 13.7MB/s
- from France: avg. 11.6 MB/s, stdev 3.7 MB/s
* 178.217.184.32 aka https://tails.uk.to/tails/ (Poland):
- from lizard: 4.96 MB/s, 4.96 MB/s
- from Germany: 17.1 MB/s, 18.9 MB/s, 16.7 MB/s
- from France: avg. 8.5 MB/s, stdev 2.1 MB/s
* 176.9.38.37:
- from lizard: 2.81 MB/s, 2.74MB/s, 3.05MB/s, 2.74MB/s
- from Germany: 43.0MB/s, 22.1MB/s, 7.41MB/s
- from France: avg. 11.7 MB/s, stdev 2.6 MB/s
* 195.154.188.146: 3.69 MB/s
* 83.212.104.246:
- from lizard: 3.90 MB/s
- from France: avg. 4.8 MB/s, stdev 2.4 MB/s
* 188.138.127.35 aka https://tails.bl0m.de/tails/: perf. varies too much
* 45.33.79.99
- from France: avg. 4.3 MB/s, stdev 0.6 MB/s
* 80.241.222.98 aka http://dl3.crypto-rebels.de/tails/ (Germany):
- from lizard: 9.18 MB/s, 3.90 MB/s, 6.62 MB/s
- from Germany: 7.83 MB/s, 8.00 MB/s, 7.54 MB/s
* 213.136.84.245 aka https://dl1.crypto-rebels.de/tails/ (Germany):
- from lizard: 7.10 MB/s, 8.46 MB/s
- from Germany: 9.74 MB/s, 7.99 MB/s, 7.60 MB/s
- from France: avg. 6.5 MB/s, stdev. 2.4 MB/s
* 81.7.10.29 aka https://tails.ybti.net/tails/ (Germany):
- from lizard: 6.28 MB/s, 5.17 MB/s, 5.26 MB/s
- from Germany: 7.92 MB/s, 6.04 MB/s, 6.92 MB/s
- from France: avg. 5.2 MB/s, stdev 1.5 MB/s
* 96.126.119.95 aka https://tails.interpipe.net/tails/ (USA):
- from lizard: 6.10 MB/s, 7.04 MB/s
- from Germany: 4.99 MB/s, 4.62 MB/s, 4.59 MB/s
- from France: avg. 3.5 MB/s, stdev 0.1 MB/s
* 5.135.66.221 aka http://24.dl.amnesia.boum.org/tails/ (France):
- from lizard: 3.27MB/s, 2.77MB/s, 2.89MB/s
- from Germany: 6.22MB/s, 6.93MB/s, 5.05MB/s
- from France: avg. 10.2 MB/s, stdev 1.7 MB/s
* 151.80.190.129 (France):
- from lizard: 2.69MB/s, 1.24MB/s, 1.27MB/s
- from Germany: 2.40MB/s, 2.60MB/s, 4.42MB/s
- from France: avg. 7.0 MB/s, stdev 0.6 MB/s
* 158.36.190.173 (Norway):
- from lizard: 3.17MB/s, 3.44MB/s, 2.44MB/s
- from Germany: 24.4MB/s, 23.1MB/s, 23.5MB/s
- from France: avg. 7.0 MB/s, stdev 1.1 MB/s
* 192.42.116.116 aka http://192.42.116.116/tails/ (Netherlands):
- from lizard: 4.36 MB/s, 6.45 MB/s, 5.94 MB/s, 6.53 MB/s
- from D.C.: 3.72 MB/s, 2.80 MB/s, 2.86 MB/s
- from Germany: 45.0 MB/s, 45.5 MB/s, 38.0 MB/s
- from France: avg. 16.8 MB/s, stdev 2.0 MB/s
- from Netherlands: 89 MB/s, 94.8 MB/s, 88.0 MB/s
* 141.138.141.28 aka http://25.dl.amnesia.boum.org/tails/ (Netherlands):
- from lizard: 3.35MB/s, 9.07MB/s, 6.00MB/s, 5.35 MB/s, 4.74 MB/s, 3.97 MB/s
- from D.C.: 5.82 MB/s, 6.37 MB/s, 7.13 MB/s
- from Germany: 16.7MB/s, 27.9MB/s, 24.5MB/s
- from France: avg. 11.9 MB/s, stdev 2.3 MB/s
- from Netherlands: 21.5 MB/s, 21.9 MB/s, 23.3 MB/s
## Inadequate mirrors for other reason
* https://mirrors.ocf.berkeley.edu/tails/ (California): lacks dl.a.b.o vhost
## Not reliable enough mirrors
i.e. mirrors that have had issues at least once in the last 6 months;
let's not include them in the fallback DNS pool:
* 5.196.175.179
* 77.70.69.9
- from France: avg. 0.3 MB/s, stdev 0.1 MB/s ⇒ **TODO** remove from the pool?
* 80.90.43.162
* 84.106.196.237
* 86.59.119.84
* 109.239.48.152
* 137.226.34.46:
- from lizard: 798 KB/s, 9.80MB/s, 2.08MB/s, 1.37MB/s
connection closes in the middle of the download pretty often
- from Germany: 8.73MB/s, 10.4MB/s, 12.2MB/s
- from France: avg. 11.1 MB/s, stdev 2.5 MB/s
* 141.138.136.78
* 144.76.14.145
* 149.202.98.175
* 178.32.220.171
* 192.99.131.144
* 198.199.103.96
* 212.47.229.219
# Initial research
See [[HTTP_mirror_pool/archive]].
[[!meta title="Tails April 2016 report"]]
[[!toc levels=2]]
<div class="caution">
<strong>Deadline: 2016-05-05</strong>
</div>
<div class="note">
Deliverable identifiers and descriptions are not free-form: they must
be copy'n'pasted as-is from the proposal sent to the sponsor.
</div>
[Last month's activity on Redmine](https://labs.riseup.net/code/projects/tails/issues?query_id=208)
can be helpful.
This reports covers the activity of Tails in April 2016.
Everything in this report is public.
# A. Replace Claws Mail with Icedove
## A.n. description of subsection
- A.n.m. description of deliverable: ticket numbers
status summary:
* what was done
* what is the outcome (how it makes Tails better)
* what was not done, and why
# B. Improve our quality assurance process
# C. Scale our infrastructure
## C.1. Change in depth the infrastructure of our pool of mirrors
XXX: see March report for ticket numbers about other C.1.n's.
* DAVE ([[!tails_ticket 11109]])
- The URL used for a new download is now built using our mirror pool
(example) config, using our mirror-dispatcher.js library.
- Next WIP step (as of 20160408): support resuming an existing
download (that may have been started using another mirror than the
one we would like to use this time).
- And then we'll want other people to review and audit our
proposed changes.
* C.1.3. Design and implement the mirrors pool administration process and tools ([[!tails_ticket 8638]], [[!tails_ticket 11122]], [[!tails_ticket 11054]], [[!tails_ticket 11335]])
* C.1.5. Deploy the script and the mirror pool description ([[!tails_ticket 8641]], XXX)
They are now live on our website, but not used yet until C.1.6.
Let's say this now includes [[!tails_ticket 10295]] and
[[!tails_ticket 11284]].
* C.1.6. Adjust download documentation to point to the mirror pool dispatcher's URL ([[!tails_ticket 8642]], [[!tails_ticket 11329]])
* C.1.8. Clean up the remainers of the old mirror pool setup ([[!tails_ticket 8643]])
# D. Migration to Debian Jessie
# E. Release management
......@@ -18,6 +18,8 @@ The best way to reach us is through the [tails-dev](https://mailman.boum.org/lis
* [Persistent Tor state](https://tails.boum.org/blueprint/persistent_Tor_state/)
* [Time syncing](https://tails.boum.org/blueprint/robust_time_syncing/)
If you have an idea yourself and would like to propose it, please write to us through the tails-dev mailinglist.
## User experience
If you're an user interface designer you might be delighted to hear that we have a [mailinglist](https://tails.boum.org/contribute/how/user_interface/) targeted at you!
......
......@@ -63,8 +63,8 @@ The cons:
About the removal of Seahorse Nautilus
======================================
As of now, we are explaining how to [[verify ISO images using
`seahorse-nautilus` for GNOME|doc/get/verify_the_iso_image_using_gnome]].
As of now, we are explaining how to verify ISO images using
`seahorse-nautilus` for GNOME.
While reworking the ISO verification scenarios, we pretty much settled on the
idea of removing Seahorse Nautilus as a verification option, at least from the
assistant. Here is why.
......
......@@ -28,70 +28,49 @@ little value.
- developer (including stable, testing, devel, and `$topic`)
* get the updated documentation + this design reviewed, including
security aspects [i]
* give RM's access to `reprepro-time-based-snapshots@apt.lizard` [i]
* document how to freeze time-based APT snapshots being used:
./auto/scripts/apt-snapshots-serials freeze && \
git commit \
-m 'Freeze APT snapshots to the current ones.' \
config/APT_snapshots.d/*/serial
* document how to thaw time-based APT snapshots being used:
./auto/scripts/apt-snapshots-serials thaw && \
git commit \
-m 'Thaw APT snapshots.' \
config/APT_snapshots.d/*/serial
* document how to bump `Valid-Until` [i], e.g.
ssh reprepro-time-based-snapshots@apt.lizard \
tails-bump-apt-snapshot-valid-until \
tails 2016031304 15
* move relevant content from this blueprint to the "final" design
doc + contributors doc
2. time-based snapshots [i]
a. **done** initial reprepro setup that keeps up-to-date local mirrors of
the APT repositories we need
b. **done** snapshot these mirrors every time they're updated
c. **done** decide how many reprepro instances we want/have to split all
this among
d. **done** mirror relevant suites of deb.tails.b.o as well
d. **done** publish the snapshots over HTTP
d. **done** clean up Wheezy packages (including those referenced by
snapshots)
e. **done** publish the snapshots' serial over HTTP
(e.g. <http://time-based.snapshots.deb.tails.boum.org/debian-security/project/trace/debian-security>)
e. **done** try using such snapshots for building an ISO:
done in `feature/5926-freezable-APT-repository`
e. Avoid re-downloading everything one has in their local
apt-cacher-ng, and filling its cache with files duplicated
many times. It's acceptable not to have optimal caching for `dists/`; what
matters is `pool`. We have a working PoC using the "merging" strategy (documented on
<file:///usr/share/doc/apt-cacher-ng/html/config-serv.html#repmap>),
that is `Remap-tails` with no `TargetURLs` list; it works if
we do that for the `pool/` directory only (we don't want to
merge the cache for the different `dists` directory):
$ echo 'Remap-tailspool: file:tails-time-based-snapshots-debian-pool.list' \
| sudo tee /etc/apt-cacher-ng/tails-time-based-snapshots-debian-pool.conf
$ for origin in $(cd config/APT_snapshots.d/ ; ls -d *) ; do for y in $(seq 2016 2026) ; do for m in $(seq 1 12); do for d in $(seq 1 31) ; do for t in $(seq 1 4) ; do printf 'http://time-based.snapshots.deb.tails.boum.org/%s/%04u%02u%02u%02u/pool/\n' $origin $y $m $d $t ; done ; done ; done ; done | sudo tee /etc/apt-cacher-ng/tails-time-based-snapshots-$origin-pool.list ; done
e. check if/how
[by-hash](http://www.chiark.greenend.org.uk/~cjwatson/blog/no-more-hash-sum-mismatch-errors.html)
impacts our design and implementation
e. deny robots access to that data
e. implement GC of expired snapshots and packages (`tails-delete-expired-apt-snapshots`):
* review [i]
* test, including dry-run, silent & verbose modes, performance,
and removal of expired snapshots' `dist` directories after
`deleteunreferenced` [i]
* deploy with Puppet, redirect output to a log file, logrotate snippet [i]
g. have build system output the snapshots being used,
and have Jenkins publish this info if available
many times. We have a config file generator in:
`auto/scripts/update-acng-config`. We need to use it, somehow,
for:
- **done**: Vagrant build setup: update this file as part of the
build process
- **done** `tails::builder` Puppet class
- manual build setup: we should not bother too much because
now Vagrant should be working for everyone, so a manual build
setup is a corner case, that we can address with some minimal
documentation. What to do depends on where `apt-cacher-ng`
runs; when it's on the build host, then we can update the
configuration as part of the build process, just like for the
Vagrant case; else, if it's run elsewhere, then one should use
a cronjob, just like in the Puppet case, or do it by hand;
let's keep in mind that once generated, the config file should
be valid for a while.
f. handle ever-growing `references.db`, aka. [[!debbug 823629]]: if
`references.db` doesn't fit in the memory disk cache, then at
least our GC process gets very slow); the visible consequence
would be: long periods of heavy disk read, and much slower
snapshots expiration process; so we added an Icinga2 check on
the file size itself. When this problem occurs, our options are:
* add more RAM to the VM if that's still feasible and reasonable
(likely not)
* reset the whole `debian` repository to an empty state (simple
and big hammer, painful as it requires lots of coordination
with developers)
* compact the DB with `db5.3_dump` + `db5.3_load`: it got our
big `debian/db/references.db` down from 5.4 GB to 1.5 GB
* compact the DB with `DB->compact()`, using
[a script we wrote](https://git-tails.immerda.ch/puppet-tails/tree/files/reprepro/snapshots/time_based/tails-compact-reprepro-db)
(<https://docs.oracle.com/cd/E17076_02/html/programmer_reference/am_misc_diskspace.html>,
<https://groups.google.com/forum/#!topic/memcachedb/uiSvgStzYNY>,
<https://docs.oracle.com/cd/E17076_02/html/api_reference/C/dbcompact.html>):
works on small databases, but on our big `debian` the file
doesn't shrink
h. have Jenkins publish the `.apt-sources` file, if available
3. generate set of APT sources [i]
* write automated tests for the generation of APT sources
......@@ -108,32 +87,9 @@ little value.
[[switching to live APT sources at runtime|freezable_APT_repository#runtime-sources]]
4. tagged snapshots
a. **done** PoC of capturing the list of binary packages used during the build
b. **done** PoC of capturing the list of source packages used during the build
c. **done** initial reprepro setup for tagged snapshots
d. **done** debootstrap in jessie-backports
d. **done** Have Jenkins create, publish and manage
`latest.iso.build-manifest` symlinks
e. **WIP** create a partial snapshot from a manifest and
the origin time-based snapshots:
* `generate-build-manifest` (main Git repo), aka. get [[!tails_ticket 10748]]
done in Tails 2.3 [i]
- convert custom `data/debootstrap/tails-wheezy` into a patch,
or set up the process to update/replace it in the future,
or something (we're using Jessie now) [i]
- get rid of the last XXX in `data/wrappers/apt-get`
- move `data/wrappers/apt-get` to a better place
* deploy, update release process doc, grant RM's access
h. publish tagged snapshots over HTTP
h. for some Tails release: generate manifest, import packages into
tagged snapshots, try building *offline* with these tagged
snapshots [i]
k. Update the
[[Listing used packages|freezable APT repository#build-manifest]]
section
k. delete the testing `8.32-alpha` tagged snapshot
l. Point consumers of the now deprecated `*.{bin,src}pkg` (probably
only jenkins.debian.net) to the new build manifest.
m. if needed, implement GC
5. misc
* implement whatever the "freeze exceptions" section requires
......@@ -206,65 +162,8 @@ except:
* if a set of APT repository snapshots is encoded directly in that
branch: use them, even for security.debian.org.
## Different problems ⇒ different solutions
Note that:
* The time-based snapshots of the mirrored APT repositories that are
used basically all the time (except when building a release) should
be *full* snapshots, that is they should contain exactly the same
set of packages as the mirrored repository. This has the advantage
that some workflows are trivially handled, e.g. working on a topic
branch that installs additional Debian packages; if such snapshots
were not full ones, then to work on one such branch, one would need
either that I have the credentials to import new packages from
Debian into our own mirror or repositories (which raises the
barrier for contributing), or that during some phases of Tails
development the regular Debian archive is used instead of our own
mirror, which feels prone to "time to QA vs. time to
release" issues.
* The tagged snapshots used to build releases can be *partial*, that
is they can contain only the subset of the mirrored repositories
that is required for building a specific Tails ISO image.
So, we actually want to manage two sets of snapshots that are vastly
different in terms of goals, users, turnover, garbage collection and
backup strategies:
* **time-based, full snapshots** of the mirrored APT repositories over
the last N days;
- goal: freezable repo feature for the dev process and QA
- this one can be restarted from scratch from time to time if
reprepro becomes too slow for some reason (such as imperfect DB
garbage collection);
- if we lose this content, we lose only N days of data, and we can
immediately rebuild a working data set from scratch ⇒ no need to
sync' this content to the failover server; no need to back it up;
* **tagged, partial snapshots** that were used to build released Tails
ISO images:
- goal: reproducible builds, GPL compliance;
- in there we import only the needed packages;
- we want to back up this data, and expire it very cautiously,
if ever.
Trying to solve both problems in the same `reprepro` instance would be
problematic. Not only, coupling very different problems together, and
trying to address them with the exact same tools and process, is
generally a bad idea. But also, reprepro's database becomes quite big
when we import large chunks of the Debian archive into it, which may
make it slow ([[!tails_ticket 6295]]), and in any case makes it hard
to back up... which we want to, for preserving the releases' tagged
snapshots information.
So we'll use two independent `reprepro` instances to address these
two problems.
# Special cases and implementation
<a id="runtime-sources"></a>
## Custom APT repository
Our custom APT repository (<http://deb.tails.boum.org/>) is not part of
......@@ -281,6 +180,8 @@ upload a package to it, and when we can build an ISO with it; we could
solve this by automatically creating a new snapshot whenever an APT
suite corresponding to a release branch is updated).