Commit bf32c51d authored by sajolida

Merge remote-tracking branch 'origin/master' into bugfix/17183-seahorse-import-wrapper

parents e6053152 ac01240c
[submodule "submodules/jenkins-tools"]
path = submodules/jenkins-tools
url = https://git-tails.immerda.ch/jenkins-tools
url = https://gitlab.tails.boum.org/tails/jenkins-tools.git
[submodule "submodules/chutney"]
path = submodules/chutney
url = https://git-tails.immerda.ch/chutney
url = https://gitlab.tails.boum.org/tails/chutney.git
branch = feature/tails_test_suite
[submodule "submodules/mirror-pool-dispatcher"]
path = submodules/mirror-pool-dispatcher
url = https://git-tails.immerda.ch/mirror-pool-dispatcher
url = https://gitlab.tails.boum.org/tails/mirror-pool-dispatcher.git
[submodule "submodules/tails-workarounds"]
path = submodules/tails-workarounds
url = https://git-tails.immerda.ch/tails-workarounds
url = https://gitlab.tails.boum.org/tails/workarounds.git
doc/README
\ No newline at end of file
## About Tails
[**Tails**](https://tails.boum.org/) is a portable operating system that protects your privacy and helps you avoid censorship.
[![Drawing of a Tails stick that is marked to be pluged into a labtop](https://tails.boum.org/index/laptop.svg)](https://tails.boum.org/)
- Tails uses the Tor network to protect your privacy online and help you avoid censorship. Enjoy the Internet like it should be.
- Shut down the computer and start on your Tails USB stick instead of starting on Windows, macOS, or Linux. Tails leaves no trace on the computer when shut down.
- Tails includes a selection of applications to work on sensitive documents and communicate securely. Everything in Tails is ready-to-use and has safe defaults.
- You can download Tails for free and independent security researchers can verify our work. Tails is based on Debian GNU/Linux.
[Learn learn how Tails works](https://tails.boum.org/about)
### How to contribute to Tails
There are many ways [you can contribute to Tails](https://tails.boum.org/contribute/). No effort is too small and whatever you bring to this community will be appreciated.
Find out how you can make a difference in Tails: https://tails.boum.org/contribute/.
### How to get started with Gitlab
https://tails.boum.org/contribute/working_together/GitLab/
### How to transition to GitLab
https://tails.boum.org/contribute/working_together/GitLab/transition/
### License and source code distribution
**Tails** is [Free Software](https://www.gnu.org/philosophy/free-sw.html): you can download, use, and share it with no restrictions.
<a href="https://tails.boum.org/doc/about/license/"><img alt="Tails is Free Software" src="https://tails.boum.org/index/gift.svg" width="560"/>
The Tails source code is released under the GNU/GPL (version 3 or above) and is Copyright (C) Tails developers tails@boum.org.
Any exception to this rule is documented either [here](https://tails.boum.org/doc/about/license/) or in the affected source file.
However, Tails includes non-free firmware in order to work on as much hardware as possible.
### Contact
email and mailing lists: https://tails.boum.org/about/contact
XMPP: tails@conference.riseup.net and tails-dev@conference.riseup.net
[![Tails](https://tails.boum.org/contribute/how/promote/material/logo/tails-logo-flat.svg)](https://tails.boum.org)
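Review bot: The new README has a few text and markup slips in the lines shown: the link text `Learn learn how Tails works` repeats a word, the image alt text reads `pluged into a labtop` (plugged, laptop), and the `<a href="https://tails.boum.org/doc/about/license/">` around the gift.svg image is never closed with `</a>`, so the paragraphs that follow may render inside the link. The two headings also disagree on "Gitlab" versus "GitLab"; pick the latter throughout.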
......@@ -183,6 +183,8 @@ TAILS_PRODUCT_NAME="Tails"
TAILS_VERSION_ID="$AMNESIA_VERSION"
TAILS_DISTRIBUTION="$TAILS_DISTRIBUTION"
EOF
# If you update the following regexp, also update it in
# config/chroot_local-includes/usr/src/iuk/lib/Tails/IUK/UpgradeDescriptionFile/Generate.pm
if echo "$AMNESIA_VERSION" | grep -qs -E '~(alpha|beta|rc)[0-9]*$' ; then
echo 'TAILS_CHANNEL="alpha"' >> config/chroot_local-includes/etc/os-release
fi
......
......@@ -8,7 +8,7 @@ import sys
from typing import List
from pathlib import Path
JENKINS_IUKS_BASE_URL = "https://nightly.tails.boum.org/build_IUKs/builds"
JENKINS_IUKS_BASE_URL = "https://nightly.tails.boum.org/parallel_collect_IUKs/builds"
RSYNC_SERVER_HOSTNAME = "rsync.lizard"
LOG_FORMAT = "%(asctime)-15s %(levelname)s %(message)s"
log = logging.getLogger()
......@@ -92,6 +92,41 @@ def download_iuks_from_jenkins(
destdir: str,
jenkins_iuks_base_url: str,
jenkins_build_id: int) -> None:
# This assumes same basename for hashes, locally and in Jenkins:
log.info("Downloading IUK hashes (if available) from Jenkins to %s…" % (desthost))
try:
url = "%s/%s/archive/%s" % (
jenkins_iuks_base_url,
jenkins_build_id,
Path(hashes_file).name
)
jenkins_hashes = '%(d)s/%(f)s' % {
"d": destdir,
"f": '%s.jenkins' % Path(hashes_file).name
}
our_hashes = '%(d)s/%(f)s' % {
"d": destdir,
"f": Path(hashes_file).name,
}
subprocess.run(
["ssh", desthost, "wget", "--quiet", "--no-clobber",
"-O", jenkins_hashes, url],
check=True
)
subprocess.run(
["ssh", desthost,
"sh -c \"if ! cmp -s '%(j_h)s' '%(o_h)s'; then "
"echo 'WARNING: IUK hashes seem different'; else "
"echo 'OK: IUK hashes seem similar'; fi\"" % {
"j_h": jenkins_hashes,
"o_h": our_hashes,
}],
check=True
)
except subprocess.CalledProcessError:
log.error("Unable to download/validate IUK hashes from Jenkins")
log.info("Downloading IUKs from Jenkins to %s…" % (desthost))
iuks = iuks_listed_in(hashes_file)
log.debug("IUKS: %s" % ', '.join(iuks))
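Review bot: A hash mismatch in `download_iuks_from_jenkins` does not stop anything: the remote `sh -c` only echoes `WARNING: IUK hashes seem different` and exits 0, so `check=True` never fires on it, and the `except subprocess.CalledProcessError` branch just logs an error before the IUK download proceeds. If this is meant as a verification step, let the remote command exit non-zero on mismatch (running `cmp -s` directly would do) and decide explicitly whether to abort, keeping "hashes file not available" distinct from "hashes differ". `--no-clobber` together with `-O` keeps an existing `.jenkins` file, so a leftover from an earlier run would be compared instead of a fresh download. The paths are interpolated into a single-quoted shell string sent through ssh, so building it with `shlex.quote` would be more robust, and the messages could say identical/different, since `cmp` tests byte equality rather than similarity.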
......
......@@ -9,8 +9,6 @@
# This script introduces 'su' function for non-root users. The 'su'
# function executes '/usr/local/bin/replace-su-with-sudo', which asks
# them to use 'sudo' instead of 'su'.
#
# https://redmine.tails.boum.org/code/issues/15583
# Get LIVE_USERNAME
. /etc/live/config.d/username.conf
......
......@@ -9,8 +9,6 @@
# 'is_password_set()' function from 'adminpassword.py' library. If the
# password is set, the user is asked to use 'sudo' instead of 'su'.
# Otherwise, the user is asked to first set the administration password.
#
# https://redmine.tails.boum.org/code/issues/15583
import gettext
import sys
......
......@@ -34,6 +34,9 @@ exec_firefox_helper() {
export TOR_SKIP_LAUNCH=1
fi
# New in 9.5: Avoid overwriting user's dconf values. Fixes #27903.
export GSETTINGS_BACKEND=memory
# The Tor Browser often assumes that the current directory is
# where the browser lives, e.g. for the fixed set of fonts set by
# fontconfig above.
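Review bot: The comment above `export GSETTINGS_BACKEND=memory` cites `#27903` without naming the tracker, and "New in 9.5" does not name the product. Spell out both (this looks like a Tor Browser version and ticket rather than a Tails issue) so the reference stays resolvable, and note in the comment that the memory backend means GSettings reads and writes made by the browser process do not touch the user's dconf database, which is the behaviour a later maintainer will need to know before changing it.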
......
......@@ -18,7 +18,9 @@ is:IS
it:IT
ja:JP
ko:KR
lt:LT
mk:MK
ms:ID
nb-NO:NO
nl:NL
pl:PL
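Review bot: `ms:ID` pairs the Malay language code with Indonesia's country code, while the neighbouring entries pair a language with its own country (`lt:LT`, `mk:MK`). If `MY` was intended, fix it here; if `ID` is deliberate, a short comment or commit-message line explaining the choice would save the next reader the question.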
......@@ -26,6 +28,7 @@ pt-BR:BR
ro:RO
ru:RU
sv-SE:SE
th:TH
tr:TR
vi:VN
zh-CN:CN
......
......@@ -200,7 +200,7 @@
<property name="can_focus">False</property>
<property name="receives_default">True</property>
<property name="relief">none</property>
<property name="uri">doc/first_steps/startup_options.en.html#locale</property>
<property name="uri">doc/first_steps/welcome_screen.en.html#locale</property>
<signal name="activate-link" handler="cb_linkbutton_help_activate" swapped="no"/>
<child>
<object class="GtkImage" id="image_language_help">
......@@ -481,7 +481,7 @@
<property name="can_focus">False</property>
<property name="receives_default">True</property>
<property name="relief">none</property>
<property name="uri">doc/first_steps/startup_options.en.html#additional</property>
<property name="uri">doc/first_steps/welcome_screen.en.html#additional</property>
<signal name="activate-link" handler="cb_linkbutton_help_activate" swapped="no"/>
<child>
<object class="GtkImage" id="image_settings_help">
......
http://torbrowser-archive.tails.boum.org/9.0.10-build2/
http://torbrowser-archive.tails.boum.org/9.5-build2/
71bdf80a64488b95a621ab3275fa2de79cf7e671df41982d1f43bc1c17749c1d tor-browser-linux64-9.0.10_en-US.tar.xz
f699e2e9ee2f0db3a144801971ea3854604f82a08544db69ba38c05224bc9914 langpacks-tor-browser-linux64-9.0.10.tar.xz
08fca06954b1119291b1d298f59683e9b44bd428db1215a3c562f337bff88e50 tor-browser-linux64-9.5_en-US.tar.xz
90290533e40154b7db7f5ec7a1d8bd248af8d76ca626eabec84e6bff189cd223 langpacks-tor-browser-linux64-9.5.tar.xz
......@@ -24,7 +24,7 @@ copyright_year = 2013
[MetaResources]
homepage = https://tails.boum.org/
repository.url = git://git.tails.boum.org/tails
repository.url = https://gitlab.tails.boum.org/tails/tails.git
repository.type = git
[@Filter]
......
......@@ -25,8 +25,6 @@ my $bindir = path(__FILE__)->parent->parent->parent->parent->child('bin')->absol
use Env qw{@PATH};
unshift @PATH, $bindir;
my $union_type = $ENV{UNION_TYPE} // 'overlayfs';
Given qr{^a usable temporary directory$}, fun ($c) {
my $dirname = Path::Tiny->tempdir(CLEANUP => 0);
$c->{stash}->{scenario}->{tempdir} = $dirname;
......@@ -212,7 +210,6 @@ When qr{^I create an IUK$}, fun ($c) {
# that one needs to be root to create
"sudo SOURCE_DATE_EPOCH=$ENV{SOURCE_DATE_EPOCH} " .
path($bindir, "tails-create-iuk") .
' --union_type ' . $union_type .
' --old_iso "' .
path($c->{stash}->{scenario}->{tempdir}, 'old.iso') . '" ' .
' --new_iso "' .
......@@ -391,17 +388,11 @@ fun squashfs_in_iuk_deletes($iuk_in, $squashfs_name, $deleted_file) {
my $union_workdir = path($union_basedir, 'work');
my $union_mountpoint = path($union_basedir, 'mount');
$_->mkpath for ($union_workdir, $union_mountpoint);
my @mount_args = $union_type eq 'overlayfs'
? (
'-t', 'overlay',
'-o', sprintf("noatime,lowerdir=%s,upperdir=%s,workdir=%s",
$old_dir, $new_dir, $union_workdir),
'overlay'
)
: (
'-t', 'aufs',
'-o', sprintf("noatime,noxino,br=%s=rw:%s=rr+wh", $new_dir, $old_dir),
$new_dir
my @mount_args = (
'-t', 'overlay',
'-o', sprintf("noatime,lowerdir=%s,upperdir=%s,workdir=%s",
$old_dir, $new_dir, $union_workdir),
'overlay'
);
capturex(
......
......@@ -65,13 +65,6 @@ option 'outfile' =>
format => 's',
documentation => q{Location of the created IUK};
option 'union_type' =>
is => 'lazy',
isa => Enum[qw{aufs overlayfs}],
coerce => Enum->coercion,
format => 's',
documentation => q{aufs or overlayfs};
has 'format_version' =>
is => 'lazy',
isa => Str;
......@@ -94,6 +87,22 @@ has 'mksquashfs_options' =>
list_mksquashfs_options => 'elements',
};
option 'mksquashfs_lock_file' =>
is => 'lazy',
isa => AbsPath,
coerce => AbsPath->coercion,
format => 's',
predicate => 1,
documentation => q{Location of the mksquashfs lock file};
has 'mksquashfs_prefix_cmd' =>
is => 'lazy',
isa => ArrayRef,
handles_via => 'Array',
handles => {
list_mksquashfs_prefix_cmd => 'elements',
};
option 'ignore_if_same_content' =>
is => 'lazy',
isa => ArrayRef,
......@@ -246,9 +255,17 @@ method _build_overlay_dir () {
method _build_format_version () { "2"; }
method _build_mksquashfs_options () { [
qw{-no-progress -noappend},
qw{-comp xz -Xbcj x86 -b 1024K -Xdict-size 1024K},
qw{-comp xz},
]}
method _build_mksquashfs_prefix_cmd () { [
("SOURCE_DATE_EPOCH=$ENV{SOURCE_DATE_EPOCH}"),
(
$self->has_mksquashfs_lock_file
? ('flock', '--verbose', $self->mksquashfs_lock_file)
: (),
)
]}
method _build_union_type () { "overlayfs"; }
method _build_delete_files () {
my $old_iso_obj = Device::Cdio::ISO9660::IFS->new(-source=>$self->old_iso->stringify);
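Review bot: `_build_mksquashfs_prefix_cmd` interpolates `$ENV{SOURCE_DATE_EPOCH}` without checking that it is set; when the variable is missing the prefix becomes `SOURCE_DATE_EPOCH=` and mksquashfs runs with an empty value instead of the build failing early. Consider croaking when it is undefined, since reproducibility of the IUK depends on it. A one-line comment on the `flock` branch (it serialises mksquashfs runs only when `mksquashfs_lock_file` is given) would also document why the prefix is built conditionally.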
......@@ -322,28 +339,24 @@ method create_squashfs_diff () {
croak "SquashFS '$new_squashfs' not found in '$new_iso_mount'" unless -e $new_squashfs;
run_as_root(qw{mount -t squashfs -o loop}, $new_squashfs, $new_squashfs_mount);
if ($self->union_type eq 'aufs') {
run_as_root(
qw{mount -t aufs},
"-o", sprintf("br=%s=rw:%s=ro", $union_upperdir, $old_squashfs_mount),
"none", $union_mount
);
} else {
run_as_root(
qw{mount -t overlay},
"-o", sprintf("lowerdir=%s,upperdir=%s,workdir=%s",
$old_squashfs_mount, $union_upperdir, $union_workdir),
"overlay", $union_mount
);
}
run_as_root(
qw{mount -t overlay},
"-o", sprintf("lowerdir=%s,upperdir=%s,workdir=%s",
$old_squashfs_mount, $union_upperdir, $union_workdir),
"overlay", $union_mount
);
my @rsync_options = qw{--archive --quiet --delete-after --acls --checksum
--xattrs};
my @rsync_options = qw{--archive --quiet --delete-after --acls --checksum};
push @rsync_options, "--xattrs" if $self->union_type eq 'overlayfs';
my $basename = path($self->outfile)->basename;
my $t1 = time;
run_as_root(
"rsync", @rsync_options,
sprintf("%s/", $new_squashfs_mount),
sprintf("%s/", $union_mount),
);
printf "TIME (rsync for $basename): %d seconds\n", (time - $t1);
for my $glob (@{$self->ignore_if_same_content}) {
my @candidates_for_removal = map {
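Review bot: In `printf "TIME (rsync for $basename): %d seconds\n", (time - $t1);` the output file's basename is interpolated into the format string, so a `%` in the name would be read as a conversion and garble or break the line. Pass it as an argument instead, e.g. `printf "TIME (rsync for %s): %d seconds\n", $basename, time - $t1;`. The same pattern appears in the two mksquashfs timing lines added further down.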
......@@ -361,54 +374,51 @@ method create_squashfs_diff () {
} @candidates_for_removal;
}
if ($self->union_type eq 'aufs') {
run_as_root('auplink', $union_mount, 'flush');
}
run_as_root("umount", $union_mount);
# Remove trusted.overlay.* xattrs
if ($self->union_type eq 'overlayfs') {
my @xattrs_dump = stdout_as_root(
qw{getfattr --dump --recursive --no-dereference --absolute-names},
q{--match=^trusted\.overlay\.},
$union_upperdir->stringify,
);
my %xattrs;
my $current_filename;
foreach (@xattrs_dump) {
defined || last;
chomp;
if (! length($_)) {
$current_filename = undef;
next;
} elsif (my ($filename) = ($_ =~ m{\A [#] \s+ file: \s+ (.*) \z}xms)) {
$current_filename = $filename;
} elsif (my ($xattr, $value) = ($_ =~ m{\A(trusted[.]overlay[.][^=]+)=(.*)\z}xms)) {
push @{$xattrs{$xattr}}, $current_filename;
} else {
croak "Unrecognized line, aborting: '$_'";
}
}
while (my ($xattr, $files) = each %xattrs) {
my $stdin = join(chr(0), @$files);
my ($stdout, $stderr);
IPC::Run::run [
qw{sudo xargs --null --no-run-if-empty},
'setfattr', '--remove=' . $xattr,
'--no-dereference',
'--'
], \$stdin or croak "xargs failed: $?";
my @xattrs_dump = stdout_as_root(
qw{getfattr --dump --recursive --no-dereference --absolute-names},
q{--match=^trusted\.overlay\.},
$union_upperdir->stringify,
);
my %xattrs;
my $current_filename;
foreach (@xattrs_dump) {
defined || last;
chomp;
if (! length($_)) {
$current_filename = undef;
next;
} elsif (my ($filename) = ($_ =~ m{\A [#] \s+ file: \s+ (.*) \z}xms)) {
$current_filename = $filename;
} elsif (my ($xattr, $value) = ($_ =~ m{\A(trusted[.]overlay[.][^=]+)=(.*)\z}xms)) {
push @{$xattrs{$xattr}}, $current_filename;
} else {
croak "Unrecognized line, aborting: '$_'";
}
}
while (my ($xattr, $files) = each %xattrs) {
my $stdin = join(chr(0), @$files);
my ($stdout, $stderr);
IPC::Run::run [
qw{sudo xargs --null --no-run-if-empty},
'setfattr', '--remove=' . $xattr,
'--no-dereference',
'--'
], \$stdin or croak "xargs failed: $?";
}
$t1 = time;
run_as_root(
"SOURCE_DATE_EPOCH=$ENV{SOURCE_DATE_EPOCH}",
$self->list_mksquashfs_prefix_cmd,
qw{mksquashfs},
$union_upperdir,
$self->overlay_dir->child('live', $self->squashfs_diff_name),
$self->list_mksquashfs_options
$self->list_mksquashfs_options,
qw{-Xbcj x86 -b 1024K -Xdict-size 1024K},
);
printf "TIME (main mksquashfs for $basename): %d seconds\n", (time - $t1);
foreach ($union_basedir,
$new_squashfs_mount, $new_iso_mount,
......@@ -452,14 +462,17 @@ method saveas ($outfile_name) {
$self->prepare_overlay_dir;
my $basename = path($self->outfile)->basename;
my $t1 = time;
run_as_root(
"SOURCE_DATE_EPOCH=$ENV{SOURCE_DATE_EPOCH}",
$self->list_mksquashfs_prefix_cmd,
qw{mksquashfs},
$self->squashfs_src_dir,
$outfile_name,
$self->list_mksquashfs_options,
'-all-root',
);
printf "TIME (final mksquashfs for $basename): %d seconds\n", (time - $t1);
return;
}
......
......@@ -113,12 +113,20 @@ method run () {
}
}
for my $previous_version (@{$self->previous_versions}) {
say STDERR q{* Updating upgrade-description file for previous },
'release (', $previous_version, "): \n ",
$self->udf_for($previous_version), ' ...';
$self->update_udf_for_previous_release($previous_version);
say STDERR '';
for my $channel (qw{alpha stable}) {
for my $previous_version (@{$self->previous_versions}) {
# Only generate an UDF on the alpha channel if the previous
# version actually uses that channel, i.e. it is not a final one.
# The version regexp must be the same as in auto/config.
next if $channel eq 'alpha' &&
$previous_version !~ /~(?:alpha|beta|rc)[0-9]*$/;
say STDERR q{* Updating upgrade-description file for previous },
'release (', $previous_version, "), ", $channel, " channel: \n ",
$self->udf_for($previous_version, channel => $channel), ' ...';
$self->update_udf_for_previous_release($previous_version, $channel);
say STDERR '';
}
}
}
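Review bot: The version test `$previous_version !~ /~(?:alpha|beta|rc)[0-9]*$/` is a second copy of the regexp used in auto/config (`'~(alpha|beta|rc)[0-9]*$'` with `grep -E`), and only the two comments keep them in sync. Since a drift would silently put previous releases on the wrong upgrade channel, add a test that feeds the same sample versions (a final one, an `~alpha`, a `~beta2`, an `~rc1`) to both checks, or move the pattern to a single place both can read.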
......@@ -148,8 +156,8 @@ method create_udf_for_next_release ($version, $channel) {
$udf->spew($description->stringify);
}
method update_udf_for_previous_release ($previous_version) {
my $udf = $self->udf_for($previous_version);
method update_udf_for_previous_release ($previous_version, $channel) {
my $udf = $self->udf_for($previous_version, channel => $channel);
my $description;
if (-e $udf) {
......@@ -160,7 +168,7 @@ method update_udf_for_previous_release ($previous_version) {
product_name => $self->product_name,
initial_install_version => $previous_version,
build_target => $self->build_target,
channel => $self->channel,
channel => $channel,
);
$udf->parent->mkpath;
}
......
......@@ -7,8 +7,6 @@ use Path::Tiny;
use Tails::IUK;
use Test::Fatal qw{dies_ok};
my $union_type = $ENV{UNION_TYPE} // 'overlayfs';
my @genisoimage_opts = qw{--quiet -J -l -cache-inodes -allow-multidot};
my @genisoimage = ('genisoimage', @genisoimage_opts);
......@@ -57,7 +55,6 @@ describe 'An IUK object' => sub {
system(@genisoimage, "-o", $new_iso, $new_iso_tempdir);
$iuk = Tails::IUK->new(
union_type => $union_type,
old_iso => $old_iso,
new_iso => $new_iso,
squashfs_diff_name => 'test.squashfs',
......@@ -90,7 +87,6 @@ describe 'An IUK object' => sub {
system(@genisoimage, "-o", $new_iso, $new_iso_tempdir);
$iuk = Tails::IUK->new(
union_type => $union_type,
old_iso => $old_iso,
new_iso => $new_iso,
squashfs_diff_name => 'test.squashfs',
......@@ -116,7 +112,6 @@ describe 'An IUK object' => sub {
system(@genisoimage, "-o", $new_iso, $new_iso_tempdir);
$iuk = Tails::IUK->new(
union_type => $union_type,
old_iso => $old_iso,
new_iso => $new_iso,
squashfs_diff_name => 'test.squashfs',
......@@ -144,7 +139,6 @@ describe 'An IUK object' => sub {
system(@genisoimage, "-o", $new_iso, $new_iso_tempdir);
$iuk = Tails::IUK->new(
union_type => $union_type,
old_iso => $old_iso,
new_iso => $new_iso,
squashfs_diff_name => 'test.squashfs',
......
......@@ -15,7 +15,7 @@ copyright_year = 2014
[MetaResources]
homepage = https://tails.boum.org/
repository.url = git://git.tails.boum.org/tails
repository.url = https://gitlab.tails.boum.org/tails/tails.git
repository.type = git
[@Filter]
......
tails (4.7) UNRELEASED; urgency=medium
tails (4.7) unstable; urgency=medium
* Dummy entry for next release.
* Security fixes
- Upgrade Tor Browser to 9.5-build2 (Closes: #17710).
- Upgrade APT to 1.8.2.1 (DSA-4685).
- Upgrade BIND to 1:9.11.5.P4+dfsg-5.1+deb10u1 (DSA-4689).
- Upgrade WebKitGTK to 2.28.2-2~deb10u1 (DSA-4681).
- Upgrade Thunderbird to 1:68.8.0-1~deb10u1 (DSA-4683).
* Bugfixes
- Improve Additional Software reliability (Closes: #17278): disable
periodic APT operations entirely, adjust timeouts, force data
synchronization, preserve file ownership.
- Make memory erasure feature compatible with overlayfs (Closes: #15146).
- Adjust various documentation for the new GitLab-based hosting.
* Minor improvements and updates
- Fix title of unlock-veracrypt-volume error dialog in case of incorrect
password (Closes: #17668).
- Clean up confusing torrc (Closes: #17706).
* Build system
- IUK creation: don't use extreme compression options for the outer
SquashFS container refs.
- IUK creation: add support for building several IUKs in parallel locally
(Closes: #17657).
- IUK verification: add support for fetching IUKs built in parallel on
Jenkins (Closes: #17658).
- Release process: generate UDFs on the alpha channel for previous
non-final releases (Closes: #17614).
- Remove aufs-based IUK generation code and doc (Closes: #17489).
* Test suite