Commit bfa3801c authored by anonym's avatar anonym
Browse files

Merge remote-tracking branch...

Merge remote-tracking branch 'origin/bugfix/17769-bump-thunderbird-apparmor-patch' into feature/17620-buster-10.4+force-all-tests

I want the target branch to build, despite the #17769 FTBFS.
parents 2e83ae71 694f5c48
--- a/etc/apparmor.d/usr.bin.thunderbird 2019-09-12 14:52:34.000000000 +0000 --- a/etc/apparmor.d/usr.bin.thunderbird 2020-06-12 13:56:44.453139641 +0200
+++ b/etc/apparmor.d/usr.bin.thunderbird 2019-10-03 13:30:05.876482204 +0000 +++ b/etc/apparmor.d/usr.bin.thunderbird 2020-06-12 14:01:43.694759478 +0200
@@ -15,7 +15,6 @@ @@ -15,7 +15,6 @@
# TODO: finetune this for required accesses # TODO: finetune this for required accesses
#include <abstractions/dbus> #include <abstractions/dbus>
...@@ -16,7 +16,7 @@ ...@@ -16,7 +16,7 @@
#include <abstractions/ubuntu-browsers.d/java> #include <abstractions/ubuntu-browsers.d/java>
#include <abstractions/ubuntu-helpers> #include <abstractions/ubuntu-helpers>
@@ -45,26 +43,19 @@ @@ -45,32 +43,21 @@
# Allow opening attachments # Allow opening attachments
# TODO: create and use abstractions for opening various file formats # TODO: create and use abstractions for opening various file formats
...@@ -27,6 +27,11 @@ ...@@ -27,6 +27,11 @@
/usr/lib/libreoffice/program/soffice Cxr -> sanitized_helper, /usr/lib/libreoffice/program/soffice Cxr -> sanitized_helper,
# Allow opening links # Allow opening links
- # GDesktopAppInfo in GLib 2.64.x uses a very small shell script
- # to launch .desktop files, instead of gio-launch-desktop
- /{usr/,}bin/{dash,bash} ixr,
# With older GLib we might still be on the fallback code path
# (remove this after Debian 11 and Ubuntu 20.04)
/usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop ix, /usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop ix,
- # For Xubuntu to launch the browser - # For Xubuntu to launch the browser
...@@ -34,6 +39,7 @@ ...@@ -34,6 +39,7 @@
- /usr/lib/@{multiarch}/xfce4/exo-[1-9]/exo-helper-[1-9] ixr, - /usr/lib/@{multiarch}/xfce4/exo-[1-9]/exo-helper-[1-9] ixr,
- /etc/xdg/xdg-xubuntu/xfce4/helpers.rc r, - /etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
- /etc/xdg/xfce4/helpers.rc r, - /etc/xdg/xfce4/helpers.rc r,
- owner @{HOME}/.config/xfce4/helpers.rc r,
- -
# for crash reports? # for crash reports?
ptrace (read,trace) peer=@{profile_name}, ptrace (read,trace) peer=@{profile_name},
...@@ -46,7 +52,7 @@ ...@@ -46,7 +52,7 @@
owner @{HOME}/.{cache,config}/dconf/user rw, owner @{HOME}/.{cache,config}/dconf/user rw,
owner @{HOME}/.cache/thumbnails/** r, owner @{HOME}/.cache/thumbnails/** r,
owner /run/user/[0-9]*/dconf/user rw, owner /run/user/[0-9]*/dconf/user rw,
@@ -140,6 +131,10 @@ @@ -146,6 +133,10 @@
deny /boot/vmlinuz* r, deny /boot/vmlinuz* r,
deny /var/cache/fontconfig/ w, deny /var/cache/fontconfig/ w,
...@@ -57,10 +63,16 @@ ...@@ -57,10 +63,16 @@
# noisy file dialog: # noisy file dialog:
# #
# TODO: remove these rules when file dialogs becomes "trusted helpers" that can # TODO: remove these rules when file dialogs becomes "trusted helpers" that can
@@ -264,7 +259,6 @@ @@ -270,7 +261,6 @@
/etc/lsb-release r, /etc/lsb-release r,
/etc/ssl/openssl.cnf r, /etc/ssl/openssl.cnf r,
/usr/lib/thunderbird/crashreporter ix, /usr/lib/thunderbird/crashreporter ix,
- /usr/bin/expr ix, - /usr/bin/expr ix,
/sys/devices/system/cpu/ r, /sys/devices/system/cpu/ r,
/sys/devices/system/cpu/** r, /sys/devices/system/cpu/** r,
@@ -430,4 +420,3 @@
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.bin.thunderbird>
}
-
...@@ -677,6 +677,10 @@ suite should be ready, so it is time to: ...@@ -677,6 +677,10 @@ suite should be ready, so it is time to:
Our build system will apply the correct compression settings automatically Our build system will apply the correct compression settings automatically
so don't bother setting it yourself. so don't bother setting it yourself.
1. Make sure the Jenkins build starts. Until the hook is back in place
([[!tails_ticket 17745]]), starting it manually may avoid up to 15
minutes of waiting.
1. Compare the new build manifest with the one from the previous, 1. Compare the new build manifest with the one from the previous,
almost-final build: almost-final build:
...@@ -923,6 +927,21 @@ that is not present locally yet): ...@@ -923,6 +927,21 @@ that is not present locally yet):
Build the Incremental Upgrade Kits locally Build the Incremental Upgrade Kits locally
------------------------------------------ ------------------------------------------
You're encouraged to enable parallelism to avoid waiting for a very
long, serial build (which is still the default at the moment). As
discussed in [[!tails_ticket 17657]], it seems running as many jobs as
there are physical cores is a nice rule of thumb.
For example, set:
JOBS="--jobs 4"
or, attempt to automatically set it to the number of physical cores:
JOBS="--jobs $(grep '^core id' /proc/cpuinfo | sort -u | wc -l)"
before starting the wrapper from `puppet-tails`:
( (
set -eu set -eu
WORK_DIR=$(mktemp -d) WORK_DIR=$(mktemp -d)
...@@ -930,6 +949,8 @@ Build the Incremental Upgrade Kits locally ...@@ -930,6 +949,8 @@ Build the Incremental Upgrade Kits locally
PUPPET_TAILS_REMOTE=$(echo -n "${TAILS_REMOTE?:}" | perl -p -E 's,:tails(:?[.]git)?\z,:puppet-tails,') PUPPET_TAILS_REMOTE=$(echo -n "${TAILS_REMOTE?:}" | perl -p -E 's,:tails(:?[.]git)?\z,:puppet-tails,')
cd "${WORK_DIR?:}" cd "${WORK_DIR?:}"
git clone "$PUPPET_TAILS_REMOTE" git clone "$PUPPET_TAILS_REMOTE"
sudo -l
time \
./puppet-tails/files/jenkins/slaves/isobuilders/wrap_tails_create_iuks \ ./puppet-tails/files/jenkins/slaves/isobuilders/wrap_tails_create_iuks \
--tails-git-remote "file://${RELEASE_CHECKOUT?:}/.git" \ --tails-git-remote "file://${RELEASE_CHECKOUT?:}/.git" \
--tails-git-commit "${TAG?:}" \ --tails-git-commit "${TAG?:}" \
...@@ -939,10 +960,10 @@ Build the Incremental Upgrade Kits locally ...@@ -939,10 +960,10 @@ Build the Incremental Upgrade Kits locally
--output-dir "${IUKS_DIR?:}" \ --output-dir "${IUKS_DIR?:}" \
--source-versions "${IUK_SOURCE_VERSIONS?:}" \ --source-versions "${IUK_SOURCE_VERSIONS?:}" \
--new-version "${VERSION?:}" \ --new-version "${VERSION?:}" \
--verbose --verbose ${JOBS:-}
cd "${IUKS_DIR?:}" cd "${IUKS_DIR?:}"
sha256sum Tails_amd64_*_to_${VERSION?:}.iuk > "${IUKS_HASHES?:}" sha256sum Tails_amd64_*_to_${VERSION?:}.iuk > "${IUKS_HASHES?:}"
) )
This command takes a long time. In parallel, while it is running, This command takes a long time. In parallel, while it is running,
you can follow the next step: you can follow the next step:
...@@ -1658,6 +1679,8 @@ website: ...@@ -1658,6 +1679,8 @@ website:
git push origin master:master \ git push origin master:master \
) )
Remember to also push to lizard until hooks are in place in GitLab.
The release is now public! Woo! The release is now public! Woo!
Bug tracker Bug tracker
...@@ -1813,7 +1836,7 @@ If you just released a final release ...@@ -1813,7 +1836,7 @@ If you just released a final release
git submodule update --init && \ git submodule update --init && \
bare_repo=$(mktemp -d) && \ bare_repo=$(mktemp -d) && \
git clone --bare --reference "${MASTER_CHECKOUT:?}" \ git clone --bare --reference "${MASTER_CHECKOUT:?}" \
git@gitlab.tails.boum.org:tails/tails \ git@gitlab-ssh.tails.boum.org:tails/tails \
"${bare_repo:?}" && \ "${bare_repo:?}" && \
PYTHONPATH=lib/python3 ./bin/delete-merged-git-branches \ PYTHONPATH=lib/python3 ./bin/delete-merged-git-branches \
--repo "${bare_repo:?}" && \ --repo "${bare_repo:?}" && \
...@@ -1935,7 +1958,7 @@ If you just released an RC ...@@ -1935,7 +1958,7 @@ If you just released an RC
1. Follow the "Verify that the snapshots used in the release branch 1. Follow the "Verify that the snapshots used in the release branch
are ok" step for final releases, above. are ok" step for final releases, above.
1. Make sure Jenkins manages to build all updated major branches: 1. Make sure Jenkins manages to build all updated major branches:
<https://jenkins.tails.boum.org/>. <https://jenkins.tails.boum.org/view/RM/>.
1. In [[contribute/calendar]], remove the entries about the version that you've 1. In [[contribute/calendar]], remove the entries about the version that you've
just released. just released.
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment