......@@ -73,3 +73,39 @@ globally]( on the BTS.
See the
[[issues that affect Tails in the GNOME bug tracker|blueprint/GNOME_bugs_that_affect_Tails]].
# Exceptions
A number of Tails features are not available in Debian. For example:
* In order to prevent cold-boot attacks and various memory forensics, Tails
erases most memory on shutdown.
* Tails changes the MAC address of network interfaces to random
Most of the time, we did not contribute these features upstream due to the
combination of these factors:
* The feature is meant to provide certain security guarantees. Users should be
able to rely on this feature to make security decisions.
* The feature requires deep integration into several layers of the operating
system. For example, Tails' MAC address spoofing feature plugs into udev,
NetworkManager, GDM, and more.
The set of Tails systems is very homogeneous, while Debian systems are highly
diverse: multiple init systems, desktop environments, network interface
management software, firewall configuration tools, etc.
In the context of Tails, most of these parameters are constants we can rely
upon. Our automated tests can verify that the feature works in Tails.
While in the context of Debian, these parameters are variables, which leads to
combinatorial explosion. So, sometimes, ensuring a security feature works
reliably in all possible Debian setups, is simply impossible: there are simply
too many cases to consider, reason about, and do quality assurance for.
Additionally, even if we could ensure that a given feature provides
the expected security benefits today in all such combinations,
any package update tomorrow could break it.
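Review bot: The second example bullet under "For example:" stops at "Tails changes the MAC address of network interfaces to random" with no noun after "random", so as shown the sentence is incomplete and needs finishing. In the closing paragraphs, "While in the context of Debian, these parameters are variables, which leads to combinatorial explosion." is a dependent clause standing alone as a sentence; joining it to the preceding sentence about Tails, or dropping "While", would fix it. The next sentence uses "simply" twice ("is simply impossible: there are simply too many cases") and has a stray comma before "is"; one "simply" and no comma reads better. The paragraph starting "The set of Tails systems is very homogeneous" also appears here as plain text right after the two bulleted factors, so it is unclear whether it is meant as a third factor in the list introduced by "combination of these factors:"; if it is, it should be a bullet like the other two.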
