Merge branch 'doc/6944-document-why-xyz-not-in-Debian' into 'master'

Document why some major Tails features are not packaged for Debian

Closes #6944

See merge request tails/tails!35

wiki/src/contribute/relationship_with_upstream.mdwn

@@ -73,3 +73,39 @@ globally](https://www.debian.org/Bugs/Developer#tags) on the BTS.
 
 See the
 [[issues that affect Tails in the GNOME bug tracker|blueprint/GNOME_bugs_that_affect_Tails]].
+
+# Exceptions
+
+A number of Tails features are not available in Debian. For example:
+
+ * In order to prevent cold-boot attacks and various memory forensics, Tails
+   erases most memory on shutdown.
+
+ * Tails changes the MAC address of network interfaces to random
+   values.
+
+Most of the time, we did not contribute these features upstream due to the
+combination of these factors:
+
+* The feature is meant to provide certain security guarantees. Users should be
+  able to rely on this feature to make security decisions.
+
+* The feature requires deep integration into several layers of the operating
+  system. For example, Tails' MAC address spoofing feature plugs into udev,
+  NetworkManager, GDM, and more.
+
+  The set of Tails systems is very homogeneous, while Debian systems are highly
+  diverse: multiple init systems, desktop environments, network interface
+  management software, firewall configuration tools, etc.
+
+  In the context of Tails, most of these parameters are constants we can rely
+  upon. Our automated tests can verify that the feature works in Tails.
+
+  While in the context of Debian, these parameters are variables, which leads to
+  combinatorial explosion. So, sometimes, ensuring a security feature works
+  reliably in all possible Debian setups, is simply impossible: there are simply
+  too many cases to consider, reason about, and do quality assurance for.
+
+  Additionally, even if we could ensure that a given feature provides
+  the expected security benefits today in all such combinations,
+  any package update tomorrow could break it.