Commit e38ef2ee authored by anonym's avatar anonym

Merge branch 'master' into stable

parents aa90d149 f53c3d78
......@@ -11,3 +11,7 @@
[submodule "submodules/tails-workarounds"]
path = submodules/tails-workarounds
url = https://gitlab.tails.boum.org/tails/workarounds.git
[submodule "submodules/sof"]
path = submodules/sof
url = https://github.com/thesofproject/sof-bin.git
branch = stable-v1.5.1
......@@ -3,6 +3,7 @@
set -e
set -u
set -x
set -o pipefail
. "$(dirname $0)/scripts/utils.sh"
......@@ -59,6 +60,12 @@ echo "POTFILES_DOT_IN='$(
| sed -e 's,^config/chroot_local-includes,,' | tr "\n" ' '
)'" \
>> config/chroot_local-includes/usr/share/tails/build/variables
echo "SOF_VERSION='$(
git -C submodules/sof branch --all --contains HEAD \
--format '%(refname:short)' 'origin/stable-v*' \
| cut -d"-" -f 2
)'" \
>> config/chroot_local-includes/usr/share/tails/build/variables
# fix permissions on some source files that will be copied as is to the chroot.
# they may be wrong, e.g. if the Git repository was cloned with a strict umask.
......@@ -146,13 +153,11 @@ BUILD_USB_IMAGE_FILENAME="${BUILD_BASENAME}.img"
cat config/chroot_sources/*.chroot
) > "$BUILD_APT_SOURCES"
# make workarounds available in the chroot, if any:
WORKAROUNDS_SRC="submodules/tails-workarounds"
WORKAROUNDS_DST="config/chroot_local-includes/tmp/"
if [ -d "$WORKAROUNDS_SRC" ]; then
mkdir -p "$WORKAROUNDS_DST"
cp -a "$WORKAROUNDS_SRC" "$WORKAROUNDS_DST"
fi
# make submodules available in the chroot:
SUBMODULES_SRC="submodules/sof submodules/tails-workarounds"
SUBMODULES_DST="config/chroot_local-includes/tmp/submodules"
mkdir -p "$SUBMODULES_DST"
cp -a $SUBMODULES_SRC "$SUBMODULES_DST"/
echo "I: Building ISO image ${BUILD_ISO_FILENAME}..."
time lb build noauto "${@}"
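Review bot: The `SOF_VERSION` line appended to the build variables file takes its value from a command substitution inside an `echo` argument, so the substitution's exit status is discarded and neither `set -e` nor the `set -o pipefail` at the top of the script stops the build when `git -C submodules/sof branch ...` fails or matches no `origin/stable-v*` branch; the file then receives `SOF_VERSION=''`. If the submodule's HEAD is contained in more than one matching branch, the value spans several lines. I would compute the value first, require exactly one line of the expected form, and only then write it, as sketched below. The `POTFILES_DOT_IN` entry just above uses the same echo-with-substitution shape; its start lies outside the hunk.

```shell
SOF_VERSION=$(
    git -C submodules/sof branch --all --contains HEAD \
        --format '%(refname:short)' 'origin/stable-v*' \
        | cut -d"-" -f 2
)
# Exactly one line of the form vN.N[.N...]; anything else aborts the build.
if ! printf '%s\n' "$SOF_VERSION" | grep -qxE 'v[0-9]+(\.[0-9]+)+' \
    || [ "$(printf '%s\n' "$SOF_VERSION" | wc -l)" -ne 1 ]; then
    echo "E: cannot determine SOF version from submodules/sof" >&2
    exit 1
fi
echo "SOF_VERSION='${SOF_VERSION}'" \
    >> config/chroot_local-includes/usr/share/tails/build/variables
```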
......
......@@ -23,7 +23,7 @@ AMNESIA_APPEND="live-media=removable nopersistence noprompt timezone=Etc/UTC blo
AMNESIA_ISOHYBRID_OPTS="-h 255 -s 63 --id 42 --verbose"
# Kernel version
KERNEL_VERSION='5.7.0-2'
KERNEL_VERSION='5.7.0-3'
KERNEL_SOURCE_VERSION=$(
echo "$KERNEL_VERSION" \
| perl -p -E 's{\A (\d+ [.] \d+) [.] .*}{$1}xms'
......
This diff is collapsed.
......@@ -18,12 +18,12 @@ Pin-Priority: 990
Explanation: Electrum 4.0.2 and recent TREZOR firmware need 0.12
Package: python3-trezor trezor
Pin: release o=Debian,n=bullseye
Pin: release o=Debian,n=buster-backports
Pin-Priority: 999
Explanation: python3-trezor needs a version newer than the one in Buster
Package: python3-usb1
Pin: release o=Debian,n=bullseye
Package: python3-construct
Pin: release o=Debian,n=buster-backports
Pin-Priority: 999
Package: firmware-b43-installer
......@@ -52,6 +52,12 @@ Package: grub*
Pin: release o=Debian,n=bullseye
Pin-Priority: 999
Explanation: We want to set default database directory to ~/Persistent, which
Explanation: is only possible since 2.4.0, which is unavailable in Buster.
Package: keepassxc
Pin: release o=Debian,n=buster-backports
Pin-Priority: 999
Package: linux-compiler-* linux-headers-* linux-image-* linux-kbuild-* linux-source-*
Pin: release o=Debian,n=sid
Pin-Priority: 999
......
......@@ -74,9 +74,7 @@ install_tor_browser() {
# instead of the system one, whenever ours is too old.
# For details see projects/firefox/abicheck.cc in
# https://git.torproject.org/builders/tor-browser-build.git
# Tor Browser 9.0a7 requires GLIBCXX_3.4.25, which Buster has,
# so disable this for now.
# cp "${prep}"/TorBrowser/Tor/libstdc++/libstdc++.so.6 "${prep}"
cp "${prep}"/TorBrowser/Tor/libstdc++/libstdc++.so.6 "${prep}"
# We don't need the Tor binary, the shared libraries Tor needs
# (but Firefox doesn't) and documentation shipped in the TBB.
......@@ -90,6 +88,44 @@ install_tor_browser() {
# Otherwise the "General" section in the preferences is not displayed.
install -d -m 0755 "${prep}"/TorBrowser/UpdateInfo
# Apply 10.0-build2 → 10.0-build3 changes:
(
local tmp
tmp="$(mktemp -d)"
cd "${tmp}"
7z x -tzip "${prep}/browser/omni.ja"
# Any $ in the below in-line patch must be escaped!
patch -p1 <<EOF
commit fb9428098b5b85eed400daa6e0010ac63faf8848 (tag: tor-browser-78.3.0esr-10.0-2-build2, origin/tor-browser-78.3.0esr-10.0-2)
Author: Matthew Finkel <sysrqb@torproject.org>
Date: Sat Sep 19 17:03:53 2020 +0000
Revert "fixup! TB4: Tor Browser's Firefox preference overrides."
This reverts commit c386fb3312237fd6c0d123ba9aaad662f8740e56.
We continue using the old webextensions storage backend due to #40137.
diff --git a/browser/app/profile/000-tor-browser.js b/browser/app/profile/000-tor-browser.js
index bac98ce06540..7e29c788b720 100644
--- a/defaults/preferences/000-tor-browser.js
+++ b/defaults/preferences/000-tor-browser.js
@@ -286,6 +286,8 @@ pref("extensions.htmlaboutaddons.recommendations.enabled", false);
pref("extensions.legacy.exceptions", "{972ce4c6-7e08-4474-a285-3208198ce6fd},torbutton@torproject.org");
// Bug 26114: Allow NoScript to access addons.mozilla.org etc.
pref("extensions.webextensions.restrictedDomains", "");
+// Bug 31396: Disable indexedDB WebExtension storage backend.
+pref("extensions.webextensions.ExtensionStorageIDB.enabled", false);
// Bug 28896: Make sure our bundled WebExtensions are running in Private Browsing Mode
pref("extensions.allowPrivateBrowsingByDefault", true);
EOF
touch --date="@${TBB_TIMESTAMP:?}" defaults/preferences/000-tor-browser.js
rm "${prep}/browser/omni.ja"
7z a -mtc=off -tzip "${prep}/browser/omni.ja" *
rm -r "${tmp}"
)
mv "${prep}" "${destination}"
rm -r "${tmp}"
}
......@@ -141,11 +177,8 @@ EOF
rm -r "${tmp}"
}
# TBB works around the lack of code signing for its extensions by
# hacking in exceptions. We do the same!
# Improving this is tracked on #12571.
apply_extension_code_signing_hacks () {
local tbb_install tbb_timestamp
embed_extensions_in_omni_ja () {
local tbb_install tbb_timestamp tmp
tbb_install="${1}"
tbb_timestamp="${2}"
......@@ -153,62 +186,8 @@ apply_extension_code_signing_hacks () {
(
cd "${tmp}"
7z x -tzip "${tbb_install}/omni.ja"
patch -p1 <<EOF
diff -Naur a/chrome/toolkit/content/mozapps/extensions/aboutaddonsCommon.js b/chrome/toolkit/content/mozapps/extensions/aboutaddonsCommon.js
--- a/chrome/toolkit/content/mozapps/extensions/aboutaddonsCommon.js 2019-09-02 15:24:00.000000000 +0200
+++ b/chrome/toolkit/content/mozapps/extensions/aboutaddonsCommon.js 2019-09-08 20:42:24.198382292 +0200
@@ -195,6 +195,10 @@
if (addon.id == "https-everywhere-eff@eff.org") {
return true;
}
+ // Allow uBlock installed from Debian (Tails#12571)
+ if (addon.id == "uBlock0@raymondhill.net") {
+ return true;
+ }
return addon.isCorrectlySigned !== false;
}
diff -Naur a/modules/addons/XPIDatabase.jsm b/modules/addons/XPIDatabase.jsm
--- a/modules/addons/XPIDatabase.jsm 2019-09-02 15:24:00.000000000 +0200
+++ b/modules/addons/XPIDatabase.jsm 2019-09-08 20:40:29.469007744 +0200
@@ -2126,6 +2126,11 @@
return true;
}
+ // Ensure that we allow uBlock installed from Debian (Tails#12571)
+ if (aAddon.id == "uBlock0@raymondhill.net") {
+ return true;
+ }
+
// Ensure that Tor Launcher is never enabled as an add-on. It will be
// removed inside getInstallState() soon.
if (aAddon.id == "tor-launcher@torproject.org")
@@ -2729,7 +2734,8 @@
}
unsigned =
- XPIDatabase.mustSign(aNewAddon.type) && !aNewAddon.isCorrectlySigned;
+ XPIDatabase.mustSign(aNewAddon.type) && !aNewAddon.isCorrectlySigned
+ && aNewAddon.id !== "uBlock0@raymondhill.net";
if (unsigned) {
throw Error(`Extension ${aNewAddon.id} is not correctly signed`);
}
diff -Naur a/modules/addons/XPIInstall.jsm b/modules/addons/XPIInstall.jsm
--- a/modules/addons/XPIInstall.jsm 2019-09-02 15:24:00.000000000 +0200
+++ b/modules/addons/XPIInstall.jsm 2019-09-08 20:41:07.345467589 +0200
@@ -3826,6 +3826,7 @@
if (
XPIDatabase.mustSign(addon.type) &&
addon.id !== "https-everywhere-eff@eff.org" &&
+ addon.id !== "uBlock0@raymondhill.net" &&
addon.signedState <= AddonManager.SIGNEDSTATE_MISSING
) {
throw new Error(
EOF
touch --date="@${tbb_timestamp}" \
chrome/toolkit/content/mozapps/extensions/aboutaddonsCommon.js \
modules/addons/XPIDatabase.jsm \
modules/addons/XPIInstall.jsm
cp -a '/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/uBlock0@raymondhill.net' chrome/torbutton/content/extensions/
find chrome/torbutton/content/extensions/ -exec touch --date="@${tbb_timestamp}" '{}' \;
rm "${tbb_install}/omni.ja"
7z a -mtc=off -tzip "${tbb_install}/omni.ja" *
)
......@@ -217,20 +196,41 @@ EOF
(
cd "${tmp}"
7z x -tzip "${tbb_install}/browser/omni.ja"
# Any $ in the below in-line patch must be escaped!
patch -p1 <<EOF
diff -Naur a/modules/BrowserGlue.jsm b/modules/BrowserGlue.jsm
--- a/modules/BrowserGlue.jsm 2019-09-02 15:24:00.000000000 +0200
+++ b/modules/BrowserGlue.jsm 2019-09-08 20:45:59.323681266 +0200
@@ -1926,7 +1926,8 @@
// disabled. Even if they lack Mozilla's blessing they are enabled
// nevertheless.
if ((addon.signedState <= AddonManager.SIGNEDSTATE_MISSING) &&
- (addon.id !== "https-everywhere-eff@eff.org")) {
+ (addon.id !== "https-everywhere-eff@eff.org") &&
+ (addon.id !== "uBlock0@raymondhill.net")) {
this._notifyUnsignedAddonsDisabled();
break;
}
diff -Naur browser-omni.orig/modules/BrowserGlue.jsm browser-omni/modules/BrowserGlue.jsm
--- browser-omni.orig/modules/BrowserGlue.jsm 2020-09-11 19:25:00.000000000 +0200
+++ browser-omni/modules/BrowserGlue.jsm 2020-09-19 11:44:17.439692582 +0200
@@ -1367,6 +1367,29 @@
}
})();
+ (async () => {
+ const UBLOCK_ORIGIN_ID = "uBlock0@raymondhill.net";
+ const UBLOCK_ORIGIN_BUILTIN_URL =
+ "resource://torbutton/content/extensions/uBlock0@raymondhill.net/";
+ try {
+ const resolvedURI = Services.io.newURI(
+ resProto.resolveURI(Services.io.newURI(UBLOCK_ORIGIN_BUILTIN_URL))
+ );
+ const extensionData = new ExtensionData(resolvedURI);
+ const manifest = await extensionData.loadManifest();
+
+ await AddonManager.maybeInstallBuiltinAddon(
+ UBLOCK_ORIGIN_ID,
+ manifest.version,
+ UBLOCK_ORIGIN_BUILTIN_URL
+ );
+ } catch (e) {
+ const log = Log.repository.getLogger("uBlockOriginBuiltinLoader");
+ log.addAppender(new Log.ConsoleAppender(new Log.BasicFormatter()));
+ log.error("Could not install uBlock Origin extension", e);
+ }
+ })();
+
if (AppConstants.MOZ_NORMANDY) {
Normandy.init();
}
EOF
touch --date="@${tbb_timestamp}" modules/BrowserGlue.jsm
rm "${tbb_install}/browser/omni.ja"
......@@ -266,6 +266,19 @@ apply_prefs_hacks() {
rm -r "${tmp}"
}
disable_update_checks() {
local tbb_install
tbb_install="${1}"
mkdir -p "${tbb_install}/distribution"
cat > "${tbb_install}/distribution/policies.json" <<EOF
{
"policies": {
"DisableAppUpdate": true
}
}
EOF
}
strip_nondeterminism () {
local tbb_install tbb_timestamp
tbb_install="${1}"
......@@ -302,13 +315,27 @@ get_firefox_version() {
}
install_debian_extensions() {
local destination
local destination timestamp fake_firefox_version firefox_version
destination="${1}"
shift
apt-get install --yes "${@}"
ln -s '/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/uBlock0@raymondhill.net' \
"${destination}"/'uBlock0@raymondhill.net'
timestamp="${2}"
# Install a fake firefox equivs package to satisfy the
# dependencies for the extensions we are about to install.
firefox_version=$(get_firefox_version "${destination}"/application.ini)
fake_firefox_version=${firefox_version}+fake1
install_fake_package firefox "${fake_firefox_version}" web
apt-get install --yes webext-ublock-origin
patch -p1 < /usr/share/tails/uBlock-disable-autoUpdate.diff
# Apply the same hack for our extension as the Tor Browser does
# for HTTPS-Everywhere in order to bypass the mandatory extension
# signature check, which we lack since we install our extensions
# from Debian ...
embed_extensions_in_omni_ja "${destination}" "${timestamp}"
# ... and then remove the packages we just installed, since we
# don't need them outside of omni.ja.
apt purge --yes firefox webext-ublock-origin
}
create_default_profile() {
......@@ -331,30 +358,24 @@ create_default_profile() {
TBB_TIMESTAMP="$(date --date='2000-01-01 00:00:00' +%s)"
TBB_SHA256SUMS_FILE=/usr/share/tails/tbb-sha256sums.txt
TBB_DIST_URL_FILE=/usr/share/tails/tbb-dist-url.txt
TBB_TARBALLS_BASE_URL="$(cat "${TBB_DIST_URL_FILE}")"
TBB_TARBALLS="$(grep "\<tor-browser-linux64-.*\.tar.xz$" "${TBB_SHA256SUMS_FILE}")"
# We'll use the en-US bundle as our basis
MAIN_TARBALL="$(echo "${TBB_TARBALLS}" | grep -o "tor-browser-linux64-.*_en-US\.tar\.xz" || :)"
MAIN_TARBALL="$(echo "${TBB_TARBALLS}" | grep -o "tor-browser-linux64-.*_en-US\.tar\.xz")"
NIGHTLY_BUILD=
if [ -z "${MAIN_TARBALL}" ] && [ "$(echo $TBB_TARBALLS | awk '{ print $2 }')" = 'tor-browser-linux64-tbb-nightly_ALL.tar.xz' ]; then
# Except for TBB nightly builds; then there is only one bundle
# containing all langpacks
MAIN_TARBALL='tor-browser-linux64-tbb-nightly_ALL.tar.xz'
if echo "${TBB_TARBALLS}" | grep --quiet 'tor-browser-linux64-tbb-nightly'; then
NIGHTLY_BUILD=yes
fi
TBB_DIST_URL_FILE=/usr/share/tails/tbb-dist-url.txt
TBB_TARBALLS_BASE_URL="$(cat "${TBB_DIST_URL_FILE}")"
# The Firefox extensions we want to install from Debian and make
# available in the Tor Browser.
DEBIAN_EXT_PKGS="webext-ublock-origin"
TMP="$(mktemp -d)"
download_and_verify_files "${TBB_TARBALLS_BASE_URL}" "${TBB_TARBALLS}" "${TMP}"
install_tor_browser "${TMP}/${MAIN_TARBALL}" "${TBB_INSTALL}"
apply_extension_code_signing_hacks "${TBB_INSTALL}" "${TBB_TIMESTAMP}"
apply_prefs_hacks "${TBB_INSTALL}" "${TBB_TIMESTAMP}"
install_debian_extensions "${TBB_INSTALL}" "${TBB_TIMESTAMP}"
disable_update_checks "${TBB_INSTALL}"
strip_nondeterminism "${TBB_INSTALL}" "${TBB_TIMESTAMP}"
install_tor_launcher "${TBB_INSTALL}" "${TOR_LAUNCHER_INSTALL}"
......@@ -371,13 +392,6 @@ rm -r "${TMP}"
mv "${TBB_INSTALL}"/TorBrowser/Data/Browser/profile.default/extensions/* "${TBB_EXT}"
rmdir "${TBB_INSTALL}"/TorBrowser/Data/Browser/profile.default/extensions
# ... and then install a few Firefox extension by using a fake
# firefox equivs package to satisfy the dependencies.
FIREFOX_VERSION=$(get_firefox_version "${TBB_INSTALL}"/application.ini)
FAKE_FIREFOX_VERSION=${FIREFOX_VERSION}+fake1
install_fake_package firefox "${FAKE_FIREFOX_VERSION}" web
install_debian_extensions "${TBB_EXT}" ${DEBIAN_EXT_PKGS}
mkdir -p "${TBB_PROFILE}"
create_default_profile "${TBB_INSTALL}"/TorBrowser/Data/Browser/profile.default "${TBB_EXT}" "${TBB_PROFILE}"
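Review bot: The in-line patches are fed to `patch -p1` through an unquoted here-document (`<<EOF`), which is why the comment has to warn that every `$` must be escaped; a missed escape, or a backtick in a JavaScript template literal, would be expanded by the shell and change the patch text before `patch` reads it. The here-documents that appear to remain on the new side, as far as they are visible here, contain no `$` or backtick, so quoting the delimiter, `patch -p1 <<'EOF'`, keeps the bodies literal and makes the warning unnecessary; the same applies to the `policies.json` here-document in `disable_update_checks`. Separately, `patch -p1 < /usr/share/tails/uBlock-disable-autoUpdate.diff` in `install_debian_extensions` depends on the caller's working directory, which these hunks do not show; `patch -d / -p1 < ...` (or whichever root the diff's paths are relative to) would make that explicit. Several of the functions touched here begin or end outside the visible hunks.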
......
#!/bin/sh
set -e
set -u
echo "Adding Intel SOF firmware and topology binaries (#17898)"
# Get $SOF_VERSION
. /usr/share/tails/build/variables
SRC_DIR='/tmp/submodules/sof/lib/firmware/intel'
INTEL_FIRMWARE_DIR='/lib/firmware/intel'
SOF_DEST_DIR="${INTEL_FIRMWARE_DIR}/sof"
SOF_TPLG_DEST_DIR="${INTEL_FIRMWARE_DIR}/sof-tplg"
# Sanity check
for dir in "$SOF_DEST_DIR" "$SOF_TPLG_DEST_DIR"; do
if [ -e "$dir" ]; then
echo "E: $dir already exists, maybe this hook could be dropped"
exit 1
fi
done
# Install topology
cp -r "$SRC_DIR/sof-tplg-${SOF_VERSION}" "$SOF_TPLG_DEST_DIR"
# Install firmware
mkdir "$SOF_DEST_DIR"
cd "$SOF_DEST_DIR"
for versioned_firmware in "${SRC_DIR}/sof/${SOF_VERSION}"/*.ri \
"${SRC_DIR}/sof/${SOF_VERSION}"/intel-signed/*.ri ; do
cp "$versioned_firmware" ./
unversioned_firmware=$(python3 -c "print('$(basename "$versioned_firmware")'.replace('-${SOF_VERSION}', ''))")
ln -s "$(basename "$versioned_firmware")" "$unversioned_firmware"
done
ln -s sof-apl-"${SOF_VERSION}".ri sof-glk.ri
ln -s sof-cnl-"${SOF_VERSION}".ri sof-cfl.ri
ln -s sof-cnl-"${SOF_VERSION}".ri sof-cml.ri
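Review bot: The `unversioned_firmware=` line builds Python source text by pasting the firmware file name and `$SOF_VERSION` between single quotes, so a file name in the sof-bin submodule that contains a quote character is interpreted as code by `python3` during the build rather than treated as data. Passing both values as arguments keeps them out of the program text: `unversioned_firmware=$(python3 -c 'import sys; print(sys.argv[1].replace("-" + sys.argv[2], ""))' "$(basename "$versioned_firmware")" "$SOF_VERSION")`. It would also help to check that `SOF_VERSION` is non-empty right after sourcing the variables file, for example `: "${SOF_VERSION:?}"`, so that a missing value is reported there instead of as a failed `cp`.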
[Connection sharing via a protected Wi-Fi network]
Identity=unix-user:amnesia
Action=org.freedesktop.NetworkManager.wifi.share.protected
ResultAny=no
ResultActive=no
ResultInactive=no
[Connection sharing via an open Wi-Fi network]
Identity=unix-user:amnesia
Action=org.freedesktop.NetworkManager.wifi.share.open
ResultAny=no
ResultActive=no
ResultInactive=no
......@@ -3,7 +3,7 @@ AutoSaveAfterEveryChange=true
BackupBeforeSave=true
OpenPreviousDatabasesOnStartup=true
ShowToolbar=true
LastOpenedDatabases=/home/amnesia/Persistent/keepassx.kdbx
LastOpenedDatabases=/home/amnesia/Persistent/Passwords.kdbx
LastDir=/home/amnesia/Persistent/
[security]
......
// This is the Debian specific preferences file for Mozilla Firefox
// You can make any change in here, it is the purpose of this file.
// You can, with this file and all files present in the
// /etc/thunderbird/pref directory, override any preference that is
// present in /usr/lib/thunderbird/defaults/pref directory.
// While your changes will be kept on upgrade if you modify files in
// /etc/thunderbird/pref, please note that they won't be kept if you
// do them in /usr/lib/thunderbird/defaults/pref.
// This is the Tails specific preferences file for Mozilla Thunderbird
// This file is parsed after the file containing the Debian defaults
// found in /etc/thunderbird/pref/thunderbird.js
// Disable updates of extensions to have control over versions used
pref("extensions.update.enabled", false);
// Use LANG environment variable to choose locale from system
// The old environment setting 'pref("intl.locale.matchOS", true);' is
// currently not working anymore. The new introduced setting
// 'intl.locale.requested' is now used for this. Setting an empty string is
// pulling the system locale into Thunderbird.
pref("intl.locale.requested", "");
// Disable default mail checking (gnome).
pref("mail.shell.checkDefaultMail", false);
// if you are not using gnome
pref("network.protocol-handler.app.http", "x-www-browser");
pref("network.protocol-handler.app.https", "x-www-browser");
// Disable mail indexing
pref("mailnews.database.global.indexer.enabled", false);
......@@ -347,9 +329,6 @@ pref("general.useragent.override", "");
// Disable WebGL.
pref("webgl.disabled", true);
// Disable Telemetry completely.
pref("toolkit.telemetry.enabled", false);
// Disable Geolocation.
pref("geo.enabled", false);
......
/* Required, do not remove */
@namespace url("http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul");
/* Hide the Tools -> Apps link to the Firefox Marketplace. It doesn't
seem to work in the Tor Browser, and may have privacy issues. */
#menu_openApps,
/* Hide the "Share this page" button in the Tool bar, which encourages
the use of social (= tracking) networks. Note that this one likely
will be removed upstream in the final Tor Browser 5.0 release. */
#social-share-button,
/* Hide HTTPS Everywhere button in the toolbar */
#https-everywhere-button { display: none; }
......@@ -25,7 +25,8 @@
["file", {"user": "tails-persistence-setup", "path": "/live/persistence/TailsData_unlocked/persistence.conf"}],
["file", {"user": "tails-persistence-setup", "path": "/live/persistence/TailsData_unlocked/live-additional-software.conf"}],
["directory", {"user": "root", "path": "/live/persistence/TailsData_unlocked/apt-sources.list.d"}],
["file", {"user": "root", "path": "/lib/live/mount/medium/live/Tails.module"}],
["file", {"user": "root", "path": "/var/log/live-persist"}],
["file", {"user": "root", "path": "/lib/live/mount/medium/live/Tails.module"}],
["file", {"user": "root", "path": "/lib/live/mount/rootfs/filesystem.squashfs/etc/os-release"}],
["command", {"args": ["/bin/journalctl", "--catalog", "--no-pager"]}]
]
......@@ -19,6 +19,7 @@ import locale
import logging
from typing import TYPE_CHECKING
import gi
import glob
import os
import sh
......@@ -350,11 +351,8 @@ class GreeterMainWindow(Gtk.Window, TranslatableWindow):
return False
def cb_button_start_clicked(self, widget, user_data=None):
# Cherry-pick the settings we want to persist
# (currently only the Unsafe Browser setting)
sh.cp("-a",
os.path.join(settings_dir, unsafe_browser_setting_filename),
persistent_settings_dir)
for setting in glob.glob(os.path.join(settings_dir, 'tails.*')):
sh.cp("-a", setting, persistent_settings_dir)
self.greeter.login()
return False
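Review bot: The loop in `cb_button_start_clicked` copies every `tails.*` file into `persistent_settings_dir` but never removes anything from it, so a setting that was persisted earlier and is no longer present in `settings_dir` would stay in the persistent copy and be loaded again on the next start; whether settings files are ever deleted is not visible in this hunk, so this needs confirming. If they are, clearing stale `tails.*` entries in the destination before the copy would keep the two directories in step. The glob also appears to replace the previous single-file cherry-pick, and the comment that documented that choice is gone; a short comment such as `# Persist every Welcome Screen setting (all tails.* files)` would record that any file named `tails.*`, whatever it holds, is now written to persistent storage. The matching load loop in the persistent-storage module copies in the opposite direction with the same glob.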
......
import logging
import gi
import glob
import os
import sh
import threading
......@@ -116,11 +117,51 @@ class PersistentStorage(object):
self.box_storage_unlocked.set_visible(True)
self.button_start.set_sensitive(True)
# Cherry-pick the settings we want to load from the persistent settings
# (currently only the Unsafe Browser setting)
sh.cp("-a",
os.path.join(persistent_settings_dir, unsafe_browser_setting_filename),
settings_dir)
# Copy all settings from the "persistent settings directory". This is
# a workaround for an issue that caused the "Settings were loaded"-
# notification to be displayed even if no settings were actually
# loaded, including on the first boot after activating persistence (
# which is confusing for users). FTR, the explanation for this is:
#
# When persistence is activated, live-persist copies the mount
# destination directory (/var/lib/gdm3/settings) to the source
# directory (/live/persistence/TailsData_unlocked/greeter-settings),
# if the source directory doesn't exist yet.
# In addition with the fact that we immediately store the settings
# on the file system as soon as the user changes them, that means
# that when we look at the destination directory after activating
# persistence, and see that there are settings stored there, it's
# unclear whether those were loaded from the persistence or simply
# set by the user in the same Welcome Screen session before unlocking
# persistence.
# One workaround we tried was to check if the values of any of the
# settings on the filesystem are actually different than the values
# in memory, but that doesn't work well for the admin password, which
# is stored hashed on the filesystem, but in cleartext in memory.
#
# So the current workaround is to have this separate "persistent
# settings directory" instead of simply persisting the "normal"
# settings directory, copying all settings from the former
# to the latter after persistence was activated, and copying all
# settings back to persistent directory when the Welcome Screen
# is left. That means that even if the user already set settings
# in the Welcome Screen before unlocking persistence, those will
# be stored in the "normal" settings directory, so the "persistent"
# settings directory will always be empty if no settings were
# persisted yet.
#
# This workaround will no longer be necessary once #11529 is done,
# because with #11529, the source directory
# (/live/persistence/TailsData_unlocked/greeter-settings), will
# be created immediately, so live-persist will never copy the
# destination directory to the source directory.
#
# Both the commit which introduced the persistent settings directory
# (e5653981228b375c28bf4d1ace9be3367e080900) and the commit which
# extended its usage and introduced this lengthy comment, can be
# reverted once #11529 is done.
for setting in glob.glob(os.path.join(persistent_settings_dir, 'tails.*')):
sh.cp("-a", setting, settings_dir)
if not os.listdir(settings_dir):
self.apply_settings_cb()
......
......@@ -8,7 +8,7 @@ TEXTDOMAIN="tails"
export TEXTDOMAIN
PERSISTENT_DATA_DIR="${HOME}/Persistent"
NEW_DB="${PERSISTENT_DATA_DIR}/keepassx.kdbx"
NEW_DB="${PERSISTENT_DATA_DIR}/Passwords.kdbx"
prompt_for_database_renaming() {
local filename="${1}"
......@@ -18,7 +18,9 @@ You have a <i>KeePassXC</i> database in your <i>Persistent</i> folder:
<i>\\\${filename}</i>
Renaming it to <i>keepassx.kdbx</i> would allow <i>KeePassXC</i> to open it automatically in the future.\"`
<i>KeePassXC</i> changed the default name of the database to <i>Passwords.kdbx</i>.