Commit e4267074 authored by intrigeri's avatar intrigeri

Merge remote-tracking branch 'origin/devel' into feature/15292-usb-image

parents 64d58e43 b8bf6b87
......@@ -27,7 +27,6 @@
/config/chroot_local-includes/usr/share/doc/amnesia/Changelog
/config/chroot_local-includes/usr/share/doc/tails/website
/config/chroot_local-includes/usr/share/tails/build/variables
/config/chroot_local-includes/usr/share/tails/readahead-list
/.lock
/.stage
/source
......@@ -34,6 +34,7 @@ STABLE_BRANCH_NAMES = ['stable', 'testing']
EXPORTED_VARIABLES = [
'MKSQUASHFS_OPTIONS',
'APT_SNAPSHOTS_SERIALS',
'TAILS_BUILD_FAILURE_RESCUE',
'TAILS_DATE_OFFSET',
'TAILS_MERGE_BASE_BRANCH',
......@@ -54,6 +55,8 @@ INTERNAL_HTTP_PROXY = "http://#{VIRTUAL_MACHINE_HOSTNAME}:3142"
ENV['ARTIFACTS'] ||= '.'
ENV['APT_SNAPSHOTS_SERIALS'] ||= ''
class CommandError < StandardError
attr_reader :status, :stderr
......@@ -314,7 +317,8 @@ end
def list_artifacts
user = vagrant_ssh_config('User')
stdout = capture_vagrant_ssh("find '/home/#{user}/amnesia/' -maxdepth 1 " +
"-name 'tails-amd64-*'").first
"-name 'tails-amd64-*' " +
"-o -name tails-build-env.list").first
stdout.split("\n")
rescue VagrantCommandError
return Array.new
......@@ -101,7 +101,19 @@ RUN_LB_CONFIG="lb config noauto"
$RUN_LB_CONFIG --distribution stretch ${@}
# set up everything for time-based snapshots:
apt-snapshots-serials prepare-build
if [ -n "${APT_SNAPSHOTS_SERIALS:-}" ]; then
echo "Fixing 'latest' APT snapshots serials to: '${APT_SNAPSHOTS_SERIALS}'."
apt-snapshots-serials prepare-build "${APT_SNAPSHOTS_SERIALS}"
else
apt-snapshots-serials prepare-build
fi
# record what APT snapshots this build is going to use, so that one
# can try to reproduce it more reliably
JENKINS_ENV_PROPERTIES=tails-build-env.list
echo "# This file is in Java property file format" >> "$JENKINS_ENV_PROPERTIES"
echo "# (https://en.wikipedia.org/wiki/.properties)" >> "$JENKINS_ENV_PROPERTIES"
echo "APT_SNAPSHOTS_SERIALS = $(apt-snapshots-serials cat-json tmp/APT_snapshots.d)" \
>> "$JENKINS_ENV_PROPERTIES"
DEBIAN_MIRROR="$(apt-mirror debian)"
DEBIAN_SECURITY_MIRROR="$(apt-mirror debian-security)"
......@@ -182,15 +194,6 @@ fi
# changelog
cp debian/changelog config/chroot_local-includes/usr/share/doc/amnesia/Changelog
# create readahead-list from squashfs.sort
if [ -e config/binary_rootfs/squashfs.sort ]; then
mkdir -p config/chroot_local-includes/usr/share/tails
sort -k2 -n -r config/binary_rootfs/squashfs.sort | \
cut -d' ' -f1 | \
grep --invert-match --extended-regexp "$READAHEAD_EXCLUDE_PATTERN" \
> config/chroot_local-includes/usr/share/tails/readahead-list
fi
# custom APT sources
tails-custom-apt-sources > config/chroot_sources/tails.chroot \
|| fatal "tails-custom-apt-sources failed with exit code $?"
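Review bot: The three new `echo ... >> "$JENKINS_ENV_PROPERTIES"` lines only ever append, so if tails-build-env.list survives from an earlier build in the same tree the comment header and the `APT_SNAPSHOTS_SERIALS` key are written again and the consumer sees duplicate keys. Truncating on the first write, `echo "# This file is in Java property file format" > "$JENKINS_ENV_PROPERTIES"`, and appending only the following lines makes the file deterministic regardless of what was there before. The relative path also means the file lands wherever this script's working directory is; the Rakefile hunk collects it from the amnesia home directory, so that is presumably the intended location, but a comment saying so next to `JENKINS_ENV_PROPERTIES=` would help.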
......@@ -7,6 +7,7 @@ set -o pipefail
BASE_URL=http://time-based.snapshots.deb.tails.boum.org/
CONFIG=config/APT_snapshots.d
SERIAL_ONLY=
APT_SNAPSHOTS_SERIALS=
FREEZE_EXCEPTIONS=debian-security
get_latest_serial() {
......@@ -29,11 +30,27 @@ else
FREEZE_EXCEPTIONS=
shift
fi
if [ $# -eq 0 ]; then
ORIGINS="$(cd ${CONFIG}; ls -d *)"
else
ORIGINS="${@}"
fi
case "$action" in
prepare-build)
if [ $# -eq 1 ]; then
APT_SNAPSHOTS_SERIALS="${1}"
shift
fi
;;
cat-json)
if [ $# -eq 1 ]; then
CONFIG="${1}"
shift
fi
;;
cat|get-latest|freeze|thaw)
if [ $# -eq 0 ]; then
ORIGINS="$(cd ${CONFIG}; ls -d *)"
else
ORIGINS="${@}"
fi
;;
esac
fi
case "$action" in
......@@ -43,6 +60,9 @@ case "$action" in
cat "$CONFIG/$origin/serial"
done
;;
cat-json)
$(dirname "$0")/apt-snapshots-serials-cat-json "$CONFIG"
;;
get-latest)
for origin in $ORIGINS; do
[ -z "${SERIAL_ONLY}" ] && echo -n "$origin: "
......@@ -77,7 +97,13 @@ case "$action" in
rm -rf tmp/APT_snapshots.d
mkdir -p tmp
cp -r config/APT_snapshots.d tmp/
$0 get-latest > tmp/cached_APT_snapshots_serials
if [ "${APT_SNAPSHOTS_SERIALS}" ]; then
$(dirname "$0")/apt-snapshots-serials-load-json \
"$APT_SNAPSHOTS_SERIALS" \
> tmp/cached_APT_snapshots_serials
else
$0 get-latest > tmp/cached_APT_snapshots_serials
fi
for origin_dir in tmp/APT_snapshots.d/*; do
origin=$(basename $origin_dir)
if grep -qs '^latest$' $origin_dir/serial; then
......@@ -88,7 +114,7 @@ case "$action" in
done
;;
*)
printf "unknown action ($action), use either 'cat', 'get-latest', 'prepare-build', 'freeze' or 'thaw'\n" >&2
printf "unknown action ($action), use either 'cat', 'cat-json', 'get-latest', 'prepare-build', 'freeze' or 'thaw'\n" >&2
exit 1
;;
esac
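Review bot: The rewritten usage line interpolates `$action` directly into the printf format string, so an action containing `%` is interpreted as a conversion rather than printed; passing it as an argument avoids that: `printf "unknown action (%s), use either 'cat', 'cat-json', 'get-latest', 'prepare-build', 'freeze' or 'thaw'\n" "$action" >&2`. The two new `$(dirname "$0")/...` invocations (in the `cat-json` and `prepare-build` branches) leave the command substitution unquoted, so a script path containing whitespace is word-split; `"$(dirname "$0")/apt-snapshots-serials-cat-json" "$CONFIG"` and the same for the load-json call fixes both. In the `prepare-build` branch the JSON taken from `$1` is not validated here but handed to apt-snapshots-serials-load-json, so whatever checks that script performs are the only ones this input gets.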
#!/usr/bin/ruby
#
# Usage: apt-snapshots-serials-cat-json APT_SNAPSHOTS_CONFIG_DIR
# Example: apt-snapshots-serials-cat-json config/APT_snapshots.d/
require 'json'
usage_str = "Usage: apt-snapshots-serials-cat-json APT_SNAPSHOTS_CONFIG_DIR"
!ARGV.empty? or raise usage_str
config_dir = ARGV[0]
!config_dir.empty? or raise usage_str
serials = {}
origins = Dir.glob("#{config_dir}/*").map do |origin_dir|
origin_dir.sub("#{config_dir}/", '')
end
origins.map do |origin|
serials[origin] = File.open("#{config_dir}/#{origin}/serial") { |f| f.read.chomp }
end
puts JSON.dump(serials)
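Review bot: The loop over `origins` uses `map` purely for its side effect on `serials`, and the origin name is recovered by string-substituting `"#{config_dir}/"` out of the glob result, which depends on `config_dir` having no trailing slash even though the usage example shows `config/APT_snapshots.d/`. Building the hash with `File.basename`/`File.join` removes both issues and the `File.open` block that only reads the file. As before, a non-directory entry under the config dir would still make `File.read` raise, which seems acceptable for a build helper.
```ruby
serials = Dir.glob(File.join(config_dir, '*')).each_with_object({}) do |origin_dir, acc|
  serial_file = File.join(origin_dir, 'serial')
  acc[File.basename(origin_dir)] = File.read(serial_file).chomp
end
# … unchanged: puts JSON.dump(serials) …
```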
#!/usr/bin/ruby
#
# Usage:
#
# apt-snapshots-serials-load-json SERIALS_JSON
#
# Example:
#
# apt-snapshots-serials-load-json \
# '{"torproject":"2017120803","debian-security":"2017120902","debian":"2017120903"}'
require 'json'
usage_str = "Usage: apt-snapshots-serials-load-json SERIALS_JSON"
ARGV.size == 1 or raise usage_str
serials = JSON.load(ARGV[0])
serials.each { |origin, serial|
serial != 'latest' or raise "Only numeric serials are supported"
puts "#{origin}: #{serial}\n"
}
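Review bot: `JSON.load(ARGV[0])` is the lenient loader: it returns nil for an empty/nil input (so `serials.each` then fails with NoMethodError instead of the usage error) and, unlike `JSON.parse`, enables `create_additions`, which lets a `json_class` key in the input drive object instantiation. Since the value comes from a Jenkins parameter, `serials = JSON.parse(ARGV[0])` is the right call here. The check on the next line only rejects the literal `latest` while the message promises numeric serials; `serial.to_s =~ /\A\d+\z/ or raise "Only numeric serials are supported"` makes the check match the message. It also assumes the document is an object; a top-level array would iterate with a single block argument and print odd lines, so a `serials.is_a?(Hash) or raise usage_str` guard would be cheap.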
......@@ -26,16 +26,12 @@ AMNESIA_ISOHYBRID_OPTS="-h 255 -s 63 --id 42 --verbose"
REQUIRED_SYSLINUX_UTILS_UPSTREAM_VERSION="6.03~pre20"
# Kernel version
KERNEL_VERSION='4.18.0-3'
KERNEL_VERSION='4.19.0-1'
KERNEL_SOURCE_VERSION=$(
echo "$KERNEL_VERSION" \
| perl -p -E 's{\A (\d+ [.] \d+) [.] .*}{$1}xms'
)
# Files to exclude from the readahead list
# (passed to `grep --extended-regexp`)
READAHEAD_EXCLUDE_PATTERN='^lib/live/mount/medium/'
### You should not have to change anything below this line ####################
# sanity checks
......@@ -88,6 +88,12 @@ Package: systemd systemd-sysv systemd-container systemd-journal-remote systemd-c
Pin: release o=Debian,n=stretch-backports
Pin-Priority: 999
Explanation: src:systemd
Explanation: systemd >= v240 required to fix CVE-2018-16864, CVE-2018-16865 and CVE-2018-16866 (#16352)
Package: systemd systemd-sysv systemd-container systemd-journal-remote systemd-coredump systemd-tests libpam-systemd libnss-myhostname libnss-mymachines libnss-resolve libnss-systemd libsystemd0 libsystemd-dev udev libudev1 libudev-dev udev-udeb libudev1-udeb
Pin: origin deb.tails.boum.org
Pin-Priority: 999
Package: openpgp-applet
Pin: release o=Debian,n=sid
Pin-Priority: 999
......@@ -96,6 +102,11 @@ Package: tails-installer
Pin: origin deb.tails.boum.org
Pin-Priority: 999
Explanation: #16348
Package: tor tor-geoipdb
Pin: origin deb.tails.boum.org
Pin-Priority: 999
Package: virtualbox*
Pin: release o=Debian,n=stretch-backports
Pin-Priority: 999
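Review bot: The new `Package: tor tor-geoipdb` stanza pins Tails' own origin at priority 999 but, unlike the systemd stanza added in the first hunk (which cites the CVEs and #16352) and the `tails-installer` stanza right above it (#16348), carries no `Explanation:` line. A 999 pin on an `origin` stanza overrides the Debian security and backports releases, so without a reason a later maintainer cannot tell when the override can be dropped. Adding `Explanation: <reason and ticket number>` would follow the file's convention.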
......@@ -27,5 +27,5 @@ done
# Redirect to existing wrapper
sed -i'' --regexp-extended 's,^Exec=pidgin$,Exec=/usr/local/bin/pidgin,' \
"/usr/share/applications/pidgin.desktop"
sed -i'' --regexp-extended 's,^Exec=/usr/bin/totem$,Exec=/usr/local/bin/totem,' \
sed -i'' --regexp-extended 's,^Exec=/usr/bin/totem(\s+.*)?$,Exec=/usr/local/bin/totem,' \
"/usr/share/dbus-1/services/org.gnome.Totem.service"
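Review bot: The new regex consumes any arguments following `/usr/bin/totem` via the `(\s+.*)?` group, but the replacement does not put them back, so a line such as `Exec=/usr/bin/totem --gapplication-service` becomes `Exec=/usr/local/bin/totem` with the arguments dropped. If the wrapper at /usr/local/bin/totem does not supply them itself, the D-Bus activation behaviour of the service changes; a backreference keeps them: `s,^Exec=/usr/bin/totem(\s+.*)?$,Exec=/usr/local/bin/totem\1,`. I cannot see the wrapper or the service file here, so this is worth confirming rather than assuming.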
......@@ -12,8 +12,8 @@ echo "Setting up a build environment for kernel modules"
# install_fake_package()
. /usr/local/lib/tails-shell-library/build.sh
# Install gcc-6 and fake linux-compiler-gcc-7-x86
# (linux-headers-4.14+ depends on it, but Stretch hasn't GCC 7)
# Install gcc-6 and fake linux-compiler-gcc-8-x86
# (linux-headers-4.19+ depends on it, but Stretch hasn't GCC 8)
# XXX:Buster: remove this hack.
ensure_hook_dependency_is_installed gcc-6
NEWEST_INSTALLED_KERNEL_VERSION="$(
......@@ -21,9 +21,9 @@ NEWEST_INSTALLED_KERNEL_VERSION="$(
| sort --version-sort | tail -n1
)"
install_fake_package \
linux-compiler-gcc-7-x86 \
linux-compiler-gcc-8-x86 \
"${NEWEST_INSTALLED_KERNEL_VERSION}~0tails1"
ln -s /usr/bin/gcc-6 /usr/bin/gcc-7
ln -s /usr/bin/gcc-6 /usr/bin/gcc-8
ensure_hook_dependency_is_installed \
build-essential \
......@@ -18,6 +18,7 @@ systemctl enable tails-shutdown-on-media-removal.service
systemctl enable tails-tor-has-bootstrapped.target
systemctl enable tails-wait-until-tor-has-bootstrapped.service
systemctl enable tails-tor-has-bootstrapped-flag-file.service
systemctl enable run-initramfs.mount
systemctl enable var-tmp.mount
# Enable our own systemd user unit files
HTP_POOL_PAL="boum.org,espiv.net,db.debian.org,epic.org,mail.riseup.net,leap.se,squat.net,tachanka.org,www.1984.is,www.eff.org,www.immerda.ch,www.privacyinternational.org,www.torproject.org"
HTP_POOL_NEUTRAL="cve.mitre.org,en.wikipedia.org,lkml.org,thepiratebay.org,www.apache.org,getfedora.org,www.democracynow.org,www.duckduckgo.com,www.gnu.org,www.kernel.org,www.mozilla.org,www.stackexchange.com,www.startpage.com,www.xkcd.com"
HTP_POOL_FOE="encrypted.google.com,github.com,login.live.com,login.yahoo.com,secure.flickr.com,tumblr.com,twitter.com,www.adobe.com,www.gandi.net,www.myspace.com,www.paypal.com,www.rackspace.com,www.sony.com"
HTP_POOL_1="boum.org,espiv.net,db.debian.org,epic.org,mail.riseup.net,leap.se,squat.net,tachanka.org,www.1984.is,www.eff.org,www.immerda.ch,www.privacyinternational.org,www.torproject.org"
HTP_POOL_2="cve.mitre.org,en.wikipedia.org,lkml.org,thepiratebay.org,www.apache.org,getfedora.org,www.democracynow.org,www.duckduckgo.com,www.gnu.org,www.kernel.org,www.mozilla.org,www.stackexchange.com,www.startpage.com,www.xkcd.com"
HTP_POOL_3="encrypted.google.com,github.com,login.live.com,login.yahoo.com,secure.flickr.com,tumblr.com,twitter.com,www.adobe.com,www.gandi.net,www.myspace.com,www.paypal.com,www.rackspace.com,www.sony.com"
fs.protected_fifos = 2
fs.protected_regular = 2
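Review bot: The two new sysctl keys are added without any comment, although sysctl.d files accept `#` lines and nothing here says what they do or why they are safe to set. `fs.protected_fifos` and `fs.protected_regular` only exist from Linux 4.19 onward, which matches the KERNEL_VERSION bump in this merge, but on an older kernel sysctl would report them as unknown keys at boot. I would add a header such as `# Refuse O_CREAT opens of FIFOs/regular files we do not own in world- or group-writable sticky directories (Linux >= 4.19)` above the two lines.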
......@@ -28,9 +28,6 @@ EOF
echo 32768 >/proc/sys/fs/inotify/max_user_watches
/usr/local/lib/boot-profile /var/log/boot-profile
# Put readahead list at the very begining
head -n 1 /usr/share/tails/readahead-list >/dev/null || true
# Creating state file
touch /var/lib/live/config/boot-profile
}
#!/bin/sh
READAHEAD_LIST="/usr/share/tails/readahead-list"
BACKGROUND_AT="^usr/bin/Xorg$"
Readahead ()
{
# Do not readahead when "profile" appears on kernel command line
if grep -qw "profile" /proc/cmdline
then
return 0
fi
if ! test -e "$READAHEAD_LIST"
then
echo "the readahead list (${READAHEAD}) does not exist."
return
fi
echo " readahead"
Start_readahead
}
Start_readahead ()
{
FG_FILES="sed -n -e \\:$BACKGROUND_AT:q;p $READAHEAD_LIST"
BG_FILES="sed -n -e \\:$BACKGROUND_AT:,\$p $READAHEAD_LIST"
FG_SIZE=$(
cd /
$FG_FILES |
xargs du -bc 2>/dev/null |
awk '$2 ~ /^total$/ { t = t + $1 } END { print t }')
(cd /
$BG_FILES |
xargs stat >/dev/null 2>/dev/null || :)
(cd /
$FG_FILES |
xargs cat 2>/dev/null |
pv -f -s ${FG_SIZE} >/dev/null || :)
(cd /
start-stop-daemon \
--start --background --make-pidfile --startas /bin/sh \
--pidfile /run/background-readahead.pid -- \
-c "$BG_FILES | xargs cat >/dev/null 2>&1")
# Creating state file
touch /var/lib/live/config/readahead
}
Readahead
......@@ -8,9 +8,6 @@ set -x
# initramfs during shutdown: in the initramfs, this script is
# overwritten with /usr/local/lib/initramfs-pre-shutdown-hook.
# Otherwise systemd-shutdown cannot execute /run/initramfs/shutdown
/bin/mount -o remount,exec /run
# Debugging
/bin/ls -l /run/initramfs
......@@ -11,10 +11,10 @@ Environment=SUCCESS_FILE=/run/htpdate/success
Environment=LOG=/var/log/htpdate.log
EnvironmentFile=/etc/default/htpdate.*
ExecStartPre=/bin/sh -c \
'[ -n "${HTTP_USER_AGENT}" ] && \
[ -n "${HTP_POOL_PAL}" ] && \
[ -n "${HTP_POOL_NEUTRAL}" ] && \
[ -n "${HTP_POOL_FOE}" ]'
'[ -n "${HTTP_USER_AGENT}" ] && \
[ -n "${HTP_POOL_1}" ] && \
[ -n "${HTP_POOL_2}" ] && \
[ -n "${HTP_POOL_3}" ]'
ExecStartPre=/bin/rm -f "${DONE_FILE}"
ExecStartPre=/bin/rm -f "${SUCCESS_FILE}"
ExecStartPre=/usr/bin/install -o htp -g nogroup -m 0644 /dev/null "${LOG}"
......@@ -26,9 +26,9 @@ ExecStart=/usr/local/sbin/htpdate \
--user htp \
--done_file "${DONE_FILE}" \
--success_file "${SUCCESS_FILE}" \
--pal_pool "${HTP_POOL_PAL}" \
--neutral_pool "${HTP_POOL_NEUTRAL}" \
--foe_pool "${HTP_POOL_FOE}" \
--pool1 "${HTP_POOL_1}" \
--pool2 "${HTP_POOL_2}" \
--pool3 "${HTP_POOL_3}" \
--proxy 127.0.0.1:9062
RemainAfterExit=yes
CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_SETUID CAP_SYS_TIME