Commit e9537d84 authored by anonym's avatar anonym

Merge branch 'testing' into devel

Conflicts:
	debian/changelog
parents 6a2096e5 36461295
......@@ -9,6 +9,7 @@
I2P_DEFAULT_CONFIG="/usr/share/i2p"
I2P_CONFIG="/var/lib/i2p/i2p-config"
I2P_TUNNEL_CONFIG="${I2P_CONFIG}/i2ptunnel.config"
I2P_WRAPPER_LOG="/var/log/i2p/wrapper.log"
i2p_is_enabled() {
grep -qw "i2p" /proc/cmdline
......@@ -27,7 +28,29 @@ i2p_eep_proxy_address() {
echo ${listen_host}:${listen_port}
}
i2p_has_bootstrapped() {
i2p_reseed_started() {
grep -q 'Reseed start$' "${I2P_WRAPPER_LOG}"
}
i2p_reseed_failed() {
grep -q 'Reseed failed, check network connection$' "${I2P_WRAPPER_LOG}"
}
i2p_reseed_completed() {
grep -q "Reseed complete" "${I2P_WRAPPER_LOG}"
}
i2p_reseed_status() {
if i2p_reseed_completed; then
echo success
elif i2p_reseed_failed; then
echo failure
elif i2p_reseed_started; then
echo running
fi
}
i2p_built_a_tunnel() {
netstat -nlp | grep -qwF "$(i2p_eep_proxy_address)"
}
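Review bot: `i2p_reseed_status` prints nothing and still returns 0 when none of the three patterns matches, so a caller cannot tell "reseed not started yet" from "log missing or unreadable"; in the latter case each `grep` also writes an error to stderr on every poll. A final `else echo unknown` branch, or a guard such as `[ -r "${I2P_WRAPPER_LOG}" ] || return 1` at the top, would make that state explicit. If the wrapper log is appended to across I2P restarts (not visible here), a `Reseed complete` line from an earlier run would be reported as success, and that pattern is the only one of the three without a `$` anchor. A comment above `I2P_WRAPPER_LOG` stating which log lifetime is assumed would help.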
......
......@@ -82,15 +82,16 @@ migrate_persistence_preset()
-e "$(escape_dots ${NEW_PRESET})\s+source=${NEW_PRESET_SOURCE}" \
"$CONFIG"
then
warning "Need to make $NEW_PRESET persistent"
if [ "$PERSISTENCE_READONLY" = true ]
then
error "Persistence configuration needs to be migrated, but read only was selected; please retry in read-write mode"
fi
echo "$NEW_PRESET source=$NEW_PRESET_SOURCE" \
>> "$CONFIG" \
|| error "Failed to make $NEW_PRESET: $?"
warning "Successfully made $NEW_PRESET persistent"
warning "Need to make $NEW_PRESET persistent"
if [ "$PERSISTENCE_READONLY" = true ]
then
warning "Persistence configuration needs to be migrated, but read only was selected; please retry in read-write mode"
else
echo "$NEW_PRESET source=$NEW_PRESET_SOURCE" \
>> "$CONFIG" \
|| error "Failed to make $NEW_PRESET: $?"
warning "Successfully made $NEW_PRESET persistent"
fi
fi
}
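Review bot: With `PERSISTENCE_READONLY` set, the new `else` arrangement leaves the preset unmigrated but the branch ends on a `warning`, so the function presumably returns success and callers cannot tell that the migration was skipped. If that is intended, state it in a comment above the inner `if`, e.g. `# Read-only mode: do not touch $CONFIG; warn and carry on instead of aborting.`. The read-only path also prints "Need to make ... persistent" immediately before the read-only warning, which gives two messages for one condition. The function starts outside the hunk.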
......
......@@ -7,9 +7,13 @@ debug_command() {
}
debug_file() {
local user="${1}"
shift
file="${1}"
[ ! -e "${file}" ] && return
echo
echo "===== content of $1 ====="
cat "$1"
sudo -u "${user}" -- cat "${file}"
}
debug_command /usr/sbin/dmidecode -s system-manufacturer
......@@ -21,19 +25,39 @@ debug_command "/bin/mount"
debug_command "/usr/bin/lspci"
debug_command grep spoof-mac: /var/log/messages
debug_file "/etc/X11/xorg.conf"
debug_file "/home/amnesia/.xsession-errors"
debug_file "/proc/asound/cards"
debug_file "/proc/asound/devices"
debug_file "/proc/asound/modules"
debug_file "/var/log/Xorg.0.log"
debug_file "/var/log/gdm3/:0-slave.log"
debug_file "/var/log/gdm3/:0-greeter.log"
debug_file "/var/log/gdm3/tails-greeter.errors"
debug_file "/var/log/live-persist"
debug_file "/var/log/live/boot.log"
debug_file "/var/log/live/config.log"
debug_file "/var/lib/gdm3/tails.persistence"
debug_file "/var/lib/live/config/tails.physical_security"
debug_file "/live/persistence/TailsData_unlocked/persistence.conf"
debug_file "/live/persistence/TailsData_unlocked/live-additional-software.conf"
# Great attention must be given to the ownership situation of these
# files and their parent directories in order to avoid a symlink-based
# attack that could read the contents of any file and make it
# accessible to the user running this script (typicall the live
# user). Therefore, when adding a new file, give as the first argument
# 'root' only if the complete path to it (including the file itself)
# is owned by root and already exists before the system is connected to
# the network (that is, before GDM's PostLogin script is run).
# If not, the following rules must be followed strictly:
#
# * only one non-root user is involved in the ownership situation (the
# file, its dir and the parent dirs). From now on let's assume it is
# the case and call it $USER.
#
# * if any non-root group has write access, it must not have any
# members.
#
# If any of these rules does not apply, the file cannot be added here
# safely and something is probably quite wrong and should be
# investigated carefully.
debug_file root "/etc/X11/xorg.conf"
debug_file amnesia "/home/amnesia/.xsession-errors"
debug_file root "/proc/asound/cards"
debug_file root "/proc/asound/devices"
debug_file root "/proc/asound/modules"
debug_file root "/var/log/Xorg.0.log"
debug_file Debian-gdm "/var/log/gdm3/:0-slave.log"
debug_file Debian-gdm "/var/log/gdm3/:0-greeter.log"
debug_file Debian-gdm "/var/log/gdm3/tails-greeter.errors"
debug_file root "/var/log/live-persist"
debug_file root "/var/log/live/boot.log"
debug_file root "/var/log/live/config.log"
debug_file root "/var/lib/gdm3/tails.persistence"
debug_file root "/var/lib/live/config/tails.physical_security"
debug_file root "/live/persistence/TailsData_unlocked/persistence.conf"
debug_file root "/live/persistence/TailsData_unlocked/live-additional-software.conf"
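Review bot: For the entries tagged `root`, `sudo -u root -- cat` drops no privilege, so the symlink protection rests entirely on the ownership rule in the comment, and nothing in `debug_file` checks it. The ownership of `/var/lib/gdm3` and of the `/live/persistence/TailsData_unlocked` tree is not visible in this diff; if either directory is writable by a non-root account, those entries should carry that account's name instead of `root`. Separately, `file="${1}"` in `debug_file` is assigned without `local`, unlike `user` two lines above; `local file="${1}"` keeps it out of the global scope.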
#!/bin/sh
set -e
set -u
ZSH_VERSION="${ZSH_VERSION:-}"
# Get LANG
. /etc/default/locale
......@@ -11,25 +13,29 @@ export LANG
TEXTDOMAIN="tails"
export TEXTDOMAIN
# Must be set after gettext initialization
set -u
# Import wait_until()
. /usr/local/lib/tails-shell-library/common.sh
# Import i2p_has_bootstrapped(), i2p_router_console_is_ready() and
# set_best_i2p_router_console_lang().
# Import i2p_built_a_tunnel, i2p_reseed_failed, i2p_router_console_is_ready(),
# and set_best_i2p_router_console_lang().
. /usr/local/lib/tails-shell-library/i2p.sh
I2P_STARTUP_TIMEOUT=60
# We'll give up once 6 minutes have passed. Even with ridiculously
# subpar network conditions I've not seen bootstrapping take longer
# than this.
I2P_BOOTSTRAP_TIMEOUT=360
# When there are network problems (either local or remote), it can take up to 3
# minutes for all of the current reseed servers to be tried.
I2P_BOOTSTRAP_TIMEOUT=210
# After the router infos (RIs) are downloaded from the reseed servers
# it can take 3-5 minutes for a tunnel to be built, e.g.
# once we get to this point I2P should be ready to be used.
I2P_TUNNEL_BUILD_TIMEOUT=300
startup_failure() {
/usr/local/sbin/tails-notify-user \
"`gettext \"I2P failed to start\"`" \
"`gettext \"Something went wrong when I2P was starting. Check the logs in /var/log/i2p for more information.\"`"
service i2p dump # generate a thread dump
sleep 5 # Give thread dump ample time to complete
service i2p stop # clean up, just in case
exit 1
}
......@@ -38,6 +44,10 @@ wait_until_i2p_router_console_is_ready() {
wait_until ${I2P_STARTUP_TIMEOUT} i2p_router_console_is_ready
}
wait_until_i2p_has_bootstrapped() {
wait_until ${I2P_BOOTSTRAP_TIMEOUT} '[ "$(i2p_reseed_status)" = success ]'
}
notify_router_console_success() {
/usr/local/sbin/tails-notify-user \
"`gettext \"I2P's router console is ready\"`" \
......@@ -51,8 +61,10 @@ bootstrap_failure() {
exit 1
}
wait_until_i2p_has_bootstrapped() {
wait_until ${I2P_BOOTSTRAP_TIMEOUT} i2p_has_bootstrapped
wait_until_i2p_builds_a_tunnel() {
wait_until ${I2P_TUNNEL_BUILD_TIMEOUT} i2p_built_a_tunnel
# static sleep to work around upstream bug.
sleep 240
}
notify_bootstrap_success() {
......@@ -76,6 +88,7 @@ case "${1}" in
wait_until_i2p_router_console_is_ready || startup_failure
notify_router_console_success
wait_until_i2p_has_bootstrapped || bootstrap_failure
wait_until_i2p_builds_a_tunnel || bootstrap_failure
notify_bootstrap_success
;;
stop)
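Review bot: In `wait_until_i2p_builds_a_tunnel` the result of `wait_until` is discarded: the function's exit status is that of the trailing `sleep 240`, and because it is called as `wait_until_i2p_builds_a_tunnel || bootstrap_failure`, `set -e` does not apply inside it. A tunnel-build timeout therefore appears to fall through to `notify_bootstrap_success` after four more minutes. Changing the first line to `wait_until ${I2P_TUNNEL_BUILD_TIMEOUT} i2p_built_a_tunnel || return 1` keeps the failure path reachable. Similarly, `wait_until_i2p_has_bootstrapped` keeps polling for the full `I2P_BOOTSTRAP_TIMEOUT` even once `i2p_reseed_status` reports `failure`; the import comment lists `i2p_reseed_failed`, but no visible line uses it.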
......
http://torbrowser-archive.tails.boum.org/5.0.3/
http://torbrowser-archive.tails.boum.org/5.0.4/
42169e9c727e10b3e376ba260a3a143a6309c7316ec667e69fa74d401d4d7c4c tor-browser-linux32-5.0.3_ar.tar.xz
b5f56d37ea5a93a8c5f45f85d610da23cb768e8ccd2f0562b0f65a00e0937379 tor-browser-linux32-5.0.3_de.tar.xz
0e94498cb83a07895bf8becf76d3c3b071d8cfadd50048971f701819f80a56aa tor-browser-linux32-5.0.3_en-US.tar.xz
e6382d5b2cbf8db45fb02388a85e953f236b486bf4146396d6521e9f5ed20a13 tor-browser-linux32-5.0.3_es-ES.tar.xz
5666669aaeb695045a9263775d108a9fbe04899d3ef70aa27906a58245d713f4 tor-browser-linux32-5.0.3_fa.tar.xz
e8d667bd356185ee1a4a51ad14f75a2a338ca49a2e56697a8f3f74f7bb8ac04c tor-browser-linux32-5.0.3_fr.tar.xz
1cc8f0488c2b2f851eb7d7a5412a7ade130e2a9db769b87f5889146673034d6d tor-browser-linux32-5.0.3_it.tar.xz
fccf7493864ef2eba80368f8c98e6463be2f97b36392a84c29609c8be174ecfa tor-browser-linux32-5.0.3_ko.tar.xz
dc577b97aeba0b095a2d49df23893bdfdf0f8b8f36207ab97d4e59103b67728b tor-browser-linux32-5.0.3_nl.tar.xz
a022dd5e3d0aebba1f4f67e327e292b72d042a102806943c9693adf0692f63f8 tor-browser-linux32-5.0.3_pl.tar.xz
34c278bfd818a8d29f36bfcebbd1a77276ef61918f107540ce5b9caf4712cd0f tor-browser-linux32-5.0.3_pt-PT.tar.xz
c1391ded41dc3c59adb6fb0286c5262b962ccb12a062c2300d1da5fdea103b46 tor-browser-linux32-5.0.3_ru.tar.xz
44bdcd53aaefc894f8556258b42fadc5fd10458db01f568734a47a9f6d070e5c tor-browser-linux32-5.0.3_tr.tar.xz
87e08f755d3551e9ef3086695d0a976e0ea9be0ff5c88833e5bedb057f64280e tor-browser-linux32-5.0.3_vi.tar.xz
f1d5a0084d06e838a5acfe4352995c40c54ac4488006acb014ab7cf81360f62e tor-browser-linux32-5.0.3_zh-CN.tar.xz
c4d38b8a0d42f19f4883f2ecc58bcc0ae2f1abe6d707442821ddc2de844fc0a6 tor-browser-linux32-5.0.4_ar.tar.xz
ff441589c7a01f051092430405fdd1bccb61f6dcc0a3191018c427297acc30a9 tor-browser-linux32-5.0.4_de.tar.xz
3d0fd640693c91ddc9ffce744695b9a46e4cfc4b4aecd5d57b9044c1fa335c0f tor-browser-linux32-5.0.4_en-US.tar.xz
e70fd621f9fcec94b1c015d041031e73df2f0c84eba024a26adb39168ee50ad1 tor-browser-linux32-5.0.4_es-ES.tar.xz
4dd0ed35bcafde800fc0f87ec3d7b66b74d743e4fe95693d880efce1cf4d7611 tor-browser-linux32-5.0.4_fa.tar.xz
5402d358075782db6419bd7af014e158a06926be216a6ac603dbec3074828dbe tor-browser-linux32-5.0.4_fr.tar.xz
6d274dcc6ae4ee7b3da062fb1ad3266efb50f917e75f18d9c48b4c1431a84f9d tor-browser-linux32-5.0.4_it.tar.xz
69a5f26328a4ae43d2132434700d422583919068e2da9863dc14355ff78bc8da tor-browser-linux32-5.0.4_ko.tar.xz
a666205eccb8f745ed1ce5d80df5a61c2c9f555e807c37f018294caef52d0a99 tor-browser-linux32-5.0.4_nl.tar.xz
a5b8e423b28742f7c0bf8eb94739131820eec4a54a1b42ea3ed346a8ce3603b4 tor-browser-linux32-5.0.4_pl.tar.xz
19c65d9c8ec0cb56c3afa7d97a076a0f7b891503e77c484381e0c03bd69e3307 tor-browser-linux32-5.0.4_pt-PT.tar.xz
c635438b8dbaef18da891f6b298f61a31babe6925a0e208fae390b9d995498d6 tor-browser-linux32-5.0.4_ru.tar.xz
c3597cbfdfb625f3f9135b629b8713cb9fcdfd49a93bffbfe5d5aa0cd3cb2775 tor-browser-linux32-5.0.4_tr.tar.xz
adb8bc1db36490e07c0302e22bf0a5252dbda44d107c214e6205bd5bdce31560 tor-browser-linux32-5.0.4_vi.tar.xz
aff2788ef059cef86c12cfa0a83e5857cb38b876d4d05a9915a05f0f03130d92 tor-browser-linux32-5.0.4_zh-CN.tar.xz
......@@ -173,6 +173,7 @@ nautilus
nautilus-wipe
nautilus-gtkhash
network-manager-gnome
nmh
ntfs-3g
ntfsprogs
obfs4proxy
......
......@@ -4,13 +4,14 @@ tails (1.9) UNRELEASED; urgency=medium
-- Tails developers <tails@boum.org> Thu, 29 Oct 2015 09:06:56 +0000
tails (1.7~rc1) unstable; urgency=medium
tails (1.7) unstable; urgency=medium
* Major new features and changes
- Upgrade Tor Browser to 5.0.4. (Closes: #10456)
- Add a technology preview of the Icedove Email client (a
rebranded version of Mozilla Thunderbird), including OpenPGP
support via the Enigmail add-on, general security and anonymity
improvements via the Torbirdy add-on, and complete persitence
improvements via the Torbirdy add-on, and complete persistence
support (which will be enabled automatically if you already have
Claws Mail persistence enabled). Icedove will replace Claws Mail
as the supported email client in Tails in a future
......@@ -19,7 +20,7 @@ tails (1.7~rc1) unstable; urgency=medium
improvement of this new Tor major release, the new
KeepAliveIsolateSOCKSAuth option allows us to drop the
bug15482.patch patch (taken from the Tor Browse bundle) that
enabled similar (but inferiour) functionality for *all*
enabled similar (but inferior) functionality for *all*
SocksPort:s -- now the same circuit is only kept alive for
extended periods for the SocksPort used by the Tor
Browser. (Closes: #10194, #10308)
......@@ -30,13 +31,38 @@ tails (1.7~rc1) unstable; urgency=medium
* Security fixes
- Fix CVE-2015-7665, which could lead to a network interface's IP
address being exposed through wget. (Closes: #10364)
- Prevent a symlink attack on ~/.xsession-errors via
tails-debugging-info which could be used by the amnesia user to
read the contents of any file, no matter the
permissions. (Closes: #10333)
- Upgrade libfreetype6 to 2.4.9-1.1+deb7u2.
- Upgrade gdk-pixbuf packages to 2.26.1-1+deb7u2.
- Upgrade Linux to 3.16.7-ckt11-1+deb8u5.
- Upgrade openjdk-7 packages to 7u85-2.6.1-6~deb7u1.
- Upgrade unzip to 6.0-8+deb7u4.
* Bugfixes
- Add a temporary workaround for an issue in our code which checks
whether i2p has bootstrapped, which (due to some recent change
in either I2P or Java) could make it appear it had finished
prematurely. (Closes: #10185)
- Fix a logical bug in the persistence preset migration code while
real-only persistence is enabled. (Closes: #10431)
* Minor improvements
- Rework the wordings of the various installation and upgrade
options available in Tails installer in Wheezy. (Closes: #9672)
- Restart Tor if bootstrapping stalls for too long when not using
pluggable transports. (Closes: #9516)
- Install firmware-amd-graphics, and firmware-misc-nonfree instead
of firmware-ralink-nonfree, both from Debian Sid.
- Update the Tails signing key. (Closes: #10012)
- Update the Tails APT repo signing key. (Closes: #10419)
- Install the nmh package. (Closes: #10457)
- Explicitly run "sync" at the end of the Tails Upgrader's upgrade
process, and pass the "sync" option when remounting the system
partition as read-write. This might help with some issues we've
seen, such as #10239, and possibly for #8449 as well.
* Test suite
- Add initial automated tests for Icedove. (Closes: #10332)
......@@ -59,8 +85,25 @@ tails (1.7~rc1) unstable; urgency=medium
- Extract TBB languages from the Tails source code. This will
ensure that valid locales are tested. As an added bonus, the
code is greatly simplified. (Closes: #9897)
-- Tails developers <tails@boum.org> Mon, 26 Oct 2015 23:06:59 +0100
- Automatically test that tails-debugging-info is not susceptible
to the type of symlink attacks fixed by #10333.
- Save all test suite artifacts in a dedicated directory with more
useful infromation encoded in the path. This makes it easier to
see which artifacts belongs to which failed scenario and which
run. (Closes: #10151)
- Log all useful information via Cucumber's formatters instead of
printing to stderr, which is not included when logging to file
via `--out`. (Closes: #10342)
- Continue running the automated test suite's vnc server even if
the client disconnects. (Closes: #10345)
- Add more automatic tests for I2P. (Closes: #6406)
- Bump the Tor circuit retry count to 10. (Closes: #10375)
- Clean up dependencies: (Closes: #10208)
* libxslt1-dev
* radvd
* x11-apps
-- Tails developers <tails@boum.org> Tue, 03 Nov 2015 01:09:41 +0100
tails (1.6) unstable; urgency=medium
......
......@@ -80,3 +80,7 @@ Feature: Various checks
Given I have started Tails from DVD without network and logged in
When I request a reboot using the emergency shutdown applet
Then Tails eventually restarts
Scenario: tails-debugging-info does not leak information
Given I have started Tails from DVD without network and logged in
Then tails-debugging-info is not susceptible to symlink attacks
CAPTURE: false
CAPTURE_ALL: false
MAX_NEW_TOR_CIRCUIT_RETRIES: 5
MAX_NEW_TOR_CIRCUIT_RETRIES: 10
PAUSE_ON_FAIL: false
SIKULI_RETRY_FINDFAILED: false
TMPDIR: "/tmp/TailsToaster"
......
......@@ -4,31 +4,86 @@ Feature: I2P
I *might* want to use I2P
Scenario: I2P is disabled by default
Given a computer
And I start the computer
And the computer boots Tails
And I log in to a new session
And the Tails desktop is ready
And Tor is ready
And all notifications have disappeared
Given I have started Tails from DVD without network and logged in
Then the I2P Browser desktop file is not present
And the I2P Browser sudo rules are not present
And the I2P firewall rules are disabled
Scenario: I2P is enabled when the "i2p" boot parameter is added
Given a computer
And I set Tails to boot with options "i2p"
And I start the computer
And the computer boots Tails
And I log in to a new session
And the Tails desktop is ready
And Tor is ready
And I2P is running
And the I2P router console is ready
And all notifications have disappeared
Given I have started Tails from DVD with I2P enabled and logged in
Then the I2P Browser desktop file is present
And the I2P Browser sudo rules are enabled
And the I2P Browser sudo rules are present
And the I2P firewall rules are enabled
Scenario: I2P's AppArmor profile is in enforce mode
Given I have started Tails from DVD with I2P enabled and logged in and the network is connected
When I2P is running
Then the running process "i2p" is confined with AppArmor in enforce mode
Scenario: The I2P Browser works as it should
Given I have started Tails from DVD with I2P enabled and logged in and the network is connected
And the I2P router console is ready
When I start the I2P Browser through the GNOME menu
Then I see "I2P_router_console.png" after at most 120 seconds
Then the I2P router console is displayed in I2P Browser
And the I2P Browser uses all expected TBB shared libraries
Scenario: Closing the I2P Browser shows a stop notification and properly tears down the chroot.
Given I have started Tails from DVD with I2P enabled and logged in and the network is connected
And the I2P router console is ready
When I successfully start the I2P Browser
And I close the I2P Browser
Then I see the I2P Browser stop notification
And the I2P Browser chroot is torn down
Scenario: The I2P internal websites can be viewed in I2P Browser
Given I have started Tails from DVD with I2P enabled and logged in and the network is connected
And the I2P router console is ready
When I start the I2P Browser through the GNOME menu
Then the I2P router console is displayed in I2P Browser
And I2P successfully built a tunnel
When I open the address "http://i2p-projekt.i2p" in the I2P Browser
Then the I2P homepage loads in I2P Browser
Scenario: I2P is configured to run in Hidden mode
Given I have started Tails from DVD with I2P enabled and logged in and the network is connected
And the I2P router console is ready
When I start the I2P Browser through the GNOME menu
Then the I2P router console is displayed in I2P Browser
And I2P is running in hidden mode
Scenario: Connecting to the #i2p IRC channel with the pre-configured account
Given I have started Tails from DVD with I2P enabled and logged in and the network is connected
And the I2P router console is ready
And I2P successfully built a tunnel
When I start Pidgin through the GNOME menu
Then I see Pidgin's account manager window
When I activate the "I2P" Pidgin account
And I close Pidgin's account manager window
Then Pidgin successfully connects to the "I2P" account
And I can join the "#i2p" channel on "I2P"
Scenario: I2P displays a notice when bootstrapping fails
Given I have started Tails from DVD with I2P enabled and logged in
And I2P is not running
When the network is plugged
And Tor has built a circuit
And I2P is running
And I2P's reseeding started
And the network is unplugged
Then I see a notification that I2P is not ready
And I2P's reseeding failed
But I2P is still running
When I start the I2P Browser through the GNOME menu
Then the I2P router console is displayed in I2P Browser
Scenario: I2P displays a notice when it fails to start
Given I have started Tails from DVD with I2P enabled and logged in
And I2P is not running
And I block the I2P router console port
Then I2P is not running
When the network is plugged
And Tor has built a circuit
Then I2P is running
But the network is unplugged
Then I see a notification that I2P failed to start
And I2P is not running