Update changelog for 1.1~rc1.

debian/changelog

-tails (1.1) UNRELEASED; urgency=medium
+tails (1.1~rc1) unstable; urgency=medium
 
-  * Dummy entry for next release.
+  * Security fixes
+    - Don't allow the desktop user to pass arguments to
+      tails-upgrade-frontend (Closes: #7410).
+    - Make persistent file permissions safer (Closes #7443):
+      * Make the content of /etc/skel non-world-readable. Otherwise,
+        such files may be copied to /home/amnesia, and in turn to the
+        persistent volume, with unsafe permissions. That's no big deal
+        in /home/amnesia (that is itself not world-readable), *but*
+        the root of the persistent volume has to be world-readable.
+      * Have activate_custom_mounts create new directories with safe
+        permissions.
+      * Set strict permissions on /home/amnesia (Closes: #7463).
+      * Fix permissions on persistent directories that were created
+        with unsafe permissions (Closes: #7458).
+      * Fix files ownership while copying persistence (Closes: #7216).
+        The previous instructions to copy the persistent data were
+        creating personal files that belong to root. I don't think
+        there is a way of preserving the original ownership using
+        Nautilus (unless doing a "move" instead of a "copy" but that's
+        not what we are trying to do here).
+    - Disable FoxyProxy's proxy:// protocol handler (Closes: #7479).
+      FoxyProxy adds the proxy:// protocol handler, which can be used
+      to configure the proxy via an URI. A malicious web page can
+      include (or a malicious exit node can inject) some JavaScript
+      code to visit such an URI and disable or otherwise change
+      Iceweasel's proxy settings. While using this to disable
+      proxying will be dealt with safely by our firewall, this could
+      be used to defeat stream isolation, although the user must be
+      tricked into accepting the new proxy settings.
+
+  * Bugfixes
+    - Disable GNOME keyring's GnuPG functionality. (Closes: #7330) In
+      feature/regular-gnupg-agent, we installed the regular GnuPG
+      agent so that it is used instead of GNOME keyring's one. This is
+      not enough on Wheezy, so let's disable the starting of the "gpg"
+      component of GNOME keyring.
+    - Prevent iproute2 from being installed from wheezy-backports
+      (Closes: #7337).
+    - Remove dselect when purging other unwanted packages. (Closes: #7336)
+    - Make sure /etc/default/locale exists, with a sensible default
+      value (Closes: #7333). Before Tails Greeter's PostLogin script
+      are run, /etc/default/locale does not exist on Wheezy. Our
+      tails-kexec initscript (and quite a few other scripts we run)
+      depends on this file to exist. So, let's make sure it exists,
+      with a sensible default value.
+    - Create the tails-persistence-setup user with the same UID/GID it
+      had on Tails/Squeeze. (Closes: #7343) Else, our various checks
+      for safe access rights on persistence.conf fail.
+    - Revert back to browsing the offline documentation using Iceweasel
+      instead of Yelp (Closes: #7390, #7285).
+    - Make the new NetworkManager configuration directory persistent,
+      when the old one was, but disable the old one (Closes: #7338).
+    - The Unsafe Web Browser can now be started while the Windows 8
+      camouflage feature is activated (Closes: #7329).
 
- -- Tails developers <tails@boum.org>  Fri, 30 May 2014 17:03:06 +0200
+  * Minor improvements
+    - Various improvements to the Windows 8 camouflage:
+      * Set iceweasel and pidgin camouflage icons.
+      * Set claws-mail application icon.
+      * Set florence tray icon.
+      * Set gpgApplet tray icon.
+      * Set volume tray icon.
+      * Configure Iceweasel camouflage.
+      * Remove launchers (Closes #7381).
+      * Make the Unsafe Browser use the Windows 8 camouflage.
+    - Also install linux-base and linux-compiler-gcc-4.8-x86 from
+      sid. This way, we can get rid of our linux-compiler-gcc-4.8-x86
+      3.12, and it makes things a bit more consistent.
+   - Include the syslinux binary, and its MBR, in the ISO filesystem.
+     This in turn allows Tails Installer to use this binary and MBR,
+     which is critical for avoiding problems (such as #7345) on
+     "Upgrade from ISO".
+   - Include syslinux.exe for win32 in utils/win32/ on the ISO
+     filesystem (Closes: #7425).
+   - Tails Installer:
+     * Increase font size (Closes: #5673).
+     * Add consistent marigins in GUI.
+     * Always reset the target drive's MBR, without asking for
+       confirmation, after installing or upgrading.
+     * Install the bootloader using the syslinux binary found on the
+       target device, once the Live OS has been extracted/copied
+       there.
+   - Enable double-clicking to pick entries in the language or
+     keyboard layout lists in Tails Greeter.
+   - Install backport of shared-mime-info 1.3 (Closes: #7079).
+   - Make sanity-check prompts closable in Tails Persistence Setup
+     (Closes: #7119.
+
+  * Automated test suite
+    - Actually run "Upgrade from ISO" from a USB drive running the old
+      version. That's what users do, and is buggy.
+    - Automatically test persistent directories permissions (Closes: #7560).
+    - Use read-write persistence when testing upgraded USB
+      installations.  Otherwise e.g. the permission fixes won't get
+      applied, and the subsequent steps testing the permissions will
+      fail.
+    - Actually check that the ISO's Tails is installed. The step
+      "Tails is installed on USB drive $TARGET" only checks that the
+      *running* Tails is installed on $TARGET, which obviously fails
+      when doing an upgrade from ISO running an old Tails. That it
+      worked for the same scenario running the current Tails is just
+      coincidental.
+
+ -- Tails developers <tails@boum.org>  Wed, 02 Jul 2014 03:11:43 +0200
 
 tails (1.0.1) unstable; urgency=medium