GitLab

... instead of copying it, so the chroot's DNS configuration stays
up-to-date in case we switch network or similar.

Will-fix: #7903

This way any mounts made by users of this library (e.g. the Unsafe
Browser) can mount targets inside the chroot and let the automatic
teardown of the chroot browser deal with the umounting.

We don't enable Tor Launcher in Tor Browser, so they're just noise.

Will-fix: #8243

We want to allow something in Tor's rule that is blocked in the LAN
rules, so the Tor rule must be listed first.

So now users can input a human-readable hostname for proxies and
bridges (and we can support meek_lite!).

Will-fix: #8775
Refs: #8243

This is cleaner, and will help us on our path to #8775.

Refs: #8775

This has been broken since we migrated from our custom Iceweasel to
TBB.

As the comment in the removed code says, Tor Browser 7.5 does not ship
these files any more.

For reasons that still are elusive to me, the `7z u` this commit
replaces with `7z a` seems to be broken. I inserted `md5sum omni.ja`
before and after the `7z u` and it printed the same value, despite `7z
u` saying that that the expected files were changed and updated.

By updating the hack used to make Tor Browser consider uBlock Origin
to be a verified add-on.

At least with Tor Browser 7.5 without this pref set the default
becomes "tor-browser" (which presumably is the executable's directory,
i.e. /usr/local/lib/tor-browser) that we do not have permissions to
write to.

Will-fix: #15024

I will prepare Tails Installer 5.0.4 for Tails 3.5 in a few minutes,
so we don't need this overlay.

Refs: #14622

There was a rebuild due to last minute Firefox changes.

Will-fix: #15197

Will-fix: #15033

Since Tor Browser 7.5, it is enabled in stable releases.

Refs: #15197

Will-fix: #15197

Spotted on feature/buster that's the first branch that exercises
this code, but there's no reason to fix it only there.

Upgrade snapshot of the Debian APT repository to 2018011503 ⇒ upgrade to Linux 4.14.13 (refs: #15148).

Linux 4.14.13 is the first kernel that has the "[x86] microcode/AMD: Add support
for fam17h microcode loading" commit, that's needed to load the AMD fam17h
microcode for mitigating the Spectre vulnerability (CVE-2017-5715).

It causes too many regressions: https://bugs.debian.org/886998.

Partially reverts commit 9e6aec2c.

On the short term, this allows us to get the mitigation against
Spectre (CVE-2017-5715).

While this could be done via our freeze exception mechanism, instead I chose to
bump APT snapshots and add APT pinning to install these packages from sid for
the foreseeable future: keeping CPU microcode up-to-date has become an important
factor in securing systems these days and such security updates land faster in
sid than anywhere else in Debian.

i.e. one that has intel-microcode 3.20180108 and amd64-microcode 3.20171205.1,
with mitigation against the Spectre vulnerability (CVE-2017-5715).

We now install newer binary packages (built from src:aufs) from Debian.

The `apt-cache policy` approach doesn't work for tagged
snapshots (e.g. when building releases) since they include only the
exact packages we use.

Refs: #14976

This reverts commit 9cf42c44.

i.e. the first one that has Linux 4.14.12-2, that fixes
https://bugs.debian.org/886366.

Linux 4.14 brings new AppArmor mediation features and the policy shipped in
Stretch may not be ready for it. So let's disable these new features to avoid
breaking stuff: it's too hard to check if all the policy for apps we ship (and
that users install themselves) has the right rules to cope with these new
mediation features.

This feature set file will be:

 - either removed: once we install an apparmor package that ships its own,
   maintained elsewhere, feature set (probably via Debian#879585);

 - or upgraded: to the Buster kernel's, when we move to Buster, iff.
   Debian does not ship any pinned feature set then (refs: #15149).

This commit ports to our build system the changes that are in Buster/sid
currently, except we include the Stretch's kernel feature set while Buster/sid
is pinned to Linux 4.14's feature set (the policy in Buster/sid was updated to
support it). This is exactly what will likely land in the next Debian Stretch
point release. I'm using a different filename from the one used on Debian, in
order to make it easier to compare the "upstream" (Debian) file with ours.
And while I'm at it I'm adding a build-time sanity check that will warn us if
there's some maintenance work to do on our side.

XXX: don't merge

Let's drop this commit once we get Linux 4.14.12-2 which fixes that bug for
real (likely today around 5pm UTC). I'm only committing this now in order to
have automated tests results with Linux 4.14.12 ASAP.

It's a recurring source of headaches, let's ease debugging.

This hook is a recurring cause of headaches, let's simplify debugging.