1. 30 Aug, 2018 1 commit
    • intrigeri's avatar
      APT: pin intel-microcode/stretch-backports and binary packages built from... · 8f614cb7
      intrigeri authored
      APT: pin intel-microcode/stretch-backports and binary packages built from src:firmware-nonfree/sid to the same level as our custom APT repo.
      
      This allows us to upgrade these packages to a newer version than the one found
      in the currently used time-based APT snapshots, by uploading newer packages to
      our custom APT repo. But once the version in our time-based APT snapshots of
      respectively stretch-backports and sid becomes newer than the one in our custom
      APT repo, the former will supersede the latter.
      8f614cb7
  2. 14 Aug, 2018 1 commit
  3. 08 Aug, 2018 1 commit
  4. 04 Aug, 2018 1 commit
  5. 01 Aug, 2018 1 commit
  6. 01 Jul, 2018 1 commit
  7. 28 Jun, 2018 1 commit
  8. 05 Jun, 2018 4 commits
  9. 26 May, 2018 1 commit
    • intrigeri's avatar
      Install virtualbox from our custom APT repository (refs: #15621) · 477e417f
      intrigeri authored
      As per https://labs.riseup.net/code/issues/12048#note-12:
      
      "we'll ship virtualbox-guest-x11 from sid as long as it's installable on
      Stretch; then we'll import the last working version in our custom APT repo.
      And if/when that last working version breaks (e.g. because we get a new xorg
      from stretch-backports and the virtualbox driver doesn't build against it
      anymore, there's no ABI compatibility between major X.Org versions, all drivers
      need to be rebuilt against the new one; it's happened a few times already that
      whatever virtualbox backport we were shipping wasn't compatible with the xorg
      from backports, etc.), then we'll reconsider and possibly drop
      VirtualBox support."
      477e417f
  10. 23 May, 2018 1 commit
  11. 29 Mar, 2018 1 commit
  12. 28 Mar, 2018 1 commit
  13. 16 Mar, 2018 1 commit
    • intrigeri's avatar
      Import current persistence-setup.git's and perl5lib.git's... · 9ecb8270
      intrigeri authored
      Import current persistence-setup.git's and perl5lib.git's feature/14594-asp-gui branches; accordingly add new package dependencies.
      
      Respectively at commit 85fe743ec9818bb77bb35dc133c019c955d02148
      and f10204fa5035ebae6a2e682ede3518c7e3dd245c.
      9ecb8270
  14. 10 Mar, 2018 1 commit
  15. 27 Feb, 2018 1 commit
  16. 26 Feb, 2018 5 commits
  17. 24 Feb, 2018 1 commit
  18. 23 Feb, 2018 1 commit
    • bertagaz's avatar
      Ship systemd from stretch-backports. · bf317f15
      bertagaz authored
      Install systemd v236, required to get the meek_lite PT to work, and have
      the unsafe browser and the Tor launcher applications do clearnet DNS
      resolution. This is required to get systemd's `BindReadOnlyPaths`
      directive introduced in commit 4fc2cd47.
      
      Refs: #8243, #8775
      bf317f15
  19. 22 Feb, 2018 1 commit
  20. 14 Feb, 2018 1 commit
    • intrigeri's avatar
      Install Intel processor microcode firmware from stretch-backports (refs: #15173). · 20b79c23
      intrigeri authored
      The maintainer of intel-microcode in Debian carefully uploads to
      stretch-backports updates he thinks are safe for stable users. For example,
      right now stretch-backports has 3.20171117.1~bpo9+1 which is the latest
      available version that's not affected by the many regressions introduced by
      3.20180108.1.
      
      This commit does *not* currently give us IBRS/IBPB/STIPB microcode support for
      Spectre variant 2 mitigation: the currently available firmware with that support
      is too buggy. Instead, it:
      
       - updates microcode firmware to the latest good enough version, which usually
         brings important bugfixes;
       - paves the way for us to get this mitigation whenever it is ready in a form
         that the maintainer of intel-microcode in Debian thinks can be safely pushed
         to Debian stable users.
      20b79c23
  21. 07 Feb, 2018 1 commit
    • intrigeri's avatar
      Revert to xorg-xserver from Stretch (refs: #15232) · 2579876c
      intrigeri authored
      For #12219 we've tried upgrading to xorg-xserver 2:1.19.3-1 but that did not fix
      the bug. Since then we've stuck to that version, which has a greater version
      that the one in Stretch, but 1. does not get any security updates; 2. does not
      track new versions from testing/sid either.
      
      So let's get back to a saner situation and instead track the version in Stretch.
      2579876c
  22. 05 Feb, 2018 1 commit
  23. 30 Jan, 2018 1 commit
  24. 16 Jan, 2018 1 commit
  25. 11 Jan, 2018 1 commit
    • intrigeri's avatar
      Install amd64-microcode and intel-microcode from sid (refs: #15148). · 9e6aec2c
      intrigeri authored
      On the short term, this allows us to get the mitigation against
      Spectre (CVE-2017-5715).
      
      While this could be done via our freeze exception mechanism, instead I chose to
      bump APT snapshots and add APT pinning to install these packages from sid for
      the foreseeable future: keeping CPU microcode up-to-date has become an important
      factor in securing systems these days and such security updates land faster in
      sid than anywhere else in Debian.
      9e6aec2c
  26. 06 Jan, 2018 2 commits
  27. 05 Jan, 2018 2 commits
  28. 03 Jan, 2018 1 commit
    • Loic Dachary's avatar
      Add pdf-redact-tools to tails pre-installed software · 520acf91
      Loic Dachary authored
      While there's definitely some overlap between pdf-redact-tools and
      MAT's mission, the UX and functionality pdf-redact-tools provides
      would not really fit in MAT.
      
      It complements MAT functions and is useful to journalists working
      with sensitive documents.
      
      refs: #15052
      520acf91
  29. 02 Jan, 2018 3 commits