GitLab

https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Themes#Documentation
says that "Lightweight themes have been deprecated", which explains why our old,
custom lightweight theme is ignored.

The only options to fix this are:

 - Create our own theme, get it automatically signed by Mozilla on AMO, download
   the resulting XPI, and somehow make it available at build time.

 - Use an existing theme with a GPL-3+ compliant license.

I've chosen the latter option: this theme is almost identical to the one we
had before.

The XPI is 7.7K so I don't think it's worth devising a more complicated
solution than just adding it to Git.

In the Browser Console of the Unsafe Browser, I see:

  Warning: unrecognized command line flag -DISPLAY

The Tor Browser is apparently going to do the same. But let's not wait for their
next alpha, as I suspect the about:newtab we currently get is what makes our
test suite brittle in new tabs (pressing Enter after pasting a URL in the
address bar, in a newly opened tab, often has no visible effect).

Now that Torbutton is integrated in Tor Browser
(https://trac.torproject.org/projects/tor/ticket/10760),
we only have to patch its own localized branding files.

Our previous tweaks, when applied to Firefox 68, made it segfault on startup.

The layout of omni.ja has changed a lot so let's adapt our code.
Besides, there are no localized search extensions anymore
so we can simplify things a bit.

There's no strong reason to handle Google Analytics differently than all
other trackers. The security model of Tor Browser does not rely on
arbitrary blocking of specific trackers, but instead on isolating
different web activities from each other.

This reverts commit 63d11a4d.

The underlying bug this was working around has been fixed in uBlock
a while ago, but that was in a way that only worked for Firefox >= 62.

 - Allow new path for the Firefox IPC.
 - Remove duplicate rules that I've added upstream.
 - Pass the environment to Firefox content processes.
   This makes 9.0a6 actually start and incidentally, it fixes #17018.

commit 9efaffaf moved this unit to
desktop.target, which has an unfortunate side-effect: the places-menu GNOME
Shell extension has already loaded, and thus the bookmarks we're adding won't
appear in the Places menu.

So let's start this unit earlier, as part of gnome-early-initialization.target,
that is during X-GNOME-Autostart-Phase=EarlyInitialization.

I.e. integrate as code comments all the relevant explanations
that were in commit messages, in the previous non-squashed branch
for refs: #12092.

Terminate GDM's GNOME session after the amnesia user logs in, in order to free memory (refs: #12092)

I've heard rumors that we can drop this hack when we switch to Wayland (#12213).
We'll see :)

We kill it as part of desktop.target, i.e. during the "Applications" phase of
the initialization of the GNOME session. We cannot do this earlier reliably:

 - basic.target is started by "systemd --user" for almost every command run as
   the amnesia user and may thus be triggered too early, at a time when we still
   need GDM's processes.

 - If we do this as part of basic.target, it sometimes happens before amnesia's
   X.Org has started, and sometimes after that, which causes racy behaviour,
   weird bugs, and amnesia's $DISPLAY can be either :0 or :1, which breaks our
   code that relies on that value to be always the same.

We're in no rush to kill GDM's GNOME session super early anyway.

Note that we keep GDM running while we kill its GNOME session,
otherwise, the amnesia user can't unlock the screen:

  Failed to open reauthentication channel: Gio:DBusError:
  GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name
  org.gnome.DisplayManager was not provided by any .service files

Also, we ensure gdm-session-worker does not start new sessions once the amnesia
user has logged in, which should hopefully prevent GDM from activating
such a session while we want the amnesia's user session to remain active.

OnionShare fails to open the URL providing more information about
Stealth Onion Services. The added AppArmor rules allow executing
xdg-open and dependencies to fix this.

Edited by intrigeri:

 - Remove unnecessary permission to execute cut, head, awk, mawk, sed, tr, and
   xdg-mime.
 - Add missing permission to execute gio-launch-desktop.

The former redirects to the latter.

For some reason I am not aware of, the IP of the former points to A/I,
which replies with an invalid SSL certificate.

This reverts commit 0c000cf8.

This was a workaround for https://bugs.debian.org/934483, which is now
fixed.

Sleeping 5 seconds unconditionally harms UX.

The assumption here is that:

 - #9012 was caused by an aufs bug that somehow affects how udev (and the
   kernel?) monitor /etc/modprobe.d/, and make them need time until they notice
   that all-net-blacklist.conf was deleted.

 - The same bug would also affect the "-e" test done by the shell this script
   runs under. That is, it would affect essentially any process that accesses
   /etc/modprobe.d/.

 - So for example, this bug can't be "the inode number of /etc/modprobe.d
   changed between the time udev started monitoring it, and the time we trigger
   a replay of the kernel 'add' events". According to the aufs documentation,
   inode numbers can change when using the noxino mount option, which we do,
   and actually that's been one of my primary suspects when investigating
   #9012.

This will give us UTF-8 support.

Note the switch from raw bytes IO to StringIO: the equivalent of what we used to
do in Python 3 is io.BytesIO(), but that won't work out of the box: the code
we're running prints strings on stdout/stderr, not bytes, and Python 3 knows
the difference. So accordingly, remove decoding of the output, since we get
a string already.

Drop anonym's "showingOnly" patch that was merged upstream :)

Otherwise, it gets lost (or at least I could not find it).
In any case, it does not make sense to print "The error was:"
somewhere and the actual error elsewhere.

We should only lose the "shared folders" functionality, which seems
acceptable and in line with our "best effort" strategy wrt. VirtualBox
guest support.

We used to ship patched files in the Greeter, which tend to be behind the
original files shipped in Debian. This can potentially cause serious
issues.

This copies the GNOME files as shipped in Debian and applies our patches
on top.

tordate: treat clock as correct if it is in the [valid-after, valid-after + 2 hours + 55 minutes] range (refs: #16972).

Let's avoid "fixing" a valid clock, as much as possible: this can break
obfs4 in cases when it would have otherwise worked.

This should still leave tor enough time to notice that its consensus is about to
expire, and refresh it.

We don't use this anymore on Buster: see commit
abad17b657f376dda634658abd256d0db6fed8f1 in greeter.git.

Apply greeter-buster-blocking-tails-unblock-network.diff to the Greeter files now shipped here (refs: #16912)