Otherwise it eats so much storage that usb_*.feature fail to create their
temporary disks.

Merge remote-tracking branch 'origin/bugfix/12375-keepassx-prompt-for-moving-database' into feature/stretch

refs: #12375

Fix-committed: #12511

Closes: #12554

Merge remote-tracking branch 'origin/bugfix/12354-drop-kexec-memory-wipe' into feature/stretch (Fix-committed: #12428, #12354)

The corresponding documentation is missing and I haven't seen this coordinated
with our tech writers:

 * https://labs.riseup.net/code/issues/11973#note-24
 * https://labs.riseup.net/code/issues/11964#note-25

I'd rather not break parts of the UX without a clear plan to explain
it to our users.

Fix-committed: #12364

Refs: #12375

It has no translatable strings anymore, so the build fails because
thunderbird.pot is not generated.

I've seen a number of test suite failures caused by starting interacting with
the desktop earlier.

I'm updating the picture to make it language-independent. It was unused since
commit:5010dff6 so updating it should not
break anything.

Fix-committed: #12501

Fix-committed: #12458

It breaks the tests on Jenkins since we don't share our secrets repo
in the way I assumed.

In my tests for #12354, for some reason ejecting the boot CD like it was done
before this commit immediately halts the machine, as opposed to ejecting the
virtual CD using virt-manager, which does what I expect (triggers emergency
shutdown). So let's go back to ejecting CDs like we did before
commit:62fb8faa, but keep the code
(that's used in another places where /usr/bin/eject would probably not work)
under a different name.

This will allow us to notice if emergency shutdown ever works only when
network-related services are off: it might be that some of our network
services need some time to terminate.

I want to confirm that we successfully erase memory during emergency shutdown as
well, by returning to the initramfs as intended, and that several kinds of
filesystems are unmounted and their caches erased.

Return to the initramfs (unpacked in /run/initramfs) on shutdown (refs: #12428, #12354, Debian#778849).

… otherwise the aufs read-write (tmpfs) branch, among possibly other things,
can't be properly unmounted and its content remains in memory.

Notes:

 * We have to handle some unmounting ourselves in initramfs-pre-shutdown-hook:
   systemd-shutdown doesn't manage to unmount the aufs read-write
   branch (/oldroot/lib/live/mount/overlay) as it is needed by the
   aufs (/oldroot) filesystem, and reciprocally it cannot unmount /oldroot as it
   is kept busy by /oldroot/lib/live/mount/*. So we disentangle this mess
   ourselves. And we have to manually empty the aufs read-write (tmpfs) branch,
   otherwise for some reason its content remains in memory. This code will of
   course need to be adapted for overlayfs some day.

 * We lock /bin/kill in memory: apparently systemd-exit.service needs it.

 * We remount /run on shutdown *before* dropping caches, just in case dropping
   caches removes what we've locked into memory.

 * We unpack the initramfs to /run/initramfs at *boot* time: sadly, I was not
   able to have it unpacked reliably in udev-watchdog-wrapper when the boot
   medium is ejected, so we'll use a little bit more RAM (instead of locking the
   compressed initramfs into memory, we're storing the uncompressed one there)
   and probably slow down the boot a bit, in order to make emergency shutdown
   robust. Note, however, that we save some of the RAM used by the uncompressed
   initramfs by deleting the worst offenders (kernel modules).

 * For now the whole procedure is quite noisy on the screen: the pre-shutdown
   hook runs under "set -x", doesn't run "clear", and spits out lots of
   debugging information. The goal is to enable users to provide useful
   debugging data if they have problems with emergency shutdown. Once we have
   shipped this code in a few releases and trust it's robust enough, we can
   surely reconsider and polish the UX by making the output less noisy.

 * We use absolute paths in many places to avoid $PATH lookup which might
   fail if the root filesystem is not there anymore.

Let's optimize how much memory the kernel memory poisoning feature acts on.

It's not reliable enough and provides poor UX. Linux memory poisoning
works well enough to get rid of it.

Drop hook that renames the kernel: since the -unsigned suffix was dropped, live-build manages to handle the renaming itself.

It has replaced 4.9.0-2 in Debian testing so that's necessary for
Stretch-based builds using recent APT snapshots to work.

It was 1½ years ago we dropped Claws Mail, and we shouldn't waste time
on adapting this for the Thunderbird migration.

Note that the backslash in the removed `\_${pattern}_`-style sed
patterns just says "the next character will be the delimiter", so _
becomes the delimiter. That allows you to use another delimiter than /
in compination with d, which is nice when the pattern is a path (that
tend to include /). It's a little known sed-feature. Just FYI! :)

This reverts commit b3abf4e5.

Refs: #12375

I could not find where we were doing that previously. Looks like
it was part of what we expect release managers to guess.

This way, we can keep using the "alpha" channel for pre-releases (e.g. betas and
RCs) without advertising not-released-yet upgrades to their users.