1. 19 Oct, 2019 1 commit
      Use keys.openpgp.org's Onion service as the default keyserver (refs: #12689, #14770) · dbfbfa7b
      intrigeri authored
      For background, see #12689 and its various duplicates. The short version is:
      
       - Unfortunately, hkp://jirk5u4osbsr34t5.onion is way too unreliable.
      
       - Most non-tech-savvy OpenPGP users don't use keyservers at all,
         so this change should not affect them much.
      
       - Tech-savvy OpenPGP users who want to use the Web-of-Trust (which
         keys.openpgp.org's design essentially kills) should be able
         to switch to a keyserver of their choosing that includes
         non-self certifications.
      
      Let's use the Onion service instead of hkps://keys.openpgp.org/, so that we
      don't lose end-to-end encryption and authentication of the keyserver in
      Seahorse, which doesn't support hkps://. Alternatively, we could use
      hkps://keys.openpgp.org/ everywhere else, but it feels simpler to use the same
      keyserver everywhere.
      
      At this point, the only Tails systems that are affected by this change are those
      run without GnuPG persistence, and newly created persistent GnuPG configuration.
      Pre-existing persistent GnuPG configuration is not updated (yet).
      
      On the test suite front:
      
       - This commit keeps the Chutney-based redirector setup as-is, except it will
         proxy requests to keys.openpgp.org, instead of pool.sks-keyservers.net
         previously. This should work as long as keys.openpgp.org supports cleartext
         communication on port 11371.
      
       - In theory, our long-term plan is to replace this with a local mock keyserver
         Onion service. We'll see if that's still worth the effort once we redirect
         requests to a more reliable upstream keyserver.
      
       - I'm removing the @fragile tag for torified_gnupg.feature. There might
         be other reasons why these scenarios are fragile; let's learn about them.
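The commit message above argues that an hkp:// URL pointing at an Onion service keeps encryption and authentication of the keyserver even in a client that cannot speak hkps://, while plain hkp:// to a clearnet host has neither. The following POSIX sh helper is an added example that is not part of the Tails code base; it classifies a keyserver URL along exactly that line, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not Tails code: classify the transport protection a
# keyserver URL gets, following the commit message's reasoning:
#   hkps://           -> authenticated and encrypted by TLS          ("tls")
#   hkp:// to .onion  -> encrypted and authenticated end-to-end by Tor ("onion")
#   hkp:// to clearnet-> neither                                      ("cleartext")
# Anything else is reported as "invalid" with a non-zero exit status.
keyserver_transport() {
  url=$1
  case "$url" in
    hkps://*) scheme=hkps; rest=${url#hkps://} ;;
    hkp://*)  scheme=hkp;  rest=${url#hkp://} ;;
    *)        echo invalid; return 1 ;;
  esac
  host=${rest%%/*}                              # drop any path component
  host=${host%%:*}                              # drop any explicit port (e.g. :11371)
  host=$(printf '%s' "$host" | tr 'A-Z' 'a-z')  # .ONION and .onion are the same TLD
  [ -n "$host" ] || { echo invalid; return 1; }
  case "$scheme:$host" in
    hkps:*)      echo tls ;;
    hkp:*.onion) echo onion ;;
    hkp:*)       echo cleartext ;;
  esac
}

# The Seahorse case from the commit message: a client that does not support
# hkps:// only keeps server authentication if the keyserver is an Onion service.
acceptable_without_hkps() {
  [ "$(keyserver_transport "$1")" = onion ]
}
```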
      set time with NTP when a network interface is brought up · 83de04c2
      amnesia authored
      DNS queries about pool.ntp.org are made using the DHCP-provided nameservers,
      when possible, in the script that sets the clock:
      /etc/NetworkManager/dispatcher.d/50-ntp.sh.
      
      Else, we use OpenDNS as Incognito does.
      
      However, we really need /etc/resolv.conf to be set up in a way that makes the
      rest of the system use the local (torified) DNS cache. This is achieved thanks
      to the (properly configured) resolvconf package. Our custom dhclient
      configuration can then be dropped: it was only useful to supersede
      DHCP-provided nameservers, which we do not want to do anymore since we need this
      information, as explained above.
      
      As live-helper manages /etc/resolv.conf in a way that makes it too hard for us
      to ensure the image ends up with the needed symlink to
      /etc/resolvconf/run/resolv.conf, this symlink mangling is done at boot time,
      thanks to a live-initramfs script:
      config/chroot_local-includes/usr/share/initramfs-tools/scripts/live-bottom/00resolv_conf