1. 25 May, 2021 1 commit
  2. 20 Mar, 2021 1 commit
    • intrigeri's avatar
      APT: use non-onion HTTPS sources for Debian repositories · ec836747
      intrigeri authored
      We've observed too much unreliability with Debian's onion APT sources,
      so let's switch to APT sources that should be more reliable.
      Still, to avoid re-introducing fragility wrt. attacks like
      https://www.debian.org/security/2016/dsa-3733 (see refs #8143), we need APT
      sources that support HTTPS, which is not that common.
      My initial intent was to use https://deb.debian.org/, but we lack support for
      SRV records, so that service would HTTP redirect us to one of the CDN instances.
      So I figured skipping this redirection step could be more reliable,
      hence the hard-coding of the Fastly CDN repository sources.
      I'm not too worried about things breaking any time soon due to this hard-coding:
       - The Fastly CDN has backed deb.debian.org since it exists.
       - This configuration is explicitly documented on https://deb.debian.org/.
      So I would expect we would learn about a decommission plan for
      cdn-fastly.deb.debian.org sufficiently in advance to update our config
      in Tails releases before this APT source stops working.
      refs #17993
  3. 08 Oct, 2020 1 commit
  4. 20 Sep, 2020 1 commit
  5. 10 Aug, 2019 1 commit
  6. 11 Jul, 2019 2 commits
  7. 30 Sep, 2018 1 commit
  8. 29 Sep, 2018 1 commit
  9. 23 Sep, 2018 1 commit
    • segfault's avatar
      Fix APT pinning for stretch-backports · d4bd6d00
      segfault authored
      In our own repo, we use "o=Debian", but the official Debian repo uses
      "o=Debian Backports" for backports. Since we change the repo from ours
      to Debian, we also have to change the origin.
      In passing, add a log message and simplify another regex.
  10. 20 Sep, 2018 1 commit
  11. 19 Sep, 2018 1 commit
    • segfault's avatar
      Reconfigure custom APT repo in APT preferences (refs: #15837) · ccbed75e
      segfault authored
      We change our repository from deb.tails.boum.org to jenw7xbd6tf7vfhp.onion
      in the APT sources, so we also have to change it in the APT preferences,
      or else the pinning is ignored and packages from Debian repos are
      installed with higher priority.
  12. 17 Feb, 2017 1 commit
  13. 25 Jan, 2017 2 commits
    • anonym's avatar
      Remove empty APT source files. · bfe9c0ea
      anonym authored
    • anonym's avatar
      Disable -proposed-updates at boot time. · f0e18dec
      anonym authored
      If a Debian point release happens right after a freeze but we have
      decided to enable it before the freeze to get (at least most of) it,
      then we get in the situation where -proposed-updates is enabled in the
      final release, which we don't want. We only want it enabled at build
      Will-fix: #12169
  14. 10 Jan, 2017 1 commit
  15. 27 Aug, 2016 1 commit
  16. 17 May, 2016 1 commit
  17. 03 Jan, 2016 1 commit
  18. 22 Nov, 2015 1 commit
  19. 19 Jan, 2015 2 commits
    • Tails developers's avatar
    • Tails developers's avatar
      Switch to tor+http:// APT sources at boot time instead of at build time (Will-Fix: #8715). · 716fd0b7
      Tails developers authored
      live-build expects to be the only one that manages APT sources.
      Since feature/8194-APT-socks was merged, we're breaking this assumption of its,
      by mangling APT sources under live-build's feet via chroot_local-hooks.
      More specifically, if:
         as is the case when building with Vagrant or when following our manual
         build setup instructions accurately (live-build defaults to
         ftp.de.debian.org for some of its APT configuration),
       * one has dropped .deb's in config/chroot_local-packages, as contributors
         without write access to our APT repository may want to do,
      then after completing the chroot_local-hooks stage, lb_chroot_sources would
      rewrite APT sources to match what we have previously configured (see the check
      at lines 490-498 in live-build 2.x tree), and therefore the ISO image would have
      http:// URLs configured instead of the expected tor+http://.
      Therefore, let's mangle APT sources configuration at boot time instead.