Commit eaddbf52 authored by intrigeri's avatar intrigeri

Merge branch 'stable' into bugfix/16177-ftbfs-mksquashfs-oom-killed

parents 178237f9 535a2d38
...@@ -53,6 +53,7 @@ ...@@ -53,6 +53,7 @@
/config/chroot_local-includes/usr/share/applications/unlock-veracrypt-volumes.desktop /config/chroot_local-includes/usr/share/applications/unlock-veracrypt-volumes.desktop
/config/chroot_local-includes/usr/share/desktop-directories/Tails.directory /config/chroot_local-includes/usr/share/desktop-directories/Tails.directory
/config/chroot_local-includes/usr/share/polkit-1/actions/org.boum.tails.root-terminal.policy /config/chroot_local-includes/usr/share/polkit-1/actions/org.boum.tails.root-terminal.policy
/config/chroot_local-includes/usr/share/polkit-1/actions/org.boum.tails.additional-software.policy
/config/chroot_local-includes/usr/share/unlock-veracrypt-volumes/ui/*.ui /config/chroot_local-includes/usr/share/unlock-veracrypt-volumes/ui/*.ui
/tmp/ /tmp/
......
...@@ -101,11 +101,11 @@ class ImageCreator(object): ...@@ -101,11 +101,11 @@ class ImageCreator(object):
with self.setup_loop_device(): with self.setup_loop_device():
self.create_gpt() self.create_gpt()
self.create_partition() self.create_partition()
self.set_partition_flags() # udisks' create_partition function seems to ignore arg_type
# set_partition_flags() resets the partition type # in Stretch, so we set it via sgdisk.
# before Buster's udisks2 + libblockdev 2.15-1 # XXX:Buster: Remove set_partition_type
# (https://github.com/storaged-project/udisks/issues/418)
self.set_partition_type() self.set_partition_type()
self.set_partition_flags()
# XXX: Rescan? # XXX: Rescan?
self.format_partition() self.format_partition()
with self.mount_partition(): with self.mount_partition():
...@@ -187,38 +187,14 @@ class ImageCreator(object): ...@@ -187,38 +187,14 @@ class ImageCreator(object):
self._partition = partition self._partition = partition
def set_partition_flags(self): def set_partition_flags(self):
logger.info("Setting partition flags") # We use sgdisk directly instead of udisks' set_flags method, because the
# latter sometimes resets the partition type / partition table type
start_time = time.perf_counter() # before Buster's udisks2 + libblockdev 2.15-1
while time.perf_counter() - start_time < WAIT_FOR_PARTITION_TIMEOUT: # (https://github.com/storaged-project/udisks/issues/418)
try: execute(["/sbin/sgdisk", "--attributes=1:=:%x" % SYSTEM_PARTITION_FLAGS, self.image])
self.partition.props.partition.call_set_flags_sync(
arg_flags=SYSTEM_PARTITION_FLAGS,
arg_options=GLib.Variant('a{sv}', None)
)
except GLib.Error as e:
if "GDBus.Error:org.freedesktop.DBus.Error.UnknownMethod: No such interface" in e.message:
time.sleep(0.1)
continue
raise
return
def set_partition_type(self): def set_partition_type(self):
logger.info("Setting partition type") execute(["/sbin/sgdisk", "--typecode=1:%s" % ESP_GUID, self.image])
start_time = time.perf_counter()
while time.perf_counter() - start_time < WAIT_FOR_PARTITION_TIMEOUT:
try:
self.partition.props.partition.call_set_type_sync(
ESP_GUID,
GLib.Variant('a{sv}', None)
)
except GLib.Error as e:
if "GDBus.Error:org.freedesktop.DBus.Error.UnknownMethod: No such interface" in e.message:
time.sleep(0.1)
continue
raise
return
def format_partition(self): def format_partition(self):
logger.info("Formatting partition") logger.info("Formatting partition")
...@@ -329,9 +305,7 @@ class ImageCreator(object): ...@@ -329,9 +305,7 @@ class ImageCreator(object):
'--offset', str(self.partition.props.partition.props.offset), '--offset', str(self.partition.props.partition.props.offset),
'--directory', '/syslinux/', '--directory', '/syslinux/',
'--install', self.image '--install', self.image
], ])
as_root=True # XXX: Why does this only work as root?
)
def reset_timestamps(self): def reset_timestamps(self):
logger.info("Resetting timestamps") logger.info("Resetting timestamps")
...@@ -355,9 +329,7 @@ class ImageCreator(object): ...@@ -355,9 +329,7 @@ class ImageCreator(object):
"::%s" % FILESYSTEM_LABEL]) "::%s" % FILESYSTEM_LABEL])
def execute(cmd: list, as_root=False): def execute(cmd: list):
if as_root and os.geteuid() != 0:
cmd = ['pkexec'] + cmd
logger.info("Executing '%s'" % ' '.join(cmd)) logger.info("Executing '%s'" % ' '.join(cmd))
subprocess.check_call(cmd) subprocess.check_call(cmd)
...@@ -390,6 +362,9 @@ def main(): ...@@ -390,6 +362,9 @@ def main():
if not args.ISO.endswith(".iso"): if not args.ISO.endswith(".iso"):
parser.error("Input file is not an ISO (no .iso extension)") parser.error("Input file is not an ISO (no .iso extension)")
if os.geteuid() != 0:
raise PermissionError("This script must be run as root")
logging.basicConfig(level=logging.INFO) logging.basicConfig(level=logging.INFO)
logging.getLogger('sh').setLevel(logging.WARNING) logging.getLogger('sh').setLevel(logging.WARNING)
......
#! /usr/bin/python3
import hashlib
import io
import json
import sys
from pathlib import Path, PurePath
def sha256_file(filename):
sha256 = hashlib.sha256()
with io.open(filename, mode="rb") as fd:
content = fd.read()
sha256.update(content)
return sha256.hexdigest()
def to_json(data):
return json.dumps(data, indent=4, sort_keys=True)
def target_file_url(channel, filename):
basename = PurePath(filename).name
return '%(baseurl)s/%(channel)s/%(subdir)s/%(basename)s' % {
'baseurl': 'http://dl.amnesia.boum.org/tails',
'channel': channel,
'subdir': PurePath(basename).stem,
'basename': basename,
}
def idf_content(build_target, channel, product_name, version, img, iso):
installation_paths = [
{
'type': 'iso',
'target-files': [{
'url': target_file_url(channel, iso),
'sha256': sha256_file(iso),
'size': Path(iso).stat().st_size,
}],
},
]
if img is not None:
installation_paths += {
'type': 'img',
'target-files': [{
'url': target_file_url(channel, img),
'sha256': sha256_file(img),
'size': Path(img).stat().st_size,
}],
}
return to_json({
'build_target': build_target,
'channel': channel,
'product-name': product_name,
'installations': [{
'version': version,
'installation-paths': installation_paths,
}],
})
if __name__ == '__main__':
import argparse
parser = argparse.ArgumentParser()
parser.add_argument('--build-target', dest='build_target', default='amd64')
parser.add_argument('--channel', default='stable')
parser.add_argument('--product-name', dest='product_name', default='Tails')
parser.add_argument('--version', default=None, required=True,
help='Version of Tails .')
parser.add_argument('--img', default=None,
help='Path to the USB image.')
parser.add_argument('--iso', default=None, required=True,
help='Path to the ISO file.')
args = parser.parse_args()
print(idf_content(build_target=args.build_target,
channel=args.channel,
product_name=args.product_name,
version=args.version,
img=args.img,
iso=args.iso))
...@@ -26,7 +26,7 @@ AMNESIA_ISOHYBRID_OPTS="-h 255 -s 63 --id 42 --verbose" ...@@ -26,7 +26,7 @@ AMNESIA_ISOHYBRID_OPTS="-h 255 -s 63 --id 42 --verbose"
REQUIRED_SYSLINUX_UTILS_UPSTREAM_VERSION="6.03~pre20" REQUIRED_SYSLINUX_UTILS_UPSTREAM_VERSION="6.03~pre20"
# Kernel version # Kernel version
KERNEL_VERSION='4.18.0-2' KERNEL_VERSION='4.18.0-3'
KERNEL_SOURCE_VERSION=$( KERNEL_SOURCE_VERSION=$(
echo "$KERNEL_VERSION" \ echo "$KERNEL_VERSION" \
| perl -p -E 's{\A (\d+ [.] \d+) [.] .*}{$1}xms' | perl -p -E 's{\A (\d+ [.] \d+) [.] .*}{$1}xms'
......
This diff is collapsed.
...@@ -44,8 +44,9 @@ Package: libfunction-parameters-perl ...@@ -44,8 +44,9 @@ Package: libfunction-parameters-perl
Pin: release o=Debian,n=stretch-backports Pin: release o=Debian,n=stretch-backports
Pin-Priority: 999 Pin-Priority: 999
Explanation: freeze exception for #15936. Remove with: git revert $(git blame -L "/#15936/",+1 -l config/chroot_apt/preferences | cut -d' ' -f1)
Package: linux-compiler-* linux-headers-* linux-image-* linux-kbuild-* linux-source-* Package: linux-compiler-* linux-headers-* linux-image-* linux-kbuild-* linux-source-*
Pin: release o=Debian,n=sid Pin: origin deb.tails.boum.org
Pin-Priority: 999 Pin-Priority: 999
Explanation: We ship our custom-built Thunderbird for now, see #6156 Explanation: We ship our custom-built Thunderbird for now, see #6156
......
...@@ -74,13 +74,6 @@ EOF ...@@ -74,13 +74,6 @@ EOF
# (below) and the user is done configuring it. # (below) and the user is done configuring it.
systemctl restart [email protected] systemctl restart [email protected]
# When using a bridge Tor reports TLS cert lifetime errors
# (e.g. when the system clock is way off) with severity "info", but
# when no bridge is used the severity is "warn". tordate/20-time.sh
# depends on grepping these error messages, so we temporarily
# increase Tor's logging severity.
tor_control_setconf "Log=\"info file ${TOR_LOG}\""
# Enable the transports we support. We cannot do this in general, # Enable the transports we support. We cannot do this in general,
# when bridge mode is not enabled, since we then use seccomp # when bridge mode is not enabled, since we then use seccomp
# sandboxing. # sandboxing.
......
...@@ -233,11 +233,6 @@ fi ...@@ -233,11 +233,6 @@ fi
wait_for_working_tor wait_for_working_tor
# Disable "info" logging workaround from 10-tor.sh
if [ "$(tails_netconf)" = "obstacle" ]; then
tor_control_setconf "Log=\"notice file ${TOR_LOG}\""
fi
touch $TORDATE_DONE_FILE touch $TORDATE_DONE_FILE
log "Restarting htpdate" log "Restarting htpdate"
......
...@@ -14,6 +14,25 @@ thunderbird_config_is_persistent() { ...@@ -14,6 +14,25 @@ thunderbird_config_is_persistent() {
[ "$(findmnt --noheadings --output SOURCE --target "${THUNDERBIRD_CONFIG_DIR}")" = "/dev/mapper/TailsData_unlocked[/thunderbird]" ] [ "$(findmnt --noheadings --output SOURCE --target "${THUNDERBIRD_CONFIG_DIR}")" = "/dev/mapper/TailsData_unlocked[/thunderbird]" ]
} }
configure_locale() {
# Thunderbird will set the locale based on the environment when
# this pref is empty, but will then save the result to this pref
# disabling this "guess" for the next time. We want Thunderbird to
# always match the locale of the Tails session.
set_mozilla_pref "${PROFILE}/prefs.js" \
"intl.locale.requested" \
'""' \
user_pref
}
disable_autocrypt() {
# Disable Autocrypt since it is not safe (#15923).
set_mozilla_pref "${PROFILE}/prefs.js" \
"mail.server.default.enableAutocrypt" \
"false" \
user_pref
}
configure_default_incoming_protocol() { configure_default_incoming_protocol() {
# For extensions.torbirdy.defaultprotocol, POP = 0, IMAP = 1 # For extensions.torbirdy.defaultprotocol, POP = 0, IMAP = 1
local default_protocol local default_protocol
...@@ -22,13 +41,26 @@ configure_default_incoming_protocol() { ...@@ -22,13 +41,26 @@ configure_default_incoming_protocol() {
else else
default_protocol=1 default_protocol=1
fi fi
mkdir -p "${PROFILE}"
set_mozilla_pref "${PROFILE}/prefs.js" \ set_mozilla_pref "${PROFILE}/prefs.js" \
"extensions.torbirdy.defaultprotocol" \ "extensions.torbirdy.defaultprotocol" \
"${default_protocol}" \ "${default_protocol}" \
user_pref user_pref
} }
reconfigure_profile() {
mkdir -p "${PROFILE}"
configure_locale
disable_autocrypt
configure_default_incoming_protocol
# Suppress Enigmail's configuration wizard by pretending that the current
# version was already configured. Only do this on first run though:
# once we've done this we let Enigmail manage this setting itself
# so it can run any migration code it wants to on upgrades.
if thunderbird_profile_is_new; then
initialize_enigmail_configured_version
fi
}
thunderbird_profile_is_new() { thunderbird_profile_is_new() {
[ ! -f "${PROFILE}/extensions.ini" ] [ ! -f "${PROFILE}/extensions.ini" ]
...@@ -50,17 +82,7 @@ initialize_enigmail_configured_version() { ...@@ -50,17 +82,7 @@ initialize_enigmail_configured_version() {
start_thunderbird() { start_thunderbird() {
export GNOME_ACCESSIBILITY=1 export GNOME_ACCESSIBILITY=1
unset SESSION_MANAGER unset SESSION_MANAGER
reconfigure_profile
configure_default_incoming_protocol
# Suppress Enigmail's configuration wizard by pretending that the current
# version was already configured. Only do this on first run though:
# once we've done this we let Enigmail manage this setting itself
# so it can run any migration code it wants to on upgrades.
if thunderbird_profile_is_new; then
initialize_enigmail_configured_version
fi
exec /usr/bin/thunderbird --class "Thunderbird" -profile "${PROFILE}" "${@}" exec /usr/bin/thunderbird --class "Thunderbird" -profile "${PROFILE}" "${@}"
} }
......
...@@ -69,15 +69,13 @@ my ($body, $summary); ...@@ -69,15 +69,13 @@ my ($body, $summary);
chomp($vm_name); chomp($vm_name);
if (grep {$_ eq $vm_name} @whitelist) { if (grep {$_ eq $vm_name} @whitelist) {
$summary = gettext("Warning: virtual machine detected!"); $summary = gettext("Warning: virtual machine detected!");
$body =
gettext("Both the host operating system and the virtualization software are able to monitor what you are doing in Tails.");
} }
else { else {
$summary = gettext("Warning: non-free virtual machine detected!"); $summary = gettext("Warning: non-free virtual machine detected!");
$body =
gettext("Both the host operating system and the virtualization software are able to monitor what you are doing in Tails. Only free software can be considered trustworthy, for both the host operating system and the virtualization software.");
} }
$body = gettext("Both the host operating system and the virtualization software are able to monitor what you are doing in Tails. Only free software can be considered trustworthy, for both the host operating system and the virtualization software.");
$notify->create(summary => $summary, $notify->create(summary => $summary,
body => $body, body => $body,
actions => { "moreinfo_$PID" => gettext('Learn more'), }, actions => { "moreinfo_$PID" => gettext('Learn more'), },
......
...@@ -142,7 +142,8 @@ def _notify_failure(summary, details=None): ...@@ -142,7 +142,8 @@ def _notify_failure(summary, details=None):
log. log.
""" """
if details: if details:
# Translators: Don't translate {details}, it's a placeholder and will be replaced. # Translators: Don't translate {details}, it's a placeholder and will
# be replaced.
details = _("{details} Please check your list of additional " details = _("{details} Please check your list of additional "
"software or read the system log to " "software or read the system log to "
"understand the problem.").format(details=details) "understand the problem.").format(details=details)
...@@ -216,7 +217,8 @@ def _format_iterable(iterable): ...@@ -216,7 +217,8 @@ def _format_iterable(iterable):
if len(iterable) == 1: if len(iterable) == 1:
return iterable[0] return iterable[0]
elif len(iterable) > 1: elif len(iterable) > 1:
# Translators: Don't translate {beginning} or {last}, they are placeholders and will be replaced. # Translators: Don't translate {beginning} or {last}, they are
# placeholders and will be replaced.
return _("{beginning} and {last}").format( return _("{beginning} and {last}").format(
beginning=_(", ").join(iterable[:-1]), last=iterable[-1]) beginning=_(", ").join(iterable[:-1]), last=iterable[-1])
else: else:
...@@ -282,7 +284,8 @@ def handle_installed_packages(packages): ...@@ -282,7 +284,8 @@ def handle_installed_packages(packages):
""" """
logging.info("New packages manually installed: %s" % packages) logging.info("New packages manually installed: %s" % packages)
if has_unlocked_persistence(search_new_persistence=True): if has_unlocked_persistence(search_new_persistence=True):
# Translators: Don't translate {packages}, it's a placeholder and will be replaced. # Translators: Don't translate {packages}, it's a placeholder and will
# be replaced.
if _notify(_("Add {packages} to your additional software?").format( if _notify(_("Add {packages} to your additional software?").format(
packages=_format_iterable(packages)), packages=_format_iterable(packages)),
_("To install it automatically from your persistent " _("To install it automatically from your persistent "
...@@ -311,7 +314,8 @@ def handle_installed_packages(packages): ...@@ -311,7 +314,8 @@ def handle_installed_packages(packages):
logging.warning("Warning: persistence storage is locked, can't add " logging.warning("Warning: persistence storage is locked, can't add "
"additional software.") "additional software.")
elif is_tails_media_writable(): elif is_tails_media_writable():
# Translators: Don't translate {packages}, it's a placeholder and will be replaced. # Translators: Don't translate {packages}, it's a placeholder and will
# be replaced.
if _notify(_("Add {packages} to your additional software?").format( if _notify(_("Add {packages} to your additional software?").format(
packages=_format_iterable(packages)), packages=_format_iterable(packages)),
_("To install it automatically when starting Tails, you " _("To install it automatically when starting Tails, you "
...@@ -332,7 +336,8 @@ def handle_installed_packages(packages): ...@@ -332,7 +336,8 @@ def handle_installed_packages(packages):
logging.warning("Cannot create persistent storage on this media.") logging.warning("Cannot create persistent storage on this media.")
if not os.path.isfile(ASP_STATE_INSTALLER_ASKED): if not os.path.isfile(ASP_STATE_INSTALLER_ASKED):
open(ASP_STATE_INSTALLER_ASKED, 'a').close() open(ASP_STATE_INSTALLER_ASKED, 'a').close()
# Translators: Don't translate {packages}, it's a placeholder and will be replaced. # Translators: Don't translate {packages}, it's a placeholder and
# will be replaced.
_notify(_("You could install {packages} automatically when " _notify(_("You could install {packages} automatically when "
"starting Tails").format( "starting Tails").format(
packages=_format_iterable(packages)), packages=_format_iterable(packages)),
...@@ -349,10 +354,12 @@ def handle_removed_packages(packages): ...@@ -349,10 +354,12 @@ def handle_removed_packages(packages):
actually remove them if requested. actually remove them if requested.
""" """
logging.info("Additional packages removed: %s" % packages) logging.info("Additional packages removed: %s" % packages)
# Translators: Don't translate {packages}, it's a placeholder and will be replaced. # Translators: Don't translate {packages}, it's a placeholder and will be
# replaced.
if _notify(_("Remove {packages} from your additional software?").format( if _notify(_("Remove {packages} from your additional software?").format(
packages=_format_iterable(packages)), packages=_format_iterable(packages)),
# Translators: Don't translate {packages}, it's a placeholder and will be replaced. # Translators: Don't translate {packages}, it's a placeholder
# and will be replaced.
_("This will stop installing {packages} automatically.").format( _("This will stop installing {packages} automatically.").format(
packages=_format_iterable(packages)), packages=_format_iterable(packages)),
_("Remove"), _("Remove"),
...@@ -473,15 +480,17 @@ def apt_hook_post(): ...@@ -473,15 +480,17 @@ def apt_hook_post():
os.remove(ASP_STATE_PACKAGES) os.remove(ASP_STATE_PACKAGES)
additional_packages_names = { additional_packages_names = {
filter_package_details(pkg) for pkg in get_additional_packages(search_new_persistence=True) filter_package_details(pkg) for pkg in
get_additional_packages(search_new_persistence=True)
} }
apt_cache = apt.cache.Cache() apt_cache = apt.cache.Cache()
# Filter automatically installed packages and packages already configured # Filter automatically installed packages and packages already configured
# as additional software # as additional software
new_manually_installed_packages = { new_manually_installed_packages = {
pkg for pkg in packages["installed"] if not apt_cache[pkg].is_auto_installed and pkg for pkg in packages["installed"] if (
pkg not in additional_packages_names not apt_cache[pkg].is_auto_installed and
pkg not in additional_packages_names)
} }
if new_manually_installed_packages: if new_manually_installed_packages:
...@@ -493,6 +502,7 @@ def apt_hook_post(): ...@@ -493,6 +502,7 @@ def apt_hook_post():
if additional_packages_removed: if additional_packages_removed:
handle_removed_packages(additional_packages_removed) handle_removed_packages(additional_packages_removed)
def install_additional_packages(upgrade_mode=False): def install_additional_packages(upgrade_mode=False):
"""Subcommand which activates and installs all additional packages. """Subcommand which activates and installs all additional packages.
......
http://torbrowser-archive.tails.boum.org/8.0.3-build1/ http://torbrowser-archive.tails.boum.org/8.0.4-build2/