Clickx 115

home *** CD-ROM | disk | FTP | other *** search

/ Clickx 115 / Clickx 115.iso / software / tools / windows / tails-i386-0.16.iso / live / filesystem.squashfs / usr / share / doc / amnesia / Changelog next >

Wrap

Text File | 2013-01-10 | 81.6 KB | 1,882 lines

tails (0.16) unstable; urgency=low * Minor improvements - Replace the too-easy-to-misclick shutdown button with a better "Shutdown Helper" Gnome applet. - Display ~/Persistent in GNOME Places and GtkFileChooser if it is mounted. - Set Unsafe Browser's window title to "Unsafe Browser". - Install ekeyd to support the EntropyKey. - Install font for Sinhala. - Update Poedit to 1.5.4. - Kill Vidalia when restarting Tor. Doing this as early as possible exposes Vidalia's "broken onion" icon to users less. - Hide the persistence setup launchers in kiosk mode. - Add a shell library for Tor functions. These are shared among multiple of our scripts. - Install dictionaries for supported languages. Install hunspell dictionaries when possible, fall back on myspell ones else. * Bugfixes - Disable IPv6 on all network interfaces. This is a workaround for the IPv6 link-local multicast leak that was recently discovered. Tails has no local service that listens on IPv6, so there should be no regression, hopefully, unless one wants to play with OnionCat and VoIP, but those of us should know how to workaround this anyway. - live-persist: Fix variable mismatch, fixing probe white-list. Tails may previously have been able to list GPT partitions labelled "TailsData" on hard drives (!) as valid persistence volumes... - live-persist: Fix --media option when no devices are attached. Earlier, if it was set to e.g. 'removable-usb' and no USB storage was connected, $whitelistdev would be empty, which is interpreted like all devices are ok by the rest of the code. - Fix SCIM in the autostarted web browser: save IM environment variables to a file during Desktop session startup, and export them into the autostarted browser's environment. - Talk of DVD, not of CD, in the shutdown messages. - Make tordate work in bridge mode with an incorrect clock. When using a bridge Tor reports TLS cert lifetime errors (e.g. when the system clock is way off) with severity "info", but when no bridge is used the severity is "warn". tordate/20-time.sh depends on grepping these error messages, so we termporarily increase Tor's logging severity when using bridge mode. If we don't do this tordate will sleep forever, leaving Tor in a non-working state. ┬╖ White-list root to use Tor's ControlPort. ┬╖ Add logging for is_clock_way_off(). ┬╖ Remove Tor's log before time syncing. We depend on grepping stuff from the Tor log (especially for tordate/20-time.sh), so deleting it seems like a Good Thing(TM). ┬╖ Stop Tor before messing with its log or data dir. - live-persist: limit searched devices the same way as live-boot. If no --media argument is specified, use live-boot's "(live-media|bootfrom)=removable(|-usb)" argument to limit devices searched for a persistent volume. - tails-greeter: do not pass media=removable to live-persist. Now that we have autodetection with kernel command-line, it should not be needed anymore. - Start memlockd after configuring it, instead of starting it before and restarting it after. This avoids running memlockd twice, and prevents other possibly surprising race-conditions. As a consequence, also have tails-sdmem-on-media-removal start after the memlockd service *and* tails-reconfigure-memlockd: to start the watchdog, we need memlockd to be properly configured *and* running. * iceweasel - Set iceweasel homepage to the news section on the Tails website. ... using the localized one when possible. - Hide the iceweasel add-on bar by default. Now that we don't want to ship the Monkeysphere addon anymore, that was the only one displayed in there, we can as well hide the whole bar. - Don't hide the AdBlock-Plus button in the add-on bar anymore. Now that we hide the whole addon bar, we can get rid of this old UX improvement. - Do not install a placeholder (fake) FireGPG iceweasel extension anymore. It was shipped from 0.10 (early 2012) to 0.15 (late November), so the migration period should be over now. - Don't install xul-ext-monkeysphere anymore. The implication of the current keyserver policy are not well understood, Monkeysphere is little used in Tails, and we're not sure anymore it would be our first bet for the web browser profile with no CA. Let's keep the various configuration bits (e.g. FoxyProxy, patching MSVA), though, so that advanced users who are used to have Monkeysphere in Tails just have to install the package. * Build system - Install the "standard" task with tasksel for better consistency in the Tails ISO images built in various environments. - Install p7zip-full. It's a dep by file-roller, but we explicily use it elsewhere, and it's better to be safe than sorry. - Remove pinning of libvpx0 to sid. This package is part of Squeeze, and not from testing/sid. We have been shipping the version from Squeeze for a while. - Remove config/chroot_local-packages/ from .gitignore. The documented way for "external" contributors to add custom packages is to put them in chroot_local-packages, and once we pull we import any such package into our APT repo and rewrite the history appropriately. Also, the ability to add packages in there and not see them in "git status" makes it very easy to build tainted ISO images with non-standard packages, which makes some of us fear can lead to hard to debug situations. - Make it clearer what can and cannot be done in terms of local packages. -- Tails developers <amnesia@boum.org> Thu, 10 Jan 2013 12:47:42 +0100 tails (0.15) unstable; urgency=low * Major new features - Persistence for browser bookmarks. - Support for obfsproxy bridges. * Minor improvements - Add the Hangul (Korean) Input Method Engine for SCIM. - Add vendor-specific dpkg origin information. This makes dpkg-vendor return correct information. - Install pcscd and libccid from squeeze-backports. This is needed to support, to some extent, some OpenPGP SmartCard readers. - Install HPIJS PPD files and the IJS driver (hpijs). This adds support for some printers, such as Xerox DocumentCenter400. - Optimize fonts display for LCD. - Update TrueCrypt to version 7.1a. * Bugfixes - Do not use pdnsd anymore. It has been orphaned in Debian, has quite some bugs in there, and apparently Tor's DNSPort's own caching is be good enough. - Remove useless iceweasel cookies exceptions. They are useless as per-session cookies are allowed. - Do not run setupcon on X. This call is only needed on the Linux console, no need to annoy the user with a weird "Press enter to activate this console" when the open a root shell in a GNOME Terminal. - Allow the tails-iuk-get-target-file user to connect to the SOCKSPort dedicated for Tails-specific software. - Fix gpgApplet menu display in Windows camouflage mode. - Fix Tor reaching an inactive state if it's restarted in "bridge mode", e.g. during the time sync' process. * Iceweasel - Update iceweasel to 10.0.11esr-1+tails1. - User profile is now generated at build time in order to support persistent bookmarks. - Update HTTPS Everywhere to version 3.0.4. - Update NoScript to version 2.6. - Fix bookmark to I2P router console. - Re-enable Monkeysphere extension to connect to the validation agent. * Localization - The Tails USB installer, tails-persistence-setup and tails-greeter are now translated into Bulgarian. - Update Chinese translation for tails-greeter. - Update Euskadi translation for WhisperBack. * Build system - Custom packages are now retrieved from Tails APT repository instead of bloating the Git repository. - Allow '~' in wiki filenames. This makes it possible to ship update-description files for release candidates. - Document how to create incremental update kit. - Handle release candidates when generating custom APT sources. - Remove pinning for xul-ext-adblock-plus. It is obsolete since we've added this package to our APT repository. -- Tails developers <amnesia@boum.org> Sun, 25 Nov 2012 12:59:17 +0100 tails (0.14) unstable; urgency=low * Major new features - Enable Tor stream isolation; several new SocksPorts with appropriate Isolate* options have been added for different use cases (i.e. applications). All application's have been reconfigured to use these new SocksPorts, which should increase anonymity by making it more difficulte to correlate traffic from different applications or "online identities". - The web browser now has the anonymity enhancing patches from the TorBrowser applied. - gpgApplet can now handle public-key cryptography. - Install an additional, PAE-enabled kernel with NX-bit support. This kernel is auto-selected when the hardware supports it and will: * provide executable space protection, preventing certain types of buffer overflows from being exploitable. * enable more than 4 GiB of system memory. * make all processors/cores available, including their power-saving functionality. - Add a persistence preset for NetworkManager connections. * Minor improvements - On kexec reboot, make the boot quiet only if debug=wipemem was not enabled. - Update torproject.org's APT repo key. - Update the embedded Tails signing key. - Use symlinks instead of duplicating localized searchplugins. - Rewrite Tails firewall using ferm. Tails firewall was written in very unsophisticated iptables-save/restore format. As more feature creeped in, it started to be quite unreadable. - Optimize VirtualBox modules build at runtime to avoid installing the userspace utils N times. - Drop most of Vidalia's configuration. Our custom lines just caused trouble (with multiple SocksPorts) and the default works well. - Blacklist PC speaker module. On some computers, having the pcspkr module loaded means loud beeps at bootup, shutdown and when using the console. As it draws useless attention to Tails users, it is better to prevent Linux from loading it by default. - Remove all addons from the Unsafe Browser. No addons are essential for the Unsafe Browser's intent. If anything they will modify the network fingerprint compared to a normal Iceweasel install, which is undesirable. - Prevent some unwanted packages to be installed at all, rather than uninstalling them later. This should speed up the build a bit. - Add a symlink from /etc/live/config to /etc/live/config.d. This makes the system compatible with live-config 3.0.4-1, without breaking backward compatibility with various parts of the system that use the old path. - Do not run unecessary scripts during shutdown sequence, to make shutdown faster. - Make live-persist deal with persistent ~/.gconf subdirs so that any options saved therein actually get persistent. - Prevent memlockd unload on shutdown, to make sure that all necessary tools for memory wiping are available when the new kernel has kexec'd. - Patch initscripts headers instead of fiddling with update-rc.d. We now let insserv figure out the correct ordering for the services during startup and shutdown, i.e. use dependency-based boot sequencing. - Remove the last absolute path in our isolinux config, which makes it easier to migrate from isolinux to syslinux (just rename the directory), and hence might make it easier for 3rd party USB installers (like the Universal USB Installer) to support Tails. * Bugfixes - Include `seq` in the ramdisk environment: it is used to wipe more memory. This fixes the long-standing bug about Tails not cleaning all memory on shutdown. - Fix Yelp crashing on internal links - Allow amnesia user to use Tor's TransPort. This firewall exception is necessary for applications that doesn't have in-built SOCKS support and cannot use torsocks. One such example is Claws Mail, which uses tsocks since torsocks makes it leak the hostname. This exception, together with Tor's automatic .onion mapping makes Claws Mail able to use hidden service mail providers again. - Force threads locking support in Python DBus binding. Without this liveusb-creator doesn't work with a PAE-enabled kernel. - Fix localized search plugins for 'es' and 'pt' - Fix live-boot's readahead, which caused an unnecessary pause during boot. - Factorize GCC wanted / available version numbers in VirtualBox modules building hook. This, incidentally, fixes a bug caused by duplication and not updating all instances. - Fix tordate vs. Tor 0.2.3.x. Since 0.2.3.x Tor doesn't download a consensus for clocks that are more than 30 days in the past or 2 days in the future (see commits f4c1fa2 and 87622e4 in Tor's git repo). For such clock skews we set the time to the Tor authority's cert's valid-after date to ensure that a consensus can be downloaded. * Tor - Update to version 0.2.3.24-rc-1~~squeeze+1, a new major version. It's not a stable release, but we have been assured by the Tor developers that this is the right move. - Stop setting custom value for the Tor LongLivedPorts setting. Gobby's port was upstreamed in Tor 0.2.3.x. * Iceweasel - Update to 10.0.10esr-1+tails1, which has all the anonymity enhancing patches from the TorBrowser applied. - Install iceweasel from our own repo, http://deb.tails.boum.org. - Fix Iceweasel's file associations. No more should you be suggested to open a PDF in the GIMP. * htpdate - Use curl instead of wget, and add a --proxy option passed through to curl. - Remove the --fullrequest option, we don't need it anymore. - Remove --dns-timeout option, we don't need it anymore. - Change --proxy handling to support Debian Squeeze's curl. - Clarify what happens if --proxy is not used. - Compute the median of the diffs more correctly. * Hardware support - Update Linux to 3.2.32-1. * Software - Update vidalia to 0.2.20-1+tails1. - Update bundled WhisperBack package to 1.6.2: * Raise the socket library timeout to 120 seconds * Use smtplib's timeout parameter * Fix error output when calling send a 2nd time - Update liveusb-creator to 3.11.6-3. - Update i2p to 0.9.2. - Update tails-persistence-setup to 0.20-1, which should make it possible to install Tails on large (>= 32 GiB) USB drives. - Install console-setup and keyboard-configuration from unstable (required by new initramfs-tools). - Update tails-greeter to 0.7.3: * Import pt_BR translation. * Let langpanel usable during option selection stage * Print less debugging messages by default (below are changes in tails-greeter 0.7.2:) * Use correct test operators. * Generate language codes of available locales at package build time. * Read list of language codes from where we have saved it at package build time. * Drop tails-lang-helper, not used anymore. * Do not compile locales at login time anymore. Tails now ships locales-all. - Import live-config{,-sysvinit} 3.0.8-1. live-config >= 3.0.9-1 has basically nothing useful for us, and it migrates to new paths brought by live-boot 3.0~b7, which we're not ready for yet (see: todo/newer_live-boot). * Localization - Fix Tails specific Iceweasel localization for pt-BR - Add Japanese input system: scim-anthy. - whisperback is now also translated into German, Hebrew, Hungarian, Italian and Korean. - tails-persistence-setup is now also translated into Arabic. - tails-greeter is now also translated into Arabic, Hebrew, Basque, Hungarian, Italian and Chinese. * Build system - Catch more errors in during build time: - Ensure that all local hooks start with 'set -e'. - Fail hard if adduser fails in local hooks. - Fail hard if 'rm' fails in local hooks. - vagrant: Ensure we have the set of Perl packages needed by our Ikiwiki - vagrant: Configure live-build to ship with ftp.us.debian.org. Using cdn.debian.net leads to bad interactions with Tor. - vagrant: Don't use gzip compression when building from a tag, i.e. a release. - vagrant: Optionally use bootstrap stage cache for faster builds via the 'cache' build option. - vagrant: Make sure release builds are clean, i.e. they don't use any potentially dangerous build options. - vagrant: Disable live-build package caching. This build system is meant to use an external caching proxy, so live-build's cache just wastes RAM (for in-memory builds) or disk space. - vagrant: use aufs magic instead of copying source into tmpfs. This reduces the amount of RAM required for building Tails in. - vagrant: Allow in-memory builds when a VM with enough memory is already started. -- Tails developers <amnesia@boum.org> Sat, 10 Nov 2012 12:34:56 +0000 tails (0.13) unstable; urgency=low * Major new features - Use white-list/principle of least privelege approach for local services. Only users that need a certain local (i.e. hosted on loopback) service (according to our use cases) are granted access to it by our firewall; all other users are denied access. - Ship a first version of the incremental update system. Updates are not currently triggered automatically, but this will allow tests to be done on larger scales. * Minor improvements - Enable four workspaces in the Windows XP camouflage. This allows users to quickly switch to a more innocent looking workspace in case they are working on sensitive data and attract unwanted attention. The workspace switcher applet isn't there, though, since there's no such thing in Windows XP, so switching is only possible via keyboard shortcuts. - Ship with precompiled locales instead of generating them upon login. - Add support for wireless regulation. - Use color for Git output, not intended for machine consumption, written to the terminal. - Have ttdnsd use OpenDNS. Using Google's DNS servers was very glitchy, and rarely succeeded when it should. It can probably be attributed to Google's DNS, which is known to take issue with Tor exits. - Upgrade WhisperBack to 1.6, with many UI improvements and new translations. - Include GDM logs and dmidecode informations in the reports. - Allow to modify language and layout in the "Advanced options" screen of the greeter. - GnuPG: bump cert-digest-algo to SHA512. - Update torproject.org's APT repo key. * Bugfixes - Make Claws Mail save local/POP emails in its dot-directory. The default is to save them at ~/Mail, which isn't included in our current Claws Mail persistence preset. - Fix the System Monitor applet. - Remove broken ttdnsd from the default DNS resolution loop. - Hide the 'TailsData' partition in desktop applications. - Ship unrar-free again, so that the GNOME archive manager knows about it. - Ship with an empty whitelist for Noscript. - Disable FoxyProxy's advertisement on proxy error page. - Fix slow browsing experience for offline documentation. - Raise the socket timeout to 120 seconds in WhisperBack. - Enable the ikiwiki trail plugin for the locally built wiki too. * Iceweasel - Upgrade iceweasel to 10.0.6esr-1 (Extended Support Release) and install it and its dependencies from squeeze-backports. * Hardware support - Upgrade Linux to 3.2.23-1. * Software - Update tor to version 0.2.2.39. - Update Iceweasel to version 10.0.7esr-2. - Update i2p to version 0.9.1. * Build system - vagrant: Install Ikiwiki from Debian unstable. The 'mirrorlist' patches have finally been merged in upstream Ikiwiki. So instead of building Ikiwiki by hand, we can now install the package directly from Debian unstable. - Do not build the ikiwiki forum on the bundled static website copy. -- Tails developers <amnesia@boum.org> Mon, 17 Sep 2012 15:19:25 +0200 tails (0.12.1) unstable; urgency=low This is a brown paper bag release to fix two major problems introduced in Tails 0.12. * Iceweasel - Upgrade Torbutton to 1.4.6. - Upgrade AdBlock Plus to 2.1. - Update AdBlock Plus patterns. * Hardware support - Upgrade Linux to 3.2.21-3 (linux-image-3.2.0-3-486). * Software - Install MAT from Debian backports, drop custom package. - Install python-pdfrw to re-add PDF support to the MAT. - Upgrade tails-greeter to 0.7.1, which fixes the race condition that broke administration password and locale settings on some systems. * Boot - Remove the Tails specific plymouth theme. The theme interfers heavily with the boot process on some hardware. -- Tails developers <amnesia@boum.org> Mon, 17 Sep 2012 13:06:03 +0200 tails (0.12) unstable; urgency=low * Major new features - Add the Unsafe Web Browser, which has direct access to the Internet and can be used to login to captive portals. - The (previously experimental, now deemed stable) Windows camouflage can now be enabled via a check box in Tails greeter. * Tor - Upgrade to 0.2.2.37-1~~squeeze+1. * Iceweasel - Upgrade iceweasel to 10.0.5esr-1 (Extended Support Release) and install it and its dependencies from squeeze-backports. - Add a bookmark for the offline Tails documentation. - Update AdBlock patterns. * Persistence - Allow using larger USB drives by increasing the mkfs timeout to 10 minutes. - Tell the user what's going on when the Tails boot device cannot be found. * Hardware support - Upgrade Linux to 3.2.20-1 (linux-image-3.2.0-2-amd64). * Software - Install rfkill. - Install torsocks. Note that this makes `torify' use `torsocks' instead of `tsocks'. The `tsocks' binary is dropped to avoid problems, but remaining files (the library) are kept since ttdnsd depends on them. - Fetch live-config-sysvinit from sid so that it matches live-config version. - Update virtualbox backports to 4.1.10-dfsg-1~bpo60+1. - Install pciutils (needed by virtualbox-guest-utils). - Install mousetweaks. This is needed to use the mouse accessibility settings in System -> Preferences -> Mouse -> Accessibility. - Install the "hardlink" files deduplicator. - Do not install cryptkeeper anymore. See todo/remove_cryptkeeper for reason. Users of cryptkeeper are encouraged to install cryptkeeper via `apt-get update; apt-get install --yes cryptkeeper`, open their volume and move their to Tails' built-in persistence instead, as a one-time migration. - Upgrade I2P to version 0.9. - Don't install GParted. GNOME Disk Utility has been on par with GParted since Squeeze was released. - Upgrade live-boot to 3.0~a27-1+tails2~1.gbp319fe6. - Upgrade live-config to 3.0~a39-1 and install it from Debian experimental. - Upgrade tails-greeter to 0.7. - Upgrade tails-persistence-setup to 0.17-1. - Install libyaml-libyaml-perl. - Upgrade MAT, the metadata anonymisation toolkit, 0.3.2-1~bpo60+1. - Fetch python-pdfrw from backports, drop custom package. * Internationalization - The Tails website and documentation now has a (partial) Portuguese translation. * Build system - Tails can now be built without using a HTTP proxy. - Tails can now easily be built by using Vagrant. See the updated contribute/build page for instructions. * Boot - Remove obsolete noswap boot parameter. live-boot now handles swap on an opt-in basis. - The squashfs.sort files generated with boot-profile should now be ok which makes the generate images boot noticeably faster on optical media. See bugs/weird_squashfs.sort_entries for more information. - Set Tails specific syslinux and plymouth themes. - Add NVidia KMS video drivers to the initrd in order to show our shiny new plymouth theme on more systems. -- Tails developers <amnesia@boum.org> Mon, 11 Jun 2012 13:37:00 +0200 tails (0.11) unstable; urgency=low * Major new features - Do not grant the desktop user root credentials by default. - A graphical boot menu (tails-greeter 0.6.3) allows choosing among many languages, and setting an optional sudoer password. - Support opt-in targeted persistence ┬╖ tails-persistence-setup 0.14-1 ┬╖ live-boot 3.0~a25-1+tails1~5.gbp48d06c ┬╖ live-config 3.0~a35-1 - USB installer: liveusb-creator 3.11.6-1 * iceweasel - Install iceweasel 10.0.4esr-1 (Extended Support Release). Let's stop tracking a too fast moving target. Debian Wheezy will ship ESR versions. - Install needed dependencies from squeeze-backports. - Search plugins: ┬╖ Remove bing. bing appeared due to our upgrading iceweasel. Removing it makes things consistent with the way they have been until now, that is: let's keep only the general search engines we've been asked to add, plus Google, and a few specialized ones. ┬╖ Replace Debian-provided DuckDuckGo search plugin with the "HTML SSL" one, version 20110219. This is the non-JavaScript, SSL, POST flavour. ┬╖ Add ixquick.com. ┬╖ Install localized search engines in the correct place. No need to copy them around at boot time anymore. ┬╖ Remove Scroogle. RIP. - Enable TLS false start, like the TBB does since December. - Adblock Plus: don't count and save filter hits, supress first run dialog. - Install neither the GreaseMonkey add-on, nor any GreaseMonkey script. YouTube's HTML5 opt-in program is over. HTML5 video support is now autodetected and used. * Vidalia - Upgrade to 0.2.17-1+tails1: drop Do-not-warn-about-Tor-version.patch, applied upstream. - Set SkipVersionCheck=true. Thanks to chiiph for implementing this upstream (needs Vidalia 0.2.16+). * Internationalization - Install all available iceweasel l10n packages. - Remove syslinux language choosing menu. tails-greeter allows choosing a non-English language. - Add fonts for Hebrew, Thai, Khmer, Lao and Korean languages. - Add bidi support. - Setup text console at profile time. Context: Tails runs with text console autologin on. These consoles now wait, using a "Press enter to activate this console" message, for the user. When they press enter in there, they should have chosen their preferred keyboard layout in tails-greeter by now. Then, we run setupcon. As a result, the resulting shell is properly localized, and setupcon sets the correct keyboard layout, both according to the preferences expressed by the user in tails-greeter. - Don't use localepurge, don't remove any Scribus translations anymore, don't localize environment at live-config time: tails-greeter allows us to support many, many more languages. * Hardware support - Linux 3.2.15-1 (linux-image-3.2.0-2-amd64). - Fix low sound level on MacBook5,2. - Disable laptop-mode-tools automatic modules. This modules set often needs some amount of hardware-specific tweaking to work properly. This makes them rather not well suited for a Live system. * Software - Install GNOME keyring. This is needed so that NetworkManager remembers the WEP/WPA secrets for the time of a Tails session. Initialize GNOME keyring at user creation time. - Install usbutils to have the lsusb command. - Install the Traverso multitrack audio recorder and editor. * Miscellaneous - GNOME Terminal: keep 8192 scrollback lines instead of the smallish default. - Replaced tails-wifi initscript with laptop-mode-tools matching feature. - Disable gdomap service. - Fetch klibc-utils and libklibc from sid. The last initramfs-tools depends on these. - Set root password to "root" if debug=root is passed on the kernel cmdline. Allow setting root password on kernel cmdline via rootpw=. Looks like we implemented this feature twice. - Append a space on the kernel command line. This eases manually adding more options. - Rename sudoers.d snippets to match naming scheme. Sudo credentials that shall be unconditionally granted to the Tails default user are named zzz_*, to make sure they are applied. - WhisperBack: also include /var/log/live-persist and /var/lib/gdm3/tails.persistence. - Add a wrapper to torify whois. - Rework the VirtualBox guest modules building hook to support multiple kernels. - Consistently wait for nm-applet when waiting for user session to come up. Waiting for gnome-panel or notification-daemon worked worse. - Don't start the NetworkManager system service via init. Some Tails NM hooks need the user to be logged in to run properly. That's why tails-greeter starts NetworkManager at PostLogin time. - Also lock /bin/echo into memory. For some reason, kexec-load needs it. - Pidgin: don't use the OFTC hidden service anymore. It proved to be quite unreliable, being sometimes down for days. - Do not display storage volumes on Desktop, by disabling /apps/nautilus/desktop/volumes_visible GConf entry. Enabling that GConf setting avoids displaying the bind-mounted persistent directories on the Desktop, and reduces user confusion. It also is a first step towards a bigger UI change: GNOME3 does not manage the Desktop anymore, so volume icons and other Desktop icons are meant to disappear anyway. It implies we'll have to move all Desktop icons elsewhere. Let's start this move now: this will smooth the UI change Wheezy will carry for our users, by applying some of it progressively. * Build system - Don't build hybrid ISO images anymore. They boot less reliably on a variety of hardware, and are made less useful by us shipping a USB installer from now on. - Append .conf to live-config configuration filenames: live-config >3.0~a36-1 only takes into account files named *.conf in there. Accordingly update scripts that source these files. - Remove long-obsolete home-refresh script and its configuration. * Virtualization support - Support Spice and QXL: install the Spice agent from Debian sid, install xserver-xorg-video-qxl from squeeze-backports. -- Tails developers <amnesia@boum.org> Tue, 17 Apr 2012 14:54:00 +0200 tails (0.10.2) unstable; urgency=low * Iceweasel - Update to 10.0.2-1. - Disable HTTPS-Everywhere's SSL Observatory (plus first-run pop-up). - Revert "FoxyProxy: don't enclose regexps between ^ and $." Currently "http://www.i2p2.de" (and everything similar) is captured by the I2P filter, which is incorrect. It seems isMultiLine="false" does *not* make RE into ^RE$ any longer. - Remove file:// from NoScript's exception lists. This will fix the JavaScript toggles in the local copy of the documentation. - Update AdBlock patterns. * Software - Upgrade I2P to 0.8.13. - Install libvpx0 from sid. - Fetch klibc-utils and libklibc from sid. The last initramfs-tools depends on these. * Hardware support - Upgrade Linux kernel to 3.2.7-1. - Install firmware-libertas. This adds support for wireless network cards with Marvell Libertas 8xxx chips supported by the libertas_cs, libertas_sdio, libertas_spi, libertas_tf_usb, mwl8k and usb8xxx drivers. * Miscellaneous - Revert "Set time to middle of [valid-after, fresh-until] from consensus." This reverts commit 18d23a500b9412b4b0fbe4e38a9398eb1a3eadef. With this vmid clocks that are E minutes back in time may cause issues (temporary Tor outages) after consensus updates that happen at the (60-E):th minute or later during any hour. Full analysis: https://mailman.boum.org/pipermail/tails-dev/2012-January/000873.html - Add the default user to the vboxsf group. This will allow the user to get full access to automounted VirtualBox shared folders as they are mounted with guid vboxsf and rwx group permissions. -- Tails developers <amnesia@boum.org> Thu, 01 Mar 2012 20:26:21 +0100 tails (0.10.1) unstable; urgency=low * Iceweasel - Make Startpage the default web search engine. Scroogle does not look reliable enough these days. * Software - Upgrade WhisperBack to 1.5.1 (update link to bug reporting documentation). - Update MAT to 0.2.2-2~bpo60+1 (fixes a critical bug in the GUI). * Hardware support - Upgrade Linux kernel to 3.2.1-2 * Time synchronization Serious rework that should fix most, if not all, of the infamous time-sync' related bugs some Tails users have experienced recently. - Make htpdate more resilient by using three server pools, and allowing some failure ratio. - Set time from Tor's unverified-consensus if needed. - Set time to middle of [valid-after, fresh-until] from consensus. - Many robustness, performance and fingerprinting-resistance improvements. - Display time-sync' notification much earlier. * Miscellaneous - Fix access to "dumb" git:// protocol by using a connect-socks wrapper as GIT_PROXY_COMMAND. - SSH client: fix access to SSH servers on the Internet by correcting Host / ProxyCommand usage. - Pidgin: use OFTC hidden service to workaround Tor blocking. - Claws Mail: disable draft autosaving. When composing PGP encrypted email, drafts are saved back to the server in plaintext. This includes both autosaved and manually saved drafts. - tails-security-check-wrapper: avoid eating all memory when offline. -- Tails developers <amnesia@boum.org> Sat, 28 Jan 2012 10:00:31 +0100 tails (0.10) unstable; urgency=low * Tor: upgrade to 0.2.2.35-1. * Iceweasel - Install Iceweasel 9.0 from the Debian Mozilla team's APT repository. - Update Torbutton to 1.4.5.1-1. - Support viewing any YouTube video that is available in HTML5 format: install xul-ext-greasemonkey and the "Permanently Enable HTML5 on YouTube" GreaseMonkey script. - Stop using Polipo in Iceweasel. Its SOCKS support was fixed. - Install from Debian sid the iceweasel extensions we ship, for compatibility with FF9. - Use Scroogle (any languages) instead of Scroogle (English only) when booted in English. Many users choose English because their own language is not supported yet; let's not hide them search results in their own language. - Install Iceweasel language packs from Debian unstable: unfortunately they are not shipped on the mozilla.debian.net repository. - Install the NoScript Firefox extension; configure it the same way as the TBB does. - Disable third-party cookies. They can be used to track users, which is bad. Besides, this is what TBB has been doing for years. - FoxyProxy: allow direct connections to RFC1918 IPs. * Do not transparent proxy outgoing Internet connections through Tor. - Torify the SSH client using connect-proxy to all IPs but RFC1918 ones. - Torify APT using Polipo HTTP. - Torify wget in wgetrc. - Torify gobby clients using torsocks. It does not support proxies yet. - Torify tails-security-check using LWP::UserAgent's SOCKS proxy support. - Fix enabling of GNOME's HTTP proxy. * Software - Upgrade Vidalia to 0.2.15-1+tails1. ┬╖ New upstream release. ┬╖ Do not warn about Tor version. - Upgrade MAT to 0.2.2-1~bpo60+1. - Upgrade VirtualBox guest software to 4.1.6-dfsg-2~bpo60+1, built against the ABI of X.Org backports. - Upgrade I2P to 0.8.11 using KillYourTV's Squeeze packages; additionally, fix its start script that was broken by the tordate merge. - Install unar (The Unarchiver) instead of the non-free unrar. - Install Nautilus Wipe instead of custom Nautilus scripts. * Hardware support - Upgrade Linux kernel to 3.1.6-1. - Upgrade to X.Org from squeeze-backports. - Install more, and more recent b43 firmwares. - Upgrade barry to 0.15-1.2~bpo60+1. * Internationalization - Add basic language support for Russian, Farsi and Vietnamese. - Install some Indic fonts. - Install some Russian fonts. - Add Alt+Shift shortcut to switch keyboard layout. * Miscellaneous - Support booting in "Windows XP -like camouflage mode": ┬╖ Install homebrewn local .debs for a Windows XP look-alike Gnome theme. ┬╖ Add the "Windows XP Bliss" desktop wallpaper. ┬╖ Added a script that's sets up Gnome to look like Microsoft Windows XP. ┬╖ Add Windows XP "camouflage" icons for some programs. ┬╖ Make Iceweasel use the IE icon when Windows XP camouflage is enabled. ┬╖ Add special launcher icons for the Windows XP theme so that they're not too big. - Decrease Florence focus zoom to 1.2. - Do not fetch APT translation files. Running apt-get update is heavy enough. - Add MSN support thanks to msn-pecan. - Add custom SSH client configuration: ┬╖ Prefer strong ciphers and MACs. ┬╖ Enable maximum compression level. ΓÇ»┬╖ Explicitly disable X11 forwarding. ┬╖ Connect as root by default, to prevent fingerprinting when username was not specified. - Replace flawed FireGPG with a home-made GnuPG encryption applet; install a feature-stripped FireGPG that redirects users to the documentation, and don't run Seahorse applet anymore. - Enable Seahorse's GnuPG agent. - Blank screen when lid is closed, rather than shutting down the system. The shutdown "feature" has caused data losses for too many people, it seems. There are many other ways a Tails system can be shut down in a hurry these days. - Import Tails signing key into the keyring. - Fix bug in the Pidgin nick generation that resulted in the nick "XXX_NICK_XXX" once out of twenty. - Pre-configure the #tor IRC discussion channel in Pidgin. - Fix "technology preview" of bridge support: it was broken by tordate merge. - Install dependencies of our USB installer to ease its development. - Make vidalia NM hook sleep only if Vidalia is already running. - Reintroduce the htpdate notification, telling users when it's safe to use Tor Hidden Services. - htpdate: omit -f argument to not download full pages. - htpdate: write success file even when not within {min,max}adjust. Otherwise htpdate will not "succeed" when the time diff is 0 (i.e. the clock was already correct) so the success file cannot be used as an indicator that the system time now is correct, which arguably is its most important purpose. * Build system - Name built images according to git tag. -- Tails developers <tails@boum.org> Wed, 04 Jan 2012 09:56:38 +0100 tails (0.9) unstable; urgency=low * Tor - Upgrade to 0.2.2.34 (fixes CVE-2011-2768, CVE-2011-2769). * Iceweasel - Upgrade to 3.5.16-11 (fixes CVE-2011-3647, CVE-2011-3648, CVE-2011-3650). - Upgrade FireGPG to 0.8-1+tails2: notify users that the FireGPG Text Editor is the only safe place for performing cryptographic operations, and make it impossible to do otherwise. Other ways open up several severe attacks through JavaScript (e.g. leaking plaintext when decrypting, signing messages written by the attacker). - Install Cookie Monster extension instead of CS Lite. - Always ask where to save files. - Upgrade Torbutton to 1.4.4.1-1, which includes support for the in-browser "New identity" feature. * Software - Install MAT, the metadata anonymisation toolkit. - Upgrade TrueCrypt to 7.1. - Upgrade WhisperBack to 1.5~rc1 (leads the user by the hand if an error occurs while sending the bugreport, proposes to save it after 2 faild attempts, numerous bugfixes). - Linux: upgrade to linux-image-3.0.0-2-486 (version 3.0.0-6); fixes a great number of bugs and security issues. * Miscellaneous - Fully rework date and time setting system. - Remove the htp user firewall exception. - Saner keyboard layouts for Arabic and Russian. - Use Plymouth text-only splash screen at boot time. - Color the init scripts output. - Suppress Tor's warning about applications doing their own DNS lookups. This is totally safe due to our Tor enforcement. - Disable hdparm boot-time service. We only want hdparm so that laptop-mode-tools can use it. - Run Claws Mail using torify. It's not as good as if Claws Mail supported SOCKS proxies itself, but still better than relying on the transparent netfilter torification. - Install HPLIP and hpcups for better printing support. * Erase memory at shutdown - Run many sdmem instances at once. In hope of erasing more memory until we come up with a proper fix for [[bugs/sdmem_does_not_clear_all_memory]]. - Kill gdm3 instead of using its initscript on brutal shutdown. - Use absolute path to eject for more robust memory wipe on boot medium removal. * Space savings - Exclude kernel and initramfs from being put into the SquashFS. Those files are already shipped where they are needed, that is in the ISO filesystem. Adapt kexec and memlockd bits. - Do not ship the GNOME icon theme cache. - Do not ship .pyc files. - Do not ship NEWS.Debian.gz files. * Build system - Re-implement hook that modifies syslinux config to make future development easier. -- Tails developers <amnesia@boum.org> Tue, 01 Nov 2011 13:26:38 +0100 tails (0.8.1) unstable; urgency=low * Iceweasel - Update to 3.5.16-10 (fixes DSA-2313-1). - FireGPG: force crypto action results to appear in a new window, otherwise JavaScript can steal decrypted plaintext. Advice: always use FireGPG's text editor when writing text you want to encrypt. If you write it in a textbox the plaintext can be stolen through JavaScript before it is encrypted in the same way. - Update HTTPS Everywhere extension to 1.0.3-1. - Stop using the small version of the Tor check page. The small version incorrectly tells Tails users to upgrade their Torbrowser, which has confused some users. * Software - Update Linux to 3.0.0-2 (fixes DSA-2310-1, CVE-2011-2905, CVE-2011-2909, CVE-2011-2723, CVE-2011-2699, CVE-2011-1162, CVE-2011-1161). - Update usb-modeswitch to 1.1.9-2~bpo60+1 and usb-modeswitch-data to 20110805-1~bpo60+1 from Debian backports. This adds support for a few devices such as Pantech UMW190 CDMA modem. - Install libregexp-common-perl 2011041701-3 from Debian unstable. This fixes the bug: [[bugs/msva_does_not_use_configured_keyserver]]. - Install hdparm so the hard drives can be spinned down in order to save battery power. - Install barry-util for better BlackBerry integration. - Debian security upgrades: OpenOffice.org (DSA-2315-1), openjdk-6 (DSA-2311-1), policykit-1 (DSA-2319-1) * Protecting against memory recovery - Set more appropriate Linux VM config before wiping memory. These parameters should make the wipe process more robust and efficient. -- Tails developers <amnesia@boum.org> Sun, 16 Oct 2011 11:31:18 +0200 tails (0.8) unstable; urgency=low * Rebase on the Debian Squeeze 6.0.2.1 point-release. * Tor - Update to 0.2.2.33-1. - Disabled ControlPort in favour of ControlSocket. - Add port 6523 (Gobby) to Tor's LongLivedPorts list. * I2P - Update to 0.8.8. - Start script now depends on HTP since I2P breaks if the clock jumps or is too skewed during bootstrap. * Iceweasel - Update to 3.5.16-9 (fixes CVE-2011-2374, CVE-2011-2376, CVE-2011-2365, CVE-2011-2373, CVE-2011-2371, CVE-2011-0083, CVE-2011-2363, CVE-2011-0085, CVE-2011-2362, CVE-2011-2982, CVE-2011-2981, CVE-2011-2378, CVE-2011-2984, CVE-2011-2983). - Enable HTTP pipelining (like TBB). - Update HTTPS Everywhere extension to 1.0.1-1 from Debian unstable. - Suppress FoxyProxy update prompts. - Prevent FoxyProxy from "phoning home" after a detected upgrade. - Fixed a bunch of buggy regular expressions in FoxyProxy's configuration. See [[bugs/exploitable_typo_in_url_regex?]] for details. Note that none of these issues are critical due to the transparent proxy. - Add DuckDuckGo SSL search engine. * Torbutton - Update to torbutton 1.4.3-1 from Debian unstable. - Don't show Torbutton status in the status bar as it's now displayed in the toolbar instead. * Pidgin - More random looking nicks in pidgin. - Add IRC account on chat.wikileaks.de:9999. * HTP - Upgrade htpdate script (taken from Git 7797fe9) that allows setting wget's --dns-timeout option. * Software - Update Linux to 3.0.0-1. -686 is now deprecated in favour of -486 and -686-pae; the world is not ready for -pae yet, so we now ship -486. - Update OpenSSL to 0.9.8o-4squeeze2 (fixes CVE-2011-1945 (revoke compromised DigiNotar certificates), CVE-2011-1945). - Update Vidalia to 0.2.14-1+tails1 custom package. - Install accessibility tools: - gnome-mag: screen magnifier - gnome-orca: text-to-speech - Replace the onBoard virtual keyboard with Florence. - Install the PiTIVi non-linear audio/video editor. - Install ttdnsd. - Install tor-arm. - Install lzma. * Arbitrary DNS queries - Tor can not handle all types of DNS queries, so if the Tor resolver fails we fallback to ttdnsd. This is now possible with Tor 0.2.2.x, since we fixed Tor bug #3369. * Hardware support - Install ipheth-utils for iPhone tethering. - Install xserver-xorg-input-vmmouse (for mouse integration with the host OS in VMWare and KVM). - Install virtualbox-ose 4.x guest packages from Debian backports. * Miscellaneous - Switch gpg to use keys.indymedia.org's hidden service, without SSL. The keys.indymedia.org SSL certificate is now self-signed. The hidden service gives a good enough way to authenticate the server and encrypts the connection, and just removes the certificates management issue. - The squashfs is now compressed using XZ which reduces the image size quite drastically. - Remove Windows autorun.bat and autorun.inf. These files did open a static copy of our website, which is not accessible any longer. * Build system - Use the Git branch instead of the Debian version into the built image's filename. - Allow replacing efficient XZ compression with quicker gzip. - Build and install documentation into the chroot (-> filesystem.squashfs). Rationale: our static website cannot be copied to a FAT32 filesystem due to filenames being too long. This means the documentation cannot be browsed offline from outside Tails. However, our installer creates GPT hidden partitions, so the doc would not be browseable from outside Tails anyway. The only usecase we really break by doing so is browsing the documentation while running a non-Tails system, from a Tails CD. -- Tails developers <amnesia@boum.org> Thu, 09 Sep 2011 11:31:18 +0200 tails (0.7.2) unstable; urgency=high * Iceweasel - Disable Torbutton's external application launch warning. ... which advises using Tails. Tails *is* running Tails. - FoxyProxy: install from Debian instead of the older one we previously shipped. * Software - haveged: install an official Debian backport instead of a custom backport. - unrar: install the version from Debian's non-free repository. Users report unrar-free does not work well enough. -- Tails developers <amnesia@boum.org> Sun, 12 Jun 2011 15:34:56 +0200 tails (0.7.1) unstable; urgency=high * Vidalia: new 0.2.12-2+tails1 custom package. * Iceweasel - Don't show Foxyproxy's status / icon in FF statusbar to prevent users from accidentaly / unconsciously put their anonymity at risk. - "amnesia branding" extension: bump Iceweasel compatibility to 4.0 to ease development of future releases. * Software - Upgrade Linux kernel to Debian's 2.6.32-33: fixes tons of bugs, including the infamous missing mouse cursor one. Oh, and it closes a few security holes at well. - Install unrar-free. - Do not install pppoeconf (superseeded by NetworkManager). - Upgrade macchanger to Debian testing package to ease development of future Tails releases. - Debian security upgrades: x11-xserver-utils (DSA-2213-1), isc-dhcp (DSA-2216-1), libmodplug (DSA-2226-1), openjdk-6 (DSA-2224-1). * Protecting against memory recovery - Add Italian translation for tails-kexec. Thanks to Marco A. Calamari. - Make it clear what it may mean if the system does not power off automatically. - Use kexec's --reset-vga option that might fix display corruption issues on some hardware. * WhisperBack (encrypted bug reporting software) - Upgrade WhisperBack to 1.4.1: localizes the documentation wiki's URL, uses WebKit to display the bug reporting help page, now is usable on really small screens. - Extract wiki's supported languages at build time, save this information to /etc/amnesia/environment, source this file into the Live user's environment so that WhisperBack 1.4+ can make good use of it. * Miscellaneous - Fix boot in Chinese. - Install mobile-broadband-provider-info for better 3G support. - Add back GNOME system icons to menus. - tails-security-check: avoid generating double-slashes in the Atom feeds URL. - Remove "vga=788" boot parameter which breaks the boot on some hardware. - Remove now useless "splash" boot parameter. - Fix a bunch of i386-isms. - Pass the noswap option to the kernel. This does not change actual Tails behaviour but prevents users from unnecessarily worrying because of the "Activating swap" boot message. - Make use of check.torproject.org's Arabic version. * Build system - Enable squeeze-backports. It is now ready and will be used soon. - Install eatmydata in the chroot. - Convert ikiwiki setup files to YAML. -- Tails developers <amnesia@boum.org> Fri, 29 Apr 2011 17:14:53 +0200 tails (0.7) unstable; urgency=low * Hardware support - Install foomatic-filters-ppds to support more printers. - Give the default user the right to manage printers. * Software - Deinstall unwanted packages newly pulled by recent live-build. -- Tails developers <amnesia@boum.org> Wed, 06 Apr 2011 22:58:51 +0200 tails (0.7~rc2) unstable; urgency=low ** SNAPSHOT build @824f39248a08f9e190146980fb1eb0e55d483d71 ** * Rebase on Debian Squeeze 6.0.1 point-release. * Vidalia: new 0.2.10-3+tails5 custom package.. * Hardware support - Install usb-modeswitch and modemmanager to support mobile broadband devices such as 3G USB dongles. Thanks to Marco A. Calamari for the suggestion. * Misc - Website relocated to https://tails.boum.org/ => adapt various places. - Configure keyboard layout accordingly to the chosen language for Italian and Portuguese. -- Tails developers <amnesia@boum.org> Fri, 25 Mar 2011 15:44:25 +0100 tails (0.7~rc1) UNRELEASED; urgency=low ** SNAPSHOT build @98987f111fc097a699b526eeaef46bc75be5290a ** * Rebase on Debian Squeeze. * T(A)ILS has been renamed to Tails. * Protecting against memory recovery New, safer way to wipe memory on shutdown which is now also used when the boot media is physically removed. * Tor - Update to 0.2.1.30-1. * Iceweasel - Add HTTPS Everywhere 0.9.4 extension. - Better preserve Anonymity Set: spoof US English Browser and timezone the same way as the Tor Browser Bundle, disable favicons and picture iconification. - Install AdBlock Plus extension from Debian. - Add Tor-related bookmarks. - Support FTP, thanks to FoxyProxy. - Update AdBlock patterns. - Disable geolocation and the offline cache. * Software - Update Vidalia to 0.2.10-3+tails4. - Install gnome-disk-utility (Palimpsest) and Seahorse plugins. - Add opt-in i2p support with Iceweasel integration through FoxyProxy. - onBoard: fix "really quits when clicking the close window icon" bug. - Optionally install TrueCrypt at boot time. - Install laptop-mode-tools for better use of battery-powered hardware. - Replace xsane with simple-scan which is part of GNOME and way easier to use. - Upgrade WhisperBack to 1.3.1 (bugfixes, French translation). - Install scribus-ng instead of scribus. It is far less buggy in Squeeze. * Firewall - Drop incoming packets by default. - Forbid queries to DNS resolvers on the LAN. - Set output policy to drop (defense-in-depth). * Hardware support - Install Atheros and Broadcom wireless firmwares. - Install libsane-hpaio and sane-utils, respectively needed for multi-function peripherals and some SCSI scanners. * live-boot 2.0.15-1+tails1.35f1a14 - Cherry-pick our fromiso= bugfixes from upstream 3.x branch. * Miscellaneous - Many tiny user interface improvements. - More robust HTP time synchronization wrt. network failures. Also, display the logs when the clock synchronization fails. - Disable GNOME automatic media mounting and opening to protect against a class of attacks that was recently put under the spotlights. Also, this feature was breaking the "no trace is left on local storage devices unless explicitly asked" part of Tails specification. - Make configuration more similar to the Tor Browser Bundle's one. - GnuPG: default to stronger digest algorithms. - Many more or less proper hacks to get the built image size under 700MB. - Compress the initramfs using LZMA for faster boot. * Build system - Run lb build inside eatmydata fsync-less environment to greatly improve build time. -- Tails developers <amnesia@boum.org> Fri, 11 Mar 2011 15:52:19 +0100 tails (0.6.2) unstable; urgency=high * Tor: upgrade to 0.2.1.29 (fixes CVE-2011-0427). * Software - Upgrade Linux kernel, dpkg, libc6, NSS, OpenSSL, libxml2 (fixes various security issues). - Upgrade Claws Mail to 3.7.6 (new backport). - Install Liferea, tcpdump and tcpflow. * Seahorse: use hkp:// transport as it does not support hkps://. * FireGPG: use hkps:// to connect to the configured keyserver. * Build system: take note of the Debian Live tools versions being used to make next point-release process faster. * APT: don't ship package indices. -- T(A)ILS developers <amnesia@boum.org> Wed, 19 Jan 2011 16:59:43 +0100 tails (0.6.1) unstable; urgency=low * Tor: upgrade to 0.1.28 (fixes CVE-2010-1676) * Software: upgrade NSS, Xulrunner, glibc (fixes various security issues) * FireGPG: use the same keyserver as the one configured in gpg.conf. * Seahorse: use same keyserver as in gpg.conf. * HTP: display the logs when the clock synchronization fails. * Update HTP configuration: www.google.com now redirects to encrypted.google.com. * Use the light version of the "Are you using Tor?" webpage. * Update AdBlock patterns. -- T(A)ILS developers <amnesia@boum.org> Fri, 24 Dec 2010 13:28:29 +0100 tails (0.6) unstable; urgency=low * Releasing 0.6. * New OpenPGP signing-only key. Details are on the website: https://amnesia.boum.org/GnuPG_key/ * Iceweasel - Fixed torbutton has migrated to testing, remove custom package. * HTP - Query ssl.scroogle.org instead of lists.debian.org. - Don't run when the interface that has gone up is the loopback one. * Nautilus scripts - Add shortcut to securely erase free space in a partition. - The nautilus-wipe shortcut user interface is now translatable. * Misc - Really fix virtualization warning display. - More accurate APT pinning. - Disable Debian sid APT source again since a fixed live-config has migrated to Squeeze since then. * live-boot: upgrade to 2.0.8-1+tails1.13926a - Sometimes fixes the smem at shutdown bug. - Now possible to create a second partition on the USB stick T(A)ILS is running from. * Hardware support - Support RT2860 wireless chipsets by installing firmware-ralink from Debian Backports. - Install firmware-linux-nonfree from backports. - Fix b43 wireless chipsets by having b43-fwcutter extract firmwares at build time. * Build system - Install live-build and live-helper from Squeeze. - Update SquashFS sort file. -- T(A)ILS developers <amnesia@boum.org> Wed, 20 Oct 2010 19:53:17 +0200 tails (0.6~rc3) UNRELEASED; urgency=low ** SNAPSHOT build @a3ebb6c775d83d1a1448bc917a9f0995df93e44d ** * Iceweasel - Autostart Iceweasel with the GNOME session. This workarounds the "Iceweasel first page is not loaded" bug. * HTP - Upgrade htpdate script (taken from Git 7797fe9). * Misc - Disable ssh-agent auto-starting with X session: gnome-keyring is more user-friendly. - Fix virtualization warning display. - Boot profile hook: write desktop file to /etc/skel. * Build system - Convert build system to live-build 2.0.1. - APT: fetch live-build and live-helper from Debian Live snapshots. - Remove dependency on live-build functions in chroot_local-hooks. This makes the build environment more robust and less dependent on live-build internals. - Remove hand-made rcS.d/S41tails-wifi: a hook now does this. - Measure time used by the lh build command. - Fix boot profile hook. - Boot profiling: wait a bit more: the current list does not include /usr/sbin/tor. -- T(A)ILS developers <amnesia@boum.org> Sat, 02 Oct 2010 23:06:46 +0200 tails (0.6~rc2) UNRELEASED; urgency=low ** SNAPSHOT build @c0ca0760ff577a1e797cdddf0e95c5d62a986ec8 ** * Iceweasel - Refreshed AdBlock patterns (20100926). - Set network.dns.disableIPv6 to true (untested yet) - Torbutton: install patched 1.2.5-1+tails1 to fix the User-Agent bug, disable extensions.torbutton.spoof_english again. * Software - WhisperBack: upgrade to 1.3~beta3 (main change: let the user provide optional email address and OpenPGP key). - Remove mc. - Update haveged backport to 0.9-3~amnesia+lenny1. - Update live-boot custom packages (2.0.6-1+tails1.6797e8): fixes bugs in persistency and smem-on-shutdown. - Update custom htpdate script. Taken from commit d778a6094cb3 in our custom Git repository: fixes setting of date/time. * Build system - Bugfix: failed builds are now (hopefully) detected. - Fix permissions on files in /etc/apt/ that are preserved in the image. - Install version 2.0~a21-1 of live-build and live-helper in the image. We are too late in the release process to upgrade to current Squeeze version (2.0~a29-1). * Misc - Pidgin/OTR: disable the automatic OTR initiation and OTR requirement. -- T(A)ILS developers <amnesia@boum.org> Wed, 29 Sep 2010 19:23:17 +0200 tails (0.6~1.gbpef2878) UNRELEASED; urgency=low ** SNAPSHOT build @ef28782a0bf58004397b5fd303f938cc7d11ddaa ** * Hardware support - Use a 2.6.32 kernel: linux-image-2.6.32-bpo.5-686 (2.6.32-23~bpo50+1) from backports.org. This should support far more hardware and especially a lot of wireless adapters. - Add firmware for RTL8192 wireless adapters. - Enable power management on all wireless interfaces on boot. * Software - Install inkscape. - Install poedit. - Install gfshare and ssss: two complementary implementations of Shamir's Secret Sharing. - Install tor-geoipdb. - Remove dialog, mc and xterm. * Iceweasel - Set extensions.torbutton.spoof_english to its default true value in order to workaround a security issue: https://amnesia.boum.org/security/Iceweasel_exposes_a_rare_User-Agent/ * Monkeysphere - Install the Iceweasel extension. - Use a hkps:// keyserver. * GnuPG - Install gnupg from backports.org so that hkps:// is supported. - Use a hkps:// keyserver. - Proxy traffic via polipo. - Prefer up-to-date digests and ciphers. * Vidalia: rebased our custom package against 0.2.10. * Build system - Built images are now named like this: tails-i386-lenny-0.5-20100925.iso - Use live-helper support for isohybrid options instead of doing the conversion ourselves. The default binary image type we build is now iso-hybrid. - Remove .deb built by m-a after they have been installed. - Setup custom GConf settings at build time rather than at boot time. - Move $HOME files to /etc/skel and let adduser deal with permissions. - Convert to live-boot / live-config / live-build 2.x branches. - Replaced our custom live-initramfs with a custom live-boot package; included version is 2.0.5-1+tails2.6797e8 from our Git repository: git clone git://git.immerda.ch/tails_live-boot.git - Install live-config* from the live-snapshots Lenny repository. Rationale: live-config binary packages differ depending on the target distribution, so that using Squeeze's live-config does not produce fully-working Lenny images. - Rename custom scripts, packages lists and syslinux menu entries from the amnesia-* namespace to the tails-* one. * HTP - Use (authenticated) HTP instead of NTP. - The htpdate script that is used comes from commit 43f5f83c0 in our custom repository: git://git.immerda.ch/tails_htp.git - Start Tor and Vidalia only once HTP is done. * Misc - Fix IPv6 firewall restore file. It was previously not used at all. - Use ftp.us.debian.org instead of the buggy GeoIP-powered cdn.debian.net. - Gedit: don't autocreate backup copies. - Build images with syslinux>=4.01 that has better isohybrid support. - amnesia-security-check: got rid of the dependency on File::Slurp. - Take into account the migration of backports.org to backports.debian.org. - Make GnuPG key import errors fatal on boot. - Warn the user when T(A)ILS is running inside a virtual machine. - DNS cache: forget automapped .onion:s on Tor restart. * Documentation: imported Incognito's walkthrough, converted to Markdown, started the needed adaptation work. -- T(A)ILS developers <amnesia@boum.org> Sun, 26 Sep 2010 11:06:50 +0200 tails (0.5) unstable; urgency=low * The project has merged efforts with Incognito. It is now to be called "The (Amnesic) Incognito Live System". In short: T(A)ILS. * Community - Created the amnesia-news mailing-list. - Added a forum to the website. - Created a chatroom on IRC: #tails on irc.oftc.net * Fixed bugs - Workaround nasty NetworkManager vs. Tor bug that often prevented the system to connect to the Tor network: restart Tor and Vidalia when a network interface goes up. - onBoard now autodetects the keyboard layout... at least once some keys have been pressed. - New windows don't open in background anymore, thanks to a patched Metacity. - Memory wiping at shutdown is now lightning fast, and does not prevent the computer to halt anymore. - GNOME panel icons are right-aligned again. - Fixed permissions on APT config files. - Repaired mouse integration when running inside VirtualBox. * Iceweasel - Torbutton: redirect to Scroogle when presented a Google captcha. - Revamped bookmarks . moved T(A)ILS own website to the personal toolbar . moved webmail links (that are expected to be more than 3 soon) to a dedicated folder. - Don't show AdBlock Plus icon in the toolbar. - Adblock Plus: updated patterns, configured to only update subscriptions once a year. Which means never, hopefully, as users do update their Live system on a regular basis, don't they? * Vidalia: rebased our custom package against 0.2.8. * Claws Mail - Install Claws Mail from backports.org to use the X.509 CA certificates provided by Debian. - Enable PGP modules with basic configuration: . Automatically check signatures. . Use gpg-agent to manage passwords. . Display warning on start-up if GnuPG doesn't work. - Set the IO timeout to 120s (i.e. the double of the default 60s). * Pidgin - Automatically connect to irc.oftc.net with a randomized nickname, so as not to advertize the use of T(A)ILS; this nickname is made of: . a random firstname picked from the 2000 most registered by the U.S. social security administration in the 70s; . two random digits. Good old irc.indymedia.org is still configured - with same nickname - but is not enabled by default anymore. - Disabled MSN support, that is far too often affected by security flaws. * Build $HOME programmatically - Migrated all GConf settings, including the GNOME panel configuration, to XML files that are loaded at boot time. - Configure iceweasel profile skeleton in /etc/iceweasel. A brand new profile is setup from this skeleton once iceweasel is started after boot. . build sqlite files at build time from plain SQL. . FireGPG: hard-code current firegpg version at build time to prevent the extension to think it was just updated. . stop shipping binary NSS files. These were here only to install CaCert's certificate, that is actually shipped by Debian's patched libnss. * Build system - Updated Debian Live snapshots APT repository URL. - Purge all devel packages at the end of the chroot configuration. - Make sure the hook that fixes permissions runs last. - Remove unwanted Iceweasel search plugins at build time. * Misc - Added a progress bar for boot time file readahead. - Readahead more (~37MB) stuff in foreground at boot time. - Make the APT pinning persist in the Live image. - localepurge: keep locales for all supported languages, don't bother when installing new packages. - Removed syslinux help menu: these help pages are either buggy or not understandable by non-geeks. - Fixed Windows autorun. - Disable a few live-initramfs scripts to improve boot time. - Firewall: forbid any IPv6 communication with the outside. - Virtualization support: install open-vm-tools. - WhisperBack: updated to 1.2.1, add a random bug ID to the sent mail subject. - Prompt for CD removal on shutdown, not for USB device. * live-initramfs: new package built from our Git (e2890a04ff) repository. - Merged upstream changes up to 1.177.2-1. - New noprompt=usb feature. - Fix buggy memory wiping and shutdown. - Really reboot when asked, rather than shutting down the system. * onBoard - Upgraded to a new custom, patched package (0.93.0-0ubuntu4~amnesia1). - Added an entry in the Applications menu. * Software - Install vim-nox with basic configuration - Install pwgen - Install monkeysphere and msva-perl - Replaced randomsound with haveged as an additional source of entropy. * Hardware support - Build ralink rt2570 wifi modules. - Build rt2860 wifi modules from Squeeze. This supports the RT2860 wireless adapter, found particularly in the ASUS EeePC model 901 and above. - Build broadcom-sta-source wifi modules. - Bugfix: cpufreq modules were not properly added to /etc/modules. - Use 800x600 mode on boot rather than 1024x768 for compatibility with smaller displays. -- amnesia <amnesia@boum.org> Fri, 30 Apr 2010 16:14:13 +0200 amnesia (0.4.2) unstable; urgency=low New release, mainly aimed at fixing live-initramfs security issue (Debian bug #568750), with an additional set of small enhancements as a bonus. * live-initramfs: new custom package built from our own live-initramfs Git repository (commit 8b96e5a6cf8abc) - based on new 1.173.1-1 upstream release - fixed live-media=removable behaviour so that filesystem images found on non-removable storage are really never used (Debian bug #568750) * Vidalia: bring back our UI customizations (0.2.7-1~lenny+amnesia1) * APT: consistently use the GeoIP-powered cdn.debian.net * Software: make room so that {alpha, future} Squeeze images fit on 700MB CD-ROM - only install OpenOffice.org's calc, draw, impress, math and writer components - removed OpenOffice.org's English hyphenation and thesaurus - removed hunspell, wonder why it was ever added * Boot - explicitly disable persistence, better safe than sorry - removed compulsory 15s timeout, live-initramfs knows how to wait for the Live media to be ready * Build system: don't cache rootfs anymore -- amnesia <amnesia@boum.org> Sun, 07 Feb 2010 18:28:16 +0100 amnesia (0.4.1) unstable; urgency=low * Brown paper bag bugfix release: have amnesia-security-check use entries publication time, rather than update time... else tagging a security issue as fixed, after releasing a new version, make this issue be announced to every user of this new, fixed version. -- amnesia <amnesia@boum.org> Sat, 06 Feb 2010 03:58:41 +0100 amnesia (0.4) unstable; urgency=low * We now only build and ship "Hybrid" ISO images, which can be either burnt on CD-ROM or dd'd to a USB stick or hard disk. * l10n: we now build and ship multilingual images; initially supported (or rather wanna-be-supported) languages are: ar, zh, de, en, fr, it, pt, es - install Iceweasel's and OpenOffice.org's l10n packages for every supported language - stop installing localized help for OpenOffice.org, we can't afford it for enough languages - when possible, Iceweasel's homepage and default search engine are localized - added Iceweasel's "any language" Scroogle SSL search engine - when the documentation icon is clicked, display the local wiki in currently used language, if available - the Nautilus wipe script is now translatable - added gnome-keyboard-applet to the Gnome panel * software - replaced Icedove with claws mail, in a bit rough way; see https://amnesia.boum.org/todo/replace_icedove_with_claws/ for best practices and configuration advices - virtual keyboard: install onBoard instead of kvkbd - Tor controller: install Vidalia instead of TorK - install only chosen parts of Gnome, rather than gnome-desktop-environment - do not install xdialog, which is unused and not in Squeeze - stop installing grub as it breaks Squeeze builds (see Debian bug #467620) - install live-helper from snapshots repository into the Live image * Iceweasel - do not install the NoScript extension anymore: it is not strictly necessary but bloodily annoying * Provide WhisperBack 1.2 for anonymous, GnuPG-encrypted bug reporting. - added dependency on python-gnutls - install the SMTP hidden relay's certificate * amnesia-security-check: new program that tells users that the amnesia version they are running is affected by security flaws, and which ones they are; this program is run at Gnome session startup, after sleeping 2 minutes to let Tor a chance to initialize. Technical details: - Perl - uses the Desktop Notifications framework - fetches the security atom feed from the wiki - verifies the server certificate against its known CA - tries fetching the localized feed; if it fails, fetch the default (English) feed * live-initramfs: new custom package built from our own live-initramfs Git repository (commit 40e957c4b89099e06421) - at shutdown time, ask the user to unplug the CD / USB stick, then run smem, wait for it to finish, then attempt to immediately halt * build system - bumped dependency on live-helper to >= 2.0a6 and adapted our config - generate hybrid ISO images by default, when installed syslinux is recent enough - stop trying to support building several images in a row, it is still broken and less needed now that we ship hybrid ISO images - scripts/config: specify distribution when initializing defaults - updated Debian Live APT repository's signing key * PowerPC - disable virtualbox packages installing and module building on !i386 && !amd64, as PowerPC is not a supported guest architecture - built and imported tor_0.2.1.20-1~~lenny+1_powerpc.deb * Squeeze - rough beginnings of a scratch Squeeze branch, currently unsupported - install gobby-infinote * misc - updated GnuPG key with up-to-date signatures - more improvements on boot time from CD - enhanced the wipe in Nautilus UI (now asks for confirmation and reports success or failure) - removed the "restart Tor" launcher from the Gnome panel -- amnesia <amnesia@boum.org> Fri, 05 Feb 2010 22:28:04 +0100 amnesia (0.3) unstable; urgency=low * software: removed openvpn, added - Audacity - cups - Git - Gobby - GParted - lvm2 (with disabled initscript as it slows-down too much the boot in certain circumstances) - NetworkManager 0.7 (from backports.org) to support non-DHCP networking - ntfsprogs - randomsound to enhance the kernel's random pool * Tor - install the latest stable release from deb.torproject.org - ifupdown script now uses SIGHUP signal rather than a whole tor restart, so that in the middle of it vidalia won't start it's own tor - configure Gnome proxy to use Tor * iceweasel - adblockplus: upgraded to 1.0.2 - adblockplus: subscribe to US and DE EasyList extensions, updated patterns - firegpg is now installed from Debian Squeeze rather than manually; current version is then 0.7.10 - firegpg: use better keyserver ... namely pool.sks-keyservers.net - added bookmark to Amnesia's own website - use a custom "amnesiabranding" extension to localize the default search engine and homepage depending on the current locale - updated noscript whitelist - disable overriden homepage redirect on iceweasel upgrade * pidgin - nicer default configuration with verified irc.indymedia.org's SSL cert - do not parse incoming messages for formatting - hide formatting toolbar * hardware compatibility - b43-fwcutter - beginning of support for the ppc architecture - load acpi-cpufreq, cpufreq_ondemand and cpufreq_powersave kernel modules * live-initramfs: custom, updated package based on upstream's 1.157.4-1, built from commit b0a4265f9f30bad945da of amnesia's custom live-initramfs Git repository - securely erases RAM on shutdown using smem - fixes the noprompt bug when running from USB - disables local swap partitions usage, wrongly enabled by upstream * fully support for running as a guest system in VirtualBox - install guest utils and X11 drivers - build virtualbox-ose kernel modules at image build time * documentation - new (translatable) wiki, using ikiwiki, with integrated bugs and todo tracking system a static version of the wiki is included in generated images and linked from the Desktop * build system - adapt for live-helper 2.0, and depend on it - get amnesia version from debian/changelog - include the full version in ISO volume name - save .list, .packages and .buildlog - scripts/clean: cleanup any created dir in binary_local-includes - updated Debian Live snapshot packages repository URL and signing key - remove duplicated apt/preferences file, the live-helper bug has been fixed * l10n: beginning of support for --language=en * misc - improved boot time on CD by ordering files in the squashfs in the order they are used during boot - added a amnesia-version script to built images, that outputs the current image's version - added a amnesia-debug script that prepares a tarball with information that could be useful for developpers - updated Amnesia GnuPG key to a new 4096R one - set time with NTP when a network interface is brought up - import amnesia's GnuPG pubkey into the live session user's keyring - do not ask DHCP for a specific hostname - install localepurge, only keep en, fr, de and es locales, which reduces the generated images' size by 100MB - added a hook to replace /sbin/swapon with a script that only runs /bin/true - moved networking hooks responsibility from ifupdown to NetworkManager -- amnesia <amnesia@boum.org> Thu, 26 Nov 2009 11:17:08 +0100 amnesia (0.2) unstable; urgency=low * imported /home/amnesia, then: - more user-friendly shell, umask 077 - updated panel, added launcher to restart Tor - mv $HOME/bin/* /usr/local/bin/ - removed metacity sessions - removed gstreamer's registry, better keep this dynamically updated - rm .qt/qt_plugins_3.3rc, better keep this dynamically updated - removed .gnome/gnome-vfs/.trash_entry_cache - removed kconf_update log - removed and excluded Epiphany configuration (not installed) - cleanup .kde * iceweasel - enable caching in RAM - explicitly disable ssl v2, and enable ssl v3 + tls - removed prefs for the non-installed webdeveloper - removed the SSL Blacklist extension (not so useful, licensing issues) - deep profile directory cleanup - extensions cleanup: prefer Debian-packaged ones, cleanly reinstalled AddBlock Plus and CS Lite to allow upgrading them - updated pluginreg.dat and localstore.rdf - moved some settings to user.js - made cookie/JavaScript whitelists more consistent - force httpS on whitelisted sites - NoScript: marked google and gmail as untrusted - some user interface tweaks, mainly for NoScript - FireGPG: disable the buggy auto-detection feature, the link to firegpg's homepage in generated pgp messages and the GMail interface (which won't work without JavaScript anyway) - updated blocklist.xml - removed and excluded a bunch of files in the profile directory * icedove: clean the profile directory up just like we did for iceweasel * software: install msmtp and mutt * home-refresh - use rsync rather than tar * documentation - various fixes - reviewed pidgin-otr security (see TODO) * build system - stop calling home-refresh in lh_build - include home-refresh in generated images - gitignore update - fix permissions on local includes at build time - updated scripts/{build,clean} wrt. new $HOME handling - scripts/{build,config}: stop guessing BASEDIR, we must be run from the root of the source directory anyway - stop storing /etc/amnesia/version in Git, delete it at clean time * release - converted Changelog to the Debian format and location, updated build scripts accordingly - added a README symlink at the root of the source directory - basic debian/ directory (not working for building packages yet, but at least we can now use git-dch) - added debian/gbp.conf with our custom options for git-dch - config/amnesia: introduce new $AMNESIA_DEV_* variables to be used by developpers' scripts - added ./release script: a wrapper around git-dch, git-commit and git-tag -- amnesia <amnesia@boum.org> Tue, 23 Jun 2009 14:42:03 +0200 amnesia (0.1) UNRELEASED; urgency=low * Forked Privatix 9.03.15, by Markus Mandalka: http://mandalka.name/privatix/index.html.en Everything has since been rewritten or so heavily changed that nothing remains from the original code... apart of a bunch of Gnome settings. * hardware support: - install a bunch of non-free wifi firmwares - install xsane and add the live user to the scanner group - install aircrack-ng - install xserver-xorg-video-geode on i386 (eCafe support) - install xserver-xorg-video-all - install firmware-linux from backports.org - install system-config-printer - added instructions in README.eCAFE to support the Hercules eCAFE EC-800 netbook * APT: - configure pinning to support installing chosen packages from squeeze; the APT source for testing is hardcoded in chroot_sources/, since there is no way to use $LH_CHROOT_MIRROR in chroot_local-hooks - give backports.org priority 200, so that we track upgrades of packages installed from there * release: include the Changelog and TODO in the generated images, in the /usr/share/doc/amnesia/ directory * software: install gnomebaker when building Gnome-based live OS, to easily clone myself when running from CD * build system - build i386 images when the build host is amd64 - added a version file: /etc/amnesia/version - use snapshot live-* packages inside the images - setup timezone depending on the chosen build locale - rely on standard live-initramfs adduser to do our user setup (including sudo vs. Gnome/KDE, etc.) - stop "supporting" KDE - allow building several images at once - migrated most of lh_config invocations to scripts/config - append "noprompt" so that halting/rebooting work with splashy - moved our own variables to config/amnesia, using the namespace $AMNESIA_* * iceweasel - default search engine is now Scroogle SSL, configured to search pages in French language; the English one is also installed - never ask to save passwords or forms content - configured the torbutton extension to use polipo - installed the CACert root certificate - installed the SSL Blacklist extension and the blacklist data - installed the FireGPG extension - installed the CS Lite extension - installed the NoScript extension - NoScript, CS Lite: replaced the default whitelists with a list of trusted, non-commercial Internet Service Providers - configure extensions (add to prefs.js): user_pref("extensions.torbutton.startup", true); user_pref("extensions.torbutton.startup_state", 1); user_pref("extensions.torbutton.tor_enabled", true); user_pref("noscript.notify.hide", true); user_pref("capability.policy.maonoscript.sites", "about: about:blank about:certerror about:config about:credits about:neterror about:plugins about:privatebrowsing about:sessionrestore chrome: resource:"); user_pref("extensions.firegpg.no_updates", true); - install the NoScript plugin from Debian squeeze - delete urlclassifier3.sqlite on $HOME refresh: as we disabled "safebrowsing", this huge file is of no use - torbutton: install newer version from Squeeze * linux: removed non-686 kernel flavours when building i386 images * compatibility: append "live-media=removable live-media-timeout=15", to prevent blindly booting another debian-live installed on the hard disk * software: added - gnome-app-install - iwconfig - cryptkeeper: Gnome system tray applet to encrypt files with EncFS - kvkbd: virtual keyboard (installed from backports.org) - sshfs (and added live user to the fuse group) - less, secure-delete, wipe, seahorse, sshfs, ntfs-3g - scribus * Tor - enable the transparent proxy, the DNS resolver, and the control port - save authentication cookie to /tmp/control_auth_cookie, so that the live user can use Tork and co. - autostart Tork with Gnome - Tork: installed, disabled most notifications and startup tips - added a restart tor hook to if-up.d (used by Network Manager as well), so that Tor does work immediately even if the network cable was plugged late in/after the boot process * $HOME - added a nautilus-script to wipe files and directories - bash with working completion for the live user * polipo: install and configure this HTTP proxy to forward requests through Tor * DNS: install and configure pdnsd to forward any DNS request through the Tor resolver * firewall: force every outgoing TCP connection through the Tor transparent proxy, discard any outgoing UDP connection * misc - set syslinux timeout to 4 seconds - use splashy for more user-friendly boot/halt sequences -- amnesia <amnesia@boum.org> Sat, 20 Jun 2009 21:09:15 +0200