The Tails developers have released The Amnesic Incognito Live System 2.0 on 26-January-2016. https://wikipedia.org/wiki/Tails_(operating_system) Home: https://tails.boum.org/ Announcement and Release Notes: https://tails.boum.org/news/version_2.0/index.en.html Changelogs: https://git-tails.immerda.ch/tails/plain/debian/changelog Spoiler tails (2.0) unstable; urgency=medium * Major new features and changes - Upgrade to Debian 8 (Jessie). - Migrate to GNOME Shell in Classic mode. - Use systemd as PID 1, and convert all custom initscripts to systemd units. - Remove the Windows camouflage feature: our call for help to port it to GNOME Shell (issued in January, 2015) was unsuccessful. - Remove Claws Mail: Icedove is now the default email client (Closes: #10167). - Upgrade Tor Browser to 5.5 (Closes: #10858, #10983). * Security fixes - Minimally sandbox many services with systemd's namespacing features. - Upgrade Linux to 3.16.7-ckt20-1+deb8u3. - Upgrade Git to 1:2.1.4-2.1+deb8u1. - Upgrade Perl to 5.20.2-3+deb8u3. - Upgrade bind9-related packages to 1:9.9.5.dfsg-9+deb8u5. - Upgrade FUSE to 2.9.3-15+deb8u2. - Upgrade isc-dhcp-client tot 4.3.1-6+deb8u2. - Upgrade libpng12-0 to 1.2.50-2+deb8u2. - Upgrade OpenSSH client to 1:6.7p1-5+deb8u1. * Bugfixes - Restore the logo in the "About Tails" dialog. - Don't tell the user that "Tor is ready" before htpdate is done (Closes: #7721). - Upgrader wrapper: make the check for free memory more accurate (Closes: #10540, #8263). - Allow the desktop user, when active, to configure printers; fixes regression introduced in Tails 1.1 (Closes: #8443). - Close Vidalia before we restart Tor. Otherwise Vidalia will be running and showing errors while we make sure that Tor bootstraps, which could take a while. - Allow Totem to read DVDs, by installing apparmor-profiles-extra from jessie-backports (Closes: #9990). - Make memory erasure on shutdown more robust (Closes: #9707, #10487): · don't forcefully overcommit memory · don't kill the allocating task · make sure the kernel doesn't starve from memory · make parallel sdmem handling faster and more robust - Don't offer the option, in Tor Browser, to open a downloaded file with an external application (Closes: #9285). Our AppArmor confinement was blocking most such actions anyway, resulting in poor UX; bugfix on 1.3. Accordingly, remove the now-obsolete exception we had in the Tor Browser AppArmor profile, that allowed executing seahorse-tool. - Fix performance issue in Tails Upgrader, that made it very slow to apply an automatic upgrade; bugfix on 1.7 (Closes: #10757). - Use our wrapper script to start Icedove from the GNOME menus. - Make it possible to localize our Icedove wrapper script. - List Icedove persistence option in the same position where Claws Mail used to be, in the persistent volume assistant (Closes: #10832). - Fix Electrum by installing the version from Debian Testing (Closes: #10754). We need version >=2.5.4-2, see #9713; bugfix on 2.0~beta1. And, explicitly install python-qt4 to enable Electrum's GUI: it's a Recommends, and we're not pulling it ourselves via other means anymore. - Restore default file associations (Closes: #1079; bugfix on 2.0~beta1. - Update 'nopersistent' boot parameter to 'nopersistence'; bugfix on 0.12 (Closes: #10831). Thanks to live-media=removable, this had no security impact in practice. - Repair dotfiles persistence feature, by adding a symlink from /lib/live/mount/persistence to /live/persistence; bugfix on 2.0~beta1 (Closes: #10784). - Fix ability to re-configure an existing persistent volume using the GUI; bugfix on 2.0~beta1 (Closes: #10809). - Associate armored OpenPGP public keys named *.key with Seahorse, to workaround https://bugs.freedesktop.org/show_bug.cgi?id=93656; bugfix on 1.1 (Closes: #10889). - Update the list of enabled GNOME Shell extensions, which might fix the "GNOME Shell sometimes leaves Classic mode" bug seen in 2.0~beta1: · Remove obsolete "Alternative Status Menu", that is not shipped in Debian anymore. · Explicitly enable the GNOME Shell extensions that build the Classic mode. - Make _get_tg_setting() compatible with set -u (Closes: #10785). - laptop-mode-tools: don't control autosuspend. Some USB input devices don't support autosuspend. This change might help fix #10850, but even if it doesn't, it makes sense to me that we don't let laptop-mode-tools fiddle with this on a Live system (Closes (for now): #10850). * Minor improvements - Remove obsolete code from various places. - Tails Greeter: · hide all windows while logging in · resize and re-position the panel when the screen size grows · PostLogin: log into the Journal instead of a dedicated log file · use localectl to set the system locale and keyboard mapping · delete the Live user's password if no administration password is set (Closes: #5589) · port to GDBus greeter interface, and adjust to other GDM and GNOME changes - Tails Installer: · port to UDisks2, and from Qt4 to GTK3 · adapt to work on other GNU/Linux operating systems than Tails · clean up enough upstream code and packaging bits to make it deserve being uploaded to Debian · rename everything from liveusb-creator to tails-installer - Port tails-perl5lib to GTK3 and UDisks2. In passing, do some minor refactoring and a GUI improvement. - Persistent Volume Assistant: · port to GTK3 and UDisks2 · handle errors when deleting persistent volume (Closes: #8435) · remove obsolete workarounds - Don't install UDisks v1. - Adapt custom udev and polkit rules to UDisks v2 (Closes: #9054, #9270). - Adjust import-translations' post-import step for Tails Installer, to match how its i18n system works nowadays. - Use socket activation for CUPS, to save some boot time. - Set memlockd.service's OOMScoreAdjust to -1000. - Don't bother creating /var/lib/live in tails-detect-virtualization. If it does not exist at this point, we have bigger and more noticeable problems. - Simplify the virtualization detection & reporting system, and do it as a non-root user with systemd-detect-virt rather than virt-what. - Replace rsyslog with the systemd Journal (Closes: #8320), and adjust WhisperBack's logs handling accordingly. - Drop tails-save-im-environment. It's not been used since we stopped automatically starting the web browser. - Add a hook that aborts the build if any *.orig file is found. Such files appear mainly when a patch of ours is fuzzy. In most cases they are no big deal, but in some cases they end up being taken into account and break things. - Replace the tor+http shim with apt-transport-tor (Closes: #819. - Install gnome-tweak-tool. - Don't bother testing if we're using dependency based boot. - Drop workaround to start spice-vdagent in GDM (Closes: #8025). This has been fixed in Jessie proper. - Don't install ipheth-utils anymore. It seems to be obsolete in current desktop environments. - Stop installing the buggy unrar-free, superseded in Jessie (Closes: #583 - Drop all custom fontconfig configuration, and configure fonts rendering via dconf. - Drop zenity patch (zenity-fix-whitespacing-box-sizes.diff), that was applied upstream. - Install libnet-dbus-perl (currently 1.1.0) from jessie-backports, it brings new features we need. - Have the security check and the upgrader wait for Tor having bootstrapped with systemd unit ordering. - Get rid of tails-security-check's wrapper. Its only purpose was to wait for Tor to have bootstrapped, which is now done via systemd. - Don't allow the amnesia and tails-upgrade-frontend users to run tor-has-bootstrapped as root with sudo. They don't need it anymore, thanks to using systemd for starting relevant units only once Tor has bootstrapped. - Install python-nautilus, that enables MAT's context menu item in Nautilus. (Closes: #9151). - Configure GDM with a snippet file instead of patching its greeter.dconf-defaults. - WhisperBack: · port to Python 3 and GObject Introspection (Closes: #7755) · migrate from the gnutls module to the ssl one · use PGP/MIME for better attachments handling · migrate from the gnupginterface module to the gnupg one · natively support SOCKS ⇒ don't wrap with torsocks anymore (Closes: #9412) · don't try to include the obsolete .xession-errors in bug reports (Closes: #9966) - chroot-browser.sh: don't use static DISPLAY. - Simplify debugging: · don't hide the emergency shutdown's stdout · tails-unblock-network: trace commands so that they end up in the Journal - Configure the console codeset at ISO build time, instead of setting it to a constant via the Greeter's PostLogin.default. - Order the AppArmor policy compiling in a way that is less of a blocker during boot. - Include the major KMS modules in the initramfs. This helps seamless transition to X.Org when booting, and back to text mode on shutdown, can help for proper graphics hardware reinitialization post-kexec, and should improve GNOME Shell support in some virtual machines. - Always show the Universal Access menu icon in the GNOME panel. - Drop notification for not-migrated-yet persistence configuration, and persistence settings disabled due to wrong access rights. That migration happened more two years ago. - Remove the restricted network detector, that has been broken for too long; see #10560 for next steps (Closes: #832. - Remove unsupported, never completed kiosk mode support. - clock_gettime_monotonic: use Perl's own function to get the integer part, instead of forking out to sed. - Don't (try to) disable lvm2 initscripts anymore. Both the original reason and the implementation are obsolete on Jessie. - Lower potential for confusion (#8443), by removing system-config-printer. One GUI to configure printers is enough (Closes: #8505). - Add "set -u" to tails-unblock-network. - Add a systemd target whose completion indicates that Tor has bootstrapped, and use it everywhere sensible (Closes: #9393). - Disable udev's 75-persistent-net-generator.rules, to preventing races between MAC spoofing and interface naming. - Replace patch against NetworkManager.conf with drop-in files. - Replace resolvconf with simpler NetworkManager and dhclient configuration. (Closes: #770 - Replace patching of the gdomap, i2p, hdparm, tor and ttdnsd initscripts with 'systemctl disable' (Closes: #9881). - Replace patches that wrapped apps with torsocks with dynamic patching with a hook, to ease maintenance. Also, patch D-Bus services as needed (Closes: #10603). - Notify the user if running Tails inside non-free virtualization software that does not try to hide its nature (Closes: #5315). Thanks to Austin English <austinenglish@gmail.com> for the patch. - Declare htpdate.service as being needed for time-sync.target, to ensure that "services where correct time is essential should be ordered after this unit". - Convert some of the X session startup programs to `systemd --user' units. - Let the Pidgin wrapper pass through additional command-line arguments (Closes: #10383) - Move out of the $PATH a bunch of programs that users should generally not run directly: connect-socks, end-profile, getTorBrowserUserAgent, generate-tor-browser-profile, kill-boot-profile, tails-spoof-mac, tails-set-wireless-devices-state, tails-configure-keyboard, do_not_ever_run_me, boot-profile, tails-unblock-network, tor-controlport-filter, tails-virt-notify-user, tails-htp-notify-user, udev-watchdog-wrapper (Closes: #1065 - Upgrade I2P to 0.9.23-2~deb8u+1. - Disable I2P's time syncing support. - Install Torbirdy from official Jessie backports, instead of from our own APT repository (Closes: #10804). - Make GNOME Disks' passphrase strength checking new feature work, by installing cracklib-runtime (Closes: #10862). - Add support for Japanese in Tor Browser. - Install xserver-xorg-video-intel from Jessie Backports (currently: 2.99.917-2~bpo8+1). This adds support for recent chips such as Intel Broadwell's HD Graphics (Closes: #10841). - Improve a little bit post-Greeter network unblocking: · Sleep a bit longer between deleting the blacklist, and triggering udev; this might help cure #9012. · Increase logging, so that we get more information next time someone sees #9012. · Touch /etc/modprobe.d/ after deleting the blacklist; this might help, in case all this is caused by some aufs bug. - Enable and use the Debian jessie-proposed-updates APT repository, anticipating on the Jessie 8.3 point-release (Closes: #10897). - Upgrade most firmware packages to 20160110-1. - Upgrade Intel CPU microcodes to 3.20151106.1~deb8u1. - Disable IPv6 for the default wired connection, so that NetworkManager does not spam the logs with IPv6 router solicitation failure. Note that this does not fix the problem for other connections (Partially closes: #10939). * Test suite - Adapt to the new desktop environment and applications' look. - Adapt new changed nmcli syntax and output. - New NetworkManager connection files must be manually loaded in Jessie. - Adapt to new pkexec behavior. - Adapt to how we now disable networking. - Use sysctl instead of echo:ing into /proc/sys. - Use oom_score_adj instead of the older oom_adj. - Adapt everything depending on logs to the use of the Journal. - Port to UDisks v2. - Check that the system partition is an EFI System Partition. - Add ldlinux.c32 to the list of bootloader files that are expected to be modified when we run syslinux (Closes: #9053). - Use apt( instead of apt-get(. - Don't hide the cursor after opening the GNOME apps menu. - Convert the remote shell to into a systemd native service and a Python 3, script that uses the sd_notify facility (Closes: #9057). Also, set its OOM score adjustment value via its unit file, and not from the test suite. - Adjust to match where screenshots are saved nowadays. - Check that all system units have started (Closes: #8262) - Simplify the "too small device" test. - Spawn `poweroff' and `halt' in the background, and don't wait for them to return: anything else would be racy vs. the remote shell's stopping. - Bump video memory allocated to the system under test, to fix out of video memory errors. - When configuring the CPU to lack PAE support, use a qemu32 CPU instead of a Pentium one: the latter makes GNOME Shell crash. See #8778 for details about how Mesa's CPU features detection has room for improvement. - Adjust free(1) output parsing for Jessie. - vm-execute: rename --type option to --spawn. - Add method to set the X.Org clipboard, and install its dependency (xsel) in the ISO. - Paste URLs in one go, to work around issue with lost key presses in the browser (Closes: #10467). - Reliably wait for Synaptic's search button to fade in. - Take into account that the sticky bit is not set on block devices on Jessie anymore. - Ensure that we can use a NetworkManager connection stored in persistence (Closes: #7966). - Use a stricter regexp when extracting logs for dropped packets. - Clone the host CPU for the test suite guests (Closes: #877. - Run ping as root (aufs does not support file capabilities so we don't get cap_net_raw+ep, and if built on a filesystem that does support file capabilities, then /bin/ping is not setupd root). - Escape regexp special characters when constructing the firewall log parsing regexp, and pass -P to grep, since Ruby uses PCRE. - Adjust is_persistent?() helper to findmnt changes in Jessie. - Rework in depth how we measure pattern coverage in memory, with more reliable Linux OOM and VM settings, fundamental improvements in what exactly we measure, and custom OOM adjutments for fillram processes (Closes: #9705). - Use blkid instead of parted to determine the filesystem type. - Use --kiosk mode instead of --fullscreen in virt-viewer, to remove the tiny border of the in-viewer menu. - Remove now redundant desktop screenshot directory scenario. - Adapt GNOME notification handling for Debian Jessie (Closes: #8782) - Disable screen blanking in the automated test suite, which occasionally breaks some test cases (Closes: #10403). - Move upgrade scenarios to the feature dedicated to them. - Don't make libvirt storage volumes executable. - Refactor the PAUSE_ON_FAIL functionality, so that we can use `pause()` as a breakpoint when debugging. - Drop non-essential Totem test that is mostly a duplicate, and too painful to be worth automating on Jessie. - Retry Totem HTTPS test with a new Tor circuit on failure. - Replace iptables status regexp-based parser with a new XML-based status analyzer: the previous implementation could not be adjusted to the new ip6tables' output (Closes: #9704). - Don't reboot in one instance when it is not needed. - Optimize memory erasure anti-test: block the boot to save CPU on the host. - Update I2P tests for Jessie, and generally make them more robust. - Update Electrum tests for 2.5.4-2 (Closes: #1075. - Add workaround for libvirt vs. guestfs permissions issue, to allow running the test suite on current Debian sid. - Fix buggy code, that happened to work by mistake, in the Seahorse test cases; bugfix on 1.8. - Update test suite images due to CSS change on Tails' website. - Adapt Tor Browser tests to work with the 5.5 series. - Automatically test downloading files in Tor Browser. - Remove obsolete scenario, that tested opening a downloaded file with an external application, which we do not support anymore. - Improve robustness of the "Tails OpenPGP keys" scenario (Closes: #1037. - Automatically test the "Diable all networking" feature (Closes: #10430). - Automatically test that SSH works over LAN (Closes: #9087). - Bump some statuc sleeps to fix a few race conditions (Closes: #5330). - Automatically test that an emergency shutdown triggers on boot medium removal (Closes: #5472). - Make the AppArmor checks actually detect errors (Closes: #10926). * Build system - Bump amount of disk space needed to build Tails with Vagrant. The addition of the Japanese Tor Browser tarball made us reach the limit of the previous value. * Adjustments for Debian 8 (Jessie) with no or very little user-visible impact - Free the fixed UIDs/GIDs we need before creating the corresponding users. - Replace the real gnome-backgrounds with a fake, equivs generated one (Closes: #8055). Jessie's gnome-shell depends on gnome-backgrounds, which is too fat to ship considering we're not using it. - AppArmor: adjust CUPS profile to support our Live system environment (Closes: #8261): · Mangle lib/live/mount/overlay/... as usual for aufs. · Pass the the attach_disconnected flag, that's needed for compatibility with PrivateTmp. - Make sure we don't ship geoclue* (Closes: #7949). - Drop deprecated GDM configuration file. - Don't add the Live user to the deprecated 'fuse' group. - Drop hidepid mount option for /proc (Closes: #8256). In its current, simplistic form it cannot be supported by systemd. - Don't manually load acpi-cpufreq at boot time. It fails to load whenever no device it supports is present, which makes the systemd-modules-load.service fail. These days, the kernel should just automatically load such modules when they are needed. - Drop sysvinit-specific (sensigs.omit.d) tweaks for memlockd. - Disable the GDM unit file's Restart=always, that breaks our "emergency shutdown on boot medium removal" feature. - Update the implementation of the memory erasure on shutdown feature: · check for rebooting state using systemctl, instead of the obsolete $RUNLEVEL (Closes: #8306) · the kexec-load initscript normally silently exits unless systemd is currently running a reboot job. This is not the case when the emergency shutdown has been triggered, so we removed this check · migrate tails-kexec to the /lib/systemd/system-shutdown/ facility · don't (try to) switch to tty1 on emergency shutdown: it apparently requires data that we haven't locked into memory, and then it blocks the whole emergency shutdown process - Display a slightly darker version of the desktop wallpaper on the screen saver, instead of the default flashy "Debian 8" branding (Closes: #903. - Disable software autorun from external media. - Disable a few unneeded D-Bus services. Some of these services are automatically started (via D-Bus activation) when GNOME Shell tries to use them. The only "use" I've seen for them, except eating precious RAM, is to display "No appointment today" in the calendar pop-up. (Closes: #9037) - Prevent NetworkManager services from starting at boot time (Closes: #8313). We start them ourselves after changing the MAC address. - Unfuzzy all patches (Closes: #826 and drop a few obsolete ones. - Adapt IBus configuration for Jessie (Closes: #8270), i.e. merge the two places where we configure keyboard layout and input methods: both are now configured in the same place in Jessie's GNOME. - Migrate panel launchers to the favorite apps list (Closes: #7992). - Drop pre-GNOME Shell menu tweaks. - Hide "Log out" button in the GNOME Shell menu (Closes: #8364). - Add a custom shutdown-helper GNOME Shell extension (Closes: #8302, #5684 and #587 that removes the press-Alt-to-turn-shutdown-button-into-Suspend functionality from the GNOME user menu, and makes Restart and Shutdown immediate, without further user interaction. Accordingly remove our custom Shutdown Helper panel applet (#8302). - Drop GNOME Panel configuration, now deprecated. - Disable GNOME Shell's screen lock feature. We're not there yet (see #5684). - Disable GNOME Shell screen locker's user switch feature. - Explicitly install libany-moose-perl (Closes: #8051). It's needed by our OpenPGP applet. On Wheezy, this package was pulled by some other dependency. This is not the case anymore on Jessie. - Don't install notification-daemon nor gnome-mag: GNOME Shell has taken over this functionality (Closes: #7481). - Don't install ntfsprogs: superseded on Jessie. - Don't install barry-util: not part of Jessie. - Link udev-watchdog dynamically, and lock it plus its dependencies in memory. - Migrate from gdm-simple-greeter to a custom gdm-tails session (Closes: #7599). - Update Plymouth installation and configuration: · install the plymouth packages via chroot_local-hooks: lb 2.x's "standard" packages list pulls console-common in, which plymouth now conflicts with · don't patch the plymouth initscript anymore, that was superseded by native systemd unit files · mask the plymouth-{halt,kexec,poweroff,reboot,shutdown} services, to prevent them from occupying the active TTY with an (empty) splash screen on shutdown/reboot, that would hide the messages we want to show to the user via tails-kexec (Closes: #9032) - Migrate GNOME keyboard layout settings from libgnomekbd to input-sources (Closes: #789. - Explicitly install syslinux-efi, that we need and is not automatically pulled by anything else anymore. - Workaround #7248 for GDM: use a solid blue background picture, instead of a solid color fill, in the Greeter session. - De-install gcc-4.8-base and gcc-4.9 at the end of the ISO build process. - Revert the "Wrap syndaemon to always use -t" Wheezy-specific workaround. - htpdate: run date(1) in a Jessie-compatible (and nicer) way. - Remove obsolete dconf screenshot settings and the corresponding test. - Drop our patched python-dbus{,-dev} package (Closes: #9177). - live-persist: stop overriding live-boot's functions, we now have a recent enough blkid. - Adjust sdmem initramfs bits for Jessie: · Directly call poweroff instead of halt -p. · Don't pass -n to poweroff and reboot, it's not supported anymore. - Wrap text in the Unsafe Browser startup warning dialog (Jessie's zenity does not wrap it itself). - Associate application/pgp-keys with Seahorse's "Import Key" application (Closes: #10571). - Install topIcons GNOME Shell extension (v2, to work around the fact that a few of the applets we use hijack the notification area. - "cd /" to fix permissions issue at tails-persistence-setup startup (Closes: #8097). - Install gstreamer1.0-libav, so that Totem can play H264-encoded videos. - Adjust APT sources configuration: · remove explicit jessie and jessie-updates sources: automatically added by live-build · add Debian testing · add jessie-backports - Firewall: white-list access to the accessibility daemon (Closes: #8075). - Adjust to changed desktop notification behavior and supported feature set (Closes: #7989): · pass the DBUS_SESSION_BUS_ADDRESS used by the GNOME session to notify-send · update waiting for a notification handler: gnome-panel and nm-applet are obsolete, GNOME Shell is now providing this facility, so instead wait for a process that starts once GNOME Shell is ready, namely ibus-daemon (Closes: #8685) · port tails-warn-about-disabled-persistence and tails-virt-notify-user to notification actions (instead of hyperlinks), and make the latter transient; to this end, add support to Desktop::Notify for "hints" and notification actions · tails-security-check: use a dialog box instead of desktop notifications · MAC spoofing failure notification: remove the link to the documentation; it was broken on Tails/Wheezy already, see #10559 for next steps - Don't explicitly install gnome-panel nor gnome-menus, so that they go away whenever the Greeter does not pull them in anymore. - Install gkbd-capplet, that provides gkbd-keyboard-display (Closes: #8363). - Install Tor 0.2.7 from deb.torproject.org: we don't need to rebuild it ourselves for seccomp support anymore. - Wrap Seahorse with torsocks when it is started as a D-Bus service too (Closes: #9792). - Rename the AppArmor profile for Tor, so it applies to the system-wide Tor service we run (Closes: #1052. - Essentially revert ALSA state handling to how it was pre-Jessie, so that mixer levels are unmuted and sanitized at boot time (Closes: #7591). - Pass --yes to apt-get when installing imagemagick. - Make removable devices, that we support installing Tails to, user writable: Tails Installer requires raw block device access to such devices (Closes: #8273). Similarly, allow the amnesia user, when active, to open non-system devices for writing with udisks2. This is roughly udisks2's equivalent of having direct write access to raw block storage devices. Here too, Tails Installer uses this functionality. - Disable networkd to prevent any risk of DNS leaks it might cause; and disable timesyncd, as we have our own time synchronization mechanism. They are not enabled by default in Jessie, but may be in Stretch, so let's be explicit about it. - Mask hwclock-save.service, to avoid sync'ing the system clock to the hardware clock on shutdown (Closes: #9363). - apparmor-adjust-cupsd-profile.diff: adjust to parse fine on Jessie (Closes: #9963) - Explicitly use tor@default.service when it's the one we mean. - Refactor GNOME/X env exporting to Tails' shell library, and grab more of useful bits of the desktop session environment. Then, use the result in the test suite's remote shell. - Stop tweaking /etc/modules. It's 2015, the kernel should load these things automatically (Closes: #10609). - Have systemd hardening let Tor modify its configuration (needed by Tor Launcher), and start obfs4proy (Closes: #10696, #10724). - Bump extensions.adblockplus.currentVersion and extensions.enigmail.configuredVersion to match what we currently get on Jessie. - I2P: switch from 'service' to 'systemctl' where possible. -- Tails developers <tails@boum.org> Mon, 25 Jan 2016 18:06:33 +0100 Download ISO & PGP Signing Key: http://dl.amnesia.boum.org/tails/stable/tails-i386-2.0/ SHA-256 Hash: https://tails.boum.org/inc/stable_i386_hash/ OpenPGP Keys: https://tails.boum.org/doc/about/openpgp_keys/index.en.html VT: The ISO image file size does not permit a VT analysis.
The Tails developers have released The Amnesic Incognito Live System 2.0.1 on 13-February-2016. https://wikipedia.org/wiki/Tails_(operating_system) Home: https://tails.boum.org/ Announcement and Release Notes: https://tails.boum.org/news/version_2.0.1/index.en.html Changelogs: https://git-tails.immerda.ch/tails/plain/debian/changelog Spoiler tails (2.0.1) unstable; urgency=medium * Major new features and changes - Enable the Tor Browser's font fingerprinting protection (Closes: #11000). We do it for all browsers (including the Unsafe Browser and I2P Browser mainly to avoid making our automated test suite overly complex. This implied to set an appropriate working directory when launching the Tor Browser, to accommodate for the assumptions it makes about this. * Security fixes - Upgrade Tor Browser to 5.5.2 (Closes: #11105). * Bugfixes - Repair 32-bit UEFI support (Closes: #11007); bugfix on 2.0. - Add libgnome2-bin to installed packages list to provide gnome-open, which fixes URL handling at least in KeePassX, Electrum and Icedove (Closes: #11031); bugfix on 2.0. Thanks to segfault for the patch! * Minor improvements - Refactor and de-duplicate the chrooted browsers' configuration: prefs.js, userChrome.css (Closes: #9896). - Make the -profile Tor Launcher workaround simpler (Closes: #7943). - Move Torbutton environment configuration to the tor-browser script, instead of polluting the default system environment with it. - Refresh patch against the Tor Browser AppArmor profile (Closes: #1107. - Propagate Tor Launcher options via the wrapper. - Move tor-launcher script to /usr/local/bin. - Move tor-launcher-standalone to /usr/local/lib. - Move Tor Launcher env configuration closer to the place where it is used, for simplicity's sake. * Test suite - Mass update browser and Tor Launcher related images due to font change, caused by Tor Browser 5.5's font fingerprinting protection (Closes: #11097). And then, use separate PrintToFile.png for the browsers, and Evince, since it cannot be shared anymore. - Adjust to the refactored chrooted browsers configuration handling. - Test that Tor Launcher uses the correct Tor Browser libraries. - Allow more slack when verifying that the date that was set. - Bump a bit the timeout used when waiting for the remote shell. - Bump timeout for the process to disappear, when closing Evince. - Bump timeout when saving persistence configuration. - Bump timeout for bootstrapping I2P. * Build system - Remove no longer relevant places.sqlite cleanup procedure. -- Tails developers <tails@boum.org> Fri, 12 Feb 2016 13:00:15 +0000 Download ISO & PGP Signing Key: http://dl.amnesia.boum.org/tails/stable/tails-i386-2.0.1/ SHA-256 Hash: https://tails.boum.org/inc/stable_i386_hash/ SHA-256 Hash: e175f67b455ce09ee03760330af572f9de34dce51cc9c429b45ab8528d0a471f OpenPGP Keys: https://tails.boum.org/doc/about/openpgp_keys/index.en.html VT: The ISO image file size does not permit a VT analysis.
The Tails developers have released The Amnesic Incognito Live System 2.2 on 08-March-2016. https://wikipedia.org/wiki/Tails_(operating_system) Home: https://tails.boum.org/ Announcement and Release Notes: https://tails.boum.org/news/version_2.2/index.en.html Changelogs: https://git-tails.immerda.ch/tails/plain/debian/changelog Spoiler tails (2.2) unstable; urgency=medium * Major new features and changes - Replace Vidalia (which has been unmaintained for years) with: (Closes: #6841) * the Tor Status GNOME Shell extension, which adds a System Status icon indicating whether Tor is ready or not. * Onion Circuits, a simple Tor circuit monitoring tool. * Security fixes - Upgrade Tor Browser to 5.5.3 (Closes: #11189). - Upgrade Linux to 3.16.7-ckt20-1+deb8u4. - Upgrade cpio to 2.11+dfsg-4.1+deb8u1. - Upgrade glibc to 2.19-18+deb8u3. - Upgrade libav to 6:11.6-1~deb8u1. - Upgrade libgraphite2 to 1.3.5-1~deb8u1. - Upgrade libjasper1 to 1.900.1-debian1-2.4+deb8u1. - Upgrade libreoffice to 4.3.3-2+deb8u3. - Upgrade libssh2 to 1.4.3-4.1+deb8u1. - Upgrade openssl to 1.0.1k-3+deb8u4. - Upgrade perl to 5.20.2-3+deb8u4. - Upgrade python-imaging, python-pil to 2.6.1-2 2.6.1-2+deb8u2. * Bugfixes - Hide "Laptop Mode Tools Configuration" menu entry. We don't support configuring l-m-t in Tails, and it doesn't work out of the box. (Closes: #11074) - WhisperBack: * Actually write a string when saving bug report to disk. (Closes: #11133) * Add missing argument to OpenPGP dialog so the optional OpenPGP key can be added again. (Closes: #11033) * Minor improvements - Upgrade I2P to 0.9.24-1~deb8u+1. - Add support for viewing DRM protected DVD videos using libdvdcss2. Patch series submitted by Austin English <austinenglish@gmail.com>. (Closes: #7674) - Automatically save KeePassX database after every change by default. (Closes: #11147) - Implement Tor stream isolation for WhisperBack - Delete unused tor-tsocks-mua.conf previously used by Claws Mail. (Closes: #10904) - Add set -u to all gettext:ized shell scripts. In gettext-base < 1.8.2, like the one we had in Wheezy, gettext.sh references the environment variable ZSH_VERSION, which we do not set. This has prevented us from doing `set -u` without various hacks. (Closes: #9371) - Also set -e in some shell scripts which lacked it for no good reason. - Make Git verify the integrity of transferred objects. (Closes: #11107) - Remove LAlt+Shift and LShift+RShift keyboard layout toggling shortcuts. (Closes: #10913, #11042) * Test suite - Reorder the execution of feature to decrease peak disk usage. (Closes: #10503) - Paste into the GTK file chooser, instead of typing. (Closes: #10775) - Pidgin: wait a bit for text to have stopped scrolling before we click on it. (Closes: #10783) - Fix step that runs commands in GNOME Terminal, that was broken on Jessie when a Terminal is running already. (Closes: #11176) - Let ruby-rjb guess JAVA_HOME instead fixing on one jvm version. (Closes: #11190) * Build system - Upgrade build system to Debian Jessie. This includes migrating to a new Vagrant basebox based on Debian Jessie. - Rakefile: print git status when there are uncommitted changes. Patch submitted by Austin English <austinenglish@gmail.com>. (Closes: #1110 - .gitignore: add .rake_tasks~. Patch submitted by Austin English <austinenglish@gmail.com>. (Closes: #11134) - config/amnesia: use --show-field over sed filtering. Patch submitted by Chris Lamb <lamby@debian.org>. - Umount and clean up leftover temporary directories from old builds. (Closes: #10772) -- Tails developers <tails@boum.org> Mon, 07 Mar 2016 18:09:50 +0100 Download ISO & PGP Signing Key: http://dl.amnesia.boum.org/tails/stable/tails-i386-2.2/ SHA-256 Hash: https://tails.boum.org/inc/stable_i386_hash/ SHA-256 Hash: e175f67b455ce09ee03760330af572f9de34dce51cc9c429b45ab8528d0a471f OpenPGP Keys: https://tails.boum.org/doc/about/openpgp_keys/index.en.html VT: The ISO image file size does not permit a VT analysis.
The Tails developers have released The Amnesic Incognito Live System 2.2.1 on 18-March-2016. https://wikipedia.org/wiki/Tails_(operating_system) Home: https://tails.boum.org/ Announcement and Release Notes: https://tails.boum.org/news/version_2.2.1/index.en.html Changelogs: https://git-tails.immerda.ch/tails/plain/debian/changelog Spoiler tails (2.2.1) unstable; urgency=medium * Security fixes - Upgrade Tor Browser to 5.5.4. (Closes: #11254) - Upgrade bind9-related packages to 1:9.9.5.dfsg-9+deb8u6 - Upgrade libotr to 4.1.0-2+deb8u1 - Upgrade samba-related packages to 2:4.1.17+dfsg-2+deb8u2. - Upgrade libgraphite2 to 1.3.6-1~deb8u1. -- Tails developers <tails@boum.org> Thu, 17 Mar 2016 15:03:52 +0100 Download ISO & PGP Signing Key: http://dl.amnesia.boum.org/tails/stable/tails-i386-2.2.1/ SHA-256 Hash: https://tails.boum.org/inc/stable_i386_hash/ SHA-256 Hash: 1a82cdbfc162a54e488f260fdbca7d9251e9a83a9faec63e8df23a9d4d97099f OpenPGP Keys: https://tails.boum.org/doc/about/openpgp_keys/index.en.html VT: The ISO image file size does not permit a VT analysis.
https://tails.boum.org/news/signing_key_transition/index.en.html Code: Here is the full description of the new signing key: pub 4096R/0xDBB802B258ACD84F 2015-01-18 [expires: 2017-01-11] Key fingerprint = A490 D0F4 D311 A415 3E2B B7CA DBB8 02B2 58AC D84F uid [ unknown] Tails developers (offline long-term identity key) uid [ unknown] Tails developers sub 4096R/0x98FEC6BC752A3DB6 2015-01-18 [expires: 2017-01-11] sub 4096R/0x3C83DCB52F699C56 2015-01-18 [expires: 2017-01-11] I was playing around with Kleopatra, and found I couldn't certify the tails-signing.key because "certificate expired". Upon inspection: Code: > gpg2 --list-keys -v gpg: NOTE: signature key 56987A65 expired 01/11/16 09:22:10 Eastern Standard Time gpg: NOTE: signature key 56987A65 has been revoked pub 4096R/58ACD84F 2015-01-18 [expires: 2017-01-11] uid [ full ] Tails developers (offline long-term identity key) <tails@boum.org> uid [ full ] Tails developers <tails@boum.org> sub 4096R/752A3DB6 2015-01-18 [expires: 2017-01-11] sub 4096R/2F699C56 2015-01-18 [expires: 2017-01-11] sub 4096R/56987A65 2015-01-18 [revoked: 2015-10-29] > gpg2 --fingerprint 0x58ACD84F pub 4096R/58ACD84F 2015-01-18 [expires: 2017-01-11] Key fingerprint = A490 D0F4 D311 A415 3E2B B7CA DBB8 02B2 58AC D84F uid [ full ] Tails developers (offline long-term identity key) <tails@boum.org> uid [ full ] Tails developers <tails@boum.org> sub 4096R/752A3DB6 2015-01-18 [expires: 2017-01-11] sub 4096R/2F699C56 2015-01-18 [expires: 2017-01-11] Fingerprints match. I read it is common to include revocations due to users not deleting previous certificates plus merging. Cmdline trust and sign seems to work OK. Download did verify. So I'm thinking things are OK except for what I am assuming is a Kleopatra issue. Wanted to mention it here in case someone more experienced than I has input on the subject.
The Tails developers have released The Amnesic Incognito Live System 2.3 on 26-April-2016. https://wikipedia.org/wiki/Tails_(operating_system) Home: https://tails.boum.org/ Announcement and Release Notes: https://tails.boum.org/news/version_2.3/index.en.html Changelogs: https://git-tails.immerda.ch/tails/plain/debian/changelog Spoiler tails (2.3) unstable; urgency=medium * Security fixes - Upgrade Tor Browser to 5.5.5. (Fixes: #11362) - Upgrade icedove to 38.7.0-1~deb8u1 - Upgrade git to 1:2.1.4-2.1+deb8u2 - Upgrade libgd3 to 2.1.0-5+deb8u1 - Upgrade pidgin-otr to 4.0.1-1+deb8u1 - Upgrade srtp to 1.4.5~20130609~dfsg-1.1+deb8u1 - Upgrade imagemagick to 8:6.8.9.9-5+deb8u1 - Upgrade samba to 2:4.2.10+dfsg-0+deb8u2 - Upgrade openssh to 1:6.7p1-5+deb8u2 * Bugfixes - Refresh Tor Browser's AppArmor profile patch against the one from torbrowser-launcher 0.2.4-1. (Fixes: #11264) - Pull monkeysphere from stretch to avoid failing to install under eatmydata. (Fixes: #11170) - Start gpg-agent with no-grab option due to issues with pinentry and GNOME's top bar. (Fixes: #1103 - Tails Installer: Update error message to match new name of 'Clone & Install'. (Fixes: #1123 - Onion Circuits: * Cope with a missing geoipdb. (Fixes: #11203) * Make both panes of the window scrollable. (Fixes #11192) - WhisperBack: Workaround socks bug. When the Tor fails to connect to the host, WisperBack used to display a ValueError. This is caused by a socks bug that is solved in upstream's master but not in Tails. This commit workarounds this bug Unclear error message in WhisperBack when failing to connect to the server. (Fixes: #11136) * Minor improvements - Upgrade to Debian 8.4, a Debian point release with many minor upgrades and fixes to various packages . (Fixes: #11232) - Upgrade I2P to 0.9.25. (Fixes: #11363) - Pin pinentry-gtk2 to jessie-backports. The new version allows pasting passwords from the clipboard. (Fixes: #11239) - config/chroot_local-hooks/59-libdvd-pkg: cleanup /usr/src/libdvd-pkg. (Fixes: #11273) - Make the Tor Status "disconnected" icon more contrasted with the "connected" one. (Fixes: #11199) * Test suite - Add UTF-8 support to OTR Bot. (Fixes: #10866) - Don't explicitly depend on openjdk-7-jre or any JRE for that matter. Sikuli will pull in a suitable one, so depending on one ourselves is only risks causing trouble. (Fixes: #11335) -- Tails developers <tails@boum.org> Mon, 25 Apr 2016 14:12:22 +0200 Download ISO & PGP Signing Key: http://dl.amnesia.boum.org/tails/stable/tails-i386-2.3/ SHA-256 Hash: https://tails.boum.org/inc/stable_i386_hash/ SHA-256 Hash: 3E62AB45A3E4105C8353A495F5774CE970F7C3B2736B420A5DB7F7F79223B8EF OpenPGP Keys: https://tails.boum.org/doc/about/openpgp_keys/index.en.html VT: The ISO image file size does not permit a VT analysis.
The Tails developers have released The Amnesic Incognito Live System 2.4~rc1 on 26-May-2016. Announcement and Release Notes: https://tails.boum.org/news/test_2.4-rc1/index.en.html Download ISO & PGP Signing Key: http://dl.amnesia.boum.org/tails/alpha/tails-i386-2.4~rc1/
In the tails-support mailing list, Tails 2.4 will include version 6.0.1 of the Tor Browser which means that the Tails team are sync'ing Tails releases with newer fixed versions of the Tor Firefox-based browser. -- Tom
Hello lotuseclat79: It seems this has been the general practice of the TAILS developers. First a TOR Browser release soon followed by a TAILS release. It seems logical.
The Tails developers have released The Amnesic Incognito Live System 2.4 on 07-June-2016. https://wikipedia.org/wiki/Tails_(operating_system) Home: https://tails.boum.org/ Announcement and Release Notes: https://tails.boum.org/news/version_2.4/index.en.html Changelogs: https://git-tails.immerda.ch/tails/plain/debian/changelog Spoiler tails (2.4) unstable; urgency=medium * Major new features and changes - Upgrade Tor Browser to 6.0.1 based on Firefox 45.2. (Closes: #11403, #11513). - Enable Icedove's automatic configuration wizard. We patch the wizard to only use secure protocols when probing, and only accept secure protocols, while keeping the improvements done by TorBirdy in its own non-automatic configuration wizard. (Closes: #6158, #11204) * Security fixes - Upgrade bsdtar and libarchive13 to 3.1.2-11+deb8u1. - Upgrade icedove to 38.8.0-1~deb8u1+tails3. - Upgrade imagemagick to 8:6.8.9.9-5+deb8u3. - Upgrade libexpat1 to 2.1.0-6+deb8u2. - Upgrade libgd3 to 2.1.0-5+deb8u3. - Upgrade gdk-pixbuf-based packages to 2.31.1-2+deb8u5. - Upgrade libidn11 to 1.29-1+deb8u1. - Upgrade libndp0 to 1.4-2+deb8u1. - Upgrade poppler-based packages to 0.26.5-2+deb8u1. - Upgrade librsvg2-2 to 2.40.5-1+deb8u2. - Upgrade libsmbclient to 2:4.2.10+dfsg-0+deb8u3. - Upgrade OpenSSL to 1.0.1k-3+deb8u5. - Upgrade libtasn1-6 to 4.2-3+deb8u2. - Upgrade libxml2 to 2.9.1+dfsg1-5+deb8u2. - Upgrade openjdk-7-jre to 7u101-2.6.6-1~deb8u1. * Bugfixes - Enable Packetization Layer Path MTU Discovery for IPv4. If any system on the path to the remote host has a MTU smaller than the standard Ethernet one, then Tails will receive an ICMP packet asking it to send smaller packets. Our firewall will drop such ICMP packets to the floor, and then the TCP connection won't work properly. This can happen to any TCP connection, but so far it's been reported as breaking obfs4 for actual users. Thanks to Yawning for the help! (Closes: #926 - Make Tails Upgrader ship other locales than English. (Closes: #10221) - Make it possible to add local USB printers again. Bugfix on Tails 2.0. (Closes #10965). * Minor improvements - Remove custom SSH ciphers and MACs settings. (Closes: #7315) - Bring back "minimize" and "maximize" buttons in titlebars by default. (Closes: #11270) - Icedove improvements: * Stop patching in our default into Torbirdy. We've upstreamed some parts, and the rest we set with pref branch overrides in /etc/xul-ext/torbirdy.js. (Closes: #10905) * Use hkps keyserver in Enigmail. (Closes: #10906) * Default to POP if persistence is enabled, IMAP is not. (Closes: #10574) * Disable remote email account creation in Icedove. (Closes: #10464) - Firewall hardening (Closes: #11391): * Don't accept RELATED packets. This enables quite a lot of code in the kernel that we don't need. Let's reduce the attack surface a bit. * Restrict debian-tor user to NEW TCP syn packets. It doesn't need to do more, so let's do a little bit of security in depth. * Disable netfilter's nf_conntrack_helper. * Fix disabling of automatic conntrack helper assignment. - Kernel hardening: * Set various kernel boot options: slab_nomerge slub_debug=FZ mce=0 vsyscall=none. (Closes: #11143) * Remove the kernel .map files. These are only useful for kernel debugging and slightly make things easier for malware, perhaps and otherwise just occupy disk space. Also stop exposing kernel memory addresses through /proc etc. (Closes: #10951) - Drop zenity hacks to "focus" the negative answer. Jessie's zenity introduced the --default-cancel option, finally! (Closes: #11229) - Drop useless APT pinning for Linux. - Remove gnome-tweak-tool. (Closes: #11237) - Install python-dogtail, to enable accessibility technologies in our automated test suite (see below). (Part of: #10721) - Install libdrm and mesa from jessie-backports. (Closes: #11303) - Remove hledger. (Closes: #11346) - Don't pre-configure the #tails chan on the default OFTC account. (Part of: #11306) - Install onioncircuits from jessie-backports. (Closes: #11443) - Remove nmh. (Closes: #10477) - Drop Debian experimental APT source: we don't use it. - Use APT codenames (e.g. "stretch") instead of suites, to be compatible with our tagged APT snapshots. - Drop module-assistant hook and its cleanup. We've not been using it since 2010. - Remove 'Reboot' and 'Power Off' entries from Applications → System Tools. (Closes: #11075) - Pin our custom APT repo to the same level as Debian ones, and explicitly pin higher the packages we want to pull from our custom APT repo, when needed. - config/chroot_local-hooks/59-libdvd-pkg: verify libdvdcss package installation. (Closes: #11420) - Make Tails Upgrader use our new mirror pool design. (Closes: #11123) - Drop custom OpenSSH client ciphers and MACs settings. We did a pretty bad job at maintaining them compared to the Debian upstream. (Closes: #7315) - Install jessie-backports version of all binary packages built from src:hplip. This adds support for quite a few new printers. - Install printer-driver-postscript-hp, which adds support for some more printers. * Build system - Use a freezable APT repo when building Tails. This is a first step towards reproducible builds, and improves our QA and development processes by making our builds more predictable. For details, see: https://tails.boum.org/contribute/APT_repository/ - There has been a massive amount of improvements to the Vagrant-based build system, and now it could be considered the de-facto build system for Tails! Improvements and fixes include: * Migrate Vagrant to use libvirt/KVM instead of Virtualbox. (Closes: #6354) * Make apt-get stuff non-interactive while provisioning. Because there is no interaction, so that will results in errors. * Bump disk space (=> RAM for RAM builds) needed to build with Vagrant. Since the Jessie migration it seems impossible to keep this low enough to fit in 8 GiB or RAM. For this reason we also drop the space optimization where we build inside a crazy aufs stack; now we just build in a tmpfs. * Clean up apt-cacher-ng cache on vmrovision to save disk space on the builder. * Add convenient Rake task for SSH:ing into the builder VM: `rake vm:ssh`. * Add rake task for generating a new Vagrant base box. * Automatically provision the VM on build to keep things up-to-date. * Don't enable extproxy unless explicitly given as an option. Previously it would automatically be enabled when `http_proxy` is set in the environment, unlike what is documented. This will hopefully lead to fewer surprises for users who e.g. point http_proxy to a torified polipo, or similar. * Re-fetch tags when running build-tails with Vagrant. That should fix an annoyance related to #7182 that I frequently encounter: when I, as the RM, rebuild the release image the second time from the force-updated tag, the build system would not have the force-updated tag. (Closes: #7182) * Make sure we use the intended locale in the Tails builder VM. Since we communicate via SSH, and e.g. Debian forward the locale env vars by default, we have to take some steps ensuring we do not do that. - Pull monkeysphere from stretch to avoid failing to install under eatmydata. Patch submitted by Cyril Brulebois <cyril@debamax.com>. * Test suite - Add wrapper around dogtail (inside Tails) for "remote" usage in the automated test suite. This provides a simple interface for generating dogtail python code, sending it to the guest, and executing it, and should allow us to write more robust tests leveraging assistive technologies. (Closes: #10721) - A few previously sikuli-based tests has been migrated to use dogtail instead, e.g. GNOME Applications menu interaction. - Add a test for re-configuring an existing persistent volume. This is a regression test for #10809. (Closes: #10834) - Use a simulated Tor network provided by Chutney in the automated test suite. The main motivation here is improved robustness -- since the "Tor network" we now use will exit from the host running the automated test suite, we won't have to deal with Tor network blocking, or unreliable circuits. Performance should also be improved. (Closes: #9521) - Drop the usage of Tor Check in our tests. It doesn't make sense now when we use Chutney since that always means it will report that Tor is not being used. - Stop testing obsolete pluggable transports. - Completely rewrite the firewall leak detector to something more flexible and expressive. - Run tcpdump with --immediate-mode for the network sniffer. With this option, "packets are delivered to tcpdump as soon as they arrive, rather than being buffered for efficiency" which is required to make the sniffing work reliable the way we use it. - Remove most scenarios testing "tordate". It just isn't working well in Tails, so we shouldn't expect the tests to actually work all of the time. (Closes: #10440) - Close Pidgin before we inspect or persist its accounts.xml. I've seen a case when that file is _not_ saved (and thus, not persisted) if we shut down the system while Pidgin is still running. (Closes: #11413) - Close the GNOME Notification bar by pressing ESC, instead of opening the Applications menu. The Applications menu often covers other elements that we're looking for on the screen. (Closes #11401) - Hide Florence keyboard window when it doesn't vanish by itself (Closes: #1139 and wait a bit less for Florence to disappear (Closes: #11464). -- Tails developers <tails@boum.org> Mon, 06 Jun 2016 20:10:56 +0200 Download ISO & PGP Signing Key: http://dl.amnesia.boum.org/tails/stable/tails-i386-2.4/ SHA-256 Hash: E35916E5B22EA0CE351445889A0BCBFFEAC8A97129242EC65CA24F601B4034B2 OpenPGP Keys: https://tails.boum.org/doc/about/openpgp_keys/index.en.html VT: The ISO image file size does not permit a VT analysis.
The Tails developers have released The Amnesic Incognito Live System 2.5 on 02-August-2016. https://wikipedia.org/wiki/Tails_(operating_system) Home: https://tails.boum.org/ Announcement and Release Notes: https://tails.boum.org/news/version_2.5/index.en.html Changelogs: https://git-tails.immerda.ch/tails/plain/debian/changelog Spoiler tails (2.5) unstable; urgency=medium * Major new features and changes - Upgrade Icedove to 1:45.1.0-1~deb8u1+tails2. (Closes: #11530) · Fix long delay causing bad UX in the autoconfig wizard, when it does not manage to guess proper settings on some domains. (Closes: #11486) · Better support sending email through some ISPs, such as Riseup. (Closes: #10933) · Fix spurious error message when creating an account and providing its password. (Closes: #11550) * Security fixes - Upgrade Tor Browser to 6.0.3 based on Firefox 45.3. (Closes: #11611) - Upgrade GIMP to 2.8.14-1+deb8u1. - Upgrade libav to 6:11.7-1~deb8u1. - Upgrade expat to 2.1.0-6+deb8u3. - Upgrade libgd3 to 2.1.0-5+deb8u6. - Upgrade libmodule-build-perl to 0.421000-2+deb8u1. - Upgrade perl to 5.20.2-3+deb8u6. - Upgrade Pidgin to 2.11.0-0+deb8u1. - Upgrade LibreOffice to 1:4.3.3-2+deb8u5. - Upgrade libxslt1.1 to 1.1.28-2+deb8u1. - Upgrade Linux to 3.16.7-ckt25-2+deb8u3. - Upgrade OpenSSH to 1:6.7p1-5+deb8u3. - Upgrade p7zip to 9.20.1~dfsg.1-4.1+deb8u2. * Minor improvements - htpdate: replace obsolete and unreliable URIs in HTP pools, and decrease timeout for HTTP operations for more robust time synchronization. (Closes: #11577) - Hide settings panel for the Online Accounts component of GNOME, that we don't support. (Closes: #11545) - Vastly improve graphics performance in KVM guest with QXL driver. (Closes: #11500) - Fix graphics artifacts in Tor Browser in KVM guest with QXL driver. (Closes: #11489) * Build system - Wrap Pidgin in a more maintainable way. (Closes: #11567) * Test suite - Add a test scenario for the persistence "dotfiles" feature. (Closes: #10840) - Improve robustness of most APT, Git, SFTP and SSH scenarios, enough to enable them on Jenkins. (Closes: #10444, #10496, #1049 - Improve robustness of checking for persistence partition. (Closes: #1155 - Treat Tails booting from /dev/sda as OK, to support all cases including a weird one caused by hybrid ISO images. (Closes: #10504) - Bump a bunch of timeouts to cope with the occasional slowness on Jenkins. - Only query A records when exercising DNS lookups, to improve robustness. -- Tails developers <tails@boum.org> Sun, 31 Jul 2016 16:50:35 +0000 Download ISO & PGP Signing Key: http://dl.amnesia.boum.org/tails/stable/tails-i386-2.5/ SHA-256 Hash: AC1E5C08DBA8FD6CDB4149DE9956821247BDC9E991A000EC8838B8C613575578 OpenPGP Keys: https://tails.boum.org/doc/about/openpgp_keys/index.en.html VT: The ISO image file size does not permit a VT analysis.
Tails 2.11 Released 03/07/2017 Announcement and further information Spoiler: New Features, Upgrades and changes, Fixed problems New features If running on a 32-bit processor, notify the user that it won't be able to start Tails 3.0 anymore. (#12193) Notify I2P users that I2P will be removed in Tails 2.12. (#12271 Upgrades and changes Upgrade Tor Browser to 6.5.1. Fix CVE-2017-6074 (local root privilege escalation) by disabling the dccp module. (#12280) Also disable kernel modules for some other uncommon network protocols. (Part of #6457) Fixed problems Tor Browser: Don't show offline warning when opening the local documentation of Tails. (#12269) Fix rare issue causing automatic upgrades to not apply properly (#8449 and #11839) Install Linux 4.8.15 to prevent GNOME from freezing with Intel GM965/GL960 Integrated Graphics. (#12217) For more details, read our changelog. Spoiler: Detailed Changelog tails (2.11) unstable; urgency=medium * Security fixes - Upgrade Tor Browser to 6.5.1 based on Firefox 45.8. (Closes: #12283) - Fix CVE-2017-6074 (local root privilege escalation) by disabling the 'dccp' module. (Closes: #12280) - Disable kernel modules for some uncommon network protocol. These are the ones recommended by CIS. (Part of: #6457) - Disable modules we blacklist for security reasons. Blacklisted (via `blacklist MODULENAME`) modules are only blocked from being loaded during the boot process, but are still loadable with an explicit `modprobe MODULENAME`, and (worse!) via kernel module auto-loading. - Upgrade linux-image-4.8.0-0.bpo.2-686-unsigned to 4.8.15-2~bpo8+2. - Upgrade bind9 to 1:9.9.5.dfsg-9+deb8u10. - Upgrade imagemagick to 8:6.8.9.9-5+deb8u7. - Upgrade libevent-2.0-5 to 2.0.21-stable-2+deb8u1. - Upgrade libgd3 to 2.1.0-5+deb8u9. - Upgrade libjasper1 to 1.900.1-debian1-2.4+deb8u2. - Upgrade liblcms2-2 to 2.6-3+deb8u1. - Upgrade libxpm4 to 1:3.5.12-0+deb8u1. - Upgrade login to 1:4.2-3+deb8u3. - Upgrade ntfs-3g to 1:2014.2.15AR.2-1+deb8u3. - Upgrade openjdk-7-jre to 7u121-2.6.8-2~deb8u1. - Upgrade openssl to 1.0.1t-1+deb8u6. - Upgrade tcpdump to 4.9.0-1~deb8u1. - Upgrade vim to 2:7.4.488-7+deb8u2. - Upgrade libreoffice to 1:4.3.3-2+deb8u6. * Minor improvements - import-translations: also import PO files for French from Transifex. The translation team for French switched to Transifex even for our custom programs: https://mailman.boum.org/pipermail/tails-l10n/2016-November/004312.html - Notify the user, if running on a 32-bit processor, that it won't be supported in Tails 3.0 anymore. (Closes: #12193) - Notify I2P users that I2P will be removed in Tails 2.12. (Closes: #12271) * Bugfixes - Disable -proposed-updates at boot time. If a Debian point release happens right after a freeze but we have decided to enable it before the freeze to get (at least most of) it, then we get in the situation where -proposed-updates is enabled in the final release, which we don't want. We only want it enabled at build time. (Closes: #12169) - Ferm: Use the variable when referring to the Live user. The firewall will fail to start during early boot otherwise since the "amnesia" user hasn't been created yet. (Closes: #12208) - Tor Browser: Don't show offline warning when opening local documentation. (Closes: #12269) - tails-virt-notify-user: use the tails-documentation helper to improve UX when one is not connected to Tor yet, and display localized doc when available. - Fix rare issue causing automatic upgrades to not apply properly (Closes: #8449, and hopefully #11839 as well): * Allow the tails-install-iuk user to run "/usr/bin/nocache /bin/cp *" as root. * Install tails-iuk 2.8, which will use nocache for various file operations, and sync writes to the installation medium. - Install Linux 4.8.15 to prevent GNOME from freezing with Intel GM965/GL960 Integrated Graphics. (Closes: #12217, but fixes tons of other small bugs) * Build system - Add 'offline' option, making it possible to build Tails offline (if all needed resources are present in your cache). (Closes: #12272) * Test suite - Encapsulate exec_helper's class to not "pollute" the global namespace with all our helpers. This is an example of how we can work towards #9030. - Extend remote shell with *safe* file operations. Now we can read/write/append *any* characters without worrying that it will do crazy things by being passed through the shell, as was the case before. This commit also: * adds some better reporting of errors happening on the server side by communicating back the exception thrown. * removes the `user` parameter from the VM.file_* methods. They were not used, any way, and simply do not feel like they fit. I think the only reason we had it initially was because it was implemented via the command interface, where a user concept makes a lot of sense. - debug_log() Dogtail script content on failure. - Add a very precise timestamp to each debug_log(). - Make robust_notification_wait() ensure the applet is closed. In robust_notification_wait() when we close the notification applet, other windows may change position, creating a racy situation for any immediately following action aimed at one such window. (Closes: #10381) - Fix I2P's Pidgin test. The initial conversation (that determines the title of the conversation window) is now made by a different IRC service than before. - Use lossless compression for the VNC viewer with --view. Otherwise the VNC viewer is not a good place to extract test suite images from, at least with xtigervncviewer. - Add optional pause() notification feature to the test suite. It will run a user-configurable arbitrary shell command when pause() is called, e.g. on failure when --interactive-debugging is used. This is pretty useful when multitasking with long test suite runs, so you immediately are notified when a test fails (or when you reached a temporary pause() breakpoint). (Closes: #12175) - Add the possibility to run Python code in a persistent session in the remote shell and use this for Dogtail to significantly improve its performance by saving state and reusing it between commands. This changes the semantics of the creation of Dogtail objects. Previously they just created the code that then would be run once an actionable method was called (.wait, .click etc), but now it works like in Python, that Dogtail will try to find the graphical element upon object creation. (Closes: #12059) - Test that we don't ship any -proposed-updates APT sources. (Closes: #12169) - Make force_new_tor_circuit() respect NEWNYM rate limiting. - Add retry magic for lost click when opening Tails' documentation from the desktop launcher. (Closes: #12131) -- Tails developers <tails@boum.org> Mon, 06 Mar 2017 17:14:52 +0100
Even though is does not to appear have been announced, Tails 2.12 (i386) was released yesterday at 16:55. You can download the ISO file and its signature here. -- Tom
Tails is a Portable "privacy orientated" version of Linux for those not familiar. It happens to be the same version of Linux used by Edward Snowden.
Also read the warning page as to what it doesn't protect you from. I think DEbian OS that sends everything encrypted through TOR.
https://en.wikipedia.org/wiki/Tails_(operating_system) Read the part about if you did a search or went to the Tails site.
There is already a thread for announcements for Tails, maybe post it there: Tails Release Announcements https://www.wilderssecurity.com/threads/tails-release-announcements.345122/
The 3.x releases of Tails now only work on 64-bit hardware, whereas the 2.x releases are for 32-bit, and are being abandoned from a development point of view, I think after 2.12 as I do not see any scheduled 2.x releases beyond 2.12 on the Tails Calendar. -- Tom
