date:20140708

Re: [Tails-dev] quickstart for new developer?

2014-07-08 Thread intrigeri

Hi,

Alasdair Young wrote (07 Jul 2014 21:05:03 GMT) :
 I'm looking at contributing to tails.

Excellent! Welcome aboard :)

 Do you happen to have any quickstart docs available?

I'm not sure it qualifies as *quick*start documentation,
but the best we have is:

  https://tails.boum.org/contribute/

... and then, you'll find the most relevant entry point for the kind
of skills you have / want to learn :)

 Ideally I'd like to use a mac over building a debian box - is this possible
 with the current toolchain?

I have never heard of anyone trying our Vagrant setup and
configuration works on OSX. It would be interesting to know if
it works.

Still, if what you're interested in is code / development, we have
quite some tasks that can be worked on without building a Tails ISO.
I suspect these will be more suitable to get you started:

https://labs.riseup.net/code/projects/tails/issues?utf8=✓set_filter=1f[]=cf_17op[cf_17]==v[cf_17][]=1f[]=status_idop[status_id]=of[]=assigned_to_idop[assigned_to_id]=!*f[]=cf_15op[cf_15]==v[cf_15][]=Codef[]=cf_9op[cf_9]=!v[cf_9][]=Passf[]=c[]=statusc[]=priorityc[]=fixed_versionc[]=subjectc[]=categoryc[]=cf_15c[]=assigned_toc[]=cf_9group_by=

(How to reproduce: go to our Redmine, click the Easy link in the
sidebar, add Type of work == Code and QA Check != Pass
filters, apply.)

Also, something that has worked very well in the past is to tell us
a bit more about your skills and areas of interest, and then we'll be
happy to propose you a list of tasks that match it.

Cheers,
-- 
intrigeri
___
Tails-dev mailing list
Tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to 
tails-dev-unsubscr...@boum.org.

Re: [Tails-dev] Firefox extension for downloading Tails

2014-07-08 Thread intrigeri

Giorgio Maone wrote (07 Jul 2014 11:48:38 GMT) :
 Furthermore, if tails-dev has or can obtain a code signing certificate
 compatible with Mozilla XPIs (
 https://developer.mozilla.org/en-US/docs/Signing_a_XPI ), we could ship
 a signed XPI as a mitigation against MITM concerns.

Data point: we have no such certificate yet.

Cheers,
-- 
intrigeri
___
Tails-dev mailing list
Tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to 
tails-dev-unsubscr...@boum.org.

[Tails-dev] Fwd: [SUA 60-1] Upcoming Debian 7 Update (7.6)

2014-07-08 Thread intrigeri

Hi,

it would be good to e.g. run our automated test suite on an ISO built
with wheezy-proposed-updates enabled (and pinned adequately, if needed).

---BeginMessage---
-
Debian Stable Updates Announcement SUA 60-1http://www.debian.org/
debian-rele...@lists.debian.org   Adam D. Barratt
July 7th, 2014
-

Upcoming Debian 7 Update (7.6)

An update to Debian 7 is scheduled for Saturday, July 12th,
2014. As of now it will include the following bug fixes. They can be
found in wheezy-proposed-updates, which is carried by all official
mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are
also already available through wheezy-updates.

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of
them by copying debian-rele...@lists.debian.org on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes
--

This stable update adds a few important corrections to the following
packages:

Package Reason

apache2 Support ECC keys and ECDH ciphers; 
mod_proxy: fix crashes under load; mod_dav: fix potential DoS [CVE-2013-6438]; 
mod_log_config: fix cookie logging
apt-cacher-ng   Fix cross-site scripting via 403 responses 
[CVE-2014-4510]
automake1.9-nonfree Add empty prerm to ensure a clean upgrade 
path in case of install-info removal
base-files  Update for the point release
catfish Fix regression from previous security update
clamav  New upstream release; fix a crash while 
using clamscan
cmusFix build failure related to the libmodplug 
upgrade in DSA 2751
cupsFix XSS in the CUPS web interface; fix 
syntax errors in Hungarian templates
cyrus-imapd-2.4 Fix missing GUID for binary appends; fix 
broken nntpd
dbusFix denial of service [CVE-2014-3477]
duo-unixUpdate upstream HTTPS certificates; improve 
support for SHA2 in HTTPS
eglibc  Fix issues which could break dynamic linker 
on biarch systems; fix regression in IPv6 name resolution; fix February month 
name in de_AT locale; fix backtrace() on mips; fix nl_langinfo() when used in 
static binaries
elibRebuild with current debhelper
firebug Take over xul-ext-firecookie, as firebug 
now provides all its functionality; remove copyrighted ICC profile
hdf5Rebuild against current wheezy gfortran
intel-microcode Updated microcode
ldnsFix default permissions on private DNSKEYs 
generated by ldns-keygen [CVE-2014-3209]
libdatetime-timezone-perl   New upstream release
libdbi-perl Remove dependency on to-be-removed 
libplrpc-perl
libflickr-api-perl  Update URLs in line with upstream changes
libjpeg6b   Fix memory disclosure vulnerabilities 
[CVE-2013-6629 CVE-2013-6630]
libjpeg8Fix memory disclosure vulnerabilities 
[CVE-2013-6629 CVE-2013-6630]
libopenobex Fix segfault when transferring files
linux   Update to stable 3.2.60, drm/agp 3.4.92, rt 
3.2.60-rt87; security fixes [CVE-2014-3940 CVE-2014-3917 CVE-2014-4508 
CVE-2014-4652 CVE-2014-4653 CVE-2014-4654, CVE-2014-4655 CVE-2014-4656 
CVE-2014-4027]
maitreyaReplace font to avoid copyright issues
mobile-broadband-provider-info  Update included data
nostalgyAdd support for newer icedove versions
openchange  Remove packages which depend on previously 
removed samba4 packages
openssh Restore patch to disable OpenSSL version 
check
openssl Don't prefer ECDHE_ECDSA with some Safari 
versions; actually restart the services when restart-without-asking is set
policyd-weight  Fix infinite loop if resolver only 
reachable via IPv6
proftpd-mod-geoip   Remove useless and buggy 
proftpd-mod-geoip.postrm script
py3dns  Fix timeouts associated with only one of 
several available nameservers being unavailable; correctly deal with source 
port already in use errors
pydap   Add dap to namespace_packages in setup.py
quassel Fix certificate permissions

Re: [Tails-dev] quickstart for new developer?

2014-07-08 Thread Alasdair Young

Thanks for the feedback :)

Vagrant itself works perfectly fine - I can run vagrant up and connect no
problem.

As for coding, I've been a developer for around 12 years now and have
strong skills in a bunch of web technologies (my day job). I'm also
moderately decent at things involving hardware (a few years of reverse
engineering protocols for physical security systems). My main languages are
java, ruby and js/coffeescript (frontend and node.js) and a somewhat rusty
knowledge of C (but not much c++).

I think I know more than the average developer about security and different
attack vectors.

My main interests lie in finding new attacks against tails (and fixing
them) and making the software absurdly easy to use on just about every
machine. At some point I'd also be interested in porting tails to run on
android - an obvious way would just to run a modified version of tails in a
chroot environment, similar to what the pwnpad people do. (Of course, the
ideal case is being able to dual boot via an SD card).

Right now, I was planning on picking an easy task like adding a reboot
button to the installer for the persistence setup but even something like
that needs the full toolchain it seems. I'm happy to go install wheezy on a
spare box but it would be nice in the long run if things worked on a mac as
well.

Is this enough information?

- alasdair

I was going to take on one of the easy tasks like add a reboot button to
the installer for persistence




On Mon, Jul 7, 2014 at 11:40 PM, intrigeri intrig...@boum.org wrote:

 Hi,

 Alasdair Young wrote (07 Jul 2014 21:05:03 GMT) :
  I'm looking at contributing to tails.

 Excellent! Welcome aboard :)

  Do you happen to have any quickstart docs available?

 I'm not sure it qualifies as *quick*start documentation,
 but the best we have is:

   https://tails.boum.org/contribute/

 ... and then, you'll find the most relevant entry point for the kind
 of skills you have / want to learn :)

  Ideally I'd like to use a mac over building a debian box - is this
 possible
  with the current toolchain?

 I have never heard of anyone trying our Vagrant setup and
 configuration works on OSX. It would be interesting to know if
 it works.

 Still, if what you're interested in is code / development, we have
 quite some tasks that can be worked on without building a Tails ISO.
 I suspect these will be more suitable to get you started:

 https://labs.riseup.net/code/projects/tails/issues?utf8=
 ✓set_filter=1f[]=cf_17op[cf_17]==v[cf_17][]=1f[]=status_idop[status_id]=of[]=assigned_to_idop[assigned_to_id]=!*f[]=cf_15op[cf_15]==v[cf_15][]=Codef[]=cf_9op[cf_9]=!v[cf_9][]=Passf[]=c[]=statusc[]=priorityc[]=fixed_versionc[]=subjectc[]=categoryc[]=cf_15c[]=assigned_toc[]=cf_9group_by=

 (How to reproduce: go to our Redmine, click the Easy link in the
 sidebar, add Type of work == Code and QA Check != Pass
 filters, apply.)

 Also, something that has worked very well in the past is to tell us
 a bit more about your skills and areas of interest, and then we'll be
 happy to propose you a list of tasks that match it.

 Cheers,
 --
 intrigeri
 ___
 Tails-dev mailing list
 Tails-dev@boum.org
 https://mailman.boum.org/listinfo/tails-dev
 To unsubscribe from this list, send an empty email to
 tails-dev-unsubscr...@boum.org.




-- 
- alasdair

Alasdair Young
___
Tails-dev mailing list
Tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to 
tails-dev-unsubscr...@boum.org.

Re: [Tails-dev] Firefox extension for downloading Tails

2014-07-08 Thread sajolida

Giorgio Maone wrote:
Hi everybody.

The blueprint should be enough for me to start hacking a prototype together.

If nobody has suggestions, I'd propose to call the extension with the
catchy (!) name of Tails Catcher.

I'd just add that a future version might embed tails developer's key and
perform OpenPGP authentication itself.

I didn't put that idea on the blueprint so far, for the following reasons:

- OpenPGP for verifying our ISO image is only stronger than SHA256 if
the WoT is used to build strong trust in the signing key. Otherwise, you
might as well get an HTTPS MitM while receiving the key, as much as
while receiving the hash.
- Our past experience with Firegpg [1] taught us that doing GPG inside
of a browser is usually a bad idea. The same might not apply to an ISO
verification but I would check this very carefully before going this way.
- I don't know how portable it would be to do such GPG operations from
inside the browser. Would the user need to have GPG installed on their
Windows or Mac OS X? Would we ship a GPG ourselves? All those options
sounds scary to me :)

Those are the reasons why I'm not convinced by that idea. We might also
want to further discuss the role of the OpenPGP verification in the
broad installation process with UX people. But anyway, that discussion
shouldn't block in any way the first implementation...

[1]:
https://tails.boum.org/doc/encryption_and_privacy/FireGPG_susceptible_to_devastating_attacks/index.en.html

--
sajolida

signature.asc
Description: OpenPGP digital signature
___
Tails-dev mailing list
Tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to
tails-dev-unsubscr...@boum.org.

Re: [Tails-dev] Firefox extension for downloading Tails

2014-07-08 Thread Griffin Boyce

OpenPGP.js doesn't require the user to have GPG installed on their system.

Ideally, in this case, the pubkey would be already packaged within the
extension, with only signed updates being able to overwrite it. However, I
think to some extent this still relies on a user making an effort to verify the
key's validity via its web of trust.

best,
Griffin

On July 8, 2014 6:19:07 PM EDT, sajol...@pimienta.org wrote:
Giorgio Maone wrote:
Hi everybody.

The blueprint should be enough for me to start hacking a prototype
together.

If nobody has suggestions, I'd propose to call the extension with the
catchy (!) name of Tails Catcher.

I'd just add that a future version might embed tails developer's key
and
perform OpenPGP authentication itself.

I didn't put that idea on the blueprint so far, for the following
reasons:

- OpenPGP for verifying our ISO image is only stronger than SHA256 if
the WoT is used to build strong trust in the signing key. Otherwise,
you
might as well get an HTTPS MitM while receiving the key, as much as
while receiving the hash.
- Our past experience with Firegpg [1] taught us that doing GPG inside
of a browser is usually a bad idea. The same might not apply to an ISO
verification but I would check this very carefully before going this
way.
- I don't know how portable it would be to do such GPG operations from
inside the browser. Would the user need to have GPG installed on their
Windows or Mac OS X? Would we ship a GPG ourselves? All those options
sounds scary to me :)

[1]:
https://tails.boum.org/doc/encryption_and_privacy/FireGPG_susceptible_to_devastating_attacks/index.en.html

--
sajolida

___
Tails-dev mailing list
Tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to
tails-dev-unsubscr...@boum.org.

--
Sent from my tracking device. Please excuse brevity and cat photos.___
Tails-dev mailing list
Tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to
tails-dev-unsubscr...@boum.org.

Re: [Tails-dev] Firefox extension for downloading Tails

2014-07-08 Thread Giorgio Maone

On 09/07/2014 00:46, Griffin Boyce wrote:
OpenPGP.js doesn't require the user to have GPG installed on their
system.
And keeps things cross-platform.

Ideally, in this case, the pubkey would be already packaged within the
extension, with only signed updates being able to overwrite it.
Yes, that was the idea.

However, I think to some extent this still relies on a user making an
effort to verify the key's validity via its web of trust.
It would be nice, but if the user cannot trust the extension he
installed he pretty much lost anyway, so this setup would generally
mitigate the risk of a MITM while grabbing the hash.

However I agree, this is for a future version and shouldn't prevent us
from shipping basic download+verification.
-- G

best,
Griffin

On July 8, 2014 6:19:07 PM EDT, sajol...@pimienta.org wrote:

Giorgio Maone wrote:

Hi everybody. The blueprint should be enough for me to start
hacking a prototype together. If nobody has suggestions, I'd
propose to call the extension with the catchy (!) name of
Tails Catcher. I'd just add that a future version might
embed tails developer's key and perform OpenPGP authentication
itself.

I didn't put that idea on the blueprint so far, for the following reasons:

- OpenPGP for verifying our ISO image is only stronger than SHA256 if
the WoT is used to build strong trust in the signing key. Otherwise, you
might as well get an HTTPS MitM while receiving the key, as much as
while receiving the hash.
- Our past experience with Firegpg [1] taught us that doing GPG inside
of a browser is usually a
bad idea. The same might not apply to an ISO
verification but I would check this very carefully before going this way.
- I don't know how portable it would be to do such GPG operations from
inside the browser. Would the user need to have GPG installed on their
Windows or Mac OS X? Would we ship a GPG ourselves? All those options
sounds scary to me :)

[1]:

https://tails.boum.org/doc/encryption_and_privacy/FireGPG_susceptible_to_devastating_attacks/index.en.html

--
Sent from my tracking device. Please excuse brevity and cat photos.

--
--
Giorgio Maone
http://maone.net

___
Tails-dev mailing list
Tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to
tails-dev-unsubscr...@boum.org.

[Tails-dev] INSTITUTIONS

2014-07-08 Thread SECURE NOTIFICATION

WHOM IT MAY CONCERN,

Please get in touch with several computer science institutions or 
departments and request that an assignment be related to a bug fix 
or feature for the TAILS platform. Or, for a final project, have 
students choose several bug fixes or features. Many options can be 
done here, which will progress TAILS updates faster.




















/s/ p.p. COMMUNICATION  RELATIONS INTERMEDIARY

*This message was sent from a fixed NGO device terminal and may be 
an automated robo-message. Endorsed Service Usage Rates @ 
$144.99/hour pro tem. Address all replies with a header as 
Sir/Madam.

DISCLAIMER  EXPRESS ACTUAL NOTICE: This message and all subsequent 
messages contains private, confidential information and is intended 
only for the individual, recipient, or addressee named, and not for 
public view. If you are not the named or designated addressee, you 
should not disseminate, print, distribute or copy this and all 
subsequent emails in any form without prior approval. A monetary 
fee will be billed to recipient when applicable, especially to 
discovery of the listed prohibited actions aforementioned. Please 
notify the sender immediately by email if you have received this 
email by mistake and delete this email from your system. If you are 
not the intended recipient, you are notified that sharing, 
disclosing, copying, altering, distributing or taking any action in 
reliance on the entire contents of this information is strictly 
prohibited as it may contain information that is privileged, 
confidential, and exempt from disclosure under applicable or 
copyright law. Due to the integrity risk of sending emails over the 
Internet, the sender will accept no liability for any comments, 
errors, and/or attachments contained within this email, and all 
contents should not be construed as medical, legal, or professional 
advice. This account may be accessible by more than one person, 
therefore anything received from this particular account and its 
associated IP address may not be the actual owner or creator of the 
account. This is not a permanent communications account, but 
temporary, and all activities therein and thereof may be or has 
been subject to surveillance under P.L. 99-508 by any state, 
federal, or international agencies and/or analysts. This account 
may be permanently terminated if associated account users do not 
log-in after a 3 week hiatus. Without protest and/or prejudice. All 
rights reserved.

___
Tails-dev mailing list
Tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to 
tails-dev-unsubscr...@boum.org.

Re: [Tails-dev] Firefox extension for downloading Tails

2014-07-08 Thread Alasdair Young

I'm not a fan of openpgp.js for a lot of reasons.
http://tonyarcieri.com/whats-wrong-with-webcrypto explains why in a much
better way than I ever could.

- alasdair
On Jul 8, 2014 3:47 PM, Griffin Boyce grif...@cryptolab.net wrote:

OpenPGP.js doesn't require the user to have GPG installed on their system.

best,
Griffin

On July 8, 2014 6:19:07 PM EDT, sajol...@pimienta.org wrote:

Giorgio Maone wrote:

Hi everybody.