Re: [Tails-dev] quickstart for new developer?
Hi,

Alasdair Young wrote (07 Jul 2014 21:05:03 GMT) :
> I'm looking at contributing to tails.

Excellent! Welcome aboard :)

> Do you happen to have any quickstart docs available?

I'm not sure it qualifies as *quick*start documentation, but the best we have is: https://tails.boum.org/contribute/

... and then, you'll find the most relevant entry point for the kind of skills you have / want to learn :)

> Ideally I'd like to use a mac over building a debian box - is this possible with the current toolchain?

I have never heard of anyone trying our Vagrant setup and configuration works on OSX. It would be interesting to know if it works.

Still, if what you're interested in is code / development, we have quite some tasks that can be worked on without building a Tails ISO. I suspect these will be more suitable to get you started:

https://labs.riseup.net/code/projects/tails/issues?utf8=✓set_filter=1f[]=cf_17op[cf_17]==v[cf_17][]=1f[]=status_idop[status_id]=of[]=assigned_to_idop[assigned_to_id]=!*f[]=cf_15op[cf_15]==v[cf_15][]=Codef[]=cf_9op[cf_9]=!v[cf_9][]=Passf[]=c[]=statusc[]=priorityc[]=fixed_versionc[]=subjectc[]=categoryc[]=cf_15c[]=assigned_toc[]=cf_9group_by=

(How to reproduce: go to our Redmine, click the Easy link in the sidebar, add Type of work == Code and QA Check != Pass filters, apply.)

Also, something that has worked very well in the past is to tell us a bit more about your skills and areas of interest, and then we'll be happy to propose you a list of tasks that match it.

Cheers,
--
intrigeri
Re: [Tails-dev] Firefox extension for downloading Tails
Giorgio Maone wrote (07 Jul 2014 11:48:38 GMT) :
> Furthermore, if tails-dev has or can obtain a code signing certificate compatible with Mozilla XPIs ( https://developer.mozilla.org/en-US/docs/Signing_a_XPI ), we could ship a signed XPI as a mitigation against MITM concerns.

Data point: we have no such certificate yet.

Cheers,
--
intrigeri
[Tails-dev] Fwd: [SUA 60-1] Upcoming Debian 7 Update (7.6)
Hi,

it would be good to e.g. run our automated test suite on an ISO built with wheezy-proposed-updates enabled (and pinned adequately, if needed).

---BeginMessage---

Debian Stable Updates Announcement SUA 60-1
http://www.debian.org/
debian-rele...@lists.debian.org
Adam D. Barratt
July 7th, 2014

Upcoming Debian 7 Update (7.6)

An update to Debian 7 is scheduled for Saturday, July 12th, 2014. As of now it will include the following bug fixes. They can be found in wheezy-proposed-updates, which is carried by all official mirrors.

Please note that packages published through security.debian.org are not listed, but will be included if possible. Some of the updates below are also already available through wheezy-updates.

Testing and feedback would be appreciated. Bugs should be filed in the Debian Bug Tracking System, but please make the Release Team aware of them by copying debian-rele...@lists.debian.org on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following packages:

Package                         Reason
apache2                         Support ECC keys and ECDH ciphers; mod_proxy: fix crashes under load; mod_dav: fix potential DoS [CVE-2013-6438]; mod_log_config: fix cookie logging
apt-cacher-ng                   Fix cross-site scripting via 403 responses [CVE-2014-4510]
automake1.9-nonfree             Add empty prerm to ensure a clean upgrade path in case of install-info removal
base-files                      Update for the point release
catfish                         Fix regression from previous security update
clamav                          New upstream release; fix a crash while using clamscan
cmus                            Fix build failure related to the libmodplug upgrade in DSA 2751
cups                            Fix XSS in the CUPS web interface; fix syntax errors in Hungarian templates
cyrus-imapd-2.4                 Fix missing GUID for binary appends; fix broken nntpd
dbus                            Fix denial of service [CVE-2014-3477]
duo-unix                        Update upstream HTTPS certificates; improve support for SHA2 in HTTPS
eglibc                          Fix issues which could break dynamic linker on biarch systems; fix regression in IPv6 name resolution; fix February month name in de_AT locale; fix backtrace() on mips; fix nl_langinfo() when used in static binaries
elib                            Rebuild with current debhelper
firebug                         Take over xul-ext-firecookie, as firebug now provides all its functionality; remove copyrighted ICC profile
hdf5                            Rebuild against current wheezy gfortran
intel-microcode                 Updated microcode
ldns                            Fix default permissions on private DNSKEYs generated by ldns-keygen [CVE-2014-3209]
libdatetime-timezone-perl       New upstream release
libdbi-perl                     Remove dependency on to-be-removed libplrpc-perl
libflickr-api-perl              Update URLs in line with upstream changes
libjpeg6b                       Fix memory disclosure vulnerabilities [CVE-2013-6629 CVE-2013-6630]
libjpeg8                        Fix memory disclosure vulnerabilities [CVE-2013-6629 CVE-2013-6630]
libopenobex                     Fix segfault when transferring files
linux                           Update to stable 3.2.60, drm/agp 3.4.92, rt 3.2.60-rt87; security fixes [CVE-2014-3940 CVE-2014-3917 CVE-2014-4508 CVE-2014-4652 CVE-2014-4653 CVE-2014-4654, CVE-2014-4655 CVE-2014-4656 CVE-2014-4027]
maitreya                        Replace font to avoid copyright issues
mobile-broadband-provider-info  Update included data
nostalgy                        Add support for newer icedove versions
openchange                      Remove packages which depend on previously removed samba4 packages
openssh                         Restore patch to disable OpenSSL version check
openssl                         Don't prefer ECDHE_ECDSA with some Safari versions; actually restart the services when restart-without-asking is set
policyd-weight                  Fix infinite loop if resolver only reachable via IPv6
proftpd-mod-geoip               Remove useless and buggy proftpd-mod-geoip.postrm script
py3dns                          Fix timeouts associated with only one of several available nameservers being unavailable; correctly deal with source port already in use errors
pydap                           Add dap to namespace_packages in setup.py
quassel                         Fix certificate permissions
Re: [Tails-dev] quickstart for new developer?
Thanks for the feedback :)

Vagrant itself works perfectly fine - I can run vagrant up and connect no problem.

As for coding, I've been a developer for around 12 years now and have strong skills in a bunch of web technologies (my day job). I'm also moderately decent at things involving hardware (a few years of reverse engineering protocols for physical security systems). My main languages are java, ruby and js/coffeescript (frontend and node.js) and a somewhat rusty knowledge of C (but not much c++). I think I know more than the average developer about security and different attack vectors.

My main interests lie in finding new attacks against tails (and fixing them) and making the software absurdly easy to use on just about every machine. At some point I'd also be interested in porting tails to run on android - an obvious way would just be to run a modified version of tails in a chroot environment, similar to what the pwnpad people do. (Of course, the ideal case is being able to dual boot via an SD card).

Right now, I was planning on picking an easy task like adding a reboot button to the installer for the persistence setup but even something like that needs the full toolchain it seems. I'm happy to go install wheezy on a spare box but it would be nice in the long run if things worked on a mac as well.

Is this enough information?

- alasdair

I was going to take on one of the easy tasks like add a reboot button to the installer for persistence

--
- alasdair
Alasdair Young
Re: [Tails-dev] Firefox extension for downloading Tails
Giorgio Maone wrote:
> Hi everybody.
> The blueprint should be enough for me to start hacking a prototype together. If nobody has suggestions, I'd propose to call the extension with the catchy (!) name of Tails Catcher.
>
> I'd just add that a future version might embed tails developer's key and perform OpenPGP authentication itself.

I didn't put that idea on the blueprint so far, for the following reasons:

- OpenPGP for verifying our ISO image is only stronger than SHA256 if the WoT is used to build strong trust in the signing key. Otherwise, you might as well get an HTTPS MitM while receiving the key, as much as while receiving the hash.
- Our past experience with FireGPG [1] taught us that doing GPG inside of a browser is usually a bad idea. The same might not apply to an ISO verification but I would check this very carefully before going this way.
- I don't know how portable it would be to do such GPG operations from inside the browser. Would the user need to have GPG installed on their Windows or Mac OS X? Would we ship a GPG ourselves? All those options sound scary to me :)

Those are the reasons why I'm not convinced by that idea. We might also want to further discuss the role of the OpenPGP verification in the broad installation process with UX people.

But anyway, that discussion shouldn't block in any way the first implementation...

[1]: https://tails.boum.org/doc/encryption_and_privacy/FireGPG_susceptible_to_devastating_attacks/index.en.html

--
sajolida
Re: [Tails-dev] Firefox extension for downloading Tails
OpenPGP.js doesn't require the user to have GPG installed on their system. Ideally, in this case, the pubkey would be already packaged within the extension, with only signed updates being able to overwrite it. However, I think to some extent this still relies on a user making an effort to verify the key's validity via its web of trust.

best,
Griffin

--
Sent from my tracking device. Please excuse brevity and cat photos.
Re: [Tails-dev] Firefox extension for downloading Tails
On 09/07/2014 00:46, Griffin Boyce wrote:
> OpenPGP.js doesn't require the user to have GPG installed on their system.

And keeps things cross-platform.

> Ideally, in this case, the pubkey would be already packaged within the extension, with only signed updates being able to overwrite it.

Yes, that was the idea.

> However, I think to some extent this still relies on a user making an effort to verify the key's validity via its web of trust.

It would be nice, but if the user cannot trust the extension he installed he pretty much lost anyway, so this setup would generally mitigate the risk of a MITM while grabbing the hash.

However I agree, this is for a future version and shouldn't prevent us from shipping basic download+verification.

-- G

--
Giorgio Maone
http://maone.net
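The trade-off argued in the messages above (a hash fetched at download time, a signing key fetched at download time, a key packaged in the extension), as an added example that is not code from the thread or from Tails. Ed25519 from Node's built-in crypto stands in for OpenPGP, and the sample images, keys and function names are constructed for illustration.

```javascript
// Added illustration; not Tails or extension code. Ed25519 from Node's built-in
// crypto stands in for OpenPGP, and every name and byte string is constructed.
const crypto = require('crypto');

const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest('hex');
const toPem = (key) => key.export({ type: 'spki', format: 'pem' });

// Release side: the project signs the image with a key that never leaves it.
const project = crypto.generateKeyPairSync('ed25519');
const genuineIso = Buffer.from('constructed stand-in for the genuine ISO bytes');
const genuine = {
  iso: genuineIso,
  sha256: sha256(genuineIso),                        // hash published on the site
  sig: crypto.sign(null, genuineIso, project.privateKey),
  keyPem: toPem(project.publicKey),                  // key as offered by the site
};

// What the extension package carries: the project's public key, fixed at build time.
const PINNED_KEY_PEM = toPem(project.publicKey);

// What a client receives when the download channel is not trustworthy: a
// different image, with a hash, signature and key that all match each other.
function substituted() {
  const other = crypto.generateKeyPairSync('ed25519');
  const iso = Buffer.from('constructed stand-in for a substituted ISO');
  return {
    iso,
    sha256: sha256(iso),
    sig: crypto.sign(null, iso, other.privateKey),
    keyPem: toPem(other.publicKey),
  };
}

// Check A: hash fetched alongside the image. Detects corruption only.
function checkFetchedHash(dl) {
  return sha256(dl.iso) === String(dl.sha256).toLowerCase();
}

// Checks B and C: detached signature, verified against the given key.
// Any parse or verify error counts as a failed check.
function checkSignature(dl, keyPem) {
  try {
    return crypto.verify(null, dl.iso, crypto.createPublicKey(keyPem), dl.sig);
  } catch (err) {
    return false;
  }
}

function evaluate(dl) {
  return {
    fetchedHash: checkFetchedHash(dl),               // A
    fetchedKey: checkSignature(dl, dl.keyPem),       // B: key from the same channel
    pinnedKey: checkSignature(dl, PINNED_KEY_PEM),   // C: key shipped in the package
  };
}

function compareChecks() {
  const corrupted = { ...genuine, iso: Buffer.concat([genuineIso, Buffer.from([0])]) };
  return {
    genuine: evaluate(genuine),
    corrupted: evaluate(corrupted),
    substituted: evaluate(substituted()),
  };
}

console.log(compareChecks());
```

All three checks catch the corrupted image, but only the pinned-key check rejects the substituted download, and that check is in turn only as trustworthy as the channel the extension itself was installed through.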
[Tails-dev] INSTITUTIONS
WHOM IT MAY CONCERN,

Please get in touch with several computer science institutions or departments and request that an assignment be related to a bug fix or feature for the TAILS platform. Or, for a final project, have students choose several bug fixes or features. Many options can be done here, which will progress TAILS updates faster.

/s/ p.p. COMMUNICATION RELATIONS INTERMEDIARY
Re: [Tails-dev] Firefox extension for downloading Tails
I'm not a fan of openpgp.js for a lot of reasons.

http://tonyarcieri.com/whats-wrong-with-webcrypto explains why in a much better way than I ever could.

- alasdair
Re: [Tails-dev] Firefox extension for downloading Tails
On 09/07/2014 01:41, Alasdair Young wrote:
> I'm not a fan of openpgp.js for a lot of reasons.
>
> http://tonyarcieri.com/whats-wrong-with-webcrypto explains why in a much better way than I ever could.

I'm very new to this community and its mindset, so I know I've got a lot to learn and I'm certainly missing something essential, but I fail to understand how those (mostly valid) objections apply to our scenario, since they are directed either against the webcrypto standardization process or against cryptography performed in the context of a web page:

1. OpenPGP.js does not *depend* on webcrypto, even if it supports it
2. We wouldn't run as web content, but as privileged code, with the same powers and the same isolation as the browser itself (much like any platform-native program, even if written in cross-platform JavaScript).
3. We don't need to deal with private keys

-- G

--
Giorgio Maone
http://maone.net