Re: [Tails-dev] Sandboxing Tor Browser: strategy for tracking "upstream" AppArmor profile

2015-01-25 Thread bertagaz
On Fri, Jan 23, 2015 at 08:50:28PM +0100, intrigeri wrote:
> 
> I'm working on #5525 ("Sandbox the web browser"), and have an AppArmor
> profile that works locally for most basic use cases. Now, I'm
> wondering how to integrate it into Tails and I need your input.
> 
> I think we have two solutions:
> 
>  1. Download "upstream" profile and apply Tails-specific patch at
>     ISO build time
> 
>  2. Ship a forked profile in our Git repository
> 
> => I'm in favor of #1.
> 
> Thoughts, opinions, volunteers?

While I think I could help with maintaining this profile when it breaks
the build, I'm not very comfortable with this option from my CI hat point
of view. It means that every dev would be notified of this breakage if/when
automatic builds are deployed. I can see the mailbombing coming, and
devs and contributors ranting on the list.

If #1 is chosen, we could maybe have a dedicated Jenkins job to test if
our Tails-specific patches don't apply.

Also, I've been running a Tor Browser contained by an AppArmor profile
myself for something like 4 or 5 Tor Browser releases, and it broke for only
one of them, so this scenario might not happen so often.

Maybe we could also make this build-time automatic merge less
destructive for the build: if the merge doesn't work, the build goes on
but notifies that the AppArmor profile is out of sync, and that the
Tor Browser is probably broken.

So I'm not firmly opposed to #1, and I dislike #2, but would prefer #1 to
be a bit more gentle.

bert.

___
Tails-dev mailing list
Tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to 
tails-dev-unsubscr...@boum.org.
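
The non-fatal build-time merge suggested in the message above, sketched as an added example that is not part of the thread or of Tails' build code. It assumes GNU patch and diff, and assumes that on failure the build ships the unpatched upstream profile; all function names, file names and profile lines are hypothetical or constructed.

```shell
#!/bin/sh
# Added example (not Tails build code). Assumes GNU patch and diff; every
# function, file name and profile line below is hypothetical or constructed.

# apply_profile_patch UPSTREAM PATCH OUT STATUSFILE
# Patch applies cleanly: OUT = patched profile, STATUSFILE = "in-sync".
# Patch does not apply:  OUT = unpatched upstream copy (an assumption),
#                        STATUSFILE = "out-of-sync", warning on stderr,
#                        and the build still goes on (return 0).
# Missing input file:    return 2, a real build error.
apply_profile_patch() {
    upstream=$1 patchfile=$2 out=$3 statusfile=$4
    [ -r "$upstream" ] && [ -r "$patchfile" ] || return 2
    cp "$upstream" "$out" || return 2
    # --dry-run tests every hunk first, so OUT is never left half-patched.
    if patch --dry-run -s -f "$out" "$patchfile" >/dev/null 2>&1; then
        patch -s -f --no-backup-if-mismatch "$out" "$patchfile" >/dev/null || return 2
        echo in-sync > "$statusfile"
    else
        echo out-of-sync > "$statusfile"
        echo "WARNING: Tails-specific patch does not apply to the upstream" \
             "AppArmor profile; Tor Browser is probably broken" >&2
    fi
}

# demo NEW_UPSTREAM_RULE: build a constructed profile and patch, then apply the
# patch to an "upstream" whose download rule is NEW_UPSTREAM_RULE.
demo() {
    d=$(mktemp -d) || return 2
    printf 'profile torbrowser {\n  /usr/bin/example r,\n  %s\n}\n' \
        'owner @{HOME}/Downloads/** rw,' > "$d/old"
    printf 'profile torbrowser {\n  /usr/bin/example r,\n  %s\n}\n' \
        'owner @{HOME}/Persistent/** rw,' > "$d/tails"
    # The constructed "Tails-specific patch"; diff exits 1 when files differ.
    diff -u "$d/old" "$d/tails" > "$d/tails.patch" || [ $? -eq 1 ] || return 2
    printf 'profile torbrowser {\n  /usr/bin/example r,\n  %s\n}\n' "$1" > "$d/new"
    apply_profile_patch "$d/new" "$d/tails.patch" "$d/out" "$d/status" || return 2
    cat "$d/status"
    rm -rf "$d"
}
```

A dedicated CI job could run the same function and fail when the status file reads `out-of-sync`, so only that job, not every ISO build, reports the drift.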


Re: [Tails-dev] Sandboxing Tor Browser: strategy for tracking "upstream" AppArmor profile

2015-01-25 Thread intrigeri
Hi,

u wrote (24 Jan 2015 19:54:11 GMT) :
>> => I'm in favor of #1.

> Me too.

OK, I'll start preparing things in this direction, then.
(Not to say we can't revert to #2 or something else later,
so more input is still welcome until the end of the month :)

> Indeed, as I am co-maintaining torbrowser-launcher in Debian and work on
> AppArmor a lot these days, I can commit to track changes to the upstream
> profile.

Yay \o/

> Do you want to point me at the Tails-specific patch so I can see what we
> are talking about?

I'll do that once I have implemented it as a patch. In the meantime:
https://git-tails.immerda.ch/tails/tree/config/chroot_local-includes/etc/apparmor.d/torbrowser?h=feature/5525-sandbox-web-browser

> Anything else i should know or do?

So far, I don't think so. I'll soon ask for input on this web browser
sandboxing on tails-ux@ for other reasons (spoiler:
https://tails.boum.org/blueprint/sandbox_the_web_browser/#index3h1),
and I hope to send a call for testing in the next few days or, failing
that, February 6.

Cheers!
-- 
intrigeri


Re: [Tails-dev] Jenkins build is back to normal : build_Tails_ISO_experimental #1690

2015-01-25 Thread intrigeri
tim smy wrote (25 Jan 2015 05:18:53 GMT) :
> Is . password protected

Yes. On the other hand, most of these failures can be reproduced
locally by anyone wanting to help fix them.

