Re: [Tails-dev] [tails-dev] [#10972] Port Tails to arm platforms

[Tails]

Hi,

intrigeri:
> ... or look into
> http://deb.tails.boum.org/dists/devel/main/source/Sources directly.
Thanks a lot, that's it! And Grub seems to be ported (at least for
uboot). I'll see the next days.

> To understand more about our custom APT repository, start at
> https://tails.boum.org/contribute/APT_repository/ :)
I did, of course. But led me directly into the scrub of the git
repository instad of http://deb.tails.boum.org/dists/devel/ - anyhow, I
must get more familar with the debian package concept.

-- 
Best Regards!
n9iu7pk

PGP pool.sks-keyservers.net 0x4D12FFCB
7426 4598 B5AD 4D12 1699 C710 D602 E331 4D12 FFCB

intrigeri:
> I think it's much simpler.
> 
> Basically, the only custom APT suite we'll be using in next Tails
> major release is the 'devel' one ⇒ just rebuild the packages that are
> currently in there. What are these packages?
> 
> Either get yourself a Debian system (debootstrap chroot, VM, Tails,
> whatever) and add this APT source:
> 
>   deb-src http://deb.tails.boum.org/ devel main
> 
> ... or look into
> http://deb.tails.boum.org/dists/devel/main/source/Sources directly.
> 
> You can even skip some packages that are currently not used (and might
> not build on Jessie): gnome-theme-windows8, gnome-theme-xpluna,
> gnome-xp-icon-theme, window-picker-applet and xp-cursor-theme.
> 
> ⇒ we're talking of 12 source packages to rebuild.
> 
> To understand more about our custom APT repository, start at
> https://tails.boum.org/contribute/APT_repository/ :)
___
Tails-dev mailing list
Tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to 
tails-dev-unsubscr...@boum.org.

Re: [Tails-dev] About the download and verification of test images

[sajolida]

intrigeri:
> Also, I'm concerned that so few of us have time to spend on this
> questions from the technical/security PoV, which hasn't been
> motivating me to reply promptly. I'll be the one to do it once more,
> because hey, our dear UX/web/design/doc people will have to make
> a decision anyway, so better have at least another pair of eyes with
> a different skillset look at it. I'd love to see us improve the UX/dev
> interface in the future, though. I think that all parties have
> something to learn, something to gain, and some things to improve on
> this topic. Time to re-read the notes from our 2015 summit about
> it? :)

+1 :)

> sajolida wrote (12 Jan 2016 15:47:16 GMT) :
>> As part of our work on integrating the new installation assistant and
>> ISO verification extension in the rest of the website, we need to decide
>> how to advertise the download and verification of test ISO images as
>> these ones won't be available through the ISO verification extension
>> (the extension only allows downloading the latest official ISO image).
> 
>> Until now we were using buttons to the direct download of ISO images and
>> their signature. See for example
>> https://tails.boum.org/news/test_2.0-beta1/index.en.html.
> 
> [snipping bits about OpenPGP verification -- anyone who cares, this is
> now #11027, that is a related but quite broader topic]
> 
>> Does this sound reasonable to you for test images?
> 
> When reading this initially I didn't understand what was the actual
> proposal, and am still struggling to find it in the message I'm
> replying to. But it's my bad in the end: I've asked clarifications to
> sajolida last month about it, and failed to take note of his reply, so
> I'm kinda back to square one. Oops, sorry!
> 
> So please take my comments with a grain of salt, it's entirely
> possible that I misunderstood what is the exact proposal we
> should discuss.

Until now the proposal was, from the calls for testing, to we point to:

1. a direct download link on https://archive.torproject.org/
2. a Torrent file on https://tails.boum.org/
3. a detached OpenPGP signature on https://tails.boum.org/
4. whatever OpenPGP verification instructions we might have (open
   question dealt with elsewhere but we'll have *something*)

> In principle, I'm totally fine with _not_ integrating test images into
> the installation assistant (IA). I have three half-good reasons to think
> it's OK:
> 
>  * We clearly state that such images are not as trustworthy as actual
>releases, which (I guess) implies that most users who choose to
>test them entrust them with sensitive data, which implies that
>a poor verification process is no big deal in most cases.
> 
>  * Our dear IA/DAVE team has already spent much more time than planned
>on producing the great thing that is live on our website.
> 
>  * I expect mostly power-users to try our test images, so hopefully
>they will be able to download, verify and install them in some
>other way:
> - download: direct link to the ISO is enough
> - verify: see below
> - install: I think it's fair enough to assume that the majority of
>   thetarget user base of these test images will know how to do
>   this; I'll leave it as an exercice for our dear sajolida to find
>   out how to nicely convey this message in calls for testing we
>   issue :)
> 
> From my perspective, none of these reasons would be fully convincing
> in itself, but all added up the conclusion totally makes sense to me.

Cool, I'm agree we agree on this as this would have been the most
problematic point if we disagreed.

> I find it important that we preserve the ability, for skilled users
> who desire so, to verify such an image with a proper cryptographic
> trust path leading from Tails developers to the end-user. I don't mean
> to interfere with the IA/DAVE team's work, in terms of how exactly
> this is implemented, so I'll stick to phrase what I think we should do
> at this abstraction level. For the mere purpose of illustrating why
> I say "preserve" above, not meaning the need has to be satisfied
> exactly this way forever and ever: currently we provide this ability
> thanks to a detached OpenPGP signature, made with a key whose security
> and usage policy is well thought and advertised, and that is pretty
> well linked to the OpenPGP web-of-trust.

I propose to keep the OpenPGP signature as we do it know. See point 4 of
the proposal.

>> As an improvement, shall we point people to
>> https://archive.torproject.org/ when downloading these?
> 
> If the administrators of this service are fine with it, why not: it
> will give better download verification for non-power-users. But then
> these very same people might be stuck with a nice ISO image and no
> documentation about how to install it (see above).

Ok, see #7. Shall I write to phobos, weasel, someone else?

> There's certainly
> a set of Tails users who know by heart how to install an ISO without
> any 

Re: [Tails-dev] Dynamically changing ISO URL in DAVE

[sajolida]

intrigeri:
>> Beside that, I think the JSON should be fetched every time the UI page
>> is reloaded (of course obeying to server-side caching directives), just
>> like we currently do with the IDF.
> 
> I'm afraid I don't know under which circumstances the UI page is
> reloaded, so I lack the background info to integrate this proposal
> into my mental representation of the problem.
> 
> @sajolida + @Giorgio: is this done as part of the Installation
> Assistant or DAVE course of operation, or only due to external factors
> (e.g. the user manually reloading the page, or restarting their
> browser)?

I *think* that Giorgio is only referring to a possible manual refresh
from the user. Keep in mind that DAVE is supposed to follow up on
download in the background and a user coming back to the download page
after possibly closing the tab, or to survive a manual page refresh or
browser restart.

The only other issue I see that relates to my work on the assistant, is
the fallback solution outside of DAVE so maybe that's off-topic here.
>From the blueprint I wonder whether it's really worth writing a version
of the JavaScript that works outside of DAVE. You're considering several
cases outside of DAVE and BitTorrent:

 A. Release candidates. We're discussing in another thread the
possibility of only relying on archive.torproject.org
for these. I think we need HTTPS there so your JavaScript
outside of DAVE might not be enough to replace this here.
 B. People with no JavaScript, wget, etc. It seems like we need the
minimal DNS pool if we want to support these anyway.
 C. Direct download link, as proposed on #11024. These people
should anyway be able to do OpenPGP verification on their own so it
won't be advertised very prominently and maybe the minimal DNS pool
you are proposing for (B) could be reused here. Also, having a
constant URL might be nice for these people to bookmark it for
example.
___
Tails-dev mailing list
Tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to 
tails-dev-unsubscr...@boum.org.

Re: [Tails-dev] About the download and verification of test images

[intrigeri]

sajolida wrote (13 Feb 2016 12:13:49 GMT) :
> Ok, see #7. Shall I write to phobos, weasel, someone else?

https://trac.torproject.org/projects/tor/wiki/org/operations/Infrastructure
says N/A in the Maintainers column ⇒ I would ask weasel (Cc Lunar, who
helps a bit on the rsync side IIRC).

phobos has left the Tor project.

>> Minor implementation detail: last time I checked carefully, only one
>> of the two mirrors behind this hostname was serving our stuff, which
>> is why (last time I checked) only one of those was in our round-robin
>> pool of HTTP mirrors. If it's still the case, then we cannot do what
>> you propose. This situation may very well have changed, I dunno.

> I'll check before writing to archive.torproject.org then. Now #11120.

The title of that ticket doesn't reflect what I wrote above, so
I wonder if I conveyed what I meant clearly enough: it's not about
"how many servers are behind archive.torproject.org" (that is
trivially answered by a DNS query), but about whether all of them
_actually serve our stuff_.

>> sajolida wrote (13 Jan 2016 11:55:33 GMT) :
>>> Now I see that anonym reported #10915: "Consider publishing torrents for
>>> betas and RCs" which would work great to solve the basic download
>>> verification problem. I'm all for it.
>> 
>> Indeed, this would be another way to improve security for the "set of
>> Tails users who know by heart how to install an ISO without any doc,
>> but don't know how to use the WoT, and are keen to try our test
>> images". And regardless, as we see on #10915 we have good reasons to
>> do so anyway. Let's do it. sajolida, will your team take it as part of
>> the question this thread is about, or shall we organize
>> things differently?

> If I understand correctly, this would mean adjust the release process
> document to add instructions to create Torrents for release candidates
> as well, right?

I would have said that it's about checking what needs to be done,
coordinating it and making it happen :)

I've had a look to help with the 1st part.

Our release process doc already makes us generate a Torrent and its
detached signature, even for RC:s (check for yourself: the "Generate
the OpenPGP signatures and Torrents" seems to have no condition
attached). It also makes us seed this Torrent unconditionally.

So what needs to be done is:

 * in the "Update the website and Git repository" section: don't skip
   the Torrent publication steps when preparing a RC; also deal with
   cleaning RC:s' Torrent files later; indeed anonym or I would be the
   best placed to do that, although bertagaz should be able to do it too

 * on our call for testing (non-existing yet) "template": link to the
   Torrent, its signature, and the corresponding documentation;
   I guess that you (sajolida) would be better placed to handle it.
___
Tails-dev mailing list
Tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to 
tails-dev-unsubscr...@boum.org.

Re: [Tails-dev] Dynamically changing ISO URL in DAVE

[Giorgio Maone]

On 13/02/2016 13:49, sajolida wrote:
> intrigeri:
>>> Beside that, I think the JSON should be fetched every time the UI page
>>> is reloaded (of course obeying to server-side caching directives), just
>>> like we currently do with the IDF.
>> I'm afraid I don't know under which circumstances the UI page is
>> reloaded, so I lack the background info to integrate this proposal
>> into my mental representation of the problem.
>>
>> @sajolida + @Giorgio: is this done as part of the Installation
>> Assistant or DAVE course of operation, or only due to external factors
>> (e.g. the user manually reloading the page, or restarting their
>> browser)?
> I *think* that Giorgio is only referring to a possible manual refresh
> from the user. Keep in mind that DAVE is supposed to follow up on
> download in the background and a user coming back to the download page
> after possibly closing the tab, or to survive a manual page refresh or
> browser restart.
>
Whenever a page matching the pattern for a possible UI page (i.e.
"https://tails.boum.org/*;), DAVE currently fetches the IDF. This is
basically the only way to fix https://labs.riseup.net/code/issues/10685,
as noted in https://labs.riseup.net/code/issues/10685#note-5

Of course you can and should limit the actual network activity by
properly using Chache-Control and/or ETag headers.

The same should apply to mirrors, if you want to keep them up-to-date.

-- 
Giorgio Maone
https://maone.net


___
Tails-dev mailing list
Tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to 
tails-dev-unsubscr...@boum.org.

[Tails-dev] Fallback download URL outside of DAVE [Was: Dynamically changing ISO URL in DAVE]

[intrigeri]

hi,

[@u: I'd like to decide on a strategy by February 25, so if we decide
to go find a very specific kind of mirrors we have time to do this by
the end of March.]

sajolida wrote (13 Feb 2016 12:49:46 GMT) :
> The only other issue I see that relates to my work on the assistant, is
> the fallback solution outside of DAVE so maybe that's off-topic here.

Just a tiny bit :) Retitled this sub-thread accordingly.

> From the blueprint I wonder whether it's really worth writing a version
> of the JavaScript that works outside of DAVE.

Thanks for raising this topic! I was wondering too.

> You're considering several
> cases outside of DAVE and BitTorrent:

>  A. Release candidates. We're discussing in another thread the
> possibility of only relying on archive.torproject.org
> for these. I think we need HTTPS there so your JavaScript
> outside of DAVE might not be enough to replace this here.

Sounds like a pretty simple matter of programming to me. Our new
mirror pool design allows us to point to TLS-enabled (HTTPS) mirrors.
I guess it would be easy to give the JS function a boolean argument
that specifies whether non-TLS mirrors shall be used, and on calls for
testing we can use that to pick a mirror among the ones the
TLS-enabled ones only.

Also note that my secret plan is to leverage this new mirror pool
design to transition to TLS-enabled downloads only. With Let's Encrypt
around, plus us allowing mirrors to use whatever virtualhost name they
want, it looks like this could finally happen :)

>  B. People with no JavaScript, wget, etc. It seems like we need the
> minimal DNS pool if we want to support these anyway.

Sure, we will need this pool anyway.

But the less we rely on that DNS pool, the better: the less load we
put on it (i.e. the less users we send to it), the more reliable it
is, and the less daily maintenance effort is required. This is
especially true until we have recruited very fast and reliable mirrors
to put into this pool.

Now, indeed it may be more worth our time to go after such new
mirrors, than writing code to workaround the lack thereof :)

>  C. Direct download link, as proposed on #11024. These people
> should anyway be able to do OpenPGP verification on their own so it
> won't be advertised very prominently and maybe the minimal DNS pool
> you are proposing for (B) could be reused here. Also, having a
> constant URL might be nice for these people to bookmark it for
> example.

Right, and same answer as for B.

Let's add to this:

D. Users of web browsers that DAVE does not support

... which is similar to B and C the way I see it.

So, all in all: I'm now tempted to invest time into looking for a few
very reliable and fast mirrors, and put aside the "dynamic mirror URL
picked with JS outside of DAVE" idea for now. We can always come back
to it, if the mirrors recruitment is not successful enough: we already
have code that basically does the job, so it shouldn't be a big deal
to switch back to this option at the last minute, if required.

Thoughts, opinions?

Cheers,
-- 
intrigeri
___
Tails-dev mailing list
Tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to 
tails-dev-unsubscr...@boum.org.