Re: [Tails-dev] Last steps toward enabling incremental upgrades by default [Was: Please test incremental upgrades (from 0.22~rc1 to 0.22~rc2)]

2013-12-17 Thread bertagaz
On Tue, Dec 17, 2013 at 06:13:41PM +0100, intrigeri wrote:
> Hi,
>
> I've just released Tails-IUK 0.13, that fixes all coding tasks left
> for phase three. I'm giving it a manual testing session as we speak.
> Please use this version (or later) for any further testing,
> documentation work and comments.
>
> If you want to test the incremental upgrader itself, install Tails
> 0.22~rc2, set an admin password, retrieve the latest tails-iuk package
> from our APT repo (http://deb.tails.boum.org/pool/main/t/tails-iuk/,
> or preferably by adding our feature-incremental-upgrades-integration
> suite to your APT sources), install it and run:
>
>   $ tails-upgrade-frontend-wrapper
>
> Given sajolida agreed and nobody objected, I'm now targeting to ship
> Tails 0.22.1 with incremental upgrades enabled by default (that's the
> stuff in feature/incremental-upgrades-integration), and I've flagged
> the remaining phase three tickets accordingly:
>
>   https://labs.riseup.net/code/issues/6014
>
> Yay.

Congrats, I'm excited to see this coming in the wild!

> Next steps:
>
>  * bertagaz reviews feature/incremental-upgrades-integration (but does
>    not merge it yet) and hopefully ACK's it; ETA?

I'll try to do that tomorrow if I have remaining time after the other
review'n'merge I have planned to do, but that sounds unlikely, so if not I
should be able to do that before the end of the week. I've wanted to test
this incremental upgrade feature for a while anyway.

> while, in parallel:
>
>  1. sajolida writes doc (based on the
>     feature/incremental-upgrades-integration branch!) and proposes
>     various phrasing changes to the UI
>  2. I update the code accordingly.
>
> And then, we merge feature/incremental-upgrades-integration, I'll tag
> a 0.22.1~beta1 or something, and I'll prepare a test IUK so that
> anyone can try the latest stuff in realistic settings.
>
> And hopefully the Transifex situation improves soon enough...
>
> Sounds good, did I miss anything?

You have a far better idea of the situation than me, so I'd say you're
probably right. :)

bert.
___
tails-dev mailing list
tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev


Re: [Tails-dev] Last steps toward enabling incremental upgrades by default [Was: Please test incremental upgrades (from 0.22~rc1 to 0.22~rc2)]

2013-12-17 Thread Jacob Appelbaum
intrigeri:

> Sounds good, did I miss anything?

I would suggest including a small shell script and one utility to test
the integrity of a tails release - something as simple as md5deep. Once
we start to change the Tails disk, we really want to ensure that an
attacker can't stick around past a reboot.

I could write such a utility but I'd like some feedback - for example -
should we run this after install and put the current state into the
persistence? Should we keep a list of hashes of all possible updates, so
that we can check a user's data set against a known good list?

The easy bit is basically to write something to check the MBR, the
partitions and then walk the file systems. It won't detect firmware
changes to the disk drive (usb, sata, whatever) but it should be able to
very easily detect any binaries that are changed. Obviously we'd need
two tails disks to really be able to do this kind of basic forensics.

Thoughts?

All the best,
Jacob
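
The check proposed in the message above (hash the MBR, then walk the file system and compare against a known-good list), as an added example that is not part of the thread and not Tails code. It assumes GNU coreutils and findutils, uses SHA-256 via `sha256sum` where the message mentions md5deep, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Tails code). Function names are hypothetical.
# Assumes GNU coreutils/findutils (sha256sum, sort -z, find -print0, xargs -0 -r).

# SHA-256 of the first 512-byte sector (the MBR) of a device or image file.
hash_mbr() {
    dd if="$1" bs=512 count=1 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Print "<hash>  ./relative/path" for every regular file under mount point $1,
# staying on that one file system (-xdev) and sorted for stable output.
build_manifest() (
    cd -- "$1" || exit 2
    find . -xdev -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum
)

# Compare known-good manifest $1 against the tree mounted at $2.
# Prints one CHANGED/ADDED/MISSING line per difference; status 1 if any.
# Limitation: names containing backslash or newline are escaped by sha256sum
# and are not decoded here.
verify_manifest() (
    current=$(mktemp) || exit 2
    build_manifest "$2" > "$current" || { rm -f -- "$current"; exit 2; }
    rc=0
    awk '
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        FILENAME == ARGV[1] { good[path] = hash; next }
        { seen[path] = 1
          if (!(path in good))         { print "ADDED   " path; bad = 1 }
          else if (good[path] != hash) { print "CHANGED " path; bad = 1 } }
        END { for (path in good) if (!(path in seen)) { print "MISSING " path; bad = 1 }
              exit bad + 0 }
    ' "$1" "$current" || rc=$?
    rm -f -- "$current"
    exit "$rc"
)
```

The baseline manifest and the MBR hash have to be stored and checked from a second, trusted system with the disk under test mounted read-only; as the message notes, this does not cover drive firmware.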