This report covers the activity of Tails in August 2016.

Everything in this report is public.

A. Replace Claws Mail with Icedove

A.1.1. Secure the Icedove autoconfig wizard

In June we reported that some account setup issues have been discovered with the introduction of our patches which should protect the user by forcing the use of secure protocols in Icedove. We've managed to fix the intermittently failing TLS connections and released this in Tails 2.5 (#11550, #10933). The OAuth issue has been identified and a fix has been committed (#11536). We are currently thoroughly testing this patch and as soon as the tests conclude positive, we will resubmit this patch upstream.

A.1.2. Make our improvements maintainable for future versions of Icedove

We've successfully provided an AppArmor profile to Debian's Icedove package. It can now also be used by other Debian users and thus it profits from their testing, bug reports and patches (#11058).

We've started incorporating this AppArmor profile into Tails in the meantime, until our patches get merged and we can start to ship the default Debian Icedove package. However, this still needs some small adjustments as well as testing (#10750).

As for our patches, we've greatly improved them and upstream has now even asked us for news, which is good! As soon as we have tested the aforementioned OAuth issue, we'll resubmit them upstream (#6165).

As for our Torbirdy patches which had already landed upstream, they've now also landed in Debian unstable as well as in jessie-backports.

B. Improve our quality assurance process

B.2 Continuously run our test suite on ISO images built by Jenkins

We want to identify which ones, among the flaky automated tests that are currently disabled on our continuous integration infrastructure, will be fixed simply by porting Tails to Debian 9 (Stretch). So we introduced a way to force running all tests for a given branch, even the ones flagged as "fragile". In a few months we will have enough data to adjust these test flakiness annotations, and hopefully to re-allow a number of these tests to run on our Jenkins infrastructure.

B.3. Extend the coverage of our test suite

B.3.11. Fix newly identified issues to make our test suite more robust and faster

  • We started porting Tails to Debian 9 (Stretch). Adjusting our test suite to make it able to provide feedback about our early Tails 3.0 ISO images is a critical part of this project. To do so, in the past we had to go through a tedious process of updating the dozens of pictures that we ask Sikuli to recognize; but this time, thanks to the work we recently did to support Dogtail in our test suite, we are able to remove many such pictures, and replace them with higher-level means of interacting with graphical user interfaces. So far we could remove 31 such images. This change brings two major benefits: it makes our test suite more robust, and it makes our project more sustainable, by decreasing the cost of porting Tails to future versions of Debian.

  • As part of porting Tails to Debian 9 (Stretch), we fixed one root cause of flakiness in our test suite by integrating the Florence virtual keyboard more reliably into the GNOME desktop (#11479, #8312).

  • Until recently, the parts of our test suite that rely on emulated USB storage devices were fragile on our Jenkins setup. This prevented us from running a number of tests there, e.g. those involving persistence. We kept working on it, as reported last month, both in Tails Installer itself and in our test suite (#11588, #11582). As a result, we were able to re-enable these tests on production branches in August.

  • The branch fixing the Synaptic scenario that was marked as fragile has been merged for Tails 2.6 (#10441). This also fixes two other problems regarding this scenario (#10412 and #10900). In the end, all tests about the installation of Debian packages in Tails are back in our test suite.

B.3.12. Reliably wait for post-Greeter hooks (#5666)

We plan to complete this by the end of October.

B.3.14. Write tests for incremental upgrades (#6309)

We plan to complete this by the end of October.

B.4. Freezable APT repository

This was completed already, but still we have a couple updates about it.

This piece of infrastructure has already proven its great usefulness in practice, for a use case that we had not imagined yet: we've just had a first one-week sprint to kick-start porting Tails to Debian 9 (Stretch). Thanks to our Debian archive snapshots, we were able to select a known-good state of the Debian archive and use it for the entire week, without having to cope with a landscape that would be constantly changing under our feet. This way we could focus on the task at hand.

We solved a design problem in how we handle frozen APT repositories for bugfix releases, that we had identified in July during the Tails 2.5 release process.

C. Scale our infrastructure

C.1. Change in depth the infrastructure of our pool of mirrors:

  • C.1.2. Write & audit the code that makes the redirection decision from our website (#8639, #8640, #11109)

    • mirror-dispatcher.js: we are still waiting for the auditor to do a final security review.

    • Download And Verification Extension (DAVE) for Firefox: no progress was made on this front in August. Improving and testing the code for resuming downloads is among our top priorities in September.

  • C.1.6. Adjust download documentation to point to the mirror pool dispatcher's URL (#8642, #11329, #10295)

    This was completed back in May.

  • C.1.8. Clean up the remainers of the old mirror pool setup (#8643, #11284)

    This is only blocked by the work that is in progress on DAVE (C.1.2).

C.4. Maintain our already existing services

C.4.6. Administer our services upto milestone VI

We kept on answering the requests from the community and taking care of security updates.

  • We've downgraded the Puppet agent installed in a VM that is running Debian Sid so that it remains compatible with out Puppetmaster. #11543

  • We tuned the Icinga2 memory check limits on one of our VMs to avoid false positives.

E. Release management

E.1.12. Tails 2.5

Tails 2.5 was released on August 2.