[Trisquel-devel] 10 days worth of updates

Ruben Rodriguez ruben at trisquel.info
Tue Feb 20 03:47:09 CET 2018

Hi folks!

As I announced earlier, I've taken the last week on vacation from the FSF
to give a push to the T8 release. Combined with the weekends it was 10
days of pretty intense work (10-15h/day). I made some progress cleaning
the MR queue, although some items will take a deeper look. Thanks to
Kevin, mtsio, Pablo Correa, Legimet, and everybody who contributed code!

Closed Merge Requests:

## Dist-upgrade t7 > t8

Although it was already possible to upgrade a T7 machine into T8, the
manual steps can be tricky. The guided/graphical process for the upgrade
is now in place and can be tested by running the following commands on a
fully up to date Trisquel 7 installation:

  update-manager -d
  do-release-upgrade -d

If you want to do a dry run (so the whole upgrade is tested but no
actual changes are made to the disk) add '-s', which stands for 'sandbox'.

I tried it on a VM and it worked correctly. Please give it a go and
report any errors by attaching the contents of "/var/log/dist-upgrade".
I haven't tried upgrading from Trisquel-mini or other desktops.

Related commits:

## Changes to update system

A general privacy and security oriented rule that we have been
progressively implementing on each new release is the idea that the
default installation should not take or make network requests on its
own. This means no pre-installed network services (like ssh or samba),
which would be up to the user to add as their decision and
responsibility. A deeper implication is that no applications in the
system should initiate network connections without asking the user's
permission first.

To accomplish that, the update system (which is implemented by apt,
systemd, update-manager, update-notifier and unattended-upgrades) should
not automatically download package lists or package updates without
asking. I made changes to the apt settings (to disable the automated
check for updates), and to update-notifier adding an interface to inform
the user about this, and give them options. This prompt should happen
automatically the same way that the update prompt would happen before,
but without performing any connections.

This whole system needs testing, comments, and translations. Running
'update-manager' in a new installation of T8 would show the new interface.

Related commits:

## Changes to Abrowser

Following the previous rule of no automated connections, a lot of
work needed to be done on Abrowser. Here is a list of the changes to the
latest Abrowser update for T8 (when this is tested we can push the
changes to T7 as well).

 * Data-collection: Firefox has several data-collection systems that can
be concerning for privacy. We have been disabling some of these, but
this update does a more thorough job at it.
 * Automated updates: The same as for OS-level updates, the browser
should not check for updates on its own, only if the user requests it.
 * Tracking blockers: Out of a concern for the great privacy and
security risk of browsing without any blocker, a few releases ago I
added uBlock to be pre-installed with Abrowser. Seems like Mozilla
thinks the same and they added a tracker-blocking mechanism that now can
be used at all times. I think that this is a more balanced default for
blocking, so I've removed uBlock from the bundle. A problem with either
blocking system is that they need to fetch an updated blacklist file
first, in order to be functional. As a result, the browser would connect
to download those lists automatically on the first run (and once a day
afterwards). The new default is to disable the blocker, but make its
activation easier so users can opt-in if that fits them.
 * Captive portal detection: if you connect to public networks like
those at airports, schools, etc., you may need a captive portal detector
to be able to log in to the network. The downside is that the browser
makes a test connection when you open it, to distinguish if it is
operating under such a network. The new default is to disable the
system.
 * Configuration interface: all the previously mentioned functionality
should be disabled by default but easy to change by the user. To
implement this, I added a new "Privacy settings" section to the
home/new-tab pages, so at any time the user has the opportunity to
change a range of important settings and extensions. These are the
currently listed switches (all unchecked by default):

 Disable javascript
 Disable custom fonts
 Enable Tracking protection
 Enable Automated updates
 Enable Spoof referers
 Enable Captive portal detection
 Enable Geolocation
 Enable WebGL
 Enable LibreJS (if installed)
 Enable uBlock (if installed)

More switches are trivial to add. The current set needs testing and the
strings need translation to at least Spanish. This interface will also
be included in IceCat starting on the next major release.

Related commits:

## Thunderbird > Icedove

We used to distribute the rebranded version of Thunderbird maintained by
Debian, Icedove. They have reverted their position on rebranding Mozilla
products but we still consider the trademark license to be incompatible
with freedom #0. As a result, I used the artwork from Debian's Icedove
and applied it to our own rebranded version keeping the name. The name
can be changed in the future if we choose. I also tuned up some privacy
settings in a similar way to what I described for Abrowser, although I
didn't do as much testing in that regard. Please test Icedove v52 for
usability and privacy (report if it makes connections on its own).

Related commits:

## Wrapping up the release:

The remaining steps to finish the release are:

 * Test the iso set I'm building today, test the upgrade system, fix
major problems if needed (most things can be fixed through updates).
 * Add two packages to the build system that should be pre-installed by
default: GNU Ring and the Electrum wallet.
 * Make and package the artwork.

Please help test all of the above, and don't hesitate to ping me with
anything I may have left behind; it is hard to follow up with everything
(and I don't commonly follow the forums, so don't assume I know about
all issues being discussed!).

Also, remember to join the development meetings ("Freedom Fridays"), at
the #trisquel-dev channel on irc.freenode.org, at 11AM EST (4PM UTC).
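
Added example, not part of the original message or of Trisquel's code: one way a tester could check the "Changes to update system" claim that apt no longer fetches anything unprompted. It assumes the stock APT::Periodic option names and the apt.conf.d rule that fragments are read in filename order with later files winning; the file names and contents below are constructed.

```python
import re

# APT::Periodic keys that make apt's daily job contact the archive
# when set to anything other than "0" (unset counts as disabled).
NETWORK_KEYS = (
    "Update-Package-Lists",
    "Download-Upgradeable-Packages",
    "Unattended-Upgrade",
)
# Matches the flat form only; nested 'APT { Periodic { ... } }' scopes
# are not handled. Lines commented out with // do not match.
SETTING = re.compile(r'^\s*APT::Periodic::([\w-]+)\s+"([^"]*)"\s*;', re.M)


def effective_periodic(conf_files):
    """Merge fragments in lexical filename order (later file wins).

    Returns {key: (value, filename_that_set_it)}.
    """
    merged = {}
    for name in sorted(conf_files):
        for key, value in SETTING.findall(conf_files[name]):
            merged[key] = (value, name)
    return merged


def automated_fetches(conf_files):
    """Return [(key, value, file)] for settings that still fetch unprompted."""
    merged = effective_periodic(conf_files)
    return [(k, *merged[k]) for k in NETWORK_KEYS
            if k in merged and merged[k][0] not in ("", "0")]


# Constructed sample: the first fragment disables the checks, but a
# fragment that sorts later switches the package-list download back on.
SAMPLE = {
    "10periodic": 'APT::Periodic::Update-Package-Lists "0";\n'
                  'APT::Periodic::Download-Upgradeable-Packages "0";\n',
    "20auto-upgrades": '// constructed: written by another package\n'
                       'APT::Periodic::Update-Package-Lists "1";\n'
                       'APT::Periodic::Unattended-Upgrade "0";\n',
}

if __name__ == "__main__":
    for key, value, source in automated_fetches(SAMPLE):
        print(f"{key} = {value!r} (set in {source})")
```

On a real system the input would be the contents of the files under /etc/apt/apt.conf.d/, keyed by file name.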
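
Added example, not part of the original message and not Abrowser's own code: a checker a tester could run over a profile's prefs.js to confirm the connection-making features from the "Changes to Abrowser" list are still off. The mapping from those switches to stock Firefox preference names is an assumption (the message does not say which prefs Abrowser sets), and the sample prefs text is constructed.

```python
import re

# Assumed stock Firefox prefs behind four of the features described
# above, with the value that corresponds to "no automated connection".
EXPECTED = {
    "privacy.trackingprotection.enabled": False,       # Tracking protection
    "app.update.enabled": False,                       # Automated updates
    "network.captive-portal-service.enabled": False,   # Captive portal
    "datareporting.healthreport.uploadEnabled": False, # Data collection
}
# One pref("name", value); or user_pref("name", value); per line.
PREF = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)


def parse_prefs(text):
    """Return {name: value}; a later line for the same pref wins."""
    prefs = {}
    for name, raw in PREF.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs


def audit(text):
    """Return (wrong, unset): prefs that differ from EXPECTED, and prefs
    absent from the file, where the build's compiled-in default applies."""
    prefs = parse_prefs(text)
    wrong = [(n, prefs[n]) for n in EXPECTED
             if n in prefs and prefs[n] != EXPECTED[n]]
    unset = [n for n in EXPECTED if n not in prefs]
    return wrong, unset


# Constructed sample: captive portal detection is disabled first and
# then re-enabled by a later line, as happens after a user toggles it.
SAMPLE_PREFS = '''\
// constructed sample, not taken from a real profile
pref("network.captive-portal-service.enabled", false);
user_pref("privacy.trackingprotection.enabled", false);
user_pref("app.update.enabled", false);
user_pref("network.captive-portal-service.enabled", true);
'''

if __name__ == "__main__":
    print(audit(SAMPLE_PREFS))
```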

