Debian Bug report logs - #814432
tails-installer should download and authenticate live ISO images

version graph

Package: tails-installer; Maintainer for tails-installer is (unknown);

Reported by: Antoine Beaupré <anarcat@debian.org>

Date: Thu, 11 Feb 2016 14:42:07 UTC

Severity: wishlist

Tags: upstream, wontfix

Found in version tails-installer/4.4.6+dfsg-1~bpo8+1

Fixed in version 5.0.14+dfsg-1+rm

Done: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://labs.riseup.net/code/issues/9798

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>:
Bug#814432; Package tails-installer. (Thu, 11 Feb 2016 14:42:11 GMT) (full text, mbox, link).

Acknowledgement sent to Antoine Beaupré <anarcat@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>. (Thu, 11 Feb 2016 14:42:11 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Antoine Beaupré <anarcat@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tails-installer should download and authenticate live ISO images
Date: Thu, 11 Feb 2016 09:39:39 -0500
Package: tails-installer
Version: 4.4.6+dfsg-1~bpo8+1
Severity: wishlist

I just tried tails-installer from backports today.

I got presented with this dialog:

http://paste.anarc.at/snap-2016.02.11-09.21.24.png

Here, if I click on the "(Aucun)" ("(None)") button below "Use
existing Live system ISO:", I get presented with a file browser.

It is not clear to me what I am expected to do at this point.

I will take a wild guess, and assume I am supposed to go on
https://tails.boum.org/ and download an ISO. But I actually get served
with another Wizard where I need to click through and eventually am
asked to switch web browsers and install a firefox addon or download
some torrent thing.

That all sounds very strange to my insecure little mind.

I am exaggerating, of course, but I was expecting something more like
the tor browser launcher, which actually downloads the software for me
and does the busy things of verifying crypto signatures and
everything. That way there is a trust path between me and the
developpers that does not depend on the CA cartel (as I understand the
current approach seem to depend on).

Maybe such a trust path already exists and the installer does some
more verification later on - I haven't checked in the code (or more
precisely, couldn't find that it does actually check the .sig) and it
doesn't provide any visual feedback that it does check the signature.

But it sure would help in usability if the launcher could download
some stuff on its own. There's a python-libtorrent library in Debian
which could be used to download through bittorrent, even:

http://libtorrent.org/

It is the library behind the Deluge client:

http://deluge-torrent.org/

Some sample code is available from Stack Overflow (CC-BY-SA 3.0):

http://stackoverflow.com/questions/5400828/how-to-write-a-simple-bittorrent-application

This should be fairly simple to implement...

Still: it is a huge improvement to have this software available to
install tails! Previously, setting up Tails was a surprisingly
difficult undertaking and this is a huge leap forward in
usability. Congratulations to everyone involved and thanks!

-- System Information:
Debian Release: 8.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable'), (500, 'oldstable'), (1, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.2.0-0.bpo.1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages tails-installer depends on:
ii  gdisk              0.8.10-2
ii  genisoimage        9:1.1.11-3
ii  gir1.2-glib-2.0    1.42.0-2.2
ii  gir1.2-gtk-3.0     3.14.5-1+deb8u1
ii  gir1.2-udisks-2.0  2.1.3-5
ii  mtools             4.0.18-2
ii  p7zip-full         9.20.1~dfsg.1-4.1+deb8u1
ii  policykit-1        0.105-8
ii  python             2.7.9-1
ii  python-configobj   5.0.6-1
ii  python-gi          3.14.0-1
ii  python-urlgrabber  3.9.1-4.1
ii  syslinux           3:6.03+dfsg-5+deb8u1

tails-installer recommends no packages.

tails-installer suggests no packages.

-- no debconf information

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>:
Bug#814432; Package tails-installer. (Thu, 10 Mar 2016 10:33:03 GMT) (full text, mbox, link).

Acknowledgement sent to intrigeri <intrigeri@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>. (Thu, 10 Mar 2016 10:33:03 GMT) (full text, mbox, link).

Message #10 received at 814432@bugs.debian.org (full text, mbox, reply):

From: intrigeri <intrigeri@debian.org>
To: Antoine Beaupré <anarcat@debian.org>
Cc: 814432@bugs.debian.org
Subject: Re: [Pkg-privacy-maintainers] Bug#814432: tails-installer should download and authenticate live ISO images
Date: Thu, 10 Mar 2016 11:31:36 +0100
Control: forwarded -1 https://labs.riseup.net/code/issues/9798

Hi,

Antoine Beaupré wrote (11 Feb 2016 14:39:39 GMT) :
> I am exaggerating, of course, but I was expecting something more like
> the tor browser launcher, which actually downloads the software for me
> and does the busy things of verifying crypto signatures and
> everything.

OK, so we have two problems here:

1. You were expecting something else than what the software actually
   does; the package description reads "Tails Installer is a graphical
   tool to install or upgrade Tails on a USB stick from an ISO image";
   I'm not quite sure how we can improve it to make it clearer that
   one needs to have "an ISO image" to start with. Any suggestion?

2. Tails Installer currently can't download and verify the ISO image
   itself. This is an upstream feature request, that is being tracked
   at https://labs.riseup.net/code/issues/9798.

> That way there is a trust path between me and the
> developpers that does not depend on the CA cartel (as I understand the
> current approach seem to depend on).

Almost: the current approach depends on one specific CA.

Cheers,
-- 
intrigeri

Set Bug forwarded-to-address to 'https://labs.riseup.net/code/issues/9798'. Request was from intrigeri <intrigeri@debian.org> to 814432-submit@bugs.debian.org. (Thu, 10 Mar 2016 10:33:04 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>:
Bug#814432; Package tails-installer. (Fri, 16 Feb 2018 09:09:03 GMT) (full text, mbox, link).

Acknowledgement sent to vadyba@klientai.eu:
Extra info received and forwarded to list. Copy sent to Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>. (Fri, 16 Feb 2018 09:09:03 GMT) (full text, mbox, link).

Added tag(s) upstream and wontfix. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 19 Apr 2018 17:09:12 GMT) (full text, mbox, link).

Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>:
You have taken responsibility. (Sat, 26 Oct 2019 07:06:06 GMT) (full text, mbox, link).

Notification sent to Antoine Beaupré <anarcat@debian.org>:
Bug acknowledged by developer. (Sat, 26 Oct 2019 07:06:07 GMT) (full text, mbox, link).

Message #24 received at 814432-done@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 814190-done@bugs.debian.org,814432-done@bugs.debian.org,924660-done@bugs.debian.org,938623-done@bugs.debian.org,939112-done@bugs.debian.org,
Cc: tails-installer@packages.debian.org
Subject: Bug#942790: Removed package(s) from unstable
Date: Sat, 26 Oct 2019 07:04:12 +0000
Version: 5.0.14+dfsg-1+rm

Dear submitter,

as the package tails-installer has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/942790

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 23 Nov 2019 07:27:32 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Nov 21 23:59:04 2024; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.