zerotracepen (3.4)

  • Security fixes

    • Install Linux 4.14.0-3 from sid (Closes: #14976). This enables
      the kernel-side mitigations for Meltdown.

    • Upgrade curl to 7.52.1-5+deb9u3.

    • Upgrade enigmail to 2:1.9.9-1~deb9u1.

    • Upgrade gimp to 2.8.18-1+deb9u1.

    • Upgrade imagemagick to 8:6.9.7.4+dfsg-11+deb9u4.

    • Upgrade libav (ffmpeg) to 7:3.2.9-1~deb9u1.

    • Upgrade libxcursor to 1:1.1.14-1+deb9u1.

    • Upgrade libxml-libxml-perl to 2.0128+dfsg-1+deb9u1.

    • Upgrade poppler to 0.48.0-2+deb9u1.

    • Upgrade rsync to 3.1.2-1 3.1.2-1+deb9u1.

    • Upgrade samba to 2:4.5.12+dfsg-2+deb9u1.

    • Upgrade sensible-utils to 0.0.9+deb9u1.

    • Upgrade tor to 0.3.1.9-1~d90.stretch+1.

    • Minor improvements

    • Display TopIcons systray on the left of the system menu. This
      fixes #14796 (on Buster, it is displayed in the middle of the
      screen, on the left of the clock) and an annoying UX problem we
      have on Stretch: OpenPGP applet is in the middle of icons that
      share the exact same (modern, GNOME Shell-like) behaviour, which
      is disturbing when opening one of the modern menus and moving
      the mouse left/right to the others, because in the middle one
      icon won't react as expected, and the nice blue bottom border
      continuity is broken.

    • Use the "intel" X.Org driver for integrated graphics in Intel
      i5-7300HQ (Closes: #14990).

    • Enable HashKnownHosts in the OpenSSH client (Closes: #14995).
      Debian enables HashKnownHosts by default via /etc/ssh/ssh_config
      for good reasons, let's not revert to the upstream default.

    • Pin the AppArmor feature set to the Stretch's kernel one. Linux
      4.14 brings new AppArmor mediation features and the policy
      shipped in Stretch may not be ready for it. So let's disable
      these new features to avoid breaking stuff: it's too hard to
      check if all the policy for apps we ship (and that users install
      themselves) has the right rules to cope with these new mediation
      features.

    • Bugfixes

    • Don't delete downloaded debs after install (Closes: #10958).

    • Install xul-ext-ublock-origin from sid to make the dashboard
      work again(Closes: #14993). Thanks to cacahuatl
      cacahuatl@autistici.org for the patch!

    • Additional software feature: use debconf priority critical to
      prevent failure when installing packages otherwise requiring
      manual configuration (Closes: #6038)

    • Don't include anything under /lib/live/mount/medium/ in the
      readahead list (Closes: #14964). This fixes the boot time
      regression introduced in Zero Trace Pen 3.3.

    • Build system

    • Display a more helpful error message when the 'origin' remote
      does not point to the official Zero Trace Pen Git repository. This task
      calls git_base_branch_head() which relies on the fact 'origin'
      points to our official repo.

    • Vagrant: never build the wiki early. This has caused several
      issues throughout the years, the lastest instance being the
      reopening of #14933. (Closes: #14933)

    • Install libelf-dev during the time we need it for building DKMS modules.

    • Make the DKMS build hook verbose, and display DKMS modules build
      logs on failure. This hook is a recurring cause of headaches,
      let's simplify debugging.

    • Remove obsolete duplicate build of the virtualbox-guest DKMS
      module.

    • Test suite

    • Log the list of systemd jobs when systemctl is-system-running
      fails (Closes: #14772). Listing the units is not enough: in most
      cases I've seen, is-system-running returns "starting" which
      means the job queue is not empty, and to debug that we need the
      list of jobs.

    • Only support SikuliX; drop support for Sikuli.

    • Disable SPICE clipboard sharing in the guest. It could only mess
      things up, and in fact has confused me by suddenly setting my
      host's clipboard to "ATTACK AT DAWN"... 😀

    • Decode Base64.decode64 return value appropriately; it returns
      strings encoded in ASCII-8bit.

    • Don't flood the debug logger with the journal contents.

    • Handle case where $vm is undefined during an extremely early
      scenario failure.

    • Allow more time for 'systemctl is-system-running' to
      succeed. (Refs: #14772)

    • Make Sikuli attempt to find replacements on FindFailed by
      employing fuzz, or "lowering the similarity factor". The
      replacements (if found) are saved among the artifacts, and
      serves as potential drop-in-replacements for outdated
      images. The main use case for this is when the font
      configuration in Zero Trace Pen changes, which normally invalidates a
      large part of our images given that our default high similarity
      factor. We also add the --fuzzy-image-matching where the
      replacements are used in case of FindFailed, so the tests can
      proceed beyond the first FindFailed. The idea is that a full
      test suite run will produce replacements for potentially all
      outdated images.

    • Fix our findAny() vs findfailed_hook. For findAny() it might be
      expected that some images won't be found, so we shouldn't use
      our findfailed_hook, which is about dealing with the situation
      where images need to be updated.

    • Make sure Pidgin's D-Bus policy changes are applied (Closes:

      15007). Without the HUP there's a race that we sometimes lose.

    • Nump the Unsafe Browser's start page image (Closes: #15006).

    • Hot-plug a 'pcnet' network device instead of 'virtio' on Sid,
      since the latter is not detected on Sid (Closes: #14819).