Security fixes
Install Linux 4.14.0-3 from sid (Closes: #14976). This enables
the kernel-side mitigations for Meltdown.
Upgrade curl to 7.52.1-5+deb9u3.
Upgrade enigmail to 2:1.9.9-1~deb9u1.
Upgrade gimp to 2.8.18-1+deb9u1.
Upgrade imagemagick to 8:6.9.7.4+dfsg-11+deb9u4.
Upgrade libav (ffmpeg) to 7:3.2.9-1~deb9u1.
Upgrade libxcursor to 1:1.1.14-1+deb9u1.
Upgrade libxml-libxml-perl to 2.0128+dfsg-1+deb9u1.
Upgrade poppler to 0.48.0-2+deb9u1.
Upgrade rsync to 3.1.2-1 3.1.2-1+deb9u1.
Upgrade samba to 2:4.5.12+dfsg-2+deb9u1.
Upgrade sensible-utils to 0.0.9+deb9u1.
Upgrade tor to 0.3.1.9-1~d90.stretch+1.
Minor improvements
Display TopIcons systray on the left of the system menu. This
fixes #14796 (on Buster, it is displayed in the middle of the
screen, on the left of the clock) and an annoying UX problem we
have on Stretch: OpenPGP applet is in the middle of icons that
share the exact same (modern, GNOME Shell-like) behaviour, which
is disturbing when opening one of the modern menus and moving
the mouse left/right to the others, because in the middle one
icon won't react as expected, and the nice blue bottom border
continuity is broken.
Use the "intel" X.Org driver for integrated graphics in Intel
i5-7300HQ (Closes: #14990).
Enable HashKnownHosts in the OpenSSH client (Closes: #14995).
Debian enables HashKnownHosts by default via /etc/ssh/ssh_config
for good reasons, let's not revert to the upstream default.
Pin the AppArmor feature set to the Stretch's kernel one. Linux
4.14 brings new AppArmor mediation features and the policy
shipped in Stretch may not be ready for it. So let's disable
these new features to avoid breaking stuff: it's too hard to
check if all the policy for apps we ship (and that users install
themselves) has the right rules to cope with these new mediation
features.
Bugfixes
Don't delete downloaded debs after install (Closes: #10958).
Install xul-ext-ublock-origin from sid to make the dashboard
work again(Closes: #14993). Thanks to cacahuatl
cacahuatl@autistici.org for the patch!
Additional software feature: use debconf priority critical to
prevent failure when installing packages otherwise requiring
manual configuration (Closes: #6038)
Don't include anything under /lib/live/mount/medium/ in the
readahead list (Closes: #14964). This fixes the boot time
regression introduced in Zero Trace Pen 3.3.
Build system
Display a more helpful error message when the 'origin' remote
does not point to the official Zero Trace Pen Git repository. This task
calls git_base_branch_head() which relies on the fact 'origin'
points to our official repo.
Vagrant: never build the wiki early. This has caused several
issues throughout the years, the lastest instance being the
reopening of #14933. (Closes: #14933)
Install libelf-dev during the time we need it for building DKMS modules.
Make the DKMS build hook verbose, and display DKMS modules build
logs on failure. This hook is a recurring cause of headaches,
let's simplify debugging.
Remove obsolete duplicate build of the virtualbox-guest DKMS
module.
Test suite
Log the list of systemd jobs when systemctl is-system-running
fails (Closes: #14772). Listing the units is not enough: in most
cases I've seen, is-system-running returns "starting" which
means the job queue is not empty, and to debug that we need the
list of jobs.
Only support SikuliX; drop support for Sikuli.
Disable SPICE clipboard sharing in the guest. It could only mess
things up, and in fact has confused me by suddenly setting my
host's clipboard to "ATTACK AT DAWN"... 😀
Decode Base64.decode64 return value appropriately; it returns
strings encoded in ASCII-8bit.
Don't flood the debug logger with the journal contents.
Handle case where $vm is undefined during an extremely early
scenario failure.
Allow more time for 'systemctl is-system-running' to
succeed. (Refs: #14772)
Make Sikuli attempt to find replacements on FindFailed by
employing fuzz, or "lowering the similarity factor". The
replacements (if found) are saved among the artifacts, and
serves as potential drop-in-replacements for outdated
images. The main use case for this is when the font
configuration in Zero Trace Pen changes, which normally invalidates a
large part of our images given that our default high similarity
factor. We also add the --fuzzy-image-matching where the
replacements are used in case of FindFailed, so the tests can
proceed beyond the first FindFailed. The idea is that a full
test suite run will produce replacements for potentially all
outdated images.
Fix our findAny() vs findfailed_hook. For findAny() it might be
expected that some images won't be found, so we shouldn't use
our findfailed_hook, which is about dealing with the situation
where images need to be updated.
Make sure Pidgin's D-Bus policy changes are applied (Closes:
Nump the Unsafe Browser's start page image (Closes: #15006).
Hot-plug a 'pcnet' network device instead of 'virtio' on Sid,
since the latter is not detected on Sid (Closes: #14819).