Age | Commit message | Author |
|
The leap-archive keyring expired March 8th 2018.
We updated it, and published updated installation
docs at https://bitmask.net/en/install/linux.
For jessie, we don't install the leap-archive-keyring
package anymore but directly deploy the keys to
apt's trusted keystore.
- Fixes: https://0xacab.org/leap/bitmask-dev/issues/9279
|
|
As part of webapp#8815 we want to retrieve multiple types of
keys through nickserver. This requires the new couchdb view
on Identities this commit provides.
The webapp and platform version of couchdb design docs need to
be in sync. Therefore this mr should be merged at the same time
as webapp!61.
|
|
Resolves: #8891
|
|
They might be meaningful response codes for some scenarios. But
so far we are not consciously sending them out. If they occur that
is because we handed them down from couch. So we might want to
fix the underlying issue. Couch 409s should be caught by the webapp
and handled there.
|
|
Fix the order of the leap repository so it matches the correct repository
layout. Fixes #8888.
|
|
|
|
webapp#8806 needs couch design docs that allow invite codes
to be sorted by date. This update needs to be deployed in sync
with the new webapp version.
|
|
subrepo:
  subdir: "puppet/modules/tor"
  merged: "4380e2ea"
upstream:
  origin: "https://leap.se/git/puppet_tor"
  branch: "master"
  commit: "4380e2ea"
git-subrepo:
  version: "0.3.1"
  origin: "https://github.com/ingydotnet/git-subrepo"
  commit: "a7ee886"
|
|
Resolves: #8879
|
|
0255d8a42fc2c37cfaa660a43936ae546b6178ef removed this class, but it still was
being referenced. Since it is not needed, we can just remove the reference.
Fixes: #8878
|
|
|
|
In order to refactor the tor services, we need to split them out into three
different services. This adds the hidden service class that is necessary to
support the previous commits. Fixes #8864.
|
|
Simply disabling exit policies is not enough to disable an exit node, it also
needs to be explicitly disabled. This may change in future versions of tor, but
for now, explicitly adding 'ExitRelay 0' to the configuration is needed. This
fixes #8863.
|
|
The 'tor' service is now three separate services, 'tor_exit', 'tor_relay', or 'hidden_service'.
|
|
The apt sources lines for people using more experimental software were
wrong; we abolished the 'experimental' repository some time ago and
development happens now in the master branch.
solves #8862, #8876
|
|
For newer than jessie the 'old' code was enough. This bug didn't show up
because our testing images had the keys and sources lines already
included within /etc/apt…
solves #8862
|
|
|
|
Soledad is now taking care of the design of said database.
Closes #8428
|
|
Boolean facts must be escaped with str2bool. This commit includes
new tests to catch VPN problems like this in the future.
|
|
hidden service should be activated iff tor is among the active services and
tor.hidden_service.active == true
|
|
Add a .placeholder file so the directory doesn't get removed by
deb-systemd-helper when a package runs a purge in its postrm. This is a
work-around and fixes #8841. It probably won't be needed post-jessie.
|
|
|
|
Needed to satisfy leap-mx dependency (>=17.0)
- Resolves: #8837
|
|
New soledad-common depends on `python-treq`, which
is only available in debian stretch.
We pin all stretch packages to 1 (same as for sid), which
means (from `man apt_preferences`):
"causes a version to be installed only if there is no
installed version of the package"
- Resolves: #8836
|
|
|
|
leap-mx is now independent of leap-keymanager and
we can remove this dependency now.
see https://0xacab.org/leap/leap_mx/issues/8558
|
|
Resolves: #8792
|
|
|
|
Delay a hard state of the APT check for 1 day
so unattended_upgrades has time to upgrade packages.
Resolves: #8748
|
|
It's just too much mail...
And there are other tools like nagstamon that are better suited to get
an overview of what's failing.
Resolves: #8772
|
|
|
|
Eth0 is vagrant's main interface to access the box
|
|
|
|
|
|
Virtualbox adds eth1 as second interface when private networking
is enabled.
- Related: #7769
|
|
Depending on whether couchdb is running on the same node as
nickserver, couchdb is available on localhost:
- When couchdb is running on a different node: Via stunnel, which is
bound to 4000.
- When couchdb is running on the same node: On port 5984
Resolves: #8793
|
|
We should include this in soledad-server package as
dependency but until we sorted out this, we depend
soledad-server on ssl-cert in the platform.
see https://0xacab.org/leap/soledad/issues/8849 for
|
|
The newer version is needed for the single-hop functionality.
|
|
This makes a more clear site_tor::relay class that the leap service
includes, and a more generic site_tor class that other classes can
depend on for setting up the initial install.
|
|
This gets us a simple apt repository privilege separation:
(a) our key can't be used to forge other repos
(b) other keys can't be used to forge our repo.
From sources.list(5):
· Signed-By (signed-by) is either an absolute path to a keyring
file (has to be accessible and readable for the _apt user, so ensure
everyone has read-permissions on the file) or one or more
fingerprints of keys either in the trusted.gpg keyring or in the
keyrings in the trusted.gpg.d/ directory (see apt-key
fingerprint). If the option is set, only the key(s) in this keyring
or only the keys with these fingerprints are used for the
apt-secure(8) verification of this repository. Defaults to the value
of the option with the same name if set in the previously acquired
Release file. Otherwise all keys in the trusted keyrings are
considered valid signers for this repository.
|
|
|
|
This cuts the number of hops for a tor onion service from 6 to 3,
speeding it up considerably. This removes the anonymity aspect of the
service, so it must be enabled intentionally, knowing that the server's
location no longer is hidden.
|
|
|
|
subrepo:
  subdir: "puppet/modules/tor"
  merged: "5ef29012"
upstream:
  origin: "https://leap.se/git/puppet_tor"
  branch: "master"
  commit: "5ef29012"
git-subrepo:
  version: "0.4.0"
  origin: "https://github.com/ingydotnet/git-subrepo"
  commit: "2e78d5d"
|
|
This replaces the secret_token from rails 4.1 on.
Both are used for securing cookies in the browser. The secret_key_base
will also encrypt the cookies while the token will only sign them.
Keeping the token in there for now allows us to migrate existing sessions
/ cookies to the new secrets. We can remove it in the next version once
all providers have run with secret_key_base for a while.
|
|
|
|
|
|
|
|
We used haproxy because we had multiple bigcouch nodes but now
with a single couchdb node this is not needed anymore.
- Resolves: #8144
|
|
|