Closes: #2533.
See https://salsa.debian.org/freedombox-team/freedombox/-/issues/2533 for
rationale.
Tests:
- Build Debian package with changes and incremented version number. Install it
in the development container and run unattended-upgrade -d. libpam-abl package
is removed by unattended-upgrades.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Tests:
- Build a Debian package before and after the patch and notice that binary
packages have no differences when compared with diffoscope. Source packages show
only the change in the patch but no other change.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- The most pleasant font on any system is the default system font.
- It is the most optimized and styled font for the system considering screen
type and screen sizes.
- Used by all the system apps. Websites can become consistent with system apps
by using system fonts. GNOME, KDE, Ubuntu, Android, Chrome OS, iOS, and MacOS,
all have their own system fonts.
- Changed by the user using OS settings if they don't like it.
- Many popular sites have started using system fonts.
- No extra fonts have to be loaded making page loading jerk free and much
faster. On the first FreedomBox UI page load, the largest item is the font.
- We won't have carry the binary woff files in FreedomBox source tree anymore.
Also eliminates a bunch of lintian warnings.
- Lato font was used because it is prescribed by the FreedomBox identity manual.
Lato can still be used in other places such as marketing materials.
Tests:
- System font is used in the UI. When system font is changed in Gnome settings
and browser is restarted, the new font is shown in the UI.
- Check that the overall layout of the app grids is not effected by the font
size change.
- Check that all the tables in the UI are not affected by the font change.
- Backups repository listing shows each backup archive in one line.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Joseph Nuthalapati <njoseph@riseup.net>
Thanks to git blame I found why python3-tomli had been added back then:
6199718a19383d8d070b7bdc9d26ead71a9d26dd
python3-tomli is slowly being sunset in favor of tomllib from the Standard
Library: https://wiki.debian.org/Python/Backports
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
dnsutils package is not available anymore.
Closes: #1094944
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Joseph Nuthalapati <njoseph@riseup.net>
- Latest version of libjs-bootstrap5 depends on
node-popper2. However, version in Debian bookworm still continue to have
incorrect dependency. So, add explicit dependency on node-popper2 until we stop
supporting Bookworm.
Tests:
- In stable and testing VMs, install node-popper2 and notices that the following
work as expected:
- User menu dropdown in desktop and mobile layouts.
- Help menu dropdown in desktop and mobile layouts.
- Notification dropdown.
- App extra actions dropdown.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
- In current stable and testing, verifying SSH remote hosts using RSA is not
working. After selecting the verified RSA fingerprint, paramiko fails to connect
- A change introduced in paramiko 2.9 lead to failures when connecting to hosts
that have a verified RSA host key[1][2][3]. To fix the issue,
disabled_algorithms must be used to drop some of the other algorithms supported
by the server to force paramiko behavior. A better solution to the problem was
introduced in paramiko 3.2. Both these solutions require careful update to the
code. Considering the utility paramiko provides, the regression annoyance,
effort required for this fix, and the security implications (it is an completely
independent SSH implementation), the library does not seem to be worth the
effort in our case.
- Switch to using sshpass command line utility instead of paramiko library. The
only reason to use paramiko seems that 'ssh' command by default does not allow
us to input password easily while paramiko does.
- Another place where paramiko is being used is to check if a host is already
verified in the known_hosts file. This has been trivially replaced with
'ssh-keygen -F'.
- Exit codes provided by sshpass can replace the specific exception raised by
paramiko.
Links:
1) https://www.paramiko.org/changelog.html
2) https://github.com/paramiko/paramiko/issues/2017
3) https://github.com/paramiko/paramiko/issues/1984
Tests:
- Add a remote backup repository with and without encryption.
- Add remote backup repository with all three types of algorithms.
- Add a remote repository again with wrong password. Authentication error is
properly shown.
- Add a remote backup repository and remove it. Host remains verified. Add a
repository again.
- Add a remote backup repository and remove it. Host remains verified. Change
the fingerprint the /var/lib/plinth/.ssh/known_hosts file. Add a repository
again. A proper error is shown that remote host could not be verified.
- Add a remote backup repository and remove it. Host remains verified. Stop SSH
server on the remote host. A generic error is shown that ssh command on remote
host failed.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- These tools are not strictly needed for FreedomBox operation in anyway.
- Slightly Reduce the size of the built images.
- Some of these tools are outdated or not typically used on a modern GNU/Linux
system and make FreedomBox seem less shiny.
- Originally thought of splitting them into a separate metapackage but it does
not seem worth it.
- killall from psmisc is used in the Makefile, it is kept for now.
- FreedomBox already has many dependency and so it is now important to start
paying attention to unnecessary ones.
Tests:
- For each binary executable provided in each of the packages, verify that it
not being used in our code anywhere.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- We don't support Debian Bullseye or older in latest versions of FreedomBox. We
can drop any minimum version specifications that are only relevant on those
release.
Tests:
- Potential issues with tomli/coverage will be caught during autopkgtests.
- For version specifications, it has been verified that for each of the
packages, version available in Bookworm is newer than the minimum version
specification.
- freedombox-setup and plinth packages don't exist on Bookworm or newer. We
don't support upgrade from older version with the latest code.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Closes: Debian bug #1088760.
- OpenSSL.crypto.sign has been deprecated and in the current version of
python3-openssl in Debian testing, it has been dropped. The recommended
alternative is cryptography.hazmat.primitives. So, use this instead.
- The entire OpenSSL.crypto module is planned to be deprecated in the future.
So, stop using it entirely by using cryptography.hazmat.primitives.
- sso app does not use openssl anymore, so drop dependency on it. Other apps
such as Let's Encrypt do depend on it and but they have their own dependency
declared. The freedombox package on the overall retains on 'openssl' package.
- We are not using the python OpenSSL module anywhere else, so drop dependency
on it.
- Use pathlib to simplify some code.
- Ensure proper permissions on private and public keys as they are being written
to.
Tests:
- Freshly setup container and ensure that first run succeeds. Permission on the
public/private key files and the parent directly are correct. Users are able
login to FreedomBox. SSO works when accessing apps such as transmission.
- Without patches, setup freedombox container. Apply patches. Permission for
keys directory is updated but keys are not overwritten. Login to FreedomBox
works. SSO works when accessing apps such as transmission.
- Run code to perform signatures using old code and ensure that newer code
generates bit-identical signatures.
- Running ./run --list-dependencies show 'openssl' and python3-cryptography.
- Running unit tests works.
- Building debian package works.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Joseph Nuthalapati <njoseph@riseup.net>
nscd daemon caches queries made to NSS via glibc. In our case queries to passwd
and group databases are cached. But this leads to many problems.
See: https://salsa.debian.org/freedombox-team/freedombox/-/merge_requests/2520
The bug that this MR fixes, that is, the inaccuracy of the authentication data,
is horrible and only acceptable if the caching provides very important
functionality. Already, having to purge nscd caches after modifying user
accounts is not nice.
I believe that we have encountered this bug before and blamed libpam-abl due to
the time sensitive nature of the problem.
nscd itself recommends that it should be used if NSS lookup are expensive (such
as in case of NIS, NIS+ queries according to /etc/init.d/nscd). In case of
FreedomBox, LDAP queries are unlikely to be made using network. LDAP server is
likely always local. I believe we can safely remove nscd by masking and stopping
nscd.service and unscd.service.
Tests:
- After applying the patches, users app setup is re-run. Service nscd is stopped
and masked. unscd is also masked.
- Running 'id tester' shows expected value 'uid=10001(tester) gid=100(users)
groups=100(users),10002(admin)'.
- Adding, removing, renaming a user immediately reflects in 'id <user>'.
- Adding and removing a user from groups immediately reflects in 'id <user>'.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
- Disable mDNS resolution. While we can migrate our DNS-SD service definition
files to systemd-resolved and switch from using avahi to systemd-resolved, many
programs still solely depend on avahi-daemon. Examples include cups and GNOME.
It is not clear if they will work any mDNS daemon or if they interact with
avahi-daemon in other ways that the mDNS protocol. So, for now, disable mDNS in
systemd-resolved and continue to use avahi-daemon for it. This is also Fedora's
default.
- Re-introduce Fallback DNS servers with the value same as the upstream systemd
project. Debian removes the default fallback DNS servers likely because they
could be considered a privacy violation. However, when systemd-resolved package
is first installed, the post install script recommends a reboot instead of
feeding the currently configured nameservers from /etc/resolve.conf into
systemd-resolved. Immediately, this causes the system not be able to connect to
any external servers. While this may be acceptable solution for interactive
systems and pre-built images, FreedomBox has to a) be available for remote
access b) perform upgrades without user intervention (and without reboot until a
day). To mitigate privacy concerns, an option to disable these fallback servers
will be provided in the UI.
- systemd-resolved's stub resolver runs on 127.0.0.53%lo:53 and 127.0.0.54. This
does not conflict either with shared connections which listen on 10.42.x.1 or
with bind which listens on 127.0.0.1 (and other IP addresses). This MR does not
address the existing conflict between bind and shared network connections.
However, it does not cause any further conflicts.
Tests:
* mDNS
- Avahi diagnostics works. daemon is running. mdns port is exposed in the
firewall.
- systemd-resolved does not listen on mDNS ports.
- Running avahi-browse shows freedombox on local network.
- Running avahi-browse shows the services ssh, sftp-ssh, http and ejabberd.
- Machine can be discovered in Gnome Files.
* NetworkManager shared connections
- After install/upgrade to systemd-resolved, 'shared' connections can be
created.
- With a 'shared' connection configured and active, it is possible to upgrade to
using systemd-resolved.
- Resolving domains from a machine on shared network goes via systemd-resolved
on FreedomBox.
* Bind
- Installing, running tests on bind works.
- Programs connecting from outside network can connect to bind as expected.
- Programs connecting from local machine can connect to bind as expected.
* Upgrading works
- Upgrading to new FreedomBox package works
- systemd-resolved is installed and running. 'resolvectl' shows a proper name
server (or fallback nameserver like 1.1.1.1).
- libnss-resolve is installed and configured in /etc/nsswitch.conf
- /etc/resolv.conf has proper link to /run/systemd/resolve/stub-resolv.conf.
- Programs using /etc/resolv.conf directly work. Install python3-pycares.
python3 -m pycares freedombox.org.
- NetworkManager has passed on proper DNS entries. In logs dns=systemd-resolved,
rc-manager=unmanaged, plugin=systemd-resolved
- DNS resolution works after first setup. Installing packages works.
- 'resolvectl query' resolution works.
- Programs using glibc API resolution such as 'ping' work.
* Fresh image
- Building an image with new freedombox package works without error.
- Booting from fresh images works.
- systemd-resolved is installed and running. 'resolvectl' show proper name
server.
- libnss-resolve is installed and configured in /etc/nsswitch.conf
- /etc/resolv.conf has proper link to /run/systemd/resolve/stub-resolv.conf
- Programs using /etc/resolv.conf directly work. Install python3-pycares.
python3 -m pycares wikipedia.org
- NetworkManager has passed on proper DNS entries. In logs dns=systemd-resolved,
rc-manager=unmanaged, plugin=systemd-resolved
- DNS resolution works after first setup. Installing packages works.
* Installing package on Debian
- Installing new freedombox package in Debian machine works.
- systemd-resolved is installed and running.
- libnss-resolve is installed and configured.
- /etc/resolv.conf has proper link to /run
- NetworkManager has passed on proper DNS entries to systemd-resolved using
'nmcli reload dns-rc'.
- Resolution works with fallback DNS servers when network interfaces are
configured with /etc/network/interfaces
* OpenVPNs works
- As a server, we don't push DNS servers to the client. So, a client continues
to use its old DNS servers. With systemd-resolved running on server, the client
is able to connect to OpenVPN server, route traffic to the internet, and resolve
DNS queries.
* WireGuard works
- As a server, we can't push DNS servers to the client. So, a client continues
to use its old DNS servers. With systemd-resolved running on server, the client
is able to connect to WireGuard server, route traffic to the internet, and
resolve DNS queries.
- As a client, server does not push DNS servers to the client. So, a client
continues to use its old DNS servers. With systemd-resolved running on the
client, the client is able to connect to WireGuard server, route traffic to the
internet, and resolve DNS queries.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Closes: Debian bug #1069240
Closes: Debian bug #877935
- libnss-gw-name resolves 'gateway.localhost' to the ip address currently
configured as default route. This has been abandoned upstream[2], deprecated in
Debian[1]. Using libnss-myhostname (part of systemd) instead is recommended[2].
- libnss-gw-name has been removed from testing and unstable. Installing
freedombox package in these distributions no longer installs the libnss-gw-name
package but freedombox installation succeeds as this is only a recommends.
Latest images don't contain the libnss-gw-name package either.
- We already recommend libnss-myhostname and this package is typically installed
along with freedombox package.
- libnss-myhostname resolves '_gateway' where as libnss-gw-name resolves
'gateway.localhost'. This is technically a breaking change. However, we have
neither used nor documented gateway resolution on FreedomBox machines. So, any
disruption is likely minimal.
Tests:
- On a FreedomBox container, running 'ping _gateway' shows that it resolves to
the same IP address as default route shown in 'ip route'.
Links:
1) https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#deprecated-components
2) https://github.com/nomeata/libnss-gw-name
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Closes: Debian bug #961733.
- The version of Linux kernel supported in FreedomBox is from Debian Bookworm
and that is 6.1, released on Sun, 11 Dec 2022[4][5].
- Around 2014, in Linux kernel version 5.4, a way to extract entropy from CPU
execution jitter every second was implemented. This is similar to
HAVAGE/havaged's approach[1][2]. This ensures that user space applications never
hang indefinitely when entropy is not available.
- Since 2020, /dev/random only blocks until it is initialized and after that
never blocks. It provides cryptographically secure psuedo-random numbers after
initialization (which is believed to be as good as blocking pool even for
security sensitive applications). This the same behavior as getrandom() call[6].
This means that even on embedded systems, haveged is not necessary once the
initialization of the random pool has been completed.
- Since Feb/Mar 2022, /dev/urandom no longer provides insecure random
numbers[3]. Earlier, if it was used before full initialization, it provided
insecure random numbers. Now it blocks the caller until initialization and then
provides cryptographically secure pseudo-random numbers. The initialization
itself won't take too much time due to the "Jitter Dance" technique of
extracting entropy from CPU execution jitter. The only way to request for
insecure random number (without even blocking for 1 second) is to use
getrandom(GRND_INSECURE) which systemd uses to initialize hash tables. This
change was reverted because Jitter Dance did not work on several architectures
including arm[3]. Later it was added back as an opportunistic approach, where
secure random numbers would be provided by urandom if Jitter Dance worked.
- Git repository for haveged mentions that it is less relevant now[7]. It also
lists circumstances where haveged might still help (old kernels, user-space RNG,
additional source of entry and early boot). Of these, only early boot scenario is
of interest for us.
- In summary, the understanding of relevance of haveged is as follows:
Request Random Number
---------------------
Is this during initialization of the random pool?
No:
- Linux never blocks after initialization. It uses CSPRNG now instead of
blocking for entropy.
Yes:
Is this for secure purposes?
No:
- It does not block and provides insecure (or secure in most practical
cases) numbers with getrandom(GRND_INSECURE), used by systemd hash tables,
etc.
Yes:
Does the architecture provide hardware random numbers?
Yes:
- Use RDSEED (Intel/AMD) CPU instruction or HWRNG (SOCs) to initialize the
random pool.
- If on virtual machine, use virtio-rng, ACPI VM ID, etc. to initialize the
random pool.
No:
Is this on architectures with time stamp counter?
Yes:
- The system will block for 1-2 seconds and provide secure random numbers
using "Jitter Dance" (similar to haveged).
- ARMv7 (Allwinner A20, etc.) the lowest ARM architecture we support,
seems to have time stamp counters but we not sure kernel uses it and
implements "Jitter Dance".
No:
- On urandom, The system will not block and provide insecure random
numbers. This is as per the original definition of /dev/urandom.
- The system will block until entropy is available through interrupts,
etc.
- haveged will likely not help here because it also requires time stamp
counter provided by CPU.
Links:
1) https://lwn.net/Articles/802360/
2) https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=50ee7529ec45
3) https://www.zx2c4.com/projects/linux-rng-5.17-5.18/
4) https://lkml.org/lkml/2022/12/11/206
5) https://packages.debian.org/search?searchon=names&keywords=linux-image-6.1.0
6) https://lwn.net/Articles/808575/
7) https://github.com/jirka-h/haveged
Reviewed-by: Joseph Nuthalapati <njoseph@riseup.net>
- The library performs a large number of tests to determine if various features
are available in the browser. In Debian most tests seem to be present unlike
other methods of distribution where users select which tests they want and build
a customized library for their app. This leads to increased page load time.
- The only functionality we use from Modernizr library are the .js and .no-js
classes we use in our CSS styling. Modernizr is not needed by Bootstrap library.
We don't use 'Modernizr.' properties in Javascript.
- A bug in the test to determine if an <input> element with type="number" allows
localization or not causes the page to scroll down to the end. This behavior
appeared in version 3.x of modernizr and despite the bug report and the fix, it
is not gone. Dropping modernizr fixes this issue.
Tests:
- The logout link in the header bar is visible only when Javascript is disabled.
- The dropdown icons next to header menus only appear when Javascript is
enabled.
- For each feature detection provided by Modernizr library, search if our
project is using that in CSS styling.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
[sunil's changes]
- Add copyright information the logo.
- Deluge: undo an unintended change.
- Drop wrapper calls over privileged methods. The new privileged method
decorators make is easy to avoid these.
- Styling updates: docstrings, single quotes for strings, casing for UI strings.
- Drop "DO NOT EDIT" comment for files located in /usr as they are not expected
to be editable by the user.
- Fix 'miniflux' to 'Miniflux' in web client name.
- Overwrite FreedomBox settings onto the existing configuration file when setup
is re-run. This is to ensure that FreedomBox settings take priority.
- Use return value of the miniflux command to raise errors.
- Use pathlib module where possible.
- Move message parsing into the privileged module from views module.
- Resize SVG and PNG logo files for consistency with icon styling.
- Use hypens instead of underscores in URLs and Django URL names.
- Rename miniflux_configure.html to miniflux.html.
- Use base method for minor simplification in backup functional test. Ensure
that the test can be run independently when other tests are not run.
- Update tests to reflect code changes.
- Avoid concatenating internationalized strings so that they can be translated
properly.
Signed-off-by: Joseph Nuthalapati <njoseph@riseup.net>
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- This allows those tests to be invoked on console and not just in CI pipelines.
Tests:
- Running make check works.
- CI pipeline succeeds.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
[jvalleroy: Remove phony test target]
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- setuptools aims to a build library instead of being invoked by setup.py.
Launching setup tools using ./setup.py is deprecated. Launching it using
generic build tools that use pyproject.toml is recommended.
- With the new approach customizing the build is not possible to the earlier
extent. So, introduce is a simple and sufficient build system using 'make'.
Tests:
- Check the pyproject.toml using validate-pyproject tool.
- Run diffoscope on old and new packages and verify that no unexpected changes
were introduced by the build system change.
- None of the files part of .deb package have different file permissions
compared to before.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Add explicit dependency on django-ipware >=3. django-axes >= 6 adds
only and optional dependency on django-ipware. Adding explicit dependency make
the behavior safer.
- Depend on django-axes >= 5 where the authentication backend and other features
are available. The new code won't work with older versions. The new approach
uses and authentication backend to deny access to the login form on lockout and
a middleware to redirect user to locked out form when limit of attempts have
been reached.
- Drop old code used for compatibility with django-axes 3.x.
- Suppress verbose and debug messages as django-axes is too chatty.
- Re-implment the CAPTCHA form entirely. In the old style, we have a login form
with CAPTCHA field. That would not work with the new django-axes authentication
middle. On submission of the form, auth.authenticate() will be called. This
call invokes various authentication backends include django-axes authentication
backend. This backend's behavior is to reject all authentication attempts when
the IP is listed in locked table. The new approach is to provide a simple
CAPTCHA form with just the CAPTCHA field. If the form is successfully
validated (correct CAPTCHA is provided), then the lock on the IP address is
reset. The user is then free to perform 3 more attempts to login.
- Update firstboot form to send the request parameter when using
auth.authenticate() method. This needed by Django axes' authentication method
which will be triggered.
Tests:
- Run tests on Debian Bookworm and Debian testing.
- Axes verbose messages and debug messages are not printed on the console when
running FreedomBox in debug mode.
- Only three invalid attempts are allowed at the login page. After the final
incorrect attempt, user is redirected to CAPTCHA page. Visiting the login page
using the URL works but entering the correct credentials still takes the user to
CAPTCHA page.
- CAPTCHA form appears as expected. Clicking the CAPTCHA images downloads the
audio file corresponding to the image. Incorrect CAPTCHA shows an error. Correct
CAPTCHA takes the user to login form where they are able to login with correct
credentials. Entering incorrect credentials 3 times will take the user again to
CAPTCHA page.
- Creating user account during firstboot works.
- Blocked IP address the IP of the client such as 10.42.0.1 and not the local IP
address 127.0.0.1 according the django-axes log messages. While one client IP
address is blocked, another IP is able to login to the same user account that
was attempted by the blocked client.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Some VPS providers preconfigure ufw which can break the
FreedomBox installation process on plain Debian. To
prevent this, make the freedombox package remove ufw.
Tests I made:
1. Enabled ufw on a Debian system
2. Built a custom package with the modification in the
control file
3. Installed the custom packge.
Result: ufw gets removed before the execution of
`update-initramfs: Generating /boot/initrd.img-5.10.0-17-amd64`
Signed-off-by: nbenedek <contact@nbenedek.me>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Closes: #2169.
python3-coverage >= 6.0 requires python3-tomli to be installed when using
pyproject.toml. There is no hard dependency on tomli for the coverage package
perhaps due to its optional nature.
However, python3-toml is not available in Bullseye. So, require a version of
python3-coverage that does not require python3-tomli.
Tests:
- Run git-pbuilder for stable and unstable. Builds were successful.
- Run autopkgtest for stable and unstable. Dependencies were satisfied but there
was an unrelated error during test collection.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
python3-all:any means that python3 interpreter of any architecture could be used
to build the package. python3-all means that same architecture as the build
process would be needed. This is a stricter restriction and is unnecessary for
the case of freedombox package.
See discussion in: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995498
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Closes: #2100.
- wireless-tools package is being orphaned. https://bugs.debian.org/963896 .
- We use Network Manager to manage network and don't use iw* tools from
wireless-tools package. Network Manager itself does not need wireless-tools
package to configure and manage Wi-Fi connections. This is seen on typical
desktops.
- FreedomBox service uses NM D-Bus API to scan for available networks.
- Code does not refer to the tools iwconfig, iwevent, iwgetid, iwlist, iwpriv or
iwspy. These are the binaries provided by the wireless-tools package.
Tests:
- After removal of the wireless-tools package, wireless scan functionality does
not result in an error.
- Not tested: Attaching actual Wi-Fi hardware and seeing the list of available
Wi-Fi networks.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Closes: #1818. The new navbar collapse handles items better without a scrollbar.
- Switch dependency to newer bootstrap4 library.
- Bootstrap 4 has 5 grid levels instead of 4. Adjust all classes accordingly to
retain current semantics.
- Update for newer markup for dropdowns.
- Replace use for labels with badges. Labels have been removed. Use
badge-secondary instead of label-default.
- Replace use of btn-xs with btn-sm. Size is roughly the same.
- Accommodate removal of form-horizontal.
- .hidden* and .visible* classes have been removed. Use alternate utilities.
- Replace use of table-condensed with table-sm.
- Update progress bar background styling. .progress-bar-* have been replaced
with bg-*.
- Drop support for IE9 and below. Bootstrap 4 does not support those browsers.
- Use the new simplified markup for navs, navbar and navbar-toggler. Accommodate
removal of .navbar-fixed-top.
- Update the JSXC page too.
- Update all values that are using rem units. The base font size is now 1rem =
16px instead of 1rem = 10px. This the default for bootstrap 4.
- A button inside a dropdown menu is natively supported by bootstrap 4. Remove
custom styling done earlier.
- Drop use of removed class thumbnail.
- Override colors for buttons and warnings to keep the old style.
- Use new markup for close buttons inside alerts.
- Use .collapse.show instead of .collapse.in as per bootstrap 4 styling.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
- Required only by tests when run as superuser. However, it's addition makes it
very uniform to ensure that all dependencies are pre-installed in a container
when running tests.
- We may find ways to run root user tests in future.
- The package seems very stable.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
This change prevents the plinth user to set the ssh-keys without
knowing the user password.
- Debian: added new dependency python3-pampy to authenticate users.
- Added additional required parameter --auth-user to the
'actions/ssh set-keys' command. A password should be
provided through STDIN.
Tests performed:
- running 'actions/ssh set-keys' with empty or wrong admin credentials
fails.
- running 'actions/ssh set-keys' with correct admin credentials
succeeds.
- running 'actions/ssh set-keys' with correct non-admin credentials
succeeds if the --username is the same user.
- running 'actions/ssh set-keys' with correct non-admin credentials
fails if the --username is a different user.
Signed-off-by: Veiko Aasa <veiko17@disroot.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
GPT scheme has two mostly identical partition table headers. One at the
beginning of the disk and one at the end. When an image is written to larger
disk, the second header is not at the end of the disk. Fix that by moving second
partition to end of the disk before attempting partition
Tests:
- Unit tests run as root work.
- On A64-OLinuXino board, boot with eMMC and UEFI image. The partition does not
expand on initial setup. Trying to manually expand in storage app fails. Apply
patch. Manual expansion works.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
From documentation[1][2], it appears that the proper way to rename the source
package is simply to change the source package name. The binaries will be
treated generated from a new source package name. The old source package will
then not have any binaries associated with it. This will prompt the 'dak
cruft-report' tool to automatically remove the old source package[3]. No further
action will necessary to remove the old source package.
Links:
1) https://wiki.debian.org/RenamingPackages
2) https://www.debian.org/doc/manuals/developers-reference/pkgs.html#moving-removing-renaming-orphaning-adopting-and-reintroducing-packages
3) https://wiki.debian.org/ftpmaster_Removals
Tests:
- Build .deb package. Package is built successfully. Source package name is
'freedombox'.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
This is a slightly hacky way to ensure that nscd package is installed
rather than unscd (which provides nscd as a virtual package).
This will work as long as unscd does not jump to a version 2. It is
currently 0.53-1 and has little recent activity, so this condition
seems likely to hold in the near future.
Tests:
- In vagrant box, installed unscd. Installed modified freedombox deb.
Saw that unscd was removed and nscd was installed.
- In DigitalOcean droplet, reproduced issue from #1877. Installed
modified freedombox deb. Saw that unscd was removed (no other
packages were removed) and nscd was installed. FreedomBox interface
was available again.
- Built a freedom-maker image with modified freedombox deb. Checked
build log that nscd was installed and unscd was not installed.
Closes: #1877.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Module systemd.journal is used for writing proper structured messages to
systemd-journald. This was earlier only a recommends.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
See #1841 for discussion on why Turbolinks needs to be removed.
Closes: #1841.
Closes: #1804.
Tests performed:
- There are no more references to 'turbolinks' in source code other than .po(t)
files and the manual.
- When loading a page, turbolinks.js is no longer loaded.
- The following links don't have data-turbolinks attribute and work well when
clicked.a
- Gitweb repository links
- Download manual links (en, es)
- Ikiwiki wiki links
- Sharing app web share links
- TT-RSS mobile app link
- 'Launch web client' button
- 'Launch' button in web section of clients table
- Active and regular front page shortcut
- Roundcube does not have a link to /roundcube in description.
- turblinks not present in /static/jslicense.html . LibreJs accepts all scripts.
Reported-by: Veiko Aasa <veiko17@disroot.org>
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Tested-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Issue was reported by multiarch hinter on
https://tracker.debian.org/pkg/plinth.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- The repository has been renamed from 'plinth' to 'freedombox'.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Joseph Nuthalapati <njoseph@riseup.net>
