This is about #14570 which we plan to implement for Tails 3.5.

Goal

Have Additional software packages to work offline forever, but to upgrade when connecting to the Internet.

Current status

According to #6260 Additional Software Packages works offline for a few days after being connected, but then fails.

We researched the possible root causes of this class of issues and identified three:

APT indices have expired

This was the hypothesis on #6260.

Release file corresponding to the packages to be installed is expired. This is controlled by the Valid-Until field of the Release file (https://wiki.debian.org/DebianRepository/Format#Date.2C_Valid-Until).

Looking at Valid-Until fields on Tails, it seems to be :

  • ~1 week for unstable and stable/update
  • ~1 month for torproject.org
  • unlimited for stable

Testing and study of the APT source code show that this problem does not exist anymore on Tails 3.3: APT checks the indices expiration date only when it downloads them, not when it reads them to install packages.

Testing procedure

I tried installing packages offline in Tails 3.3 using the following procedure on 14 Dec 2017:

  • start Tails online with persistence of apt packages and apt lists
  • install optipng (currently pulled from stretch/updates, which expires on 22 Dec 2017) and wdiff (from stretch, which doesn't expire) and add them to additional software list
  • reboot offline
  • the install works and optipng version is the one from stretch/updates
  • set the date 1 year in the future in the BIOS
  • reboot offline
  • the install works and optipng version is the one from stretch/updates

I went through the entire procedure 3 times and got the same results. Basic offline operation is thus already working, and #6260 seems to be have been resolved: recent APT doesn't check Valid-Until on package installation.

One of the packages was not cached in the first place

When I run Tails 3.3, install a package with apt and add it to my list of Additional Software Packages, then if I am offline when I start Tails the next time, this package won't be installed.

The root cause of this problem was identified and a fix has been committed for Tails 3.5 (#10958).

Incomplete online upgrade process

Assume that during an online Tails session, the APT indices are successfully updated, but then Tails is shut down before the upgraded Debian packages were downloaded. Then, if Tails is started offline the next time, the packages that needed to be upgraded cannot be installed.

This is the only remaining problem we should consider fixing.

Proposed solution

  • in the upgrade operation : save a copy of /var/lib/apt/lists/ before running the apt-get update. It could be stored to a specific location, e.g. /live/persistence/TailsData_unlocked/tails-additional-software/apt/lists.old/. After a successful apt-get upgrade, remove this copy of the old APT lists.
  • in the install operation : if there is a copy of the old APT lists, restore it before running apt-get install

Testing procedure

We should find a testing procedure, which doesn't look trivial, as the problem only occurs when there is an upgrade of an additional software package.

  • setup offline Tails with persistence including APT lists and APT cache
  • setup an Additional Software Package that has been upgraded in the last point release, e.g. abiword was updated from 3.0.2-2 to 3.0.2-2+deb9u1 in Stretch 9.3.
  • copy APT lists from before the last Debian point release to /var/lib/apt/lists, e.g.:

        deb [check-valid-until=no] tor+http://snapshot.debian.org/archive/debian/20171207T033657Z/ stretch main contrib
    
  • copy the old version of the package in /var/lib/apt/archives

  • shut down Tails
  • backup the persistent volume
  • reboot online. The installation should work.
  • restore the persistent volume from the backup, reboot online and shut down the network after APT update, but before the upgrade. The lists should be up-to-date, but the packages not upgraded.
  • reboot offline. The installation currently fails, while it should work once we've fixed this bug.