Re: [Tails-dev] Pip is not torified by default
On 06/02/2024 19.02, sajolida wrote:
> Stored for now in https://gitlab.tails.boum.org/tails/tails/-/issues/19320.

I think David was mostly referring to the importance of documenting how users can add any custom persistence features themselves. I'm wondering why we don't support this in the GUI yet. We rejected a ticket about that [0] 10 years ago for reasons I doubt are valid still so I opened a new issue [1] where we can discuss this.

Cheers!

[0] https://gitlab.tails.boum.org/tails/tails/-/issues/5383
[1] https://gitlab.tails.boum.org/tails/tails/-/issues/20184

> David A. Wheeler:
>>> On Feb 1, 2024, at 5:25 AM, anonym wrote:
>>> But, as already shown above, Tails allows you to customize it extensively through the persistence feature. The Additional Software persistence feature [3] allows you to keep any package from Debian installed and up-to-date, so just install python3-pip and the other tools you like that way.
>>>
>>> [3] https://tails.net/doc/persistent_storage/additional_software/
>>>
>>>> A persistent storage feature for user installed python packages could also be designed to be a hook that adds the appropriate corresponding .local folders to the persistence.conf upon activation of the feature.
>>>
>>> It is not a documented feature any more (I think because of bugs like #19267) but you can also make any folder persistent yourself. Start Tails with an administration password, login, start a Root Terminal.
>>>
>>> This makes ~/.local persistent:
>>>
>>>     echo '/home/amnesia/.local source=dot-local' \
>>>       >> /live/persistence/TailsData_unlocked/persistence.conf
>>>
>>> You can do this multiple times, so this also makes the pip cache persistent:
>>>
>>>     echo '/home/amnesia/.cache/pip source=pip-cache' \
>>>       >> /live/persistence/TailsData_unlocked/persistence.conf
>>>
>>> The `source=pip-cache` part means that the data will be stored on the persistent storage in `/live/persistence/TailsData_unlocked/pip-cache`, so just make sure to never re-use the same source as any other line in that file. You must restart Tails for lines added like this to take effect.
>>
>> I strongly recommend *documenting* this capability (e.g., in "additional software"). There's no way this group can directly support all special needs, but documenting how people can self-help would be really valuable. A few specific examples of common cases (I'd put pip in that category) would be especially helpful.
>>
>> --- David A. Wheeler

___
Tails-dev mailing list
Tails-dev@boum.org
https://www.autistici.org/mailman/listinfo/tails-dev
To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] Pip is not torified by default
Stored for now in https://gitlab.tails.boum.org/tails/tails/-/issues/19320.

David A. Wheeler:
>> On Feb 1, 2024, at 5:25 AM, anonym wrote:
>> But, as already shown above, Tails allows you to customize it extensively through the persistence feature. The Additional Software persistence feature [3] allows you to keep any package from Debian installed and up-to-date, so just install python3-pip and the other tools you like that way.
>>
>> [3] https://tails.net/doc/persistent_storage/additional_software/
>>
>>> A persistent storage feature for user installed python packages could also be designed to be a hook that adds the appropriate corresponding .local folders to the persistence.conf upon activation of the feature.
>>
>> It is not a documented feature any more (I think because of bugs like #19267) but you can also make any folder persistent yourself. Start Tails with an administration password, login, start a Root Terminal.
>>
>> This makes ~/.local persistent:
>>
>>     echo '/home/amnesia/.local source=dot-local' \
>>       >> /live/persistence/TailsData_unlocked/persistence.conf
>>
>> You can do this multiple times, so this also makes the pip cache persistent:
>>
>>     echo '/home/amnesia/.cache/pip source=pip-cache' \
>>       >> /live/persistence/TailsData_unlocked/persistence.conf
>>
>> The `source=pip-cache` part means that the data will be stored on the persistent storage in `/live/persistence/TailsData_unlocked/pip-cache`, so just make sure to never re-use the same source as any other line in that file. You must restart Tails for lines added like this to take effect.
>
> I strongly recommend *documenting* this capability (e.g., in "additional software"). There's no way this group can directly support all special needs, but documenting how people can self-help would be really valuable. A few specific examples of common cases (I'd put pip in that category) would be especially helpful.
>
> --- David A. Wheeler

-- 
sajolida
Re: [Tails-dev] Pip is not torified by default
Hey,

> There are many open-source intelligence (OSINT) tools that you can
> install with pip.
>
> > Derya
> >
> > The Privacy Advocate
>
> There also may be different privacy tools that you can install with pip
> that are not in apt or included with tails.
> A guide could be added to advanced topics for these use cases
> https://tails.net/doc/advanced_topics/python_packages

Keep in mind that installing software via pip is downloading random stuff from the internet - there is no signature with which you could check that you are downloading the thing you wanted to download.

I would highly recommend, from a security point of view: find software already packaged in Debian, or download the source code and build the Python packages from the source. That at least makes sure that we can look into the code to see what it does.

With Tails 6.0 based on bookworm, Python will shout loudly if you try to install anything via pip if you don't use a venv, as you may break the system. But those are "just warnings", which is why this is a topic for advanced users and should not be recommended to everyone.

Feel free to create a merge request for this at that gitlab:
https://gitlab.tails.boum.org/tails

You find the whole website under wiki/src. For the file you thought of, you need to create the file
wiki/src/doc/advanced_topics/python_packages.mdwn

Regards,

hefee
Re: [Tails-dev] Pip is not torified by default
>It never was installed in any Tails release.

My bad, I thought it was in 5.20 but upon further investigation it was indeed not included like you said.

>and none of them are into Python development.

That's fair and makes sense. Could python3-pip be included or would it cause issues with build or other dependencies or security?

>Our focus is on the needs of our personas [2]
>[2] https://tails.net/contribute/personas/

> Cris
>
> The Information Gatherer

There are many open-source intelligence (OSINT) tools that you can install with pip.

> Derya
>
> The Privacy Advocate

There also may be different privacy tools that you can install with pip that are not in apt or included with tails.
A guide could be added to advanced topics for these use cases
https://tails.net/doc/advanced_topics/python_packages

* Example:

Start Tails with an administration password

Open root terminal under Applications -> System Tools -> Root Terminal

Update and install pip

    apt update
    apt install python3-pip -y

Create pip.conf file to use tor

    mkdir -p ~/.config/pip/
    echo '[global]
    proxy = socks5h:127.0.0.1:9050' >> ~/.config/pip/pip.conf

Copy pip.conf to dotfiles

    mkdir -p /live/persistence/TailsData_unlocked/dotfiles/.config/pip
    cp /home/amnesia/.config/pip/pip.conf /live/persistence/TailsData_unlocked/dotfiles/.config/pip/

Add python packages folders to persistence.conf for persistence

    echo '/home/amnesia/.local/lib source=python-packages' \
      >> /live/persistence/TailsData_unlocked/persistence.conf
    echo '/home/amnesia/.local/bin source=local/bin' \
      >> /live/persistence/TailsData_unlocked/persistence.conf
    echo '/home/amnesia/.cache/pip source=pip-cache' \
      >> /live/persistence/TailsData_unlocked/persistence.conf

Reboot tails and install the pip packages you want :)

On 2/1/24 19:01, tails-dev-requ...@boum.org wrote:
Re: Pip is not torified by default
Re: [Tails-dev] Pip is not torified by default
> On Feb 1, 2024, at 5:25 AM, anonym wrote:
> But, as already shown above, Tails allows you to customize it extensively
> through the persistence feature. The Additional Software persistence feature
> [3] allows you to keep any package from Debian installed and up-to-date, so
> just install python3-pip and the other tools you like that way.
>
> [3] https://tails.net/doc/persistent_storage/additional_software/
>
>> A persistent storage feature for user installed python packages could also
>> be designed to be a hook that adds the appropriate corresponding .local
>> folders to the persistence.conf upon activation of the feature.
>
> It is not a documented feature any more (I think because of bugs like #19267)
> but you can also make any folder persistent yourself. Start Tails with an
> administration password, login, start a Root Terminal.
>
> This makes ~/.local persistent:
>
>     echo '/home/amnesia/.local source=dot-local' \
>       >> /live/persistence/TailsData_unlocked/persistence.conf
>
> You can do this multiple times, so this also makes the pip cache persistent:
>
>     echo '/home/amnesia/.cache/pip source=pip-cache' \
>       >> /live/persistence/TailsData_unlocked/persistence.conf
>
> The `source=pip-cache` part means that the data will be stored on the
> persistent storage in `/live/persistence/TailsData_unlocked/pip-cache`, so
> just make sure to never re-use the same source as any other line in that
> file. You must restart Tails for lines added like this to take effect.

I strongly recommend *documenting* this capability (e.g., in "additional software"). There's no way this group can directly support all special needs, but documenting how people can self-help would be really valuable. A few specific examples of common cases (I'd put pip in that category) would be especially helpful.

--- David A. Wheeler
Re: [Tails-dev] Pip is not torified by default
On 01/02/2024 04.46, Patrick wrote:
> Python3-pip should be added back next release

It never was installed in any Tails release.

> and with a global config to torify it by default.

You can make any single file (like `~/.config/pip/pip.conf`) persistent with the Dotfiles persistence feature. [0]

[0] https://tails.net/doc/persistent_storage/configure/#dotfiles

> There are many nice python tools not included with tails that users may like to install. Also pip seems like an easy way to test different python tools for use and possible integration onto tails.

Tails is not a general purpose operating system, we simply do not have resources to support all use cases. [1] Our focus is on the needs of our personas [2], and none of them are into Python development. :)

[1] https://tails.net/support/faq/#new-software
[2] https://tails.net/contribute/personas/

But, as already shown above, Tails allows you to customize it extensively through the persistence feature. The Additional Software persistence feature [3] allows you to keep any package from Debian installed and up-to-date, so just install python3-pip and the other tools you like that way.

[3] https://tails.net/doc/persistent_storage/additional_software/

> A persistent storage feature for user installed python packages could also be designed to be a hook that adds the appropriate corresponding .local folders to the persistence.conf upon activation of the feature.

It is not a documented feature any more (I think because of bugs like #19267) but you can also make any folder persistent yourself. Start Tails with an administration password, login, start a Root Terminal.

This makes ~/.local persistent:

    echo '/home/amnesia/.local source=dot-local' \
      >> /live/persistence/TailsData_unlocked/persistence.conf

You can do this multiple times, so this also makes the pip cache persistent:

    echo '/home/amnesia/.cache/pip source=pip-cache' \
      >> /live/persistence/TailsData_unlocked/persistence.conf

The `source=pip-cache` part means that the data will be stored on the persistent storage in `/live/persistence/TailsData_unlocked/pip-cache`, so just make sure to never re-use the same source as any other line in that file. You must restart Tails for lines added like this to take effect.

Cheers!
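Added example, not part of the thread and not Tails code: a check to run over persistence.conf after appending lines by hand as described in the messages above, flagging a `source=` value used twice and lines where the whitespace before `source=` is missing. The function name `check_persistence_conf` is hypothetical, and the line format is assumed to be a destination, whitespace, then comma-separated options.

```shell
#!/bin/sh
# Added example: lint a persistence.conf before rebooting (not Tails code).
# Prints one finding per line; returns 1 if anything was found, else 0.
check_persistence_conf() {
    awk '
    /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
    {
        dest = $1; src = ""
        if (dest !~ /^\//) {
            printf "line %d: destination is not absolute: %s\n", NR, dest
            bad = 1
        }
        if (NF < 2) {
            # One field only: the whitespace before the options is missing,
            # e.g. "/home/amnesia/.local/libsource=python-packages".
            if (index(dest, "source=") > 0)
                printf "line %d: no whitespace before source= in %s\n", NR, dest
            else
                printf "line %d: no options after %s\n", NR, dest
            bad = 1
            next
        }
        n = split($2, opts, ",")          # options are comma-separated
        for (i = 1; i <= n; i++)
            if (opts[i] ~ /^source=/) src = substr(opts[i], 8)
        if (src == "") next               # lines without source= are not compared
        if (src in seen) {
            printf "line %d: source=%s already used on line %d\n", NR, src, seen[src]
            bad = 1
        } else {
            seen[src] = NR
        }
    }
    END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample input, not a real Tails configuration.
sample=$(mktemp)
cat > "$sample" <<'EOF'
/home/amnesia/.local source=dot-local
/home/amnesia/.cache/pip source=dot-local
EOF
check_persistence_conf "$sample" || echo "fix these lines before restarting Tails"
rm -f "$sample"
```

On Tails the file to pass is /live/persistence/TailsData_unlocked/persistence.conf, read from the Root Terminal.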
Re: [Tails-dev] Pip is not torified by default
>You could get some stream isolation by adding a "username" with a value not used by other apps.
>The file /usr/local/bin/curl shows how to create a random one each time.
>That'd be hard to do in a pip.conf file, but even a "username" created once would create a different stream compared to other applications on Tails, and that would provide *some* isolation.

Update: python3-pip is not included in latest Tails release

I was doing some more testing and noticed that it's not included anymore as of the latest release. Not exactly sure what in the building process removed it.

When typing `pip`, `pip install ` returns bash not found and `which pip` returns nothing.
`apt list --installed |grep python3-pip` returns nothing.

Python3-pip should be added back next release and with a global config to torify it by default.

There are many nice python tools not included with tails that users may like to install. Also pip seems like an easy way to test different python tools for use and possible integration onto tails.

A persistent storage feature for user installed python packages could also be designed to be a hook that adds the appropriate corresponding .local folders to the persistence.conf upon activation of the feature.
Re: [Tails-dev] Pip is not torified by default
> On Jan 30, 2024, at 9:01 PM, Patrick
> wrote:
>
> Pip requires torsocks to even work when it comes installing things through
> pip.
> Despite other binaries being set to use torsocks --isolate or set in their
> own config, pip is not set to use tor by default in tails.
> New users might not know that torsocks is required to launch many
> applications so they may get confused.
> pip install hangs up (errors out) due to it unable to reach and
> even fetch things from pypi.org.
>
> Setting a global config for pip to use tor as a proxy would fix this and
> force pip to use tor.
>
>
> Creating a config file for pip to use globally:
>
> /etc/pip.conf or /etc/xdg/pip/pip.conf with this line:
>
> [global]
> proxy = socks5h:127.0.0.1:9050
>
> The only issue I can see with this is no stream isolation for pip.

You could get some stream isolation by adding a "username" with a value not used by other apps. The file /usr/local/bin/curl shows how to create a random one each time. That'd be hard to do in a pip.conf file, but even a "username" created once would create a different stream compared to other applications on Tails, and that would provide *some* isolation.

--- David A. Wheeler
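Added example, not part of the thread and not taken from Tails' curl wrapper: the two "username" variants discussed above, one generated per pip invocation and one written once into a pip.conf. The function names are hypothetical and the proxy is written in pip's documented scheme://user:password@host:port form. It assumes Tor's SocksPort on 127.0.0.1:9050 keeps the default IsolateSOCKSAuth behaviour and that pip's SOCKS support passes the credentials through.

```shell
#!/bin/sh
# Added example (not Tails code): SOCKS credentials as a stream-isolation key.
# Assumes Tor listens on 127.0.0.1:9050, as in the thread.

# Hypothetical helper: 16 random hex characters from the kernel RNG.
random_token() {
    head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Build a proxy URL whose username and password change on every call.
tor_proxy_url() {
    printf 'socks5h://pip-%s:%s@127.0.0.1:9050\n' \
        "$(random_token)" "$(random_token)"
}

# Per-invocation variant: every pip run gets fresh credentials, so its
# streams are kept apart from other applications and from earlier pip runs.
pip_isolated() {
    pip --proxy "$(tor_proxy_url)" "$@"
}

# Static variant for a pip.conf in directory $1: the username is created
# once, which separates pip from other applications but not one pip run
# from the next.
write_pip_conf() {
    mkdir -p "$1"
    printf '[global]\nproxy = %s\n' "$(tor_proxy_url)" > "$1/pip.conf"
}
```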