Re: [Tails-dev] Please test feature/unsafe-browser

Author: anonym
Date:  
To: The Tails public development discussion list
Subject: Re: [Tails-dev] Please test feature/unsafe-browser
04/13/2012 11:24 PM, intrigeri:
> hi,
>
> Glad to see things moving forward.


I just noticed that the 'owner' iptables packet matching module
unfortunately only supports matching a user's primary GID, not its
supplementary GID:s (which hardly is surprising in hindsight), so the
group approach I proposed is toast. We need to make one rule per user *
service combination we want to allow :/. The todo has been updated to
accommodate this (commit 61e2e74).

I've implemented this (and changed some necessary application
configurations) in feature/firewall_lockdown. The iptables rules will
certainly look more beautiful with ferm.

> anonym wrote (13 Apr 2012 13:45:38 GMT) :
>> I also realized that the rule accepting all loopback connections
>> needs to exclude the clearnet user. Done in commit b98c377.
>
>>> Would you please update todo/add_support_for_free_wifi_hotspots to
>>> match the current status of the implementation, and the remaining
>>> problems that are still to be fixed?
>
>> Done in commit b1e5c92.
>
> Great. "This will be useful when the windows camouflage is activated, since
> it disables other" looks like an unfinished sentence.


Thanks. Fixed.

> Added link to kiosk mode in TODO, since it's a blocker IMHO.
>
>> Since there's already a section for future stuff in the existing ticket
>> I put it there (also commit b1e5c92).
>
> Great. We'll have to move such future stuff into other tickets when we
> want to close the main one, though. It feels good to be able to decide
> some given feature set is *done*, close its ticket, and move to fix
> next tiny improvements one after the other, instead of editing a huge
> ticket for years.


Definitely.

Cheers!
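
The "one rule per user * service combination" approach from the message above, as an added example that is not part of the original message or of the Tails code base: an allow-list is expanded into one `owner` rule per pair, keyed on UID so that group membership plays no part. The user names `alice` and `svcuser`, the service names, the ports and the closing REJECT rule are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: expand a user -> local-service allow-list into one
# iptables "owner" rule per (user, service) pair. Rules are only printed
# (iptables-save syntax); nothing is loaded into the kernel.

# Service name -> local TCP port (constructed values).
service_port() {
    case "$1" in
        socks)   echo 9050 ;;
        dns)     echo 5353 ;;
        control) echo 9051 ;;
        *)       return 1 ;;
    esac
}

# Allow-list, one "user:service[,service...]" entry per line (constructed).
# The clearnet user has no entry, so it gets no loopback access at all.
ALLOW='alice:socks,dns
svcuser:control,socks'

emit_rules() {
    while IFS=: read -r user services; do
        for svc in $(printf '%s\n' "$services" | tr ',' ' '); do
            port=$(service_port "$svc") || {
                echo "unknown service: $svc" >&2
                return 1
            }
            # --uid-owner matches the UID of the socket's owner, which
            # avoids depending on --gid-owner and group membership.
            echo "-A OUTPUT -o lo -p tcp --dport $port -m owner --uid-owner $user -j ACCEPT"
        done
    done <<EOF
$ALLOW
EOF
    # Everything else on loopback is refused, whoever owns the socket.
    echo "-A OUTPUT -o lo -j REJECT"
}

emit_rules
```
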