Tails Changelog

What's new in Tails 6.1

Mar 28, 2024

CHANGES AND UPDATES:
Update Tor Browser to 13.0.13. This includes the changes brought by 13.0.12.
Update Thunderbird to 115.9.0.
FIXED PROBLEMS:
Fix Onion Circuits. #20233
Fix Welcome Screen frequently showing a "Welcome to Tails!" is not responding error. #20236
Fix Videos showing an error message during playback. #20243
Fix problems with changing the passphrase of the Persistent Storage. #20217
Tails Cloner can now install and upgrade to devices with multiple mounted partitions. #20149
The Persistent Storage settings now display all enabled custom Persistent Storage features. #19267
Mitigate the RFDS Intel CPU vulnerabilities. #20274

New in Tails 6.0 RC 1 (Feb 2, 2024)

New features:
Mount external devices automatically:
When you plug in an external storage device, a USB stick or an external hard disk, Tails 6.0~rc1 mounts it automatically. If the storage device contains an encrypted partition, Tails 6.0~rc1 offers you to unlock the encryption automatically.
Protection against malicious USB devices:
If an attacker manages to plug a malicious USB device in your computer, they could run software that breaks the security built in Tails without your knowledge.
To protect from such attacks while you are away from your computer, Tails 6.0~rc1 ignores any USB device that is plugged in while your screen is locked.
You can only use new USB devices if they are plugged in while the screen is unlocked.
Dark Mode and Night Light:
From the system menu of Tails 6.0~rc1, you can now switch between:
The default light mode with colder colors and more brightness
A dark mode
A night light mode with warmer colors and less brightness
A combination of both the dark mode and night light mode
Easier screenshots and screencasts:
GNOME 43 introduces a new Take Screenshot shortcut in the system menu that makes it easier to take a screenshot or record a screencast.
Easier Gmail in Thunderbird:
Thanks to changes in both Thunderbird and Gmail, it's much easier to configure a Gmail account in Thunderbird in Tails 6.0~rc1.
You don't have to configure anything special in your Gmail account, other than the usual 2-Step Verification.
You can sign in to your Gmail account directly when configuring it in Thunderbird.
Diceware passphrases in 5 more languages:
When creating a Persistent Storage, suggested passphrases are now also generated in Catalan, German, Italian, Portuguese, and Spanish.
Thanks to jawlensky who created the word lists for Catalan, Italian, and Spanish for Tails, but also made them available to all users of diceware.
CHANGES AND UPDATES:
Included software:
Tails 6.0~rc1 updates many of the applications included in Tails, among others:
Electrum from 4.0.9 to 4.3.4
Improve support for the Lightning protocol and hardware wallets.
KeePassXC from 2.6.2 to 2.7.4
Add entry tags.
Support dark mode.
Redesign history view.
Metadata Cleaner from 1.0.2 to 2.4.0
Redesign the whole user interface.
Support dark mode.
Add support for AIFF and HEIC files.
OnionShare from 2.2-3 to 2.6-5
Redesign the whole user interface.
Allow creating chat rooms.
Allow hosting static websites.
Text Editor from gedit to gnome-text-editor
Support dark mode.
Inkscape from 1.0.2 to 1.2.2
Audacity from 2.4.2 to 3.2.4
Gimp from 2.10.22 to 2.10.34
Kleopatra from 4:20.08 to 4:22.12
Removed features:
Remove the item Remove metadata from the shortcut menu of the Files browser.
The developers of MAT2, the metadata removal library used by Metadata Cleaner are not providing this option anymore.
Remove the item Wipe and Wipe available disk space from the shortcut menu of the Files browser.
Secure deletion is not reliable enough on USB sticks and SSDs for us to keep advertising this feature. We are still discussing which alternatives to explain in our documentation on secure deletion. (#19121)
Remove GtkHash
You can still install GtkHash as Additional Software.
Fixed problems:
Fix several issues with special characters and non-Latin scripts in the screen keyboard. (#18076)

New in Tails 5.22 (Jan 31, 2024)

New in Tails 5.21 (Jan 3, 2024)

New in Tails 5.20 (Dec 2, 2023)

New in Tails 5.19.1 (Nov 18, 2023)

New in Tails 5.19 (Nov 2, 2023)

New in Tails 5.18 (Oct 5, 2023)

New in Tails 5.17.1 (Sep 17, 2023)

New in Tails 5.17 (Sep 5, 2023)

New in Tails 5.16.1 (Aug 16, 2023)

New in Tails 5.16 (Aug 7, 2023)

New in Tails 5.15.1 (Jul 13, 2023)

New in Tails 5.14 (Jun 13, 2023)

New in Tails 5.13 (May 17, 2023)

New in Tails 5.12 (Apr 20, 2023)

New in Tails 5.11 (Mar 22, 2023)

New in Tails 5.10 (Feb 19, 2023)

New in Tails 5.9 (Jan 25, 2023)

New in Tails 5.8 (Dec 20, 2022)

NEW FEATURES:
New Persistent Storage:
After 2 years of hard work, we are extremelly proud to present you a complete redesign of the Persistent Storage.
The Persistent Storage hasn't changed much since its first release in 2012 because the code was hard to modify and improve. But, we learned from users that the Persistent Storage could do a lot more for you if it had more features and was easier to use.
You don't have to restart anymore after creating the Persistent Storage or each time you activate a new feature.
You can change the password of your Persistent Storage from this new application.
You can choose to create a Persistent Storage directly from the Welcome Screen, if you don't have one already.
Wayland and better Unsafe Browser:
We replaced the deprecated X.Org display system with Wayland.
Even if you won't notice any visual difference, Wayland brings more security in depth to Tails by making it harder for a compromised application in Tails to compromise or misuse another application.
For example, since Tails 4.8, the Unsafe Browser was disabled by default because a security vulnerability in another application in Tails could start an invisible Unsafe Browser, reveal your IP address, and deanonymize you.
Wayland fixes this vulnerability and makes it safe to reenable the Unsafe Browser by default. You can still disable the Unsafe Browser in the Welcome Screen.
Wayland also brings in other features that were not working yet in the Unsafe Browser:
Sound
Uploads and downloads
Alternative input methods for Chinese and other non-Latin languages
Accessibility features like the screen reader and virtual keyboard
QR code scanning of Tor bridges:
We made it easier to enter new Tor bridges in Tails by scanning a QR code.
To get a QR code, you can either:
Send an empty email to [email protected] from a Gmail or Riseup email address.
Get bridges from https://bridges.torproject.org/ and print the QR code on paper.
We are aware that the QR codes that are currently provided are too big to be easy to scan. We are working with Tor to make them smaller and easier to scan.
Changes and updates:
Update Tor Browser to 12.0.1.
Update Thunderbird to 102.6.0.
Update Tor to 0.4.7.12.
Fixed problems:
We fixed 3 usability issues in the Tor Connection assistant:
Display a percentage on the connection progress bar. (#19208)
Fix links to documentation. (#19172)
Add a Bridge label in front of the line to enter a custom bridge. (#19169)
Known issues:
The switches that turn on and off the different features of the Persistent Storage are very slow to respond on some USB sticks. Please report on #19291 if this happens to you.
The top of the Welcome Screen is cut out on small displays (800×600), like virtual machines. (#19324)
You can press Alt+S to start Tails.
When using a custom Tor obfs4 bridge, the progress bar of Tor Connection sometimes gets stuck halfway through and becomes extremelly slow. (#19173)
To fix this, you can either:
Close and reopen Tor Connection to speed up the initial connection.
Try a different obfs4 bridge.
This issue only affects outdated obfs4 bridges and does not happen with obfs4 bridges that run version 0.0.12 or later.

New in Tails 5.7 (Nov 22, 2022)

New in Tails 5.8 Beta 1 (Nov 3, 2022)

New in Tails 5.6 (Oct 26, 2022)

New in Tails 5.5 (Oct 17, 2022)

New in Tails 5.4 (Aug 26, 2022)

New in Tails 5.3.1 (Aug 3, 2022)

New in Tails 5.3 (Jul 28, 2022)

New in Tails 5.2 (Jul 12, 2022)

New in Tails 5.1.1 (Jun 27, 2022)

New in Tails 5.1 (Jun 7, 2022)

The Tor Connection assistant now automatically fixes the computer clock if you choose to connect to Tor automatically.
This makes is much easier for people in Asia to circumvent censorship.
Tails learns the current time by connecting to the captive portal detection service of Fedora, which is used by most Linux distributions. This connection does not go through the Tor network and is an exception to our policy of only making Internet connections through the Tor network.
You can learn more about our security assessment of this time synchronization in our design documentation about non-Tor traffic.
The time displayed in the top navigation uses the time zone selected when fixing the clock in the Tor Connection assistant.
In the future, we will make it possible to change the displayed time zone for everybody from the desktop (#10819) and store it in the Persistent Storage (#12094).
The last screen of the Tor Connection assistant makes it clear whether you are connected using Tor bridges or not.
Connected to Tor successfully with bridges
Unsafe Browser and captive portals:
We wrote a new homepage for the Unsafe Browser when you are not connected to the Tor network yet. This new version makes it easier to understand how to sign in to the network using a captive portal.
Example of captive portal: Free Wi-Fi hotspot
Tails now asks for confirmation before restarting when the Unsafe Browser was not enabled in the Welcome Screen. This prevents losing work too easily.
Kleopatra:
Associate OpenPGP files with Kleopatra in the Files browser.
You can now double-click on .gpg files to decrypt them.
Add Kleopatra to the Favorites applications.
Included software:
Update tor to 0.4.7.7.
Update Tor Browser to 11.0.14.
Update Thunderbird to 91.9.
Update the Linux kernel to 5.10.113. This should improve the support for newer hardware: graphics, Wi-Fi, and so on.
FIXED PROBLEMS:
Remove the automatic selection of the option Configure a bridge when rolling back from the option to hide that you are connecting to Tor. (#18546)
Give the same instructions on both screens where you have to configure a bridge. (#18596)
Help rename the default KeePassXC database to open it automatically in the future. (#18966)
Fix sharing files using OnionShare from the Files browser. (#18990)
Share via OnionShare
Disable search providers in the Activities overview: files, calculator, and terminal. (#18952)

New in Tails 5.0 (May 3, 2022)

NEW FEATURES:
Kleopatra:
We added Kleopatra to replace the OpenPGP Applet and the Password and Keys utility, also known as Seahorse.
The OpenPGP Applet was not actively developped anymore and was complicated for us to keep in Tails. The Password and Keys utility was also poorly maintained and Tails users suffered from too many of its issues until now, like #17183.
Kleopatra provides equivalent features in a single tool and is more actively developed.
CHANGES AND UPDATES:
the Additional Software feature of the Persistent Storage is enabled by default to make it faster and more robust to configure your first additional software package.
You can now use the Activities overview to access your windows and applications. To access the Activities overview, you can either:
Click on the Activities button.
Throw your mouse pointer to the top-left hot corner.
Press the Super () key on your keyboard.
You can see your windows and applications in the overview. You can also start typing to search your applications, files, and folders.
Included software:
Most included software has been upgraded in Debian 11, for example:
Update Tor Browser to 11.0.11.
Update GNOME from 3.30 to 3.38, with lots of small improvements to the desktop, the core GNOME utilities, and the locking screen.
Update MAT from 0.8 to 0.12, which adds support to clean metadata from SVG, WAV, EPUB, PPM, and Microsoft Office files.
Update Audacity from 2.2.2 to 2.4.2.
Update Disk Utility from 3.30 to 3.38.
Update GIMP from 2.10.8 to 2.10.22.
Update Inkscape from 0.92 to 1.0.
Update LibreOffice from 6.1 to 7.0.
Hardware support:
The new support for driverless printing and scanning in Linux makes it easier to make recent printers and scanners work in Tails.
Fixed problems:
Fix unlocking VeraCrypt volumes that have very long passphrases. (#17474)
Known issues:
Additional Software sometimes doesn't work when restarting for the first time right after creating a Persistent Storage. (#18839)
To solve this, install the same additional software package again after restarting with the Persistent Storage for the first time.
Thunderbird displays a popup to choose an application when opening links. (#18913)
Tails Installer sometimes fails to clone. (#18844)

New in Tails 4.29 (Apr 6, 2022)

New in Tails 5.0 Beta 1 (Apr 5, 2022)

New in Tails 4.28 (Mar 9, 2022)

New in Tails 4.26 (Jan 12, 2022)

New in Tails 4.25 (Dec 7, 2021)

New in Tails 4.24 (Nov 26, 2021)

New in Tails 4.2.2 (Jan 14, 2020)

New in Tails 4.2 (Jan 7, 2020)

New in Tails 4.1.1 (Dec 17, 2019)

New in Tails 4.1 (Dec 3, 2019)

New in Tails 4.0 RC1 (Oct 11, 2019)

New in Tails 3.16 (Sep 5, 2019)

New in Tails 4.0 Beta 1 (Aug 16, 2019)

New in Tails 3.15 (Jul 12, 2019)

New in Tails 3.14.2 (Jun 25, 2019)

New in Tails 3.14.1 (Jun 21, 2019)

New in Tails 3.14 (May 21, 2019)

New in Tails 3.13.2 (May 6, 2019)

New in Tails 3.13.1 (Mar 23, 2019)

New in Tails 3.13 (Mar 20, 2019)

New in Tails 3.12.1 (Feb 14, 2019)

New in Tails 3.12 (Jan 29, 2019)

New in Tails 3.11 (Dec 12, 2018)

New in Tails 3.10.1 (Oct 24, 2018)

New in Tails 3.9.1 (Oct 4, 2018)

New in Tails 3.7.1 (Jun 11, 2018)

New in Tails 3.7 (May 9, 2018)

New in Tails 3.6.2 (Mar 31, 2018)

New in Tails 3.6.1 (Mar 19, 2018)

New in Tails 3.6 (Mar 13, 2018)

New in Tails 3.5 (Jan 23, 2018)

New in Tails 3.4 (Jan 9, 2018)

New in Tails 3.3 (Nov 15, 2017)

New in Tails 3.2 RC1 (Sep 18, 2017)

New in Tails 3.1 (Aug 9, 2017)

New in Tails 3.0.1 (Jul 6, 2017)

New in Tails 3.0 RC1 (May 21, 2017)

New in Tails 3.0 Beta 2 (Mar 9, 2017)

New in Tails 2.11 (Mar 7, 2017)

New in Tails 2.10 (Jan 25, 2017)

New in Tails 2.10 RC1 (Jan 15, 2017)

Major new features and changes:
Upgrade the Linux kernel to 4.8.0-0.bpo.2 (Closes: #11886).
Install OnionShare from jessie-backports. Also install python3-stem from jessie-backports to allow the use of ephemeral onion services (Closes: #7870).
Completely rewrite tor-controlport-filter. Now we can safely support OnionShare, Tor Browser's per-tab circuit view and similar.
Port to python3.
Handle multiple sessions simultaneously.
Separate data (filters) from code.
Use python3-stem to allow our filter to be a lot more oblivious of the control language (Closes: #6788).
Allow restricting STREAM events to only those generated by the subscribed client application.
Allow rewriting commands and responses arbitrarily.
Make tor-controlport-filter reusable for others by e.g. making it possible to pass the listen port, and Tor control cookie/socket paths as arguments (Closes: #6742). We hear Whonix plan to use it! :)
Upgrade Tor to 0.2.9.8-2~d80.jessie+1, the new stable series (Closes: #12012).
Security fixes:
Upgrade Icedove to 1:45.6.0-1~deb8u1+tail1s.
Minor improvements:
Enable and use the Debian Jessie proposed-updates APT repository, anticipating on the Jessie 8.7 point-release (Closes: #12124).
Enable the per-tab circuit view in Tor Browser (Closes: #9365).
Change syslinux menu entries from "Live" to "Tails" (Closes: #11975). Also replace the confusing "failsafe" wording with "Troubleshooting Mode" (Closes: #11365).
Make OnionCircuits use the filtered control port (Closes: #9001).
Make tor-launcher use the filtered control port.
Run OnionCircuits directly as the Live user, instead of a separate user. This will make it compatible with the Orca screen reader (Closes: #11197).
Run tor-controlport-filter on port 9051, and the unfiltered one on 9052. This simplifies client configurations and assumptions made in many applications that use Tor's ControlPort. It's the exception that we connect to the unfiltered version, so this seems like the more sane approach.
Remove tor-arm (Nyx) (Closes: #9811).
Remove AddTrust_External_Root.pem from our website CA bundle. We now only use Let's Encrypt (Closes: #11811).
Configure APT to use Debian's Onion services instead of the clearnet ones (Closes: #11556).
Replaced AdBlock Plus with uBlock Origin (Closes: #9833). This incidentally also makes our filter lists lighter by de-duplicating common patterns among the EasyList filters (Closes: #6908). Thanks to spriver for this first major code contribution!
Install OpenPGP Applet 1.0 (and libgtk3-simplelist-perl) from Jessie backports (Closes: #11899).
Add support for exFAT (Closes: #9659).
Disable unprivileged BPF. Since upgrading to kernel 4.6, unprivileged users can use the bpf() syscall, which is a security concern, even with JIT disabled. So we disable that. This feature wasn't available before Linux 4.6, so disabling it should not cause any regressions (Closes: #11827).
Add and enable AppArmor profiles for OnionCircuits and OnionShare.
Raise the maximum number of loop devices to 32 (Closes: #12065).
Drop kernel.dmesg_restrict customization: it's enabled by default since 4.8.4-1~exp1 (Closes: #11886).
Upgrade Electrum to 2.7.9-1.
Bugfixes:
Tails Greeter:
use gdm-password instead of gdm-autologin, to fix switching to the VT where the desktop session lives on Stretch (Closes: #11694)
Fix more options scrolledwindow size in Stretch (Closes: #11919)
Tails Installer: remove unused code warning about missing extlinux in Tails Installer (Closes: #11196).
Update APT pinning to cover all binary packages built from src:mesa so we ensure installing mesa from jessie-backports (Closes: #11853).
Install xserver-xorg-video-amdgpu. This should help supporting newer AMD graphics adapters. (Closes #11850)
Fix firewall startup during early boot, by referring to the "amnesia" user via its UID (Closes: #7018).
Include all amd64-microcodes.

New in Tails 2.9.1 (Dec 18, 2016)

New in Tails 2.7.1 (Dec 1, 2016)

New in Tails 2.6 (Sep 20, 2016)

New in Tails 2.6 RC1 (Sep 4, 2016)

Major new features and changes:
Install Tor 0.2.8.6. (Closes: #11351)
Enable kASLR in the Linux kernel. (Closes: #11281)
Upgrade Icedove to 1:45.2.0-1~deb8u1+tails1: (Closes: #11714) · Drop auto-fetched configurations using Oauth2. They do not work together with Torbirdy since it disables needed functionality (like JavaScript and cookies) in the embedded browser. This should make auto-configuration work for GMail again, for instance. (Closes: ##11536) · Pin Icedove to be installed from our APT repo. Debian's Icedove packages still do not have our secure Icedove autoconfig wizard patches applied, so installing them would be a serious security regression. (Closes: #11613) · Add missing icedove-l10n-* packages to our custom APT repository (Closes: #11550)
Upgrade to Linux 4.6: (Closes: #10298) · Install the 686 kernel flavour instead of the obsolete 586 one. · APT, dpkg: add amd64 architecture. The amd64 kernel flavour is not built anymore for the i386 architecture, so we need to use multiarch now. · Build and install the out-of-tree aufs4 module. (Closes: #10298) · Disable kernel modesetting for QXL: it's not compatible with Jessie's QXL X.Org driver.
Security fixes:
Hopefully fixed an issue which would sometimes make the Greeter ignore the "disable networking" or "bridge mode" options. (Closes: #11593)
Minor improvements:
Install firmware-intel-sound and firmware-ti-connectivity. This adds support for some sound cards and Wi-Fi adapters. (Closes: #11502)
Install OpenPGP Applet from Debian. (Closes: #10190)
Install gnome-sound-recorder (again). (Closes: #10950)
Port the "About Tails" dialog to python3.
Run our initramfs memory erasure hook earlier (Closes: #10733). The goal here is to: · save a few seconds on shutdown (it might matter especially for the emergency one); · work in a less heavily multitasking / event-driven environment, for more robust operation.
Install rngd, and make rng-tools initscript return success when it can't find any hardware RNG device. Most Tails systems around probably have no such device, and we don't want systemd to believe they failed to boot properly. (Closes: #5650)
Don't force using the vboxvideo X.Org driver. According to our tests, this forced setting is: · harmful: it breaks X startup when the vboxvideo kernel driver is loaded; · useless: X.Org now autodetects the vboxvideo X.Org driver and uses it when running in VirtualBox and the vboxvideo kernel is not present.
Port boot-profile to python3 (Closes: #10083). Thanks to heartsucker [email protected] for the patch!
Include /proc/cmdline and the content of persistent APT sources in WhisperBack bug reports. (Closes: #11675, #11635)
Disable non-free APT sources at boot time. (Closes: #10130)
Have a dedicated page for the homepage of Tor Browser in Tails. (Closes: # 11725)
Only build the VirtualBox kernel modules for the 32-bit kernel. It's both hard and useless to build it for 64-bit in the current state of things, as long as we're shipping a 32-bit userspace. Also, install virtualbox-* from jessie-backports, since the version in Jessie is not compatible with Linux 4.x.

New in Tails 2.5 (Aug 2, 2016)

New in Tails 2.4 (Jun 7, 2016)

Major new features and changes:
Upgrade Tor Browser to 6.0 based on Firefox 45.2. (Closes: #11403).
Enable Icedove's automatic configuration wizard. We patch the wizard to only use secure protocols when probing, and only accept secure protocols, while keeping the improvements done by TorBirdy in its own non-automatic configuration wizard. (Closes: #6158, #11204)
Bugfixes:
Enable Packetization Layer Path MTU Discovery for IPv4. If any system on the path to the remote host has a MTU smaller than the standard Ethernet one, then Tails will receive an ICMP packet asking it to send smaller packets. Our firewall will drop such ICMP packets to the floor, and then the TCP connection won't work properly. This can happen to any TCP connection, but so far it's been reported as breaking obfs4 for actual users. Thanks to Yawning for the help! (Closes: #9268)
Make Tails Upgrader ship other locales than English. (Closes: #10221)
Minor improvements:
Icedove improvements:
Stop patching in our default into Torbirdy. We've upstreamed some parts, and the rest we set with pref branch overrides in /etc/xul-ext/torbirdy.js. (Closes: #10905)
Use hkps keyserver in Engimail. (Closes: #10906)
Default to POP if persistence is enabled, IMAP if not. (Closes: #10574)
Disable remote email account creation in Icedove. (Closes: #10464)
Firewall hardening (Closes: #11391):
Don't accept RELATED packets. This enables quite a lot of code in the kernel that we don't need. Let's reduce the attack surface a bit.
Restrict debian-tor user to NEW TCP syn packets. It doesn't need to do more, so let's do a little bit of security in depth.
Disable netfilter's nf_conntrack_helper.
Fix disabling of automatic conntrack helper assignment.
Kernel hardening:
Set various kernel boot options: slab_nomerge slub_debug=FZ mce=0 vsyscall=none. (Closes: #11143)
Remove the kernel .map files. These are only useful for kernel debugging and slightly make things easier for malware, perhaps and otherwise just occupy disk space. Also stop exposing kernel memory addresses through /proc etc. (Closes: #10951)
Drop zenity hacks to "focus" the negative answer. Jessie's zenity introduced the --default-cancel option, finally! (Closes: #11229)
Drop useless APT pinning for Linux.
Remove gnome-tweak-tool. (Closes: #11237)
Install python-dogtail, to enable accessibility technologies in our automated test suite. (Part of: #10721)
Install libdrm and mesa from jessie-backports. (Closes: #11303)
Remove hledger. (Closes: #11346)
Don't pre-configure the #tails chan on the default OFTC account. (Part of: #11306)
Install onioncircuits from jessie-backports. (Closes: #11443)
Remove nmh. (Closes: #10477)
Drop Debian experimental APT source: we don't use it.
Use APT codenames (e.g. "stretch") instead of suites, to be compatible with our tagged APT snapshots.
Drop module-assistant hook and its cleanup. We've not been using it since 2010.
Remove 'Reboot' and 'Power Off' entries from Applications → System Tools. (Closes: #11075)
Pin our custom APT repo to the same level as Debian ones, and explicitly pin higher the packages we want to pull from our custom APT repo, when needed.
config/chroot_local-hooks/59-libdvd-pkg: verify libdvdcss package installation. (Closes: #11420)
Make Tails Upgrader use our new mirror pool design. (Closes: #11123)

New in Tails 2.4 RC1 (May 26, 2016)

Major new features and changes:
Upgrade Tor Browser to 6.0 based on Firefox 45.2. (Closes: #11403).
Enable Icedove's automatic configuration wizard. We patch the wizard to only use secure protocols when probing, and only accept secure protocols, while keeping the improvements done by TorBirdy in its own non-automatic configuration wizard. (Closes: #6158, #11204)
Bugfixes:
Enable Packetization Layer Path MTU Discovery for IPv4. If any system on the path to the remote host has a MTU smaller than the standard Ethernet one, then Tails will receive an ICMP packet asking it to send smaller packets. Our firewall will drop such ICMP packets to the floor, and then the TCP connection won't work properly. This can happen to any TCP connection, but so far it's been reported as breaking obfs4 for actual users. Thanks to Yawning for the help! (Closes: #9268)
Make Tails Upgrader ship other locales than English. (Closes: #10221)
Minor improvements:
Icedove improvements:
Stop patching in our default into Torbirdy. We've upstreamed some parts, and the rest we set with pref branch overrides in /etc/xul-ext/torbirdy.js. (Closes: #10905)
Use hkps keyserver in Engimail. (Closes: #10906)
Default to POP if persistence is enabled, IMAP if not. (Closes: #10574)
Disable remote email account creation in Icedove. (Closes: #10464)
Firewall hardening (Closes: #11391):
Don't accept RELATED packets. This enables quite a lot of code in the kernel that we don't need. Let's reduce the attack surface a bit.
Restrict debian-tor user to NEW TCP syn packets. It doesn't need to do more, so let's do a little bit of security in depth.
Disable netfilter's nf_conntrack_helper.
Fix disabling of automatic conntrack helper assignment.
Kernel hardening:
Set various kernel boot options: slab_nomerge slub_debug=FZ mce=0 vsyscall=none. (Closes: #11143)
Remove the kernel .map files. These are only useful for kernel debugging and slightly make things easier for malware, perhaps and otherwise just occupy disk space. Also stop exposing kernel memory addresses through /proc etc. (Closes: #10951)
Drop zenity hacks to "focus" the negative answer. Jessie's zenity introduced the --default-cancel option, finally! (Closes: #11229)
Drop useless APT pinning for Linux.
Remove gnome-tweak-tool. (Closes: #11237)
Install python-dogtail, to enable accessibility technologies in our automated test suite. (Part of: #10721)
Install libdrm and mesa from jessie-backports. (Closes: #11303)
Remove hledger. (Closes: #11346)
Don't pre-configure the #tails chan on the default OFTC account. (Part of: #11306)
Install onioncircuits from jessie-backports. (Closes: #11443)
Remove nmh. (Closes: #10477)
Drop Debian experimental APT source: we don't use it.
Use APT codenames (e.g. "stretch") instead of suites, to be compatible with our tagged APT snapshots.
Drop module-assistant hook and its cleanup. We've not been using it since 2010.
Remove 'Reboot' and 'Power Off' entries from Applications → System Tools. (Closes: #11075)
Pin our custom APT repo to the same level as Debian ones, and explicitly pin higher the packages we want to pull from our custom APT repo, when needed.
config/chroot_local-hooks/59-libdvd-pkg: verify libdvdcss package installation. (Closes: #11420)
Make Tails Upgrader use our new mirror pool design. (Closes: #11123)

New in Tails 2.3 (Apr 26, 2016)

New in Tails 2.2 (Mar 9, 2016)

New in Tails 2.2 RC1 (Feb 26, 2016)

New in Tails 2.0 (Jan 27, 2016)

New in Tails 2.0 RC1 (Jan 13, 2016)

New in Tails 1.8.2 (Jan 10, 2016)

New in Tails 2.0 Beta 1 (Dec 23, 2015)

New in Tails 1.8 (Dec 16, 2015)

New in Tails 1.7 (Nov 4, 2015)

New in Tails 1.6 (Sep 22, 2015)

New in Tails 1.5.1 (Aug 28, 2015)

New in Tails 1.5 (Aug 12, 2015)

New in Tails 1.5 RC1 (Aug 7, 2015)

Major new features:
Move LAN web browsing from Tor Browser to the Unsafe Browser, and forbid access to the LAN from the former.
Install a 32-bit GRUB EFI boot loader. This at least works on some Intel Baytrail systems.
Upgrade Tor Browser to 5.0a4-build3.
Security fixes:
Fix panic mode on MAC spoofing failure.
Deny Tor Browser access to global tmp directories with AppArmor.
Tails Installer: don't use a predictable file name for the subprocess error log.
Pidgin AppArmor profile: disable the launchpad-integration abstraction.
Use aliases so that our AppArmor policy applies to /lib/live/mount/overlay/ and /lib/live/mount/rootfs/*.squashfs/ as well as it applies to /.
Upgrade Linux to 3.16.7-ckt11-1+deb8u2.
Upgrade bind9-host, dnsutils and friends to 1:9.8.4.dfsg.P1-6+nmu2+deb7u6.
Upgrade cups-filters to 1.0.18-2.1+deb7u2.
Upgrade ghostscript to 9.05~dfsg-6.3+deb7u2.
Upgrade libexpat1 to 2.1.0-1+deb7u2.
Upgrade libicu48 to 4.8.1.1-12+deb7u3.
Upgrade libwmf0.2-7 to 0.2.8.4-10.3+deb7u1.
Upgrade openjdk-7 to 7u79-2.5.6-1~deb7u1.
Bugfixes:
Upgrade Tor to 0.2.6.10-1~d70.wheezy+1+tails1.
Minor improvements:
Tails Installer: let the user know when it has rejected a candidate destination device because it is too small.
Tails Installer: prevent users from trying to "upgrade" a device that contains no Tails, or that was not installed with Tails Installer.
Install libotr5 and pidgin-otr 4.x from wheezy-backports. This adds support for the OTRv3 protocol and for multiple concurrent connections to the same account.
Skip warning dialog when starting Tor Browser while being offline, in case it is already running. Thanks to Austin English for the patch!
Install the apparmor-profiles package, but don't ship a bunch of AppArmor profiles we don't use, to avoid increasing boot time.
Ship a /etc/apparmor.d/tunables/home.d/tails snippet, instead of patching /etc/apparmor.d/tunables/home.
live-boot: don't mount tmpfs twice on /live/overlay, so that the one which is actually used as the read-write branch of the root filesystem's union mount, is visible.

New in Tails 1.4 (May 13, 2015)

New features:
Tor Browser 4.5 now has a security slider that you can use to disable browser features, such as JavaScript, as a trade-off between security and usability. The security slider is set to low by default to provide the same level of security as previous versions and the most usable experience.
We disabled in Tails the new circuit view of Tor Browser 4.5 for security reasons. You can still use the network map of Vidalia to inspect your circuits.
Tails OpenPGP Applet now has a shortcut to the gedit text editor, thanks to Ivan Bliminse.
Paperkey lets you print a backup of your OpenPGP secret keys on paper.
Upgrades and changes:
Tor Browser 4.5 protects better against third-party tracking. Often when visiting a website, many connections are created to transfer both the content of the main website (its page, images, and so on) and third-party content from other websites (advertisements, Like buttons, and so on). In Tor Browser 4.5, all such content, from the main website as well as the third-party websites, goes through the same Tor circuits. And these circuits are not reused when visiting a different website. This prevents third-party websites from correlating your visits to different websites.
Tor Browser 4.5 now keeps using the same Tor circuit while you are visiting a website. This prevents the website from suddenly changing language, behavior, or logging you out.
Disconnect is the new default search engine. Disconnect provides Google search results to Tor users without captchas or bans.
Better support for Vietnamese in LibreOffice through the installation of fonts-linuxlibertine.
Disable security warnings when connecting to POP3 and IMAP ports that are mostly used for StartTLS nowadays.
Support for more printers through the installation of printer-driver-gutenprint.
Upgrade Tor to 0.2.6.7.
Upgrade I2P to 0.9.19 that has several fixes and improvements for floodfill performance.
Remove the obsolete #i2p-help IRC channel from Pidgin.
Remove the command line email client mutt and msmtp.
There are numerous other changes that might not be apparent in the daily operation of a typical user.
Fixed problems:
Make the browser theme of the Windows 8 camouflage compatible with the Unsafe Browser and the I2P Browser.
Remove the Tor Network Settings... from the Torbutton menu.
Better support for Chromebook C720-2800 through the upgrade of syslinux.
Fix the localization of Tails Upgrader.
Fix the OpenPGP key servers configured in Seahorse.
Prevent Tor Browser from crashing when Orca is enabled.

New in Tails 1.4 RC1 (May 4, 2015)

Major new features:
Upgrade Tor Browser to 4.5, which introduces many major new features for usability, security and privacy. Unfortunately its per-tab circuit view did not make it into Tails yet since it requires exposing more Tor state to the user running the Tor Browser than we are currently comfortable with. (Closes: ticket #9031)
Upgrade Tor to 0.2.6.7-1~d70.wheezy+1+tails2. Like in the Tor bundled with the Tor Browser, we patch it so that circuits used for SOCKSAuth streams have their lifetime increased indefinitely while in active use. This currently only affects the Tor Browser in Tails, and should improve the experience on certain websites that otherwise would switch language or log you out every ten minutes or so when Tor switches circuit. (Closes: ticket #7934)
Security fixes:
Upgrade Linux to 3.16.7-ckt9-3.
Upgrade curl to 7.26.0-1+wheezy13.
Upgrade dpkg to 1.16.16.
Upgrade gstreamer0.10-plugins-bad to 0.10.23-7.1+deb7u2.
Upgrade libgd2-xpm to 2.0.36~rc1~dfsg-6.1+deb7u1.
Upgrade openldap to 2.4.31-2.
Upgrade LibreOffice to 1:3.5.4+dfsg2-0+deb7u4.
Upgrade libruby1.9.1 to 1.9.3.194-8.1+deb7u5.
Upgrade libtasn1-3 to 2.13-2+deb7u2.
Upgrade libx11 to 2:1.5.0-1+deb7u2.
Upgrade libxml-libxml-perl to 2.0001+dfsg-1+deb7u1.
Upgrade libxml2 to 2.8.0+dfsg1-7+wheezy4.
Upgrade OpenJDK to 7u79-2.5.5-1~deb7u1.
Upgrade ppp to 2.4.5-5.1+deb7u2.
Bugfixes:
Make the Windows 8 browser theme compatible with the Unsafe and I2P browsers. (Closes: ticket #9138)
Hide Torbutton's "Tor Network Settings..." context menu entry. (Closes: ticket #7647)
Upgrade the syslinux packages to support booting Tails on Chromebook C720-2800. (Closes: ticket #9044)
Enable localization in Tails Upgrader. (Closes: ticket #9190)
Make sure the system clock isn't before the build date during early boot. Our live-config hook that imports our signing keys depend on that the system clock isn't before the date when the keys where created. (Closes: ticket #9149)
Set GNOME's OpenPGP keys via desktop.gnome.crypto.pgp to prevent us from getting GNOME's default keyserver in addition to our own. (Closes: ticket #9233)
Prevent Firefox from crashing when Orca is enabled: grant it access to assistive technologies in its Apparmor profile. (Closes: ticket #9261)
Add Jessie APT source. (Closes: ticket #9278)
Fix set_simple_config_key(). If the key already existed in the config file before the call, all other lines would be removed due to the sed option -n and p combo. (Closes: ticket #9122)
Minor improvements:
Upgrade I2P to 0.9.19-3~deb7u+1. (Closes: ticket #9229)
Install Tor Browser's bundled Torbutton instead of custom .deb. As of Torbutton 1.9.1.0 everything we need has been upstreamed.
Install Tor Browser's bundled Tor Launcher instead of our in-tree version. With Tor 0.2.6.x our custom patches for the ClientTransportPlugin hacks are not needed any more. (Closes: ticket #7283)
Don't install msmtp and mutt. (Closes: ticket #8727)
Install fonts-linuxlibertine for improved Vietnamese support in LibreOffice. (Closes: ticket #8996)
Remove obsoletete #i2p-help IRC channel from the Pidgin configuration (Closes: ticket #9137)
Add Gedit shortcut to gpgApplet's context menu. Thanks to Ivan Bliminse for the patch. (Closes: ticket #9069).
Install printer-driver-gutenprint to support more printer models. (Closes: ticket #8994).
Install paperkey for off-line OpenPGP key backup. (Closes: ticket #8957)
Hide the Tor logo in Tor Launcher. (Closes: ticket #8696)
Remove useless log() instance in tails-unblock-network. (Closes: ticket #9034)

New in Tails 1.3.2 (Mar 31, 2015)

New in Tails 1.3.1 (Mar 23, 2015)

New in Tails 1.3 (Feb 25, 2015)

New in Tails 1.3 RC1 (Feb 13, 2015)

New in Tails 1.2.3 (Jan 15, 2015)

New in Tails 1.1.1 (Sep 2, 2014)

New in Tails 1.1 (Jul 23, 2014)

New in Tails 1.1 RC1 (Jul 15, 2014)

New in Tails 1.1 Beta 1 (May 30, 2014)

New in Tails 1.0 (Apr 29, 2014)

New in Tails 0.23 RC1 (Mar 8, 2014)

Major improvements:
Spoof the network interfaces' MAC address by default (Closes: ticket #5421), as specified in our on design document .
Rework the way to configure how Tor connects to the network (bridges, proxies, restrictive firewalls): add an option to Tails Greeter, start Tor Launcher when needed (Closes: ticket #5920, ticket #5343).
Bugfixes:
Additional software: do not crash when persistence is disabled (Closes: ticket #6440).
Upgrade Pidgin to 2.10.9, that fixes some regressions introduced in the 2.10.8 security update (Closes: ticket #6661).
Wait for Tor to have fully bootstrapped, plus a bit more time, before checking for upgrades (Closes: ticket #6728) and unfixed known security issues.
Disable the Intel Management Engine Interface driver (Closes: ticket #6460). We don't need it in Tails, it might be dangerous, and it causes bugs on various hardware such as systems that reboot when asked to shut down.
Add a launcher for the Tails documentation. This makes it available in Windows Camouflage mode (Closes: ticket #5374, ticket #6767).
Remove the obsolete wikileaks.de account from Pidgin (Closes: ticket #6807).
Minor improvements:
Upgrade Tor to 0.2.4.21-1~d60.squeeze+1.
Upgrade obfsproxy to 0.2.6-2~~squeeze+1.
Upgrade I2P to 0.9.11-1deb6u1.
Install 64-bit kernel instead of the 686-pae one (Closes: ticket #5456). This is a necessary first step towards UEFI boot support.
Install Monkeysign (in a not-so-functional shape yet).
Disable the autologin text consoles (Closes: ticket #5588). This was one of the blockers before a screen saver can be installed in a meaningful way (ticket #5684).
Don't localize the text consoles anymore: it is broken on Wheezy, the intended users can as well use loadkeys, and we now do not have to trust setupcon to be safe for being run as root by the desktop user.
Make it possible to manually start IBus.
Reintroduce the possibility to switch identities in the Tor Browser, using a filtering proxy in front of the Tor ControlPort to avoid giving full control over Tor to the desktop user (Closes: ticket #6383).
Incremental upgrades improvements:
Drop the Tails Upgrader launcher, to limit users' confusion (Closes: ticket #6513).
Lock down sudo credentials a bit.
Hide debugging information (Closes: ticket #6505).
Include ~/.xsession-errors in WhisperBack bug reports. This captures the Tails Upgrader errors and debugging information.
Report more precisely why an incremental upgrade cannot be done (Closes: ticket #6575).
Various user interface and phrasing improvements.
Don't install the Cookie Monster browser extension (Closes: ticket #6790).
Add a browser bookmark pointing to Tor's Stack Exchange (Closes: ticket #6632).
Remove the preconfigured #tor channel from Pidgin: apparently, too many Tails users go ask Tails questions there, without making it clear that they are running Tails, hence creating a user-support nightmare (Closes: ticket #6679).
Use (most of) Tor Browser's mozconfig (Closes: ticket #6474).
Rebase the browser on top of iceweasel 24.3.0esr-1, to get the certificate authorities added by Debian back (Closes: ticket #6704).
Give access to the relevant documentation pages from Tails Greeter.
Hide Tails Greeter's password mismatch warning when entry is changed.
Persistent Volume Assistant:
Take into account our installer is now called Tails Installer.
Optimize window height (Closes: ticket #5458).
Display device paths in a more user-friendly way (Closes: ticket #5311).
Build system:
Ease updating POT and PO files at release time, and importing translations from Transifex (Closes: ticket #6288, ticket #6207).
Drop custom poedit backport, install it from squeeze-backports-sloppy.
Make ISO and IUK smaller (Closes: ticket #6390, ticket #6425):
Exclude more files from being included in the ISO.
Remove *.pyc later so that they are not recreated.
Truncate log files later so that they are not filled again.
At ISO build time, set mtime to the epoch for large files whose content generally does not change between releases. This forces rsync to compare the actual content of these files, when preparing an IUK, instead of blindly adding it to the IUK merely because the mtime has changed, while the content is the same.
Make local hooks logging consistent.
Test suite:
Migrate from JRuby to native Ruby + rjb.
The test suite can now be run on Debian Wheezy + backports.
Fix buggy "persistence is not enabled" step (Closes: ticket #5465).
Use IPv6 private address as of RFC 4193 for the test suite's virtual network. Otherwise dnsmasq from Wheezy complains, as it is not capable of handling public IPv6 addresses.
Delete volumes after each scenario unless tagged @keep_volumes.
Add an anti-test to make sure the memory erasure test works fine.
A *lot* of bugfixes, simplifications and robustness improvements.

New in Tails 0.22.1 (Feb 4, 2014)

New in Tails 0.22.1 RC1 (Jan 11, 2014)

New in Tails 0.22 (Dec 12, 2013)

New in Tails 0.22 RC1 (Dec 2, 2013)

New in Tails 0.21 (Oct 30, 2013)

New in Tails 0.21 RC1 (Oct 21, 2013)

New in Tails 0.20 (Aug 9, 2013)

New in Tails 0.19 (Jun 27, 2013)

New in Tails 0.18 (May 19, 2013)

New in Tails 0.17.2 (Apr 10, 2013)

New in Tails 0.17.1 (Mar 25, 2013)

New in Tails 0.17 (Feb 26, 2013)

New in Tails 0.16 (Jan 12, 2013)

New in Tails 0.15 (Nov 29, 2012)

New in Tails 0.12 (Jun 18, 2012)

New in Tails 0.10.1 (Feb 2, 2012)

New in Tails 0.10 (Jan 6, 2012)

Tor: upgrade to 0.2.2.35-1.
Iceweasel
Install Iceweasel 9.0 from the Debian Mozilla team's APT repository.
Update Torbutton to 1.4.5.1-1.
Support viewing any YouTube video that is available in HTML5 format.
Use Scroogle (any languages) instead of Scroogle (English only) when booted in English. Many users choose English because their own language is not supported yet; let's not hide them search results in their own language.
Install the NoScript Firefox extension; configure it the same way as the TBB does.
Disable third-party cookies. They can be used to track users, which is bad. Besides, this is what TBB has been doing for years.
Do not transparently proxy outgoing Internet connections through Tor. Instead drop all non-Torified Internet traffic. Hence applications has to be explicitly configured to use Tor in order to reach the Internet from now on.
Software
Upgrade Vidalia to 0.2.15-1+tails1. This version will not warn about new Tor versions (this is handled by Tails security check instead).
Upgrade MAT to 0.2.2-1~bpo60+1.
Upgrade VirtualBox guest software to 4.1.6-dfsg-2~bpo60+1, built against the ABI of X.Org backports.
Upgrade I2P to 0.8.11; the start script (which was broken in Tails 0.9) is now fixed.
Install unar (The Unarchiver) instead of the non-free unrar.
Install Nautilus Wipe instead of custom Nautilus scripts.
Hardware support
Upgrade Linux kernel to 3.1.6-1.
Upgrade to X.Org from squeeze-backports.
Install more, and more recent b43 firmwares.
Upgrade barry to 0.15-1.2~bpo60+1.
Internationalization
Add basic language support for Russian, Farsi and Vietnamese.
Install some Indic fonts.
Install some Russian fonts.
Add Alt+Shift shortcut to switch keyboard layout.
Miscellaneous
Support booting in "Windows XP-like camouflage mode".
Do not fetch APT translation files. Running apt-get update is heavy enough.
Add MSN support thanks to msn-pecan.
Add custom SSH client configuration:
Prefer strong ciphers and MACs.
Enable maximum compression level.
Explicitly disable X11 forwarding.
Connect as root by default, to prevent fingerprinting when username was not specified.
Replace flawed FireGPG with a home-made GnuPG encryption applet; install a feature-stripped FireGPG that redirects users to the documentation, and don't run Seahorse applet anymore.
Blank screen when lid is closed, rather than shutting down the system. The shutdown "feature" has caused data losses for too many people, it seems. There are many other ways a Tails system can be shut down in a hurry these days.
Fix bug in the Pidgin nick generation that resulted in the nick "XXX_NICK_XXX" once out of twenty.
Pre-configure the #tor IRC discussion channel in Pidgin.
Reintroduce the htpdate notification, telling users when it's safe to use Tor Hidden Services.
Various htpdate improvements.

New in Tails 0.9 (Nov 17, 2011)

Tor:
Upgrade to 0.2.2.34. This fixes CVE-2011-2768 and CVE-2011-2769 which prompted for manual updates for users of Tails 0.8.1.
Suppress Tor's warning about applications doing their own DNS lookups. Some users have reported concerns about these warnings, but it should be noted that they are completely harmless inside Tails as its system DNS resolver is Torified.
Linux 3.0.0-6, which fixed a great number of bugs and security issues.
Iceweasel:
Upgrade to 3.5.16-11 ((fixes CVE-2011-3647, CVE-2011-3648, CVE-2011-3650).
Torbutton: upgrade to 1.4.4.1-1, including support for the in-browser "New identity" feature.
FireGPG: upgrade to 0.8-1+tails2. Users are notified that the FireGPG Text Editor is the only safe place for performing cryptographic operations, and these operations has been disabled in other places. Performing them outside of the editor opens up several severe attacks through JavaScript (e.g. leaking plaintext when decrypting, signing messages written by the attacker).
Replace CS Lite with Cookie Monster for cookie management. Cookie Monster has an arguably nicer interface, is being actively maintained and is packaged in Debian.
Software:
Install MAT, the Metadata Anonymisation Toolkit. Its goal is to remove file metadata which otherwise could leak information about you in the documents and media files you publish. This is the result of a Tails developer's suggestion for GSoC 2011, although it ended up being mentored by The Tor Project.
Upgrade WhisperBack to 1.5~rc1. Users are guided how to send their bug reports through alternative channels upon errors sending them. This will make bug reporting easier when there's no network connection available.
Upgrade TrueCrypt to 7.1.
Miscellaneous:
The date and time setting system was completely reworked. This should prevent time syncing issues that may prevent Tor from working properly, which some users have reported. The new system will not leave a fingerprintable network signature, like the old system did. Previously that signature could be used to identify who is using Tails (but not deanonymize them).
Erase memory at shutdown: run many instances of the memory wiper. Due to architectural limitations of i386 a process cannot access all memory at the same time, and hence a single memory wipe instance cannot clear all memory.
Saner keyboard layouts for Arabic and Russian.
Use Plymouth text-only splash screen at boot time.

New in Tails 2008.1-r1 (Oct 6, 2008)