Tails

#7 Updated by cbrownstein 2017-11-07 08:45:10

I believe the following issue is unrelated to this ticket, but I noticed it while reviewing: /lib/js/mirror-dispatcher.js is being sourced but is nonexistent. It appears to be brought in by wiki/src/templates/page.tmpl at line 26.

#12 Updated by sajolida 2017-11-10 18:36:55

Pending issues:

• Integrate the mirror pool
• Add missing BitTorrent explanation
• Add missing download links

#17 Updated by cbrownstein 2017-11-17 02:44:37

> Verifying using OpenPGP but without authenticating our signing key through the OpenPGP Web of Trust is equivalent in terms of security to verifying using our browser extension or BitTorrent because it relies on downloading a genuine signing key from our website.

I’m going to try to clean that up. That’s a lot of words in one sentence.

> Authenticating our signing key through the OpenPGP Web of Trust is the only verification technique that can protect you in case our website is compromised. It is also the most complicated technique and might not be possible for everyone to perform because it relies on trust relationships between individuals.

These sentences seem to suggest that authenticating the Tails signing key is a verification technique, which it isn’t. I propose to rewrite these sentences as follows: “Authenticating our signing key through the OpenPGP Web of Trust is the only way you can be protected in case our website is compromised. However, it is complicated to do this and it might not be possible for everyone because it relies on trust relationships between individuals.”

I’m maintaining a branch here:

https://github.com/cbrownstein/tails/tree/web/14630-adjust-to-new-verification-extension

#19 Updated by sajolida 2017-11-17 15:34:24

Ah, and I also removed 8da9a5a4c1 from my branch and then only cherry-picked your 3 commits on top. I wanted to keep 8da9a5a4c1 as the very last commit before the release and I shouldn’t have pushed it to the main repo yesterday. Sorry about that!

This means that I will do a push --force and that you’ll have to be careful when fetching my changes. Maybe do git fetch and the git reset --hard origin/web/14630-adjust-to-new-verification-extension but make sure that you don’t have any local changes that you didn’t push yet (if you have some just push your branch as usual and I’ll deal with the mess).

#21 Updated by spriver 2017-11-19 18:14:31

My reviewing and remarks (beside the already awesome work done (: ), based on web/14630-adjust-to-new-verification-extension, which differs a bit from https://tails.boum.org/install/download_2:

Direct download

• the sentence “I already downloaded Tails 3.3 .” looks a bit weird to me because of the period at the end (which implies that there might be a following sentence. Perhaps it’s a bit more weird looking for me because of the whitespace before the period at the end). Maybe that’s some weird nitpicking (:

BitTorrent download:

• we actually don’t tell users what to do with the BitTorrent file. We explain what BitTorrent and it’s client are but neither direct users to open the .torrent file, nor what the content of the torrent archive actually is (maybe the last point I mentioned is not necessary as the only needed file is the .iso. But at least we’re not explaining that the downloaded torrent folder is containing the .iso file which is later needed for installation/upgrading/whatever)

Verifying with OpenPGP:

• we don’t tell users that the necessary tools (GPG4Win/GPGTools) have to be installed first. Maybe this explanation is not needed, as verifying via OpenPGP is for more skilled persons (perhaps we should mark it then as a verification method for skilled users who understand what a OpenPGP signature, etc. is).

• the whole section “Verify using OpenPGP (optional)” looks a bit “huge” and important (in comparison to the " Download and verify" section). It’s only optional so it maybe should be grayed out in a way similar to the upper sections

• the screenshot verifying_in_tails.png does not comply with our screenshot guidelines (https://tails.boum.org/contribute/how/documentation/guidelines/#index5h1).

I checked links, etc. which are fine for me, I could not find anything suspicious. Translations are also fine, also translating the newly added content (tried with strings in several places). There might be some inline translation errors due to the known ikiwiki bug, but let’s see, I did not try a whole translation of the page as I don’t have one so far.

#22 Updated by sajolida 2017-11-26 18:54:19

> * the sentence “I already downloaded Tails 3.3 .” looks a bit weird to me because of the period at the end (which implies that there might be a following sentence. Perhaps it’s a bit more weird looking for me because of the whitespace before the period at the end). Maybe that’s some weird nitpicking (:

Cody also said that to me. Sorry! My rationale here is that it deserve a
period because it’s a full sentence, with a subject, a verb and all.
The other bits of text on the page are either heading or button labels
without being full sentences.

See for example the homepage of Facebook (https://www.facebook.com/).
They write:

• Create Account: not a complete sentence, button label → no period.
• Create a Page for a celebrity, band or business.: complete sentence,
  not a button label → period.

> BitTorrent download:
> * we actually don’t tell users what to do with the BitTorrent file. We explain what BitTorrent and it’s client are but neither direct users to open the .torrent file, nor what the content of the torrent archive actually is (maybe the last point I mentioned is not necessary as the only needed file is the .iso. But at least we’re not explaining that the downloaded torrent folder is containing the .iso file which is later needed for installation/upgrading/whatever)

I’m not super convinced but I added a note in f390c808a8. I’m putting
this in the branch for Feature #14921 so that Cody has only one branch to review
from now on.

> Verifying with OpenPGP:
> * we don’t tell users that the necessary tools (GPG4Win/GPGTools) have to be installed first. Maybe this explanation is not needed, as verifying via OpenPGP is for more skilled persons (perhaps we should mark it then as a verification method for skilled users who understand what a OpenPGP signature, etc. is).

Keep in mind that we’re adding these instructions here as a reminder for
people who already know these tools but not as full instructions. And
clearly, if you don’t have OpenPGP installed, you’re not the target
audience for these instructions.

> * the whole section “Verify using OpenPGP (optional)” looks a bit “huge” and important (in comparison to the " Download and verify" section). It’s only optional so it maybe should be grayed out in a way similar to the upper sections

I could be grayed at the beginning (before clicking on the download)
like the other verification methods. I’ll try to do that in Feature #14921, thanks!

> * the screenshot verifying_in_tails.png does not comply with our screenshot guidelines (https://tails.boum.org/contribute/how/documentation/guidelines/#index5h1).

Moving this to Feature #14921.

> I checked links, etc. which are fine for me, I could not find anything suspicious. Translations are also fine, also translating the newly added content (tried with strings in several places). There might be some inline translation errors due to the known ikiwiki bug, but let’s see, I did not try a whole translation of the page as I don’t have one so far.

Cool! Thanks for triple checking!

#23 Updated by sajolida 2017-11-27 00:37:51

>> the whole section “Verify using OpenPGP (optional)” looks a bit “huge” and important (in comparison to the " Download and verify" section). It’s only optional so it maybe should be grayed out in a way similar to the upper sections

> I could be grayed at the beginning (before clicking on the download)
like the other verification methods. I’ll try to do that in Feature #14921, thanks!

Nah, I tried to do that and it was too complicated to be worth it.