Feature #8447

Propose to delete data from a persistence feature when it is deactivated

Added by sajolida 2014-12-16 12:09:25 . Updated 2019-01-23 10:38:14 .

Status:
Confirmed
Priority:
Normal
Assignee:
Gaff
Category:
Persistence
Target version:
Start date:
2014-12-16
Due date:
% Done:

0%

Feature Branch:
Type of work:
Code
Blueprint:

Starter:
Affected tool:
Deliverable for:

Description

When you deactivate a persistence feature, the corresponding data is not erased from the persistent volume. This is nothing new, but I’m realizing that this is not made clear to the user and this is a problem:

  • People might believe that this data has been deleted when it is not.
  • People might have bad surprises as Tails autoconnecting to networks that they had configured in the past but disabled since then.

First we should discuss whether we think that this is a problem, and its gravity. Then we can move on to proposing solutions: wiping disabled features by default, prompting the user to choose whether wiping or not, mentioning this in the documentation only, etc.


Subtasks


Related issues

Related to Tails - Feature #14544: Spend software developer time on smallish UX improvements In Progress 2018-08-31
Has duplicate Tails - Feature #12448: Propose to delete data from deactivated persistent features Duplicate 2017-04-14

History

#1 Updated by sajolida 2014-12-16 12:12:28

  • Description updated

#2 Updated by intrigeri 2014-12-16 21:58:36

sajolida wrote:
> * People might have bad surprises as Tails autoconnecting to networks that they had configured in the past but disabled since then.

Just to be clear: this shouldn’t happen for networks that were individually disabled, but only when one has disabled the Network Connections persistence preset entirely, right?

> First we should discuss whether we think that this is a problem, and its gravity.

Looks like a normal priority problem to me.

> Then we can move on to proposing solutions: wiping disabled features by default, prompting the user to choose whether wiping or not, mentioning this in the documentation only, etc.

Wiping by default seems to be out-of-question to me without a prompt. With a prompt, well, maybe that would be a fine place to draw the line, yeah.

Code-wise, I see only one obvious way to do it given how the codebase is opiniated. It would happen in the persistence-setup Git repo.

One would add what is called a “step” to the code, e.g. Tails::Persistence::Step::Clean, that takes some of its code as parameters from Tails::Persistence::Setup (what?! oh crap I wrote it). Learn the basics of Moose if needed, and see examples in the Tails::Persistence::Step:: namespace. The interaction with the data model would happen in Tails::Persistence::Configuration (saving the initial configuration, looking for removed atoms or lines — pick the best layer of abstraction, enjoy — between them). Plugging it all together would be done in Tails::Persistence::Setup.

Maybe an “Easy” code ticket?

Don’t be discouraged, at least another person (kurono) has already successfully patched it in non-trivial ways. Maybe he would be interested playing with it again :)

#3 Updated by BitingBird 2014-12-19 14:15:59

  • Type of work changed from Discuss to Code

+1 for the prompt.

#4 Updated by sajolida 2014-12-24 13:25:43

I think that this prompt should suggest that deleting data as the default option. It would be more like a confirmation prompt than a scary warning prompt.

It could be something like:

You are about to disable the following persistent features:

* Pidgin
* GnuPG

Do you want to securely delete the data associated with those features?

[Keep]                 [Delete]

#5 Updated by intrigeri 2014-12-24 15:41:53

> I think that this prompt should suggest that deleting data as the default option.
> It would be more like a confirmation prompt than a scary warning prompt.

Perfect, thanks!

#6 Updated by sajolida 2014-12-30 15:48:20

This has also been added to the agenda for the January meeting. We could use it to validate the current proposal but it seems like we have already reached a consensus here as the type of work has been changed from Discuss to Code.

#7 Updated by sajolida 2015-01-03 23:50:33

During the January meeting, we said that:

  • We acknowledged the proposal from comment 4.
  • We can’t really say “securely delete” on flash media. So that needs rephrasing.

https://tails.boum.org/contribute/meetings/201501/

#8 Updated by Anonymous 2017-06-29 14:32:19

  • Target version set to Hole in the Roof

#9 Updated by nodens 2017-09-06 18:05:16

  • Assignee set to nodens

Tentatively assigning this to myself, will look into it at the very least.

#10 Updated by Anonymous 2018-01-18 17:08:20

@nodens: are you still willing to look into this? If yes, good! If not, you can unassign yourself or find somebody else to take care of it.

#11 Updated by Anonymous 2018-01-18 18:31:58

  • related to Feature #12448: Propose to delete data from deactivated persistent features added

#12 Updated by nodens 2018-01-25 16:30:11

  • Assignee deleted (nodens)

I give up, at least for now: there is no way I’ll manage to find enough time for that in the coming weeks/months

#13 Updated by sajolida 2018-01-26 07:43:16

> I give up, at least for now: there is no way I’ll manage to find enough time for that in the coming weeks/months

Thanks for making that clear; and take care!

#14 Updated by sajolida 2018-07-03 17:10:59

  • related to Feature #14544: Spend software developer time on smallish UX improvements added

#15 Updated by Anonymous 2018-07-03 17:13:50

  • Assignee set to Gaff

Gaff will have a look.

#16 Updated by sajolida 2018-08-17 17:32:04

  • related to deleted (Feature #12448: Propose to delete data from deactivated persistent features)

#17 Updated by sajolida 2018-08-17 17:32:07

  • has duplicate Feature #12448: Propose to delete data from deactivated persistent features added

#18 Updated by sajolida 2018-08-17 17:33:32

  • Tracker changed from Bug to Feature
  • Subject changed from Persistent data is not erased when persistence features are disabled to Propose to delete data from a persistence feature when it is deactivated

#19 Updated by intrigeri 2019-01-23 10:38:14

One (corner?) case that can make this harder to implement: software may be started and using the very persistent data we want to delete; then all kinds of things can happen, e.g. the software misbehaving, data not being really deleted, the software re-saving it after it’s been deleted, etc. So the only way to do this reliably might be to store on the persistent volume a list of data that needs to be deleted next time the persistent volume is unlocked.