From 79c487ecead88e4be28360f121ac9dbb7e2fa2bc Mon Sep 17 00:00:00 2001 From: NubsCarson Date: Tue, 19 May 2026 02:55:30 +0000 Subject: [PATCH 1/4] fix elizaOS live polish and updater materialization --- .../milady-tails/scripts/security-smoke.sh | 6 ++ .../milady-tails/scripts/static-smoke.sh | 11 ++++ .../usr/lib/live/config/2000-aesthetics | 2 +- .../usr/lib/live/config/2000-import-gnupg-key | 4 +- .../usr/local/bin/milady | 2 +- .../usr/local/lib/elizaos/update-manager | 62 ++++++++++++++++--- .../desktop-directories/Tails.directory.in | 4 +- .../scripts/init-premount/partitioning | 4 +- .../read-and-update-random-seed-sector | 4 +- 9 files changed, 81 insertions(+), 18 deletions(-) diff --git a/packages/os/linux/variants/milady-tails/scripts/security-smoke.sh b/packages/os/linux/variants/milady-tails/scripts/security-smoke.sh index d5dabf586da84..6a62163f3db1c 100755 --- a/packages/os/linux/variants/milady-tails/scripts/security-smoke.sh +++ b/packages/os/linux/variants/milady-tails/scripts/security-smoke.sh @@ -301,6 +301,12 @@ require_fixed 'contains unlisted file' "${update_manager}" \ "update manager must reject files outside the signed runtime inventory" require_fixed 'runtime_store' "${update_manager}" \ "update manager must materialize verified runtimes into a root-owned store" +require_fixed 'os.O_NOFOLLOW' "${update_manager}" \ + "update manager must materialize files without following source symlinks" +require_fixed 'tempfile.mkstemp' "${update_manager}" \ + "update manager must materialize files through temporary files" +require_fixed 'verified runtime file changed while copying' "${update_manager}" \ + "update manager must re-check manifest digests during materialization" if grep -q 'ELIZAOS_ALLOW_RUNTIME_ENV_OVERRIDES' "${runtime_env}"; then fail "runtime selector must not expose caller-controlled runtime override escape hatches" fi 
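Review bot: The three added `require_fixed` checks appear to assert only that the literal strings `os.O_NOFOLLOW`, `tempfile.mkstemp` and `verified runtime file changed while copying` occur somewhere in the update manager, not that the copy path actually uses them. A comment or an unrelated call containing the same text would satisfy them, so they can stay green after the protection has regressed. I would keep them as a cheap tripwire and mark them with a comment such as `# presence-only: behaviour is covered by the materialization fixture test`. Pair that with a fixture-based test that runs the updater against a bundle whose declared file is a symlink, and one whose content differs from the manifest digest, expecting rejection in both cases.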
diff --git a/packages/os/linux/variants/milady-tails/scripts/static-smoke.sh b/packages/os/linux/variants/milady-tails/scripts/static-smoke.sh index ef356dd40fdf9..54cee2389174b 100755 --- a/packages/os/linux/variants/milady-tails/scripts/static-smoke.sh +++ b/packages/os/linux/variants/milady-tails/scripts/static-smoke.sh @@ -276,6 +276,17 @@ then echo "High-visibility inherited Tails strings still need elizaOS branding." >&2 exit 1 fi +if rg -n \ + 'Preparing Tails for first use|Checking the Tails system partition|Configuring Tails|Tails specific tools|Tails live user' \ + tails/config/chroot_local-includes/usr/share/initramfs-tools/scripts/init-premount/partitioning \ + tails/config/chroot_local-includes/usr/share/initramfs-tools/scripts/init-top/read-and-update-random-seed-sector \ + tails/config/chroot_local-includes/usr/lib/live/config/2000-aesthetics \ + tails/config/chroot_local-includes/usr/local/bin/milady \ + tails/config/chroot_local-includes/usr/share/desktop-directories/Tails.directory.in +then + echo "First-boot and launcher polish still exposes inherited Tails wording." >&2 + exit 1 +fi launcher_paths=( tails/config/chroot_local-includes/usr/share/applications/tails-documentation.desktop tails/config/chroot_local-includes/usr/share/applications/tails-backup.desktop diff --git a/packages/os/linux/variants/milady-tails/tails/config/chroot_local-includes/usr/lib/live/config/2000-aesthetics b/packages/os/linux/variants/milady-tails/tails/config/chroot_local-includes/usr/lib/live/config/2000-aesthetics index 07847f0ddbcb0..6948ae5090891 100755 --- a/packages/os/linux/variants/milady-tails/tails/config/chroot_local-includes/usr/lib/live/config/2000-aesthetics +++ b/packages/os/linux/variants/milady-tails/tails/config/chroot_local-includes/usr/lib/live/config/2000-aesthetics @@ -1,4 +1,4 @@ #!/bin/sh echo "" -echo "Configuring Tails" +echo "Configuring elizaOS" 
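Review bot: The added `if rg -n ...` check in static-smoke.sh passes silently whenever `rg` exits non-zero for any reason, including ripgrep not being installed on the runner or one of the five listed paths having been moved. Only a successful match takes the failing branch. The other assertions in this script use `grep -q`, so either switch to `grep -nE` with the same alternation, or guard the tool first with `command -v rg >/dev/null || { echo "rg is required" >&2; exit 1; }`. Whether an earlier part of the script already guarantees `rg` is not visible in this hunk.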
diff --git a/packages/os/linux/variants/milady-tails/tails/config/chroot_local-includes/usr/lib/live/config/2000-import-gnupg-key b/packages/os/linux/variants/milady-tails/tails/config/chroot_local-includes/usr/lib/live/config/2000-import-gnupg-key index 2b9aed3901352..37ca7806fa2f3 100755 --- a/packages/os/linux/variants/milady-tails/tails/config/chroot_local-includes/usr/lib/live/config/2000-import-gnupg-key +++ b/packages/os/linux/variants/milady-tails/tails/config/chroot_local-includes/usr/lib/live/config/2000-import-gnupg-key @@ -1,10 +1,10 @@ #!/bin/sh Import_GnuPG_key() { - echo "- importing Tails' GnuPG keys into the ${LIVE_USERNAME}'s keyring" + echo "- importing upstream live-OS GnuPG keys into the ${LIVE_USERNAME}'s keyring" sudo -H -u "${LIVE_USERNAME}" gpg --batch --import /usr/share/doc/tails/website/*.key - echo "- importing Tails help desk's GnuPG key into WhisperBack's keyring" + echo "- importing inherited feedback GnuPG key into WhisperBack's keyring" gpg --batch --no-default-keyring \ --keyring /usr/share/keyrings/whisperback-keyring.gpg \ --import /usr/share/doc/tails/website/tails-bugs.key diff --git a/packages/os/linux/variants/milady-tails/tails/config/chroot_local-includes/usr/local/bin/milady b/packages/os/linux/variants/milady-tails/tails/config/chroot_local-includes/usr/local/bin/milady index 26482e7fc1b4d..5435fbb5aea01 100755 --- a/packages/os/linux/variants/milady-tails/tails/config/chroot_local-includes/usr/local/bin/milady +++ b/packages/os/linux/variants/milady-tails/tails/config/chroot_local-includes/usr/local/bin/milady @@ -8,7 +8,7 @@ if [ "$(id -u)" -eq 0 ]; then fi if [ "$(id -un)" != "amnesia" ]; then - echo "elizaOS must run as the Tails live user 'amnesia'." >&2 + echo "elizaOS must run as the live user 'amnesia'." >&2 exit 1 fi 
diff --git a/packages/os/linux/variants/milady-tails/tails/config/chroot_local-includes/usr/local/lib/elizaos/update-manager b/packages/os/linux/variants/milady-tails/tails/config/chroot_local-includes/usr/local/lib/elizaos/update-manager index b87214814ec5e..2c825551ac7d1 100755 --- a/packages/os/linux/variants/milady-tails/tails/config/chroot_local-includes/usr/local/lib/elizaos/update-manager +++ b/packages/os/linux/variants/milady-tails/tails/config/chroot_local-includes/usr/local/lib/elizaos/update-manager @@ -149,6 +149,7 @@ import pathlib import re import shutil import shlex +import stat import sys import tempfile 
@@ -242,11 +243,44 @@ def ensure_safe_dir(path, field): fail(f"{field} must not be group/world writable") return path -def copy_verified_file(src, dst): +def copy_verified_file(src, dst, expected_sha256): dst.parent.mkdir(mode=0o755, parents=True, exist_ok=True) - shutil.copyfile(src, dst, follow_symlinks=False) - mode = src.stat().st_mode - os.chmod(dst, 0o755 if mode & 0o111 else 0o644) + if dst.parent.is_symlink(): + fail(f"destination parent must not be a symlink: {dst.parent}") + flags = os.O_RDONLY + if hasattr(os, "O_NOFOLLOW"): + flags |= os.O_NOFOLLOW + try: + src_fd = os.open(src, flags) + except OSError as exc: + fail(f"unable to open verified runtime file without following symlinks: {src}: {exc}") + tmp_name = None + try: + src_stat = os.fstat(src_fd) + if not stat.S_ISREG(src_stat.st_mode): + fail(f"verified runtime path is not a regular file: {src}") + tmp_fd, tmp_name = tempfile.mkstemp(prefix=f"{dst.name}.", dir=str(dst.parent)) + digest = hashlib.sha256() + with os.fdopen(src_fd, "rb", closefd=True) as src_handle, os.fdopen( + tmp_fd, + "wb", + closefd=True, + ) as dst_handle: + src_fd = -1 + for chunk in iter(lambda: src_handle.read(1024 * 1024), b""): + digest.update(chunk) + dst_handle.write(chunk) + actual = digest.hexdigest() + if actual.lower() != expected_sha256.lower(): + fail(f"verified runtime file changed while copying: {src}") + os.chmod(tmp_name, 0o755 if src_stat.st_mode & 0o111 else 0o644) + os.replace(tmp_name, dst) + tmp_name = None + finally: + if src_fd >= 0: + os.close(src_fd) + if tmp_name and os.path.exists(tmp_name): + os.unlink(tmp_name) def chown_tree_root(path): if os.geteuid() != 0: @@ -350,6 +384,7 @@ if runtime.get("filesComplete") is not True: fail("runtime.filesComplete must be true") hashed_entrypoint_paths = set() declared_files = {} +declared_hashes = {} for item in files: if not isinstance(item, dict): fail("runtime.files entries must be objects") 
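Review bot: In `copy_verified_file` the `hasattr(os, "O_NOFOLLOW")` guard fails open: where the flag is missing, the source is opened with plain `O_RDONLY` and a symlink is followed without any error. An updater should refuse instead, for example `if not hasattr(os, "O_NOFOLLOW"): fail("O_NOFOLLOW is required to materialize verified runtime files")`. `O_NOFOLLOW` also covers only the final path component, and `dst.parent.is_symlink()` only the immediate parent, so the function still depends on callers having validated the remaining components of both paths; a short docstring stating that would help. Separately, if the second `os.fdopen` raises, the first handle has already closed `src_fd` while the variable is still non-negative, so the `finally` block closes it a second time and `tmp_fd` leaks. Setting `src_fd = -1` immediately after wrapping it would avoid that.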
@@ -368,6 +403,7 @@ for item in files: if rel_text in declared_files: fail(f"runtime.files contains duplicate path: {rel_text}") declared_files[rel_text] = path + declared_hashes[rel_text] = expected.lower() for candidate in bundle_dir.rglob("*"): if candidate.is_symlink(): @@ -403,6 +439,7 @@ if floor_path.exists(): fail("manifest sequence is below the stored channel floor") model_catalog_path = "" +model_catalog_digest = "" model_catalog = manifest.get("modelCatalog") if model_catalog is not None: if not isinstance(model_catalog, dict): @@ -417,6 +454,7 @@ if model_catalog is not None: actual = file_sha256(catalog_path) if actual.lower() != expected.lower(): fail("model catalog hash mismatch") + model_catalog_digest = expected.lower() catalog = read_json(catalog_path, "modelCatalog") if catalog.get("schemaVersion") != 1 or catalog.get("kind") != "elizaos.modelCatalog": fail("model catalog kind/schemaVersion mismatch") @@ -432,14 +470,22 @@ else: tmp_runtime = tmp_store / "runtime" try: for rel_text, src in declared_files.items(): - copy_verified_file(src, tmp_runtime / pathlib.PurePosixPath(rel_text)) + copy_verified_file( + src, + tmp_runtime / pathlib.PurePosixPath(rel_text), + declared_hashes[rel_text], + ) node_modules_rel = pathlib.Path( os.path.relpath(resolved_entrypoints["nodeModules"], bundle_dir) ) (tmp_runtime / node_modules_rel).mkdir(mode=0o755, parents=True, exist_ok=True) - copy_verified_file(manifest_path, tmp_store / "manifest.json") + copy_verified_file(manifest_path, tmp_store / "manifest.json", manifest_digest) if model_catalog_path: - copy_verified_file(pathlib.Path(model_catalog_path), tmp_store / "model-catalog.json") + copy_verified_file( + pathlib.Path(model_catalog_path), + tmp_store / "model-catalog.json", + model_catalog_digest, + ) model_catalog_path = str(tmp_store / "model-catalog.json") chown_tree_root(tmp_store) for root, dirs, files in os.walk(tmp_store): 
@@ -463,7 +509,7 @@ if not materialized_manifest_path.is_file(): if file_sha256(materialized_manifest_path) != manifest_digest: fail("materialized update manifest hash mismatch") for rel_text, src in declared_files.items(): - expected = file_sha256(src) + expected = declared_hashes[rel_text] materialized_file = materialized_runtime / pathlib.PurePosixPath(rel_text) if materialized_file.is_symlink(): fail(f"materialized runtime contains unsupported symlink: {rel_text}") diff --git a/packages/os/linux/variants/milady-tails/tails/config/chroot_local-includes/usr/share/desktop-directories/Tails.directory.in b/packages/os/linux/variants/milady-tails/tails/config/chroot_local-includes/usr/share/desktop-directories/Tails.directory.in index 332a4c2b147f7..6629792e464d3 100644 --- a/packages/os/linux/variants/milady-tails/tails/config/chroot_local-includes/usr/share/desktop-directories/Tails.directory.in +++ b/packages/os/linux/variants/milady-tails/tails/config/chroot_local-includes/usr/share/desktop-directories/Tails.directory.in @@ -1,5 +1,5 @@ [Desktop Entry] -_Name=Tails -_Comment=Tails specific tools +_Name=elizaOS +_Comment=elizaOS live tools Icon=preferences-system Type=Directory diff --git a/packages/os/linux/variants/milady-tails/tails/config/chroot_local-includes/usr/share/initramfs-tools/scripts/init-premount/partitioning b/packages/os/linux/variants/milady-tails/tails/config/chroot_local-includes/usr/share/initramfs-tools/scripts/init-premount/partitioning index b5f29ade7ff4c..cf27c2f4e281e 100755 --- a/packages/os/linux/variants/milady-tails/tails/config/chroot_local-includes/usr/share/initramfs-tools/scripts/init-premount/partitioning +++ b/packages/os/linux/variants/milady-tails/tails/config/chroot_local-includes/usr/share/initramfs-tools/scripts/init-premount/partitioning 
@@ -90,7 +90,7 @@ GUID=$(sgdisk --print "${PARENT_DEVICE}" | if [ "${GUID}" = "17B81DA0-8B1E-4269-9C39-FE5C7B9B58A3" ]; then log "This is the first boot, so repartitioning" - PLYMOUTH_MSG="Preparing Tails for first use..." + PLYMOUTH_MSG="Preparing elizaOS for first use..." plymouth display-message --text="${PLYMOUTH_MSG}" if ! /scripts/lib/first_boot_repartition "${PARENT_DEVICE}" "${SYSTEM_PARTITION}"; then log "Repartitioning failed" @@ -109,7 +109,7 @@ else verify_partition_table log "This is not the first boot, so repairing filesystem" - PLYMOUTH_MSG="Checking the Tails system partition for errors..." + PLYMOUTH_MSG="Checking the elizaOS system partition for errors..." plymouth display-message --text="${PLYMOUTH_MSG}" repair_system_partition # `plymouth hide-message` doesn't work (#20401) diff --git a/packages/os/linux/variants/milady-tails/tails/config/chroot_local-includes/usr/share/initramfs-tools/scripts/init-top/read-and-update-random-seed-sector b/packages/os/linux/variants/milady-tails/tails/config/chroot_local-includes/usr/share/initramfs-tools/scripts/init-top/read-and-update-random-seed-sector index 4185e77192749..8145b10d45b65 100755 --- a/packages/os/linux/variants/milady-tails/tails/config/chroot_local-includes/usr/share/initramfs-tools/scripts/init-top/read-and-update-random-seed-sector +++ b/packages/os/linux/variants/milady-tails/tails/config/chroot_local-includes/usr/share/initramfs-tools/scripts/init-top/read-and-update-random-seed-sector 
@@ -74,13 +74,13 @@ log "Restoring random seed from LBA 34" dd bs=512 skip=34 count=1 status=none if="${PARENT_DEVICE}" of=/dev/urandom log "Random seed restored from LBA 34" -# We try to obfuscate the number of times Tails has been booted by +# We try to obfuscate the number of times elizaOS has been booted by # writing a random number of times (1-500) to the seed during the first # boot. if [ -n "${FIRST_BOOT:-}" ]; then ITERATIONS=$((1 + $(od -An -N2 -t uI /dev/urandom) % 500)) log "First boot, writing random seed $ITERATIONS times..." - PLYMOUTH_INIT_MSG="Preparing Tails for first use..." + PLYMOUTH_INIT_MSG="Preparing elizaOS for first use..." plymouth display-message --text="${PLYMOUTH_INIT_MSG}" # Debug output for the following loop would be too verbose From b2049849cad963ff02a8bff0814ac9a6b8840714 Mon Sep 17 00:00:00 2001 From: NubsCarson Date: Tue, 19 May 2026 03:10:39 +0000 Subject: [PATCH 2/4] make elizaOS live app staging reproducible --- .../os/linux/variants/milady-tails/Justfile | 62 ++++++++++++++++--- .../milady-tails/scripts/static-smoke.sh | 3 + 2 files changed, 57 insertions(+), 8 deletions(-) diff --git a/packages/os/linux/variants/milady-tails/Justfile b/packages/os/linux/variants/milady-tails/Justfile index 11061ac66bdd8..a46f43ecd69a8 100644 --- a/packages/os/linux/variants/milady-tails/Justfile +++ b/packages/os/linux/variants/milady-tails/Justfile 
@@ -37,23 +37,69 @@ setup: milady-app: #!/usr/bin/env bash set -euo pipefail - milady_root="$(cd ../../../../../.. && pwd)" - app_out="${milady_root}/eliza/packages/app-core/platforms/electrobun/build/dev-linux-x64/Milady-dev" + eliza_root="$(git rev-parse --show-toplevel)" + outer_root="$(cd "${eliza_root}/.." && pwd)" + app_out="${ELIZAOS_MILADY_APP_ARTIFACT:-${eliza_root}/packages/app-core/platforms/electrobun/build/dev-linux-x64/Milady-dev}" stage="tails/config/chroot_local-includes/usr/share/elizaos/milady-app" + + ensure_plugin_runtime_dist() { + local package_rel="$1" + local mode="$2" + local package_dir="${eliza_root}/${package_rel}" + local dist_index="${package_dir}/dist/index.js" + + if [ -s "${dist_index}" ]; then + return 0 + fi + + echo "Building ${package_rel} runtime dist for elizaOS Live" + case "${mode}" in + package-js) + ( cd "${package_dir}" && bun run build:js ) + ;; + tsup-index) + ( cd "${package_dir}" && bunx tsup src/index.ts --format esm --clean ) + ;; + *) + echo "Unknown runtime package build mode: ${mode}" >&2 + exit 1 + ;; + esac + + test -s "${dist_index}" || { + echo "missing ${dist_index} after runtime package build" >&2 + exit 1 + } + } + if [ ! -x "${app_out}/bin/launcher" ]; then if [ "${ELIZAOS_BUILD_MILADY_APP:-0}" != "1" ]; then echo "Milady app build not found at ${app_out}/bin/launcher" - echo "Build it separately, or rerun with ELIZAOS_BUILD_MILADY_APP=1 to permit this recipe to build it." + echo "Build it separately, set ELIZAOS_MILADY_APP_ARTIFACT, or rerun with ELIZAOS_BUILD_MILADY_APP=1 to permit this recipe to build it." 
exit 1 fi echo "Milady app build not found; ELIZAOS_BUILD_MILADY_APP=1 so building it now" - ( cd "${milady_root}" && bun install --no-frozen-lockfile --ignore-scripts ) - ( cd "${milady_root}" && bun install --cwd eliza --no-frozen-lockfile --ignore-scripts ) - ( cd "${milady_root}" && MILADY_ELIZA_SOURCE=local node scripts/setup-upstreams.mjs ) - ( cd "${milady_root}/eliza/packages/electrobun-carrots" && bun run build ) - ( cd "${milady_root}" && MILADY_ELIZA_SOURCE=local bun run build:desktop ) + ( cd "${eliza_root}" && bun install --no-frozen-lockfile --ignore-scripts ) + if [ -f "${outer_root}/package.json" ] && [ -d "${outer_root}/eliza" ]; then + ( cd "${outer_root}" && bun install --no-frozen-lockfile --ignore-scripts ) + ( cd "${outer_root}" && bun install --cwd eliza --no-frozen-lockfile --ignore-scripts ) + ( cd "${outer_root}" && MILADY_ELIZA_SOURCE=local node scripts/setup-upstreams.mjs ) + ( cd "${outer_root}/eliza/packages/electrobun-carrots" && bun run build ) + ( cd "${outer_root}" && MILADY_ELIZA_SOURCE=local bun run build:desktop ) + else + ( cd "${eliza_root}" && MILADY_ELIZA_SOURCE=local node packages/app-core/scripts/setup-upstreams.mjs ) + ( cd "${eliza_root}/packages/electrobun-carrots" && bun run build ) + ( cd "${eliza_root}" && \ + ELIZA_APP_NAME=Milady \ + ELIZA_APP_ID=ai.milady.milady \ + ELIZA_URL_SCHEME=milady \ + ELIZA_NAMESPACE=milady \ + bun run --cwd packages/app-core/platforms/electrobun build ) + fi fi test -x "${app_out}/bin/launcher" || { echo "missing ${app_out}/bin/launcher"; exit 1; } + ensure_plugin_runtime_dist "plugins/plugin-health" package-js + ensure_plugin_runtime_dist "plugins/plugin-calendly" tsup-index if [ -e "${stage}" ] && ! rm -rf "${stage}"; then sudo -n rm -rf "${stage}" fi diff --git a/packages/os/linux/variants/milady-tails/scripts/static-smoke.sh b/packages/os/linux/variants/milady-tails/scripts/static-smoke.sh index 54cee2389174b..91bcc955331d3 100755 
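Review bot: `ensure_plugin_runtime_dist` returns as soon as `dist/index.js` is non-empty, so a stale or locally modified dist from an earlier checkout is staged into the live image without a rebuild, which works against the reproducibility this commit is after. The `tsup-index` branch also runs `bunx tsup`, which can resolve tsup from the registry at build time when it is not installed locally, and the new `bun install --no-frozen-lockfile` in `eliza_root` lets the lockfile drift. Consider `bun install --frozen-lockfile --ignore-scripts` and invoking the repo-pinned tsup through a package script. A directory supplied via `ELIZAOS_MILADY_APP_ARTIFACT` is accepted once `bin/launcher` is executable, so its origin or a digest should be logged before it is staged. The recipe continues past the end of the hunk.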
--- a/packages/os/linux/variants/milady-tails/scripts/static-smoke.sh +++ b/packages/os/linux/variants/milady-tails/scripts/static-smoke.sh @@ -67,6 +67,9 @@ node --check scripts/generate-release-evidence.mjs node --check scripts/validate-model-catalog.mjs node --check scripts/validate-runtime-overlay.mjs node --check tails/config/chroot_local-includes/usr/local/lib/elizaos/renderer-server.mjs +grep -q 'ELIZAOS_MILADY_APP_ARTIFACT' Justfile +grep -q 'ensure_plugin_runtime_dist "plugins/plugin-health" package-js' Justfile +grep -q 'ensure_plugin_runtime_dist "plugins/plugin-calendly" tsup-index' Justfile python3 -m json.tool schemas/update-manifest.schema.json >/dev/null python3 -m json.tool schemas/model-catalog.schema.json >/dev/null python3 - \ From e7af75955c7a7300e548fc49a7ed69d7522f75e1 Mon Sep 17 00:00:00 2001 From: NubsCarson Date: Tue, 19 May 2026 03:16:28 +0000 Subject: [PATCH 3/4] vendor required Tails build data --- .../milady-tails/scripts/static-smoke.sh | 3 + .../debootstrap/scripts/debian-common.patch | 11 ++ .../milady-tails/tails/data/splash.png | Bin 0 -> 2291 bytes .../milady-tails/tails/data/splash.svg | 120 ++++++++++++++++++ .../milady-tails/tails/data/wrappers/apt-get | 71 +++++++++++ 5 files changed, 205 insertions(+) create mode 100644 packages/os/linux/variants/milady-tails/tails/data/debootstrap/scripts/debian-common.patch create mode 100644 packages/os/linux/variants/milady-tails/tails/data/splash.png create mode 100644 packages/os/linux/variants/milady-tails/tails/data/splash.svg create mode 100755 packages/os/linux/variants/milady-tails/tails/data/wrappers/apt-get diff --git a/packages/os/linux/variants/milady-tails/scripts/static-smoke.sh b/packages/os/linux/variants/milady-tails/scripts/static-smoke.sh index 91bcc955331d3..1be13a832c13a 100755 --- a/packages/os/linux/variants/milady-tails/scripts/static-smoke.sh +++ b/packages/os/linux/variants/milady-tails/scripts/static-smoke.sh 
@@ -28,6 +28,9 @@ stat_mode() { } echo "==> shell syntax" +test -f tails/data/debootstrap/scripts/debian-common.patch +test -f tails/data/splash.png +test -x tails/data/wrappers/apt-get bash -n build.sh build-iso.sh tails/auto/build \ scripts/dev-sign-update-manifest.sh \ scripts/usb-write.sh \ diff --git a/packages/os/linux/variants/milady-tails/tails/data/debootstrap/scripts/debian-common.patch b/packages/os/linux/variants/milady-tails/tails/data/debootstrap/scripts/debian-common.patch new file mode 100644 index 0000000000000..bb194bc6a3bde --- /dev/null +++ b/packages/os/linux/variants/milady-tails/tails/data/debootstrap/scripts/debian-common.patch @@ -0,0 +1,11 @@ +--- /usr/share/debootstrap/scripts/debian-common 2019-07-06 13:22:30.000000000 +0200 ++++ /usr/share/debootstrap/scripts/debian-common 2019-08-05 14:15:07.165451726 +0200 +@@ -217,4 +217,8 @@ + + progress $bases $bases CONFBASE "Configuring base system" + info BASESUCCESS "Base system installed successfully." ++ ++ # Tails-specific part: ++ chroot $TARGET /usr/bin/dpkg-divert --divert /usr/bin/apt-get.real --rename /usr/bin/apt-get ++ cp -f %%topdir%%/data/wrappers/apt-get $TARGET/usr/bin/apt-get + } 
diff --git a/packages/os/linux/variants/milady-tails/tails/data/splash.png b/packages/os/linux/variants/milady-tails/tails/data/splash.png new file mode 100644 index 0000000000000000000000000000000000000000..3345e630c92892d3334e3565239c0f402f50d596 GIT binary patch literal 2291 zcmd5-X*kldU8T{08(-20MAW0zk4J0MLH~00{`u zX8|A{1pxD80I~G>^d%lw5NrW4P?e^~8J$CKMqY^b_lw+I3qwAR9ADTy81vC=z)vz4e)2HVM#P_w%I&@)2 zf*Py&4x`(Vq%?5q4&Y|e52jC=n*6Adzi*`|7Zq)IcWERbdrtCNB%Px|Cj3^dD9HM`44MEtKyH6>TXNY7F;%LK4mZhjBpL8YFbMPM%M{x*>h7TLb0*uV z_#6Vld{)m-Kuoo0`$+XJo`NtV-ZsSZRgBYejP3zTjp6228quS&YCZbgfRq~a?;kOr zL-2q0htKfbuG`nJM6*L}s^Fvt+;J!i4SV^M?6L( z;X0Dk-NEn|Xe{Mtar~snvLAs6iX6&Yt%E5FME=;|vs20J#D*Fz=wMhD`@3Rq1mtU~ z)FgW?bG2bB&<+uFeW+sfSC}HXJ)kvVI{5=J3`-+;#^PvYNL3Dc44v@?xqTV^jtAP4UBX(5j>nOXEbw-tWV@Dimix8t|_PC)r< z%=%S%s>Z9B>7J5I0=HAu8A&Jjq(ZrOe@S^%9;+60AF0BzMP&8ss1bLLy=E*`^D3+L zV?yrf-#Z7?GSK5_X1-zju*yV$D&K2rqDS(y^2?6XNjel7y}A(EE~w)7zgyg^ob;F; zsT9`>Ur258ro=Nab-pBZa%9fg9D!I)N9{Ma9*MQwFq?;(`|Z|V6h~p^r^L97I7A-< zP368z+OD7}Z$>?hS36dCt)5Fr4cFC7%#e$kb2Xp(+JCm?_U+QXR=2MayG>pUgI)BQ z`43{t3^^2~r3&{aw4;I{IY%g5wo`7zWEroy)3DeE>Bo$=ng^iZrzqplK?&DWt?%X& z`>exDvufEkn{VI+GkmHeKN`%i3%~{nFRBd(Ew6|A`_Z-!{I$iexmf!BB$G{Tu}45A z_6O|Sub3x~+wInD?v>SvRwkBWw}#_CfAXSj@$f_#q!+Q4V_UW*e!_nTO<(S>6>4b~ zjFTcR$>aQMIpz;I7&6vBKfnM-xmHQrU;H}5?YlGIb*4mq&jLB|tdYA9j~`7@Q0x`V zxO6=1J5Sk}-WxufozjXX6x`T&-Z(LFfapTm`=ceyBBb)2El65|qVf5(1>B85 zs&;f!bV2i#H1f@87_(JQhT0SjQ%a1`Pqa)3PFUPC9pju)gyqZPDAk^Zjfc}^>r1R2 z`*!gdVGHwPLO80->f+AYdw3MHLWR@4RpwuGRs-V~pJL$^R>IH3y<(z|NxjlVMg068x4NskP=|Gpx5Bf%)o%q7e3Fgx>Ry`&Go zwOCzL1qpWpbof2<9U}3H&Pmo>+raGD+hM$BoLiIM`)y|f`fi0&Lfm@L_0>&5`P`_7 ze$pvgu<92@6}Uq+AWc<8L)iAqtGL15U&@ zHhu#N_7{#p^(8H?hqRMa0Aapg3l;^nQ>4h_9EMnH@8x%^g>t{iqvor%nud+ia8oJdmbjYPmr`O=%nT7E&`n!^NSgewp|~z%c@rlpD4Ku z!g`wkuAz>)=_}Q9UxP4z*s?o{m+B3w%b}iEUR^Epo>t))m=GHh+mHNDKhdR4yCzn5 z_k4F=F*p|)=in0;5*T;YCOGCQXaEb8xwQ$((!}Dlw}rXQ>C-l+&5ckf8x-o}@}Bp9 h6x^VMTn|n9F9oQ77kty literal 0 HcmV?d00001 
diff --git a/packages/os/linux/variants/milady-tails/tails/data/splash.svg b/packages/os/linux/variants/milady-tails/tails/data/splash.svg new file mode 100644 index 0000000000000..07dae9f85c3df --- /dev/null +++ b/packages/os/linux/variants/milady-tails/tails/data/splash.svg @@ -0,0 +1,120 @@ + + + + + + image/svg+xml + + + + + + + + + + + + + + + + + + + + + diff --git a/packages/os/linux/variants/milady-tails/tails/data/wrappers/apt-get b/packages/os/linux/variants/milady-tails/tails/data/wrappers/apt-get new file mode 100755 index 0000000000000..b0696b77a8836 --- /dev/null +++ b/packages/os/linux/variants/milady-tails/tails/data/wrappers/apt-get 
@@ -0,0 +1,71 @@ +#!/bin/sh +set -e +set -u + +mode=unknown +for param in "$@"; do + case "$param" in + install | download | purge | remove | upgrade | dist-upgrade) + mode=binuris + break + ;; + source) + mode=srcuris + break + ;; + update) + mode=update + break + ;; + check | autoclean | autoremove) + mode=noop + break + ;; + esac +done + +# let's fail as early as possible: +if [ "$mode" = unknown ]; then + echo "E: unsupported apt-get operation, mode is still unknown" >&2 + echo "E: requested operation follows:" "$@" >&2 + exit 1 +fi + +building_with_tagged_APT_snapshots() { + grep --recursive --quiet --silent --fixed-strings \ + tagged.snapshots.deb.tails.boum.org \ + /etc/apt/sources.list.d/ +} + +if [ "$mode" = binuris ]; then + apt-get.real "$@" --print-uris|perl -ne 'if (/^'\''(.+)'\'' ([^_]+)_([^_]+)_/) { my ($url, $package, $version)=($1,$2,$3); $version =~ s/%3a/:/g; print "$package $version $url\n"; }' >> /debootstrap/$mode + apt-get.real "$@" +elif [ "$mode" = srcuris ]; then + # all uris: perl -ne 'if (/^'\''(.+)'\'' (\S+)/) { my ($url, $filename) = ($1, $2); print "$filename $url\n"; }' + # only dsc: perl -ne 'if (/^'\''(.+)'\'' (\S+\.dsc)/) { my ($url, $filename) = ($1, $2); print "$filename $url\n"; }' + apt-get.real "$@" --print-uris|perl -ne 'if (/^'\''(.+)'\'' (\S+\.dsc)/) { my ($url, $filename) = ($1, $2); print "$filename $url\n"; }' >> /debootstrap/$mode.tmp + apt-get.real "$@" + while read -r filename uri; do + # extract source and version w/o taking the GnuPG version in the signature section, and add uri after that + s_v=$(awk '/^(Source|Version):/ {print $2}' "$filename" | head -2 | xargs) + echo "$s_v $uri" >> /debootstrap/$mode + done < /debootstrap/$mode.tmp + rm /debootstrap/$mode.tmp +elif [ "$mode" = update ]; then + echo "command:" "$@" >> /debootstrap/noop + set +e + apt-get.real "$@" + RET=$? + set -e + if [ $RET -ne 0 ] && building_with_tagged_APT_snapshots ; then + echo "APT update failed." 
+ echo "You may be experiencing a known issue," + echo "that thankfully has a documented workaround:" + echo "see https://gitlab.tails.boum.org/tails/tails/-/issues/20009" + fi + exit $RET +else + # handle both noop and unknown here, each into its own file; unknown should be empty: + echo "command:" "$@" >> /debootstrap/$mode + apt-get.real "$@" +fi From 477abe5f1eb83396517cab367661aaa215511a4d Mon Sep 17 00:00:00 2001 From: NubsCarson Date: Tue, 19 May 2026 03:21:39 +0000 Subject: [PATCH 4/4] fix homepage smoke scope on shallow PR history --- .github/workflows/quality.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml index d71c266deb4d1..63714826d2c2a 100644 --- a/.github/workflows/quality.yml +++ b/.github/workflows/quality.yml @@ -77,8 +77,13 @@ jobs: exit 0 fi - git fetch --no-tags --depth=1 origin "${{ github.base_ref }}" - changed_files="$(git diff --name-only "origin/${{ github.base_ref }}...HEAD")" + git fetch --no-tags origin "${{ github.base_ref }}" + if merge_base="$(git merge-base "origin/${{ github.base_ref }}" HEAD)"; then + changed_files="$(git diff --name-only "${merge_base}" HEAD)" + else + echo "No merge base found with origin/${{ github.base_ref }}; falling back to direct base/head diff." >&2 + changed_files="$(git diff --name-only "origin/${{ github.base_ref }}" HEAD)" + fi if grep -Eq '^(packages/homepage/|packages/shared-brand/|packages/app-core/scripts/write-homepage-release-data\.mjs|\.github/workflows/(deploy-homepage|release-electrobun|release-orchestrator)\.yml)' <<< "${changed_files}"; then echo "run=true" >> "$GITHUB_OUTPUT" else
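Review bot: The added lines in quality.yml expand `${{ github.base_ref }}` directly inside the `run:` script four times, so the branch name is pasted into the shell source before bash parses it. Passing it through the environment keeps it as data: add `env:` with `BASE_REF: ${{ github.base_ref }}` on the step and use `"origin/${BASE_REF}"` in the `git fetch`, `git merge-base` and `git diff` calls. The step header is outside the hunk, so whether an `env:` block already exists could not be checked. Dropping `--depth=1` also makes every run fetch the full base-branch history, which deserves a one-line comment saying it is intentional for the merge-base lookup.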