- tbb-commits - lists.torproject.org

[Git][tpo/applications/tor-browser][tor-browser-115.0esrbase-13.0-1] fixup! Base Browser's .mozconfigs.
by Pier Angelo Vendrame (＠pierov) 17 Jul '23

17 Jul '23

Pier Angelo Vendrame pushed to branch tor-browser-115.0esrbase-13.0-1 at The Tor Project / Applications / Tor Browser Commits: 3b4752bb by Pier Angelo Vendrame at 2023-07-14T15:54:30+02:00 fixup! Base Browser's .mozconfigs. Bug 41890: Let tor-browser-build set the update channel it prefers. - - - - - 1 changed file: - browser/config/mozconfigs/base-browser-android Changes: ===================================== browser/config/mozconfigs/base-browser-android ===================================== @@ -38,9 +38,6 @@ if test -n "$LOCAL_DEV_BUILD"; then # You must use the "default" bogus channel for dev builds ac_add_options --enable-update-channel=default ac_add_options --with-base-browser-version=dev-build -else - # We only use beta GeckoView for now, for official builds - ac_add_options --enable-update-channel=beta fi if test -z "$WASI_SYSROOT"; then View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/3b4752b… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/3b4752b… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser-build][main] Bug 40089: Change how we set MOZ_BUILD_DATE
by boklm (＠boklm) 14 Jul '23

14 Jul '23

boklm pushed to branch main at The Tor Project / Applications / tor-browser-build Commits: 69317005 by Nicolas Vigier at 2023-07-14T09:49:46+02:00 Bug 40089: Change how we set MOZ_BUILD_DATE For normal alpha/release builds, we use the date from the commit, on which we add the numbers from the version string as seconds (in order to keep increasing the build date when we release a new version without adding new commits). For nightly-testbuild, we use the date from the commit. For nightly we try to parse the day from the version number, or use the current day at 00:00:01. - - - - - 9 changed files: - projects/android-components/build - − projects/common/get-moz-build-date - projects/fenix/build - projects/firefox/build - projects/firefox/config - − projects/firefox/get-moz-build-date - projects/geckoview/build - projects/geckoview/config - rbm.conf Changes: ===================================== projects/android-components/build ===================================== @@ -9,10 +9,6 @@ builddir=/var/tmp/build/[% project %] mkdir $distdir/[% project %] mkdir /var/tmp/build -cat > get-moz-build-date << "EOF" -[% INCLUDE "get-moz-build-date" %] -EOF - [% IF !c("var/fetch_gradle_dependencies") %] tar -C $distdir -xf [% c('input_files_by_name/geckoview') %] gradle_repo=$rootdir/[% c('input_files_by_name/gradle-dependencies') %] @@ -60,12 +56,7 @@ sed -i 's/tag = getGitHash()/tag = \"[% c('abbrev') %]\"/' publish.gradle export LANG=C.UTF-8 patch -p1 < $rootdir/mavenLocal.patch - eval $(perl $rootdir/get-moz-build-date [% pc("fenix", "var/copyright_year") %] [% pc("fenix", "var/torbrowser_version") %]) - if [ -z $MOZ_BUILD_DATE ] - then - echo "MOZ_BUILD_DATE is not set" - exit 1 - fi + [% c("var/set_MOZ_BUILD_DATE") %] # Increase the maximum memory usage, for when compiling with --disable-install-strip gradle_args="--offline --no-daemon -Dmaven.repo.local=$gradle_repo -Dorg.gradle.jvmargs=-Xmx8g" ===================================== projects/common/get-moz-build-date deleted ===================================== @@ -1,30 +0,0 @@ -#!/usr/bin/perl -w -# Generate a MOZ_BUILD_DATE based on Tor Browser version number - -use strict; - -die "wrong number of arguments" unless @ARGV == 2; -my ($year, $version) = @ARGV; -my $date; -if ($version =~ m/^tbb-nightly\.([^\.]+)\.([^\.]+)\.([^\.]+)$/) { - $date = sprintf("%d%02d%02d010101", $1, $2, $3); -} elsif ($version eq 'testbuild') { - # There is no need for an increasing build date in test builds. Just hardcode - # it to a value that is compatible with the v1 versionCode scheme on Android, - # see: #34163. We adjust the date to the new cutoff according to - # https://github.com/mozilla-mobile/fenix/pull/14952, following Mozilla. - # This should be unproblematic for test builds anyway. - $date = 20141228000000; -} else { - my @v = split(/[\.ab]/, $version); - push @v, '0' if @v < 4; - push @v, '0' if @v < 4; - # When MOZ_BUILD_DATE was based on the firefox version, with - # Tor Browser 8.0.6 and firefox 60.5.1 it was 20190204060201 - # We can remove 5 from the month, while keeping it increasing. - my $month = $v[0] - 5; - $date = 1010101 + $year * 10000000000 + $month * 100000000 - + $v[1] * 1000000 + $v[2] * 10000 + $v[3]; - $date += 1000000 unless $version =~ m/[ab]/; -} -print "export MOZ_BUILD_DATE=$date\n"; ===================================== projects/fenix/build ===================================== @@ -9,10 +9,6 @@ builddir=/var/tmp/build/[% project %] mkdir -p $distdir/[% project %] mkdir -p /var/tmp/build -cat > get-moz-build-date << "EOF" -[% INCLUDE "get-moz-build-date" %] -EOF - [% IF !c("var/fetch_gradle_dependencies") %] tar -C $distdir -xf [% c('input_files_by_name/geckoview') %] gradle_repo=$rootdir/[% c('input_files_by_name/gradle-dependencies') %] @@ -71,12 +67,7 @@ v=[% c("variant") %] export LANG=C.UTF-8 patch -p1 < $rootdir/mavenLocal.patch - eval $(perl $rootdir/get-moz-build-date [% c("var/copyright_year") %] [% c("var/torbrowser_version") %]) - if [ -z $MOZ_BUILD_DATE ] - then - echo "MOZ_BUILD_DATE is not set" - exit 1 - fi + [% c("var/set_MOZ_BUILD_DATE") %] # Bug 40485: Inject deterministic build date into Glean. echo "ext.gleanBuildDate = \"0\"" >> app/build.gradle ===================================== projects/firefox/build ===================================== @@ -70,12 +70,7 @@ MOZCONFIG_EOF export ASAN_OPTIONS="detect_leaks=0" [% END -%] -eval $(perl $rootdir/get-moz-build-date [% c("var/copyright_year") %] [% c("var/torbrowser_version") %]) -if [ -z $MOZ_BUILD_DATE ] -then - echo "MOZ_BUILD_DATE is not set" - exit 1 -fi +[% c("var/set_MOZ_BUILD_DATE") %] [% IF c("var/windows") %] # Make sure widl is not inserting random timestamps, see #21837. ===================================== projects/firefox/config ===================================== @@ -153,7 +153,6 @@ input_files: - project: container-image - name: '[% c("var/compiler") %]' project: '[% c("var/compiler") %]' - - filename: get-moz-build-date - project: binutils name: binutils enable: '[% c("var/linux") %]' ===================================== projects/firefox/get-moz-build-date deleted ===================================== @@ -1,27 +0,0 @@ -#!/usr/bin/perl -w -# Generate a MOZ_BUILD_DATE based on Tor Browser version number - -use strict; - -die "wrong number of arguments" unless @ARGV == 2; -my ($year, $version) = @ARGV; -my $date; -if ($version =~ m/^tbb-nightly\.([^\.]+)\.([^\.]+)\.([^\.]+)$/) { - $date = sprintf("%d%02d%02d010101", $1, $2, $3); -} elsif ($version eq 'testbuild') { - # There is no need for an increasing build date in test builds. Just hardcode - # it. - $date = 20010101010101; -} else { - my @v = split(/[\.ab]/, $version); - push @v, '0' if @v < 4; - push @v, '0' if @v < 4; - # When MOZ_BUILD_DATE was based on the firefox version, with - # Tor Browser 8.0.6 and firefox 60.5.1 it was 20190204060201 - # We can remove 5 from the month, while keeping it increasing. - my $month = $v[0] - 5; - $date = 1010101 + $year * 10000000000 + $month * 100000000 - + $v[1] * 1000000 + $v[2] * 10000 + $v[3]; - $date += 1000000 unless $version =~ m/[ab]/; -} -print "export MOZ_BUILD_DATE=$date\n"; ===================================== projects/geckoview/build ===================================== @@ -8,13 +8,6 @@ distdir=/var/tmp/dist mkdir -p /var/tmp/build mkdir -p $distdir/[% project %] -# We need to have the get-moz-build-date script available in the container -# but we can't include it via input_files as it is a script shared between -# projects. -cat > get-moz-build-date << "EOF" -[% INCLUDE "get-moz-build-date" %] -EOF - tar -C /var/tmp/dist -xf [% c('input_files_by_name/rust') %] tar -C /var/tmp/dist -xf [% c('input_files_by_name/cbindgen') %] tar -C /var/tmp/dist -xf [% c('input_files_by_name/nasm') %] @@ -49,12 +42,7 @@ export MOZ_SOURCE_REPO="[% c('var/gitlab_project') %]" export MOZ_SOURCE_CHANGESET=[% c("var/git_commit") %] MOZCONFIG_EOF -eval $(perl $rootdir/get-moz-build-date [% c("var/copyright_year") %] [% c("var/torbrowser_version") %]) -if [ -z $MOZ_BUILD_DATE ] -then - echo "MOZ_BUILD_DATE is not set" - exit 1 -fi +[% c("var/set_MOZ_BUILD_DATE") %] export JAVA_HOME=/usr/lib/jvm/java-1.11.0-openjdk-amd64 gradle_repo=/var/tmp/dist/gradle-dependencies ===================================== projects/geckoview/config ===================================== @@ -48,10 +48,6 @@ steps: mkdir -p /var/tmp/build mkdir -p $distdir/[% project %] - cat > get-moz-build-date << "EOF" - [% INCLUDE "get-moz-build-date" %] - EOF - tar -C $distdir -xf [% c('input_files_by_name/node') %] export PATH="/var/tmp/dist/node/bin:$PATH" @@ -73,12 +69,7 @@ steps: ln -s mozconfig-android-all .mozconfig echo 'mk_add_options MOZ_PARALLEL_BUILD=[% c("num_procs") %]' >> .mozconfig - eval $(perl $rootdir/get-moz-build-date [% c("var/copyright_year") %] [% c("var/torbrowser_version") %]) - if [ -z $MOZ_BUILD_DATE ] - then - echo "MOZ_BUILD_DATE is not set" - exit 1 - fi + [% c("var/set_MOZ_BUILD_DATE") %] export JAVA_HOME=/usr/lib/jvm/java-1.11.0-openjdk-amd64 gradle_repo=/var/tmp/dist/gradle-dependencies ===================================== rbm.conf ===================================== @@ -218,6 +218,7 @@ var: [% END -%] DOCSDIR_project: '[% project %]' + set_MOZ_BUILD_DATE: 'export MOZ_BUILD_DATE=[% c("var_p/MOZ_BUILD_DATE") %]' targets: notarget: linux-x86_64 @@ -717,5 +718,31 @@ gpg_allow_expired_keys: 1 } return [@res]; }, + MOZ_BUILD_DATE => sub { + use POSIX qw(strftime); + my ($project, $options) = @_; + my $nightly = project_config($project, 'var/nightly', $options); + my $testbuild = project_config($project, 'var/testbuild', $options); + + if ($nightly && !$testbuild) { + my $torbrowser_version = project_config($project, 'var/torbrowser_version', $options); + return sprintf("%d%02d%02d000001", $1, $2, $3) + if $torbrowser_version =~ m/^tbb-nightly\.([^\.]+)\.([^\.]+)\.([^\.]+)$/; + return strftime("%Y%m%d000001", gmtime); + } + + my $timestamp = project_config($project, 'timestamp', $options); + if (!$nightly) { + my $torbrowser_version = project_config($project, 'var/torbrowser_version', $options); + my @n = reverse split /[\.\D]/, $torbrowser_version; + my $i = 1; + unshift @n, 0 if @n < 3; + for my $n (@n) { + $timestamp += $n * $i; + $i = $i * 10; + } + } + return strftime "%Y%m%d%H%M%S", gmtime($timestamp); + }, }, ) View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/6… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/6… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser-build][main] Bug 40898: Add doc from tor-browser-spec/processes/ReleaseProcess to gitlab issue templates
by richard (＠richard) 13 Jul '23

13 Jul '23

richard pushed to branch main at The Tor Project / Applications / tor-browser-build Commits: 0a782e66 by Nicolas Vigier at 2023-07-13T11:09:15+02:00 Bug 40898: Add doc from tor-browser-spec/processes/ReleaseProcess to gitlab issue templates - - - - - 2 changed files: - .gitlab/issue_templates/Release Prep - Tor Browser Alpha.md - .gitlab/issue_templates/Release Prep - Tor Browser Stable.md Changes: ===================================== .gitlab/issue_templates/Release Prep - Tor Browser Alpha.md ===================================== @@ -169,6 +169,7 @@ Tor Browser Alpha (and Nightly) are on the `main` branch ### signing - **NOTE** : In practice, it's most efficient to have the blog post and website updates ready to merge, since signing doesn't take very long - [ ] On `$(STAGING_SERVER)`, ensure updated: + - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-$(TOR_BROWSER_VERSION)-$(TOR_BROWSER_BUILD_N) && git checkout tbb-$(TOR_BROWSER_VERSION)-$(TOR_BROWSER_BUILD_N)` - [ ] `tor-browser-build/tools/signing/set-config.hosts` - `ssh_host_builder` : ssh hostname of machine with unsigned builds - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory) @@ -215,6 +216,35 @@ Tor Browser Alpha (and Nightly) are on the `main` branch </details> +<details> + <summary>Signature verification</summary> + + <details> + <summary>Check whether the .exe files got properly signed and timestamped</summary> + ``` + # Point OSSLSIGNCODE to your osslsigncode binary + pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION + OSSLSIGNCODE=/path/to/osslsigncode + ../../../tools/authenticode_check.sh + popd + ``` + </details> + <details> + <summary>Check whether the MAR files got properly signed</summary> + ``` + # Point NSSDB to your nssdb containing the mar signing certificate + # Point SIGNMAR to your signmar binary + # Point LD_LIBRARY_PATH to your mar-tools directory + pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION + NSSDB=/path/to/nssdb + SIGNMAR=/path/to/mar-tools/signmar + LD_LIBRARY_PATH=/path/to/mar-tools/ + ../../../tools/marsigning_check.sh + popd + ``` + </details> +</details> + <details> <summary>Publishing</summary> @@ -233,6 +263,7 @@ Tor Browser Alpha (and Nightly) are on the `main` branch ### blog: https://gitlab.torproject.org/tpo/web/blog.git - [ ] Duplicate previous Stable or Alpha release blog post as appropriate to new directory under `content/blog/new-release-tor-browser-$(TOR_BROWSER_VERSION)` and update with info on release : + - [ ] Run `tools/signing/create-blog-post` which should create the new blog post from a template (edit set-config.blog to set you local blog directory) - [ ] Update Tor Browser version numbers - [ ] Note any ESR rebase - [ ] Link to any Firefox security updates from ESR upgrade ===================================== .gitlab/issue_templates/Release Prep - Tor Browser Stable.md ===================================== @@ -166,6 +166,7 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE ### signing - **NOTE** : In practice, it's most efficient to have the blog post and website updates ready to merge, since signing doesn't take very long - [ ] On `$(STAGING_SERVER)`, ensure updated: + - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-$(TOR_BROWSER_VERSION)-$(TOR_BROWSER_BUILD_N) && git checkout tbb-$(TOR_BROWSER_VERSION)-$(TOR_BROWSER_BUILD_N)` - [ ] `tor-browser-build/tools/signing/set-config.hosts` - `ssh_host_builder` : ssh hostname of machine with unsigned builds - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory) @@ -212,6 +213,35 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE </details> +<details> + <summary>Signature verification</summary> + + <details> + <summary>Check whether the .exe files got properly signed and timestamped</summary> + ``` + # Point OSSLSIGNCODE to your osslsigncode binary + pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION + OSSLSIGNCODE=/path/to/osslsigncode + ../../../tools/authenticode_check.sh + popd + ``` + </details> + <details> + <summary>Check whether the MAR files got properly signed</summary> + ``` + # Point NSSDB to your nssdb containing the mar signing certificate + # Point SIGNMAR to your signmar binary + # Point LD_LIBRARY_PATH to your mar-tools directory + pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION + NSSDB=/path/to/nssdb + SIGNMAR=/path/to/mar-tools/signmar + LD_LIBRARY_PATH=/path/to/mar-tools/ + ../../../tools/marsigning_check.sh + popd + ``` + </details> +</details> + <details> <summary>Publishing</summary> @@ -230,6 +260,7 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE ### blog: https://gitlab.torproject.org/tpo/web/blog.git - [ ] Duplicate previous Stable or Alpha release blog post as appropriate to new directory under `content/blog/new-release-tor-browser-$(TOR_BROWSER_VERSION)` and update with info on release : + - [ ] Run `tools/signing/create-blog-post` which should create the new blog post from a template (edit set-config.blog to set you local blog directory) - [ ] Update Tor Browser version numbers - [ ] Note any ESR rebase - [ ] Link to any Firefox security updates from ESR upgrade View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/0… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/0… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser-spec][main] 2 commits: Bug 40049: processes/ReleaseProcess is replaced by gitlab issue templates
by richard (＠richard) 13 Jul '23

13 Jul '23

richard pushed to branch main at The Tor Project / Applications / tor-browser-spec Commits: 2b13c342 by Nicolas Vigier at 2023-07-13T11:20:54+02:00 Bug 40049: processes/ReleaseProcess is replaced by gitlab issue templates - - - - - b79d4e8a by richard at 2023-07-13T20:07:11+00:00 Merge branch 'bug_40049' into 'main' Bug 40049: processes/ReleaseProcess is replaced by gitlab issue templates Closes #40049 See merge request tpo/applications/tor-browser-spec!45 - - - - - 1 changed file: - processes/ReleaseProcess Changes: ===================================== processes/ReleaseProcess ===================================== @@ -1,362 +1,8 @@ # Magical Tor Browser Release Process Incantations # -# "May this part of our job one day be replaced by a small shell script" +# The Tor Browser Release Process is now documented as gitlab issue templates: +# - https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/blob/mai… +# - https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/blob/mai… # - -##################### -### Prepare build ### -##################### - -#. Tag any relevant component versions. -# In particular: before tagging the tor-browser tag, the final code from -# Torbutton needs to get included and in order to avoid unnecessary commit -# inflation the commit for bumping the git submodule should be a fixup commit -# to the one with "Bug 25013: Add torbutton as a tor-browser submodule" in -# its commit message. - -#. Update changelog and relevant config files in tor-browser-build. - cd tor-browser-build - vim projects/firefox/config - vim ChangeLog.txt - vim rbm.conf - -#. Tag a build tag in tor-browser-build. - make signtag-release # or `make signtag-alpha` for an alpha build - -#. Push tag and version to tor-browser-build.git. In case of doing a stable -# release with a maintenance branch use that one instead of `master`. - torsocks git push origin master:master - torsocks git push origin --tags - - -##################### -### Build ### -##################### - -#. Build and generate incremental MAR files. - git tag -v tbb-$TORBROWSER_VERSION-buildN - git checkout tbb-$TORBROWSER_VERSION-buildN - make && make incrementals-release # `make alpha && make incrementals-alpha` - -#. Compare the SHA256 sums of the bundles and MAR files with an independent -# builder. - sha256sum tor-browser-build/release/unsigned/$TORBROWSER_BUILDDIR/sha256sums-unsigned-build.txt - sha256sum tor-browser-build/release/unsigned/$TORBROWSER_BUILDDIR/sha256sums-unsigned-build.incrementals.txt - -#. If the sums match (download and) upload the bundles to your build dir on -# people.torproject.org. Fix permissions. - chmod 755 $TORBROWSER_BUILDDIR - chmod 644 $TORBROWSER_BUILDDIR/* - chmod 644 $TORBROWSER_BUILDDIR/.htaccess - torsocks ssh people.torproject.org "mkdir ~/public_html/builds/${TORBROWSER_BUILDDIR}" - torsocks rsync -avP $TORBROWSER_BUILDDIR/ people.torproject.org:public_html/builds/$TORBROWSER_BUILDDIR - -#. (Optional): Upload your binaries to people using partial rsync over old version - torsocks ssh people.torproject.org "mv ~/public_html/builds/${TORBROWSER_VERSION}-build1 ~/public_html/builds/$TORBROWSER_BUILDDIR" - torsocks rsync -avP $TORBROWSER_BUILDDIR/ people.torproject.org:public_html/builds/$TORBROWSER_BUILDDIR - -#. Distribute build to tor-qa(a)lists.torproject.org - # XXX: Currently manual email with link to candidate build, important changes, - # and changelog. - # For stable releases put tails-dev(a)boum.org into Cc. - - -####################### -### Android signing ### -####################### - -#. The Android signing is done separately from the desktop signing. To -# do the Android signing you'll need to boot from a Tails usb stick, -# with persistent storage enabled. - -#. Install the openjdk-11-jdk-headless package - apt install openjdk-11-jdk-headless - -#. Make sure you have the android keys, for example in the -# ~/Persistent/android-keys directory. This directory should include -# the tba_alpha.p12 and tba_release.p12 files. - -#. Clone tor-browser-build, and checkout the tag for the release - git tag -v tbb-$TORBROWSER_VERSION-buildN - git checkout tbb-$TORBROWSER_VERSION-buildN - -#. Update set-config.tbb-version and set-config.android-signing - cd tools/signing - vim set-config.tbb-version - vim set-config.android-signing - -#. Run the android-signing script. This script will download the -# unsigned apks from the `pkgstage` machine (where `do-all-signing` -# is run), signed them, and upload back the signed apks to the -# `pkgstage` machine. It should be done before the hash_signed_bundles.sh -# step. - ./android-signing - - -########################## -### Signing and upload ### -########################## - -#. You need a `pkgstage` machine to store the bundles during the signing -# process. This machine should be: -# - secure (you will ssh to the signing machines and staticiforme -# from there) -# - with good bandwidth (you will download/upload bundles from there) -# -# All steps from the `Signing and upload` are run from the `pkgstage` -# machine unless mentioned otherwise. -# -# The signing scripts are located in the tor-browser-build/tools/signing -# directory. -# -# Alternatively, you can run the script `./do-all-signing`, which will -# do all the signing steps automatically, until the static-update-component -# commands on staticiforme. Also the script does not currently handle -# removing the old versions on staticiforme, so you have to do that -# manually. The script is also not running `./macos-signer-proxy` which -# needs to be started and stopped manually. - -#. Checkout the tor-browser-build.git commit corresponding to the -# tor browser version you need to sign/publish. - cd tor-browser-build - git tag -v tbb-$TORBROWSER_VERSION-buildN - git checkout tbb-$TORBROWSER_VERSION-buildN - -#. Change to the tor-browser-build/tools/signing directory. All following -# commands are run from this directory. - cd tor-browser-build/tools/signing - -#. Set hosts information. - vim set-config.hosts - -#. Set tor browser version information. You should set tbb_version, -# tbb_version_build, tbb_version_type. This should match the information -# in rbm.conf. - vim set-config.tbb-version - -#. Download the tor browser build to the `pkgstage` machine from your -# build machine (configured in set-config.hosts). - ./sync-builder-unsigned-to-local-signed - -#. Codesign the macOS dmg files. -# -# Updload the tor browser dmg files to `macos-signer` - ./sync-macos-local-to-macos-signer - -# Upload updated signing scripts to `macos-signer`. The scripts are -# located in the `signing-release` or `signing-alpha` directory on -# `macos-signer`. - ./sync-scripts-to-macos-signer - -# Run proxy for `macos-signer`. You may need to kill an old proxy -# process on `macos-signer` if it was still running. - ./macos-signer-proxy - -# Enable networking on the `macos-signer`. - macos-signer$ networksetup -setsecurewebproxystate Ethernet on - -# Sign the bundles. On `macos-signer`. -# (replace signing-release with signing-alpha for an alpha release) - macos-signer$ ~/signing-release/macos-signer-gatekeeper-signing - -# Notarize the bundles. On `macos-signer`. -# (replace signing-release with signing-alpha for an alpha release) - macos-signer$ ~/signing-release/macos-signer-notarization - -# Staple the bundles. On `macos-signer`. -# (replace signing-release with signing-alpha for an alpha release) - macos-signer$ ~/signing-release/macos-signer-stapler - -# Disable networking on the `macos-signer`. - macos-signer$ networksetup -setsocksfirewallproxystate Ethernet off - -# Download the stapled bundles to `pkgstage`. - ./sync-macos-signer-stapled-to-macos-local-stapled - -#. Regenerate macOS DMG files from stapled zip files. - ./gatekeeper-bundling.sh - -#. Regenerate macOS MAR files from code signed dmg files. - ./dmg2mar - -#. Sync bundles to `linux-signer`. - ./sync-local-to-linux-signer - -#. Upload updated signing scripts to `linux-signer`. The scripts are -# located in the `signing-release` or `signing-alpha` directory on -# `linux-signer`. - ./sync-scripts-to-linux-signer - -#. Sign the MAR files. On `linux-signer`. -# (replace signing-release with signing-alpha for an alpha release) - linux-signer$ ~/signing-release/linux-signer-signmars - -#. Authenticode signing of exe files. On `linux-signer`. - linux-signer$ ~/signing-release/linux-signer-authenticode-signing - -#. Authenticode timestamping. - ./sync-linux-signer-to-local - ./authenticode-timestamping.sh - -#. Create sha256sums-signed-build files - ./hash_signed_bundles.sh - -#. Upload sha256sums-signed-build and updated exe files to `linux-signer`. - ./sync-local-to-linux-signer - -#. Gpg signing. - ./linux-signer-gpg-sign - -#. Fetch signatures on unsigned sha256sums from other builds - ./download-unsigned-sha256sums-gpg-signatures-from-people-tpo - -#. Remove old builds on `staticiforme` - # IMPORTANT: Remove the oldest version in a series in case there is more - # than 1 available on dist.torproject.org before proceeding - # XXX: TORBROWSER_VERSION_OLDEST needs to be set - staticiforme$ rm -rf /srv/dist-master.torproject.org/htdocs/torbrowser/$TORBROWSER_VERSION_OLDEST - staticiforme$ static-update-component dist.torproject.org - -#. Upload new build to `staticiforme` - ./sync-local-to-staticiforme - -#. Check diskspace available on cdn.tpo -# We currently have enough disk space to host two alpha and stable -# releases. However with the size of each Tor Browser release increasing, -# it may become necessary to increase disk space. The server hosting -# the files for cdn.tpo is savii.tpo and its disk usage can be monitored -# by going to https://grafana.torproject.org/d/Z7T7Cfemz/node-exporter-full -# and selecting the hosts: web-fsn-02.torproject.org, web-cymru-01.torproject.org, -# web-fsn-01.torproject.org, and cdn-backend-sunet-01.torproject.org - -#. Remove the oldest *.mar files from cdn.tpo to save space - staticiforme$ rm -rf /srv/cdn-master.torproject.org/htdocs/aus1/torbrowser/$TORBROWSER_VERSION_OLDEST - staticiforme$ static-update-component cdn.torproject.org - -#. Sync files to dist.tpo and cdn.tpo mirrored web servers -# (replace signing-release with signing-alpha for an alpha release) -# It is a good idea to run the static-update-component inside screen -# or tmux so that the upload continues if your connection to -# staticiforme is closed. - $ ./sync-scripts-to-staticiforme - staticiforme$ ~/signing-release/staticiforme-prepare-cdn-dist-upload - staticiforme$ static-update-component cdn.torproject.org && \ - static-update-component dist.torproject.org - -#. Make sure we really built from the proper Mozilla build tag by consulting - # the respective ESR release branch (for a good overview for ESR78 see - # https://hg.mozilla.org/releases/mozilla-esr78/graph/) For the platforms following - # rapid release (only Android, currently), consult the beta repo - # (https://hg.mozilla.org/releases/mozilla-beta/graph/) or the release repo - # (https://hg.mozilla.org/releases/mozilla-release/graph/) - -#. Update website's torbrowser versions file in the website git - cd tpo - torsocks git pull origin - # Update `win32` in the `torbrowser-stable` section as well if we - # include a new stable tor version (called the Windows Expert Bundle - # on the website). See: #14152. - vim databags/versions.ini - git commit databags/versions.ini -m "Add new Tor Browser version" - torsocks git push origin master:master - cd .. - # Check build success/failure: - # https://jenkins.torproject.org/job/lektor-website-tpo-translation/ - # https://jenkins.torproject.org/job/lektor-website-tpo-translation-install/ - -#. Add new locales to the download page - # If this release is introducing new locales, add them to the - # databags/download-alternatives.ini file (for a stable release) or - # the databags/download-alternatives-alpha.ini file (for an alpha - # release). - cd tpo - torsocks git pull origin - vim databags/download-alternatives.ini # or databags/download-alternatives-alpha.ini - git commit databags/download-alternatives.ini -m "Add new Tor Browser locales" - torsocks git push origin master:master - cd .. - -#. Create blog post from changelog -# Edit set-config.blog to set you local blog directory. -# Don't forget to link to Mozilla's security advisories if this is a security -# update. - ./create-blog-post - -#. Check whether the .exe files got properly signed and timestamped - # Point OSSLSIGNCODE to your osslsigncode binary - pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION - OSSLSIGNCODE=/path/to/osslsigncode - ../../../tools/authenticode_check.sh - popd - -#. Check whether the MAR files got properly signed - # Point NSSDB to your nssdb containing the mar signing certificate - # Point SIGNMAR to your signmar binary - # Point LD_LIBRARY_PATH to your mar-tools directory - pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION - NSSDB=/path/to/nssdb - SIGNMAR=/path/to/mar-tools/signmar - LD_LIBRARY_PATH=/path/to/mar-tools/ - ../../../tools/marsigning_check.sh - popd - -#. Generate and upload update_responses to staticiforme - ./upload-update_responses-to-staticiforme - -#. Enable update. On `staticiforme`. -# (for alpha release, use deploy_update_responses-alpha.sh instead) - staticiforme$ ~/deploy_update_responses-release.sh - -#. Clean linux-signer and macos-signer - ./finished-signing-clean-linux-signer - ./finished-signing-clean-macos-signer - -# Upload APKs to Google Play - Log into https://play.google.com/apps/publish - Select correct app (Tor Browser or Tor Browser Alpha) - Under left-side navigation bar, select "Production" under "Release" - Select "Create new release" button at upper right-side - Under "App bundles and APKs" section, "Upload" each signed APK - After uploading APKs: - - The "Release Name" should be automatically filled with the Firefox version - - Next to "Release notes" click "Copy from a previous release" - - Select the previous release and adjust the blog post url for this release - - Save, review, and configure rollout percentage at the bottom - - Use 25% rollout when publishing a scheduled update (without a security driver) - - Use 100% rollout when publishing an unscheduled update or security-driven release - Roll out. - - Note, you may receive three warning messages about: - 1) app is larger than it is necessary (android app bundle), - 2) missing deobfuscation file for better crash analysis - 3) missing debug symbol file - - These warnings are expected and should be accepted. - - See below for updating the rollout percentage. - -# Release on F-Droid - Publication on F-Droid via the Guardian Project's repository should be - automatic. Hans is responsible for maintaining this automation. - -# Update rollout percentage - After 24 hours, check the Release Daskboard: - - "Release"->"Production" and select the "Release Dashboard" tab - If the Release Dashboard does not show any concerning trends (significant - increase in crashes or ANRs (Application Not Responding)), then continue on - to the next paragraph and increase rollout from 25% to 100%. Otherwise - consider halting rollout as described in the `RollingBackUpdate` process. - - Select the "Releases" tab on the "Production" page. The current released - version should indicate 25% rollout: "Available to 25% of users on Google Play" - On the right-side of the "View release details" button of the release there - should be a button labeled "Manage rollout" with a down-arrow. Clicking on - that button should show two options: - - Update rollout - - Halt rollout - - Select "Update rollout" and increase to 100% and click "Update". The change - should be immediately implemented and the "Manage rollout" button disappears. - -#. Write an email to tor-announce in case this release is concerned with getting -# a stable version out. Using the contents of the blog entry should do it. +# See also the open release prep issues: +# https://gitlab.torproject.org/groups/tpo/applications/-/issues/?sort=update… View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-spec/-/compare/2… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-spec/-/compare/2… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser][tor-browser-115.0esrbase-13.0-1] fixup! Bug 23247: Communicating security expectations for .onion
by ma1 (＠ma1) 13 Jul '23

13 Jul '23

ma1 pushed to branch tor-browser-115.0esrbase-13.0-1 at The Tor Project / Applications / Tor Browser Commits: 82c31751 by cypherpunks1 at 2023-07-12T16:18:15-08:00 fixup! Bug 23247: Communicating security expectations for .onion Bug 41399: Enable brotli encoding for http onions - - - - - 1 changed file: - netwerk/protocol/http/HttpBaseChannel.cpp Changes: ===================================== netwerk/protocol/http/HttpBaseChannel.cpp ===================================== @@ -340,6 +340,7 @@ void HttpBaseChannel::AddClassificationFlags(uint32_t aClassificationFlags, static bool isSecureOrTrustworthyURL(nsIURI* aURI) { return aURI->SchemeIs("https") || + nsMixedContentBlocker::IsPotentiallyTrustworthyOnion(aURI) || (StaticPrefs::network_http_encoding_trustworthy_is_https() && nsMixedContentBlocker::IsPotentiallyTrustworthyLoopbackURL(aURI)); } @@ -366,7 +367,6 @@ nsresult HttpBaseChannel::Init(nsIURI* aURI, uint32_t aCaps, // Construct connection info object nsAutoCString host; int32_t port = -1; - bool isHTTPS = isSecureOrTrustworthyURL(mURI); nsresult rv = mURI->GetAsciiHost(host); if (NS_FAILED(rv)) return rv; @@ -395,7 +395,7 @@ nsresult HttpBaseChannel::Init(nsIURI* aURI, uint32_t aCaps, if (NS_FAILED(rv)) return rv; rv = gHttpHandler->AddStandardRequestHeaders( - &mRequestHead, isHTTPS, aContentPolicyType, + &mRequestHead, isSecureOrTrustworthyURL(mURI), aContentPolicyType, nsContentUtils::ShouldResistFingerprinting(this)); if (NS_FAILED(rv)) return rv; View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/82c3175… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/82c3175… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser-spec][main] Bug 31161: Document Android signing key creation/usage
by boklm (＠boklm) 13 Jul '23

13 Jul '23

boklm pushed to branch main at The Tor Project / Applications / tor-browser-spec Commits: 2b940775 by Matthew Finkel at 2023-07-13T10:14:42+02:00 Bug 31161: Document Android signing key creation/usage - - - - - 2 changed files: - + processes/APKSigning - processes/KeyGeneration Changes: ===================================== processes/APKSigning ===================================== @@ -0,0 +1,29 @@ +Signing Tor Browser for Android on a Linux machine +================================================== + +Signing +------- + +1) Ensure pkcs11 configuration file is available + +# Create a file containing the Provider arguments +- cat > /tmp/pkcs11_java.cfg << EOF +name = OpenSC-PKCS11 +description = SunPKCS11 via OpenSC +library = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so +slotListIndex = 0 +EOF + +2) Test the configuration file with `keytool` and confirm it can access the smartcard +- keytool -providerClass sun.security.pkcs11.SunPKCS11 \ + -providerArg /tmp/pkcs11_java.cfg -keystore NONE \ + -storetype PKCS11 -list + + +3) Signing the exectuable(s): + +- path/to/apksigner sign --verbose --provider-class sun.security.pkcs11.SunPKCS11 \ + --provider-arg pkcs11_java.cfg --ks NONE --ks-type PKCS11 \ + --debuggable-apk-permitted=false \ + --out tor-browser-${VERSION}-android-${arch}-multi-qa.apk \ + tor-browser-${VERSION}-android-${arch}-multi-unsigned.apk ===================================== processes/KeyGeneration ===================================== @@ -100,3 +100,71 @@ certtool r CertificateSigningRequest.certSigningRequest security add-certificates ~/developerID_application.cer security find-identity + + +APK Signing Key +=============== + +These instructions are for a Nitrokey, as described in +https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26536 + +Software needed: +---------------- + +1) Android SDK build tools + + - Latest (at time of writing): + - https://developer.android.com/studio?hl=i#downloads + - https://dl.google.com/android/repository/commandlinetools-linux-6609375_lat… + - 89f308315e041c93a37a79e0627c47f21d5c5edbe5e80ea8dc0aac8a649e0e92 + +Installation +------------ + +1) Requirements + +- for the signing: sudo apt-get install nitrokey-app opensc-pkcs11 opensc openjdk-8-jdk + - https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26536#n… + +`nitrokey-app` should automatically detect the nitrokey if it is connected +Debian Stretch provides version 0.6.3-1. + + $ nitrokey-app + +Expect: "Application started successfully." + + +Key Generation +-------------- + +1) Generate 4096-bit RSA key pair + + $ openssl genrsa -out secretkey.pem -aes128 -rand /dev/urandom 4096 + +2) Create CSR + + $ openssl req -new -key secretkey.pem -out request.pem -subj "/CN=Tor Browser/O=The Tor Project/L=Seattle/ST=WA/C=US" + +3) Generate certificate (Google Play requires minimum expiratation date of 22 October 2033 + # If you plan to publish your apps on Google Play, the key you use to sign + # your app must have a validity period ending after 22 October 2033. Google + # Play enforces this requirement to ensure that users can seamlessly + # upgrade apps when new versions are available. + # https://developer.android.com/studio/publish/app-signing#considerations + + $ openssl x509 -req -days 5475 -in request.pem -signkey secretkey.pem -out certificate.pem -extfile openssl.cnf -extensions usr_cert + +4) Export secret key and certificate in PKCS12 + + $ openssl pkcs12 -export -out secret_and_certificate.p12 -in certificate.pem -inkey secretkey.pem -aes128 + +5) Extract RSA public key + + $ openssl rsa -in secretkey.pem -pubout -out publickey.pem + +Install private signing key on Nitrokey +--------------------------------------- + +- pkcs15-init --delete-objects privkey,pubkey,chain \ + --id 3 --store-private-key secret_and_certificate.p12 \ + --format pkcs12 --auth-id 3 --verify-pin View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-spec/-/commit/2b… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-spec/-/commit/2b… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser][base-browser-115.0esrbase-13.0-1] Bug 41092: Add a RemoteSettings JSON dump for query-stripping
by ma1 (＠ma1) 12 Jul '23

12 Jul '23

ma1 pushed to branch base-browser-115.0esrbase-13.0-1 at The Tor Project / Applications / Tor Browser Commits: 0a89389f by cypherpunks1 at 2023-07-13T00:40:56+02:00 Bug 41092: Add a RemoteSettings JSON dump for query-stripping - - - - - 2 changed files: - services/settings/static-dumps/main/moz.build - + services/settings/static-dumps/main/query-stripping.json Changes: ===================================== services/settings/static-dumps/main/moz.build ===================================== @@ -5,6 +5,7 @@ FINAL_TARGET_FILES.defaults.settings.main += [ "doh-config.json", "doh-providers.json", + "query-stripping.json", ] if CONFIG["MOZ_BUILD_APP"] == "browser": ===================================== services/settings/static-dumps/main/query-stripping.json ===================================== @@ -0,0 +1,44 @@ +{ + "data": [ + { + "schema": 1678379807899, + "allowList": [], + "stripList": [ + "gclid", + "dclid", + "msclkid", + "_openstat", + "yclid", + "wickedid", + "twclid", + "_hsenc", + "__hssc", + "__hstc", + "__hsfp", + "hsctatracking", + "wbraid", + "gbraid", + "ysclid" + ], + "id": "85078bad-f31e-4d93-bb8a-81088b25d6dd", + "last_modified": 1678736907773 + }, + { + "schema": 1649695008608, + "allowList": [], + "stripList": [ + "mc_eid", + "oly_anon_id", + "oly_enc_id", + "__s", + "vero_id", + "_hsenc", + "mkt_tok", + "fbclid" + ], + "id": "76495cfc-fac9-4079-9b5f-9ff0784484de", + "last_modified": 1649762862679 + } + ], + "timestamp": 1678736907773 +} View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/0a89389… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/0a89389… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser][base-browser-115.0esrbase-13.0-1] Bug 33955: When copying an image only copy the image contents to the clipboard
by richard (＠richard) 12 Jul '23

12 Jul '23

richard pushed to branch base-browser-115.0esrbase-13.0-1 at The Tor Project / Applications / Tor Browser Commits: 53c25feb by cypherpunks1 at 2023-07-12T22:21:16+00:00 Bug 33955: When copying an image only copy the image contents to the clipboard - - - - - 2 changed files: - browser/base/content/browser-context.inc - dom/base/nsCopySupport.cpp Changes: ===================================== browser/base/content/browser-context.inc ===================================== @@ -219,7 +219,7 @@ #ifdef CONTEXT_COPY_IMAGE_CONTENTS <menuitem id="context-copyimage-contents" data-l10n-id="main-context-menu-image-copy" - oncommand="goDoCommand('cmd_copyImage');"/> + oncommand="goDoCommand('cmd_copyImageContents');"/> #endif <menuitem id="context-copyimage" data-l10n-id="main-context-menu-image-copy-link" ===================================== dom/base/nsCopySupport.cpp ===================================== @@ -503,7 +503,7 @@ nsresult nsCopySupport::ImageCopy(nsIImageLoadingContent* aImageElement, trans->SetReferrerInfo(referrerInfo); } -#ifdef XP_WIN +#if defined(XP_WIN) && !defined(BASE_BROWSER_VERSION) rv = AppendImagePromise(trans, imgRequest, aImageElement); NS_ENSURE_SUCCESS(rv, rv); #endif View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/53c25fe… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/53c25fe… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser][tor-browser-115.0esrbase-13.0-1] Bug 33955: When copying an image only copy the image contents to the clipboard
by richard (＠richard) 12 Jul '23

12 Jul '23

richard pushed to branch tor-browser-115.0esrbase-13.0-1 at The Tor Project / Applications / Tor Browser Commits: 1fde2e0f by cypherpunks1 at 2023-07-12T22:20:31+00:00 Bug 33955: When copying an image only copy the image contents to the clipboard - - - - - 2 changed files: - browser/base/content/browser-context.inc - dom/base/nsCopySupport.cpp Changes: ===================================== browser/base/content/browser-context.inc ===================================== @@ -219,7 +219,7 @@ #ifdef CONTEXT_COPY_IMAGE_CONTENTS <menuitem id="context-copyimage-contents" data-l10n-id="main-context-menu-image-copy" - oncommand="goDoCommand('cmd_copyImage');"/> + oncommand="goDoCommand('cmd_copyImageContents');"/> #endif <menuitem id="context-copyimage" data-l10n-id="main-context-menu-image-copy-link" ===================================== dom/base/nsCopySupport.cpp ===================================== @@ -503,7 +503,7 @@ nsresult nsCopySupport::ImageCopy(nsIImageLoadingContent* aImageElement, trans->SetReferrerInfo(referrerInfo); } -#ifdef XP_WIN +#if defined(XP_WIN) && !defined(BASE_BROWSER_VERSION) rv = AppendImagePromise(trans, imgRequest, aImageElement); NS_ENSURE_SUCCESS(rv, rv); #endif View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/1fde2e0… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/1fde2e0… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser][tor-browser-115.0esrbase-13.0-1] 2 commits: fixup! Firefox preference overrides.
by ma1 (＠ma1) 12 Jul '23

12 Jul '23

ma1 pushed to branch tor-browser-115.0esrbase-13.0-1 at The Tor Project / Applications / Tor Browser Commits: 44eff978 by cypherpunks1 at 2023-07-12T14:35:28+00:00 fixup! Firefox preference overrides. Bug 41092: Enable URL query stripping to protect against cross-site tracking - - - - - 9740e17d by cypherpunks1 at 2023-07-12T14:35:28+00:00 Bug 41092: Add a RemoteSettings JSON dump for query-stripping - - - - - 3 changed files: - browser/app/profile/001-base-profile.js - services/settings/static-dumps/main/moz.build - + services/settings/static-dumps/main/query-stripping.json Changes: ===================================== browser/app/profile/001-base-profile.js ===================================== @@ -505,6 +505,11 @@ pref("corroborator.enabled", false); // stop using .textContent. pref("intl.multilingual.liveReload", false); +// Enable URL query stripping to protect against cross-site tracking (tor-browser#41092) +pref("privacy.query_stripping.enabled", true); +pref("privacy.query_stripping.enabled.pbmode", true); +pref("privacy.query_stripping.strip_on_share.enabled", true); + #ifdef XP_WIN // prefs to disable jump-list entries in the taskbar on Windows (see bug #12885) // this pref changes the app's set AUMID to be dependent on the profile path, rather than ===================================== services/settings/static-dumps/main/moz.build ===================================== @@ -5,6 +5,7 @@ FINAL_TARGET_FILES.defaults.settings.main += [ "doh-config.json", "doh-providers.json", + "query-stripping.json", ] if CONFIG["MOZ_BUILD_APP"] == "browser": ===================================== services/settings/static-dumps/main/query-stripping.json ===================================== @@ -0,0 +1,44 @@ +{ + "data": [ + { + "schema": 1678379807899, + "allowList": [], + "stripList": [ + "gclid", + "dclid", + "msclkid", + "_openstat", + "yclid", + "wickedid", + "twclid", + "_hsenc", + "__hssc", + "__hstc", + "__hsfp", + "hsctatracking", + "wbraid", + "gbraid", + "ysclid" + ], + "id": "85078bad-f31e-4d93-bb8a-81088b25d6dd", + "last_modified": 1678736907773 + }, + { + "schema": 1649695008608, + "allowList": [], + "stripList": [ + "mc_eid", + "oly_anon_id", + "oly_enc_id", + "__s", + "vero_id", + "_hsenc", + "mkt_tok", + "fbclid" + ], + "id": "76495cfc-fac9-4079-9b5f-9ff0784484de", + "last_modified": 1649762862679 + } + ], + "timestamp": 1678736907773 +} View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/5b4fa6… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/5b4fa6… You're receiving this email because of your account on gitlab.torproject.org.

1 0