GitLab

at 2024-10-25T00:31:34+00:00

Update release prep issue templates

+# Release Prep Mullvad Browser Alpha

+

+- **NOTE** It is assumed the `mullvad-browser` alpha rebase and security backport tasks have been completed

+- **NOTE** This can/is often done in conjunction with the equivalent Tor Browser release prep issue

+

 <details>

   <summary>Explanation of variables</summary>

 

-- `$(BUILD_SERVER)` : the server the main builder is using to build a mullvad-browser release

-- `$(BUILDER)` : whomever is building the release on the $(BUILD_SERVER)

-  - **example** : `pierov`

-- `$(STAGING_SERVER)` : the server the signer is using to to run the signing process

-- `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building mullvad-browser tags, labels, etc

-  - **example** : `91.6.0`

-- `$(MULLVAD_BROWSER_MAJOR)` : the Mullvad Browser major version

-  - **example** : `11`

-- `$(MULLVAD_BROWSER_MINOR)` : the Mullvad Browser minor version

-  - **example** : either `0` or `5`; Alpha's is always `(Stable + 5) % 10`

-- `$(MULLVAD_BROWSER_VERSION)` : the Mullvad Browser version in the format

-  - **example** : `12.5a3`, `12.0.3`

-- `$(BUILD_N)` : a project's build revision within a its branch; this is separate from the `$(MULLVAD_BROWSER_BUILD_N)` value; many of the Firefox-related projects have a `$(BUILD_N)` suffix and may differ between projects even when they contribute to the same build.

-    - **example** : `build1`

-- `$(MULLVAD_BROWSER_BUILD_N)` : the mullvad-browser build revision for a given Mullvad Browser release; used in tagging git commits

-    - **example** : `build2`

-    - **NOTE** : A project's `$(BUILD_N)` and `$(MULLVAD_BROWSER_BUILD_N)` may be the same, but it is possible for them to diverge. For **example** :

-      - if we have multiple Mullvad Browser releases on a given ESR branch the two will become out of sync as the `$(BUILD_N)` value will increase, while the `$(MULLVAD_BROWSER_BUILD_N)` value may stay at `build1` (but the `$(MULLVAD_BROWSER_VERSION)` will increase)

-      - if we have build failures unrelated to `mullvad-browser`, the `$(MULLVAD_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same.

-- `$(MULLVAD_BROWSER_VERSION)` : the published Mullvad Browser version

-    - **example** : `11.5a6`, `11.0.7`

-- `$(MB_BUILD_TAG)` : the `tor-browser-build` build tag used to build a given Mullvad Browser version

-    - **example** : `mb-12.0.7-build1`

+- `${BUILD_SERVER}`: the server the main builder is using to build a browser release

+- `${BUILDER}`: whomever is building the release on the ${BUILD_SERVER}

+  - **example**: `pierov`

+- `${STAGING_SERVER}`: the server the signer is using to to run the signing process

+- `${ESR_VERSION}`: the Mozilla defined ESR version, used in various places for building browser tags, labels, etc

+  - **example**: `91.6.0`

+- `${MULLVAD_BROWSER_MAJOR}`: the Mullvad Browser major version

+  - **example**: `11`

+- `${MULLVAD_BROWSER_MINOR}`: the Mullvad Browser minor version

+  - **example**: either `0` or `5`; Alpha's is always `(Stable + 5) % 10`

+- `${MULLVAD_BROWSER_VERSION}`: the Mullvad Browser version in the format

+  - **example**: `12.5a3`, `12.0.3`

+- `${BUILD_N}`: a project's build revision within a its branch; this is separate from the `${MULLVAD_BROWSER_BUILD_N}` value; many of the Firefox-related projects have a `${BUILD_N}` suffix and may differ between projects even when they contribute to the same build.

+  - **example**: `build1`

+- `${MULLVAD_BROWSER_BUILD_N}`: the mullvad-browser build revision for a given Mullvad Browser release; used in tagging git commits

+  - **example**: `build2`

+    - **⚠️ WARNING**: A project's `${BUILD_N}` and `${MULLVAD_BROWSER_BUILD_N}` may be the same, but it is possible for them to diverge. For **example** :

+      - if we have multiple Mullvad Browser releases on a given ESR branch the two will become out of sync as the `${BUILD_N}` value will increase, while the `${MULLVAD_BROWSER_BUILD_N}` value may stay at `build1` (but the `${MULLVAD_BROWSER_VERSION}` will increase)

+      - if we have build failures unrelated to `mullvad-browser`, the `${MULLVAD_BROWSER_BUILD_N}` value will increase while the `${BUILD_N}` will stay the same.

+- `${MULLVAD_BROWSER_VERSION}`: the published Mullvad Browser version

+    - **example**: `11.5a6`, `11.0.7`

+- `${MB_BUILD_TAG}`: the `tor-browser-build` build tag used to build a given Mullvad Browser version

+  - **example**: `mb-12.0.7-build1`

+- `${RELEASE_DATE}`: the intended release date of this browser release; for ESR schedule-driven releases, this should match the upstream Firefox release date

+  - **example**: `2024-10-29`

+

 </details>

 

-**NOTE** It is assumed that the `tor-browser` alpha rebase and security backport tasks have been completed

+<details>

+  <summary>Build Configuration</summary>

 

-**NOTE** This can/is often done in conjunction with the equivalent Tor Browser release prep issue

+### mullvad-browser: https://gitlab.torproject.org/tpo/applications/mullvad-browser.git

 

-<details>

-  <summary>Building</summary>

+- [ ] Tag `mullvad-browser` commit:

+  - **example**: `mullvad-browser-128.4.0esr-14.5-1-build1`

 

 ### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git

 Mullvad Browser Alpha (and Nightly) are on the `main` branch

 

-- [ ] Update `rbm.conf`

-  - [ ] `var/torbrowser_version` : update to next version

-  - [ ] `var/torbrowser_build` : update to `$(MULLVAD_BROWSER_BUILD_N)`

-  - [ ] `var/browser_release_date` : update to build date. For the build to be reproducible, the date should be in the past when building.

-  - [ ] `var/torbrowser_incremental_from` : update to previous Desktop version

-    - **NOTE**: We try to build incrementals for the previous 3 desktop versions except in the case of a watershed update

-    - **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make mullvadbrowser-incrementals-*` step will fail

-- [ ] Update build configs

-  - [ ] Update `projects/firefox/config`

-    - [ ] `browser_build` : update to match `mullvad-browser` tag

-    - [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased

-  - [ ] Update `projects/translation/config`:

-    - [ ] run `make list_translation_updates-alpha` to get updated hashes

-    - [ ] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch

-    - [ ] `steps/mullvad-browser/git_hash` : update with `HEAD` commit of project's `mullvad-browser` branch

-- [ ] Update common build configs

-  - [ ] Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript

-    - [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/browser/config`

-      - [ ] `URL`

-      - [ ] `sha256sum`

-  - [ ] Check for uBlock-origin updates here : https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/

-    - [ ] ***(Optional)*** If new version available, update `ublock-origin` section of `input_files` in `projects/browser/config`

-      - [ ] `URL`

-      - [ ] `sha256sum`

-  - [ ] Check for Mullvad Browser Extension updates here : https://github.com/mullvad/browser-extension/releases

-    - [ ] ***(Optional)*** If new version available, update `mullvad-extension` section of `input_files` in `projects/browser/config`

-      - [ ] `URL`

-      - [ ] `sha256sum`

-- [ ] Update `ChangeLog-MB.txt`

-  - [ ] Ensure `ChangeLog-MB.txt` is sync'd between alpha and stable branches

-  - [ ] Check the linked issues: ask people to check if any are missing, remove the not fixed ones

-  - [ ] Run `./tools/fetch_changelogs.py $(ISSUE_NUMBER) --date $date $updateArgs`

-    - Make sure you have `requests` installed (e.g., `apt install python3-requests`)

-    - The first time you run this script you will need to generate an access token; the script will guide you

-    - `$updateArgs` should be these arguments, depending on what you actually updated:

-      - [ ] `--firefox` (be sure to include esr at the end if needed, which is usually the case)

-      - [ ] `--no-script`

-      - [ ] `--ublock`

-      - E.g., `./tools/fetch_changelogs.py 41029 --date 'December 19 2023' --firefox 115.6.0esr --no-script 11.4.29 --ublock 1.54.0`

-    - `--date $date` is optional, if omitted it will be the date on which you run the command

-  - [ ] Copy the output of the script to the beginning of `ChangeLog-MB.txt` and adjust its output

+- [ ] Changelog bookkeeping:

+  - [ ] Ensure all commits to `mullvad-browser` and `tor-browser-build` for this release have an associated issue linked to this release preparation issue

+  - [ ] Ensure each issue has a platform (~Windows, ~MacOS, ~Linux, ~Desktop, ~"All Platforms") and potentially ~"Build System" labels

+- [ ] Create a release preparation branch from the `main` branch

+- [ ] Run release preparation script:

+  - **NOTE**: You can omit the `--mullvad-browser` argument if this is for a joint Tor and Mullvad Browser release

+  - **⚠️ WARNING**: You may need to manually update the `firefox/config` file's `browser_build` field if `mullvad-browser.git` has not yet been tagged (e.g. if security backports have not yet been merged and tagged)

+  ```bash

+  ./tools/relprep.py --mullvad-browser  --date ${RELEASE_DATE} ${MULLVAD_BROWSER_VERSION}

+  ```

+- [ ] Review build configuration changes:

+  - [ ] `rbm.conf`

+    - [ ] `var/torbrowser_version`: updated to next browser version

+    - [ ] `var/torbrowser_build`: updated to `${MULLVAD_BROWSER_BUILD_N}`

+    - [ ] `var/browser_release_date`: updated to build date. For the build to be reproducible, the date should be in the past when building.

+      - **⚠️ WARNING**: If we have updated `var/torbrowser_build` without updating the `firefox` tag, then we can leave this unchanged to avoid forcing a firefox re-build (e.g. when bumping `var/torbrowser_build` to build2, build3, etc due to non-firefox related build issues)

+    - [ ] `var/torbrowser_incremental_from`: updated to previous Desktop version

+      - **NOTE**: We try to build incrementals for the previous 3 desktop versions

+      - **⚠️ WARNING**: Really *actually* make sure this is the previous Desktop version or else the `make mullvadbrowser-incrementals-*` step will fail

+  - [ ] `projects/firefox/config`

+    - [ ] `browser_build`: updated to match `mullvad-browser` tag

+    - [ ] ***(Optional)*** `var/firefox_platform_version`: updated to latest `${ESR_VERSION}` if rebased

+  - [ ] ***(Optional)*** `projects/translation/config`:

+    - [ ] `steps/base-browser/git_hash`: updated with `HEAD` commit of project's `base-browser` branch

+    - [ ] `steps/mullvad-browser/git_hash`: updated with `HEAD` commit of project's `mullvad-browser` branch

+  - [ ] ***(Optional)*** `projects/browser/config`:

+    - [ ] NoScript: https://addons.mozilla.org/en-US/firefox/addon/noscript

+      - [ ] `URL` updated

+        - **⚠️ WARNING**: If preparing the release manually, updating the version number in the url is not sufficient, as each version has a random unique id in the download url

+      - [ ] `sha256sum` updated

+    - [ ] uBlock-origin: https://addons.mozilla.org/en-US/firefox/addon/ublock-origin

+      - [ ] `URL` updated

+        - **⚠️ WARNING**: If preparing the release manually, updating the version number in the url is not sufficient, as each version has a random unique id in the download url

+      - [ ] `sha256sum` updated

+    - [ ] Mullvad Browser extension: https://github.com/mullvad/browser-extension/releases

+      - [ ] `URL` updated

+      - [ ] `sha256sum` updated

+  - [ ] `ChangeLog-MB.txt`: ensure correctness

+    - [ ] Browser name correct

+    - [ ] Release date correct

+    - [ ] No Android updates

+    - [ ] All issues added under correct platform

+    - [ ] ESR updates correct

+    - [ ] Component updates correct

 - [ ] Open MR with above changes, using the template for release preparations

+  - **NOTE**: target the `main` branch

 - [ ] Merge

 - [ ] Sign+Tag

   - **NOTE** this must be done by one of:

     - ma1

     - morgan

     - pierov

-  - [ ] Run: `make mullvadbrowser-signtag-alpha`

+  - [ ] Run:

+    ```bash

+    make mullvadbrowser-signtag-alpha

+    ```

   - [ ] Push tag to `upstream`

 - [ ] Build the tag:

-  - Run `make mullvadbrowser-alpha && make mullvadbrowser-incrementals-alpha` on:

+  - [ ] Run:

+    ```bash

+    make mullvadbrowser-alpha && make mullvadbrowser-incrementals-alpha

+    ```

     - [ ] Tor Project build machine

     - [ ] Local developer machine

   - [ ] Submit build request to Mullvad infrastructure:

     - **NOTE** this requires a devmole authentication token

-    - Run `make mullvadbrowser-kick-devmole-build`

-- [ ] Ensure builders have matching builds

+    - **NOTE** this also requires you be connected to a Swedish Mulvad VPN exit

+    - [ ] Run:

+      ```bash

+      make mullvadbrowser-kick-devmole-build

+      ```

 

 </details>

 

 ### release signing

 - [ ] Assign this issue to the signer, one of:

   - boklm

+  - ma1

   - morgan

-- [ ] On `$(STAGING_SERVER)`, ensure updated:

-  - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-$(MULLVAD_BROWSER_VERSION)-$(MULLVAD_BROWSER_BUILD_N) && git checkout tbb-$(MULLVAD_BROWSER_VERSION)-$(MULLVAD_BROWSER_BUILD_N)`

+  - pierov

+- [ ] Ensure all builders have matching builds

+- [ ] On `${STAGING_SERVER}`, ensure updated:

+  - **NOTE** Having a local git branch with `main` as the upstream branch with these values saved means you only need to periodically `git pull --rebase` and update the `set-config.tbb-version` file

+  - [ ] `tor-browser-build` is on the right commit: `git tag -v mb-${MULLVAD_BROWSER_VERSION}-${MULLVAD_BROWSER_BUILD_N} && git checkout mb-${MULLVAD_BROWSER_VERSION}-${MULLVAD_BROWSER_BUILD_N}`

   - [ ] `tor-browser-build/tools/signing/set-config.hosts`

-    - `ssh_host_builder` : ssh hostname of machine with unsigned builds

-      - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory)

-    - `ssh_host_linux_signer` : ssh hostname of linux signing machine

+    - `ssh_host_builder`: ssh hostname of machine with unsigned builds

+    - `ssh_host_linux_signer`: ssh hostname of linux signing machine

+    - `builder_tor_browser_build_dir`: path on `ssh_host_builder` to root of builder's `tor-browser-build` clone containing unsigned builds

   - [ ] `tor-browser-build/tools/signing/set-config.rcodesign-appstoreconnect`

-    - `appstoreconnect_api_key_path` : path to json file containing appstoreconnect api key infos

+    - `appstoreconnect_api_key_path`: path to json file containing appstoreconnect api key infos

   - [ ] `set-config.update-responses`

-    - `update_responses_repository_dir` : directory where you cloned `git@gitlab.torproject.org:tpo/applications/mullvad-browser-update-responses.git`

+    - `update_responses_repository_dir`: directory where you cloned `git@gitlab.torproject.org:tpo/applications/mullvad-browser-update-responses.git`

   - [ ] `tor-browser-build/tools/signing/set-config.tbb-version`

-    - `tbb_version` : mullvad browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`)

-    - `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`)

-    - `tbb_version_type` : either `alpha` for alpha releases or `release` for stable releases

-- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050

-- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, run do-all-signing script:

-  - `cd tor-browser-build/tools/signing/`

-  - `./do-all-signing.mullvadbrowser`

-- **NOTE**: at this point the signed binaries should have been copied to `staticiforme`

-- [ ] Update `staticiforme.torproject.org`:

-  - From `screen` session on `staticiforme.torproject.org`:

-  - [ ] Remove old release data from `/srv/dist-master.torproject.org/htdocs/mullvadbrowser`

-  - [ ] Static update components (again) : `static-update-component dist.torproject.org`

+    - `tbb_version`: mullvad browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`)

+    - `tbb_version_build`: the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`)

+    - `tbb_version_type`: either `alpha` for alpha releases or `release` for stable releases

+- [ ] On `${STAGING_SERVER}` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050

+- [ ] On `${STAGING_SERVER}` in a separate `screen` session, run do-all-signing script:

+  - [ ] Run:

+    ```bash

+    cd tor-browser-build/tools/signing/ && ./do-all-signing.mullvadbrowser

+    ```

+  - **NOTE**: on successful execution, the signed binaries and mars should have been copied to `staticiforme` and update responses pushed

 

 </details>

 

 <details>

   <summary>Publishing</summary>

 

+### website

+- [ ] On `staticiforme.torproject.org`, remove old release and publish new:

+  - [ ] `/srv/dist-master.torproject.org/htdocs/mullvadbrowser`

+  - [ ] Run:

+    ```bash

+    static-update-component dist.torproject.org

+    ```

+

 ### mullvad-browser (GitHub): https://github.com/mullvad/mullvad-browser/

 - [ ] Assign this issue to someone with mullvad commit access, one of:

     - boklm

     - ma1

     - morgan

     - pierov

+- [ ] Sign+Tag additionally the `mullvad-browser.git` `firefox` commit used in build:

+  - **Tag**: `${MULLVAD_BROWSER_VERSION}`

+    - **example**: `12.5a7`

+  - **Message**: `${ESR_VERSION}esr-based ${MULLVAD_BROWSER_VERSION}`

+    - **example**: `102.12.0esr-based 12.5a7`

 - [ ] Push this release's associated `mullvad-browser.git` branch to github

 - [ ] Push this release's associated tags to github:

   - [ ] Firefox ESR tag

-    - **example** : `FIREFOX_102_12_0esr_BUILD1`

+    - **example**: `FIREFOX_102_12_0esr_BUILD1`

   - [ ] `base-browser` tag

-    - **example** : `base-browser-102.12.0esr-12.0-1-build1`

-  - [ ] `mullvad-browser` tag

-    - **example** : `mullvad-browser-102.12.0esr-12.0-1-build1`

-- [ ] Sign+Tag additionally the `mullvad-browser.git` `firefox` commit used in build:

-  - **Tag**: `$(MULLVAD_BROWSER_VERSION)`

-    - **example** : `12.5a7`

-  - **Message**: `$(ESR_VERSION)esr-based $(MULLVAD_BROWSER_VERSION)`

-    - **example** : `102.12.0esr-based 12.5a7`

-  - [ ] Push tag to github

-

-### email

-- [ ] **(Once branch+tags pushed to GitHub)** Email Mullvad with release information:

-  - [ ] support alias: support@mullvadvpn.net

-  - [ ] Rui: rui@mullvad.net

+    - **example**: `base-browser-102.12.0esr-12.0-1-build1`

+  - [ ] `mullvad-browser` build tag

+    - **example**: `mullvad-browser-102.12.0esr-12.0-1-build1`

+  - [ ] `mullvad-browser` release tag

+    - **example**: `12.0.11`

+

+</details>

+

+<details>

+  <summary>Communications</summary>

+

+### Mullvad

+- [ ] Email Mullvad with release information:

+  - **Recipients**

+    - Mullvad support alias: support@mullvadvpn.net

+    - Rui Hildt: rui@mullvad.net

+    ```

+    support@mullvadvpn.net rui@mullvad.net

+    ```

   - **Subject**

     ```

-    New build: Mullvad Browser $(MULLVAD_BROWSER_VERION) (signed)

+    New build: Mullvad Browser ${MULLVAD_BROWSER_VERION} (signed)

     ```

   - **Body**

     ```

 

     Branch+Tags have been pushed to Mullvad's GitHub repo.

 

-    - signed builds: https://dist.torproject.org/mullvadbrowser/$(MULLVAD_BROWSER_VERSION)

-    - update_response hashes: $(MULLVAD_UPDATE_RESPONSES_HASH)

+    - signed builds: https://dist.torproject.org/mullvadbrowser/${MULLVAD_BROWSER_VERSION}

+    - update_response hashes: ${MULLVAD_UPDATE_RESPONSES_HASH}

 

     changelog:

+    # paste changelog as quote here

     ...

     ```

 

-</details>

-

-<details>

-  <summary>Downstream</summary>

-

-### notify packagers

-These steps depend on Mullvad having updated their [GitHub Releases](https://github.com/mullvad/mullvad-browser/releases/) page with the latest release

-- [ ] **(Optional)** Email downstream consumers:

+### packagers

+- [ ] **(Optional, Once Packages are pushed to GitHub)**

   - **NOTE**: This is an optional step and only necessary close a major release/transition from alpha to stable, or if there are major packing changes these developers need to be aware of

-  - [ ] flathub package maintainer: proletarius101@protonmail.com

-  - [ ] arch package maintainer: bootctl@gmail.com

-  - [ ] nixOS package maintainer: dev@felschr.com

+  - **Recipients**

+    - flathub package maintainer: proletarius101@protonmail.com

+    - arch package maintainer: bootctl@gmail.com

+    - nixOS package maintainer: dev@felschr.com

+    ```

+    proletarius101@protonmail.com bootctl@gmail.com dev@felschr.com

+    ```

   - **Subject**

     ```

-    Mullvad Browser $(MULLVAD_BROWSER_VERSION) released

+    Mullvad Browser ${MULLVAD_BROWSER_VERSION} released

     ```

   - **Body**

     ```

 

 /label ~"Release Prep"

 /label ~"Sponsor 131"
-
+# Release Prep Mullvad Browser Stable

+

+- **NOTE** It is assumed the `mullvad-browser` release rebase and security backport tasks have been completed

+- **NOTE** This can/is often done in conjunction with the equivalent Tor Browser release prep issue

+

 <details>

   <summary>Explanation of variables</summary>

 

-- `$(BUILD_SERVER)` : the server the main builder is using to build a mullvad-browser release

-- `$(BUILDER)` : whomever is building the release on the $(BUILD_SERVER)

-  - **example** : `pierov`

-- `$(STAGING_SERVER)` : the server the signer is using to to run the signing process

-- `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building mullvad-browser tags, labels, etc

-  - **example** : `91.6.0`

-- `$(MULLVAD_BROWSER_MAJOR)` : the Mullvad Browser major version

-  - **example** : `11`

-- `$(MULLVAD_BROWSER_MINOR)` : the Mullvad Browser minor version

-  - **example** : either `0` or `5`; Alpha's is always `(Stable + 5) % 10`

-- `$(MULLVAD_BROWSER_VERSION)` : the Mullvad Browser version in the format

-  - **example** : `12.5a3`, `12.0.3`

-- `$(BUILD_N)` : a project's build revision within a its branch; this is separate from the `$(MULLVAD_BROWSER_BUILD_N)` value; many of the Firefox-related projects have a `$(BUILD_N)` suffix and may differ between projects even when they contribute to the same build.

-    - **example** : `build1`

-- `$(MULLVAD_BROWSER_BUILD_N)` : the mullvad-browser build revision for a given Mullvad Browser release; used in tagging git commits

-    - **example** : `build2`

-    - **NOTE** : A project's `$(BUILD_N)` and `$(MULLVAD_BROWSER_BUILD_N)` may be the same, but it is possible for them to diverge. For **example** :

-      - if we have multiple Mullvad Browser releases on a given ESR branch the two will become out of sync as the `$(BUILD_N)` value will increase, while the `$(MULLVAD_BROWSER_BUILD_N)` value may stay at `build1` (but the `$(MULLVAD_BROWSER_VERSION)` will increase)

-      - if we have build failures unrelated to `mullvad-browser`, the `$(MULLVAD_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same.

-- `$(MULLVAD_BROWSER_VERSION)` : the published Mullvad Browser version

-    - **example** : `11.5a6`, `11.0.7`

-- `$(MB_BUILD_TAG)` : the `tor-browser-build` build tag used to build a given Mullvad Browser version

-    - **example** : `mb-12.0.7-build1`

+- `${BUILD_SERVER}`: the server the main builder is using to build a browser release

+- `${BUILDER}`: whomever is building the release on the ${BUILD_SERVER}

+  - **example**: `pierov`

+- `${STAGING_SERVER}`: the server the signer is using to to run the signing process

+- `${ESR_VERSION}`: the Mozilla defined ESR version, used in various places for building browser tags, labels, etc

+  - **example**: `91.6.0`

+- `${MULLVAD_BROWSER_MAJOR}`: the Mullvad Browser major version

+  - **example**: `11`

+- `${MULLVAD_BROWSER_MINOR}`: the Mullvad Browser minor version

+  - **example**: either `0` or `5`; Alpha's is always `(Stable + 5) % 10`

+- `${MULLVAD_BROWSER_VERSION}`: the Mullvad Browser version in the format

+  - **example**: `12.5a3`, `12.0.3`

+- `${BUILD_N}`: a project's build revision within a its branch; this is separate from the `${MULLVAD_BROWSER_BUILD_N}` value; many of the Firefox-related projects have a `${BUILD_N}` suffix and may differ between projects even when they contribute to the same build.

+  - **example**: `build1`

+- `${MULLVAD_BROWSER_BUILD_N}`: the mullvad-browser build revision for a given Mullvad Browser release; used in tagging git commits

+  - **example**: `build2`

+    - **⚠️ WARNING**: A project's `${BUILD_N}` and `${MULLVAD_BROWSER_BUILD_N}` may be the same, but it is possible for them to diverge. For **example** :

+      - if we have multiple Mullvad Browser releases on a given ESR branch the two will become out of sync as the `${BUILD_N}` value will increase, while the `${MULLVAD_BROWSER_BUILD_N}` value may stay at `build1` (but the `${MULLVAD_BROWSER_VERSION}` will increase)

+      - if we have build failures unrelated to `mullvad-browser`, the `${MULLVAD_BROWSER_BUILD_N}` value will increase while the `${BUILD_N}` will stay the same.

+- `${MULLVAD_BROWSER_VERSION}`: the published Mullvad Browser version

+    - **example**: `11.5a6`, `11.0.7`

+- `${MB_BUILD_TAG}`: the `tor-browser-build` build tag used to build a given Mullvad Browser version

+   - **example**: `mb-12.0.7-build1`

+- `${RELEASE_DATE}`: the intended release date of this browser release; for ESR schedule-driven releases, this should match the upstream Firefox release date

+  - **example**: `2024-10-29`

+

 </details>

 

-**NOTE** It is assumed that the `tor-browser` stable rebase and security backport tasks have been completed

+<details>

+  <summary>Build Configuration</summary>

 

-**NOTE** This can/is often done in conjunction with the equivalent Tor Browser release prep issue

+### mullvad-browser: https://gitlab.torproject.org/tpo/applications/mullvad-browser.git

 

-<details>

-  <summary>Building</summary>

+- [ ] Tag `mullvad-browser` commit:

+  - **example**: `mullvad-browser-128.3.0esr-14.0-1-build1`

 

 ### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git

-Mullvad Browser Stable lives in the various `maint-$(MULLVAD_BROWSER_MAJOR).$(MULLVAD_BROWSER_MINOR)` (and possibly more specific) branches

-

-- [ ] Update `rbm.conf`

-  - [ ] `var/torbrowser_version` : update to next version

-  - [ ] `var/torbrowser_build` : update to `$(MULLVAD_BROWSER_BUILD_N)`

-  - [ ] `var/browser_release_date` : update to build date. For the build to be reproducible, the date should be in the past when building.

-  - [ ] `var/torbrowser_incremental_from` : update to previous Desktop version

-    - **NOTE**: We try to build incrementals for the previous 3 desktop versions except in the case of a watershed update

-    - **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make mullvadbrowser-incrementals-*` step will fail

-- [ ] Update build configs

-  - [ ] Update `projects/firefox/config`

-    - [ ] `browser_build` : update to match `mullvad-browser` tag

-    - [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased

-  - [ ] Update `projects/translation/config`:

-    - [ ] run `make list_translation_updates-release` to get updated hashes

-    - [ ] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch

-    - [ ] `steps/mullvad-browser/git_hash` : update with `HEAD` commit of project's `mullvad-browser` branch

-- [ ] Update common build configs

-  - [ ] Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript

-    - [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/browser/config`

-      - [ ] `URL`

-      - [ ] `sha256sum`

-  - [ ] Check for uBlock-origin updates here : https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/

-    - [ ] ***(Optional)*** If new version available, update `ublock-origin` section of `input_files` in `projects/browser/config`

-      - [ ] `URL`

-      - [ ] `sha256sum`

-  - [ ] Check for Mullvad Browser Extension updates here : https://github.com/mullvad/browser-extension/releases

-    - [ ] ***(Optional)*** If new version available, update `mullvad-extension` section of `input_files` in `projects/browser/config`

-      - [ ] `URL`

-      - [ ] `sha256sum`

-- [ ] Update `ChangeLog-MB.txt`

-  - [ ] Ensure `ChangeLog-MB.txt` is sync'd between alpha and stable branches

-  - [ ] Check the linked issues: ask people to check if any are missing, remove the not fixed ones

-  - [ ] Run `./tools/fetch-changelogs.py $(ISSUE_NUMBER) --date $date $updateArgs`

-    - Make sure you have `requests` installed (e.g., `apt install python3-requests`)

-    - The first time you run this script you will need to generate an access token; the script will guide you

-    - `$updateArgs` should be these arguments, depending on what you actually updated:

-      - [ ] `--firefox` (be sure to include esr at the end if needed, which is usually the case)

-      - [ ] `--no-script`

-      - [ ] `--ublock`

-      - E.g., `./tools/fetch-changelogs.py 41029 --date 'December 19 2023' --firefox 115.6.0esr --no-script 11.4.29 --ublock 1.54.0`

-    - `--date $date` is optional, if omitted it will be the date on which you run the command

-  - [ ] Copy the output of the script to the beginning of `ChangeLog-MB.txt` and adjust its output

+Mullvad Browser Stable is on the `maint-${MULLVAD_BROWSER_MAJOR}.${MULLVAD_BROWSER_MINOR}` branch

+

+- [ ] Changelog bookkeeping:

+  - [ ] Ensure all commits to `mullvad-browser` and `tor-browser-build` for this release have an associated issue linked to this release preparation issue

+  - [ ] Ensure each issue has a platform (~Windows, ~MacOS, ~Linux, ~Desktop, ~"All Platforms") and potentially ~"Build System" labels

+- [ ] Create a release preparation branch from the current `maint-XX.Y` branch

+- [ ] Run release preparation script:

+  - **NOTE**: You can omit the `--mullvad-browser` argument if this is for a joint Tor and Mullvad Browser release

+  - **⚠️ WARNING**: You may need to manually update the `firefox/config` file's `browser_build` field if `mullvad-browser.git` has not yet been tagged (e.g. if security backports have not yet been merged and tagged)

+  ```bash

+  ./tools/relprep.py --mullvad-browser --date ${RELEASE_DATE} ${MULLVAD_BROWSER_VERSION}

+  ```

+- [ ] Review build configuration changes:

+  - [ ] `rbm.conf`

+    - [ ] `var/torbrowser_version`: updated to next browser version

+    - [ ] `var/torbrowser_build`: updated to `${MULLVAD_BROWSER_BUILD_N}`

+    - [ ] `var/browser_release_date`: updated to build date. For the build to be reproducible, the date should be in the past when building.

+      - **⚠️ WARNING**: If we have updated `var/torbrowser_build` without updating the `firefox` tag, then we can leave this unchanged to avoid forcing a firefox re-build (e.g. when bumping `var/torbrowser_build` to build2, build3, etc due to non-firefox related build issues)

+    - [ ] `var/torbrowser_incremental_from`: updated to previous Desktop version

+      - **NOTE**: We try to build incrementals for the previous 3 desktop versions

+      - **⚠️ WARNING**: Really *actually* make sure this is the previous Desktop version or else the `make mullvadbrowser-incrementals-*` step will fail

+  - [ ] `projects/firefox/config`

+    - [ ] `browser_build`: updated to match `mullvad-browser` tag

+    - [ ] ***(Optional)*** `var/firefox_platform_version`: updated to latest `${ESR_VERSION}` if rebased

+  - [ ] ***(Optional)*** `projects/translation/config`:

+    - [ ] `steps/base-browser/git_hash`: updated with `HEAD` commit of project's `base-browser` branch

+    - [ ] `steps/mullvad-browser/git_hash`: updated with `HEAD` commit of project's `mullvad-browser` branch

+  - [ ] ***(Optional)*** `projects/browser/config`:

+    - [ ] NoScript: https://addons.mozilla.org/en-US/firefox/addon/noscript

+      - [ ] `URL` updated

+        - **⚠️ WARNING**: If preparing the release manually, updating the version number in the url is not sufficient, as each version has a random unique id in the download url

+      - [ ] `sha256sum` updated

+    - [ ] uBlock-origin: https://addons.mozilla.org/en-US/firefox/addon/ublock-origin

+      - [ ] `URL` updated

+        - **⚠️ WARNING**: If preparing the release manually, updating the version number in the url is not sufficient, as each version has a random unique id in the download url

+      - [ ] `sha256sum` updated

+    - [ ] Mullvad Browser extension: https://github.com/mullvad/browser-extension/releases

+      - [ ] `URL` updated

+      - [ ] `sha256sum` updated

+  - [ ] `ChangeLog-MB.txt`: ensure correctness

+    - [ ] Browser name correct

+    - [ ] Release date correct

+    - [ ] No Android updates

+    - [ ] All issues added under correct platform

+    - [ ] ESR updates correct

+    - [ ] Component updates correct

 - [ ] Open MR with above changes, using the template for release preparations

+  - **NOTE**: target the `maint-14.0` branch

 - [ ] Merge

 - [ ] Sign+Tag

   - **NOTE** this must be done by one of:

     - ma1

     - morgan

     - pierov

-  - [ ] Run: `make mullvadbrowser-signtag-release`

+  - [ ] Run:

+    ```bash

+    make mullvadbrowser-signtag-release

+    ```

   - [ ] Push tag to `upstream`

 - [ ] Build the tag:

-  - Run `make mullvadbrowser-release && make mullvadbrowser-incrementals-release`

+  - [ ] Run:

+    ```bash

+    make mullvadbrowser-release && make mullvadbrowser-incrementals-release

+    ```

     - [ ] Tor Project build machine

     - [ ] Local developer machine

   - [ ] Submit build request to Mullvad infrastructure:

     - **NOTE** this requires a devmole authentication token

-    - Run `make mullvadbrowser-kick-devmole-build`

-- [ ] Ensure builders have matching builds

+    - **NOTE** this also requires you be connected to a Swedish Mulvad VPN exit

+    - [ ] Run:

+      ```bash

+      make mullvadbrowser-kick-devmole-build

+      ```

 

 </details>

 

 ### release signing

 - [ ] Assign this issue to the signer, one of:

   - boklm

+  - ma1

   - morgan

-- [ ] On `$(STAGING_SERVER)`, ensure updated:

-  - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-$(MULLVAD_BROWSER_VERSION)-$(MULLVAD_BROWSER_BUILD_N) && git checkout tbb-$(MULLVAD_BROWSER_VERSION)-$(MULLVAD_BROWSER_BUILD_N)`

-  - [ ]  `tor-browser-build/tools/signing/set-config.hosts`

-    - `ssh_host_builder` : ssh hostname of machine with unsigned builds

-      - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory)

-    - `ssh_host_linux_signer` : ssh hostname of linux signing machine

+  - pierov

+- [ ] Ensure all builders have matching builds

+- [ ] On `${STAGING_SERVER}`, ensure updated:

+  - **NOTE** Having a local git branch with `maint-14.0` as the upstream branch with these values saved means you only need to periodically `git pull --rebase` and update the `set-config.tbb-version` file

+  - [ ] `tor-browser-build` is on the right commit: `git tag -v mb-${MULLVAD_BROWSER_VERSION}-${MULLVAD_BROWSER_BUILD_N} && git checkout mb-${MULLVAD_BROWSER_VERSION}-${MULLVAD_BROWSER_BUILD_N}`

+  - [ ] `tor-browser-build/tools/signing/set-config.hosts`

+    - `ssh_host_builder`: ssh hostname of machine with unsigned builds

+    - `ssh_host_linux_signer`: ssh hostname of linux signing machine

+    - `builder_tor_browser_build_dir`: path on `ssh_host_builder` to root of builder's `tor-browser-build` clone containing unsigned builds

   - [ ] `tor-browser-build/tools/signing/set-config.rcodesign-appstoreconnect`

-    - `appstoreconnect_api_key_path` : path to json file containing appstoreconnect api key infos

+    - `appstoreconnect_api_key_path`: path to json file containing appstoreconnect api key infos

   - [ ] `set-config.update-responses`

-    - `update_responses_repository_dir` : directory where you cloned `git@gitlab.torproject.org:tpo/applications/mullvad-browser-update-responses.git`

+    - `update_responses_repository_dir`: directory where you cloned `git@gitlab.torproject.org:tpo/applications/mullvad-browser-update-responses.git`

   - [ ] `tor-browser-build/tools/signing/set-config.tbb-version`

-    - `tbb_version` : mullvad browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`)

-    - `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`)

-    - `tbb_version_type` : either `alpha` for alpha releases or `release` for stable releases

-- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050

-- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, run do-all-signing script:

-  - `cd tor-browser-build/tools/signing/`

-  - `./do-all-signing.mullvadbrowser`

-- **NOTE**: at this point the signed binaries should have been copied to `staticiforme`

-- [ ] Update `staticiforme.torproject.org`:

-  - From `screen` session on `staticiforme.torproject.org`:

-  - [ ] Remove old release data from `/srv/dist-master.torproject.org/htdocs/mullvadbrowser`

-  - [ ] Static update components (again) : `static-update-component dist.torproject.org`

+    - `tbb_version`: mullvad browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`)

+    - `tbb_version_build`: the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`)

+    - `tbb_version_type`: either `alpha` for alpha releases or `release` for stable releases

+- [ ] On `${STAGING_SERVER}` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050

+- [ ] On `${STAGING_SERVER}` in a separate `screen` session, run do-all-signing script:

+  - [ ] Run:

+    ```bash

+    cd tor-browser-build/tools/signing/ && ./do-all-signing.mullvadbrowser

+    ```

+  - **NOTE**: on successful execution, the signed binaries and mars should have been copied to `staticiforme` and update responses pushed

 

 </details>

 

 <details>

   <summary>Publishing</summary>

 

+### website

+- [ ] On `staticiforme.torproject.org`, remove old release and publish new:

+  - [ ] `/srv/dist-master.torproject.org/htdocs/mullvadbrowser`

+  - [ ] Run:

+    ```bash

+    static-update-component dist.torproject.org

+    ```

+

 ### mullvad-browser (GitHub): https://github.com/mullvad/mullvad-browser/

 - [ ] Assign this issue to someone with mullvad commit access, one of:

     - boklm

     - ma1

     - morgan

     - pierov

+- [ ] Sign+Tag additionally the `mullvad-browser.git` `firefox` commit used in build:

+  - **Tag**: `${MULLVAD_BROWSER_VERSION}`

+    - **example**: `12.5a7`

+  - **Message**: `${ESR_VERSION}esr-based ${MULLVAD_BROWSER_VERSION}`

+    - **example**: `102.12.0esr-based 12.5a7`

 - [ ] Push this release's associated `mullvad-browser.git` branch to github

 - [ ] Push this release's associated tags to github:

   - [ ] Firefox ESR tag

-    - **example** : `FIREFOX_102_12_0esr_BUILD1`

+    - **example**: `FIREFOX_102_12_0esr_BUILD1`

   - [ ] `base-browser` tag

-    - **example** : `base-browser-102.12.0esr-12.0-1-build1`

-  - [ ] `mullvad-browser` tag

-    - **example** : `mullvad-browser-102.12.0esr-12.0-1-build1`

-- [ ] Sign+Tag additionally the `mullvad-browser.git` `firefox` commit used in build:

-  - **Tag**: `$(MULLVAD_BROWSER_VERSION)`

-    - **example** : `12.0.7`

-  - **Message**: `$(ESR_VERSION)esr-based $(MULLVAD_BROWSER_VERSION)`

-    - **example** : `102.12.0esr-based 12.0.7`

-  - [ ] Push tag to github

-

-### email

-- [ ] **(Once branch+tags pushed to GitHub)** Email Mullvad with release information:

-  - [ ] support alias: support@mullvadvpn.net

-  - [ ] Rui: rui@mullvad.net

+    - **example**: `base-browser-102.12.0esr-12.0-1-build1`

+  - [ ] `mullvad-browser` build tag

+    - **example**: `mullvad-browser-102.12.0esr-12.0-1-build1`

+  - [ ] `mullvad-browser` release tag

+    - **example**: `12.0.11`

+

+</details>

+

+<details>

+  <summary>Communications</summary>

+

+### Mullvad

+- [ ] Email Mullvad with release information:

+  - **Recipients**

+    - Mullvad support alias: support@mullvadvpn.net

+    - Rui Hildt: rui@mullvad.net

+    ```

+    support@mullvadvpn.net rui@mullvad.net

+    ```

   - **Subject**

     ```

-    New build: Mullvad Browser $(MULLVAD_BROWSER_VERION) (signed)

+    New build: Mullvad Browser ${MULLVAD_BROWSER_VERION} (signed)

     ```

   - **Body**

     ```

 

     Branch+Tags have been pushed to Mullvad's GitHub repo.

 

-    - signed builds: https://dist.torproject.org/mullvadbrowser/$(MULLVAD_BROWSER_VERSION)

-    - update_response hashes: $(MULLVAD_UPDATE_RESPONSES_HASH)

+    - signed builds: https://dist.torproject.org/mullvadbrowser/${MULLVAD_BROWSER_VERSION}

+    - update_response hashes: ${MULLVAD_UPDATE_RESPONSES_HASH}

 

     changelog:

+    # paste changelog as quote here

     ...

     ```

 

-</details>

-

-<details>

-  <summary>Downstream</summary>

-

-### notify packagers

-These steps depend on Mullvad having updated their [GitHub Releases](https://github.com/mullvad/mullvad-browser/releases/) page with the latest release

-- [ ] Email downstream consumers:

-  - [ ] flathub package maintainer: proletarius101@protonmail.com

-  - [ ] arch package maintainer: bootctl@gmail.com

-  - [ ] nixOS package maintainer: dev@felschr.com

+### packagers

+- [ ] **(Once Packages are pushed to GitHub)**

+  - **Recipients**

+    - flathub package maintainer: proletarius101@protonmail.com

+    - arch package maintainer: bootctl@gmail.com

+    - nixOS package maintainer: dev@felschr.com

+    ```

+    proletarius101@protonmail.com bootctl@gmail.com dev@felschr.com

+    ```

   - **Subject**

     ```

-    Mullvad Browser $(MULLVAD_BROWSER_VERSION) released

+    Mullvad Browser ${MULLVAD_BROWSER_VERSION} released

     ```

   - **Body**

     ```

     ```

 

 ### merge requests

-- [ ] homebrew: https://github.com/Homebrew/homebrew-cask/blob/master/Casks/m/mullvad-browser.rb

-  - **NOTE**: should just need to update `version` and `sha256` to latest

+- [ ] **(Once Packages are pushed to GitHub)**

+  - [ ] homebrew: https://github.com/Homebrew/homebrew-cask/blob/master/Casks/m/mullvad-browser.rb

+    - **NOTE**: a bot seems to pick this up without needing our intervention these days

+    - **NOTE**: should just need to update `version` and `sha256` to latest

 

 </details>

 

 /label ~"Release Prep"

-/label  ~"Sponsor 131"

-
+/label ~"Sponsor 131"
+# Release Prep Tor Browser Alpha

+

+- **NOTE** It is assumed the `tor-browser` alpha rebase and security backport tasks have been completed

+- **NOTE** This can/is often done in conjunction with the equivalent Mullvad Browser release prep issue

+

 <details>

   <summary>Explanation of variables</summary>

 

-- `$(BUILD_SERVER)` : the server the main builder is using to build a tor-browser release

-- `$(BUILDER)` : whomever is building the release on the $(BUILD_SERVER)

-  - **example** : `pierov`

-- `$(STAGING_SERVER)` : the server the signer is using to to run the signing process

-- `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc

-  - **example** : `91.6.0`

-- `$(TOR_BROWSER_MAJOR)` : the Tor Browser major version

-  - **example** : `11`

-- `$(TOR_BROWSER_MINOR)` : the Tor Browser minor version

-  - **example** : either `0` or `5`; Alpha's is always `(Stable + 5) % 10`

-- `$(TOR_BROWSER_VERSION)` : the Tor Browser version in the format

-  - **example** : `12.5a3`, `12.0.3`

-- `$(BUILD_N)` : a project's build revision within a its branch; this is separate from the `$(TOR_BROWSER_BUILD_N)` value; many of the Firefox-related projects have a `$(BUILD_N)` suffix and may differ between projects even when they contribute to the same build.

-  - **example** : `build1`

-- `$(TOR_BROWSER_BUILD_N)` : the tor-browser build revision for a given Tor Browser release; used in tagging git commits

-  - **example** : `build2`

-  - **NOTE** : A project's `$(BUILD_N)` and `$(TOR_BROWSER_BUILD_N)` may be the same, but it is possible for them to diverge. For example :

-    - if we have multiple Tor Browser releases on a given ESR branch the two will become out of sync as the `$(BUILD_N)` value will increase, while the `$(TOR_BROWSER_BUILD_N)` value may stay at `build1` (but the `$(TOR_BROWSER_VERSION)` will increase)

-    - if we have build failures unrelated to `tor-browser`, the `$(TOR_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same.

-- `$(TOR_BROWSER_VERSION)` : the published Tor Browser version

-    - **example** : `11.5a6`, `11.0.7`

-- `$(TBB_BUILD_TAG)` : the `tor-browser-build` build tag used to build a given Tor Browser version

-    - **example** : `tbb-12.5a7-build1`

-</details>

+- `${BUILD_SERVER}`: the server the main builder is using to build a browser release

+- `${BUILDER}`: whomever is building the release on the ${BUILD_SERVER}

+  - **example**: `pierov`

+- `${STAGING_SERVER}`: the server the signer is using to to run the signing process

+- `${ESR_VERSION}`: the Mozilla defined ESR version, used in various places for building browser tags, labels, etc

+  - **example**: `91.6.0`

+- `${TOR_BROWSER_MAJOR}`: the Tor Browser major version

+  - **example**: `11`

+- `${TOR_BROWSER_MINOR}`: the Tor Browser minor version

+  - **example**: either `0` or `5`; Alpha's is always `(Stable + 5) % 10`

+- `${TOR_BROWSER_VERSION}`: the Tor Browser version in the format

+  - **example**: `12.5a3`, `12.0.3`

+- `${BUILD_N}`: a project's build revision within a its branch; this is separate from the `${TOR_BROWSER_BUILD_N}` value; many of the Firefox-related projects have a `${BUILD_N}` suffix and may differ between projects even when they contribute to the same build.

+  - **example**: `build1`

+- `${TOR_BROWSER_BUILD_N}`: the tor-browser build revision for a given Tor Browser release; used in tagging git commits

+  - **example**: `build2`

+  - **⚠️ WARNING**: A project's `${BUILD_N}` and `${TOR_BROWSER_BUILD_N}` may be the same, but it is possible for them to diverge. For example :

+    - if we have multiple Tor Browser releases on a given ESR branch the two will become out of sync as the `${BUILD_N}` value will increase, while the `${TOR_BROWSER_BUILD_N}` value may stay at `build1` (but the `${TOR_BROWSER_VERSION}` will increase)

+    - if we have build failures unrelated to `tor-browser`, the `${TOR_BROWSER_BUILD_N}` value will increase while the `${BUILD_N}` will stay the same.

+- `${TOR_BROWSER_VERSION}`: the published Tor Browser version

+    - **example**: `11.5a6`, `11.0.7`

+- `${TBB_BUILD_TAG}`: the `tor-browser-build` build tag used to build a given Tor Browser version

+  - **example**: `tbb-12.5a7-build1`

+- `${RELEASE_DATE}`: the intended release date of this browser release; for ESR schedule-driven releases, this should match the upstream Firefox release date

+  - **example**: `2024-10-29`

 

-**NOTE** It is assumed that the `tor-browser` stable rebase and security backport tasks have been completed

-**NOTE** This can/is often done in conjunction with the equivalent Mullvad Browser release prep issue

+</details>

 

 <details>

-  <summary>Building</summary>

+  <summary>Build Configuration</summary>

+

+### tor-browser: https://gitlab.torproject.org/tpo/applications/tor-browser.git

+

+- [ ] Tag `tor-browser` in tor-browser.git

+  - **example**: `tor-browser-128.4.0esr-14.5-1-build1`

 

 ### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git

 Tor Browser Alpha (and Nightly) are on the `main` branch

 

-- [ ] Update `rbm.conf`

-  - [ ] `var/torbrowser_version` : update to next version

-  - [ ] `var/torbrowser_build` : update to `$(TOR_BROWSER_BUILD_N)`

-  - [ ] `var/browser_release_date` : update to build date. For the build to be reproducible, the date should be in the past when building.

-  - [ ] ***(Desktop Only)*** `var/torbrowser_incremental_from` : update to previous Desktop version

-    - **NOTE**: We try to build incrementals for the previous 3 desktop versions except in the case of a watershed update

-    - **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make torbrowser-incrementals-*` step will fail

-- [ ] Update Desktop-specific build configs

-  - [ ] Update `projects/firefox/config`

-    - [ ] `browser_build` : update to match `tor-browser` tag

-    - [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased

-- [ ] Update Android-specific build configs

-  - [ ] Update `projects/geckoview/config`

-    - [ ] `browser_build` : update to match `tor-browser` tag

-    - [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased

-  - [ ] ***(Optional)*** Update `projects/application-services/config`:

-    **NOTE** we don't currently have any of our own patches for this project

-    - [ ] `git_hash` : update to appropriate git commit associated with `$(ESR_VERSION)`

-- [ ] Update `projects/translation/config`:

-  - [ ] run `make list_translation_updates-alpha` to get updated hashes

-  - [ ] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch

-  - [ ] `steps/tor-browser/git_hash` : update with `HEAD` commit of project's `tor-browser` branch

-  - [ ] `steps/fenix/git_hash` : update with `HEAD` commit of project's `fenix-torbrowserstringsxml` branch

-- [ ] Update common build configs

-  - [ ] Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript

-    - [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/browser/config`

-      - [ ] `URL`

-      - [ ] `sha256sum`

-  - [ ] Check for OpenSSL updates here : https://www.openssl.org/source/

-    - [ ] ***(Optional)*** If new 3.0.X version available, update `projects/openssl/config`

-      - [ ] `version` : update to next 3.0.X version

-      - [ ] `input_files/sha256sum` : update to sha256 sum of source tarball

-  - [ ] Check for zlib updates here: https://github.com/madler/zlib/releases

-    - [ ] **(Optional)** If new tag available, update `projects/zlib/config`

-      - [ ] `version` : update to next release tag

-  - [ ] Check for Zstandard updates here: https://github.com/facebook/zstd/releases

-    - [ ] **(Optional)** If new tag available, update `projects/zstd/config`

-      - [ ] `version` : update to next release tag

-      - [ ] `git_hash`: update to the commit corresponding to the tag (we don't check signatures for Zstandard)

-  - [ ] Check for tor updates here : https://gitlab.torproject.org/tpo/core/tor/-/tags

-    - [ ] ***(Optional)*** Update `projects/tor/config`

-      - [ ] `version` : update to latest `-alpha` tag or release tag if newer (ping dgoulet or ahf if unsure)

-  - [ ] Check for go updates here : https://go.dev/dl

-    - **NOTE** : In general, Tor Browser Alpha uses the latest Stable major series Go version, but there are sometimes exceptions. Check with the anti-censorship team before doing a major version update in case there is incompatibilities.

-    - [ ] ***(Optional)*** Update `projects/go/config`

-      - [ ] `version` : update go version

-      - [ ] `input_files/sha256sum` for `go` : update sha256sum of archive (sha256 sums are displayed on the go download page)

-  - [ ] Check for manual updates by running (from `tor-browser-build` root): `./tools/update_manual.py`

-    - [ ] ***(Optional)*** If new version is available:

-      - [ ] Upload the downloaded `manual_$PIPELINEID.zip` file to `tb-build-02.torproject.org`

-        - The script will tell if it's necessary to

-      - [ ] Deploy to `tb-builder`'s `public_html` directory:

-        - `sudo -u tb-builder cp manual_$PIPELINEID.zip ~tb-builder/public_html/.`

-      - [ ] Add `projects/manual/config` to the stage area if the script updated it.

-- [ ] Update `ChangeLog-TBB.txt`

-  - [ ] Ensure `ChangeLog-TBB.txt` is sync'd between alpha and stable branches

-  - [ ] Check the linked issues: ask people to check if any are missing, remove the not fixed ones

-  - [ ] Run `./tools/fetch_changelogs.py $(ISSUE_NUMBER) --date $date $updateArgs`

-    - Make sure you have `requests` installed (e.g., `apt install python3-requests`)

-    - The first time you run this script you will need to generate an access token; the script will guide you

-    - `$updateArgs` should be these arguments, depending on what you actually updated:

-      - [ ] `--firefox` (be sure to include esr at the end if needed, which is usually the case)

-      - [ ] `--tor`

-      - [ ] `--no-script`

-      - [ ] `--openssl`

-      - [ ] `--zlib`

-      - [ ] `--zstd`

-      - [ ] `--go`

-      - E.g., `./tools/fetch_changelogs.py 41028 --date 'December 19 2023' --firefox 115.6.0esr --tor 0.4.8.10 --no-script 11.4.29 --zlib 1.3 --go 1.21.5 --openssl 3.0.12`

-    - `--date $date` is optional, if omitted it will be the date on which you run the command

-  - [ ] Copy the output of the script to the beginning of `ChangeLog-TBB.txt` and adjust its output

+- [ ] Changelog bookkeeping:

+  - [ ] Ensure all commits to `tor-browser` and `tor-browser-build` for this release have an associated issue linked to this release preparation issue

+  - [ ] Ensure each issue has a platform (~Windows, ~MacOS, ~Linux, ~Android, ~Desktop, ~"All Platforms") and potentially ~"Build System" labels

+- [ ] Create a release preparation branch from the `main` branch

+- [ ] Run release preparation script:

+  - **NOTE**: You can omit the `--tor-browser` argument if this is for a jointt Tor and Mullvad Browser release

+  - **⚠️ WARNING**: You may need to manually update the `firefox/config` and `geckoview/config` files' `browser_build` field if `tor-browser.git` has not yet been tagged (e.g. if security backports have not yet been merged and tagged)

+  ```bash

+  ./tools/relprep.py --tor-browser --date ${RELEASE_DATE} ${TOR_BROWSER_VERSION}

+  ```

+- [ ] Review build configuration changes:

+  - [ ] `rbm.conf`

+    - [ ] `var/torbrowser_version`: updated to next browser version

+    - [ ] `var/torbrowser_build`: updated to `${TOR_BROWSER_BUILD_N}`

+    - [ ] `var/browser_release_date`: updated to build date. For the build to be reproducible, the date should be in the past when building.

+      - **⚠️ WARNING**: If we have updated `var/torbrowser_build` without updating the `firefox` or `geckoview` tags, then we can leave this unchanged to avoid forcing a firefox re-build (e.g. when bumping `var/torbrwoser_build` to build2, build3, etc due to non-firefox related build issues)

+    - [ ] ***(Desktop Only)*** `var/torbrowser_incremental_from`: updated to previous Desktop version

+      - **NOTE**: We try to build incrementals for the previous 3 desktop versions

+      - **⚠️ WARNING**: Really *actually* make sure this is the previous Desktop version or else the `make torbrowser-incrementals-*` step will fail

+  - [ ] `projects/firefox/config`

+    - [ ] `browser_build`: updated to match `tor-browser` tag

+    - [ ] ***(Optional)*** `var/firefox_platform_version`: updated to latest `${ESR_VERSION}` if rebased

+  - [ ] `projects/geckoview/config`

+    - [ ] `browser_build`: updated to match `tor-browser` tag

+    - [ ] ***(Optional)*** `var/firefox_platform_version`: updated to latest `${ESR_VERSION}` if rebased

+  - [ ] ***(Optional)*** `projects/translation/config`:

+    - [ ] `steps/base-browser/git_hash`: updated with `HEAD` commit of project's `base-browser` branch

+    - [ ] `steps/tor-browser/git_hash`: updated with `HEAD` commit of project's `tor-browser` branch

+    - [ ] `steps/fenix/git_hash`: updated with `HEAD` commit of project's `fenix-torbrowserstringsxml` branch

+  - [ ] ***(Optional)*** `projects/browser/config`:

+    - [ ] NoScript: https://addons.mozilla.org/en-US/firefox/addon/noscript

+      - [ ] `URL` updated

+        - **⚠️ WARNING**: If preparing the release manually, updating the version number in the url is not sufficient, as each version has a random unique id in the download url

+      - [ ] `sha256sum` updated

+  - [ ] ***(Optional)*** `projects/openssl/config`: https://www.openssl.org/source/

+    - **NOTE**: Only if new LTS version (3.0.X currrently) available

+    - [ ] `version`: updated to next LTS version

+    - [ ] `input_files/sha256sum`: updated to sha256 sum of source tarball

+  - [ ] **(Optional)** `projects/zlib/config`: https://github.com/madler/zlib/releases

+    - **NOTE**: Only if new tag available

+    - [ ] `version`: updated to next release tag

+  - [ ] **(Optional)** `projects/zstd/config`: https://github.com/facebook/zstd/releases

+    - **NOTE**: Only if new tag available; Android-only for now

+    - [ ] `version`: updated to next release tag

+    - [ ] `git_hash`: updated to the commit corresponding to the tag (we don't check signatures for Zstandard)

+  - [ ] **(Optional)** `projects/tor/config` https://gitlab.torproject.org/tpo/core/tor/-/tags

+    - [ ] `version`: updated to latest `-alpha` tag or release tag if newer (ping **dgoulet** or **ahf** if unsure)

+  - [ ] **(Optional)** `projects/go/config` https://go.dev/dl

+    - **NOTE**: In general, Tor Browser Alpha uses the latest Stable major series Go version, but there are sometimes exceptions. Check with the anti-censorship team before doing a major version update in case there is incompatibilities.

+    - [ ] `version`: updated go version

+    - [ ] `input_files/sha256sum` for `go`: update sha256sum of archive (sha256 sums are displayed on the go download page)

+  - [ ] **(Optional)** `projects/manual/config`

+    - [ ] `version`: updated to latest pipeline id

+    - [ ] `input_files/shasum` for `manual`: updated to manual hash

+    - [ ] Upload the downloaded `manual_${PIPELINEID}.zip` file to `tb-build-02.torproject.org`

+    - [ ] Deploy to `tb-builder`'s `public_html` directory:

+      - [ ] Run:

+        ```bash

+        sudo -u tb-builder cp manual_${PIPELINEID}.zip ~tb-builder/public_html/.

+        ```

+      - `sudo` documentation for TPO machines: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/doc/accounts#changingresetting-your-passwords

+  - [ ] `ChangeLog-TBB.txt`: ensure correctness

+    - [ ] Browser name correct

+    - [ ] Release date correct

+    - [ ] No Android updates on a desktop-only release and vice-versa

+    - [ ] All issues added under correct platform

+    - [ ] ESR updates correct

+    - [ ] Component updates correct

 - [ ] Open MR with above changes, using the template for release preparations

+  - **NOTE**: target the `main` branch

 - [ ] Merge

 - [ ] Sign+Tag

   - **NOTE** this must be done by one of:

     - ma1

     - morgan

     - pierov

-  - [ ] Run: `make torbrowser-signtag-alpha`

+  - [ ] Run:

+    ```bash

+    make torbrowser-signtag-alpha

+    ```

   - [ ] Push tag to `upstream`

 - [ ] Build the tag:

-  - Run `make torbrowser-alpha && make torbrowser-incrementals-alpha`

+  - [ ] Run:

+    ```bash

+    make torbrowser-alpha && make torbrowser-incrementals-alpha

+    ```

     - [ ] Tor Project build machine

     - [ ] Local developer machine

   - [ ] Submit build request to Mullvad infrastructure:

     - **NOTE** this requires a devmole authentication token

-    - Run `make torbrowser-kick-devmole-build`

-- [ ] Ensure builders have matching builds

+    - **NOTE** this also requires you be connected to a Swedish Mulvad VPN exit

+    - [ ] Run:

+      ```bash

+      make torbrowser-kick-devmole-build

+      ```

 

 </details>

 

 <details>

-  <summary>Communications</summary>

-

-### notify stakeholders

-- [ ] **(Once builds confirmed matching)** Email tor-qa mailing list with release information

-  - [ ] tor-qa: tor-qa@lists.torproject.org

-  - **Subject**

-    ```

-    Tor Browser $(TOR_BROWSER_VERION) (Android, Windows, macOS, Linux)

-    ```

-  - **Body**

-    ```

-    Hello,

-

-    Unsigned Tor Browser $(TOR_BROWSER_VERSION) alpha candidate builds are now available for testing:

-

-    - https://tb-build-02.torproject.org/~$(BUILDER)/builds/torbrowser/alpha/unsigned/$(TOR_BROWSER_VERSION)/

-

-    The full changelog can be found here:

-

-    - https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/raw/$(TBB_BUILD_TAG)/projects/browser/Bundle-Data/Docs-TBB/ChangeLog.txt

-    ```

-- [ ] ***(Optional, only around build/packaging changes)*** Email packagers:

-  - [ ] Tails dev mailing list: tails-dev@boum.org

-  - [ ] Guardian Project: nathan@guardianproject.info

-  - [ ] FreeBSD port: freebsd@sysctl.cz <!-- Gitlab user maxfx -->

-  - [ ] OpenBSD port: caspar@schutijser.com <!-- Gitlab user cschutijser -->

-  - [ ] Anti-Censorship: meskio@torproject.org

-  - [ ] Note any changes which may affect packaging/downstream integration

-- [ ] ***(Optional, only after internal API-breaking changes)*** Email downstream project maintainers:

-  - [ ] selenium-tor: matzfan@tempr.email <!-- Forum user Noino -->

-- [ ] ***(Optional, after ESR migration)*** Email external partners:

-  - [ ] Cloudflare: ask-research@cloudflare.com

-    - **NOTE** :  We need to provide them with updated user agent string so they can update their internal machinery to prevent Tor Browser users from getting so many CAPTCHAs

-  - [ ]  Startpage: admin@startpage.com

-    - **NOTE** : Startpage also needs the updated user-agent string for better experience on their onion service sites.

+  <summary>Website</summary>

+

+  ### downloads: https://gitlab.torproject.org/tpo/web/tpo.git

+  - [ ] `databags/versions.ini`: Update the downloads versions

+      - `torbrowser-stable/version`: catch-all for latest stable version

+      - `torbrowser-alpha/version`: catch-all for latest alpha version

+      - `torbrowser-legacy/version`: catch-all for latest ESR-115 version

+      - `torbrowser-*-stable/version`: platform-specific stable versions

+      - `torbrowser-*-alpha/version`: platform-specific alpha versions

+      - `torbrowser-*-legacy/version`: platform-specific legacy versions

+  - [ ] Push to origin as new branch and create MR

+  - [ ] Review

+  - [ ] Merge

+    - **⚠️ WARNING**: Do not deploy yet!

+

+  ### blog: https://gitlab.torproject.org/tpo/web/blog.git

+  - [ ] Run `tools/signing/create-blog-post` which should create the new blog post from a template (edit set-config.blog to set you local blog directory)

+    - [ ] Note any ESR update

+    - [ ] Thank any users which have contributed patches

+    - [ ] **(Optional)** Draft any additional sections for new features which need testing, known issues, etc

+  - [ ] Push to origin as new branch and open MR

+  - [ ] Review

+  - [ ] Merge

+    - **⚠️ WARNING**: Do not deploy yet!

 

 </details>

 

   <summary>Signing</summary>

 

 ### release signing

-- **NOTE** : In practice, it's most efficient to have the blog post and website updates ready to merge, since signing doesn't take very long

 - [ ] Assign this issue to the signer, one of:

   - boklm

+  - ma1

   - morgan

-- [ ] On `$(STAGING_SERVER)`, ensure updated:

-  - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-$(TOR_BROWSER_VERSION)-$(TOR_BROWSER_BUILD_N) && git checkout tbb-$(TOR_BROWSER_VERSION)-$(TOR_BROWSER_BUILD_N)`

+  - pierov

+- [ ] Ensure all builders have matching builds

+- [ ] On `${STAGING_SERVER}`, ensure updated:

+  - **NOTE** Having a local git branch with `main` as the upstream branch with these values saved means you only need to periodically `git pull --rebase` and update the `set-config.tbb-version` file

+  - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-${TOR_BROWSER_VERSION}-${TOR_BROWSER_BUILD_N} && git checkout tbb-${TOR_BROWSER_VERSION}-${TOR_BROWSER_BUILD_N}`

   - [ ] `tor-browser-build/tools/signing/set-config.hosts`

-    - `ssh_host_builder` : ssh hostname of machine with unsigned builds

-      - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory)

-    - `ssh_host_linux_signer` : ssh hostname of linux signing machine

+    - `ssh_host_builder`: ssh hostname of machine with unsigned builds

+    - `ssh_host_linux_signer`: ssh hostname of linux signing machine

+    - `builder_tor_browser_build_dir`: path on `ssh_host_builder` to root of builder's `tor-browser-build` clone containing unsigned builds

   - [ ] `tor-browser-build/tools/signing/set-config.rcodesign-appstoreconnect`

-    - `appstoreconnect_api_key_path` : path to json file containing appstoreconnect api key infos

+    - `appstoreconnect_api_key_path`: path to json file containing appstoreconnect api key infos

   - [ ] `set-config.update-responses`

-    - `update_responses_repository_dir` : directory where you cloned `git@gitlab.torproject.org:tpo/applications/tor-browser-update-responses.git`

+    - `update_responses_repository_dir`: directory where you cloned `git@gitlab.torproject.org:tpo/applications/tor-browser-update-responses.git`

   - [ ] `tor-browser-build/tools/signing/set-config.tbb-version`

-    - `tbb_version` : tor browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`)

-    - `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`)

-    - `tbb_version_type` : either `alpha` for alpha releases or `release` for stable releases

-- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050

-- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, run do-all-signing script:

-  - `cd tor-browser-build/tools/signing/`

-  - `./do-all-signing.torbrowser`

-- **NOTE**: at this point the signed binaries should have been copied to `staticiforme`

-- [ ] Update `staticiforme.torproject.org`:

-  - From `screen` session on `staticiforme.torproject.org`:

-  - [ ] Static update components : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org`

-  - [ ] Enable update responses : `sudo -u tb-release ./deploy_update_responses-alpha.sh`

-  - [ ] Remove old release data from following places:

-    - **NOTE** : Skip this step if we need to hold on to older versions for some reason (for example, this is an Andoid or Desktop-only release, or if we need to hold back installers in favor of build-to-build updates if there are signing issues, etc)

-    - [ ] `/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser`

-    - [ ] `/srv/dist-master.torproject.org/htdocs/torbrowser`

-  - [ ] Static update components (again) : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org`

+    - `tbb_version`: tor browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`)

+    - `tbb_version_build`: the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`)

+    - `tbb_version_type`: either `alpha` for alpha releases or `release` for stable releases

+- [ ] On `${STAGING_SERVER}` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050

+- [ ] On `${STAGING_SERVER}` in a separate `screen` session, run do-all-signing script:

+  - [ ] Run:

+    ```bash

+    cd tor-browser-build/tools/signing/ && ./do-all-signing.torbrowser

+    ```

+  - **NOTE**: on successful execution, the signed binaries and mars should have been copied to `staticiforme` and update responses pushed

 

 </details>

 

 <details>

   <summary>Publishing</summary>

 

+### website

+- [ ] On `staticiforme.torproject.org`, static update components:

+  - [ ] Run:

+    ```bash

+    static-update-component cdn.torproject.org && static-update-component dist.torproject.org

+    ```

+- [ ] Deploy `tor-website` MR

+- [ ] Deploy `tor-blog` MR

+- [ ] On `staticiforme.torproject.org`, enable update responses:

+  - [ ] Run:

+    ```bash

+    sudo -u tb-release ./deploy_update_responses-alpha.sh

+    ```

+- [ ] On `staticiforme.torproject.org`, remove old release:

+  - **NOTE**: Skip this step if we need to hold on to older versions for some reason (for example, this is an Andoid or Desktop-only release, or if we need to hold back installers in favor of build-to-build updates if there are signing issues, etc)

+  - [ ] `/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser`

+  - [ ] `/srv/dist-master.torproject.org/htdocs/torbrowser`

+  - [ ] Run:

+    ```bash

+    static-update-component cdn.torproject.org && static-update-component dist.torproject.org

+    ```

+

 ### Google Play: https://play.google.com/apps/publish

 - [ ] Publish APKs to Google Play:

   - Select `Tor Browser (Alpha)` app

     - [ ] 100% rollout when publishing a security-driven release

   - [ ] Update rollout percentage to 100% after confirmed no major issues

 

-### website: https://gitlab.torproject.org/tpo/web/tpo.git

-- [ ] `databags/versions.ini` : Update the downloads versions

-    - `torbrowser-stable/version` : sort of a catch-all for latest stable version

-    - `torbrowser-alpha/version` : sort of a catch-all for latest stable version

-    - `torbrowser-*-stable/version` : platform-specific stable versions

-    - `torbrowser-*-alpha/version` : platform-specific alpha versions

-    - `tor-stable`,`tor-alpha` : set by tor devs, do not touch

-- [ ] Push to origin as new branch, open 'Draft :' MR

-- [ ] Remove `Draft:` from MR once signed-packages are accessible on https://dist.torproject.org

-- [ ] Merge

-- [ ] Publish after CI passes and builds are published

-

-### blog: https://gitlab.torproject.org/tpo/web/blog.git

-- [ ] Run `tools/signing/create-blog-post` which should create the new blog post from a template (edit set-config.blog to set you local blog directory)

-  - [ ] Note any ESR update

-  - [ ] Note any updates to dependencies (OpenSSL, zlib, NoScript, tor, etc)

-  - [ ] Thank any users which have contributed patches  

-  - [ ] **(Optional)** Draft any additional sections for new features which need testing, known issues, etc

-- [ ] Push to origin as new branch, open `Draft:` MR

-- [ ] Merge once signed-packages are accessible on https://dist.torproject.org

-- [ ] Publish after CI passes and website has been updated

+</details>

+

+<details>

+  <summary>Communications</summary>

 

 ### tor-announce mailing list

-- [ ] Email tor-announce mailing list: tor-announce@lists.torproject.org

+- [ ] Email tor-announce mailing list

+  - **Recipients**

+    ```

+    tor-announce@lists.torproject.org

+    ```

   - **Subject**

     ```

-    New Release: Tor Browser $(TOR_BROWSER_VERSION) (Android, Windows, macOS, Linux)

+    New Release: Tor Browser ${TOR_BROWSER_VERSION} (Android, Windows, macOS, Linux)

     ```

   - **Body**

     ```

     Hi everyone,

 

-    Tor Browser $(TOR_BROWSER_VERSION) has now been published for all platforms. For details please see our blog post:

-    - $(BLOG_POST_URL)

+    Tor Browser ${TOR_BROWSER_VERSION} has now been published for all platforms. For details please see our blog post:

+    - ${BLOG_POST_URL}

 

     Changelog:

-    # paste changleog as quote here

+    # paste changelog as quote here

     ```

 

+### packagers

+- [ ] ***(Optional, only around build/packaging changes)*** Email packagers:

+  - **Recipients**

+    - Tails dev mailing list: tails-dev@boum.org

+    - Guardian Project: nathan@guardianproject.info

+    - FreeBSD port: freebsd@sysctl.cz <!-- Gitlab user maxfx -->

+    - OpenBSD port: caspar@schutijser.com <!-- Gitlab user cschutijser -->

+    - torbrowser-launcher: mail@asciiwolf.com <!-- Gitlab user asciiwolf -->

+    - Anti-Censorship: meskio@torproject.org <!-- Gitlab user meskio -->

+    ```

+    tails-dev@boum.org nathan@guardianproject.info freebsd@sysctl.cz caspar@schutijser.com mail@asciiwolf.com meskio@torproject.org

+    ```

+  - **Subject**

+    ```

+    New Release: Tor Browser ${TOR_BROWSER_VERSION} (Android, Windows, macOS, Linux)

+    ```

+  - [ ] Note any changes which may affect packaging/downstream integration

+

+### downstream projects

+- [ ] ***(Optional, only after internal API-breaking changes)*** Email downstream project maintainers:

+  - **Recipients**

+    - selenium-tor: matzfan@tempr.email <!-- Forum user Noino -->

+    ```

+    matzfan@tempr.email

+    ```

+  - **Subject**

+    ```

+    Breaking Changes in Tor Browser ${TOR_BROWSER_VERSION}

+    ```

+  - [ ] Note any internal API changes which may affect browser automation

+

+### upstream services

+- [ ] ***(Optional, after ESR migration)*** Email external partners:

+  - [ ] Cloudflare: ask-research@cloudflare.com

+    - **NOTE**:  We need to provide them with updated user agent string so they can update their internal machinery to prevent Tor Browser users from getting so many CAPTCHAs

+  - [ ]  Startpage: admin@startpage.com

+    - **NOTE**: Startpage also needs the updated user-agent string for better experience on their onion service sites.

+

 </details>

 

 /label ~"Release Prep"
-
+# Release Prep Tor Browser Legacy

+

+- **NOTE** It is assumed the `tor-browser` release rebase and security backport tasks have been completed

+

+<details>

+  <summary>Explanation of variables</summary>

+

+- `${BUILD_SERVER}`: the server the main builder is using to build a browser release

+- `${BUILDER}`: whomever is building the release on the ${BUILD_SERVER}

+  - **example**: `pierov`

+- `${STAGING_SERVER}`: the server the signer is using to to run the signing process

+- `${ESR_VERSION}`: the Mozilla defined ESR version, used in various places for building browser tags, labels, etc

+  - **example**: `91.6.0`

+- `${TOR_BROWSER_MAJOR}`: the Tor Browser major version

+  - **example**: `11`

+- `${TOR_BROWSER_MINOR}`: the Tor Browser minor version

+  - **example**: either `0` or `5`; Alpha's is always `(Stable + 5) % 10`

+- `${TOR_BROWSER_VERSION}`: the Tor Browser version in the format

+  - **example**: `12.5a3`, `12.0.3`

+- `${BUILD_N}`: a project's build revision within a its branch; this is separate from the `${TOR_BROWSER_BUILD_N}` value; many of the Firefox-related projects have a `${BUILD_N}` suffix and may differ between projects even when they contribute to the same build.

+  - **example**: `build1`

+- `${TOR_BROWSER_BUILD_N}`: the tor-browser build revision for a given Tor Browser release; used in tagging git commits

+  - **example**: `build2`

+  - **⚠️ WARNING**: A project's `${BUILD_N}` and `${TOR_BROWSER_BUILD_N}` may be the same, but it is possible for them to diverge. For example :

+    - if we have multiple Tor Browser releases on a given ESR branch the two will become out of sync as the `${BUILD_N}` value will increase, while the `${TOR_BROWSER_BUILD_N}` value may stay at `build1` (but the `${TOR_BROWSER_VERSION}` will increase)

+    - if we have build failures unrelated to `tor-browser`, the `${TOR_BROWSER_BUILD_N}` value will increase while the `${BUILD_N}` will stay the same.

+- `${TOR_BROWSER_VERSION}`: the published Tor Browser version

+    - **example**: `11.5a6`, `11.0.7`

+- `${TBB_BUILD_TAG}`: the `tor-browser-build` build tag used to build a given Tor Browser version

+  - **example**: `tbb-12.5a7-build1`

+- `${RELEASE_DATE}`: the intended release date of this browser release; for ESR schedule-driven releases, this should match the upstream Firefox release date

+  - **example**: `2024-10-29`

+

+</details>

+

+<details>

+  <summary>Build Configuration</summary>

+

+### tor-browser: https://gitlab.torproject.org/tpo/applications/tor-browser.git

+

+- [ ] Tag `tor-browser` in tor-browser.git

+  - **example**: `tor-browser-115.17.0esr-13.5-1-build1`

+

+### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git

+Tor Browser Legacy is on the `maint-13.5` branch

+

+- [ ] Changelog bookkeeping:

+  - [ ] Ensure all commits to `tor-browser` and `tor-browser-build` for this release have an associated issue linked to this release preparation issue

+  - [ ] Ensure each issue has a platform (~Windows, ~MacOS, ~Desktop, ~"All Platforms") and potentially ~"Build System" labels

+- [ ] Create a release preparation branch from the `maint-13.5` branch

+- [ ] Run release preparation script:

+  - **⚠️ WARNING**: You may need to manually update the `firefox/config` file's `browser_build` field if `tor-browser.git` has not yet been tagged (e.g. if security backports have not yet been merged and tagged)

+  ```bash

+  ./tools/relprep.py --tor-browser --date ${RELEASE_DATE} ${TOR_BROWSER_VERSION}

+  ```

+- [ ] Review build configuration changes:

+  - [ ] `rbm.conf`

+    - [ ] `var/torbrowser_version`: updated to next browser version

+    - [ ] `var/torbrowser_build`: updated to `${TOR_BROWSER_BUILD_N}`

+    - [ ] `var/browser_release_date`: updated to build date. For the build to be reproducible, the date should be in the past when building.

+      - **⚠️ WARNING**: If we have updated `var/torbrowser_build` without updating the `firefox`, then we can leave this unchanged to avoid forcing a firefox re-build (e.g. when bumping `var/torbrwoser_build` to build2, build3, etc due to non-firefox related build issues)

+    - [ ] ***(Desktop Only)*** `var/torbrowser_incremental_from`: updated to previous Desktop version

+      - **NOTE**: We try to build incrementals for the previous 3 desktop versions

+      - **⚠️ WARNING**: Really *actually* make sure this is the previous Desktop version or else the `make torbrowser-incrementals-*` step will fail

+  - [ ] `projects/firefox/config`

+    - [ ] `browser_build`: updated to match `tor-browser` tag

+    - [ ] ***(Optional)*** `var/firefox_platform_version`: updated to latest `${ESR_VERSION}` if rebased

+  - [ ] ***(Optional)*** `projects/translation/config`:

+    - [ ] `steps/base-browser/git_hash`: updated with `HEAD` commit of project's `base-browser` branch

+    - [ ] `steps/tor-browser/git_hash`: updated with `HEAD` commit of project's `tor-browser` branch

+  - [ ] ***(Optional)*** `projects/browser/config`:

+    - [ ] NoScript: https://addons.mozilla.org/en-US/firefox/addon/noscript

+      - [ ] `URL` updated

+        - **⚠️ WARNING**: If preparing the release manually, updating the version number in the url is not sufficient, as each version has a random unique id in the download url

+      - [ ] `sha256sum` updated

+  - [ ] ***(Optional)*** `projects/openssl/config`: https://www.openssl.org/source/

+    - **NOTE**: Only if new LTS version (3.0.X currrently) available

+    - [ ] `version`: updated to next LTS version

+    - [ ] `input_files/sha256sum`: updated to sha256 sum of source tarball

+  - [ ] **(Optional)** `projects/zlib/config`: https://github.com/madler/zlib/releases

+    - **NOTE**: Only if new tag available

+    - [ ] `version`: updated to next release tag

+  - [ ] **(Optional)** `projects/zstd/config`: https://github.com/facebook/zstd/releases

+    - **NOTE**: Only if new tag available

+    - [ ] `version`: updated to next release tag

+    - [ ] `git_hash`: updated to the commit corresponding to the tag (we don't check signatures for Zstandard)

+  - [ ] **(Optional)** `projects/tor/config` https://gitlab.torproject.org/tpo/core/tor/-/tags

+    - [ ] `version`: updated to latest non `-alpha` tag or release tag if newer (ping **dgoulet** or **ahf** if unsure)

+  - [ ] **(Optional)** `projects/go/config` https://go.dev/dl

+    - [ ] `go_1_22`: updated to latest 1.22 version

+    - [ ] `input_files/sha256sum` for `go`: update sha256sum of archive (sha256 sums are displayed on the go download page)

+  - [ ] **(Optional)** `projects/manual/config`

+    - [ ] `version`: updated to latest pipeline id

+    - [ ] `input_files/shasum` for `manual`: updated to manual hash

+    - [ ] Upload the downloaded `manual_${PIPELINEID}.zip` file to `tb-build-02.torproject.org`

+    - [ ] Deploy to `tb-builder`'s `public_html` directory:

+      - [ ] Run:

+        ```bash

+        sudo -u tb-builder cp manual_${PIPELINEID}.zip ~tb-builder/public_html/.

+        ```

+      - `sudo` documentation for TPO machines: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/doc/accounts#changingresetting-your-passwords

+  - [ ] `ChangeLog-TBB.txt`: ensure correctness

+    - [ ] Browser name correct

+    - [ ] Release date correct

+    - [ ] No Android updates

+    - [ ] All issues added under correct platform

+    - [ ] ESR updates correct

+    - [ ] Component updates correct

+- [ ] Open MR with above changes, using the template for release preparations

+  - **NOTE**: target the `maint-13.5` branch

+- [ ] Merge

+- [ ] Sign+Tag

+  - **NOTE** this must be done by one of:

+    - boklm

+    - dan

+    - ma1

+    - morgan

+    - pierov

+  - [ ] Run:

+    ```bash

+    make torbrowser-signtag-release

+    ```

+  - [ ] Push tag to `upstream`

+- [ ] Build the tag:

+  - [ ] Run:

+    ```bash

+    make torbrowser-release && make torbrowser-incrementals-release

+    ```

+    - [ ] Tor Project build machine

+    - [ ] Local developer machine

+  - [ ] Submit build request to Mullvad infrastructure:

+    - **NOTE** this requires a devmole authentication token

+    - **NOTE** this also requires you be connected to a Swedish Mulvad VPN exit

+    - [ ] Run:

+      ```bash

+      make torbrowser-kick-devmole-build

+      ```

+

+</details>

+

+<details>

+  <summary>Website</summary>

+

+  ### downloads: https://gitlab.torproject.org/tpo/web/tpo.git

+  - [ ] `databags/versions.ini`: Update the downloads versions

+      - `torbrowser-stable/version`: catch-all for latest stable version

+      - `torbrowser-alpha/version`: catch-all for latest alpha version

+      - `torbrowser-legacy/version`: catch-all for latest ESR-115 version

+      - `torbrowser-*-stable/version`: platform-specific stable versions

+      - `torbrowser-*-alpha/version`: platform-specific alpha versions

+      - `torbrowser-*-legacy/version`: platform-specific legacy versions

+      - `tor-stable`,`tor-alpha`: set by tor devs, do not touch

+  - [ ] Push to origin as new branch and create MR

+  - [ ] Review

+  - [ ] Merge

+    - **⚠️ WARNING**: Do not deploy yet!

+

+</details>

+

+<details>

+  <summary>Signing</summary>

+

+### release signing

+- [ ] Assign this issue to the signer, one of:

+  - boklm

+  - ma1

+  - morgan

+  - pierov

+- [ ] Ensure all builders have matching builds

+- [ ] On `${STAGING_SERVER}`, ensure updated:

+  - **NOTE** Having a local git branch with `maint-13.5` as the upstream branch with these values saved means you only need to periodically `git pull --rebase` and update the `set-config.tbb-version` file

+  - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-${TOR_BROWSER_VERSION}-${TOR_BROWSER_BUILD_N} && git checkout tbb-${TOR_BROWSER_VERSION}-${TOR_BROWSER_BUILD_N}`

+  - [ ] `tor-browser-build/tools/signing/set-config.hosts`

+    - `ssh_host_builder`: ssh hostname of machine with unsigned builds

+    - `ssh_host_linux_signer`: ssh hostname of linux signing machine

+    - `builder_tor_browser_build_dir`: path on `ssh_host_builder` to root of builder's `tor-browser-build` clone containing unsigned builds

+  - [ ] `tor-browser-build/tools/signing/set-config.rcodesign-appstoreconnect`

+    - `appstoreconnect_api_key_path`: path to json file containing appstoreconnect api key infos

+  - [ ] `tor-browser-build/tools/signing/set-config.tbb-version`

+    - `tbb_version`: tor browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`)

+    - `tbb_version_build`: the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`)

+    - `tbb_version_type`: either `alpha` for alpha releases or `release` for stable releases

+- [ ] On `${STAGING_SERVER}` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050

+- [ ] On `${STAGING_SERVER}` in a separate `screen` session, run do-all-signing script:

+  - [ ] Run:

+    ```bash

+    cd tor-browser-build/tools/signing/ && ./do-all-signing.torbrowser

+    ```

+  - **NOTE**: on successful execution, the signed binaries and mars should have been copied to `staticiforme` and update responses pushed

+

+</details>

+

+<details>

+  <summary>Signature verification</summary>

+

+  <details>

+    <summary>Check whether the .exe files got properly signed and timestamped</summary>

+

+```bash

+# Point OSSLSIGNCODE to your osslsigncode binary

+pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION

+OSSLSIGNCODE=/path/to/osslsigncode

+../../../tools/authenticode_check.sh

+popd

+```

+

+  </details>

+  <details>

+    <summary>Check whether the MAR files got properly signed</summary>

+

+```bash

+# Point NSSDB to your nssdb containing the mar signing certificate

+# Point SIGNMAR to your signmar binary

+# Point LD_LIBRARY_PATH to your mar-tools directory

+pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION

+NSSDB=/path/to/nssdb

+SIGNMAR=/path/to/mar-tools/signmar

+LD_LIBRARY_PATH=/path/to/mar-tools/

+../../../tools/marsigning_check.sh

+popd

+```

+

+  </details>

+</details>

+

+<details>

+  <summary>Publishing</summary>

+

+### website

+- [ ] On `staticiforme.torproject.org`, static update components:

+  - [ ] Run:

+    ```bash

+    static-update-component cdn.torproject.org && static-update-component dist.torproject.org

+    ```

+- [ ] Deploy `tor-website` MR

+- [ ] On `staticiforme.torproject.org`, remove old release:

+  - **NOTE**: Skip this step if we need to hold on to older versions for some reason (for example, this is an Andoid or Desktop-only release, or if we need to hold back installers in favor of build-to-build updates if there are signing issues, etc)

+  - [ ] `/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser`

+  - [ ] `/srv/dist-master.torproject.org/htdocs/torbrowser`

+  - [ ] Run:

+    ```bash

+    static-update-component cdn.torproject.org && static-update-component dist.torproject.org

+    ```

+- [ ] **(Optional)** Generate and deploy new update responses

+  - **NOTE**: This is only required if there will be no corresponding 14.0 release (i.e. this is an emergency legacy-only 13.5 release). Normally, legacy update responses are generated and deployed as part of the 14.0 release.

+  - **⚠️ WARNING**: This is a little bit off the beaten track, ping boklm or morgan if you have any doubts

+  - From the `maint-14.0` branch:

+    - [ ] Update `rbm.conf`

+      - [ ] `var/torbrowser_legacy_version`: update to `${TOR_BROWSER_VERSION}`

+        - **NOTE** this is the browser version for the legacy branch, not the 14.0 branch

+      - [ ] `var/torbrowser_legacy_platform_version`: update to `${ESR_VERSION}`

+        - **NOTE** this is ESR version for the legacy branch, not the 14.0 branch

+    - [ ] Generate update responses:

+      - [ ] Run:

+        ```bash

+        make torbrowser-update_responses-release

+        ```

+  - On `staticiforme.torproject.org`, deploy new update responses:

+    - **NOTE**: for now this is a bit janky, we should somehow update the workflow to be a bit less hacky

+    - [ ] Edit an existing `deploy_update_responses-release.sh` script in your `HOME` directory with the newly pushed commit hash

+      - **example**: (hash: `d938943`)

+        ```bash

+        #!/bin/bash

+        set -e

+

+        echo "Deploying version 14.0"

+        echo "update_responses_commit: d938943"

+

+        cd "/srv/aus1-master.torproject.org/htdocs/torbrowser"

+        git fetch

+        changed_files="$(git diff --name-only HEAD d938943)"

+        if echo "$changed_files" | grep -qv "release"

+        then

+          echo >&2 "Error: checking out new update_response_commit will changes"

+          echo >&2 "some files outside of the release directory:"

+          echo "$changed_files" | grep -v "release" >&2

+          echo >&2 "--"

+          echo >&2 "If this is really what you want to do, edit this script to"

+          echo >&2 "remove the line 'exit 1' and run it again."

+          echo >&2 "See tor-browser-build#41168 for more details."

+          exit 1

+        fi

+        git checkout "d938943"

+

+        static-update-component aus1.torproject.org

+        ```

+    - [ ] Enable update responses:

+      ```bash

+      sudo -u tb-release ./deploy_update_responses-release.sh

+      ```

+

+</details>

+

+<details>

+  <summary>Communications</summary>

+

+### tor-announce mailing list

+- [ ] Email tor-announce mailing list

+  - **Recipients**

+    ```

+    tor-announce@lists.torproject.org

+    ```

+  - **Subject**

+    ```

+    New Release: Tor Browser ${TOR_BROWSER_VERSION} (Windows, macOS)

+    ```

+  - **Body**

+    ```

+    Hi everyone,

+

+    Tor Browser ${TOR_BROWSER_VERSION} has now been published for legacy Windows and macOS platforms. For details please see our blog post:

+    - ${BLOG_POST_URL}

+

+    Changelog:

+    # paste changelog as quote here

+    ```

+

+</details>

+

+/label ~"Release Prep"
+# Release Prep Tor Browser Stable

+

+- **NOTE** It is assumed the `tor-browser` release rebase and security backport tasks have been completed

+- **NOTE** This can/is often done in conjunction with the equivalent Mullvad Browser release prep issue

+

 <details>

   <summary>Explanation of variables</summary>

 

-- `$(BUILD_SERVER)` : the server the main builder is using to build a tor-browser release

-- `$(BUILDER)` : whomever is building the release on the $(BUILD_SERVER)

-  - **example** : `pierov`

-- `$(STAGING_SERVER)` : the server the signer is using to to run the signing process

-- `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc

-  - **example** : `91.6.0`

-- `$(TOR_BROWSER_MAJOR)` : the Tor Browser major version

-  - **example** : `11`

-- `$(TOR_BROWSER_MINOR)` : the Tor Browser minor version

-  - **example** : either `0` or `5`; Alpha's is always `(Stable + 5) % 10`

-- `$(TOR_BROWSER_VERSION)` : the Tor Browser version in the format

-  - **example** : `12.5a3`, `12.0.3`

-- `$(BUILD_N)` : a project's build revision within a its branch; this is separate from the `$(TOR_BROWSER_BUILD_N)` value; many of the Firefox-related projects have a `$(BUILD_N)` suffix and may differ between projects even when they contribute to the same build.

-  - **example** : `build1`

-- `$(TOR_BROWSER_BUILD_N)` : the tor-browser build revision for a given Tor Browser release; used in tagging git commits

-  - **example** : `build2`

-  - **NOTE** : A project's `$(BUILD_N)` and `$(TOR_BROWSER_BUILD_N)` may be the same, but it is possible for them to diverge. For example :

-    - if we have multiple Tor Browser releases on a given ESR branch the two will become out of sync as the `$(BUILD_N)` value will increase, while the `$(TOR_BROWSER_BUILD_N)` value may stay at `build1` (but the `$(TOR_BROWSER_VERSION)` will increase)

-    - if we have build failures unrelated to `tor-browser`, the `$(TOR_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same.

-- `$(TOR_BROWSER_VERSION)` : the published Tor Browser version

-    - **example** : `11.5a6`, `11.0.7`

-- `$(TBB_BUILD_TAG)` : the `tor-browser-build` build tag used to build a given Tor Browser version

-    - **example** : `tbb-12.0.7-build1`

-</details>

+- `${BUILD_SERVER}`: the server the main builder is using to build a browser release

+- `${BUILDER}`: whomever is building the release on the ${BUILD_SERVER}

+  - **example**: `pierov`

+- `${STAGING_SERVER}`: the server the signer is using to to run the signing process

+- `${ESR_VERSION}`: the Mozilla defined ESR version, used in various places for building browser tags, labels, etc

+  - **example**: `91.6.0`

+- `${TOR_BROWSER_MAJOR}`: the Tor Browser major version

+  - **example**: `11`

+- `${TOR_BROWSER_MINOR}`: the Tor Browser minor version

+  - **example**: either `0` or `5`; Alpha's is always `(Stable + 5) % 10`

+- `${TOR_BROWSER_VERSION}`: the Tor Browser version in the format

+  - **example**: `12.5a3`, `12.0.3`

+- `${BUILD_N}`: a project's build revision within a its branch; this is separate from the `${TOR_BROWSER_BUILD_N}` value; many of the Firefox-related projects have a `${BUILD_N}` suffix and may differ between projects even when they contribute to the same build.

+  - **example**: `build1`

+- `${TOR_BROWSER_BUILD_N}`: the tor-browser build revision for a given Tor Browser release; used in tagging git commits

+  - **example**: `build2`

+  - **⚠️ WARNING**: A project's `${BUILD_N}` and `${TOR_BROWSER_BUILD_N}` may be the same, but it is possible for them to diverge. For example :

+    - if we have multiple Tor Browser releases on a given ESR branch the two will become out of sync as the `${BUILD_N}` value will increase, while the `${TOR_BROWSER_BUILD_N}` value may stay at `build1` (but the `${TOR_BROWSER_VERSION}` will increase)

+    - if we have build failures unrelated to `tor-browser`, the `${TOR_BROWSER_BUILD_N}` value will increase while the `${BUILD_N}` will stay the same.

+- `${TOR_BROWSER_VERSION}`: the published Tor Browser version

+    - **example**: `11.5a6`, `11.0.7`

+- `${TBB_BUILD_TAG}`: the `tor-browser-build` build tag used to build a given Tor Browser version

+  - **example**: `tbb-12.5a7-build1`

+- `${RELEASE_DATE}`: the intended release date of this browser release; for ESR schedule-driven releases, this should match the upstream Firefox release date

+  - **example**: `2024-10-29`

 

-**NOTE** It is assumed that the `tor-browser` stable rebase and security backport tasks have been completed

-**NOTE** This can/is often done in conjunction with the equivalent Mullvad Browser release prep issue

+</details>

 

 <details>

-  <summary>Building</summary>

+  <summary>Build Configuration</summary>

+

+### tor-browser: https://gitlab.torproject.org/tpo/applications/tor-browser.git

+

+- [ ] Tag `tor-browser` in tor-browser.git

+  - **example**: `tor-browser-128.4.0esr-14.0-1-build1`

 

 ### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git

-Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)` (and possibly more specific) branches.

-

-- [ ] Update `rbm.conf`

-  - [ ] `var/torbrowser_version` : update to next version

-  - [ ] `var/torbrowser_build` : update to `$(TOR_BROWSER_BUILD_N)`

-  - [ ] `var/browser_release_date` : update to build date. For the build to be reproducible, the date should be in the past when building.

-  - [ ] `var/torbrowser_legacy_version` : update to next version in the legacy-13.5 branch

-  - [ ] `var/torbrowser_legacy_platform_version` : update to firefox platform version in the legacy-13.5 branch

-  - [ ] ***(Desktop Only)***`var/torbrowser_incremental_from` : update to previous Desktop version

-    - **NOTE**: We try to build incrementals for the previous 3 desktop versions except in the case of a watershed update

-    - **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make torbrowser-incrementals-*` step will fail

-- [ ] Update Desktop-specific build configs

-  - [ ] Update `projects/firefox/config`

-    - [ ] `browser_build` : update to match `tor-browser` tag

-    - [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased

-- [ ] Update Android-specific build configs

-  - [ ] Update `projects/geckoview/config`

-    - [ ] `browser_build` : update to match `tor-browser` tag

-    - [ ] ***(Optional)*** `var/geckoview_version` : update to latest `$(ESR_VERSION)` if rebased

-  - [ ] ***(Optional)*** Update `projects/tor-android-service/config`

-    - [ ] `git_hash` : update with `HEAD` commit of project's `main` branch

-  - [ ] ***(Optional)*** Update `projects/application-services/config`:

-    **NOTE** we don't currently have any of our own patches for this project

-    - [ ] `git_hash` : update to appropriate git commit associated with `$(ESR_VERSION)`

-  - [ ] ***(Optional)*** Update `projects/firefox-android/config`:

-    - [ ] `fenix_version` : update to match stable `firefox-android` build tag

-    - [ ] `browser_branch` : update to match stable `firefox-android` build tag

-    - [ ] `browser_build` : update to match stable `firefox-android` build tag

-  variant: Beta

-- [ ] Update `projects/translation/config`:

-  - [ ] run `make list_translation_updates-release` to get updated hashes

-  - [ ] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch

-  - [ ] `steps/tor-browser/git_hash` : update with `HEAD` commit of project's `tor-browser` branch

-  - [ ] `steps/fenix/git_hash` : update with `HEAD` commit of project's `fenix-torbrowserstringsxml` branch

-- [ ] Update common build configs

-  - [ ] Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript

-    - [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/browser/config`

-      - [ ] `URL`

-      - [ ] `sha256sum`

-  - [ ] Check for OpenSSL updates here : https://www.openssl.org/source/

-    - [ ] ***(Optional)*** If new 3.0.X version available, update `projects/openssl/config`

-      - [ ] `version` : update to next 3.0.X version

-      - [ ] `input_files/sha256sum` : update to sha256 sum of source tarball

-  - [ ] Check for zlib updates here: https://github.com/madler/zlib/releases

-    - [ ] **(Optional)** If new tag available, update `projects/zlib/config`

-      - [ ] `version` : update to next release tag

-  - [ ] Check for tor updates here : https://gitlab.torproject.org/tpo/core/tor/-/tags

-    - [ ] ***(Optional)*** Update `projects/tor/config`

-      - [ ] `version` : update to latest non `-alpha` tag (ping dgoulet or ahf if unsure)

-  - [ ] Check for go updates here : https://go.dev/dl

-    - **NOTE** : In general, Tor Browser Stable uses the latest of the *previous* Stable major series Go version, but there are sometimes exceptions. Check with the anti-censorship team before doing a major version update in case there is incompatibilities.

-    - [ ] ***(Optional)*** Update `projects/go/config`

-      - [ ] `version` : update go version

-      - [ ] `input_files/sha256sum` for `go` : update sha256sum of archive (sha256 sums are displayed on the go download page)

-  - [ ] Check for manual updates by running (from `tor-browser-build` root): `./tools/fetch-manual.py`

-    - [ ] ***(Optional)*** If new version is available:

-      - [ ] Upload the downloaded `manual_$PIPELINEID.zip` file to `tb-build-02.torproject.org`

-      - [ ] Deploy to `tb-builder`'s `public_html` directory:

-        - `sudo -u tb-builder cp manual_$PIPELINEID.zip ~tb-builder/public_html/.`

-      - [ ] Update `projects/manual/config`:

-        - [ ] Change the `version` to `$PIPELINEID`

-        - [ ] Update `sha256sum` in the `input_files` section

-- [ ] Update `ChangeLog-TBB.txt`

-  - [ ] Ensure `ChangeLog-TBB.txt` is sync'd between alpha and stable branches

-  - [ ] Check the linked issues: ask people to check if any are missing, remove the not fixed ones

-  - [ ] Run `./tools/fetch-changelogs.py $(ISSUE_NUMBER) --date $date $updateArgs`

-    - Make sure you have `requests` installed (e.g., `apt install python3-requests`)

-    - The first time you run this script you will need to generate an access token; the script will guide you

-    - `$updateArgs` should be these arguments, depending on what you actually updated:

-      - [ ] `--firefox` (be sure to include esr at the end if needed, which is usually the case)

-      - [ ] `--tor`

-      - [ ] `--no-script`

-      - [ ] `--openssl`

-      - [ ] `--zlib`

-      - [ ] `--go`

-      - E.g., `./tools/fetch-changelogs.py 41028 --date 'December 19 2023' --firefox 115.6.0esr --tor 0.4.8.10 --no-script 11.4.29 --zlib 1.3 --go 1.21.5 --openssl 3.0.12`

-    - `--date $date` is optional, if omitted it will be the date on which you run the command

-  - [ ] Copy the output of the script to the beginning of `ChangeLog-TBB.txt` and adjust its output

+Tor Browser Stable is on the `maint-${TOR_BROWSER_MAJOR}.${TOR_BROWSER_MINOR}` branch

+

+- [ ] Changelog bookkeeping:

+  - [ ] Ensure all commits to `tor-browser` and `tor-browser-build` for this release have an associated issue linked to this release preparation issue

+  - [ ] Ensure each issue has a platform (~Windows, ~MacOS, ~Linux, ~Android, ~Desktop, ~"All Platforms") and potentially ~"Build System" labels

+- [ ] Create a release preparation branch from the current `maint-XX.Y` branch

+- [ ] Run release preparation script:

+  - **NOTE**: You can omit the `--tor-browser` argument if this is for a joint Tor and Mullvad Browser release

+  - **⚠️ WARNING**: You may need to manually update the `firefox/config` and `geckoview/config` files' `browser_build` field if `tor-browser.git` has not yet been tagged (e.g. if security backports have not yet been merged and tagged)

+  ```bash

+  ./tools/relprep.py --tor-browser --date ${RELEASE_DATE} ${TOR_BROWSER_VERSION}

+  ```

+- [ ] Review build configuration changes:

+  - [ ] `rbm.conf`

+    - [ ] `var/torbrowser_version`: updated to next browser version

+    - [ ] `var/torbrowser_build`: updated to `${TOR_BROWSER_BUILD_N}`

+    - [ ] `var/browser_release_date`: updated to build date. For the build to be reproducible, the date should be in the past when building.

+      - **⚠️ WARNING**: If we have updated `var/torbrowser_build` without updating the `firefox` or `geckoview` tags, then we can leave this unchanged to avoid forcing a firefox re-build (e.g. when bumping `var/torbrwoser_build` to build2, build3, etc due to non-firefox related build issues)

+    - [ ] ***(Desktop Only)*** `var/torbrowser_incremental_from`: updated to previous Desktop version

+      - **NOTE**: We try to build incrementals for the previous 3 desktop versions

+      - **⚠️ WARNING**: Really *actually* make sure this is the previous Desktop version or else the `make torbrowser-incrementals-*` step will fail

+- [ ] `projects/firefox/config`

+    - [ ] `browser_build`: updated to match `tor-browser` tag

+    - [ ] ***(Optional)*** `var/firefox_platform_version`: updated to latest `${ESR_VERSION}` if rebased

+  - [ ] `projects/geckoview/config`

+    - [ ] `browser_build`: updated to match `tor-browser` tag

+    - [ ] ***(Optional)*** `var/firefox_platform_version`: updated to latest `${ESR_VERSION}` if rebased

+  - [ ] ***(Optional)*** `projects/translation/config`:

+    - [ ] `steps/base-browser/git_hash`: updated with `HEAD` commit of project's `base-browser` branch

+    - [ ] `steps/tor-browser/git_hash`: updated with `HEAD` commit of project's `tor-browser` branch

+    - [ ] `steps/fenix/git_hash`: updated with `HEAD` commit of project's `fenix-torbrowserstringsxml` branch

+  - [ ] ***(Optional)*** `projects/browser/config`:

+    - [ ] NoScript: https://addons.mozilla.org/en-US/firefox/addon/noscript

+      - [ ] `URL` updated

+        - **⚠️ WARNING**: If preparing the release manually, updating the version number in the url is not sufficient, as each version has a random unique id in the download url

+      - [ ] `sha256sum` updated

+  - [ ] ***(Optional)*** `projects/openssl/config`: https://www.openssl.org/source/

+    - **NOTE**: Only if new LTS version (3.0.X currrently) available

+    - [ ] `version`: updated to next LTS version

+    - [ ] `input_files/sha256sum`: updated to sha256 sum of source tarball

+  - [ ] **(Optional)** `projects/zlib/config`: https://github.com/madler/zlib/releases

+    - **NOTE**: Only if new tag available

+    - [ ] `version`: updated to next release tag

+  - [ ] **(Optional)** `projects/zstd/config`: https://github.com/facebook/zstd/releases

+    - **NOTE**: Only if new tag available; Android-only for now

+    - [ ] `version`: updated to next release tag

+    - [ ] `git_hash`: updated to the commit corresponding to the tag (we don't check signatures for Zstandard)

+  - [ ] **(Optional)** `projects/tor/config` https://gitlab.torproject.org/tpo/core/tor/-/tags

+    - [ ] `version`: updated to latest non `-alpha` tag or release tag if newer (ping **dgoulet** or **ahf** if unsure)

+  - [ ] **(Optional)** `projects/go/config` https://go.dev/dl

+    - **NOTE**: In general, Tor Browser Alpha uses the latest Stable major series Go version, but there are sometimes exceptions. Check with the anti-censorship team before doing a major version update in case there is incompatibilities.

+    - [ ] `version`: updated go version

+    - [ ] `input_files/sha256sum` for `go`: update sha256sum of archive (sha256 sums are displayed on the go download page)

+  - [ ] **(Optional)** `projects/manual/config`

+    - [ ] `version`: updated to latest pipeline id

+    - [ ] `input_files/shasum` for `manual`: updated to manual hash

+    - [ ] Upload the downloaded `manual_${PIPELINEID}.zip` file to `tb-build-02.torproject.org`

+    - [ ] Deploy to `tb-builder`'s `public_html` directory:

+      - [ ] Run:

+        ```bash

+        sudo -u tb-builder cp manual_${PIPELINEID}.zip ~tb-builder/public_html/.

+        ```

+      - `sudo` documentation for TPO machines: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/doc/accounts#changingresetting-your-passwords

+  - [ ] `ChangeLog-TBB.txt`: ensure correctness

+    - [ ] Browser name correct

+    - [ ] Release date correct

+    - [ ] No Android updates on a desktop-only release and vice-versa

+    - [ ] All issues added under correct platform

+    - [ ] ESR updates correct

+    - [ ] Component updates correct

 - [ ] Open MR with above changes, using the template for release preparations

+  - **NOTE**: target the `maint-14.0` branch

 - [ ] Merge

 - [ ] Sign+Tag

   - **NOTE** this must be done by one of:

     - ma1

     - morgan

     - pierov

-  - [ ] Run: `make torbrowser-signtag-release`

+  - [ ] Run:

+    ```bash

+    make torbrowser-signtag-release

+    ```

   - [ ] Push tag to `upstream`

 - [ ] Build the tag:

-  - Run `make torbrowser-release && make torbrowser-incrementals-release`

+  - [ ] Run:

+    ```bash

+    make torbrowser-release && make torbrowser-incrementals-release

+    ```

     - [ ] Tor Project build machine

     - [ ] Local developer machine

   - [ ] Submit build request to Mullvad infrastructure:

     - **NOTE** this requires a devmole authentication token

-    - Run `make torbrowser-kick-devmole-build`

-- [ ] Ensure builders have matching builds

+    - **NOTE** this also requires you be connected to a Swedish Mulvad VPN exit

+    - [ ] Run:

+      ```bash

+      make torbrowser-kick-devmole-build

+      ```

 

 </details>

 

 <details>

-  <summary>Communications</summary>

-

-### notify stakeholders

-- [ ] **(Once builds confirmed matching)** Email tor-qa mailing list with release information

-  - [ ] tor-qa: tor-qa@lists.torproject.org

-  - **Subject**

-    ```

-    Tor Browser $(TOR_BROWSER_VERION) (Android, Windows, macOS, Linux)

-    ```

-  - **Body**

-    ```

-    Hello,

-

-    Unsigned Tor Browser $(TOR_BROWSER_VERSION) release candidate builds are now available for testing:

-

-    - https://tb-build-02.torproject.org/~$(BUILDER)/builds/torbrowser/release/unsigned/$(TOR_BROWSER_VERSION)/

-

-    The full changelog can be found here:

-

-    - https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/raw/$(TBB_BUILD_TAG)/projects/browser/Bundle-Data/Docs-TBB/ChangeLog.txt

-    ```

-- [ ] Email packagers:

-  - [ ] Tails dev mailing list: tails-dev@boum.org

-  - [ ] Guardian Project: nathan@guardianproject.info

-  - [ ] FreeBSD port: freebsd@sysctl.cz <!-- Gitlab user maxfx -->

-  - [ ] OpenBSD port: caspar@schutijser.com <!-- Gitlab user cschutijser -->

-  - [ ] Note any changes which may affect packaging/downstream integration

+  <summary>Website</summary>

+

+  ### downloads: https://gitlab.torproject.org/tpo/web/tpo.git

+  - [ ] `databags/versions.ini`: Update the downloads versions

+      - `torbrowser-stable/version`: catch-all for latest stable version

+      - `torbrowser-alpha/version`: catch-all for latest alpha version

+      - `torbrowser-legacy/version`: catch-all for latest ESR-115 version

+      - `torbrowser-*-stable/version`: platform-specific stable versions

+      - `torbrowser-*-alpha/version`: platform-specific alpha versions

+      - `torbrowser-*-legacy/version`: platform-specific legacy versions

+  - [ ] Push to origin as new branch and create MR

+  - [ ] Review

+  - [ ] Merge

+    - **⚠️ WARNING**: Do not deploy yet!

+

+  ### blog: https://gitlab.torproject.org/tpo/web/blog.git

+  - [ ] Run `tools/signing/create-blog-post` which should create the new blog post from a template (edit set-config.blog to set you local blog directory)

+    - [ ] Note any ESR update

+    - [ ] Thank any users which have contributed patches

+    - [ ] **(Optional)** Draft any additional sections for new features which need testing, known issues, etc

+  - [ ] Push to origin as new branch and open MR

+  - [ ] Review

+  - [ ] Merge

+    - **⚠️ WARNING**: Do not deploy yet!

 

 </details>

 

   <summary>Signing</summary>

 

 ### release signing

-- **NOTE** : In practice, it's most efficient to have the blog post and website updates ready to merge, since signing doesn't take very long

 - [ ] Assign this issue to the signer, one of:

   - boklm

+  - ma1

   - morgan

-- [ ] On `$(STAGING_SERVER)`, ensure updated:

-  - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-$(TOR_BROWSER_VERSION)-$(TOR_BROWSER_BUILD_N) && git checkout tbb-$(TOR_BROWSER_VERSION)-$(TOR_BROWSER_BUILD_N)`

+  - pierov

+- [ ] Ensure all builders have matching builds

+- [ ] Verify the associated legacy `maint-13.5` release has been signed and deployed

+  - **⚠️ WARNING**: Do not continue if the legacy channel has not been fully signed and published yet; it is needed for update-response generation!

+  - **NOTE** Stable releases without a corresponding legacy release may ignore this

+- [ ] On `${STAGING_SERVER}`, ensure updated:

+  - **NOTE** Having a local git branch with `maint-14.0` as the upstream branch with these values saved means you only need to periodically `git pull --rebase` and update the `set-config.tbb-version` file

+  - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-${TOR_BROWSER_VERSION}-${TOR_BROWSER_BUILD_N} && git checkout tbb-${TOR_BROWSER_VERSION}-${TOR_BROWSER_BUILD_N}`

   - [ ] `tor-browser-build/tools/signing/set-config.hosts`

-    - `ssh_host_builder` : ssh hostname of machine with unsigned builds

-      - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory)

-    - `ssh_host_linux_signer` : ssh hostname of linux signing machine

+    - `ssh_host_builder`: ssh hostname of machine with unsigned builds

+    - `ssh_host_linux_signer`: ssh hostname of linux signing machine

+    - `builder_tor_browser_build_dir`: path on `ssh_host_builder` to root of builder's `tor-browser-build` clone containing unsigned builds

   - [ ] `tor-browser-build/tools/signing/set-config.rcodesign-appstoreconnect`

-    - `appstoreconnect_api_key_path` : path to json file containing appstoreconnect api key infos

+    - `appstoreconnect_api_key_path`: path to json file containing appstoreconnect api key infos

   - [ ] `set-config.update-responses`

-    - `update_responses_repository_dir` : directory where you cloned `git@gitlab.torproject.org:tpo/applications/tor-browser-update-responses.git`

+    - `update_responses_repository_dir`: directory where you cloned `git@gitlab.torproject.org:tpo/applications/tor-browser-update-responses.git`

   - [ ] `tor-browser-build/tools/signing/set-config.tbb-version`

-    - `tbb_version` : tor browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`)

-    - `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`)

-    - `tbb_version_type` : either `alpha` for alpha releases or `release` for stable releases

-- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050

-- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, run do-all-signing script:

-  - `cd tor-browser-build/tools/signing/`

-  - `./do-all-signing.torbrowser`

-- **NOTE**: at this point the signed binaries should have been copied to `staticiforme`

-- [ ] Update `staticiforme.torproject.org`:

-  - From `screen` session on `staticiforme.torproject.org`:

-  - [ ] Static update components : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org`

-  - [ ] Enable update responses : `sudo -u tb-release ./deploy_update_responses-release.sh`

-  - [ ] Remove old release data from following places:

-    - **NOTE** : Skip this step if we need to hold on to older versions for some reason (for example, this is an Andoid or Desktop-only release, or if we need to hold back installers in favor of build-to-build updates if there are signing issues, etc)

-    - [ ] `/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser`

-    - [ ] `/srv/dist-master.torproject.org/htdocs/torbrowser`

-  - [ ] Static update components (again) : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org`

+    - `tbb_version`: tor browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`)

+    - `tbb_version_build`: the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`)

+    - `tbb_version_type`: either `alpha` for alpha releases or `release` for stable releases

+- [ ] On `${STAGING_SERVER}` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050

+- [ ] On `${STAGING_SERVER}` in a separate `screen` session, run do-all-signing script:

+  - [ ] Run:

+    ```bash

+    cd tor-browser-build/tools/signing/ && ./do-all-signing.torbrowser

+    ```

+  - **NOTE**: on successful execution, the signed binaries and mars should have been copied to `staticiforme` and update responses pushed

 

 </details>

 

 <details>

   <summary>Publishing</summary>

 

+### website

+- [ ] On `staticiforme.torproject.org`, static update components:

+  - [ ] Run:

+    ```bash

+    static-update-component cdn.torproject.org && static-update-component dist.torproject.org

+    ```

+- [ ] Deploy `tor-website` MR

+- [ ] Deploy `tor-blog` MR

+- [ ] On `staticiforme.torproject.org`, enable update responses:

+  - [ ] Run:

+    ```bash

+    sudo -u tb-release ./deploy_update_responses-release.sh

+    ```

+- [ ] On `staticiforme.torproject.org`, remove old release:

+  - **NOTE**: Skip this step if we need to hold on to older versions for some reason (for example, this is an Andoid or Desktop-only release, or if we need to hold back installers in favor of build-to-build updates if there are signing issues, etc)

+  - [ ] `/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser`

+  - [ ] `/srv/dist-master.torproject.org/htdocs/torbrowser`

+  - [ ] Run:

+    ```bash

+    static-update-component cdn.torproject.org && static-update-component dist.torproject.org

+    ```

+

 ### Google Play: https://play.google.com/apps/publish

 - [ ] Publish APKs to Google Play:

   - Select `Tor Browser` app

     - [ ] 100% rollout when publishing a security-driven release

   - [ ] Update rollout percentage to 100% after confirmed no major issues

 

-### website: https://gitlab.torproject.org/tpo/web/tpo.git

-- [ ] `databags/versions.ini` : Update the downloads versions

-    - `torbrowser-stable/version` : sort of a catch-all for latest stable version

-    - `torbrowser-alpha/version` : sort of a catch-all for latest stable version

-    - `torbrowser-*-stable/version` : platform-specific stable versions

-    - `torbrowser-*-alpha/version` : platform-specific alpha versions

-    - `tor-stable`,`tor-alpha` : set by tor devs, do not touch

-- [ ] Push to origin as new branch, open 'Draft :' MR

-- [ ] Remove `Draft:` from MR once signed-packages are accessible on https://dist.torproject.org

-- [ ] Merge

-- [ ] Publish after CI passes and builds are published

+</details>

 

-### blog: https://gitlab.torproject.org/tpo/web/blog.git

-- [ ] Run `tools/signing/create-blog-post` which should create the new blog post from a template (edit set-config.blog to set you local blog directory)

-  - [ ] Note any ESR update

-  - [ ] Note any updates to dependencies (OpenSSL, zlib, NoScript, tor, etc)

-  - [ ] Thank any users which have contributed patches

-- [ ] Push to origin as new branch, open `Draft:` MR

-- [ ] Merge once signed-packages are accessible on https://dist.torproject.org

-- [ ] Publish after CI passes and website has been updated

+<details>

+  <summary>Communications</summary>

 

 ### tor-announce mailing list

-- [ ] Email tor-announce mailing list: tor-announce@lists.torproject.org

+- [ ] Email tor-announce mailing list

+  - **Recipients**

+    ```

+    tor-announce@lists.torproject.org

+    ```

   - **Subject**

     ```

-    New Release: Tor Browser $(TOR_BROWSER_VERSION) (Android, Windows, macOS, Linux)

+    New Release: Tor Browser ${TOR_BROWSER_VERSION} (Android, Windows, macOS, Linux)

     ```

   - **Body**

     ```

     Hi everyone,

 

-    Tor Browser $(TOR_BROWSER_VERSION) has now been published for all platforms. For details please see our blog post:

-    - $(BLOG_POST_URL)

+    Tor Browser ${TOR_BROWSER_VERSION} has now been published for all platforms. For details please see our blog post:

+    - ${BLOG_POST_URL}

 

     Changelog:

-    # paste changleog as quote here

+    # paste changelog as quote here

+    ```

+

+### packagers

+- [ ] Email packagers:

+  - **Recipients**

+    - Tails dev mailing list: tails-dev@boum.org

+    - Guardian Project: nathan@guardianproject.info

+    - FreeBSD port: freebsd@sysctl.cz <!-- Gitlab user maxfx -->

+    - OpenBSD port: caspar@schutijser.com <!-- Gitlab user cschutijser -->

+    - torbrowser-launcher: mail@asciiwolf.com <!-- Gitlab user asciiwolf -->

+    - Anti-Censorship: meskio@torproject.org <!-- Gitlab user meskio -->

     ```

+    tails-dev@boum.org nathan@guardianproject.info freebsd@sysctl.cz caspar@schutijser.com mail@asciiwolf.com meskio@torproject.org

+    ```

+  - **Subject**

+    ```

+    New Release: Tor Browser ${TOR_BROWSER_VERSION} (Android, Windows, macOS, Linux)

+    ```

+  - **Body**

+    ```

+    Hi everyone,

+

+    Tor Browser ${TOR_BROWSER_VERSION} has now been published for all platforms. For details please see our blog post:

+    - ${BLOG_POST_URL}

 

+    Changelog:

+    # paste changelog as quote here

+    ```

+  - [ ] Note any changes which may affect packaging/downstream integration

 </details>

 

 /label ~"Release Prep"
-

morgan pushed to branch main at The Tor Project / Applications / tor-browser-build

Commits:

5 changed files:

Changes: