... |
... |
@@ -44,13 +44,12 @@ |
44
|
44
|
<details>
|
45
|
45
|
<summary>Android</summary>
|
46
|
46
|
|
47
|
|
-### ***Security Vulnerabilities Backport*** : https://www.mozilla.org/en-US/security/advisories/
|
48
|
|
-- **NOTE** : this work may have already occurred in the analogous stable release prep issue
|
|
47
|
+### **Security Vulnerabilities Backport** : https://www.mozilla.org/en-US/security/advisories/
|
49
|
48
|
- [ ] Create tor-browser issue `Backport Android-specific Firefox $(RR_VERSION) to ESR $(ESR_VERSION)-based Tor Browser`
|
50
|
49
|
- [ ] Link new backport issue to this release prep issue
|
51
|
50
|
- [ ] Go through any `Security Vulnerabilities fixed in Firefox $(RR_VERSION)` (or similar) and create list of CVEs which affect Android that need to be a backported
|
52
|
51
|
- Potentially Affected Components:
|
53
|
|
- - `firefox`
|
|
52
|
+ - `firefox`/`geckoview`
|
54
|
53
|
- `application-services`
|
55
|
54
|
- `android-components`
|
56
|
55
|
- `fenix`
|
... |
... |
@@ -59,21 +58,21 @@ |
59
|
58
|
- [ ] Backport any Android-specific security fixes from Firefox rapid-release
|
60
|
59
|
- [ ] Sign/Tag commit:
|
61
|
60
|
- Tag : `application-services-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)`
|
62
|
|
- - Message: `Tagging $(BUILD_N) for $(ESR_VERSION)-based alpha`
|
|
61
|
+ - Message: `Tagging $(BUILD_N) for $(ESR_VERSION)-based stable`
|
63
|
62
|
- [ ] Push tag to `origin`
|
64
|
63
|
|
65
|
64
|
### **android-components** ***(Optional)*** : https://gitlab.torproject.org/tpo/applications/android-components.git
|
66
|
65
|
- [ ] Backport any Android-specific security fixes from Firefox rapid-release
|
67
|
66
|
- [ ] Sign/Tag commit:
|
68
|
67
|
- Tag : `android-components-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)`
|
69
|
|
- - Message: `Tagging $(BUILD_N) for $(ESR_VERSION)-based alpha)`
|
|
68
|
+ - Message: `Tagging $(BUILD_N) for $(ESR_VERSION)-based stable)`
|
70
|
69
|
- [ ] Push tag to `origin`
|
71
|
70
|
|
72
|
71
|
### **fenix** ***(Optional)*** : https://gitlab.torproject.org/tpo/applications/fenix.git
|
73
|
72
|
- [ ] Backport any Android-specific security fixes from Firefox rapid-release
|
74
|
73
|
- [ ] Sign/Tag commit:
|
75
|
74
|
- Tag : `tor-browser-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)`
|
76
|
|
- - Message: `Tagging $(BUILD_N) for $(ESR_VERSION)-based alpha)`
|
|
75
|
+ - Message: `Tagging $(BUILD_N) for $(ESR_VERSION)-based stable)`
|
77
|
76
|
- [ ] Push tag to `origin`
|
78
|
77
|
|
79
|
78
|
</details>
|
... |
... |
@@ -96,25 +95,24 @@ |
96
|
95
|
- [ ] `base-browser-$(ESR_VERSION)esr-$(TOR_BROWSER_MAJOR).$(TOR-BROWSER_MINOR)-1`
|
97
|
96
|
- [ ] `tor-browser-$(ESR_VERSION)esr-$(TOR_BROWSER_MAJOR).$(TOR-BROWSER_MINOR)-1`
|
98
|
97
|
- [ ] Push new branches and esr tag to origin
|
99
|
|
- - [ ] Rebase `base-browser` patches onto the `gecko-dev` commit
|
100
|
|
- - [ ] Rebase `tor-browser` patches onto the `base-browser` branch
|
|
98
|
+ - [ ] Rebase previous `base-browser` patches onto the `gecko-dev` commit
|
|
99
|
+ - [ ] Rebase previous `tor-browser` patches onto the new `base-browser` branch
|
101
|
100
|
- [ ] Compare patch-sets (ensure nothing *weird* happened during rebase):
|
102
|
101
|
- [ ] rangediff: `git range-diff $(ESR_TAG_PREV)..$(TOR_BROWSER_BRANCH_PREV) $(ESR_TAG)..$(TOR_BROWSER_BRANCH)`
|
103
|
102
|
- [ ] diff of diffs:
|
104
|
103
|
- Do the diff between `current_patchset.diff` and `rebased_patchset.diff` with your preferred `$(DIFF_TOOL)` and look at differences on lines that starts with + or -
|
105
|
104
|
- [ ] `git diff $(ESR_TAG_PREV)..$(TOR_BROWSER_BRANCH_PREV) > current_patchset.diff`
|
106
|
105
|
- [ ] `git diff $(ESR_TAG)..$(TOR_BROWSER_BRANCH) > rebased_patchset.diff`
|
107
|
|
- - [ ] `$(DIFF_TOOL) current_patchset.dif rebased_patchset.deff`
|
|
106
|
+ - [ ] `$(DIFF_TOOL) current_patchset.diff rebased_patchset.diff`
|
108
|
107
|
- [ ] Open MR for the rebase
|
109
|
108
|
- [ ] Sign/Tag `base-browser` commit:
|
110
|
109
|
- **NOTE** : Currently we are using the `Bug 40926: Implemented the New Identity feature` commit as the final commit of `base-browser` before `tor-browser`
|
111
|
110
|
- Tag : `base-browser-$(ESR_VERSION)esr-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-build1`
|
112
|
|
- - Message: `Tagging build1 for $(ESR_VERSION)esr-based alpha`
|
|
111
|
+ - Message: `Tagging build1 for $(ESR_VERSION)esr-based stable`
|
113
|
112
|
- [ ] Sign/Tag `tor-browser` commit :
|
114
|
113
|
- Tag : `tor-browser-$(ESR_VERSION)esr-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(FIREFOX_BUILD_N)`
|
115
|
|
- - Message : `Tagging $(FIREFOX_BUILD_N) for $(ESR_VERSION)esr-based alpha`
|
|
114
|
+ - Message : `Tagging $(FIREFOX_BUILD_N) for $(ESR_VERSION)esr-based stable`
|
116
|
115
|
- [ ] Push rebased branches and tags to `origin`
|
117
|
|
-- [ ] Update Gitlab Default Branch to new Alpha branch: https://gitlab.torproject.org/tpo/applications/tor-browser/-/settings/repository
|
118
|
116
|
|
119
|
117
|
</details>
|
120
|
118
|
|
... |
... |
@@ -127,75 +125,89 @@ Tor Browser Alpha (and Nightly) are on the `main` branch, while Stable lives in |
127
|
125
|
- [ ] Update `rbm.conf`
|
128
|
126
|
- [ ] `var/torbrowser_version` : update to next version
|
129
|
127
|
- [ ] `var/torbrowser_build` : update to `$(TOR_BROWSER_BUILD_N)`
|
130
|
|
- - [ ] ***(Desktop Only)*** `var/torbrowser_incremental_from` : update to previous Desktop version
|
|
128
|
+ - [ ] ***(Optional, Desktop)*** `var/torbrowser_incremental_from` : update to previous Desktop version
|
131
|
129
|
- [ ] **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make incrementals-*` step will fail
|
132
|
|
-- [ ] Update `projects/firefox/config`
|
133
|
|
- - [ ] `git_hash` : update the `$(BUILD_N)` section to match `tor-browser` tag
|
134
|
|
- - [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased
|
135
|
|
-- [ ] Update `projects/geckoview/config`
|
136
|
|
- - [ ] `git_hash` : update the `$(BUILD_N)` section to match `tor-browser` tag
|
137
|
|
- - [ ] ***(Optional)*** `var/geckoview_version` : update to latest `$(ESR_VERSION)` if rebased
|
138
|
|
-- [ ] Update `projects/translation-base-browser/config`
|
139
|
|
- - [ ] `git_hash` : update with `HEAD` commit of project's `base-browser` branch
|
140
|
|
-- [ ] Update `projects/translation-base-browser-fluent/config`
|
141
|
|
- - [ ] `git_hash` : update with `HEAD` commit of project's `basebrowser-newidentityftl` branch
|
142
|
|
-- [ ] Update `projects/tba-translations/config`:
|
143
|
|
- - [ ] `git_hash` : update with `HEAD` commit of project's `fenix-torbrowserstringsxml` branch
|
144
|
|
-- [ ] ***(Optional)*** Update `projects/tor-android-service/config`
|
145
|
|
- - [ ] `git_hash` : update with `HEAD` commit of project's `main` branch
|
146
|
|
-- [ ] ***(Optional)*** Update `projects/application-services/config`:
|
147
|
|
- **NOTE** we don't have any of our own patches for this project
|
148
|
|
- - [ ] `git_hash` : update to appropriate git commit associated with `$(ESR_VERSION)`
|
149
|
|
-- [ ] Update `projects/android-components/config`:
|
150
|
|
- - [ ] `git_hash` : update the `$(BUILD_N)` section to match alpha `android-components` tag
|
151
|
|
-- [ ] Update `projects/fenix/config`
|
152
|
|
- - [ ] `git_hash` : update the `$(BUILD_N)` section to match `fenix` tag
|
153
|
|
- - [ ] ***(Optional)*** `var/fenix_version` : update to latest `$(ESR_VERSION)` if rebased
|
154
|
|
-- [ ] Update allowed_addons.json by running (from `tor-browser-build` root):
|
155
|
|
- - `./tools/fetch_allowed_addons.py > projects/browser/allowed_addons.json`
|
156
|
|
-- [ ] Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript
|
157
|
|
- - [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/browser/config`
|
158
|
|
- - [ ] `URL`
|
159
|
|
- - [ ] `sha256sum`
|
160
|
|
-- [ ] Check for OpenSSL updates here : https://www.openssl.org/source/
|
161
|
|
- - [ ] ***(Optional)*** If new 1.X.Y version available, update `projects/openssl/config`
|
162
|
|
- - [ ] `version` : update to next 1.X.Y version
|
163
|
|
- - [ ] `input_files/sha256sum` : update to sha256 sum of source tarball
|
164
|
|
-- [ ] Check for zlib updates here: https://github.com/madler/zlib/releases
|
165
|
|
- - [ ] **(Optional)** If new tag available, update `projects/zlib/config`
|
166
|
|
- - [ ] `version` : update to next release tag
|
167
|
|
-- [ ] Check for tor updates here : https://gitlab.torproject.org/tpo/core/tor/-/tags ; Tor Browser Alpha uses latest `-alpha` tagged tor (or latest of stable if newer)
|
168
|
|
- - [ ] ***(Optional)*** Update `projects/tor/config`
|
169
|
|
- - [ ] `version` : update to next release tag
|
170
|
|
-- [ ] Check for go updates here : https://golang.org/dl
|
171
|
|
- - **NOTE** : Tor Browser Alpha uses the latest Stable go version, while Tor Browser Stable uses the latest of the previous Stable major series version
|
172
|
|
- - [ ] ***(Optional)*** Update `projects/go/config`
|
173
|
|
- - [ ] `version` : update go version
|
174
|
|
- - [ ] `input_files/sha256sum` for `go` : update sha256sum of archive (sha256 sums are displayed on the go download page)
|
175
|
|
-- [ ] ***(Optional)*** Update the manual
|
176
|
|
- - [ ] Go to https://gitlab.torproject.org/tpo/web/manual/-/jobs/
|
177
|
|
- - [ ] Open the latest build stage
|
178
|
|
- - [ ] Download the artifacts (they come in a .zip file).
|
179
|
|
- - [ ] Rename it to `manual_$PIPELINEID.zip`
|
180
|
|
- - [ ] Upload it to people.tpo
|
181
|
|
- - [ ] Update `projects/manual/config`
|
182
|
|
- - [ ] Change the version to `$PIPELINEID`
|
183
|
|
- - [ ] Update the hash in the input_files section
|
184
|
|
- - [ ] Update the URL if you have uploaded to a different people.tpo home
|
|
130
|
+- [ ] ***(Optional)*** Update Desktop-specific build configs
|
|
131
|
+ - [ ] Update `projects/firefox/config`
|
|
132
|
+ - [ ] `git_hash` : update the `$(BUILD_N)` section to match `tor-browser` tag
|
|
133
|
+ - [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased
|
|
134
|
+ - [ ] Update `projects/translation-base-browser/config`
|
|
135
|
+ - [ ] `git_hash` : update with `HEAD` commit of project's `base-browser` branch
|
|
136
|
+ - [ ] Update `projects/translation-base-browser-fluent/config`
|
|
137
|
+ - [ ] `git_hash` : update with `HEAD` commit of project's `basebrowser-newidentityftl` branch
|
|
138
|
+- [ ] ***(Optional)*** Update Android-specific build configs
|
|
139
|
+ - [ ] ***(Optional)*** Update `projects/geckoview/config`
|
|
140
|
+ - [ ] `git_hash` : update the `$(BUILD_N)` section to match `tor-browser` tag
|
|
141
|
+ - [ ] ***(Optional)*** `var/geckoview_version` : update to latest `$(ESR_VERSION)` if rebased
|
|
142
|
+ - [ ] Update `projects/tba-translations/config`:
|
|
143
|
+ - [ ] `git_hash` : update with `HEAD` commit of project's `fenix-torbrowserstringsxml` branch
|
|
144
|
+ - [ ] ***(Optional)*** Update `projects/tor-android-service/config`
|
|
145
|
+ - [ ] `git_hash` : update with `HEAD` commit of project's `main` branch
|
|
146
|
+ - [ ] ***(Optional)*** Update `projects/application-services/config`:
|
|
147
|
+ **NOTE** we don't currently have any of our own patches for this project
|
|
148
|
+ - [ ] `git_hash` : update to appropriate git commit associated with `$(ESR_VERSION)`
|
|
149
|
+ - [ ] ***(Optional)*** Update `projects/android-components/config`:
|
|
150
|
+ - [ ] `git_hash` : update the `$(BUILD_N)` section to match `android-components` tag
|
|
151
|
+ - [ ] ***(Optional)*** Update `projects/fenix/config`
|
|
152
|
+ - [ ] `git_hash` : update the `$(BUILD_N)` section to match `fenix` tag
|
|
153
|
+ - [ ] ***(Optional)*** `var/fenix_version` : update to latest `$(ESR_VERSION)` if rebased
|
|
154
|
+ - [ ] Update allowed_addons.json by running (from `tor-browser-build` root):
|
|
155
|
+ - `./tools/fetch_allowed_addons.py > projects/browser/allowed_addons.json`
|
|
156
|
+- [ ] Update common build configs
|
|
157
|
+ - [ ] Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript
|
|
158
|
+ - [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/browser/config`
|
|
159
|
+ - [ ] `URL`
|
|
160
|
+ - [ ] `sha256sum`
|
|
161
|
+ - [ ] Check for OpenSSL updates here : https://www.openssl.org/source/
|
|
162
|
+ - [ ] ***(Optional)*** If new 1.X.Y version available, update `projects/openssl/config`
|
|
163
|
+ - [ ] `version` : update to next 1.X.Y version
|
|
164
|
+ - [ ] `input_files/sha256sum` : update to sha256 sum of source tarball
|
|
165
|
+ - [ ] Check for zlib updates here: https://github.com/madler/zlib/releases
|
|
166
|
+ - [ ] **(Optional)** If new tag available, update `projects/zlib/config`
|
|
167
|
+ - [ ] `version` : update to next release tag
|
|
168
|
+ - [ ] Check for tor updates here : https://gitlab.torproject.org/tpo/core/tor/-/tags
|
|
169
|
+ - [ ] ***(Optional)*** Update `projects/tor/config`
|
|
170
|
+ - [ ] `version` : update to latest non `-alpha` tag (ping @dgoulet or @ahf if unsure)
|
|
171
|
+ - [ ] Check for go updates here : https://golang.org/dl
|
|
172
|
+ - **NOTE** : Tor Browser Stable uses the latest of the *previous* Stable major series go version (apart from the transition phase from Tor Browser Alpha to Stable, in which case Tor Browser Stable may use the latest major series go version)
|
|
173
|
+ - [ ] ***(Optional)*** Update `projects/go/config`
|
|
174
|
+ - [ ] `version` : update go version
|
|
175
|
+ - [ ] `input_files/sha256sum` for `go` : update sha256sum of archive (sha256 sums are displayed on the go download page)
|
|
176
|
+ - [ ] ***(Optional)*** Update the manual
|
|
177
|
+ - [ ] Go to https://gitlab.torproject.org/tpo/web/manual/-/jobs/
|
|
178
|
+ - [ ] Open the latest build stage
|
|
179
|
+ - [ ] Download the artifacts (they come in a .zip file).
|
|
180
|
+ - [ ] Rename it to `manual_$PIPELINEID.zip`
|
|
181
|
+ - [ ] Upload it to people.tpo
|
|
182
|
+ - [ ] Update `projects/manual/config`
|
|
183
|
+ - [ ] Change the version to `$PIPELINEID`
|
|
184
|
+ - [ ] Update the hash in the input_files section
|
|
185
|
+ - [ ] Update the URL if you have uploaded to a different people.tpo home
|
185
|
186
|
- [ ] Update `ChangeLog.txt`
|
186
|
187
|
- [ ] Ensure ChangeLog.txt is sync'd between alpha and stable branches
|
187
|
188
|
- [ ] Open MR with above changes
|
188
|
|
-- [ ] Begin build on `$(BUILD_SERVER)` (and fix any issues which come up)
|
189
|
|
-- [ ] Sign/Tag commit : `make signtag-release`
|
|
189
|
+- [ ] Begin build on `$(BUILD_SERVER)` (and fix any issues which come up and update MR)
|
|
190
|
+- [ ] Sign/Tag commit: `make signtag-release`
|
190
|
191
|
- [ ] Push tag to origin
|
|
192
|
+</details>
|
191
|
193
|
|
|
194
|
+<details>
|
|
195
|
+ <summary>Communications</summary>
|
192
|
196
|
### notify stakeholders
|
193
|
197
|
- [ ] Email tor-qa mailing list: tor-qa@lists.torproject.org
|
194
|
|
- - [ ] Provide links to unsigned builds on `$(BUILD_SERVER)`
|
195
|
|
- - [ ] Call out any new functionality which needs testing
|
196
|
|
- - [ ] Link to any known issues
|
197
|
|
-- [ ] Email Tails dev mailing list: tails-dev@boum.org
|
198
|
|
- - [ ] Provide links to unsigned builds on `$(BUILD_SERVER)`
|
|
198
|
+ - [ ] Provide links to unsigned builds on `$(BUILD_SERVER)`
|
|
199
|
+ - [ ] Note any new functionality which needs testing
|
|
200
|
+ - [ ] Link to any known issues
|
|
201
|
+- [ ] Email downstream consumers:
|
|
202
|
+ - Recipients:
|
|
203
|
+ - [ ] Tails dev mailing list: tails-dev@boum.org
|
|
204
|
+ - [ ] Guardian Project: nathan@guardianproject.info
|
|
205
|
+ - [ ] torbrowser-launcher: micah@micahflee.com
|
|
206
|
+ - [ ] Provide links to unsigned builds on `$(BUILD_SERVER)`
|
|
207
|
+ - [ ] Note any changes which may affect packaging/downstream integration
|
|
208
|
+- [ ] Email upstream stakeholders:
|
|
209
|
+ - [ ] ***(Optional, after ESR migration)*** Cloudflare: ask-research@cloudflare.com
|
|
210
|
+ - **NOTE** : We need to provide them with updated user agent string so they can update their internal machinery to prevent Tor Browser users from getting so many CAPTCHAs
|
199
|
211
|
|
200
|
212
|
</details>
|
201
|
213
|
|
... |
... |
@@ -237,7 +249,7 @@ Tor Browser Alpha (and Nightly) are on the `main` branch, while Stable lives in |
237
|
249
|
- [ ] Enable update responses : `./deploy_update_responses-alpha.sh`
|
238
|
250
|
- [ ] Publish APKs to Google Play:
|
239
|
251
|
- Log into https://play.google.com/apps/publish
|
240
|
|
- - Select `Tor Browser (Alpha)` app
|
|
252
|
+ - Select `Tor Browser` app
|
241
|
253
|
- Navigate to `Release > Production` and click `Create new release` button
|
242
|
254
|
- [ ] Upload the `*.multi.apk` APKs
|
243
|
255
|
- [ ] Update Release Name to Tor Browser version number
|