Richard Pospesel pushed to branch main at The Tor Project / Applications / tor-browser-build

Commits:

2 changed files:

Changes:

  • .gitlab/issue_templates/Release Prep - Alpha.md
    ... ... @@ -5,8 +5,6 @@
    5 5
     - `$(STAGING_SERVER)` : the server the signer is using to to run the signing process
    
    6 6
     - `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc
    
    7 7
         - example : `91.6.0`
    
    8
    -- `$(RR_VERSION)` : the Mozilla defined Rapid-Release version; Tor Browser for Android is based off of the `$(ESR_VERSION)`, but Mozilla's Firefox for Android is based off of the `$(RR_VERSION)` so we need to keep track of security vulnerabilities to backport from the monthly Rapid-Release train and our frozen ESR train.
    
    9
    -    - example: `103`
    
    10 8
     - `$(ESR_TAG)` : the Mozilla defined hg (Mercurial) tag associated with `$(ESR_VERSION)`
    
    11 9
         - exmaple : `FIREFOX_91_7_0esr_BUILD2`
    
    12 10
     - `$(ESR_TAG_PREV)` : the Mozilla defined hg (Mercurial) tag associated with the previous ESR version when rebasing (ie, the ESR version we are rebasing from)
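Review bot: The `example` sub-bullets on new lines 7 and 9 keep their four-space indent here, while this same commit re-indents them to two spaces in Release Prep - Stable.md, so the two templates now diverge in formatting. Apply the same re-indent in this file. While the list is being edited, also fix the `exmaple` typo on new line 9 and the doubled "to to" on new line 5.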
    
    ... ... @@ -23,91 +21,12 @@
    23 21
             - if we have build failures unrelated to `tor-browser`, the `$(TOR_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same.
    
    24 22
     - `$(TOR_BROWSER_VERSION)` : the published Tor Browser version
    
    25 23
         - example : `11.5a6`, `11.0.7`
    
    26
    -- `$(TOR_BROWSER_BRANCH)` : the full name of tor-browser branch
    
    27
    -    - typically of the form: `tor-browser-$(ESR_VERSION)esr-$(TOR_BROWSER_MAJOR).$(TOR-BROWSER_MINOR)-1`
    
    28
    -- `$(TOR_BROWSER_BRANCH_PREV)` : the full name of the previous tor-browser branch (when rebasing)
    
    29 24
     </details>
    
    30 25
     
    
    31
    -<details>
    
    32
    -    <summary>Android</summary>
    
    33
    -
    
    34
    -### **Security Vulnerabilities Backport** : https://www.mozilla.org/en-US/security/advisories/
    
    35
    -- **NOTE** : this work usually first occurs during the Tor Browser Stable release, so for alpha we typically only need to update the various `tor-browser-build` configs to point to the right release tags.
    
    36
    -- [ ] Create tor-browser issue `Backport Android-specific Firefox $(RR_VERSION) to ESR $(ESR_VERSION)-based Tor Browser`
    
    37
    -  - [ ] Link new backport issue to this release prep issue
    
    38
    -- [ ] Go through any `Security Vulnerabilities fixed in Firefox $(RR_VERSION)` (or similar) and create list of CVEs which affect Android that need to be a backported
    
    39
    -  - Potentially Affected Components:
    
    40
    -    - `firefox`/`geckoview`
    
    41
    -    - `application-services`
    
    42
    -    - `android-components`
    
    43
    -    - `fenix`
    
    44
    -
    
    45
    -### **application-services** ***(Optional)*** : *TODO: we need to setup a gitlab copy of this repo that we can apply security backports to*
    
    46
    -- [ ] Backport any Android-specific security fixes from Firefox rapid-release
    
    47
    -- [ ] Sign/Tag commit:
    
    48
    -  - Tag : `application-services-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)`
    
    49
    -  - Message: `Tagging $(BUILD_N) for $(ESR_VERSION)-based alpha`
    
    50
    -- [ ] Push tag to `origin`
    
    51
    -
    
    52
    -### **android-components** ***(Optional)*** : https://gitlab.torproject.org/tpo/applications/android-components.git
    
    53
    -- [ ] Backport any Android-specific security fixes from Firefox rapid-release
    
    54
    -- [ ] Sign/Tag commit:
    
    55
    -  - Tag : `android-components-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)`
    
    56
    -  - Message: `Tagging $(BUILD_N) for $(ESR_VERSION)-based alpha)`
    
    57
    -- [ ] Push tag to `origin`
    
    58
    -
    
    59
    -### **fenix** ***(Optional)*** : https://gitlab.torproject.org/tpo/applications/fenix.git
    
    60
    -- [ ] Backport any Android-specific security fixes from Firefox rapid-release
    
    61
    -- [ ] Sign/Tag commit:
    
    62
    -  - Tag : `tor-browser-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)`
    
    63
    -  - Message: `Tagging $(BUILD_N) for $(ESR_VERSION)-based alpha)`
    
    64
    -- [ ] Push tag to `origin`
    
    65
    -
    
    66
    -</details>
    
    67
    -
    
    68
    -<details>
    
    69
    -    <summary>Shared</summary>
    
    70
    -
    
    71
    -### tor-browser: https://gitlab.torproject.org/tpo/applications/tor-browser.git
    
    72
    -- [ ] ***(Optional)*** Backport any Android-specific security fixes from Firefox rapid-release
    
    73
    -- [ ] ***(Optional, Chemspill)*** Backport security-fixes to both `tor-browser` and `base-browser` branches
    
    74
    -- [ ] ***(Optional)*** Rebase to `$(ESR_VERSION)`
    
    75
    -  - [ ] Find the Firefox hg tag here : https://hg.mozilla.org/releases/mozilla-esr102/tags
    
    76
    -    - [ ] `$(ESR_TAG)` : `<INSERT_TAG_HERE>`
    
    77
    -  - [ ] Identify the hg patch associated with above hg tag, and find the equivalent `gecko-dev` git commit (search by commit message)
    
    78
    -    - [ ] `gecko-dev` commit : `<INSERT_COMMIT_HASH_HERE>`
    
    79
    -    - [ ] Sign/Tag `gecko-dev` commit :
    
    80
    -      - Tag : `$(ESR_TAG)`
    
    81
    -      - Message : `Hg tag $(ESR_TAG)`
    
    82
    -  - [ ] Create new `tor-browser` branch with the discovered `gecko-dev` commit as `HEAD` named:
    
    83
    -    - `tor-browser-$(ESR_VERSION)esr-$(TOR_BROWSER_MAJOR).$(TOR-BROWSER_MINOR)-1`
    
    84
    -  - [ ] Push new branches and esr tag to origin
    
    85
    -  - [ ] Rebase previous `tor-browser` patches onto the new `gecko-dev` branch
    
    86
    -  - [ ] Compare patch-sets (ensure nothing *weird* happened during rebase):
    
    87
    -    - [ ] rangediff: `git range-diff $(ESR_TAG_PREV)..$(TOR_BROWSER_BRANCH_PREV) $(ESR_TAG)..$(TOR_BROWSER_BRANCH)`
    
    88
    -    - [ ] diff of diffs:
    
    89
    -        -  Do the diff between `current_patchset.diff` and `rebased_patchset.diff` with your preferred `$(DIFF_TOOL)` and look at differences on lines that starts with + or -
    
    90
    -        - [ ] `git diff $(ESR_TAG_PREV)..$(TOR_BROWSER_BRANCH_PREV) > current_patchset.diff`
    
    91
    -        - [ ] `git diff $(ESR_TAG)..$(TOR_BROWSER_BRANCH) > rebased_patchset.diff`
    
    92
    -        - [ ] `$(DIFF_TOOL) current_patchset.diff rebased_patchset.diff`
    
    93
    -  - [ ] Open MR for the rebase
    
    94
    -  - [ ] Merge
    
    95
    -- [ ] Sign/Tag `tor-browser` commit :
    
    96
    -  - Tag : `tor-browser-$(ESR_VERSION)esr-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(FIREFOX_BUILD_N)`
    
    97
    -  - Message : `Tagging $(FIREFOX_BUILD_N) for $(ESR_VERSION)esr-based alpha`
    
    98
    -- [ ] Create `base-browser` branch from rebased `tor-browser` branch named:
    
    99
    -  - `base-browser-$(ESR_VERSION)esr-$(TOR_BROWSER_MAJOR).$(TOR-BROWSER_MINOR)-1`
    
    100
    -  - **NOTE** : Currently we are using the `Bug 40926: Implemented the New Identity feature` commit as the final commit of `base-browser` before `tor-browser`
    
    101
    -- [ ] Sign/Tag `base-browser` commit :
    
    102
    -  - Tag : `base-browser-$(ESR_VERSION)esr-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-build1`
    
    103
    -  - Message: `Tagging build1 for $(ESR_VERSION)esr-based alpha`
    
    104
    -- [ ] Push tags to `origin`
    
    105
    -- [ ] Update Gitlab Default Branch to new Alpha branch:  https://gitlab.torproject.org/tpo/applications/tor-browser/-/settings/repository
    
    106
    -
    
    107
    -</details>
    
    26
    +**NOTE** It is assumed that the `tor-browser` rebase and security backport tasks have been completed
    
    108 27
     
    
    109 28
     <details>
    
    110
    -    <summary>Build</summary>
    
    29
    +  <summary>Build Updates</summary>
    
    111 30
     
    
    112 31
     ### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git
    
    113 32
     Tor Browser Alpha (and Nightly) are on the `main` branch
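Review bot: The note on new line 26 replaces the whole `tor-browser` checklist, including the `git range-diff` and diff-of-diffs rebase checks and the Sign/Tag steps, with an assumption that nobody has to tick off. Consider turning it into a checkbox that links the issue where the rebase and security backports were completed, so the release preparer confirms the prerequisite rather than presuming it. The note also omits the ` : ` separator that the other `**NOTE** :` lines in this template use.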
    
    ... ... @@ -115,9 +34,9 @@ Tor Browser Alpha (and Nightly) are on the `main` branch
    115 34
     - [ ] Update `rbm.conf`
    
    116 35
       - [ ] `var/torbrowser_version` : update to next version
    
    117 36
       - [ ] `var/torbrowser_build` : update to `$(TOR_BROWSER_BUILD_N)`
    
    118
    -  - [ ] ***(Optional, Desktop)*** `var/torbrowser_incremental_from` : update to previous Desktop version
    
    119
    -    - [ ] **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make incrementals-*` step will fail
    
    120
    -- [ ] ***(Optional)*** Update Desktop-specific build configs
    
    37
    +  - [ ] ***(Desktop Only)***`var/torbrowser_incremental_from` : update to previous Desktop version
    
    38
    +    - **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make incrementals-*` step will fail
    
    39
    +- [ ] Update Desktop-specific build configs
    
    121 40
       - [ ] Update `projects/firefox/config`
    
    122 41
         - [ ] `git_hash` : update the `$(BUILD_N)` section to match `tor-browser` tag
    
    123 42
         - [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased
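Review bot: New line 37 has no space between `***(Desktop Only)***` and the `var/torbrowser_incremental_from` code span, whereas the removed line had one after its label. Add the space so the rendered label does not run into the key name.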
    
    ... ... @@ -127,7 +46,7 @@ Tor Browser Alpha (and Nightly) are on the `main` branch
    127 46
         - [ ] `steps/base-browser-fluent/git_hash` : update with `HEAD` commit of project's `basebrowser-newidentityftl` branch
    
    128 47
         - [ ] `steps/tor-browser/git_hash` : update with `HEAD` commit of project's `tor-browser` branch
    
    129 48
         - [ ] `steps/fenix/git_hash` : update with `HEAD` commit of project's `fenix-torbrowserstringsxml` branch
    
    130
    -- [ ] ***(Optional)*** Update Android-specific build configs
    
    49
    +- [ ] Update Android-specific build configs
    
    131 50
       - [ ] ***(Optional)*** Update `projects/geckoview/config`
    
    132 51
         - [ ] `git_hash` : update the `$(BUILD_N)` section to match `tor-browser` tag
    
    133 52
         - [ ] ***(Optional)*** `var/geckoview_version` : update to latest `$(ESR_VERSION)` if rebased
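Review bot: New line 49 drops `***(Optional)***` from the Android parent item, yet the signing section of this template still allows for a release that is "Android or Desktop *only*", so a Desktop-only release is left with a mandatory checkbox that does not apply to it. Label the item `***(Android Only)***`, mirroring the `***(Desktop Only)***` label introduced on new line 37, and do the same for the Desktop parent on new line 39.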
    
    ... ... @@ -163,7 +82,7 @@ Tor Browser Alpha (and Nightly) are on the `main` branch
    163 82
         - [ ] ***(Optional)*** Update `projects/go/config`
    
    164 83
           - [ ] `version` : update go version
    
    165 84
           - [ ] `input_files/sha256sum` for `go` : update sha256sum of archive (sha256 sums are displayed on the go download page)
    
    166
    -  - [ ] ***(Optional)*** Update the manual : https://gitlab.torproject.org/tpo/web/manual/-/jobs/
    
    85
    +  - [ ] Update the manual : https://gitlab.torproject.org/tpo/web/manual/-/jobs/
    
    167 86
         - [ ] Download the `artifacts.zip` file from latest build stage row (download icon button on the right)
    
    168 87
         - [ ] Rename it to `manual_$PIPELINEID.zip`
    
    169 88
         - [ ] Upload it to people.tpo
    
    ... ... @@ -178,40 +97,62 @@ Tor Browser Alpha (and Nightly) are on the `main` branch
    178 97
         - Make sure you have `requests` installed (e.g., `apt install python3-requests`)
    
    179 98
         - The first time you run this script you will need to generate an access token; the script will guide you
    
    180 99
       - [ ] Copy the output of the script to the beginning of `ChangeLog.txt` and adjust its output
    
    181
    -    - At the moment, the script does not create a _Build System_ section
    
    182 100
         - If you used the issue number, you will need to write the Tor Browser version manually
    
    101
    +  - [ ] Include any version updates for:
    
    102
    +    - [ ] translations
    
    103
    +    - [ ] OpenSSL
    
    104
    +    - [ ] NoScript
    
    105
    +    - [ ] Go
    
    106
    +    - [ ] zlib
    
    107
    +  - [ ] Include any ESR rebase for Firefox and GeckoView
    
    183 108
     - [ ] Open MR with above changes
    
    184 109
     - [ ] Begin build on `$(BUILD_SERVER)` (fix any issues which come up and update MR)
    
    185 110
     - [ ] Merge
    
    186 111
     - [ ] Sign/Tag commit: `make signtag-alpha`
    
    187 112
     - [ ] Push tag to `origin`
    
    113
    +
    
    188 114
     </details>
    
    189 115
     
    
    190 116
     <details>
    
    191
    -	<summary>Communications</summary>
    
    117
    +  <summary>Communications</summary>
    
    192 118
     
    
    193 119
     ### notify stakeholders
    
    120
    +
    
    121
    +  <details>
    
    122
    +    <summary>email template</summary>
    
    123
    +
    
    124
    +      Hello All,
    
    125
    +
    
    126
    +      Unsigned Tor Browser $(TOR_BROWSER_VERSION) alpha candidate builds are now available for testing:
    
    127
    +
    
    128
    +      - https://tb-build-05.torproject.org/~$(BUILDER)/builds/release/unsigned/$(TOR_BROWSER_VERSION)/
    
    129
    +
    
    130
    +      The full changelog can be found here:
    
    131
    +
    
    132
    +      - https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/raw/main/projects/browser/Bundle-Data/Docs/ChangeLog.txt
    
    133
    +
    
    134
    +  </details>
    
    135
    +
    
    194 136
     - [ ] Email tor-qa mailing list: tor-qa@lists.torproject.org
    
    195
    -  - [ ] Provide links to unsigned builds on `$(BUILD_SERVER)`
    
    196
    -  - [ ] Note any new functionality which needs testing
    
    197
    -  - [ ] Link to any known issues
    
    198
    -- [ ] Email downstream consumers:
    
    137
    +  - Additional information:
    
    138
    +    - [ ] Note any new functionality which needs testing
    
    139
    +    - [ ] Link to any known issues
    
    140
    +- [ ] ***(Optional, only around build/packaging changes)*** Email downstream consumers:
    
    199 141
       - Recipients:
    
    200
    -    - [ ] Tails dev mailing list: tails-dev@boum.org
    
    201
    -    - [ ] Guardian Project: nathan@guardianproject.info
    
    202
    -    - [ ] torbrowser-launcher: micah@micahflee.com
    
    203
    -    - [ ] FreeBSD port: freebsd@sysctl.cz <!-- Gitlab user maxfx -->
    
    204
    -    - [ ] OpenBSD port: caspar@schutijser.com <!-- Gitlab user cschutijser -->
    
    205
    -  - [ ] Provide links to unsigned builds on `$(BUILD_SERVER)`
    
    142
    +    - Tails dev mailing list: tails-dev@boum.org
    
    143
    +    - Guardian Project: nathan@guardianproject.info
    
    144
    +    - torbrowser-launcher: micah@micahflee.com
    
    145
    +    - FreeBSD port: freebsd@sysctl.cz <!-- Gitlab user maxfx -->
    
    146
    +    - OpenBSD port: caspar@schutijser.com <!-- Gitlab user cschutijser -->
    
    206 147
       - [ ] Note any changes which may affect packaging/downstream integration
    
    207 148
     - [ ] Email upstream stakeholders:
    
    208
    -  - [ ] ***(Optional, after ESR migration)*** Cloudflare: ask-research@cloudflare.com
    
    149
    +  - ***(Optional, after ESR migration)*** Cloudflare: ask-research@cloudflare.com
    
    209 150
         - **NOTE** :  We need to provide them with updated user agent string so they can update their internal machinery to prevent Tor Browser users from getting so many CAPTCHAs
    
    210 151
     
    
    211 152
     </details>
    
    212 153
     
    
    213 154
     <details>
    
    214
    -  <summary>Signing/Publishing</summary>
    
    155
    +  <summary>Signing</summary>
    
    215 156
     
    
    216 157
     ### signing + publishing
    
    217 158
     - [ ] Ensure builders have matching builds
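Review bot: The email template on new line 128 hard-codes `tb-build-05.torproject.org`, whereas the removed checklist item pointed at `$(BUILD_SERVER)`; use the variable in the URL so the template stays correct when the build host changes. `$(BUILDER)` is not among the variable definitions visible in this diff, so define it in the variables block if it is not already there. The summary on new line 155 is renamed to `Signing` while the heading two lines below still reads `### signing + publishing`.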
    
    ... ... @@ -242,26 +183,32 @@ Tor Browser Alpha (and Nightly) are on the `main` branch
    242 183
     - **NOTE**: at this point the signed binaries should have been copied to `staticiforme`
    
    243 184
     - [ ] Update `staticiforme.torproject.org`:
    
    244 185
       - From `screen` session on `staticiforme.torproject.org`:
    
    186
    +  - [ ] Static update components : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org`
    
    187
    +  - [ ] Enable update responses : `sudo -u tb-release ./deploy_update_responses-alpha.sh`
    
    245 188
       - [ ] Remove old release data from following places:
    
    246 189
         - **NOTE** : Skip this step if the current release is Android or Desktop *only*
    
    247 190
         - [ ] `/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser`
    
    248 191
         - [ ] `/srv/dist-master.torproject.org/htdocs/torbrowser`
    
    249
    -  - [ ] Static update components : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org`
    
    250
    -  - [ ] Enable update responses : `sudo -u tb-release ./deploy_update_responses-alpha.sh`
    
    192
    +  - [ ] Static update components (again) : `static-update-component cdn.torproject.org && static-update-component
    
    251 193
     - [ ] Publish APKs to Google Play:
    
    252 194
       - Log into https://play.google.com/apps/publish
    
    253 195
       - Select `Tor Browser (Alpha)` app
    
    254
    -  - Navigate to `Release > Production` and click `Create new release` button
    
    255
    -  - [ ] Upload the `*.multi.apk` APKs
    
    256
    -  - [ ] Update Release Name to Tor Browser version number
    
    257
    -  - [ ] Update Release Notes
    
    196
    +  - Navigate to `Release > Production` and click `Create new release` button:
    
    197
    +    - Upload the `*.multi.apk` APKs
    
    198
    +    - Update Release Name to Tor Browser version number
    
    199
    +    - Update Release Notes
    
    258 200
         - Next to 'Release notes', click `Copy from a previous release`
    
    259
    -    - [ ] Edit blog post url to point to most recent blog post
    
    201
    +    - Edit blog post url to point to most recent blog post
    
    260 202
       - Save, review, and configure rollout percentage
    
    261 203
         - [ ] 25% rollout when publishing a scheduled update
    
    262 204
         - [ ] 100% rollout when publishing a security-driven release
    
    263 205
       - [ ] Update rollout percentage to 100% after confirmed no major issues
    
    264 206
     
    
    207
    +</details>
    
    208
    +
    
    209
    +<details>
    
    210
    +  <summary>Publishing</summary>
    
    211
    +
    
    265 212
     ### website: https://gitlab.torproject.org/tpo/web/tpo.git
    
    266 213
     - [ ] `databags/versions.ini` : Update the downloads versions
    
    267 214
         - `torbrowser-stable/version` : sort of a catch-all for latest stable version
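Review bot: New line 192 is cut off mid-command: `static-update-component cdn.torproject.org && static-update-component` has no second argument and no closing backtick, unlike the complete command on new line 186. Finish it with `dist.torproject.org` and close the code span. This hunk also moves `Enable update responses` ahead of `Remove old release data`, so update responses now go live before the cleanup and the second static update; if that order is intended, a short note in the template explaining why would help the next signer.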
    

  • .gitlab/issue_templates/Release Prep - Stable.md
    ... ... @@ -4,16 +4,16 @@
    4 4
     - `$(BUILD_SERVER)` : the server the main builder is using to build a tor-browser release
    
    5 5
     - `$(STAGING_SERVER)` : the server the signer is using to to run the signing process
    
    6 6
     - `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc
    
    7
    -    - example : `91.6.0`
    
    8
    -- `$(RR_VERSION)` : the Mozilla defined Rapid-Release version; Tor Browser for Android is based off of the `$(ESR_VERSION)`, but Mozilla's Firefox for Android is based off of the `$(RR_VERSION)` so we need to keep track of security vulnerabilities to backport from the monthly Rapid-Release train and our frozen ESR train.
    
    9
    -    - example: `103`
    
    7
    +  - example : `91.6.0`
    
    10 8
     - `$(ESR_TAG)` : the Mozilla defined hg (Mercurial) tag associated with `$(ESR_VERSION)`
    
    11
    -    - exmaple : `FIREFOX_91_7_0esr_BUILD2`
    
    9
    +  - exmaple : `FIREFOX_91_7_0esr_BUILD2`
    
    12 10
     - `$(ESR_TAG_PREV)` : the Mozilla defined hg (Mercurial) tag associated with the previous ESR version when rebasing (ie, the ESR version we are rebasing from)
    
    13 11
     - `$(TOR_BROWSER_MAJOR)` : the Tor Browser major version
    
    14
    -    - example : `11`
    
    12
    +  - example : `11`
    
    15 13
     - `$(TOR_BROWSER_MINOR)` : the Tor Browser minor version
    
    16
    -    - example : either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
    
    14
    +  - example : either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
    
    15
    +- `$(TOR_BROWSER_VERSION)` : the Tor Browser version in the format
    
    16
    +  - example: `12.5a3`, `12.0.3`
    
    17 17
     - `$(BUILD_N)` : a project's build revision within a its branch; this is separate from the `$(TOR_BROWSER_BUILD_N)` value; many of the Firefox-related projects have a `$(BUILD_N)` suffix and may differ between projects even when they contribute to the same build.
    
    18 18
         - example : `build1`
    
    19 19
     - `$(TOR_BROWSER_BUILD_N)` : the tor-browser build revision for a given Tor Browser release; used in tagging git commits
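Review bot: New lines 15-16 add a second `$(TOR_BROWSER_VERSION)` entry whose description stops mid-sentence ("the Tor Browser version in the format") and which duplicates the definition already at line 24 of this template ("the published Tor Browser version", visible as context in the next hunk). Drop the new entry, or merge its `12.5a3`, `12.0.3` examples into the existing one. The re-indented line 9 still carries the `exmaple` typo, and the `build1` example on line 18 keeps the old four-space indent.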
    
    ... ... @@ -23,89 +23,12 @@
    23 23
             - if we have build failures unrelated to `tor-browser`, the `$(TOR_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same.
    
    24 24
     - `$(TOR_BROWSER_VERSION)` : the published Tor Browser version
    
    25 25
         - example : `11.5a6`, `11.0.7`
    
    26
    -- `$(TOR_BROWSER_BRANCH)` : the full name of tor-browser branch
    
    27
    -    - typically of the form: `tor-browser-$(ESR_VERSION)esr-$(TOR_BROWSER_MAJOR).$(TOR-BROWSER_MINOR)-1`
    
    28
    -- `$(TOR_BROWSER_BRANCH_PREV)` : the full name of the previous tor-browser branch (when rebasing)
    
    29 26
     </details>
    
    30 27
     
    
    31
    -<details>
    
    32
    -    <summary>Android</summary>
    
    33
    -
    
    34
    -### **Security Vulnerabilities Backport** : https://www.mozilla.org/en-US/security/advisories/
    
    35
    -- [ ] Create tor-browser issue `Backport Android-specific Firefox $(RR_VERSION) to ESR $(ESR_VERSION)-based Tor Browser`
    
    36
    -  - [ ] Link new backport issue to this release prep issue
    
    37
    -- [ ] Go through any `Security Vulnerabilities fixed in Firefox $(RR_VERSION)` (or similar) and create list of CVEs which affect Android that need to be a backported
    
    38
    -  - Potentially Affected Components:
    
    39
    -    - `firefox`/`geckoview`
    
    40
    -    - `application-services`
    
    41
    -    - `android-components`
    
    42
    -    - `fenix`
    
    43
    -
    
    44
    -### **application-services** ***(Optional)*** : *TODO: we need to setup a gitlab copy of this repo that we can apply security backports to*
    
    45
    -- [ ] Backport any Android-specific security fixes from Firefox rapid-release
    
    46
    -- [ ] Sign/Tag commit:
    
    47
    -  - Tag : `application-services-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)`
    
    48
    -  - Message: `Tagging $(BUILD_N) for $(ESR_VERSION)-based stable`
    
    49
    -- [ ] Push tag to `origin`
    
    50
    -
    
    51
    -### **android-components** ***(Optional)*** : https://gitlab.torproject.org/tpo/applications/android-components.git
    
    52
    -- [ ] Backport any Android-specific security fixes from Firefox rapid-release
    
    53
    -- [ ] Sign/Tag commit:
    
    54
    -  - Tag : `android-components-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)`
    
    55
    -  - Message: `Tagging $(BUILD_N) for $(ESR_VERSION)-based stable)`
    
    56
    -- [ ] Push tag to `origin`
    
    57
    -
    
    58
    -### **fenix** ***(Optional)*** : https://gitlab.torproject.org/tpo/applications/fenix.git
    
    59
    -- [ ] Backport any Android-specific security fixes from Firefox rapid-release
    
    60
    -- [ ] Sign/Tag commit:
    
    61
    -  - Tag : `tor-browser-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)`
    
    62
    -  - Message: `Tagging $(BUILD_N) for $(ESR_VERSION)-based stable)`
    
    63
    -- [ ] Push tag to `origin`
    
    64
    -
    
    65
    -</details>
    
    66
    -
    
    67
    -<details>
    
    68
    -    <summary>Shared</summary>
    
    69
    -
    
    70
    -### tor-browser: https://gitlab.torproject.org/tpo/applications/tor-browser.git
    
    71
    -- [ ] ***(Optional)*** Backport any Android-specific security fixes from Firefox rapid-release
    
    72
    -- [ ] ***(Optional, Chemspill)*** Backport security-fixes to both `tor-browser` and `base-browser` branches
    
    73
    -- [ ] ***(Optional)*** Rebase to `$(ESR_VERSION)`
    
    74
    -  - [ ] Find the Firefox hg tag here : https://hg.mozilla.org/releases/mozilla-esr102/tags
    
    75
    -    - [ ] `$(ESR_TAG)` : `<INSERT_TAG_HERE>`
    
    76
    -  - [ ] Identify the hg patch associated with above hg tag, and find the equivalent `gecko-dev` git commit (search by commit message)
    
    77
    -    - [ ] `gecko-dev` commit : `<INSERT_COMMIT_HASH_HERE>`
    
    78
    -    - [ ] Sign/Tag `gecko-dev` commit :
    
    79
    -      - Tag : `$(ESR_TAG)`
    
    80
    -      - Message : `Hg tag $(ESR_TAG)`
    
    81
    -  - [ ] Create new `tor-browser` branch with the discovered `gecko-dev` commit as `HEAD` named:
    
    82
    -    - `tor-browser-$(ESR_VERSION)esr-$(TOR_BROWSER_MAJOR).$(TOR-BROWSER_MINOR)-1`
    
    83
    -  - [ ] Push new branches and esr tag to origin
    
    84
    -  - [ ] Rebase previous `tor-browser` patches onto the new `gecko-dev` branch
    
    85
    -  - [ ] Compare patch-sets (ensure nothing *weird* happened during rebase):
    
    86
    -    - [ ] rangediff: `git range-diff $(ESR_TAG_PREV)..$(TOR_BROWSER_BRANCH_PREV) $(ESR_TAG)..$(TOR_BROWSER_BRANCH)`
    
    87
    -    - [ ] diff of diffs:
    
    88
    -        -  Do the diff between `current_patchset.diff` and `rebased_patchset.diff` with your preferred `$(DIFF_TOOL)` and look at differences on lines that starts with + or -
    
    89
    -        - [ ] `git diff $(ESR_TAG_PREV)..$(TOR_BROWSER_BRANCH_PREV) > current_patchset.diff`
    
    90
    -        - [ ] `git diff $(ESR_TAG)..$(TOR_BROWSER_BRANCH) > rebased_patchset.diff`
    
    91
    -        - [ ] `$(DIFF_TOOL) current_patchset.diff rebased_patchset.diff`
    
    92
    -  - [ ] Open MR for the rebase
    
    93
    -  - [ ] Merge
    
    94
    -- [ ] Sign/Tag `tor-browser` commit :
    
    95
    -  - Tag : `tor-browser-$(ESR_VERSION)esr-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(FIREFOX_BUILD_N)`
    
    96
    -  - Message : `Tagging $(FIREFOX_BUILD_N) for $(ESR_VERSION)esr-based stable`
    
    97
    -- [ ] Create `base-browser` branch from rebased `tor-browser` branch named:
    
    98
    -  - `base-browser-$(ESR_VERSION)esr-$(TOR_BROWSER_MAJOR).$(TOR-BROWSER_MINOR)-1`
    
    99
    -  - **NOTE** : Currently we are using the `Bug 40926: Implemented the New Identity feature` commit as the final commit of `base-browser` before `tor-browser`
    
    100
    -- [ ] Sign/Tag `base-browser` commit:
    
    101
    -  - Tag : `base-browser-$(ESR_VERSION)esr-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-build1`
    
    102
    -  - Message: `Tagging build1 for $(ESR_VERSION)esr-based stable`
    
    103
    -- [ ] Push tags to `origin`
    
    104
    -
    
    105
    -</details>
    
    28
    +**NOTE** It is assumed that the `tor-browser` rebase and security backport tasks have been completed
    
    106 29
     
    
    107 30
     <details>
    
    108
    -    <summary>Build</summary>
    
    31
    +  <summary>Build Configs</summary>
    
    109 32
     
    
    110 33
     ### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git
    
    111 34
     Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)` (and possibly more specific) branches
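Review bot: The summary on new line 31 becomes `Build Configs` here but `Build Updates` in Release Prep - Alpha.md for the same section; pick one name so the two templates stay aligned. The note on new line 28 also replaces the rebase verification and Sign/Tag checklist with an unchecked assumption; a checkbox linking the completed rebase and backport issue would keep that prerequisite auditable.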
    
    ... ... @@ -113,9 +36,9 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE
    113 36
     - [ ] Update `rbm.conf`
    
    114 37
       - [ ] `var/torbrowser_version` : update to next version
    
    115 38
       - [ ] `var/torbrowser_build` : update to `$(TOR_BROWSER_BUILD_N)`
    
    116
    -  - [ ] ***(Optional, Desktop)*** `var/torbrowser_incremental_from` : update to previous Desktop version
    
    117
    -    - [ ] **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make incrementals-*` step will fail
    
    118
    -- [ ] ***(Optional)*** Update Desktop-specific build configs
    
    39
    +  - [ ] ***(Desktop Only)***`var/torbrowser_incremental_from` : update to previous Desktop version
    
    40
    +    - **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make incrementals-*` step will fail
    
    41
    +- [ ] Update Desktop-specific build configs
    
    119 42
       - [ ] Update `projects/firefox/config`
    
    120 43
         - [ ] `git_hash` : update the `$(BUILD_N)` section to match `tor-browser` tag
    
    121 44
         - [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased
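Review bot: New line 39 is missing the space between `***(Desktop Only)***` and the `var/torbrowser_incremental_from` code span that the removed line had after its label. Add it so the label and the key name render as separate tokens.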
    
    ... ... @@ -125,7 +48,7 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE
    125 48
         - [ ] `steps/base-browser-fluent/git_hash` : update with `HEAD` commit of project's `basebrowser-newidentityftl` branch
    
    126 49
         - [ ] `steps/tor-browser/git_hash` : update with `HEAD` commit of project's `tor-browser` branch
    
    127 50
         - [ ] `steps/fenix/git_hash` : update with `HEAD` commit of project's `fenix-torbrowserstringsxml` branch
    
    128
    -- [ ] ***(Optional)*** Update Android-specific build configs
    
    51
    +- [ ] Update Android-specific build configs
    
    129 52
       - [ ] ***(Optional)*** Update `projects/geckoview/config`
    
    130 53
         - [ ] `git_hash` : update the `$(BUILD_N)` section to match `tor-browser` tag
    
    131 54
         - [ ] ***(Optional)*** `var/geckoview_version` : update to latest `$(ESR_VERSION)` if rebased
    
    ... ... @@ -161,7 +84,7 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE
    161 84
         - [ ] ***(Optional)*** Update `projects/go/config`
    
    162 85
           - [ ] `version` : update go version
    
    163 86
           - [ ] `input_files/sha256sum` for `go` : update sha256sum of archive (sha256 sums are displayed on the go download page)
    
    164
    -  - [ ] ***(Optional)*** Update the manual : https://gitlab.torproject.org/tpo/web/manual/-/jobs/
    
    87
    +  - [ ] Update the manual : https://gitlab.torproject.org/tpo/web/manual/-/jobs/
    
    165 88
         - [ ] Download the `artifacts.zip` file from latest build stage row (download icon button on the right)
    
    166 89
         - [ ] Rename it to `manual_$PIPELINEID.zip`
    
    167 90
         - [ ] Upload it to people.tpo
    
    ... ... @@ -176,40 +99,62 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE
    176 99
         - Make sure you have `requests` installed (e.g., `apt install python3-requests`)
    
    177 100
         - The first time you run this script you will need to generate an access token; the script will guide you
    
    178 101
       - [ ] Copy the output of the script to the beginning of `ChangeLog.txt` and adjust its output
    
    179
    -    - At the moment, the script does not create a _Build System_ section
    
    180 102
         - If you used the issue number, you will need to write the Tor Browser version manually
    
    103
    +  - [ ] Include any version updates for:
    
    104
    +    - [ ] translations
    
    105
    +    - [ ] OpenSSL
    
    106
    +    - [ ] NoScript
    
    107
    +    - [ ] Go
    
    108
    +    - [ ] zlib
    
    109
    +  - [ ] Include any ESR rebase for Firefox and GeckoView
    
    181 110
     - [ ] Open MR with above changes
    
    182 111
     - [ ] Begin build on `$(BUILD_SERVER)` (and fix any issues which come up and update MR)
    
    183 112
     - [ ] Merge
    
    184 113
     - [ ] Sign/Tag commit: `make signtag-release`
    
    185 114
     - [ ] Push tag to `origin`
    
    115
    +
    
    186 116
     </details>
    
    187 117
     
    
    188 118
     <details>
    
    189
    -	<summary>Communications</summary>
    
    119
    +  <summary>Communications</summary>
    
    190 120
     
    
    191 121
     ### notify stakeholders
    
    122
    +
    
    123
    +  <details>
    
    124
    +    <summary>email template</summary>
    
    125
    +
    
    126
    +      Hello All,
    
    127
    +
    
    128
    +      Unsigned Tor Browser $(TOR_BROWSER_VERSION) release candidate builds are now available for testing:
    
    129
    +
    
    130
    +      - https://tb-build-05.torproject.org/~$(BUILDER)/builds/release/unsigned/$(TOR_BROWSER_VERSION)/
    
    131
    +
    
    132
    +      The full changelog can be found here:
    
    133
    +
    
    134
    +      - https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/raw/maint-12.0/projects/browser/Bundle-Data/Docs/ChangeLog.txt
    
    135
    +
    
    136
    +  </details>
    
    137
    +
    
    192 138
     - [ ] Email tor-qa mailing list: tor-qa@lists.torproject.org
    
    193
    -  - [ ] Provide links to unsigned builds on `$(BUILD_SERVER)`
    
    194
    -  - [ ] Note any new functionality which needs testing
    
    195
    -  - [ ] Link to any known issues
    
    139
    +  - Additional information:
    
    140
    +    - [ ] Note any new functionality which needs testing
    
    141
    +    - [ ] Link to any known issues
    
    196 142
     - [ ] Email downstream consumers:
    
    197 143
       - Recipients:
    
    198
    -    - [ ] Tails dev mailing list: tails-dev@boum.org
    
    199
    -    - [ ] Guardian Project: nathan@guardianproject.info
    
    200
    -    - [ ] torbrowser-launcher: micah@micahflee.com
    
    201
    -    - [ ] FreeBSD port: freebsd@sysctl.cz <!-- Gitlab user maxfx -->
    
    202
    -    - [ ] OpenBSD port: caspar@schutijser.com <!-- Gitlab user cschutijser -->
    
    203
    -  - [ ] Provide links to unsigned builds on `$(BUILD_SERVER)`
    
    144
    +    - Tails dev mailing list: tails-dev@boum.org
    
    145
    +    - Guardian Project: nathan@guardianproject.info
    
    146
    +    - torbrowser-launcher: micah@micahflee.com
    
    147
    +    - FreeBSD port: freebsd@sysctl.cz <!-- Gitlab user maxfx -->
    
    148
    +    - OpenBSD port: caspar@schutijser.com <!-- Gitlab user cschutijser -->
    
    204 149
       - [ ] Note any changes which may affect packaging/downstream integration
    
    205 150
     - [ ] Email upstream stakeholders:
    
    206
    -  - [ ] ***(Optional, after ESR migration)*** Cloudflare: ask-research@cloudflare.com
    
    151
    +  - ***(Optional, after ESR migration)*** Cloudflare: ask-research@cloudflare.com
    
    207 152
         - **NOTE** :  We need to provide them with updated user agent string so they can update their internal machinery to prevent Tor Browser users from getting so many CAPTCHAs
    
    208 153
     
    
    209 154
     </details>
    
    210 155
     
    
    211 156
     <details>
    
    212
    -  <summary>Signing/Publishing</summary>
    
    157
    +  <summary>Signing</summary>
    
    213 158
     
    
    214 159
     ### signing + publishing
    
    215 160
     - [ ] Ensure builders have matching builds
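
Review bot: the new email template (new lines 126-134) hardcodes `tb-build-05.torproject.org` and `maint-12.0` in its two URLs, while the checklist items it replaces pointed at `$(BUILD_SERVER)`; both literals go stale as soon as the build host or the maintenance branch changes. Suggest writing the URLs with the template's variables and confirming that `$(BUILDER)` is defined alongside the others. Separately, the `<summary>` is renamed to `Signing` but the `### signing + publishing` heading directly under it is unchanged.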
    
    ... ... @@ -240,26 +185,32 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE
    240 185
     - **NOTE**: at this point the signed binaries should have been copied to `staticiforme`
    
    241 186
     - [ ] Update `staticiforme.torproject.org`:
    
    242 187
       - From `screen` session on `staticiforme.torproject.org`:
    
    188
    +  - [ ] Static update components : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org`
    
    189
    +  - [ ] Enable update responses : `sudo -u tb-release ./deploy_update_responses-release.sh`
    
    243 190
       - [ ] Remove old release data from following places:
    
    244 191
         - **NOTE** : Skip this step if the current release is Android or Desktop *only*
    
    245 192
         - [ ] `/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser`
    
    246 193
         - [ ] `/srv/dist-master.torproject.org/htdocs/torbrowser`
    
    247
    -  - [ ] Static update components : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org`
    
    248
    -  - [ ] Enable update responses : `sudo -u tb-release ./deploy_update_responses-release.sh`
    
    194
    +- [ ] Static update components (again) : `static-update-component cdn.torproject.org && static-update-component
    
    249 195
     - [ ] Publish APKs to Google Play:
    
    250 196
       - Log into https://play.google.com/apps/publish
    
    251 197
       - Select `Tor Browser` app
    
    252
    -  - Navigate to `Release > Production` and click `Create new release` button
    
    253
    -  - [ ] Upload the `*.multi.apk` APKs
    
    254
    -  - [ ] Update Release Name to Tor Browser version number
    
    255
    -  - [ ] Update Release Notes
    
    198
    +  - Navigate to `Release > Production` and click `Create new release` button:
    
    199
    +    - Upload the `*.multi.apk` APKs
    
    200
    +    - Update Release Name to Tor Browser version number
    
    201
    +    - Update Release Notes
    
    256 202
         - Next to 'Release notes', click `Copy from a previous release`
    
    257
    -    - [ ] Edit blog post url to point to most recent blog post
    
    203
    +    - Edit blog post url to point to most recent blog post
    
    258 204
       - Save, review, and configure rollout percentage
    
    259 205
         - [ ] 25% rollout when publishing a scheduled update
    
    260 206
         - [ ] 100% rollout when publishing a security-driven release
    
    261 207
       - [ ] Update rollout percentage to 100% after confirmed no major issues
    
    262 208
     
    
    209
    +</details>
    
    210
    +
    
    211
    +<details>
    
    212
    +  <summary>Publishing</summary>
    
    213
    +
    
    263 214
     ### website: https://gitlab.torproject.org/tpo/web/tpo.git
    
    264 215
     - [ ] `databags/versions.ini` : Update the downloads versions
    
    265 216
         - `torbrowser-stable/version` : sort of a catch-all for latest stable version
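
Review bot: the added "Static update components (again)" item (new line 194) stops at `&& static-update-component` with no target and no closing backtick, whereas the copy of this command at new line 188 ends with `dist.torproject.org`; complete the command to match. The item also sits at top-level indentation while the other `staticiforme` steps are nested under "Update `staticiforme.torproject.org`", and the `</details>` added at new line 209 leaves "Publish APKs to Google Play" inside the `Signing` section rather than `Publishing`; confirm both are intended.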
    
    ... ... @@ -296,4 +247,3 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE
    296 247
     </details>
    
    297 248
     
    
    298 249
     /label ~"Release Prep"
    299
    -