Richard Pospesel pushed to branch main at The Tor Project / Applications / tor-browser-build

Commits:

2 changed files:

Changes:

  • .gitlab/issue_templates/Release Prep - Alpha.md
    ... ... @@ -28,20 +28,6 @@
    28 28
     - `$(TOR_BROWSER_BRANCH_PREV)` : the full name of the previous tor-browser branch (when rebasing)
    
    29 29
     </details>
    
    30 30
     
    
    31
    -<details>
    
    32
    -    <summary>Desktop</summary>
    
    33
    -
    
    34
    -### **torbutton** : https://gitlab.torproject.org/tpo/applications/torbutton.git
    
    35
    -- [ ] Update translations :
    
    36
    -  - [ ] `./import-translations.sh`
    
    37
    -    - **NOTE** : if there are no new strings imported then we are done here
    
    38
    -  - [ ] Commit with message `Translation updates`
    
    39
    -    - **NOTE** : only add files which are already being tracked
    
    40
    -  - [ ] ***(Optional)*** Backport to maintenance branch if present and necessary
    
    41
    -- [ ] fixup! `tor-browser`'s `Bug 10760 : Integrate TorButton to TorBrowser core` issue to point to updated `torbutton` commit
    
    42
    -
    
    43
    -</details>
    
    44
    -
    
    45 31
     <details>
    
    46 32
         <summary>Android</summary>
    
    47 33
     
    
    ... ... @@ -83,6 +69,11 @@
    83 69
         <summary>Shared</summary>
    
    84 70
     
    
    85 71
     ### tor-browser: https://gitlab.torproject.org/tpo/applications/tor-browser.git
    
    72
    +- [ ] ***(Optional)*** Update torbutton translations in `toolkit/torbutton`
    
    73
    +  - [ ] `./import-translations.sh`
    
    74
    +    - **NOTE** : if there are no new strings imported then we are done here
    
    75
    +  - [ ] Commit as `fixup!` to the `Add TorStrings module for localization` commit
    
    76
    +    - **NOTE** : only add files which are already being tracked
    
    86 77
     - [ ] ***(Optional)*** Backport any Android-specific security fixes from Firefox rapid-release
    
    87 78
     - [ ] ***(Optional, Chemspill)*** Backport security-fixes to both `tor-browser` and `base-browser` branches
    
    88 79
     - [ ] ***(Optional)*** Rebase to `$(ESR_VERSION)`
    
    ... ... @@ -108,7 +99,7 @@
    108 99
             - [ ] `$(DIFF_TOOL) current_patchset.dif rebased_patchset.deff`
    
    109 100
       - [ ] Open MR for the rebase
    
    110 101
     - [ ] Sign/Tag `base-browser` commit:
    
    111
    -  - **NOTE** : Currently we are using the `Bug 40926: Implemented the New Identity feature` commit as the dividing line between `base-browser` and `tor-browser`
    
    102
    +  - **NOTE** : Currently we are using the `Bug 40926: Implemented the New Identity feature` commit as the final commit of `base-browser` before `tor-browser`
    
    112 103
       - Tag : `base-browser-$(ESR_VERSION)esr-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-build1`
    
    113 104
       - Message: `Tagging build1 for $(ESR_VERSION)esr-based alpha`
    
    114 105
     - [ ] Sign/Tag `tor-browser` commit :
    
    ... ... @@ -120,7 +111,7 @@
    120 111
     </details>
    
    121 112
     
    
    122 113
     <details>
    
    123
    -    <summary>Build/Signing/Publishing</summary>
    
    114
    +    <summary>Build</summary>
    
    124 115
     
    
    125 116
     ### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git
    
    126 117
     Tor Browser Alpha (and Nightly) are on the `main` branch, while Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)` (and possibly more specific) branches
    
    ... ... @@ -195,8 +186,11 @@ Tor Browser Alpha (and Nightly) are on the `main` branch, while Stable lives in
    195 186
         - [ ] Provide links to unsigned builds on `$(BUILD_SERVER)`
    
    196 187
         - [ ] Call out any new functionality which needs testing
    
    197 188
         - [ ] Link to any known issues
    
    198
    -- [ ] Email Tails dev mailing list: tails-dev@boum.org
    
    199
    -    - [ ] Provide links to unsigned builds on `$(BUILD_SERVER)`
    
    189
    +
    
    190
    +</details>
    
    191
    +
    
    192
    +<details>
    
    193
    +  <summary>Signing/Publishing</summary>
    
    200 194
     
    
    201 195
     ### signing + publishing
    
    202 196
     - [ ] Ensure builders have matching builds
    
    ... ... @@ -218,7 +212,7 @@ Tor Browser Alpha (and Nightly) are on the `main` branch, while Stable lives in
    218 212
         - `cd tor-browser-build/tools/signing/`
    
    219 213
         - `./macos-signer-proxy`
    
    220 214
     - [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
    
    221
    -- [ ] apk signing : *TODO*
    
    215
    +- [ ] apk signing : copy signed `*multi.apk` files to the unsigned build outputs directory
    
    222 216
     - [ ] run do-all-signing script:
    
    223 217
         - `cd tor-browser-build/tools/signing/`
    
    224 218
         - `./do-all-signing.sh`
    
    ... ... @@ -236,7 +230,7 @@ Tor Browser Alpha (and Nightly) are on the `main` branch, while Stable lives in
    236 230
       - Select `Tor Browser (Alpha)` app
    
    237 231
       - Navigate to `Release > Production` and click `Create new release` button
    
    238 232
       - [ ] Upload the `*.multi.apk` APKs
    
    239
    -  - If necessary, update the 'Release Name' (should be automatically populated)
    
    233
    +  - [ ] Update Release Name to Tor Browser version number
    
    240 234
       - [ ] Update Release Notes
    
    241 235
         - Next to 'Release notes', click `Copy from a previous release`
    
    242 236
         - [ ] Edit blog post url to point to most recent blog post
    
    ... ... @@ -248,7 +242,7 @@ Tor Browser Alpha (and Nightly) are on the `main` branch, while Stable lives in
    248 242
     ### website: https://gitlab.torproject.org/tpo/web/tpo.git
    
    249 243
     - [ ] `databags/versions.ini` : Update the downloads versions
    
    250 244
         - `torbrowser-stable/version` : sort of a catch-all for latest stable version
    
    251
    -    - `torbrowser-stable/win32` : tor version in the expert bundle
    
    245
    +    - `torbrowser-alpha/version` : sort of a catch-all for latest stable version
    
    252 246
         - `torbrowser-*-stable/version` : platform-specific stable versions
    
    253 247
         - `torbrowser-*-alpha/version` : platform-specific alpha versions
    
    254 248
         - `tor-stable`,`tor-alpha` : set by tor devs, do not touch
    

  • .gitlab/issue_templates/Release Prep - Stable.md
    ... ... @@ -3,18 +3,13 @@
    3 3
     
    
    4 4
     - `$(BUILD_SERVER)` : the server the main builder is using to build a tor-browser release
    
    5 5
     - `$(STAGING_SERVER)` : the server the signer is using to to run the signing process
    
    6
    -- `$(TOR_LAUNCHER_VERSION)` : version of `tor-launcher`, used in tags
    
    7
    -    - example : `0.2.33`
    
    8 6
     - `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc
    
    9 7
         - example : `91.6.0`
    
    8
    +- `$(RR_VERSION)` : the Mozilla defined Rapid-Release version; Tor Browser for Android is based off of the `$(ESR_VERSION)`, but Mozilla's Firefox for Android is based off of the `$(RR_VERSION)` so we need to keep track of security vulnerabilities to backport from the monthly Rapid-Release train and our frozen ESR train.
    
    9
    +    - example: `103`
    
    10 10
     - `$(ESR_TAG)` : the Mozilla defined hg (Mercurial) tag associated with `$(ESR_VERSION)`
    
    11 11
         - exmaple : `FIREFOX_91_7_0esr_BUILD2`
    
    12 12
     - `$(ESR_TAG_PREV)` : the Mozilla defined hg (Mercurial) tag associated with the previous ESR version when rebasing (ie, the ESR version we are rebasing from)
    
    13
    -- `$(RR_VERSION)` : the Mozilla defined 'Rapid Relese' version, used in various places for building geckoview tags, labels, etc
    
    14
    -    - example : `96.0.3`
    
    15
    -- `$(RR_TAG)` : the Mozilla defined hg (Mercurial) tag associated with `$(ESR_VERSION)`
    
    16
    -    - exmaple : `FIREFOX_96_0_3_RELEASE`
    
    17
    -- `$(RR_TAG_PREV)` : the Mozilla defined hg (Mercurial) tag associated with the previous ESR version when rebasing (ie, the ESR version we are rebasing from)
    
    18 13
     - `$(TOR_BROWSER_MAJOR)` : the Tor Browser major version
    
    19 14
         - example : `11`
    
    20 15
     - `$(TOR_BROWSER_MINOR)` : the Tor Browser minor version
    
    ... ... @@ -31,46 +26,78 @@
    31 26
     - `$(TOR_BROWSER_BRANCH)` : the full name of tor-browser branch
    
    32 27
         - typically of the form: `tor-browser-$(ESR_VERSION)esr-$(TOR_BROWSER_MAJOR).$(TOR-BROWSER_MINOR)-1`
    
    33 28
     - `$(TOR_BROWSER_BRANCH_PREV)` : the full name of the previous tor-browser branch (when rebasing)
    
    34
    -- `$(GECKOVIEW_BRANCH)` : the full name of geckoview branch
    
    35
    -    - typically of the form: `tor-browser-$(RR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR-BROWSER_MINOR)-1`
    
    36
    -- `$(GECKOVIEW_BRANCH_PREV)` : the full name of the previous geckoview branch (when rebasing)
    
    37 29
     </details>
    
    38 30
     
    
    39 31
     <details>
    
    40 32
         <summary>Desktop</summary>
    
    41 33
     
    
    42
    -### **torbutton** ***(Optional)***: https://gitlab.torproject.org/tpo/applications/torbutton.git
    
    43
    -- [ ] ***(Optional)*** Update translations :
    
    44
    -  - **NOTE** We only update strings in stable if a backported feature depends on new strings
    
    34
    +### **torbutton** : https://gitlab.torproject.org/tpo/applications/torbutton.git
    
    35
    +- [ ] Update translations :
    
    45 36
       - [ ] `./import-translations.sh`
    
    46 37
         - **NOTE** : if there are no new strings imported then we are done here
    
    47 38
       - [ ] Commit with message `Translation updates`
    
    48 39
         - **NOTE** : only add files which are already being tracked
    
    49 40
     - [ ] fixup! `tor-browser`'s `Bug 10760 : Integrate TorButton to TorBrowser core` issue to point to updated `torbutton` commit
    
    50 41
     
    
    51
    -### **tor-launcher** ***(Optional)***: https://gitlab.torproject.org/tpo/applications/tor-launcher.git
    
    52
    -- [ ] ***(Optional)*** Update translations:
    
    53
    -  - **NOTE** We only update strings in stable if a backported feature depends on new strings
    
    54
    -  - [ ] ./localization/import-translations.sh
    
    55
    -  - [ ] Commit with message `Translation updates`
    
    56
    -- [ ] Update `install.rdf` file with new version
    
    57
    -- [ ] Sign/Tag commit :
    
    58
    -  - Tag : `$(TOR_LAUNCHER_VERSION)`
    
    59
    -  - Message `Tagging $(TOR_LAUNCHER_VERSION)`
    
    60
    -- [ ] Push `main` and tag to origin
    
    42
    +</details>
    
    43
    +
    
    44
    +<details>
    
    45
    +    <summary>Android</summary>
    
    46
    +
    
    47
    +### ***Security Vulnerabilities Backport*** : https://www.mozilla.org/en-US/security/advisories/
    
    48
    +- **NOTE** : this work may have already occurred in the analogous stable release prep issue
    
    49
    +- [ ] Create tor-browser issue `Backport Android-specific Firefox $(RR_VERSION) to ESR $(ESR_VERSION)-based Tor Browser`
    
    50
    +  - [ ] Link new backport issue to this release prep issue
    
    51
    +- [ ] Go through any `Security Vulnerabilities fixed in Firefox $(RR_VERSION)` (or similar) and create list of CVEs which affect Android that need to be a backported
    
    52
    +  - Potentially Affected Components:
    
    53
    +    - `firefox`
    
    54
    +    - `application-services`
    
    55
    +    - `android-components`
    
    56
    +    - `fenix`
    
    57
    +
    
    58
    +### **application-services** ***(Optional)*** : *TODO: we need to setup a gitlab copy of this repo that we can apply security backports to*
    
    59
    +- [ ] Backport any Android-specific security fixes from Firefox rapid-release
    
    60
    +- [ ] Sign/Tag commit:
    
    61
    +  - Tag : `application-services-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)`
    
    62
    +  - Message: `Tagging $(BUILD_N) for $(ESR_VERSION)-based alpha`
    
    63
    +- [ ] Push tag to `origin`
    
    64
    +
    
    65
    +### **android-components** ***(Optional)*** : https://gitlab.torproject.org/tpo/applications/android-components.git
    
    66
    +- [ ] Backport any Android-specific security fixes from Firefox rapid-release
    
    67
    +- [ ] Sign/Tag commit:
    
    68
    +  - Tag : `android-components-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)`
    
    69
    +  - Message: `Tagging $(BUILD_N) for $(ESR_VERSION)-based alpha)`
    
    70
    +- [ ] Push tag to `origin`
    
    71
    +
    
    72
    +### **fenix** ***(Optional)*** : https://gitlab.torproject.org/tpo/applications/fenix.git
    
    73
    +- [ ] Backport any Android-specific security fixes from Firefox rapid-release
    
    74
    +- [ ] Sign/Tag commit:
    
    75
    +  - Tag : `tor-browser-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)`
    
    76
    +  - Message: `Tagging $(BUILD_N) for $(ESR_VERSION)-based alpha)`
    
    77
    +- [ ] Push tag to `origin`
    
    78
    +
    
    79
    +</details>
    
    80
    +
    
    81
    +<details>
    
    82
    +    <summary>Shared</summary>
    
    61 83
     
    
    62 84
     ### tor-browser: https://gitlab.torproject.org/tpo/applications/tor-browser.git
    
    85
    +- [ ] ***(Optional)*** Backport any Android-specific security fixes from Firefox rapid-release
    
    86
    +- [ ] ***(Optional, Chemspill)*** Backport security-fixes to both `tor-browser` and `base-browser` branches
    
    63 87
     - [ ] ***(Optional)*** Rebase to `$(ESR_VERSION)`
    
    64
    -  - [ ] Find the Firefox hg tag here : https://hg.mozilla.org/releases/mozilla-esr91/tags
    
    88
    +  - [ ] Find the Firefox hg tag here : https://hg.mozilla.org/releases/mozilla-esr102/tags
    
    65 89
         - [ ] `$(ESR_TAG)` : `<INSERT_TAG_HERE>`
    
    66 90
       - [ ] Identify the hg patch associated with above hg tag, and find the equivalent `gecko-dev` git commit (search by commit message)
    
    67 91
         - [ ] `gecko-dev` commit : `<INSERT_COMMIT_HASH_HERE>`
    
    68
    -  - [ ] Create new `tor-browser` branch with the discovered `gecko-dev` commit as `HEAD` named `tor-browser-$(ESR_VERSION)esr-$(TOR_BROWSER_MAJOR).$(TOR-BROWSER_MINOR)-1`
    
    69 92
         - [ ] Sign/Tag commit :
    
    70 93
           - Tag : `$(ESR_TAG)`
    
    71 94
           - Message : `Hg tag $(ESR_TAG)`
    
    72
    -  - [ ] Push new branch and tag to origin
    
    73
    -  - [ ] Rebase `tor-browser` patches
    
    95
    +  - [ ] Create new branches with the discovered `gecko-dev` commit as `HEAD` named:
    
    96
    +    - [ ] `base-browser-$(ESR_VERSION)esr-$(TOR_BROWSER_MAJOR).$(TOR-BROWSER_MINOR)-1`
    
    97
    +    - [ ] `tor-browser-$(ESR_VERSION)esr-$(TOR_BROWSER_MAJOR).$(TOR-BROWSER_MINOR)-1`
    
    98
    +  - [ ] Push new branches and esr tag to origin
    
    99
    +  - [ ] Rebase `base-browser` patches onto the `gecko-dev` commit
    
    100
    +  - [ ] Rebase `tor-browser` patches onto the `base-browser` branch
    
    74 101
       - [ ] Compare patch-sets (ensure nothing *weird* happened during rebase):
    
    75 102
         - [ ] rangediff: `git range-diff $(ESR_TAG_PREV)..$(TOR_BROWSER_BRANCH_PREV) $(ESR_TAG)..$(TOR_BROWSER_BRANCH)`
    
    76 103
         - [ ] diff of diffs:
    
    ... ... @@ -79,150 +106,65 @@
    79 106
             - [ ] `git diff $(ESR_TAG)..$(TOR_BROWSER_BRANCH) > rebased_patchset.diff`
    
    80 107
             - [ ] `$(DIFF_TOOL) current_patchset.dif rebased_patchset.deff`
    
    81 108
       - [ ] Open MR for the rebase
    
    82
    -- [ ] ***(Optional)*** Backport any required Alpha patches to Stable
    
    83
    -  - [ ] cherry-pick patches on top of rebased branch (issues to backport should have `Backport` label and be linked to the associated `Release Prep` issue)
    
    84
    -  - [ ] Close associated `Backport` issues
    
    85
    -  - [ ] Open MR for the backport commits
    
    109
    +- [ ] Sign/Tag `base-browser` commit:
    
    110
    +  - **NOTE** : Currently we are using the `Bug 40926: Implemented the New Identity feature` commit as the final commit of `base-browser` before `tor-browser`
    
    111
    +  - Tag : `base-browser-$(ESR_VERSION)esr-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-build1`
    
    112
    +  - Message: `Tagging build1 for $(ESR_VERSION)esr-based alpha`
    
    86 113
     - [ ] Sign/Tag `tor-browser` commit :
    
    87 114
       - Tag : `tor-browser-$(ESR_VERSION)esr-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(FIREFOX_BUILD_N)`
    
    88
    -  - Message : `Tagging $(FIREFOX_BUILD_N) for $(ESR_VERSION)esr-based (alpha|stable)`
    
    89
    -- [ ] Push tag to `origin`
    
    115
    +  - Message : `Tagging $(FIREFOX_BUILD_N) for $(ESR_VERSION)esr-based alpha`
    
    116
    +- [ ] Push rebased branches and tags to `origin`
    
    117
    +- [ ] Update Gitlab Default Branch to new Alpha branch:  https://gitlab.torproject.org/tpo/applications/tor-browser/-/settings/repository
    
    90 118
     
    
    91 119
     </details>
    
    92 120
     
    
    93 121
     <details>
    
    94
    -    <summary>Android</summary>
    
    95
    -
    
    96
    -### **geckoview**: https://gitlab.torproject.org/tpo/applications/tor-browser.git
    
    97
    -- [ ] ***(Optional)*** Rebase to `$(RR_VERSION)`
    
    98
    -  - [ ] Find the Firefox hg tag here : https://hg.mozilla.org/releases/mozilla-release/tags
    
    99
    -    - [ ] `$(RR_TAG)` : `<INSERT_TAG_HERE>`
    
    100
    -  - [ ] Identify the hg patch associated with above hg tag, and find the equivalent `gecko-dev` git commit (search by commit message)
    
    101
    -    - [ ] `gecko-dev` commit : `<INSERT_COMMIT_HASH_HERE>`
    
    102
    -  - [ ] Create new `geckoview` branch with the discovered `gecko-dev` commit as `HEAD` named `geckoview-$(RR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR-BROWSER_MINOR)-1`
    
    103
    -  - [ ] Sign/Tag commit :
    
    104
    -    - Tag : `$(RR_TAG)`
    
    105
    -    - Message : `Hg tag $(RR_TAG)`
    
    106
    -  - [ ] Push new branch and tag to origin
    
    107
    -  - [ ] Rebase `geckoview` patches
    
    108
    -  - [ ] Compare patch-sets (ensure nothing *weird* happened during rebase):
    
    109
    -    - [ ] rangediff: `git range-diff $(RR_TAG_PREV)..$(GECKOVIEW_BRANCH_PREV) $(RR_TAG)..$(GECKOVIEW_BRANCH)`
    
    110
    -    - [ ] diff of diffs:
    
    111
    -        -  Do the diff between `current_patchset.diff` and `rebased_patchset.diff` with your preferred `$(DIFF_TOOL)` and look at differences on lines that starts with + or -
    
    112
    -        - [ ] `git diff $(RR_TAG_PREV)..$(GECKOVIEW_BRANCH_PREV) > current_patchset.diff`
    
    113
    -        - [ ] `git diff $(RR_TAG)..$(GECKOVIEW_BRANCH) > rebased_patchset.diff`
    
    114
    -        - [ ] `$(DIFF_TOOL) current_patchset.dif rebased_patchset.deff`
    
    115
    -  - [ ] Open MR for the rebase
    
    116
    -- [ ] ***(Optional)*** Backport any required patches to Stable
    
    117
    -  - [ ] cherry-pick patches on top of rebased branch (issues to backport should have `Backport` label and be linked to the associated `Release Prep` issue)
    
    118
    -  - [ ] Close associated `Backport` issues
    
    119
    -  - [ ] Open MR for the backport commits
    
    120
    -  - [ ] Merge + Push
    
    121
    -- [ ] Sign/Tag `geckoview` commit :
    
    122
    -  - Tag : `geckoview-$(RR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(FIREFOX_BUILD_N)`
    
    123
    -  - Message : `Tagging $(FIREFOX_BUILD_N) for $(RR_VERSION)-based (alpha|stable)`
    
    124
    -- [ ] Push tag to `origin`
    
    125
    -
    
    126
    -### **tba-translation** ***(Optional)***: https://gitlab.torproject.org/tpo/translation.git
    
    127
    -- **NOTE** We only update strings in stable if a backported feature depends on new strings
    
    128
    -- [ ] Fetch latest and identify new `HEAD` of `fenix-torbrowserstringsxml` branch
    
    129
    -  - [ ] `origin/fenix-torbrowserstringsxml` : `<INSERT COMMIT HASH HERE>`
    
    130
    -
    
    131
    -### **tor-android-service** ***(Optional)***: https://gitlab.torproject.org/tpo/applications/tor-android-service.git
    
    132
    -- [ ] Fetch latest and identify new `HEAD` of `main` branch
    
    133
    -  - [ ] `origin/main` : `<INSERT COMMIT HASH HERE>`
    
    134
    -
    
    135
    -### **application-services** : *TODO: we need to setup a gitlab copy of this repo that we can apply security backports to*
    
    136
    -- [ ] ***(Optional)*** Backport any Android-specific security fixes from Firefox rapid-release
    
    137
    -- [ ] Sign/Tag commit:
    
    138
    -  - Tag : `application-services-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)`
    
    139
    -  - Message: `Tagging $(BUILD_N) for $(ESR_VERSION)-based (alpha|stable)`
    
    140
    -- [ ] Push tag to `origin`
    
    141
    -### **android-components** ***(Optional)***: https://gitlab.torproject.org/tpo/applications/android-components.git
    
    142
    -- [ ] ***(Optional)*** Rebase to `$(RR_VERSION)`
    
    143
    -  - [ ] Identify the `mozilla-mobile` git tag to start from by first updating `fenix` and then checking which `android-components` tag is used in `buildSrc/src/main/java/AndroidComponents.kt`
    
    144
    -    - Alternatively search for commit message like `Update Android-Components`
    
    145
    -  - [ ] Create new branch from tag named `android-components-$(RR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1`
    
    146
    -  - [ ] Push new branch to origin
    
    147
    -  - [ ] Rebase `android-components` patches
    
    148
    -  - [ ] Perform rangediff to ensure nothing weird happened resolving conflicts
    
    149
    -  - [ ] Open MR for the rebase
    
    150
    -  - [ ] Merge + Push
    
    151
    -- [ ] ***(Optional)*** Backport any required patches to Stable
    
    152
    -  - [ ] cherry-pick patches on top of rebased branch (issues to backport should have `Backport` label and be linked to the associated `Release Prep` issue)
    
    153
    -  - [ ] Close associated `Backport` issues
    
    154
    -  - [ ] Open MR for the backport commits
    
    155
    -  - [ ] Merge + Push
    
    156
    - [ ] Sign/Tag commit:
    
    157
    -  - Tag : `android-components-$(RR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)`
    
    158
    -  - Message: `Tagging $(BUILD_N) for $(RR_VERSION)-based (alpha|stable)`
    
    159
    -  - [ ] Push tag to origin
    
    160
    -
    
    161
    -### **fenix** ***(Optional)***: https://gitlab.torproject.org/tpo/applications/fenix.git
    
    162
    -- [ ] ***(Optional)*** Rebase to `$(RR_VERSION)`
    
    163
    -  - Upstream git repo : https://github.com/mozilla-mobile/fenix.git
    
    164
    -  - [ ] Identify the `mozilla-mobile` git tag to start from
    
    165
    -    - Seem to be in the form `v$(RR_VERSION)` (for example, `v96.3.0`)
    
    166
    -  - [ ] Create new branch from tag named `tor-browser-$(RR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1`
    
    167
    -    - **NOTE** : it is weird but we do use `tor-browser` here rather than `fenix`
    
    168
    -  - [ ] Push new branch to origin
    
    169
    -  - [ ] Rebase `fenix` patches
    
    170
    -  - [ ] Perform rangediff to ensure nothing weird happened resolving conflicts
    
    171
    -  - [ ] Open MR for the rebase
    
    172
    -  - [ ] Merge + Push
    
    173
    -- [ ] ***(Optional)*** Backport any required patches to Stable
    
    174
    -  - [ ] cherry-pick patches on top of rebased branch (issues to backport should have `Backport` label and be linked to the associated `Release Prep` issue)
    
    175
    -  - [ ] Close associated `Backport` issues
    
    176
    -  - [ ] Open MR for the backport commits
    
    177
    -  - [ ] Merge + Push
    
    178
    -- [ ] Sign/Tag commit:
    
    179
    -  - Tag : `tor-browser-$(RR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)`
    
    180
    -  - Message: `Tagging $(BUILD_N) for $(RR_VERSION)-based (alpha|stable)`
    
    181
    -- [ ] Push tag to origin
    
    182
    -
    
    183
    -</details>
    
    184
    -
    
    185
    -<details>
    
    186
    -    <summary>Build/Signing/Publishing</summary>
    
    122
    +    <summary>Build</summary>
    
    187 123
     
    
    188 124
     ### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git
    
    189
    -Tor Browser Alpha (and Nightly) are on the `main` branch, while Stable lives in the various `$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-maint` (and possibly more specific) branches
    
    125
    +Tor Browser Alpha (and Nightly) are on the `main` branch, while Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)` (and possibly more specific) branches
    
    190 126
     
    
    191 127
     - [ ] Update `rbm.conf`
    
    192 128
       - [ ] `var/torbrowser_version` : update to next version
    
    193 129
       - [ ] `var/torbrowser_build` : update to `$(TOR_BROWSER_BUILD_N)`
    
    194 130
       - [ ] ***(Desktop Only)*** `var/torbrowser_incremental_from` : update to previous Desktop version
    
    195 131
         - [ ] **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make incrementals-*` step will fail
    
    196
    -- [ ] ***(Desktop Only)*** Update `projects/firefox/config`
    
    132
    +- [ ] Update `projects/firefox/config`
    
    197 133
       - [ ] `git_hash` : update the `$(BUILD_N)` section to match `tor-browser` tag
    
    198 134
       - [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased
    
    199
    -- [ ] ***(Android Only)*** Update `projects/geckoview/config`
    
    200
    -  - [ ] `git_hash` : update the `$(BUILD_N)` section to match `geckoview` tag
    
    201
    -  - [ ] ***(Optional)*** `var/geckoview_version` : update to latest `$(RR_VERSION)` if rebased
    
    202
    -- [ ] ***(Android Only, Optional)*** Update `projects/tba-translations/config`:
    
    135
    +- [ ] Update `projects/geckoview/config`
    
    136
    +  - [ ] `git_hash` : update the `$(BUILD_N)` section to match `tor-browser` tag
    
    137
    +  - [ ] ***(Optional)*** `var/geckoview_version` : update to latest `$(ESR_VERSION)` if rebased
    
    138
    +- [ ] Update `projects/translation-base-browser/config`
    
    139
    +  - [ ] `git_hash` : update with `HEAD` commit of project's `base-browser` branch
    
    140
    +- [ ] Update `projects/translation-base-browser-fluent/config`
    
    141
    +  - [ ] `git_hash` : update with `HEAD` commit of project's `basebrowser-newidentityftl` branch
    
    142
    +- [ ] Update `projects/tba-translations/config`:
    
    203 143
       - [ ]  `git_hash` : update with `HEAD` commit of project's `fenix-torbrowserstringsxml` branch
    
    204
    -- [ ] ***(Android Only, Optional)*** Update `projects/tor-android-service/config`
    
    144
    +- [ ] ***(Optional)*** Update `projects/tor-android-service/config`
    
    205 145
       - [ ] `git_hash` : update with `HEAD` commit of project's `main` branch
    
    206
    -- [ ] ***(Android Only, Optional)*** Update `projects/application-services/config`:
    
    146
    +- [ ] ***(Optional)*** Update `projects/application-services/config`:
    
    207 147
       **NOTE** we don't have any of our own patches for this project
    
    208
    -  - [ ] `git_hash` : update to appropriate git commit associated with $(RR_VERSION)
    
    209
    -- [ ] ***(Android Only, Optional)*** Update `projects/android-components/config`
    
    210
    -  - [ ] `git_hash` : update the `$(BUILD_N)` section to match `android-components` tag
    
    211
    -  - [ ] ***(Optional)*** `var/android_components_version` : update to latest `$(RR_VERSION)` if rebased
    
    212
    -- [ ] ***(Android Only, Optional)*** Update `projects/fenix/config`
    
    148
    +  - [ ] `git_hash` : update to appropriate git commit associated with `$(ESR_VERSION)`
    
    149
    +- [ ] Update `projects/android-components/config`:
    
    150
    +  - [ ] `git_hash` : update the `$(BUILD_N)` section to match alpha `android-components` tag
    
    151
    +- [ ] Update `projects/fenix/config`
    
    213 152
       - [ ] `git_hash` : update the `$(BUILD_N)` section to match `fenix` tag
    
    214
    -  - [ ] ***(Optional)*** `var/fenix_version` : update to latest `$(RR_VERSION)` if rebased
    
    215
    -- [ ] ***(Android Only)*** Update allowed_addons.json by running (from `tor-browser-build` root):
    
    216
    -  - `./tools/fetch_allowed_addons.py > projects/tor-browser/allowed_addons.json`
    
    153
    +  - [ ] ***(Optional)*** `var/fenix_version` : update to latest `$(ESR_VERSION)` if rebased
    
    154
    +- [ ] Update allowed_addons.json by running (from `tor-browser-build` root):
    
    155
    +  - `./tools/fetch_allowed_addons.py > projects/browser/allowed_addons.json`
    
    217 156
     - [ ] Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript
    
    218
    -  - [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/tor-browser/config`
    
    157
    +  - [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/browser/config`
    
    219 158
         - [ ] `URL`
    
    220 159
         - [ ] `sha256sum`
    
    221
    -- [ ] Check for OpenSSL updates here : https://github.com/openssl/openssl/tags
    
    222
    -  - [ ] ***(Optional)*** If new 1.X.Y series tag available, update `projects/openssl/config`
    
    223
    -    - [ ] `version` : update to next 1.X.Y release tag
    
    160
    +- [ ] Check for OpenSSL updates here : https://www.openssl.org/source/
    
    161
    +  - [ ] ***(Optional)*** If new 1.X.Y version available, update `projects/openssl/config`
    
    162
    +    - [ ] `version` : update to next 1.X.Y version
    
    224 163
         - [ ] `input_files/sha256sum` : update to sha256 sum of source tarball
    
    225
    -- [ ] Check for tor updates here : https://gitlab.torproject.org/tpo/core/tor/-/tags ; Tor Browser Alpha uses `-alpha` tagged tor, while stable uses the stable series
    
    164
    +- [ ] Check for zlib updates here: https://github.com/madler/zlib/releases
    
    165
    +  - [ ] **(Optional)** If new tag available, update `projects/zlib/config`
    
    166
    +    - [ ] `version` : update to next release tag
    
    167
    +- [ ] Check for tor updates here : https://gitlab.torproject.org/tpo/core/tor/-/tags ; Tor Browser Alpha uses latest `-alpha` tagged tor (or latest of stable if newer)
    
    226 168
       - [ ] ***(Optional)*** Update `projects/tor/config`
    
    227 169
         - [ ] `version` : update to next release tag
    
    228 170
     - [ ] Check for go updates here : https://golang.org/dl
    
    ... ... @@ -244,7 +186,7 @@ Tor Browser Alpha (and Nightly) are on the `main` branch, while Stable lives in
    244 186
       - [ ] Ensure ChangeLog.txt is sync'd between alpha and stable branches
    
    245 187
     - [ ] Open MR with above changes
    
    246 188
     - [ ] Begin build on `$(BUILD_SERVER)` (and fix any issues which come up)
    
    247
    -- [ ] Sign/Tag commit : `make signtag-(alpha|release)`
    
    189
    +- [ ] Sign/Tag commit : `make signtag-release`
    
    248 190
     - [ ] Push tag to origin
    
    249 191
     
    
    250 192
     ### notify stakeholders
    
    ... ... @@ -255,57 +197,32 @@ Tor Browser Alpha (and Nightly) are on the `main` branch, while Stable lives in
    255 197
     - [ ] Email Tails dev mailing list: tails-dev@boum.org
    
    256 198
         - [ ] Provide links to unsigned builds on `$(BUILD_SERVER)`
    
    257 199
     
    
    258
    -### blog: https://gitlab.torproject.org/tpo/web/blog.git
    
    259
    -
    
    260
    -- [ ] Duplicate previous Stable or Alpha release blog post as appropriate to new directory under `content/blog/new-release-tor-browser-$(TOR_BROWSER_VERSION)` and update with info on release :
    
    261
    -    - [ ] Update Tor Browser version numbers
    
    262
    -    - [ ] Note any ESR rebase
    
    263
    -    - [ ] Note any Rapid Release rebase
    
    264
    -    - [ ] Link to any Firefox security updates
    
    265
    -    - [ ] Note any updates to :
    
    266
    -        - [ ] tor
    
    267
    -        - [ ] OpenSSL
    
    268
    -        - [ ] go
    
    269
    -        - [ ] NoScript
    
    270
    -    - [ ] Convert ChangeLog.txt to markdown format used here by : `tor-browser-build/tools/changelog-format-blog-post`
    
    271
    -- [ ] Push to origin as new branch, open 'Draft :' MR
    
    272
    -- [ ] Remove `Draft:` from MR once signed-packages are uploaded
    
    273
    -- [ ] Merge
    
    274
    -- [ ] Publish after CI passes
    
    200
    +</details>
    
    275 201
     
    
    276
    -### website: https://gitlab.torproject.org/tpo/web/tpo.git
    
    277
    -- [ ] `databags/versions.ini` : Update the downloads versions
    
    278
    -    - `torbrowser-stable/version` : sort of a catch-all for latest stable version
    
    279
    -    - `torbrowser-stable/win32` : tor version in the expert bundle
    
    280
    -    - `torbrowser-*-stable/version` : platform-specific stable versions
    
    281
    -    - `torbrowser-*-alpha/version` : platform-specific alpha versions
    
    282
    -    - `tor-stable`,`tor-alpha` : set by tor devs, do not touch
    
    283
    -- [ ] Push to origin as new branch, open 'Draft :' MR
    
    284
    -- [ ] Remove `Draft:` from MR once signed-packages are uploaded
    
    285
    -- [ ] Merge
    
    286
    -- [ ] Publish after CI passes
    
    202
    +<details>
    
    203
    +  <summary>Signing/Publishing</summary>
    
    287 204
     
    
    288 205
     ### signing + publishing
    
    289 206
     - [ ] Ensure builders have matching builds
    
    290 207
     - [ ] On `$(STAGING_SERVER)`, ensure updated:
    
    291 208
       - [ ] `tor-browser-build/tools/signing/set-config`
    
    292
    -    - [ ] `NSS_DB_DIR` : location of the `nssdb7` directory
    
    209
    +    - `NSS_DB_DIR` : location of the `nssdb7` directory
    
    293 210
       - [ ]  `tor-browser-build/tools/signing/set-config.hosts`
    
    294
    -    - [ ] `ssh_host_builder` : ssh hostname of machine with unsigned builds
    
    211
    +    - `ssh_host_builder` : ssh hostname of machine with unsigned builds
    
    295 212
           - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory)
    
    296
    -    - [ ] `ssh_host_linux_signer` : ssh hostname of linux signing machine
    
    297
    -    - [ ] `ssh_host_macos_signer` : ssh hostname of macOS signing machine
    
    213
    +    - `ssh_host_linux_signer` : ssh hostname of linux signing machine
    
    214
    +    - `ssh_host_macos_signer` : ssh hostname of macOS signing machine
    
    298 215
       - [ ] `tor-browser-build/tools/signing/set-config.macos-notarization`
    
    299
    -    - [ ] `macos_notarization_user` : the email login for a tor notariser Apple Developer account
    
    216
    +    - `macos_notarization_user` : the email login for a tor notariser Apple Developer account
    
    300 217
       - [ ] `tor-browser-build/tools/signing/set-config.tbb-version`
    
    301
    -    - [ ] `tbb_version` : tor browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`)
    
    302
    -    - [ ] `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`)
    
    303
    -    - [ ] `tbb_version_type` : either `alpha` for alpha releases or `release` for stable releases
    
    218
    +    - `tbb_version` : tor browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`)
    
    219
    +    - `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`)
    
    220
    +    - `tbb_version_type` : either `alpha` for alpha releases or `release` for stable releases
    
    304 221
     - [ ] On `$(STAGING_SERVER)` in a separate `screen` session, run the macOS proxy script:
    
    305 222
         - `cd tor-browser-build/tools/signing/`
    
    306 223
         - `./macos-signer-proxy`
    
    307 224
     - [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
    
    308
    -- [ ] ***(Android Only)*** APK Signing: *TODO*
    
    225
    +- [ ] apk signing : copy signed `*multi.apk` files to the unsigned build outputs directory
    
    309 226
     - [ ] run do-all-signing script:
    
    310 227
         - `cd tor-browser-build/tools/signing/`
    
    311 228
         - `./do-all-signing.sh`
    
    ... ... @@ -317,23 +234,51 @@ Tor Browser Alpha (and Nightly) are on the `main` branch, while Stable lives in
    317 234
         - [ ] `/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser`
    
    318 235
         - [ ] `/srv/dist-master.torproject.org/htdocs/torbrowser`
    
    319 236
       - [ ] Static update components : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org`
    
    320
    -  - [ ] Enable update responses :
    
    321
    -    - [ ] alpha: `./deploy_update_responses-alpha.sh`
    
    322
    -    - [ ] release: `./deploy_update_responses-release.sh`
    
    323
    -- [ ] ***(Android Only)*** : Publish APKs to Google Play:
    
    324
    -  - [ ] Log into https://play.google.com/apps/publish
    
    325
    -  - [ ] Select `Tor Browser` app
    
    326
    -  - [ ] Navigate to `Release > Production` and click `Create new release` button
    
    237
    +  - [ ] Enable update responses : `./deploy_update_responses-alpha.sh`
    
    238
    +- [ ] Publish APKs to Google Play:
    
    239
    +  - Log into https://play.google.com/apps/publish
    
    240
    +  - Select `Tor Browser (Alpha)` app
    
    241
    +  - Navigate to `Release > Production` and click `Create new release` button
    
    327 242
       - [ ] Upload the `*.multi.apk` APKs
    
    328
    -  - [ ] If necessary, update the 'Release Name' (should be automatically populated)
    
    243
    +  - [ ] Update Release Name to Tor Browser version number
    
    329 244
       - [ ] Update Release Notes
    
    330
    -    - [ ] Next to 'Release notes', click `Copy from a previous release`
    
    245
    +    - Next to 'Release notes', click `Copy from a previous release`
    
    331 246
         - [ ] Edit blog post url to point to most recent blog post
    
    332
    -  - [ ] Save, review, and configure rollout percentage
    
    247
    +  - Save, review, and configure rollout percentage
    
    333 248
         - [ ] 25% rollout when publishing a scheduled update
    
    334 249
         - [ ] 100% rollout when publishing a security-driven release
    
    335 250
       - [ ] Update rollout percentage to 100% after confirmed no major issues
    
    336 251
     
    
    252
    +### website: https://gitlab.torproject.org/tpo/web/tpo.git
    
    253
    +- [ ] `databags/versions.ini` : Update the downloads versions
    
    254
    +    - `torbrowser-stable/version` : sort of a catch-all for latest stable version
    
    255
    +    - `torbrowser-alpha/version` : sort of a catch-all for latest stable version
    
    256
    +    - `torbrowser-*-stable/version` : platform-specific stable versions
    
    257
    +    - `torbrowser-*-alpha/version` : platform-specific alpha versions
    
    258
    +    - `tor-stable`,`tor-alpha` : set by tor devs, do not touch
    
    259
    +- [ ] Push to origin as new branch, open 'Draft :' MR
    
    260
    +- [ ] Remove `Draft:` from MR once signed-packages are uploaded
    
    261
    +- [ ] Merge
    
    262
    +- [ ] Publish after CI passes and builds are published
    
    263
    +
    
    264
    +### blog: https://gitlab.torproject.org/tpo/web/blog.git
    
    265
    +
    
    266
    +- [ ] Duplicate previous Stable or Alpha release blog post as appropriate to new directory under `content/blog/new-release-tor-browser-$(TOR_BROWSER_VERSION)` and update with info on release :
    
    267
    +    - [ ] Update Tor Browser version numbers
    
    268
    +    - [ ] Note any ESR rebase
    
    269
    +    - [ ] Link to any Firefox security updates from ESR upgrade
    
    270
    +    - [ ] Link to any Android-specific security backports
    
    271
    +    - [ ] Note any updates to :
    
    272
    +      - tor
    
    273
    +      - OpenSSL
    
    274
    +      - NoScript
    
    275
    +    - [ ] Convert ChangeLog.txt to markdown format used here by :
    
    276
    +      - `tor-browser-build/tools/changelog-format-blog-post`
    
    277
    +- [ ] Push to origin as new branch, open `Draft:` MR
    
    278
    +- [ ] Remove `Draft:` from MR once signed-packages are uploaded
    
    279
    +- [ ] Merge
    
    280
    +- [ ] Publish after CI passes and website has been updated
    
    281
    +
    
    337 282
     ### tor-announce mailing list
    
    338 283
     - [ ] Send an email to tor-announce@lists.torproject.org, using the same content as the blog post and subject "Tor Browser $version is released".
    
    339 284