morgan pushed to branch tor-browser-128.9.0esr-14.5-1 at The Tor Project / Applications / Tor Browser
Commits: 6ddec96c by Morgan at 2025-04-16T15:28:30+00:00 fixup! TB 41649: Create rebase and security backport gitlab issue templates
revert
- - - - - ede238fb by Morgan at 2025-04-16T15:28:31+00:00 fixup! Adding issue and merge request templates
revert
- - - - - 7f040e37 by Morgan at 2025-04-17T14:31:33+00:00 BB 43615: Add Gitlab Issue and Merge Request templates
- - - - - ee512804 by Morgan at 2025-04-17T15:36:37+00:00 fixup! BB 43615: Add Gitlab Issue and Merge Request templates
add new and modify existing shared Tor/Mullvad browser templates
- - - - - 8f2c9d34 by Morgan at 2025-04-17T15:36:37+00:00 TB 43616: Customize Gitlab Issue and Merge Request templates
- - - - - 17438f0d by Morgan at 2025-04-17T15:36:38+00:00 fixup! TB 43616: Customize Gitlab Issue and Merge Request templates
Tor Browser specific updates
- - - - -
22 changed files:
- + .gitlab/issue_templates/000 Bug Report.md
- + .gitlab/issue_templates/010 Proposal.md
- + .gitlab/issue_templates/020 Web Compatibility.md
- + .gitlab/issue_templates/030 Test.md
- + .gitlab/issue_templates/040 Feature.md
- .gitlab/issue_templates/Backport.md → .gitlab/issue_templates/050 Backport.md
- .gitlab/issue_templates/Rebase Browser - Alpha.md → .gitlab/issue_templates/060 Rebase - Alpha.md
- .gitlab/issue_templates/Rebase Browser - Stable.md → .gitlab/issue_templates/061 Rebase - Stable.md
- .gitlab/issue_templates/Rebase Browser - Legacy.md → .gitlab/issue_templates/062 Rebase - Legacy.md
- .gitlab/issue_templates/Rebase Browser - Rapid.md → .gitlab/issue_templates/063 Rebase - Rapid.md
- .gitlab/issue_templates/Uplift.md → .gitlab/issue_templates/070 Uplift.md
- .gitlab/issue_templates/Backport Android Security Fixes.md → .gitlab/issue_templates/080 Security Backports.md
- .gitlab/issue_templates/Emergency Security Issue.md → .gitlab/issue_templates/090 Emergency Security Issue.md
- .gitlab/issue_templates/QA - Desktop.md → .gitlab/issue_templates/100 Release QA - Desktop.md
- .gitlab/issue_templates/QA - Android.md → .gitlab/issue_templates/101 Release QA - Android.md
- + .gitlab/issue_templates/110 Bugzilla Triage.md
- .gitlab/issue_templates/Bugzilla Audit.md → .gitlab/issue_templates/120 Bugzilla Audit.md
- − .gitlab/issue_templates/Bugzilla Triage.md
- + .gitlab/issue_templates/Default.md
- − .gitlab/issue_templates/bug.md
- .gitlab/merge_request_templates/default.md → .gitlab/merge_request_templates/Default.md
- − .gitlab/merge_request_templates/Rebase.md
Changes:
===================================== .gitlab/issue_templates/000 Bug Report.md ===================================== 
@@ -0,0 +1,121 @@ +# 🐞 Bug Report +<!-- +Use this template to report problems with the browser which are unrelated to +website functionality (please use the Web Compatibility template for such issues). +The issue's title MUST provide a succinct description of the problem. + +Some good (hypothetical) titles: +- Browser crashes when visiting example.com in Safer mode +- Letterboxing appears even when disabled when using tiling window-manager +- All fonts in browser-chrome have serifs + +Please DO NOT include information about platform in the title, it is redundant +with our labeling system! +--> + +## Reproduction steps +<!-- +Provide specific steps developers can follow to reproduce your issue. +--> + +## Expected behaviour +<!-- +Provide a description of the browser feature or scenario which does not appear +to be working. +--> + +## Actual behaviour +<!-- +Provide a description of what actually occurs. +--> + +## Bookkeeping +<!-- +Please provide the following information: +--> + +- Browser version: +- Browser channel: + - [ ] Release + - [ ] Alpha + - [ ] Nightly +- Distribution method: + - [ ] Installer/archive from torproject.org + - [ ] tor-browser-launcher + - [ ] homebrew + - [ ] other (please specify): +- Operating System: + - [ ] Windows + - [ ] macOS + - [ ] Linux + - [ ] Android + - [ ] Tails + - [ ] Other (please specify): +- Operating System Version: + +### Browser UI language +<!-- +Found in `about:preferences#general`. +Feel free to omit this if you like, but sometimes bugs can be language specific so having +this info may make it easier for developers to reproduce your problem. +--> + +### Have you modified any of the settings in `about:preferences` or `about:config`? If yes, which ones? +<!-- +If you changed any preference in about:config that aren't exposed in a UI, +could you try to see if you can reproduce without them? Generally speaking, such +changes are unsupported and bugs might be closed as invalid. 
+--> + +### Do you have any extra extensions installed? +<!-- e.g. Firefox Multi-Account Containers, uBlock Origin, etc --> + +## Troubleshooting +<!-- +This is optional, but it will help to resolve your problem. +--> + +### Does this bug occur in a fresh installation? + +### Is this bug new? If it is a regression, in which version of the browser did this bug first appear? +<!-- +Archived packages for past versions can be found here: +- https://archive.torproject.org/tor-package-archive +--> + +### Does this bug occur in the Alpha release channel? +<!-- +Sometimes bugs are fixed in the Alpha (development) channel but not in the Stable channel. +⚠️ However, the Alpha release channel is the development version and as such may be contain +critical bugs not present in the Stable release channel. Do not test in Alpha if you are an +at risk user unless you really, actually, truly know what you are doing! + +The latest Alpha can be found here: +- https://www.torproject.org/download/alpha/ +--> + +### Does this bug occur in Firefox ESR (Desktop only)? +<!-- +Tor Browser is based on Firefox ESR, so any bugs present in this upstream project will likely +also be present in Tor Browser. +Firefox ESR is available for download here: +- https://www.mozilla.org/en-US/firefox/all/desktop-esr/ +--> + +### Does this bug occur in Firefox Rapid Release? +<!-- +If the issue occurs in Firefox ESR, but does not occur in Firefox Rapid Release, we may be able +to identify and backport the patch which fixes it. + +Firefox Rapid Release is available for download here: +- https://www.mozilla.org/en-US/firefox/new/ + +If the issue has been fixed in Firefox, do you know the Bugzilla issue number associated with the fix? +--> + +<!-- Do not edit beneath this line <3 --> + +--- + +/label ~"Apps::Product::TorBrowser" +/label ~"Apps::Type::Bug"
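Review bot: The comment under `## Expected behaviour` asks for "the browser feature or scenario which does not appear to be working", which describes the failure rather than the expected result and overlaps with `## Actual behaviour`; suggest rewording it to ask what the reporter expected to happen. Two wording slips in the same file: "may be contain critical bugs" in the Alpha channel comment should read "may contain", and "any preference in about:config that aren't exposed" mixes singular and plural.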
===================================== .gitlab/issue_templates/010 Proposal.md ===================================== 
@@ -0,0 +1,70 @@ +# 💡 Proposal +<!-- +Use this template to request a feature or propose some change in the browser. +The issue will likely be edited many times over its life to flesh out the various +questions, so if you don't know the answers to something, jut leave it blank! + +The issue's title MUST provide a succinct description of proposal. + +Some good (hypothetical) titles: +- Remove 'Safer' option from Security Level +- Bundle uBlock Origin by default +- Replace NoScript with faith-based JavaScript sand-boxing +--> + +## User Story +<!-- +Provide a high-level summary of the proposed feature, the problem it solves, and +what it would allow users to do if implemented. --> + +## Security and Privacy Implications +<!-- +How would this proposal interact with our the browser's threat model? +Would this feature negatively affect the browser's security or privacy +guarantees? +--> + +### Security +<!-- +Outline any security implications this feature would introduce. The browser's +security requirements can be found in our threat model document here: +- https://gitlab.torproject.org/tpo/applications/wiki/-/wikis/Design-Documents/Tor-Browser-Design-Doc#21-security-requirements +--> + +### Privacy +<!-- +Outline any privacy implications this feature would introduce. The browser's +privacy requirements can be found in our threat model document here: +- https://gitlab.torproject.org/tpo/applications/wiki/-/wikis/Design-Documents/Tor-Browser-Design-Doc#22-privacy-requirements +--> + +## Accessibility Implications +<!-- +Would this proposal affect or interact with the browser's usability for users +with accessibility needs (e.g. vision or mobility issues). What problems would need +to be solved to ensure these users are not left behind? +--> + +## Other Trade-Offs +<!-- +Beyond the security, privacy and accessibility implications, what other implications +are there for users? +--> + +## Prior Art + +### Does this feature exist in other browsers? 
+- [ ] Yes + - [ ] Firefox + - [ ] Firefox ESR + - [ ] Other (please specify) +- [ ] No + +### Does this feature exist as an extension? If yes, which one provides this functionality? + +<!-- Do not edit beneath this line <3 --> + +--- + +/label ~"Apps::Product::TorBrowser" +/label ~"Apps::Type::Proposal"
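Review bot: Typos in the template comments will be shown to everyone who opens a proposal: "jut leave it blank" in the header comment should be "just", "interact with our the browser's threat model" under Security and Privacy Implications has a stray "our", and "succinct description of proposal" is missing "the". The first sentence under `## Accessibility Implications` is a question but ends with a full stop.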
===================================== .gitlab/issue_templates/020 Web Compatibility.md ===================================== 
@@ -0,0 +1,112 @@ +# 🌍 Web Compatibility +<!-- +Use this template to report websites which do not work properly in the browser. +The issue's title MUST provide a succinct description of the problem. + +Some good (hypothetical) titles: +- Road signs do not render correctly on maps.foo.com +- Infinite CAPTCHA prompts on bar.nat +- Cannot login to baz.org +--> + +## URL +<!-- Provide a link to the website --> + +## Expected behaviour +<!-- +Provide a description of the how the website is supposed to work +--> + +## Actual behaviour +<!-- +Provide a description of what actually occurs +--> + +## Reproduction steps +<!-- +Provide specific steps developers can follow to reproduce your issue +--> + +## Bookkeeping +<!-- +Please provide the following information: +--> + +- Browser version: +- Browser channel: + - [ ] Release + - [ ] Alpha + - [ ] Nightly +- Distribution method: + - [ ] Installer/archive from torproject.org + - [ ] tor-browser-launcher + - [ ] homebrew + - [ ] other (please specify): +- Operating System: + - [ ] Windows + - [ ] macOS + - [ ] Linux + - [ ] Android + - [ ] Tails + - [ ] Other (please specify): +- Operating System Version: + +### Have you modified any of the settings in `about:preferences` or `about:config`? If yes, which ones? +<!-- +If you changed any preference in about:config that aren't exposed in a UI, +could you try to see if you can reproduce without them? Generally speaking, such +changes are unsupported and bugs might be closed as invalid. +--> + +### Do you have any extra extensions installed? +<!-- e.g. Firefox Multi-Account Containers, uBlock Origin, etc --> + +## Troubleshooting +<!-- +This is optional, but it will help to resolve your problem. +--> + +### Does this bug occur in a fresh installation? + +### Is this bug new? If it is a regression, in which version of the browser did this bug first appear? 
+<!-- +Archived packages for past versions can be found here: +- https://archive.torproject.org/tor-package-archive +--> + +### Does this bug occur in the Alpha release channel? +<!-- +Sometimes bugs are fixed in the Alpha (development) channel but not in the Stable channel. +⚠️ However, the Alpha release channel is the development version and as such may be contain +critical bugs not present in the Stable release channel. Do not test in Alpha if you are an +at risk user unless you really, actually, truly know what you are doing! + +The latest Alpha can be found here: +- https://www.torproject.org/download/alpha/ +--> + +### Does this bug occur in Firefox ESR (Desktop only)? +<!-- +Tor Browser is based on Firefox ESR, so any bugs present in this upstream project will likely +also be present in Tor Browser. +Firefox ESR is available for download here: +- https://www.mozilla.org/en-US/firefox/all/desktop-esr/ +--> + +### Does this bug occur in Firefox Rapid Release? +<!-- +If the issue occurs in Firefox ESR, but does not occur in Firefox Rapid Release, we may be able +to identify and backport the patch which fixes it. + +Firefox Rapid Release is available for download here: +- https://www.mozilla.org/en-US/firefox/new/ + +If the issue has been fixed in Firefox, do you know the Bugzilla issue number associated with the fix? +--> + +<!-- Do not edit beneath this line <3 --> + +--- + +/label ~"Apps::Product::TorBrowser" +/label ~"Apps::Type::WebCompatibility"
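Review bot: The Bookkeeping and Troubleshooting blocks in this file repeat the ones in 000 Bug Report.md word for word, including the "may be contain critical bugs" slip in the Alpha channel comment, so every later correction has to be made twice; fix the wording in both files in this change. In the `## Expected behaviour` comment, "a description of the how the website is supposed to work" has a stray "the".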
===================================== .gitlab/issue_templates/030 Test.md ===================================== @@ -0,0 +1,29 @@ +# 💣 Test +<!-- +Use this template to track testing of some feature. Please +try to make the title a good one-liner for the changelogs! + +Some good (hypothetical) titles: +- Add test exercising new circuit button +- Add tests for verifying built-in bridge connectivity +- Develop a mock Lox authority for automated testing +--> + +## Description +<!-- +Provide an overview of the technical/implementation aspects of this +test work a developer would need to know +--> + +## Scenarios +<!-- +Provide a list of high-level classes of desired test-cases +and the expected behaviour of each +--> + +<!-- Do not edit beneath this line <3 --> + +--- + +/label ~"Apps::Product::TorBrowser" +/label ~"Apps::Type::Test"
===================================== .gitlab/issue_templates/040 Feature.md ===================================== @@ -0,0 +1,32 @@ +# ✨ Feature +<!-- +Use this template to track implementation of some feature. Please +try to make the title a good one-liner for the changelogs! + +Some good (hypothetical) titles: +- Bundle AwesomeFont Sans Font +- Implement new user on-boarding UX +- Publish Linux aarch64 alpha builds +--> + +## Description +<!-- +Provide an overview of the technical/implementation aspects of this feature +--> + +## Bookkeeping + +### Proposal +<!-- Add links to associated proposal issues (or delete block) --> +- tor-browser#12345 + +### Design +<!-- Add links to associated design issues (or delete block) --> +- tpo/UX/Design#123 + +<!-- Do not edit beneath this line <3 --> + +--- + +/label ~"Apps::Product::TorBrowser" +/label ~"Apps::Type::Feature"
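Review bot: The placeholder references `tor-browser#12345` and `tpo/UX/Design#123` under `### Proposal` and `### Design` sit outside the HTML comments, so an issue filed without deleting those blocks will render them as live references to whichever issues carry those numbers. Suggest moving the sample references inside the `<!-- ... -->` comments and leaving the bullets in the body empty.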
===================================== .gitlab/issue_templates/Backport.md → .gitlab/issue_templates/050 Backport.md ===================================== @@ -1,31 +1,39 @@ +# ⬅️ Backport Patchset <!-- -Title: - Backport tor-browser#12345: Title of Issue - Backport Bugzilla 1234567: Title of Issue +This is an issue for tracking back-porting a patch-set (e.g. from Alpha to Stable or from +Mozilla Rapid-Release to Alpha).
-This is an issue for tracking back-porting a patch-set (e.g. from Alpha to Stable or from Mozilla Rapid-Release to Alpha) ---> +please ensure the title has the following format: + +- Backport tor-browser#12345: Title of original issue +- Backport Bugzilla 1234567: Title of original issue
-## Backport Patchset +-->
-### Book-keeping +## Bookkeeping
-#### Issue(s) +### Issue(s) - tor-browser#12345 - mullvad-browser#123 - https://bugzilla.mozilla.org/show_bug.cgi?id=1234567
-#### Merge Request(s) +### Merge Request(s) - tor-browser!123
-#### Target Channels +### Target Channels
- [ ] Alpha - [ ] Stable - [ ] Legacy
-### Notes +## Notes
<!-- whatever additional info, context, etc that would be helpful for backporting -->
+ +<!-- Do not edit beneath this line <3 --> + +--- + +/label ~"Apps::Product::TorBrowser" /label ~"Apps::Type::Backport"
===================================== .gitlab/issue_templates/Rebase Browser - Alpha.md → .gitlab/issue_templates/060 Rebase - Alpha.md ===================================== @@ -1,3 +1,5 @@ +# ⤵️ Rebase Alpha + **NOTE:** All examples in this template reference the rebase from 102.7.0esr to 102.8.0esr
<details> @@ -152,4 +154,10 @@ - [ ] Update `firefox_platform_version` - [ ] Set `browser_build` to 1 (to prevent failures in alpha testbuilds)
+<!-- Do not edit beneath this line <3 --> + +--- + +/label ~"Apps::Product::TorBrowser" /label ~"Apps::Type::Rebase" +/label ~"Apps::Priority::Blocker"
===================================== .gitlab/issue_templates/Rebase Browser - Stable.md → .gitlab/issue_templates/061 Rebase - Stable.md ===================================== @@ -1,3 +1,5 @@ +# ⤵️ Rebase Stable + **NOTE:** All examples in this template reference the rebase from 102.7.0esr to 102.8.0esr
<details> @@ -114,4 +116,10 @@ ``` - [ ] Push tag to `upstream`
+<!-- Do not edit beneath this line <3 --> + +--- + +/label ~"Apps::Product::TorBrowser" /label ~"Apps::Type::Rebase" +/label ~"Apps::Priority::Blocker"
===================================== .gitlab/issue_templates/Rebase Browser - Legacy.md → .gitlab/issue_templates/062 Rebase - Legacy.md ===================================== @@ -1,3 +1,5 @@ +# ⤵️ Rebase Legacy + **NOTE:** All examples in this template reference the rebase from 115.17.0esr to 115.18.0esr
<details> @@ -110,4 +112,10 @@ ``` - [ ] Push tag to `upstream`
+<!-- Do not edit beneath this line <3 --> + +--- + +/label ~"Apps::Product::TorBrowser" /label ~"Apps::Type::Rebase" +/label ~"Apps::Priority::Blocker"
===================================== .gitlab/issue_templates/Rebase Browser - Rapid.md → .gitlab/issue_templates/063 Rebase - Rapid.md ===================================== @@ -1,3 +1,5 @@ +# ⤵️ Rebase Rapid + - **NOTE**: All examples in this template reference the rebase from Firefox 129.0a1 to 130.0a1 - **TODO**: - Documentation step for any difficulties or noteworthy things for each rapid rebase @@ -289,4 +291,10 @@ gitGraph: ``` - [ ] Push tag to `upstream`
+<!-- Do not edit beneath this line <3 --> + +--- + +/label ~"Apps::Product::TorBrowser" /label ~"Apps::Type::Rebase" +/label ~"Apps::Priority::High"
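Review bot: `/label ~"Apps::Priority::High"` at the end of this template differs from the `Apps::Priority::Blocker` label added to the Alpha, Stable and Legacy rebase templates in the same push; if the lower priority for rapid rebases is intended, say so in the commit message so it is not read as an oversight.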
===================================== .gitlab/issue_templates/Uplift.md → .gitlab/issue_templates/070 Uplift.md ===================================== @@ -1,3 +1,4 @@ +# ⬆️ **Uplift** <!-- Title: Uplift tor-browser#12345: Title of Issue @@ -5,22 +6,25 @@ Title: This is an issue for tracking uplift of a patch-set to Firefox -->
-## Uplift Patchset +## Book-keeping
-### Book-keeping - -#### Gitlab Issue(s) +### Gitlab Issue(s) - tor-browser#12345 - mullvad-browser#123
-#### Merge Request(s) +### Merge Request(s) - tor-browser!123
-#### Upstream Mozilla Issue(s): +### Upstream Mozilla Issue(s): - https://bugzilla.mozilla.org/show_bug.cgi?id=12345
-### Notes +## Notes +<!-- +Whatever additional info, context, etc that would be helpful for uplifting --> + +<!-- Do not edit beneath this line <3 -->
-<!-- whatever additional info, context, etc that would be helpful for uplifting --> +---
+/label ~"Apps::Product::TorBrowser" /label ~"Apps::Type::Uplift"
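Review bot: The section heading added here is `## Book-keeping`, while 050 Backport.md and the other templates in this push use `## Bookkeeping`; use one spelling throughout. The top-level heading is also bolded (`# ⬆️ **Uplift**`) where the Backport heading is not, and the title guidance stays in the old `Title:` form instead of the "please ensure the title has the following format" list that Backport now uses.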
===================================== .gitlab/issue_templates/Backport Android Security Fixes.md → .gitlab/issue_templates/080 Security Backports.md ===================================== @@ -1,3 +1,5 @@ +# 🛡️ **Security Backports** + <details> <summary>Explanation of Variables</summary>
@@ -16,20 +18,14 @@
**NOTE:** It is assumed the `tor-browser` rebases (stable and alpha) have already happened and there exists a `build1` build tags for both `base-browser` and `tor-browser` (stable and alpha)
-### **Bookkeeping** +## **Bookkeeping**
-- [ ] Link this issue to the appropriate [Release Prep](https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/?s...) issues (stable and alpha). +- [ ] Link this issue to the appropriate [Release Prep](https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/?s...) issues (alpha, stable, and legacy).
-### **Security Vulnerabilities Report**: https://www.mozilla.org/en-US/security/advisories/ +## **Security Vulnerabilities Report**: https://www.mozilla.org/en-US/security/advisories/
- Potentially Affected Components: - `firefox`/`geckoview`: https://github.com/mozilla/gecko-dev - - `application-services`: https://github.com/mozilla/application-services - - `android-components` (ESR 102 only): https://github.com/mozilla-mobile/firefox-android - - `fenix` (ESR 102 only): https://github.com/mozilla-mobile/firefox-android - - `firefox-android`: https://github.com/mozilla-mobile/firefox-android - -**NOTE:** `android-components` and `fenix` used to have their own repos, but since November 2022 they have converged to a single `firefox-android` repo. Any backports will require manually porting patches over to our legacy repos until we have transitioned to ESR 115.
- [ ] Go through the `Security Vulnerabilities fixed in Firefox $(RR_VERSION)` report and create a candidate list of CVEs which potentially need to be backported in this issue: - CVEs which are explicitly labeled as 'Android' only @@ -43,100 +39,49 @@ - To find the `gecko-dev` version of a `mozilla-central`, search for a unique string in the relevant `mozilla-central` commit message in the `gecko-dev/release` branch log. - **NOTE:** This process is unfortunately somewhat poorly defined/ad-hoc given the general variation in how Bugzilla issues are labeled and resolved. In general this is going to involve a bit of hunting to identify needed commits or determining whether or not the fix is relevant.
-### CVEs +## CVEs
<!-- CVE Resolution Template, foreach CVE to investigate add an entry in the form: - [ ] https://www.mozilla.org/en-US/security/advisories/mfsaYYYY-NN/#CVE-YYYY-XXXXX // CVE description - https://bugzilla.mozilla.org/show_bug.cgi?id=NNNNNN // Bugzilla issue - **Note**: Any relevant info about this fix, justification for why it is not necessary, etc - **Patches** - - firefox-android: https://link.to/relevant/patch - firefox: https://link.to/relevant/patch -->
-### **tor-browser**: https://gitlab.torproject.org/tpo/applications/tor-browser.git +## **tor-browser**: https://gitlab.torproject.org/tpo/applications/tor-browser.git - [ ] Backport any Android-specific security fixes from Firefox rapid-release - [ ] Backport patches to `tor-browser` stable branch - [ ] Open MR - [ ] Merge - - [ ] Rebase patches onto: + - [ ] cherry-pick patches onto: - [ ] `base-browser` stable + - [ ] `mullvad-browser` stable - [ ] `tor-browser` alpha - [ ] `base-browser` alpha + - [ ] `mullvad-browser` alpha - [ ] Sign/Tag commits: - - **Tag**: `$(PROJECT_NAME)-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)` - - **Message**: `Tagging $(BUILD_N) for $(ESR_VERSION)-based stable|alpha)` + - In **tor-browser-build.git**, run signing script: + ```bash + ./tools/browser/sign-tag.${PROJECT_NAME} ${CHANNEL} ${BUILD_N} + ``` - [ ] `base-browser` stable - [ ] `tor-browser` stable + - [ ] `mullvad-browser` stable - [ ] `base-browser` alpha - [ ] `tor-browser` alpha - - [ ] Push tags to `upstream` -- **OR** -- [ ] No backports + - [ ] `mullvad-browser` alpha
-### **application-services**: https://gitlab.torproject.org/tpo/applications/application-services -- **NOTE**: we will need to setup a gitlab copy of this repo and update `tor-browser-build` before we can apply security backports here -- [ ] Backport any Android-specific security fixes from Firefox rapid-release - - [ ] Backport patches to `application-services` stable branch - - [ ] Open MR - - [ ] Merge - - [ ] Rebase patches onto `application-services` alpha - - [ ] Sign/Tag commits: - - **Tag**: `application-services-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)` - - **Message**: `Tagging $(BUILD_N) for $(ESR_VERSION)-based stable|alpha` - - [ ] `application-services` stable - - [ ] `application-services` alpha - [ ] Push tags to `upstream` - **OR** - [ ] No backports
+<!-- Do not edit beneath this line <3 -->
-### **android-components (Optional, ESR 102)**: https://gitlab.torproject.org/tpo/applications/android-components.git -- [ ] Backport any Android-specific security fixes from Firefox rapid-release - - **NOTE**: Since November 2022, this repo has been merged with `fenix` into a singular `firefox-android` repo: https://github.com/mozilla-mobile/firefox-android. Any backport will require a patch rewrite to apply to our legacy `android-components` project. - - [ ] Backport patches to `android-components` stable branch - - [ ] Open MR - - [ ] Merge - - [ ] Rebase patches onto `android-components` alpha - - [ ] Sign/Tag commits: - - **Tag**: `android-components-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)` - - **Message**: `Tagging $(BUILD_N) for $(ESR_VERSION)-based stable|alpha)` - - [ ] `android-components` stable - - [ ] `android-components` alpha - - [ ] Push tags to `upstream` -- **OR** -- [ ] No backports - - -### **fenix (Optional, ESR 102)**: https://gitlab.torproject.org/tpo/applications/fenix.git -- [ ] Backport any Android-specific security fixes from Firefox rapid-release - - **NOTE**: Since February 2023, this repo has been merged with `android-components` into a singular `firefox-android` repo: https://github.com/mozilla-mobile/firefox-android. Any backport will require a patch rewrite to apply to our legacy `fenix` project. 
- - [ ] Backport patches to `fenix` stable branch - - [ ] Open MR - - [ ] Merge - - [ ] Rebase patches onto `fenix` alpha - - [ ] Sign/Tag commits: - - **Tag**: `tor-browser-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)` - - **Message**: `Tagging $(BUILD_N) for $(ESR_VERSION)-based stable|alpha)` - - [ ] `fenix` stable - - [ ] `fenix` alpha - - [ ] Push tags to `upstream` -- **OR** -- [ ] No backports - -### **firefox-android**: https://gitlab.torproject.org/tpo/applications/firefox-android -- [ ] Backport any Android-specific security fixes from Firefox rapid-release - - [ ] Backport patches to `firefox-android` stable branch - - [ ] Open MR - - [ ] Merge - - [ ] Rebase patches onto `fenix` alpha - - [ ] Sign/Tag commits: - - **Tag**: `firefox-android-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)` - - **Message**: `Tagging $(BUILD_N) for $(ESR_VERSION)-based stable|alpha)` - - [ ] `firefox-android` stable - - [ ] `firefox-android` alpha - - [ ] Push tags to `upstream` -- **OR** -- [ ] No backports +---
/confidential +/label ~"Apps::Product::TorBrowser" +/label ~"Apps::Product::MullvadBrowser" +/label ~"Apps::Type::Backport" +/label ~"Apps::Priority::Blocker"
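Review bot: The Bookkeeping item now says to link the Release Prep issues for "alpha, stable, and legacy", but the cherry-pick and Sign/Tag checklists in the `tor-browser` section list only stable and alpha branches for `base-browser`, `tor-browser` and `mullvad-browser`; add the legacy targets or drop "legacy" from the bookkeeping line. The checklist also still reads "Backport any Android-specific security fixes" although the template is renamed to Security Backports and now covers `mullvad-browser`. The added `sign-tag` command writes its variables as `${PROJECT_NAME}`, `${CHANNEL}` and `${BUILD_N}` while the rest of the template uses the `$(VAR)` form, and `CHANNEL` should be checked against the Explanation of Variables block, which is outside this hunk.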
===================================== .gitlab/issue_templates/Emergency Security Issue.md → .gitlab/issue_templates/090 Emergency Security Issue.md ===================================== @@ -1,3 +1,5 @@ +# 🚨 Emergency Security Issue + **NOTE** This is an issue template to standardise our process for responding to and fixing critical security and privacy vulnerabilities, exploits, etc.
## Information @@ -31,9 +33,10 @@ - [ ] **clairehurst** : Android, macOS - [ ] **dan** : Android, macOS - [ ] **henry** : accessibility, frontend, localisation + - [ ] **jwilde** : windows, firefox internals - [ ] **ma1** : firefox internals - [ ] **pierov** : updater, fonts, localisation, general - - [ ] **richard** : signing, release + - [ ] **morgan** : signing, release - [ ] **thorin** : fingerprinting - [ ] Other Engineering Teams - [ ] Networking (**ahf**, **dgoulet**) @@ -80,11 +83,20 @@ Sometimes fixes have side-effects: users lose their data, roadmaps need to be ad - [ ] **(Optional)** **gazebook** - if there are consequences to the organisation or partners beyond a browser update, then a communication plan may be needed
+Godspeed! :pray: + +<!-- Do not edit beneath this line <3 --> + +--- + /cc @bella /cc @ma1 /cc @micah -/cc @richard +/cc @morgan
/confidential
-Godspeed! :pray: +/label ~"Apps::Product::TorBrowser" +/label ~"Apps::Product::MullvadBrowser" +/label ~"Apps::Type::Bug" +/label ~"Apps::Priority::Blocker"
===================================== .gitlab/issue_templates/QA - Desktop.md → .gitlab/issue_templates/100 Release QA - Desktop.md ===================================== @@ -1,9 +1,11 @@ +# ✅ Release QA - Desktop + Manual QA test check-list for major desktop releases. Please copy/paste form into your own comment, fill out relevant info and run through the checklist!
<details> <summary>Tor Browser Desktop QA Checklist</summary>
-```markdown +``` # System Information
- Version: Tor Browser XXX @@ -25,6 +27,8 @@ Manual QA test check-list for major desktop releases. Please copy/paste form int - [ ] Language notification/message bar - [ ] Spoof English - [ ] Check especially the recently added strings + - [ ] New Locales + - [ ] Bulgarian, Belarusian, Portuguese (PT) - [ ] UI Customisations: - [ ] New Identity - [ ] Toolbar icon @@ -53,8 +57,9 @@ Manual QA test check-list for major desktop releases. Please copy/paste form int - [ ] Betterboxing - [ ] Reuse last window size - [ ] Content alignment + - [ ] Window size indicator on window resize - [ ] No letterboxing: - - [ ]empty tabs or privileged pages (eg: about:blank, about:about) + - [ ] empty tabs or privileged pages (eg: about:blank, about:about) - [ ] full-screen video - [ ] pdf viewer - [ ] reader-mode @@ -96,8 +101,9 @@ Manual QA test check-list for major desktop releases. Please copy/paste form int ## Connectivity + Anti-Censorship - [ ] Tor daemon config by environment variables - https://gitlab.torproject.org/tpo/applications/team/-/wikis/Environment-vari... -- [ ] Internet Test ( about:preferences#connection ) - - [ ] Fails when offline +- [ ] Internet Test ( bootstrap, also visible in about:preferences#connection ) + - [ ] Fails when offline (Goes to offline about:neterror) + - **NOTE**: platform dependent, expected that Linux will just try to bootstrap forever - [ ] Succeeds when online - [ ] Bridges: - Bootstrap @@ -122,7 +128,8 @@ Manual QA test check-list for major desktop releases. Please copy/paste form int - [ ] Succeeds when not bootstrapped - **TODO**: Lox - [ ] Connect Assist - - Useful pref: `torbrowser.debug.censorship_level` + - Useful pref: `torbrowser.debug.censorship_level` (0-5; least to most censored) + - [ ] Connect Automatically checkbox triggers bootstrapping after one successful bootstrap attempt - [ ] Auto-bootstrap updates Tor connection settings on success - [ ] Auto-bootstrap restore previous Tor connection settings on failure
@@ -147,10 +154,14 @@ Manual QA test check-list for major desktop releases. Please copy/paste form int - **TODO** client auth - [ ] **TODO**: .securedrop.tor.onion - [ ] **TODO**: onion-service alt-svc -- [ ] HTML5 Video: https://tekeye.uk/html/html5-video-test-page - - [ ] MPEG4 - - [ ] WebM - - [ ] Ogg +- [ ] HTML5 Video: https://onion-tests.pierov.org/video.html + - [ ] H264 + - [ ] VP9 + - [ ] VP8 + - [ ] AV1 + - [ ] Theora + - [ ] MPEG4 + mp3: only audio should work + - [ ] HEVC + AAC: should not work - [ ] WebSocket Test: https://websocketking.com/
## External Components @@ -159,6 +170,43 @@ Manual QA test check-list for major desktop releases. Please copy/paste form int - [ ] Not removable from about:addons - [ ] Tests: https://test-data.tbb.torproject.org/test-data/noscript/ - **TODO**: fix test pages + +## Tor Settings (about:preferences#connection) +- [ ] Proxy + - [ ] Bad Proxy Address Reports Error; e.g. any bad bad proxy address/port/etc + - [ ] On initial failure gives error modal + - [ ] On browser restart, will also give an error if provided a bad setting + - [ ] Good Proxy Works + - [ ] SOCKS5 +- [ ] Bridge + - [ ] Bad Bridge Fails with error modal; eg: `0:0` + - [ ] Modifying Bridges *during* bootstrap should cancel bootstrap +- [ ] Firewall + - [ ] UI shouldn't accept bad ports (e.g. invalid port numbers, non-numbers, etc) +- [ ] Each individual setting type has it's own validation (i.e. not all or nothing anymore) + ```
</details> + +Please lay claim to a platform in the comments: + +- Windows + - Windows 10, Windows 11 + - x86 + - x86_64 +- macOS + - 10.15, 15.x + - x86_64 + - aarch64 +- Linux + - x86 + - x86_64 + +<!-- Do not edit beneath this line <3 --> + +--- + +/label ~"Apps::Product::TorBrowser" +/label ~"Apps::Type::Test" +/label ~"Apps::Priority::Blocker"
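Review bot: The new Tor Settings checklist has wording slips that will be copied into every QA comment: "any bad bad proxy address/port/etc" repeats a word, and "has it's own validation" should be "its". "Bad Bridge Fails with error modal; eg: `0:0`" also uses "eg:" where the neighbouring Proxy and Firewall items use "e.g.".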
===================================== .gitlab/issue_templates/QA - Android.md → .gitlab/issue_templates/101 Release QA - Android.md ===================================== @@ -1,7 +1,11 @@ +# ✅ Release QA - Android + Manual QA test check-list for major android releases. Please copy/paste form into your own comment, fill out relevant info and run through the checklist! + <details> <summary>Tor Browser Android QA Checklist</summary> -```markdown + +``` # System Information
- Version: Tor Browser XXX @@ -19,6 +23,11 @@ Manual QA test check-list for major android releases. Please copy/paste form int - [ ] Fingerprinting resistance: https://arkenfox.github.io/TZP/tzp.html - [ ] Security level (Standard, Safer, Safest) - **TODO**: test pages verifying correct behaviour +- [ ] Bookmarks: for now ensure adding/removing/etc work as expected and doesn't busy-spin + +### Localisation +- [ ] New Locales + - [ ] Bulgarian, Belarusian, Portuguese (PT)
## Proxy safety - [ ] Tor exit test: https://check.torproject.org @@ -30,6 +39,8 @@ Manual QA test check-list for major android releases. Please copy/paste form int - [ ] DNS leaks: https://dnsleaktest.com
## Connectivity + Anti-Censorship +- [ ] Internet Test (try connect assist while actually offline) + - [ ] We expect this to fail but we should see what it actually does - [ ] Bridges: - Bootstrap - Browse: https://check.torproject.org @@ -41,6 +52,11 @@ Manual QA test check-list for major android releases. Please copy/paste form int - [ ] obfs4 from https://bridges.torproject.org - [ ] webtunnel from https://bridges.torproject.org - [ ] conjure from [gitlab](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/conju...) +- [ ] Connect Assist + - Useful pref: `torbrowser.debug.censorship_level` (0-5; least to most censored) + - [ ] Connect Automatically checkbox triggers bootstrapping after one successful bootstrap attempt + - [ ] Auto-bootstrap updates Tor connection settings on success + - [ ] Auto-bootstrap restore previous Tor connection settings on failure
## Web Browsing - [ ] HTTPS-Only: http://http.badssl.com @@ -54,10 +70,14 @@ Manual QA test check-list for major android releases. Please copy/paste form int - **TODO** client auth - [ ] **TODO**: .securedrop.tor.onion - [ ] **TODO**: onion-service alt-svc -- [ ] HTML5 Video: https://tekeye.uk/html/html5-video-test-page - - [ ] MPEG4 - - [ ] WebM - - [ ] Ogg +- [ ] HTML5 Video: https://onion-tests.pierov.org/video.html + - [ ] H264 + - [ ] VP9 + - [ ] VP8 + - [ ] AV1 + - [ ] Theora + - [ ] MPEG4 + mp3: only audio should work + - [ ] HEVC + AAC: should not work - [ ] WebSocket Test: https://websocketking.com/
## External Components @@ -69,3 +89,19 @@ Manual QA test check-list for major android releases. Please copy/paste form int ```
</details> + +Please lay claim to an architecture in the comments: + +Architectures: +- x86 +- x86_64 +- arm32 +- aarch64 + +<!-- Do not edit beneath this line <3 --> + +--- + +/label ~"Apps::Product::TorBrowser" +/label ~"Apps::Type::Test" +/label ~"Apps::Priority::Blocker"
===================================== .gitlab/issue_templates/110 Bugzilla Triage.md ===================================== 
@@ -0,0 +1,56 @@ +# 📋 Bugzilla Triage + +**NOTE** This issue presumes the branches and tags for the next Firefox release have already been created in tor-browser.git + +- [ ] Generate Bugzilla triage CSV + - Run (from `tor-browser-build` root): + ```bash + ./tools/browser/generate-bugzilla-triage-csv ${FIREFOX_VERSION} ${PREVIOUS_NIGHTLY_TAG} ${NEXT_NIGHLTY_TAG} ${TRIAGE_ISSUE_NUMBER} ${REVIEWERS} > out.csv + ``` + - `${FIREFOX_VERSION}`: the major Firefox version of the nightly to review + - **Example**: 129 + - `${PREVIOUS_NIGHTLY_TAG}`: the nightly 'end' tag of the previous major Firefox version + - **Example**: `FIREFOX_NIGHTLY_128_END` + - `${NEXT_NIGHLTY_TAG}`: the nightly 'end' tag of the next major Firefox version we are reviewing + - **Example**: `FIREFOX_NIGHTLY_129_END` + - `${TRIAGE_ISSUE_NUMBER}`: this `tor-browser` issue + - **Example**: `43303` + - `${REVIEWERS}`: `morgan` and two additional devs to triage this Firefox version + - `boklm` + - `brizental` + - `clairehurst` + - `dan` + - `henry` + - `jwilde` + - `ma1` + - `pierov` + - **Example**: + ```bash + ./tools/browser/generate-bugzilla-triage-csv 129 FIREFOX_NIGHTLY_128_END FIREFOX_NIGHTLY_129_END 43303 morgan pierov henry > 129.csv + ``` +- [ ] Attach the generated CSV file to the triage isssue +- [ ] Import to Google Sheets ( https://sheets.google.com ) + - [ ] Create blank spreadsheet + - [ ] **Title**: `Bugzilla Triage ${VERSION}` + - [ ] Import CSV: File > Import > Upload + - **Import location**: "Replace spreadsheet" + - **Separator type**: "Comma" + - **Convert text to numbers, dates, and fomulas**: "✅" + - [ ] Convert 'Review' column's issue cells to check-boxes: + - Select relevant cells (i.e.: `A2:A1554` for in the 129 triage) + - Insert > Checkbox + - [ ] Convert 'Triaged by' cells to check-boxes + - [ ] Share Spreadsheet + - 🔒 Share > General access + - Change `Restricted` to `Anyone with the link` + - Post link in an internal note on this issue +- [ ] Page requested reviewers to 
this issue +- [ ] Triage Completed by: + - [ ] morgan + - [ ] reviewer 1 <!-- replace with reviewer name :) --> + - [ ] reviewer 2 <!-- replace with reviewer name :) --> + +/label ~"esr-140" +/label ~"Apps::Product::TorBrowser" +/label ~"Apps::Type::Audit" +/label ~"Apps::Priority::Blocker"
===================================== .gitlab/issue_templates/Bugzilla Audit.md → .gitlab/issue_templates/120 Bugzilla Audit.md ===================================== @@ -1,3 +1,4 @@ +# 🔍 Bugzilla Audit <!-- Title: Review Mozilla <bugzilla-num>: <bugzilla-description> @@ -5,10 +6,16 @@ Title:
**Bugzilla**: https://bugzilla.mozilla.org/show_bug.cgi?id=
-<!-- briefly describe why this issue needs further review --> +## Description
+<!-- Briefly describe why this issue needs further review --> + +<!-- Do not edit beneath this line <3 --> + +---
<!-- Make sure the "esr-" label is the correct version: --> /label ~"esr-140" - -/label ~"Bugzilla Review" ~"Apps::Type::Audit" +/label ~"Apps::Product::TorBrowser" +/label ~"Apps::Type::Audit" +/label ~"Apps::Priority::Blocker"
===================================== .gitlab/issue_templates/Bugzilla Triage.md deleted ===================================== 
@@ -1,51 +0,0 @@ - # Bugzilla Triage - - **NOTE** This issue presumes the branches and tags for the next Firefox release have already been created in tor-browser.git - - - [ ] Generate Bugzilla triage CSV - - Run (from `tor-browser-build` root): - ```bash - ./tools/browser/generate-bugzilla-triage-csv ${FIREFOX_VERSION} ${PREVIOUS_NIGHTLY_TAG} ${NEXT_NIGHLTY_TAG} ${TRIAGE_ISSUE_NUMBER} ${REVIEWERS} > out.csv - ``` - - `${FIREFOX_VERSION}`: the major Firefox version of the nightly to review - - **Example**: 129 - - `${PREVIOUS_NIGHTLY_TAG}`: the nightly 'end' tag of the previous major Firefox version - - **Example**: `FIREFOX_NIGHTLY_128_END` - - `${NEXT_NIGHLTY_TAG}`: the nightly 'end' tag of the next major Firefox version we are reviewing - - **Example**: `FIREFOX_NIGHTLY_129_END` - - `${TRIAGE_ISSUE_NUMBER}`: this `tor-browser` issue - - **Example**: `43303` - - `${REVIEWERS}`: `morgan` and two additional devs to triage this Firefox version - - `boklm` - - `brizental` - - `clairehurst` - - `dan` - - `henry` - - `jwilde` - - `ma1` - - `pierov` - - **Example**: - ```bash - ./tools/browser/generate-bugzilla-triage-csv 129 FIREFOX_NIGHTLY_128_END FIREFOX_NIGHTLY_129_END 43303 morgan pierov henry > 129.csv - ``` - - [ ] Attach the generated CSV file to the triage isssue - - [ ] Import to Google Sheets ( https://sheets.google.com ) - - [ ] Create blank spreadsheet - - [ ] **Title**: `Bugzilla Triage ${VERSION}` - - [ ] Import CSV: File > Import > Upload - - **Import location**: "Replace spreadsheet" - - **Separator type**: "Comma" - - **Convert text to numbers, dates, and fomulas**: "✅" - - [ ] Convert 'Review' column's issue cells to check-boxes: - - Select relevant cells (i.e.: `A2:A1554` for in the 129 triage) - - Insert > Checkbox - - [ ] Convert 'Triaged by' cells to check-boxes - - [ ] Share Spreadsheet - - 🔒 Share > General access - - Change `Restricted` to `Anyone with the link` - - Post link in an internal note on this issue - - [ ] Page requested reviewers to 
this issue - - [ ] Triage Completed by: - - [ ] morgan - - [ ] reviewer 1 <!-- replace with reviewer name :) --> - - [ ] reviewer 2 <!-- replace with reviewer name :) -->
===================================== .gitlab/issue_templates/Default.md ===================================== @@ -0,0 +1,26 @@ +# Open a new Issue + +Please select the appropriate issue template from the **Description** drop-down. + +--- + +- 🐞 **Bug Report** - report a problem with the browser +- 💡 **Proposal** - suggest a new feature +- 🌐 **Web Compatibility** - report a broken website + +*NOTE*: the following issue types are intended for internal use + +- 💣 **Test** - develop a test or update testing infrastructure +- ✨ **Feature** - implement new features +- ⬅️ **Backport** - cherry-pick change to other release channels +- ⤵️ **Rebase - Alpha** - rebase alpha to latest Firefox ESR version +- ⤵️ **Rebase - Stable** - rebase stable to latest Firefox ESR version +- ⤵️ **Rebase - Legacy** - rebase legacy to latest Firefox ESR 115 version +- ⤵️ **Rebase - Rapid** - rebase rapid to latest Firefox Nightly version +- ⬆️ **Uplift** - uplift change to upstream project +- 🛡️ **Security Backports** - cherry-pick security fixes from Firefox +- 🚨 **Emergency Security Issue** - manage fixing and publishing a critical security fix +- ✅ **Release QA - Desktop** - test and verify functionality of our Desktop release +- ✅ **Release QA - Android** - test and verify functionality of our Android release +- 📋 **Bugzilla Triage** - identify upstream Firefox issues which need to be audited +- 🔍 **Bugzilla Audit** - determine if/how an upstream change affects the browser
===================================== .gitlab/issue_templates/bug.md deleted ===================================== @@ -1,32 +0,0 @@ -<!-- -* Use this issue template for reporting a new bug. ---> - -### Summary -**Summarize the bug encountered concisely.** - - -### Steps to reproduce: -**How one can reproduce the issue - this is very important.** - -1. Step 1 -2. Step 2 -3. ... - -### What is the current bug behavior? -**What actually happens.** - - -### What is the expected behavior? -**What you want to see instead** - - - -### Environment -**Which operating system are you using? For example: Debian GNU/Linux 10.1, Windows 10, Ubuntu Xenial, FreeBSD 12.2, etc.** -**Which installation method did you use? Distribution package (apt, pkg, homebrew), from source tarball, from Git, etc.** - -### Relevant logs and/or screenshots - - -/label ~"Apps::Type::Bug"
===================================== .gitlab/merge_request_templates/default.md → .gitlab/merge_request_templates/Default.md ===================================== @@ -66,6 +66,7 @@ - **accessibility** : henry - **android** : clairehurst, dan - **build system** : boklm + - **ci/cd**: brizental, henry - **extensions** : ma1 - **firefox internals (XUL/JS/XPCOM)** : jwilde, ma1 - **fonts** : pierov @@ -74,7 +75,7 @@ - **localization** : henry, pierov - **macOS** : clairehurst, dan - **nightly builds** : boklm - - **rebases/release-prep** : dan, ma1, pierov, morgan + - **rebases/release-prep** : brizental, clairehurst, dan, ma1, pierov, morgan - **security** : jwilde, ma1 - **signing** : boklm, morgan - **updater** : pierov
===================================== .gitlab/merge_request_templates/Rebase.md deleted ===================================== @@ -1,23 +0,0 @@ -## Merge Info - -<!-- Bookkeeping information for release management --> - -### Rebase Issue -- tor-browser#xxxxx -- mullvad-browser#xxxxx - -### Release Prep Issue -- tor-browser-build#xxxxx - -### Issue Tracking -- [ ] Link rebase issue with appropriate [Release Prep issue](https://gitlab.torproject.org/groups/tpo/applications/-/issues/?sort=updated...) for changelog generation - -### Review - -#### Request Reviewer - -- [ ] Request review from a release engineer: boklm, dan, ma1, morgan, pierov - -#### Change Description - -<!-- Any interesting notes about the rebase and an overview of what the reviewer should expect from the diff of diffs and range-diff -->
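Review bot: in the `- [ ] HTML5 Video` hunk (the same change appears in both `100 Release QA - Desktop.md` and `101 Release QA - Android.md`), only two of the seven codec items state an expected result: `MPEG4 + mp3: only audio should work` and `HEVC + AAC: should not work`. H264, VP9, VP8, AV1 and Theora have no pass criterion, so two testers can tick the same box for different observed behaviour. Suggest adding the expected outcome to each of those five items in the same "should work / should not work" form.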
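Review bot: in the new `## Tor Settings (about:preferences#connection)` section of `100 Release QA - Desktop.md`, the Proxy item reads "any bad bad proxy address/port/etc" (doubled word) and the last item reads "has it's own validation" (should be "its"). The Bridge item gives a concrete failing input (`0:0`); the Proxy and Firewall items would be easier to run consistently if each also named one concrete bad value rather than "invalid port numbers, non-numbers, etc".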
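Review bot: in the `## Connectivity + Anti-Censorship` hunk of `101 Release QA - Android.md`, the new `Internet Test` item has no defined outcome: its only sub-item is "We expect this to fail but we should see what it actually does". A checkbox with no pass condition cannot be ticked meaningfully; suggest rewording it as an instruction to record the observed behaviour in the comment (for example the error shown and whether the UI recovers), or stating the expected error once it is known.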
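Review bot: in the new `Connect Assist` block of `101 Release QA - Android.md`, the pref `torbrowser.debug.censorship_level` (0-5) is mentioned as useful, but none of the three check items says which levels to exercise, so coverage is left to each tester. Suggest naming the levels that must be tried for the success and failure items. Also, "Auto-bootstrap restore previous Tor connection settings on failure" should read "restores", and "after one successful bootstrap attempt" is ambiguous about whether it means the next launch or the same session.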
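Review bot: in the new `110 Bugzilla Triage.md`, the "Share Spreadsheet" step changes General access from `Restricted` to `Anyone with the link`, while the next step posts that link only in an internal note. The sheet is then readable by anyone who obtains the URL, not just the people who can see the note; if the triage data is meant to stay internal, suggest sharing with the named reviewers instead, or saying in the template why link-only access is acceptable. The file was moved over unchanged from the deleted `Bugzilla Triage.md`, so it still carries the misspelled placeholder `${NEXT_NIGHLTY_TAG}` (in both the command and its description) and the typos "isssue" and "fomulas". The trailing `/label ~"esr-140"` has neither the "Make sure the "esr-" label is the correct version" comment nor the "Do not edit beneath this line" separator that `120 Bugzilla Audit.md` gets in this same change, and the worked example in the template is for version 129.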
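Review bot: in `merge_request_templates/Default.md`, the added line `- **ci/cd**: brizental, henry` puts the colon directly after the bold label, whereas every neighbouring entry uses ` : ` (for example `- **build system** : boklm`); suggest matching the existing spacing. Separately, the deleted `Rebase.md` asked for review from "boklm, dan, ma1, morgan, pierov", while the updated `rebases/release-prep` line lists brizental, clairehurst, dan, ma1, pierov, morgan; boklm is no longer a listed reviewer for rebases, which is worth confirming as intended since `Rebase.md` is removed in the same change.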
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/dd6ad90...