richard pushed to branch main at The Tor Project / Applications / tor-browser-build
Commits:
-
aafb2ab9
by Richard Pospesel at 2023-06-20T21:22:57+00:00
-
82bb2187
by Richard Pospesel at 2023-06-20T21:22:59+00:00
5 changed files:
- + .gitlab/issue_templates/Release Prep - Mullvad Browser Alpha.md
- .gitlab/issue_templates/Release Prep - Mullvad Browser Stable.md
- .gitlab/issue_templates/Release Prep - Tor Browser Alpha.md
- .gitlab/issue_templates/Release Prep - Tor Browser Stable.md
- .gitlab/merge_request_templates/default.md
Changes:
1 | +<details>
|
|
2 | + <summary>Explanation of variables</summary>
|
|
3 | + |
|
4 | +- `$(BUILD_SERVER)` : the server the main builder is using to build a mullvad-browser release
|
|
5 | +- `$(BUILDER)` : whomever is building the release on the $(BUILD_SERVER)
|
|
6 | + - **example** : `pierov`
|
|
7 | +- `$(STAGING_SERVER)` : the server the signer is using to to run the signing process
|
|
8 | +- `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building mullvad-browser tags, labels, etc
|
|
9 | + - **example** : `91.6.0`
|
|
10 | +- `$(MULLVAD_BROWSER_MAJOR)` : the Mullvad Browser major version
|
|
11 | + - **example** : `11`
|
|
12 | +- `$(MULLVAD_BROWSER_MINOR)` : the Mullvad Browser minor version
|
|
13 | + - **example** : either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
|
|
14 | +- `$(MULLVAD_BROWSER_VERSION)` : the Mullvad Browser version in the format
|
|
15 | + - **example** : `12.5a3`, `12.0.3`
|
|
16 | +- `$(BUILD_N)` : a project's build revision within a its branch; this is separate from the `$(MULLVAD_BROWSER_BUILD_N)` value; many of the Firefox-related projects have a `$(BUILD_N)` suffix and may differ between projects even when they contribute to the same build.
|
|
17 | + - **example** : `build1`
|
|
18 | +- `$(MULLVAD_BROWSER_BUILD_N)` : the mullvad-browser build revision for a given Mullvad Browser release; used in tagging git commits
|
|
19 | + - **example** : `build2`
|
|
20 | + - **NOTE** : A project's `$(BUILD_N)` and `$(MULLVAD_BROWSER_BUILD_N)` may be the same, but it is possible for them to diverge. For **example** :
|
|
21 | + - if we have multiple Mullvad Browser releases on a given ESR branch the two will become out of sync as the `$(BUILD_N)` value will increase, while the `$(MULLVAD_BROWSER_BUILD_N)` value may stay at `build1` (but the `$(MULLVAD_BROWSER_VERSION)` will increase)
|
|
22 | + - if we have build failures unrelated to `mullvad-browser`, the `$(MULLVAD_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same.
|
|
23 | +- `$(MULLVAD_BROWSER_VERSION)` : the published Mullvad Browser version
|
|
24 | + - **example** : `11.5a6`, `11.0.7`
|
|
25 | +- `$(MB_BUILD_TAG)` : the `tor-browser-build` build tag used to build a given Mullvad Browser version
|
|
26 | + - **example** : `mb-12.0.7-build1`
|
|
27 | +</details>
|
|
28 | + |
|
29 | +**NOTE** It is assumed that the `tor-browser` alpha rebase and security backport tasks have been completed
|
|
30 | + |
|
31 | +<details>
|
|
32 | + <summary>Building</summary>
|
|
33 | + |
|
34 | +### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git
|
|
35 | +Mullvad Browser Alpha (and Nightly) are on the `main` branch
|
|
36 | + |
|
37 | +- [ ] Update `rbm.conf`
|
|
38 | + - [ ] `var/torbrowser_version` : update to next version
|
|
39 | + - [ ] `var/torbrowser_build` : update to `$(MULLVAD_BROWSER_BUILD_N)`
|
|
40 | + - [ ] `var/torbrowser_incremental_from` : update to previous Desktop version
|
|
41 | + - **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make mullvadbrowser-incrementals-*` step will fail
|
|
42 | +- [ ] Update build configs
|
|
43 | + - [ ] Update `projects/firefox/config`
|
|
44 | + - [ ] `browser_build` : update to match `mullvad-browser` tag
|
|
45 | + - [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased
|
|
46 | + - [ ] Update `projects/translation/config`:
|
|
47 | + - [ ] run `make list_translation_updates-alpha` to get updated hashes
|
|
48 | + - [ ] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch
|
|
49 | + - [ ] `steps/base-browser-fluent/git_hash` : update with `HEAD` commit of project's `basebrowser-newidentityftl` branch
|
|
50 | +- [ ] Update common build configs
|
|
51 | + - [ ] Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript
|
|
52 | + - [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/browser/config`
|
|
53 | + - [ ] `URL`
|
|
54 | + - [ ] `sha256sum`
|
|
55 | + - [ ] Check for uBlock-origin updates here : https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/
|
|
56 | + - [ ] ***(Optional)*** If new version available, update `ublock-origin` section of `input_files` in `projects/browser/config`
|
|
57 | + - [ ] `URL`
|
|
58 | + - [ ] `sha256sum`
|
|
59 | + - [ ] Check for Mullvad Privacy Companion updates here : https://github.com/mullvad/browser-extension/releases
|
|
60 | + - [ ] ***(Optional)*** If new version available, update `mullvad-extension` section of `input_files` in `projects/browser/config`
|
|
61 | + - [ ] `URL`
|
|
62 | + - [ ] `sha256sum`
|
|
63 | +- [ ] Open MR with above changes
|
|
64 | +- [ ] Merge
|
|
65 | +- [ ] Sign/Tag commit: `make mullvadbrowser-signtag-alpha`
|
|
66 | +- [ ] Push tag to `origin`
|
|
67 | +- [ ] Begin build on `$(BUILD_SERVER)` (fix any issues in subsequent MRs)
|
|
68 | +- [ ] **TODO** Submit build-tag to Mullvad build infra
|
|
69 | +- [ ] Ensure builders have matching builds
|
|
70 | + |
|
71 | +</details>
|
|
72 | + |
|
73 | +<details>
|
|
74 | + <summary>QA</summary>
|
|
75 | + |
|
76 | +### send the build
|
|
77 | + |
|
78 | + - [ ] Email Mullvad QA: support@mullvad.net, rui@mullvad.net
|
|
79 | + <details>
|
|
80 | + <summary>email template</summary>
|
|
81 | + |
|
82 | + Subject:
|
|
83 | + New build: Mullvad Browser $(MULLVAD_BROWSER_VERION) (unsigned)
|
|
84 | + |
|
85 | + Body:
|
|
86 | + unsigned builds: https://tb-build-05.torproject.org/~$(BUILDER)/builds/mullvadbrowser/release/unsigned/$(MB_BUILD_TAG)
|
|
87 | + |
|
88 | + changelog:
|
|
89 | + ...
|
|
90 | + |
|
91 | + </details>
|
|
92 | + |
|
93 | + - ***(Optional)*** Add additional information:
|
|
94 | + - [ ] Note any new functionality which needs testing
|
|
95 | + - [ ] Link to any known issues
|
|
96 | + |
|
97 | +</details>
|
|
98 | + |
|
99 | +<details>
|
|
100 | + <summary>Signing</summary>
|
|
101 | + |
|
102 | +### signing
|
|
103 | +- [ ] On `$(STAGING_SERVER)`, ensure updated:
|
|
104 | + - [ ] `tor-browser-build/tools/signing/set-config.hosts`
|
|
105 | + - `ssh_host_builder` : ssh hostname of machine with unsigned builds
|
|
106 | + - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory)
|
|
107 | + - `ssh_host_linux_signer` : ssh hostname of linux signing machine
|
|
108 | + - `ssh_host_macos_signer` : ssh hostname of macOS signing machine
|
|
109 | + - [ ] `tor-browser-build/tools/signing/set-config.macos-notarization`
|
|
110 | + - `macos_notarization_user` : the email login for a mullvad notariser Apple Developer account
|
|
111 | + - [ ] `set-config.update-responses`
|
|
112 | + - `update_responses_repository_dir` : directory where you cloned `git@gitlab.torproject.org:tpo/applications/mullvad-browser-update-responses.git`
|
|
113 | + - [ ] `tor-browser-build/tools/signing/set-config.tbb-version`
|
|
114 | + - `tbb_version` : mullvad browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`)
|
|
115 | + - `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`)
|
|
116 | + - `tbb_version_type` : either `alpha` for alpha releases or `release` for stable releases
|
|
117 | +- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, run the macOS proxy script:
|
|
118 | + - `cd tor-browser-build/tools/signing/`
|
|
119 | + - `./macos-signer-proxy`
|
|
120 | +- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
|
|
121 | +- [ ] run do-all-signing script:
|
|
122 | + - `cd tor-browser-build/tools/signing/`
|
|
123 | + - `./do-all-signing.mullvadbrowser`
|
|
124 | +- **NOTE**: at this point the signed binaries should have been copied to `staticiforme`
|
|
125 | +- [ ] Update `staticiforme.torproject.org`:
|
|
126 | + - From `screen` session on `staticiforme.torproject.org`:
|
|
127 | + - [ ] Static update components : `static-update-component dist.torproject.org`
|
|
128 | + - [ ] Remove old release data from `/srv/dist-master.torproject.org/htdocs/mullvadbrowser`
|
|
129 | + - [ ] Static update components (again) : `static-update-component dist.torproject.org`
|
|
130 | + |
|
131 | +</details>
|
|
132 | + |
|
133 | +<details>
|
|
134 | + <summary>Publishing</summary>
|
|
135 | + |
|
136 | +### email
|
|
137 | + |
|
138 | +- [ ] Email Mullvad with release information: support@mullvad.net, rui@mullvad.net
|
|
139 | + <details>
|
|
140 | + <summary>email template</summary>
|
|
141 | + |
|
142 | + Subject:
|
|
143 | + New build: Mullvad Browser $(MULLVAD_BROWSER_VERION) (signed)
|
|
144 | + |
|
145 | + Body:
|
|
146 | + signed builds: https://dist.torproject.org/mullvadbrowser/$(MULLVAD_BROWSER_VERSION)
|
|
147 | + |
|
148 | + update_response hashes: $(MULLVAD_UPDATE_RESPONSES_HASH)
|
|
149 | + |
|
150 | + changelog:
|
|
151 | + ...
|
|
152 | + |
|
153 | + </details>
|
|
154 | + |
|
155 | +### mullvad-browser (github): https://github.com/mullvad/mullvad-browser/
|
|
156 | +- [ ] Push this release's associated `mullvad-browser.git` branch to github
|
|
157 | +- [ ] Push this release's associated tags to github:
|
|
158 | + - [ ] Firefox ESR tag
|
|
159 | + - **example** : `FIREFOX_102_12_0esr_BUILD1,`
|
|
160 | + - [ ] `base-browser` tag
|
|
161 | + - **example** : `base-browser-102.12.0esr-12.0-1-build1`
|
|
162 | + - [ ] `mullvad-browser` tag
|
|
163 | + - **example** : `mullvad-browser-102.12.0esr-12.0-1-build1`
|
|
164 | +- [ ] Sign+Tag additionally the `mullvad-browser.git` `firefox` commit used in build:
|
|
165 | + - **Tag**: `$(MULLVAD_BROWSER_VERSION)`
|
|
166 | + - **example** : `12.5a7`
|
|
167 | + - **Message**: `$(ESR_VERSION)esr-based $(MULLVAD_BROWSER_VERSION)`
|
|
168 | + - **example** : `102.12.0esr-based 12.5a7`
|
|
169 | + - [ ] Push tag to github
|
|
170 | + |
|
171 | +</details>
|
|
172 | + |
|
173 | +<details>
|
|
174 | + <summary>Downstream</summary>
|
|
175 | + |
|
176 | +### notify packagers
|
|
177 | + |
|
178 | +- [ ] **(Optional, Once Mullvad Updates their Github Releases Page)** Email downstream consumers:
|
|
179 | + <details>
|
|
180 | + <summary>email template</summary>
|
|
181 | + |
|
182 | + ...
|
|
183 | + |
|
184 | + ...
|
|
185 | + |
|
186 | + </details>
|
|
187 | + |
|
188 | + - **NOTE**: This is an optional step and only necessary close a major release/transition from alpha to stable, or if there are major packing changes these developers need to be aware of
|
|
189 | + - [ ] flathub package maintainer: proletarius101@protonmail.com
|
|
190 | + - [ ] arch package maintainer: bootctl@gmail.com
|
|
191 | + - [ ] nixOS package maintainer: dev@felschr.com
|
|
192 | + |
|
193 | +</details>
|
|
194 | + |
|
195 | +/label ~"Release Prep" |
... | ... | @@ -2,32 +2,36 @@ |
2 | 2 | <summary>Explanation of variables</summary>
|
3 | 3 | |
4 | 4 | - `$(BUILD_SERVER)` : the server the main builder is using to build a mullvad-browser release
|
5 | +- `$(BUILDER)` : whomever is building the release on the $(BUILD_SERVER)
|
|
6 | + - **example** : `pierov`
|
|
5 | 7 | - `$(STAGING_SERVER)` : the server the signer is using to to run the signing process
|
6 | 8 | - `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building mullvad-browser tags, labels, etc
|
7 | - - example : `91.6.0`
|
|
9 | + - **example** : `91.6.0`
|
|
8 | 10 | - `$(MULLVAD_BROWSER_MAJOR)` : the Mullvad Browser major version
|
9 | - - example : `11`
|
|
11 | + - **example** : `11`
|
|
10 | 12 | - `$(MULLVAD_BROWSER_MINOR)` : the Mullvad Browser minor version
|
11 | - - example : either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
|
|
13 | + - **example** : either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
|
|
12 | 14 | - `$(MULLVAD_BROWSER_VERSION)` : the Mullvad Browser version in the format
|
13 | - - example: `12.5a3`, `12.0.3`
|
|
15 | + - **example** : `12.5a3`, `12.0.3`
|
|
14 | 16 | - `$(BUILD_N)` : a project's build revision within a its branch; this is separate from the `$(MULLVAD_BROWSER_BUILD_N)` value; many of the Firefox-related projects have a `$(BUILD_N)` suffix and may differ between projects even when they contribute to the same build.
|
15 | - - example : `build1`
|
|
17 | + - **example** : `build1`
|
|
16 | 18 | - `$(MULLVAD_BROWSER_BUILD_N)` : the mullvad-browser build revision for a given Mullvad Browser release; used in tagging git commits
|
17 | - - example : `build2`
|
|
18 | - - **NOTE** : A project's `$(BUILD_N)` and `$(MULLVAD_BROWSER_BUILD_N)` may be the same, but it is possible for them to diverge. For example :
|
|
19 | - - if we have multiple Mullvad Browser releases on a given ESR branch the two will become out of sync as the `$(BUILD_N)` value will increase, while the `$(MULLVAD_BROWSER_BUILD_N)` value may stay at `build1` (but the `$(MULLVAD_BROWSER_VERSION)` will increase)
|
|
20 | - - if we have build failures unrelated to `mullvad-browser`, the `$(MULLVAD_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same.
|
|
19 | + - **example** : `build2`
|
|
20 | + - **NOTE** : A project's `$(BUILD_N)` and `$(MULLVAD_BROWSER_BUILD_N)` may be the same, but it is possible for them to diverge. For **example** :
|
|
21 | + - if we have multiple Mullvad Browser releases on a given ESR branch the two will become out of sync as the `$(BUILD_N)` value will increase, while the `$(MULLVAD_BROWSER_BUILD_N)` value may stay at `build1` (but the `$(MULLVAD_BROWSER_VERSION)` will increase)
|
|
22 | + - if we have build failures unrelated to `mullvad-browser`, the `$(MULLVAD_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same.
|
|
21 | 23 | - `$(MULLVAD_BROWSER_VERSION)` : the published Mullvad Browser version
|
22 | - - example : `11.5a6`, `11.0.7`
|
|
24 | + - **example** : `11.5a6`, `11.0.7`
|
|
25 | +- `$(MB_BUILD_TAG)` : the `tor-browser-build` build tag used to build a given Mullvad Browser version
|
|
26 | + - **example** : `mb-12.0.7-build1`
|
|
23 | 27 | </details>
|
24 | 28 | |
25 | -**NOTE** It is assumed that the `tor-browser` rebase and security backport tasks have been completed
|
|
29 | +**NOTE** It is assumed that the `tor-browser` stable rebase and security backport tasks have been completed
|
|
26 | 30 | |
27 | 31 | <details>
|
28 | - <summary>Build Configs</summary>
|
|
32 | + <summary>Building</summary>
|
|
29 | 33 | |
30 | -### tor-browser-build: https://gitlab.mullvadproject.org/tpo/applications/tor-browser-build.git
|
|
34 | +### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git
|
|
31 | 35 | Mullvad Browser Stable lives in the various `maint-$(MULLVAD_BROWSER_MAJOR).$(MULLVAD_BROWSER_MINOR)` (and possibly more specific) branches
|
32 | 36 | |
33 | 37 | - [ ] Update `rbm.conf`
|
... | ... | @@ -57,30 +61,55 @@ Mullvad Browser Stable lives in the various `maint-$(MULLVAD_BROWSER_MAJOR).$(MU |
57 | 61 | - [ ] `URL`
|
58 | 62 | - [ ] `sha256sum`
|
59 | 63 | - [ ] Open MR with above changes
|
60 | -- [ ] Begin build on `$(BUILD_SERVER)` (and fix any issues which come up and update MR)
|
|
61 | 64 | - [ ] Merge
|
62 | 65 | - [ ] Sign/Tag commit: `make mullvadbrowser-signtag-release`
|
63 | 66 | - [ ] Push tag to `origin`
|
67 | +- [ ] Begin build on `$(BUILD_SERVER)` (fix any issues in subsequent MRs)
|
|
68 | +- [ ] **TODO** Submit build-tag to Mullvad build infra
|
|
69 | +- [ ] Ensure builders have matching builds
|
|
70 | + |
|
71 | +</details>
|
|
72 | + |
|
73 | +<details>
|
|
74 | + <summary>QA</summary>
|
|
75 | + |
|
76 | +### send the build
|
|
77 | + |
|
78 | + - [ ] Email Mullvad QA: support@mullvad.net, rui@mullvad.net
|
|
79 | + <details>
|
|
80 | + <summary>email template</summary>
|
|
81 | + |
|
82 | + Subject:
|
|
83 | + New build: Mullvad Browser $(MULLVAD_BROWSER_VERION) (unsigned)
|
|
84 | + |
|
85 | + Body:
|
|
86 | + unsigned builds: https://tb-build-05.torproject.org/~$(BUILDER)/builds/mullvadbrowser/release/unsigned/$(MB_BUILD_TAG)
|
|
87 | + |
|
88 | + changelog:
|
|
89 | + ...
|
|
90 | + |
|
91 | + </details>
|
|
92 | + |
|
93 | + - ***(Optional)*** Add additional information:
|
|
94 | + - [ ] Note any new functionality which needs testing
|
|
95 | + - [ ] Link to any known issues
|
|
64 | 96 | |
65 | 97 | </details>
|
66 | 98 | |
67 | 99 | <details>
|
68 | 100 | <summary>Signing</summary>
|
69 | 101 | |
70 | -### signing + publishing
|
|
71 | -- [ ] Ensure builders have matching builds
|
|
102 | +### signing
|
|
72 | 103 | - [ ] On `$(STAGING_SERVER)`, ensure updated:
|
73 | - - [ ] `tor-browser-build/tools/signing/set-config`
|
|
74 | - - `NSS_DB_DIR` : location of the `nssdb7` direcmullvady
|
|
75 | 104 | - [ ] `tor-browser-build/tools/signing/set-config.hosts`
|
76 | 105 | - `ssh_host_builder` : ssh hostname of machine with unsigned builds
|
77 | - - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` direcmullvady)
|
|
106 | + - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory)
|
|
78 | 107 | - `ssh_host_linux_signer` : ssh hostname of linux signing machine
|
79 | 108 | - `ssh_host_macos_signer` : ssh hostname of macOS signing machine
|
80 | 109 | - [ ] `tor-browser-build/tools/signing/set-config.macos-notarization`
|
81 | 110 | - `macos_notarization_user` : the email login for a mullvad notariser Apple Developer account
|
82 | 111 | - [ ] `set-config.update-responses`
|
83 | - - `update_responses_reposimullvady_dir` : direcmullvady where you cloned `git@gitlab.mullvadproject.org:tpo/applications/mullvad-browser-update-responses.git`
|
|
112 | + - `update_responses_repository_dir` : directory where you cloned `git@gitlab.torproject.org:tpo/applications/mullvad-browser-update-responses.git`
|
|
84 | 113 | - [ ] `tor-browser-build/tools/signing/set-config.tbb-version`
|
85 | 114 | - `tbb_version` : mullvad browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`)
|
86 | 115 | - `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`)
|
... | ... | @@ -91,7 +120,7 @@ Mullvad Browser Stable lives in the various `maint-$(MULLVAD_BROWSER_MAJOR).$(MU |
91 | 120 | - [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
|
92 | 121 | - [ ] run do-all-signing script:
|
93 | 122 | - `cd tor-browser-build/tools/signing/`
|
94 | - - `./do-all-signing.sh`
|
|
123 | + - `./do-all-signing.mullvadbrowser`
|
|
95 | 124 | - **NOTE**: at this point the signed binaries should have been copied to `staticiforme`
|
96 | 125 | - [ ] Update `staticiforme.torproject.org`:
|
97 | 126 | - From `screen` session on `staticiforme.torproject.org`:
|
... | ... | @@ -101,19 +130,64 @@ Mullvad Browser Stable lives in the various `maint-$(MULLVAD_BROWSER_MAJOR).$(MU |
101 | 130 | |
102 | 131 | </details>
|
103 | 132 | |
133 | +<details>
|
|
134 | + <summary>Publishing</summary>
|
|
135 | + |
|
136 | +### email
|
|
137 | + |
|
138 | +- [ ] Email Mullvad with release information: support@mullvad.net, rui@mullvad.net
|
|
139 | + <details>
|
|
140 | + <summary>email template</summary>
|
|
141 | + |
|
142 | + Subject:
|
|
143 | + New build: Mullvad Browser $(MULLVAD_BROWSER_VERION) (signed)
|
|
144 | + |
|
145 | + Body:
|
|
146 | + signed builds: https://dist.torproject.org/mullvadbrowser/$(MULLVAD_BROWSER_VERSION)
|
|
147 | + |
|
148 | + update_response hashes: $(MULLVAD_UPDATE_RESPONSES_HASH)
|
|
149 | + |
|
150 | + changelog:
|
|
151 | + ...
|
|
152 | + |
|
153 | + </details>
|
|
154 | + |
|
155 | +### mullvad-browser (github): https://github.com/mullvad/mullvad-browser/
|
|
156 | +- [ ] Push this release's associated `mullvad-browser.git` branch to github
|
|
157 | +- [ ] Push this release's associated tags to github:
|
|
158 | + - [ ] Firefox ESR tag
|
|
159 | + - **example** : `FIREFOX_102_12_0esr_BUILD1,`
|
|
160 | + - [ ] `base-browser` tag
|
|
161 | + - **example** : `base-browser-102.12.0esr-12.0-1-build1`
|
|
162 | + - [ ] `mullvad-browser` tag
|
|
163 | + - **example** : `mullvad-browser-102.12.0esr-12.0-1-build1`
|
|
164 | +- [ ] Sign+Tag additionally the `mullvad-browser.git` `firefox` commit used in build:
|
|
165 | + - **Tag**: `$(MULLVAD_BROWSER_VERSION)`
|
|
166 | + - **example** : `12.0.7`
|
|
167 | + - **Message**: `$(ESR_VERSION)esr-based $(MULLVAD_BROWSER_VERSION)`
|
|
168 | + - **example** : `102.12.0esr-based 12.0.7`
|
|
169 | + - [ ] Push tag to github
|
|
170 | + |
|
171 | +</details>
|
|
172 | + |
|
104 | 173 | <details>
|
105 | 174 | <summary>Downstream</summary>
|
106 | 175 | |
107 | -### notify stakeholders
|
|
176 | +### notify packagers
|
|
177 | + |
|
178 | +- [ ] **(Once Mullvad Updates their Github Releases Page)** Email downstream consumers:
|
|
179 | + <details>
|
|
180 | + <summary>email template</summary>
|
|
181 | + |
|
182 | + ...
|
|
183 | + |
|
184 | + ...
|
|
185 | + |
|
186 | + </details>
|
|
108 | 187 | |
109 | -- [ ] Email Mullvad with release information: rui@mullvad.net
|
|
110 | - - [ ] Build artifact download list
|
|
111 | - - [ ] New `mullvad-browser` project branch and tags
|
|
112 | - - [ ] mullvad-browser-update-responses git hash
|
|
113 | - - [ ] changelog
|
|
114 | -- [ ] Email downstream consumers:
|
|
115 | 188 | - [ ] flathub package maintainer: proletarius101@protonmail.com
|
116 | 189 | - [ ] arch package maintainer: bootctl@gmail.com
|
190 | + - [ ] nixOS package maintainer: dev@felschr.com
|
|
117 | 191 | |
118 | 192 | ### merge requests
|
119 | 193 |
... | ... | @@ -2,28 +2,34 @@ |
2 | 2 | <summary>Explanation of variables</summary>
|
3 | 3 | |
4 | 4 | - `$(BUILD_SERVER)` : the server the main builder is using to build a tor-browser release
|
5 | +- `$(BUILDER)` : whomever is building the release on the $(BUILD_SERVER)
|
|
6 | + - **example** : `pierov`
|
|
5 | 7 | - `$(STAGING_SERVER)` : the server the signer is using to to run the signing process
|
6 | 8 | - `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc
|
7 | - - example : `91.6.0`
|
|
9 | + - **example** : `91.6.0`
|
|
8 | 10 | - `$(TOR_BROWSER_MAJOR)` : the Tor Browser major version
|
9 | - - example : `11`
|
|
11 | + - **example** : `11`
|
|
10 | 12 | - `$(TOR_BROWSER_MINOR)` : the Tor Browser minor version
|
11 | - - example : either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
|
|
13 | + - **example** : either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
|
|
14 | +- `$(TOR_BROWSER_VERSION)` : the Tor Browser version in the format
|
|
15 | + - **example** : `12.5a3`, `12.0.3`
|
|
12 | 16 | - `$(BUILD_N)` : a project's build revision within a its branch; this is separate from the `$(TOR_BROWSER_BUILD_N)` value; many of the Firefox-related projects have a `$(BUILD_N)` suffix and may differ between projects even when they contribute to the same build.
|
13 | - - example : `build1`
|
|
17 | + - **example** : `build1`
|
|
14 | 18 | - `$(TOR_BROWSER_BUILD_N)` : the tor-browser build revision for a given Tor Browser release; used in tagging git commits
|
15 | - - example : `build2`
|
|
16 | - - **NOTE** : A project's `$(BUILD_N)` and `$(TOR_BROWSER_BUILD_N)` may be the same, but it is possible for them to diverge. For example :
|
|
17 | - - if we have multiple Tor Browser releases on a given ESR branch the two will become out of sync as the `$(BUILD_N)` value will increase, while the `$(TOR_BROWSER_BUILD_N)` value may stay at `build1` (but the `$(TOR_BROWSER_VERSION)` will increase)
|
|
18 | - - if we have build failures unrelated to `tor-browser`, the `$(TOR_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same.
|
|
19 | + - **example** : `build2`
|
|
20 | + - **NOTE** : A project's `$(BUILD_N)` and `$(TOR_BROWSER_BUILD_N)` may be the same, but it is possible for them to diverge. For example :
|
|
21 | + - if we have multiple Tor Browser releases on a given ESR branch the two will become out of sync as the `$(BUILD_N)` value will increase, while the `$(TOR_BROWSER_BUILD_N)` value may stay at `build1` (but the `$(TOR_BROWSER_VERSION)` will increase)
|
|
22 | + - if we have build failures unrelated to `tor-browser`, the `$(TOR_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same.
|
|
19 | 23 | - `$(TOR_BROWSER_VERSION)` : the published Tor Browser version
|
20 | - - example : `11.5a6`, `11.0.7`
|
|
24 | + - **example** : `11.5a6`, `11.0.7`
|
|
25 | +- `$(TBB_BUILD_TAG)` : the `tor-browser-build` build tag used to build a given Tor Browser version
|
|
26 | + - **example** : `tbb-12.5a7-build1`
|
|
21 | 27 | </details>
|
22 | 28 | |
23 | -**NOTE** It is assumed that the `tor-browser` rebase and security backport tasks have been completed
|
|
29 | +**NOTE** It is assumed that the `tor-browser` stable rebase and security backport tasks have been completed
|
|
24 | 30 | |
25 | 31 | <details>
|
26 | - <summary>Build Updates</summary>
|
|
32 | + <summary>Building</summary>
|
|
27 | 33 | |
28 | 34 | ### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git
|
29 | 35 | Tor Browser Alpha (and Nightly) are on the `main` branch
|
... | ... | @@ -44,7 +50,7 @@ Tor Browser Alpha (and Nightly) are on the `main` branch |
44 | 50 | - [ ] `steps/tor-browser/git_hash` : update with `HEAD` commit of project's `tor-browser` branch
|
45 | 51 | - [ ] `steps/fenix/git_hash` : update with `HEAD` commit of project's `fenix-torbrowserstringsxml` branch
|
46 | 52 | - [ ] Update Android-specific build configs
|
47 | - - [ ] ***(Optional)*** Update `projects/geckoview/config`
|
|
53 | + - [ ] Update `projects/geckoview/config`
|
|
48 | 54 | - [ ] `browser_build` : update to match `tor-browser` tag
|
49 | 55 | - [ ] ***(Optional)*** `var/geckoview_version` : update to latest `$(ESR_VERSION)` if rebased
|
50 | 56 | - [ ] ***(Optional)*** Update `projects/tor-android-service/config`
|
... | ... | @@ -56,7 +62,6 @@ Tor Browser Alpha (and Nightly) are on the `main` branch |
56 | 62 | - [ ] `android_components_build` : update to match alpha android-components tag
|
57 | 63 | - [ ] ***(Optional)*** Update `projects/fenix/config`
|
58 | 64 | - [ ] `fenix_build` : update to match fenix tag
|
59 | - - [ ] ***(Optional)*** `var/fenix_version` : update to latest `$(ESR_VERSION)` if rebased
|
|
60 | 65 | - [ ] Update allowed_addons.json by running (from `tor-browser-build` root):
|
61 | 66 | - `./tools/fetch_allowed_addons.py > projects/browser/allowed_addons.json`
|
62 | 67 | - [ ] Update common build configs
|
... | ... | @@ -79,14 +84,13 @@ Tor Browser Alpha (and Nightly) are on the `main` branch |
79 | 84 | - [ ] ***(Optional)*** Update `projects/go/config`
|
80 | 85 | - [ ] `version` : update go version
|
81 | 86 | - [ ] `input_files/sha256sum` for `go` : update sha256sum of archive (sha256 sums are displayed on the go download page)
|
82 | - - [ ] Update the manual : https://gitlab.torproject.org/tpo/web/manual/-/jobs/
|
|
83 | - - [ ] Download the `artifacts.zip` file from latest build stage row (download icon button on the right)
|
|
84 | - - [ ] Rename it to `manual_$PIPELINEID.zip`
|
|
85 | - - [ ] Upload it to people.tpo
|
|
86 | - - [ ] Update `projects/manual/config`
|
|
87 | - - [ ] Change the version to `$PIPELINEID`
|
|
88 | - - [ ] Update the hash in the input_files section
|
|
89 | - - [ ] Update the URL if you have uploaded to a different people.tpo home
|
|
87 | + - [ ] Check for manual updates by running (from `tor-browser-build` root): `./tools/fetch-manual.py`
|
|
88 | + - [ ] ***(Optional)*** If new version is available:
|
|
89 | + - [ ] Upload the downloaded `manual_$PIPELINEID.zip` file to people.tpo
|
|
90 | + - [ ] Update `projects/manual/config`:
|
|
91 | + - [ ] Change the `version` to `$PIPELINEID`
|
|
92 | + - [ ] Update `sha256sum` in the `input_files` section
|
|
93 | + - [ ] ***(Optional)*** Update the URL if you have uploaded to a different people.tpo home
|
|
90 | 94 | - [ ] Update `ChangeLog.txt`
|
91 | 95 | - [ ] Ensure ChangeLog.txt is sync'd between alpha and stable branches
|
92 | 96 | - [ ] Check the linked issues: ask people to check if any are missing, remove the not fixed ones
|
... | ... | @@ -94,19 +98,26 @@ Tor Browser Alpha (and Nightly) are on the `main` branch |
94 | 98 | - Make sure you have `requests` installed (e.g., `apt install python3-requests`)
|
95 | 99 | - The first time you run this script you will need to generate an access token; the script will guide you
|
96 | 100 | - [ ] Copy the output of the script to the beginning of `ChangeLog.txt` and adjust its output
|
97 | - - If you used the issue number, you will need to write the Tor Browser version manually
|
|
98 | - - [ ] Include any version updates for:
|
|
99 | - - [ ] translations
|
|
100 | - - [ ] OpenSSL
|
|
101 | - - [ ] NoScript
|
|
101 | + - **NOTE** : If you used the issue number, you will need to write the Tor Browser version manually
|
|
102 | + - [ ] ***(Optional)*** Under `All Platforms` include any version updates for:
|
|
103 | + - [ ] Translations
|
|
104 | + - [ ]OpenSSL
|
|
105 | + - [ ]NoScript
|
|
106 | + - [ ]zlib
|
|
107 | + - [ ] tor daemon
|
|
108 | + - [ ] ***(Optional)*** Under `Windows + macOS + Linux` include updates for:
|
|
109 | + - [ ] Firefox
|
|
110 | + - [ ] ***(Optional)*** Under `Android`, include updates for:
|
|
111 | + - [ ] Geckoview
|
|
112 | + - [ ] ***(Optional)*** Under `Build System/All Platforms` include updates for:
|
|
102 | 113 | - [ ] Go
|
103 | - - [ ] zlib
|
|
104 | - - [ ] Include any ESR rebase for Firefox and GeckoView
|
|
105 | 114 | - [ ] Open MR with above changes
|
106 | -- [ ] Begin build on `$(BUILD_SERVER)` (fix any issues which come up and update MR)
|
|
107 | 115 | - [ ] Merge
|
108 | 116 | - [ ] Sign/Tag commit: `make torbrowser-signtag-alpha`
|
109 | 117 | - [ ] Push tag to `origin`
|
118 | +- [ ] Begin build on `$(BUILD_SERVER)` (fix any issues in subsequent MRs)
|
|
119 | +- [ ] **TODO** Submit build-tag to Mullvad build infra
|
|
120 | +- [ ] Ensure builders have matching builds
|
|
110 | 121 | |
111 | 122 | </details>
|
112 | 123 | |
... | ... | @@ -118,6 +129,10 @@ Tor Browser Alpha (and Nightly) are on the `main` branch |
118 | 129 | <details>
|
119 | 130 | <summary>email template</summary>
|
120 | 131 | |
132 | + Subject:
|
|
133 | + Tor Browser $(TOR_BROWSER_VERION) (Android, Windows, macOS, Linux)
|
|
134 | + |
|
135 | + Body:
|
|
121 | 136 | Hello All,
|
122 | 137 | |
123 | 138 | Unsigned Tor Browser $(TOR_BROWSER_VERSION) alpha candidate builds are now available for testing:
|
... | ... | @@ -126,15 +141,15 @@ Tor Browser Alpha (and Nightly) are on the `main` branch |
126 | 141 | |
127 | 142 | The full changelog can be found here:
|
128 | 143 | |
129 | - - https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/raw/main/projects/browser/Bundle-Data/Docs/ChangeLog.txt
|
|
144 | + - https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/blob/$(TBB_BUILD_TAG)/ChangeLog.txt
|
|
130 | 145 | |
131 | 146 | </details>
|
132 | 147 | |
133 | 148 | - [ ] Email tor-qa mailing list: tor-qa@lists.torproject.org
|
134 | - - Additional information:
|
|
149 | + - ***(Optional)*** Additional information:
|
|
135 | 150 | - [ ] Note any new functionality which needs testing
|
136 | 151 | - [ ] Link to any known issues
|
137 | -- [ ] ***(Optional, only around build/packaging changes)*** Email downstream consumers:
|
|
152 | +- [ ] ***(Optional, only around build/packaging changes)*** Email packagers:
|
|
138 | 153 | - Recipients:
|
139 | 154 | - Tails dev mailing list: tails-dev@boum.org
|
140 | 155 | - Guardian Project: nathan@guardianproject.info
|
... | ... | @@ -142,7 +157,7 @@ Tor Browser Alpha (and Nightly) are on the `main` branch |
142 | 157 | - FreeBSD port: freebsd@sysctl.cz <!-- Gitlab user maxfx -->
|
143 | 158 | - OpenBSD port: caspar@schutijser.com <!-- Gitlab user cschutijser -->
|
144 | 159 | - [ ] Note any changes which may affect packaging/downstream integration
|
145 | -- [ ] Email upstream stakeholders:
|
|
160 | +- [ ] Email external partners:
|
|
146 | 161 | - ***(Optional, after ESR migration)*** Cloudflare: ask-research@cloudflare.com
|
147 | 162 | - **NOTE** : We need to provide them with updated user agent string so they can update their internal machinery to prevent Tor Browser users from getting so many CAPTCHAs
|
148 | 163 | |
... | ... | @@ -151,11 +166,9 @@ Tor Browser Alpha (and Nightly) are on the `main` branch |
151 | 166 | <details>
|
152 | 167 | <summary>Signing</summary>
|
153 | 168 | |
154 | -### signing + publishing
|
|
155 | -- [ ] Ensure builders have matching builds
|
|
169 | +### signing
|
|
170 | +- **NOTE** : In practice, it's most efficient to have the blog post and website updates ready to merge, since signing doesn't take very long
|
|
156 | 171 | - [ ] On `$(STAGING_SERVER)`, ensure updated:
|
157 | - - [ ] `tor-browser-build/tools/signing/set-config`
|
|
158 | - - `NSS_DB_DIR` : location of the `nssdb7` directory
|
|
159 | 172 | - [ ] `tor-browser-build/tools/signing/set-config.hosts`
|
160 | 173 | - `ssh_host_builder` : ssh hostname of machine with unsigned builds
|
161 | 174 | - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory)
|
... | ... | @@ -182,7 +195,7 @@ Tor Browser Alpha (and Nightly) are on the `main` branch |
182 | 195 | - [ ] Static update components : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org`
|
183 | 196 | - [ ] Enable update responses : `sudo -u tb-release ./deploy_update_responses-alpha.sh`
|
184 | 197 | - [ ] Remove old release data from following places:
|
185 | - - **NOTE** : Skip this step if the current release is Android or Desktop *only*
|
|
198 | + - **NOTE** : Skip this step if we need to hold on to older versions for some reason (for example, this is an Andoid or Desktop-only release, or if we need to hold back installers in favor of build-to-build updates if there are signing issues, etc)
|
|
186 | 199 | - [ ] `/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser`
|
187 | 200 | - [ ] `/srv/dist-master.torproject.org/htdocs/torbrowser`
|
188 | 201 | - [ ] Static update components (again) : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org`
|
... | ... | @@ -236,7 +249,24 @@ Tor Browser Alpha (and Nightly) are on the `main` branch |
236 | 249 | - [ ] Publish after CI passes and website has been updated
|
237 | 250 | |
238 | 251 | ### tor-announce mailing list
|
239 | -- [ ] Send an email to tor-announce@lists.torproject.org, using the same content as the blog post and subject "Tor Browser $version is released".
|
|
252 | + <details>
|
|
253 | + <summary>email template</summary>
|
|
254 | + |
|
255 | + Subject:
|
|
256 | + New Release: Tor Browser $(TOR_BROWSER_VERSION) (Android, Windows, macOS, Linux)
|
|
257 | + |
|
258 | + Body:
|
|
259 | + Hi everyone,
|
|
260 | + |
|
261 | + Tor Browser $(TOR_BROWSER_VERSION) has now been published for all platforms. For details please see our blog post:
|
|
262 | + |
|
263 | + - $(BLOG_POST_URL)
|
|
264 | + |
|
265 | + </details>
|
|
266 | + |
|
267 | +- [ ] Email tor-announce mailing list: tor-announce@lists.torproject.org
|
|
268 | + - **(Optional)** Additional information:
|
|
269 | + - [ ] Link to any known issues
|
|
240 | 270 | |
241 | 271 | </details>
|
242 | 272 |
... | ... | @@ -2,33 +2,34 @@ |
2 | 2 | <summary>Explanation of variables</summary>
|
3 | 3 | |
4 | 4 | - `$(BUILD_SERVER)` : the server the main builder is using to build a tor-browser release
|
5 | +- `$(BUILDER)` : whomever is building the release on the $(BUILD_SERVER)
|
|
6 | + - **example** : `pierov`
|
|
5 | 7 | - `$(STAGING_SERVER)` : the server the signer is using to to run the signing process
|
6 | 8 | - `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc
|
7 | - - example : `91.6.0`
|
|
8 | -- `$(ESR_TAG)` : the Mozilla defined hg (Mercurial) tag associated with `$(ESR_VERSION)`
|
|
9 | - - exmaple : `FIREFOX_91_7_0esr_BUILD2`
|
|
10 | -- `$(ESR_TAG_PREV)` : the Mozilla defined hg (Mercurial) tag associated with the previous ESR version when rebasing (ie, the ESR version we are rebasing from)
|
|
9 | + - **example** : `91.6.0`
|
|
11 | 10 | - `$(TOR_BROWSER_MAJOR)` : the Tor Browser major version
|
12 | - - example : `11`
|
|
11 | + - **example** : `11`
|
|
13 | 12 | - `$(TOR_BROWSER_MINOR)` : the Tor Browser minor version
|
14 | - - example : either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
|
|
13 | + - **example** : either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
|
|
15 | 14 | - `$(TOR_BROWSER_VERSION)` : the Tor Browser version in the format
|
16 | - - example: `12.5a3`, `12.0.3`
|
|
15 | + - **example** : `12.5a3`, `12.0.3`
|
|
17 | 16 | - `$(BUILD_N)` : a project's build revision within a its branch; this is separate from the `$(TOR_BROWSER_BUILD_N)` value; many of the Firefox-related projects have a `$(BUILD_N)` suffix and may differ between projects even when they contribute to the same build.
|
18 | - - example : `build1`
|
|
17 | + - **example** : `build1`
|
|
19 | 18 | - `$(TOR_BROWSER_BUILD_N)` : the tor-browser build revision for a given Tor Browser release; used in tagging git commits
|
20 | - - example : `build2`
|
|
21 | - - **NOTE** : A project's `$(BUILD_N)` and `$(TOR_BROWSER_BUILD_N)` may be the same, but it is possible for them to diverge. For example :
|
|
22 | - - if we have multiple Tor Browser releases on a given ESR branch the two will become out of sync as the `$(BUILD_N)` value will increase, while the `$(TOR_BROWSER_BUILD_N)` value may stay at `build1` (but the `$(TOR_BROWSER_VERSION)` will increase)
|
|
23 | - - if we have build failures unrelated to `tor-browser`, the `$(TOR_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same.
|
|
19 | + - **example** : `build2`
|
|
20 | + - **NOTE** : A project's `$(BUILD_N)` and `$(TOR_BROWSER_BUILD_N)` may be the same, but it is possible for them to diverge. For example :
|
|
21 | + - if we have multiple Tor Browser releases on a given ESR branch the two will become out of sync as the `$(BUILD_N)` value will increase, while the `$(TOR_BROWSER_BUILD_N)` value may stay at `build1` (but the `$(TOR_BROWSER_VERSION)` will increase)
|
|
22 | + - if we have build failures unrelated to `tor-browser`, the `$(TOR_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same.
|
|
24 | 23 | - `$(TOR_BROWSER_VERSION)` : the published Tor Browser version
|
25 | - - example : `11.5a6`, `11.0.7`
|
|
24 | + - **example** : `11.5a6`, `11.0.7`
|
|
25 | +- `$(TBB_BUILD_TAG)` : the `tor-browser-build` build tag used to build a given Tor Browser version
|
|
26 | + - **example** : `tbb-12.0.7-build1`
|
|
26 | 27 | </details>
|
27 | 28 | |
28 | -**NOTE** It is assumed that the `tor-browser` rebase and security backport tasks have been completed
|
|
29 | +**NOTE** It is assumed that the `tor-browser` stable rebase and security backport tasks have been completed
|
|
29 | 30 | |
30 | 31 | <details>
|
31 | - <summary>Build Configs</summary>
|
|
32 | + <summary>Building</summary>
|
|
32 | 33 | |
33 | 34 | ### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git
|
34 | 35 | Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)` (and possibly more specific) branches
|
... | ... | @@ -37,7 +38,7 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE |
37 | 38 | - [ ] `var/torbrowser_version` : update to next version
|
38 | 39 | - [ ] `var/torbrowser_build` : update to `$(TOR_BROWSER_BUILD_N)`
|
39 | 40 | - [ ] ***(Desktop Only)***`var/torbrowser_incremental_from` : update to previous Desktop version
|
40 | - - **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make incrementals-*` step will fail
|
|
41 | + - **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make torbrowser-incrementals-*` step will fail
|
|
41 | 42 | - [ ] Update Desktop-specific build configs
|
42 | 43 | - [ ] Update `projects/firefox/config`
|
43 | 44 | - [ ] `browser_build` : update to match `tor-browser` tag
|
... | ... | @@ -49,7 +50,7 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE |
49 | 50 | - [ ] `steps/tor-browser/git_hash` : update with `HEAD` commit of project's `tor-browser` branch
|
50 | 51 | - [ ] `steps/fenix/git_hash` : update with `HEAD` commit of project's `fenix-torbrowserstringsxml` branch
|
51 | 52 | - [ ] Update Android-specific build configs
|
52 | - - [ ] ***(Optional)*** Update `projects/geckoview/config`
|
|
53 | + - [ ] Update `projects/geckoview/config`
|
|
53 | 54 | - [ ] `browser_build` : update to match `tor-browser` tag
|
54 | 55 | - [ ] ***(Optional)*** `var/geckoview_version` : update to latest `$(ESR_VERSION)` if rebased
|
55 | 56 | - [ ] ***(Optional)*** Update `projects/tor-android-service/config`
|
... | ... | @@ -58,10 +59,9 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE |
58 | 59 | **NOTE** we don't currently have any of our own patches for this project
|
59 | 60 | - [ ] `git_hash` : update to appropriate git commit associated with `$(ESR_VERSION)`
|
60 | 61 | - [ ] ***(Optional)*** Update `projects/android-components/config`:
|
61 | - - [ ] `android_components_build` : update to match android-components tag
|
|
62 | + - [ ] `android_components_build` : update to match stable android-components tag
|
|
62 | 63 | - [ ] ***(Optional)*** Update `projects/fenix/config`
|
63 | 64 | - [ ] `fenix_build` : update to match fenix tag
|
64 | - - [ ] ***(Optional)*** `var/fenix_version` : update to latest `$(ESR_VERSION)` if rebased
|
|
65 | 65 | - [ ] Update allowed_addons.json by running (from `tor-browser-build` root):
|
66 | 66 | - `./tools/fetch_allowed_addons.py > projects/browser/allowed_addons.json`
|
67 | 67 | - [ ] Update common build configs
|
... | ... | @@ -84,14 +84,13 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE |
84 | 84 | - [ ] ***(Optional)*** Update `projects/go/config`
|
85 | 85 | - [ ] `version` : update go version
|
86 | 86 | - [ ] `input_files/sha256sum` for `go` : update sha256sum of archive (sha256 sums are displayed on the go download page)
|
87 | - - [ ] Update the manual : https://gitlab.torproject.org/tpo/web/manual/-/jobs/
|
|
88 | - - [ ] Download the `artifacts.zip` file from latest build stage row (download icon button on the right)
|
|
89 | - - [ ] Rename it to `manual_$PIPELINEID.zip`
|
|
90 | - - [ ] Upload it to people.tpo
|
|
91 | - - [ ] Update `projects/manual/config`
|
|
92 | - - [ ] Change the version to `$PIPELINEID`
|
|
93 | - - [ ] Update the hash in the input_files section
|
|
94 | - - [ ] Update the URL if you have uploaded to a different people.tpo home
|
|
87 | + - [ ] Check for manual updates by running (from `tor-browser-build` root): `./tools/fetch-manual.py`
|
|
88 | + - [ ] ***(Optional)*** If new version is available:
|
|
89 | + - [ ] Upload the downloaded `manual_$PIPELINEID.zip` file to people.tpo
|
|
90 | + - [ ] Update `projects/manual/config`:
|
|
91 | + - [ ] Change the `version` to `$PIPELINEID`
|
|
92 | + - [ ] Update `sha256sum` in the `input_files` section
|
|
93 | + - [ ] ***(Optional)*** Update the URL if you have uploaded to a different people.tpo home
|
|
95 | 94 | - [ ] Update `ChangeLog.txt`
|
96 | 95 | - [ ] Ensure ChangeLog.txt is sync'd between alpha and stable branches
|
97 | 96 | - [ ] Check the linked issues: ask people to check if any are missing, remove the not fixed ones
|
... | ... | @@ -99,19 +98,26 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE |
99 | 98 | - Make sure you have `requests` installed (e.g., `apt install python3-requests`)
|
100 | 99 | - The first time you run this script you will need to generate an access token; the script will guide you
|
101 | 100 | - [ ] Copy the output of the script to the beginning of `ChangeLog.txt` and adjust its output
|
102 | - - If you used the issue number, you will need to write the Tor Browser version manually
|
|
103 | - - [ ] Include any version updates for:
|
|
104 | - - [ ] translations
|
|
105 | - - [ ] OpenSSL
|
|
106 | - - [ ] NoScript
|
|
101 | + - **NOTE** : If you used the issue number, you will need to write the Tor Browser version manually
|
|
102 | + - [ ] ***(Optional)*** Under `All Platforms` include any version updates for:
|
|
103 | + - [ ] Translations
|
|
104 | + - [ ]OpenSSL
|
|
105 | + - [ ]NoScript
|
|
106 | + - [ ]zlib
|
|
107 | + - [ ] tor daemon
|
|
108 | + - [ ] ***(Optional)*** Under `Windows + macOS + Linux` include updates for:
|
|
109 | + - [ ] Firefox
|
|
110 | + - [ ] ***(Optional)*** Under `Android`, include updates for:
|
|
111 | + - [ ] Geckoview
|
|
112 | + - [ ] ***(Optional)*** Under `Build System/All Platforms` include updates for:
|
|
107 | 113 | - [ ] Go
|
108 | - - [ ] zlib
|
|
109 | - - [ ] Include any ESR rebase for Firefox and GeckoView
|
|
110 | 114 | - [ ] Open MR with above changes
|
111 | -- [ ] Begin build on `$(BUILD_SERVER)` (and fix any issues which come up and update MR)
|
|
112 | 115 | - [ ] Merge
|
113 | 116 | - [ ] Sign/Tag commit: `make torbrowser-signtag-release`
|
114 | 117 | - [ ] Push tag to `origin`
|
118 | +- [ ] Begin build on `$(BUILD_SERVER)` (fix any issues in subsequent MRs)
|
|
119 | +- [ ] **TODO** Submit build-tag to Mullvad build infra
|
|
120 | +- [ ] Ensure builders have matching builds
|
|
115 | 121 | |
116 | 122 | </details>
|
117 | 123 | |
... | ... | @@ -123,6 +129,10 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE |
123 | 129 | <details>
|
124 | 130 | <summary>email template</summary>
|
125 | 131 | |
132 | + Subject:
|
|
133 | + Tor Browser $(TOR_BROWSER_VERION) (Android, Windows, macOS, Linux)
|
|
134 | + |
|
135 | + Body:
|
|
126 | 136 | Hello All,
|
127 | 137 | |
128 | 138 | Unsigned Tor Browser $(TOR_BROWSER_VERSION) release candidate builds are now available for testing:
|
... | ... | @@ -131,36 +141,31 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE |
131 | 141 | |
132 | 142 | The full changelog can be found here:
|
133 | 143 | |
134 | - - https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/raw/maint-12.0/projects/browser/Bundle-Data/Docs/ChangeLog.txt
|
|
144 | + - https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/blob/$(TBB_BUILD_TAG)/ChangeLog.txt
|
|
135 | 145 | |
136 | 146 | </details>
|
137 | 147 | |
138 | 148 | - [ ] Email tor-qa mailing list: tor-qa@lists.torproject.org
|
139 | - - Additional information:
|
|
149 | + - ***(Optional)*** Additional information:
|
|
140 | 150 | - [ ] Note any new functionality which needs testing
|
141 | 151 | - [ ] Link to any known issues
|
142 | -- [ ] Email downstream consumers:
|
|
152 | +- [ ] Email packagers:
|
|
143 | 153 | - Recipients:
|
144 | 154 | - Tails dev mailing list: tails-dev@boum.org
|
145 | 155 | - Guardian Project: nathan@guardianproject.info
|
146 | 156 | - torbrowser-launcher: micah@micahflee.com
|
147 | 157 | - FreeBSD port: freebsd@sysctl.cz <!-- Gitlab user maxfx -->
|
148 | 158 | - OpenBSD port: caspar@schutijser.com <!-- Gitlab user cschutijser -->
|
149 | - - [ ] Note any changes which may affect packaging/downstream integration
|
|
150 | -- [ ] Email upstream stakeholders:
|
|
151 | - - ***(Optional, after ESR migration)*** Cloudflare: ask-research@cloudflare.com
|
|
152 | - - **NOTE** : We need to provide them with updated user agent string so they can update their internal machinery to prevent Tor Browser users from getting so many CAPTCHAs
|
|
159 | + - [ ] ***(Optional)*** Note any changes which may affect packaging/downstream integration
|
|
153 | 160 | |
154 | 161 | </details>
|
155 | 162 | |
156 | 163 | <details>
|
157 | 164 | <summary>Signing</summary>
|
158 | 165 | |
159 | -### signing + publishing
|
|
160 | -- [ ] Ensure builders have matching builds
|
|
166 | +### signing
|
|
167 | +- **NOTE** : In practice, it's most efficient to have the blog post and website updates ready to merge, since signing doesn't take very long
|
|
161 | 168 | - [ ] On `$(STAGING_SERVER)`, ensure updated:
|
162 | - - [ ] `tor-browser-build/tools/signing/set-config`
|
|
163 | - - `NSS_DB_DIR` : location of the `nssdb7` directory
|
|
164 | 169 | - [ ] `tor-browser-build/tools/signing/set-config.hosts`
|
165 | 170 | - `ssh_host_builder` : ssh hostname of machine with unsigned builds
|
166 | 171 | - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory)
|
... | ... | @@ -180,14 +185,14 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE |
180 | 185 | - [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
|
181 | 186 | - [ ] run do-all-signing script:
|
182 | 187 | - `cd tor-browser-build/tools/signing/`
|
183 | - - `./do-all-signing.sh`
|
|
188 | + - `./do-all-signing.torbrowser`
|
|
184 | 189 | - **NOTE**: at this point the signed binaries should have been copied to `staticiforme`
|
185 | 190 | - [ ] Update `staticiforme.torproject.org`:
|
186 | 191 | - From `screen` session on `staticiforme.torproject.org`:
|
187 | 192 | - [ ] Static update components : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org`
|
188 | 193 | - [ ] Enable update responses : `sudo -u tb-release ./deploy_update_responses-release.sh`
|
189 | 194 | - [ ] Remove old release data from following places:
|
190 | - - **NOTE** : Skip this step if the current release is Android or Desktop *only*
|
|
195 | + - **NOTE** : Skip this step if we need to hold on to older versions for some reason (for example, this is an Andoid or Desktop-only release, or if we need to hold back installers in favor of build-to-build updates if there are signing issues, etc)
|
|
191 | 196 | - [ ] `/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser`
|
192 | 197 | - [ ] `/srv/dist-master.torproject.org/htdocs/torbrowser`
|
193 | 198 | - [ ] Static update components (again) : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org`
|
... | ... | @@ -241,7 +246,24 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE |
241 | 246 | - [ ] Publish after CI passes and website has been updated
|
242 | 247 | |
243 | 248 | ### tor-announce mailing list
|
244 | -- [ ] Send an email to tor-announce@lists.torproject.org, using the same content as the blog post and subject "Tor Browser $version is released".
|
|
249 | + <details>
|
|
250 | + <summary>email template</summary>
|
|
251 | + |
|
252 | + Subject:
|
|
253 | + New Release: Tor Browser $(TOR_BROWSER_VERSION) (Android, Windows, macOS, Linux)
|
|
254 | + |
|
255 | + Body:
|
|
256 | + Hi everyone,
|
|
257 | + |
|
258 | + Tor Browser $(TOR_BROWSER_VERSION) has now been published for all platforms. For details please see our blog post:
|
|
259 | + |
|
260 | + - $(BLOG_POST_URL)
|
|
261 | + |
|
262 | + </details>
|
|
263 | + |
|
264 | +- [ ] Email tor-announce mailing list: tor-announce@lists.torproject.org
|
|
265 | + - **(Optional)** Additional information:
|
|
266 | + - [ ] Link to any known issues
|
|
245 | 267 | |
246 | 268 | </details>
|
247 | 269 |
... | ... | @@ -2,20 +2,52 @@ |
2 | 2 | |
3 | 3 | <!-- Bookkeeping information for release management -->
|
4 | 4 | |
5 | -- ### Related Issues
|
|
6 | - - tor-browser#xxxxx
|
|
7 | - - tor-browser-build#xxxxx
|
|
8 | - - etc
|
|
5 | +### Related Issues
|
|
6 | +- tor-browser#xxxxx
|
|
7 | +- mullvad-browser#xxxxx
|
|
8 | +- tor-browser-build#xxxxx
|
|
9 | 9 | |
10 | -- ### Backport Timeline
|
|
11 | - - [ ] **Immediate** - patchsets for critical bug fixes or other major blocker (e.g. fixes for a 0-day exploit) OR patchsets with trivial changes which do not need testing (e.g. fixes for typos or fixes easily verified in a local developer build)
|
|
12 | - - [ ] **Next Minor Stable Release** - patchset that needs to be verified in nightly before backport
|
|
13 | - - [ ] **Eventually** - patchset that needs to be verified in alpha before backport
|
|
14 | - - [ ] **No Backport** - patchset for the next major stable
|
|
10 | +### Backporting
|
|
15 | 11 | |
16 | -- ### Issue Tracking
|
|
17 | - - [ ] Link resolved issues with appropriate [Release Prep issue](https://gitlab.torproject.org/groups/tpo/applications/-/issues/?sort=updated_desc&state=opened&label_name%5B%5D=Release%20Prep&first_page_size=20) for changelog generation
|
|
12 | +#### Timeline
|
|
13 | +- [ ] **Immediate**: patchset needed as soon as possible
|
|
14 | +- [ ] **Next Minor Stable Release**: patchset that needs to be verified in nightly before backport
|
|
15 | +- [ ] **Eventually**: patchset that needs to be verified in alpha before backport
|
|
16 | +- [ ] **No Backport (preferred)**: patchset for the next major stable
|
|
18 | 17 | |
19 | -## Change Description
|
|
18 | +#### (Optional) Justification
|
|
19 | +- [ ] **Emergency security update**: patchset fixes CVEs, 0-days, etc
|
|
20 | +- [ ] **Censorship event**: patchset enables censorship circumvention
|
|
21 | +- [ ] **Critical bug-fix**: patchset fixes a bug in core-functionality
|
|
22 | +- [ ] **Consistency**: patchset which would make development easier if it were in both the alpha and release branches; developer tools, build system changes, etc
|
|
23 | +- [ ] **Sponsor required**: patchset required for sponsor
|
|
24 | +- [ ] **Other**: please explain
|
|
20 | 25 | |
21 | -<!-- Whatever context the reviewer needs to effectively review the patchset --> |
|
\ No newline at end of file | ||
26 | +### Issue Tracking
|
|
27 | +- [ ] Link resolved issues with appropriate [Release Prep issue](https://gitlab.torproject.org/groups/tpo/applications/-/issues/?sort=updated_desc&state=opened&label_name%5B%5D=Release%20Prep&first_page_size=20) for changelog generation
|
|
28 | + |
|
29 | +### Review
|
|
30 | + |
|
31 | +#### Request Reviewer
|
|
32 | + |
|
33 | +- [ ] Request review from an applications developer depending on modified system:
|
|
34 | + - **NOTE**: if the MR modifies multiple areas, please `/cc` all the relevant reviewers (since gitlab only allows 1 reviewer)
|
|
35 | + - **accessibility** : henry
|
|
36 | + - **android** : dan
|
|
37 | + - **build system** : boklm
|
|
38 | + - **extensions** : ma1
|
|
39 | + - **firefox internals (XUL/JS/XPCOM)** : ma1
|
|
40 | + - **fonts** : pierov
|
|
41 | + - **frontend (implementation)** : henry
|
|
42 | + - **frontend (review)** : donuts, richard
|
|
43 | + - **localization** : henry, pierov
|
|
44 | + - **nightly builds** : boklm
|
|
45 | + - **rebases/release-prep** : dan_b, ma1, pierov, richard
|
|
46 | + - **security** : ma1
|
|
47 | + - **signing** : boklm, richard
|
|
48 | + - **updater** : pierov
|
|
49 | + - **misc/other** : pierov, richard
|
|
50 | + |
|
51 | +#### Change Description
|
|
52 | + |
|
53 | +<!-- Whatever context the reviewer needs to effectively review the patchset; if the patch includes UX updates be sure to include screenshots/video of how any new behaviour --> |