richard pushed to branch main at The Tor Project / Applications / tor-browser-build

Commits:

5 changed files:

Changes:

  • .gitlab/issue_templates/Release Prep - Mullvad Browser Alpha.md
    1
    +<details>
    
    2
    +  <summary>Explanation of variables</summary>
    
    3
    +
    
    4
    +- `$(BUILD_SERVER)` : the server the main builder is using to build a mullvad-browser release
    
    5
    +- `$(BUILDER)` : whomever is building the release on the $(BUILD_SERVER)
    
    6
    +  - **example** : `pierov`
    
    7
    +- `$(STAGING_SERVER)` : the server the signer is using to to run the signing process
    
    8
    +- `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building mullvad-browser tags, labels, etc
    
    9
    +  - **example** : `91.6.0`
    
    10
    +- `$(MULLVAD_BROWSER_MAJOR)` : the Mullvad Browser major version
    
    11
    +  - **example** : `11`
    
    12
    +- `$(MULLVAD_BROWSER_MINOR)` : the Mullvad Browser minor version
    
    13
    +  - **example** : either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
    
    14
    +- `$(MULLVAD_BROWSER_VERSION)` : the Mullvad Browser version in the format
    
    15
    +  - **example** : `12.5a3`, `12.0.3`
    
    16
    +- `$(BUILD_N)` : a project's build revision within a its branch; this is separate from the `$(MULLVAD_BROWSER_BUILD_N)` value; many of the Firefox-related projects have a `$(BUILD_N)` suffix and may differ between projects even when they contribute to the same build.
    
    17
    +    - **example** : `build1`
    
    18
    +- `$(MULLVAD_BROWSER_BUILD_N)` : the mullvad-browser build revision for a given Mullvad Browser release; used in tagging git commits
    
    19
    +    - **example** : `build2`
    
    20
    +    - **NOTE** : A project's `$(BUILD_N)` and `$(MULLVAD_BROWSER_BUILD_N)` may be the same, but it is possible for them to diverge. For **example** :
    
    21
    +      - if we have multiple Mullvad Browser releases on a given ESR branch the two will become out of sync as the `$(BUILD_N)` value will increase, while the `$(MULLVAD_BROWSER_BUILD_N)` value may stay at `build1` (but the `$(MULLVAD_BROWSER_VERSION)` will increase)
    
    22
    +      - if we have build failures unrelated to `mullvad-browser`, the `$(MULLVAD_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same.
    
    23
    +- `$(MULLVAD_BROWSER_VERSION)` : the published Mullvad Browser version
    
    24
    +    - **example** : `11.5a6`, `11.0.7`
    
    25
    +- `$(MB_BUILD_TAG)` : the `tor-browser-build` build tag used to build a given Mullvad Browser version
    
    26
    +    - **example** : `mb-12.0.7-build1`
    
    27
    +</details>
    
    28
    +
    
    29
    +**NOTE** It is assumed that the `tor-browser` alpha rebase and security backport tasks have been completed
    
    30
    +
    
    31
    +<details>
    
    32
    +  <summary>Building</summary>
    
    33
    +
    
    34
    +### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git
    
    35
    +Mullvad Browser Alpha (and Nightly) are on the `main` branch
    
    36
    +
    
    37
    +- [ ] Update `rbm.conf`
    
    38
    +  - [ ] `var/torbrowser_version` : update to next version
    
    39
    +  - [ ] `var/torbrowser_build` : update to `$(MULLVAD_BROWSER_BUILD_N)`
    
    40
    +  - [ ] `var/torbrowser_incremental_from` : update to previous Desktop version
    
    41
    +    - **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make mullvadbrowser-incrementals-*` step will fail
    
    42
    +- [ ] Update build configs
    
    43
    +  - [ ] Update `projects/firefox/config`
    
    44
    +    - [ ] `browser_build` : update to match `mullvad-browser` tag
    
    45
    +    - [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased
    
    46
    +  - [ ] Update `projects/translation/config`:
    
    47
    +    - [ ] run `make list_translation_updates-alpha` to get updated hashes
    
    48
    +    - [ ] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch
    
    49
    +    - [ ] `steps/base-browser-fluent/git_hash` : update with `HEAD` commit of project's `basebrowser-newidentityftl` branch
    
    50
    +- [ ] Update common build configs
    
    51
    +  - [ ] Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript
    
    52
    +    - [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/browser/config`
    
    53
    +      - [ ] `URL`
    
    54
    +      - [ ] `sha256sum`
    
    55
    +  - [ ] Check for uBlock-origin updates here : https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/
    
    56
    +    - [ ] ***(Optional)*** If new version available, update `ublock-origin` section of `input_files` in `projects/browser/config`
    
    57
    +      - [ ] `URL`
    
    58
    +      - [ ] `sha256sum`
    
    59
    +  - [ ] Check for Mullvad Privacy Companion updates here : https://github.com/mullvad/browser-extension/releases
    
    60
    +    - [ ] ***(Optional)*** If new version available, update `mullvad-extension` section of `input_files` in `projects/browser/config`
    
    61
    +      - [ ] `URL`
    
    62
    +      - [ ] `sha256sum`
    
    63
    +- [ ] Open MR with above changes
    
    64
    +- [ ] Merge
    
    65
    +- [ ] Sign/Tag commit: `make mullvadbrowser-signtag-alpha`
    
    66
    +- [ ] Push tag to `origin`
    
    67
    +- [ ] Begin build on `$(BUILD_SERVER)` (fix any issues in subsequent MRs)
    
    68
    +- [ ] **TODO** Submit build-tag to Mullvad build infra
    
    69
    +- [ ] Ensure builders have matching builds
    
    70
    +
    
    71
    +</details>
    
    72
    +
    
    73
    +<details>
    
    74
    +  <summary>QA</summary>
    
    75
    +
    
    76
    +### send the build
    
    77
    +
    
    78
    +  - [ ] Email Mullvad QA: support@mullvad.net, rui@mullvad.net
    
    79
    +    <details>
    
    80
    +      <summary>email template</summary>
    
    81
    +
    
    82
    +        Subject:
    
    83
    +        New build: Mullvad Browser $(MULLVAD_BROWSER_VERION) (unsigned)
    
    84
    +
    
    85
    +        Body:
    
    86
    +        unsigned builds: https://tb-build-05.torproject.org/~$(BUILDER)/builds/mullvadbrowser/release/unsigned/$(MB_BUILD_TAG)
    
    87
    +
    
    88
    +        changelog:
    
    89
    +        ...
    
    90
    +
    
    91
    +    </details>
    
    92
    +
    
    93
    +    - ***(Optional)*** Add additional information:
    
    94
    +      - [ ] Note any new functionality which needs testing
    
    95
    +      - [ ] Link to any known issues
    
    96
    +
    
    97
    +</details>
    
    98
    +
    
    99
    +<details>
    
    100
    +  <summary>Signing</summary>
    
    101
    +
    
    102
    +### signing
    
    103
    +- [ ] On `$(STAGING_SERVER)`, ensure updated:
    
    104
    +  - [ ]  `tor-browser-build/tools/signing/set-config.hosts`
    
    105
    +    - `ssh_host_builder` : ssh hostname of machine with unsigned builds
    
    106
    +      - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory)
    
    107
    +    - `ssh_host_linux_signer` : ssh hostname of linux signing machine
    
    108
    +    - `ssh_host_macos_signer` : ssh hostname of macOS signing machine
    
    109
    +  - [ ] `tor-browser-build/tools/signing/set-config.macos-notarization`
    
    110
    +    - `macos_notarization_user` : the email login for a mullvad notariser Apple Developer account
    
    111
    +  - [ ] `set-config.update-responses`
    
    112
    +    - `update_responses_repository_dir` : directory where you cloned `git@gitlab.torproject.org:tpo/applications/mullvad-browser-update-responses.git`
    
    113
    +  - [ ] `tor-browser-build/tools/signing/set-config.tbb-version`
    
    114
    +    - `tbb_version` : mullvad browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`)
    
    115
    +    - `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`)
    
    116
    +    - `tbb_version_type` : either `alpha` for alpha releases or `release` for stable releases
    
    117
    +- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, run the macOS proxy script:
    
    118
    +    - `cd tor-browser-build/tools/signing/`
    
    119
    +    - `./macos-signer-proxy`
    
    120
    +- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
    
    121
    +- [ ] run do-all-signing script:
    
    122
    +    - `cd tor-browser-build/tools/signing/`
    
    123
    +    - `./do-all-signing.mullvadbrowser`
    
    124
    +- **NOTE**: at this point the signed binaries should have been copied to `staticiforme`
    
    125
    +- [ ] Update `staticiforme.torproject.org`:
    
    126
    +  - From `screen` session on `staticiforme.torproject.org`:
    
    127
    +  - [ ] Static update components : `static-update-component dist.torproject.org`
    
    128
    +  - [ ] Remove old release data from `/srv/dist-master.torproject.org/htdocs/mullvadbrowser`
    
    129
    +  - [ ] Static update components (again) : `static-update-component dist.torproject.org`
    
    130
    +
    
    131
    +</details>
    
    132
    +
    
    133
    +<details>
    
    134
    +  <summary>Publishing</summary>
    
    135
    +
    
    136
    +### email
    
    137
    +
    
    138
    +- [ ] Email Mullvad with release information: support@mullvad.net, rui@mullvad.net
    
    139
    +  <details>
    
    140
    +    <summary>email template</summary>
    
    141
    +
    
    142
    +      Subject:
    
    143
    +      New build: Mullvad Browser $(MULLVAD_BROWSER_VERION) (signed)
    
    144
    +
    
    145
    +      Body:
    
    146
    +      signed builds: https://dist.torproject.org/mullvadbrowser/$(MULLVAD_BROWSER_VERSION)
    
    147
    +
    
    148
    +      update_response hashes: $(MULLVAD_UPDATE_RESPONSES_HASH)
    
    149
    +
    
    150
    +      changelog:
    
    151
    +      ...
    
    152
    +
    
    153
    +  </details>
    
    154
    +
    
    155
    +### mullvad-browser (github): https://github.com/mullvad/mullvad-browser/
    
    156
    +- [ ] Push this release's associated `mullvad-browser.git` branch to github
    
    157
    +- [ ] Push this release's associated tags to github:
    
    158
    +  - [ ] Firefox ESR tag
    
    159
    +    - **example** : `FIREFOX_102_12_0esr_BUILD1,`
    
    160
    +  - [ ] `base-browser` tag
    
    161
    +    - **example** : `base-browser-102.12.0esr-12.0-1-build1`
    
    162
    +  - [ ] `mullvad-browser` tag
    
    163
    +    - **example** : `mullvad-browser-102.12.0esr-12.0-1-build1`
    
    164
    +- [ ] Sign+Tag additionally the `mullvad-browser.git` `firefox` commit used in build:
    
    165
    +  - **Tag**: `$(MULLVAD_BROWSER_VERSION)`
    
    166
    +    - **example** : `12.5a7`
    
    167
    +  - **Message**: `$(ESR_VERSION)esr-based $(MULLVAD_BROWSER_VERSION)`
    
    168
    +    - **example** : `102.12.0esr-based 12.5a7`
    
    169
    +  - [ ] Push tag to github
    
    170
    +
    
    171
    +</details>
    
    172
    +
    
    173
    +<details>
    
    174
    +  <summary>Downstream</summary>
    
    175
    +
    
    176
    +### notify packagers
    
    177
    +
    
    178
    +- [ ] **(Optional, Once Mullvad Updates their Github Releases Page)** Email downstream consumers:
    
    179
    +  <details>
    
    180
    +    <summary>email template</summary>
    
    181
    +
    
    182
    +    ...
    
    183
    +
    
    184
    +    ...
    
    185
    +
    
    186
    +  </details>
    
    187
    +
    
    188
    +  - **NOTE**: This is an optional step and only necessary close a major release/transition from alpha to stable, or if there are major packing changes these developers need to be aware of
    
    189
    +  - [ ] flathub package maintainer: proletarius101@protonmail.com
    
    190
    +  - [ ] arch package maintainer: bootctl@gmail.com
    
    191
    +  - [ ] nixOS package maintainer: dev@felschr.com
    
    192
    +
    
    193
    +</details>
    
    194
    +
    
    195
    +/label ~"Release Prep"

  • .gitlab/issue_templates/Release Prep - Mullvad Browser Stable.md
    ... ... @@ -2,32 +2,36 @@
    2 2
       <summary>Explanation of variables</summary>
    
    3 3
     
    
    4 4
     - `$(BUILD_SERVER)` : the server the main builder is using to build a mullvad-browser release
    
    5
    +- `$(BUILDER)` : whomever is building the release on the $(BUILD_SERVER)
    
    6
    +  - **example** : `pierov`
    
    5 7
     - `$(STAGING_SERVER)` : the server the signer is using to to run the signing process
    
    6 8
     - `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building mullvad-browser tags, labels, etc
    
    7
    -  - example : `91.6.0`
    
    9
    +  - **example** : `91.6.0`
    
    8 10
     - `$(MULLVAD_BROWSER_MAJOR)` : the Mullvad Browser major version
    
    9
    -  - example : `11`
    
    11
    +  - **example** : `11`
    
    10 12
     - `$(MULLVAD_BROWSER_MINOR)` : the Mullvad Browser minor version
    
    11
    -  - example : either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
    
    13
    +  - **example** : either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
    
    12 14
     - `$(MULLVAD_BROWSER_VERSION)` : the Mullvad Browser version in the format
    
    13
    -  - example: `12.5a3`, `12.0.3`
    
    15
    +  - **example** : `12.5a3`, `12.0.3`
    
    14 16
     - `$(BUILD_N)` : a project's build revision within a its branch; this is separate from the `$(MULLVAD_BROWSER_BUILD_N)` value; many of the Firefox-related projects have a `$(BUILD_N)` suffix and may differ between projects even when they contribute to the same build.
    
    15
    -    - example : `build1`
    
    17
    +    - **example** : `build1`
    
    16 18
     - `$(MULLVAD_BROWSER_BUILD_N)` : the mullvad-browser build revision for a given Mullvad Browser release; used in tagging git commits
    
    17
    -    - example : `build2`
    
    18
    -    - **NOTE** : A project's `$(BUILD_N)` and `$(MULLVAD_BROWSER_BUILD_N)` may be the same, but it is possible for them to diverge. For example :
    
    19
    -        - if we have multiple Mullvad Browser releases on a given ESR branch the two will become out of sync as the `$(BUILD_N)` value will increase, while the `$(MULLVAD_BROWSER_BUILD_N)` value may stay at `build1` (but the `$(MULLVAD_BROWSER_VERSION)` will increase)
    
    20
    -        - if we have build failures unrelated to `mullvad-browser`, the `$(MULLVAD_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same.
    
    19
    +    - **example** : `build2`
    
    20
    +    - **NOTE** : A project's `$(BUILD_N)` and `$(MULLVAD_BROWSER_BUILD_N)` may be the same, but it is possible for them to diverge. For **example** :
    
    21
    +      - if we have multiple Mullvad Browser releases on a given ESR branch the two will become out of sync as the `$(BUILD_N)` value will increase, while the `$(MULLVAD_BROWSER_BUILD_N)` value may stay at `build1` (but the `$(MULLVAD_BROWSER_VERSION)` will increase)
    
    22
    +      - if we have build failures unrelated to `mullvad-browser`, the `$(MULLVAD_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same.
    
    21 23
     - `$(MULLVAD_BROWSER_VERSION)` : the published Mullvad Browser version
    
    22
    -    - example : `11.5a6`, `11.0.7`
    
    24
    +    - **example** : `11.5a6`, `11.0.7`
    
    25
    +- `$(MB_BUILD_TAG)` : the `tor-browser-build` build tag used to build a given Mullvad Browser version
    
    26
    +    - **example** : `mb-12.0.7-build1`
    
    23 27
     </details>
    
    24 28
     
    
    25
    -**NOTE** It is assumed that the `tor-browser` rebase and security backport tasks have been completed
    
    29
    +**NOTE** It is assumed that the `tor-browser` stable rebase and security backport tasks have been completed
    
    26 30
     
    
    27 31
     <details>
    
    28
    -  <summary>Build Configs</summary>
    
    32
    +  <summary>Building</summary>
    
    29 33
     
    
    30
    -### tor-browser-build: https://gitlab.mullvadproject.org/tpo/applications/tor-browser-build.git
    
    34
    +### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git
    
    31 35
     Mullvad Browser Stable lives in the various `maint-$(MULLVAD_BROWSER_MAJOR).$(MULLVAD_BROWSER_MINOR)` (and possibly more specific) branches
    
    32 36
     
    
    33 37
     - [ ] Update `rbm.conf`
    
    ... ... @@ -57,30 +61,55 @@ Mullvad Browser Stable lives in the various `maint-$(MULLVAD_BROWSER_MAJOR).$(MU
    57 61
           - [ ] `URL`
    
    58 62
           - [ ] `sha256sum`
    
    59 63
     - [ ] Open MR with above changes
    
    60
    -- [ ] Begin build on `$(BUILD_SERVER)` (and fix any issues which come up and update MR)
    
    61 64
     - [ ] Merge
    
    62 65
     - [ ] Sign/Tag commit: `make mullvadbrowser-signtag-release`
    
    63 66
     - [ ] Push tag to `origin`
    
    67
    +- [ ] Begin build on `$(BUILD_SERVER)` (fix any issues in subsequent MRs)
    
    68
    +- [ ] **TODO** Submit build-tag to Mullvad build infra
    
    69
    +- [ ] Ensure builders have matching builds
    
    70
    +
    
    71
    +</details>
    
    72
    +
    
    73
    +<details>
    
    74
    +  <summary>QA</summary>
    
    75
    +
    
    76
    +### send the build
    
    77
    +
    
    78
    +  - [ ] Email Mullvad QA: support@mullvad.net, rui@mullvad.net
    
    79
    +    <details>
    
    80
    +      <summary>email template</summary>
    
    81
    +
    
    82
    +        Subject:
    
    83
    +        New build: Mullvad Browser $(MULLVAD_BROWSER_VERION) (unsigned)
    
    84
    +
    
    85
    +        Body:
    
    86
    +        unsigned builds: https://tb-build-05.torproject.org/~$(BUILDER)/builds/mullvadbrowser/release/unsigned/$(MB_BUILD_TAG)
    
    87
    +
    
    88
    +        changelog:
    
    89
    +        ...
    
    90
    +
    
    91
    +    </details>
    
    92
    +
    
    93
    +    - ***(Optional)*** Add additional information:
    
    94
    +      - [ ] Note any new functionality which needs testing
    
    95
    +      - [ ] Link to any known issues
    
    64 96
     
    
    65 97
     </details>
    
    66 98
     
    
    67 99
     <details>
    
    68 100
       <summary>Signing</summary>
    
    69 101
     
    
    70
    -### signing + publishing
    
    71
    -- [ ] Ensure builders have matching builds
    
    102
    +### signing
    
    72 103
     - [ ] On `$(STAGING_SERVER)`, ensure updated:
    
    73
    -  - [ ] `tor-browser-build/tools/signing/set-config`
    
    74
    -    - `NSS_DB_DIR` : location of the `nssdb7` direcmullvady
    
    75 104
       - [ ]  `tor-browser-build/tools/signing/set-config.hosts`
    
    76 105
         - `ssh_host_builder` : ssh hostname of machine with unsigned builds
    
    77
    -      - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` direcmullvady)
    
    106
    +      - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory)
    
    78 107
         - `ssh_host_linux_signer` : ssh hostname of linux signing machine
    
    79 108
         - `ssh_host_macos_signer` : ssh hostname of macOS signing machine
    
    80 109
       - [ ] `tor-browser-build/tools/signing/set-config.macos-notarization`
    
    81 110
         - `macos_notarization_user` : the email login for a mullvad notariser Apple Developer account
    
    82 111
       - [ ] `set-config.update-responses`
    
    83
    -    - `update_responses_reposimullvady_dir` : direcmullvady where you cloned `git@gitlab.mullvadproject.org:tpo/applications/mullvad-browser-update-responses.git`
    
    112
    +    - `update_responses_repository_dir` : directory where you cloned `git@gitlab.torproject.org:tpo/applications/mullvad-browser-update-responses.git`
    
    84 113
       - [ ] `tor-browser-build/tools/signing/set-config.tbb-version`
    
    85 114
         - `tbb_version` : mullvad browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`)
    
    86 115
         - `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`)
    
    ... ... @@ -91,7 +120,7 @@ Mullvad Browser Stable lives in the various `maint-$(MULLVAD_BROWSER_MAJOR).$(MU
    91 120
     - [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
    
    92 121
     - [ ] run do-all-signing script:
    
    93 122
         - `cd tor-browser-build/tools/signing/`
    
    94
    -    - `./do-all-signing.sh`
    
    123
    +    - `./do-all-signing.mullvadbrowser`
    
    95 124
     - **NOTE**: at this point the signed binaries should have been copied to `staticiforme`
    
    96 125
     - [ ] Update `staticiforme.torproject.org`:
    
    97 126
       - From `screen` session on `staticiforme.torproject.org`:
    
    ... ... @@ -101,19 +130,64 @@ Mullvad Browser Stable lives in the various `maint-$(MULLVAD_BROWSER_MAJOR).$(MU
    101 130
     
    
    102 131
     </details>
    
    103 132
     
    
    133
    +<details>
    
    134
    +  <summary>Publishing</summary>
    
    135
    +
    
    136
    +### email
    
    137
    +
    
    138
    +- [ ] Email Mullvad with release information: support@mullvad.net, rui@mullvad.net
    
    139
    +  <details>
    
    140
    +    <summary>email template</summary>
    
    141
    +
    
    142
    +      Subject:
    
    143
    +      New build: Mullvad Browser $(MULLVAD_BROWSER_VERION) (signed)
    
    144
    +
    
    145
    +      Body:
    
    146
    +      signed builds: https://dist.torproject.org/mullvadbrowser/$(MULLVAD_BROWSER_VERSION)
    
    147
    +
    
    148
    +      update_response hashes: $(MULLVAD_UPDATE_RESPONSES_HASH)
    
    149
    +
    
    150
    +      changelog:
    
    151
    +      ...
    
    152
    +
    
    153
    +  </details>
    
    154
    +
    
    155
    +### mullvad-browser (github): https://github.com/mullvad/mullvad-browser/
    
    156
    +- [ ] Push this release's associated `mullvad-browser.git` branch to github
    
    157
    +- [ ] Push this release's associated tags to github:
    
    158
    +  - [ ] Firefox ESR tag
    
    159
    +    - **example** : `FIREFOX_102_12_0esr_BUILD1,`
    
    160
    +  - [ ] `base-browser` tag
    
    161
    +    - **example** : `base-browser-102.12.0esr-12.0-1-build1`
    
    162
    +  - [ ] `mullvad-browser` tag
    
    163
    +    - **example** : `mullvad-browser-102.12.0esr-12.0-1-build1`
    
    164
    +- [ ] Sign+Tag additionally the `mullvad-browser.git` `firefox` commit used in build:
    
    165
    +  - **Tag**: `$(MULLVAD_BROWSER_VERSION)`
    
    166
    +    - **example** : `12.0.7`
    
    167
    +  - **Message**: `$(ESR_VERSION)esr-based $(MULLVAD_BROWSER_VERSION)`
    
    168
    +    - **example** : `102.12.0esr-based 12.0.7`
    
    169
    +  - [ ] Push tag to github
    
    170
    +
    
    171
    +</details>
    
    172
    +
    
    104 173
     <details>
    
    105 174
       <summary>Downstream</summary>
    
    106 175
     
    
    107
    -### notify stakeholders
    
    176
    +### notify packagers
    
    177
    +
    
    178
    +- [ ] **(Once Mullvad Updates their Github Releases Page)** Email downstream consumers:
    
    179
    +  <details>
    
    180
    +    <summary>email template</summary>
    
    181
    +
    
    182
    +    ...
    
    183
    +
    
    184
    +    ...
    
    185
    +
    
    186
    +  </details>
    
    108 187
     
    
    109
    -- [ ] Email Mullvad with release information: rui@mullvad.net
    
    110
    -  - [ ] Build artifact download list
    
    111
    -  - [ ] New `mullvad-browser` project branch and tags
    
    112
    -  - [ ] mullvad-browser-update-responses git hash
    
    113
    -  - [ ] changelog
    
    114
    -- [ ] Email downstream consumers:
    
    115 188
       - [ ] flathub package maintainer: proletarius101@protonmail.com
    
    116 189
       - [ ] arch package maintainer: bootctl@gmail.com
    
    190
    +  - [ ] nixOS package maintainer: dev@felschr.com
    
    117 191
     
    
    118 192
     ### merge requests
    
    119 193
     
    

  • .gitlab/issue_templates/Release Prep - Tor Browser Alpha.md
    ... ... @@ -2,28 +2,34 @@
    2 2
       <summary>Explanation of variables</summary>
    
    3 3
     
    
    4 4
     - `$(BUILD_SERVER)` : the server the main builder is using to build a tor-browser release
    
    5
    +- `$(BUILDER)` : whomever is building the release on the $(BUILD_SERVER)
    
    6
    +  - **example** : `pierov`
    
    5 7
     - `$(STAGING_SERVER)` : the server the signer is using to to run the signing process
    
    6 8
     - `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc
    
    7
    -    - example : `91.6.0`
    
    9
    +  - **example** : `91.6.0`
    
    8 10
     - `$(TOR_BROWSER_MAJOR)` : the Tor Browser major version
    
    9
    -    - example : `11`
    
    11
    +  - **example** : `11`
    
    10 12
     - `$(TOR_BROWSER_MINOR)` : the Tor Browser minor version
    
    11
    -    - example : either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
    
    13
    +  - **example** : either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
    
    14
    +- `$(TOR_BROWSER_VERSION)` : the Tor Browser version in the format
    
    15
    +  - **example** : `12.5a3`, `12.0.3`
    
    12 16
     - `$(BUILD_N)` : a project's build revision within a its branch; this is separate from the `$(TOR_BROWSER_BUILD_N)` value; many of the Firefox-related projects have a `$(BUILD_N)` suffix and may differ between projects even when they contribute to the same build.
    
    13
    -    - example : `build1`
    
    17
    +  - **example** : `build1`
    
    14 18
     - `$(TOR_BROWSER_BUILD_N)` : the tor-browser build revision for a given Tor Browser release; used in tagging git commits
    
    15
    -    - example : `build2`
    
    16
    -    - **NOTE** : A project's `$(BUILD_N)` and `$(TOR_BROWSER_BUILD_N)` may be the same, but it is possible for them to diverge. For example :
    
    17
    -        - if we have multiple Tor Browser releases on a given ESR branch the two will become out of sync as the `$(BUILD_N)` value will increase, while the `$(TOR_BROWSER_BUILD_N)` value may stay at `build1` (but the `$(TOR_BROWSER_VERSION)` will increase)
    
    18
    -        - if we have build failures unrelated to `tor-browser`, the `$(TOR_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same.
    
    19
    +  - **example** : `build2`
    
    20
    +  - **NOTE** : A project's `$(BUILD_N)` and `$(TOR_BROWSER_BUILD_N)` may be the same, but it is possible for them to diverge. For example :
    
    21
    +    - if we have multiple Tor Browser releases on a given ESR branch the two will become out of sync as the `$(BUILD_N)` value will increase, while the `$(TOR_BROWSER_BUILD_N)` value may stay at `build1` (but the `$(TOR_BROWSER_VERSION)` will increase)
    
    22
    +    - if we have build failures unrelated to `tor-browser`, the `$(TOR_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same.
    
    19 23
     - `$(TOR_BROWSER_VERSION)` : the published Tor Browser version
    
    20
    -    - example : `11.5a6`, `11.0.7`
    
    24
    +    - **example** : `11.5a6`, `11.0.7`
    
    25
    +- `$(TBB_BUILD_TAG)` : the `tor-browser-build` build tag used to build a given Tor Browser version
    
    26
    +    - **example** : `tbb-12.5a7-build1`
    
    21 27
     </details>
    
    22 28
     
    
    23
    -**NOTE** It is assumed that the `tor-browser` rebase and security backport tasks have been completed
    
    29
    +**NOTE** It is assumed that the `tor-browser` stable rebase and security backport tasks have been completed
    
    24 30
     
    
    25 31
     <details>
    
    26
    -  <summary>Build Updates</summary>
    
    32
    +  <summary>Building</summary>
    
    27 33
     
    
    28 34
     ### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git
    
    29 35
     Tor Browser Alpha (and Nightly) are on the `main` branch
    
    ... ... @@ -44,7 +50,7 @@ Tor Browser Alpha (and Nightly) are on the `main` branch
    44 50
         - [ ] `steps/tor-browser/git_hash` : update with `HEAD` commit of project's `tor-browser` branch
    
    45 51
         - [ ] `steps/fenix/git_hash` : update with `HEAD` commit of project's `fenix-torbrowserstringsxml` branch
    
    46 52
     - [ ] Update Android-specific build configs
    
    47
    -  - [ ] ***(Optional)*** Update `projects/geckoview/config`
    
    53
    +  - [ ] Update `projects/geckoview/config`
    
    48 54
         - [ ] `browser_build` : update to match `tor-browser` tag
    
    49 55
         - [ ] ***(Optional)*** `var/geckoview_version` : update to latest `$(ESR_VERSION)` if rebased
    
    50 56
       - [ ] ***(Optional)*** Update `projects/tor-android-service/config`
    
    ... ... @@ -56,7 +62,6 @@ Tor Browser Alpha (and Nightly) are on the `main` branch
    56 62
         - [ ] `android_components_build` : update to match alpha android-components tag
    
    57 63
       - [ ] ***(Optional)*** Update `projects/fenix/config`
    
    58 64
         - [ ] `fenix_build` : update to match fenix tag
    
    59
    -    - [ ] ***(Optional)*** `var/fenix_version` : update to latest `$(ESR_VERSION)` if rebased
    
    60 65
       - [ ] Update allowed_addons.json by running (from `tor-browser-build` root):
    
    61 66
         - `./tools/fetch_allowed_addons.py > projects/browser/allowed_addons.json`
    
    62 67
     - [ ] Update common build configs
    
    ... ... @@ -79,14 +84,13 @@ Tor Browser Alpha (and Nightly) are on the `main` branch
    79 84
         - [ ] ***(Optional)*** Update `projects/go/config`
    
    80 85
           - [ ] `version` : update go version
    
    81 86
           - [ ] `input_files/sha256sum` for `go` : update sha256sum of archive (sha256 sums are displayed on the go download page)
    
    82
    -  - [ ] Update the manual : https://gitlab.torproject.org/tpo/web/manual/-/jobs/
    
    83
    -    - [ ] Download the `artifacts.zip` file from latest build stage row (download icon button on the right)
    
    84
    -    - [ ] Rename it to `manual_$PIPELINEID.zip`
    
    85
    -    - [ ] Upload it to people.tpo
    
    86
    -    - [ ] Update `projects/manual/config`
    
    87
    -      - [ ] Change the version to `$PIPELINEID`
    
    88
    -      - [ ] Update the hash in the input_files section
    
    89
    -      - [ ] Update the URL if you have uploaded to a different people.tpo home
    
    87
    +  - [ ] Check for manual updates by running (from `tor-browser-build` root): `./tools/fetch-manual.py`
    
    88
    +    - [ ] ***(Optional)*** If new version is available:
    
    89
    +      - [ ] Upload the downloaded `manual_$PIPELINEID.zip` file to people.tpo
    
    90
    +      - [ ] Update `projects/manual/config`:
    
    91
    +        - [ ] Change the `version` to `$PIPELINEID`
    
    92
    +        - [ ] Update `sha256sum` in the `input_files` section
    
    93
    +        - [ ] ***(Optional)*** Update the URL if you have uploaded to a different people.tpo home
    
    90 94
     - [ ] Update `ChangeLog.txt`
    
    91 95
       - [ ] Ensure ChangeLog.txt is sync'd between alpha and stable branches
    
    92 96
       - [ ] Check the linked issues: ask people to check if any are missing, remove the not fixed ones
    
    ... ... @@ -94,19 +98,26 @@ Tor Browser Alpha (and Nightly) are on the `main` branch
    94 98
         - Make sure you have `requests` installed (e.g., `apt install python3-requests`)
    
    95 99
         - The first time you run this script you will need to generate an access token; the script will guide you
    
    96 100
       - [ ] Copy the output of the script to the beginning of `ChangeLog.txt` and adjust its output
    
    97
    -    - If you used the issue number, you will need to write the Tor Browser version manually
    
    98
    -  - [ ] Include any version updates for:
    
    99
    -    - [ ] translations
    
    100
    -    - [ ] OpenSSL
    
    101
    -    - [ ] NoScript
    
    101
    +    - **NOTE** : If you used the issue number, you will need to write the Tor Browser version manually
    
    102
    +  - [ ] ***(Optional)*** Under `All Platforms` include any version updates for:
    
    103
    +    - [ ] Translations
    
    104
    +    - [ ]OpenSSL
    
    105
    +    - [ ]NoScript
    
    106
    +    - [ ]zlib
    
    107
    +    - [ ] tor daemon
    
    108
    +  - [ ] ***(Optional)*** Under `Windows + macOS + Linux` include updates for:
    
    109
    +    - [ ] Firefox
    
    110
    +  - [ ] ***(Optional)*** Under `Android`, include updates for:
    
    111
    +    - [ ] Geckoview
    
    112
    +  - [ ] ***(Optional)*** Under `Build System/All Platforms` include updates for:
    
    102 113
         - [ ] Go
    
    103
    -    - [ ] zlib
    
    104
    -  - [ ] Include any ESR rebase for Firefox and GeckoView
    
    105 114
     - [ ] Open MR with above changes
    
    106
    -- [ ] Begin build on `$(BUILD_SERVER)` (fix any issues which come up and update MR)
    
    107 115
     - [ ] Merge
    
    108 116
     - [ ] Sign/Tag commit: `make torbrowser-signtag-alpha`
    
    109 117
     - [ ] Push tag to `origin`
    
    118
    +- [ ] Begin build on `$(BUILD_SERVER)` (fix any issues in subsequent MRs)
    
    119
    +- [ ] **TODO** Submit build-tag to Mullvad build infra
    
    120
    +- [ ] Ensure builders have matching builds
    
    110 121
     
    
    111 122
     </details>
    
    112 123
     
    
    ... ... @@ -118,6 +129,10 @@ Tor Browser Alpha (and Nightly) are on the `main` branch
    118 129
       <details>
    
    119 130
         <summary>email template</summary>
    
    120 131
     
    
    132
    +      Subject:
    
    133
    +      Tor Browser $(TOR_BROWSER_VERION) (Android, Windows, macOS, Linux)
    
    134
    +
    
    135
    +      Body:
    
    121 136
           Hello All,
    
    122 137
     
    
    123 138
           Unsigned Tor Browser $(TOR_BROWSER_VERSION) alpha candidate builds are now available for testing:
    
    ... ... @@ -126,15 +141,15 @@ Tor Browser Alpha (and Nightly) are on the `main` branch
    126 141
     
    
    127 142
           The full changelog can be found here:
    
    128 143
     
    
    129
    -      - https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/raw/main/projects/browser/Bundle-Data/Docs/ChangeLog.txt
    
    144
    +      - https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/blob/$(TBB_BUILD_TAG)/ChangeLog.txt
    
    130 145
     
    
    131 146
       </details>
    
    132 147
     
    
    133 148
     - [ ] Email tor-qa mailing list: tor-qa@lists.torproject.org
    
    134
    -  - Additional information:
    
    149
    +  - ***(Optional)*** Additional information:
    
    135 150
         - [ ] Note any new functionality which needs testing
    
    136 151
         - [ ] Link to any known issues
    
    137
    -- [ ] ***(Optional, only around build/packaging changes)*** Email downstream consumers:
    
    152
    +- [ ] ***(Optional, only around build/packaging changes)*** Email packagers:
    
    138 153
       - Recipients:
    
    139 154
         - Tails dev mailing list: tails-dev@boum.org
    
    140 155
         - Guardian Project: nathan@guardianproject.info
    
    ... ... @@ -142,7 +157,7 @@ Tor Browser Alpha (and Nightly) are on the `main` branch
    142 157
         - FreeBSD port: freebsd@sysctl.cz <!-- Gitlab user maxfx -->
    
    143 158
         - OpenBSD port: caspar@schutijser.com <!-- Gitlab user cschutijser -->
    
    144 159
       - [ ] Note any changes which may affect packaging/downstream integration
    
    145
    -- [ ] Email upstream stakeholders:
    
    160
    +- [ ] Email external partners:
    
    146 161
       - ***(Optional, after ESR migration)*** Cloudflare: ask-research@cloudflare.com
    
    147 162
         - **NOTE** :  We need to provide them with updated user agent string so they can update their internal machinery to prevent Tor Browser users from getting so many CAPTCHAs
    
    148 163
     
    
    ... ... @@ -151,11 +166,9 @@ Tor Browser Alpha (and Nightly) are on the `main` branch
    151 166
     <details>
    
    152 167
       <summary>Signing</summary>
    
    153 168
     
    
    154
    -### signing + publishing
    
    155
    -- [ ] Ensure builders have matching builds
    
    169
    +### signing
    
    170
    +- **NOTE** : In practice, it's most efficient to have the blog post and website updates ready to merge, since signing doesn't take very long
    
    156 171
     - [ ] On `$(STAGING_SERVER)`, ensure updated:
    
    157
    -  - [ ] `tor-browser-build/tools/signing/set-config`
    
    158
    -    - `NSS_DB_DIR` : location of the `nssdb7` directory
    
    159 172
       - [ ]  `tor-browser-build/tools/signing/set-config.hosts`
    
    160 173
         - `ssh_host_builder` : ssh hostname of machine with unsigned builds
    
    161 174
           - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory)
    
    ... ... @@ -182,7 +195,7 @@ Tor Browser Alpha (and Nightly) are on the `main` branch
    182 195
       - [ ] Static update components : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org`
    
    183 196
       - [ ] Enable update responses : `sudo -u tb-release ./deploy_update_responses-alpha.sh`
    
    184 197
       - [ ] Remove old release data from following places:
    
    185
    -    - **NOTE** : Skip this step if the current release is Android or Desktop *only*
    
    198
    +    - **NOTE** : Skip this step if we need to hold on to older versions for some reason (for example, this is an Andoid or Desktop-only release, or if we need to hold back installers in favor of build-to-build updates if there are signing issues, etc)
    
    186 199
         - [ ] `/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser`
    
    187 200
         - [ ] `/srv/dist-master.torproject.org/htdocs/torbrowser`
    
    188 201
       - [ ] Static update components (again) : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org`
    
    ... ... @@ -236,7 +249,24 @@ Tor Browser Alpha (and Nightly) are on the `main` branch
    236 249
     - [ ] Publish after CI passes and website has been updated
    
    237 250
     
    
    238 251
     ### tor-announce mailing list
    
    239
    -- [ ] Send an email to tor-announce@lists.torproject.org, using the same content as the blog post and subject "Tor Browser $version is released".
    
    252
    +  <details>
    
    253
    +    <summary>email template</summary>
    
    254
    +
    
    255
    +      Subject:
    
    256
    +      New Release: Tor Browser $(TOR_BROWSER_VERSION) (Android, Windows, macOS, Linux)
    
    257
    +
    
    258
    +      Body:
    
    259
    +      Hi everyone,
    
    260
    +
    
    261
    +      Tor Browser $(TOR_BROWSER_VERSION) has now been published for all platforms. For details please see our blog post:
    
    262
    +
    
    263
    +      - $(BLOG_POST_URL)
    
    264
    +
    
    265
    +  </details>
    
    266
    +
    
    267
    +- [ ] Email tor-announce mailing list: tor-announce@lists.torproject.org
    
    268
    +  - **(Optional)** Additional information:
    
    269
    +    - [ ] Link to any known issues
    
    240 270
     
    
    241 271
     </details>
    
    242 272
     
    

  • .gitlab/issue_templates/Release Prep - Tor Browser Stable.md
    ... ... @@ -2,33 +2,34 @@
    2 2
       <summary>Explanation of variables</summary>
    
    3 3
     
    
    4 4
     - `$(BUILD_SERVER)` : the server the main builder is using to build a tor-browser release
    
    5
    +- `$(BUILDER)` : whomever is building the release on the $(BUILD_SERVER)
    
    6
    +  - **example** : `pierov`
    
    5 7
     - `$(STAGING_SERVER)` : the server the signer is using to to run the signing process
    
    6 8
     - `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc
    
    7
    -  - example : `91.6.0`
    
    8
    -- `$(ESR_TAG)` : the Mozilla defined hg (Mercurial) tag associated with `$(ESR_VERSION)`
    
    9
    -  - exmaple : `FIREFOX_91_7_0esr_BUILD2`
    
    10
    -- `$(ESR_TAG_PREV)` : the Mozilla defined hg (Mercurial) tag associated with the previous ESR version when rebasing (ie, the ESR version we are rebasing from)
    
    9
    +  - **example** : `91.6.0`
    
    11 10
     - `$(TOR_BROWSER_MAJOR)` : the Tor Browser major version
    
    12
    -  - example : `11`
    
    11
    +  - **example** : `11`
    
    13 12
     - `$(TOR_BROWSER_MINOR)` : the Tor Browser minor version
    
    14
    -  - example : either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
    
    13
    +  - **example** : either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
    
    15 14
     - `$(TOR_BROWSER_VERSION)` : the Tor Browser version in the format
    
    16
    -  - example: `12.5a3`, `12.0.3`
    
    15
    +  - **example** : `12.5a3`, `12.0.3`
    
    17 16
     - `$(BUILD_N)` : a project's build revision within a its branch; this is separate from the `$(TOR_BROWSER_BUILD_N)` value; many of the Firefox-related projects have a `$(BUILD_N)` suffix and may differ between projects even when they contribute to the same build.
    
    18
    -    - example : `build1`
    
    17
    +  - **example** : `build1`
    
    19 18
     - `$(TOR_BROWSER_BUILD_N)` : the tor-browser build revision for a given Tor Browser release; used in tagging git commits
    
    20
    -    - example : `build2`
    
    21
    -    - **NOTE** : A project's `$(BUILD_N)` and `$(TOR_BROWSER_BUILD_N)` may be the same, but it is possible for them to diverge. For example :
    
    22
    -        - if we have multiple Tor Browser releases on a given ESR branch the two will become out of sync as the `$(BUILD_N)` value will increase, while the `$(TOR_BROWSER_BUILD_N)` value may stay at `build1` (but the `$(TOR_BROWSER_VERSION)` will increase)
    
    23
    -        - if we have build failures unrelated to `tor-browser`, the `$(TOR_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same.
    
    19
    +  - **example** : `build2`
    
    20
    +  - **NOTE** : A project's `$(BUILD_N)` and `$(TOR_BROWSER_BUILD_N)` may be the same, but it is possible for them to diverge. For example :
    
    21
    +    - if we have multiple Tor Browser releases on a given ESR branch the two will become out of sync as the `$(BUILD_N)` value will increase, while the `$(TOR_BROWSER_BUILD_N)` value may stay at `build1` (but the `$(TOR_BROWSER_VERSION)` will increase)
    
    22
    +    - if we have build failures unrelated to `tor-browser`, the `$(TOR_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same.
    
    24 23
     - `$(TOR_BROWSER_VERSION)` : the published Tor Browser version
    
    25
    -    - example : `11.5a6`, `11.0.7`
    
    24
    +    - **example** : `11.5a6`, `11.0.7`
    
    25
    +- `$(TBB_BUILD_TAG)` : the `tor-browser-build` build tag used to build a given Tor Browser version
    
    26
    +    - **example** : `tbb-12.0.7-build1`
    
    26 27
     </details>
    
    27 28
     
    
    28
    -**NOTE** It is assumed that the `tor-browser` rebase and security backport tasks have been completed
    
    29
    +**NOTE** It is assumed that the `tor-browser` stable rebase and security backport tasks have been completed
    
    29 30
     
    
    30 31
     <details>
    
    31
    -  <summary>Build Configs</summary>
    
    32
    +  <summary>Building</summary>
    
    32 33
     
    
    33 34
     ### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git
    
    34 35
     Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)` (and possibly more specific) branches
    
    ... ... @@ -37,7 +38,7 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE
    37 38
       - [ ] `var/torbrowser_version` : update to next version
    
    38 39
       - [ ] `var/torbrowser_build` : update to `$(TOR_BROWSER_BUILD_N)`
    
    39 40
       - [ ] ***(Desktop Only)***`var/torbrowser_incremental_from` : update to previous Desktop version
    
    40
    -    - **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make incrementals-*` step will fail
    
    41
    +    - **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make torbrowser-incrementals-*` step will fail
    
    41 42
     - [ ] Update Desktop-specific build configs
    
    42 43
       - [ ] Update `projects/firefox/config`
    
    43 44
         - [ ] `browser_build` : update to match `tor-browser` tag
    
    ... ... @@ -49,7 +50,7 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE
    49 50
         - [ ] `steps/tor-browser/git_hash` : update with `HEAD` commit of project's `tor-browser` branch
    
    50 51
         - [ ] `steps/fenix/git_hash` : update with `HEAD` commit of project's `fenix-torbrowserstringsxml` branch
    
    51 52
     - [ ] Update Android-specific build configs
    
    52
    -  - [ ] ***(Optional)*** Update `projects/geckoview/config`
    
    53
    +  - [ ] Update `projects/geckoview/config`
    
    53 54
         - [ ] `browser_build` : update to match `tor-browser` tag
    
    54 55
         - [ ] ***(Optional)*** `var/geckoview_version` : update to latest `$(ESR_VERSION)` if rebased
    
    55 56
       - [ ] ***(Optional)*** Update `projects/tor-android-service/config`
    
    ... ... @@ -58,10 +59,9 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE
    58 59
         **NOTE** we don't currently have any of our own patches for this project
    
    59 60
         - [ ] `git_hash` : update to appropriate git commit associated with `$(ESR_VERSION)`
    
    60 61
       - [ ] ***(Optional)*** Update `projects/android-components/config`:
    
    61
    -    - [ ] `android_components_build` : update to match android-components tag
    
    62
    +    - [ ] `android_components_build` : update to match stable android-components tag
    
    62 63
       - [ ] ***(Optional)*** Update `projects/fenix/config`
    
    63 64
         - [ ] `fenix_build` : update to match fenix tag
    
    64
    -    - [ ] ***(Optional)*** `var/fenix_version` : update to latest `$(ESR_VERSION)` if rebased
    
    65 65
       - [ ] Update allowed_addons.json by running (from `tor-browser-build` root):
    
    66 66
         - `./tools/fetch_allowed_addons.py > projects/browser/allowed_addons.json`
    
    67 67
     - [ ] Update common build configs
    
    ... ... @@ -84,14 +84,13 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE
    84 84
         - [ ] ***(Optional)*** Update `projects/go/config`
    
    85 85
           - [ ] `version` : update go version
    
    86 86
           - [ ] `input_files/sha256sum` for `go` : update sha256sum of archive (sha256 sums are displayed on the go download page)
    
    87
    -  - [ ] Update the manual : https://gitlab.torproject.org/tpo/web/manual/-/jobs/
    
    88
    -    - [ ] Download the `artifacts.zip` file from latest build stage row (download icon button on the right)
    
    89
    -    - [ ] Rename it to `manual_$PIPELINEID.zip`
    
    90
    -    - [ ] Upload it to people.tpo
    
    91
    -    - [ ] Update `projects/manual/config`
    
    92
    -      - [ ] Change the version to `$PIPELINEID`
    
    93
    -      - [ ] Update the hash in the input_files section
    
    94
    -      - [ ] Update the URL if you have uploaded to a different people.tpo home
    
    87
    +  - [ ] Check for manual updates by running (from `tor-browser-build` root): `./tools/fetch-manual.py`
    
    88
    +    - [ ] ***(Optional)*** If new version is available:
    
    89
    +      - [ ] Upload the downloaded `manual_$PIPELINEID.zip` file to people.tpo
    
    90
    +      - [ ] Update `projects/manual/config`:
    
    91
    +        - [ ] Change the `version` to `$PIPELINEID`
    
    92
    +        - [ ] Update `sha256sum` in the `input_files` section
    
    93
    +        - [ ] ***(Optional)*** Update the URL if you have uploaded to a different people.tpo home
    
    95 94
     - [ ] Update `ChangeLog.txt`
    
    96 95
       - [ ] Ensure ChangeLog.txt is sync'd between alpha and stable branches
    
    97 96
       - [ ] Check the linked issues: ask people to check if any are missing, remove the not fixed ones
    
    ... ... @@ -99,19 +98,26 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE
    99 98
         - Make sure you have `requests` installed (e.g., `apt install python3-requests`)
    
    100 99
         - The first time you run this script you will need to generate an access token; the script will guide you
    
    101 100
       - [ ] Copy the output of the script to the beginning of `ChangeLog.txt` and adjust its output
    
    102
    -    - If you used the issue number, you will need to write the Tor Browser version manually
    
    103
    -  - [ ] Include any version updates for:
    
    104
    -    - [ ] translations
    
    105
    -    - [ ] OpenSSL
    
    106
    -    - [ ] NoScript
    
    101
    +    - **NOTE** : If you used the issue number, you will need to write the Tor Browser version manually
    
    102
    +  - [ ] ***(Optional)*** Under `All Platforms` include any version updates for:
    
    103
    +    - [ ] Translations
    
    104
    +    - [ ]OpenSSL
    
    105
    +    - [ ]NoScript
    
    106
    +    - [ ]zlib
    
    107
    +    - [ ] tor daemon
    
    108
    +  - [ ] ***(Optional)*** Under `Windows + macOS + Linux` include updates for:
    
    109
    +    - [ ] Firefox
    
    110
    +  - [ ] ***(Optional)*** Under `Android`, include updates for:
    
    111
    +    - [ ] Geckoview
    
    112
    +  - [ ] ***(Optional)*** Under `Build System/All Platforms` include updates for:
    
    107 113
         - [ ] Go
    
    108
    -    - [ ] zlib
    
    109
    -  - [ ] Include any ESR rebase for Firefox and GeckoView
    
    110 114
     - [ ] Open MR with above changes
    
    111
    -- [ ] Begin build on `$(BUILD_SERVER)` (and fix any issues which come up and update MR)
    
    112 115
     - [ ] Merge
    
    113 116
     - [ ] Sign/Tag commit: `make torbrowser-signtag-release`
    
    114 117
     - [ ] Push tag to `origin`
    
    118
    +- [ ] Begin build on `$(BUILD_SERVER)` (fix any issues in subsequent MRs)
    
    119
    +- [ ] **TODO** Submit build-tag to Mullvad build infra
    
    120
    +- [ ] Ensure builders have matching builds
    
    115 121
     
    
    116 122
     </details>
    
    117 123
     
    
    ... ... @@ -123,6 +129,10 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE
    123 129
       <details>
    
    124 130
         <summary>email template</summary>
    
    125 131
     
    
    132
    +      Subject:
    
    133
    +      Tor Browser $(TOR_BROWSER_VERION) (Android, Windows, macOS, Linux)
    
    134
    +
    
    135
    +      Body:
    
    126 136
           Hello All,
    
    127 137
     
    
    128 138
           Unsigned Tor Browser $(TOR_BROWSER_VERSION) release candidate builds are now available for testing:
    
    ... ... @@ -131,36 +141,31 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE
    131 141
     
    
    132 142
           The full changelog can be found here:
    
    133 143
     
    
    134
    -      - https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/raw/maint-12.0/projects/browser/Bundle-Data/Docs/ChangeLog.txt
    
    144
    +      - https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/blob/$(TBB_BUILD_TAG)/ChangeLog.txt
    
    135 145
     
    
    136 146
       </details>
    
    137 147
     
    
    138 148
     - [ ] Email tor-qa mailing list: tor-qa@lists.torproject.org
    
    139
    -  - Additional information:
    
    149
    +  - ***(Optional)*** Additional information:
    
    140 150
         - [ ] Note any new functionality which needs testing
    
    141 151
         - [ ] Link to any known issues
    
    142
    -- [ ] Email downstream consumers:
    
    152
    +- [ ] Email packagers:
    
    143 153
       - Recipients:
    
    144 154
         - Tails dev mailing list: tails-dev@boum.org
    
    145 155
         - Guardian Project: nathan@guardianproject.info
    
    146 156
         - torbrowser-launcher: micah@micahflee.com
    
    147 157
         - FreeBSD port: freebsd@sysctl.cz <!-- Gitlab user maxfx -->
    
    148 158
         - OpenBSD port: caspar@schutijser.com <!-- Gitlab user cschutijser -->
    
    149
    -  - [ ] Note any changes which may affect packaging/downstream integration
    
    150
    -- [ ] Email upstream stakeholders:
    
    151
    -  - ***(Optional, after ESR migration)*** Cloudflare: ask-research@cloudflare.com
    
    152
    -    - **NOTE** :  We need to provide them with updated user agent string so they can update their internal machinery to prevent Tor Browser users from getting so many CAPTCHAs
    
    159
    +  - [ ] ***(Optional)*** Note any changes which may affect packaging/downstream integration
    
    153 160
     
    
    154 161
     </details>
    
    155 162
     
    
    156 163
     <details>
    
    157 164
       <summary>Signing</summary>
    
    158 165
     
    
    159
    -### signing + publishing
    
    160
    -- [ ] Ensure builders have matching builds
    
    166
    +### signing
    
    167
    +- **NOTE** : In practice, it's most efficient to have the blog post and website updates ready to merge, since signing doesn't take very long
    
    161 168
     - [ ] On `$(STAGING_SERVER)`, ensure updated:
    
    162
    -  - [ ] `tor-browser-build/tools/signing/set-config`
    
    163
    -    - `NSS_DB_DIR` : location of the `nssdb7` directory
    
    164 169
       - [ ]  `tor-browser-build/tools/signing/set-config.hosts`
    
    165 170
         - `ssh_host_builder` : ssh hostname of machine with unsigned builds
    
    166 171
           - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory)
    
    ... ... @@ -180,14 +185,14 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE
    180 185
     - [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
    
    181 186
     - [ ] run do-all-signing script:
    
    182 187
         - `cd tor-browser-build/tools/signing/`
    
    183
    -    - `./do-all-signing.sh`
    
    188
    +    - `./do-all-signing.torbrowser`
    
    184 189
     - **NOTE**: at this point the signed binaries should have been copied to `staticiforme`
    
    185 190
     - [ ] Update `staticiforme.torproject.org`:
    
    186 191
       - From `screen` session on `staticiforme.torproject.org`:
    
    187 192
       - [ ] Static update components : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org`
    
    188 193
       - [ ] Enable update responses : `sudo -u tb-release ./deploy_update_responses-release.sh`
    
    189 194
       - [ ] Remove old release data from following places:
    
    190
    -    - **NOTE** : Skip this step if the current release is Android or Desktop *only*
    
    195
    +    - **NOTE** : Skip this step if we need to hold on to older versions for some reason (for example, this is an Andoid or Desktop-only release, or if we need to hold back installers in favor of build-to-build updates if there are signing issues, etc)
    
    191 196
         - [ ] `/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser`
    
    192 197
         - [ ] `/srv/dist-master.torproject.org/htdocs/torbrowser`
    
    193 198
     - [ ] Static update components (again) : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org`
    
    ... ... @@ -241,7 +246,24 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE
    241 246
     - [ ] Publish after CI passes and website has been updated
    
    242 247
     
    
    243 248
     ### tor-announce mailing list
    
    244
    -- [ ] Send an email to tor-announce@lists.torproject.org, using the same content as the blog post and subject "Tor Browser $version is released".
    
    249
    +  <details>
    
    250
    +    <summary>email template</summary>
    
    251
    +
    
    252
    +      Subject:
    
    253
    +      New Release: Tor Browser $(TOR_BROWSER_VERSION) (Android, Windows, macOS, Linux)
    
    254
    +
    
    255
    +      Body:
    
    256
    +      Hi everyone,
    
    257
    +
    
    258
    +      Tor Browser $(TOR_BROWSER_VERSION) has now been published for all platforms. For details please see our blog post:
    
    259
    +
    
    260
    +      - $(BLOG_POST_URL)
    
    261
    +
    
    262
    +  </details>
    
    263
    +
    
    264
    +- [ ] Email tor-announce mailing list: tor-announce@lists.torproject.org
    
    265
    +  - **(Optional)** Additional information:
    
    266
    +    - [ ] Link to any known issues
    
    245 267
     
    
    246 268
     </details>
    
    247 269
     
    

  • .gitlab/merge_request_templates/default.md
    ... ... @@ -2,20 +2,52 @@
    2 2
     
    
    3 3
     <!-- Bookkeeping information for release management -->
    
    4 4
     
    
    5
    -- ### Related Issues
    
    6
    -  - tor-browser#xxxxx
    
    7
    -  - tor-browser-build#xxxxx
    
    8
    -  - etc
    
    5
    +### Related Issues
    
    6
    +- tor-browser#xxxxx
    
    7
    +- mullvad-browser#xxxxx
    
    8
    +- tor-browser-build#xxxxx
    
    9 9
     
    
    10
    -- ### Backport Timeline
    
    11
    -  - [ ] **Immediate** - patchsets for critical bug fixes or other major blocker (e.g. fixes for a 0-day exploit) OR patchsets with trivial changes which do not need testing (e.g. fixes for typos or fixes easily verified in a local developer build)
    
    12
    -  - [ ] **Next Minor Stable Release** - patchset that needs to be verified in nightly before backport
    
    13
    -  - [ ] **Eventually** - patchset that needs to be verified in alpha before backport
    
    14
    -  - [ ] **No Backport** - patchset for the next major stable
    
    10
    +### Backporting
    
    15 11
     
    
    16
    -- ### Issue Tracking
    
    17
    -  - [ ] Link resolved issues with appropriate [Release Prep issue](https://gitlab.torproject.org/groups/tpo/applications/-/issues/?sort=updated_desc&state=opened&label_name%5B%5D=Release%20Prep&first_page_size=20) for changelog generation
    
    12
    +#### Timeline
    
    13
    +- [ ] **Immediate**: patchset needed as soon as possible
    
    14
    +- [ ] **Next Minor Stable Release**: patchset that needs to be verified in nightly before backport
    
    15
    +- [ ] **Eventually**: patchset that needs to be verified in alpha before backport
    
    16
    +- [ ] **No Backport (preferred)**: patchset for the next major stable
    
    18 17
     
    
    19
    -## Change Description
    
    18
    +#### (Optional) Justification
    
    19
    +- [ ] **Emergency security update**: patchset fixes CVEs, 0-days, etc
    
    20
    +- [ ] **Censorship event**: patchset enables censorship circumvention
    
    21
    +- [ ] **Critical bug-fix**: patchset fixes a bug in core-functionality
    
    22
    +- [ ] **Consistency**: patchset which would make development easier if it were in both the alpha and release branches; developer tools, build system changes, etc
    
    23
    +- [ ] **Sponsor required**: patchset required for sponsor
    
    24
    +- [ ] **Other**: please explain
    
    20 25
     
    
    21
    -<!-- Whatever context the reviewer needs to effectively review the patchset -->
    \ No newline at end of file
    26
    +### Issue Tracking
    
    27
    +- [ ] Link resolved issues with appropriate [Release Prep issue](https://gitlab.torproject.org/groups/tpo/applications/-/issues/?sort=updated_desc&state=opened&label_name%5B%5D=Release%20Prep&first_page_size=20) for changelog generation
    
    28
    +
    
    29
    +### Review
    
    30
    +
    
    31
    +#### Request Reviewer
    
    32
    +
    
    33
    +- [ ] Request review from an applications developer depending on modified system:
    
    34
    +  - **NOTE**: if the MR modifies multiple areas, please `/cc` all the relevant reviewers (since gitlab only allows 1 reviewer)
    
    35
    +  - **accessibility** : henry
    
    36
    +  - **android** : dan
    
    37
    +  - **build system** : boklm
    
    38
    +  - **extensions** : ma1
    
    39
    +  - **firefox internals (XUL/JS/XPCOM)** : ma1
    
    40
    +  - **fonts** : pierov
    
    41
    +  - **frontend (implementation)** : henry
    
    42
    +  - **frontend (review)** : donuts, richard
    
    43
    +  - **localization** : henry, pierov
    
    44
    +  - **nightly builds** : boklm
    
    45
    +  - **rebases/release-prep** : dan_b, ma1, pierov, richard
    
    46
    +  - **security** : ma1
    
    47
    +  - **signing** : boklm, richard
    
    48
    +  - **updater** : pierov
    
    49
    +  - **misc/other** : pierov, richard
    
    50
    +
    
    51
    +#### Change Description
    
    52
    +
    
    53
    +<!-- Whatever context the reviewer needs to effectively review the patchset; if the patch includes UX updates be sure to include screenshots/video of how any new behaviour -->