Richard Pospesel pushed to branch tor-browser-102.8.0esr-12.5-1 at The Tor Project / Applications / Tor Browser
Commits:
85c86696 by Richard Pospesel at 2023-02-23T18:40:14+00:00
Bug 41649: Create rebase and security backport gitlab issue templates
- - - - -
3 changed files:
- + .gitlab/issue_templates/Backport Android Security Fixes.md
- + .gitlab/issue_templates/Rebase Browser - Alpha.md
- + .gitlab/issue_templates/Rebase Browser - Stable.md
Changes:
===================================== .gitlab/issue_templates/Backport Android Security Fixes.md ===================================== 
@@ -0,0 +1,88 @@ +<details> + <summary>Explanation of Variables</summary> +- `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc + - example : `102.8.0` +- `$(RR_VERSION)` : the Mozilla defined Rapid-Release version; Tor Browser for Android is based off of the `$(ESR_VERSION)`, but Mozilla's Firefox for Android is based off of the `$(RR_VERSION)` so we need to keep track of security vulnerabilities to backport from the monthly Rapid-Release train and our frozen ESR train. + - example: `110` +- `$(TOR_BROWSER_MAJOR)` : the Tor Browser major version + - example : `12` +- `$(TOR_BROWSER_MINOR)` : the Tor Browser minor version + - example : either `0` or `5`; Alpha's is always `(Stable + 5) % 10` +- `$(BUILD_N)` : a project's build revision within a its branch; many of the Firefox-related projects have a `$(BUILD_N)` suffix and may differ between projects even when they contribute to the same build. + - example : `build1` +</details> + +**NOTE:** It is assumed the `tor-browser` rebase has already happened and there exists a `build1` build tag for both `base-browser` and `tor-browser` + +### **Bookkeeping** + +- [ ] Link this issue to the appropriate [Release Prep](https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/?s...) issues (stable and alpha). + +### **Security Vulnerabilities Report** : https://www.mozilla.org/en-US/security/advisories/ + +- Potentially Affected Components: + - `firefox`/`geckoview` : https://github.com/mozilla/gecko-dev + - `application-services` : https://github.com/mozilla/application-services + - `android-components` : https://github.com/mozilla-mobile/firefox-android + - `fenix` : https://github.com/mozilla-mobile/firefox-android + +**NOTE:** `android-components` and `fenix` used to have their own repos, but since November 2022 they have converged to a single `firefox-android` repo. 
Any backports will require manually porting patches over to our legacy repos. + +- [ ] Go through any `Security Vulnerabilities fixed in Firefox $(RR_VERSION)` (or similar) and create a candidate list of CVEs which potentially need to be backported in this issue: + - CVEs which are explicitly labeled as 'Android' only + - CVEs which are fixed in Rapid Release but not in ESR + - 'Memory safety bugs' fixed in Rapid Release but not in ESR +- [ ] Foreach issue: + - Create link to the CVE on [mozilla.org](https://www.mozilla.org/en-US/security/advisories/) + - example: https://www.mozilla.org/en-US/security/advisories/mfsa2023-05/#CVE-2023-2574... + - Create link to the associated Bugzilla issues (found in the CVE description) + - Create a link to the relevant `gecko-dev`/other commit hashes which need to be backported OR a brief justification for why the fix does not need to be backported + - To find the `gecko-dev` version of a `mozilla-central`, search for a unique string in the relevant `mozilla-central` commit message in the `gecko-dev/release` branch log. + - **NOTE:** This process is unfortunately somewhat poorly defined/ad-hoc given the general variation in how Bugzilla issues are labeled and resolved. In general this is going to involve a bit of hunting to identify needed commits or determining whether or not the fix is relevant. 
+ + +### **tor-browser** : https://gitlab.torproject.org/tpo/applications/tor-browser.git +- [ ] Backport any Android-specific security fixes from Firefox rapid-release + - [ ] Sign/Tag commit: + - Tag : `tor-browser-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)` + - Message: `Tagging $(BUILD_N) for $(ESR_VERSION)-based alpha)` + - [ ] Push tag to `origin` +**OR** +- [ ] No backports + +### **application-services** : *TODO: we will need to setup a gitlab copy of this repo that we can apply security backports to if there are ever any security issues here* +- [ ] Backport any Android-specific security fixes from Firefox rapid-release + - [ ] Sign/Tag commit: + - Tag : `application-services-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)` + - Message: `Tagging $(BUILD_N) for $(ESR_VERSION)-based alpha` + - [ ] Push tag to `origin` + **OR** +- [ ] No backports + + +### **android-components** : https://gitlab.torproject.org/tpo/applications/android-components.git +- [ ] Backport any Android-specific security fixes from Firefox rapid-release + - **NOTE**: Since November 2022, this repo has been merged with `fenix` into a singular `firefox-android` repo: https://github.com/mozilla-mobile/firefox-android. Any backport will require a patch rewrite to apply to our legacy `android-components` project. + - [ ] Sign/Tag commit: + - Tag : `android-components-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)` + - Message: `Tagging $(BUILD_N) for $(ESR_VERSION)-based alpha)` + - [ ] Push tag to `origin` +**OR** +- [ ] No backports + + +### **fenix** : https://gitlab.torproject.org/tpo/applications/fenix.git +- [ ] Backport any Android-specific security fixes from Firefox rapid-release + - **NOTE**: Since February 2023, this repo has been merged with `android-components` into a singular `firefox-android` repo: https://github.com/mozilla-mobile/firefox-android. 
Any backport will require a patch rewrite to apply to our legacy `fenix` project. + - [ ] Sign/Tag commit: + - Tag : `tor-browser-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)` + - Message: `Tagging $(BUILD_N) for $(ESR_VERSION)-based alpha)` + - [ ] Push tag to `origin` +**OR** +- [ ] No backports + +### CVEs + +<!-- Create CVE resolution here --> + +/confidential
===================================== .gitlab/issue_templates/Rebase Browser - Alpha.md ===================================== 
@@ -0,0 +1,81 @@ +**NOTE:** All examples reference the rebase from 102.7.0esr to 102.8.0esr + +<details> + <summary>Explanation of Variables</summary> +- `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc + - example : `102.8.0` +- `$(ESR_TAG)` : the Mozilla defined hg (Mercurial) tag associated with `$(ESR_VERSION)` + - example : `FIREFOX_102_8_0esr_RELEASE` +- `$(ESR_TAG_PREV)` : the Mozilla defined hg (Mercurial) tag associated with the previous ESR version when rebasing (ie, the ESR version we are rebasing from) +- `$(BROWSER_MAJOR)` : the browser major version + - example : `12` +- `$(BROWSER_MINOR)` : the browser minor version + - example : either `0` or `5`; Alpha's is always `(Stable + 5) % 10` +- `$(BASE_BROWSER_BRANCH)` : the full name of the current `base-browser` branch + - example: `base-browser-102.8.0esr-12.5-1` +- `$(BASE_BROWSER_BRANCH_PREV)` : the full name of the previous `base-browser` branch + - example: `base-browser-102.7.0esr-12.5-1` +- `$(TOR_BROWSER_BRANCH)` : the full name of the current `tor-browser` branch + - example: `tor-browser-102.8.0esr-12.5-1` +- `$(TOR_BROWSER_BRANCH_PREV)` : the full name of the previous `tor-browser` branch + - example: `tor-browser-102.7.0esr-12.5-1` +</details> + +**NOTE:** It is assumed that we've already identified the new esr branch during the tor-browser stable rebase + +### **Bookkeeping** + +- [ ] Link this issue to the appropriate [Release Prep](https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/?s...) issue. 
+ +### **Rebase base-browser** + +- [ ] Checkout a new branch for the `base-browser` rebase + - example: `git branch base-browser-rebase FIREFOX_102_8_0esr_BUILD1` +- [ ] Cherry-pick the previous `base-browser` commits up to `base-browser`'s `build1` tag onto new `base-browser` rebase branch + - example: `git cherry-pick FIREFOX_102_7_0esr_BUILD1..base-browser-102.7.0esr-12.5-1-build1` +- [ ] Rebase and autosquash these cherry-picked commits + - example: `git rebase --autosquash --interactive FIREFOX_102_8_0esr_BUILD1 HEAD` +- [ ] Cherry-pick remainder of patches after the `build1` tag + - example: `git cherry-pick base-browser-102.7.0esr-12.5-1-build1 origin/base-browser-102.7.0esr-12.5-1` +- [ ] Compare patch sets to ensure nothing *weird* happened during conflict resolution: + - [ ] diff of diffs: + - Do the diff between `current_patchset.diff` and `rebased_patchset.diff` with your preferred difftool and look at differences on lines that starts with + or - + - `git diff $(ESR_TAG_PREV)..$(BASE_BROWSER_BRANCH_PREV) > current_patchset.diff` + - `git diff $(ESR_TAG)..$(BASE_BROWSER_BRANCH) > rebased_patchset.diff` + - diff `current_patchset.diff` and `rebased_patchset.diff` + - If everything went correctly, the only lines which should differ should be the lines starting with `index abc123...def456` + - [ ] rangediff: `git range-diff $(ESR_TAG_PREV)..$(BASE_BROWSER_BRANCH_PREV) $(ESR_TAG)..HEAD` + - example: `git range-dif FIREFOX_102_7_0esr_BUILD1..origin/base-browser-102.7.0esr-12.5-1 FIREFOX_102_8_0esr_BUILD1..HEAD` +- [ ] Open MR for the `base-browser` rebase +- [ ] Merge +- [ ] Sign/Tag HEAD of the merged new `base-browser` branch: + - Tag : `base-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1-build1` + - Message : `Tagging build1 for $(ESR_VERSION)esr-based alpha` +- [ ] Push tag to `origin` + +### **Rebase tor-browser** + +- [ ] Checkout a new branch for the `tor-browser` rebase starting from the `base-browser` `build1` tag + - example: `git 
branch tor-browser-rebase base-browser-102.8.0esr-12.5-1-build1` +- [ ] Cherry-pick the previous `tor-browser` commits from `base-browser`'s previous `build1` tag up to `tor-browser`'s newest `buildN` tag (not necessarily `build1` if we have multiple build tags) + - example: `git cherry-pick base-browser-102.7.0esr-12.5-1-build1..tor-browser-102.7.0esr-12.5-1-build1` +- [ ] Rebase and autosquash these cherry-picked commits (from the last new `base-browser` commit to `HEAD`) + - example: `git rebase --autosquash --interactive base-browser-102.8.0esr-12.5-1-build1 HEAD` +- [ ] Cherry-pick remainder of patches after the last `buildN` tag + - example: `git cherry-pick base-browser-102.7.0esr-12.5-1-build1..origin/tor-browser-102.7.0esr-12.5-1` +- [ ] Compare patch sets to ensure nothing *weird* happened during conflict resolution: + - [ ] diff of diffs: + - Do the diff between `current_patchset.diff` and `rebased_patchset.diff` with your preferred difftool and look at differences on lines that starts with + or - + - `git diff $(ESR_TAG_PREV)..$(BROWSER_BRANCH_PREV) > current_patchset.diff` + - `git diff $(ESR_TAG)..$(BROWSER_BRANCH) > rebased_patchset.diff` + - diff `current_patchset.diff` and `rebased_patchset.diff` + - If everything went correctly, the only lines which should differ should be the lines starting with `index abc123...def456` + - [ ] rangediff: `git range-diff $(ESR_TAG_PREV)..$(TOR_BROWSER_BRANCH_PREV) $(ESR_TAG)..HEAD` + - example: `git range-dif FIREFOX_102_7_0esr_BUILD1..origin/tor-browser-102.7.0esr-12.5-1 FIREFOX_102_8_0esr_BUILD1..HEAD` +- [ ] Open MR for the `tor-browser` rebase +- [ ] Merge +- [ ] Sign/Tag HEAD of the merged new `tor-browser` branch: + - Tag : `tor-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1-build1` + - Message : `Tagging build1 for $(ESR_VERSION)esr-based alpha` +- [ ] Push tag to `origin` +
===================================== .gitlab/issue_templates/Rebase Browser - Stable.md ===================================== 
@@ -0,0 +1,100 @@ +**NOTE:** All examples reference the rebase from 102.7.0esr to 102.8.0esr + +<details> + <summary>Explanation of variables</summary> +- `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc + - example : `102.8.0` +- `$(ESR_TAG)` : the Mozilla defined hg (Mercurial) tag associated with `$(ESR_VERSION)` + - example : `FIREFOX_102_8_0esr_RELEASE` +- `$(ESR_TAG_PREV)` : the Mozilla defined hg (Mercurial) tag associated with the previous ESR version when rebasing (ie, the ESR version we are rebasing from) +- `$(BROWSER_MAJOR)` : the browser major version + - example : `12` +- `$(BROWSER_MINOR)` : the browser minor version + - example : either `0` or `5`; Alpha's is always `(Stable + 5) % 10` +- `$(BASE_BROWSER_BRANCH)` : the full name of the current `base-browser` branch + - example: `base-browser-102.8.0esr-12.0-1` +- `$(BASE_BROWSER_BRANCH_PREV)` : the full name of the previous `base-browser` branch + - example: `base-browser-102.7.0esr-12.0-1` +- `$(TOR_BROWSER_BRANCH)` : the full name of the current `tor-browser` branch + - example: `tor-browser-102.8.0esr-12.0-1` +- `$(TOR_BROWSER_BRANCH_PREV)` : the full name of the previous `tor-browser` branch + - example: `tor-browser-102.7.0esr-12.0-1` +</details> + +### **Bookkeeping** + +- [ ] Link this issue to the appropriate [Release Prep](https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/?s...) issue. 
+ +### **Identify the Firefox Tagged Commit and Create New Branches** + +- [ ] Find the Firefox mercurial tag here : https://hg.mozilla.org/releases/mozilla-esr102/tags + - example: `FIREFOX_102_8_0esr_BUILD1` +- [ ] Find the analogous `gecko-dev` commit : https://github.com/mozilla/gecko-dev + - Search for unique string found in the mercurial commit in the `gecko-dev/esr102` branch + - example: 3a3a96c9eedd02296d6652dd50314fccbc5c4845 +- [ ] Sign and Tag `gecko-dev` commit + - Sign/Tag `gecko-dev` commit : + - Tag : `$(ESR_TAG)` + - Message : `Hg tag $(ESR_TAG)` +- [ ] Create new stable `base-browser` branch from tag + - branch name in the form: `base-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1` + - example: `base-browser-102.8.0esr-12.0-1` +- [ ] Create new stable `tor-browser` branch from + - branch name in the form: `tor-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1` + - example: `tor-browser-102.8.0esr-12.0-1` +- [ ] Push new `base-browser` branch to `origin` +- [ ] Push new `tor-browser` branch to `origin` +- [ ] Push new `$(ESR_TAG)` to `origin` + +### **Rebase base-browser** + +- [ ] Checkout a new branch for the `base-browser` rebase + - example: `git branch base-browser-rebase FIREFOX_102_8_0esr_BUILD1` +- [ ] Cherry-pick the previous `base-browser` commits up to `base-browser`'s `build1` tag onto new `base-browser` rebase branch + - example: `git cherry-pick FIREFOX_102_7_0esr_BUILD1..base-browser-102.7.0esr-12.0-1-build1` +- [ ] Rebase and autosquash these cherry-picked commits + - example: `git rebase --autosquash --interactive FIREFOX_102_8_0esr_BUILD1 HEAD` +- [ ] Cherry-pick remainder of patches after the `build1` tag + - example: `git cherry-pick base-browser-102.7.0esr-12.0-1-build1 origin/base-browser-102.7.0esr-12.0-1` +- [ ] Compare patch sets to ensure nothing *weird* happened during conflict resolution: + - [ ] diff of diffs: + - Do the diff between `current_patchset.diff` and `rebased_patchset.diff` with 
your preferred difftool and look at differences on lines that starts with + or - + - `git diff $(ESR_TAG_PREV)..$(BASE_BROWSER_BRANCH_PREV) > current_patchset.diff` + - `git diff $(ESR_TAG)..$(BASE_BROWSER_BRANCH) > rebased_patchset.diff` + - diff `current_patchset.diff` and `rebased_patchset.diff` + - If everything went correctly, the only lines which should differ should be the lines starting with `index abc123...def456` + - [ ] rangediff: `git range-diff $(ESR_TAG_PREV)..$(BASE_BROWSER_BRANCH_PREV) $(ESR_TAG)..HEAD` + - example: `git range-dif FIREFOX_102_7_0esr_BUILD1..origin/base-browser-102.7.0esr-12.0-1 FIREFOX_102_8_0esr_BUILD1..HEAD` +- [ ] Open MR for the `base-browser` rebase +- [ ] Merge +- [ ] Sign/Tag HEAD of the merged new `base-browser` branch: + - Tag : `base-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1-build1` + - Message : `Tagging build1 for $(ESR_VERSION)esr-based stable` +- [ ] Push tag to `origin` + +### **Rebase tor-browser** + +- [ ] Checkout a new branch for the `tor-browser` rebase starting from the `base-browser` `build1` tag + - example: `git branch tor-browser-rebase base-browser-102.8.0esr-12.0-1-build1` +- [ ] Cherry-pick the previous `tor-browser` commits from `base-browser`'s previous `build1` tag up to `tor-browser`'s newest `buildN` tag (not necessarily `build1` if we have multiple build tags) + - example: `git cherry-pick base-browser-102.7.0esr-12.0-1-build1..tor-browser-102.7.0esr-12.0-1-build1` +- [ ] Rebase and autosquash these cherry-picked commits (from the last new `base-browser` commit to `HEAD`) + - example: `git rebase --autosquash --interactive base-browser-102.8.0esr-12.0-1-build1 HEAD` +- [ ] Cherry-pick remainder of patches after the last `buildN` tag + - example: `git cherry-pick base-browser-102.7.0esr-12.0-1-build1..origin/tor-browser-102.7.0esr-12.0-1` +- [ ] Compare patch sets to ensure nothing *weird* happened during conflict resolution: + - [ ] diff of diffs: + - Do the diff between 
`current_patchset.diff` and `rebased_patchset.diff` with your preferred difftool and look at differences on lines that starts with + or - + - `git diff $(ESR_TAG_PREV)..$(BROWSER_BRANCH_PREV) > current_patchset.diff` + - `git diff $(ESR_TAG)..$(BROWSER_BRANCH) > rebased_patchset.diff` + - diff `current_patchset.diff` and `rebased_patchset.diff` + - If everything went correctly, the only lines which should differ should be the lines starting with `index abc123...def456` + - [ ] rangediff: `git range-diff $(ESR_TAG_PREV)..$(TOR_BROWSER_BRANCH_PREV) $(ESR_TAG)..HEAD` + - example: `git range-dif FIREFOX_102_7_0esr_BUILD1..origin/tor-browser-102.7.0esr-12.0-1 FIREFOX_102_8_0esr_BUILD1..HEAD` +- [ ] Open MR for the `tor-browser` rebase +- [ ] Merge +- [ ] Sign/Tag HEAD of the merged new `tor-browser` branch: + - Tag : `tor-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1-build1` + - Message : `Tagging build1 for $(ESR_VERSION)esr-based stable` +- [ ] Push tag to `origin` +
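Review bot: In `Backport Android Security Fixes.md`, the `fenix` section gives its tag as `tor-browser-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)`, the same string as the `tor-browser` section, while `application-services` and `android-components` each use their own project prefix; this looks like a copy-paste slip and presumably should start with `fenix-`. In the same file the tag message in the `tor-browser`, `android-components` and `fenix` sections ends in a stray `)` (`-based alpha)`), and the merge into `firefox-android` is dated November 2022 in the top note and the `android-components` section but February 2023 in the `fenix` section, so one of the dates needs correcting. The tags here also omit the `esr` suffix after `$(ESR_VERSION)` that the two rebase templates use (`$(ESR_VERSION)esr-`); worth confirming that difference is intended, since a signed tag with the wrong name is awkward to retract once pushed.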
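Review bot: In `Rebase Browser - Alpha.md`, under Rebase base-browser, the example for "Cherry-pick remainder of patches after the `build1` tag" passes two revisions separated by a space (`git cherry-pick base-browser-102.7.0esr-12.5-1-build1 origin/base-browser-102.7.0esr-12.5-1`), which picks those two commits individually rather than the range between them; it needs `..` like the other cherry-pick examples. In the Rebase tor-browser section the matching example starts its range at `base-browser-102.7.0esr-12.5-1-build1`, which overlaps the range already picked two steps earlier; starting at the `tor-browser` `buildN` tag would match what the step describes. The tor-browser diff-of-diffs commands also use `$(BROWSER_BRANCH_PREV)` and `$(BROWSER_BRANCH)`, which the variables block does not define (it defines `$(TOR_BROWSER_BRANCH)` and `$(TOR_BROWSER_BRANCH_PREV)`), so the patch-set comparison meant to catch bad conflict resolutions cannot be run as written.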
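Review bot: In `Rebase Browser - Stable.md`, the step "Create new stable `tor-browser` branch from" stops without naming what to branch from, while the `base-browser` step above it says "from tag"; complete the sentence so the starting point is unambiguous. The `$(ESR_TAG)` example in the variables block is `FIREFOX_102_8_0esr_RELEASE`, but the "Find the Firefox mercurial tag" step and every command example use `FIREFOX_102_8_0esr_BUILD1`; the template should say which of the two the signed `gecko-dev` tag is meant to carry. The range-diff examples in both rebase sections spell the command `git range-dif`, which fails when pasted; the line directly above each has the correct `git range-diff`.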
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/85c86696...