Richard Pospesel pushed to branch tor-browser-102.10.0esr-12.5-1 at The Tor Project / Applications / Tor Browser Commits: 0db7a4bd by Richard Pospesel at 2023-04-23T11:51:30+00:00 fixup! Bug 41649: Create rebase and security backport gitlab issue templates - - - - - 3 changed files: - .gitlab/issue_templates/Backport Android Security Fixes.md - .gitlab/issue_templates/Rebase Browser - Alpha.md - .gitlab/issue_templates/Rebase Browser - Stable.md Changes: ===================================== .gitlab/issue_templates/Backport Android Security Fixes.md ===================================== @@ -4,6 +4,7 @@ - example : `102.8.0` - `$(RR_VERSION)` : the Mozilla defined Rapid-Release version; Tor Browser for Android is based off of the `$(ESR_VERSION)`, but Mozilla's Firefox for Android is based off of the `$(RR_VERSION)` so we need to keep track of security vulnerabilities to backport from the monthly Rapid-Release train and our frozen ESR train. - example: `110` +- `$(PROJECT_NAME)` : the name of the browser project, either `base-browser` or `tor-browser` - `$(TOR_BROWSER_MAJOR)` : the Tor Browser major version - example : `12` - `$(TOR_BROWSER_MINOR)` : the Tor Browser minor version @@ -12,7 +13,7 @@ - example : `build1` </details> -**NOTE:** It is assumed the `tor-browser` rebase has already happened and there exists a `build1` build tag for both `base-browser` and `tor-browser` +**NOTE:** It is assumed the `tor-browser` rebase (stable and alpha) has already happened and there exists a `build1` build tags for both `base-browser` and `tor-browser` (stable and alpha) ### **Bookkeeping** @@ -36,26 +37,53 @@ - Create link to the CVE on [mozilla.org](https://www.mozilla.org/en-US/security/advisories/) - example: https://www.mozilla.org/en-US/security/advisories/mfsa2023-05/#CVE-2023-2574... - Create link to the associated Bugzilla issues (found in the CVE description) - - Create a link to the relevant `gecko-dev`/other commit hashes which need to be backported OR a brief justification for why the fix does not need to be backported + - Create links to the relevant `gecko-dev`/other commit hashes which need to be backported OR a brief justification for why the fix does not need to be backported - To find the `gecko-dev` version of a `mozilla-central`, search for a unique string in the relevant `mozilla-central` commit message in the `gecko-dev/release` branch log. - **NOTE:** This process is unfortunately somewhat poorly defined/ad-hoc given the general variation in how Bugzilla issues are labeled and resolved. In general this is going to involve a bit of hunting to identify needed commits or determining whether or not the fix is relevant. +### CVEs + +<!-- CVE Resolution Template, foreach CVE to investigate add an entry in the form: +- [ ] https://www.mozilla.org/en-US/security/advisories/mfsaYYYY-NN/#CVE-YYYY-XXXX... // CVE description + - https://bugzilla.mozilla.org/show_bug.cgi?id=NNNNNN // Bugzilla issue + - **Note** : Any relevant info about this fix, justification for why it is not necessary, etc + - **Patches** + - firefox-android : https://link.to/relevant/patch + - firefox : https://link.to/relevant/patch + --> ### **tor-browser** : https://gitlab.torproject.org/tpo/applications/tor-browser.git - [ ] Backport any Android-specific security fixes from Firefox rapid-release - - [ ] Sign/Tag commit: - - Tag : `tor-browser-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)` + - [ ] Backport patches to `tor-browser` stable branch + - [ ] Open MR + - [ ] Merge + - [ ] Rebase patches onto: + - [ ] `base-browser` stable + - [ ] `tor-browser` alpha + - [ ] `base-browser` alpha + - [ ] Sign/Tag commits: + - Tag : `$(PROJECT_NAME)-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)` - Message: `Tagging $(BUILD_N) for $(ESR_VERSION)-based alpha)` - - [ ] Push tag to `origin` + - [ ] `base-browser` stable + - [ ] `tor-browser` stable + - [ ] `base-browser` alpha + - [ ] `tor-browser` alpha + - [ ] Push tags to `origin` **OR** - [ ] No backports ### **application-services** : *TODO: we will need to setup a gitlab copy of this repo that we can apply security backports to if there are ever any security issues here* - [ ] Backport any Android-specific security fixes from Firefox rapid-release - - [ ] Sign/Tag commit: + - [ ] Backport patches to `application-services` stable branch + - [ ] Open MR + - [ ] Merge + - [ ] Rebase patches onto `application-services` alpha + - [ ] Sign/Tag commits: - Tag : `application-services-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)` - Message: `Tagging $(BUILD_N) for $(ESR_VERSION)-based alpha` - - [ ] Push tag to `origin` + - [ ] `application-services` stable + - [ ] `application-services` alpha + - [ ] Push tags to `origin` **OR** - [ ] No backports @@ -63,10 +91,16 @@ ### **android-components** : https://gitlab.torproject.org/tpo/applications/android-components.git - [ ] Backport any Android-specific security fixes from Firefox rapid-release - **NOTE**: Since November 2022, this repo has been merged with `fenix` into a singular `firefox-android` repo: https://github.com/mozilla-mobile/firefox-android. Any backport will require a patch rewrite to apply to our legacy `android-components` project. - - [ ] Sign/Tag commit: + - [ ] Backport patches to `android-components` stable branch + - [ ] Open MR + - [ ] Merge + - [ ] Rebase patches onto `android-components` alpha + - [ ] Sign/Tag commits: - Tag : `android-components-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)` - Message: `Tagging $(BUILD_N) for $(ESR_VERSION)-based alpha)` - - [ ] Push tag to `origin` + - [ ] `android-components` stable + - [ ] `android-components` alpha + - [ ] Push tags to `origin` **OR** - [ ] No backports @@ -74,15 +108,17 @@ ### **fenix** : https://gitlab.torproject.org/tpo/applications/fenix.git - [ ] Backport any Android-specific security fixes from Firefox rapid-release - **NOTE**: Since February 2023, this repo has been merged with `android-components` into a singular `firefox-android` repo: https://github.com/mozilla-mobile/firefox-android. Any backport will require a patch rewrite to apply to our legacy `fenix` project. - - [ ] Sign/Tag commit: + - [ ] Backport patches to `fenix` stable branch + - [ ] Open MR + - [ ] Merge + - [ ] Rebase patches onto `fenix` alpha + - [ ] Sign/Tag commits: - Tag : `tor-browser-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)` - Message: `Tagging $(BUILD_N) for $(ESR_VERSION)-based alpha)` - - [ ] Push tag to `origin` + - [ ] `fenix` stable + - [ ] `fenix` alpha + - [ ] Push tags to `origin` **OR** - [ ] No backports -### CVEs - -<!-- Create CVE resolution here --> - /confidential ===================================== .gitlab/issue_templates/Rebase Browser - Alpha.md ===================================== @@ -27,14 +27,46 @@ - [ ] Link this issue to the appropriate [Release Prep](https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/?s...) issue. +### Update Branch Protection Rules + +- [ ] In [Repository Settings](https://gitlab.torproject.org/tpo/applications/tor-browser/-/settings/reposi...): + - [ ] Remove previous alpha `base-browser` and `tor-browser` branch protection rules (this will prevent pushing new changes to the branches being rebased) + - [ ] Create new `base-browser` and `tor-browser` branch protection rule: + - **Branch**: `*-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1*` + - example: `*-102.8.0esr-12.5-1*` + - **Allowed to merge**: `Maintainers` + - **Allowed to push and merge**: `Maintainers` + - **Allowed to force push**: `false` + +### **Create New Branches** + +- [ ] Create new alpha `base-browser` branch from Firefox mercurial tag (found during the stable rebase) + - branch name in the form: `base-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1` + - example: `base-browser-102.8.0esr-12.5-1` +- [ ] Create new alpha `tor-browser` branch from Firefox mercurial tag + - branch name in the form: `tor-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1` + - example: `tor-browser-102.8.0esr-12.5-1` +- [ ] Push new `base-browser` branch to `origin` +- [ ] Push new `tor-browser` branch to `origin` + ### **Rebase base-browser** -- [ ] Checkout a new branch for the `base-browser` rebase +- [ ] Checkout a new local branch for the `base-browser` rebase - example: `git branch base-browser-rebase FIREFOX_102_8_0esr_BUILD1` - [ ] Cherry-pick the previous `base-browser` commits up to `base-browser`'s `build1` tag onto new `base-browser` rebase branch - example: `git cherry-pick FIREFOX_102_7_0esr_BUILD1..base-browser-102.7.0esr-12.5-1-build1` - [ ] Rebase and autosquash these cherry-picked commits - example: `git rebase --autosquash --interactive FIREFOX_102_8_0esr_BUILD1 HEAD` + - [ ] **(Optional)** Patch reordering + - Relocate new `base-browser` patches in the patch-set to enforce this rough thematic ordering: + - **MOZILLA BACKPORTS** - official Firefox patches we have backported to our ESR branch: Android-specific security updates, critical bug fixes, worthwhile features, etc + - **MOZILLA REVERTS** - revert commits of official Firefox patches + - **UPLIFT CANDIDATES** - patches which stand on their own and should be uplifted to `mozilla-central` + - **BUILD CONFIGURATION** - tools/scripts, gitlab templates, etc + - **BROWSER CONFIGURATION** - branding, mozconfigs, preference overrides, etc + - **SECURITY PATCHES** - security improvements, hardening, etc + - **PRIVACY PATCHES** - fingerprinting, linkability, proxy bypass, etc + - **FEATURES** - new functionality: updater, UX, letterboxing, security level, add-on integration, etc - [ ] Cherry-pick remainder of patches after the `build1` tag - example: `git cherry-pick base-browser-102.7.0esr-12.5-1-build1 origin/base-browser-102.7.0esr-12.5-1` - [ ] Compare patch sets to ensure nothing *weird* happened during conflict resolution: @@ -61,15 +93,30 @@ - example: `git cherry-pick base-browser-102.7.0esr-12.5-1-build1..tor-browser-102.7.0esr-12.5-1-build1` - [ ] Rebase and autosquash these cherry-picked commits (from the last new `base-browser` commit to `HEAD`) - example: `git rebase --autosquash --interactive base-browser-102.8.0esr-12.5-1-build1 HEAD` + - [ ] **(Optional)** Patch reordering + - Relocate new `tor-browser` patches in the patch-set to enforce this rough thematic ordering: + - **BUILD CONFIGURATION** - tools/scripts, gitlab templates, etc + - **BROWSER CONFIGURATION** - branding, mozconfigs, preference overrides, etc + - **UPDATER PATCHES** - updater tweaks, signing keys, etc + - **SECURITY PATCHES** - non tor-dependent security improvements, hardening, etc + - **PRIVACY PATCHES** - non tor-dependent fingerprinting, linkability, proxy bypass, etc + - **FEAURES** - non tor-dependent features + - **TOR INTEGRATION** - legacy tor-launcher/torbutton, tor modules, bootstrapping, etc + - **TOR SECURITY PATCHES** - tor-specific security improvements + - **TOR PRIVACY PATCHES** - tor-specific privacy improvements + - **TOR FEATURES** - new tor-specific functionality: manual, onion-location, onion service client auth, etc - [ ] Cherry-pick remainder of patches after the last `buildN` tag - example: `git cherry-pick base-browser-102.7.0esr-12.5-1-build1..origin/tor-browser-102.7.0esr-12.5-1` +- [ ] Rebase and autosquash again (from the last new `base-browser` commit to `HEAD`), this time replacing all `fixup` and `squash` commands with `pick`. The goal here is to have all of the `fixup` and `squash` commits beside the commit which they modify. + - example: `git rebase --autosquash --interactive base-browser-102.8.0esr-12.5-1-build1 HEAD` + - **NOTE**: Do not allow `fixup` or `squash` commands here! - [ ] Compare patch sets to ensure nothing *weird* happened during conflict resolution: - [ ] diff of diffs: - Do the diff between `current_patchset.diff` and `rebased_patchset.diff` with your preferred difftool and look at differences on lines that starts with + or - - `git diff $(ESR_TAG_PREV)..$(BROWSER_BRANCH_PREV) > current_patchset.diff` - `git diff $(ESR_TAG)..$(BROWSER_BRANCH) > rebased_patchset.diff` - diff `current_patchset.diff` and `rebased_patchset.diff` - - If everything went correctly, the only lines which should differ should be the lines starting with `index abc123...def456` + - If everything went correctly, the only lines which should differ should be the lines starting with `index abc123...def456` (unless the previous `base-browser` branch includes changes not included in the previous `tor-browser` branch) - [ ] rangediff: `git range-diff $(ESR_TAG_PREV)..$(TOR_BROWSER_BRANCH_PREV) $(ESR_TAG)..HEAD` - example: `git range-dif FIREFOX_102_7_0esr_BUILD1..origin/tor-browser-102.7.0esr-12.5-1 FIREFOX_102_8_0esr_BUILD1..HEAD` - [ ] Open MR for the `tor-browser` rebase ===================================== .gitlab/issue_templates/Rebase Browser - Stable.md ===================================== @@ -25,6 +25,17 @@ - [ ] Link this issue to the appropriate [Release Prep](https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/?s...) issue. +### Update Branch Protection Rules + +- [ ] In [Repository Settings](https://gitlab.torproject.org/tpo/applications/tor-browser/-/settings/reposi...): + - [ ] Remove previous stable `base-browser` and `tor-browser` branch protection rules (this will prevent pushing new changes to the branches being rebased) + - [ ] Create new `base-browser` and `tor-browser` branch protection rule: + - **Branch**: `*-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1*` + - example: `*-102.8.0esr-12.0-1*` + - **Allowed to merge**: `Maintainers` + - **Allowed to push and merge**: `Maintainers` + - **Allowed to force push**: `false` + ### **Identify the Firefox Tagged Commit and Create New Branches** - [ ] Find the Firefox mercurial tag here : https://hg.mozilla.org/releases/mozilla-esr102/tags @@ -48,7 +59,7 @@ ### **Rebase base-browser** -- [ ] Checkout a new branch for the `base-browser` rebase +- [ ] Checkout a new local branch for the `base-browser` rebase - example: `git branch base-browser-rebase FIREFOX_102_8_0esr_BUILD1` - [ ] Cherry-pick the previous `base-browser` commits up to `base-browser`'s `build1` tag onto new `base-browser` rebase branch - example: `git cherry-pick FIREFOX_102_7_0esr_BUILD1..base-browser-102.7.0esr-12.0-1-build1` @@ -72,6 +83,7 @@ - Message : `Tagging build1 for $(ESR_VERSION)esr-based stable` - [ ] Push tag to `origin` + ### **Rebase tor-browser** - [ ] Checkout a new branch for the `tor-browser` rebase starting from the `base-browser` `build1` tag @@ -88,7 +100,7 @@ - `git diff $(ESR_TAG_PREV)..$(BROWSER_BRANCH_PREV) > current_patchset.diff` - `git diff $(ESR_TAG)..$(BROWSER_BRANCH) > rebased_patchset.diff` - diff `current_patchset.diff` and `rebased_patchset.diff` - - If everything went correctly, the only lines which should differ should be the lines starting with `index abc123...def456` + - If everything went correctly, the only lines which should differ should be the lines starting with `index abc123...def456` (unless the previous `base-browser` branch includes changes not included in the previous `tor-browser` branch) - [ ] rangediff: `git range-diff $(ESR_TAG_PREV)..$(TOR_BROWSER_BRANCH_PREV) $(ESR_TAG)..HEAD` - example: `git range-dif FIREFOX_102_7_0esr_BUILD1..origin/tor-browser-102.7.0esr-12.0-1 FIREFOX_102_8_0esr_BUILD1..HEAD` - [ ] Open MR for the `tor-browser` rebase @@ -97,4 +109,3 @@ - Tag : `tor-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1-build1` - Message : `Tagging build1 for $(ESR_VERSION)esr-based stable` - [ ] Push tag to `origin` - View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/0db7a4bd... -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/0db7a4bd... You're receiving this email because of your account on gitlab.torproject.org.