richard pushed to branch main at The Tor Project / Applications / tor-browser-build
Commits: f1811496 by Richard Pospesel at 2024-02-21T11:55:05+00:00 Update Mullvad and Tor Browser Release Prep issue templates
- - - - -
4 changed files:
- .gitlab/issue_templates/Release Prep - Mullvad Browser Alpha.md - .gitlab/issue_templates/Release Prep - Mullvad Browser Stable.md - .gitlab/issue_templates/Release Prep - Tor Browser Alpha.md - .gitlab/issue_templates/Release Prep - Tor Browser Stable.md
Changes:
===================================== .gitlab/issue_templates/Release Prep - Mullvad Browser Alpha.md ===================================== @@ -27,172 +27,178 @@ </details>
**NOTE** It is assumed that the `tor-browser` alpha rebase and security backport tasks have been completed + **NOTE** This can/is often done in conjunction with the equivalent Tor Browser release prep issue
<details> <summary>Building</summary>
- ### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git - Mullvad Browser Alpha (and Nightly) are on the `main` branch - - - [ ] Update `rbm.conf` - - [ ] `var/torbrowser_version` : update to next version - - [ ] `var/torbrowser_build` : update to `$(MULLVAD_BROWSER_BUILD_N)` - - [ ] `var/torbrowser_incremental_from` : update to previous Desktop version - - **NOTE**: We try to build incrementals for the previous 3 desktop versions except in the case of a watershed update - - **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make mullvadbrowser-incrementals-*` step will fail - - [ ] Update build configs - - [ ] Update `projects/firefox/config` - - [ ] `browser_build` : update to match `mullvad-browser` tag - - [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased - - [ ] Update `projects/translation/config`: - - [ ] run `make list_translation_updates-alpha` to get updated hashes - - [ ] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch - - [ ] `steps/mullvad-browser/git_hash` : update with `HEAD` commit of project's `mullvad-browser` branch - - [ ] Update common build configs - - [ ] Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript - - [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/browser/config` - - [ ] `URL` - - [ ] `sha256sum` - - [ ] Check for uBlock-origin updates here : https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/ - - [ ] ***(Optional)*** If new version available, update `ublock-origin` section of `input_files` in `projects/browser/config` - - [ ] `URL` - - [ ] `sha256sum` - - [ ] Check for Mullvad Privacy Companion updates here : https://github.com/mullvad/browser-extension/releases - - [ ] ***(Optional)*** If new version available, update `mullvad-extension` section of `input_files` in `projects/browser/config` - - [ ] `URL` - - [ ] `sha256sum` - - [ ] Update `ChangeLog-MB.txt` - - [ ] Ensure `ChangeLog-MB.txt` is sync'd between alpha and stable branches - - [ ] Check the linked issues: ask people to check if any are missing, remove the not fixed ones - - [ ] Run `tools/fetch-changelogs.py $(ISSUE_NUMBER) --date $date $updateArgs` - - Make sure you have `requests` installed (e.g., `apt install python3-requests`) - - The first time you run this script you will need to generate an access token; the script will guide you - - `$updateArgs` should be these arguments, depending on what you actually updated: - - [ ] `--firefox` - - [ ] `--no-script` - - [ ] `--ublock` - - E.g., `tools/fetch-changelogs.py 41029 --date 'December 19 2023' --firefox 115.6.0esr --no-script 11.4.29 --ublock 1.54.0` - - `--date $date` is optional, if omitted it will be the date on which you run the command - - [ ] Copy the output of the script to the beginning of `ChangeLog-MB.txt` and adjust its output - - [ ] Open MR with above changes, using the template for release preparations - - [ ] Merge - - [ ] Sign+Tag - - **NOTE** this must be done by one of: - - boklm - - dan - - ma1 - - pierov - - richard - - [ ] Run: `make mullvadbrowser-signtag-alpha` - - [ ] Push tag to `upstream` - - [ ] Build the tag on at least one of: - - Run `make mullvadbrowser-alpha && make mullvadbrowser-incrementals-alpha` +### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git +Mullvad Browser Alpha (and Nightly) are on the `main` branch + +- [ ] Update `rbm.conf` + - [ ] `var/torbrowser_version` : update to next version + - [ ] `var/torbrowser_build` : update to `$(MULLVAD_BROWSER_BUILD_N)` + - [ ] `var/torbrowser_incremental_from` : update to previous Desktop version + - **NOTE**: We try to build incrementals for the previous 3 desktop versions except in the case of a watershed update + - **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make mullvadbrowser-incrementals-*` step will fail +- [ ] Update build configs + - [ ] Update `projects/firefox/config` + - [ ] `browser_build` : update to match `mullvad-browser` tag + - [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased + - [ ] Update `projects/translation/config`: + - [ ] run `make list_translation_updates-alpha` to get updated hashes + - [ ] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch + - [ ] `steps/mullvad-browser/git_hash` : update with `HEAD` commit of project's `mullvad-browser` branch +- [ ] Update common build configs + - [ ] Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript + - [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/browser/config` + - [ ] `URL` + - [ ] `sha256sum` + - [ ] Check for uBlock-origin updates here : https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/ + - [ ] ***(Optional)*** If new version available, update `ublock-origin` section of `input_files` in `projects/browser/config` + - [ ] `URL` + - [ ] `sha256sum` + - [ ] Check for Mullvad Browser Extension updates here : https://github.com/mullvad/browser-extension/releases + - [ ] ***(Optional)*** If new version available, update `mullvad-extension` section of `input_files` in `projects/browser/config` + - [ ] `URL` + - [ ] `sha256sum` +- [ ] Update `ChangeLog-MB.txt` + - [ ] Ensure `ChangeLog-MB.txt` is sync'd between alpha and stable branches + - [ ] Check the linked issues: ask people to check if any are missing, remove the not fixed ones + - [ ] Run `tools/fetch-changelogs.py $(ISSUE_NUMBER) --date $date $updateArgs` + - Make sure you have `requests` installed (e.g., `apt install python3-requests`) + - The first time you run this script you will need to generate an access token; the script will guide you + - `$updateArgs` should be these arguments, depending on what you actually updated: + - [ ] `--firefox` (be sure to include esr at the end if needed, which is usually the case) + - [ ] `--no-script` + - [ ] `--ublock` + - E.g., `tools/fetch-changelogs.py 41029 --date 'December 19 2023' --firefox 115.6.0esr --no-script 11.4.29 --ublock 1.54.0` + - `--date $date` is optional, if omitted it will be the date on which you run the command + - [ ] Copy the output of the script to the beginning of `ChangeLog-MB.txt` and adjust its output +- [ ] Open MR with above changes, using the template for release preparations +- [ ] Merge +- [ ] Sign+Tag + - **NOTE** this must be done by one of: + - boklm + - dan + - ma1 + - pierov + - richard + - [ ] Run: `make mullvadbrowser-signtag-alpha` + - [ ] Push tag to `upstream` +- [ ] Build the tag: + - Run `make mullvadbrowser-alpha && make mullvadbrowser-incrementals-alpha` on: - [ ] Tor Project build machine - [ ] Local developer machine - [ ] Submit build request to Mullvad infrastructure: - **NOTE** this requires a devmole authentication token - Run `make mullvadbrowser-kick-devmole-build` - - [ ] Ensure builders have matching builds +- [ ] Ensure builders have matching builds
</details>
<details> <summary>Signing</summary>
- ### signing - - [ ] Assign this issue to the signer, one of: - - boklm - - richard - - [ ] On `$(STAGING_SERVER)`, ensure updated: - - [ ] `tor-browser-build/tools/signing/set-config.hosts` - - `ssh_host_builder` : ssh hostname of machine with unsigned builds - - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory) - - `ssh_host_linux_signer` : ssh hostname of linux signing machine - - [ ] `tor-browser-build/tools/signing/set-config.rcodesign-appstoreconnect` - - `appstoreconnect_api_key_path` : path to json file containing appstoreconnect api key infos - - [ ] `set-config.update-responses` - - `update_responses_repository_dir` : directory where you cloned `git@gitlab.torproject.org:tpo/applications/mullvad-browser-update-responses.git` - - [ ] `tor-browser-build/tools/signing/set-config.tbb-version` - - `tbb_version` : mullvad browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`) - - `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`) - - `tbb_version_type` : either `alpha` for alpha releases or `release` for stable releases - - [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050 - - [ ] run do-all-signing script: - - `cd tor-browser-build/tools/signing/` - - `./do-all-signing.mullvadbrowser` - - **NOTE**: at this point the signed binaries should have been copied to `staticiforme` - - [ ] Update `staticiforme.torproject.org`: - - From `screen` session on `staticiforme.torproject.org`: - - [ ] Static update components : `static-update-component dist.torproject.org` - - [ ] Remove old release data from `/srv/dist-master.torproject.org/htdocs/mullvadbrowser` - - [ ] Static update components (again) : `static-update-component dist.torproject.org` +### release signing +- [ ] Assign this issue to the signer, one of: + - boklm + - richard +- [ ] On `$(STAGING_SERVER)`, ensure updated: + - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-$(MULLVAD_BROWSER_VERSION)-$(MULLVAD_BROWSER_BUILD_N) && git checkout tbb-$(MULLVAD_BROWSER_VERSION)-$(MULLVAD_BROWSER_BUILD_N)` + - [ ] `tor-browser-build/tools/signing/set-config.hosts` + - `ssh_host_builder` : ssh hostname of machine with unsigned builds + - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory) + - `ssh_host_linux_signer` : ssh hostname of linux signing machine + - [ ] `tor-browser-build/tools/signing/set-config.rcodesign-appstoreconnect` + - `appstoreconnect_api_key_path` : path to json file containing appstoreconnect api key infos + - [ ] `set-config.update-responses` + - `update_responses_repository_dir` : directory where you cloned `git@gitlab.torproject.org:tpo/applications/mullvad-browser-update-responses.git` + - [ ] `tor-browser-build/tools/signing/set-config.tbb-version` + - `tbb_version` : mullvad browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`) + - `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`) + - `tbb_version_type` : either `alpha` for alpha releases or `release` for stable releases +- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050 +- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, run do-all-signing script: + - `cd tor-browser-build/tools/signing/` + - `./do-all-signing.mullvadbrowser` +- **NOTE**: at this point the signed binaries should have been copied to `staticiforme` +- [ ] Update `staticiforme.torproject.org`: + - From `screen` session on `staticiforme.torproject.org`: + - [ ] Remove old release data from `/srv/dist-master.torproject.org/htdocs/mullvadbrowser` + - [ ] Static update components (again) : `static-update-component dist.torproject.org`
</details>
<details> <summary>Publishing</summary>
- ### mullvad-browser (github): https://github.com/mullvad/mullvad-browser/ - - [ ] Assign this issue to someone with mullvad commit access, one of: +### mullvad-browser (GitHub): https://github.com/mullvad/mullvad-browser/ +- [ ] Assign this issue to someone with mullvad commit access, one of: - richard - - [ ] Push this release's associated `mullvad-browser.git` branch to github - - [ ] Push this release's associated tags to github: - - [ ] Firefox ESR tag - - **example** : `FIREFOX_102_12_0esr_BUILD1,` - - [ ] `base-browser` tag - - **example** : `base-browser-102.12.0esr-12.0-1-build1` - - [ ] `mullvad-browser` tag - - **example** : `mullvad-browser-102.12.0esr-12.0-1-build1` - - [ ] Sign+Tag additionally the `mullvad-browser.git` `firefox` commit used in build: - - **Tag**: `$(MULLVAD_BROWSER_VERSION)` - - **example** : `12.5a7` - - **Message**: `$(ESR_VERSION)esr-based $(MULLVAD_BROWSER_VERSION)` - - **example** : `102.12.0esr-based 12.5a7` - - [ ] Push tag to github - - ### email - - [ ] Email Mullvad with release information: support@mullvad.net, rui@mullvad.net - <details> - <summary>email template</summary> - - Subject: - New build: Mullvad Browser $(MULLVAD_BROWSER_VERION) (signed) - - Body: - signed builds: https://dist.torproject.org/mullvadbrowser/$(MULLVAD_BROWSER_VERSION) - - update_response hashes: $(MULLVAD_UPDATE_RESPONSES_HASH) - - changelog: - ... - - </details> +- [ ] Push this release's associated `mullvad-browser.git` branch to github +- [ ] Push this release's associated tags to github: + - [ ] Firefox ESR tag + - **example** : `FIREFOX_102_12_0esr_BUILD1` + - [ ] `base-browser` tag + - **example** : `base-browser-102.12.0esr-12.0-1-build1` + - [ ] `mullvad-browser` tag + - **example** : `mullvad-browser-102.12.0esr-12.0-1-build1` +- [ ] Sign+Tag additionally the `mullvad-browser.git` `firefox` commit used in build: + - **Tag**: `$(MULLVAD_BROWSER_VERSION)` + - **example** : `12.5a7` + - **Message**: `$(ESR_VERSION)esr-based $(MULLVAD_BROWSER_VERSION)` + - **example** : `102.12.0esr-based 12.5a7` + - [ ] Push tag to github + +### email +- [ ] **(Once branch+tags pushed to GitHub)** Email Mullvad with release information: + - [ ] support alias: support@mullvadvpn.net + - [ ] Rui: rui@mullvad.net + - **Subject** + ``` + New build: Mullvad Browser $(MULLVAD_BROWSER_VERION) (signed) + ``` + - **Body** + ``` + Hello, + + Branch+Tags have been pushed to Mullvad's GitHub repo. + + - signed builds: https://dist.torproject.org/mullvadbrowser/$(MULLVAD_BROWSER_VERSION) + - update_response hashes: $(MULLVAD_UPDATE_RESPONSES_HASH) + + changelog: + ... + ``` + </details>
<details> <summary>Downstream</summary>
- ### notify packagers - - - [ ] **(Optional, Once Mullvad Updates their Github Releases Page)** Email downstream consumers: - - **NOTE**: This is an optional step and only necessary close a major release/transition from alpha to stable, or if there are major packing changes these developers need to be aware of - <details> - <summary>email template</summary> - - Hello! - - Mullvad-Browser $(MULLVAD_BROWSER_VERSION) packages are available, so you should all update your respective downstream packages. - - Release builds can be found here: - - - https://github.com/mullvad/mullvad-browser/releases/tag/$(MULLVAD_BROWSER_VE...) - - </details> - - - flathub package maintainer: proletarius101@protonmail.com - - arch package maintainer: bootctl@gmail.com - - nixOS package maintainer: dev@felschr.com +### notify packagers +These steps depend on Mullvad having updated their [GitHub Releases](https://github.com/mullvad/mullvad-browser/releases/) page with the latest release +- [ ] **(Optional)** Email downstream consumers: + - **NOTE**: This is an optional step and only necessary close a major release/transition from alpha to stable, or if there are major packing changes these developers need to be aware of + - [ ] flathub package maintainer: proletarius101@protonmail.com + - [ ] arch package maintainer: bootctl@gmail.com + - [ ] nixOS package maintainer: dev@felschr.com + - **Subject** + ``` + Mullvad Browser $(MULLVAD_BROWSER_VERSION) released + ``` + - **Body** + ``` + Hello! + + This is a major alpha release which may require changes in your respective downstream packages once it stabilises. + + The latest alpha builds can be found here: + + - https://github.com/mullvad/mullvad-browser/releases?q=prerelease%3Atrue + ```
</details>
===================================== .gitlab/issue_templates/Release Prep - Mullvad Browser Stable.md ===================================== @@ -28,6 +28,8 @@
**NOTE** It is assumed that the `tor-browser` stable rebase and security backport tasks have been completed
+**NOTE** This can/is often done in conjunction with the equivalent Tor Browser release prep issue + <details> <summary>Building</summary>
@@ -38,6 +40,7 @@ Mullvad Browser Stable lives in the various `maint-$(MULLVAD_BROWSER_MAJOR).$(MU - [ ] `var/torbrowser_version` : update to next version - [ ] `var/torbrowser_build` : update to `$(MULLVAD_BROWSER_BUILD_N)` - [ ] `var/torbrowser_incremental_from` : update to previous Desktop version + - **NOTE**: We try to build incrementals for the previous 3 desktop versions except in the case of a watershed update - **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make mullvadbrowser-incrementals-*` step will fail - [ ] Update build configs - [ ] Update `projects/firefox/config` @@ -46,7 +49,7 @@ Mullvad Browser Stable lives in the various `maint-$(MULLVAD_BROWSER_MAJOR).$(MU - [ ] Update `projects/translation/config`: - [ ] run `make list_translation_updates-release` to get updated hashes - [ ] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch - - [ ] `steps/base-browser-fluent/git_hash` : update with `HEAD` commit of project's `basebrowser-newidentityftl` branch + - [ ] `steps/mullvad-browser/git_hash` : update with `HEAD` commit of project's `mullvad-browser` branch - [ ] Update common build configs - [ ] Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript - [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/browser/config` @@ -56,7 +59,7 @@ Mullvad Browser Stable lives in the various `maint-$(MULLVAD_BROWSER_MAJOR).$(MU - [ ] ***(Optional)*** If new version available, update `ublock-origin` section of `input_files` in `projects/browser/config` - [ ] `URL` - [ ] `sha256sum` - - [ ] Check for Mullvad Privacy Companion updates here : https://github.com/mullvad/browser-extension/releases + - [ ] Check for Mullvad Browser Extension updates here : https://github.com/mullvad/browser-extension/releases - [ ] ***(Optional)*** If new version available, update `mullvad-extension` section of `input_files` in `projects/browser/config` - [ ] `URL` - [ ] `sha256sum` @@ -67,39 +70,43 @@ Mullvad Browser Stable lives in the various `maint-$(MULLVAD_BROWSER_MAJOR).$(MU - Make sure you have `requests` installed (e.g., `apt install python3-requests`) - The first time you run this script you will need to generate an access token; the script will guide you - `$updateArgs` should be these arguments, depending on what you actually updated: - - [ ] `--firefox` + - [ ] `--firefox` (be sure to include esr at the end if needed, which is usually the case) - [ ] `--no-script` - [ ] `--ublock` - E.g., `tools/fetch-changelogs.py 41029 --date 'December 19 2023' --firefox 115.6.0esr --no-script 11.4.29 --ublock 1.54.0` - `--date $date` is optional, if omitted it will be the date on which you run the command - [ ] Copy the output of the script to the beginning of `ChangeLog-MB.txt` and adjust its output - - [ ] Open MR with above changes, using the template for release preparations - - [ ] Merge - - [ ] Sign+Tag - - **NOTE** this must be done by one of: - - boklm - - dan - - ma1 - - pierov - - richard - - [ ] Run: `make mullvadbrowser-signtag-release` - - [ ] Push tag to `upstream` - - [ ] Build on at least one of: - - Run `make mullvadbrowser-release && make mullvadbrowser-incrementals-release` +- [ ] Open MR with above changes, using the template for release preparations +- [ ] Merge +- [ ] Sign+Tag + - **NOTE** this must be done by one of: + - boklm + - dan + - ma1 + - pierov + - richard + - [ ] Run: `make mullvadbrowser-signtag-release` + - [ ] Push tag to `upstream` +- [ ] Build the tag: + - Run `make mullvadbrowser-release && make mullvadbrowser-incrementals-release` - [ ] Tor Project build machine - [ ] Local developer machine - [ ] Submit build request to Mullvad infrastructure: - **NOTE** this requires a devmole authentication token - Run `make mullvadbrowser-kick-devmole-build` - - [ ] Ensure builders have matching builds +- [ ] Ensure builders have matching builds
</details>
<details> <summary>Signing</summary>
-### signing +### release signing +- [ ] Assign this issue to the signer, one of: + - boklm + - richard - [ ] On `$(STAGING_SERVER)`, ensure updated: + - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-$(MULLVAD_BROWSER_VERSION)-$(MULLVAD_BROWSER_BUILD_N) && git checkout tbb-$(MULLVAD_BROWSER_VERSION)-$(MULLVAD_BROWSER_BUILD_N)` - [ ] `tor-browser-build/tools/signing/set-config.hosts` - `ssh_host_builder` : ssh hostname of machine with unsigned builds - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory) @@ -113,13 +120,12 @@ Mullvad Browser Stable lives in the various `maint-$(MULLVAD_BROWSER_MAJOR).$(MU - `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`) - `tbb_version_type` : either `alpha` for alpha releases or `release` for stable releases - [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050 -- [ ] run do-all-signing script: - - `cd tor-browser-build/tools/signing/` - - `./do-all-signing.mullvadbrowser` +- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, run do-all-signing script: + - `cd tor-browser-build/tools/signing/` + - `./do-all-signing.mullvadbrowser` - **NOTE**: at this point the signed binaries should have been copied to `staticiforme` - [ ] Update `staticiforme.torproject.org`: - From `screen` session on `staticiforme.torproject.org`: - - [ ] Static update components : `static-update-component dist.torproject.org` - [ ] Remove old release data from `/srv/dist-master.torproject.org/htdocs/mullvadbrowser` - [ ] Static update components (again) : `static-update-component dist.torproject.org`
@@ -128,30 +134,13 @@ Mullvad Browser Stable lives in the various `maint-$(MULLVAD_BROWSER_MAJOR).$(MU <details> <summary>Publishing</summary>
-### email - -- [ ] Email Mullvad with release information: support@mullvad.net, rui@mullvad.net - <details> - <summary>email template</summary> - - Subject: - New build: Mullvad Browser $(MULLVAD_BROWSER_VERION) (signed) - - Body: - signed builds: https://dist.torproject.org/mullvadbrowser/$(MULLVAD_BROWSER_VERSION) - - update_response hashes: $(MULLVAD_UPDATE_RESPONSES_HASH) - - changelog: - ... - - </details> - -### mullvad-browser (github): https://github.com/mullvad/mullvad-browser/ +### mullvad-browser (GitHub): https://github.com/mullvad/mullvad-browser/ +- [ ] Assign this issue to someone with mullvad commit access, one of: + - richard - [ ] Push this release's associated `mullvad-browser.git` branch to github - [ ] Push this release's associated tags to github: - [ ] Firefox ESR tag - - **example** : `FIREFOX_102_12_0esr_BUILD1,` + - **example** : `FIREFOX_102_12_0esr_BUILD1` - [ ] `base-browser` tag - **example** : `base-browser-102.12.0esr-12.0-1-build1` - [ ] `mullvad-browser` tag @@ -163,32 +152,59 @@ Mullvad Browser Stable lives in the various `maint-$(MULLVAD_BROWSER_MAJOR).$(MU - **example** : `102.12.0esr-based 12.0.7` - [ ] Push tag to github
+### email +- [ ] **(Once branch+tags pushed to GitHub)** Email Mullvad with release information: + - [ ] support alias: support@mullvadvpn.net + - [ ] Rui: rui@mullvad.net + - **Subject** + ``` + New build: Mullvad Browser $(MULLVAD_BROWSER_VERION) (signed) + ``` + - **Body** + ``` + Hello, + + Branch+Tags have been pushed to Mullvad's GitHub repo. + + - signed builds: https://dist.torproject.org/mullvadbrowser/$(MULLVAD_BROWSER_VERSION) + - update_response hashes: $(MULLVAD_UPDATE_RESPONSES_HASH) + + changelog: + ... + ``` + </details>
<details> <summary>Downstream</summary>
### notify packagers - -- [ ] **(Once Mullvad Updates their Github Releases Page)** Email downstream consumers: - <details> - <summary>email template</summary> - - ... - - ... - - </details> - +These steps depend on Mullvad having updated their [GitHub Releases](https://github.com/mullvad/mullvad-browser/releases/) page with the latest release +- [ ] Email downstream consumers: - [ ] flathub package maintainer: proletarius101@protonmail.com - [ ] arch package maintainer: bootctl@gmail.com - [ ] nixOS package maintainer: dev@felschr.com + - **Subject** + ``` + Mullvad Browser $(MULLVAD_BROWSER_VERSION) released + ``` + - **Body** + ``` + Hello!
-### merge requests + Mullvad-Browser packages are available, so you should update your respective downstream packages. + + The latest release builds can be found here:
-- [ ] homebrew: https://github.com/Homebrew/homebrew-cask/blob/master/Casks/mullvad-browser.... - - **NOTE**: should just need to update the version to latest + - https://github.com/mullvad/mullvad-browser/releases?q=prerelease%3Afalse + ``` + +### merge requests +- [ ] homebrew: https://github.com/Homebrew/homebrew-cask/blob/master/Casks/m/mullvad-browse... + - **NOTE**: should just need to update `version` and `sha256` to latest
</details>
-/label ~"Release Prep" ~"Sponsor 131" +/label ~"Release Prep" +/label ~"Sponsor 131" +
===================================== .gitlab/issue_templates/Release Prep - Tor Browser Alpha.md ===================================== @@ -32,197 +32,176 @@ <details> <summary>Building</summary>
- ### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git - Tor Browser Alpha (and Nightly) are on the `main` branch - - - [ ] Update `rbm.conf` - - [ ] `var/torbrowser_version` : update to next version - - [ ] `var/torbrowser_build` : update to `$(TOR_BROWSER_BUILD_N)` - - [ ] ***(Desktop Only)***`var/torbrowser_incremental_from` : update to previous Desktop version - - **NOTE**: We try to build incrementals for the previous 3 desktop versions except in the case of a watershed update - - **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make torbrowser-incrementals-*` step will fail - - [ ] Update Desktop-specific build configs - - [ ] Update `projects/firefox/config` - - [ ] `browser_build` : update to match `tor-browser` tag - - [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased - - [ ] Update `projects/translation/config`: - - [ ] run `make list_translation_updates-alpha` to get updated hashes - - [ ] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch - - [ ] `steps/tor-browser/git_hash` : update with `HEAD` commit of project's `tor-browser` branch - - [ ] `steps/fenix/git_hash` : update with `HEAD` commit of project's `fenix-torbrowserstringsxml` branch - - [ ] Update Android-specific build configs - - [ ] Update `projects/geckoview/config` - - [ ] `browser_build` : update to match `tor-browser` tag - - [ ] ***(Optional)*** `var/geckoview_version` : update to latest `$(ESR_VERSION)` if rebased - - [ ] ***(Optional)*** Update `projects/tor-android-service/config` - - [ ] `git_hash` : update with `HEAD` commit of project's `main` branch - - [ ] ***(Optional)*** Update `projects/application-services/config`: - **NOTE** we don't currently have any of our own patches for this project - - [ ] `git_hash` : update to appropriate git commit associated with `$(ESR_VERSION)` - - [ ] ***(Optional)*** Update `projects/firefox-android/config`: - - [ ] `fenix_version` : update to match alpha `firefox-android` build tag - - [ ] `browser_branch` : update to match alpha `firefox-android` build tag - - [ ] Update allowed_addons.json by running (from `tor-browser-build` root): - - `./tools/fetch_allowed_addons.py > projects/browser/allowed_addons.json` - - [ ] Update common build configs - - [ ] Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript - - [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/browser/config` - - [ ] `URL` - - [ ] `sha256sum` - - [ ] Check for OpenSSL updates here : https://www.openssl.org/source/ - - [ ] ***(Optional)*** If new 3.0.X version available, update `projects/openssl/config` - - [ ] `version` : update to next 3.0.X version - - [ ] `input_files/sha256sum` : update to sha256 sum of source tarball - - [ ] Check for zlib updates here: https://github.com/madler/zlib/releases - - [ ] **(Optional)** If new tag available, update `projects/zlib/config` - - [ ] `version` : update to next release tag - - [ ] Check for tor updates here : https://gitlab.torproject.org/tpo/core/tor/-/tags - - [ ] ***(Optional)*** Update `projects/tor/config` - - [ ] `version` : update to latest `-alpha` tag or release tag if newer (ping dgoulet or ahf if unsure) - - [ ] Check for go updates here : https://golang.org/dl - - **NOTE** : Tor Browser Alpha uses the latest Stable major series go version - - [ ] ***(Optional)*** Update `projects/go/config` - - [ ] `version` : update go version - - [ ] `input_files/sha256sum` for `go` : update sha256sum of archive (sha256 sums are displayed on the go download page) - - [ ] Check for manual updates by running (from `tor-browser-build` root): `./tools/fetch-manual.py` - - [ ] ***(Optional)*** If new version is available: - - [ ] Upload the downloaded `manual_$PIPELINEID.zip` file to `tb-build-02.torproject.org` - - [ ] Deploy to `tb-builder`'s `public_html` directory: - - `sudo -u tb-builder cp manual_$PIPELINEID.zip ~/../tb-builder/public_html/.` - - [ ] Update `projects/manual/config`: - - [ ] Change the `version` to `$PIPELINEID` - - [ ] Update `sha256sum` in the `input_files` section - - [ ] Update `ChangeLog-TBB.txt` - - [ ] Ensure `ChangeLog-TBB.txt` is sync'd between alpha and stable branches - - [ ] Check the linked issues: ask people to check if any are missing, remove the not fixed ones - - [ ] Run `tools/fetch-changelogs.py $(ISSUE_NUMBER) --date $date $updateArgs` - - Make sure you have `requests` installed (e.g., `apt install python3-requests`) - - The first time you run this script you will need to generate an access token; the script will guide you - - `$updateArgs` should be these arguments, depending on what you actually updated: - - [ ] `--firefox` (be sure to include esr at the end if needed, which is usually the case) - - [ ] `--tor` - - [ ] `--no-script` - - [ ] `--openssl` - - [ ] `--zlib` - - [ ] `--go` - - E.g., `tools/fetch-changelogs.py 41028 --date 'December 19 2023' --firefox 115.6.0esr --tor 0.4.8.10 --no-script 11.4.29 --zlib 1.3 --go 1.21.5 --openssl 3.0.12` - - `--date $date` is optional, if omitted it will be the date on which you run the command - - [ ] Copy the output of the script to the beginning of `ChangeLog-TBB.txt` and adjust its output - - [ ] Open MR with above changes, using the template for release preparations - - [ ] Merge - - [ ] Sign+Tag - - **NOTE** this must be done by one of: - - boklm - - dan - - ma1 - - pierov - - richard - - [ ] Run: `make torbrowser-signtag-alpha` - - [ ] Push tag to `upstream` - - [ ] Build on at least one of: - - Run `make torbrowser-alpha && make torbrowser-incrementals-alpha` +### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git +Tor Browser Alpha (and Nightly) are on the `main` branch + +- [ ] Update `rbm.conf` + - [ ] `var/torbrowser_version` : update to next version + - [ ] `var/torbrowser_build` : update to `$(TOR_BROWSER_BUILD_N)` + - [ ] ***(Desktop Only)***`var/torbrowser_incremental_from` : update to previous Desktop version + - **NOTE**: We try to build incrementals for the previous 3 desktop versions except in the case of a watershed update + - **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make torbrowser-incrementals-*` step will fail +- [ ] Update Desktop-specific build configs + - [ ] Update `projects/firefox/config` + - [ ] `browser_build` : update to match `tor-browser` tag + - [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased +- [ ] Update Android-specific build configs + - [ ] Update `projects/geckoview/config` + - [ ] `browser_build` : update to match `tor-browser` tag + - [ ] ***(Optional)*** `var/geckoview_version` : update to latest `$(ESR_VERSION)` if rebased + - [ ] ***(Optional)*** Update `projects/tor-android-service/config` + - [ ] `git_hash` : update with `HEAD` commit of project's `main` branch + - [ ] ***(Optional)*** Update `projects/application-services/config`: + **NOTE** we don't currently have any of our own patches for this project + - [ ] `git_hash` : update to appropriate git commit associated with `$(ESR_VERSION)` + - [ ] ***(Optional)*** Update `projects/firefox-android/config`: + - [ ] `fenix_version` : update to match alpha `firefox-android` build tag + - [ ] `browser_branch` : update to match alpha `firefox-android` build tag + - [ ] Update allowed_addons.json by running (from `tor-browser-build` root): + - `./tools/fetch_allowed_addons.py > projects/browser/allowed_addons.json` +- [ ] Update `projects/translation/config`: + - [ ] run `make list_translation_updates-alpha` to get updated hashes + - [ ] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch + - [ ] `steps/tor-browser/git_hash` : update with `HEAD` commit of project's `tor-browser` branch + - [ ] `steps/fenix/git_hash` : update with `HEAD` commit of project's `fenix-torbrowserstringsxml` branch +- [ ] Update common build configs + - [ ] Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript + - [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/browser/config` + - [ ] `URL` + - [ ] `sha256sum` + - [ ] Check for OpenSSL updates here : https://www.openssl.org/source/ + - [ ] ***(Optional)*** If new 3.0.X version available, update `projects/openssl/config` + - [ ] `version` : update to next 3.0.X version + - [ ] `input_files/sha256sum` : update to sha256 sum of source tarball + - [ ] Check for zlib updates here: https://github.com/madler/zlib/releases + - [ ] **(Optional)** If new tag available, update `projects/zlib/config` + - [ ] `version` : update to next release tag + - [ ] Check for tor updates here : https://gitlab.torproject.org/tpo/core/tor/-/tags + - [ ] ***(Optional)*** Update `projects/tor/config` + - [ ] `version` : update to latest `-alpha` tag or release tag if newer (ping dgoulet or ahf if unsure) + - [ ] Check for go updates here : https://go.dev/dl + - **NOTE** : In general, Tor Browser Alpha uses the latest Stable major series Go version, but there are sometimes exceptions. Check with the anti-censorship team before doing a major version update in case there is incompatibilities. + - [ ] ***(Optional)*** Update `projects/go/config` + - [ ] `version` : update go version + - [ ] `input_files/sha256sum` for `go` : update sha256sum of archive (sha256 sums are displayed on the go download page) + - [ ] Check for manual updates by running (from `tor-browser-build` root): `./tools/fetch-manual.py` + - [ ] ***(Optional)*** If new version is available: + - [ ] Upload the downloaded `manual_$PIPELINEID.zip` file to `tb-build-02.torproject.org` + - [ ] Deploy to `tb-builder`'s `public_html` directory: + - `sudo -u tb-builder cp manual_$PIPELINEID.zip ~tb-builder/public_html/.` + - [ ] Update `projects/manual/config`: + - [ ] Change the `version` to `$PIPELINEID` + - [ ] Update `sha256sum` in the `input_files` section +- [ ] Update `ChangeLog-TBB.txt` + - [ ] Ensure `ChangeLog-TBB.txt` is sync'd between alpha and stable branches + - [ ] Check the linked issues: ask people to check if any are missing, remove the not fixed ones + - [ ] Run `tools/fetch-changelogs.py $(ISSUE_NUMBER) --date $date $updateArgs` + - Make sure you have `requests` installed (e.g., `apt install python3-requests`) + - The first time you run this script you will need to generate an access token; the script will guide you + - `$updateArgs` should be these arguments, depending on what you actually updated: + - [ ] `--firefox` (be sure to include esr at the end if needed, which is usually the case) + - [ ] `--tor` + - [ ] `--no-script` + - [ ] `--openssl` + - [ ] `--zlib` + - [ ] `--go` + - E.g., `tools/fetch-changelogs.py 41028 --date 'December 19 2023' --firefox 115.6.0esr --tor 0.4.8.10 --no-script 11.4.29 --zlib 1.3 --go 1.21.5 --openssl 3.0.12` + - `--date $date` is optional, if omitted it will be the date on which you run the command + - [ ] Copy the output of the script to the beginning of `ChangeLog-TBB.txt` and adjust its output +- [ ] Open MR with above changes, using the template for release preparations +- [ ] Merge +- [ ] Sign+Tag + - **NOTE** this must be done by one of: + - boklm + - dan + - ma1 + - pierov + - richard + - [ ] Run: `make torbrowser-signtag-alpha` + - [ ] Push tag to `upstream` +- [ ] Build the tag: + - Run `make torbrowser-alpha && make torbrowser-incrementals-alpha` - [ ] Tor Project build machine - [ ] Local developer machine - [ ] Submit build request to Mullvad infrastructure: - **NOTE** this requires a devmole authentication token - Run `make torbrowser-kick-devmole-build` - - [ ] Ensure builders have matching builds +- [ ] Ensure builders have matching builds
</details>
<details> <summary>Communications</summary>
- ### notify stakeholders - - - [ ] Email tor-qa mailing list: tor-qa@lists.torproject.org - <details> - <summary>email template</summary> - - Subject: - Tor Browser $(TOR_BROWSER_VERION) (Android, Windows, macOS, Linux) - - Body: - Hello All, - - Unsigned Tor Browser $(TOR_BROWSER_VERSION) alpha candidate builds are now available for testing: - - - https://tb-build-05.torproject.org/~$(BUILDER)/builds/alpha/unsigned/$(TOR_B... - - The full changelog can be found here: - - - https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/raw/$(TBB... - - </details> - - - ***(Optional)*** Additional information: - - [ ] Note any new functionality which needs testing - - [ ] Link to any known issues - - [ ] ***(Optional, only around build/packaging changes)*** Email packagers: - - Recipients: - - Tails dev mailing list: tails-dev@boum.org - - Guardian Project: nathan@guardianproject.info - - torbrowser-launcher: micah@micahflee.com - - FreeBSD port: freebsd@sysctl.cz <!-- Gitlab user maxfx --> - - OpenBSD port: caspar@schutijser.com <!-- Gitlab user cschutijser --> - - [ ] Note any changes which may affect packaging/downstream integration - - [ ] Email external partners: - - ***(Optional, after ESR migration)*** Cloudflare: ask-research@cloudflare.com - - **NOTE** : We need to provide them with updated user agent string so they can update their internal machinery to prevent Tor Browser users from getting so many CAPTCHAs - - ***(Optional, after ESR migration)*** Startpage: admin@startpage.com - - **NOTE** : Startpage also needs the updated user-agent string for better experience on their onion service sites. +### notify stakeholders +- [ ] **(Once builds confirmed matching)** Email tor-qa mailing list with release information + - [ ] tor-qa: tor-qa@lists.torproject.org + - **Subject** + ``` + Tor Browser $(TOR_BROWSER_VERION) (Android, Windows, macOS, Linux) + ``` + - **Body** + ``` + Hello, + + Unsigned Tor Browser $(TOR_BROWSER_VERSION) alpha candidate builds are now available for testing: + + - https://tb-build-02.torproject.org/~$(BUILDER)/builds/alpha/unsigned/$(TOR_B... + + The full changelog can be found here: + + - https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/raw/$(TBB... + ``` +- [ ] ***(Optional, only around build/packaging changes)*** Email packagers: + - [ ] Tails dev mailing list: tails-dev@boum.org + - [ ] Guardian Project: nathan@guardianproject.info + - [ ] FreeBSD port: freebsd@sysctl.cz <!-- Gitlab user maxfx --> + - [ ] OpenBSD port: caspar@schutijser.com <!-- Gitlab user cschutijser --> + - [ ] Note any changes which may affect packaging/downstream integration +- [ ] ***(Optional, after ESR migration)*** Email external partners: + - [ ] Cloudflare: ask-research@cloudflare.com + - **NOTE** : We need to provide them with updated user agent string so they can update their internal machinery to prevent Tor Browser users from getting so many CAPTCHAs + - [ ] Startpage: admin@startpage.com + - **NOTE** : Startpage also needs the updated user-agent string for better experience on their onion service sites.
</details>
<details> <summary>Signing</summary>
- ### signing - - **NOTE** : In practice, it's most efficient to have the blog post and website updates ready to merge, since signing doesn't take very long - - [ ] Assign this issue to the signer, one of: - - boklm - - richard - - [ ] On `$(STAGING_SERVER)`, ensure updated: - - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-$(TOR_BROWSER_VERSION)-$(TOR_BROWSER_BUILD_N) && git checkout tbb-$(TOR_BROWSER_VERSION)-$(TOR_BROWSER_BUILD_N)` - - [ ] `tor-browser-build/tools/signing/set-config.hosts` - - `ssh_host_builder` : ssh hostname of machine with unsigned builds - - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory) - - `ssh_host_linux_signer` : ssh hostname of linux signing machine - - [ ] `tor-browser-build/tools/signing/set-config.rcodesign-appstoreconnect` - - `appstoreconnect_api_key_path` : path to json file containing appstoreconnect api key infos - - [ ] `set-config.update-responses` - - `update_responses_repository_dir` : directory where you cloned `git@gitlab.torproject.org:tpo/applications/tor-browser-update-responses.git` - - [ ] `tor-browser-build/tools/signing/set-config.tbb-version` - - `tbb_version` : tor browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`) - - `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`) - - `tbb_version_type` : either `alpha` for alpha releases or `release` for stable releases - - [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050 - - [ ] run do-all-signing script: - - `cd tor-browser-build/tools/signing/` - - `./do-all-signing.torbrowser` - - **NOTE**: at this point the signed binaries should have been copied to `staticiforme` - - [ ] Update `staticiforme.torproject.org`: - - From `screen` session on `staticiforme.torproject.org`: - - [ ] Static update components : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org` - - [ ] Enable update responses : `sudo -u tb-release ./deploy_update_responses-alpha.sh` - - [ ] Remove old release data from following places: - - **NOTE** : Skip this step if we need to hold on to older versions for some reason (for example, this is an Andoid or Desktop-only release, or if we need to hold back installers in favor of build-to-build updates if there are signing issues, etc) - - [ ] `/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser` - - [ ] `/srv/dist-master.torproject.org/htdocs/torbrowser` - - [ ] Static update components (again) : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org` - - [ ] Publish APKs to Google Play: - - Log into https://play.google.com/apps/publish - - Select `Tor Browser (Alpha)` app - - Navigate to `Release > Production` and click `Create new release` button: - - Upload the `tor-browser-android-*.apk` APKs - - Update Release Name to Tor Browser version number - - Update Release Notes - - Next to 'Release notes', click `Copy from a previous release` - - Edit blog post url to point to most recent blog post - - Save, review, and configure rollout percentage - - [ ] 25% rollout when publishing a scheduled update - - [ ] 100% rollout when publishing a security-driven release - - [ ] Update rollout percentage to 100% after confirmed no major issues +### release signing +- **NOTE** : In practice, it's most efficient to have the blog post and website updates ready to merge, since signing doesn't take very long +- [ ] Assign this issue to the signer, one of: + - boklm + - richard +- [ ] On `$(STAGING_SERVER)`, ensure updated: + - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-$(TOR_BROWSER_VERSION)-$(TOR_BROWSER_BUILD_N) && git checkout tbb-$(TOR_BROWSER_VERSION)-$(TOR_BROWSER_BUILD_N)` + - [ ] `tor-browser-build/tools/signing/set-config.hosts` + - `ssh_host_builder` : ssh hostname of machine with unsigned builds + - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory) + - `ssh_host_linux_signer` : ssh hostname of linux signing machine + - [ ] `tor-browser-build/tools/signing/set-config.rcodesign-appstoreconnect` + - `appstoreconnect_api_key_path` : path to json file containing appstoreconnect api key infos + - [ ] `set-config.update-responses` + - `update_responses_repository_dir` : directory where you cloned `git@gitlab.torproject.org:tpo/applications/tor-browser-update-responses.git` + - [ ] `tor-browser-build/tools/signing/set-config.tbb-version` + - `tbb_version` : tor browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`) + - `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`) + - `tbb_version_type` : either `alpha` for alpha releases or `release` for stable releases +- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050 +- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, run do-all-signing script: + - `cd tor-browser-build/tools/signing/` + - `./do-all-signing.torbrowser` +- **NOTE**: at this point the signed binaries should have been copied to `staticiforme` +- [ ] Update `staticiforme.torproject.org`: + - From `screen` session on `staticiforme.torproject.org`: + - [ ] Static update components : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org` + - [ ] Enable update responses : `sudo -u tb-release ./deploy_update_responses-alpha.sh` + - [ ] Remove old release data from following places: + - **NOTE** : Skip this step if we need to hold on to older versions for some reason (for example, this is an Andoid or Desktop-only release, or if we need to hold back installers in favor of build-to-build updates if there are signing issues, etc) + - [ ] `/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser` + - [ ] `/srv/dist-master.torproject.org/htdocs/torbrowser` + - [ ] Static update components (again) : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org`
</details>
@@ -262,55 +241,58 @@ popd <details> <summary>Publishing</summary>
- ### website: https://gitlab.torproject.org/tpo/web/tpo.git - - [ ] `databags/versions.ini` : Update the downloads versions - - `torbrowser-stable/version` : sort of a catch-all for latest stable version - - `torbrowser-alpha/version` : sort of a catch-all for latest stable version - - `torbrowser-*-stable/version` : platform-specific stable versions - - `torbrowser-*-alpha/version` : platform-specific alpha versions - - `tor-stable`,`tor-alpha` : set by tor devs, do not touch - - [ ] Push to origin as new branch, open 'Draft :' MR - - [ ] Remove `Draft:` from MR once signed-packages are uploaded - - [ ] Merge - - [ ] Publish after CI passes and builds are published - - ### blog: https://gitlab.torproject.org/tpo/web/blog.git - - [ ] Duplicate previous Stable or Alpha release blog post as appropriate to new directory under `content/blog/new-release-tor-browser-$(TOR_BROWSER_VERSION)` and update with info on release : - - [ ] Run `tools/signing/create-blog-post` which should create the new blog post from a template (edit set-config.blog to set you local blog directory) - - [ ] Update Tor Browser version numbers - - [ ] Note any ESR rebase - - [ ] Link to any Firefox security updates from ESR upgrade - - [ ] Link to any Android-specific security backports - - [ ] Note any updates to : - - tor - - OpenSSL - - NoScript - - [ ] Convert ChangeLog-TBB.txt to markdown format used here by : - - `tor-browser-build/tools/changelog-format-blog-post` - - [ ] Push to origin as new branch, open `Draft:` MR - - [ ] Remove `Draft:` from MR once signed-packages are uploaded - - [ ] Merge - - [ ] Publish after CI passes and website has been updated - - ### tor-announce mailing list - - [ ] Email tor-announce mailing list: tor-announce@lists.torproject.org - <details> - <summary>email template</summary> - - Subject: - New Release: Tor Browser $(TOR_BROWSER_VERSION) (Android, Windows, macOS, Linux) - - Body: - Hi everyone, - - Tor Browser $(TOR_BROWSER_VERSION) has now been published for all platforms. For details please see our blog post: - - - $(BLOG_POST_URL) - - </details> - - - **(Optional)** Additional information: - - [ ] Link to any known issues +### Google Play: https://play.google.com/apps/publish +- [ ] Publish APKs to Google Play: + - Select `Tor Browser (Alpha)` app + - Navigate to `Release > Production` and click `Create new release` button: + - Upload the `tor-browser-android-*.apk` APKs + - Update Release Name to Tor Browser version number + - Update Release Notes + - Next to 'Release notes', click `Copy from a previous release` + - Edit blog post url to point to most recent blog post + - Save, review, and configure rollout percentage + - [ ] 25% rollout when publishing a scheduled update + - [ ] 100% rollout when publishing a security-driven release + - [ ] Update rollout percentage to 100% after confirmed no major issues + +### website: https://gitlab.torproject.org/tpo/web/tpo.git +- [ ] `databags/versions.ini` : Update the downloads versions + - `torbrowser-stable/version` : sort of a catch-all for latest stable version + - `torbrowser-alpha/version` : sort of a catch-all for latest stable version + - `torbrowser-*-stable/version` : platform-specific stable versions + - `torbrowser-*-alpha/version` : platform-specific alpha versions + - `tor-stable`,`tor-alpha` : set by tor devs, do not touch +- [ ] Push to origin as new branch, open 'Draft :' MR +- [ ] Remove `Draft:` from MR once signed-packages are accessible on https://dist.torproject.org +- [ ] Merge +- [ ] Publish after CI passes and builds are published + +### blog: https://gitlab.torproject.org/tpo/web/blog.git +- [ ] Run `tools/signing/create-blog-post` which should create the new blog post from a template (edit set-config.blog to set you local blog directory) + - [ ] Note any ESR update + - [ ] Note any updates to dependencies (OpenSSL, zlib, NoScript, tor, etc) + - [ ] Thank any users which have contributed patches + - [ ] **(Optional)** Draft any additional sections for new features which need testing, known issues, etc +- [ ] Push to origin as new branch, open `Draft:` MR +- [ ] Merge once signed-packages are accessible on https://dist.torproject.org +- [ ] Publish after CI passes and website has been updated + +### tor-announce mailing list +- [ ] Email tor-announce mailing list: tor-announce@lists.torproject.org + - **Subject** + ``` + New Release: Tor Browser $(TOR_BROWSER_VERSION) (Android, Windows, macOS, Linux) + ``` + - **Body** + ``` + Hi everyone, + + Tor Browser $(TOR_BROWSER_VERSION) has now been published for all platforms. For details please see our blog post: + - $(BLOG_POST_URL) + + Changelog: + # paste changleog as quote here + ```
</details>
===================================== .gitlab/issue_templates/Release Prep - Tor Browser Stable.md ===================================== @@ -27,29 +27,24 @@ </details>
**NOTE** It is assumed that the `tor-browser` stable rebase and security backport tasks have been completed +**NOTE** This can/is often done in conjunction with the equivalent Mullvad Browser release prep issue
<details> <summary>Building</summary>
### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git -Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)` (and possibly more specific) branches +Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)` (and possibly more specific) branches.
- [ ] Update `rbm.conf` - [ ] `var/torbrowser_version` : update to next version - [ ] `var/torbrowser_build` : update to `$(TOR_BROWSER_BUILD_N)` - [ ] ***(Desktop Only)***`var/torbrowser_incremental_from` : update to previous Desktop version + - **NOTE**: We try to build incrementals for the previous 3 desktop versions except in the case of a watershed update - **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make torbrowser-incrementals-*` step will fail - [ ] Update Desktop-specific build configs - [ ] Update `projects/firefox/config` - [ ] `browser_build` : update to match `tor-browser` tag - [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased - - [ ] Update `projects/translation/config`: - - [ ] run `make list_translation_updates-release` to get updated hashes - - [ ] Update `projects/translation/config`: - - [ ] run `make list_translation_updates-alpha` to get updated hashes - - [ ] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch - - [ ] `steps/tor-browser/git_hash` : update with `HEAD` commit of project's `tor-browser` branch - - [ ] `steps/fenix/git_hash` : update with `HEAD` commit of project's `fenix-torbrowserstringsxml` branch - [ ] Update Android-specific build configs - [ ] Update `projects/geckoview/config` - [ ] `browser_build` : update to match `tor-browser` tag @@ -60,27 +55,32 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE **NOTE** we don't currently have any of our own patches for this project - [ ] `git_hash` : update to appropriate git commit associated with `$(ESR_VERSION)` - [ ] ***(Optional)*** Update `projects/firefox-android/config`: - - [ ] `fenix_version` : update to match alpha `firefox-android` build tag - - [ ] `browser_branch` : update to match alpha `firefox-android` build tag + - [ ] `fenix_version` : update to match alpha `firefox-android` build tag + - [ ] `browser_branch` : update to match alpha `firefox-android` build tag - [ ] Update allowed_addons.json by running (from `tor-browser-build` root): - `./tools/fetch_allowed_addons.py > projects/browser/allowed_addons.json` +- [ ] Update `projects/translation/config`: + - [ ] run `make list_translation_updates-release` to get updated hashes + - [ ] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch + - [ ] `steps/tor-browser/git_hash` : update with `HEAD` commit of project's `tor-browser` branch + - [ ] `steps/fenix/git_hash` : update with `HEAD` commit of project's `fenix-torbrowserstringsxml` branch - [ ] Update common build configs - [ ] Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript - [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/browser/config` - [ ] `URL` - [ ] `sha256sum` - [ ] Check for OpenSSL updates here : https://www.openssl.org/source/ - - [ ] ***(Optional)*** If new 1.X.Y version available, update `projects/openssl/config` - - [ ] `version` : update to next 1.X.Y version + - [ ] ***(Optional)*** If new 3.0.X version available, update `projects/openssl/config` + - [ ] `version` : update to next 3.0.X version - [ ] `input_files/sha256sum` : update to sha256 sum of source tarball - [ ] Check for zlib updates here: https://github.com/madler/zlib/releases - [ ] **(Optional)** If new tag available, update `projects/zlib/config` - [ ] `version` : update to next release tag - [ ] Check for tor updates here : https://gitlab.torproject.org/tpo/core/tor/-/tags - - [ ] ***(Optional)*** Update `projects/tor/config` + - [ ] ***(Optional)*** Update `projects/tor/config` - [ ] `version` : update to latest non `-alpha` tag (ping dgoulet or ahf if unsure) - [ ] Check for go updates here : https://go.dev/dl - - **NOTE** : Tor Browser Stable uses the latest of the *previous* Stable major series go version (apart from the transition phase from Tor Browser Alpha to Stable, in which case Tor Browser Stable may use the latest major series go version) + - **NOTE** : In general, Tor Browser Stable uses the latest of the *previous* Stable major series Go version, but there are sometimes exceptions. Check with the anti-censorship team before doing a major version update in case there is incompatibilities. - [ ] ***(Optional)*** Update `projects/go/config` - [ ] `version` : update go version - [ ] `input_files/sha256sum` for `go` : update sha256sum of archive (sha256 sums are displayed on the go download page) @@ -88,7 +88,7 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE - [ ] ***(Optional)*** If new version is available: - [ ] Upload the downloaded `manual_$PIPELINEID.zip` file to `tb-build-02.torproject.org` - [ ] Deploy to `tb-builder`'s `public_html` directory: - - `sudo -u tb-builder cp manual_$PIPELINEID.zip ~/../tb-builder/public_html/.` + - `sudo -u tb-builder cp manual_$PIPELINEID.zip ~tb-builder/public_html/.` - [ ] Update `projects/manual/config`: - [ ] Change the `version` to `$PIPELINEID` - [ ] Update `sha256sum` in the `input_files` section @@ -108,25 +108,25 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE - E.g., `tools/fetch-changelogs.py 41028 --date 'December 19 2023' --firefox 115.6.0esr --tor 0.4.8.10 --no-script 11.4.29 --zlib 1.3 --go 1.21.5 --openssl 3.0.12` - `--date $date` is optional, if omitted it will be the date on which you run the command - [ ] Copy the output of the script to the beginning of `ChangeLog-TBB.txt` and adjust its output - - [ ] Open MR with above changes, using the template for release preparations - - [ ] Merge - - [ ] Sign+Tag - - **NOTE** this must be done by one of: - - boklm - - dan - - ma1 - - pierov - - richard - - [ ] Run: `make torbrowser-signtag-release` - - [ ] Push tag to `upstream` - - [ ] Build on at least one of: - - Run `make torbrowser-release && make torbrowser-incrementals-release` +- [ ] Open MR with above changes, using the template for release preparations +- [ ] Merge +- [ ] Sign+Tag + - **NOTE** this must be done by one of: + - boklm + - dan + - ma1 + - pierov + - richard + - [ ] Run: `make torbrowser-signtag-release` + - [ ] Push tag to `upstream` +- [ ] Build the tag: + - Run `make torbrowser-release && make torbrowser-incrementals-release` - [ ] Tor Project build machine - [ ] Local developer machine - [ ] Submit build request to Mullvad infrastructure: - **NOTE** this requires a devmole authentication token - Run `make torbrowser-kick-devmole-build` - - [ ] Ensure builders have matching builds +- [ ] Ensure builders have matching builds
</details>
@@ -134,49 +134,44 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE <summary>Communications</summary>
### notify stakeholders +- [ ] **(Once builds confirmed matching)** Email tor-qa mailing list with release information + - [ ] tor-qa: tor-qa@lists.torproject.org + - **Subject** + ``` + Tor Browser $(TOR_BROWSER_VERION) (Android, Windows, macOS, Linux) + ``` + - **Body** + ``` + Hello,
- <details> - <summary>email template</summary> - - Subject: - Tor Browser $(TOR_BROWSER_VERION) (Android, Windows, macOS, Linux) - - Body: - Hello All, - - Unsigned Tor Browser $(TOR_BROWSER_VERSION) release candidate builds are now available for testing: - - - https://tb-build-05.torproject.org/~$(BUILDER)/builds/release/unsigned/$(TOR... - - The full changelog can be found here: + Unsigned Tor Browser $(TOR_BROWSER_VERSION) release candidate builds are now available for testing:
- - https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/blob/$(TB... + - https://tb-build-02.torproject.org/~$(BUILDER)/builds/release/unsigned/$(TOR...
- </details> + The full changelog can be found here:
-- [ ] Email tor-qa mailing list: tor-qa@lists.torproject.org - - ***(Optional)*** Additional information: - - [ ] Note any new functionality which needs testing - - [ ] Link to any known issues + - https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/raw/$(TBB... + ``` - [ ] Email packagers: - - Recipients: - - Tails dev mailing list: tails-dev@boum.org - - Guardian Project: nathan@guardianproject.info - - torbrowser-launcher: micah@micahflee.com - - FreeBSD port: freebsd@sysctl.cz <!-- Gitlab user maxfx --> - - OpenBSD port: caspar@schutijser.com <!-- Gitlab user cschutijser --> - - [ ] ***(Optional)*** Note any changes which may affect packaging/downstream integration + - [ ] Tails dev mailing list: tails-dev@boum.org + - [ ] Guardian Project: nathan@guardianproject.info + - [ ] FreeBSD port: freebsd@sysctl.cz <!-- Gitlab user maxfx --> + - [ ] OpenBSD port: caspar@schutijser.com <!-- Gitlab user cschutijser --> + - [ ] Note any changes which may affect packaging/downstream integration
</details>
<details> <summary>Signing</summary>
-### signing +### release signing - **NOTE** : In practice, it's most efficient to have the blog post and website updates ready to merge, since signing doesn't take very long +- [ ] Assign this issue to the signer, one of: + - boklm + - richard - [ ] On `$(STAGING_SERVER)`, ensure updated: - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-$(TOR_BROWSER_VERSION)-$(TOR_BROWSER_BUILD_N) && git checkout tbb-$(TOR_BROWSER_VERSION)-$(TOR_BROWSER_BUILD_N)` - - [ ] `tor-browser-build/tools/signing/set-config.hosts` + - [ ] `tor-browser-build/tools/signing/set-config.hosts` - `ssh_host_builder` : ssh hostname of machine with unsigned builds - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory) - `ssh_host_linux_signer` : ssh hostname of linux signing machine @@ -189,9 +184,9 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE - `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`) - `tbb_version_type` : either `alpha` for alpha releases or `release` for stable releases - [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050 -- [ ] run do-all-signing script: - - `cd tor-browser-build/tools/signing/` - - `./do-all-signing.torbrowser` +- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, run do-all-signing script: + - `cd tor-browser-build/tools/signing/` + - `./do-all-signing.torbrowser` - **NOTE**: at this point the signed binaries should have been copied to `staticiforme` - [ ] Update `staticiforme.torproject.org`: - From `screen` session on `staticiforme.torproject.org`: @@ -201,20 +196,7 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE - **NOTE** : Skip this step if we need to hold on to older versions for some reason (for example, this is an Andoid or Desktop-only release, or if we need to hold back installers in favor of build-to-build updates if there are signing issues, etc) - [ ] `/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser` - [ ] `/srv/dist-master.torproject.org/htdocs/torbrowser` -- [ ] Static update components (again) : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org` -- [ ] Publish APKs to Google Play: - - Log into https://play.google.com/apps/publish - - Select `Tor Browser` app - - Navigate to `Release > Production` and click `Create new release` button: - - Upload the `tor-browser-android-*.apk` APKs - - Update Release Name to Tor Browser version number - - Update Release Notes - - Next to 'Release notes', click `Copy from a previous release` - - Edit blog post url to point to most recent blog post - - Save, review, and configure rollout percentage - - [ ] 25% rollout when publishing a scheduled update - - [ ] 100% rollout when publishing a security-driven release - - [ ] Update rollout percentage to 100% after confirmed no major issues + - [ ] Static update components (again) : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org`
</details>
@@ -223,33 +205,51 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE
<details> <summary>Check whether the .exe files got properly signed and timestamped</summary> - ``` - # Point OSSLSIGNCODE to your osslsigncode binary - pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION - OSSLSIGNCODE=/path/to/osslsigncode - ../../../tools/authenticode_check.sh - popd - ``` + +```bash +# Point OSSLSIGNCODE to your osslsigncode binary +pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION +OSSLSIGNCODE=/path/to/osslsigncode +../../../tools/authenticode_check.sh +popd +``` + </details> <details> <summary>Check whether the MAR files got properly signed</summary> - ``` - # Point NSSDB to your nssdb containing the mar signing certificate - # Point SIGNMAR to your signmar binary - # Point LD_LIBRARY_PATH to your mar-tools directory - pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION - NSSDB=/path/to/nssdb - SIGNMAR=/path/to/mar-tools/signmar - LD_LIBRARY_PATH=/path/to/mar-tools/ - ../../../tools/marsigning_check.sh - popd - ``` + +```bash +# Point NSSDB to your nssdb containing the mar signing certificate +# Point SIGNMAR to your signmar binary +# Point LD_LIBRARY_PATH to your mar-tools directory +pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION +NSSDB=/path/to/nssdb +SIGNMAR=/path/to/mar-tools/signmar +LD_LIBRARY_PATH=/path/to/mar-tools/ +../../../tools/marsigning_check.sh +popd +``` + </details> </details>
<details> <summary>Publishing</summary>
+### Google Play: https://play.google.com/apps/publish +- [ ] Publish APKs to Google Play: + - Select `Tor Browser` app + - Navigate to `Release > Production` and click `Create new release` button: + - Upload the `tor-browser-android-*.apk` APKs + - Update Release Name to Tor Browser version number + - Update Release Notes + - Next to 'Release notes', click `Copy from a previous release` + - Edit blog post url to point to most recent blog post + - Save, review, and configure rollout percentage + - [ ] 25% rollout when publishing a scheduled update + - [ ] 100% rollout when publishing a security-driven release + - [ ] Update rollout percentage to 100% after confirmed no major issues + ### website: https://gitlab.torproject.org/tpo/web/tpo.git - [ ] `databags/versions.ini` : Update the downloads versions - `torbrowser-stable/version` : sort of a catch-all for latest stable version @@ -258,49 +258,37 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE - `torbrowser-*-alpha/version` : platform-specific alpha versions - `tor-stable`,`tor-alpha` : set by tor devs, do not touch - [ ] Push to origin as new branch, open 'Draft :' MR -- [ ] Remove `Draft:` from MR once signed-packages are uploaded +- [ ] Remove `Draft:` from MR once signed-packages are accessible on https://dist.torproject.org - [ ] Merge - [ ] Publish after CI passes and builds are published
### blog: https://gitlab.torproject.org/tpo/web/blog.git - -- [ ] Duplicate previous Stable or Alpha release blog post as appropriate to new directory under `content/blog/new-release-tor-browser-$(TOR_BROWSER_VERSION)` and update with info on release : - - [ ] Run `tools/signing/create-blog-post` which should create the new blog post from a template (edit set-config.blog to set you local blog directory) - - [ ] Update Tor Browser version numbers - - [ ] Note any ESR rebase - - [ ] Link to any Firefox security updates from ESR upgrade - - [ ] Link to any Android-specific security backports - - [ ] Note any updates to : - - tor - - OpenSSL - - NoScript - - [ ] Convert ChangeLog.txt to markdown format used here by : - - `tor-browser-build/tools/changelog-format-blog-post` +- [ ] Run `tools/signing/create-blog-post` which should create the new blog post from a template (edit set-config.blog to set you local blog directory) + - [ ] Note any ESR update + - [ ] Note any updates to dependencies (OpenSSL, zlib, NoScript, tor, etc) + - [ ] Thank any users which have contributed patches - [ ] Push to origin as new branch, open `Draft:` MR -- [ ] Remove `Draft:` from MR once signed-packages are uploaded -- [ ] Merge +- [ ] Merge once signed-packages are accessible on https://dist.torproject.org - [ ] Publish after CI passes and website has been updated
### tor-announce mailing list - <details> - <summary>email template</summary> - - Subject: - New Release: Tor Browser $(TOR_BROWSER_VERSION) (Android, Windows, macOS, Linux) - - Body: - Hi everyone, - - Tor Browser $(TOR_BROWSER_VERSION) has now been published for all platforms. For details please see our blog post: - - - $(BLOG_POST_URL) +- [ ] Email tor-announce mailing list: tor-announce@lists.torproject.org + - **Subject** + ``` + New Release: Tor Browser $(TOR_BROWSER_VERSION) (Android, Windows, macOS, Linux) + ``` + - **Body** + ``` + Hi everyone,
- </details> + Tor Browser $(TOR_BROWSER_VERSION) has now been published for all platforms. For details please see our blog post: + - $(BLOG_POST_URL)
-- [ ] Email tor-announce mailing list: tor-announce@lists.torproject.org - - **(Optional)** Additional information: - - [ ] Link to any known issues + Changelog: + # paste changleog as quote here + ```
</details>
/label ~"Release Prep" +
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/f1...
tor-commits@lists.torproject.org