richard pushed to branch tor-browser-102.12.0esr-12.5-1 at The Tor Project / Applications / Tor Browser
Commits:
f2fb23c2 by Richard Pospesel at 2023-06-14T17:07:34+00:00
fixup! Adding issue and merge request templates

- removed extra unneeded dashes
- updated Backporting section to better match our desired process going forward:
  - discourage requests for backport to stable
  - provide justification for backport request from list proposed at last Tor meeting
- added 'consistency' justification for patches/changes which can be difficult to context switch between but don't affect the final build output
- added explicit merge destination selection

- - - - -
f02f3319 by Richard Pospesel at 2023-06-14T17:12:14+00:00
fixup! Bug 41649: Create rebase and security backport gitlab issue templates

- made formatting consistent between each template
- updated the directions around the base-browser rebase to better reflect how we *actually* do it with regards to only rarely needing to rebase base-browser separately
- fixed a few typos and incorrect git cherry-pick examples
- moved signing and tagging to their own section in the rebase templates
- changed instances of 'origin' to 'upstream' to be consistent with github/gitlab documentation
- added firefox-android section and marked android-components and fenix sections as optional for esr102 only so we don't have to urgently fix this once we switch to esr115

- - - - -
4 changed files:
- .gitlab/issue_templates/Backport Android Security Fixes.md
- .gitlab/issue_templates/Rebase Browser - Alpha.md
- .gitlab/issue_templates/Rebase Browser - Stable.md
- .gitlab/merge_request_templates/default.md
Changes:
===================================== .gitlab/issue_templates/Backport Android Security Fixes.md ===================================== 
@@ -1,41 +1,43 @@ <details> <summary>Explanation of Variables</summary> -- `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc - - example : `102.8.0` -- `$(RR_VERSION)` : the Mozilla defined Rapid-Release version; Tor Browser for Android is based off of the `$(ESR_VERSION)`, but Mozilla's Firefox for Android is based off of the `$(RR_VERSION)` so we need to keep track of security vulnerabilities to backport from the monthly Rapid-Release train and our frozen ESR train. - - example: `110` -- `$(PROJECT_NAME)` : the name of the browser project, either `base-browser` or `tor-browser` -- `$(TOR_BROWSER_MAJOR)` : the Tor Browser major version - - example : `12` -- `$(TOR_BROWSER_MINOR)` : the Tor Browser minor version - - example : either `0` or `5`; Alpha's is always `(Stable + 5) % 10` -- `$(BUILD_N)` : a project's build revision within a its branch; many of the Firefox-related projects have a `$(BUILD_N)` suffix and may differ between projects even when they contribute to the same build. - - example : `build1` + +- `$(ESR_VERSION)`: the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc + - **Example**: `102.8.0` +- `$(RR_VERSION)`: the Mozilla defined Rapid-Release version; Tor Browser for Android is based off of the `$(ESR_VERSION)`, but Mozilla's Firefox for Android is based off of the `$(RR_VERSION)` so we need to keep track of security vulnerabilities to backport from the monthly Rapid-Release train and our frozen ESR train. 
+ - **Example**: `110` +- `$(PROJECT_NAME)`: the name of the browser project, either `base-browser` or `tor-browser` +- `$(TOR_BROWSER_MAJOR)`: the Tor Browser major version + - **Example**: `12` +- `$(TOR_BROWSER_MINOR)`: the Tor Browser minor version + - **Example**: either `0` or `5`; Alpha's is always `(Stable + 5) % 10` +- `$(BUILD_N)`: a project's build revision within a its branch; many of the Firefox-related projects have a `$(BUILD_N)` suffix and may differ between projects even when they contribute to the same build. + - **Example**: `build1` </details>
-**NOTE:** It is assumed the `tor-browser` rebase (stable and alpha) has already happened and there exists a `build1` build tags for both `base-browser` and `tor-browser` (stable and alpha) +**NOTE:** It is assumed the `tor-browser` rebases (stable and alpha) have already happened and there exists a `build1` build tags for both `base-browser` and `tor-browser` (stable and alpha)
### **Bookkeeping**
- [ ] Link this issue to the appropriate [Release Prep](https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/?s...) issues (stable and alpha).
-### **Security Vulnerabilities Report** : https://www.mozilla.org/en-US/security/advisories/ +### **Security Vulnerabilities Report**: https://www.mozilla.org/en-US/security/advisories/
- Potentially Affected Components: - - `firefox`/`geckoview` : https://github.com/mozilla/gecko-dev - - `application-services` : https://github.com/mozilla/application-services - - `android-components` : https://github.com/mozilla-mobile/firefox-android - - `fenix` : https://github.com/mozilla-mobile/firefox-android + - `firefox`/`geckoview`: https://github.com/mozilla/gecko-dev + - `application-services`: https://github.com/mozilla/application-services + - `android-components` (ESR 102 only): https://github.com/mozilla-mobile/firefox-android + - `fenix` (ESR 102 only): https://github.com/mozilla-mobile/firefox-android + - `firefox-android`: https://github.com/mozilla-mobile/firefox-android
-**NOTE:** `android-components` and `fenix` used to have their own repos, but since November 2022 they have converged to a single `firefox-android` repo. Any backports will require manually porting patches over to our legacy repos. +**NOTE:** `android-components` and `fenix` used to have their own repos, but since November 2022 they have converged to a single `firefox-android` repo. Any backports will require manually porting patches over to our legacy repos until we have transitioned to ESR 115.
-- [ ] Go through any `Security Vulnerabilities fixed in Firefox $(RR_VERSION)` (or similar) and create a candidate list of CVEs which potentially need to be backported in this issue: +- [ ] Go through the `Security Vulnerabilities fixed in Firefox $(RR_VERSION)` report and create a candidate list of CVEs which potentially need to be backported in this issue: - CVEs which are explicitly labeled as 'Android' only - CVEs which are fixed in Rapid Release but not in ESR - 'Memory safety bugs' fixed in Rapid Release but not in ESR - [ ] Foreach issue: - Create link to the CVE on [mozilla.org](https://www.mozilla.org/en-US/security/advisories/) - - example: https://www.mozilla.org/en-US/security/advisories/mfsa2023-05/#CVE-2023-2574... + - **Example**: https://www.mozilla.org/en-US/security/advisories/mfsa2023-05/#CVE-2023-2574... - Create link to the associated Bugzilla issues (found in the CVE description) - Create links to the relevant `gecko-dev`/other commit hashes which need to be backported OR a brief justification for why the fix does not need to be backported - To find the `gecko-dev` version of a `mozilla-central`, search for a unique string in the relevant `mozilla-central` commit message in the `gecko-dev/release` branch log. @@ -46,13 +48,13 @@ <!-- CVE Resolution Template, foreach CVE to investigate add an entry in the form: - [ ] https://www.mozilla.org/en-US/security/advisories/mfsaYYYY-NN/#CVE-YYYY-XXXXX // CVE description - https://bugzilla.mozilla.org/show_bug.cgi?id=NNNNNN // Bugzilla issue - - **Note** : Any relevant info about this fix, justification for why it is not necessary, etc + - **Note**: Any relevant info about this fix, justification for why it is not necessary, etc - **Patches** - - firefox-android : https://link.to/relevant/patch - - firefox : https://link.to/relevant/patch + - firefox-android: https://link.to/relevant/patch + - firefox: https://link.to/relevant/patch -->
-### **tor-browser** : https://gitlab.torproject.org/tpo/applications/tor-browser.git +### **tor-browser**: https://gitlab.torproject.org/tpo/applications/tor-browser.git - [ ] Backport any Android-specific security fixes from Firefox rapid-release - [ ] Backport patches to `tor-browser` stable branch - [ ] Open MR @@ -62,33 +64,34 @@ - [ ] `tor-browser` alpha - [ ] `base-browser` alpha - [ ] Sign/Tag commits: - - Tag : `$(PROJECT_NAME)-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)` - - Message: `Tagging $(BUILD_N) for $(ESR_VERSION)-based alpha)` + - **Tag**: `$(PROJECT_NAME)-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)` + - **Message**: `Tagging $(BUILD_N) for $(ESR_VERSION)-based stable|alpha)` - [ ] `base-browser` stable - [ ] `tor-browser` stable - [ ] `base-browser` alpha - [ ] `tor-browser` alpha - - [ ] Push tags to `origin` -**OR** + - [ ] Push tags to `upstream` +- **OR** - [ ] No backports
-### **application-services** : *TODO: we will need to setup a gitlab copy of this repo that we can apply security backports to if there are ever any security issues here* +### **application-services**: https://gitlab.torproject.org/tpo/applications/application-services +- **NOTE**: we will need to setup a gitlab copy of this repo and update `tor-browser-build` before we can apply security backports here - [ ] Backport any Android-specific security fixes from Firefox rapid-release - [ ] Backport patches to `application-services` stable branch - [ ] Open MR - [ ] Merge - [ ] Rebase patches onto `application-services` alpha - [ ] Sign/Tag commits: - - Tag : `application-services-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)` - - Message: `Tagging $(BUILD_N) for $(ESR_VERSION)-based alpha` + - **Tag**: `application-services-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)` + - **Message**: `Tagging $(BUILD_N) for $(ESR_VERSION)-based stable|alpha` - [ ] `application-services` stable - [ ] `application-services` alpha - - [ ] Push tags to `origin` - **OR** + - [ ] Push tags to `upstream` +- **OR** - [ ] No backports
-### **android-components** : https://gitlab.torproject.org/tpo/applications/android-components.git +### **android-components (Optional, ESR 102)**: https://gitlab.torproject.org/tpo/applications/android-components.git - [ ] Backport any Android-specific security fixes from Firefox rapid-release - **NOTE**: Since November 2022, this repo has been merged with `fenix` into a singular `firefox-android` repo: https://github.com/mozilla-mobile/firefox-android. Any backport will require a patch rewrite to apply to our legacy `android-components` project. - [ ] Backport patches to `android-components` stable branch @@ -96,16 +99,16 @@ - [ ] Merge - [ ] Rebase patches onto `android-components` alpha - [ ] Sign/Tag commits: - - Tag : `android-components-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)` - - Message: `Tagging $(BUILD_N) for $(ESR_VERSION)-based alpha)` + - **Tag**: `android-components-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)` + - **Message**: `Tagging $(BUILD_N) for $(ESR_VERSION)-based stable|alpha)` - [ ] `android-components` stable - [ ] `android-components` alpha - - [ ] Push tags to `origin` -**OR** + - [ ] Push tags to `upstream` +- **OR** - [ ] No backports
-### **fenix** : https://gitlab.torproject.org/tpo/applications/fenix.git +### **fenix (Optional, ESR 102)**: https://gitlab.torproject.org/tpo/applications/fenix.git - [ ] Backport any Android-specific security fixes from Firefox rapid-release - **NOTE**: Since February 2023, this repo has been merged with `android-components` into a singular `firefox-android` repo: https://github.com/mozilla-mobile/firefox-android. Any backport will require a patch rewrite to apply to our legacy `fenix` project. - [ ] Backport patches to `fenix` stable branch @@ -113,12 +116,27 @@ - [ ] Merge - [ ] Rebase patches onto `fenix` alpha - [ ] Sign/Tag commits: - - Tag : `tor-browser-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)` - - Message: `Tagging $(BUILD_N) for $(ESR_VERSION)-based alpha)` + - **Tag**: `tor-browser-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)` + - **Message**: `Tagging $(BUILD_N) for $(ESR_VERSION)-based stable|alpha)` - [ ] `fenix` stable - [ ] `fenix` alpha - - [ ] Push tags to `origin` -**OR** + - [ ] Push tags to `upstream` +- **OR** +- [ ] No backports + +### **firefox-android**: https://gitlab.torproject.org/tpo/applications/firefox-android +- [ ] Backport any Android-specific security fixes from Firefox rapid-release + - [ ] Backport patches to `firefox-android` stable branch + - [ ] Open MR + - [ ] Merge + - [ ] Rebase patches onto `fenix` alpha + - [ ] Sign/Tag commits: + - **Tag**: `firefox-android-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)` + - **Message**: `Tagging $(BUILD_N) for $(ESR_VERSION)-based stable|alpha)` + - [ ] `firefox-android` stable + - [ ] `firefox-android` alpha + - [ ] Push tags to `upstream` +- **OR** - [ ] No backports
/confidential
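Review bot: The `application-services` heading in the `@@ -62,33 +64,34 @@` hunk now links to https://gitlab.torproject.org/tpo/applications/application-services, but the NOTE added directly beneath it says a gitlab copy of the repo still needs to be set up. Either keep the heading as a TODO until the repo exists, or reword the NOTE so it only covers the `tor-browser-build` update; as written the template points at a location its own text says is not there yet.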
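Review bot: In the new `firefox-android` section (last hunk, `@@ -113,12 +116,27 @@`) the rebase step reads "Rebase patches onto `fenix` alpha", which looks copied from the `fenix` section above it; it should name `firefox-android` alpha. The **Message** lines in this hunk also keep the unbalanced closing parenthesis in `Tagging $(BUILD_N) for $(ESR_VERSION)-based stable|alpha)`, while the `application-services` section has none, so drop it here and in the `tor-browser`, `android-components` and `fenix` sections while those lines are being touched.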
===================================== .gitlab/issue_templates/Rebase Browser - Alpha.md ===================================== @@ -1,27 +1,29 @@ -**NOTE:** All examples reference the rebase from 102.7.0esr to 102.8.0esr +**NOTE:** All examples in this template reference the rebase from 102.7.0esr to 102.8.0esr
<details> <summary>Explanation of Variables</summary> -- `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc - - example : `102.8.0` -- `$(ESR_TAG)` : the Mozilla defined hg (Mercurial) tag associated with `$(ESR_VERSION)` - - example : `FIREFOX_102_8_0esr_RELEASE` -- `$(ESR_TAG_PREV)` : the Mozilla defined hg (Mercurial) tag associated with the previous ESR version when rebasing (ie, the ESR version we are rebasing from) -- `$(BROWSER_MAJOR)` : the browser major version - - example : `12` -- `$(BROWSER_MINOR)` : the browser minor version - - example : either `0` or `5`; Alpha's is always `(Stable + 5) % 10` -- `$(BASE_BROWSER_BRANCH)` : the full name of the current `base-browser` branch - - example: `base-browser-102.8.0esr-12.5-1` -- `$(BASE_BROWSER_BRANCH_PREV)` : the full name of the previous `base-browser` branch - - example: `base-browser-102.7.0esr-12.5-1` -- `$(TOR_BROWSER_BRANCH)` : the full name of the current `tor-browser` branch - - example: `tor-browser-102.8.0esr-12.5-1` -- `$(TOR_BROWSER_BRANCH_PREV)` : the full name of the previous `tor-browser` branch - - example: `tor-browser-102.7.0esr-12.5-1` + +- `$(ESR_VERSION)`: the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc + - **Example**: `102.8.0` +- `$(ESR_TAG)`: the Mozilla defined hg (Mercurial) tag associated with `$(ESR_VERSION)` + - **Example**: `FIREFOX_102_8_0esr_RELEASE` +- `$(ESR_TAG_PREV)`: the Mozilla defined hg (Mercurial) tag associated with the previous ESR version when rebasing (ie, the ESR version we are rebasing from) + - **Example**: `FIREFOX_102_7_0esr_BUILD1` +- `$(BROWSER_MAJOR)`: the browser major version + - **Example**: `12` +- `$(BROWSER_MINOR)`: the browser minor version + - **Example**: either `0` or `5`; Alpha's is always `(Stable + 5) % 10` +- `$(BASE_BROWSER_BRANCH)`: the full name of the current `base-browser` branch + - **Example**: 
`base-browser-102.8.0esr-12.5-1` +- `$(BASE_BROWSER_BRANCH_PREV)`: the full name of the previous `base-browser` branch + - **Example**: `base-browser-102.7.0esr-12.5-1` +- `$(TOR_BROWSER_BRANCH)`: the full name of the current `tor-browser` branch + - **Example**: `tor-browser-102.8.0esr-12.5-1` +- `$(TOR_BROWSER_BRANCH_PREV)`: the full name of the previous `tor-browser` branch + - **Example**: `tor-browser-102.7.0esr-12.5-1` </details>
-**NOTE:** It is assumed that we've already identified the new esr branch during the tor-browser stable rebase +**NOTE:** It is assumed that we've already identified the new ESR branch during the tor-browser stable rebase
### **Bookkeeping**
@@ -33,7 +35,7 @@ - [ ] Remove previous alpha `base-browser` and `tor-browser` branch protection rules (this will prevent pushing new changes to the branches being rebased) - [ ] Create new `base-browser` and `tor-browser` branch protection rule: - **Branch**: `*-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1*` - - example: `*-102.8.0esr-12.5-1*` + - **Example**: `*-102.8.0esr-12.5-1*` - **Allowed to merge**: `Maintainers` - **Allowed to push and merge**: `Maintainers` - **Allowed to force push**: `false` @@ -41,23 +43,36 @@ ### **Create New Branches**
- [ ] Create new alpha `base-browser` branch from Firefox mercurial tag (found during the stable rebase) - - branch name in the form: `base-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1` - - example: `base-browser-102.8.0esr-12.5-1` + - Branch name in the form: `base-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1` + - **Example**: `base-browser-102.8.0esr-12.5-1` - [ ] Create new alpha `tor-browser` branch from Firefox mercurial tag - - branch name in the form: `tor-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1` - - example: `tor-browser-102.8.0esr-12.5-1` -- [ ] Push new `base-browser` branch to `origin` -- [ ] Push new `tor-browser` branch to `origin` + - Branch name in the form: `tor-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1` + - **Example**: `tor-browser-102.8.0esr-12.5-1` +- [ ] Push new `base-browser` branch to `upstream` +- [ ] Push new `tor-browser` branch to `upstream` + +### **Rebase tor-browser**
-### **Rebase base-browser** +- [ ] Checkout a new local branch for the `tor-browser` rebase + - **Example**: `git branch tor-browser-rebase FIREFOX_102_8_0esr_BUILD1` +- [ ] **(Optional)** `base-browser` rebase and autosquash + - **NOTE** This step may be skipped if the `HEAD` of the previous `base-browser` branch is a `-buildN` tag + - [ ] Cherry-pick the previous `base-browser` commits up to `base-browser`'s `buildN` tag onto new `base-browser` rebase branch + - **Example**: `git cherry-pick FIREFOX_102_7_0esr_BUILD1..base-browser-102.7.0esr-12.5-1-build1` + - [ ] Rebase and autosquash these cherry-picked commits + - **Example**: `git rebase --autosquash --interactive FIREFOX_102_8_0esr_BUILD1 HEAD` + - [ ] Cherry-pick remainder of patches after the `buildN` tag + - **Example**: `git cherry-pick base-browser-102.7.0esr-12.5-1-build1..upstream/base-browser-102.7.0esr-12.5-1`
-- [ ] Checkout a new local branch for the `base-browser` rebase - - example: `git branch base-browser-rebase FIREFOX_102_8_0esr_BUILD1` -- [ ] Cherry-pick the previous `base-browser` commits up to `base-browser`'s `build1` tag onto new `base-browser` rebase branch - - example: `git cherry-pick FIREFOX_102_7_0esr_BUILD1..base-browser-102.7.0esr-12.5-1-build1` -- [ ] Rebase and autosquash these cherry-picked commits - - example: `git rebase --autosquash --interactive FIREFOX_102_8_0esr_BUILD1 HEAD` +- [ ] `tor-browser` rebase and autosquash + - [ ] Note the current git hash of `HEAD` for `tor-browser` rebase+autosquash step: `git rev-parse HEAD` + - [ ] Cherry-pick the appropriate previous `tor-browser` branch's commit range up to the last `tor-browser` `buildN` tag + - **Example**: `git cherry-pick base-browser-102.7.0esr-12.5-1-build1..tor-browser-102.7.0esr-12.5-1-build1` + - **Example (if separate base-browser rebase was skipped)**: `git cherry-pick FIREFOX_102_7_0esr_BUILD1..tor-browser-102.7.0esr-12.5-1-build1` + - [ ] Rebase and autosquash **ONLY** these newly cherry-picked commits using the commit noted previously: `git rebase --autosquash --interactive $(PREV_HEAD)` + - **Example**: `git rebase --autosquash --interactive FIREFOX_102_8_0esr_RELEASE` - [ ] **(Optional)** Patch reordering + - **NOTE**: We typically want to do this after new features or bug fix commits which are not !fixups to an existing commit have been merged and are just sitting at the end of the commit history - Relocate new `base-browser` patches in the patch-set to enforce this rough thematic ordering: - **MOZILLA BACKPORTS** - official Firefox patches we have backported to our ESR branch: Android-specific security updates, critical bug fixes, worthwhile features, etc - **MOZILLA REVERTS** - revert commits of official Firefox patches 
@@ -66,34 +81,7 @@ - **BROWSER CONFIGURATION** - branding, mozconfigs, preference overrides, etc - **SECURITY PATCHES** - security improvements, hardening, etc - **PRIVACY PATCHES** - fingerprinting, linkability, proxy bypass, etc - - **FEATURES** - new functionality: updater, UX, letterboxing, security level, add-on integration, etc -- [ ] Cherry-pick remainder of patches after the `build1` tag - - example: `git cherry-pick base-browser-102.7.0esr-12.5-1-build1 origin/base-browser-102.7.0esr-12.5-1` -- [ ] Compare patch sets to ensure nothing *weird* happened during conflict resolution: - - [ ] diff of diffs: - - Do the diff between `current_patchset.diff` and `rebased_patchset.diff` with your preferred difftool and look at differences on lines that starts with + or - - - `git diff $(ESR_TAG_PREV)..$(BASE_BROWSER_BRANCH_PREV) > current_patchset.diff` - - `git diff $(ESR_TAG)..$(BASE_BROWSER_BRANCH) > rebased_patchset.diff` - - diff `current_patchset.diff` and `rebased_patchset.diff` - - If everything went correctly, the only lines which should differ should be the lines starting with `index abc123...def456` - - [ ] rangediff: `git range-diff $(ESR_TAG_PREV)..$(BASE_BROWSER_BRANCH_PREV) $(ESR_TAG)..HEAD` - - example: `git range-dif FIREFOX_102_7_0esr_BUILD1..origin/base-browser-102.7.0esr-12.5-1 FIREFOX_102_8_0esr_BUILD1..HEAD` -- [ ] Open MR for the `base-browser` rebase -- [ ] Merge -- [ ] Sign/Tag HEAD of the merged new `base-browser` branch: - - Tag : `base-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1-build1` - - Message : `Tagging build1 for $(ESR_VERSION)esr-based alpha` -- [ ] Push tag to `origin` - -### **Rebase tor-browser** - -- [ ] Checkout a new branch for the `tor-browser` rebase starting from the `base-browser` `build1` tag - - example: `git branch tor-browser-rebase base-browser-102.8.0esr-12.5-1-build1` -- [ ] Cherry-pick the previous `tor-browser` commits from `base-browser`'s previous `build1` tag up to `tor-browser`'s newest 
`buildN` tag (not necessarily `build1` if we have multiple build tags) - - example: `git cherry-pick base-browser-102.7.0esr-12.5-1-build1..tor-browser-102.7.0esr-12.5-1-build1` -- [ ] Rebase and autosquash these cherry-picked commits (from the last new `base-browser` commit to `HEAD`) - - example: `git rebase --autosquash --interactive base-browser-102.8.0esr-12.5-1-build1 HEAD` - - [ ] **(Optional)** Patch reordering + - **FEATURES** - new functionality: updater, UX, letterboxing, security level, add-on - Relocate new `tor-browser` patches in the patch-set to enforce this rough thematic ordering: - **BUILD CONFIGURATION** - tools/scripts, gitlab templates, etc - **BROWSER CONFIGURATION** - branding, mozconfigs, preference overrides, etc 
@@ -105,11 +93,10 @@ - **TOR SECURITY PATCHES** - tor-specific security improvements - **TOR PRIVACY PATCHES** - tor-specific privacy improvements - **TOR FEATURES** - new tor-specific functionality: manual, onion-location, onion service client auth, etc -- [ ] Cherry-pick remainder of patches after the last `buildN` tag - - example: `git cherry-pick base-browser-102.7.0esr-12.5-1-build1..origin/tor-browser-102.7.0esr-12.5-1` -- [ ] Rebase and autosquash again (from the last new `base-browser` commit to `HEAD`), this time replacing all `fixup` and `squash` commands with `pick`. The goal here is to have all of the `fixup` and `squash` commits beside the commit which they modify. - - example: `git rebase --autosquash --interactive base-browser-102.8.0esr-12.5-1-build1 HEAD` - - **NOTE**: Do not allow `fixup` or `squash` commands here! + - [ ] Cherry-pick remainder of patches after the last `tor-browser` `buildN` tag + - **Example**: `git cherry-pick tor-browser-102.7.0esr-12.5-1-build1..upstream/tor-browser-102.7.0esr-12.5-1` + - [ ] Rebase and autosquash again, this time replacing all `fixup` and `squash` commands with `pick`. The goal here is to have all of the `fixup` and `squash` commits beside the commit which they modify, but kept un-squashed for easy debugging/bisecting. + - **Example**: `git rebase --autosquash --interactive FIREFOX_102_8_0esr_RELEASE` - [ ] Compare patch sets to ensure nothing *weird* happened during conflict resolution: - [ ] diff of diffs: - Do the diff between `current_patchset.diff` and `rebased_patchset.diff` with your preferred difftool and look at differences on lines that starts with + or - 
@@ -118,11 +105,20 @@ - diff `current_patchset.diff` and `rebased_patchset.diff` - If everything went correctly, the only lines which should differ should be the lines starting with `index abc123...def456` (unless the previous `base-browser` branch includes changes not included in the previous `tor-browser` branch) - [ ] rangediff: `git range-diff $(ESR_TAG_PREV)..$(TOR_BROWSER_BRANCH_PREV) $(ESR_TAG)..HEAD` - - example: `git range-dif FIREFOX_102_7_0esr_BUILD1..origin/tor-browser-102.7.0esr-12.5-1 FIREFOX_102_8_0esr_BUILD1..HEAD` + - **Example**: `git range-dif FIREFOX_102_7_0esr_BUILD1..upstream/tor-browser-102.7.0esr-12.5-1 FIREFOX_102_8_0esr_BUILD1..HEAD` - [ ] Open MR for the `tor-browser` rebase - [ ] Merge -- [ ] Sign/Tag HEAD of the merged new `tor-browser` branch: - - Tag : `tor-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1-build1` - - Message : `Tagging build1 for $(ESR_VERSION)esr-based alpha` -- [ ] Push tag to `origin` +- Update and push `base-browser` branch + - [ ] Reset the new `base-browser` branch to the appropriate commit in this new `tor-browser` branch + - [ ] Push these commits to `upstream` + +### **Sign and Tag**
+- [ ] Sign/Tag `HEAD` of the merged `tor-browser` branch: + - **Tag**: `tor-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1-build1` + - **Message**: `Tagging build1 for $(ESR_VERSION)esr-based alpha` + - [ ] Push tag to `upstream` +- [ ] Sign/Tag HEAD of the merged `base-browser` branch: + - **Tag**: `base-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1-build1` + - **Message**: `Tagging build1 for $(ESR_VERSION)esr-based alpha` + - [ ] Push tag to `upstream`
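Review bot: The step `git rebase --autosquash --interactive $(PREV_HEAD)` in the new `tor-browser` rebase block (`@@ -41,23 +43,36 @@` hunk) uses `$(PREV_HEAD)`, which is not listed under Explanation of Variables, and its example passes `FIREFOX_102_8_0esr_RELEASE` rather than the hash noted with `git rev-parse HEAD`, while the rebase branch itself is created from `FIREFOX_102_8_0esr_BUILD1`. Define the variable and make the example show the noted hash, or state when the tag is the correct base. The added `**NOTE** This step may be skipped` line is also missing the colon used by the other `**NOTE**:` entries.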
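Review bot: The replacement **FEATURES** bullet in the `@@ -66,34 +81,7 @@` hunk ends at "security level, add-on", losing "integration, etc" from the line it replaces. Restore the full text so the `base-browser` ordering list does not end mid-phrase before "Relocate new `tor-browser` patches".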
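Review bot: The updated range-diff example in the `@@ -118,11 +105,20 @@` hunk still reads `git range-dif ...`, so the command fails if pasted; it should be `git range-diff`. In the same hunk, "Update and push `base-browser` branch" is added without a `[ ]` checkbox, unlike its sibling steps, and the new Sign and Tag section writes `HEAD` with backticks for `tor-browser` but without them for `base-browser`.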
===================================== .gitlab/issue_templates/Rebase Browser - Stable.md ===================================== @@ -1,24 +1,26 @@ -**NOTE:** All examples reference the rebase from 102.7.0esr to 102.8.0esr +**NOTE:** All examples in this template reference the rebase from 102.7.0esr to 102.8.0esr
<details> - <summary>Explanation of variables</summary> -- `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc - - example : `102.8.0` -- `$(ESR_TAG)` : the Mozilla defined hg (Mercurial) tag associated with `$(ESR_VERSION)` - - example : `FIREFOX_102_8_0esr_RELEASE` -- `$(ESR_TAG_PREV)` : the Mozilla defined hg (Mercurial) tag associated with the previous ESR version when rebasing (ie, the ESR version we are rebasing from) -- `$(BROWSER_MAJOR)` : the browser major version - - example : `12` -- `$(BROWSER_MINOR)` : the browser minor version - - example : either `0` or `5`; Alpha's is always `(Stable + 5) % 10` -- `$(BASE_BROWSER_BRANCH)` : the full name of the current `base-browser` branch - - example: `base-browser-102.8.0esr-12.0-1` -- `$(BASE_BROWSER_BRANCH_PREV)` : the full name of the previous `base-browser` branch - - example: `base-browser-102.7.0esr-12.0-1` -- `$(TOR_BROWSER_BRANCH)` : the full name of the current `tor-browser` branch - - example: `tor-browser-102.8.0esr-12.0-1` -- `$(TOR_BROWSER_BRANCH_PREV)` : the full name of the previous `tor-browser` branch - - example: `tor-browser-102.7.0esr-12.0-1` + <summary>Explanation of Variables</summary> + +- `$(ESR_VERSION)`: the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc + - **Example**: `102.8.0` +- `$(ESR_TAG)`: the Mozilla defined hg (Mercurial) tag associated with `$(ESR_VERSION)` + - **Example**: `FIREFOX_102_8_0esr_RELEASE` +- `$(ESR_TAG_PREV)`: the Mozilla defined hg (Mercurial) tag associated with the previous ESR version when rebasing (ie, the ESR version we are rebasing from) + - **Example**: `FIREFOX_102_7_0esr_BUILD1` +- `$(BROWSER_MAJOR)`: the browser major version + - **Example**: `12` +- `$(BROWSER_MINOR)`: the browser minor version + - **Example**: either `0` or `5`; Alpha's is always `(Stable + 5) % 10` +- `$(BASE_BROWSER_BRANCH)`: the full name of the current `base-browser` 
branch + - **Example**: `base-browser-102.8.0esr-12.0-1` +- `$(BASE_BROWSER_BRANCH_PREV)`: the full name of the previous `base-browser` branch + - **Example**: `base-browser-102.7.0esr-12.0-1` +- `$(TOR_BROWSER_BRANCH)`: the full name of the current `tor-browser` branch + - **Example**: `tor-browser-102.8.0esr-12.0-1` +- `$(TOR_BROWSER_BRANCH_PREV)`: the full name of the previous `tor-browser` branch + - **Example**: `tor-browser-102.7.0esr-12.0-1` </details>
### **Bookkeeping** @@ -31,69 +33,55 @@ - [ ] Remove previous stable `base-browser` and `tor-browser` branch protection rules (this will prevent pushing new changes to the branches being rebased) - [ ] Create new `base-browser` and `tor-browser` branch protection rule: - **Branch**: `*-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1*` - - example: `*-102.8.0esr-12.0-1*` + - **Example**: `*-102.8.0esr-12.0-1*` - **Allowed to merge**: `Maintainers` - **Allowed to push and merge**: `Maintainers` - **Allowed to force push**: `false`
### **Identify the Firefox Tagged Commit and Create New Branches**
-- [ ] Find the Firefox mercurial tag here : https://hg.mozilla.org/releases/mozilla-esr102/tags - - example: `FIREFOX_102_8_0esr_BUILD1` -- [ ] Find the analogous `gecko-dev` commit : https://github.com/mozilla/gecko-dev - - Search for unique string found in the mercurial commit in the `gecko-dev/esr102` branch - - example: 3a3a96c9eedd02296d6652dd50314fccbc5c4845 +- [ ] Find the Firefox mercurial tag here: https://hg.mozilla.org/releases/mozilla-esr102/tags + - **Example**: `FIREFOX_102_8_0esr_BUILD1` +- [ ] Find the analogous `gecko-dev` commit: https://github.com/mozilla/gecko-dev + - **Tip**: Search for unique string (like the Differential Revision ID) found in the mercurial commit in the `gecko-dev/esr102` branch to find the equivalent commit + - **Example**: `3a3a96c9eedd02296d6652dd50314fccbc5c4845` - [ ] Sign and Tag `gecko-dev` commit - Sign/Tag `gecko-dev` commit : - - Tag : `$(ESR_TAG)` - - Message : `Hg tag $(ESR_TAG)` + - **Tag**: `$(ESR_TAG)` + - **Message**: `Hg tag $(ESR_TAG)` - [ ] Create new stable `base-browser` branch from tag - - branch name in the form: `base-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1` - - example: `base-browser-102.8.0esr-12.0-1` + - Branch name in the form: `base-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1` + - **Example**: `base-browser-102.8.0esr-12.0-1` - [ ] Create new stable `tor-browser` branch from - - branch name in the form: `tor-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1` - - example: `tor-browser-102.8.0esr-12.0-1` -- [ ] Push new `base-browser` branch to `origin` -- [ ] Push new `tor-browser` branch to `origin` -- [ ] Push new `$(ESR_TAG)` to `origin` - -### **Rebase base-browser** - -- [ ] Checkout a new local branch for the `base-browser` rebase - - example: `git branch base-browser-rebase FIREFOX_102_8_0esr_BUILD1` -- [ ] Cherry-pick the previous `base-browser` commits up to `base-browser`'s `build1` tag onto new `base-browser` rebase branch - - example: 
`git cherry-pick FIREFOX_102_7_0esr_BUILD1..base-browser-102.7.0esr-12.0-1-build1` -- [ ] Rebase and autosquash these cherry-picked commits - - example: `git rebase --autosquash --interactive FIREFOX_102_8_0esr_BUILD1 HEAD` -- [ ] Cherry-pick remainder of patches after the `build1` tag - - example: `git cherry-pick base-browser-102.7.0esr-12.0-1-build1 origin/base-browser-102.7.0esr-12.0-1` -- [ ] Compare patch sets to ensure nothing *weird* happened during conflict resolution: - - [ ] diff of diffs: - - Do the diff between `current_patchset.diff` and `rebased_patchset.diff` with your preferred difftool and look at differences on lines that starts with + or - - - `git diff $(ESR_TAG_PREV)..$(BASE_BROWSER_BRANCH_PREV) > current_patchset.diff` - - `git diff $(ESR_TAG)..$(BASE_BROWSER_BRANCH) > rebased_patchset.diff` - - diff `current_patchset.diff` and `rebased_patchset.diff` - - If everything went correctly, the only lines which should differ should be the lines starting with `index abc123...def456` - - [ ] rangediff: `git range-diff $(ESR_TAG_PREV)..$(BASE_BROWSER_BRANCH_PREV) $(ESR_TAG)..HEAD` - - example: `git range-dif FIREFOX_102_7_0esr_BUILD1..origin/base-browser-102.7.0esr-12.0-1 FIREFOX_102_8_0esr_BUILD1..HEAD` -- [ ] Open MR for the `base-browser` rebase -- [ ] Merge -- [ ] Sign/Tag HEAD of the merged new `base-browser` branch: - - Tag : `base-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1-build1` - - Message : `Tagging build1 for $(ESR_VERSION)esr-based stable` -- [ ] Push tag to `origin` - + - Branch name in the form: `tor-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1` + - **Example**: `tor-browser-102.8.0esr-12.0-1` +- [ ] Push new `base-browser` branch to `upstream` +- [ ] Push new `tor-browser` branch to `upstream` +- [ ] Push new `$(ESR_TAG)` to `upstream`
### **Rebase tor-browser**
-- [ ] Checkout a new branch for the `tor-browser` rebase starting from the `base-browser` `build1` tag - - example: `git branch tor-browser-rebase base-browser-102.8.0esr-12.0-1-build1` -- [ ] Cherry-pick the previous `tor-browser` commits from `base-browser`'s previous `build1` tag up to `tor-browser`'s newest `buildN` tag (not necessarily `build1` if we have multiple build tags) - - example: `git cherry-pick base-browser-102.7.0esr-12.0-1-build1..tor-browser-102.7.0esr-12.0-1-build1` -- [ ] Rebase and autosquash these cherry-picked commits (from the last new `base-browser` commit to `HEAD`) - - example: `git rebase --autosquash --interactive base-browser-102.8.0esr-12.0-1-build1 HEAD` -- [ ] Cherry-pick remainder of patches after the last `buildN` tag - - example: `git cherry-pick base-browser-102.7.0esr-12.0-1-build1..origin/tor-browser-102.7.0esr-12.0-1` +- [ ] Checkout a new local branch for the `tor-browser` rebase + - **Example**: `git branch tor-browser-rebase FIREFOX_102_8_0esr_BUILD1` +- [ ] **(Optional)** `base-browser` rebase + - **NOTE** This step may be skipped if the `HEAD` of the previous `base-browser` branch is a `-buildN` tag + - [ ] Cherry-pick the previous `base-browser` commits up to `base-browser`'s `buildN` tag onto new `base-browser` rebase branch + - **Example**: `git cherry-pick FIREFOX_102_7_0esr_BUILD1..base-browser-102.7.0esr-12.0-1-build1` + - [ ] Rebase and autosquash these cherry-picked commits + - **Example**: `git rebase --autosquash --interactive FIREFOX_102_8_0esr_BUILD1 HEAD` + - [ ] Cherry-pick remainder of patches after the `buildN` tag + - **Example**: `git cherry-pick base-browser-102.7.0esr-12.0-1-build1..upstream/base-browser-102.7.0esr-12.0-1` +- [ ] `tor-browser` rebase + - [ ] Note the current git hash of `HEAD` for `tor-browser` rebase+autosquash step: `git rev-parse HEAD` + - [ ] Cherry-pick the appropriate previous `tor-browser` branch's commit range up to the last `tor-browser` `buildN` tag + - **Example**: `git 
cherry-pick base-browser-102.7.0esr-12.0-1-build1..tor-browser-102.7.0esr-12.0-1-build1` + - **Example (if separate base-browser rebase was skipped)**: `git cherry-pick FIREFOX_102_7_0esr_BUILD1..tor-browser-102.7.0esr-12.0-1-build1` + - [ ] Rebase and autosquash these newly cherry-picked commits: `git rebase --autosquash --interactive $(PREV_HEAD)` + - **Example**: `git rebase --autosquash --interactive FIREFOX_102_8_0esr_RELEASE` + - [ ] Cherry-pick remainder of patches after the last `tor-browser` `buildN` tag + - **Example**: `git cherry-pick tor-browser-102.7.0esr-12.0-1-build1..upstream/tor-browser-102.7.0esr-12.0-1` + - [ ] Rebase and autosquash again, this time replacing all `fixup` and `squash` commands with `pick`. The goal here is to have all of the `fixup` and `squash` commits beside the commit which they modify, but kept un-squashed for easy debugging/bisecting. + - **Example**: `git rebase --autosquash --interactive FIREFOX_102_8_0esr_RELEASE` - [ ] Compare patch sets to ensure nothing *weird* happened during conflict resolution: - [ ] diff of diffs: - Do the diff between `current_patchset.diff` and `rebased_patchset.diff` with your preferred difftool and look at differences on lines that starts with + or - 
@@ -102,10 +90,20 @@ - diff `current_patchset.diff` and `rebased_patchset.diff` - If everything went correctly, the only lines which should differ should be the lines starting with `index abc123...def456` (unless the previous `base-browser` branch includes changes not included in the previous `tor-browser` branch) - [ ] rangediff: `git range-diff $(ESR_TAG_PREV)..$(TOR_BROWSER_BRANCH_PREV) $(ESR_TAG)..HEAD` - - example: `git range-dif FIREFOX_102_7_0esr_BUILD1..origin/tor-browser-102.7.0esr-12.0-1 FIREFOX_102_8_0esr_BUILD1..HEAD` + - **Example**: `git range-dif FIREFOX_102_7_0esr_BUILD1..upstream/tor-browser-102.7.0esr-12.0-1 FIREFOX_102_8_0esr_BUILD1..HEAD` - [ ] Open MR for the `tor-browser` rebase - [ ] Merge -- [ ] Sign/Tag HEAD of the merged new `tor-browser` branch: - - Tag : `tor-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1-build1` - - Message : `Tagging build1 for $(ESR_VERSION)esr-based stable` -- [ ] Push tag to `origin` +- Update and push `base-browser` branch + - [ ] Reset the new `base-browser` branch to the appropriate commit in this new `tor-browser` branch + - [ ] Push these commits to `upstream` + +### **Sign and Tag** + +- [ ] Sign/Tag `HEAD` of the merged `tor-browser` branch: + - **Tag**: `tor-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1-build1` + - **Message**: `Tagging build1 for $(ESR_VERSION)esr-based stable` + - [ ] Push tag to `upstream` +- [ ] Sign/Tag HEAD of the merged `base-browser` branch: + - **Tag**: `base-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1-build1` + - **Message**: `Tagging build1 for $(ESR_VERSION)esr-based stable` + - [ ] Push tag to `upstream`
===================================== .gitlab/merge_request_templates/default.md ===================================== @@ -2,23 +2,34 @@
<!-- Bookkeeping information for release management -->
-- ### Related Issues - - tor-browser#xxxxx - - tor-browser-build#xxxxx - - etc - -- ### Backport Timeline - - [ ] **Immediate** - patchsets for critical bug fixes or other major blocker (e.g. fixes for a 0-day exploit) OR patchsets with trivial changes which do not need testing (e.g. fixes for typos or fixes easily verified in a local developer build) - - [ ] **Next Minor Stable Release** - patchset that needs to be verified in nightly before backport - - [ ] **Eventually** - patchset that needs to be verified in alpha before backport - - [ ] **No Backport** - patchset for the next major stable - -- ### Upstream Merging - - [ ] Merge to `base-browser` - typically for `!fixups` to patches in the `base-browser` branch, though sometimes new patches as well - - **NOTE**: if your changeset includes patches to both `base-browser` and `tor-browser` please please make separate merge requests for each part - -- ### Issue Tracking - - [ ] Link resolved issues with appropriate [Release Prep issue](https://gitlab.torproject.org/groups/tpo/applications/-/issues/?sort=updated...) 
for changelog generation +### Related Issues +- tor-browser#xxxxx +- mullvad-browser#xxxxx +- tor-browser-build#xxxxx + +### Backporting + +#### Timeline +- [ ] **Immediate**: patchset needed as soon as possible +- [ ] **Next Minor Stable Release**: patchset that needs to be verified in nightly before backport +- [ ] **Eventually**: patchset that needs to be verified in alpha before backport +- [ ] **No Backport (preferred)**: patchset for the next major stable + +#### (Optional) Justification +- [ ] **Emergency security update**: patchset fixes CVEs, 0-days, etc +- [ ] **Censorship event**: patchset enables censorship circumvention +- [ ] **Critical bug-fix**: patchset fixes a bug in core-functionality +- [ ] **Consistency**: patchset which would make development easier if it were in both the alpha and release branches; developer tools, build system changes, etc +- [ ] **Sponsor required**: patchset required for sponsor +- [ ] **Other**: please explain + +### Merging +- [ ] Merge to `tor-browser` - `!fixups` to `tor-browser`-specific commits, new features, security backports +- [ ] Merge to `base-browser` -`!fixups` to `base-browser`-specific commits, new features to be shared with `mullvad-browser`, and security backports + - **NOTE**: if your changeset includes patches to both `base-browser` and `tor-browser` please clearly label in the change description which commits should be cherry-picked to `base-browser` after merging + +### Issue Tracking +- [ ] Link resolved issues with appropriate [Release Prep issue](https://gitlab.torproject.org/groups/tpo/applications/-/issues/?sort=updated...) for changelog generation
## Change Description
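Review bot: In `Rebase Browser - Stable.md`, the new `tor-browser` rebase step gives the command `git rebase --autosquash --interactive $(PREV_HEAD)`, where `$(PREV_HEAD)` is the hash noted with `git rev-parse HEAD`, but its example passes `FIREFOX_102_8_0esr_RELEASE` instead. When the optional `base-browser` rebase has been done first, that hash and the ESR tag are different commits, so following the example would reopen the already-rebased `base-browser` commits. The example should use the noted hash, or the step should say when the ESR tag is the right base. The `_RELEASE` tag name in both rebase examples also differs from the `FIREFOX_102_8_0esr_BUILD1` tag the branch is created from in the same checklist. Separately, the "Checkout a new local branch" example uses `git branch tor-browser-rebase FIREFOX_102_8_0esr_BUILD1`, which creates the branch without switching to it, so the cherry-picks that follow would land on whatever branch is currently checked out. `git checkout -b` or `git switch -c` would match the wording of the step.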
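Review bot: In the `@@ -102,10 +90,20 @@` hunk of `Rebase Browser - Stable.md`, the rewritten rangediff example still reads `git range-dif FIREFOX_102_7_0esr_BUILD1..upstream/...`. The line was touched to change `origin` to `upstream`, and the commit message says typos were fixed, so `range-dif` should become `range-diff` here, otherwise the example fails when pasted. In the same hunk, "Update and push `base-browser` branch" is the only top-level item without a `- [ ]` checkbox, and "Reset the new `base-browser` branch to the appropriate commit" does not say how to identify that commit. Since this reset decides what gets signed and tagged as `base-browser-...-build1` in the next section, the template should say which commit is meant. Minor: `HEAD` is in backticks in the first Sign/Tag item but not in the second.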
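Review bot: In `.gitlab/merge_request_templates/default.md`, the new "#### (Optional) Justification" heading works against the stated goal of discouraging stable backports. **Immediate** is now just "patchset needed as soon as possible", with the old criteria (critical fixes, 0-day, trivially verifiable changes) removed, and the justification that replaces them can be skipped entirely. Suggest requiring a justification whenever any timeline other than **No Backport (preferred)** is ticked, for example by renaming the heading to "Justification (required for any backport)". Also in this hunk, "Merge to `base-browser` -`!fixups`" is missing the space after the dash that the `tor-browser` line above it has, and the NOTE asks authors to "clearly label" the commits to cherry-pick to `base-browser` without saying in what form. A one-line convention there would make the post-merge cherry-pick less error-prone.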
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/ba95714...
tor-commits@lists.torproject.org