[tor-commits] [tor-browser-spec/master] Bug 25030: Update release process document
boklm at torproject.org
boklm at torproject.org
Mon Oct 15 17:55:26 UTC 2018
commit a9cece5a2988a94acf29702b220f8ed4146ebdc2
Author: Georg Koppen <gk at torproject.org>
Date: Wed Oct 10 09:27:08 2018 +0000
Bug 25030: Update release process document
---
processes/ReleaseProcess | 148 ++++++++++++++++++-----------------------------
1 file changed, 57 insertions(+), 91 deletions(-)
diff --git a/processes/ReleaseProcess b/processes/ReleaseProcess
index e4aa4e4..a9c7422 100644
--- a/processes/ReleaseProcess
+++ b/processes/ReleaseProcess
@@ -4,98 +4,74 @@
#
#. Tag any relevant component versions.
- # Depends on which components have been updated
- # If this is a firefox version update, you must rebase the patches, and
- # then:
- vim browser/config/version.txt config/milestone.txt
- git commit browser/config/version.txt config/milestone.txt -m "Bug 10895: Fix versioning for langpacks."
- # git tag and push..
-
-#. Update changelog, updater relevant config and versions file in
-# tor-browser-bundle:
- cd gitian/tor-browser-bundle
- vim Bundle-Data/Docs/ChangeLog.txt
- vim tools/update-responses/config.yml
-# No need to bother with old .xml and .htaccess files
- rm tools/update-resonses/htdocs/$TORBROWSER_UPDATE_CHANNEL/*
- cd gitian
- vim versions*
- git commmit ..
- git diff --color HEAD^1
- cd ../..
-
-#. Tag a build tag in tor-browser-bundle.git
- TORBROWSER_VERSION=x.x.x
- git tag -s tbb-$TORBROWSER_VERSION-build1
-
-#. Check that the build is correctly tagged
- eval $( ./get-tb-version release ) # or alpha / beta
- echo $TORBROWSER_VERSION
- echo $TORBROWSER_BUILDDIR
- echo
- echo 'You must still set $OLD_TORBROWSER_VERSION'
-
-#. Push tag and version to tor-browser-bundle.git
+
+#. Update changelog and relevant config files in tor-browser-build.
+ cd tor-browser-build
+ vim projects/firefox/config
+ vim ChangeLog.txt
+ vim rbm.conf
+
+#. Tag a build tag in tor-browser-build.
+ make signtag-release # or `make signtag-alpha` for an alpha build
+
+#. Push tag and version to tor-browser-build.git. In case of doing a stable
+# release with a maintenance branch use that one instead of `master`.
torsocks git push origin master:master
torsocks git push origin --tags
-#. Build:
- make
- make sign
- make match
-
-#. Place all build signatures in the correct location and fix permissions
- source versions
- for i in gk linus mikeperry boklm
- do
- if [ -d ${TORBROWSER_BUILDDIR}/$i ]; then
- if [ -f ${TORBROWSER_BUILDDIR}/${i}/sha256sums-unsigned-build.txt.asc ]; then
- cp ${TORBROWSER_BUILDDIR}/$i/sha256sums-unsigned-build.txt.asc ${TORBROWSER_BUILDDIR}/sha256sums-unsigned-build.txt-${i}.asc
- fi
- if [ -f ${TORBROWSER_BUILDDIR}/${i}/sha256sums-unsigned-build.incrementals.txt.asc ]; then
- cp ${TORBROWSER_BUILDDIR}/$i/sha256sums-unsigned-build.incrementals.txt.asc ${TORBROWSER_BUILDDIR}/sha256sums-unsigned-build.incrementals.txt-${i}.asc
- fi
- rm -rf ${TORBROWSER_BUILDDIR}/$i
- fi
- done
+#. Build and generate incremental MAR files.
+ make && make incrementals-release # `make alpha && make incrementals-alpha`
+
+#. Compare the SHA256 sums of the bundles and MAR files with an independent
+# builder.
+ sha256sum tor-browser-build/release/unsigned/$TORBROWSER_BUILDDIR/sha256sums-unsigned-build.txt
+ sha256sum tor-browser-build/release/unsigned/$TORBROWSER_BUILDDIR/sha256sums-unsigned-build.incrementals.txt
+
+#. If the sums match (download and) upload the bundles to your build dir on
+# people.torproject.org. Fix permissions.
chmod 755 $TORBROWSER_BUILDDIR
chmod 644 $TORBROWSER_BUILDDIR/*
+ chmod 644 $TORBROWSER_BUILDDIR/.htaccess
+ torsocks ssh people.torproject.org "mkdir ~/public_html/builds/${TORBROWSER_BUILDDIR}"
+ torsocks rsync -avP $TORBROWSER_BUILDDIR/ people.torproject.org:public_html/builds/$TORBROWSER_BUILDDIR
#. (Optional): Upload your binaries to people using partial rsync over old version
torsocks ssh people.torproject.org "mv ~/public_html/builds/${TORBROWSER_VERSION}-build1 ~/public_html/builds/$TORBROWSER_BUILDDIR"
torsocks rsync -avP $TORBROWSER_BUILDDIR/ people.torproject.org:public_html/builds/$TORBROWSER_BUILDDIR
#. Distribute build to tor-qa at lists.torproject.org
- #XXX: Currently manual
- # For stable releases put tails-dev at boum.org into Cc
+ # XXX: Currently manual email with link to candidate build, important changes,
+ # and changelog.
+ # For stable releases put tails-dev at boum.org into Cc.
-#. Code Sign the OS X dmg files:
+#. Codesign the macOS dmg files.
torsocks ssh mac-signer "mkdir $TORBROWSER_VERSION"
torsocks rsync -avP $TORBROWSER_BUILDDIR/*.dmg mac-signer:$TORBROWSER_VERSION/
torsocks ssh mac-signer
# Unlock the keychain and then...
cd $TORBROWSER_VERSION
- # Sign the bundles
+ # Sign the bundles.
../gatekeeper-signing.sh $TORBROWSER_VERSION
- # Check that it worked
+ # Check that it worked.
tar xf torbrowser-$TORBROWSER_VERSION-osx_zh-CN-signed.tar.bz2
spctl -a -t exec -vv TorBrowser.app/
rm -rf TorBrowser.app
exit
torsocks rsync -avP mac-signer:$TORBROWSER_VERSION/*.bz2 .
-#. Regenerate OS X MAR files from code signed dmg files
+#. Regenerate macOS MAR files from code signed dmg files.
# XXX Go to your directory prepared for recreating the .dmg files and containing
- # the uploaded .bz2 files
+ # the uploaded .bz2 files.
./gatekeeper-bundling.sh $TORBROWSER_VERSION
rsync -avP *.dmg $TORBROWSER_BUILDDIR/
- cd $TORBROWSER_BUILDDIR/..
+ cd tor-browser-build
# The code signed dmg files should be in the $TORBROWSER_VERSION directory
# Install a recent p7zip version (see ../tools/dmg2mar for instructions)
- make dmg2mars # or dmg2mars-alpha
+ make dmg2mar-release # or `make dmg2mar-alpha`
-#. Sign the MAR update files
- # First, copy the torbrowser tree to the signing machine:
+#. Sign the MAR files
+ # First, copy the tor-browser-bundle tree to the signing machine. XXX: This
+ # still uses part of the old Gitian related infrastructure.
torsocks rsync -avP $TORBROWSER_BUILDDIR/../../../ signing-machine
torsocks ssh signing-machine "mkdir tor-browser-bundle/gitian/$TORBROWSER_VERSION"
torsocks rsync -avP $TORBROWSER_BUILDDIR/*.mar signing-machine:tor-browser-bundle/gitian/$TORBROWSER_VERSION/
@@ -110,7 +86,7 @@
exit
torsocks rsync -avP signing-machine:tor-browser-bundle/gitian/$TORBROWSER_VERSION/*.mar $TORBROWSER_BUILDDIR/
-#. Sign individual bundle files:
+#. Sign individual bundle files.
# Authenticode signing first
torsocks ssh windows-signing-machine "mkdir tor-browser-bundle/gitian/$TORBROWSER_VERSION"
torsocks rsync -avP $TORBROWSER_BUILDDIR/*.exe windows-signing-machine:tor-browser-bundle/gitian/$TORBROWSER_VERSION/
@@ -123,7 +99,8 @@
cd $TORBROWSER_BUILDDIR
export OSSLSIGNCODE=/path/to/osslsigncode
/path/to/authenticode-timestamping.sh
-
+ # Hashes of the signed bundles
+ ../tools/hash_signed_bundles.sh
# All the GPG signatures at last
torsocks rsync -avP $TORBROWSER_BUILDDIR/* signing-machine:tor-browser-bundle/gitian/$TORBROWSER_VERSION/
cd tor-browser-bundle/gitian/$TORBROWSER_VERSION
@@ -135,18 +112,7 @@
torsocks rsync -avP $TORBROWSER_BUILDDIR/ people.torproject.org:public_html/builds/$TORBROWSER_BUILDDIR
torsocks ssh people.torproject.org "mv public_html/$TORBROWSER_BUILDDIR public_html/$TORBROWSER_VERSION"
-#. Clear out old builds, transfer builds to staticiforme
-#. Remote:
- # We must use $TORBROWSER_VERSION here because signed result dirs should omit the build number suffix
- rsync -avP $TORBROWSER_VERSION staticiforme.torproject.org:/srv/dist-master.torproject.org/htdocs/torbrowser/
- ssh staticiforme.torproject.org "chmod g+w,o+r -R /srv/dist-master.torproject.org/htdocs/torbrowser/*"
- ssh staticiforme.torproject.org "chown -R :torwww /srv/dist-master.torproject.org/htdocs/torbrowser/"
- ssh staticiforme.torproject.org "cd /srv/dist-master.torproject.org/htdocs/torbrowser/$TORBROWSER_VERSION ; for i in *.asc; do echo $i ; gpg -q $i || break; done"
- ssh staticiforme.torproject.org "static-update-component dist.torproject.org"
-#. Local to staticiforme:
- cd ~/tbb-builds/tor-browser-bundle/gitian
- git pull origin
- eval $( ./get-tb-version release ) # or alpha / beta
+#. Transfer builds to staticiforme
# We must use $TORBROWSER_VERSION here because signed result dirs should omit the build number suffix
wget -nH --cut-dirs=2 -r -l 1 https://people.torproject.org/~gk/builds/$TORBROWSER_VERSION
rm $TORBROWSER_VERSION/index.html*
@@ -170,19 +136,19 @@
static-update-component cdn.torproject.org
#. Make sure we really built from the proper Mozilla build tag by consulting
- # the respective ESR release branch (for a good overview for ESR38 see
- # https://hg.mozilla.org/releases/mozilla-esr38/graph/).
+ # the respective ESR release branch (for a good overview for ESR60 see
+ # https://hg.mozilla.org/releases/mozilla-esr60/graph/).
#. Update website's torbrowser versions file in the website git
cd webwml
torsocks git pull origin
# Update `version-win32-stable` as well if we include a new stable tor
# version. See: #14152.
- # Update the release data (via releasedate-torbrowserbundle*). See: #8968.
+ # Update the release date (via releasedate-torbrowserbundle*). See: #8968.
# In the RecommendedTBBVersions file, only add the new version. Don't
# remove the old one yet. That comes later.
vim ./include/versions.wmi ./projects/torbrowser/RecommendedTBBVersions
- git commit include/versions.wmi projects/torbrowser/RecommendedTBBVersions -m "Add new TBB version"
+ git commit include/versions.wmi projects/torbrowser/RecommendedTBBVersions -m "Add new Tor Browser version"
torsocks git push origin master:master
cd ..
@@ -194,21 +160,22 @@
#. Check whether the MAR files got properly signed
# Point SIGNMAR to your signmar binary
# Point LD_LIBRARY_PATH to your mar-tools directory
- cd tor-browser-bundle/gitian/$TORBROWSER_VERSION
- ../../tools/marsigning_check.sh
+ cd tor-browser-build/$TORBROWSER_VERSION
+ ../tools/marsigning_check.sh
cd ..
#. Update and upload new update responses for the updater
# IMPORTANT: Copy the signed MAR files back before creating the update
# responses!
- make update_responses # (or update_responses-alpha, update_responses-beta)
- cd ../tools/update-responses
- export TORBROWSER_UPDATE_CHANNEL=release # or alpha / beta
- chmod 664 htdocs/${TORBROWSER_UPDATE_CHANNEL}/*
- chmod 664 htdocs/${TORBROWSER_UPDATE_CHANNEL}/.htaccess
- chmod 775 htdocs/${TORBROWSER_UPDATE_CHANNEL}/
+ export TORBROWSER_UPDATE_CHANNEL=release # or alpha / nightly
+ make update_responses-$TORBROWSER_UPDATE_CHANNEL
+ cd $TORBROWSER_UPDATE_CHANNEL/update-responses
+ tar -xf update-responses-$TORBROWSER_UPDATE_CHANNEL-$TORBROWSER_VERSION.tar
+ chmod 664 ${TORBROWSER_UPDATE_CHANNEL}/*
+ chmod 664 ${TORBROWSER_UPDATE_CHANNEL}/.htaccess
+ chmod 775 ${TORBROWSER_UPDATE_CHANNEL}/
torsocks ssh staticiforme.torproject.org "rm -rf /srv/aus1-master.torproject.org/htdocs/torbrowser/update_3/${TORBROWSER_UPDATE_CHANNEL}/*"
- torsocks rsync -avP htdocs/$TORBROWSER_UPDATE_CHANNEL staticiforme.torproject.org:/srv/aus1-master.torproject.org/htdocs/torbrowser/update_3/
+ torsocks rsync -avP $TORBROWSER_UPDATE_CHANNEL staticiforme.torproject.org:/srv/aus1-master.torproject.org/htdocs/torbrowser/update_3/
torsocks ssh staticiforme.torproject.org "chown -R :torwww /srv/aus1-master.torproject.org/htdocs/torbrowser/update_3/${TORBROWSER_UPDATE_CHANNEL}/*"
torsocks ssh staticiforme.torproject.org "static-update-component aus1.torproject.org"
# Finally, remove old version as we point the update channel at the new version.
@@ -228,7 +195,6 @@
torsocks git pull origin
# Now it's time to remove the obsolete version(s)
vim ./projects/torbrowser/RecommendedTBBVersions
- git commit projects/torbrowser/RecommendedTBBVersions -m "Deprecate old TBB version"
+ git commit projects/torbrowser/RecommendedTBBVersions -m "Deprecate old Tor Browser version"
torsocks git push origin master:master
cd ..
-
More information about the tor-commits
mailing list