[tor-commits] [Git][tpo/applications/tor-browser][tor-browser-102.8.0esr-12.5-1] Bug 41649: Create rebase and security backport gitlab issue templates

Richard Pospesel (@richard) git at gitlab.torproject.org
Thu Feb 23 18:40:50 UTC 2023



Richard Pospesel pushed to branch tor-browser-102.8.0esr-12.5-1 at The Tor Project / Applications / Tor Browser


Commits:
85c86696 by Richard Pospesel at 2023-02-23T18:40:14+00:00
Bug 41649: Create rebase and security backport gitlab issue templates

- - - - -


3 changed files:

- + .gitlab/issue_templates/Backport Android Security Fixes.md
- + .gitlab/issue_templates/Rebase Browser - Alpha.md
- + .gitlab/issue_templates/Rebase Browser - Stable.md


Changes:

=====================================
.gitlab/issue_templates/Backport Android Security Fixes.md
=====================================
@@ -0,0 +1,88 @@
+<details>
+  <summary>Explanation of Variables</summary>
+- `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc
+  - example : `102.8.0`
+- `$(RR_VERSION)` : the Mozilla defined Rapid-Release version; Tor Browser for Android is based off of the `$(ESR_VERSION)`, but Mozilla's Firefox for Android is based off of the `$(RR_VERSION)` so we need to keep track of security vulnerabilities to backport from the monthly Rapid-Release train and our frozen ESR train.
+  - example: `110`
+- `$(TOR_BROWSER_MAJOR)` : the Tor Browser major version
+  - example : `12`
+- `$(TOR_BROWSER_MINOR)` : the Tor Browser minor version
+  - example : either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
+- `$(BUILD_N)` : a project's build revision within a its branch; many of the Firefox-related projects have a `$(BUILD_N)` suffix and may differ between projects even when they contribute to the same build.
+  - example : `build1`
+</details>
+
+**NOTE:** It is assumed the `tor-browser` rebase has already happened and there exists a `build1` build tag for both `base-browser` and `tor-browser`
+
+### **Bookkeeping**
+
+- [ ] Link this issue to the appropriate [Release Prep](https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/?sort=updated_desc&state=opened&label_name%5B%5D=Release%20Prep) issues (stable and alpha).
+
+### **Security Vulnerabilities Report** : https://www.mozilla.org/en-US/security/advisories/
+
+- Potentially Affected Components:
+  - `firefox`/`geckoview` : https://github.com/mozilla/gecko-dev
+  - `application-services` : https://github.com/mozilla/application-services
+  - `android-components` : https://github.com/mozilla-mobile/firefox-android
+  - `fenix` : https://github.com/mozilla-mobile/firefox-android
+
+**NOTE:** `android-components` and `fenix` used to have their own repos, but since November 2022 they have converged to a single `firefox-android` repo. Any backports will require manually porting patches over to our legacy repos.
+
+- [ ] Go through any `Security Vulnerabilities fixed in Firefox $(RR_VERSION)` (or similar) and create a candidate list of CVEs which potentially need to be backported in this issue:
+  - CVEs which are explicitly labeled as 'Android' only
+  - CVEs which are fixed in Rapid Release but not in ESR
+  - 'Memory safety bugs' fixed in Rapid Release but not in ESR
+- [ ] Foreach issue:
+  - Create link to the CVE on [mozilla.org](https://www.mozilla.org/en-US/security/advisories/)
+    - example: https://www.mozilla.org/en-US/security/advisories/mfsa2023-05/#CVE-2023-25740
+  - Create link to the associated Bugzilla issues (found in the CVE description)
+  - Create a link to the relevant `gecko-dev`/other commit hashes which need to be backported OR a brief justification for why the fix does not need to be backported
+    - To find the `gecko-dev` version of a `mozilla-central`, search for a unique string in the relevant `mozilla-central` commit message in the `gecko-dev/release` branch log.
+    - **NOTE:** This process is unfortunately somewhat poorly defined/ad-hoc given the general variation in how Bugzilla issues are labeled and resolved. In general this is going to involve a bit of hunting to identify needed commits or determining whether or not the fix is relevant.
+
+
+### **tor-browser** : https://gitlab.torproject.org/tpo/applications/tor-browser.git
+- [ ] Backport any Android-specific security fixes from Firefox rapid-release
+  - [ ] Sign/Tag commit:
+    - Tag : `tor-browser-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)`
+    - Message: `Tagging $(BUILD_N) for $(ESR_VERSION)-based alpha)`
+  - [ ] Push tag to `origin`
+**OR**
+- [ ] No backports
+
+### **application-services** : *TODO: we will need to setup a gitlab copy of this repo that we can apply security backports to if there are ever any security issues here*
+- [ ] Backport any Android-specific security fixes from Firefox rapid-release
+  - [ ] Sign/Tag commit:
+    - Tag : `application-services-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)`
+    - Message: `Tagging $(BUILD_N) for $(ESR_VERSION)-based alpha`
+  - [ ] Push tag to `origin`
+  **OR**
+- [ ] No backports
+
+
+### **android-components** : https://gitlab.torproject.org/tpo/applications/android-components.git
+- [ ] Backport any Android-specific security fixes from Firefox rapid-release
+  - **NOTE**: Since November 2022, this repo has been merged with `fenix` into a singular `firefox-android` repo: https://github.com/mozilla-mobile/firefox-android. Any backport will require a patch rewrite to apply to our legacy `android-components` project.
+  - [ ] Sign/Tag commit:
+    - Tag : `android-components-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)`
+    - Message: `Tagging $(BUILD_N) for $(ESR_VERSION)-based alpha)`
+  - [ ] Push tag to `origin`
+**OR**
+- [ ] No backports
+
+
+### **fenix** : https://gitlab.torproject.org/tpo/applications/fenix.git
+- [ ] Backport any Android-specific security fixes from Firefox rapid-release
+  - **NOTE**: Since February 2023, this repo has been merged with `android-components` into a singular `firefox-android` repo: https://github.com/mozilla-mobile/firefox-android. Any backport will require a patch rewrite to apply to our legacy `fenix` project.
+  - [ ] Sign/Tag commit:
+    - Tag : `tor-browser-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)`
+    - Message: `Tagging $(BUILD_N) for $(ESR_VERSION)-based alpha)`
+  - [ ] Push tag to `origin`
+**OR**
+- [ ] No backports
+
+### CVEs
+
+<!-- Create CVE resolution here -->
+
+/confidential
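
Review bot: The tag patterns in this template do not match the naming used elsewhere in this commit. Every `Tag :` line here is built from `$(ESR_VERSION)` alone (example `102.8.0`), so the `esr` suffix that the rebase templates write as `$(ESR_VERSION)esr` is missing, and the **fenix** section reuses the `tor-browser-` prefix where the other sections use their own project name. Suggest `...-$(ESR_VERSION)esr-...` throughout and `fenix-...` in the fenix section. Smaller points: the tag message in the tor-browser, android-components and fenix sections ends with a stray `)` (`$(ESR_VERSION)-based alpha)`), and hardcodes `alpha` although the Bookkeeping item covers both stable and alpha; the merge into `firefox-android` is dated November 2022 in two notes and February 2023 in the fenix note; "within a its branch" has an extra word; and the bullet list follows `<summary>` without a blank line, so it may render as raw HTML rather than as a Markdown list.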


=====================================
.gitlab/issue_templates/Rebase Browser - Alpha.md
=====================================
@@ -0,0 +1,81 @@
+**NOTE:** All examples reference the rebase from 102.7.0esr to 102.8.0esr
+
+<details>
+  <summary>Explanation of Variables</summary>
+- `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc
+  - example : `102.8.0`
+- `$(ESR_TAG)` : the Mozilla defined hg (Mercurial) tag associated with `$(ESR_VERSION)`
+  - example : `FIREFOX_102_8_0esr_RELEASE`
+- `$(ESR_TAG_PREV)` : the Mozilla defined hg (Mercurial) tag associated with the previous ESR version when rebasing (ie, the ESR version we are rebasing from)
+- `$(BROWSER_MAJOR)` : the browser major version
+  - example : `12`
+- `$(BROWSER_MINOR)` : the browser minor version
+  - example : either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
+- `$(BASE_BROWSER_BRANCH)` : the full name of the current `base-browser` branch
+  - example: `base-browser-102.8.0esr-12.5-1`
+- `$(BASE_BROWSER_BRANCH_PREV)` : the full name of the previous `base-browser` branch
+  - example: `base-browser-102.7.0esr-12.5-1`
+- `$(TOR_BROWSER_BRANCH)` : the full name of the current `tor-browser` branch
+  - example: `tor-browser-102.8.0esr-12.5-1`
+- `$(TOR_BROWSER_BRANCH_PREV)` : the full name of the previous `tor-browser` branch
+  - example: `tor-browser-102.7.0esr-12.5-1`
+</details>
+
+**NOTE:** It is assumed that we've already identified the new esr branch during the tor-browser stable rebase
+
+### **Bookkeeping**
+
+- [ ] Link this issue to the appropriate [Release Prep](https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/?sort=updated_desc&state=opened&label_name%5B%5D=Release%20Prep) issue.
+
+### **Rebase base-browser**
+
+- [ ] Checkout a new branch for the `base-browser` rebase
+  - example: `git branch base-browser-rebase FIREFOX_102_8_0esr_BUILD1`
+- [ ] Cherry-pick the previous `base-browser` commits up to `base-browser`'s `build1` tag onto new `base-browser` rebase branch
+  - example: `git cherry-pick FIREFOX_102_7_0esr_BUILD1..base-browser-102.7.0esr-12.5-1-build1`
+- [ ] Rebase and autosquash these cherry-picked commits
+  - example: `git rebase --autosquash --interactive FIREFOX_102_8_0esr_BUILD1 HEAD`
+- [ ] Cherry-pick remainder of patches after the `build1` tag
+  - example: `git cherry-pick base-browser-102.7.0esr-12.5-1-build1 origin/base-browser-102.7.0esr-12.5-1`
+- [ ] Compare patch sets to ensure nothing *weird* happened during conflict resolution:
+  - [ ] diff of diffs:
+    -  Do the diff between `current_patchset.diff` and `rebased_patchset.diff` with your preferred difftool and look at differences on lines that starts with + or -
+    - `git diff $(ESR_TAG_PREV)..$(BASE_BROWSER_BRANCH_PREV) > current_patchset.diff`
+    - `git diff $(ESR_TAG)..$(BASE_BROWSER_BRANCH) > rebased_patchset.diff`
+    - diff `current_patchset.diff` and `rebased_patchset.diff`
+      - If everything went correctly, the only lines which should differ should be the lines starting with `index abc123...def456`
+  - [ ] rangediff: `git range-diff $(ESR_TAG_PREV)..$(BASE_BROWSER_BRANCH_PREV) $(ESR_TAG)..HEAD`
+    - example: `git range-dif FIREFOX_102_7_0esr_BUILD1..origin/base-browser-102.7.0esr-12.5-1 FIREFOX_102_8_0esr_BUILD1..HEAD`
+- [ ] Open MR for the `base-browser` rebase
+- [ ] Merge
+- [ ] Sign/Tag HEAD of the merged new `base-browser` branch:
+  - Tag : `base-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1-build1`
+  - Message : `Tagging build1 for $(ESR_VERSION)esr-based alpha`
+- [ ] Push tag to `origin`
+
+### **Rebase tor-browser**
+
+- [ ] Checkout a new branch for the `tor-browser` rebase starting from the `base-browser` `build1` tag
+  - example: `git branch tor-browser-rebase base-browser-102.8.0esr-12.5-1-build1`
+- [ ] Cherry-pick the previous `tor-browser` commits from `base-browser`'s previous `build1` tag up to `tor-browser`'s newest `buildN` tag (not necessarily `build1` if we have multiple build tags)
+  - example: `git cherry-pick base-browser-102.7.0esr-12.5-1-build1..tor-browser-102.7.0esr-12.5-1-build1`
+- [ ] Rebase and autosquash these cherry-picked commits (from the last new `base-browser` commit to `HEAD`)
+  - example: `git rebase --autosquash --interactive base-browser-102.8.0esr-12.5-1-build1 HEAD`
+- [ ] Cherry-pick remainder of patches after the last `buildN` tag
+  - example: `git cherry-pick base-browser-102.7.0esr-12.5-1-build1..origin/tor-browser-102.7.0esr-12.5-1`
+- [ ] Compare patch sets to ensure nothing *weird* happened during conflict resolution:
+  - [ ] diff of diffs:
+    -  Do the diff between `current_patchset.diff` and `rebased_patchset.diff` with your preferred difftool and look at differences on lines that starts with + or -
+    - `git diff $(ESR_TAG_PREV)..$(BROWSER_BRANCH_PREV) > current_patchset.diff`
+    - `git diff $(ESR_TAG)..$(BROWSER_BRANCH) > rebased_patchset.diff`
+    - diff `current_patchset.diff` and `rebased_patchset.diff`
+      - If everything went correctly, the only lines which should differ should be the lines starting with `index abc123...def456`
+  - [ ] rangediff: `git range-diff $(ESR_TAG_PREV)..$(TOR_BROWSER_BRANCH_PREV) $(ESR_TAG)..HEAD`
+    - example: `git range-dif FIREFOX_102_7_0esr_BUILD1..origin/tor-browser-102.7.0esr-12.5-1 FIREFOX_102_8_0esr_BUILD1..HEAD`
+- [ ] Open MR for the `tor-browser` rebase
+- [ ] Merge
+- [ ] Sign/Tag HEAD of the merged new `tor-browser` branch:
+  - Tag : `tor-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1-build1`
+  - Message : `Tagging build1 for $(ESR_VERSION)esr-based alpha`
+- [ ] Push tag to `origin`
+
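
Review bot: The example for "Cherry-pick remainder of patches after the `build1` tag" under Rebase base-browser has no `..` between its two revisions (`git cherry-pick base-browser-102.7.0esr-12.5-1-build1 origin/base-browser-102.7.0esr-12.5-1`), so it names two individual commits instead of the range after the tag; it should read `base-browser-102.7.0esr-12.5-1-build1..origin/base-browser-102.7.0esr-12.5-1`. The matching step under Rebase tor-browser starts its range at `base-browser-102.7.0esr-12.5-1-build1`, the same start as the range picked two steps earlier, so it repeats those commits; starting from the newest `tor-browser` `buildN` tag matches the step's description. Also: both range-diff examples are spelled `git range-dif`; the tor-browser diff-of-diffs uses `$(BROWSER_BRANCH_PREV)` and `$(BROWSER_BRANCH)`, which are not in the variables list (`$(TOR_BROWSER_BRANCH_PREV)` and `$(TOR_BROWSER_BRANCH)` are); and `$(ESR_TAG)` is exemplified as `FIREFOX_102_8_0esr_RELEASE` while every command example uses `FIREFOX_102_8_0esr_BUILD1`. The diff-of-diffs and range-diff steps are the check that no patch was dropped or altered during conflict resolution, so these commands should be correct when copied as written.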


=====================================
.gitlab/issue_templates/Rebase Browser - Stable.md
=====================================
@@ -0,0 +1,100 @@
+**NOTE:** All examples reference the rebase from 102.7.0esr to 102.8.0esr
+
+<details>
+  <summary>Explanation of variables</summary>
+- `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc
+  - example : `102.8.0`
+- `$(ESR_TAG)` : the Mozilla defined hg (Mercurial) tag associated with `$(ESR_VERSION)`
+  - example : `FIREFOX_102_8_0esr_RELEASE`
+- `$(ESR_TAG_PREV)` : the Mozilla defined hg (Mercurial) tag associated with the previous ESR version when rebasing (ie, the ESR version we are rebasing from)
+- `$(BROWSER_MAJOR)` : the browser major version
+  - example : `12`
+- `$(BROWSER_MINOR)` : the browser minor version
+  - example : either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
+- `$(BASE_BROWSER_BRANCH)` : the full name of the current `base-browser` branch
+  - example: `base-browser-102.8.0esr-12.0-1`
+- `$(BASE_BROWSER_BRANCH_PREV)` : the full name of the previous `base-browser` branch
+  - example: `base-browser-102.7.0esr-12.0-1`
+- `$(TOR_BROWSER_BRANCH)` : the full name of the current `tor-browser` branch
+  - example: `tor-browser-102.8.0esr-12.0-1`
+- `$(TOR_BROWSER_BRANCH_PREV)` : the full name of the previous `tor-browser` branch
+  - example: `tor-browser-102.7.0esr-12.0-1`
+</details>
+
+### **Bookkeeping**
+
+- [ ] Link this issue to the appropriate [Release Prep](https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/?sort=updated_desc&state=opened&label_name%5B%5D=Release%20Prep) issue.
+
+### **Identify the Firefox Tagged Commit and Create New Branches**
+
+- [ ] Find the Firefox mercurial tag here : https://hg.mozilla.org/releases/mozilla-esr102/tags
+   - example: `FIREFOX_102_8_0esr_BUILD1`
+- [ ] Find the analogous `gecko-dev` commit : https://github.com/mozilla/gecko-dev
+  - Search for unique string found in the mercurial commit in the `gecko-dev/esr102` branch
+  - example: 3a3a96c9eedd02296d6652dd50314fccbc5c4845
+- [ ] Sign and Tag `gecko-dev` commit
+  - Sign/Tag `gecko-dev` commit :
+    - Tag : `$(ESR_TAG)`
+    - Message : `Hg tag $(ESR_TAG)`
+- [ ] Create new stable `base-browser` branch from tag
+  - branch name in the form: `base-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1`
+  - example: `base-browser-102.8.0esr-12.0-1`
+- [ ] Create new stable `tor-browser` branch from
+  - branch name in the form: `tor-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1`
+  - example: `tor-browser-102.8.0esr-12.0-1`
+- [ ] Push new `base-browser` branch to `origin`
+- [ ] Push new `tor-browser` branch to `origin`
+- [ ] Push new `$(ESR_TAG)` to `origin`
+
+### **Rebase base-browser**
+
+- [ ] Checkout a new branch for the `base-browser` rebase
+  - example: `git branch base-browser-rebase FIREFOX_102_8_0esr_BUILD1`
+- [ ] Cherry-pick the previous `base-browser` commits up to `base-browser`'s `build1` tag onto new `base-browser` rebase branch
+  - example: `git cherry-pick FIREFOX_102_7_0esr_BUILD1..base-browser-102.7.0esr-12.0-1-build1`
+- [ ] Rebase and autosquash these cherry-picked commits
+  - example: `git rebase --autosquash --interactive FIREFOX_102_8_0esr_BUILD1 HEAD`
+- [ ] Cherry-pick remainder of patches after the `build1` tag
+  - example: `git cherry-pick base-browser-102.7.0esr-12.0-1-build1 origin/base-browser-102.7.0esr-12.0-1`
+- [ ] Compare patch sets to ensure nothing *weird* happened during conflict resolution:
+  - [ ] diff of diffs:
+    -  Do the diff between `current_patchset.diff` and `rebased_patchset.diff` with your preferred difftool and look at differences on lines that starts with + or -
+    - `git diff $(ESR_TAG_PREV)..$(BASE_BROWSER_BRANCH_PREV) > current_patchset.diff`
+    - `git diff $(ESR_TAG)..$(BASE_BROWSER_BRANCH) > rebased_patchset.diff`
+    - diff `current_patchset.diff` and `rebased_patchset.diff`
+      - If everything went correctly, the only lines which should differ should be the lines starting with `index abc123...def456`
+  - [ ] rangediff: `git range-diff $(ESR_TAG_PREV)..$(BASE_BROWSER_BRANCH_PREV) $(ESR_TAG)..HEAD`
+    - example: `git range-dif FIREFOX_102_7_0esr_BUILD1..origin/base-browser-102.7.0esr-12.0-1 FIREFOX_102_8_0esr_BUILD1..HEAD`
+- [ ] Open MR for the `base-browser` rebase
+- [ ] Merge
+- [ ] Sign/Tag HEAD of the merged new `base-browser` branch:
+  - Tag : `base-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1-build1`
+  - Message : `Tagging build1 for $(ESR_VERSION)esr-based stable`
+- [ ] Push tag to `origin`
+
+### **Rebase tor-browser**
+
+- [ ] Checkout a new branch for the `tor-browser` rebase starting from the `base-browser` `build1` tag
+  - example: `git branch tor-browser-rebase base-browser-102.8.0esr-12.0-1-build1`
+- [ ] Cherry-pick the previous `tor-browser` commits from `base-browser`'s previous `build1` tag up to `tor-browser`'s newest `buildN` tag (not necessarily `build1` if we have multiple build tags)
+  - example: `git cherry-pick base-browser-102.7.0esr-12.0-1-build1..tor-browser-102.7.0esr-12.0-1-build1`
+- [ ] Rebase and autosquash these cherry-picked commits (from the last new `base-browser` commit to `HEAD`)
+  - example: `git rebase --autosquash --interactive base-browser-102.8.0esr-12.0-1-build1 HEAD`
+- [ ] Cherry-pick remainder of patches after the last `buildN` tag
+  - example: `git cherry-pick base-browser-102.7.0esr-12.0-1-build1..origin/tor-browser-102.7.0esr-12.0-1`
+- [ ] Compare patch sets to ensure nothing *weird* happened during conflict resolution:
+  - [ ] diff of diffs:
+    -  Do the diff between `current_patchset.diff` and `rebased_patchset.diff` with your preferred difftool and look at differences on lines that starts with + or -
+    - `git diff $(ESR_TAG_PREV)..$(BROWSER_BRANCH_PREV) > current_patchset.diff`
+    - `git diff $(ESR_TAG)..$(BROWSER_BRANCH) > rebased_patchset.diff`
+    - diff `current_patchset.diff` and `rebased_patchset.diff`
+      - If everything went correctly, the only lines which should differ should be the lines starting with `index abc123...def456`
+  - [ ] rangediff: `git range-diff $(ESR_TAG_PREV)..$(TOR_BROWSER_BRANCH_PREV) $(ESR_TAG)..HEAD`
+    - example: `git range-dif FIREFOX_102_7_0esr_BUILD1..origin/tor-browser-102.7.0esr-12.0-1 FIREFOX_102_8_0esr_BUILD1..HEAD`
+- [ ] Open MR for the `tor-browser` rebase
+- [ ] Merge
+- [ ] Sign/Tag HEAD of the merged new `tor-browser` branch:
+  - Tag : `tor-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1-build1`
+  - Message : `Tagging build1 for $(ESR_VERSION)esr-based stable`
+- [ ] Push tag to `origin`
+
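
Review bot: `$(ESR_TAG)` is ambiguous in this template: the variables list gives `FIREFOX_102_8_0esr_RELEASE` as its example, the "Find the Firefox mercurial tag" step gives `FIREFOX_102_8_0esr_BUILD1`, and the "Sign and Tag `gecko-dev` commit" step then creates a signed tag named `$(ESR_TAG)` that is pushed to `origin`. Pick one form and use it in both places, since that tag is the base for every later `git diff` and `git range-diff` in the checklist. The item "Create new stable `tor-browser` branch from" is cut off and does not say what the branch is created from. In the rebase sections, the base-browser "remainder of patches" example (`git cherry-pick base-browser-102.7.0esr-12.0-1-build1 origin/base-browser-102.7.0esr-12.0-1`) is missing the `..` that makes it a range, the tor-browser "remainder" example starts at `base-browser-102.7.0esr-12.0-1-build1` and so repeats commits already picked, both range-diff examples are spelled `git range-dif`, and the tor-browser diff-of-diffs uses `$(BROWSER_BRANCH_PREV)` and `$(BROWSER_BRANCH)`, which the variables list does not define.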



View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/85c86696c69fb7a5a1daa9a77e7a10de5bb58d11
