tbb-commits October 2024

tbb-commits@lists.torproject.org

1 participants
290 discussions

[Git][tpo/applications/tor-browser-build][maint-14.0] 3 commits: Bug 41282: Downgrade to Python 3.9.
by Pier Angelo Vendrame (＠pierov) 28 Oct '24

28 Oct '24

Pier Angelo Vendrame pushed to branch maint-14.0 at The Tor Project / Applications / tor-browser-build Commits: 6f8d7791 by Pier Angelo Vendrame at 2024-10-28T10:03:33+01:00 Bug 41282: Downgrade to Python 3.9. MozBug 1924022 introduced a dependency on the Python built-in SSL module. This caused an error in our Linux builds, because we run them in a very old version of Debian that still uses OpenSSL 1.1.0, which is not compatible with Python SSL module since Python 3.10. The less intrusive way to resolve this is to downgrade to Python 3.9.x, which is still supported by all our projects. Also, switch to hashes to verify the Python source tarball, as the Python Software Foundation often rotates keys, which reduces the advantages of verifying the signature rather than the hash for us. - - - - - bcb2346e by Pier Angelo Vendrame at 2024-10-28T10:03:35+01:00 Bug 41289: Fix --tor-browser in relprep.py. --tor-browser enabled also Mullvad Browser, probably because of a copy-paste error. - - - - - f076e0b0 by Pier Angelo Vendrame at 2024-10-28T11:56:11+01:00 Bug 41277: Prepare Tor Browser release 14.0.1. - - - - - 10 changed files: - − keyring/python.gpg - projects/browser/Bundle-Data/Docs-TBB/ChangeLog.txt - projects/firefox/config - projects/geckoview/config - projects/manual/config - projects/python/config - projects/tor/config - projects/translation/config - rbm.conf - tools/relprep.py Changes: ===================================== keyring/python.gpg deleted ===================================== Binary files a/keyring/python.gpg and /dev/null differ ===================================== projects/browser/Bundle-Data/Docs-TBB/ChangeLog.txt ===================================== @@ -1,3 +1,18 @@ +Tor Browser 14.0.1 - October 29 2024 + * All Platforms + * Updated Tor to 0.4.8.13 + * Bug 43231: Rebase Tor Browser 128-based stable and alpha onto 128.4.0esr [tor-browser] + * Bug 43240: Backport security fixes from Firefox 132 [tor-browser] + * Windows + macOS + Linux + * Updated Firefox to 128.4.0esr + * Android + * Updated GeckoView to 128.4.0esr + * Build System + * All Platforms + * Bug 41289: Fix single-browser in relprep.py [tor-browser-build] + * Linux + * Bug 41282: Add SSL to our custom Python for MozBug 1924022 [tor-browser-build] + Tor Browser 14.0 - October 17 2024 * All Platforms * Bug 30543: compat: make spoofed orientation reflect spoofed screen dimensions [1607032 + 1918202] [tor-browser] ===================================== projects/firefox/config ===================================== @@ -14,12 +14,12 @@ container: use_container: 1 var: - firefox_platform_version: '128.3.0' + firefox_platform_version: '128.4.0' firefox_version: '[% c("var/firefox_platform_version") %]esr' browser_series: '14.0' browser_rebase: 1 browser_branch: '[% c("var/browser_series") %]-[% c("var/browser_rebase") %]' - browser_build: 6 + browser_build: 2 branding_directory_prefix: 'tb' copyright_year: '[% exec("git show -s --format=%ci").remove("-.*") %]' nightly_updates_publish_dir: '[% c("var/nightly_updates_publish_dir_prefix") %]nightly-[% c("var/osname") %]' @@ -107,7 +107,7 @@ targets: gitlab_project: https://gitlab.torproject.org/tpo/applications/mullvad-browser updater_url: 'https://cdn.mullvad.net/browser/update_responses/update_1/' nightly_updates_publish_dir_prefix: mullvadbrowser- - browser_build: 3 + browser_build: 1 linux-x86_64: var: ===================================== projects/geckoview/config ===================================== @@ -16,12 +16,12 @@ container: build_apk: 1 var: - firefox_platform_version: '128.3.0' + firefox_platform_version: '128.4.0' geckoview_version: '[% c("var/firefox_platform_version") %]esr' browser_series: '14.0' browser_rebase: 1 browser_branch: '[% c("var/browser_series") %]-[% c("var/browser_rebase") %]' - browser_build: 6 + browser_build: 2 copyright_year: '[% exec("git show -s --format=%ci").remove("-.*") %]' gitlab_project: https://gitlab.torproject.org/tpo/applications/tor-browser git_commit: '[% exec("git rev-parse HEAD") %]' ===================================== projects/manual/config ===================================== @@ -1,7 +1,7 @@ # vim: filetype=yaml sw=2 # To update, see doc/how-to-update-the-manual.txt # Remember to update also the package's hash, with the version! -version: 214072 +version: 215922 filename: 'manual-[% c("version") %]-[% c("var/build_id") %].tar.[% c("compress_tar") %]' container: use_container: 1 @@ -23,6 +23,6 @@ input_files: - project: container-image - URL: 'https://build-sources.tbb.torproject.org/manual_[% c("version") %].zip' name: manual - sha256sum: 744fc65f6dd2cc2b85f4927fbb55ff6e17f06b9c99bd0bae7a311d732438b818 + sha256sum: b5ed703f54d52e9f197320f3698e936d585a3fed23cc4f9fbf59edce2869f885 - filename: packagemanual.py name: package_script ===================================== projects/python/config ===================================== @@ -1,5 +1,5 @@ # vim: filetype=yaml sw=2 -version: 3.11.3 +version: 3.9.20 filename: 'python-[% c("var/build_id") %].tar.[% c("compress_tar") %]' container: use_container: 1 @@ -24,9 +24,7 @@ input_files: - project: container-image - name: python URL: 'https://www.python.org/ftp/python/[% c("version") %]/Python-[% c("version") %].tar.xz' - gpg_keyring: python.gpg - sig_ext: asc - file_gpg_id: 1 + sha256sum: 6b281279efd85294d2d6993e173983a57464c0133956fbbb5536ec9646beaf0c - name: '[% c("var/compiler") %]' project: '[% c("var/compiler") %]' enable: '[% c("var/linux") %]' ===================================== projects/tor/config ===================================== @@ -1,6 +1,6 @@ # vim: filetype=yaml sw=2 filename: '[% project %]-[% c("version") %]-[% c("var/osname") %]-[% c("var/build_id") %].tar.[% c("compress_tar") %]' -version: 0.4.8.12 +version: 0.4.8.13 git_hash: 'tor-[% c("version") %]' git_url: https://gitlab.torproject.org/tpo/core/tor.git git_submodule: 1 ===================================== projects/translation/config ===================================== @@ -12,13 +12,13 @@ compress_tar: 'gz' steps: base-browser: base-browser: '[% INCLUDE build %]' - git_hash: 547400dd678f476ec38efde2cf703d57c1a3e8c7 + git_hash: 3b1be2065b54939ed019d94174f137847bcf3c66 targets: nightly: git_hash: 'base-browser' tor-browser: tor-browser: '[% INCLUDE build %]' - git_hash: 38d5c3b11cfb96833ae2c7dc3122829b29583d6f + git_hash: ba63bd165f3fd4bdd472815c9761413d4671cfb7 targets: nightly: git_hash: 'tor-browser' @@ -32,7 +32,7 @@ steps: fenix: '[% INCLUDE build %]' # We need to bump the commit before releasing but just pointing to a branch # might cause too much rebuidling of the Firefox part. - git_hash: 705bbd235cadf827b6d4e0003d59c290f2feaa44 + git_hash: 60f82208b8a0a95e91fdb4dcefe8d394c17f64ba compress_tar: 'zst' targets: nightly: ===================================== rbm.conf ===================================== @@ -73,22 +73,22 @@ buildconf: git_signtag_opt: '-s' var: - torbrowser_version: '14.0' + torbrowser_version: '14.0.1' torbrowser_build: 'build1' # This should be the date of when the build is started. For the build # to be reproducible, browser_release_date should always be in the past. - browser_release_date: '2024/10/16 16:45:00' + browser_release_date: '2024/10/28 09:00:00' browser_release_date_timestamp: '[% USE date; date.format(c("var/browser_release_date"), "%s") %]' updater_enabled: 1 build_mar: 1 torbrowser_incremental_from: - - 13.5.7 - - 13.5.6 - - 13.5.5 + - '[% IF c("var/tor-browser") %]14.0[% END %]' + - '13.5.9' + - '13.5.7' mar_channel_id: '[% c("var/projectname") %]-torproject-[% c("var/channel") %]' - torbrowser_legacy_version: 13.5.7 - torbrowser_legacy_platform_version: 115.16.0 + torbrowser_legacy_version: 13.5.9 + torbrowser_legacy_platform_version: 115.17.0 # By default, we sort the list of installed packages. This allows sharing # containers with identical list of packages, even if they are not listed ===================================== tools/relprep.py ===================================== @@ -92,7 +92,7 @@ class ReleasePreparation: self.repo = Repo(self.base_path) self.tor_browser = bool(kwargs.get("tor_browser", True)) - self.mullvad_browser = bool(kwargs.get("tor_browser", True)) + self.mullvad_browser = bool(kwargs.get("mullvad_browser", True)) if not self.tor_browser and not self.mullvad_browser: raise ValueError("Nothing to do") self.android = kwargs.get("android", self.tor_browser) View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/compare/… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/compare/… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser] Pushed new tag tor-browser-128.4.0esr-14.0-1-build2
by Pier Angelo Vendrame (＠pierov) 28 Oct '24

28 Oct '24

Pier Angelo Vendrame pushed new tag tor-browser-128.4.0esr-14.0-1-build2 at The Tor Project / Applications / Tor Browser -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/tree/tor-brows… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser-build][main] Update rbm for rbm#40006
by boklm (＠boklm) 28 Oct '24

28 Oct '24

boklm pushed to branch main at The Tor Project / Applications / tor-browser-build Commits: f3bcd325 by Nicolas Vigier at 2024-10-28T09:49:28+01:00 Update rbm for rbm#40006 - - - - - 1 changed file: - rbm Changes: ===================================== rbm ===================================== @@ -1 +1 @@ -Subproject commit 1e0cfb68e958c1b22ac51fd32859781b8da2bc93 +Subproject commit f18daa3f93d1aec674e4ba0dfbd22ac6afd6f8c9 View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/f… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/f… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/rbm][main] Bug 40006: Add option to avoid doing a git checkout when using the exec template function
by boklm (＠boklm) 28 Oct '24

28 Oct '24

boklm pushed to branch main at The Tor Project / Applications / RBM Commits: f18daa3f by Nicolas Vigier at 2024-10-27T17:22:45+01:00 Bug 40006: Add option to avoid doing a git checkout when using the exec template function The `exec_noco` option can be used to disable git or hg checkout when using the exec template function. We start using this option in the `abbrev` and `timestamp` options, which are running git and hg commands which don't need a checkout. - - - - - 3 changed files: - doc/rbm_templates.asc - lib/RBM.pm - lib/RBM/DefaultConfig.pm Changes: ===================================== doc/rbm_templates.asc ===================================== @@ -107,9 +107,11 @@ exec:: considered to be a script, which will be written to a temporary file and executed. The second argument of the exec function is an optional $options hash, used to override values of 'git_url', - 'hg_url', 'fetch', 'git_hash' or 'hg_hash'. If neither 'git_url' - nor 'hg_url' is set, the command is executed from the directory - where the 'rbm.conf' file is located. + 'hg_url', 'fetch', 'git_hash' or 'hg_hash'. Before running the + command a checkout of 'git_hash' or 'hg_hash' is done, unless + 'exec_noco' is set to true. If neither 'git_url' nor 'hg_url' + is set, the command is executed from the directory where the + 'rbm.conf' file is located. path:: A function to return an absolute path. It takes a path as first ===================================== lib/RBM.pm ===================================== @@ -551,15 +551,18 @@ sub execute { CORE::state %cache; my $res_name = ''; my $old_cwd = getcwd; + my $exec_noco = ref $options eq 'HASH' && $options->{exec_noco}; if (project_config($project, 'git_url', $options)) { my $git_hash = project_config($project, 'git_hash', $options) || exit_error "No git_hash specified for project $project"; $res_name = "git-$project-/-$git_hash-/-$cmd"; return $cache{$res_name} if exists $cache{$res_name}; git_clone_fetch_chdir($project, $options); - my ($stdout, $stderr, $success, $exit_code) + if (!$exec_noco) { + my ($stdout, $stderr, $success, $exit_code) = capture_exec('git', 'checkout', $git_hash); - exit_error "Cannot checkout $git_hash:\n$stderr" unless $success; + exit_error "Cannot checkout $git_hash:\n$stderr" unless $success; + } git_submodule_init_sync_update() if project_config($project, 'git_submodule', $options); } elsif (project_config($project, 'hg_url', $options)) { @@ -568,9 +571,11 @@ sub execute { $res_name = "hg-$project-/-$hg_hash-/-$cmd"; return $cache{$res_name} if exists $cache{$res_name}; hg_clone_fetch_chdir($project, $options); - my ($stdout, $stderr, $success, $exit_code) + if (!$exec_noco) { + my ($stdout, $stderr, $success, $exit_code) = capture_exec('hg', 'update', '-C', $hg_hash); - exit_error "Cannot checkout $hg_hash:\n$stderr" unless $success; + exit_error "Cannot checkout $hg_hash:\n$stderr" unless $success; + } } else { chdir($config->{basedir}); } ===================================== lib/RBM/DefaultConfig.pm ===================================== @@ -126,9 +126,9 @@ our %default_config = ( abbrev_length => '12', abbrev => '[% IF c("git_url"); - exec("git log -1 --abbrev=" _ c("abbrev_length") _ " --format=%h " _ c("git_hash")); + exec("git log -1 --abbrev=" _ c("abbrev_length") _ " --format=%h " _ c("git_hash"), { exec_noco => 1 }); ELSE; - exec(c("hg") _ " id -i -r " _ c("hg_hash")); + exec(c("hg") _ " id -i -r " _ c("hg_hash"), { exec_noco => 1 }); END; %]', timestamp => sub { @@ -136,12 +136,14 @@ our %default_config = ( if (RBM::project_config($project, 'git_url', $options)) { my $git_hash = RBM::project_config($project, 'git_hash', $options); return RBM::execute($project, - "git show -s --format=format:%ct ${git_hash}^{commit}", $options); + "git show -s --format=format:%ct ${git_hash}^{commit}", + { %$options, exec_noco => 1 }); } elsif (RBM::project_config($project, 'hg_url', $options)) { my $hg = RBM::project_config($project, 'hg', $options); my $hg_hash = RBM::project_config($project, 'hg_hash', $options); my $changeset = RBM::execute($project, - "$hg export --noninteractive -r $hg_hash", $options); + "$hg export --noninteractive -r $hg_hash", + { %$options, exec_noco => 1 }); foreach my $line (split "\n", $changeset) { return $1 if ($line =~ m/^# Date (\d+) \d+/); } View it on GitLab: https://gitlab.torproject.org/tpo/applications/rbm/-/commit/f18daa3f93d1aec… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/rbm/-/commit/f18daa3f93d1aec… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser-build][main] Update release prep issue templates
by morgan (＠morgan) 25 Oct '24

25 Oct '24

morgan pushed to branch main at The Tor Project / Applications / tor-browser-build Commits: 309821b4 by Morgan at 2024-10-25T00:31:34+00:00 Update release prep issue templates - - - - - 5 changed files: - .gitlab/issue_templates/Release Prep - Mullvad Browser Alpha.md - .gitlab/issue_templates/Release Prep - Mullvad Browser Stable.md - .gitlab/issue_templates/Release Prep - Tor Browser Alpha.md - + .gitlab/issue_templates/Release Prep - Tor Browser Legacy.md - .gitlab/issue_templates/Release Prep - Tor Browser Stable.md Changes: ===================================== .gitlab/issue_templates/Release Prep - Mullvad Browser Alpha.md ===================================== @@ -1,83 +1,96 @@ +# Release Prep Mullvad Browser Alpha + +- **NOTE** It is assumed the `mullvad-browser` alpha rebase and security backport tasks have been completed +- **NOTE** This can/is often done in conjunction with the equivalent Tor Browser release prep issue + <details> <summary>Explanation of variables</summary> -- `$(BUILD_SERVER)` : the server the main builder is using to build a mullvad-browser release -- `$(BUILDER)` : whomever is building the release on the $(BUILD_SERVER) - - **example** : `pierov` -- `$(STAGING_SERVER)` : the server the signer is using to to run the signing process -- `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building mullvad-browser tags, labels, etc - - **example** : `91.6.0` -- `$(MULLVAD_BROWSER_MAJOR)` : the Mullvad Browser major version - - **example** : `11` -- `$(MULLVAD_BROWSER_MINOR)` : the Mullvad Browser minor version - - **example** : either `0` or `5`; Alpha's is always `(Stable + 5) % 10` -- `$(MULLVAD_BROWSER_VERSION)` : the Mullvad Browser version in the format - - **example** : `12.5a3`, `12.0.3` -- `$(BUILD_N)` : a project's build revision within a its branch; this is separate from the `$(MULLVAD_BROWSER_BUILD_N)` value; many of the Firefox-related projects have a `$(BUILD_N)` suffix and may differ between projects even when they contribute to the same build. - - **example** : `build1` -- `$(MULLVAD_BROWSER_BUILD_N)` : the mullvad-browser build revision for a given Mullvad Browser release; used in tagging git commits - - **example** : `build2` - - **NOTE** : A project's `$(BUILD_N)` and `$(MULLVAD_BROWSER_BUILD_N)` may be the same, but it is possible for them to diverge. For **example** : - - if we have multiple Mullvad Browser releases on a given ESR branch the two will become out of sync as the `$(BUILD_N)` value will increase, while the `$(MULLVAD_BROWSER_BUILD_N)` value may stay at `build1` (but the `$(MULLVAD_BROWSER_VERSION)` will increase) - - if we have build failures unrelated to `mullvad-browser`, the `$(MULLVAD_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same. -- `$(MULLVAD_BROWSER_VERSION)` : the published Mullvad Browser version - - **example** : `11.5a6`, `11.0.7` -- `$(MB_BUILD_TAG)` : the `tor-browser-build` build tag used to build a given Mullvad Browser version - - **example** : `mb-12.0.7-build1` +- `${BUILD_SERVER}`: the server the main builder is using to build a browser release +- `${BUILDER}`: whomever is building the release on the ${BUILD_SERVER} + - **example**: `pierov` +- `${STAGING_SERVER}`: the server the signer is using to to run the signing process +- `${ESR_VERSION}`: the Mozilla defined ESR version, used in various places for building browser tags, labels, etc + - **example**: `91.6.0` +- `${MULLVAD_BROWSER_MAJOR}`: the Mullvad Browser major version + - **example**: `11` +- `${MULLVAD_BROWSER_MINOR}`: the Mullvad Browser minor version + - **example**: either `0` or `5`; Alpha's is always `(Stable + 5) % 10` +- `${MULLVAD_BROWSER_VERSION}`: the Mullvad Browser version in the format + - **example**: `12.5a3`, `12.0.3` +- `${BUILD_N}`: a project's build revision within a its branch; this is separate from the `${MULLVAD_BROWSER_BUILD_N}` value; many of the Firefox-related projects have a `${BUILD_N}` suffix and may differ between projects even when they contribute to the same build. + - **example**: `build1` +- `${MULLVAD_BROWSER_BUILD_N}`: the mullvad-browser build revision for a given Mullvad Browser release; used in tagging git commits + - **example**: `build2` + - **⚠️ WARNING**: A project's `${BUILD_N}` and `${MULLVAD_BROWSER_BUILD_N}` may be the same, but it is possible for them to diverge. For **example** : + - if we have multiple Mullvad Browser releases on a given ESR branch the two will become out of sync as the `${BUILD_N}` value will increase, while the `${MULLVAD_BROWSER_BUILD_N}` value may stay at `build1` (but the `${MULLVAD_BROWSER_VERSION}` will increase) + - if we have build failures unrelated to `mullvad-browser`, the `${MULLVAD_BROWSER_BUILD_N}` value will increase while the `${BUILD_N}` will stay the same. +- `${MULLVAD_BROWSER_VERSION}`: the published Mullvad Browser version + - **example**: `11.5a6`, `11.0.7` +- `${MB_BUILD_TAG}`: the `tor-browser-build` build tag used to build a given Mullvad Browser version + - **example**: `mb-12.0.7-build1` +- `${RELEASE_DATE}`: the intended release date of this browser release; for ESR schedule-driven releases, this should match the upstream Firefox release date + - **example**: `2024-10-29` + </details> -**NOTE** It is assumed that the `tor-browser` alpha rebase and security backport tasks have been completed +<details> + <summary>Build Configuration</summary> -**NOTE** This can/is often done in conjunction with the equivalent Tor Browser release prep issue +### mullvad-browser: https://gitlab.torproject.org/tpo/applications/mullvad-browser.git -<details> - <summary>Building</summary> +- [ ] Tag `mullvad-browser` commit: + - **example**: `mullvad-browser-128.4.0esr-14.5-1-build1` ### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git Mullvad Browser Alpha (and Nightly) are on the `main` branch -- [ ] Update `rbm.conf` - - [ ] `var/torbrowser_version` : update to next version - - [ ] `var/torbrowser_build` : update to `$(MULLVAD_BROWSER_BUILD_N)` - - [ ] `var/browser_release_date` : update to build date. For the build to be reproducible, the date should be in the past when building. - - [ ] `var/torbrowser_incremental_from` : update to previous Desktop version - - **NOTE**: We try to build incrementals for the previous 3 desktop versions except in the case of a watershed update - - **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make mullvadbrowser-incrementals-*` step will fail -- [ ] Update build configs - - [ ] Update `projects/firefox/config` - - [ ] `browser_build` : update to match `mullvad-browser` tag - - [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased - - [ ] Update `projects/translation/config`: - - [ ] run `make list_translation_updates-alpha` to get updated hashes - - [ ] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch - - [ ] `steps/mullvad-browser/git_hash` : update with `HEAD` commit of project's `mullvad-browser` branch -- [ ] Update common build configs - - [ ] Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript - - [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/browser/config` - - [ ] `URL` - - [ ] `sha256sum` - - [ ] Check for uBlock-origin updates here : https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/ - - [ ] ***(Optional)*** If new version available, update `ublock-origin` section of `input_files` in `projects/browser/config` - - [ ] `URL` - - [ ] `sha256sum` - - [ ] Check for Mullvad Browser Extension updates here : https://github.com/mullvad/browser-extension/releases - - [ ] ***(Optional)*** If new version available, update `mullvad-extension` section of `input_files` in `projects/browser/config` - - [ ] `URL` - - [ ] `sha256sum` -- [ ] Update `ChangeLog-MB.txt` - - [ ] Ensure `ChangeLog-MB.txt` is sync'd between alpha and stable branches - - [ ] Check the linked issues: ask people to check if any are missing, remove the not fixed ones - - [ ] Run `./tools/fetch_changelogs.py $(ISSUE_NUMBER) --date $date $updateArgs` - - Make sure you have `requests` installed (e.g., `apt install python3-requests`) - - The first time you run this script you will need to generate an access token; the script will guide you - - `$updateArgs` should be these arguments, depending on what you actually updated: - - [ ] `--firefox` (be sure to include esr at the end if needed, which is usually the case) - - [ ] `--no-script` - - [ ] `--ublock` - - E.g., `./tools/fetch_changelogs.py 41029 --date 'December 19 2023' --firefox 115.6.0esr --no-script 11.4.29 --ublock 1.54.0` - - `--date $date` is optional, if omitted it will be the date on which you run the command - - [ ] Copy the output of the script to the beginning of `ChangeLog-MB.txt` and adjust its output +- [ ] Changelog bookkeeping: + - [ ] Ensure all commits to `mullvad-browser` and `tor-browser-build` for this release have an associated issue linked to this release preparation issue + - [ ] Ensure each issue has a platform (~Windows, ~MacOS, ~Linux, ~Desktop, ~"All Platforms") and potentially ~"Build System" labels +- [ ] Create a release preparation branch from the `main` branch +- [ ] Run release preparation script: + - **NOTE**: You can omit the `--mullvad-browser` argument if this is for a joint Tor and Mullvad Browser release + - **⚠️ WARNING**: You may need to manually update the `firefox/config` file's `browser_build` field if `mullvad-browser.git` has not yet been tagged (e.g. if security backports have not yet been merged and tagged) + ```bash + ./tools/relprep.py --mullvad-browser --date ${RELEASE_DATE} ${MULLVAD_BROWSER_VERSION} + ``` +- [ ] Review build configuration changes: + - [ ] `rbm.conf` + - [ ] `var/torbrowser_version`: updated to next browser version + - [ ] `var/torbrowser_build`: updated to `${MULLVAD_BROWSER_BUILD_N}` + - [ ] `var/browser_release_date`: updated to build date. For the build to be reproducible, the date should be in the past when building. + - **⚠️ WARNING**: If we have updated `var/torbrowser_build` without updating the `firefox` tag, then we can leave this unchanged to avoid forcing a firefox re-build (e.g. when bumping `var/torbrowser_build` to build2, build3, etc due to non-firefox related build issues) + - [ ] `var/torbrowser_incremental_from`: updated to previous Desktop version + - **NOTE**: We try to build incrementals for the previous 3 desktop versions + - **⚠️ WARNING**: Really *actually* make sure this is the previous Desktop version or else the `make mullvadbrowser-incrementals-*` step will fail + - [ ] `projects/firefox/config` + - [ ] `browser_build`: updated to match `mullvad-browser` tag + - [ ] ***(Optional)*** `var/firefox_platform_version`: updated to latest `${ESR_VERSION}` if rebased + - [ ] ***(Optional)*** `projects/translation/config`: + - [ ] `steps/base-browser/git_hash`: updated with `HEAD` commit of project's `base-browser` branch + - [ ] `steps/mullvad-browser/git_hash`: updated with `HEAD` commit of project's `mullvad-browser` branch + - [ ] ***(Optional)*** `projects/browser/config`: + - [ ] NoScript: https://addons.mozilla.org/en-US/firefox/addon/noscript + - [ ] `URL` updated + - **⚠️ WARNING**: If preparing the release manually, updating the version number in the url is not sufficient, as each version has a random unique id in the download url + - [ ] `sha256sum` updated + - [ ] uBlock-origin: https://addons.mozilla.org/en-US/firefox/addon/ublock-origin + - [ ] `URL` updated + - **⚠️ WARNING**: If preparing the release manually, updating the version number in the url is not sufficient, as each version has a random unique id in the download url + - [ ] `sha256sum` updated + - [ ] Mullvad Browser extension: https://github.com/mullvad/browser-extension/releases + - [ ] `URL` updated + - [ ] `sha256sum` updated + - [ ] `ChangeLog-MB.txt`: ensure correctness + - [ ] Browser name correct + - [ ] Release date correct + - [ ] No Android updates + - [ ] All issues added under correct platform + - [ ] ESR updates correct + - [ ] Component updates correct - [ ] Open MR with above changes, using the template for release preparations + - **NOTE**: target the `main` branch - [ ] Merge - [ ] Sign+Tag - **NOTE** this must be done by one of: @@ -86,16 +99,25 @@ Mullvad Browser Alpha (and Nightly) are on the `main` branch - ma1 - morgan - pierov - - [ ] Run: `make mullvadbrowser-signtag-alpha` + - [ ] Run: + ```bash + make mullvadbrowser-signtag-alpha + ``` - [ ] Push tag to `upstream` - [ ] Build the tag: - - Run `make mullvadbrowser-alpha && make mullvadbrowser-incrementals-alpha` on: + - [ ] Run: + ```bash + make mullvadbrowser-alpha && make mullvadbrowser-incrementals-alpha + ``` - [ ] Tor Project build machine - [ ] Local developer machine - [ ] Submit build request to Mullvad infrastructure: - **NOTE** this requires a devmole authentication token - - Run `make mullvadbrowser-kick-devmole-build` -- [ ] Ensure builders have matching builds + - **NOTE** this also requires you be connected to a Swedish Mulvad VPN exit + - [ ] Run: + ```bash + make mullvadbrowser-kick-devmole-build + ``` </details> @@ -105,64 +127,84 @@ Mullvad Browser Alpha (and Nightly) are on the `main` branch ### release signing - [ ] Assign this issue to the signer, one of: - boklm + - ma1 - morgan -- [ ] On `$(STAGING_SERVER)`, ensure updated: - - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-$(MULLVAD_BROWSER_VERSION)-$(MULLVAD_BROWSER_BUILD_N) && git checkout tbb-$(MULLVAD_BROWSER_VERSION)-$(MULLVAD_BROWSER_BUILD_N)` + - pierov +- [ ] Ensure all builders have matching builds +- [ ] On `${STAGING_SERVER}`, ensure updated: + - **NOTE** Having a local git branch with `main` as the upstream branch with these values saved means you only need to periodically `git pull --rebase` and update the `set-config.tbb-version` file + - [ ] `tor-browser-build` is on the right commit: `git tag -v mb-${MULLVAD_BROWSER_VERSION}-${MULLVAD_BROWSER_BUILD_N} && git checkout mb-${MULLVAD_BROWSER_VERSION}-${MULLVAD_BROWSER_BUILD_N}` - [ ] `tor-browser-build/tools/signing/set-config.hosts` - - `ssh_host_builder` : ssh hostname of machine with unsigned builds - - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory) - - `ssh_host_linux_signer` : ssh hostname of linux signing machine + - `ssh_host_builder`: ssh hostname of machine with unsigned builds + - `ssh_host_linux_signer`: ssh hostname of linux signing machine + - `builder_tor_browser_build_dir`: path on `ssh_host_builder` to root of builder's `tor-browser-build` clone containing unsigned builds - [ ] `tor-browser-build/tools/signing/set-config.rcodesign-appstoreconnect` - - `appstoreconnect_api_key_path` : path to json file containing appstoreconnect api key infos + - `appstoreconnect_api_key_path`: path to json file containing appstoreconnect api key infos - [ ] `set-config.update-responses` - - `update_responses_repository_dir` : directory where you cloned `git@gitlab.torproject.org:tpo/applications/mullvad-browser-update-responses.git` + - `update_responses_repository_dir`: directory where you cloned `git@gitlab.torproject.org:tpo/applications/mullvad-browser-update-responses.git` - [ ] `tor-browser-build/tools/signing/set-config.tbb-version` - - `tbb_version` : mullvad browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`) - - `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`) - - `tbb_version_type` : either `alpha` for alpha releases or `release` for stable releases -- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050 -- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, run do-all-signing script: - - `cd tor-browser-build/tools/signing/` - - `./do-all-signing.mullvadbrowser` -- **NOTE**: at this point the signed binaries should have been copied to `staticiforme` -- [ ] Update `staticiforme.torproject.org`: - - From `screen` session on `staticiforme.torproject.org`: - - [ ] Remove old release data from `/srv/dist-master.torproject.org/htdocs/mullvadbrowser` - - [ ] Static update components (again) : `static-update-component dist.torproject.org` + - `tbb_version`: mullvad browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`) + - `tbb_version_build`: the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`) + - `tbb_version_type`: either `alpha` for alpha releases or `release` for stable releases +- [ ] On `${STAGING_SERVER}` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050 +- [ ] On `${STAGING_SERVER}` in a separate `screen` session, run do-all-signing script: + - [ ] Run: + ```bash + cd tor-browser-build/tools/signing/ && ./do-all-signing.mullvadbrowser + ``` + - **NOTE**: on successful execution, the signed binaries and mars should have been copied to `staticiforme` and update responses pushed </details> <details> <summary>Publishing</summary> +### website +- [ ] On `staticiforme.torproject.org`, remove old release and publish new: + - [ ] `/srv/dist-master.torproject.org/htdocs/mullvadbrowser` + - [ ] Run: + ```bash + static-update-component dist.torproject.org + ``` + ### mullvad-browser (GitHub): https://github.com/mullvad/mullvad-browser/ - [ ] Assign this issue to someone with mullvad commit access, one of: - boklm - ma1 - morgan - pierov +- [ ] Sign+Tag additionally the `mullvad-browser.git` `firefox` commit used in build: + - **Tag**: `${MULLVAD_BROWSER_VERSION}` + - **example**: `12.5a7` + - **Message**: `${ESR_VERSION}esr-based ${MULLVAD_BROWSER_VERSION}` + - **example**: `102.12.0esr-based 12.5a7` - [ ] Push this release's associated `mullvad-browser.git` branch to github - [ ] Push this release's associated tags to github: - [ ] Firefox ESR tag - - **example** : `FIREFOX_102_12_0esr_BUILD1` + - **example**: `FIREFOX_102_12_0esr_BUILD1` - [ ] `base-browser` tag - - **example** : `base-browser-102.12.0esr-12.0-1-build1` - - [ ] `mullvad-browser` tag - - **example** : `mullvad-browser-102.12.0esr-12.0-1-build1` -- [ ] Sign+Tag additionally the `mullvad-browser.git` `firefox` commit used in build: - - **Tag**: `$(MULLVAD_BROWSER_VERSION)` - - **example** : `12.5a7` - - **Message**: `$(ESR_VERSION)esr-based $(MULLVAD_BROWSER_VERSION)` - - **example** : `102.12.0esr-based 12.5a7` - - [ ] Push tag to github - -### email -- [ ] **(Once branch+tags pushed to GitHub)** Email Mullvad with release information: - - [ ] support alias: support(a)mullvadvpn.net - - [ ] Rui: rui(a)mullvad.net + - **example**: `base-browser-102.12.0esr-12.0-1-build1` + - [ ] `mullvad-browser` build tag + - **example**: `mullvad-browser-102.12.0esr-12.0-1-build1` + - [ ] `mullvad-browser` release tag + - **example**: `12.0.11` + +</details> + +<details> + <summary>Communications</summary> + +### Mullvad +- [ ] Email Mullvad with release information: + - **Recipients** + - Mullvad support alias: support(a)mullvadvpn.net + - Rui Hildt: rui(a)mullvad.net + ``` + support(a)mullvadvpn.net rui(a)mullvad.net + ``` - **Subject** ``` - New build: Mullvad Browser $(MULLVAD_BROWSER_VERION) (signed) + New build: Mullvad Browser ${MULLVAD_BROWSER_VERION} (signed) ``` - **Body** ``` @@ -170,28 +212,27 @@ Mullvad Browser Alpha (and Nightly) are on the `main` branch Branch+Tags have been pushed to Mullvad's GitHub repo. - - signed builds: https://dist.torproject.org/mullvadbrowser/$(MULLVAD_BROWSER_VERSION) - - update_response hashes: $(MULLVAD_UPDATE_RESPONSES_HASH) + - signed builds: https://dist.torproject.org/mullvadbrowser/${MULLVAD_BROWSER_VERSION} + - update_response hashes: ${MULLVAD_UPDATE_RESPONSES_HASH} changelog: + # paste changelog as quote here ... ``` -</details> - -<details> - <summary>Downstream</summary> - -### notify packagers -These steps depend on Mullvad having updated their [GitHub Releases](https://github.com/mullvad/mullvad-browser/releases/) page with the latest release -- [ ] **(Optional)** Email downstream consumers: +### packagers +- [ ] **(Optional, Once Packages are pushed to GitHub)** - **NOTE**: This is an optional step and only necessary close a major release/transition from alpha to stable, or if there are major packing changes these developers need to be aware of - - [ ] flathub package maintainer: proletarius101(a)protonmail.com - - [ ] arch package maintainer: bootctl(a)gmail.com - - [ ] nixOS package maintainer: dev(a)felschr.com + - **Recipients** + - flathub package maintainer: proletarius101(a)protonmail.com + - arch package maintainer: bootctl(a)gmail.com + - nixOS package maintainer: dev(a)felschr.com + ``` + proletarius101(a)protonmail.com bootctl(a)gmail.com dev(a)felschr.com + ``` - **Subject** ``` - Mullvad Browser $(MULLVAD_BROWSER_VERSION) released + Mullvad Browser ${MULLVAD_BROWSER_VERSION} released ``` - **Body** ``` @@ -208,4 +249,3 @@ These steps depend on Mullvad having updated their [GitHub Releases](https://git /label ~"Release Prep" /label ~"Sponsor 131" - ===================================== .gitlab/issue_templates/Release Prep - Mullvad Browser Stable.md ===================================== @@ -1,83 +1,96 @@ +# Release Prep Mullvad Browser Stable + +- **NOTE** It is assumed the `mullvad-browser` release rebase and security backport tasks have been completed +- **NOTE** This can/is often done in conjunction with the equivalent Tor Browser release prep issue + <details> <summary>Explanation of variables</summary> -- `$(BUILD_SERVER)` : the server the main builder is using to build a mullvad-browser release -- `$(BUILDER)` : whomever is building the release on the $(BUILD_SERVER) - - **example** : `pierov` -- `$(STAGING_SERVER)` : the server the signer is using to to run the signing process -- `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building mullvad-browser tags, labels, etc - - **example** : `91.6.0` -- `$(MULLVAD_BROWSER_MAJOR)` : the Mullvad Browser major version - - **example** : `11` -- `$(MULLVAD_BROWSER_MINOR)` : the Mullvad Browser minor version - - **example** : either `0` or `5`; Alpha's is always `(Stable + 5) % 10` -- `$(MULLVAD_BROWSER_VERSION)` : the Mullvad Browser version in the format - - **example** : `12.5a3`, `12.0.3` -- `$(BUILD_N)` : a project's build revision within a its branch; this is separate from the `$(MULLVAD_BROWSER_BUILD_N)` value; many of the Firefox-related projects have a `$(BUILD_N)` suffix and may differ between projects even when they contribute to the same build. - - **example** : `build1` -- `$(MULLVAD_BROWSER_BUILD_N)` : the mullvad-browser build revision for a given Mullvad Browser release; used in tagging git commits - - **example** : `build2` - - **NOTE** : A project's `$(BUILD_N)` and `$(MULLVAD_BROWSER_BUILD_N)` may be the same, but it is possible for them to diverge. For **example** : - - if we have multiple Mullvad Browser releases on a given ESR branch the two will become out of sync as the `$(BUILD_N)` value will increase, while the `$(MULLVAD_BROWSER_BUILD_N)` value may stay at `build1` (but the `$(MULLVAD_BROWSER_VERSION)` will increase) - - if we have build failures unrelated to `mullvad-browser`, the `$(MULLVAD_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same. -- `$(MULLVAD_BROWSER_VERSION)` : the published Mullvad Browser version - - **example** : `11.5a6`, `11.0.7` -- `$(MB_BUILD_TAG)` : the `tor-browser-build` build tag used to build a given Mullvad Browser version - - **example** : `mb-12.0.7-build1` +- `${BUILD_SERVER}`: the server the main builder is using to build a browser release +- `${BUILDER}`: whomever is building the release on the ${BUILD_SERVER} + - **example**: `pierov` +- `${STAGING_SERVER}`: the server the signer is using to to run the signing process +- `${ESR_VERSION}`: the Mozilla defined ESR version, used in various places for building browser tags, labels, etc + - **example**: `91.6.0` +- `${MULLVAD_BROWSER_MAJOR}`: the Mullvad Browser major version + - **example**: `11` +- `${MULLVAD_BROWSER_MINOR}`: the Mullvad Browser minor version + - **example**: either `0` or `5`; Alpha's is always `(Stable + 5) % 10` +- `${MULLVAD_BROWSER_VERSION}`: the Mullvad Browser version in the format + - **example**: `12.5a3`, `12.0.3` +- `${BUILD_N}`: a project's build revision within a its branch; this is separate from the `${MULLVAD_BROWSER_BUILD_N}` value; many of the Firefox-related projects have a `${BUILD_N}` suffix and may differ between projects even when they contribute to the same build. + - **example**: `build1` +- `${MULLVAD_BROWSER_BUILD_N}`: the mullvad-browser build revision for a given Mullvad Browser release; used in tagging git commits + - **example**: `build2` + - **⚠️ WARNING**: A project's `${BUILD_N}` and `${MULLVAD_BROWSER_BUILD_N}` may be the same, but it is possible for them to diverge. For **example** : + - if we have multiple Mullvad Browser releases on a given ESR branch the two will become out of sync as the `${BUILD_N}` value will increase, while the `${MULLVAD_BROWSER_BUILD_N}` value may stay at `build1` (but the `${MULLVAD_BROWSER_VERSION}` will increase) + - if we have build failures unrelated to `mullvad-browser`, the `${MULLVAD_BROWSER_BUILD_N}` value will increase while the `${BUILD_N}` will stay the same. +- `${MULLVAD_BROWSER_VERSION}`: the published Mullvad Browser version + - **example**: `11.5a6`, `11.0.7` +- `${MB_BUILD_TAG}`: the `tor-browser-build` build tag used to build a given Mullvad Browser version + - **example**: `mb-12.0.7-build1` +- `${RELEASE_DATE}`: the intended release date of this browser release; for ESR schedule-driven releases, this should match the upstream Firefox release date + - **example**: `2024-10-29` + </details> -**NOTE** It is assumed that the `tor-browser` stable rebase and security backport tasks have been completed +<details> + <summary>Build Configuration</summary> -**NOTE** This can/is often done in conjunction with the equivalent Tor Browser release prep issue +### mullvad-browser: https://gitlab.torproject.org/tpo/applications/mullvad-browser.git -<details> - <summary>Building</summary> +- [ ] Tag `mullvad-browser` commit: + - **example**: `mullvad-browser-128.3.0esr-14.0-1-build1` ### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git -Mullvad Browser Stable lives in the various `maint-$(MULLVAD_BROWSER_MAJOR).$(MULLVAD_BROWSER_MINOR)` (and possibly more specific) branches - -- [ ] Update `rbm.conf` - - [ ] `var/torbrowser_version` : update to next version - - [ ] `var/torbrowser_build` : update to `$(MULLVAD_BROWSER_BUILD_N)` - - [ ] `var/browser_release_date` : update to build date. For the build to be reproducible, the date should be in the past when building. - - [ ] `var/torbrowser_incremental_from` : update to previous Desktop version - - **NOTE**: We try to build incrementals for the previous 3 desktop versions except in the case of a watershed update - - **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make mullvadbrowser-incrementals-*` step will fail -- [ ] Update build configs - - [ ] Update `projects/firefox/config` - - [ ] `browser_build` : update to match `mullvad-browser` tag - - [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased - - [ ] Update `projects/translation/config`: - - [ ] run `make list_translation_updates-release` to get updated hashes - - [ ] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch - - [ ] `steps/mullvad-browser/git_hash` : update with `HEAD` commit of project's `mullvad-browser` branch -- [ ] Update common build configs - - [ ] Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript - - [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/browser/config` - - [ ] `URL` - - [ ] `sha256sum` - - [ ] Check for uBlock-origin updates here : https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/ - - [ ] ***(Optional)*** If new version available, update `ublock-origin` section of `input_files` in `projects/browser/config` - - [ ] `URL` - - [ ] `sha256sum` - - [ ] Check for Mullvad Browser Extension updates here : https://github.com/mullvad/browser-extension/releases - - [ ] ***(Optional)*** If new version available, update `mullvad-extension` section of `input_files` in `projects/browser/config` - - [ ] `URL` - - [ ] `sha256sum` -- [ ] Update `ChangeLog-MB.txt` - - [ ] Ensure `ChangeLog-MB.txt` is sync'd between alpha and stable branches - - [ ] Check the linked issues: ask people to check if any are missing, remove the not fixed ones - - [ ] Run `./tools/fetch-changelogs.py $(ISSUE_NUMBER) --date $date $updateArgs` - - Make sure you have `requests` installed (e.g., `apt install python3-requests`) - - The first time you run this script you will need to generate an access token; the script will guide you - - `$updateArgs` should be these arguments, depending on what you actually updated: - - [ ] `--firefox` (be sure to include esr at the end if needed, which is usually the case) - - [ ] `--no-script` - - [ ] `--ublock` - - E.g., `./tools/fetch-changelogs.py 41029 --date 'December 19 2023' --firefox 115.6.0esr --no-script 11.4.29 --ublock 1.54.0` - - `--date $date` is optional, if omitted it will be the date on which you run the command - - [ ] Copy the output of the script to the beginning of `ChangeLog-MB.txt` and adjust its output +Mullvad Browser Stable is on the `maint-${MULLVAD_BROWSER_MAJOR}.${MULLVAD_BROWSER_MINOR}` branch + +- [ ] Changelog bookkeeping: + - [ ] Ensure all commits to `mullvad-browser` and `tor-browser-build` for this release have an associated issue linked to this release preparation issue + - [ ] Ensure each issue has a platform (~Windows, ~MacOS, ~Linux, ~Desktop, ~"All Platforms") and potentially ~"Build System" labels +- [ ] Create a release preparation branch from the current `maint-XX.Y` branch +- [ ] Run release preparation script: + - **NOTE**: You can omit the `--mullvad-browser` argument if this is for a joint Tor and Mullvad Browser release + - **⚠️ WARNING**: You may need to manually update the `firefox/config` file's `browser_build` field if `mullvad-browser.git` has not yet been tagged (e.g. if security backports have not yet been merged and tagged) + ```bash + ./tools/relprep.py --mullvad-browser --date ${RELEASE_DATE} ${MULLVAD_BROWSER_VERSION} + ``` +- [ ] Review build configuration changes: + - [ ] `rbm.conf` + - [ ] `var/torbrowser_version`: updated to next browser version + - [ ] `var/torbrowser_build`: updated to `${MULLVAD_BROWSER_BUILD_N}` + - [ ] `var/browser_release_date`: updated to build date. For the build to be reproducible, the date should be in the past when building. + - **⚠️ WARNING**: If we have updated `var/torbrowser_build` without updating the `firefox` tag, then we can leave this unchanged to avoid forcing a firefox re-build (e.g. when bumping `var/torbrowser_build` to build2, build3, etc due to non-firefox related build issues) + - [ ] `var/torbrowser_incremental_from`: updated to previous Desktop version + - **NOTE**: We try to build incrementals for the previous 3 desktop versions + - **⚠️ WARNING**: Really *actually* make sure this is the previous Desktop version or else the `make mullvadbrowser-incrementals-*` step will fail + - [ ] `projects/firefox/config` + - [ ] `browser_build`: updated to match `mullvad-browser` tag + - [ ] ***(Optional)*** `var/firefox_platform_version`: updated to latest `${ESR_VERSION}` if rebased + - [ ] ***(Optional)*** `projects/translation/config`: + - [ ] `steps/base-browser/git_hash`: updated with `HEAD` commit of project's `base-browser` branch + - [ ] `steps/mullvad-browser/git_hash`: updated with `HEAD` commit of project's `mullvad-browser` branch + - [ ] ***(Optional)*** `projects/browser/config`: + - [ ] NoScript: https://addons.mozilla.org/en-US/firefox/addon/noscript + - [ ] `URL` updated + - **⚠️ WARNING**: If preparing the release manually, updating the version number in the url is not sufficient, as each version has a random unique id in the download url + - [ ] `sha256sum` updated + - [ ] uBlock-origin: https://addons.mozilla.org/en-US/firefox/addon/ublock-origin + - [ ] `URL` updated + - **⚠️ WARNING**: If preparing the release manually, updating the version number in the url is not sufficient, as each version has a random unique id in the download url + - [ ] `sha256sum` updated + - [ ] Mullvad Browser extension: https://github.com/mullvad/browser-extension/releases + - [ ] `URL` updated + - [ ] `sha256sum` updated + - [ ] `ChangeLog-MB.txt`: ensure correctness + - [ ] Browser name correct + - [ ] Release date correct + - [ ] No Android updates + - [ ] All issues added under correct platform + - [ ] ESR updates correct + - [ ] Component updates correct - [ ] Open MR with above changes, using the template for release preparations + - **NOTE**: target the `maint-14.0` branch - [ ] Merge - [ ] Sign+Tag - **NOTE** this must be done by one of: @@ -86,16 +99,25 @@ Mullvad Browser Stable lives in the various `maint-$(MULLVAD_BROWSER_MAJOR).$(MU - ma1 - morgan - pierov - - [ ] Run: `make mullvadbrowser-signtag-release` + - [ ] Run: + ```bash + make mullvadbrowser-signtag-release + ``` - [ ] Push tag to `upstream` - [ ] Build the tag: - - Run `make mullvadbrowser-release && make mullvadbrowser-incrementals-release` + - [ ] Run: + ```bash + make mullvadbrowser-release && make mullvadbrowser-incrementals-release + ``` - [ ] Tor Project build machine - [ ] Local developer machine - [ ] Submit build request to Mullvad infrastructure: - **NOTE** this requires a devmole authentication token - - Run `make mullvadbrowser-kick-devmole-build` -- [ ] Ensure builders have matching builds + - **NOTE** this also requires you be connected to a Swedish Mulvad VPN exit + - [ ] Run: + ```bash + make mullvadbrowser-kick-devmole-build + ``` </details> @@ -105,64 +127,84 @@ Mullvad Browser Stable lives in the various `maint-$(MULLVAD_BROWSER_MAJOR).$(MU ### release signing - [ ] Assign this issue to the signer, one of: - boklm + - ma1 - morgan -- [ ] On `$(STAGING_SERVER)`, ensure updated: - - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-$(MULLVAD_BROWSER_VERSION)-$(MULLVAD_BROWSER_BUILD_N) && git checkout tbb-$(MULLVAD_BROWSER_VERSION)-$(MULLVAD_BROWSER_BUILD_N)` - - [ ] `tor-browser-build/tools/signing/set-config.hosts` - - `ssh_host_builder` : ssh hostname of machine with unsigned builds - - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory) - - `ssh_host_linux_signer` : ssh hostname of linux signing machine + - pierov +- [ ] Ensure all builders have matching builds +- [ ] On `${STAGING_SERVER}`, ensure updated: + - **NOTE** Having a local git branch with `maint-14.0` as the upstream branch with these values saved means you only need to periodically `git pull --rebase` and update the `set-config.tbb-version` file + - [ ] `tor-browser-build` is on the right commit: `git tag -v mb-${MULLVAD_BROWSER_VERSION}-${MULLVAD_BROWSER_BUILD_N} && git checkout mb-${MULLVAD_BROWSER_VERSION}-${MULLVAD_BROWSER_BUILD_N}` + - [ ] `tor-browser-build/tools/signing/set-config.hosts` + - `ssh_host_builder`: ssh hostname of machine with unsigned builds + - `ssh_host_linux_signer`: ssh hostname of linux signing machine + - `builder_tor_browser_build_dir`: path on `ssh_host_builder` to root of builder's `tor-browser-build` clone containing unsigned builds - [ ] `tor-browser-build/tools/signing/set-config.rcodesign-appstoreconnect` - - `appstoreconnect_api_key_path` : path to json file containing appstoreconnect api key infos + - `appstoreconnect_api_key_path`: path to json file containing appstoreconnect api key infos - [ ] `set-config.update-responses` - - `update_responses_repository_dir` : directory where you cloned `git@gitlab.torproject.org:tpo/applications/mullvad-browser-update-responses.git` + - `update_responses_repository_dir`: directory where you cloned `git@gitlab.torproject.org:tpo/applications/mullvad-browser-update-responses.git` - [ ] `tor-browser-build/tools/signing/set-config.tbb-version` - - `tbb_version` : mullvad browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`) - - `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`) - - `tbb_version_type` : either `alpha` for alpha releases or `release` for stable releases -- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050 -- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, run do-all-signing script: - - `cd tor-browser-build/tools/signing/` - - `./do-all-signing.mullvadbrowser` -- **NOTE**: at this point the signed binaries should have been copied to `staticiforme` -- [ ] Update `staticiforme.torproject.org`: - - From `screen` session on `staticiforme.torproject.org`: - - [ ] Remove old release data from `/srv/dist-master.torproject.org/htdocs/mullvadbrowser` - - [ ] Static update components (again) : `static-update-component dist.torproject.org` + - `tbb_version`: mullvad browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`) + - `tbb_version_build`: the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`) + - `tbb_version_type`: either `alpha` for alpha releases or `release` for stable releases +- [ ] On `${STAGING_SERVER}` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050 +- [ ] On `${STAGING_SERVER}` in a separate `screen` session, run do-all-signing script: + - [ ] Run: + ```bash + cd tor-browser-build/tools/signing/ && ./do-all-signing.mullvadbrowser + ``` + - **NOTE**: on successful execution, the signed binaries and mars should have been copied to `staticiforme` and update responses pushed </details> <details> <summary>Publishing</summary> +### website +- [ ] On `staticiforme.torproject.org`, remove old release and publish new: + - [ ] `/srv/dist-master.torproject.org/htdocs/mullvadbrowser` + - [ ] Run: + ```bash + static-update-component dist.torproject.org + ``` + ### mullvad-browser (GitHub): https://github.com/mullvad/mullvad-browser/ - [ ] Assign this issue to someone with mullvad commit access, one of: - boklm - ma1 - morgan - pierov +- [ ] Sign+Tag additionally the `mullvad-browser.git` `firefox` commit used in build: + - **Tag**: `${MULLVAD_BROWSER_VERSION}` + - **example**: `12.5a7` + - **Message**: `${ESR_VERSION}esr-based ${MULLVAD_BROWSER_VERSION}` + - **example**: `102.12.0esr-based 12.5a7` - [ ] Push this release's associated `mullvad-browser.git` branch to github - [ ] Push this release's associated tags to github: - [ ] Firefox ESR tag - - **example** : `FIREFOX_102_12_0esr_BUILD1` + - **example**: `FIREFOX_102_12_0esr_BUILD1` - [ ] `base-browser` tag - - **example** : `base-browser-102.12.0esr-12.0-1-build1` - - [ ] `mullvad-browser` tag - - **example** : `mullvad-browser-102.12.0esr-12.0-1-build1` -- [ ] Sign+Tag additionally the `mullvad-browser.git` `firefox` commit used in build: - - **Tag**: `$(MULLVAD_BROWSER_VERSION)` - - **example** : `12.0.7` - - **Message**: `$(ESR_VERSION)esr-based $(MULLVAD_BROWSER_VERSION)` - - **example** : `102.12.0esr-based 12.0.7` - - [ ] Push tag to github - -### email -- [ ] **(Once branch+tags pushed to GitHub)** Email Mullvad with release information: - - [ ] support alias: support(a)mullvadvpn.net - - [ ] Rui: rui(a)mullvad.net + - **example**: `base-browser-102.12.0esr-12.0-1-build1` + - [ ] `mullvad-browser` build tag + - **example**: `mullvad-browser-102.12.0esr-12.0-1-build1` + - [ ] `mullvad-browser` release tag + - **example**: `12.0.11` + +</details> + +<details> + <summary>Communications</summary> + +### Mullvad +- [ ] Email Mullvad with release information: + - **Recipients** + - Mullvad support alias: support(a)mullvadvpn.net + - Rui Hildt: rui(a)mullvad.net + ``` + support(a)mullvadvpn.net rui(a)mullvad.net + ``` - **Subject** ``` - New build: Mullvad Browser $(MULLVAD_BROWSER_VERION) (signed) + New build: Mullvad Browser ${MULLVAD_BROWSER_VERION} (signed) ``` - **Body** ``` @@ -170,27 +212,26 @@ Mullvad Browser Stable lives in the various `maint-$(MULLVAD_BROWSER_MAJOR).$(MU Branch+Tags have been pushed to Mullvad's GitHub repo. - - signed builds: https://dist.torproject.org/mullvadbrowser/$(MULLVAD_BROWSER_VERSION) - - update_response hashes: $(MULLVAD_UPDATE_RESPONSES_HASH) + - signed builds: https://dist.torproject.org/mullvadbrowser/${MULLVAD_BROWSER_VERSION} + - update_response hashes: ${MULLVAD_UPDATE_RESPONSES_HASH} changelog: + # paste changelog as quote here ... ``` -</details> - -<details> - <summary>Downstream</summary> - -### notify packagers -These steps depend on Mullvad having updated their [GitHub Releases](https://github.com/mullvad/mullvad-browser/releases/) page with the latest release -- [ ] Email downstream consumers: - - [ ] flathub package maintainer: proletarius101(a)protonmail.com - - [ ] arch package maintainer: bootctl(a)gmail.com - - [ ] nixOS package maintainer: dev(a)felschr.com +### packagers +- [ ] **(Once Packages are pushed to GitHub)** + - **Recipients** + - flathub package maintainer: proletarius101(a)protonmail.com + - arch package maintainer: bootctl(a)gmail.com + - nixOS package maintainer: dev(a)felschr.com + ``` + proletarius101(a)protonmail.com bootctl(a)gmail.com dev(a)felschr.com + ``` - **Subject** ``` - Mullvad Browser $(MULLVAD_BROWSER_VERSION) released + Mullvad Browser ${MULLVAD_BROWSER_VERSION} released ``` - **Body** ``` @@ -204,11 +245,12 @@ These steps depend on Mullvad having updated their [GitHub Releases](https://git ``` ### merge requests -- [ ] homebrew: https://github.com/Homebrew/homebrew-cask/blob/master/Casks/m/mullvad-brows… - - **NOTE**: should just need to update `version` and `sha256` to latest +- [ ] **(Once Packages are pushed to GitHub)** + - [ ] homebrew: https://github.com/Homebrew/homebrew-cask/blob/master/Casks/m/mullvad-brows… + - **NOTE**: a bot seems to pick this up without needing our intervention these days + - **NOTE**: should just need to update `version` and `sha256` to latest </details> /label ~"Release Prep" -/label ~"Sponsor 131" - +/label ~"Sponsor 131" ===================================== .gitlab/issue_templates/Release Prep - Tor Browser Alpha.md ===================================== @@ -1,112 +1,120 @@ +# Release Prep Tor Browser Alpha + +- **NOTE** It is assumed the `tor-browser` alpha rebase and security backport tasks have been completed +- **NOTE** This can/is often done in conjunction with the equivalent Mullvad Browser release prep issue + <details> <summary>Explanation of variables</summary> -- `$(BUILD_SERVER)` : the server the main builder is using to build a tor-browser release -- `$(BUILDER)` : whomever is building the release on the $(BUILD_SERVER) - - **example** : `pierov` -- `$(STAGING_SERVER)` : the server the signer is using to to run the signing process -- `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc - - **example** : `91.6.0` -- `$(TOR_BROWSER_MAJOR)` : the Tor Browser major version - - **example** : `11` -- `$(TOR_BROWSER_MINOR)` : the Tor Browser minor version - - **example** : either `0` or `5`; Alpha's is always `(Stable + 5) % 10` -- `$(TOR_BROWSER_VERSION)` : the Tor Browser version in the format - - **example** : `12.5a3`, `12.0.3` -- `$(BUILD_N)` : a project's build revision within a its branch; this is separate from the `$(TOR_BROWSER_BUILD_N)` value; many of the Firefox-related projects have a `$(BUILD_N)` suffix and may differ between projects even when they contribute to the same build. - - **example** : `build1` -- `$(TOR_BROWSER_BUILD_N)` : the tor-browser build revision for a given Tor Browser release; used in tagging git commits - - **example** : `build2` - - **NOTE** : A project's `$(BUILD_N)` and `$(TOR_BROWSER_BUILD_N)` may be the same, but it is possible for them to diverge. For example : - - if we have multiple Tor Browser releases on a given ESR branch the two will become out of sync as the `$(BUILD_N)` value will increase, while the `$(TOR_BROWSER_BUILD_N)` value may stay at `build1` (but the `$(TOR_BROWSER_VERSION)` will increase) - - if we have build failures unrelated to `tor-browser`, the `$(TOR_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same. -- `$(TOR_BROWSER_VERSION)` : the published Tor Browser version - - **example** : `11.5a6`, `11.0.7` -- `$(TBB_BUILD_TAG)` : the `tor-browser-build` build tag used to build a given Tor Browser version - - **example** : `tbb-12.5a7-build1` -</details> +- `${BUILD_SERVER}`: the server the main builder is using to build a browser release +- `${BUILDER}`: whomever is building the release on the ${BUILD_SERVER} + - **example**: `pierov` +- `${STAGING_SERVER}`: the server the signer is using to to run the signing process +- `${ESR_VERSION}`: the Mozilla defined ESR version, used in various places for building browser tags, labels, etc + - **example**: `91.6.0` +- `${TOR_BROWSER_MAJOR}`: the Tor Browser major version + - **example**: `11` +- `${TOR_BROWSER_MINOR}`: the Tor Browser minor version + - **example**: either `0` or `5`; Alpha's is always `(Stable + 5) % 10` +- `${TOR_BROWSER_VERSION}`: the Tor Browser version in the format + - **example**: `12.5a3`, `12.0.3` +- `${BUILD_N}`: a project's build revision within a its branch; this is separate from the `${TOR_BROWSER_BUILD_N}` value; many of the Firefox-related projects have a `${BUILD_N}` suffix and may differ between projects even when they contribute to the same build. + - **example**: `build1` +- `${TOR_BROWSER_BUILD_N}`: the tor-browser build revision for a given Tor Browser release; used in tagging git commits + - **example**: `build2` + - **⚠️ WARNING**: A project's `${BUILD_N}` and `${TOR_BROWSER_BUILD_N}` may be the same, but it is possible for them to diverge. For example : + - if we have multiple Tor Browser releases on a given ESR branch the two will become out of sync as the `${BUILD_N}` value will increase, while the `${TOR_BROWSER_BUILD_N}` value may stay at `build1` (but the `${TOR_BROWSER_VERSION}` will increase) + - if we have build failures unrelated to `tor-browser`, the `${TOR_BROWSER_BUILD_N}` value will increase while the `${BUILD_N}` will stay the same. +- `${TOR_BROWSER_VERSION}`: the published Tor Browser version + - **example**: `11.5a6`, `11.0.7` +- `${TBB_BUILD_TAG}`: the `tor-browser-build` build tag used to build a given Tor Browser version + - **example**: `tbb-12.5a7-build1` +- `${RELEASE_DATE}`: the intended release date of this browser release; for ESR schedule-driven releases, this should match the upstream Firefox release date + - **example**: `2024-10-29` -**NOTE** It is assumed that the `tor-browser` stable rebase and security backport tasks have been completed -**NOTE** This can/is often done in conjunction with the equivalent Mullvad Browser release prep issue +</details> <details> - <summary>Building</summary> + <summary>Build Configuration</summary> + +### tor-browser: https://gitlab.torproject.org/tpo/applications/tor-browser.git + +- [ ] Tag `tor-browser` in tor-browser.git + - **example**: `tor-browser-128.4.0esr-14.5-1-build1` ### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git Tor Browser Alpha (and Nightly) are on the `main` branch -- [ ] Update `rbm.conf` - - [ ] `var/torbrowser_version` : update to next version - - [ ] `var/torbrowser_build` : update to `$(TOR_BROWSER_BUILD_N)` - - [ ] `var/browser_release_date` : update to build date. For the build to be reproducible, the date should be in the past when building. - - [ ] ***(Desktop Only)*** `var/torbrowser_incremental_from` : update to previous Desktop version - - **NOTE**: We try to build incrementals for the previous 3 desktop versions except in the case of a watershed update - - **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make torbrowser-incrementals-*` step will fail -- [ ] Update Desktop-specific build configs - - [ ] Update `projects/firefox/config` - - [ ] `browser_build` : update to match `tor-browser` tag - - [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased -- [ ] Update Android-specific build configs - - [ ] Update `projects/geckoview/config` - - [ ] `browser_build` : update to match `tor-browser` tag - - [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased - - [ ] ***(Optional)*** Update `projects/application-services/config`: - **NOTE** we don't currently have any of our own patches for this project - - [ ] `git_hash` : update to appropriate git commit associated with `$(ESR_VERSION)` -- [ ] Update `projects/translation/config`: - - [ ] run `make list_translation_updates-alpha` to get updated hashes - - [ ] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch - - [ ] `steps/tor-browser/git_hash` : update with `HEAD` commit of project's `tor-browser` branch - - [ ] `steps/fenix/git_hash` : update with `HEAD` commit of project's `fenix-torbrowserstringsxml` branch -- [ ] Update common build configs - - [ ] Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript - - [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/browser/config` - - [ ] `URL` - - [ ] `sha256sum` - - [ ] Check for OpenSSL updates here : https://www.openssl.org/source/ - - [ ] ***(Optional)*** If new 3.0.X version available, update `projects/openssl/config` - - [ ] `version` : update to next 3.0.X version - - [ ] `input_files/sha256sum` : update to sha256 sum of source tarball - - [ ] Check for zlib updates here: https://github.com/madler/zlib/releases - - [ ] **(Optional)** If new tag available, update `projects/zlib/config` - - [ ] `version` : update to next release tag - - [ ] Check for Zstandard updates here: https://github.com/facebook/zstd/releases - - [ ] **(Optional)** If new tag available, update `projects/zstd/config` - - [ ] `version` : update to next release tag - - [ ] `git_hash`: update to the commit corresponding to the tag (we don't check signatures for Zstandard) - - [ ] Check for tor updates here : https://gitlab.torproject.org/tpo/core/tor/-/tags - - [ ] ***(Optional)*** Update `projects/tor/config` - - [ ] `version` : update to latest `-alpha` tag or release tag if newer (ping dgoulet or ahf if unsure) - - [ ] Check for go updates here : https://go.dev/dl - - **NOTE** : In general, Tor Browser Alpha uses the latest Stable major series Go version, but there are sometimes exceptions. Check with the anti-censorship team before doing a major version update in case there is incompatibilities. - - [ ] ***(Optional)*** Update `projects/go/config` - - [ ] `version` : update go version - - [ ] `input_files/sha256sum` for `go` : update sha256sum of archive (sha256 sums are displayed on the go download page) - - [ ] Check for manual updates by running (from `tor-browser-build` root): `./tools/update_manual.py` - - [ ] ***(Optional)*** If new version is available: - - [ ] Upload the downloaded `manual_$PIPELINEID.zip` file to `tb-build-02.torproject.org` - - The script will tell if it's necessary to - - [ ] Deploy to `tb-builder`'s `public_html` directory: - - `sudo -u tb-builder cp manual_$PIPELINEID.zip ~tb-builder/public_html/.` - - [ ] Add `projects/manual/config` to the stage area if the script updated it. -- [ ] Update `ChangeLog-TBB.txt` - - [ ] Ensure `ChangeLog-TBB.txt` is sync'd between alpha and stable branches - - [ ] Check the linked issues: ask people to check if any are missing, remove the not fixed ones - - [ ] Run `./tools/fetch_changelogs.py $(ISSUE_NUMBER) --date $date $updateArgs` - - Make sure you have `requests` installed (e.g., `apt install python3-requests`) - - The first time you run this script you will need to generate an access token; the script will guide you - - `$updateArgs` should be these arguments, depending on what you actually updated: - - [ ] `--firefox` (be sure to include esr at the end if needed, which is usually the case) - - [ ] `--tor` - - [ ] `--no-script` - - [ ] `--openssl` - - [ ] `--zlib` - - [ ] `--zstd` - - [ ] `--go` - - E.g., `./tools/fetch_changelogs.py 41028 --date 'December 19 2023' --firefox 115.6.0esr --tor 0.4.8.10 --no-script 11.4.29 --zlib 1.3 --go 1.21.5 --openssl 3.0.12` - - `--date $date` is optional, if omitted it will be the date on which you run the command - - [ ] Copy the output of the script to the beginning of `ChangeLog-TBB.txt` and adjust its output +- [ ] Changelog bookkeeping: + - [ ] Ensure all commits to `tor-browser` and `tor-browser-build` for this release have an associated issue linked to this release preparation issue + - [ ] Ensure each issue has a platform (~Windows, ~MacOS, ~Linux, ~Android, ~Desktop, ~"All Platforms") and potentially ~"Build System" labels +- [ ] Create a release preparation branch from the `main` branch +- [ ] Run release preparation script: + - **NOTE**: You can omit the `--tor-browser` argument if this is for a jointt Tor and Mullvad Browser release + - **⚠️ WARNING**: You may need to manually update the `firefox/config` and `geckoview/config` files' `browser_build` field if `tor-browser.git` has not yet been tagged (e.g. if security backports have not yet been merged and tagged) + ```bash + ./tools/relprep.py --tor-browser --date ${RELEASE_DATE} ${TOR_BROWSER_VERSION} + ``` +- [ ] Review build configuration changes: + - [ ] `rbm.conf` + - [ ] `var/torbrowser_version`: updated to next browser version + - [ ] `var/torbrowser_build`: updated to `${TOR_BROWSER_BUILD_N}` + - [ ] `var/browser_release_date`: updated to build date. For the build to be reproducible, the date should be in the past when building. + - **⚠️ WARNING**: If we have updated `var/torbrowser_build` without updating the `firefox` or `geckoview` tags, then we can leave this unchanged to avoid forcing a firefox re-build (e.g. when bumping `var/torbrwoser_build` to build2, build3, etc due to non-firefox related build issues) + - [ ] ***(Desktop Only)*** `var/torbrowser_incremental_from`: updated to previous Desktop version + - **NOTE**: We try to build incrementals for the previous 3 desktop versions + - **⚠️ WARNING**: Really *actually* make sure this is the previous Desktop version or else the `make torbrowser-incrementals-*` step will fail + - [ ] `projects/firefox/config` + - [ ] `browser_build`: updated to match `tor-browser` tag + - [ ] ***(Optional)*** `var/firefox_platform_version`: updated to latest `${ESR_VERSION}` if rebased + - [ ] `projects/geckoview/config` + - [ ] `browser_build`: updated to match `tor-browser` tag + - [ ] ***(Optional)*** `var/firefox_platform_version`: updated to latest `${ESR_VERSION}` if rebased + - [ ] ***(Optional)*** `projects/translation/config`: + - [ ] `steps/base-browser/git_hash`: updated with `HEAD` commit of project's `base-browser` branch + - [ ] `steps/tor-browser/git_hash`: updated with `HEAD` commit of project's `tor-browser` branch + - [ ] `steps/fenix/git_hash`: updated with `HEAD` commit of project's `fenix-torbrowserstringsxml` branch + - [ ] ***(Optional)*** `projects/browser/config`: + - [ ] NoScript: https://addons.mozilla.org/en-US/firefox/addon/noscript + - [ ] `URL` updated + - **⚠️ WARNING**: If preparing the release manually, updating the version number in the url is not sufficient, as each version has a random unique id in the download url + - [ ] `sha256sum` updated + - [ ] ***(Optional)*** `projects/openssl/config`: https://www.openssl.org/source/ + - **NOTE**: Only if new LTS version (3.0.X currrently) available + - [ ] `version`: updated to next LTS version + - [ ] `input_files/sha256sum`: updated to sha256 sum of source tarball + - [ ] **(Optional)** `projects/zlib/config`: https://github.com/madler/zlib/releases + - **NOTE**: Only if new tag available + - [ ] `version`: updated to next release tag + - [ ] **(Optional)** `projects/zstd/config`: https://github.com/facebook/zstd/releases + - **NOTE**: Only if new tag available; Android-only for now + - [ ] `version`: updated to next release tag + - [ ] `git_hash`: updated to the commit corresponding to the tag (we don't check signatures for Zstandard) + - [ ] **(Optional)** `projects/tor/config` https://gitlab.torproject.org/tpo/core/tor/-/tags + - [ ] `version`: updated to latest `-alpha` tag or release tag if newer (ping **dgoulet** or **ahf** if unsure) + - [ ] **(Optional)** `projects/go/config` https://go.dev/dl + - **NOTE**: In general, Tor Browser Alpha uses the latest Stable major series Go version, but there are sometimes exceptions. Check with the anti-censorship team before doing a major version update in case there is incompatibilities. + - [ ] `version`: updated go version + - [ ] `input_files/sha256sum` for `go`: update sha256sum of archive (sha256 sums are displayed on the go download page) + - [ ] **(Optional)** `projects/manual/config` + - [ ] `version`: updated to latest pipeline id + - [ ] `input_files/shasum` for `manual`: updated to manual hash + - [ ] Upload the downloaded `manual_${PIPELINEID}.zip` file to `tb-build-02.torproject.org` + - [ ] Deploy to `tb-builder`'s `public_html` directory: + - [ ] Run: + ```bash + sudo -u tb-builder cp manual_${PIPELINEID}.zip ~tb-builder/public_html/. + ``` + - `sudo` documentation for TPO machines: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/doc/accounts#changingres… + - [ ] `ChangeLog-TBB.txt`: ensure correctness + - [ ] Browser name correct + - [ ] Release date correct + - [ ] No Android updates on a desktop-only release and vice-versa + - [ ] All issues added under correct platform + - [ ] ESR updates correct + - [ ] Component updates correct - [ ] Open MR with above changes, using the template for release preparations + - **NOTE**: target the `main` branch - [ ] Merge - [ ] Sign+Tag - **NOTE** this must be done by one of: @@ -115,55 +123,53 @@ Tor Browser Alpha (and Nightly) are on the `main` branch - ma1 - morgan - pierov - - [ ] Run: `make torbrowser-signtag-alpha` + - [ ] Run: + ```bash + make torbrowser-signtag-alpha + ``` - [ ] Push tag to `upstream` - [ ] Build the tag: - - Run `make torbrowser-alpha && make torbrowser-incrementals-alpha` + - [ ] Run: + ```bash + make torbrowser-alpha && make torbrowser-incrementals-alpha + ``` - [ ] Tor Project build machine - [ ] Local developer machine - [ ] Submit build request to Mullvad infrastructure: - **NOTE** this requires a devmole authentication token - - Run `make torbrowser-kick-devmole-build` -- [ ] Ensure builders have matching builds + - **NOTE** this also requires you be connected to a Swedish Mulvad VPN exit + - [ ] Run: + ```bash + make torbrowser-kick-devmole-build + ``` </details> <details> - <summary>Communications</summary> - -### notify stakeholders -- [ ] **(Once builds confirmed matching)** Email tor-qa mailing list with release information - - [ ] tor-qa: tor-qa(a)lists.torproject.org - - **Subject** - ``` - Tor Browser $(TOR_BROWSER_VERION) (Android, Windows, macOS, Linux) - ``` - - **Body** - ``` - Hello, - - Unsigned Tor Browser $(TOR_BROWSER_VERSION) alpha candidate builds are now available for testing: - - - https://tb-build-02.torproject.org/~$(BUILDER)/builds/torbrowser/alpha/unsi… - - The full changelog can be found here: - - - https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/raw/$(TB… - ``` -- [ ] ***(Optional, only around build/packaging changes)*** Email packagers: - - [ ] Tails dev mailing list: tails-dev(a)boum.org - - [ ] Guardian Project: nathan(a)guardianproject.info - - [ ] FreeBSD port: freebsd(a)sysctl.cz  - - [ ] OpenBSD port: caspar(a)schutijser.com  - - [ ] Anti-Censorship: meskio(a)torproject.org - - [ ] Note any changes which may affect packaging/downstream integration -- [ ] ***(Optional, only after internal API-breaking changes)*** Email downstream project maintainers: - - [ ] selenium-tor: matzfan(a)tempr.email  -- [ ] ***(Optional, after ESR migration)*** Email external partners: - - [ ] Cloudflare: ask-research(a)cloudflare.com - - **NOTE** : We need to provide them with updated user agent string so they can update their internal machinery to prevent Tor Browser users from getting so many CAPTCHAs - - [ ] Startpage: admin(a)startpage.com - - **NOTE** : Startpage also needs the updated user-agent string for better experience on their onion service sites. + <summary>Website</summary> + + ### downloads: https://gitlab.torproject.org/tpo/web/tpo.git + - [ ] `databags/versions.ini`: Update the downloads versions + - `torbrowser-stable/version`: catch-all for latest stable version + - `torbrowser-alpha/version`: catch-all for latest alpha version + - `torbrowser-legacy/version`: catch-all for latest ESR-115 version + - `torbrowser-*-stable/version`: platform-specific stable versions + - `torbrowser-*-alpha/version`: platform-specific alpha versions + - `torbrowser-*-legacy/version`: platform-specific legacy versions + - [ ] Push to origin as new branch and create MR + - [ ] Review + - [ ] Merge + - **⚠️ WARNING**: Do not deploy yet! + + ### blog: https://gitlab.torproject.org/tpo/web/blog.git + - [ ] Run `tools/signing/create-blog-post` which should create the new blog post from a template (edit set-config.blog to set you local blog directory) + - [ ] Note any ESR update + - [ ] Thank any users which have contributed patches + - [ ] **(Optional)** Draft any additional sections for new features which need testing, known issues, etc + - [ ] Push to origin as new branch and open MR + - [ ] Review + - [ ] Merge + - **⚠️ WARNING**: Do not deploy yet! </details> @@ -171,38 +177,34 @@ Tor Browser Alpha (and Nightly) are on the `main` branch <summary>Signing</summary> ### release signing -- **NOTE** : In practice, it's most efficient to have the blog post and website updates ready to merge, since signing doesn't take very long - [ ] Assign this issue to the signer, one of: - boklm + - ma1 - morgan -- [ ] On `$(STAGING_SERVER)`, ensure updated: - - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-$(TOR_BROWSER_VERSION)-$(TOR_BROWSER_BUILD_N) && git checkout tbb-$(TOR_BROWSER_VERSION)-$(TOR_BROWSER_BUILD_N)` + - pierov +- [ ] Ensure all builders have matching builds +- [ ] On `${STAGING_SERVER}`, ensure updated: + - **NOTE** Having a local git branch with `main` as the upstream branch with these values saved means you only need to periodically `git pull --rebase` and update the `set-config.tbb-version` file + - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-${TOR_BROWSER_VERSION}-${TOR_BROWSER_BUILD_N} && git checkout tbb-${TOR_BROWSER_VERSION}-${TOR_BROWSER_BUILD_N}` - [ ] `tor-browser-build/tools/signing/set-config.hosts` - - `ssh_host_builder` : ssh hostname of machine with unsigned builds - - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory) - - `ssh_host_linux_signer` : ssh hostname of linux signing machine + - `ssh_host_builder`: ssh hostname of machine with unsigned builds + - `ssh_host_linux_signer`: ssh hostname of linux signing machine + - `builder_tor_browser_build_dir`: path on `ssh_host_builder` to root of builder's `tor-browser-build` clone containing unsigned builds - [ ] `tor-browser-build/tools/signing/set-config.rcodesign-appstoreconnect` - - `appstoreconnect_api_key_path` : path to json file containing appstoreconnect api key infos + - `appstoreconnect_api_key_path`: path to json file containing appstoreconnect api key infos - [ ] `set-config.update-responses` - - `update_responses_repository_dir` : directory where you cloned `git@gitlab.torproject.org:tpo/applications/tor-browser-update-responses.git` + - `update_responses_repository_dir`: directory where you cloned `git@gitlab.torproject.org:tpo/applications/tor-browser-update-responses.git` - [ ] `tor-browser-build/tools/signing/set-config.tbb-version` - - `tbb_version` : tor browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`) - - `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`) - - `tbb_version_type` : either `alpha` for alpha releases or `release` for stable releases -- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050 -- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, run do-all-signing script: - - `cd tor-browser-build/tools/signing/` - - `./do-all-signing.torbrowser` -- **NOTE**: at this point the signed binaries should have been copied to `staticiforme` -- [ ] Update `staticiforme.torproject.org`: - - From `screen` session on `staticiforme.torproject.org`: - - [ ] Static update components : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org` - - [ ] Enable update responses : `sudo -u tb-release ./deploy_update_responses-alpha.sh` - - [ ] Remove old release data from following places: - - **NOTE** : Skip this step if we need to hold on to older versions for some reason (for example, this is an Andoid or Desktop-only release, or if we need to hold back installers in favor of build-to-build updates if there are signing issues, etc) - - [ ] `/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser` - - [ ] `/srv/dist-master.torproject.org/htdocs/torbrowser` - - [ ] Static update components (again) : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org` + - `tbb_version`: tor browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`) + - `tbb_version_build`: the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`) + - `tbb_version_type`: either `alpha` for alpha releases or `release` for stable releases +- [ ] On `${STAGING_SERVER}` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050 +- [ ] On `${STAGING_SERVER}` in a separate `screen` session, run do-all-signing script: + - [ ] Run: + ```bash + cd tor-browser-build/tools/signing/ && ./do-all-signing.torbrowser + ``` + - **NOTE**: on successful execution, the signed binaries and mars should have been copied to `staticiforme` and update responses pushed </details> @@ -242,6 +244,28 @@ popd <details> <summary>Publishing</summary> +### website +- [ ] On `staticiforme.torproject.org`, static update components: + - [ ] Run: + ```bash + static-update-component cdn.torproject.org && static-update-component dist.torproject.org + ``` +- [ ] Deploy `tor-website` MR +- [ ] Deploy `tor-blog` MR +- [ ] On `staticiforme.torproject.org`, enable update responses: + - [ ] Run: + ```bash + sudo -u tb-release ./deploy_update_responses-alpha.sh + ``` +- [ ] On `staticiforme.torproject.org`, remove old release: + - **NOTE**: Skip this step if we need to hold on to older versions for some reason (for example, this is an Andoid or Desktop-only release, or if we need to hold back installers in favor of build-to-build updates if there are signing issues, etc) + - [ ] `/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser` + - [ ] `/srv/dist-master.torproject.org/htdocs/torbrowser` + - [ ] Run: + ```bash + static-update-component cdn.torproject.org && static-update-component dist.torproject.org + ``` + ### Google Play: https://play.google.com/apps/publish - [ ] Publish APKs to Google Play: - Select `Tor Browser (Alpha)` app @@ -256,46 +280,70 @@ popd - [ ] 100% rollout when publishing a security-driven release - [ ] Update rollout percentage to 100% after confirmed no major issues -### website: https://gitlab.torproject.org/tpo/web/tpo.git -- [ ] `databags/versions.ini` : Update the downloads versions - - `torbrowser-stable/version` : sort of a catch-all for latest stable version - - `torbrowser-alpha/version` : sort of a catch-all for latest stable version - - `torbrowser-*-stable/version` : platform-specific stable versions - - `torbrowser-*-alpha/version` : platform-specific alpha versions - - `tor-stable`,`tor-alpha` : set by tor devs, do not touch -- [ ] Push to origin as new branch, open 'Draft :' MR -- [ ] Remove `Draft:` from MR once signed-packages are accessible on https://dist.torproject.org -- [ ] Merge -- [ ] Publish after CI passes and builds are published - -### blog: https://gitlab.torproject.org/tpo/web/blog.git -- [ ] Run `tools/signing/create-blog-post` which should create the new blog post from a template (edit set-config.blog to set you local blog directory) - - [ ] Note any ESR update - - [ ] Note any updates to dependencies (OpenSSL, zlib, NoScript, tor, etc) - - [ ] Thank any users which have contributed patches - - [ ] **(Optional)** Draft any additional sections for new features which need testing, known issues, etc -- [ ] Push to origin as new branch, open `Draft:` MR -- [ ] Merge once signed-packages are accessible on https://dist.torproject.org -- [ ] Publish after CI passes and website has been updated +</details> + +<details> + <summary>Communications</summary> ### tor-announce mailing list -- [ ] Email tor-announce mailing list: tor-announce(a)lists.torproject.org +- [ ] Email tor-announce mailing list + - **Recipients** + ``` + tor-announce(a)lists.torproject.org + ``` - **Subject** ``` - New Release: Tor Browser $(TOR_BROWSER_VERSION) (Android, Windows, macOS, Linux) + New Release: Tor Browser ${TOR_BROWSER_VERSION} (Android, Windows, macOS, Linux) ``` - **Body** ``` Hi everyone, - Tor Browser $(TOR_BROWSER_VERSION) has now been published for all platforms. For details please see our blog post: - - $(BLOG_POST_URL) + Tor Browser ${TOR_BROWSER_VERSION} has now been published for all platforms. For details please see our blog post: + - ${BLOG_POST_URL} Changelog: - # paste changleog as quote here + # paste changelog as quote here ``` +### packagers +- [ ] ***(Optional, only around build/packaging changes)*** Email packagers: + - **Recipients** + - Tails dev mailing list: tails-dev(a)boum.org + - Guardian Project: nathan(a)guardianproject.info + - FreeBSD port: freebsd(a)sysctl.cz  + - OpenBSD port: caspar(a)schutijser.com  + - torbrowser-launcher: mail(a)asciiwolf.com  + - Anti-Censorship: meskio(a)torproject.org  + ``` + tails-dev(a)boum.org nathan(a)guardianproject.info freebsd(a)sysctl.cz caspar(a)schutijser.com mail(a)asciiwolf.com meskio(a)torproject.org + ``` + - **Subject** + ``` + New Release: Tor Browser ${TOR_BROWSER_VERSION} (Android, Windows, macOS, Linux) + ``` + - [ ] Note any changes which may affect packaging/downstream integration + +### downstream projects +- [ ] ***(Optional, only after internal API-breaking changes)*** Email downstream project maintainers: + - **Recipients** + - selenium-tor: matzfan(a)tempr.email  + ``` + matzfan(a)tempr.email + ``` + - **Subject** + ``` + Breaking Changes in Tor Browser ${TOR_BROWSER_VERSION} + ``` + - [ ] Note any internal API changes which may affect browser automation + +### upstream services +- [ ] ***(Optional, after ESR migration)*** Email external partners: + - [ ] Cloudflare: ask-research(a)cloudflare.com + - **NOTE**: We need to provide them with updated user agent string so they can update their internal machinery to prevent Tor Browser users from getting so many CAPTCHAs + - [ ] Startpage: admin(a)startpage.com + - **NOTE**: Startpage also needs the updated user-agent string for better experience on their onion service sites. + </details> /label ~"Release Prep" - ===================================== .gitlab/issue_templates/Release Prep - Tor Browser Legacy.md ===================================== @@ -0,0 +1,320 @@ +# Release Prep Tor Browser Legacy + +- **NOTE** It is assumed the `tor-browser` release rebase and security backport tasks have been completed + +<details> + <summary>Explanation of variables</summary> + +- `${BUILD_SERVER}`: the server the main builder is using to build a browser release +- `${BUILDER}`: whomever is building the release on the ${BUILD_SERVER} + - **example**: `pierov` +- `${STAGING_SERVER}`: the server the signer is using to to run the signing process +- `${ESR_VERSION}`: the Mozilla defined ESR version, used in various places for building browser tags, labels, etc + - **example**: `91.6.0` +- `${TOR_BROWSER_MAJOR}`: the Tor Browser major version + - **example**: `11` +- `${TOR_BROWSER_MINOR}`: the Tor Browser minor version + - **example**: either `0` or `5`; Alpha's is always `(Stable + 5) % 10` +- `${TOR_BROWSER_VERSION}`: the Tor Browser version in the format + - **example**: `12.5a3`, `12.0.3` +- `${BUILD_N}`: a project's build revision within a its branch; this is separate from the `${TOR_BROWSER_BUILD_N}` value; many of the Firefox-related projects have a `${BUILD_N}` suffix and may differ between projects even when they contribute to the same build. + - **example**: `build1` +- `${TOR_BROWSER_BUILD_N}`: the tor-browser build revision for a given Tor Browser release; used in tagging git commits + - **example**: `build2` + - **⚠️ WARNING**: A project's `${BUILD_N}` and `${TOR_BROWSER_BUILD_N}` may be the same, but it is possible for them to diverge. For example : + - if we have multiple Tor Browser releases on a given ESR branch the two will become out of sync as the `${BUILD_N}` value will increase, while the `${TOR_BROWSER_BUILD_N}` value may stay at `build1` (but the `${TOR_BROWSER_VERSION}` will increase) + - if we have build failures unrelated to `tor-browser`, the `${TOR_BROWSER_BUILD_N}` value will increase while the `${BUILD_N}` will stay the same. +- `${TOR_BROWSER_VERSION}`: the published Tor Browser version + - **example**: `11.5a6`, `11.0.7` +- `${TBB_BUILD_TAG}`: the `tor-browser-build` build tag used to build a given Tor Browser version + - **example**: `tbb-12.5a7-build1` +- `${RELEASE_DATE}`: the intended release date of this browser release; for ESR schedule-driven releases, this should match the upstream Firefox release date + - **example**: `2024-10-29` + +</details> + +<details> + <summary>Build Configuration</summary> + +### tor-browser: https://gitlab.torproject.org/tpo/applications/tor-browser.git + +- [ ] Tag `tor-browser` in tor-browser.git + - **example**: `tor-browser-115.17.0esr-13.5-1-build1` + +### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git +Tor Browser Legacy is on the `maint-13.5` branch + +- [ ] Changelog bookkeeping: + - [ ] Ensure all commits to `tor-browser` and `tor-browser-build` for this release have an associated issue linked to this release preparation issue + - [ ] Ensure each issue has a platform (~Windows, ~MacOS, ~Desktop, ~"All Platforms") and potentially ~"Build System" labels +- [ ] Create a release preparation branch from the `maint-13.5` branch +- [ ] Run release preparation script: + - **⚠️ WARNING**: You may need to manually update the `firefox/config` file's `browser_build` field if `tor-browser.git` has not yet been tagged (e.g. if security backports have not yet been merged and tagged) + ```bash + ./tools/relprep.py --tor-browser --date ${RELEASE_DATE} ${TOR_BROWSER_VERSION} + ``` +- [ ] Review build configuration changes: + - [ ] `rbm.conf` + - [ ] `var/torbrowser_version`: updated to next browser version + - [ ] `var/torbrowser_build`: updated to `${TOR_BROWSER_BUILD_N}` + - [ ] `var/browser_release_date`: updated to build date. For the build to be reproducible, the date should be in the past when building. + - **⚠️ WARNING**: If we have updated `var/torbrowser_build` without updating the `firefox`, then we can leave this unchanged to avoid forcing a firefox re-build (e.g. when bumping `var/torbrwoser_build` to build2, build3, etc due to non-firefox related build issues) + - [ ] ***(Desktop Only)*** `var/torbrowser_incremental_from`: updated to previous Desktop version + - **NOTE**: We try to build incrementals for the previous 3 desktop versions + - **⚠️ WARNING**: Really *actually* make sure this is the previous Desktop version or else the `make torbrowser-incrementals-*` step will fail + - [ ] `projects/firefox/config` + - [ ] `browser_build`: updated to match `tor-browser` tag + - [ ] ***(Optional)*** `var/firefox_platform_version`: updated to latest `${ESR_VERSION}` if rebased + - [ ] ***(Optional)*** `projects/translation/config`: + - [ ] `steps/base-browser/git_hash`: updated with `HEAD` commit of project's `base-browser` branch + - [ ] `steps/tor-browser/git_hash`: updated with `HEAD` commit of project's `tor-browser` branch + - [ ] ***(Optional)*** `projects/browser/config`: + - [ ] NoScript: https://addons.mozilla.org/en-US/firefox/addon/noscript + - [ ] `URL` updated + - **⚠️ WARNING**: If preparing the release manually, updating the version number in the url is not sufficient, as each version has a random unique id in the download url + - [ ] `sha256sum` updated + - [ ] ***(Optional)*** `projects/openssl/config`: https://www.openssl.org/source/ + - **NOTE**: Only if new LTS version (3.0.X currrently) available + - [ ] `version`: updated to next LTS version + - [ ] `input_files/sha256sum`: updated to sha256 sum of source tarball + - [ ] **(Optional)** `projects/zlib/config`: https://github.com/madler/zlib/releases + - **NOTE**: Only if new tag available + - [ ] `version`: updated to next release tag + - [ ] **(Optional)** `projects/zstd/config`: https://github.com/facebook/zstd/releases + - **NOTE**: Only if new tag available + - [ ] `version`: updated to next release tag + - [ ] `git_hash`: updated to the commit corresponding to the tag (we don't check signatures for Zstandard) + - [ ] **(Optional)** `projects/tor/config` https://gitlab.torproject.org/tpo/core/tor/-/tags + - [ ] `version`: updated to latest non `-alpha` tag or release tag if newer (ping **dgoulet** or **ahf** if unsure) + - [ ] **(Optional)** `projects/go/config` https://go.dev/dl + - [ ] `go_1_22`: updated to latest 1.22 version + - [ ] `input_files/sha256sum` for `go`: update sha256sum of archive (sha256 sums are displayed on the go download page) + - [ ] **(Optional)** `projects/manual/config` + - [ ] `version`: updated to latest pipeline id + - [ ] `input_files/shasum` for `manual`: updated to manual hash + - [ ] Upload the downloaded `manual_${PIPELINEID}.zip` file to `tb-build-02.torproject.org` + - [ ] Deploy to `tb-builder`'s `public_html` directory: + - [ ] Run: + ```bash + sudo -u tb-builder cp manual_${PIPELINEID}.zip ~tb-builder/public_html/. + ``` + - `sudo` documentation for TPO machines: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/doc/accounts#changingres… + - [ ] `ChangeLog-TBB.txt`: ensure correctness + - [ ] Browser name correct + - [ ] Release date correct + - [ ] No Android updates + - [ ] All issues added under correct platform + - [ ] ESR updates correct + - [ ] Component updates correct +- [ ] Open MR with above changes, using the template for release preparations + - **NOTE**: target the `maint-13.5` branch +- [ ] Merge +- [ ] Sign+Tag + - **NOTE** this must be done by one of: + - boklm + - dan + - ma1 + - morgan + - pierov + - [ ] Run: + ```bash + make torbrowser-signtag-release + ``` + - [ ] Push tag to `upstream` +- [ ] Build the tag: + - [ ] Run: + ```bash + make torbrowser-release && make torbrowser-incrementals-release + ``` + - [ ] Tor Project build machine + - [ ] Local developer machine + - [ ] Submit build request to Mullvad infrastructure: + - **NOTE** this requires a devmole authentication token + - **NOTE** this also requires you be connected to a Swedish Mulvad VPN exit + - [ ] Run: + ```bash + make torbrowser-kick-devmole-build + ``` + +</details> + +<details> + <summary>Website</summary> + + ### downloads: https://gitlab.torproject.org/tpo/web/tpo.git + - [ ] `databags/versions.ini`: Update the downloads versions + - `torbrowser-stable/version`: catch-all for latest stable version + - `torbrowser-alpha/version`: catch-all for latest alpha version + - `torbrowser-legacy/version`: catch-all for latest ESR-115 version + - `torbrowser-*-stable/version`: platform-specific stable versions + - `torbrowser-*-alpha/version`: platform-specific alpha versions + - `torbrowser-*-legacy/version`: platform-specific legacy versions + - `tor-stable`,`tor-alpha`: set by tor devs, do not touch + - [ ] Push to origin as new branch and create MR + - [ ] Review + - [ ] Merge + - **⚠️ WARNING**: Do not deploy yet! + +</details> + +<details> + <summary>Signing</summary> + +### release signing +- [ ] Assign this issue to the signer, one of: + - boklm + - ma1 + - morgan + - pierov +- [ ] Ensure all builders have matching builds +- [ ] On `${STAGING_SERVER}`, ensure updated: + - **NOTE** Having a local git branch with `maint-13.5` as the upstream branch with these values saved means you only need to periodically `git pull --rebase` and update the `set-config.tbb-version` file + - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-${TOR_BROWSER_VERSION}-${TOR_BROWSER_BUILD_N} && git checkout tbb-${TOR_BROWSER_VERSION}-${TOR_BROWSER_BUILD_N}` + - [ ] `tor-browser-build/tools/signing/set-config.hosts` + - `ssh_host_builder`: ssh hostname of machine with unsigned builds + - `ssh_host_linux_signer`: ssh hostname of linux signing machine + - `builder_tor_browser_build_dir`: path on `ssh_host_builder` to root of builder's `tor-browser-build` clone containing unsigned builds + - [ ] `tor-browser-build/tools/signing/set-config.rcodesign-appstoreconnect` + - `appstoreconnect_api_key_path`: path to json file containing appstoreconnect api key infos + - [ ] `tor-browser-build/tools/signing/set-config.tbb-version` + - `tbb_version`: tor browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`) + - `tbb_version_build`: the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`) + - `tbb_version_type`: either `alpha` for alpha releases or `release` for stable releases +- [ ] On `${STAGING_SERVER}` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050 +- [ ] On `${STAGING_SERVER}` in a separate `screen` session, run do-all-signing script: + - [ ] Run: + ```bash + cd tor-browser-build/tools/signing/ && ./do-all-signing.torbrowser + ``` + - **NOTE**: on successful execution, the signed binaries and mars should have been copied to `staticiforme` and update responses pushed + +</details> + +<details> + <summary>Signature verification</summary> + + <details> + <summary>Check whether the .exe files got properly signed and timestamped</summary> + +```bash +# Point OSSLSIGNCODE to your osslsigncode binary +pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION +OSSLSIGNCODE=/path/to/osslsigncode +../../../tools/authenticode_check.sh +popd +``` + + </details> + <details> + <summary>Check whether the MAR files got properly signed</summary> + +```bash +# Point NSSDB to your nssdb containing the mar signing certificate +# Point SIGNMAR to your signmar binary +# Point LD_LIBRARY_PATH to your mar-tools directory +pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION +NSSDB=/path/to/nssdb +SIGNMAR=/path/to/mar-tools/signmar +LD_LIBRARY_PATH=/path/to/mar-tools/ +../../../tools/marsigning_check.sh +popd +``` + + </details> +</details> + +<details> + <summary>Publishing</summary> + +### website +- [ ] On `staticiforme.torproject.org`, static update components: + - [ ] Run: + ```bash + static-update-component cdn.torproject.org && static-update-component dist.torproject.org + ``` +- [ ] Deploy `tor-website` MR +- [ ] On `staticiforme.torproject.org`, remove old release: + - **NOTE**: Skip this step if we need to hold on to older versions for some reason (for example, this is an Andoid or Desktop-only release, or if we need to hold back installers in favor of build-to-build updates if there are signing issues, etc) + - [ ] `/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser` + - [ ] `/srv/dist-master.torproject.org/htdocs/torbrowser` + - [ ] Run: + ```bash + static-update-component cdn.torproject.org && static-update-component dist.torproject.org + ``` +- [ ] **(Optional)** Generate and deploy new update responses + - **NOTE**: This is only required if there will be no corresponding 14.0 release (i.e. this is an emergency legacy-only 13.5 release). Normally, legacy update responses are generated and deployed as part of the 14.0 release. + - **⚠️ WARNING**: This is a little bit off the beaten track, ping boklm or morgan if you have any doubts + - From the `maint-14.0` branch: + - [ ] Update `rbm.conf` + - [ ] `var/torbrowser_legacy_version`: update to `${TOR_BROWSER_VERSION}` + - **NOTE** this is the browser version for the legacy branch, not the 14.0 branch + - [ ] `var/torbrowser_legacy_platform_version`: update to `${ESR_VERSION}` + - **NOTE** this is ESR version for the legacy branch, not the 14.0 branch + - [ ] Generate update responses: + - [ ] Run: + ```bash + make torbrowser-update_responses-release + ``` + - On `staticiforme.torproject.org`, deploy new update responses: + - **NOTE**: for now this is a bit janky, we should somehow update the workflow to be a bit less hacky + - [ ] Edit an existing `deploy_update_responses-release.sh` script in your `HOME` directory with the newly pushed commit hash + - **example**: (hash: `d938943`) + ```bash + #!/bin/bash + set -e + + echo "Deploying version 14.0" + echo "update_responses_commit: d938943" + + cd "/srv/aus1-master.torproject.org/htdocs/torbrowser" + git fetch + changed_files="$(git diff --name-only HEAD d938943)" + if echo "$changed_files" | grep -qv "release" + then + echo >&2 "Error: checking out new update_response_commit will changes" + echo >&2 "some files outside of the release directory:" + echo "$changed_files" | grep -v "release" >&2 + echo >&2 "--" + echo >&2 "If this is really what you want to do, edit this script to" + echo >&2 "remove the line 'exit 1' and run it again." + echo >&2 "See tor-browser-build#41168 for more details." + exit 1 + fi + git checkout "d938943" + + static-update-component aus1.torproject.org + ``` + - [ ] Enable update responses: + ```bash + sudo -u tb-release ./deploy_update_responses-release.sh + ``` + +</details> + +<details> + <summary>Communications</summary> + +### tor-announce mailing list +- [ ] Email tor-announce mailing list + - **Recipients** + ``` + tor-announce(a)lists.torproject.org + ``` + - **Subject** + ``` + New Release: Tor Browser ${TOR_BROWSER_VERSION} (Windows, macOS) + ``` + - **Body** + ``` + Hi everyone, + + Tor Browser ${TOR_BROWSER_VERSION} has now been published for legacy Windows and macOS platforms. For details please see our blog post: + - ${BLOG_POST_URL} + + Changelog: + # paste changelog as quote here + ``` + +</details> + +/label ~"Release Prep" ===================================== .gitlab/issue_templates/Release Prep - Tor Browser Stable.md ===================================== @@ -1,117 +1,120 @@ +# Release Prep Tor Browser Stable + +- **NOTE** It is assumed the `tor-browser` release rebase and security backport tasks have been completed +- **NOTE** This can/is often done in conjunction with the equivalent Mullvad Browser release prep issue + <details> <summary>Explanation of variables</summary> -- `$(BUILD_SERVER)` : the server the main builder is using to build a tor-browser release -- `$(BUILDER)` : whomever is building the release on the $(BUILD_SERVER) - - **example** : `pierov` -- `$(STAGING_SERVER)` : the server the signer is using to to run the signing process -- `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc - - **example** : `91.6.0` -- `$(TOR_BROWSER_MAJOR)` : the Tor Browser major version - - **example** : `11` -- `$(TOR_BROWSER_MINOR)` : the Tor Browser minor version - - **example** : either `0` or `5`; Alpha's is always `(Stable + 5) % 10` -- `$(TOR_BROWSER_VERSION)` : the Tor Browser version in the format - - **example** : `12.5a3`, `12.0.3` -- `$(BUILD_N)` : a project's build revision within a its branch; this is separate from the `$(TOR_BROWSER_BUILD_N)` value; many of the Firefox-related projects have a `$(BUILD_N)` suffix and may differ between projects even when they contribute to the same build. - - **example** : `build1` -- `$(TOR_BROWSER_BUILD_N)` : the tor-browser build revision for a given Tor Browser release; used in tagging git commits - - **example** : `build2` - - **NOTE** : A project's `$(BUILD_N)` and `$(TOR_BROWSER_BUILD_N)` may be the same, but it is possible for them to diverge. For example : - - if we have multiple Tor Browser releases on a given ESR branch the two will become out of sync as the `$(BUILD_N)` value will increase, while the `$(TOR_BROWSER_BUILD_N)` value may stay at `build1` (but the `$(TOR_BROWSER_VERSION)` will increase) - - if we have build failures unrelated to `tor-browser`, the `$(TOR_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same. -- `$(TOR_BROWSER_VERSION)` : the published Tor Browser version - - **example** : `11.5a6`, `11.0.7` -- `$(TBB_BUILD_TAG)` : the `tor-browser-build` build tag used to build a given Tor Browser version - - **example** : `tbb-12.0.7-build1` -</details> +- `${BUILD_SERVER}`: the server the main builder is using to build a browser release +- `${BUILDER}`: whomever is building the release on the ${BUILD_SERVER} + - **example**: `pierov` +- `${STAGING_SERVER}`: the server the signer is using to to run the signing process +- `${ESR_VERSION}`: the Mozilla defined ESR version, used in various places for building browser tags, labels, etc + - **example**: `91.6.0` +- `${TOR_BROWSER_MAJOR}`: the Tor Browser major version + - **example**: `11` +- `${TOR_BROWSER_MINOR}`: the Tor Browser minor version + - **example**: either `0` or `5`; Alpha's is always `(Stable + 5) % 10` +- `${TOR_BROWSER_VERSION}`: the Tor Browser version in the format + - **example**: `12.5a3`, `12.0.3` +- `${BUILD_N}`: a project's build revision within a its branch; this is separate from the `${TOR_BROWSER_BUILD_N}` value; many of the Firefox-related projects have a `${BUILD_N}` suffix and may differ between projects even when they contribute to the same build. + - **example**: `build1` +- `${TOR_BROWSER_BUILD_N}`: the tor-browser build revision for a given Tor Browser release; used in tagging git commits + - **example**: `build2` + - **⚠️ WARNING**: A project's `${BUILD_N}` and `${TOR_BROWSER_BUILD_N}` may be the same, but it is possible for them to diverge. For example : + - if we have multiple Tor Browser releases on a given ESR branch the two will become out of sync as the `${BUILD_N}` value will increase, while the `${TOR_BROWSER_BUILD_N}` value may stay at `build1` (but the `${TOR_BROWSER_VERSION}` will increase) + - if we have build failures unrelated to `tor-browser`, the `${TOR_BROWSER_BUILD_N}` value will increase while the `${BUILD_N}` will stay the same. +- `${TOR_BROWSER_VERSION}`: the published Tor Browser version + - **example**: `11.5a6`, `11.0.7` +- `${TBB_BUILD_TAG}`: the `tor-browser-build` build tag used to build a given Tor Browser version + - **example**: `tbb-12.5a7-build1` +- `${RELEASE_DATE}`: the intended release date of this browser release; for ESR schedule-driven releases, this should match the upstream Firefox release date + - **example**: `2024-10-29` -**NOTE** It is assumed that the `tor-browser` stable rebase and security backport tasks have been completed -**NOTE** This can/is often done in conjunction with the equivalent Mullvad Browser release prep issue +</details> <details> - <summary>Building</summary> + <summary>Build Configuration</summary> + +### tor-browser: https://gitlab.torproject.org/tpo/applications/tor-browser.git + +- [ ] Tag `tor-browser` in tor-browser.git + - **example**: `tor-browser-128.4.0esr-14.0-1-build1` ### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git -Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)` (and possibly more specific) branches. - -- [ ] Update `rbm.conf` - - [ ] `var/torbrowser_version` : update to next version - - [ ] `var/torbrowser_build` : update to `$(TOR_BROWSER_BUILD_N)` - - [ ] `var/browser_release_date` : update to build date. For the build to be reproducible, the date should be in the past when building. - - [ ] `var/torbrowser_legacy_version` : update to next version in the legacy-13.5 branch - - [ ] `var/torbrowser_legacy_platform_version` : update to firefox platform version in the legacy-13.5 branch - - [ ] ***(Desktop Only)***`var/torbrowser_incremental_from` : update to previous Desktop version - - **NOTE**: We try to build incrementals for the previous 3 desktop versions except in the case of a watershed update - - **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make torbrowser-incrementals-*` step will fail -- [ ] Update Desktop-specific build configs - - [ ] Update `projects/firefox/config` - - [ ] `browser_build` : update to match `tor-browser` tag - - [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased -- [ ] Update Android-specific build configs - - [ ] Update `projects/geckoview/config` - - [ ] `browser_build` : update to match `tor-browser` tag - - [ ] ***(Optional)*** `var/geckoview_version` : update to latest `$(ESR_VERSION)` if rebased - - [ ] ***(Optional)*** Update `projects/tor-android-service/config` - - [ ] `git_hash` : update with `HEAD` commit of project's `main` branch - - [ ] ***(Optional)*** Update `projects/application-services/config`: - **NOTE** we don't currently have any of our own patches for this project - - [ ] `git_hash` : update to appropriate git commit associated with `$(ESR_VERSION)` - - [ ] ***(Optional)*** Update `projects/firefox-android/config`: - - [ ] `fenix_version` : update to match stable `firefox-android` build tag - - [ ] `browser_branch` : update to match stable `firefox-android` build tag - - [ ] `browser_build` : update to match stable `firefox-android` build tag - variant: Beta -- [ ] Update `projects/translation/config`: - - [ ] run `make list_translation_updates-release` to get updated hashes - - [ ] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch - - [ ] `steps/tor-browser/git_hash` : update with `HEAD` commit of project's `tor-browser` branch - - [ ] `steps/fenix/git_hash` : update with `HEAD` commit of project's `fenix-torbrowserstringsxml` branch -- [ ] Update common build configs - - [ ] Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript - - [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/browser/config` - - [ ] `URL` - - [ ] `sha256sum` - - [ ] Check for OpenSSL updates here : https://www.openssl.org/source/ - - [ ] ***(Optional)*** If new 3.0.X version available, update `projects/openssl/config` - - [ ] `version` : update to next 3.0.X version - - [ ] `input_files/sha256sum` : update to sha256 sum of source tarball - - [ ] Check for zlib updates here: https://github.com/madler/zlib/releases - - [ ] **(Optional)** If new tag available, update `projects/zlib/config` - - [ ] `version` : update to next release tag - - [ ] Check for tor updates here : https://gitlab.torproject.org/tpo/core/tor/-/tags - - [ ] ***(Optional)*** Update `projects/tor/config` - - [ ] `version` : update to latest non `-alpha` tag (ping dgoulet or ahf if unsure) - - [ ] Check for go updates here : https://go.dev/dl - - **NOTE** : In general, Tor Browser Stable uses the latest of the *previous* Stable major series Go version, but there are sometimes exceptions. Check with the anti-censorship team before doing a major version update in case there is incompatibilities. - - [ ] ***(Optional)*** Update `projects/go/config` - - [ ] `version` : update go version - - [ ] `input_files/sha256sum` for `go` : update sha256sum of archive (sha256 sums are displayed on the go download page) - - [ ] Check for manual updates by running (from `tor-browser-build` root): `./tools/fetch-manual.py` - - [ ] ***(Optional)*** If new version is available: - - [ ] Upload the downloaded `manual_$PIPELINEID.zip` file to `tb-build-02.torproject.org` - - [ ] Deploy to `tb-builder`'s `public_html` directory: - - `sudo -u tb-builder cp manual_$PIPELINEID.zip ~tb-builder/public_html/.` - - [ ] Update `projects/manual/config`: - - [ ] Change the `version` to `$PIPELINEID` - - [ ] Update `sha256sum` in the `input_files` section -- [ ] Update `ChangeLog-TBB.txt` - - [ ] Ensure `ChangeLog-TBB.txt` is sync'd between alpha and stable branches - - [ ] Check the linked issues: ask people to check if any are missing, remove the not fixed ones - - [ ] Run `./tools/fetch-changelogs.py $(ISSUE_NUMBER) --date $date $updateArgs` - - Make sure you have `requests` installed (e.g., `apt install python3-requests`) - - The first time you run this script you will need to generate an access token; the script will guide you - - `$updateArgs` should be these arguments, depending on what you actually updated: - - [ ] `--firefox` (be sure to include esr at the end if needed, which is usually the case) - - [ ] `--tor` - - [ ] `--no-script` - - [ ] `--openssl` - - [ ] `--zlib` - - [ ] `--go` - - E.g., `./tools/fetch-changelogs.py 41028 --date 'December 19 2023' --firefox 115.6.0esr --tor 0.4.8.10 --no-script 11.4.29 --zlib 1.3 --go 1.21.5 --openssl 3.0.12` - - `--date $date` is optional, if omitted it will be the date on which you run the command - - [ ] Copy the output of the script to the beginning of `ChangeLog-TBB.txt` and adjust its output +Tor Browser Stable is on the `maint-${TOR_BROWSER_MAJOR}.${TOR_BROWSER_MINOR}` branch + +- [ ] Changelog bookkeeping: + - [ ] Ensure all commits to `tor-browser` and `tor-browser-build` for this release have an associated issue linked to this release preparation issue + - [ ] Ensure each issue has a platform (~Windows, ~MacOS, ~Linux, ~Android, ~Desktop, ~"All Platforms") and potentially ~"Build System" labels +- [ ] Create a release preparation branch from the current `maint-XX.Y` branch +- [ ] Run release preparation script: + - **NOTE**: You can omit the `--tor-browser` argument if this is for a joint Tor and Mullvad Browser release + - **⚠️ WARNING**: You may need to manually update the `firefox/config` and `geckoview/config` files' `browser_build` field if `tor-browser.git` has not yet been tagged (e.g. if security backports have not yet been merged and tagged) + ```bash + ./tools/relprep.py --tor-browser --date ${RELEASE_DATE} ${TOR_BROWSER_VERSION} + ``` +- [ ] Review build configuration changes: + - [ ] `rbm.conf` + - [ ] `var/torbrowser_version`: updated to next browser version + - [ ] `var/torbrowser_build`: updated to `${TOR_BROWSER_BUILD_N}` + - [ ] `var/browser_release_date`: updated to build date. For the build to be reproducible, the date should be in the past when building. + - **⚠️ WARNING**: If we have updated `var/torbrowser_build` without updating the `firefox` or `geckoview` tags, then we can leave this unchanged to avoid forcing a firefox re-build (e.g. when bumping `var/torbrwoser_build` to build2, build3, etc due to non-firefox related build issues) + - [ ] ***(Desktop Only)*** `var/torbrowser_incremental_from`: updated to previous Desktop version + - **NOTE**: We try to build incrementals for the previous 3 desktop versions + - **⚠️ WARNING**: Really *actually* make sure this is the previous Desktop version or else the `make torbrowser-incrementals-*` step will fail +- [ ] `projects/firefox/config` + - [ ] `browser_build`: updated to match `tor-browser` tag + - [ ] ***(Optional)*** `var/firefox_platform_version`: updated to latest `${ESR_VERSION}` if rebased + - [ ] `projects/geckoview/config` + - [ ] `browser_build`: updated to match `tor-browser` tag + - [ ] ***(Optional)*** `var/firefox_platform_version`: updated to latest `${ESR_VERSION}` if rebased + - [ ] ***(Optional)*** `projects/translation/config`: + - [ ] `steps/base-browser/git_hash`: updated with `HEAD` commit of project's `base-browser` branch + - [ ] `steps/tor-browser/git_hash`: updated with `HEAD` commit of project's `tor-browser` branch + - [ ] `steps/fenix/git_hash`: updated with `HEAD` commit of project's `fenix-torbrowserstringsxml` branch + - [ ] ***(Optional)*** `projects/browser/config`: + - [ ] NoScript: https://addons.mozilla.org/en-US/firefox/addon/noscript + - [ ] `URL` updated + - **⚠️ WARNING**: If preparing the release manually, updating the version number in the url is not sufficient, as each version has a random unique id in the download url + - [ ] `sha256sum` updated + - [ ] ***(Optional)*** `projects/openssl/config`: https://www.openssl.org/source/ + - **NOTE**: Only if new LTS version (3.0.X currrently) available + - [ ] `version`: updated to next LTS version + - [ ] `input_files/sha256sum`: updated to sha256 sum of source tarball + - [ ] **(Optional)** `projects/zlib/config`: https://github.com/madler/zlib/releases + - **NOTE**: Only if new tag available + - [ ] `version`: updated to next release tag + - [ ] **(Optional)** `projects/zstd/config`: https://github.com/facebook/zstd/releases + - **NOTE**: Only if new tag available; Android-only for now + - [ ] `version`: updated to next release tag + - [ ] `git_hash`: updated to the commit corresponding to the tag (we don't check signatures for Zstandard) + - [ ] **(Optional)** `projects/tor/config` https://gitlab.torproject.org/tpo/core/tor/-/tags + - [ ] `version`: updated to latest non `-alpha` tag or release tag if newer (ping **dgoulet** or **ahf** if unsure) + - [ ] **(Optional)** `projects/go/config` https://go.dev/dl + - **NOTE**: In general, Tor Browser Alpha uses the latest Stable major series Go version, but there are sometimes exceptions. Check with the anti-censorship team before doing a major version update in case there is incompatibilities. + - [ ] `version`: updated go version + - [ ] `input_files/sha256sum` for `go`: update sha256sum of archive (sha256 sums are displayed on the go download page) + - [ ] **(Optional)** `projects/manual/config` + - [ ] `version`: updated to latest pipeline id + - [ ] `input_files/shasum` for `manual`: updated to manual hash + - [ ] Upload the downloaded `manual_${PIPELINEID}.zip` file to `tb-build-02.torproject.org` + - [ ] Deploy to `tb-builder`'s `public_html` directory: + - [ ] Run: + ```bash + sudo -u tb-builder cp manual_${PIPELINEID}.zip ~tb-builder/public_html/. + ``` + - `sudo` documentation for TPO machines: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/doc/accounts#changingres… + - [ ] `ChangeLog-TBB.txt`: ensure correctness + - [ ] Browser name correct + - [ ] Release date correct + - [ ] No Android updates on a desktop-only release and vice-versa + - [ ] All issues added under correct platform + - [ ] ESR updates correct + - [ ] Component updates correct - [ ] Open MR with above changes, using the template for release preparations + - **NOTE**: target the `maint-14.0` branch - [ ] Merge - [ ] Sign+Tag - **NOTE** this must be done by one of: @@ -120,47 +123,53 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE - ma1 - morgan - pierov - - [ ] Run: `make torbrowser-signtag-release` + - [ ] Run: + ```bash + make torbrowser-signtag-release + ``` - [ ] Push tag to `upstream` - [ ] Build the tag: - - Run `make torbrowser-release && make torbrowser-incrementals-release` + - [ ] Run: + ```bash + make torbrowser-release && make torbrowser-incrementals-release + ``` - [ ] Tor Project build machine - [ ] Local developer machine - [ ] Submit build request to Mullvad infrastructure: - **NOTE** this requires a devmole authentication token - - Run `make torbrowser-kick-devmole-build` -- [ ] Ensure builders have matching builds + - **NOTE** this also requires you be connected to a Swedish Mulvad VPN exit + - [ ] Run: + ```bash + make torbrowser-kick-devmole-build + ``` </details> <details> - <summary>Communications</summary> - -### notify stakeholders -- [ ] **(Once builds confirmed matching)** Email tor-qa mailing list with release information - - [ ] tor-qa: tor-qa(a)lists.torproject.org - - **Subject** - ``` - Tor Browser $(TOR_BROWSER_VERION) (Android, Windows, macOS, Linux) - ``` - - **Body** - ``` - Hello, - - Unsigned Tor Browser $(TOR_BROWSER_VERSION) release candidate builds are now available for testing: - - - https://tb-build-02.torproject.org/~$(BUILDER)/builds/torbrowser/release/un… - - The full changelog can be found here: - - - https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/raw/$(TB… - ``` -- [ ] Email packagers: - - [ ] Tails dev mailing list: tails-dev(a)boum.org - - [ ] Guardian Project: nathan(a)guardianproject.info - - [ ] FreeBSD port: freebsd(a)sysctl.cz  - - [ ] OpenBSD port: caspar(a)schutijser.com  - - [ ] Note any changes which may affect packaging/downstream integration + <summary>Website</summary> + + ### downloads: https://gitlab.torproject.org/tpo/web/tpo.git + - [ ] `databags/versions.ini`: Update the downloads versions + - `torbrowser-stable/version`: catch-all for latest stable version + - `torbrowser-alpha/version`: catch-all for latest alpha version + - `torbrowser-legacy/version`: catch-all for latest ESR-115 version + - `torbrowser-*-stable/version`: platform-specific stable versions + - `torbrowser-*-alpha/version`: platform-specific alpha versions + - `torbrowser-*-legacy/version`: platform-specific legacy versions + - [ ] Push to origin as new branch and create MR + - [ ] Review + - [ ] Merge + - **⚠️ WARNING**: Do not deploy yet! + + ### blog: https://gitlab.torproject.org/tpo/web/blog.git + - [ ] Run `tools/signing/create-blog-post` which should create the new blog post from a template (edit set-config.blog to set you local blog directory) + - [ ] Note any ESR update + - [ ] Thank any users which have contributed patches + - [ ] **(Optional)** Draft any additional sections for new features which need testing, known issues, etc + - [ ] Push to origin as new branch and open MR + - [ ] Review + - [ ] Merge + - **⚠️ WARNING**: Do not deploy yet! </details> @@ -168,38 +177,37 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE <summary>Signing</summary> ### release signing -- **NOTE** : In practice, it's most efficient to have the blog post and website updates ready to merge, since signing doesn't take very long - [ ] Assign this issue to the signer, one of: - boklm + - ma1 - morgan -- [ ] On `$(STAGING_SERVER)`, ensure updated: - - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-$(TOR_BROWSER_VERSION)-$(TOR_BROWSER_BUILD_N) && git checkout tbb-$(TOR_BROWSER_VERSION)-$(TOR_BROWSER_BUILD_N)` + - pierov +- [ ] Ensure all builders have matching builds +- [ ] Verify the associated legacy `maint-13.5` release has been signed and deployed + - **⚠️ WARNING**: Do not continue if the legacy channel has not been fully signed and published yet; it is needed for update-response generation! + - **NOTE** Stable releases without a corresponding legacy release may ignore this +- [ ] On `${STAGING_SERVER}`, ensure updated: + - **NOTE** Having a local git branch with `maint-14.0` as the upstream branch with these values saved means you only need to periodically `git pull --rebase` and update the `set-config.tbb-version` file + - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-${TOR_BROWSER_VERSION}-${TOR_BROWSER_BUILD_N} && git checkout tbb-${TOR_BROWSER_VERSION}-${TOR_BROWSER_BUILD_N}` - [ ] `tor-browser-build/tools/signing/set-config.hosts` - - `ssh_host_builder` : ssh hostname of machine with unsigned builds - - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory) - - `ssh_host_linux_signer` : ssh hostname of linux signing machine + - `ssh_host_builder`: ssh hostname of machine with unsigned builds + - `ssh_host_linux_signer`: ssh hostname of linux signing machine + - `builder_tor_browser_build_dir`: path on `ssh_host_builder` to root of builder's `tor-browser-build` clone containing unsigned builds - [ ] `tor-browser-build/tools/signing/set-config.rcodesign-appstoreconnect` - - `appstoreconnect_api_key_path` : path to json file containing appstoreconnect api key infos + - `appstoreconnect_api_key_path`: path to json file containing appstoreconnect api key infos - [ ] `set-config.update-responses` - - `update_responses_repository_dir` : directory where you cloned `git@gitlab.torproject.org:tpo/applications/tor-browser-update-responses.git` + - `update_responses_repository_dir`: directory where you cloned `git@gitlab.torproject.org:tpo/applications/tor-browser-update-responses.git` - [ ] `tor-browser-build/tools/signing/set-config.tbb-version` - - `tbb_version` : tor browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`) - - `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`) - - `tbb_version_type` : either `alpha` for alpha releases or `release` for stable releases -- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050 -- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, run do-all-signing script: - - `cd tor-browser-build/tools/signing/` - - `./do-all-signing.torbrowser` -- **NOTE**: at this point the signed binaries should have been copied to `staticiforme` -- [ ] Update `staticiforme.torproject.org`: - - From `screen` session on `staticiforme.torproject.org`: - - [ ] Static update components : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org` - - [ ] Enable update responses : `sudo -u tb-release ./deploy_update_responses-release.sh` - - [ ] Remove old release data from following places: - - **NOTE** : Skip this step if we need to hold on to older versions for some reason (for example, this is an Andoid or Desktop-only release, or if we need to hold back installers in favor of build-to-build updates if there are signing issues, etc) - - [ ] `/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser` - - [ ] `/srv/dist-master.torproject.org/htdocs/torbrowser` - - [ ] Static update components (again) : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org` + - `tbb_version`: tor browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`) + - `tbb_version_build`: the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`) + - `tbb_version_type`: either `alpha` for alpha releases or `release` for stable releases +- [ ] On `${STAGING_SERVER}` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050 +- [ ] On `${STAGING_SERVER}` in a separate `screen` session, run do-all-signing script: + - [ ] Run: + ```bash + cd tor-browser-build/tools/signing/ && ./do-all-signing.torbrowser + ``` + - **NOTE**: on successful execution, the signed binaries and mars should have been copied to `staticiforme` and update responses pushed </details> @@ -239,6 +247,28 @@ popd <details> <summary>Publishing</summary> +### website +- [ ] On `staticiforme.torproject.org`, static update components: + - [ ] Run: + ```bash + static-update-component cdn.torproject.org && static-update-component dist.torproject.org + ``` +- [ ] Deploy `tor-website` MR +- [ ] Deploy `tor-blog` MR +- [ ] On `staticiforme.torproject.org`, enable update responses: + - [ ] Run: + ```bash + sudo -u tb-release ./deploy_update_responses-release.sh + ``` +- [ ] On `staticiforme.torproject.org`, remove old release: + - **NOTE**: Skip this step if we need to hold on to older versions for some reason (for example, this is an Andoid or Desktop-only release, or if we need to hold back installers in favor of build-to-build updates if there are signing issues, etc) + - [ ] `/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser` + - [ ] `/srv/dist-master.torproject.org/htdocs/torbrowser` + - [ ] Run: + ```bash + static-update-component cdn.torproject.org && static-update-component dist.torproject.org + ``` + ### Google Play: https://play.google.com/apps/publish - [ ] Publish APKs to Google Play: - Select `Tor Browser` app @@ -253,45 +283,59 @@ popd - [ ] 100% rollout when publishing a security-driven release - [ ] Update rollout percentage to 100% after confirmed no major issues -### website: https://gitlab.torproject.org/tpo/web/tpo.git -- [ ] `databags/versions.ini` : Update the downloads versions - - `torbrowser-stable/version` : sort of a catch-all for latest stable version - - `torbrowser-alpha/version` : sort of a catch-all for latest stable version - - `torbrowser-*-stable/version` : platform-specific stable versions - - `torbrowser-*-alpha/version` : platform-specific alpha versions - - `tor-stable`,`tor-alpha` : set by tor devs, do not touch -- [ ] Push to origin as new branch, open 'Draft :' MR -- [ ] Remove `Draft:` from MR once signed-packages are accessible on https://dist.torproject.org -- [ ] Merge -- [ ] Publish after CI passes and builds are published +</details> -### blog: https://gitlab.torproject.org/tpo/web/blog.git -- [ ] Run `tools/signing/create-blog-post` which should create the new blog post from a template (edit set-config.blog to set you local blog directory) - - [ ] Note any ESR update - - [ ] Note any updates to dependencies (OpenSSL, zlib, NoScript, tor, etc) - - [ ] Thank any users which have contributed patches -- [ ] Push to origin as new branch, open `Draft:` MR -- [ ] Merge once signed-packages are accessible on https://dist.torproject.org -- [ ] Publish after CI passes and website has been updated +<details> + <summary>Communications</summary> ### tor-announce mailing list -- [ ] Email tor-announce mailing list: tor-announce(a)lists.torproject.org +- [ ] Email tor-announce mailing list + - **Recipients** + ``` + tor-announce(a)lists.torproject.org + ``` - **Subject** ``` - New Release: Tor Browser $(TOR_BROWSER_VERSION) (Android, Windows, macOS, Linux) + New Release: Tor Browser ${TOR_BROWSER_VERSION} (Android, Windows, macOS, Linux) ``` - **Body** ``` Hi everyone, - Tor Browser $(TOR_BROWSER_VERSION) has now been published for all platforms. For details please see our blog post: - - $(BLOG_POST_URL) + Tor Browser ${TOR_BROWSER_VERSION} has now been published for all platforms. For details please see our blog post: + - ${BLOG_POST_URL} Changelog: - # paste changleog as quote here + # paste changelog as quote here + ``` + +### packagers +- [ ] Email packagers: + - **Recipients** + - Tails dev mailing list: tails-dev(a)boum.org + - Guardian Project: nathan(a)guardianproject.info + - FreeBSD port: freebsd(a)sysctl.cz  + - OpenBSD port: caspar(a)schutijser.com  + - torbrowser-launcher: mail(a)asciiwolf.com  + - Anti-Censorship: meskio(a)torproject.org  ``` + tails-dev(a)boum.org nathan(a)guardianproject.info freebsd(a)sysctl.cz caspar(a)schutijser.com mail(a)asciiwolf.com meskio(a)torproject.org + ``` + - **Subject** + ``` + New Release: Tor Browser ${TOR_BROWSER_VERSION} (Android, Windows, macOS, Linux) + ``` + - **Body** + ``` + Hi everyone, + + Tor Browser ${TOR_BROWSER_VERSION} has now been published for all platforms. For details please see our blog post: + - ${BLOG_POST_URL} + Changelog: + # paste changelog as quote here + ``` + - [ ] Note any changes which may affect packaging/downstream integration </details> /label ~"Release Prep" - View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/3… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/3… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser-build][main] 19 commits: Update release prep issue templates
by morgan (＠morgan) 25 Oct '24

25 Oct '24

morgan pushed to branch main at The Tor Project / Applications / tor-browser-build Commits: 00f5ea36 by Morgan at 2024-10-23T21:02:54+00:00 Update release prep issue templates - - - - - 9d89e5ba by Morgan at 2024-10-23T21:02:54+00:00 fixup! Update release prep issue templates added note about tags and relprep.py interactions - - - - - 1739114b by Morgan at 2024-10-23T21:02:54+00:00 fixup! Update release prep issue templates added ⚠️ icons for warnings - - - - - d81f1a90 by Morgan at 2024-10-23T21:02:54+00:00 fixup! Update release prep issue templates fix some typos and add example for when to not update the var/browser_release_date param - - - - - b3b6863a by Morgan at 2024-10-23T21:02:54+00:00 fixup! Update release prep issue templates add note about joint tor/mullvad browser releases to relprep.py section - - - - - 2634d715 by Morgan at 2024-10-23T21:02:54+00:00 fixup! Update release prep issue templates add note for zstd being android-only - - - - - 95379b55 by Morgan at 2024-10-23T21:02:54+00:00 fixup! Update release prep issue templates add warning about addons.mozilla.org urls - - - - - 52778c09 by Morgan at 2024-10-23T21:02:54+00:00 fixup! Update release prep issue templates add clarification on openssl versions - - - - - cb4d86d0 by Morgan at 2024-10-23T21:02:54+00:00 fixup! Update release prep issue templates add sudo documentation link - - - - - 016d034c by Morgan at 2024-10-23T21:02:54+00:00 fixup! Update release prep issue templates add --date arg to relprep.py script invocation - - - - - 4cf18985 by Morgan at 2024-10-23T21:02:54+00:00 fixup! Update release prep issue templates add more ⚠️ WARNING to explanation of variables section - - - - - 2fe2103b by Morgan at 2024-10-23T21:02:54+00:00 fixup! Update release prep issue templates update notes on incrementals - - - - - 382609cc by Morgan at 2024-10-23T21:02:54+00:00 fixup! Update release prep issue templates further changelog checks - - - - - aabf4fdb by Morgan at 2024-10-23T21:02:54+00:00 fixup! Update release prep issue templates add explicit tor-browser-build release preparation step - - - - - cb3f93a5 by Morgan at 2024-10-23T21:02:54+00:00 fixup! Update release prep issue templates update set-config.hosts section to include builder_tor_browser_build_dir - - - - - b8196933 by Morgan at 2024-10-23T21:02:54+00:00 fixup! Update release prep issue templates removed update-responses specific steps from legacy - - - - - 181d513f by Morgan at 2024-10-23T21:02:54+00:00 fixup! Update release prep issue templates add verification step to tor browser stable to wait for legacy to be signed (for update response generation) - - - - - 474cdc87 by Morgan at 2024-10-23T21:02:54+00:00 fixup! Update release prep issue templates too much spacing in openssl entry - - - - - 434d85d5 by Morgan at 2024-10-23T21:56:43+00:00 fixup! Update release prep issue templates added directions for deploying 13.5 update responses when there is no corresponding 14.0 release - - - - - 5 changed files: - .gitlab/issue_templates/Release Prep - Mullvad Browser Alpha.md - .gitlab/issue_templates/Release Prep - Mullvad Browser Stable.md - .gitlab/issue_templates/Release Prep - Tor Browser Alpha.md - + .gitlab/issue_templates/Release Prep - Tor Browser Legacy.md - .gitlab/issue_templates/Release Prep - Tor Browser Stable.md Changes: ===================================== .gitlab/issue_templates/Release Prep - Mullvad Browser Alpha.md ===================================== @@ -1,82 +1,89 @@ +- **NOTE** It is assumed the `mullvad-browser` alpha rebase and security backport tasks have been completed +- **NOTE** This can/is often done in conjunction with the equivalent Tor Browser release prep issue + <details> <summary>Explanation of variables</summary> -- `$(BUILD_SERVER)` : the server the main builder is using to build a mullvad-browser release -- `$(BUILDER)` : whomever is building the release on the $(BUILD_SERVER) - - **example** : `pierov` -- `$(STAGING_SERVER)` : the server the signer is using to to run the signing process -- `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building mullvad-browser tags, labels, etc - - **example** : `91.6.0` -- `$(MULLVAD_BROWSER_MAJOR)` : the Mullvad Browser major version - - **example** : `11` -- `$(MULLVAD_BROWSER_MINOR)` : the Mullvad Browser minor version - - **example** : either `0` or `5`; Alpha's is always `(Stable + 5) % 10` -- `$(MULLVAD_BROWSER_VERSION)` : the Mullvad Browser version in the format - - **example** : `12.5a3`, `12.0.3` -- `$(BUILD_N)` : a project's build revision within a its branch; this is separate from the `$(MULLVAD_BROWSER_BUILD_N)` value; many of the Firefox-related projects have a `$(BUILD_N)` suffix and may differ between projects even when they contribute to the same build. - - **example** : `build1` -- `$(MULLVAD_BROWSER_BUILD_N)` : the mullvad-browser build revision for a given Mullvad Browser release; used in tagging git commits - - **example** : `build2` - - **NOTE** : A project's `$(BUILD_N)` and `$(MULLVAD_BROWSER_BUILD_N)` may be the same, but it is possible for them to diverge. For **example** : - - if we have multiple Mullvad Browser releases on a given ESR branch the two will become out of sync as the `$(BUILD_N)` value will increase, while the `$(MULLVAD_BROWSER_BUILD_N)` value may stay at `build1` (but the `$(MULLVAD_BROWSER_VERSION)` will increase) - - if we have build failures unrelated to `mullvad-browser`, the `$(MULLVAD_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same. -- `$(MULLVAD_BROWSER_VERSION)` : the published Mullvad Browser version - - **example** : `11.5a6`, `11.0.7` -- `$(MB_BUILD_TAG)` : the `tor-browser-build` build tag used to build a given Mullvad Browser version - - **example** : `mb-12.0.7-build1` -</details> - -**NOTE** It is assumed that the `tor-browser` alpha rebase and security backport tasks have been completed +- `${BUILD_SERVER}`: the server the main builder is using to build a browser release +- `${BUILDER}`: whomever is building the release on the ${BUILD_SERVER} + - **example**: `pierov` +- `${STAGING_SERVER}`: the server the signer is using to to run the signing process +- `${ESR_VERSION}`: the Mozilla defined ESR version, used in various places for building browser tags, labels, etc + - **example**: `91.6.0` +- `${MULLVAD_BROWSER_MAJOR}`: the Mullvad Browser major version + - **example**: `11` +- `${MULLVAD_BROWSER_MINOR}`: the Mullvad Browser minor version + - **example**: either `0` or `5`; Alpha's is always `(Stable + 5) % 10` +- `${MULLVAD_BROWSER_VERSION}`: the Mullvad Browser version in the format + - **example**: `12.5a3`, `12.0.3` +- `${BUILD_N}`: a project's build revision within a its branch; this is separate from the `${MULLVAD_BROWSER_BUILD_N}` value; many of the Firefox-related projects have a `${BUILD_N}` suffix and may differ between projects even when they contribute to the same build. + - **example**: `build1` +- `${MULLVAD_BROWSER_BUILD_N}`: the mullvad-browser build revision for a given Mullvad Browser release; used in tagging git commits + - **example**: `build2` + - **⚠️ WARNING**: A project's `${BUILD_N}` and `${MULLVAD_BROWSER_BUILD_N}` may be the same, but it is possible for them to diverge. For **example** : + - if we have multiple Mullvad Browser releases on a given ESR branch the two will become out of sync as the `${BUILD_N}` value will increase, while the `${MULLVAD_BROWSER_BUILD_N}` value may stay at `build1` (but the `${MULLVAD_BROWSER_VERSION}` will increase) + - if we have build failures unrelated to `mullvad-browser`, the `${MULLVAD_BROWSER_BUILD_N}` value will increase while the `${BUILD_N}` will stay the same. +- `${MULLVAD_BROWSER_VERSION}`: the published Mullvad Browser version + - **example**: `11.5a6`, `11.0.7` +- `${MB_BUILD_TAG}`: the `tor-browser-build` build tag used to build a given Mullvad Browser version + - **example**: `mb-12.0.7-build1` +- `${RELEASE_DATE}`: the intended release date of this browser release; for ESR schedule-driven releases, this should match the upstream Firefox release date + - **example**: `2024-10-29` -**NOTE** This can/is often done in conjunction with the equivalent Tor Browser release prep issue +</details> <details> - <summary>Building</summary> + <summary>Build Configuration</summary> ### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git Mullvad Browser Alpha (and Nightly) are on the `main` branch -- [ ] Update `rbm.conf` - - [ ] `var/torbrowser_version` : update to next version - - [ ] `var/torbrowser_build` : update to `$(MULLVAD_BROWSER_BUILD_N)` - - [ ] `var/browser_release_date` : update to build date. For the build to be reproducible, the date should be in the past when building. - - [ ] `var/torbrowser_incremental_from` : update to previous Desktop version - - **NOTE**: We try to build incrementals for the previous 3 desktop versions except in the case of a watershed update - - **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make mullvadbrowser-incrementals-*` step will fail -- [ ] Update build configs - - [ ] Update `projects/firefox/config` - - [ ] `browser_build` : update to match `mullvad-browser` tag - - [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased - - [ ] Update `projects/translation/config`: - - [ ] run `make list_translation_updates-alpha` to get updated hashes - - [ ] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch - - [ ] `steps/mullvad-browser/git_hash` : update with `HEAD` commit of project's `mullvad-browser` branch -- [ ] Update common build configs - - [ ] Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript - - [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/browser/config` - - [ ] `URL` - - [ ] `sha256sum` - - [ ] Check for uBlock-origin updates here : https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/ - - [ ] ***(Optional)*** If new version available, update `ublock-origin` section of `input_files` in `projects/browser/config` - - [ ] `URL` - - [ ] `sha256sum` - - [ ] Check for Mullvad Browser Extension updates here : https://github.com/mullvad/browser-extension/releases - - [ ] ***(Optional)*** If new version available, update `mullvad-extension` section of `input_files` in `projects/browser/config` - - [ ] `URL` - - [ ] `sha256sum` -- [ ] Update `ChangeLog-MB.txt` - - [ ] Ensure `ChangeLog-MB.txt` is sync'd between alpha and stable branches - - [ ] Check the linked issues: ask people to check if any are missing, remove the not fixed ones - - [ ] Run `./tools/fetch_changelogs.py $(ISSUE_NUMBER) --date $date $updateArgs` - - Make sure you have `requests` installed (e.g., `apt install python3-requests`) - - The first time you run this script you will need to generate an access token; the script will guide you - - `$updateArgs` should be these arguments, depending on what you actually updated: - - [ ] `--firefox` (be sure to include esr at the end if needed, which is usually the case) - - [ ] `--no-script` - - [ ] `--ublock` - - E.g., `./tools/fetch_changelogs.py 41029 --date 'December 19 2023' --firefox 115.6.0esr --no-script 11.4.29 --ublock 1.54.0` - - `--date $date` is optional, if omitted it will be the date on which you run the command - - [ ] Copy the output of the script to the beginning of `ChangeLog-MB.txt` and adjust its output +- [ ] Tag `mullvad-browser` in mullvad-browser.git + - **example**: `mullvad-browser-128.3.0esr-14.0-1-build1` +- [ ] Changelog bookkeeping: + - [ ] Ensure all commits to `mullvad-browser` and `tor-browser-build` for this release have an associated issue linked to this release preparation issue + - [ ] Ensure each issue has a platform (~Windows, ~MacOS, ~Linux, ~Desktop, ~"All Platforms") and potentially ~"Build System" labels +- [ ] Create a release preparation branch from the `main` branch +- [ ] Run release preparation script: + - **NOTE**: You can omit the `--mullvad-browser` argument if this is for a joint Tor and Mullvad Browser release + ```bash + ./tools/relprep.py --mullvad-browser --date ${RELEASE_DATE} ${MULLVAD_BROWSER_VERSION} + ``` + - **⚠️ WARNING**: You may need to manually update the `firefox/config` file's `browser_build` field if `mullvad-browser.git` has not yet been tagged (e.g. if security backports have not yet been merged and tagged) +- [ ] Review build configuration changes: + - [ ] `rbm.conf` + - [ ] `var/torbrowser_version`: updated to next browser version + - [ ] `var/torbrowser_build`: updated to `${MULLVAD_BROWSER_BUILD_N}` + - [ ] `var/browser_release_date`: updated to build date. For the build to be reproducible, the date should be in the past when building. + - **⚠️ WARNING**: If we have updated `var/torbrowser_build` without updating the `firefox` tag, then we can leave this unchanged to avoid forcing a firefox re-build (e.g. when bumping `var/torbrwoser_build` to build2, build3, etc due to non-firefox related build issues) + - [ ] `var/torbrowser_incremental_from`: updated to previous Desktop version + - **NOTE**: We try to build incrementals for the previous 3 desktop versions + - **⚠️ WARNING**: Really *actually* make sure this is the previous Desktop version or else the `make torbrowser-incrementals-*` step will fail + - [ ] `projects/firefox/config` + - [ ] `browser_build`: updated to match `mullvad-browser` tag + - [ ] ***(Optional)*** `var/firefox_platform_version`: updated to latest `${ESR_VERSION}` if rebased + - [ ] ***(Optional)*** `projects/translation/config`: + - [ ] `steps/base-browser/git_hash`: updated with `HEAD` commit of project's `base-browser` branch + - [ ] `steps/mullvad-browser/git_hash`: updated with `HEAD` commit of project's `mullvad-browser` branch + - [ ] ***(Optional)*** `projects/browser/config`: + - [ ] NoScript: https://addons.mozilla.org/en-US/firefox/addon/noscript + - [ ] `URL` updated + - **⚠️ WARNING**: If preparing the release manually, updating the version number in the url is not sufficient, as each version has a random unique id in the download url + - [ ] `sha256sum` updated + - [ ] uBlock-origin: https://addons.mozilla.org/en-US/firefox/addon/ublock-origin + - [ ] `URL` updated + - **⚠️ WARNING**: If preparing the release manually, updating the version number in the url is not sufficient, as each version has a random unique id in the download url + - [ ] `sha256sum` updated + - [ ] Mullvad Browser extension: https://github.com/mullvad/browser-extension/releases + - [ ] `URL` updated + - [ ] `sha256sum` updated + - [ ] `ChangeLog-MB.txt`: ensure correctness + - [ ] Browser name correct + - [ ] Release date correct + - [ ] No Android updates + - [ ] All issues added under correct platform + - [ ] ESR updates correct + - [ ] Component updates correct - [ ] Open MR with above changes, using the template for release preparations - [ ] Merge - [ ] Sign+Tag @@ -86,16 +93,25 @@ Mullvad Browser Alpha (and Nightly) are on the `main` branch - ma1 - morgan - pierov - - [ ] Run: `make mullvadbrowser-signtag-alpha` + - [ ] Run: + ``` + make mullvadbrowser-signtag-alpha + ``` - [ ] Push tag to `upstream` - [ ] Build the tag: - - Run `make mullvadbrowser-alpha && make mullvadbrowser-incrementals-alpha` on: + - [ ] Run: + ``` + make mullvadbrowser-alpha && make mullvadbrowser-incrementals-alpha + ``` - [ ] Tor Project build machine - [ ] Local developer machine - [ ] Submit build request to Mullvad infrastructure: - **NOTE** this requires a devmole authentication token - - Run `make mullvadbrowser-kick-devmole-build` -- [ ] Ensure builders have matching builds + - [ ] Run: + ``` + make mullvadbrowser-kick-devmole-build + ``` +- [ ] Ensure all builders have matching builds </details> @@ -105,64 +121,78 @@ Mullvad Browser Alpha (and Nightly) are on the `main` branch ### release signing - [ ] Assign this issue to the signer, one of: - boklm + - ma1 - morgan -- [ ] On `$(STAGING_SERVER)`, ensure updated: - - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-$(MULLVAD_BROWSER_VERSION)-$(MULLVAD_BROWSER_BUILD_N) && git checkout tbb-$(MULLVAD_BROWSER_VERSION)-$(MULLVAD_BROWSER_BUILD_N)` + - pierov +- [ ] Ensure all builders have matching builds +- [ ] On `${STAGING_SERVER}`, ensure updated: + - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-${MULLVAD_BROWSER_VERSION}-${MULLVAD_BROWSER_BUILD_N} && git checkout tbb-${MULLVAD_BROWSER_VERSION}-${MULLVAD_BROWSER_BUILD_N}` - [ ] `tor-browser-build/tools/signing/set-config.hosts` - - `ssh_host_builder` : ssh hostname of machine with unsigned builds - - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory) - - `ssh_host_linux_signer` : ssh hostname of linux signing machine + - `ssh_host_builder`: ssh hostname of machine with unsigned builds + - `ssh_host_linux_signer`: ssh hostname of linux signing machine + - `builder_tor_browser_build_dir`: path on `ssh_host_builder` to root of builder's `tor-browser-build` clone containing unsigned builds - [ ] `tor-browser-build/tools/signing/set-config.rcodesign-appstoreconnect` - - `appstoreconnect_api_key_path` : path to json file containing appstoreconnect api key infos + - `appstoreconnect_api_key_path`: path to json file containing appstoreconnect api key infos - [ ] `set-config.update-responses` - - `update_responses_repository_dir` : directory where you cloned `git@gitlab.torproject.org:tpo/applications/mullvad-browser-update-responses.git` + - `update_responses_repository_dir`: directory where you cloned `git@gitlab.torproject.org:tpo/applications/mullvad-browser-update-responses.git` - [ ] `tor-browser-build/tools/signing/set-config.tbb-version` - - `tbb_version` : mullvad browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`) - - `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`) - - `tbb_version_type` : either `alpha` for alpha releases or `release` for stable releases -- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050 -- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, run do-all-signing script: - - `cd tor-browser-build/tools/signing/` - - `./do-all-signing.mullvadbrowser` -- **NOTE**: at this point the signed binaries should have been copied to `staticiforme` -- [ ] Update `staticiforme.torproject.org`: - - From `screen` session on `staticiforme.torproject.org`: - - [ ] Remove old release data from `/srv/dist-master.torproject.org/htdocs/mullvadbrowser` - - [ ] Static update components (again) : `static-update-component dist.torproject.org` + - `tbb_version`: mullvad browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`) + - `tbb_version_build`: the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`) + - `tbb_version_type`: either `alpha` for alpha releases or `release` for stable releases +- [ ] On `${STAGING_SERVER}` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050 +- [ ] On `${STAGING_SERVER}` in a separate `screen` session, run do-all-signing script: + - [ ] Run: + ``` + cd tor-browser-build/tools/signing/ && ./do-all-signing.mullvadbrowser + ``` + - **NOTE**: on successful execution, the signed binaries and mars should have been copied to `staticiforme` and update responses pushed </details> <details> <summary>Publishing</summary> +### website +- [ ] On `staticiforme.torproject.org`, remove old release and publish new: + - [ ] `/srv/dist-master.torproject.org/htdocs/mullvadbrowser` + - [ ] Run: + ``` + static-update-component dist.torproject.org + ``` + ### mullvad-browser (GitHub): https://github.com/mullvad/mullvad-browser/ - [ ] Assign this issue to someone with mullvad commit access, one of: - boklm - ma1 - morgan - pierov +- [ ] Sign+Tag additionally the `mullvad-browser.git` `firefox` commit used in build: + - **Tag**: `${MULLVAD_BROWSER_VERSION}` + - **example**: `12.5a7` + - **Message**: `${ESR_VERSION}esr-based ${MULLVAD_BROWSER_VERSION}` + - **example**: `102.12.0esr-based 12.5a7` - [ ] Push this release's associated `mullvad-browser.git` branch to github - [ ] Push this release's associated tags to github: - [ ] Firefox ESR tag - - **example** : `FIREFOX_102_12_0esr_BUILD1` + - **example**: `FIREFOX_102_12_0esr_BUILD1` - [ ] `base-browser` tag - - **example** : `base-browser-102.12.0esr-12.0-1-build1` - - [ ] `mullvad-browser` tag - - **example** : `mullvad-browser-102.12.0esr-12.0-1-build1` -- [ ] Sign+Tag additionally the `mullvad-browser.git` `firefox` commit used in build: - - **Tag**: `$(MULLVAD_BROWSER_VERSION)` - - **example** : `12.5a7` - - **Message**: `$(ESR_VERSION)esr-based $(MULLVAD_BROWSER_VERSION)` - - **example** : `102.12.0esr-based 12.5a7` - - [ ] Push tag to github - -### email -- [ ] **(Once branch+tags pushed to GitHub)** Email Mullvad with release information: - - [ ] support alias: support(a)mullvadvpn.net - - [ ] Rui: rui(a)mullvad.net + - **example**: `base-browser-102.12.0esr-12.0-1-build1` + - [ ] `mullvad-browser` build tag + - **example**: `mullvad-browser-102.12.0esr-12.0-1-build1` + - [ ] `mullvad-browser` release tag + - **example**: `12.0.11` + +### Mullvad +- [ ] Email Mullvad with release information: + - **Recipients** + - Mullvad support alias: support(a)mullvadvpn.net + - Rui Hildt: rui(a)mullvad.net + ``` + support(a)mullvadvpn.net rui(a)mullvad.net + ``` - **Subject** ``` - New build: Mullvad Browser $(MULLVAD_BROWSER_VERION) (signed) + New build: Mullvad Browser ${MULLVAD_BROWSER_VERION} (signed) ``` - **Body** ``` @@ -170,28 +200,34 @@ Mullvad Browser Alpha (and Nightly) are on the `main` branch Branch+Tags have been pushed to Mullvad's GitHub repo. - - signed builds: https://dist.torproject.org/mullvadbrowser/$(MULLVAD_BROWSER_VERSION) - - update_response hashes: $(MULLVAD_UPDATE_RESPONSES_HASH) + - signed builds: https://dist.torproject.org/mullvadbrowser/${MULLVAD_BROWSER_VERSION} + - update_response hashes: ${MULLVAD_UPDATE_RESPONSES_HASH} changelog: + # paste changelog as quote here ... ``` </details> <details> - <summary>Downstream</summary> + <summary>Packaging</summary> -### notify packagers -These steps depend on Mullvad having updated their [GitHub Releases](https://github.com/mullvad/mullvad-browser/releases/) page with the latest release -- [ ] **(Optional)** Email downstream consumers: + + +### packagers +- [ ] **(Optional, Once Packages are pushed to GitHub)** - **NOTE**: This is an optional step and only necessary close a major release/transition from alpha to stable, or if there are major packing changes these developers need to be aware of - - [ ] flathub package maintainer: proletarius101(a)protonmail.com - - [ ] arch package maintainer: bootctl(a)gmail.com - - [ ] nixOS package maintainer: dev(a)felschr.com + - **Recipients** + - flathub package maintainer: proletarius101(a)protonmail.com + - arch package maintainer: bootctl(a)gmail.com + - nixOS package maintainer: dev(a)felschr.com + ``` + proletarius101(a)protonmail.com bootctl(a)gmail.com dev(a)felschr.com + ``` - **Subject** ``` - Mullvad Browser $(MULLVAD_BROWSER_VERSION) released + Mullvad Browser ${MULLVAD_BROWSER_VERSION} released ``` - **Body** ``` @@ -208,4 +244,3 @@ These steps depend on Mullvad having updated their [GitHub Releases](https://git /label ~"Release Prep" /label ~"Sponsor 131" - ===================================== .gitlab/issue_templates/Release Prep - Mullvad Browser Stable.md ===================================== @@ -1,82 +1,89 @@ +- **NOTE** It is assumed the `mullvad-browser` release rebase and security backport tasks have been completed +- **NOTE** This can/is often done in conjunction with the equivalent Tor Browser release prep issue + <details> <summary>Explanation of variables</summary> -- `$(BUILD_SERVER)` : the server the main builder is using to build a mullvad-browser release -- `$(BUILDER)` : whomever is building the release on the $(BUILD_SERVER) - - **example** : `pierov` -- `$(STAGING_SERVER)` : the server the signer is using to to run the signing process -- `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building mullvad-browser tags, labels, etc - - **example** : `91.6.0` -- `$(MULLVAD_BROWSER_MAJOR)` : the Mullvad Browser major version - - **example** : `11` -- `$(MULLVAD_BROWSER_MINOR)` : the Mullvad Browser minor version - - **example** : either `0` or `5`; Alpha's is always `(Stable + 5) % 10` -- `$(MULLVAD_BROWSER_VERSION)` : the Mullvad Browser version in the format - - **example** : `12.5a3`, `12.0.3` -- `$(BUILD_N)` : a project's build revision within a its branch; this is separate from the `$(MULLVAD_BROWSER_BUILD_N)` value; many of the Firefox-related projects have a `$(BUILD_N)` suffix and may differ between projects even when they contribute to the same build. - - **example** : `build1` -- `$(MULLVAD_BROWSER_BUILD_N)` : the mullvad-browser build revision for a given Mullvad Browser release; used in tagging git commits - - **example** : `build2` - - **NOTE** : A project's `$(BUILD_N)` and `$(MULLVAD_BROWSER_BUILD_N)` may be the same, but it is possible for them to diverge. For **example** : - - if we have multiple Mullvad Browser releases on a given ESR branch the two will become out of sync as the `$(BUILD_N)` value will increase, while the `$(MULLVAD_BROWSER_BUILD_N)` value may stay at `build1` (but the `$(MULLVAD_BROWSER_VERSION)` will increase) - - if we have build failures unrelated to `mullvad-browser`, the `$(MULLVAD_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same. -- `$(MULLVAD_BROWSER_VERSION)` : the published Mullvad Browser version - - **example** : `11.5a6`, `11.0.7` -- `$(MB_BUILD_TAG)` : the `tor-browser-build` build tag used to build a given Mullvad Browser version - - **example** : `mb-12.0.7-build1` -</details> - -**NOTE** It is assumed that the `tor-browser` stable rebase and security backport tasks have been completed +- `${BUILD_SERVER}`: the server the main builder is using to build a browser release +- `${BUILDER}`: whomever is building the release on the ${BUILD_SERVER} + - **example**: `pierov` +- `${STAGING_SERVER}`: the server the signer is using to to run the signing process +- `${ESR_VERSION}`: the Mozilla defined ESR version, used in various places for building browser tags, labels, etc + - **example**: `91.6.0` +- `${MULLVAD_BROWSER_MAJOR}`: the Mullvad Browser major version + - **example**: `11` +- `${MULLVAD_BROWSER_MINOR}`: the Mullvad Browser minor version + - **example**: either `0` or `5`; Alpha's is always `(Stable + 5) % 10` +- `${MULLVAD_BROWSER_VERSION}`: the Mullvad Browser version in the format + - **example**: `12.5a3`, `12.0.3` +- `${BUILD_N}`: a project's build revision within a its branch; this is separate from the `${MULLVAD_BROWSER_BUILD_N}` value; many of the Firefox-related projects have a `${BUILD_N}` suffix and may differ between projects even when they contribute to the same build. + - **example**: `build1` +- `${MULLVAD_BROWSER_BUILD_N}`: the mullvad-browser build revision for a given Mullvad Browser release; used in tagging git commits + - **example**: `build2` + - **⚠️ WARNING**: A project's `${BUILD_N}` and `${MULLVAD_BROWSER_BUILD_N}` may be the same, but it is possible for them to diverge. For **example** : + - if we have multiple Mullvad Browser releases on a given ESR branch the two will become out of sync as the `${BUILD_N}` value will increase, while the `${MULLVAD_BROWSER_BUILD_N}` value may stay at `build1` (but the `${MULLVAD_BROWSER_VERSION}` will increase) + - if we have build failures unrelated to `mullvad-browser`, the `${MULLVAD_BROWSER_BUILD_N}` value will increase while the `${BUILD_N}` will stay the same. +- `${MULLVAD_BROWSER_VERSION}`: the published Mullvad Browser version + - **example**: `11.5a6`, `11.0.7` +- `${MB_BUILD_TAG}`: the `tor-browser-build` build tag used to build a given Mullvad Browser version + - **example**: `mb-12.0.7-build1` +- `${RELEASE_DATE}`: the intended release date of this browser release; for ESR schedule-driven releases, this should match the upstream Firefox release date + - **example**: `2024-10-29` -**NOTE** This can/is often done in conjunction with the equivalent Tor Browser release prep issue +</details> <details> - <summary>Building</summary> + <summary>Build Configuration</summary> ### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git -Mullvad Browser Stable lives in the various `maint-$(MULLVAD_BROWSER_MAJOR).$(MULLVAD_BROWSER_MINOR)` (and possibly more specific) branches - -- [ ] Update `rbm.conf` - - [ ] `var/torbrowser_version` : update to next version - - [ ] `var/torbrowser_build` : update to `$(MULLVAD_BROWSER_BUILD_N)` - - [ ] `var/browser_release_date` : update to build date. For the build to be reproducible, the date should be in the past when building. - - [ ] `var/torbrowser_incremental_from` : update to previous Desktop version - - **NOTE**: We try to build incrementals for the previous 3 desktop versions except in the case of a watershed update - - **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make mullvadbrowser-incrementals-*` step will fail -- [ ] Update build configs - - [ ] Update `projects/firefox/config` - - [ ] `browser_build` : update to match `mullvad-browser` tag - - [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased - - [ ] Update `projects/translation/config`: - - [ ] run `make list_translation_updates-release` to get updated hashes - - [ ] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch - - [ ] `steps/mullvad-browser/git_hash` : update with `HEAD` commit of project's `mullvad-browser` branch -- [ ] Update common build configs - - [ ] Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript - - [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/browser/config` - - [ ] `URL` - - [ ] `sha256sum` - - [ ] Check for uBlock-origin updates here : https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/ - - [ ] ***(Optional)*** If new version available, update `ublock-origin` section of `input_files` in `projects/browser/config` - - [ ] `URL` - - [ ] `sha256sum` - - [ ] Check for Mullvad Browser Extension updates here : https://github.com/mullvad/browser-extension/releases - - [ ] ***(Optional)*** If new version available, update `mullvad-extension` section of `input_files` in `projects/browser/config` - - [ ] `URL` - - [ ] `sha256sum` -- [ ] Update `ChangeLog-MB.txt` - - [ ] Ensure `ChangeLog-MB.txt` is sync'd between alpha and stable branches - - [ ] Check the linked issues: ask people to check if any are missing, remove the not fixed ones - - [ ] Run `./tools/fetch-changelogs.py $(ISSUE_NUMBER) --date $date $updateArgs` - - Make sure you have `requests` installed (e.g., `apt install python3-requests`) - - The first time you run this script you will need to generate an access token; the script will guide you - - `$updateArgs` should be these arguments, depending on what you actually updated: - - [ ] `--firefox` (be sure to include esr at the end if needed, which is usually the case) - - [ ] `--no-script` - - [ ] `--ublock` - - E.g., `./tools/fetch-changelogs.py 41029 --date 'December 19 2023' --firefox 115.6.0esr --no-script 11.4.29 --ublock 1.54.0` - - `--date $date` is optional, if omitted it will be the date on which you run the command - - [ ] Copy the output of the script to the beginning of `ChangeLog-MB.txt` and adjust its output +Mullvad Browser Release are on the `maint-${MULLVAD_BROWSER_MAJOR}.${MULLVAD_BROWSER_MINOR}` branch + +- [ ] Tag `mullvad-browser` in mullvad-browser.git + - **example**: `mullvad-browser-128.3.0esr-14.0-1-build1` +- [ ] Changelog bookkeeping: + - [ ] Ensure all commits to `mullvad-browser` and `tor-browser-build` for this release have an associated issue linked to this release preparation issue + - [ ] Ensure each issue has a platform (~Windows, ~MacOS, ~Linux, ~Desktop, ~"All Platforms") and potentially ~"Build System" labels +- [ ] Create a release preparation branch from the current `maint-XX.Y` branch +- [ ] Run release preparation script: + - **NOTE**: You can omit the `--mullvad-browser` argument if this is for a joint Tor and Mullvad Browser release + ```bash + ./tools/relprep.py --mullvad-browser --date ${RELEASE_DATE} ${MULLVAD_BROWSER_VERSION} + ``` + - **⚠️ WARNING**: You may need to manually update the `firefox/config` file's `browser_build` field if `mullvad-browser.git` has not yet been tagged (e.g. if security backports have not yet been merged and tagged) +- [ ] Review build configuration changes: + - [ ] `rbm.conf` + - [ ] `var/torbrowser_version`: updated to next browser version + - [ ] `var/torbrowser_build`: updated to `${MULLVAD_BROWSER_BUILD_N}` + - [ ] `var/browser_release_date`: updated to build date. For the build to be reproducible, the date should be in the past when building. + - **⚠️ WARNING**: If we have updated `var/torbrowser_build` without updating the `firefox` tag, then we can leave this unchanged to avoid forcing a firefox re-build (e.g. when bumping `var/torbrwoser_build` to build2, build3, etc due to non-firefox related build issues) + - [ ] `var/torbrowser_incremental_from`: updated to previous Desktop version + - **NOTE**: We try to build incrementals for the previous 3 desktop versions + - **⚠️ WARNING**: Really *actually* make sure this is the previous Desktop version or else the `make torbrowser-incrementals-*` step will fail + - [ ] `projects/firefox/config` + - [ ] `browser_build`: updated to match `mullvad-browser` tag + - [ ] ***(Optional)*** `var/firefox_platform_version`: updated to latest `${ESR_VERSION}` if rebased + - [ ] ***(Optional)*** `projects/translation/config`: + - [ ] `steps/base-browser/git_hash`: updated with `HEAD` commit of project's `base-browser` branch + - [ ] `steps/mullvad-browser/git_hash`: updated with `HEAD` commit of project's `mullvad-browser` branch + - [ ] ***(Optional)*** `projects/browser/config`: + - [ ] NoScript: https://addons.mozilla.org/en-US/firefox/addon/noscript + - [ ] `URL` updated + - **⚠️ WARNING**: If preparing the release manually, updating the version number in the url is not sufficient, as each version has a random unique id in the download url + - [ ] `sha256sum` updated + - [ ] uBlock-origin: https://addons.mozilla.org/en-US/firefox/addon/ublock-origin + - [ ] `URL` updated + - **⚠️ WARNING**: If preparing the release manually, updating the version number in the url is not sufficient, as each version has a random unique id in the download url + - [ ] `sha256sum` updated + - [ ] Mullvad Browser extension: https://github.com/mullvad/browser-extension/releases + - [ ] `URL` updated + - [ ] `sha256sum` updated + - [ ] `ChangeLog-MB.txt`: ensure correctness + - [ ] Browser name correct + - [ ] Release date correct + - [ ] No Android updates + - [ ] All issues added under correct platform + - [ ] ESR updates correct + - [ ] Component updates correct - [ ] Open MR with above changes, using the template for release preparations - [ ] Merge - [ ] Sign+Tag @@ -86,16 +93,24 @@ Mullvad Browser Stable lives in the various `maint-$(MULLVAD_BROWSER_MAJOR).$(MU - ma1 - morgan - pierov - - [ ] Run: `make mullvadbrowser-signtag-release` + - [ ] Run: + ``` + make mullvadbrowser-signtag-release + ``` - [ ] Push tag to `upstream` - [ ] Build the tag: - - Run `make mullvadbrowser-release && make mullvadbrowser-incrementals-release` + - [ ] Run: + ``` + make mullvadbrowser-release && make mullvadbrowser-incrementals-release + ``` - [ ] Tor Project build machine - [ ] Local developer machine - [ ] Submit build request to Mullvad infrastructure: - **NOTE** this requires a devmole authentication token - - Run `make mullvadbrowser-kick-devmole-build` -- [ ] Ensure builders have matching builds + - [ ] Run: + ``` + make mullvadbrowser-kick-devmole-build + ``` </details> @@ -105,64 +120,79 @@ Mullvad Browser Stable lives in the various `maint-$(MULLVAD_BROWSER_MAJOR).$(MU ### release signing - [ ] Assign this issue to the signer, one of: - boklm + - ma1 - morgan -- [ ] On `$(STAGING_SERVER)`, ensure updated: - - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-$(MULLVAD_BROWSER_VERSION)-$(MULLVAD_BROWSER_BUILD_N) && git checkout tbb-$(MULLVAD_BROWSER_VERSION)-$(MULLVAD_BROWSER_BUILD_N)` - - [ ] `tor-browser-build/tools/signing/set-config.hosts` - - `ssh_host_builder` : ssh hostname of machine with unsigned builds - - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory) - - `ssh_host_linux_signer` : ssh hostname of linux signing machine + - pierov +- [ ] Ensure all builders have matching builds +- [ ] On `${STAGING_SERVER}`, ensure updated: + - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-${MULLVAD_BROWSER_VERSION}-${MULLVAD_BROWSER_BUILD_N} && git checkout tbb-${MULLVAD_BROWSER_VERSION}-${MULLVAD_BROWSER_BUILD_N}` + - [ ] `tor-browser-build/tools/signing/set-config.hosts` + - `ssh_host_builder`: ssh hostname of machine with unsigned builds + - `ssh_host_linux_signer`: ssh hostname of linux signing machine + - `builder_tor_browser_build_dir`: path on `ssh_host_builder` to root of builder's `tor-browser-build` clone containing unsigned builds - [ ] `tor-browser-build/tools/signing/set-config.rcodesign-appstoreconnect` - - `appstoreconnect_api_key_path` : path to json file containing appstoreconnect api key infos + - `appstoreconnect_api_key_path`: path to json file containing appstoreconnect api key infos - [ ] `set-config.update-responses` - - `update_responses_repository_dir` : directory where you cloned `git@gitlab.torproject.org:tpo/applications/mullvad-browser-update-responses.git` + - `update_responses_repository_dir`: directory where you cloned `git@gitlab.torproject.org:tpo/applications/mullvad-browser-update-responses.git` - [ ] `tor-browser-build/tools/signing/set-config.tbb-version` - - `tbb_version` : mullvad browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`) - - `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`) - - `tbb_version_type` : either `alpha` for alpha releases or `release` for stable releases -- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050 -- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, run do-all-signing script: - - `cd tor-browser-build/tools/signing/` - - `./do-all-signing.mullvadbrowser` -- **NOTE**: at this point the signed binaries should have been copied to `staticiforme` -- [ ] Update `staticiforme.torproject.org`: - - From `screen` session on `staticiforme.torproject.org`: - - [ ] Remove old release data from `/srv/dist-master.torproject.org/htdocs/mullvadbrowser` - - [ ] Static update components (again) : `static-update-component dist.torproject.org` + - `tbb_version`: mullvad browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`) + - `tbb_version_build`: the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`) + - `tbb_version_type`: either `alpha` for alpha releases or `release` for stable releases +- [ ] On `${STAGING_SERVER}` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050 +- [ ] On `${STAGING_SERVER}` in a separate `screen` session, run do-all-signing script: + - [ ] Run: + ``` + cd tor-browser-build/tools/signing/ && ./do-all-signing.mullvadbrowser + ``` + - **NOTE**: on successful execution, the signed binaries and mars should have been copied to `staticiforme` and update responses pushed </details> <details> <summary>Publishing</summary> +### website +- [ ] On `staticiforme.torproject.org`, remove old release and publish new: + - [ ] `/srv/dist-master.torproject.org/htdocs/mullvadbrowser` + - [ ] Run: + ``` + static-update-component dist.torproject.org + ``` + ### mullvad-browser (GitHub): https://github.com/mullvad/mullvad-browser/ - [ ] Assign this issue to someone with mullvad commit access, one of: - boklm - ma1 - morgan - pierov +- [ ] Sign+Tag additionally the `mullvad-browser.git` `firefox` commit used in build: + - **Tag**: `${MULLVAD_BROWSER_VERSION}` + - **example**: `12.5a7` + - **Message**: `${ESR_VERSION}esr-based ${MULLVAD_BROWSER_VERSION}` + - **example**: `102.12.0esr-based 12.5a7` - [ ] Push this release's associated `mullvad-browser.git` branch to github - [ ] Push this release's associated tags to github: - [ ] Firefox ESR tag - - **example** : `FIREFOX_102_12_0esr_BUILD1` + - **example**: `FIREFOX_102_12_0esr_BUILD1` - [ ] `base-browser` tag - - **example** : `base-browser-102.12.0esr-12.0-1-build1` - - [ ] `mullvad-browser` tag - - **example** : `mullvad-browser-102.12.0esr-12.0-1-build1` -- [ ] Sign+Tag additionally the `mullvad-browser.git` `firefox` commit used in build: - - **Tag**: `$(MULLVAD_BROWSER_VERSION)` - - **example** : `12.0.7` - - **Message**: `$(ESR_VERSION)esr-based $(MULLVAD_BROWSER_VERSION)` - - **example** : `102.12.0esr-based 12.0.7` - - [ ] Push tag to github - -### email -- [ ] **(Once branch+tags pushed to GitHub)** Email Mullvad with release information: - - [ ] support alias: support(a)mullvadvpn.net - - [ ] Rui: rui(a)mullvad.net + - **example**: `base-browser-102.12.0esr-12.0-1-build1` + - [ ] `mullvad-browser` build tag + - **example**: `mullvad-browser-102.12.0esr-12.0-1-build1` + - [ ] `mullvad-browser` release tag + - **example**: `12.0.11` + + +### Mullvad +- [ ] Email Mullvad with release information: + - **Recipients** + - Mullvad support alias: support(a)mullvadvpn.net + - Rui Hildt: rui(a)mullvad.net + ``` + support(a)mullvadvpn.net rui(a)mullvad.net + ``` - **Subject** ``` - New build: Mullvad Browser $(MULLVAD_BROWSER_VERION) (signed) + New build: Mullvad Browser ${MULLVAD_BROWSER_VERION} (signed) ``` - **Body** ``` @@ -170,27 +200,31 @@ Mullvad Browser Stable lives in the various `maint-$(MULLVAD_BROWSER_MAJOR).$(MU Branch+Tags have been pushed to Mullvad's GitHub repo. - - signed builds: https://dist.torproject.org/mullvadbrowser/$(MULLVAD_BROWSER_VERSION) - - update_response hashes: $(MULLVAD_UPDATE_RESPONSES_HASH) + - signed builds: https://dist.torproject.org/mullvadbrowser/${MULLVAD_BROWSER_VERSION} + - update_response hashes: ${MULLVAD_UPDATE_RESPONSES_HASH} changelog: + # paste changelog as quote here ... ``` </details> <details> - <summary>Downstream</summary> - -### notify packagers -These steps depend on Mullvad having updated their [GitHub Releases](https://github.com/mullvad/mullvad-browser/releases/) page with the latest release -- [ ] Email downstream consumers: - - [ ] flathub package maintainer: proletarius101(a)protonmail.com - - [ ] arch package maintainer: bootctl(a)gmail.com - - [ ] nixOS package maintainer: dev(a)felschr.com + <summary>Packaging</summary> + +### packagers +- [ ] **(Once Packages are pushed to GitHub)** + - **Recipients** + - flathub package maintainer: proletarius101(a)protonmail.com + - arch package maintainer: bootctl(a)gmail.com + - nixOS package maintainer: dev(a)felschr.com + ``` + proletarius101(a)protonmail.com bootctl(a)gmail.com dev(a)felschr.com + ``` - **Subject** ``` - Mullvad Browser $(MULLVAD_BROWSER_VERSION) released + Mullvad Browser ${MULLVAD_BROWSER_VERSION} released ``` - **Body** ``` @@ -204,11 +238,12 @@ These steps depend on Mullvad having updated their [GitHub Releases](https://git ``` ### merge requests -- [ ] homebrew: https://github.com/Homebrew/homebrew-cask/blob/master/Casks/m/mullvad-brows… - - **NOTE**: should just need to update `version` and `sha256` to latest +- [ ] **(Once Packages are pushed to GitHub)** + - [ ] homebrew: https://github.com/Homebrew/homebrew-cask/blob/master/Casks/m/mullvad-brows… + - **NOTE**: a bot seems to pick this up without needing our intervention these days + - **NOTE**: should just need to update `version` and `sha256` to latest </details> /label ~"Release Prep" -/label ~"Sponsor 131" - +/label ~"Sponsor 131" ===================================== .gitlab/issue_templates/Release Prep - Tor Browser Alpha.md ===================================== @@ -1,111 +1,113 @@ +- **NOTE** It is assumed the `tor-browser` alpha rebase and security backport tasks have been completed +- **NOTE** This can/is often done in conjunction with the equivalent Mullvad Browser release prep issue + <details> <summary>Explanation of variables</summary> -- `$(BUILD_SERVER)` : the server the main builder is using to build a tor-browser release -- `$(BUILDER)` : whomever is building the release on the $(BUILD_SERVER) - - **example** : `pierov` -- `$(STAGING_SERVER)` : the server the signer is using to to run the signing process -- `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc - - **example** : `91.6.0` -- `$(TOR_BROWSER_MAJOR)` : the Tor Browser major version - - **example** : `11` -- `$(TOR_BROWSER_MINOR)` : the Tor Browser minor version - - **example** : either `0` or `5`; Alpha's is always `(Stable + 5) % 10` -- `$(TOR_BROWSER_VERSION)` : the Tor Browser version in the format - - **example** : `12.5a3`, `12.0.3` -- `$(BUILD_N)` : a project's build revision within a its branch; this is separate from the `$(TOR_BROWSER_BUILD_N)` value; many of the Firefox-related projects have a `$(BUILD_N)` suffix and may differ between projects even when they contribute to the same build. - - **example** : `build1` -- `$(TOR_BROWSER_BUILD_N)` : the tor-browser build revision for a given Tor Browser release; used in tagging git commits - - **example** : `build2` - - **NOTE** : A project's `$(BUILD_N)` and `$(TOR_BROWSER_BUILD_N)` may be the same, but it is possible for them to diverge. For example : - - if we have multiple Tor Browser releases on a given ESR branch the two will become out of sync as the `$(BUILD_N)` value will increase, while the `$(TOR_BROWSER_BUILD_N)` value may stay at `build1` (but the `$(TOR_BROWSER_VERSION)` will increase) - - if we have build failures unrelated to `tor-browser`, the `$(TOR_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same. -- `$(TOR_BROWSER_VERSION)` : the published Tor Browser version - - **example** : `11.5a6`, `11.0.7` -- `$(TBB_BUILD_TAG)` : the `tor-browser-build` build tag used to build a given Tor Browser version - - **example** : `tbb-12.5a7-build1` -</details> +- `${BUILD_SERVER}`: the server the main builder is using to build a browser release +- `${BUILDER}`: whomever is building the release on the ${BUILD_SERVER} + - **example**: `pierov` +- `${STAGING_SERVER}`: the server the signer is using to to run the signing process +- `${ESR_VERSION}`: the Mozilla defined ESR version, used in various places for building browser tags, labels, etc + - **example**: `91.6.0` +- `${TOR_BROWSER_MAJOR}`: the Tor Browser major version + - **example**: `11` +- `${TOR_BROWSER_MINOR}`: the Tor Browser minor version + - **example**: either `0` or `5`; Alpha's is always `(Stable + 5) % 10` +- `${TOR_BROWSER_VERSION}`: the Tor Browser version in the format + - **example**: `12.5a3`, `12.0.3` +- `${BUILD_N}`: a project's build revision within a its branch; this is separate from the `${TOR_BROWSER_BUILD_N}` value; many of the Firefox-related projects have a `${BUILD_N}` suffix and may differ between projects even when they contribute to the same build. + - **example**: `build1` +- `${TOR_BROWSER_BUILD_N}`: the tor-browser build revision for a given Tor Browser release; used in tagging git commits + - **example**: `build2` + - **⚠️ WARNING**: A project's `${BUILD_N}` and `${TOR_BROWSER_BUILD_N}` may be the same, but it is possible for them to diverge. For example : + - if we have multiple Tor Browser releases on a given ESR branch the two will become out of sync as the `${BUILD_N}` value will increase, while the `${TOR_BROWSER_BUILD_N}` value may stay at `build1` (but the `${TOR_BROWSER_VERSION}` will increase) + - if we have build failures unrelated to `tor-browser`, the `${TOR_BROWSER_BUILD_N}` value will increase while the `${BUILD_N}` will stay the same. +- `${TOR_BROWSER_VERSION}`: the published Tor Browser version + - **example**: `11.5a6`, `11.0.7` +- `${TBB_BUILD_TAG}`: the `tor-browser-build` build tag used to build a given Tor Browser version + - **example**: `tbb-12.5a7-build1` +- `${RELEASE_DATE}`: the intended release date of this browser release; for ESR schedule-driven releases, this should match the upstream Firefox release date + - **example**: `2024-10-29` -**NOTE** It is assumed that the `tor-browser` stable rebase and security backport tasks have been completed -**NOTE** This can/is often done in conjunction with the equivalent Mullvad Browser release prep issue +</details> <details> - <summary>Building</summary> + <summary>Build Configuration</summary> ### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git Tor Browser Alpha (and Nightly) are on the `main` branch -- [ ] Update `rbm.conf` - - [ ] `var/torbrowser_version` : update to next version - - [ ] `var/torbrowser_build` : update to `$(TOR_BROWSER_BUILD_N)` - - [ ] `var/browser_release_date` : update to build date. For the build to be reproducible, the date should be in the past when building. - - [ ] ***(Desktop Only)*** `var/torbrowser_incremental_from` : update to previous Desktop version - - **NOTE**: We try to build incrementals for the previous 3 desktop versions except in the case of a watershed update - - **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make torbrowser-incrementals-*` step will fail -- [ ] Update Desktop-specific build configs - - [ ] Update `projects/firefox/config` - - [ ] `browser_build` : update to match `tor-browser` tag - - [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased -- [ ] Update Android-specific build configs - - [ ] Update `projects/geckoview/config` - - [ ] `browser_build` : update to match `tor-browser` tag - - [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased - - [ ] ***(Optional)*** Update `projects/application-services/config`: - **NOTE** we don't currently have any of our own patches for this project - - [ ] `git_hash` : update to appropriate git commit associated with `$(ESR_VERSION)` -- [ ] Update `projects/translation/config`: - - [ ] run `make list_translation_updates-alpha` to get updated hashes - - [ ] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch - - [ ] `steps/tor-browser/git_hash` : update with `HEAD` commit of project's `tor-browser` branch - - [ ] `steps/fenix/git_hash` : update with `HEAD` commit of project's `fenix-torbrowserstringsxml` branch -- [ ] Update common build configs - - [ ] Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript - - [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/browser/config` - - [ ] `URL` - - [ ] `sha256sum` - - [ ] Check for OpenSSL updates here : https://www.openssl.org/source/ - - [ ] ***(Optional)*** If new 3.0.X version available, update `projects/openssl/config` - - [ ] `version` : update to next 3.0.X version - - [ ] `input_files/sha256sum` : update to sha256 sum of source tarball - - [ ] Check for zlib updates here: https://github.com/madler/zlib/releases - - [ ] **(Optional)** If new tag available, update `projects/zlib/config` - - [ ] `version` : update to next release tag - - [ ] Check for Zstandard updates here: https://github.com/facebook/zstd/releases - - [ ] **(Optional)** If new tag available, update `projects/zstd/config` - - [ ] `version` : update to next release tag - - [ ] `git_hash`: update to the commit corresponding to the tag (we don't check signatures for Zstandard) - - [ ] Check for tor updates here : https://gitlab.torproject.org/tpo/core/tor/-/tags - - [ ] ***(Optional)*** Update `projects/tor/config` - - [ ] `version` : update to latest `-alpha` tag or release tag if newer (ping dgoulet or ahf if unsure) - - [ ] Check for go updates here : https://go.dev/dl - - **NOTE** : In general, Tor Browser Alpha uses the latest Stable major series Go version, but there are sometimes exceptions. Check with the anti-censorship team before doing a major version update in case there is incompatibilities. - - [ ] ***(Optional)*** Update `projects/go/config` - - [ ] `version` : update go version - - [ ] `input_files/sha256sum` for `go` : update sha256sum of archive (sha256 sums are displayed on the go download page) - - [ ] Check for manual updates by running (from `tor-browser-build` root): `./tools/update_manual.py` - - [ ] ***(Optional)*** If new version is available: - - [ ] Upload the downloaded `manual_$PIPELINEID.zip` file to `tb-build-02.torproject.org` - - The script will tell if it's necessary to - - [ ] Deploy to `tb-builder`'s `public_html` directory: - - `sudo -u tb-builder cp manual_$PIPELINEID.zip ~tb-builder/public_html/.` - - [ ] Add `projects/manual/config` to the stage area if the script updated it. -- [ ] Update `ChangeLog-TBB.txt` - - [ ] Ensure `ChangeLog-TBB.txt` is sync'd between alpha and stable branches - - [ ] Check the linked issues: ask people to check if any are missing, remove the not fixed ones - - [ ] Run `./tools/fetch_changelogs.py $(ISSUE_NUMBER) --date $date $updateArgs` - - Make sure you have `requests` installed (e.g., `apt install python3-requests`) - - The first time you run this script you will need to generate an access token; the script will guide you - - `$updateArgs` should be these arguments, depending on what you actually updated: - - [ ] `--firefox` (be sure to include esr at the end if needed, which is usually the case) - - [ ] `--tor` - - [ ] `--no-script` - - [ ] `--openssl` - - [ ] `--zlib` - - [ ] `--zstd` - - [ ] `--go` - - E.g., `./tools/fetch_changelogs.py 41028 --date 'December 19 2023' --firefox 115.6.0esr --tor 0.4.8.10 --no-script 11.4.29 --zlib 1.3 --go 1.21.5 --openssl 3.0.12` - - `--date $date` is optional, if omitted it will be the date on which you run the command - - [ ] Copy the output of the script to the beginning of `ChangeLog-TBB.txt` and adjust its output +- [ ] Tag `tor-browser` in tor-browser.git + - **example**: `tor-browser-128.3.0esr-14.0-1-build1` +- [ ] Changelog bookkeeping: + - [ ] Ensure all commits to `tor-browser` and `tor-browser-build` for this release have an associated issue linked to this release preparation issue + - [ ] Ensure each issue has a platform (~Windows, ~MacOS, ~Linux, ~Android, ~Desktop, ~"All Platforms") and potentially ~"Build System" labels +- [ ] Create a release preparation branch from the `main` branch +- [ ] Run release preparation script: + - **NOTE**: You can omit the `--tor-browser` argument if this is for a jointt Tor and Mullvad Browser release + ```bash + ./tools/relprep.py --tor-browser --date ${RELEASE_DATE} ${TOR_BROWSER_VERSION} + ``` + - **⚠️ WARNING**: You may need to manually update the `firefox/config` and `geckoview/config` files' `browser_build` field if `tor-browser.git` has not yet been tagged (e.g. if security backports have not yet been merged and tagged) +- [ ] Review build configuration changes: + - [ ] `rbm.conf` + - [ ] `var/torbrowser_version`: updated to next browser version + - [ ] `var/torbrowser_build`: updated to `${TOR_BROWSER_BUILD_N}` + - [ ] `var/browser_release_date`: updated to build date. For the build to be reproducible, the date should be in the past when building. + - **⚠️ WARNING**: If we have updated `var/torbrowser_build` without updating the `firefox` or `geckoview` tags, then we can leave this unchanged to avoid forcing a firefox re-build (e.g. when bumping `var/torbrwoser_build` to build2, build3, etc due to non-firefox related build issues) + - [ ] ***(Desktop Only)*** `var/torbrowser_incremental_from`: updated to previous Desktop version + - **NOTE**: We try to build incrementals for the previous 3 desktop versions + - **⚠️ WARNING**: Really *actually* make sure this is the previous Desktop version or else the `make torbrowser-incrementals-*` step will fail + - [ ] `projects/firefox/config` + - [ ] `browser_build`: updated to match `tor-browser` tag + - [ ] ***(Optional)*** `var/firefox_platform_version`: updated to latest `${ESR_VERSION}` if rebased + - [ ] `projects/geckoview/config` + - [ ] `browser_build`: updated to match `tor-browser` tag + - [ ] ***(Optional)*** `var/firefox_platform_version`: updated to latest `${ESR_VERSION}` if rebased + - [ ] ***(Optional)*** `projects/translation/config`: + - [ ] `steps/base-browser/git_hash`: updated with `HEAD` commit of project's `base-browser` branch + - [ ] `steps/tor-browser/git_hash`: updated with `HEAD` commit of project's `tor-browser` branch + - [ ] `steps/fenix/git_hash`: updated with `HEAD` commit of project's `fenix-torbrowserstringsxml` branch + - [ ] ***(Optional)*** `projects/browser/config`: + - [ ] NoScript: https://addons.mozilla.org/en-US/firefox/addon/noscript + - [ ] `URL` updated + - **⚠️ WARNING**: If preparing the release manually, updating the version number in the url is not sufficient, as each version has a random unique id in the download url + - [ ] `sha256sum` updated + - [ ] ***(Optional)*** `projects/openssl/config`: https://www.openssl.org/source/ + - **NOTE**: Only if new LTS version (3.0.X currrently) available + - [ ] `version`: updated to next LTS version + - [ ] `input_files/sha256sum`: updated to sha256 sum of source tarball + - [ ] **(Optional)** `projects/zlib/config`: https://github.com/madler/zlib/releases + - **NOTE**: Only if new tag available + - [ ] `version`: updated to next release tag + - [ ] **(Optional)** `projects/zstd/config`: https://github.com/facebook/zstd/releases + - **NOTE**: Only if new tag available; Android-only for now + - [ ] `version`: updated to next release tag + - [ ] `git_hash`: updated to the commit corresponding to the tag (we don't check signatures for Zstandard) + - [ ] **(Optional)** `projects/tor/config` https://gitlab.torproject.org/tpo/core/tor/-/tags + - [ ] `version`: updated to latest `-alpha` tag or release tag if newer (ping **dgoulet** or **ahf** if unsure) + - [ ] **(Optional)** `projects/go/config` https://go.dev/dl + - **NOTE**: In general, Tor Browser Alpha uses the latest Stable major series Go version, but there are sometimes exceptions. Check with the anti-censorship team before doing a major version update in case there is incompatibilities. + - [ ] `version`: updated go version + - [ ] `input_files/sha256sum` for `go`: update sha256sum of archive (sha256 sums are displayed on the go download page) + - [ ] **(Optional)** `projects/manual/config` + - [ ] `version`: updated to latest pipeline id + - [ ] `input_files/shasum` for `manual`: updated to manual hash + - [ ] Upload the downloaded `manual_${PIPELINEID}.zip` file to `tb-build-02.torproject.org` + - [ ] Deploy to `tb-builder`'s `public_html` directory: + - [ ] Run: + ``` + sudo -u tb-builder cp manual_${PIPELINEID}.zip ~tb-builder/public_html/. + ``` + - [`sudo` documentation for TPO machines](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/doc/accounts#c… + - [ ] `ChangeLog-TBB.txt`: ensure correctness + - [ ] Browser name correct + - [ ] Release date correct + - [ ] No Android updates on a desktop-only release and vice-versa + - [ ] All issues added under correct platform + - [ ] ESR updates correct + - [ ] Component updates correct - [ ] Open MR with above changes, using the template for release preparations - [ ] Merge - [ ] Sign+Tag @@ -115,55 +117,52 @@ Tor Browser Alpha (and Nightly) are on the `main` branch - ma1 - morgan - pierov - - [ ] Run: `make torbrowser-signtag-alpha` + - [ ] Run: + ``` + make torbrowser-signtag-alpha + ``` - [ ] Push tag to `upstream` - [ ] Build the tag: - - Run `make torbrowser-alpha && make torbrowser-incrementals-alpha` + - [ ] Run: + ``` + make torbrowser-alpha && make torbrowser-incrementals-alpha + ``` - [ ] Tor Project build machine - [ ] Local developer machine - [ ] Submit build request to Mullvad infrastructure: - **NOTE** this requires a devmole authentication token - - Run `make torbrowser-kick-devmole-build` -- [ ] Ensure builders have matching builds + - [ ] Run: + ``` + make torbrowser-kick-devmole-build + ``` </details> <details> - <summary>Communications</summary> - -### notify stakeholders -- [ ] **(Once builds confirmed matching)** Email tor-qa mailing list with release information - - [ ] tor-qa: tor-qa(a)lists.torproject.org - - **Subject** - ``` - Tor Browser $(TOR_BROWSER_VERION) (Android, Windows, macOS, Linux) - ``` - - **Body** - ``` - Hello, - - Unsigned Tor Browser $(TOR_BROWSER_VERSION) alpha candidate builds are now available for testing: - - - https://tb-build-02.torproject.org/~$(BUILDER)/builds/torbrowser/alpha/unsi… - - The full changelog can be found here: - - - https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/raw/$(TB… - ``` -- [ ] ***(Optional, only around build/packaging changes)*** Email packagers: - - [ ] Tails dev mailing list: tails-dev(a)boum.org - - [ ] Guardian Project: nathan(a)guardianproject.info - - [ ] FreeBSD port: freebsd(a)sysctl.cz  - - [ ] OpenBSD port: caspar(a)schutijser.com  - - [ ] Anti-Censorship: meskio(a)torproject.org - - [ ] Note any changes which may affect packaging/downstream integration -- [ ] ***(Optional, only after internal API-breaking changes)*** Email downstream project maintainers: - - [ ] selenium-tor: matzfan(a)tempr.email  -- [ ] ***(Optional, after ESR migration)*** Email external partners: - - [ ] Cloudflare: ask-research(a)cloudflare.com - - **NOTE** : We need to provide them with updated user agent string so they can update their internal machinery to prevent Tor Browser users from getting so many CAPTCHAs - - [ ] Startpage: admin(a)startpage.com - - **NOTE** : Startpage also needs the updated user-agent string for better experience on their onion service sites. + <summary>Website</summary> + + ### downloads: https://gitlab.torproject.org/tpo/web/tpo.git + - [ ] `databags/versions.ini`: Update the downloads versions + - `torbrowser-stable/version`: catch-all for latest stable version + - `torbrowser-alpha/version`: catch-all for latest alpha version + - `torbrowser-legacy/version`: catch-all for latest ESR-115 version + - `torbrowser-*-stable/version`: platform-specific stable versions + - `torbrowser-*-alpha/version`: platform-specific alpha versions + - `torbrowser-*-legacy/version`: platform-specific legacy versions + - [ ] Push to origin as new branch and create MR + - [ ] Review + - [ ] Merge + - **⚠️ WARNING**: Do not deploy yet! + + ### blog: https://gitlab.torproject.org/tpo/web/blog.git + - [ ] Run `tools/signing/create-blog-post` which should create the new blog post from a template (edit set-config.blog to set you local blog directory) + - [ ] Note any ESR update + - [ ] Thank any users which have contributed patches + - [ ] **(Optional)** Draft any additional sections for new features which need testing, known issues, etc + - [ ] Push to origin as new branch and open MR + - [ ] Review + - [ ] Merge + - **⚠️ WARNING**: Do not deploy yet! </details> @@ -171,38 +170,33 @@ Tor Browser Alpha (and Nightly) are on the `main` branch <summary>Signing</summary> ### release signing -- **NOTE** : In practice, it's most efficient to have the blog post and website updates ready to merge, since signing doesn't take very long - [ ] Assign this issue to the signer, one of: - boklm + - ma1 - morgan -- [ ] On `$(STAGING_SERVER)`, ensure updated: - - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-$(TOR_BROWSER_VERSION)-$(TOR_BROWSER_BUILD_N) && git checkout tbb-$(TOR_BROWSER_VERSION)-$(TOR_BROWSER_BUILD_N)` + - pierov +- [ ] Ensure all builders have matching builds +- [ ] On `${STAGING_SERVER}`, ensure updated: + - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-${TOR_BROWSER_VERSION}-${TOR_BROWSER_BUILD_N} && git checkout tbb-${TOR_BROWSER_VERSION}-${TOR_BROWSER_BUILD_N}` - [ ] `tor-browser-build/tools/signing/set-config.hosts` - - `ssh_host_builder` : ssh hostname of machine with unsigned builds - - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory) - - `ssh_host_linux_signer` : ssh hostname of linux signing machine + - `ssh_host_builder`: ssh hostname of machine with unsigned builds + - `ssh_host_linux_signer`: ssh hostname of linux signing machine + - `builder_tor_browser_build_dir`: path on `ssh_host_builder` to root of builder's `tor-browser-build` clone containing unsigned builds - [ ] `tor-browser-build/tools/signing/set-config.rcodesign-appstoreconnect` - - `appstoreconnect_api_key_path` : path to json file containing appstoreconnect api key infos + - `appstoreconnect_api_key_path`: path to json file containing appstoreconnect api key infos - [ ] `set-config.update-responses` - - `update_responses_repository_dir` : directory where you cloned `git@gitlab.torproject.org:tpo/applications/tor-browser-update-responses.git` + - `update_responses_repository_dir`: directory where you cloned `git@gitlab.torproject.org:tpo/applications/tor-browser-update-responses.git` - [ ] `tor-browser-build/tools/signing/set-config.tbb-version` - - `tbb_version` : tor browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`) - - `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`) - - `tbb_version_type` : either `alpha` for alpha releases or `release` for stable releases -- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050 -- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, run do-all-signing script: - - `cd tor-browser-build/tools/signing/` - - `./do-all-signing.torbrowser` -- **NOTE**: at this point the signed binaries should have been copied to `staticiforme` -- [ ] Update `staticiforme.torproject.org`: - - From `screen` session on `staticiforme.torproject.org`: - - [ ] Static update components : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org` - - [ ] Enable update responses : `sudo -u tb-release ./deploy_update_responses-alpha.sh` - - [ ] Remove old release data from following places: - - **NOTE** : Skip this step if we need to hold on to older versions for some reason (for example, this is an Andoid or Desktop-only release, or if we need to hold back installers in favor of build-to-build updates if there are signing issues, etc) - - [ ] `/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser` - - [ ] `/srv/dist-master.torproject.org/htdocs/torbrowser` - - [ ] Static update components (again) : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org` + - `tbb_version`: tor browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`) + - `tbb_version_build`: the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`) + - `tbb_version_type`: either `alpha` for alpha releases or `release` for stable releases +- [ ] On `${STAGING_SERVER}` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050 +- [ ] On `${STAGING_SERVER}` in a separate `screen` session, run do-all-signing script: + - [ ] Run: + ``` + cd tor-browser-build/tools/signing/ && ./do-all-signing.torbrowser + ``` + - **NOTE**: on successful execution, the signed binaries and mars should have been copied to `staticiforme` and update responses pushed </details> @@ -242,6 +236,26 @@ popd <details> <summary>Publishing</summary> +### website +- [ ] On `staticiforme.torproject.org`, static update components: + ``` + static-update-component cdn.torproject.org && static-update-component dist.torproject.org + ``` +- [ ] Deploy `tor-website` MR +- [ ] Deploy `tor-blog` MR +- [ ] On `staticiforme.torproject.org`, enable update responses: + ``` + sudo -u tb-release ./deploy_update_responses-alpha.sh + ``` +- [ ] On `staticiforme.torproject.org`, remove old release: + - **NOTE**: Skip this step if we need to hold on to older versions for some reason (for example, this is an Andoid or Desktop-only release, or if we need to hold back installers in favor of build-to-build updates if there are signing issues, etc) + - [ ] `/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser` + - [ ] `/srv/dist-master.torproject.org/htdocs/torbrowser` + - [ ] Run: + ``` + static-update-component cdn.torproject.org && static-update-component dist.torproject.org + ``` + ### Google Play: https://play.google.com/apps/publish - [ ] Publish APKs to Google Play: - Select `Tor Browser (Alpha)` app @@ -256,46 +270,70 @@ popd - [ ] 100% rollout when publishing a security-driven release - [ ] Update rollout percentage to 100% after confirmed no major issues -### website: https://gitlab.torproject.org/tpo/web/tpo.git -- [ ] `databags/versions.ini` : Update the downloads versions - - `torbrowser-stable/version` : sort of a catch-all for latest stable version - - `torbrowser-alpha/version` : sort of a catch-all for latest stable version - - `torbrowser-*-stable/version` : platform-specific stable versions - - `torbrowser-*-alpha/version` : platform-specific alpha versions - - `tor-stable`,`tor-alpha` : set by tor devs, do not touch -- [ ] Push to origin as new branch, open 'Draft :' MR -- [ ] Remove `Draft:` from MR once signed-packages are accessible on https://dist.torproject.org -- [ ] Merge -- [ ] Publish after CI passes and builds are published - -### blog: https://gitlab.torproject.org/tpo/web/blog.git -- [ ] Run `tools/signing/create-blog-post` which should create the new blog post from a template (edit set-config.blog to set you local blog directory) - - [ ] Note any ESR update - - [ ] Note any updates to dependencies (OpenSSL, zlib, NoScript, tor, etc) - - [ ] Thank any users which have contributed patches - - [ ] **(Optional)** Draft any additional sections for new features which need testing, known issues, etc -- [ ] Push to origin as new branch, open `Draft:` MR -- [ ] Merge once signed-packages are accessible on https://dist.torproject.org -- [ ] Publish after CI passes and website has been updated +</details> + +<details> + <summary>Communications</summary> ### tor-announce mailing list -- [ ] Email tor-announce mailing list: tor-announce(a)lists.torproject.org +- [ ] Email tor-announce mailing list + - **Recipients** + ``` + tor-announce(a)lists.torproject.org + ``` - **Subject** ``` - New Release: Tor Browser $(TOR_BROWSER_VERSION) (Android, Windows, macOS, Linux) + New Release: Tor Browser ${TOR_BROWSER_VERSION} (Android, Windows, macOS, Linux) ``` - **Body** ``` Hi everyone, - Tor Browser $(TOR_BROWSER_VERSION) has now been published for all platforms. For details please see our blog post: - - $(BLOG_POST_URL) + Tor Browser ${TOR_BROWSER_VERSION} has now been published for all platforms. For details please see our blog post: + - ${BLOG_POST_URL} Changelog: - # paste changleog as quote here + # paste changelog as quote here + ``` + +### packagers +- [ ] ***(Optional, only around build/packaging changes)*** Email packagers: + - **Recipients** + - Tails dev mailing list: tails-dev(a)boum.org + - Guardian Project: nathan(a)guardianproject.info + - FreeBSD port: freebsd(a)sysctl.cz  + - OpenBSD port: caspar(a)schutijser.com  + - torbrowser-launcher: mail(a)asciiwolf.com  + - Anti-Censorship: meskio(a)torproject.org  + ``` + tails-dev(a)boum.org nathan(a)guardianproject.info freebsd(a)sysctl.cz caspar(a)schutijser.com mail(a)asciiwolf.com meskio(a)torproject.org + ``` + - **Subject** ``` + New Release: Tor Browser ${TOR_BROWSER_VERSION} (Android, Windows, macOS, Linux) + ``` + - [ ] Note any changes which may affect packaging/downstream integration + +### downstream projects +- [ ] ***(Optional, only after internal API-breaking changes)*** Email downstream project maintainers: + - **Recipients** + - selenium-tor: matzfan(a)tempr.email  + ``` + matzfan(a)tempr.email + ``` + - **Subject** + ``` + Breaking Changes in Tor Browser ${TOR_BROWSER_VERSION} + ``` + - [ ] Note any internal API changes which may affect browser automation + +### upstream services +- [ ] ***(Optional, after ESR migration)*** Email external partners: + - [ ] Cloudflare: ask-research(a)cloudflare.com + - **NOTE**: We need to provide them with updated user agent string so they can update their internal machinery to prevent Tor Browser users from getting so many CAPTCHAs + - [ ] Startpage: admin(a)startpage.com + - **NOTE**: Startpage also needs the updated user-agent string for better experience on their onion service sites. </details> /label ~"Release Prep" - ===================================== .gitlab/issue_templates/Release Prep - Tor Browser Legacy.md ===================================== @@ -0,0 +1,311 @@ +- **NOTE** It is assumed the `tor-browser` release rebase and security backport tasks have been completed + +<details> + <summary>Explanation of variables</summary> + +- `${BUILD_SERVER}`: the server the main builder is using to build a browser release +- `${BUILDER}`: whomever is building the release on the ${BUILD_SERVER} + - **example**: `pierov` +- `${STAGING_SERVER}`: the server the signer is using to to run the signing process +- `${ESR_VERSION}`: the Mozilla defined ESR version, used in various places for building browser tags, labels, etc + - **example**: `91.6.0` +- `${TOR_BROWSER_MAJOR}`: the Tor Browser major version + - **example**: `11` +- `${TOR_BROWSER_MINOR}`: the Tor Browser minor version + - **example**: either `0` or `5`; Alpha's is always `(Stable + 5) % 10` +- `${TOR_BROWSER_VERSION}`: the Tor Browser version in the format + - **example**: `12.5a3`, `12.0.3` +- `${BUILD_N}`: a project's build revision within a its branch; this is separate from the `${TOR_BROWSER_BUILD_N}` value; many of the Firefox-related projects have a `${BUILD_N}` suffix and may differ between projects even when they contribute to the same build. + - **example**: `build1` +- `${TOR_BROWSER_BUILD_N}`: the tor-browser build revision for a given Tor Browser release; used in tagging git commits + - **example**: `build2` + - **⚠️ WARNING**: A project's `${BUILD_N}` and `${TOR_BROWSER_BUILD_N}` may be the same, but it is possible for them to diverge. For example : + - if we have multiple Tor Browser releases on a given ESR branch the two will become out of sync as the `${BUILD_N}` value will increase, while the `${TOR_BROWSER_BUILD_N}` value may stay at `build1` (but the `${TOR_BROWSER_VERSION}` will increase) + - if we have build failures unrelated to `tor-browser`, the `${TOR_BROWSER_BUILD_N}` value will increase while the `${BUILD_N}` will stay the same. +- `${TOR_BROWSER_VERSION}`: the published Tor Browser version + - **example**: `11.5a6`, `11.0.7` +- `${TBB_BUILD_TAG}`: the `tor-browser-build` build tag used to build a given Tor Browser version + - **example**: `tbb-12.5a7-build1` +- `${RELEASE_DATE}`: the intended release date of this browser release; for ESR schedule-driven releases, this should match the upstream Firefox release date + - **example**: `2024-10-29` + +</details> + +<details> + <summary>Build Configuration</summary> + +### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git +Tor Browser Legacy is on the `maint-13.5` branch + +- [ ] Tag `tor-browser` in tor-browser.git + - **example**: `tor-browser-115.17.0esr-13.5-1-build1` +- [ ] Changelog bookkeeping: + - [ ] Ensure all commits to `tor-browser` and `tor-browser-build` for this release have an associated issue linked to this release preparation issue + - [ ] Ensure each issue has a platform (~Windows, ~MacOS, ~Desktop, ~"All Platforms") and potentially ~"Build System" labels +- [ ] Create a release preparation branch from the `maint-13.5` branch +- [ ] Run release preparation script: + ```bash + ./tools/relprep.py --tor-browser --date ${RELEASE_DATE} ${TOR_BROWSER_VERSION} + ``` + - **⚠️ WARNING**: You may need to manually update the `firefox/config` file's `browser_build` field if `tor-browser.git` has not yet been tagged (e.g. if security backports have not yet been merged and tagged) +- [ ] Review build configuration changes: + - [ ] `rbm.conf` + - [ ] `var/torbrowser_version`: updated to next browser version + - [ ] `var/torbrowser_build`: updated to `${TOR_BROWSER_BUILD_N}` + - [ ] `var/browser_release_date`: updated to build date. For the build to be reproducible, the date should be in the past when building. + - **⚠️ WARNING**: If we have updated `var/torbrowser_build` without updating the `firefox`, then we can leave this unchanged to avoid forcing a firefox re-build (e.g. when bumping `var/torbrwoser_build` to build2, build3, etc due to non-firefox related build issues) + - [ ] ***(Desktop Only)*** `var/torbrowser_incremental_from`: updated to previous Desktop version + - **NOTE**: We try to build incrementals for the previous 3 desktop versions + - **⚠️ WARNING**: Really *actually* make sure this is the previous Desktop version or else the `make torbrowser-incrementals-*` step will fail + - [ ] `projects/firefox/config` + - [ ] `browser_build`: updated to match `tor-browser` tag + - [ ] ***(Optional)*** `var/firefox_platform_version`: updated to latest `${ESR_VERSION}` if rebased + - [ ] ***(Optional)*** `projects/translation/config`: + - [ ] `steps/base-browser/git_hash`: updated with `HEAD` commit of project's `base-browser` branch + - [ ] `steps/tor-browser/git_hash`: updated with `HEAD` commit of project's `tor-browser` branch + - [ ] ***(Optional)*** `projects/browser/config`: + - [ ] NoScript: https://addons.mozilla.org/en-US/firefox/addon/noscript + - [ ] `URL` updated + - **⚠️ WARNING**: If preparing the release manually, updating the version number in the url is not sufficient, as each version has a random unique id in the download url + - [ ] `sha256sum` updated + - [ ] ***(Optional)*** `projects/openssl/config`: https://www.openssl.org/source/ + - **NOTE**: Only if new LTS version (3.0.X currrently) available + - [ ] `version`: updated to next LTS version + - [ ] `input_files/sha256sum`: updated to sha256 sum of source tarball + - [ ] **(Optional)** `projects/zlib/config`: https://github.com/madler/zlib/releases + - **NOTE**: Only if new tag available + - [ ] `version`: updated to next release tag + - [ ] **(Optional)** `projects/zstd/config`: https://github.com/facebook/zstd/releases + - **NOTE**: Only if new tag available + - [ ] `version`: updated to next release tag + - [ ] `git_hash`: updated to the commit corresponding to the tag (we don't check signatures for Zstandard) + - [ ] **(Optional)** `projects/tor/config` https://gitlab.torproject.org/tpo/core/tor/-/tags + - [ ] `version`: updated to latest non `-alpha` tag or release tag if newer (ping **dgoulet** or **ahf** if unsure) + - [ ] **(Optional)** `projects/go/config` https://go.dev/dl + - [ ] `go_1_22`: updated to latest 1.22 version + - [ ] `input_files/sha256sum` for `go`: update sha256sum of archive (sha256 sums are displayed on the go download page) + - [ ] **(Optional)** `projects/manual/config` + - [ ] `version`: updated to latest pipeline id + - [ ] `input_files/shasum` for `manual`: updated to manual hash + - [ ] Upload the downloaded `manual_${PIPELINEID}.zip` file to `tb-build-02.torproject.org` + - [ ] Deploy to `tb-builder`'s `public_html` directory: + - [ ] Run: + ``` + sudo -u tb-builder cp manual_${PIPELINEID}.zip ~tb-builder/public_html/. + ``` + - [`sudo` documentation for TPO machines](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/doc/accounts#c… + - [ ] `ChangeLog-TBB.txt`: ensure correctness + - [ ] Browser name correct + - [ ] Release date correct + - [ ] No Android updates + - [ ] All issues added under correct platform + - [ ] ESR updates correct + - [ ] Component updates correct +- [ ] Open MR with above changes, using the template for release preparations +- [ ] Merge +- [ ] Sign+Tag + - **NOTE** this must be done by one of: + - boklm + - dan + - ma1 + - morgan + - pierov + - [ ] Run: + ``` + make torbrowser-signtag-release + ``` + - [ ] Push tag to `upstream` +- [ ] Build the tag: + - [ ] Run: + ``` + make torbrowser-release && make torbrowser-incrementals-release + ``` + - [ ] Tor Project build machine + - [ ] Local developer machine + - [ ] Submit build request to Mullvad infrastructure: + - **NOTE** this requires a devmole authentication token + - [ ] Run: + ``` + make torbrowser-kick-devmole-build + ``` + +</details> + +<details> + <summary>Website</summary> + + ### downloads: https://gitlab.torproject.org/tpo/web/tpo.git + - [ ] `databags/versions.ini`: Update the downloads versions + - `torbrowser-stable/version`: catch-all for latest stable version + - `torbrowser-alpha/version`: catch-all for latest alpha version + - `torbrowser-legacy/version`: catch-all for latest ESR-115 version + - `torbrowser-*-stable/version`: platform-specific stable versions + - `torbrowser-*-alpha/version`: platform-specific alpha versions + - `torbrowser-*-legacy/version`: platform-specific legacy versions + - `tor-stable`,`tor-alpha`: set by tor devs, do not touch + - [ ] Push to origin as new branch and create MR + - [ ] Review + - [ ] Merge + - **⚠️ WARNING**: Do not deploy yet! + +</details> + +<details> + <summary>Signing</summary> + +### release signing +- [ ] Assign this issue to the signer, one of: + - boklm + - ma1 + - morgan + - pierov +- [ ] Ensure all builders have matching builds +- [ ] On `${STAGING_SERVER}`, ensure updated: + - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-${TOR_BROWSER_VERSION}-${TOR_BROWSER_BUILD_N} && git checkout tbb-${TOR_BROWSER_VERSION}-${TOR_BROWSER_BUILD_N}` + - [ ] `tor-browser-build/tools/signing/set-config.hosts` + - `ssh_host_builder`: ssh hostname of machine with unsigned builds + - `ssh_host_linux_signer`: ssh hostname of linux signing machine + - `builder_tor_browser_build_dir`: path on `ssh_host_builder` to root of builder's `tor-browser-build` clone containing unsigned builds + - [ ] `tor-browser-build/tools/signing/set-config.rcodesign-appstoreconnect` + - `appstoreconnect_api_key_path`: path to json file containing appstoreconnect api key infos + - [ ] `tor-browser-build/tools/signing/set-config.tbb-version` + - `tbb_version`: tor browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`) + - `tbb_version_build`: the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`) + - `tbb_version_type`: either `alpha` for alpha releases or `release` for stable releases +- [ ] On `${STAGING_SERVER}` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050 +- [ ] On `${STAGING_SERVER}` in a separate `screen` session, run do-all-signing script: + - [ ] Run: + ``` + cd tor-browser-build/tools/signing/ && ./do-all-signing.torbrowser + ``` + - **NOTE**: on successful execution, the signed binaries and mars should have been copied to `staticiforme` and update responses pushed + +</details> + +<details> + <summary>Signature verification</summary> + + <details> + <summary>Check whether the .exe files got properly signed and timestamped</summary> + +```bash +# Point OSSLSIGNCODE to your osslsigncode binary +pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION +OSSLSIGNCODE=/path/to/osslsigncode +../../../tools/authenticode_check.sh +popd +``` + + </details> + <details> + <summary>Check whether the MAR files got properly signed</summary> + +```bash +# Point NSSDB to your nssdb containing the mar signing certificate +# Point SIGNMAR to your signmar binary +# Point LD_LIBRARY_PATH to your mar-tools directory +pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION +NSSDB=/path/to/nssdb +SIGNMAR=/path/to/mar-tools/signmar +LD_LIBRARY_PATH=/path/to/mar-tools/ +../../../tools/marsigning_check.sh +popd +``` + + </details> +</details> + +<details> + <summary>Publishing</summary> + +### website +- [ ] On `staticiforme.torproject.org`, static update components: + ``` + static-update-component cdn.torproject.org && static-update-component dist.torproject.org + ``` +- [ ] Deploy `tor-website` MR +- [ ] On `staticiforme.torproject.org`, remove old release: + - **NOTE**: Skip this step if we need to hold on to older versions for some reason (for example, this is an Andoid or Desktop-only release, or if we need to hold back installers in favor of build-to-build updates if there are signing issues, etc) + - [ ] `/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser` + - [ ] `/srv/dist-master.torproject.org/htdocs/torbrowser` + - [ ] Run: + ``` + static-update-component cdn.torproject.org && static-update-component dist.torproject.org + ``` +- [ ] **(Optional)** Generate and deploy new update responses + - **NOTE**: This is only required if there will be no corresponding 14.0 release (i.e. this is an emergency legacy-only 13.5 release). Normally, legacy update responses are generated and deployed as part of the 14.0 release. + - **⚠️ WARNING**: This is a little bit off the beaten track, ping boklm or morgan if you have any doubts + - From the `maint-14.0` branch: + - [ ] Update `rbm.conf` + - [ ] `var/torbrowser_legacy_version`: update to `${TOR_BROWSER_VERSION}` + - **NOTE** this is the browser version for the legacy branch, not the 14.0 branch + - [ ] `var/torbrowser_legacy_platform_version`: update to `${ESR_VERSION}` + - **NOTE** this is ESR version for the legacy branch, not the 14.0 branch + - [ ] Generate update responses: + - [ ] Run: + ``` + make torbrowser-update_responses-release + ``` + - On `staticiforme.torproject.org`, deploy new update responses: + - **NOTE**: for now this is a bit janky, we should somehow update the workflow to be a bit less hacky + - [ ] Edit an existing `deploy_update_responses-release.sh` script in your `HOME` directory with the newly pushed commit hash + - **example**: (hash: `d938943`) + ```bash + #!/bin/bash + set -e + + echo "Deploying version 14.0" + echo "update_responses_commit: d938943" + + cd "/srv/aus1-master.torproject.org/htdocs/torbrowser" + git fetch + changed_files="$(git diff --name-only HEAD d938943)" + if echo "$changed_files" | grep -qv "release" + then + echo >&2 "Error: checking out new update_response_commit will changes" + echo >&2 "some files outside of the release directory:" + echo "$changed_files" | grep -v "release" >&2 + echo >&2 "--" + echo >&2 "If this is really what you want to do, edit this script to" + echo >&2 "remove the line 'exit 1' and run it again." + echo >&2 "See tor-browser-build#41168 for more details." + exit 1 + fi + git checkout "d938943" + + static-update-component aus1.torproject.org + ``` + - [ ] Enable update responses: + ```bash + sudo -u tb-release ./deploy_update_responses-release.sh + ``` + +</details> + +<details> + <summary>Communications</summary> + +### tor-announce mailing list +- [ ] Email tor-announce mailing list + - **Recipients** + ``` + tor-announce(a)lists.torproject.org + ``` + - **Subject** + ``` + New Release: Tor Browser ${TOR_BROWSER_VERSION} (Windows, macOS) + ``` + - **Body** + ``` + Hi everyone, + + Tor Browser ${TOR_BROWSER_VERSION} has now been published for legacy Windows and macOS platforms. For details please see our blog post: + - ${BLOG_POST_URL} + + Changelog: + # paste changelog as quote here + ``` + +</details> + +/label ~"Release Prep" ===================================== .gitlab/issue_templates/Release Prep - Tor Browser Stable.md ===================================== @@ -1,116 +1,113 @@ +- **NOTE** It is assumed the `tor-browser` release rebase and security backport tasks have been completed +- **NOTE** This can/is often done in conjunction with the equivalent Mullvad Browser release prep issue + <details> <summary>Explanation of variables</summary> -- `$(BUILD_SERVER)` : the server the main builder is using to build a tor-browser release -- `$(BUILDER)` : whomever is building the release on the $(BUILD_SERVER) - - **example** : `pierov` -- `$(STAGING_SERVER)` : the server the signer is using to to run the signing process -- `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc - - **example** : `91.6.0` -- `$(TOR_BROWSER_MAJOR)` : the Tor Browser major version - - **example** : `11` -- `$(TOR_BROWSER_MINOR)` : the Tor Browser minor version - - **example** : either `0` or `5`; Alpha's is always `(Stable + 5) % 10` -- `$(TOR_BROWSER_VERSION)` : the Tor Browser version in the format - - **example** : `12.5a3`, `12.0.3` -- `$(BUILD_N)` : a project's build revision within a its branch; this is separate from the `$(TOR_BROWSER_BUILD_N)` value; many of the Firefox-related projects have a `$(BUILD_N)` suffix and may differ between projects even when they contribute to the same build. - - **example** : `build1` -- `$(TOR_BROWSER_BUILD_N)` : the tor-browser build revision for a given Tor Browser release; used in tagging git commits - - **example** : `build2` - - **NOTE** : A project's `$(BUILD_N)` and `$(TOR_BROWSER_BUILD_N)` may be the same, but it is possible for them to diverge. For example : - - if we have multiple Tor Browser releases on a given ESR branch the two will become out of sync as the `$(BUILD_N)` value will increase, while the `$(TOR_BROWSER_BUILD_N)` value may stay at `build1` (but the `$(TOR_BROWSER_VERSION)` will increase) - - if we have build failures unrelated to `tor-browser`, the `$(TOR_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same. -- `$(TOR_BROWSER_VERSION)` : the published Tor Browser version - - **example** : `11.5a6`, `11.0.7` -- `$(TBB_BUILD_TAG)` : the `tor-browser-build` build tag used to build a given Tor Browser version - - **example** : `tbb-12.0.7-build1` -</details> +- `${BUILD_SERVER}`: the server the main builder is using to build a browser release +- `${BUILDER}`: whomever is building the release on the ${BUILD_SERVER} + - **example**: `pierov` +- `${STAGING_SERVER}`: the server the signer is using to to run the signing process +- `${ESR_VERSION}`: the Mozilla defined ESR version, used in various places for building browser tags, labels, etc + - **example**: `91.6.0` +- `${TOR_BROWSER_MAJOR}`: the Tor Browser major version + - **example**: `11` +- `${TOR_BROWSER_MINOR}`: the Tor Browser minor version + - **example**: either `0` or `5`; Alpha's is always `(Stable + 5) % 10` +- `${TOR_BROWSER_VERSION}`: the Tor Browser version in the format + - **example**: `12.5a3`, `12.0.3` +- `${BUILD_N}`: a project's build revision within a its branch; this is separate from the `${TOR_BROWSER_BUILD_N}` value; many of the Firefox-related projects have a `${BUILD_N}` suffix and may differ between projects even when they contribute to the same build. + - **example**: `build1` +- `${TOR_BROWSER_BUILD_N}`: the tor-browser build revision for a given Tor Browser release; used in tagging git commits + - **example**: `build2` + - **⚠️ WARNING**: A project's `${BUILD_N}` and `${TOR_BROWSER_BUILD_N}` may be the same, but it is possible for them to diverge. For example : + - if we have multiple Tor Browser releases on a given ESR branch the two will become out of sync as the `${BUILD_N}` value will increase, while the `${TOR_BROWSER_BUILD_N}` value may stay at `build1` (but the `${TOR_BROWSER_VERSION}` will increase) + - if we have build failures unrelated to `tor-browser`, the `${TOR_BROWSER_BUILD_N}` value will increase while the `${BUILD_N}` will stay the same. +- `${TOR_BROWSER_VERSION}`: the published Tor Browser version + - **example**: `11.5a6`, `11.0.7` +- `${TBB_BUILD_TAG}`: the `tor-browser-build` build tag used to build a given Tor Browser version + - **example**: `tbb-12.5a7-build1` +- `${RELEASE_DATE}`: the intended release date of this browser release; for ESR schedule-driven releases, this should match the upstream Firefox release date + - **example**: `2024-10-29` -**NOTE** It is assumed that the `tor-browser` stable rebase and security backport tasks have been completed -**NOTE** This can/is often done in conjunction with the equivalent Mullvad Browser release prep issue +</details> <details> - <summary>Building</summary> + <summary>Build Configuration</summary> ### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git -Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)` (and possibly more specific) branches. - -- [ ] Update `rbm.conf` - - [ ] `var/torbrowser_version` : update to next version - - [ ] `var/torbrowser_build` : update to `$(TOR_BROWSER_BUILD_N)` - - [ ] `var/browser_release_date` : update to build date. For the build to be reproducible, the date should be in the past when building. - - [ ] `var/torbrowser_legacy_version` : update to next version in the legacy-13.5 branch - - [ ] `var/torbrowser_legacy_platform_version` : update to firefox platform version in the legacy-13.5 branch - - [ ] ***(Desktop Only)***`var/torbrowser_incremental_from` : update to previous Desktop version - - **NOTE**: We try to build incrementals for the previous 3 desktop versions except in the case of a watershed update - - **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make torbrowser-incrementals-*` step will fail -- [ ] Update Desktop-specific build configs - - [ ] Update `projects/firefox/config` - - [ ] `browser_build` : update to match `tor-browser` tag - - [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased -- [ ] Update Android-specific build configs - - [ ] Update `projects/geckoview/config` - - [ ] `browser_build` : update to match `tor-browser` tag - - [ ] ***(Optional)*** `var/geckoview_version` : update to latest `$(ESR_VERSION)` if rebased - - [ ] ***(Optional)*** Update `projects/tor-android-service/config` - - [ ] `git_hash` : update with `HEAD` commit of project's `main` branch - - [ ] ***(Optional)*** Update `projects/application-services/config`: - **NOTE** we don't currently have any of our own patches for this project - - [ ] `git_hash` : update to appropriate git commit associated with `$(ESR_VERSION)` - - [ ] ***(Optional)*** Update `projects/firefox-android/config`: - - [ ] `fenix_version` : update to match stable `firefox-android` build tag - - [ ] `browser_branch` : update to match stable `firefox-android` build tag - - [ ] `browser_build` : update to match stable `firefox-android` build tag - variant: Beta -- [ ] Update `projects/translation/config`: - - [ ] run `make list_translation_updates-release` to get updated hashes - - [ ] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch - - [ ] `steps/tor-browser/git_hash` : update with `HEAD` commit of project's `tor-browser` branch - - [ ] `steps/fenix/git_hash` : update with `HEAD` commit of project's `fenix-torbrowserstringsxml` branch -- [ ] Update common build configs - - [ ] Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript - - [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/browser/config` - - [ ] `URL` - - [ ] `sha256sum` - - [ ] Check for OpenSSL updates here : https://www.openssl.org/source/ - - [ ] ***(Optional)*** If new 3.0.X version available, update `projects/openssl/config` - - [ ] `version` : update to next 3.0.X version - - [ ] `input_files/sha256sum` : update to sha256 sum of source tarball - - [ ] Check for zlib updates here: https://github.com/madler/zlib/releases - - [ ] **(Optional)** If new tag available, update `projects/zlib/config` - - [ ] `version` : update to next release tag - - [ ] Check for tor updates here : https://gitlab.torproject.org/tpo/core/tor/-/tags - - [ ] ***(Optional)*** Update `projects/tor/config` - - [ ] `version` : update to latest non `-alpha` tag (ping dgoulet or ahf if unsure) - - [ ] Check for go updates here : https://go.dev/dl - - **NOTE** : In general, Tor Browser Stable uses the latest of the *previous* Stable major series Go version, but there are sometimes exceptions. Check with the anti-censorship team before doing a major version update in case there is incompatibilities. - - [ ] ***(Optional)*** Update `projects/go/config` - - [ ] `version` : update go version - - [ ] `input_files/sha256sum` for `go` : update sha256sum of archive (sha256 sums are displayed on the go download page) - - [ ] Check for manual updates by running (from `tor-browser-build` root): `./tools/fetch-manual.py` - - [ ] ***(Optional)*** If new version is available: - - [ ] Upload the downloaded `manual_$PIPELINEID.zip` file to `tb-build-02.torproject.org` - - [ ] Deploy to `tb-builder`'s `public_html` directory: - - `sudo -u tb-builder cp manual_$PIPELINEID.zip ~tb-builder/public_html/.` - - [ ] Update `projects/manual/config`: - - [ ] Change the `version` to `$PIPELINEID` - - [ ] Update `sha256sum` in the `input_files` section -- [ ] Update `ChangeLog-TBB.txt` - - [ ] Ensure `ChangeLog-TBB.txt` is sync'd between alpha and stable branches - - [ ] Check the linked issues: ask people to check if any are missing, remove the not fixed ones - - [ ] Run `./tools/fetch-changelogs.py $(ISSUE_NUMBER) --date $date $updateArgs` - - Make sure you have `requests` installed (e.g., `apt install python3-requests`) - - The first time you run this script you will need to generate an access token; the script will guide you - - `$updateArgs` should be these arguments, depending on what you actually updated: - - [ ] `--firefox` (be sure to include esr at the end if needed, which is usually the case) - - [ ] `--tor` - - [ ] `--no-script` - - [ ] `--openssl` - - [ ] `--zlib` - - [ ] `--go` - - E.g., `./tools/fetch-changelogs.py 41028 --date 'December 19 2023' --firefox 115.6.0esr --tor 0.4.8.10 --no-script 11.4.29 --zlib 1.3 --go 1.21.5 --openssl 3.0.12` - - `--date $date` is optional, if omitted it will be the date on which you run the command - - [ ] Copy the output of the script to the beginning of `ChangeLog-TBB.txt` and adjust its output +Tor Browser Release are on the `maint-${TOR_BROWSER_MAJOR}.${TOR_BROWSER_MINOR}` branch + +- [ ] Tag `tor-browser` in tor-browser.git + - **example**: `tor-browser-128.3.0esr-14.0-1-build1` +- [ ] Changelog bookkeeping: + - [ ] Ensure all commits to `tor-browser` and `tor-browser-build` for this release have an associated issue linked to this release preparation issue + - [ ] Ensure each issue has a platform (~Windows, ~MacOS, ~Linux, ~Android, ~Desktop, ~"All Platforms") and potentially ~"Build System" labels +- [ ] Create a release preparation branch from the current `maint-XX.Y` branch +- [ ] Run release preparation script: + - **NOTE**: You can omit the `--tor-browser` argument if this is for a joint Tor and Mullvad Browser release + ```bash + ./tools/relprep.py --tor-browser --date ${RELEASE_DATE} ${TOR_BROWSER_VERSION} + ``` + - **⚠️ WARNING**: You may need to manually update the `firefox/config` and `geckoview/config` files' `browser_build` field if `tor-browser.git` has not yet been tagged (e.g. if security backports have not yet been merged and tagged) +- [ ] Review build configuration changes: + - [ ] `rbm.conf` + - [ ] `var/torbrowser_version`: updated to next browser version + - [ ] `var/torbrowser_build`: updated to `${TOR_BROWSER_BUILD_N}` + - [ ] `var/browser_release_date`: updated to build date. For the build to be reproducible, the date should be in the past when building. + - **⚠️ WARNING**: If we have updated `var/torbrowser_build` without updating the `firefox` or `geckoview` tags, then we can leave this unchanged to avoid forcing a firefox re-build (e.g. when bumping `var/torbrwoser_build` to build2, build3, etc due to non-firefox related build issues) + - [ ] ***(Desktop Only)*** `var/torbrowser_incremental_from`: updated to previous Desktop version + - **NOTE**: We try to build incrementals for the previous 3 desktop versions + - **⚠️ WARNING**: Really *actually* make sure this is the previous Desktop version or else the `make torbrowser-incrementals-*` step will fail +- [ ] `projects/firefox/config` + - [ ] `browser_build`: updated to match `tor-browser` tag + - [ ] ***(Optional)*** `var/firefox_platform_version`: updated to latest `${ESR_VERSION}` if rebased + - [ ] `projects/geckoview/config` + - [ ] `browser_build`: updated to match `tor-browser` tag + - [ ] ***(Optional)*** `var/firefox_platform_version`: updated to latest `${ESR_VERSION}` if rebased + - [ ] ***(Optional)*** `projects/translation/config`: + - [ ] `steps/base-browser/git_hash`: updated with `HEAD` commit of project's `base-browser` branch + - [ ] `steps/tor-browser/git_hash`: updated with `HEAD` commit of project's `tor-browser` branch + - [ ] `steps/fenix/git_hash`: updated with `HEAD` commit of project's `fenix-torbrowserstringsxml` branch + - [ ] ***(Optional)*** `projects/browser/config`: + - [ ] NoScript: https://addons.mozilla.org/en-US/firefox/addon/noscript + - [ ] `URL` updated + - **⚠️ WARNING**: If preparing the release manually, updating the version number in the url is not sufficient, as each version has a random unique id in the download url + - [ ] `sha256sum` updated + - [ ] ***(Optional)*** `projects/openssl/config`: https://www.openssl.org/source/ + - **NOTE**: Only if new LTS version (3.0.X currrently) available + - [ ] `version`: updated to next LTS version + - [ ] `input_files/sha256sum`: updated to sha256 sum of source tarball + - [ ] **(Optional)** `projects/zlib/config`: https://github.com/madler/zlib/releases + - **NOTE**: Only if new tag available + - [ ] `version`: updated to next release tag + - [ ] **(Optional)** `projects/zstd/config`: https://github.com/facebook/zstd/releases + - **NOTE**: Only if new tag available; Android-only for now + - [ ] `version`: updated to next release tag + - [ ] `git_hash`: updated to the commit corresponding to the tag (we don't check signatures for Zstandard) + - [ ] **(Optional)** `projects/tor/config` https://gitlab.torproject.org/tpo/core/tor/-/tags + - [ ] `version`: updated to latest non `-alpha` tag or release tag if newer (ping **dgoulet** or **ahf** if unsure) + - [ ] **(Optional)** `projects/go/config` https://go.dev/dl + - **NOTE**: In general, Tor Browser Alpha uses the latest Stable major series Go version, but there are sometimes exceptions. Check with the anti-censorship team before doing a major version update in case there is incompatibilities. + - [ ] `version`: updated go version + - [ ] `input_files/sha256sum` for `go`: update sha256sum of archive (sha256 sums are displayed on the go download page) + - [ ] **(Optional)** `projects/manual/config` + - [ ] `version`: updated to latest pipeline id + - [ ] `input_files/shasum` for `manual`: updated to manual hash + - [ ] Upload the downloaded `manual_${PIPELINEID}.zip` file to `tb-build-02.torproject.org` + - [ ] Deploy to `tb-builder`'s `public_html` directory: + - [ ] Run: + ``` + sudo -u tb-builder cp manual_${PIPELINEID}.zip ~tb-builder/public_html/. + ``` + - [`sudo` documentation for TPO machines](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/doc/accounts#c… + - [ ] `ChangeLog-TBB.txt`: ensure correctness + - [ ] Browser name correct + - [ ] Release date correct + - [ ] No Android updates on a desktop-only release and vice-versa + - [ ] All issues added under correct platform + - [ ] ESR updates correct + - [ ] Component updates correct - [ ] Open MR with above changes, using the template for release preparations - [ ] Merge - [ ] Sign+Tag @@ -120,47 +117,52 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE - ma1 - morgan - pierov - - [ ] Run: `make torbrowser-signtag-release` + - [ ] Run: + ``` + make torbrowser-signtag-release + ``` - [ ] Push tag to `upstream` - [ ] Build the tag: - - Run `make torbrowser-release && make torbrowser-incrementals-release` + - [ ] Run: + ``` + make torbrowser-release && make torbrowser-incrementals-release + ``` - [ ] Tor Project build machine - [ ] Local developer machine - [ ] Submit build request to Mullvad infrastructure: - **NOTE** this requires a devmole authentication token - - Run `make torbrowser-kick-devmole-build` -- [ ] Ensure builders have matching builds + - [ ] Run: + ``` + make torbrowser-kick-devmole-build + ``` </details> <details> - <summary>Communications</summary> - -### notify stakeholders -- [ ] **(Once builds confirmed matching)** Email tor-qa mailing list with release information - - [ ] tor-qa: tor-qa(a)lists.torproject.org - - **Subject** - ``` - Tor Browser $(TOR_BROWSER_VERION) (Android, Windows, macOS, Linux) - ``` - - **Body** - ``` - Hello, - - Unsigned Tor Browser $(TOR_BROWSER_VERSION) release candidate builds are now available for testing: - - - https://tb-build-02.torproject.org/~$(BUILDER)/builds/torbrowser/release/un… - - The full changelog can be found here: - - - https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/raw/$(TB… - ``` -- [ ] Email packagers: - - [ ] Tails dev mailing list: tails-dev(a)boum.org - - [ ] Guardian Project: nathan(a)guardianproject.info - - [ ] FreeBSD port: freebsd(a)sysctl.cz  - - [ ] OpenBSD port: caspar(a)schutijser.com  - - [ ] Note any changes which may affect packaging/downstream integration + <summary>Website</summary> + + ### downloads: https://gitlab.torproject.org/tpo/web/tpo.git + - [ ] `databags/versions.ini`: Update the downloads versions + - `torbrowser-stable/version`: catch-all for latest stable version + - `torbrowser-alpha/version`: catch-all for latest alpha version + - `torbrowser-legacy/version`: catch-all for latest ESR-115 version + - `torbrowser-*-stable/version`: platform-specific stable versions + - `torbrowser-*-alpha/version`: platform-specific alpha versions + - `torbrowser-*-legacy/version`: platform-specific legacy versions + - [ ] Push to origin as new branch and create MR + - [ ] Review + - [ ] Merge + - **⚠️ WARNING**: Do not deploy yet! + + ### blog: https://gitlab.torproject.org/tpo/web/blog.git + - [ ] Run `tools/signing/create-blog-post` which should create the new blog post from a template (edit set-config.blog to set you local blog directory) + - [ ] Note any ESR update + - [ ] Thank any users which have contributed patches + - [ ] **(Optional)** Draft any additional sections for new features which need testing, known issues, etc + - [ ] Push to origin as new branch and open MR + - [ ] Review + - [ ] Merge + - **⚠️ WARNING**: Do not deploy yet! </details> @@ -168,38 +170,36 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE <summary>Signing</summary> ### release signing -- **NOTE** : In practice, it's most efficient to have the blog post and website updates ready to merge, since signing doesn't take very long - [ ] Assign this issue to the signer, one of: - boklm + - ma1 - morgan -- [ ] On `$(STAGING_SERVER)`, ensure updated: - - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-$(TOR_BROWSER_VERSION)-$(TOR_BROWSER_BUILD_N) && git checkout tbb-$(TOR_BROWSER_VERSION)-$(TOR_BROWSER_BUILD_N)` + - pierov +- [ ] Ensure all builders have matching builds +- [ ] Verify the associated legacy `maint-13.5` release has been signed and deployed + - **⚠️ WARNING**: Do not continue if the legacy channel has not been fully signed and published yet; it is needed for update-response generation! + - **NOTE** Stable releases without a corresponding legacy release may ignore this +- [ ] On `${STAGING_SERVER}`, ensure updated: + - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-${TOR_BROWSER_VERSION}-${TOR_BROWSER_BUILD_N} && git checkout tbb-${TOR_BROWSER_VERSION}-${TOR_BROWSER_BUILD_N}` - [ ] `tor-browser-build/tools/signing/set-config.hosts` - - `ssh_host_builder` : ssh hostname of machine with unsigned builds - - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory) - - `ssh_host_linux_signer` : ssh hostname of linux signing machine + - `ssh_host_builder`: ssh hostname of machine with unsigned builds + - `ssh_host_linux_signer`: ssh hostname of linux signing machine + - `builder_tor_browser_build_dir`: path on `ssh_host_builder` to root of builder's `tor-browser-build` clone containing unsigned builds - [ ] `tor-browser-build/tools/signing/set-config.rcodesign-appstoreconnect` - - `appstoreconnect_api_key_path` : path to json file containing appstoreconnect api key infos + - `appstoreconnect_api_key_path`: path to json file containing appstoreconnect api key infos - [ ] `set-config.update-responses` - - `update_responses_repository_dir` : directory where you cloned `git@gitlab.torproject.org:tpo/applications/tor-browser-update-responses.git` + - `update_responses_repository_dir`: directory where you cloned `git@gitlab.torproject.org:tpo/applications/tor-browser-update-responses.git` - [ ] `tor-browser-build/tools/signing/set-config.tbb-version` - - `tbb_version` : tor browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`) - - `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`) - - `tbb_version_type` : either `alpha` for alpha releases or `release` for stable releases -- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050 -- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, run do-all-signing script: - - `cd tor-browser-build/tools/signing/` - - `./do-all-signing.torbrowser` -- **NOTE**: at this point the signed binaries should have been copied to `staticiforme` -- [ ] Update `staticiforme.torproject.org`: - - From `screen` session on `staticiforme.torproject.org`: - - [ ] Static update components : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org` - - [ ] Enable update responses : `sudo -u tb-release ./deploy_update_responses-release.sh` - - [ ] Remove old release data from following places: - - **NOTE** : Skip this step if we need to hold on to older versions for some reason (for example, this is an Andoid or Desktop-only release, or if we need to hold back installers in favor of build-to-build updates if there are signing issues, etc) - - [ ] `/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser` - - [ ] `/srv/dist-master.torproject.org/htdocs/torbrowser` - - [ ] Static update components (again) : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org` + - `tbb_version`: tor browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`) + - `tbb_version_build`: the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`) + - `tbb_version_type`: either `alpha` for alpha releases or `release` for stable releases +- [ ] On `${STAGING_SERVER}` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050 +- [ ] On `${STAGING_SERVER}` in a separate `screen` session, run do-all-signing script: + - [ ] Run: + ``` + cd tor-browser-build/tools/signing/ && ./do-all-signing.torbrowser + ``` + - **NOTE**: on successful execution, the signed binaries and mars should have been copied to `staticiforme` and update responses pushed </details> @@ -239,6 +239,26 @@ popd <details> <summary>Publishing</summary> +### website +- [ ] On `staticiforme.torproject.org`, static update components: + ``` + static-update-component cdn.torproject.org && static-update-component dist.torproject.org + ``` +- [ ] Deploy `tor-website` MR +- [ ] Deploy `tor-blog` MR +- [ ] On `staticiforme.torproject.org`, enable update responses: + ``` + sudo -u tb-release ./deploy_update_responses-release.sh + ``` +- [ ] On `staticiforme.torproject.org`, remove old release: + - **NOTE**: Skip this step if we need to hold on to older versions for some reason (for example, this is an Andoid or Desktop-only release, or if we need to hold back installers in favor of build-to-build updates if there are signing issues, etc) + - [ ] `/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser` + - [ ] `/srv/dist-master.torproject.org/htdocs/torbrowser` + - [ ] Run: + ``` + static-update-component cdn.torproject.org && static-update-component dist.torproject.org + ``` + ### Google Play: https://play.google.com/apps/publish - [ ] Publish APKs to Google Play: - Select `Tor Browser` app @@ -253,45 +273,59 @@ popd - [ ] 100% rollout when publishing a security-driven release - [ ] Update rollout percentage to 100% after confirmed no major issues -### website: https://gitlab.torproject.org/tpo/web/tpo.git -- [ ] `databags/versions.ini` : Update the downloads versions - - `torbrowser-stable/version` : sort of a catch-all for latest stable version - - `torbrowser-alpha/version` : sort of a catch-all for latest stable version - - `torbrowser-*-stable/version` : platform-specific stable versions - - `torbrowser-*-alpha/version` : platform-specific alpha versions - - `tor-stable`,`tor-alpha` : set by tor devs, do not touch -- [ ] Push to origin as new branch, open 'Draft :' MR -- [ ] Remove `Draft:` from MR once signed-packages are accessible on https://dist.torproject.org -- [ ] Merge -- [ ] Publish after CI passes and builds are published +</details> -### blog: https://gitlab.torproject.org/tpo/web/blog.git -- [ ] Run `tools/signing/create-blog-post` which should create the new blog post from a template (edit set-config.blog to set you local blog directory) - - [ ] Note any ESR update - - [ ] Note any updates to dependencies (OpenSSL, zlib, NoScript, tor, etc) - - [ ] Thank any users which have contributed patches -- [ ] Push to origin as new branch, open `Draft:` MR -- [ ] Merge once signed-packages are accessible on https://dist.torproject.org -- [ ] Publish after CI passes and website has been updated +<details> + <summary>Communications</summary> ### tor-announce mailing list -- [ ] Email tor-announce mailing list: tor-announce(a)lists.torproject.org +- [ ] Email tor-announce mailing list + - **Recipients** + ``` + tor-announce(a)lists.torproject.org + ``` - **Subject** ``` - New Release: Tor Browser $(TOR_BROWSER_VERSION) (Android, Windows, macOS, Linux) + New Release: Tor Browser ${TOR_BROWSER_VERSION} (Android, Windows, macOS, Linux) ``` - **Body** ``` Hi everyone, - Tor Browser $(TOR_BROWSER_VERSION) has now been published for all platforms. For details please see our blog post: - - $(BLOG_POST_URL) + Tor Browser ${TOR_BROWSER_VERSION} has now been published for all platforms. For details please see our blog post: + - ${BLOG_POST_URL} Changelog: - # paste changleog as quote here + # paste changelog as quote here ``` +### packagers +- [ ] Email packagers: + - **Recipients** + - Tails dev mailing list: tails-dev(a)boum.org + - Guardian Project: nathan(a)guardianproject.info + - FreeBSD port: freebsd(a)sysctl.cz  + - OpenBSD port: caspar(a)schutijser.com  + - torbrowser-launcher: mail(a)asciiwolf.com  + - Anti-Censorship: meskio(a)torproject.org  + ``` + tails-dev(a)boum.org nathan(a)guardianproject.info freebsd(a)sysctl.cz caspar(a)schutijser.com mail(a)asciiwolf.com meskio(a)torproject.org + ``` + - **Subject** + ``` + New Release: Tor Browser ${TOR_BROWSER_VERSION} (Android, Windows, macOS, Linux) + ``` + - **Body** + ``` + Hi everyone, + + Tor Browser ${TOR_BROWSER_VERSION} has now been published for all platforms. For details please see our blog post: + - ${BLOG_POST_URL} + + Changelog: + # paste changelog as quote here + ``` + - [ ] Note any changes which may affect packaging/downstream integration </details> /label ~"Release Prep" - View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/compare/… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/compare/… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser] Pushed new tag base-browser-115.17.0esr-13.5-1-build2
by morgan (＠morgan) 24 Oct '24

24 Oct '24

morgan pushed new tag base-browser-115.17.0esr-13.5-1-build2 at The Tor Project / Applications / Tor Browser -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/tree/base-brow… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser] Deleted tag base-browser-115.17.0esr-13.5-1-build2
by morgan (＠morgan) 24 Oct '24

24 Oct '24

morgan deleted tag base-browser-115.17.0esr-13.5-1-build2 at The Tor Project / Applications / Tor Browser -- You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser] Pushed new tag tor-browser-115.17.0esr-13.5-1-build2
by morgan (＠morgan) 24 Oct '24

24 Oct '24

morgan pushed new tag tor-browser-115.17.0esr-13.5-1-build2 at The Tor Project / Applications / Tor Browser -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/tree/tor-brows… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser] Deleted tag tor-browser-115.17.0esr-13.5-1-build2
by morgan (＠morgan) 24 Oct '24

24 Oct '24

morgan deleted tag tor-browser-115.17.0esr-13.5-1-build2 at The Tor Project / Applications / Tor Browser -- You're receiving this email because of your account on gitlab.torproject.org.

1 0

← Newer
1
2
3
4
5
6
7
8
9
...
29
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

tbb-commits October 2024