[tbb-commits] [Git][tpo/applications/tor-browser-build][main] Updated gitlab alpha build prep templates
richard (@richard)
git at gitlab.torproject.org
Tue Sep 12 18:19:02 UTC 2023
richard pushed to branch main at The Tor Project / Applications / tor-browser-build
Commits:
600cbac2 by Richard Pospesel at 2023-09-12T17:36:15+00:00
Updated gitlab alpha build prep templates
- fixed formatting
- updated email templates
- updated changelog steps
- updated the build+reproducibility verification workflow
- added explicit list of valid taggers
- added assign step for signers
- added Sponsor 131 label for Mullvad Browser
- various work-flows to match reality
- - - - -
2 changed files:
- .gitlab/issue_templates/Release Prep - Mullvad Browser Alpha.md
- .gitlab/issue_templates/Release Prep - Tor Browser Alpha.md
Changes:
=====================================
.gitlab/issue_templates/Release Prep - Mullvad Browser Alpha.md
=====================================
@@ -27,54 +27,79 @@
</details>
**NOTE** It is assumed that the `tor-browser` alpha rebase and security backport tasks have been completed
+**NOTE** This can/is often done in conjunction with the equivalent Tor Browser release prep issue
<details>
<summary>Building</summary>
-### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git
-Mullvad Browser Alpha (and Nightly) are on the `main` branch
-
-- [ ] Update `rbm.conf`
- - [ ] `var/torbrowser_version` : update to next version
- - [ ] `var/torbrowser_build` : update to `$(MULLVAD_BROWSER_BUILD_N)`
- - [ ] `var/torbrowser_incremental_from` : update to previous Desktop version
- - **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make mullvadbrowser-incrementals-*` step will fail
-- [ ] Update build configs
- - [ ] Update `projects/firefox/config`
- - [ ] `browser_build` : update to match `mullvad-browser` tag
- - [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased
- - [ ] Update `projects/translation/config`:
- - [ ] run `make list_translation_updates-alpha` to get updated hashes
- - [ ] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch
- - [ ] `steps/mullvad-browser/git_hash` : update with `HEAD` commit of project's `mullvad-browser` branch
-- [ ] Update common build configs
- - [ ] Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript
- - [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/browser/config`
- - [ ] `URL`
- - [ ] `sha256sum`
- - [ ] Check for uBlock-origin updates here : https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/
- - [ ] ***(Optional)*** If new version available, update `ublock-origin` section of `input_files` in `projects/browser/config`
- - [ ] `URL`
- - [ ] `sha256sum`
- - [ ] Check for Mullvad Privacy Companion updates here : https://github.com/mullvad/browser-extension/releases
- - [ ] ***(Optional)*** If new version available, update `mullvad-extension` section of `input_files` in `projects/browser/config`
- - [ ] `URL`
- - [ ] `sha256sum`
-- [ ] Open MR with above changes
-- [ ] Merge
-- [ ] Sign/Tag commit: `make mullvadbrowser-signtag-alpha`
-- [ ] Push tag to `origin`
-- [ ] Begin build on `$(BUILD_SERVER)` (fix any issues in subsequent MRs)
-- [ ] **TODO** Submit build-tag to Mullvad build infra
-- [ ] Ensure builders have matching builds
+ ### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git
+ Mullvad Browser Alpha (and Nightly) are on the `main` branch
+
+ - [ ] Update `rbm.conf`
+ - [ ] `var/torbrowser_version` : update to next version
+ - [ ] `var/torbrowser_build` : update to `$(MULLVAD_BROWSER_BUILD_N)`
+ - [ ] `var/torbrowser_incremental_from` : update to previous Desktop version
+ - **NOTE**: We try to build incrementals for the previous 3 desktop versions except in the case of a watershed update
+ - **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make mullvadbrowser-incrementals-*` step will fail
+ - [ ] Update build configs
+ - [ ] Update `projects/firefox/config`
+ - [ ] `browser_build` : update to match `mullvad-browser` tag
+ - [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased
+ - [ ] Update `projects/translation/config`:
+ - [ ] run `make list_translation_updates-alpha` to get updated hashes
+ - [ ] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch
+ - [ ] `steps/mullvad-browser/git_hash` : update with `HEAD` commit of project's `mullvad-browser` branch
+ - [ ] Update common build configs
+ - [ ] Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript
+ - [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/browser/config`
+ - [ ] `URL`
+ - [ ] `sha256sum`
+ - [ ] Check for uBlock-origin updates here : https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/
+ - [ ] ***(Optional)*** If new version available, update `ublock-origin` section of `input_files` in `projects/browser/config`
+ - [ ] `URL`
+ - [ ] `sha256sum`
+ - [ ] Check for Mullvad Privacy Companion updates here : https://github.com/mullvad/browser-extension/releases
+ - [ ] ***(Optional)*** If new version available, update `mullvad-extension` section of `input_files` in `projects/browser/config`
+ - [ ] `URL`
+ - [ ] `sha256sum`
+ - [ ] Update `ChangeLog-MB.txt`
+ - [ ] Ensure ChangeLog-MB.txt is sync'd between alpha and stable branches
+ - [ ] Check the linked issues: ask people to check if any are missing, remove the not fixed ones
+ - [ ] Run `tools/fetch-changelogs.py $(TOR_BROWSER_VERSION)` or `tools/fetch-changelogs.py '#$(ISSUE_NUMBER)'`
+ - Make sure you have `requests` installed (e.g., `apt install python3-requests`)
+ - The first time you run this script you will need to generate an access token; the script will guide you
+ - [ ] Copy the output of the script to the beginning of `ChangeLog-MB.txt` and update its output
+ - [ ] Version
+ - [ ] Browser Name
+ - [ ] Release Date
+ - [ ] Under `All Platforms` include any version updates for:
+ - NoScript
+ - uBlock-origin
+ - Mullvad Browser Extension
+ - Firefox
+ - [ ] Open MR with above changes
+ - [ ] Build the MR after initial review on at least two of:
+ - [ ] Tor Project build machine
+ - [ ] Mullvad build machine
+ - [ ] Local developer machine
+ - [ ] Ensure builders have matching builds
+ - [ ] Merge
+ - [ ] Sign+Tag
+ - **NOTE** this must be done by one of:
+ - boklm
+ - dan
+ - ma1
+ - pierov
+ - richard
+ - [ ] Run: `make mullvadbrowser-signtag-alpha`
+ - [ ] Push tag to `origin`
</details>
<details>
<summary>QA</summary>
-### send the build
-
+ ### send the build
- [ ] Email Mullvad QA: support at mullvad.net, rui at mullvad.net
<details>
<summary>email template</summary>
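Review bot: In the reordered Building checklist, "Ensure builders have matching builds" is now checked on the MR before `Merge`, but `Sign+Tag` runs after the merge and no step ties the tag to the commit the builders actually reproduced. Suggest a checkbox under `Sign+Tag` to confirm that the commit being tagged is the one that was built, or to rebuild from the tag and compare again. Separately, the new `ChangeLog-MB.txt` step runs `tools/fetch-changelogs.py $(TOR_BROWSER_VERSION)`, while this template's other placeholders are the `$(MULLVAD_BROWSER_...)` ones; it looks copied from the Tor Browser template. The list of valid taggers is also duplicated verbatim in both templates, so the two copies can drift apart; consider linking to a single source for it.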
@@ -83,7 +108,7 @@ Mullvad Browser Alpha (and Nightly) are on the `main` branch
New build: Mullvad Browser $(MULLVAD_BROWSER_VERION) (unsigned)
Body:
- unsigned builds: https://tb-build-05.torproject.org/~$(BUILDER)/builds/mullvadbrowser/release/unsigned/$(MB_BUILD_TAG)
+ unsigned builds: https://tb-build-05.torproject.org/~$(BUILDER)/builds/mullvadbrowser/alpha/unsigned/$(MB_BUILD_TAG)
changelog:
...
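Review bot: The Subject line kept as context directly above the changed URL still reads `$(MULLVAD_BROWSER_VERION)`, which does not match the `$(MULLVAD_BROWSER_VERSION)` spelling used elsewhere in the template, so anyone substituting placeholders by search will miss it. Since this patch is already correcting the email template (the `release/unsigned` to `alpha/unsigned` path), fix the placeholder spelling in the same change.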
@@ -99,97 +124,106 @@ Mullvad Browser Alpha (and Nightly) are on the `main` branch
<details>
<summary>Signing</summary>
-### signing
-- [ ] On `$(STAGING_SERVER)`, ensure updated:
- - [ ] `tor-browser-build/tools/signing/set-config.hosts`
- - `ssh_host_builder` : ssh hostname of machine with unsigned builds
- - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory)
- - `ssh_host_linux_signer` : ssh hostname of linux signing machine
- - `ssh_host_macos_signer` : ssh hostname of macOS signing machine
- - [ ] `tor-browser-build/tools/signing/set-config.macos-notarization`
- - `macos_notarization_user` : the email login for a mullvad notariser Apple Developer account
- - [ ] `set-config.update-responses`
- - `update_responses_repository_dir` : directory where you cloned `git at gitlab.torproject.org:tpo/applications/mullvad-browser-update-responses.git`
- - [ ] `tor-browser-build/tools/signing/set-config.tbb-version`
- - `tbb_version` : mullvad browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`)
- - `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`)
- - `tbb_version_type` : either `alpha` for alpha releases or `release` for stable releases
-- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, run the macOS proxy script:
- - `cd tor-browser-build/tools/signing/`
- - `./macos-signer-proxy`
-- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
-- [ ] run do-all-signing script:
- - `cd tor-browser-build/tools/signing/`
- - `./do-all-signing.mullvadbrowser`
-- **NOTE**: at this point the signed binaries should have been copied to `staticiforme`
-- [ ] Update `staticiforme.torproject.org`:
- - From `screen` session on `staticiforme.torproject.org`:
- - [ ] Static update components : `static-update-component dist.torproject.org`
- - [ ] Remove old release data from `/srv/dist-master.torproject.org/htdocs/mullvadbrowser`
- - [ ] Static update components (again) : `static-update-component dist.torproject.org`
+ ### signing
+ - [ ] Assign this issue to the signer, one of:
+ - boklm
+ - richard
+ - [ ] On `$(STAGING_SERVER)`, ensure updated:
+ - [ ] `tor-browser-build/tools/signing/set-config.hosts`
+ - `ssh_host_builder` : ssh hostname of machine with unsigned builds
+ - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory)
+ - `ssh_host_linux_signer` : ssh hostname of linux signing machine
+ - `ssh_host_macos_signer` : ssh hostname of macOS signing machine
+ - [ ] `tor-browser-build/tools/signing/set-config.macos-notarization`
+ - `macos_notarization_user` : the email login for a mullvad notariser Apple Developer account
+ - [ ] `set-config.update-responses`
+ - `update_responses_repository_dir` : directory where you cloned `git at gitlab.torproject.org:tpo/applications/mullvad-browser-update-responses.git`
+ - [ ] `tor-browser-build/tools/signing/set-config.tbb-version`
+ - `tbb_version` : mullvad browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`)
+ - `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`)
+ - `tbb_version_type` : either `alpha` for alpha releases or `release` for stable releases
+ - [ ] On `$(STAGING_SERVER)` in a separate `screen` session, run the macOS proxy script:
+ - `cd tor-browser-build/tools/signing/`
+ - `./macos-signer-proxy`
+ - [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
+ - [ ] run do-all-signing script:
+ - `cd tor-browser-build/tools/signing/`
+ - `./do-all-signing.mullvadbrowser`
+ - **NOTE**: at this point the signed binaries should have been copied to `staticiforme`
+ - [ ] Update `staticiforme.torproject.org`:
+ - From `screen` session on `staticiforme.torproject.org`:
+ - [ ] Static update components : `static-update-component dist.torproject.org`
+ - [ ] Remove old release data from `/srv/dist-master.torproject.org/htdocs/mullvadbrowser`
+ - [ ] Static update components (again) : `static-update-component dist.torproject.org`
</details>
<details>
<summary>Publishing</summary>
-### email
-
-- [ ] Email Mullvad with release information: support at mullvad.net, rui at mullvad.net
- <details>
- <summary>email template</summary>
-
- Subject:
- New build: Mullvad Browser $(MULLVAD_BROWSER_VERION) (signed)
-
- Body:
- signed builds: https://dist.torproject.org/mullvadbrowser/$(MULLVAD_BROWSER_VERSION)
+ ### mullvad-browser (github): https://github.com/mullvad/mullvad-browser/
+ - [ ] Assign this issue to someone with mullvad commit access, one of:
+ - richard
+ - [ ] Push this release's associated `mullvad-browser.git` branch to github
+ - [ ] Push this release's associated tags to github:
+ - [ ] Firefox ESR tag
+ - **example** : `FIREFOX_102_12_0esr_BUILD1,`
+ - [ ] `base-browser` tag
+ - **example** : `base-browser-102.12.0esr-12.0-1-build1`
+ - [ ] `mullvad-browser` tag
+ - **example** : `mullvad-browser-102.12.0esr-12.0-1-build1`
+ - [ ] Sign+Tag additionally the `mullvad-browser.git` `firefox` commit used in build:
+ - **Tag**: `$(MULLVAD_BROWSER_VERSION)`
+ - **example** : `12.5a7`
+ - **Message**: `$(ESR_VERSION)esr-based $(MULLVAD_BROWSER_VERSION)`
+ - **example** : `102.12.0esr-based 12.5a7`
+ - [ ] Push tag to github
+
+ ### email
+ - [ ] Email Mullvad with release information: support at mullvad.net, rui at mullvad.net
+ <details>
+ <summary>email template</summary>
- update_response hashes: $(MULLVAD_UPDATE_RESPONSES_HASH)
+ Subject:
+ New build: Mullvad Browser $(MULLVAD_BROWSER_VERION) (signed)
- changelog:
- ...
+ Body:
+ signed builds: https://dist.torproject.org/mullvadbrowser/$(MULLVAD_BROWSER_VERSION)
- </details>
+ update_response hashes: $(MULLVAD_UPDATE_RESPONSES_HASH)
-### mullvad-browser (github): https://github.com/mullvad/mullvad-browser/
-- [ ] Push this release's associated `mullvad-browser.git` branch to github
-- [ ] Push this release's associated tags to github:
- - [ ] Firefox ESR tag
- - **example** : `FIREFOX_102_12_0esr_BUILD1,`
- - [ ] `base-browser` tag
- - **example** : `base-browser-102.12.0esr-12.0-1-build1`
- - [ ] `mullvad-browser` tag
- - **example** : `mullvad-browser-102.12.0esr-12.0-1-build1`
-- [ ] Sign+Tag additionally the `mullvad-browser.git` `firefox` commit used in build:
- - **Tag**: `$(MULLVAD_BROWSER_VERSION)`
- - **example** : `12.5a7`
- - **Message**: `$(ESR_VERSION)esr-based $(MULLVAD_BROWSER_VERSION)`
- - **example** : `102.12.0esr-based 12.5a7`
- - [ ] Push tag to github
+ changelog:
+ ...
+ </details>
</details>
<details>
<summary>Downstream</summary>
-### notify packagers
+ ### notify packagers
+
+ - [ ] **(Optional, Once Mullvad Updates their Github Releases Page)** Email downstream consumers:
+ - **NOTE**: This is an optional step and only necessary close a major release/transition from alpha to stable, or if there are major packing changes these developers need to be aware of
+ <details>
+ <summary>email template</summary>
+
+ Hello!
-- [ ] **(Optional, Once Mullvad Updates their Github Releases Page)** Email downstream consumers:
- <details>
- <summary>email template</summary>
+ Mullvad-Browser $(MULLVAD_BROWSER_VERSION) packages are available, so you should all update your respective downstream packages.
- ...
+ Release builds can be found here:
- ...
+ - https://github.com/mullvad/mullvad-browser/releases/tag/$(MULLVAD_BROWSER_VERSION)
- </details>
+ </details>
- - **NOTE**: This is an optional step and only necessary close a major release/transition from alpha to stable, or if there are major packing changes these developers need to be aware of
- - [ ] flathub package maintainer: proletarius101 at protonmail.com
- - [ ] arch package maintainer: bootctl at gmail.com
- - [ ] nixOS package maintainer: dev at felschr.com
+ - flathub package maintainer: proletarius101 at protonmail.com
+ - arch package maintainer: bootctl at gmail.com
+ - nixOS package maintainer: dev at felschr.com
</details>
/label ~"Release Prep"
+/label ~"Sponsor 131"
+
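Review bot: The signed-build email template is re-added with the Subject placeholder still misspelled as `$(MULLVAD_BROWSER_VERION)`; since the line is being rewritten anyway, correct it to `$(MULLVAD_BROWSER_VERSION)` to match the Body. A few other carried-over slips sit in re-indented lines and could be cleaned up in the same pass: the Firefox ESR tag example `FIREFOX_102_12_0esr_BUILD1,` has a trailing comma inside the backticks, the `tor-browser-build` NOTE under `ssh_host_builder` ends in an unmatched `)`, and the downstream NOTE reads "only necessary close a major release", which is missing a word. The signing step names two possible assignees and the github push step names only one; if that is intentional, a line on who to contact when that person is unavailable would help.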
=====================================
.gitlab/issue_templates/Release Prep - Tor Browser Alpha.md
=====================================
@@ -27,190 +27,208 @@
</details>
**NOTE** It is assumed that the `tor-browser` stable rebase and security backport tasks have been completed
+**NOTE** This can/is often done in conjunction with the equivalent Mullvad Browser release prep issue
<details>
<summary>Building</summary>
-### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git
-Tor Browser Alpha (and Nightly) are on the `main` branch
-
-- [ ] Update `rbm.conf`
- - [ ] `var/torbrowser_version` : update to next version
- - [ ] `var/torbrowser_build` : update to `$(TOR_BROWSER_BUILD_N)`
- - [ ] ***(Desktop Only)***`var/torbrowser_incremental_from` : update to previous Desktop version
- - **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make torbrowser-incrementals-*` step will fail
-- [ ] Update Desktop-specific build configs
- - [ ] Update `projects/firefox/config`
- - [ ] `browser_build` : update to match `tor-browser` tag
- - [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased
- - [ ] Update `projects/translation/config`:
- - [ ] run `make list_translation_updates-alpha` to get updated hashes
- - [ ] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch
- - [ ] `steps/tor-browser/git_hash` : update with `HEAD` commit of project's `tor-browser` branch
- - [ ] `steps/fenix/git_hash` : update with `HEAD` commit of project's `fenix-torbrowserstringsxml` branch
-- [ ] Update Android-specific build configs
- - [ ] Update `projects/geckoview/config`
- - [ ] `browser_build` : update to match `tor-browser` tag
- - [ ] ***(Optional)*** `var/geckoview_version` : update to latest `$(ESR_VERSION)` if rebased
- - [ ] ***(Optional)*** Update `projects/tor-android-service/config`
- - [ ] `git_hash` : update with `HEAD` commit of project's `main` branch
- - [ ] ***(Optional)*** Update `projects/application-services/config`:
- **NOTE** we don't currently have any of our own patches for this project
- - [ ] `git_hash` : update to appropriate git commit associated with `$(ESR_VERSION)`
- - [ ] ***(Optional)*** Update `projects/firefox-android/config`:
- - [ ] `fenix_version` : update to match alpha `firefox-android` build tag
- - [ ] `browser_branch` : update to match alpha `firefox-android` build tag
- - [ ] Update allowed_addons.json by running (from `tor-browser-build` root):
- - `./tools/fetch_allowed_addons.py > projects/browser/allowed_addons.json`
-- [ ] Update common build configs
- - [ ] Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript
- - [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/browser/config`
- - [ ] `URL`
- - [ ] `sha256sum`
- - [ ] Check for OpenSSL updates here : https://www.openssl.org/source/
- - [ ] ***(Optional)*** If new 3.0.X version available, update `projects/openssl/config`
- - [ ] `version` : update to next 3.0.X version
- - [ ] `input_files/sha256sum` : update to sha256 sum of source tarball
- - [ ] Check for zlib updates here: https://github.com/madler/zlib/releases
- - [ ] **(Optional)** If new tag available, update `projects/zlib/config`
- - [ ] `version` : update to next release tag
- - [ ] Check for tor updates here : https://gitlab.torproject.org/tpo/core/tor/-/tags
- - [ ] ***(Optional)*** Update `projects/tor/config`
- - [ ] `version` : update to latest `-alpha` tag or release tag if newer (ping dgoulet or ahf if unsure)
- - [ ] Check for go updates here : https://golang.org/dl
- - **NOTE** : Tor Browser Alpha uses the latest Stable major series go version
- - [ ] ***(Optional)*** Update `projects/go/config`
- - [ ] `version` : update go version
- - [ ] `input_files/sha256sum` for `go` : update sha256sum of archive (sha256 sums are displayed on the go download page)
- - [ ] Check for manual updates by running (from `tor-browser-build` root): `./tools/fetch-manual.py`
- - [ ] ***(Optional)*** If new version is available:
- - [ ] Upload the downloaded `manual_$PIPELINEID.zip` file to people.tpo
- - [ ] Update `projects/manual/config`:
- - [ ] Change the `version` to `$PIPELINEID`
- - [ ] Update `sha256sum` in the `input_files` section
- - [ ] ***(Optional)*** Update the URL if you have uploaded to a different people.tpo home
-- [ ] Update `ChangeLog.txt`
- - [ ] Ensure ChangeLog.txt is sync'd between alpha and stable branches
- - [ ] Check the linked issues: ask people to check if any are missing, remove the not fixed ones
- - [ ] Run `tools/fetch-changelogs.py $(TOR_BROWSER_VERSION)` or `tools/fetch-changelogs.py '#$(ISSUE_NUMBER)'`
- - Make sure you have `requests` installed (e.g., `apt install python3-requests`)
- - The first time you run this script you will need to generate an access token; the script will guide you
- - [ ] Copy the output of the script to the beginning of `ChangeLog.txt` and adjust its output
- - **NOTE** : If you used the issue number, you will need to write the Tor Browser version manually
- - [ ] ***(Optional)*** Under `All Platforms` include any version updates for:
- - [ ] Translations
- - [ ] OpenSSL
- - [ ] NoScript
- - [ ] zlib
- - [ ] tor daemon
- - [ ] ***(Optional)*** Under `Windows + macOS + Linux` include updates for:
- - [ ] Firefox
- - [ ] ***(Optional)*** Under `Android`, include updates for:
- - [ ] Geckoview
- - [ ] ***(Optional)*** Under `Build System/All Platforms` include updates for:
- - [ ] Go
-- [ ] Open MR with above changes
-- [ ] Merge
-- [ ] Sign/Tag commit: `make torbrowser-signtag-alpha`
-- [ ] Push tag to `origin`
-- [ ] Begin build on `$(BUILD_SERVER)` (fix any issues in subsequent MRs)
-- [ ] **TODO** Submit build-tag to Mullvad build infra
-- [ ] Ensure builders have matching builds
+ ### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git
+ Tor Browser Alpha (and Nightly) are on the `main` branch
+
+ - [ ] Update `rbm.conf`
+ - [ ] `var/torbrowser_version` : update to next version
+ - [ ] `var/torbrowser_build` : update to `$(TOR_BROWSER_BUILD_N)`
+ - [ ] ***(Desktop Only)***`var/torbrowser_incremental_from` : update to previous Desktop version
+ - **NOTE**: We try to build incrementals for the previous 3 desktop versions except in the case of a watershed update
+ - **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make torbrowser-incrementals-*` step will fail
+ - [ ] Update Desktop-specific build configs
+ - [ ] Update `projects/firefox/config`
+ - [ ] `browser_build` : update to match `tor-browser` tag
+ - [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased
+ - [ ] Update `projects/translation/config`:
+ - [ ] run `make list_translation_updates-alpha` to get updated hashes
+ - [ ] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch
+ - [ ] `steps/tor-browser/git_hash` : update with `HEAD` commit of project's `tor-browser` branch
+ - [ ] `steps/fenix/git_hash` : update with `HEAD` commit of project's `fenix-torbrowserstringsxml` branch
+ - [ ] Update Android-specific build configs
+ - [ ] Update `projects/geckoview/config`
+ - [ ] `browser_build` : update to match `tor-browser` tag
+ - [ ] ***(Optional)*** `var/geckoview_version` : update to latest `$(ESR_VERSION)` if rebased
+ - [ ] ***(Optional)*** Update `projects/tor-android-service/config`
+ - [ ] `git_hash` : update with `HEAD` commit of project's `main` branch
+ - [ ] ***(Optional)*** Update `projects/application-services/config`:
+ **NOTE** we don't currently have any of our own patches for this project
+ - [ ] `git_hash` : update to appropriate git commit associated with `$(ESR_VERSION)`
+ - [ ] ***(Optional)*** Update `projects/firefox-android/config`:
+ - [ ] `fenix_version` : update to match alpha `firefox-android` build tag
+ - [ ] `browser_branch` : update to match alpha `firefox-android` build tag
+ - [ ] Update allowed_addons.json by running (from `tor-browser-build` root):
+ - `./tools/fetch_allowed_addons.py > projects/browser/allowed_addons.json`
+ - [ ] Update common build configs
+ - [ ] Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript
+ - [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/browser/config`
+ - [ ] `URL`
+ - [ ] `sha256sum`
+ - [ ] Check for OpenSSL updates here : https://www.openssl.org/source/
+ - [ ] ***(Optional)*** If new 3.0.X version available, update `projects/openssl/config`
+ - [ ] `version` : update to next 3.0.X version
+ - [ ] `input_files/sha256sum` : update to sha256 sum of source tarball
+ - [ ] Check for zlib updates here: https://github.com/madler/zlib/releases
+ - [ ] **(Optional)** If new tag available, update `projects/zlib/config`
+ - [ ] `version` : update to next release tag
+ - [ ] Check for tor updates here : https://gitlab.torproject.org/tpo/core/tor/-/tags
+ - [ ] ***(Optional)*** Update `projects/tor/config`
+ - [ ] `version` : update to latest `-alpha` tag or release tag if newer (ping dgoulet or ahf if unsure)
+ - [ ] Check for go updates here : https://golang.org/dl
+ - **NOTE** : Tor Browser Alpha uses the latest Stable major series go version
+ - [ ] ***(Optional)*** Update `projects/go/config`
+ - [ ] `version` : update go version
+ - [ ] `input_files/sha256sum` for `go` : update sha256sum of archive (sha256 sums are displayed on the go download page)
+ - [ ] Check for manual updates by running (from `tor-browser-build` root): `./tools/fetch-manual.py`
+ - [ ] ***(Optional)*** If new version is available:
+ - [ ] Upload the downloaded `manual_$PIPELINEID.zip` file to people.tpo
+ - [ ] Update `projects/manual/config`:
+ - [ ] Change the `version` to `$PIPELINEID`
+ - [ ] Update `sha256sum` in the `input_files` section
+ - [ ] ***(Optional)*** Update the URL if you have uploaded to a different people.tpo home
+ - [ ] Update `ChangeLog-TBB.txt`
+ - [ ] Ensure ChangeLog-TBB.txt is sync'd between alpha and stable branches
+ - [ ] Check the linked issues: ask people to check if any are missing, remove the not fixed ones
+ - [ ] Run `tools/fetch-changelogs.py $(TOR_BROWSER_VERSION)` or `tools/fetch-changelogs.py '#$(ISSUE_NUMBER)'`
+ - Make sure you have `requests` installed (e.g., `apt install python3-requests`)
+ - The first time you run this script you will need to generate an access token; the script will guide you
+ - [ ] Copy the output of the script to the beginning of `ChangeLog-TBB.txt` and update its output
+ - [ ] Version
+ - [ ] Browser Name
+ - [ ] Release Date
+ - [ ] Under `All Platforms` include any version updates for:
+ - NoScript
+ - tor
+ - OpenSSL
+ - lyrebird
+ - Snowflake
+ - [ ] Under `Windows + macOS + Linux` include any version updates for:
+ - Firefox
+ - [ ] Under `Android` include any version updates for:
+ - Geckoview
+ - [ ] Under `Windows + Android` include any version updates for:
+ - zlib
+ - [ ] Under `Build System/All Platforms` include any version updates for:
+ - Go
+ - [ ] Open MR with above changes
+ - [ ] Build the MR after initial review on at least two of:
+ - [ ] Tor Project build machine
+ - [ ] Mullvad build machine
+ - [ ] Local developer machine
+ - [ ] Ensure builders have matching builds
+ - [ ] Merge
+ - [ ] Sign_Tag
+ - **NOTE** this must be done by one of:
+ - boklm
+ - dan
+ - ma1
+ - pierov
+ - richard
+ - [ ] Run: `make torbrowser-signtag-alpha`
+ - [ ] Push tag to `origin`
</details>
<details>
<summary>Communications</summary>
-### notify stakeholders
+ ### notify stakeholders
- <details>
- <summary>email template</summary>
+ - [ ] Email tor-qa mailing list: tor-qa at lists.torproject.org
+ <details>
+ <summary>email template</summary>
- Subject:
- Tor Browser $(TOR_BROWSER_VERION) (Android, Windows, macOS, Linux)
+ Subject:
+ Tor Browser $(TOR_BROWSER_VERION) (Android, Windows, macOS, Linux)
- Body:
- Hello All,
+ Body:
+ Hello All,
- Unsigned Tor Browser $(TOR_BROWSER_VERSION) alpha candidate builds are now available for testing:
+ Unsigned Tor Browser $(TOR_BROWSER_VERSION) alpha candidate builds are now available for testing:
- - https://tb-build-05.torproject.org/~$(BUILDER)/builds/release/unsigned/$(TOR_BROWSER_VERSION)/
+ - https://tb-build-05.torproject.org/~$(BUILDER)/builds/alpha/unsigned/$(TOR_BROWSER_VERSION)/
- The full changelog can be found here:
+ The full changelog can be found here:
- - https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/blob/$(TBB_BUILD_TAG)/ChangeLog.txt
+ - https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/raw/$(TBB_BUILD_TAG)/projects/browser/Bundle-Data/Docs-TBB/ChangeLog.txt
- </details>
+ </details>
-- [ ] Email tor-qa mailing list: tor-qa at lists.torproject.org
- - ***(Optional)*** Additional information:
- - [ ] Note any new functionality which needs testing
- - [ ] Link to any known issues
-- [ ] ***(Optional, only around build/packaging changes)*** Email packagers:
- - Recipients:
- - Tails dev mailing list: tails-dev at boum.org
- - Guardian Project: nathan at guardianproject.info
- - torbrowser-launcher: micah at micahflee.com
- - FreeBSD port: freebsd at sysctl.cz <!-- Gitlab user maxfx -->
- - OpenBSD port: caspar at schutijser.com <!-- Gitlab user cschutijser -->
- - [ ] Note any changes which may affect packaging/downstream integration
-- [ ] Email external partners:
- - ***(Optional, after ESR migration)*** Cloudflare: ask-research at cloudflare.com
- - **NOTE** : We need to provide them with updated user agent string so they can update their internal machinery to prevent Tor Browser users from getting so many CAPTCHAs
+ - ***(Optional)*** Additional information:
+ - [ ] Note any new functionality which needs testing
+ - [ ] Link to any known issues
+ - [ ] ***(Optional, only around build/packaging changes)*** Email packagers:
+ - Recipients:
+ - Tails dev mailing list: tails-dev at boum.org
+ - Guardian Project: nathan at guardianproject.info
+ - torbrowser-launcher: micah at micahflee.com
+ - FreeBSD port: freebsd at sysctl.cz <!-- Gitlab user maxfx -->
+ - OpenBSD port: caspar at schutijser.com <!-- Gitlab user cschutijser -->
+ - [ ] Note any changes which may affect packaging/downstream integration
+ - [ ] Email external partners:
+ - ***(Optional, after ESR migration)*** Cloudflare: ask-research at cloudflare.com
+ - **NOTE** : We need to provide them with updated user agent string so they can update their internal machinery to prevent Tor Browser users from getting so many CAPTCHAs
</details>
<details>
<summary>Signing</summary>
-### signing
-- **NOTE** : In practice, it's most efficient to have the blog post and website updates ready to merge, since signing doesn't take very long
-- [ ] On `$(STAGING_SERVER)`, ensure updated:
- - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-$(TOR_BROWSER_VERSION)-$(TOR_BROWSER_BUILD_N) && git checkout tbb-$(TOR_BROWSER_VERSION)-$(TOR_BROWSER_BUILD_N)`
- - [ ] `tor-browser-build/tools/signing/set-config.hosts`
- - `ssh_host_builder` : ssh hostname of machine with unsigned builds
- - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory)
- - `ssh_host_linux_signer` : ssh hostname of linux signing machine
- - `ssh_host_macos_signer` : ssh hostname of macOS signing machine
- - [ ] `tor-browser-build/tools/signing/set-config.macos-notarization`
- - `macos_notarization_user` : the email login for a tor notariser Apple Developer account
- - [ ] `set-config.update-responses`
- - `update_responses_repository_dir` : directory where you cloned `git at gitlab.torproject.org:tpo/applications/tor-browser-update-responses.git`
- - [ ] `tor-browser-build/tools/signing/set-config.tbb-version`
- - `tbb_version` : tor browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`)
- - `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`)
- - `tbb_version_type` : either `alpha` for alpha releases or `release` for stable releases
-- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, run the macOS proxy script:
- - `cd tor-browser-build/tools/signing/`
- - `./macos-signer-proxy`
-- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
-- [ ] run do-all-signing script:
- - `cd tor-browser-build/tools/signing/`
- - `./do-all-signing.torbrowser`
-- **NOTE**: at this point the signed binaries should have been copied to `staticiforme`
-- [ ] Update `staticiforme.torproject.org`:
- - From `screen` session on `staticiforme.torproject.org`:
- - [ ] Static update components : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org`
- - [ ] Enable update responses : `sudo -u tb-release ./deploy_update_responses-alpha.sh`
- - [ ] Remove old release data from following places:
- - **NOTE** : Skip this step if we need to hold on to older versions for some reason (for example, this is an Andoid or Desktop-only release, or if we need to hold back installers in favor of build-to-build updates if there are signing issues, etc)
- - [ ] `/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser`
- - [ ] `/srv/dist-master.torproject.org/htdocs/torbrowser`
- - [ ] Static update components (again) : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org`
-- [ ] Publish APKs to Google Play:
- - Log into https://play.google.com/apps/publish
- - Select `Tor Browser (Alpha)` app
- - Navigate to `Release > Production` and click `Create new release` button:
- - Upload the `*.multi.apk` APKs
- - Update Release Name to Tor Browser version number
- - Update Release Notes
- - Next to 'Release notes', click `Copy from a previous release`
- - Edit blog post url to point to most recent blog post
- - Save, review, and configure rollout percentage
- - [ ] 25% rollout when publishing a scheduled update
- - [ ] 100% rollout when publishing a security-driven release
- - [ ] Update rollout percentage to 100% after confirmed no major issues
+ ### signing
+ - **NOTE** : In practice, it's most efficient to have the blog post and website updates ready to merge, since signing doesn't take very long
+ - [ ] Assign this issue to the signer, one of:
+ - boklm
+ - richard
+ - [ ] On `$(STAGING_SERVER)`, ensure updated:
+ - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-$(TOR_BROWSER_VERSION)-$(TOR_BROWSER_BUILD_N) && git checkout tbb-$(TOR_BROWSER_VERSION)-$(TOR_BROWSER_BUILD_N)`
+ - [ ] `tor-browser-build/tools/signing/set-config.hosts`
+ - `ssh_host_builder` : ssh hostname of machine with unsigned builds
+ - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory)
+ - `ssh_host_linux_signer` : ssh hostname of linux signing machine
+ - `ssh_host_macos_signer` : ssh hostname of macOS signing machine
+ - [ ] `tor-browser-build/tools/signing/set-config.macos-notarization`
+ - `macos_notarization_user` : the email login for a tor notariser Apple Developer account
+ - [ ] `set-config.update-responses`
+ - `update_responses_repository_dir` : directory where you cloned `git at gitlab.torproject.org:tpo/applications/tor-browser-update-responses.git`
+ - [ ] `tor-browser-build/tools/signing/set-config.tbb-version`
+ - `tbb_version` : tor browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`)
+ - `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`)
+ - `tbb_version_type` : either `alpha` for alpha releases or `release` for stable releases
+ - [ ] On `$(STAGING_SERVER)` in a separate `screen` session, run the macOS proxy script:
+ - `cd tor-browser-build/tools/signing/`
+ - `./macos-signer-proxy`
+ - [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
+ - [ ] run do-all-signing script:
+ - `cd tor-browser-build/tools/signing/`
+ - `./do-all-signing.torbrowser`
+ - **NOTE**: at this point the signed binaries should have been copied to `staticiforme`
+ - [ ] Update `staticiforme.torproject.org`:
+ - From `screen` session on `staticiforme.torproject.org`:
+ - [ ] Static update components : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org`
+ - [ ] Enable update responses : `sudo -u tb-release ./deploy_update_responses-alpha.sh`
+ - [ ] Remove old release data from following places:
+ - **NOTE** : Skip this step if we need to hold on to older versions for some reason (for example, this is an Andoid or Desktop-only release, or if we need to hold back installers in favor of build-to-build updates if there are signing issues, etc)
+ - [ ] `/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser`
+ - [ ] `/srv/dist-master.torproject.org/htdocs/torbrowser`
+ - [ ] Static update components (again) : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org`
+ - [ ] Publish APKs to Google Play:
+ - Log into https://play.google.com/apps/publish
+ - Select `Tor Browser (Alpha)` app
+ - Navigate to `Release > Production` and click `Create new release` button:
+ - Upload the `*.multi.apk` APKs
+ - Update Release Name to Tor Browser version number
+ - Update Release Notes
+ - Next to 'Release notes', click `Copy from a previous release`
+ - Edit blog post url to point to most recent blog post
+ - Save, review, and configure rollout percentage
+ - [ ] 25% rollout when publishing a scheduled update
+ - [ ] 100% rollout when publishing a security-driven release
+ - [ ] Update rollout percentage to 100% after confirmed no major issues
</details>
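Review bot: The `git tag -v tbb-$(TOR_BROWSER_VERSION)-$(TOR_BROWSER_BUILD_N) && git checkout ...` item under "On `$(STAGING_SERVER)`, ensure updated" only confirms that the tag carries a good signature from some key in the signer's keyring; it does not say whose signature is acceptable. Suggest adding a sub-item that tells the signer to compare the key reported by `git tag -v` against the list of valid taggers this commit adds before running `./do-all-signing.torbrowser`. Two nits carried over unchanged from the removed lines: the stray `)` at the end of the NOTE under `ssh_host_builder`, and "Andoid" in the NOTE under "Remove old release data".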
@@ -219,83 +237,86 @@ Tor Browser Alpha (and Nightly) are on the `main` branch
<details>
<summary>Check whether the .exe files got properly signed and timestamped</summary>
- ```
- # Point OSSLSIGNCODE to your osslsigncode binary
- pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION
- OSSLSIGNCODE=/path/to/osslsigncode
- ../../../tools/authenticode_check.sh
- popd
- ```
+
+```bash
+# Point OSSLSIGNCODE to your osslsigncode binary
+pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION
+OSSLSIGNCODE=/path/to/osslsigncode
+../../../tools/authenticode_check.sh
+popd
+```
+
</details>
<details>
<summary>Check whether the MAR files got properly signed</summary>
- ```
- # Point NSSDB to your nssdb containing the mar signing certificate
- # Point SIGNMAR to your signmar binary
- # Point LD_LIBRARY_PATH to your mar-tools directory
- pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION
- NSSDB=/path/to/nssdb
- SIGNMAR=/path/to/mar-tools/signmar
- LD_LIBRARY_PATH=/path/to/mar-tools/
- ../../../tools/marsigning_check.sh
- popd
- ```
+
+```bash
+# Point NSSDB to your nssdb containing the mar signing certificate
+# Point SIGNMAR to your signmar binary
+# Point LD_LIBRARY_PATH to your mar-tools directory
+pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION
+NSSDB=/path/to/nssdb
+SIGNMAR=/path/to/mar-tools/signmar
+LD_LIBRARY_PATH=/path/to/mar-tools/
+../../../tools/marsigning_check.sh
+popd
+```
+
</details>
</details>
<details>
<summary>Publishing</summary>
-### website: https://gitlab.torproject.org/tpo/web/tpo.git
-- [ ] `databags/versions.ini` : Update the downloads versions
- - `torbrowser-stable/version` : sort of a catch-all for latest stable version
- - `torbrowser-alpha/version` : sort of a catch-all for latest stable version
- - `torbrowser-*-stable/version` : platform-specific stable versions
- - `torbrowser-*-alpha/version` : platform-specific alpha versions
- - `tor-stable`,`tor-alpha` : set by tor devs, do not touch
-- [ ] Push to origin as new branch, open 'Draft :' MR
-- [ ] Remove `Draft:` from MR once signed-packages are uploaded
-- [ ] Merge
-- [ ] Publish after CI passes and builds are published
-
-### blog: https://gitlab.torproject.org/tpo/web/blog.git
-
-- [ ] Duplicate previous Stable or Alpha release blog post as appropriate to new directory under `content/blog/new-release-tor-browser-$(TOR_BROWSER_VERSION)` and update with info on release :
- - [ ] Run `tools/signing/create-blog-post` which should create the new blog post from a template (edit set-config.blog to set you local blog directory)
- - [ ] Update Tor Browser version numbers
- - [ ] Note any ESR rebase
- - [ ] Link to any Firefox security updates from ESR upgrade
- - [ ] Link to any Android-specific security backports
- - [ ] Note any updates to :
- - tor
- - OpenSSL
- - NoScript
- - [ ] Convert ChangeLog.txt to markdown format used here by :
- - `tor-browser-build/tools/changelog-format-blog-post`
-- [ ] Push to origin as new branch, open `Draft:` MR
-- [ ] Remove `Draft:` from MR once signed-packages are uploaded
-- [ ] Merge
-- [ ] Publish after CI passes and website has been updated
-
-### tor-announce mailing list
- <details>
- <summary>email template</summary>
-
- Subject:
- New Release: Tor Browser $(TOR_BROWSER_VERSION) (Android, Windows, macOS, Linux)
-
- Body:
- Hi everyone,
-
- Tor Browser $(TOR_BROWSER_VERSION) has now been published for all platforms. For details please see our blog post:
-
- - $(BLOG_POST_URL)
-
- </details>
-
-- [ ] Email tor-announce mailing list: tor-announce at lists.torproject.org
- - **(Optional)** Additional information:
- - [ ] Link to any known issues
+ ### website: https://gitlab.torproject.org/tpo/web/tpo.git
+ - [ ] `databags/versions.ini` : Update the downloads versions
+ - `torbrowser-stable/version` : sort of a catch-all for latest stable version
+ - `torbrowser-alpha/version` : sort of a catch-all for latest stable version
+ - `torbrowser-*-stable/version` : platform-specific stable versions
+ - `torbrowser-*-alpha/version` : platform-specific alpha versions
+ - `tor-stable`,`tor-alpha` : set by tor devs, do not touch
+ - [ ] Push to origin as new branch, open 'Draft :' MR
+ - [ ] Remove `Draft:` from MR once signed-packages are uploaded
+ - [ ] Merge
+ - [ ] Publish after CI passes and builds are published
+
+ ### blog: https://gitlab.torproject.org/tpo/web/blog.git
+ - [ ] Duplicate previous Stable or Alpha release blog post as appropriate to new directory under `content/blog/new-release-tor-browser-$(TOR_BROWSER_VERSION)` and update with info on release :
+ - [ ] Run `tools/signing/create-blog-post` which should create the new blog post from a template (edit set-config.blog to set you local blog directory)
+ - [ ] Update Tor Browser version numbers
+ - [ ] Note any ESR rebase
+ - [ ] Link to any Firefox security updates from ESR upgrade
+ - [ ] Link to any Android-specific security backports
+ - [ ] Note any updates to :
+ - tor
+ - OpenSSL
+ - NoScript
+ - [ ] Convert ChangeLog-TBB.txt to markdown format used here by :
+ - `tor-browser-build/tools/changelog-format-blog-post`
+ - [ ] Push to origin as new branch, open `Draft:` MR
+ - [ ] Remove `Draft:` from MR once signed-packages are uploaded
+ - [ ] Merge
+ - [ ] Publish after CI passes and website has been updated
+
+ ### tor-announce mailing list
+ - [ ] Email tor-announce mailing list: tor-announce at lists.torproject.org
+ <details>
+ <summary>email template</summary>
+
+ Subject:
+ New Release: Tor Browser $(TOR_BROWSER_VERSION) (Android, Windows, macOS, Linux)
+
+ Body:
+ Hi everyone,
+
+ Tor Browser $(TOR_BROWSER_VERSION) has now been published for all platforms. For details please see our blog post:
+
+ - $(BLOG_POST_URL)
+
+ </details>
+
+ - **(Optional)** Additional information:
+ - [ ] Link to any known issues
</details>
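Review bot: In both re-fenced `bash` blocks the tool variables are assigned on their own lines (`OSSLSIGNCODE=/path/to/osslsigncode` followed by `../../../tools/authenticode_check.sh`), so unless they are already exported in the signer's shell, the check script runs as a child process and never receives them; the same applies to `NSSDB`, `SIGNMAR` and `LD_LIBRARY_PATH` ahead of `../../../tools/marsigning_check.sh`. Suggest prefixing each assignment with `export`, or placing the assignments on the same line as the script invocation, and stating where `${channel}` and `$TORBROWSER_VERSION` are expected to be set. Separately, in the `databags/versions.ini` list the `torbrowser-alpha/version` entry is still described as "latest stable version", the website step writes 'Draft :' where the blog steps use `Draft:`, and "set you local blog directory" should read "your".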
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/600cbac211ffa7c7ed93240dcb9c37de66d9fc84