[tor-commits] [tor-browser-spec/master] Bug 40007: Update Release process document
gk at torproject.org
gk at torproject.org
Fri Feb 25 20:11:07 UTC 2022
commit b336a4ea1c93c9344dd303132d09b3e2bd5d1673
Author: Matthew Finkel <sysrqb at torproject.org>
Date: Tue Nov 17 03:24:20 2020 +0000
Bug 40007: Update Release process document
---
processes/ReleaseProcess | 134 +++++++++++++++++++++++++++-----------------
processes/RollingBackUpdate | 21 +++++++
2 files changed, 105 insertions(+), 50 deletions(-)
diff --git a/processes/ReleaseProcess b/processes/ReleaseProcess
index 3dee1e9..08db508 100644
--- a/processes/ReleaseProcess
+++ b/processes/ReleaseProcess
@@ -139,19 +139,6 @@
# XXX: TORBROWSER_VERSION_OLDEST needs to be set
rm -rf /srv/dist-master.torproject.org/htdocs/torbrowser/$TORBROWSER_VERSION_OLDEST
static-update-component dist.torproject.org
- # We must use $TORBROWSER_VERSION here because signed result dirs should omit the build number suffix
- wget -nH --cut-dirs=2 -r -l 1 https://people.torproject.org/~gk/builds/$TORBROWSER_VERSION
- rm $TORBROWSER_VERSION/index.html*
- mv $TORBROWSER_VERSION /srv/dist-master.torproject.org/htdocs/torbrowser/
- chmod 775 /srv/dist-master.torproject.org/htdocs/torbrowser/$TORBROWSER_VERSION
- chmod 664 /srv/dist-master.torproject.org/htdocs/torbrowser/$TORBROWSER_VERSION/*
- # XXX: Need to manually get .htaccess :(
- chmod 664 /srv/dist-master.torproject.org/htdocs/torbrowser/$TORBROWSER_VERSION/.htaccess
- chown -R :torwww /srv/dist-master.torproject.org/htdocs/torbrowser/$TORBROWSER_VERSION
- # Verify everything was downloaded/copied correctly
- cd /srv/dist-master.torproject.org/htdocs/torbrowser/$TORBROWSER_VERSION
- for i in *.asc; do echo $i ; gpg -q $i || break; done
- static-update-component dist.torproject.org
#. Check diskspace available on cdn.tpo
# We currently have enough disk space to host two alpha and stable
@@ -159,19 +146,25 @@
# it may become necessary to increase disk space. The server hosting
# the files for cdn.tpo is savii.tpo and its disk usage can be monitored
# by going to https://grafana.torproject.org/d/Z7T7Cfemz/node-exporter-full
-# and selecting the host savii.torproject.org.
-
-#. Upload the *.mar files to cdn.tpo
-#. Local to staticiforme:
- mkdir /srv/cdn-master.torproject.org/htdocs/aus1/torbrowser/$TORBROWSER_VERSION
- chmod 775 /srv/cdn-master.torproject.org/htdocs/aus1/torbrowser/$TORBROWSER_VERSION
- cd /srv/cdn-master.torproject.org/htdocs/aus1/torbrowser/$TORBROWSER_VERSION
- for marfile in /srv/dist-master.torproject.org/htdocs/torbrowser/$TORBROWSER_VERSION/*.mar; do ln $marfile; done
+# and selecting the hosts: web-fsn-02.torproject.org, web-cymru-01.torproject.org,
+# web-fsn-01.torproject.org, and cdn-backend-sunet-01.torproject.org
+
+#. Remove the oldest *.mar files from cdn.tpo to save space
+ rm -rf /srv/cdn-master.torproject.org/htdocs/aus1/torbrowser/$TORBROWSER_VERSION_OLDEST
static-update-component cdn.torproject.org
+#. Sync files to dist.tpo and cdn.tpo mirrored web servers
+ # Obtain publish_version.sh from the tor-browser-build repo under tools/update/.
+ # $PREV_TORBROWSER_VERSION is one of the previously published versions remaining
+ # on staticiforme from where the .htaccess is copied.
+ ./publish_version.sh $TORBROWSER_VERSION $PREV_TORBROWSER_VERSION release # or alpha
+
#. Make sure we really built from the proper Mozilla build tag by consulting
- # the respective ESR release branch (for a good overview for ESR60 see
- # https://hg.mozilla.org/releases/mozilla-esr60/graph/).
+ # the respective ESR release branch (for a good overview for ESR78 see
+ # https://hg.mozilla.org/releases/mozilla-esr78/graph/). For the platforms following
+ # rapid release (only Android, currently), consult the beta repo
+ # (https://hg.mozilla.org/releases/mozilla-beta/graph/) or the release repo
+ # (https://hg.mozilla.org/releases/mozilla-release/graph/)
#. Update website's torbrowser versions file in the website git
cd tpo
@@ -179,12 +172,13 @@
# Update `win32` in the `torbrowser-stable` section as well if we
# include a new stable tor version (called the Windows Expert Bundle
# on the website). See: #14152.
- # In the RecommendedTBBVersions file, only add the new version. Don't
- # remove the old one yet. That comes later.
- vim databags/versions.ini content/projects/torbrowser/RecommendedTBBVersions/contents.lr
- git commit databags/versions.ini content/projects/torbrowser/RecommendedTBBVersions/contents.lr -m "Add new Tor Browser version"
+ vim databags/versions.ini
+ git commit databags/versions.ini -m "Add new Tor Browser version"
torsocks git push origin master:master
cd ..
+ # Check build success/failure:
+ # https://jenkins.torproject.org/job/lektor-website-tpo-translation/
+ # https://jenkins.torproject.org/job/lektor-website-tpo-translation-install/
#. Add new locales to the download page
# If this release is introducing new locales, add them to the
@@ -201,14 +195,25 @@
#. Create blog post from changelog
# See https://blog.torproject.org/blog/tor-browser-352-released for now
# Don't forget to link to Mozilla's security advisories if this is a security
- # update, or Nadim will yell at you.
+ # update.
+
+#. Check whether the .exe files got properly signed and timestamped
+ # Point OSSLSIGNCODE to your osslsigncode binary
+ pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION
+ OSSLSIGNCODE=/path/to/osslsigncode
+ ../../../tools/authenticode_check.sh
+ popd
#. Check whether the MAR files got properly signed
+ # Point NSSDB to your nssdb containing the mar signing certificate
# Point SIGNMAR to your signmar binary
# Point LD_LIBRARY_PATH to your mar-tools directory
- cd tor-browser-build/$TORBROWSER_VERSION
- ../tools/marsigning_check.sh
- cd ..
+ pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION
+ NSSDB=/path/to/nssdb
+ SIGNMAR=/path/to/mar-tools/signmar
+ LD_LIBRARY_PATH=/path/to/mar-tools/
+ ../../../tools/marsigning_check.sh
+ popd
#. Update and upload new update responses for the updater
# IMPORTANT: Copy the signed MAR files back before creating the update
@@ -220,27 +225,56 @@
chmod 664 ${TORBROWSER_UPDATE_CHANNEL}/*
chmod 664 ${TORBROWSER_UPDATE_CHANNEL}/.htaccess
chmod 775 ${TORBROWSER_UPDATE_CHANNEL}/
- # Rename the update responses directory to .old to make it easier to
- # revert in case of problem (see the file RollingBackUpdate for more
- # details about this)
- torsocks ssh staticiforme.torproject.org "rm -rf /srv/aus1-master.torproject.org/htdocs/torbrowser/update_3/${TORBROWSER_UPDATE_CHANNEL}.old"
- torsocks ssh staticiforme.torproject.org "mv -v /srv/aus1-master.torproject.org/htdocs/torbrowser/update_3/${TORBROWSER_UPDATE_CHANNEL} /srv/aus1-master.torproject.org/htdocs/torbrowser/update_3/${TORBROWSER_UPDATE_CHANNEL}.old"
torsocks rsync -avP $TORBROWSER_UPDATE_CHANNEL staticiforme.torproject.org:/srv/aus1-master.torproject.org/htdocs/torbrowser/update_3/
- torsocks ssh staticiforme.torproject.org "chown -R :torwww /srv/aus1-master.torproject.org/htdocs/torbrowser/update_3/${TORBROWSER_UPDATE_CHANNEL}/*"
+ torsocks ssh staticiforme.torproject.org "chown -R :torwww /srv/aus1-master.torproject.org/htdocs/torbrowser/update_3/${TORBROWSER_UPDATE_CHANNEL}"
torsocks ssh staticiforme.torproject.org "static-update-component aus1.torproject.org"
+# Upload APKs to Google Play
+ Log into https://play.google.com/apps/publish
+ Select correct app (Tor Browser or Tor Browser Alpha)
+ Under left-side navigation bar, select "Production" under "Release"
+ Select "Create new release" button at upper right-side
+ Under "App bundles and APKs" section, "Upload" each signed APK
+ After uploading APKs:
+ - The "Release Name" should be automatically filled with the Firefox version
+ - Next to "Release notes" click "Copy from a previous release"
+ - Select the previous release and adjust the blog post url for this release
+ - Save, review, and configure rollout percentage at the bottom
+ - Use 25% rollout when publishing a scheduled update (without a security driver)
+ - Use 100% rollout when publishing an unscheduled update or security-driven release
+ Roll out.
+
+ Note, you may receive three warning messages about:
+ 1) app is larger than it is necessary (android app bundle),
+ 2) missing deobfuscation file for better crash analysis
+ 3) missing debug symbol file
+
+ These warnings are expected and should be accepted.
+
+ See below for updating the rollout percentage.
+
+# Release on F-Droid
+ Publication on F-Droid via the Guardian Project's repository should be
+ automatic. Hans is responsible for maintaining this automation.
+
+# Update rollout percentage
+ After 24 hours, check the Release Daskboard:
+ - "Release"->"Production" and select the "Release Dashboard" tab
+ If the Release Dashboard does not show any concerning trends (significant
+ increase in crashes or ANRs (Application Not Responding)), then continue on
+ to the next paragraph and increase rollout from 25% to 100%. Otherwise
+ consider halting rollout as described in the `RollingBackUpdate` process.
+
+ Select the "Releases" tab on the "Production" page. The current released
+ version should indicate 25% rollout: "Available to 25% of users on Google Play"
+ On the right-side of the "View release details" button of the release there
+ should be a button labeled "Manage rollout" with a down-arrow. Clicking on
+ that button should show two options:
+ - Update rollout
+ - Halt rollout
+
+ Select "Update rollout" and increase to 100% and click "Update". The change
+ should be immediately implemented and the "Manage rollout" button disappears.
+
#. Write an email to tor-announce in case this release is concerned with getting
# a stable version out. Using the contents of the blog entry should do it.
-
-#. Update website's torbrowser versions file to remove old versions
-# NOTE: You probably want to wait some hours (12-24?) after pushing the
-# update responses before doing this, so that people have a chance to see
-# the Firefox notification first before their browser starts weirdly blinking
-# at them.
- cd tpo
- torsocks git pull origin
- # Now it's time to remove the obsolete version(s)
- vim content/projects/torbrowser/RecommendedTBBVersions/contents.lr
- git commit content/projects/torbrowser/RecommendedTBBVersions/contents.lr -m "Deprecate old Tor Browser version"
- torsocks git push origin master:master
- cd ..
diff --git a/processes/RollingBackUpdate b/processes/RollingBackUpdate
index a1e518b..3aae1b1 100644
--- a/processes/RollingBackUpdate
+++ b/processes/RollingBackUpdate
@@ -69,3 +69,24 @@ You can roll back the update with the following steps on staticiforme:
- run "static-update-component aus1.torproject.org"
+Rolling back an update only for Android users on Google Play
+------------------------------------------------------------
+
+The rollout may be slowed or halted (paused) while an issue is investigated.
+On the "Releases" tab of the "Production" page
+("Release"->"Production"->"Releases") two options are available for
+this case.
+ 1) Use the "Update rollout" option and decrease the percentage
+ 2) Use the "Halt rollout" option and include a note about which issue is
+ being investigated
+
+Google Play does not provide a mechanism for rolling back installations to a
+previous version, so a new version must be released if the current version is
+problematic. If a bug is present (or suspected) in the currently rolling out
+version, then halting the rollout as soon as possible (thus preventing many
+devices updating) is the safest action.
+
+If the rollout is halted and later the decision is made to continue the
+rollout, then on the "Releases" tab (as above) select "Resume rollout". You may
+adjust the rollout percentage, if needed, and then click the "Resume rollout"
+button.
More information about the tor-commits
mailing list