[tor-commits] [Git][tpo/applications/tor-browser-build][main] Update Mullvad and Tor Browser Release Prep issue templates

richard pushed to branch main at The Tor Project / Applications / tor-browser-build

Commits:

f1811496

by Richard Pospesel at 2024-02-21T11:55:05+00:00

Update Mullvad and Tor Browser Release Prep issue templates

4 changed files:

.gitlab/issue_templates/Release Prep - Mullvad Browser Alpha.md
.gitlab/issue_templates/Release Prep - Mullvad Browser Stable.md
.gitlab/issue_templates/Release Prep - Tor Browser Alpha.md
.gitlab/issue_templates/Release Prep - Tor Browser Stable.md

Changes:

.gitlab/issue_templates/Release Prep - Mullvad Browser Alpha.md

@@ -27,172 +27,178 @@
  </details>
  **NOTE** It is assumed that the `tor-browser` alpha rebase and security backport tasks have been completed
++
  **NOTE** This can/is often done in conjunction with the equivalent Tor Browser release prep issue
  <details>
    <summary>Building</summary>
 -  ### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git
 -  Mullvad Browser Alpha (and Nightly) are on the `main` branch
+-
 -  - [ ] Update `rbm.conf`
 -    - [ ] `var/torbrowser_version` : update to next version
 -    - [ ] `var/torbrowser_build` : update to `$(MULLVAD_BROWSER_BUILD_N)`
 -    - [ ] `var/torbrowser_incremental_from` : update to previous Desktop version
 -      - **NOTE**: We try to build incrementals for the previous 3 desktop versions except in the case of a watershed update
 -      - **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make mullvadbrowser-incrementals-*` step will fail
 -  - [ ] Update build configs
 -    - [ ] Update `projects/firefox/config`
 -      - [ ] `browser_build` : update to match `mullvad-browser` tag
 -      - [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased
 -    - [ ] Update `projects/translation/config`:
 -      - [ ] run `make list_translation_updates-alpha` to get updated hashes
 -      - [ ] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch
 -      - [ ] `steps/mullvad-browser/git_hash` : update with `HEAD` commit of project's `mullvad-browser` branch
 -  - [ ] Update common build configs
 -    - [ ] Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript
 -      - [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/browser/config`
 -        - [ ] `URL`
 -        - [ ] `sha256sum`
 -    - [ ] Check for uBlock-origin updates here : https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/
 -      - [ ] ***(Optional)*** If new version available, update `ublock-origin` section of `input_files` in `projects/browser/config`
 -        - [ ] `URL`
 -        - [ ] `sha256sum`
 -    - [ ] Check for Mullvad Privacy Companion updates here : https://github.com/mullvad/browser-extension/releases
 -      - [ ] ***(Optional)*** If new version available, update `mullvad-extension` section of `input_files` in `projects/browser/config`
 -        - [ ] `URL`
 -        - [ ] `sha256sum`
 -    - [ ] Update `ChangeLog-MB.txt`
 -      - [ ] Ensure `ChangeLog-MB.txt` is sync'd between alpha and stable branches
 -      - [ ] Check the linked issues: ask people to check if any are missing, remove the not fixed ones
 -      - [ ] Run `tools/fetch-changelogs.py $(ISSUE_NUMBER) --date $date $updateArgs`
 -        - Make sure you have `requests` installed (e.g., `apt install python3-requests`)
 -        - The first time you run this script you will need to generate an access token; the script will guide you
 -        - `$updateArgs` should be these arguments, depending on what you actually updated:
 -          - [ ] `--firefox`
 -          - [ ] `--no-script`
 -          - [ ] `--ublock`
 -          - E.g., `tools/fetch-changelogs.py 41029 --date 'December 19 2023' --firefox 115.6.0esr --no-script 11.4.29 --ublock 1.54.0`
 -        - `--date $date` is optional, if omitted it will be the date on which you run the command
 -      - [ ] Copy the output of the script to the beginning of `ChangeLog-MB.txt` and adjust its output
 -  - [ ] Open MR with above changes, using the template for release preparations
 -  - [ ] Merge
 -  - [ ] Sign+Tag
 -    - **NOTE** this must be done by one of:
 -      - boklm
 -      - dan
 -      - ma1
 -      - pierov
 -      - richard
 -    - [ ] Run: `make mullvadbrowser-signtag-alpha`
 -    - [ ] Push tag to `upstream`
 -  - [ ] Build the tag on at least one of:
 -    - Run `make mullvadbrowser-alpha && make mullvadbrowser-incrementals-alpha`
 +### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git
 +Mullvad Browser Alpha (and Nightly) are on the `main` branch
++
 +- [ ] Update `rbm.conf`
 +  - [ ] `var/torbrowser_version` : update to next version
 +  - [ ] `var/torbrowser_build` : update to `$(MULLVAD_BROWSER_BUILD_N)`
 +  - [ ] `var/torbrowser_incremental_from` : update to previous Desktop version
 +    - **NOTE**: We try to build incrementals for the previous 3 desktop versions except in the case of a watershed update
 +    - **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make mullvadbrowser-incrementals-*` step will fail
 +- [ ] Update build configs
 +  - [ ] Update `projects/firefox/config`
 +    - [ ] `browser_build` : update to match `mullvad-browser` tag
 +    - [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased
 +  - [ ] Update `projects/translation/config`:
 +    - [ ] run `make list_translation_updates-alpha` to get updated hashes
 +    - [ ] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch
 +    - [ ] `steps/mullvad-browser/git_hash` : update with `HEAD` commit of project's `mullvad-browser` branch
 +- [ ] Update common build configs
 +  - [ ] Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript
 +    - [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/browser/config`
 +      - [ ] `URL`
 +      - [ ] `sha256sum`
 +  - [ ] Check for uBlock-origin updates here : https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/
 +    - [ ] ***(Optional)*** If new version available, update `ublock-origin` section of `input_files` in `projects/browser/config`
 +      - [ ] `URL`
 +      - [ ] `sha256sum`
 +  - [ ] Check for Mullvad Browser Extension updates here : https://github.com/mullvad/browser-extension/releases
 +    - [ ] ***(Optional)*** If new version available, update `mullvad-extension` section of `input_files` in `projects/browser/config`
 +      - [ ] `URL`
 +      - [ ] `sha256sum`
 +- [ ] Update `ChangeLog-MB.txt`
 +  - [ ] Ensure `ChangeLog-MB.txt` is sync'd between alpha and stable branches
 +  - [ ] Check the linked issues: ask people to check if any are missing, remove the not fixed ones
 +  - [ ] Run `tools/fetch-changelogs.py $(ISSUE_NUMBER) --date $date $updateArgs`
 +    - Make sure you have `requests` installed (e.g., `apt install python3-requests`)
 +    - The first time you run this script you will need to generate an access token; the script will guide you
 +    - `$updateArgs` should be these arguments, depending on what you actually updated:
 +      - [ ] `--firefox` (be sure to include esr at the end if needed, which is usually the case)
 +      - [ ] `--no-script`
 +      - [ ] `--ublock`
 +      - E.g., `tools/fetch-changelogs.py 41029 --date 'December 19 2023' --firefox 115.6.0esr --no-script 11.4.29 --ublock 1.54.0`
 +    - `--date $date` is optional, if omitted it will be the date on which you run the command
 +  - [ ] Copy the output of the script to the beginning of `ChangeLog-MB.txt` and adjust its output
 +- [ ] Open MR with above changes, using the template for release preparations
 +- [ ] Merge
 +- [ ] Sign+Tag
 +  - **NOTE** this must be done by one of:
 +    - boklm
 +    - dan
 +    - ma1
 +    - pierov
 +    - richard
 +  - [ ] Run: `make mullvadbrowser-signtag-alpha`
 +  - [ ] Push tag to `upstream`
 +- [ ] Build the tag:
 +  - Run `make mullvadbrowser-alpha && make mullvadbrowser-incrementals-alpha` on:
      - [ ] Tor Project build machine
      - [ ] Local developer machine
    - [ ] Submit build request to Mullvad infrastructure:
      - **NOTE** this requires a devmole authentication token
      - Run `make mullvadbrowser-kick-devmole-build`
 -  - [ ] Ensure builders have matching builds
 +- [ ] Ensure builders have matching builds
  </details>
  <details>
    <summary>Signing</summary>
 -  ### signing
 -  - [ ] Assign this issue to the signer, one of:
 -    - boklm
 -    - richard
 -  - [ ] On `$(STAGING_SERVER)`, ensure updated:
 -    - [ ]  `tor-browser-build/tools/signing/set-config.hosts`
 -      - `ssh_host_builder` : ssh hostname of machine with unsigned builds
 -        - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory)
 -      - `ssh_host_linux_signer` : ssh hostname of linux signing machine
 -    - [ ] `tor-browser-build/tools/signing/set-config.rcodesign-appstoreconnect`
 -      - `appstoreconnect_api_key_path` : path to json file containing appstoreconnect api key infos
 -    - [ ] `set-config.update-responses`
 -      - `update_responses_repository_dir` : directory where you cloned `git@xxxxxxxxxxxxxxxxxxxxx:tpo/applications/mullvad-browser-update-responses.git`
 -    - [ ] `tor-browser-build/tools/signing/set-config.tbb-version`
 -      - `tbb_version` : mullvad browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`)
 -      - `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`)
 -      - `tbb_version_type` : either `alpha` for alpha releases or `release` for stable releases
 -  - [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
 -  - [ ] run do-all-signing script:
 -      - `cd tor-browser-build/tools/signing/`
 -      - `./do-all-signing.mullvadbrowser`
 -  - **NOTE**: at this point the signed binaries should have been copied to `staticiforme`
 -  - [ ] Update `staticiforme.torproject.org`:
 -    - From `screen` session on `staticiforme.torproject.org`:
 -    - [ ] Static update components : `static-update-component dist.torproject.org`
 -    - [ ] Remove old release data from `/srv/dist-master.torproject.org/htdocs/mullvadbrowser`
 -    - [ ] Static update components (again) : `static-update-component dist.torproject.org`
 +### release signing
 +- [ ] Assign this issue to the signer, one of:
 +  - boklm
 +  - richard
 +- [ ] On `$(STAGING_SERVER)`, ensure updated:
 +  - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-$(MULLVAD_BROWSER_VERSION)-$(MULLVAD_BROWSER_BUILD_N) && git checkout tbb-$(MULLVAD_BROWSER_VERSION)-$(MULLVAD_BROWSER_BUILD_N)`
 +  - [ ] `tor-browser-build/tools/signing/set-config.hosts`
 +    - `ssh_host_builder` : ssh hostname of machine with unsigned builds
 +      - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory)
 +    - `ssh_host_linux_signer` : ssh hostname of linux signing machine
 +  - [ ] `tor-browser-build/tools/signing/set-config.rcodesign-appstoreconnect`
 +    - `appstoreconnect_api_key_path` : path to json file containing appstoreconnect api key infos
 +  - [ ] `set-config.update-responses`
 +    - `update_responses_repository_dir` : directory where you cloned `git@xxxxxxxxxxxxxxxxxxxxx:tpo/applications/mullvad-browser-update-responses.git`
 +  - [ ] `tor-browser-build/tools/signing/set-config.tbb-version`
 +    - `tbb_version` : mullvad browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`)
 +    - `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`)
 +    - `tbb_version_type` : either `alpha` for alpha releases or `release` for stable releases
 +- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
 +- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, run do-all-signing script:
 +  - `cd tor-browser-build/tools/signing/`
 +  - `./do-all-signing.mullvadbrowser`
 +- **NOTE**: at this point the signed binaries should have been copied to `staticiforme`
 +- [ ] Update `staticiforme.torproject.org`:
 +  - From `screen` session on `staticiforme.torproject.org`:
 +  - [ ] Remove old release data from `/srv/dist-master.torproject.org/htdocs/mullvadbrowser`
 +  - [ ] Static update components (again) : `static-update-component dist.torproject.org`
  </details>
  <details>
    <summary>Publishing</summary>
 -  ### mullvad-browser (github): https://github.com/mullvad/mullvad-browser/
 -  - [ ] Assign this issue to someone with mullvad commit access, one of:
 +### mullvad-browser (GitHub): https://github.com/mullvad/mullvad-browser/
 +- [ ] Assign this issue to someone with mullvad commit access, one of:
      - richard
 -  - [ ] Push this release's associated `mullvad-browser.git` branch to github
 -  - [ ] Push this release's associated tags to github:
 -    - [ ] Firefox ESR tag
 -      - **example** : `FIREFOX_102_12_0esr_BUILD1,`
 -    - [ ] `base-browser` tag
 -      - **example** : `base-browser-102.12.0esr-12.0-1-build1`
 -    - [ ] `mullvad-browser` tag
 -      - **example** : `mullvad-browser-102.12.0esr-12.0-1-build1`
 -  - [ ] Sign+Tag additionally the `mullvad-browser.git` `firefox` commit used in build:
 -    - **Tag**: `$(MULLVAD_BROWSER_VERSION)`
 -      - **example** : `12.5a7`
 -    - **Message**: `$(ESR_VERSION)esr-based $(MULLVAD_BROWSER_VERSION)`
 -      - **example** : `102.12.0esr-based 12.5a7`
 -    - [ ] Push tag to github
+-
 -  ### email
 -  - [ ] Email Mullvad with release information: support@xxxxxxxxxxx, rui@xxxxxxxxxxx
 -    <details>
 -      <summary>email template</summary>
+-
 -        Subject:
 -        New build: Mullvad Browser $(MULLVAD_BROWSER_VERION) (signed)
+-
 -        Body:
 -        signed builds: https://dist.torproject.org/mullvadbrowser/$(MULLVAD_BROWSER_VERSION)
+-
 -        update_response hashes: $(MULLVAD_UPDATE_RESPONSES_HASH)
+-
 -        changelog:
 -        ...
+-
 -    </details>
 +- [ ] Push this release's associated `mullvad-browser.git` branch to github
 +- [ ] Push this release's associated tags to github:
 +  - [ ] Firefox ESR tag
 +    - **example** : `FIREFOX_102_12_0esr_BUILD1`
 +  - [ ] `base-browser` tag
 +    - **example** : `base-browser-102.12.0esr-12.0-1-build1`
 +  - [ ] `mullvad-browser` tag
 +    - **example** : `mullvad-browser-102.12.0esr-12.0-1-build1`
 +- [ ] Sign+Tag additionally the `mullvad-browser.git` `firefox` commit used in build:
 +  - **Tag**: `$(MULLVAD_BROWSER_VERSION)`
 +    - **example** : `12.5a7`
 +  - **Message**: `$(ESR_VERSION)esr-based $(MULLVAD_BROWSER_VERSION)`
 +    - **example** : `102.12.0esr-based 12.5a7`
 +  - [ ] Push tag to github
++
 +### email
 +- [ ] **(Once branch+tags pushed to GitHub)** Email Mullvad with release information:
 +  - [ ] support alias: support@xxxxxxxxxxxxxx
 +  - [ ] Rui: rui@xxxxxxxxxxx
 +  - **Subject**
 +    ```
 +    New build: Mullvad Browser $(MULLVAD_BROWSER_VERION) (signed)
 +    ```
 +  - **Body**
 +    ```
 +    Hello,
++
 +    Branch+Tags have been pushed to Mullvad's GitHub repo.
++
 +    - signed builds: https://dist.torproject.org/mullvadbrowser/$(MULLVAD_BROWSER_VERSION)
 +    - update_response hashes: $(MULLVAD_UPDATE_RESPONSES_HASH)
++
 +    changelog:
 +    ...
 +    ```
++
  </details>
  <details>
    <summary>Downstream</summary>
 -  ### notify packagers
+-
 -  - [ ] **(Optional, Once Mullvad Updates their Github Releases Page)** Email downstream consumers:
 -    - **NOTE**: This is an optional step and only necessary close a major release/transition from alpha to stable, or if there are major packing changes these developers need to be aware of
 -    <details>
 -      <summary>email template</summary>
+-
 -        Hello!
+-
 -        Mullvad-Browser $(MULLVAD_BROWSER_VERSION) packages are available, so you should all update your respective downstream packages.
+-
 -        Release builds can be found here:
+-
 -        - https://github.com/mullvad/mullvad-browser/releases/tag/$(MULLVAD_BROWSER_VERSION)
+-
 -    </details>
+-
 -    - flathub package maintainer: proletarius101@xxxxxxxxxxxxxx
 -    - arch package maintainer: bootctl@xxxxxxxxx
 -    - nixOS package maintainer: dev@xxxxxxxxxxx
 +### notify packagers
 +These steps depend on Mullvad having updated their [GitHub Releases](https://github.com/mullvad/mullvad-browser/releases/) page with the latest release
 +- [ ] **(Optional)** Email downstream consumers:
 +  - **NOTE**: This is an optional step and only necessary close a major release/transition from alpha to stable, or if there are major packing changes these developers need to be aware of
 +  - [ ] flathub package maintainer: proletarius101@xxxxxxxxxxxxxx
 +  - [ ] arch package maintainer: bootctl@xxxxxxxxx
 +  - [ ] nixOS package maintainer: dev@xxxxxxxxxxx
 +  - **Subject**
 +    ```
 +    Mullvad Browser $(MULLVAD_BROWSER_VERSION) released
 +    ```
 +  - **Body**
 +    ```
 +    Hello!
++
 +    This is a major alpha release which may require changes in your respective downstream packages once it stabilises.
++
 +    The latest alpha builds can be found here:
++
 +    - https://github.com/mullvad/mullvad-browser/releases?q=prerelease%3Atrue
 +    ```
  </details>

.gitlab/issue_templates/Release Prep - Mullvad Browser Stable.md

@@ -28,6 +28,8 @@
  **NOTE** It is assumed that the `tor-browser` stable rebase and security backport tasks have been completed
 +**NOTE** This can/is often done in conjunction with the equivalent Tor Browser release prep issue
++
  <details>
    <summary>Building</summary>
@@ -38,6 +40,7 @@ Mullvad Browser Stable lives in the various `maint-$(MULLVAD_BROWSER_MAJOR).$(MU
    - [ ] `var/torbrowser_version` : update to next version
    - [ ] `var/torbrowser_build` : update to `$(MULLVAD_BROWSER_BUILD_N)`
    - [ ] `var/torbrowser_incremental_from` : update to previous Desktop version
 +    - **NOTE**: We try to build incrementals for the previous 3 desktop versions except in the case of a watershed update
      - **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make mullvadbrowser-incrementals-*` step will fail
  - [ ] Update build configs
    - [ ] Update `projects/firefox/config`
@@ -46,7 +49,7 @@ Mullvad Browser Stable lives in the various `maint-$(MULLVAD_BROWSER_MAJOR).$(MU
    - [ ] Update `projects/translation/config`:
      - [ ] run `make list_translation_updates-release` to get updated hashes
      - [ ] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch
 -    - [ ] `steps/base-browser-fluent/git_hash` : update with `HEAD` commit of project's `basebrowser-newidentityftl` branch
 +    - [ ] `steps/mullvad-browser/git_hash` : update with `HEAD` commit of project's `mullvad-browser` branch
  - [ ] Update common build configs
    - [ ] Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript
      - [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/browser/config`
@@ -56,7 +59,7 @@ Mullvad Browser Stable lives in the various `maint-$(MULLVAD_BROWSER_MAJOR).$(MU
      - [ ] ***(Optional)*** If new version available, update `ublock-origin` section of `input_files` in `projects/browser/config`
        - [ ] `URL`
        - [ ] `sha256sum`
 -  - [ ] Check for Mullvad Privacy Companion updates here : https://github.com/mullvad/browser-extension/releases
 +  - [ ] Check for Mullvad Browser Extension updates here : https://github.com/mullvad/browser-extension/releases
      - [ ] ***(Optional)*** If new version available, update `mullvad-extension` section of `input_files` in `projects/browser/config`
        - [ ] `URL`
        - [ ] `sha256sum`
@@ -67,39 +70,43 @@ Mullvad Browser Stable lives in the various `maint-$(MULLVAD_BROWSER_MAJOR).$(MU
      - Make sure you have `requests` installed (e.g., `apt install python3-requests`)
      - The first time you run this script you will need to generate an access token; the script will guide you
      - `$updateArgs` should be these arguments, depending on what you actually updated:
 -      - [ ] `--firefox`
 +      - [ ] `--firefox` (be sure to include esr at the end if needed, which is usually the case)
        - [ ] `--no-script`
        - [ ] `--ublock`
        - E.g., `tools/fetch-changelogs.py 41029 --date 'December 19 2023' --firefox 115.6.0esr --no-script 11.4.29 --ublock 1.54.0`
      - `--date $date` is optional, if omitted it will be the date on which you run the command
    - [ ] Copy the output of the script to the beginning of `ChangeLog-MB.txt` and adjust its output
 -  - [ ] Open MR with above changes, using the template for release preparations
 -  - [ ] Merge
 -  - [ ] Sign+Tag
 -    - **NOTE** this must be done by one of:
 -      - boklm
 -      - dan
 -      - ma1
 -      - pierov
 -      - richard
 -    - [ ] Run: `make mullvadbrowser-signtag-release`
 -    - [ ] Push tag to `upstream`
 -  - [ ] Build on at least one of:
 -    - Run `make mullvadbrowser-release && make mullvadbrowser-incrementals-release`
 +- [ ] Open MR with above changes, using the template for release preparations
 +- [ ] Merge
 +- [ ] Sign+Tag
 +  - **NOTE** this must be done by one of:
 +    - boklm
 +    - dan
 +    - ma1
 +    - pierov
 +    - richard
 +  - [ ] Run: `make mullvadbrowser-signtag-release`
 +  - [ ] Push tag to `upstream`
 +- [ ] Build the tag:
 +  - Run `make mullvadbrowser-release && make mullvadbrowser-incrementals-release`
      - [ ] Tor Project build machine
      - [ ] Local developer machine
    - [ ] Submit build request to Mullvad infrastructure:
      - **NOTE** this requires a devmole authentication token
      - Run `make mullvadbrowser-kick-devmole-build`
 -  - [ ] Ensure builders have matching builds
 +- [ ] Ensure builders have matching builds
  </details>
  <details>
    <summary>Signing</summary>
 -### signing
 +### release signing
 +- [ ] Assign this issue to the signer, one of:
 +  - boklm
 +  - richard
  - [ ] On `$(STAGING_SERVER)`, ensure updated:
 +  - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-$(MULLVAD_BROWSER_VERSION)-$(MULLVAD_BROWSER_BUILD_N) && git checkout tbb-$(MULLVAD_BROWSER_VERSION)-$(MULLVAD_BROWSER_BUILD_N)`
    - [ ]  `tor-browser-build/tools/signing/set-config.hosts`
      - `ssh_host_builder` : ssh hostname of machine with unsigned builds
        - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory)
@@ -113,13 +120,12 @@ Mullvad Browser Stable lives in the various `maint-$(MULLVAD_BROWSER_MAJOR).$(MU
      - `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`)
      - `tbb_version_type` : either `alpha` for alpha releases or `release` for stable releases
  - [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
 -- [ ] run do-all-signing script:
 -    - `cd tor-browser-build/tools/signing/`
 -    - `./do-all-signing.mullvadbrowser`
 +- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, run do-all-signing script:
 +  - `cd tor-browser-build/tools/signing/`
 +  - `./do-all-signing.mullvadbrowser`
  - **NOTE**: at this point the signed binaries should have been copied to `staticiforme`
  - [ ] Update `staticiforme.torproject.org`:
    - From `screen` session on `staticiforme.torproject.org`:
 -  - [ ] Static update components : `static-update-component dist.torproject.org`
    - [ ] Remove old release data from `/srv/dist-master.torproject.org/htdocs/mullvadbrowser`
    - [ ] Static update components (again) : `static-update-component dist.torproject.org`
@@ -128,30 +134,13 @@ Mullvad Browser Stable lives in the various `maint-$(MULLVAD_BROWSER_MAJOR).$(MU
  <details>
    <summary>Publishing</summary>
 -### email
+-
 -- [ ] Email Mullvad with release information: support@xxxxxxxxxxx, rui@xxxxxxxxxxx
 -  <details>
 -    <summary>email template</summary>
+-
 -      Subject:
 -      New build: Mullvad Browser $(MULLVAD_BROWSER_VERION) (signed)
+-
 -      Body:
 -      signed builds: https://dist.torproject.org/mullvadbrowser/$(MULLVAD_BROWSER_VERSION)
+-
 -      update_response hashes: $(MULLVAD_UPDATE_RESPONSES_HASH)
+-
 -      changelog:
 -      ...
+-
 -  </details>
+-
 -### mullvad-browser (github): https://github.com/mullvad/mullvad-browser/
 +### mullvad-browser (GitHub): https://github.com/mullvad/mullvad-browser/
 +- [ ] Assign this issue to someone with mullvad commit access, one of:
 +    - richard
  - [ ] Push this release's associated `mullvad-browser.git` branch to github
  - [ ] Push this release's associated tags to github:
    - [ ] Firefox ESR tag
 -    - **example** : `FIREFOX_102_12_0esr_BUILD1,`
 +    - **example** : `FIREFOX_102_12_0esr_BUILD1`
    - [ ] `base-browser` tag
      - **example** : `base-browser-102.12.0esr-12.0-1-build1`
    - [ ] `mullvad-browser` tag
@@ -163,32 +152,59 @@ Mullvad Browser Stable lives in the various `maint-$(MULLVAD_BROWSER_MAJOR).$(MU
      - **example** : `102.12.0esr-based 12.0.7`
    - [ ] Push tag to github
 +### email
 +- [ ] **(Once branch+tags pushed to GitHub)** Email Mullvad with release information:
 +  - [ ] support alias: support@xxxxxxxxxxxxxx
 +  - [ ] Rui: rui@xxxxxxxxxxx
 +  - **Subject**
 +    ```
 +    New build: Mullvad Browser $(MULLVAD_BROWSER_VERION) (signed)
 +    ```
 +  - **Body**
 +    ```
 +    Hello,
++
 +    Branch+Tags have been pushed to Mullvad's GitHub repo.
++
 +    - signed builds: https://dist.torproject.org/mullvadbrowser/$(MULLVAD_BROWSER_VERSION)
 +    - update_response hashes: $(MULLVAD_UPDATE_RESPONSES_HASH)
++
 +    changelog:
 +    ...
 +    ```
++
  </details>
  <details>
    <summary>Downstream</summary>
  ### notify packagers
+-
 -- [ ] **(Once Mullvad Updates their Github Releases Page)** Email downstream consumers:
 -  <details>
 -    <summary>email template</summary>
+-
 -    ...
+-
 -    ...
+-
 -  </details>
+-
 +These steps depend on Mullvad having updated their [GitHub Releases](https://github.com/mullvad/mullvad-browser/releases/) page with the latest release
 +- [ ] Email downstream consumers:
    - [ ] flathub package maintainer: proletarius101@xxxxxxxxxxxxxx
    - [ ] arch package maintainer: bootctl@xxxxxxxxx
    - [ ] nixOS package maintainer: dev@xxxxxxxxxxx
 +  - **Subject**
 +    ```
 +    Mullvad Browser $(MULLVAD_BROWSER_VERSION) released
 +    ```
 +  - **Body**
 +    ```
 +    Hello!
 -### merge requests
 +    Mullvad-Browser packages are available, so you should update your respective downstream packages.
++
 +    The latest release builds can be found here:
 -- [ ] homebrew: https://github.com/Homebrew/homebrew-cask/blob/master/Casks/mullvad-browser.rb
 -  - **NOTE**: should just need to update the version to latest
 +    - https://github.com/mullvad/mullvad-browser/releases?q=prerelease%3Afalse
 +    ```
++
 +### merge requests
 +- [ ] homebrew: https://github.com/Homebrew/homebrew-cask/blob/master/Casks/m/mullvad-browser.rb
 +  - **NOTE**: should just need to update `version` and `sha256` to latest
  </details>
 -/label ~"Release Prep" ~"Sponsor 131"
 +/label ~"Release Prep"
 +/label  ~"Sponsor 131"
++

.gitlab/issue_templates/Release Prep - Tor Browser Alpha.md

@@ -32,197 +32,176 @@
  <details>
    <summary>Building</summary>
 -  ### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git
 -  Tor Browser Alpha (and Nightly) are on the `main` branch
+-
 -  - [ ] Update `rbm.conf`
 -    - [ ] `var/torbrowser_version` : update to next version
 -    - [ ] `var/torbrowser_build` : update to `$(TOR_BROWSER_BUILD_N)`
 -    - [ ] ***(Desktop Only)***`var/torbrowser_incremental_from` : update to previous Desktop version
 -      - **NOTE**: We try to build incrementals for the previous 3 desktop versions except in the case of a watershed update
 -      - **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make torbrowser-incrementals-*` step will fail
 -  - [ ] Update Desktop-specific build configs
 -    - [ ] Update `projects/firefox/config`
 -      - [ ] `browser_build` : update to match `tor-browser` tag
 -      - [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased
 -    - [ ] Update `projects/translation/config`:
 -      - [ ] run `make list_translation_updates-alpha` to get updated hashes
 -      - [ ] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch
 -      - [ ] `steps/tor-browser/git_hash` : update with `HEAD` commit of project's `tor-browser` branch
 -      - [ ] `steps/fenix/git_hash` : update with `HEAD` commit of project's `fenix-torbrowserstringsxml` branch
 -  - [ ] Update Android-specific build configs
 -    - [ ] Update `projects/geckoview/config`
 -      - [ ] `browser_build` : update to match `tor-browser` tag
 -      - [ ] ***(Optional)*** `var/geckoview_version` : update to latest `$(ESR_VERSION)` if rebased
 -    - [ ] ***(Optional)*** Update `projects/tor-android-service/config`
 -      - [ ] `git_hash` : update with `HEAD` commit of project's `main` branch
 -    - [ ] ***(Optional)*** Update `projects/application-services/config`:
 -      **NOTE** we don't currently have any of our own patches for this project
 -      - [ ] `git_hash` : update to appropriate git commit associated with `$(ESR_VERSION)`
 -    - [ ] ***(Optional)*** Update `projects/firefox-android/config`:
 -      - [ ] `fenix_version` : update to match alpha `firefox-android` build tag
 -      - [ ] `browser_branch` : update to match alpha `firefox-android` build tag
 -    - [ ] Update allowed_addons.json by running (from `tor-browser-build` root):
 -      - `./tools/fetch_allowed_addons.py > projects/browser/allowed_addons.json`
 -  - [ ] Update common build configs
 -    - [ ] Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript
 -      - [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/browser/config`
 -        - [ ] `URL`
 -        - [ ] `sha256sum`
 -    - [ ] Check for OpenSSL updates here : https://www.openssl.org/source/
 -      - [ ] ***(Optional)*** If new 3.0.X version available, update `projects/openssl/config`
 -        - [ ] `version` : update to next 3.0.X version
 -        - [ ] `input_files/sha256sum` : update to sha256 sum of source tarball
 -    - [ ] Check for zlib updates here: https://github.com/madler/zlib/releases
 -      - [ ] **(Optional)** If new tag available, update `projects/zlib/config`
 -        - [ ] `version` : update to next release tag
 -    - [ ] Check for tor updates here : https://gitlab.torproject.org/tpo/core/tor/-/tags
 -      - [ ] ***(Optional)*** Update `projects/tor/config`
 -        - [ ] `version` : update to latest `-alpha` tag or release tag if newer (ping dgoulet or ahf if unsure)
 -    - [ ] Check for go updates here : https://golang.org/dl
 -      - **NOTE** : Tor Browser Alpha uses the latest Stable major series go version
 -      - [ ] ***(Optional)*** Update `projects/go/config`
 -        - [ ] `version` : update go version
 -        - [ ] `input_files/sha256sum` for `go` : update sha256sum of archive (sha256 sums are displayed on the go download page)
 -    - [ ] Check for manual updates by running (from `tor-browser-build` root): `./tools/fetch-manual.py`
 -      - [ ] ***(Optional)*** If new version is available:
 -        - [ ] Upload the downloaded `manual_$PIPELINEID.zip` file to `tb-build-02.torproject.org`
 -        - [ ] Deploy to `tb-builder`'s `public_html` directory:
 -          - `sudo -u tb-builder cp manual_$PIPELINEID.zip ~/../tb-builder/public_html/.`
 -        - [ ] Update `projects/manual/config`:
 -          - [ ] Change the `version` to `$PIPELINEID`
 -          - [ ] Update `sha256sum` in the `input_files` section
 -  - [ ] Update `ChangeLog-TBB.txt`
 -    - [ ] Ensure `ChangeLog-TBB.txt` is sync'd between alpha and stable branches
 -    - [ ] Check the linked issues: ask people to check if any are missing, remove the not fixed ones
 -    - [ ] Run `tools/fetch-changelogs.py $(ISSUE_NUMBER) --date $date $updateArgs`
 -      - Make sure you have `requests` installed (e.g., `apt install python3-requests`)
 -      - The first time you run this script you will need to generate an access token; the script will guide you
 -      - `$updateArgs` should be these arguments, depending on what you actually updated:
 -          - [ ] `--firefox` (be sure to include esr at the end if needed, which is usually the case)
 -          - [ ] `--tor`
 -          - [ ] `--no-script`
 -          - [ ] `--openssl`
 -          - [ ] `--zlib`
 -          - [ ] `--go`
 -          - E.g., `tools/fetch-changelogs.py 41028 --date 'December 19 2023' --firefox 115.6.0esr --tor 0.4.8.10 --no-script 11.4.29 --zlib 1.3 --go 1.21.5 --openssl 3.0.12`
 -        - `--date $date` is optional, if omitted it will be the date on which you run the command
 -      - [ ] Copy the output of the script to the beginning of `ChangeLog-TBB.txt` and adjust its output
 -  - [ ] Open MR with above changes, using the template for release preparations
 -  - [ ] Merge
 -  - [ ] Sign+Tag
 -    - **NOTE** this must be done by one of:
 -      - boklm
 -      - dan
 -      - ma1
 -      - pierov
 -      - richard
 -    - [ ] Run: `make torbrowser-signtag-alpha`
 -    - [ ] Push tag to `upstream`
 -  - [ ] Build on at least one of:
 -    - Run `make torbrowser-alpha && make torbrowser-incrementals-alpha`
 +### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git
 +Tor Browser Alpha (and Nightly) are on the `main` branch
++
 +- [ ] Update `rbm.conf`
 +  - [ ] `var/torbrowser_version` : update to next version
 +  - [ ] `var/torbrowser_build` : update to `$(TOR_BROWSER_BUILD_N)`
 +  - [ ] ***(Desktop Only)***`var/torbrowser_incremental_from` : update to previous Desktop version
 +    - **NOTE**: We try to build incrementals for the previous 3 desktop versions except in the case of a watershed update
 +    - **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make torbrowser-incrementals-*` step will fail
 +- [ ] Update Desktop-specific build configs
 +  - [ ] Update `projects/firefox/config`
 +    - [ ] `browser_build` : update to match `tor-browser` tag
 +    - [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased
 +- [ ] Update Android-specific build configs
 +  - [ ] Update `projects/geckoview/config`
 +    - [ ] `browser_build` : update to match `tor-browser` tag
 +    - [ ] ***(Optional)*** `var/geckoview_version` : update to latest `$(ESR_VERSION)` if rebased
 +  - [ ] ***(Optional)*** Update `projects/tor-android-service/config`
 +    - [ ] `git_hash` : update with `HEAD` commit of project's `main` branch
 +  - [ ] ***(Optional)*** Update `projects/application-services/config`:
 +    **NOTE** we don't currently have any of our own patches for this project
 +    - [ ] `git_hash` : update to appropriate git commit associated with `$(ESR_VERSION)`
 +  - [ ] ***(Optional)*** Update `projects/firefox-android/config`:
 +    - [ ] `fenix_version` : update to match alpha `firefox-android` build tag
 +    - [ ] `browser_branch` : update to match alpha `firefox-android` build tag
 +  - [ ] Update allowed_addons.json by running (from `tor-browser-build` root):
 +    - `./tools/fetch_allowed_addons.py > projects/browser/allowed_addons.json`
 +- [ ] Update `projects/translation/config`:
 +  - [ ] run `make list_translation_updates-alpha` to get updated hashes
 +  - [ ] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch
 +  - [ ] `steps/tor-browser/git_hash` : update with `HEAD` commit of project's `tor-browser` branch
 +  - [ ] `steps/fenix/git_hash` : update with `HEAD` commit of project's `fenix-torbrowserstringsxml` branch
 +- [ ] Update common build configs
 +  - [ ] Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript
 +    - [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/browser/config`
 +      - [ ] `URL`
 +      - [ ] `sha256sum`
 +  - [ ] Check for OpenSSL updates here : https://www.openssl.org/source/
 +    - [ ] ***(Optional)*** If new 3.0.X version available, update `projects/openssl/config`
 +      - [ ] `version` : update to next 3.0.X version
 +      - [ ] `input_files/sha256sum` : update to sha256 sum of source tarball
 +  - [ ] Check for zlib updates here: https://github.com/madler/zlib/releases
 +    - [ ] **(Optional)** If new tag available, update `projects/zlib/config`
 +      - [ ] `version` : update to next release tag
 +  - [ ] Check for tor updates here : https://gitlab.torproject.org/tpo/core/tor/-/tags
 +    - [ ] ***(Optional)*** Update `projects/tor/config`
 +      - [ ] `version` : update to latest `-alpha` tag or release tag if newer (ping dgoulet or ahf if unsure)
 +  - [ ] Check for go updates here : https://go.dev/dl
 +    - **NOTE** : In general, Tor Browser Alpha uses the latest Stable major series Go version, but there are sometimes exceptions. Check with the anti-censorship team before doing a major version update in case there is incompatibilities.
 +    - [ ] ***(Optional)*** Update `projects/go/config`
 +      - [ ] `version` : update go version
 +      - [ ] `input_files/sha256sum` for `go` : update sha256sum of archive (sha256 sums are displayed on the go download page)
 +  - [ ] Check for manual updates by running (from `tor-browser-build` root): `./tools/fetch-manual.py`
 +    - [ ] ***(Optional)*** If new version is available:
 +      - [ ] Upload the downloaded `manual_$PIPELINEID.zip` file to `tb-build-02.torproject.org`
 +      - [ ] Deploy to `tb-builder`'s `public_html` directory:
 +        - `sudo -u tb-builder cp manual_$PIPELINEID.zip ~tb-builder/public_html/.`
 +      - [ ] Update `projects/manual/config`:
 +        - [ ] Change the `version` to `$PIPELINEID`
 +        - [ ] Update `sha256sum` in the `input_files` section
 +- [ ] Update `ChangeLog-TBB.txt`
 +  - [ ] Ensure `ChangeLog-TBB.txt` is sync'd between alpha and stable branches
 +  - [ ] Check the linked issues: ask people to check if any are missing, remove the not fixed ones
 +  - [ ] Run `tools/fetch-changelogs.py $(ISSUE_NUMBER) --date $date $updateArgs`
 +    - Make sure you have `requests` installed (e.g., `apt install python3-requests`)
 +    - The first time you run this script you will need to generate an access token; the script will guide you
 +    - `$updateArgs` should be these arguments, depending on what you actually updated:
 +      - [ ] `--firefox` (be sure to include esr at the end if needed, which is usually the case)
 +      - [ ] `--tor`
 +      - [ ] `--no-script`
 +      - [ ] `--openssl`
 +      - [ ] `--zlib`
 +      - [ ] `--go`
 +      - E.g., `tools/fetch-changelogs.py 41028 --date 'December 19 2023' --firefox 115.6.0esr --tor 0.4.8.10 --no-script 11.4.29 --zlib 1.3 --go 1.21.5 --openssl 3.0.12`
 +    - `--date $date` is optional, if omitted it will be the date on which you run the command
 +  - [ ] Copy the output of the script to the beginning of `ChangeLog-TBB.txt` and adjust its output
 +- [ ] Open MR with above changes, using the template for release preparations
 +- [ ] Merge
 +- [ ] Sign+Tag
 +  - **NOTE** this must be done by one of:
 +    - boklm
 +    - dan
 +    - ma1
 +    - pierov
 +    - richard
 +  - [ ] Run: `make torbrowser-signtag-alpha`
 +  - [ ] Push tag to `upstream`
 +- [ ] Build the tag:
 +  - Run `make torbrowser-alpha && make torbrowser-incrementals-alpha`
      - [ ] Tor Project build machine
      - [ ] Local developer machine
    - [ ] Submit build request to Mullvad infrastructure:
      - **NOTE** this requires a devmole authentication token
      - Run `make torbrowser-kick-devmole-build`
 -  - [ ] Ensure builders have matching builds
 +- [ ] Ensure builders have matching builds
  </details>
  <details>
    <summary>Communications</summary>
 -  ### notify stakeholders
+-
 -  - [ ] Email tor-qa mailing list: tor-qa@xxxxxxxxxxxxxxxxxxxx
 -    <details>
 -      <summary>email template</summary>
+-
 -        Subject:
 -        Tor Browser $(TOR_BROWSER_VERION) (Android, Windows, macOS, Linux)
+-
 -        Body:
 -        Hello All,
+-
 -        Unsigned Tor Browser $(TOR_BROWSER_VERSION) alpha candidate builds are now available for testing:
+-
 -        - https://tb-build-05.torproject.org/~$(BUILDER)/builds/alpha/unsigned/$(TOR_BROWSER_VERSION)/
+-
 -        The full changelog can be found here:
+-
 -        - https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/raw/$(TBB_BUILD_TAG)/projects/browser/Bundle-Data/Docs-TBB/ChangeLog.txt
+-
 -    </details>
+-
 -    - ***(Optional)*** Additional information:
 -      - [ ] Note any new functionality which needs testing
 -      - [ ] Link to any known issues
 -  - [ ] ***(Optional, only around build/packaging changes)*** Email packagers:
 -    - Recipients:
 -      - Tails dev mailing list: tails-dev@xxxxxxxx
 -      - Guardian Project: nathan@xxxxxxxxxxxxxxxxxxxx
 -      - torbrowser-launcher: micah@xxxxxxxxxxxxx
 -      - FreeBSD port: freebsd@xxxxxxxxx <!-- Gitlab user maxfx -->
 -      - OpenBSD port: caspar@xxxxxxxxxxxxxx <!-- Gitlab user cschutijser -->
 -    - [ ] Note any changes which may affect packaging/downstream integration
 -  - [ ] Email external partners:
 -    - ***(Optional, after ESR migration)*** Cloudflare: ask-research@xxxxxxxxxxxxxx
 -      - **NOTE** :  We need to provide them with updated user agent string so they can update their internal machinery to prevent Tor Browser users from getting so many CAPTCHAs
 -    - ***(Optional, after ESR migration)*** Startpage: admin@xxxxxxxxxxxxx
 -      - **NOTE** : Startpage also needs the updated user-agent string for better experience on their onion service sites.
 +### notify stakeholders
 +- [ ] **(Once builds confirmed matching)** Email tor-qa mailing list with release information
 +  - [ ] tor-qa: tor-qa@xxxxxxxxxxxxxxxxxxxx
 +  - **Subject**
 +    ```
 +    Tor Browser $(TOR_BROWSER_VERION) (Android, Windows, macOS, Linux)
 +    ```
 +  - **Body**
 +    ```
 +    Hello,
++
 +    Unsigned Tor Browser $(TOR_BROWSER_VERSION) alpha candidate builds are now available for testing:
++
 +    - https://tb-build-02.torproject.org/~$(BUILDER)/builds/alpha/unsigned/$(TOR_BROWSER_VERSION)/
++
 +    The full changelog can be found here:
++
 +    - https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/raw/$(TBB_BUILD_TAG)/projects/browser/Bundle-Data/Docs-TBB/ChangeLog.txt
 +    ```
 +- [ ] ***(Optional, only around build/packaging changes)*** Email packagers:
 +  - [ ] Tails dev mailing list: tails-dev@xxxxxxxx
 +  - [ ] Guardian Project: nathan@xxxxxxxxxxxxxxxxxxxx
 +  - [ ] FreeBSD port: freebsd@xxxxxxxxx <!-- Gitlab user maxfx -->
 +  - [ ] OpenBSD port: caspar@xxxxxxxxxxxxxx <!-- Gitlab user cschutijser -->
 +  - [ ] Note any changes which may affect packaging/downstream integration
 +- [ ] ***(Optional, after ESR migration)*** Email external partners:
 +  - [ ] Cloudflare: ask-research@xxxxxxxxxxxxxx
 +    - **NOTE** :  We need to provide them with updated user agent string so they can update their internal machinery to prevent Tor Browser users from getting so many CAPTCHAs
 +  - [ ]  Startpage: admin@xxxxxxxxxxxxx
 +    - **NOTE** : Startpage also needs the updated user-agent string for better experience on their onion service sites.
  </details>
  <details>
    <summary>Signing</summary>
 -  ### signing
 -  - **NOTE** : In practice, it's most efficient to have the blog post and website updates ready to merge, since signing doesn't take very long
 -  - [ ] Assign this issue to the signer, one of:
 -    - boklm
 -    - richard
 -  - [ ] On `$(STAGING_SERVER)`, ensure updated:
 -    - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-$(TOR_BROWSER_VERSION)-$(TOR_BROWSER_BUILD_N) && git checkout tbb-$(TOR_BROWSER_VERSION)-$(TOR_BROWSER_BUILD_N)`
 -    - [ ]  `tor-browser-build/tools/signing/set-config.hosts`
 -      - `ssh_host_builder` : ssh hostname of machine with unsigned builds
 -        - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory)
 -      - `ssh_host_linux_signer` : ssh hostname of linux signing machine
 -    - [ ] `tor-browser-build/tools/signing/set-config.rcodesign-appstoreconnect`
 -      - `appstoreconnect_api_key_path` : path to json file containing appstoreconnect api key infos
 -    - [ ] `set-config.update-responses`
 -      - `update_responses_repository_dir` : directory where you cloned `git@xxxxxxxxxxxxxxxxxxxxx:tpo/applications/tor-browser-update-responses.git`
 -    - [ ] `tor-browser-build/tools/signing/set-config.tbb-version`
 -      - `tbb_version` : tor browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`)
 -      - `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`)
 -      - `tbb_version_type` : either `alpha` for alpha releases or `release` for stable releases
 -  - [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
 -  - [ ] run do-all-signing script:
 -      - `cd tor-browser-build/tools/signing/`
 -      - `./do-all-signing.torbrowser`
 -  - **NOTE**: at this point the signed binaries should have been copied to `staticiforme`
 -  - [ ] Update `staticiforme.torproject.org`:
 -    - From `screen` session on `staticiforme.torproject.org`:
 -    - [ ] Static update components : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org`
 -    - [ ] Enable update responses : `sudo -u tb-release ./deploy_update_responses-alpha.sh`
 -    - [ ] Remove old release data from following places:
 -      - **NOTE** : Skip this step if we need to hold on to older versions for some reason (for example, this is an Andoid or Desktop-only release, or if we need to hold back installers in favor of build-to-build updates if there are signing issues, etc)
 -      - [ ] `/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser`
 -      - [ ] `/srv/dist-master.torproject.org/htdocs/torbrowser`
 -    - [ ] Static update components (again) : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org`
 -  - [ ] Publish APKs to Google Play:
 -    - Log into https://play.google.com/apps/publish
 -    - Select `Tor Browser (Alpha)` app
 -    - Navigate to `Release > Production` and click `Create new release` button:
 -      - Upload the `tor-browser-android-*.apk` APKs
 -      - Update Release Name to Tor Browser version number
 -      - Update Release Notes
 -      - Next to 'Release notes', click `Copy from a previous release`
 -      - Edit blog post url to point to most recent blog post
 -    - Save, review, and configure rollout percentage
 -      - [ ] 25% rollout when publishing a scheduled update
 -      - [ ] 100% rollout when publishing a security-driven release
 -    - [ ] Update rollout percentage to 100% after confirmed no major issues
 +### release signing
 +- **NOTE** : In practice, it's most efficient to have the blog post and website updates ready to merge, since signing doesn't take very long
 +- [ ] Assign this issue to the signer, one of:
 +  - boklm
 +  - richard
 +- [ ] On `$(STAGING_SERVER)`, ensure updated:
 +  - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-$(TOR_BROWSER_VERSION)-$(TOR_BROWSER_BUILD_N) && git checkout tbb-$(TOR_BROWSER_VERSION)-$(TOR_BROWSER_BUILD_N)`
 +  - [ ] `tor-browser-build/tools/signing/set-config.hosts`
 +    - `ssh_host_builder` : ssh hostname of machine with unsigned builds
 +      - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory)
 +    - `ssh_host_linux_signer` : ssh hostname of linux signing machine
 +  - [ ] `tor-browser-build/tools/signing/set-config.rcodesign-appstoreconnect`
 +    - `appstoreconnect_api_key_path` : path to json file containing appstoreconnect api key infos
 +  - [ ] `set-config.update-responses`
 +    - `update_responses_repository_dir` : directory where you cloned `git@xxxxxxxxxxxxxxxxxxxxx:tpo/applications/tor-browser-update-responses.git`
 +  - [ ] `tor-browser-build/tools/signing/set-config.tbb-version`
 +    - `tbb_version` : tor browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`)
 +    - `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`)
 +    - `tbb_version_type` : either `alpha` for alpha releases or `release` for stable releases
 +- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
 +- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, run do-all-signing script:
 +  - `cd tor-browser-build/tools/signing/`
 +  - `./do-all-signing.torbrowser`
 +- **NOTE**: at this point the signed binaries should have been copied to `staticiforme`
 +- [ ] Update `staticiforme.torproject.org`:
 +  - From `screen` session on `staticiforme.torproject.org`:
 +  - [ ] Static update components : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org`
 +  - [ ] Enable update responses : `sudo -u tb-release ./deploy_update_responses-alpha.sh`
 +  - [ ] Remove old release data from following places:
 +    - **NOTE** : Skip this step if we need to hold on to older versions for some reason (for example, this is an Andoid or Desktop-only release, or if we need to hold back installers in favor of build-to-build updates if there are signing issues, etc)
 +    - [ ] `/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser`
 +    - [ ] `/srv/dist-master.torproject.org/htdocs/torbrowser`
 +  - [ ] Static update components (again) : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org`
  </details>
@@ -262,55 +241,58 @@ popd
  <details>
    <summary>Publishing</summary>
 -  ### website: https://gitlab.torproject.org/tpo/web/tpo.git
 -  - [ ] `databags/versions.ini` : Update the downloads versions
 -      - `torbrowser-stable/version` : sort of a catch-all for latest stable version
 -      - `torbrowser-alpha/version` : sort of a catch-all for latest stable version
 -      - `torbrowser-*-stable/version` : platform-specific stable versions
 -      - `torbrowser-*-alpha/version` : platform-specific alpha versions
 -      - `tor-stable`,`tor-alpha` : set by tor devs, do not touch
 -  - [ ] Push to origin as new branch, open 'Draft :' MR
 -  - [ ] Remove `Draft:` from MR once signed-packages are uploaded
 -  - [ ] Merge
 -  - [ ] Publish after CI passes and builds are published
+-
 -  ### blog: https://gitlab.torproject.org/tpo/web/blog.git
 -  - [ ] Duplicate previous Stable or Alpha release blog post as appropriate to new directory under `content/blog/new-release-tor-browser-$(TOR_BROWSER_VERSION)` and update with info on release :
 -      - [ ] Run `tools/signing/create-blog-post` which should create the new blog post from a template (edit set-config.blog to set you local blog directory)
 -      - [ ] Update Tor Browser version numbers
 -      - [ ] Note any ESR rebase
 -      - [ ] Link to any Firefox security updates from ESR upgrade
 -      - [ ] Link to any Android-specific security backports
 -      - [ ] Note any updates to :
 -        - tor
 -        - OpenSSL
 -        - NoScript
 -      - [ ] Convert ChangeLog-TBB.txt to markdown format used here by :
 -        - `tor-browser-build/tools/changelog-format-blog-post`
 -  - [ ] Push to origin as new branch, open `Draft:` MR
 -  - [ ] Remove `Draft:` from MR once signed-packages are uploaded
 -  - [ ] Merge
 -  - [ ] Publish after CI passes and website has been updated
+-
 -  ### tor-announce mailing list
 -  - [ ] Email tor-announce mailing list: tor-announce@xxxxxxxxxxxxxxxxxxxx
 -    <details>
 -      <summary>email template</summary>
+-
 -        Subject:
 -        New Release: Tor Browser $(TOR_BROWSER_VERSION) (Android, Windows, macOS, Linux)
+-
 -        Body:
 -        Hi everyone,
+-
 -        Tor Browser $(TOR_BROWSER_VERSION) has now been published for all platforms. For details please see our blog post:
+-
 -        - $(BLOG_POST_URL)
+-
 -    </details>
+-
 -    - **(Optional)** Additional information:
 -      - [ ] Link to any known issues
 +### Google Play: https://play.google.com/apps/publish
 +- [ ] Publish APKs to Google Play:
 +  - Select `Tor Browser (Alpha)` app
 +  - Navigate to `Release > Production` and click `Create new release` button:
 +    - Upload the `tor-browser-android-*.apk` APKs
 +    - Update Release Name to Tor Browser version number
 +    - Update Release Notes
 +    - Next to 'Release notes', click `Copy from a previous release`
 +    - Edit blog post url to point to most recent blog post
 +  - Save, review, and configure rollout percentage
 +    - [ ] 25% rollout when publishing a scheduled update
 +    - [ ] 100% rollout when publishing a security-driven release
 +  - [ ] Update rollout percentage to 100% after confirmed no major issues
++
 +### website: https://gitlab.torproject.org/tpo/web/tpo.git
 +- [ ] `databags/versions.ini` : Update the downloads versions
 +    - `torbrowser-stable/version` : sort of a catch-all for latest stable version
 +    - `torbrowser-alpha/version` : sort of a catch-all for latest stable version
 +    - `torbrowser-*-stable/version` : platform-specific stable versions
 +    - `torbrowser-*-alpha/version` : platform-specific alpha versions
 +    - `tor-stable`,`tor-alpha` : set by tor devs, do not touch
 +- [ ] Push to origin as new branch, open 'Draft :' MR
 +- [ ] Remove `Draft:` from MR once signed-packages are accessible on https://dist.torproject.org
 +- [ ] Merge
 +- [ ] Publish after CI passes and builds are published
++
 +### blog: https://gitlab.torproject.org/tpo/web/blog.git
 +- [ ] Run `tools/signing/create-blog-post` which should create the new blog post from a template (edit set-config.blog to set you local blog directory)
 +  - [ ] Note any ESR update
 +  - [ ] Note any updates to dependencies (OpenSSL, zlib, NoScript, tor, etc)
 +  - [ ] Thank any users which have contributed patches
 +  - [ ] **(Optional)** Draft any additional sections for new features which need testing, known issues, etc
 +- [ ] Push to origin as new branch, open `Draft:` MR
 +- [ ] Merge once signed-packages are accessible on https://dist.torproject.org
 +- [ ] Publish after CI passes and website has been updated
++
 +### tor-announce mailing list
 +- [ ] Email tor-announce mailing list: tor-announce@xxxxxxxxxxxxxxxxxxxx
 +  - **Subject**
 +    ```
 +    New Release: Tor Browser $(TOR_BROWSER_VERSION) (Android, Windows, macOS, Linux)
 +    ```
 +  - **Body**
 +    ```
 +    Hi everyone,
++
 +    Tor Browser $(TOR_BROWSER_VERSION) has now been published for all platforms. For details please see our blog post:
 +    - $(BLOG_POST_URL)
++
 +    Changelog:
 +    # paste changleog as quote here
 +    ```
  </details>

.gitlab/issue_templates/Release Prep - Tor Browser Stable.md

@@ -27,29 +27,24 @@
  </details>
  **NOTE** It is assumed that the `tor-browser` stable rebase and security backport tasks have been completed
 +**NOTE** This can/is often done in conjunction with the equivalent Mullvad Browser release prep issue
  <details>
    <summary>Building</summary>
  ### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git
 -Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)` (and possibly more specific) branches
 +Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)` (and possibly more specific) branches.
  - [ ] Update `rbm.conf`
    - [ ] `var/torbrowser_version` : update to next version
    - [ ] `var/torbrowser_build` : update to `$(TOR_BROWSER_BUILD_N)`
    - [ ] ***(Desktop Only)***`var/torbrowser_incremental_from` : update to previous Desktop version
 +    - **NOTE**: We try to build incrementals for the previous 3 desktop versions except in the case of a watershed update
      - **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make torbrowser-incrementals-*` step will fail
  - [ ] Update Desktop-specific build configs
    - [ ] Update `projects/firefox/config`
      - [ ] `browser_build` : update to match `tor-browser` tag
      - [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased
 -  - [ ] Update `projects/translation/config`:
 -    - [ ] run `make list_translation_updates-release` to get updated hashes
 -    - [ ] Update `projects/translation/config`:
 -      - [ ] run `make list_translation_updates-alpha` to get updated hashes
 -      - [ ] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch
 -      - [ ] `steps/tor-browser/git_hash` : update with `HEAD` commit of project's `tor-browser` branch
 -      - [ ] `steps/fenix/git_hash` : update with `HEAD` commit of project's `fenix-torbrowserstringsxml` branch
  - [ ] Update Android-specific build configs
    - [ ] Update `projects/geckoview/config`
      - [ ] `browser_build` : update to match `tor-browser` tag
@@ -60,27 +55,32 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE
      **NOTE** we don't currently have any of our own patches for this project
      - [ ] `git_hash` : update to appropriate git commit associated with `$(ESR_VERSION)`
    - [ ] ***(Optional)*** Update `projects/firefox-android/config`:
 -      - [ ] `fenix_version` : update to match alpha `firefox-android` build tag
 -      - [ ] `browser_branch` : update to match alpha `firefox-android` build tag
 +    - [ ] `fenix_version` : update to match alpha `firefox-android` build tag
 +    - [ ] `browser_branch` : update to match alpha `firefox-android` build tag
    - [ ] Update allowed_addons.json by running (from `tor-browser-build` root):
      - `./tools/fetch_allowed_addons.py > projects/browser/allowed_addons.json`
 +- [ ] Update `projects/translation/config`:
 +  - [ ] run `make list_translation_updates-release` to get updated hashes
 +  - [ ] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch
 +  - [ ] `steps/tor-browser/git_hash` : update with `HEAD` commit of project's `tor-browser` branch
 +  - [ ] `steps/fenix/git_hash` : update with `HEAD` commit of project's `fenix-torbrowserstringsxml` branch
  - [ ] Update common build configs
    - [ ] Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript
      - [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/browser/config`
        - [ ] `URL`
        - [ ] `sha256sum`
    - [ ] Check for OpenSSL updates here : https://www.openssl.org/source/
 -    - [ ] ***(Optional)*** If new 1.X.Y version available, update `projects/openssl/config`
 -      - [ ] `version` : update to next 1.X.Y version
 +    - [ ] ***(Optional)*** If new 3.0.X version available, update `projects/openssl/config`
 +      - [ ] `version` : update to next 3.0.X version
        - [ ] `input_files/sha256sum` : update to sha256 sum of source tarball
    - [ ] Check for zlib updates here: https://github.com/madler/zlib/releases
      - [ ] **(Optional)** If new tag available, update `projects/zlib/config`
        - [ ] `version` : update to next release tag
    - [ ] Check for tor updates here : https://gitlab.torproject.org/tpo/core/tor/-/tags
 -    - [ ] ***(Optional)*** Update `projects/tor/config`
 +    - [ ] ***(Optional)*** Update `projects/tor/config`
        - [ ] `version` : update to latest non `-alpha` tag (ping dgoulet or ahf if unsure)
    - [ ] Check for go updates here : https://go.dev/dl
 -    - **NOTE** : Tor Browser Stable uses the latest of the *previous* Stable major series go version (apart from the transition phase from Tor Browser Alpha to Stable, in which case Tor Browser Stable may use the latest major series go version)
 +    - **NOTE** : In general, Tor Browser Stable uses the latest of the *previous* Stable major series Go version, but there are sometimes exceptions. Check with the anti-censorship team before doing a major version update in case there is incompatibilities.
      - [ ] ***(Optional)*** Update `projects/go/config`
        - [ ] `version` : update go version
        - [ ] `input_files/sha256sum` for `go` : update sha256sum of archive (sha256 sums are displayed on the go download page)
@@ -88,7 +88,7 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE
      - [ ] ***(Optional)*** If new version is available:
        - [ ] Upload the downloaded `manual_$PIPELINEID.zip` file to `tb-build-02.torproject.org`
        - [ ] Deploy to `tb-builder`'s `public_html` directory:
 -        - `sudo -u tb-builder cp manual_$PIPELINEID.zip ~/../tb-builder/public_html/.`
 +        - `sudo -u tb-builder cp manual_$PIPELINEID.zip ~tb-builder/public_html/.`
        - [ ] Update `projects/manual/config`:
          - [ ] Change the `version` to `$PIPELINEID`
          - [ ] Update `sha256sum` in the `input_files` section
@@ -108,25 +108,25 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE
        - E.g., `tools/fetch-changelogs.py 41028 --date 'December 19 2023' --firefox 115.6.0esr --tor 0.4.8.10 --no-script 11.4.29 --zlib 1.3 --go 1.21.5 --openssl 3.0.12`
      - `--date $date` is optional, if omitted it will be the date on which you run the command
    - [ ] Copy the output of the script to the beginning of `ChangeLog-TBB.txt` and adjust its output
 -  - [ ] Open MR with above changes, using the template for release preparations
 -  - [ ] Merge
 -  - [ ] Sign+Tag
 -    - **NOTE** this must be done by one of:
 -      - boklm
 -      - dan
 -      - ma1
 -      - pierov
 -      - richard
 -    - [ ] Run: `make torbrowser-signtag-release`
 -    - [ ] Push tag to `upstream`
 -  - [ ] Build on at least one of:
 -    - Run `make torbrowser-release && make torbrowser-incrementals-release`
 +- [ ] Open MR with above changes, using the template for release preparations
 +- [ ] Merge
 +- [ ] Sign+Tag
 +  - **NOTE** this must be done by one of:
 +    - boklm
 +    - dan
 +    - ma1
 +    - pierov
 +    - richard
 +  - [ ] Run: `make torbrowser-signtag-release`
 +  - [ ] Push tag to `upstream`
 +- [ ] Build the tag:
 +  - Run `make torbrowser-release && make torbrowser-incrementals-release`
      - [ ] Tor Project build machine
      - [ ] Local developer machine
    - [ ] Submit build request to Mullvad infrastructure:
      - **NOTE** this requires a devmole authentication token
      - Run `make torbrowser-kick-devmole-build`
 -  - [ ] Ensure builders have matching builds
 +- [ ] Ensure builders have matching builds
  </details>
@@ -134,49 +134,44 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE
    <summary>Communications</summary>
  ### notify stakeholders
 +- [ ] **(Once builds confirmed matching)** Email tor-qa mailing list with release information
 +  - [ ] tor-qa: tor-qa@xxxxxxxxxxxxxxxxxxxx
 +  - **Subject**
 +    ```
 +    Tor Browser $(TOR_BROWSER_VERION) (Android, Windows, macOS, Linux)
 +    ```
 +  - **Body**
 +    ```
 +    Hello,
 -  <details>
 -    <summary>email template</summary>
+-
 -      Subject:
 -      Tor Browser $(TOR_BROWSER_VERION) (Android, Windows, macOS, Linux)
+-
 -      Body:
 -      Hello All,
+-
 -      Unsigned Tor Browser $(TOR_BROWSER_VERSION) release candidate builds are now available for testing:
+-
 -      - https://tb-build-05.torproject.org/~$(BUILDER)/builds/release/unsigned/$(TOR_BROWSER_VERSION)/
+-
 -      The full changelog can be found here:
 +    Unsigned Tor Browser $(TOR_BROWSER_VERSION) release candidate builds are now available for testing:
 -      - https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/blob/$(TBB_BUILD_TAG)/ChangeLog.txt
 +    - https://tb-build-02.torproject.org/~$(BUILDER)/builds/release/unsigned/$(TOR_BROWSER_VERSION)/
 -  </details>
 +    The full changelog can be found here:
 -- [ ] Email tor-qa mailing list: tor-qa@xxxxxxxxxxxxxxxxxxxx
 -  - ***(Optional)*** Additional information:
 -    - [ ] Note any new functionality which needs testing
 -    - [ ] Link to any known issues
 +    - https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/raw/$(TBB_BUILD_TAG)/projects/browser/Bundle-Data/Docs-TBB/ChangeLog.txt
 +    ```
  - [ ] Email packagers:
 -  - Recipients:
 -    - Tails dev mailing list: tails-dev@xxxxxxxx
 -    - Guardian Project: nathan@xxxxxxxxxxxxxxxxxxxx
 -    - torbrowser-launcher: micah@xxxxxxxxxxxxx
 -    - FreeBSD port: freebsd@xxxxxxxxx <!-- Gitlab user maxfx -->
 -    - OpenBSD port: caspar@xxxxxxxxxxxxxx <!-- Gitlab user cschutijser -->
 -  - [ ] ***(Optional)*** Note any changes which may affect packaging/downstream integration
 +  - [ ] Tails dev mailing list: tails-dev@xxxxxxxx
 +  - [ ] Guardian Project: nathan@xxxxxxxxxxxxxxxxxxxx
 +  - [ ] FreeBSD port: freebsd@xxxxxxxxx <!-- Gitlab user maxfx -->
 +  - [ ] OpenBSD port: caspar@xxxxxxxxxxxxxx <!-- Gitlab user cschutijser -->
 +  - [ ] Note any changes which may affect packaging/downstream integration
  </details>
  <details>
    <summary>Signing</summary>
 -### signing
 +### release signing
  - **NOTE** : In practice, it's most efficient to have the blog post and website updates ready to merge, since signing doesn't take very long
 +- [ ] Assign this issue to the signer, one of:
 +  - boklm
 +  - richard
  - [ ] On `$(STAGING_SERVER)`, ensure updated:
    - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-$(TOR_BROWSER_VERSION)-$(TOR_BROWSER_BUILD_N) && git checkout tbb-$(TOR_BROWSER_VERSION)-$(TOR_BROWSER_BUILD_N)`
 -  - [ ]  `tor-browser-build/tools/signing/set-config.hosts`
 +  - [ ] `tor-browser-build/tools/signing/set-config.hosts`
      - `ssh_host_builder` : ssh hostname of machine with unsigned builds
        - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory)
      - `ssh_host_linux_signer` : ssh hostname of linux signing machine
@@ -189,9 +184,9 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE
      - `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`)
      - `tbb_version_type` : either `alpha` for alpha releases or `release` for stable releases
  - [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
 -- [ ] run do-all-signing script:
 -    - `cd tor-browser-build/tools/signing/`
 -    - `./do-all-signing.torbrowser`
 +- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, run do-all-signing script:
 +  - `cd tor-browser-build/tools/signing/`
 +  - `./do-all-signing.torbrowser`
  - **NOTE**: at this point the signed binaries should have been copied to `staticiforme`
  - [ ] Update `staticiforme.torproject.org`:
    - From `screen` session on `staticiforme.torproject.org`:
@@ -201,20 +196,7 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE
      - **NOTE** : Skip this step if we need to hold on to older versions for some reason (for example, this is an Andoid or Desktop-only release, or if we need to hold back installers in favor of build-to-build updates if there are signing issues, etc)
      - [ ] `/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser`
      - [ ] `/srv/dist-master.torproject.org/htdocs/torbrowser`
 -- [ ] Static update components (again) : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org`
 -- [ ] Publish APKs to Google Play:
 -  - Log into https://play.google.com/apps/publish
 -  - Select `Tor Browser` app
 -  - Navigate to `Release > Production` and click `Create new release` button:
 -    - Upload the `tor-browser-android-*.apk` APKs
 -    - Update Release Name to Tor Browser version number
 -    - Update Release Notes
 -    - Next to 'Release notes', click `Copy from a previous release`
 -    - Edit blog post url to point to most recent blog post
 -  - Save, review, and configure rollout percentage
 -    - [ ] 25% rollout when publishing a scheduled update
 -    - [ ] 100% rollout when publishing a security-driven release
 -  - [ ] Update rollout percentage to 100% after confirmed no major issues
 +  - [ ] Static update components (again) : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org`
  </details>
@@ -223,33 +205,51 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE
    <details>
      <summary>Check whether the .exe files got properly signed and timestamped</summary>
 -    ```
 -    # Point OSSLSIGNCODE to your osslsigncode binary
 -    pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION
 -    OSSLSIGNCODE=/path/to/osslsigncode
 -    ../../../tools/authenticode_check.sh
 -    popd
 -    ```
++
 +```bash
 +# Point OSSLSIGNCODE to your osslsigncode binary
 +pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION
 +OSSLSIGNCODE=/path/to/osslsigncode
 +../../../tools/authenticode_check.sh
 +popd
 +```
++
    </details>
    <details>
      <summary>Check whether the MAR files got properly signed</summary>
 -    ```
 -    # Point NSSDB to your nssdb containing the mar signing certificate
 -    # Point SIGNMAR to your signmar binary
 -    # Point LD_LIBRARY_PATH to your mar-tools directory
 -    pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION
 -    NSSDB=/path/to/nssdb
 -    SIGNMAR=/path/to/mar-tools/signmar
 -    LD_LIBRARY_PATH=/path/to/mar-tools/
 -    ../../../tools/marsigning_check.sh
 -    popd
 -    ```
++
 +```bash
 +# Point NSSDB to your nssdb containing the mar signing certificate
 +# Point SIGNMAR to your signmar binary
 +# Point LD_LIBRARY_PATH to your mar-tools directory
 +pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION
 +NSSDB=/path/to/nssdb
 +SIGNMAR=/path/to/mar-tools/signmar
 +LD_LIBRARY_PATH=/path/to/mar-tools/
 +../../../tools/marsigning_check.sh
 +popd
 +```
++
    </details>
  </details>
  <details>
    <summary>Publishing</summary>
 +### Google Play: https://play.google.com/apps/publish
 +- [ ] Publish APKs to Google Play:
 +  - Select `Tor Browser` app
 +  - Navigate to `Release > Production` and click `Create new release` button:
 +    - Upload the `tor-browser-android-*.apk` APKs
 +    - Update Release Name to Tor Browser version number
 +    - Update Release Notes
 +    - Next to 'Release notes', click `Copy from a previous release`
 +    - Edit blog post url to point to most recent blog post
 +  - Save, review, and configure rollout percentage
 +    - [ ] 25% rollout when publishing a scheduled update
 +    - [ ] 100% rollout when publishing a security-driven release
 +  - [ ] Update rollout percentage to 100% after confirmed no major issues
++
  ### website: https://gitlab.torproject.org/tpo/web/tpo.git
  - [ ] `databags/versions.ini` : Update the downloads versions
      - `torbrowser-stable/version` : sort of a catch-all for latest stable version
@@ -258,49 +258,37 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE
      - `torbrowser-*-alpha/version` : platform-specific alpha versions
      - `tor-stable`,`tor-alpha` : set by tor devs, do not touch
  - [ ] Push to origin as new branch, open 'Draft :' MR
 -- [ ] Remove `Draft:` from MR once signed-packages are uploaded
 +- [ ] Remove `Draft:` from MR once signed-packages are accessible on https://dist.torproject.org
  - [ ] Merge
  - [ ] Publish after CI passes and builds are published
  ### blog: https://gitlab.torproject.org/tpo/web/blog.git
+-
 -- [ ] Duplicate previous Stable or Alpha release blog post as appropriate to new directory under `content/blog/new-release-tor-browser-$(TOR_BROWSER_VERSION)` and update with info on release :
 -    - [ ] Run `tools/signing/create-blog-post` which should create the new blog post from a template (edit set-config.blog to set you local blog directory)
 -    - [ ] Update Tor Browser version numbers
 -    - [ ] Note any ESR rebase
 -    - [ ] Link to any Firefox security updates from ESR upgrade
 -    - [ ] Link to any Android-specific security backports
 -    - [ ] Note any updates to :
 -      - tor
 -      - OpenSSL
 -      - NoScript
 -    - [ ] Convert ChangeLog.txt to markdown format used here by :
 -      - `tor-browser-build/tools/changelog-format-blog-post`
 +- [ ] Run `tools/signing/create-blog-post` which should create the new blog post from a template (edit set-config.blog to set you local blog directory)
 +  - [ ] Note any ESR update
 +  - [ ] Note any updates to dependencies (OpenSSL, zlib, NoScript, tor, etc)
 +  - [ ] Thank any users which have contributed patches
  - [ ] Push to origin as new branch, open `Draft:` MR
 -- [ ] Remove `Draft:` from MR once signed-packages are uploaded
 -- [ ] Merge
 +- [ ] Merge once signed-packages are accessible on https://dist.torproject.org
  - [ ] Publish after CI passes and website has been updated
  ### tor-announce mailing list
 -  <details>
 -    <summary>email template</summary>
+-
 -      Subject:
 -      New Release: Tor Browser $(TOR_BROWSER_VERSION) (Android, Windows, macOS, Linux)
+-
 -      Body:
 -      Hi everyone,
+-
 -      Tor Browser $(TOR_BROWSER_VERSION) has now been published for all platforms. For details please see our blog post:
+-
 -      - $(BLOG_POST_URL)
 +- [ ] Email tor-announce mailing list: tor-announce@xxxxxxxxxxxxxxxxxxxx
 +  - **Subject**
 +    ```
 +    New Release: Tor Browser $(TOR_BROWSER_VERSION) (Android, Windows, macOS, Linux)
 +    ```
 +  - **Body**
 +    ```
 +    Hi everyone,
 -  </details>
 +    Tor Browser $(TOR_BROWSER_VERSION) has now been published for all platforms. For details please see our blog post:
 +    - $(BLOG_POST_URL)
 -- [ ] Email tor-announce mailing list: tor-announce@xxxxxxxxxxxxxxxxxxxx
 -  - **(Optional)** Additional information:
 -    - [ ] Link to any known issues
 +    Changelog:
 +    # paste changleog as quote here
 +    ```
  </details>
  /label ~"Release Prep"
++