morgan pushed to branch main at The Tor Project / Applications / tor-browser-build
Commits:
-
309821b4
by Morgan at 2024-10-25T00:31:34+00:00
5 changed files:
- .gitlab/issue_templates/Release Prep - Mullvad Browser Alpha.md
- .gitlab/issue_templates/Release Prep - Mullvad Browser Stable.md
- .gitlab/issue_templates/Release Prep - Tor Browser Alpha.md
- + .gitlab/issue_templates/Release Prep - Tor Browser Legacy.md
- .gitlab/issue_templates/Release Prep - Tor Browser Stable.md
Changes:
1 | +# Release Prep Mullvad Browser Alpha
|
|
2 | + |
|
3 | +- **NOTE** It is assumed the `mullvad-browser` alpha rebase and security backport tasks have been completed
|
|
4 | +- **NOTE** This can/is often done in conjunction with the equivalent Tor Browser release prep issue
|
|
5 | + |
|
1 | 6 | <details>
|
2 | 7 | <summary>Explanation of variables</summary>
|
3 | 8 | |
4 | -- `$(BUILD_SERVER)` : the server the main builder is using to build a mullvad-browser release
|
|
5 | -- `$(BUILDER)` : whomever is building the release on the $(BUILD_SERVER)
|
|
6 | - - **example** : `pierov`
|
|
7 | -- `$(STAGING_SERVER)` : the server the signer is using to to run the signing process
|
|
8 | -- `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building mullvad-browser tags, labels, etc
|
|
9 | - - **example** : `91.6.0`
|
|
10 | -- `$(MULLVAD_BROWSER_MAJOR)` : the Mullvad Browser major version
|
|
11 | - - **example** : `11`
|
|
12 | -- `$(MULLVAD_BROWSER_MINOR)` : the Mullvad Browser minor version
|
|
13 | - - **example** : either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
|
|
14 | -- `$(MULLVAD_BROWSER_VERSION)` : the Mullvad Browser version in the format
|
|
15 | - - **example** : `12.5a3`, `12.0.3`
|
|
16 | -- `$(BUILD_N)` : a project's build revision within a its branch; this is separate from the `$(MULLVAD_BROWSER_BUILD_N)` value; many of the Firefox-related projects have a `$(BUILD_N)` suffix and may differ between projects even when they contribute to the same build.
|
|
17 | - - **example** : `build1`
|
|
18 | -- `$(MULLVAD_BROWSER_BUILD_N)` : the mullvad-browser build revision for a given Mullvad Browser release; used in tagging git commits
|
|
19 | - - **example** : `build2`
|
|
20 | - - **NOTE** : A project's `$(BUILD_N)` and `$(MULLVAD_BROWSER_BUILD_N)` may be the same, but it is possible for them to diverge. For **example** :
|
|
21 | - - if we have multiple Mullvad Browser releases on a given ESR branch the two will become out of sync as the `$(BUILD_N)` value will increase, while the `$(MULLVAD_BROWSER_BUILD_N)` value may stay at `build1` (but the `$(MULLVAD_BROWSER_VERSION)` will increase)
|
|
22 | - - if we have build failures unrelated to `mullvad-browser`, the `$(MULLVAD_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same.
|
|
23 | -- `$(MULLVAD_BROWSER_VERSION)` : the published Mullvad Browser version
|
|
24 | - - **example** : `11.5a6`, `11.0.7`
|
|
25 | -- `$(MB_BUILD_TAG)` : the `tor-browser-build` build tag used to build a given Mullvad Browser version
|
|
26 | - - **example** : `mb-12.0.7-build1`
|
|
9 | +- `${BUILD_SERVER}`: the server the main builder is using to build a browser release
|
|
10 | +- `${BUILDER}`: whomever is building the release on the ${BUILD_SERVER}
|
|
11 | + - **example**: `pierov`
|
|
12 | +- `${STAGING_SERVER}`: the server the signer is using to to run the signing process
|
|
13 | +- `${ESR_VERSION}`: the Mozilla defined ESR version, used in various places for building browser tags, labels, etc
|
|
14 | + - **example**: `91.6.0`
|
|
15 | +- `${MULLVAD_BROWSER_MAJOR}`: the Mullvad Browser major version
|
|
16 | + - **example**: `11`
|
|
17 | +- `${MULLVAD_BROWSER_MINOR}`: the Mullvad Browser minor version
|
|
18 | + - **example**: either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
|
|
19 | +- `${MULLVAD_BROWSER_VERSION}`: the Mullvad Browser version in the format
|
|
20 | + - **example**: `12.5a3`, `12.0.3`
|
|
21 | +- `${BUILD_N}`: a project's build revision within a its branch; this is separate from the `${MULLVAD_BROWSER_BUILD_N}` value; many of the Firefox-related projects have a `${BUILD_N}` suffix and may differ between projects even when they contribute to the same build.
|
|
22 | + - **example**: `build1`
|
|
23 | +- `${MULLVAD_BROWSER_BUILD_N}`: the mullvad-browser build revision for a given Mullvad Browser release; used in tagging git commits
|
|
24 | + - **example**: `build2`
|
|
25 | + - **⚠️ WARNING**: A project's `${BUILD_N}` and `${MULLVAD_BROWSER_BUILD_N}` may be the same, but it is possible for them to diverge. For **example** :
|
|
26 | + - if we have multiple Mullvad Browser releases on a given ESR branch the two will become out of sync as the `${BUILD_N}` value will increase, while the `${MULLVAD_BROWSER_BUILD_N}` value may stay at `build1` (but the `${MULLVAD_BROWSER_VERSION}` will increase)
|
|
27 | + - if we have build failures unrelated to `mullvad-browser`, the `${MULLVAD_BROWSER_BUILD_N}` value will increase while the `${BUILD_N}` will stay the same.
|
|
28 | +- `${MULLVAD_BROWSER_VERSION}`: the published Mullvad Browser version
|
|
29 | + - **example**: `11.5a6`, `11.0.7`
|
|
30 | +- `${MB_BUILD_TAG}`: the `tor-browser-build` build tag used to build a given Mullvad Browser version
|
|
31 | + - **example**: `mb-12.0.7-build1`
|
|
32 | +- `${RELEASE_DATE}`: the intended release date of this browser release; for ESR schedule-driven releases, this should match the upstream Firefox release date
|
|
33 | + - **example**: `2024-10-29`
|
|
34 | + |
|
27 | 35 | </details>
|
28 | 36 | |
29 | -**NOTE** It is assumed that the `tor-browser` alpha rebase and security backport tasks have been completed
|
|
37 | +<details>
|
|
38 | + <summary>Build Configuration</summary>
|
|
30 | 39 | |
31 | -**NOTE** This can/is often done in conjunction with the equivalent Tor Browser release prep issue
|
|
40 | +### mullvad-browser: https://gitlab.torproject.org/tpo/applications/mullvad-browser.git
|
|
32 | 41 | |
33 | -<details>
|
|
34 | - <summary>Building</summary>
|
|
42 | +- [ ] Tag `mullvad-browser` commit:
|
|
43 | + - **example**: `mullvad-browser-128.4.0esr-14.5-1-build1`
|
|
35 | 44 | |
36 | 45 | ### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git
|
37 | 46 | Mullvad Browser Alpha (and Nightly) are on the `main` branch
|
38 | 47 | |
39 | -- [ ] Update `rbm.conf`
|
|
40 | - - [ ] `var/torbrowser_version` : update to next version
|
|
41 | - - [ ] `var/torbrowser_build` : update to `$(MULLVAD_BROWSER_BUILD_N)`
|
|
42 | - - [ ] `var/browser_release_date` : update to build date. For the build to be reproducible, the date should be in the past when building.
|
|
43 | - - [ ] `var/torbrowser_incremental_from` : update to previous Desktop version
|
|
44 | - - **NOTE**: We try to build incrementals for the previous 3 desktop versions except in the case of a watershed update
|
|
45 | - - **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make mullvadbrowser-incrementals-*` step will fail
|
|
46 | -- [ ] Update build configs
|
|
47 | - - [ ] Update `projects/firefox/config`
|
|
48 | - - [ ] `browser_build` : update to match `mullvad-browser` tag
|
|
49 | - - [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased
|
|
50 | - - [ ] Update `projects/translation/config`:
|
|
51 | - - [ ] run `make list_translation_updates-alpha` to get updated hashes
|
|
52 | - - [ ] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch
|
|
53 | - - [ ] `steps/mullvad-browser/git_hash` : update with `HEAD` commit of project's `mullvad-browser` branch
|
|
54 | -- [ ] Update common build configs
|
|
55 | - - [ ] Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript
|
|
56 | - - [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/browser/config`
|
|
57 | - - [ ] `URL`
|
|
58 | - - [ ] `sha256sum`
|
|
59 | - - [ ] Check for uBlock-origin updates here : https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/
|
|
60 | - - [ ] ***(Optional)*** If new version available, update `ublock-origin` section of `input_files` in `projects/browser/config`
|
|
61 | - - [ ] `URL`
|
|
62 | - - [ ] `sha256sum`
|
|
63 | - - [ ] Check for Mullvad Browser Extension updates here : https://github.com/mullvad/browser-extension/releases
|
|
64 | - - [ ] ***(Optional)*** If new version available, update `mullvad-extension` section of `input_files` in `projects/browser/config`
|
|
65 | - - [ ] `URL`
|
|
66 | - - [ ] `sha256sum`
|
|
67 | -- [ ] Update `ChangeLog-MB.txt`
|
|
68 | - - [ ] Ensure `ChangeLog-MB.txt` is sync'd between alpha and stable branches
|
|
69 | - - [ ] Check the linked issues: ask people to check if any are missing, remove the not fixed ones
|
|
70 | - - [ ] Run `./tools/fetch_changelogs.py $(ISSUE_NUMBER) --date $date $updateArgs`
|
|
71 | - - Make sure you have `requests` installed (e.g., `apt install python3-requests`)
|
|
72 | - - The first time you run this script you will need to generate an access token; the script will guide you
|
|
73 | - - `$updateArgs` should be these arguments, depending on what you actually updated:
|
|
74 | - - [ ] `--firefox` (be sure to include esr at the end if needed, which is usually the case)
|
|
75 | - - [ ] `--no-script`
|
|
76 | - - [ ] `--ublock`
|
|
77 | - - E.g., `./tools/fetch_changelogs.py 41029 --date 'December 19 2023' --firefox 115.6.0esr --no-script 11.4.29 --ublock 1.54.0`
|
|
78 | - - `--date $date` is optional, if omitted it will be the date on which you run the command
|
|
79 | - - [ ] Copy the output of the script to the beginning of `ChangeLog-MB.txt` and adjust its output
|
|
48 | +- [ ] Changelog bookkeeping:
|
|
49 | + - [ ] Ensure all commits to `mullvad-browser` and `tor-browser-build` for this release have an associated issue linked to this release preparation issue
|
|
50 | + - [ ] Ensure each issue has a platform (~Windows, ~MacOS, ~Linux, ~Desktop, ~"All Platforms") and potentially ~"Build System" labels
|
|
51 | +- [ ] Create a release preparation branch from the `main` branch
|
|
52 | +- [ ] Run release preparation script:
|
|
53 | + - **NOTE**: You can omit the `--mullvad-browser` argument if this is for a joint Tor and Mullvad Browser release
|
|
54 | + - **⚠️ WARNING**: You may need to manually update the `firefox/config` file's `browser_build` field if `mullvad-browser.git` has not yet been tagged (e.g. if security backports have not yet been merged and tagged)
|
|
55 | + ```bash
|
|
56 | + ./tools/relprep.py --mullvad-browser --date ${RELEASE_DATE} ${MULLVAD_BROWSER_VERSION}
|
|
57 | + ```
|
|
58 | +- [ ] Review build configuration changes:
|
|
59 | + - [ ] `rbm.conf`
|
|
60 | + - [ ] `var/torbrowser_version`: updated to next browser version
|
|
61 | + - [ ] `var/torbrowser_build`: updated to `${MULLVAD_BROWSER_BUILD_N}`
|
|
62 | + - [ ] `var/browser_release_date`: updated to build date. For the build to be reproducible, the date should be in the past when building.
|
|
63 | + - **⚠️ WARNING**: If we have updated `var/torbrowser_build` without updating the `firefox` tag, then we can leave this unchanged to avoid forcing a firefox re-build (e.g. when bumping `var/torbrowser_build` to build2, build3, etc due to non-firefox related build issues)
|
|
64 | + - [ ] `var/torbrowser_incremental_from`: updated to previous Desktop version
|
|
65 | + - **NOTE**: We try to build incrementals for the previous 3 desktop versions
|
|
66 | + - **⚠️ WARNING**: Really *actually* make sure this is the previous Desktop version or else the `make mullvadbrowser-incrementals-*` step will fail
|
|
67 | + - [ ] `projects/firefox/config`
|
|
68 | + - [ ] `browser_build`: updated to match `mullvad-browser` tag
|
|
69 | + - [ ] ***(Optional)*** `var/firefox_platform_version`: updated to latest `${ESR_VERSION}` if rebased
|
|
70 | + - [ ] ***(Optional)*** `projects/translation/config`:
|
|
71 | + - [ ] `steps/base-browser/git_hash`: updated with `HEAD` commit of project's `base-browser` branch
|
|
72 | + - [ ] `steps/mullvad-browser/git_hash`: updated with `HEAD` commit of project's `mullvad-browser` branch
|
|
73 | + - [ ] ***(Optional)*** `projects/browser/config`:
|
|
74 | + - [ ] NoScript: https://addons.mozilla.org/en-US/firefox/addon/noscript
|
|
75 | + - [ ] `URL` updated
|
|
76 | + - **⚠️ WARNING**: If preparing the release manually, updating the version number in the url is not sufficient, as each version has a random unique id in the download url
|
|
77 | + - [ ] `sha256sum` updated
|
|
78 | + - [ ] uBlock-origin: https://addons.mozilla.org/en-US/firefox/addon/ublock-origin
|
|
79 | + - [ ] `URL` updated
|
|
80 | + - **⚠️ WARNING**: If preparing the release manually, updating the version number in the url is not sufficient, as each version has a random unique id in the download url
|
|
81 | + - [ ] `sha256sum` updated
|
|
82 | + - [ ] Mullvad Browser extension: https://github.com/mullvad/browser-extension/releases
|
|
83 | + - [ ] `URL` updated
|
|
84 | + - [ ] `sha256sum` updated
|
|
85 | + - [ ] `ChangeLog-MB.txt`: ensure correctness
|
|
86 | + - [ ] Browser name correct
|
|
87 | + - [ ] Release date correct
|
|
88 | + - [ ] No Android updates
|
|
89 | + - [ ] All issues added under correct platform
|
|
90 | + - [ ] ESR updates correct
|
|
91 | + - [ ] Component updates correct
|
|
80 | 92 | - [ ] Open MR with above changes, using the template for release preparations
|
93 | + - **NOTE**: target the `main` branch
|
|
81 | 94 | - [ ] Merge
|
82 | 95 | - [ ] Sign+Tag
|
83 | 96 | - **NOTE** this must be done by one of:
|
... | ... | @@ -86,16 +99,25 @@ Mullvad Browser Alpha (and Nightly) are on the `main` branch |
86 | 99 | - ma1
|
87 | 100 | - morgan
|
88 | 101 | - pierov
|
89 | - - [ ] Run: `make mullvadbrowser-signtag-alpha`
|
|
102 | + - [ ] Run:
|
|
103 | + ```bash
|
|
104 | + make mullvadbrowser-signtag-alpha
|
|
105 | + ```
|
|
90 | 106 | - [ ] Push tag to `upstream`
|
91 | 107 | - [ ] Build the tag:
|
92 | - - Run `make mullvadbrowser-alpha && make mullvadbrowser-incrementals-alpha` on:
|
|
108 | + - [ ] Run:
|
|
109 | + ```bash
|
|
110 | + make mullvadbrowser-alpha && make mullvadbrowser-incrementals-alpha
|
|
111 | + ```
|
|
93 | 112 | - [ ] Tor Project build machine
|
94 | 113 | - [ ] Local developer machine
|
95 | 114 | - [ ] Submit build request to Mullvad infrastructure:
|
96 | 115 | - **NOTE** this requires a devmole authentication token
|
97 | - - Run `make mullvadbrowser-kick-devmole-build`
|
|
98 | -- [ ] Ensure builders have matching builds
|
|
116 | + - **NOTE** this also requires you be connected to a Swedish Mulvad VPN exit
|
|
117 | + - [ ] Run:
|
|
118 | + ```bash
|
|
119 | + make mullvadbrowser-kick-devmole-build
|
|
120 | + ```
|
|
99 | 121 | |
100 | 122 | </details>
|
101 | 123 | |
... | ... | @@ -105,64 +127,84 @@ Mullvad Browser Alpha (and Nightly) are on the `main` branch |
105 | 127 | ### release signing
|
106 | 128 | - [ ] Assign this issue to the signer, one of:
|
107 | 129 | - boklm
|
130 | + - ma1
|
|
108 | 131 | - morgan
|
109 | -- [ ] On `$(STAGING_SERVER)`, ensure updated:
|
|
110 | - - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-$(MULLVAD_BROWSER_VERSION)-$(MULLVAD_BROWSER_BUILD_N) && git checkout tbb-$(MULLVAD_BROWSER_VERSION)-$(MULLVAD_BROWSER_BUILD_N)`
|
|
132 | + - pierov
|
|
133 | +- [ ] Ensure all builders have matching builds
|
|
134 | +- [ ] On `${STAGING_SERVER}`, ensure updated:
|
|
135 | + - **NOTE** Having a local git branch with `main` as the upstream branch with these values saved means you only need to periodically `git pull --rebase` and update the `set-config.tbb-version` file
|
|
136 | + - [ ] `tor-browser-build` is on the right commit: `git tag -v mb-${MULLVAD_BROWSER_VERSION}-${MULLVAD_BROWSER_BUILD_N} && git checkout mb-${MULLVAD_BROWSER_VERSION}-${MULLVAD_BROWSER_BUILD_N}`
|
|
111 | 137 | - [ ] `tor-browser-build/tools/signing/set-config.hosts`
|
112 | - - `ssh_host_builder` : ssh hostname of machine with unsigned builds
|
|
113 | - - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory)
|
|
114 | - - `ssh_host_linux_signer` : ssh hostname of linux signing machine
|
|
138 | + - `ssh_host_builder`: ssh hostname of machine with unsigned builds
|
|
139 | + - `ssh_host_linux_signer`: ssh hostname of linux signing machine
|
|
140 | + - `builder_tor_browser_build_dir`: path on `ssh_host_builder` to root of builder's `tor-browser-build` clone containing unsigned builds
|
|
115 | 141 | - [ ] `tor-browser-build/tools/signing/set-config.rcodesign-appstoreconnect`
|
116 | - - `appstoreconnect_api_key_path` : path to json file containing appstoreconnect api key infos
|
|
142 | + - `appstoreconnect_api_key_path`: path to json file containing appstoreconnect api key infos
|
|
117 | 143 | - [ ] `set-config.update-responses`
|
118 | - - `update_responses_repository_dir` : directory where you cloned `git@xxxxxxxxxxxxxxxxxxxxx:tpo/applications/mullvad-browser-update-responses.git`
|
|
144 | + - `update_responses_repository_dir`: directory where you cloned `git@xxxxxxxxxxxxxxxxxxxxx:tpo/applications/mullvad-browser-update-responses.git`
|
|
119 | 145 | - [ ] `tor-browser-build/tools/signing/set-config.tbb-version`
|
120 | - - `tbb_version` : mullvad browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`)
|
|
121 | - - `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`)
|
|
122 | - - `tbb_version_type` : either `alpha` for alpha releases or `release` for stable releases
|
|
123 | -- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
|
|
124 | -- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, run do-all-signing script:
|
|
125 | - - `cd tor-browser-build/tools/signing/`
|
|
126 | - - `./do-all-signing.mullvadbrowser`
|
|
127 | -- **NOTE**: at this point the signed binaries should have been copied to `staticiforme`
|
|
128 | -- [ ] Update `staticiforme.torproject.org`:
|
|
129 | - - From `screen` session on `staticiforme.torproject.org`:
|
|
130 | - - [ ] Remove old release data from `/srv/dist-master.torproject.org/htdocs/mullvadbrowser`
|
|
131 | - - [ ] Static update components (again) : `static-update-component dist.torproject.org`
|
|
146 | + - `tbb_version`: mullvad browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`)
|
|
147 | + - `tbb_version_build`: the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`)
|
|
148 | + - `tbb_version_type`: either `alpha` for alpha releases or `release` for stable releases
|
|
149 | +- [ ] On `${STAGING_SERVER}` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
|
|
150 | +- [ ] On `${STAGING_SERVER}` in a separate `screen` session, run do-all-signing script:
|
|
151 | + - [ ] Run:
|
|
152 | + ```bash
|
|
153 | + cd tor-browser-build/tools/signing/ && ./do-all-signing.mullvadbrowser
|
|
154 | + ```
|
|
155 | + - **NOTE**: on successful execution, the signed binaries and mars should have been copied to `staticiforme` and update responses pushed
|
|
132 | 156 | |
133 | 157 | </details>
|
134 | 158 | |
135 | 159 | <details>
|
136 | 160 | <summary>Publishing</summary>
|
137 | 161 | |
162 | +### website
|
|
163 | +- [ ] On `staticiforme.torproject.org`, remove old release and publish new:
|
|
164 | + - [ ] `/srv/dist-master.torproject.org/htdocs/mullvadbrowser`
|
|
165 | + - [ ] Run:
|
|
166 | + ```bash
|
|
167 | + static-update-component dist.torproject.org
|
|
168 | + ```
|
|
169 | + |
|
138 | 170 | ### mullvad-browser (GitHub): https://github.com/mullvad/mullvad-browser/
|
139 | 171 | - [ ] Assign this issue to someone with mullvad commit access, one of:
|
140 | 172 | - boklm
|
141 | 173 | - ma1
|
142 | 174 | - morgan
|
143 | 175 | - pierov
|
176 | +- [ ] Sign+Tag additionally the `mullvad-browser.git` `firefox` commit used in build:
|
|
177 | + - **Tag**: `${MULLVAD_BROWSER_VERSION}`
|
|
178 | + - **example**: `12.5a7`
|
|
179 | + - **Message**: `${ESR_VERSION}esr-based ${MULLVAD_BROWSER_VERSION}`
|
|
180 | + - **example**: `102.12.0esr-based 12.5a7`
|
|
144 | 181 | - [ ] Push this release's associated `mullvad-browser.git` branch to github
|
145 | 182 | - [ ] Push this release's associated tags to github:
|
146 | 183 | - [ ] Firefox ESR tag
|
147 | - - **example** : `FIREFOX_102_12_0esr_BUILD1`
|
|
184 | + - **example**: `FIREFOX_102_12_0esr_BUILD1`
|
|
148 | 185 | - [ ] `base-browser` tag
|
149 | - - **example** : `base-browser-102.12.0esr-12.0-1-build1`
|
|
150 | - - [ ] `mullvad-browser` tag
|
|
151 | - - **example** : `mullvad-browser-102.12.0esr-12.0-1-build1`
|
|
152 | -- [ ] Sign+Tag additionally the `mullvad-browser.git` `firefox` commit used in build:
|
|
153 | - - **Tag**: `$(MULLVAD_BROWSER_VERSION)`
|
|
154 | - - **example** : `12.5a7`
|
|
155 | - - **Message**: `$(ESR_VERSION)esr-based $(MULLVAD_BROWSER_VERSION)`
|
|
156 | - - **example** : `102.12.0esr-based 12.5a7`
|
|
157 | - - [ ] Push tag to github
|
|
158 | - |
|
159 | -### email
|
|
160 | -- [ ] **(Once branch+tags pushed to GitHub)** Email Mullvad with release information:
|
|
161 | - - [ ] support alias: support@xxxxxxxxxxxxxx
|
|
162 | - - [ ] Rui: rui@xxxxxxxxxxx
|
|
186 | + - **example**: `base-browser-102.12.0esr-12.0-1-build1`
|
|
187 | + - [ ] `mullvad-browser` build tag
|
|
188 | + - **example**: `mullvad-browser-102.12.0esr-12.0-1-build1`
|
|
189 | + - [ ] `mullvad-browser` release tag
|
|
190 | + - **example**: `12.0.11`
|
|
191 | + |
|
192 | +</details>
|
|
193 | + |
|
194 | +<details>
|
|
195 | + <summary>Communications</summary>
|
|
196 | + |
|
197 | +### Mullvad
|
|
198 | +- [ ] Email Mullvad with release information:
|
|
199 | + - **Recipients**
|
|
200 | + - Mullvad support alias: support@xxxxxxxxxxxxxx
|
|
201 | + - Rui Hildt: rui@xxxxxxxxxxx
|
|
202 | + ```
|
|
203 | + support@xxxxxxxxxxxxxx rui@xxxxxxxxxxx
|
|
204 | + ```
|
|
163 | 205 | - **Subject**
|
164 | 206 | ```
|
165 | - New build: Mullvad Browser $(MULLVAD_BROWSER_VERION) (signed)
|
|
207 | + New build: Mullvad Browser ${MULLVAD_BROWSER_VERION} (signed)
|
|
166 | 208 | ```
|
167 | 209 | - **Body**
|
168 | 210 | ```
|
... | ... | @@ -170,28 +212,27 @@ Mullvad Browser Alpha (and Nightly) are on the `main` branch |
170 | 212 | |
171 | 213 | Branch+Tags have been pushed to Mullvad's GitHub repo.
|
172 | 214 | |
173 | - - signed builds: https://dist.torproject.org/mullvadbrowser/$(MULLVAD_BROWSER_VERSION)
|
|
174 | - - update_response hashes: $(MULLVAD_UPDATE_RESPONSES_HASH)
|
|
215 | + - signed builds: https://dist.torproject.org/mullvadbrowser/${MULLVAD_BROWSER_VERSION}
|
|
216 | + - update_response hashes: ${MULLVAD_UPDATE_RESPONSES_HASH}
|
|
175 | 217 | |
176 | 218 | changelog:
|
219 | + # paste changelog as quote here
|
|
177 | 220 | ...
|
178 | 221 | ```
|
179 | 222 | |
180 | -</details>
|
|
181 | - |
|
182 | -<details>
|
|
183 | - <summary>Downstream</summary>
|
|
184 | - |
|
185 | -### notify packagers
|
|
186 | -These steps depend on Mullvad having updated their [GitHub Releases](https://github.com/mullvad/mullvad-browser/releases/) page with the latest release
|
|
187 | -- [ ] **(Optional)** Email downstream consumers:
|
|
223 | +### packagers
|
|
224 | +- [ ] **(Optional, Once Packages are pushed to GitHub)**
|
|
188 | 225 | - **NOTE**: This is an optional step and only necessary close a major release/transition from alpha to stable, or if there are major packing changes these developers need to be aware of
|
189 | - - [ ] flathub package maintainer: proletarius101@xxxxxxxxxxxxxx
|
|
190 | - - [ ] arch package maintainer: bootctl@xxxxxxxxx
|
|
191 | - - [ ] nixOS package maintainer: dev@xxxxxxxxxxx
|
|
226 | + - **Recipients**
|
|
227 | + - flathub package maintainer: proletarius101@xxxxxxxxxxxxxx
|
|
228 | + - arch package maintainer: bootctl@xxxxxxxxx
|
|
229 | + - nixOS package maintainer: dev@xxxxxxxxxxx
|
|
230 | + ```
|
|
231 | + proletarius101@xxxxxxxxxxxxxx bootctl@xxxxxxxxx dev@xxxxxxxxxxx
|
|
232 | + ```
|
|
192 | 233 | - **Subject**
|
193 | 234 | ```
|
194 | - Mullvad Browser $(MULLVAD_BROWSER_VERSION) released
|
|
235 | + Mullvad Browser ${MULLVAD_BROWSER_VERSION} released
|
|
195 | 236 | ```
|
196 | 237 | - **Body**
|
197 | 238 | ```
|
... | ... | @@ -208,4 +249,3 @@ These steps depend on Mullvad having updated their [GitHub Releases](https://git |
208 | 249 | |
209 | 250 | /label ~"Release Prep"
|
210 | 251 | /label ~"Sponsor 131" |
211 | - |
1 | +# Release Prep Mullvad Browser Stable
|
|
2 | + |
|
3 | +- **NOTE** It is assumed the `mullvad-browser` release rebase and security backport tasks have been completed
|
|
4 | +- **NOTE** This can/is often done in conjunction with the equivalent Tor Browser release prep issue
|
|
5 | + |
|
1 | 6 | <details>
|
2 | 7 | <summary>Explanation of variables</summary>
|
3 | 8 | |
4 | -- `$(BUILD_SERVER)` : the server the main builder is using to build a mullvad-browser release
|
|
5 | -- `$(BUILDER)` : whomever is building the release on the $(BUILD_SERVER)
|
|
6 | - - **example** : `pierov`
|
|
7 | -- `$(STAGING_SERVER)` : the server the signer is using to to run the signing process
|
|
8 | -- `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building mullvad-browser tags, labels, etc
|
|
9 | - - **example** : `91.6.0`
|
|
10 | -- `$(MULLVAD_BROWSER_MAJOR)` : the Mullvad Browser major version
|
|
11 | - - **example** : `11`
|
|
12 | -- `$(MULLVAD_BROWSER_MINOR)` : the Mullvad Browser minor version
|
|
13 | - - **example** : either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
|
|
14 | -- `$(MULLVAD_BROWSER_VERSION)` : the Mullvad Browser version in the format
|
|
15 | - - **example** : `12.5a3`, `12.0.3`
|
|
16 | -- `$(BUILD_N)` : a project's build revision within a its branch; this is separate from the `$(MULLVAD_BROWSER_BUILD_N)` value; many of the Firefox-related projects have a `$(BUILD_N)` suffix and may differ between projects even when they contribute to the same build.
|
|
17 | - - **example** : `build1`
|
|
18 | -- `$(MULLVAD_BROWSER_BUILD_N)` : the mullvad-browser build revision for a given Mullvad Browser release; used in tagging git commits
|
|
19 | - - **example** : `build2`
|
|
20 | - - **NOTE** : A project's `$(BUILD_N)` and `$(MULLVAD_BROWSER_BUILD_N)` may be the same, but it is possible for them to diverge. For **example** :
|
|
21 | - - if we have multiple Mullvad Browser releases on a given ESR branch the two will become out of sync as the `$(BUILD_N)` value will increase, while the `$(MULLVAD_BROWSER_BUILD_N)` value may stay at `build1` (but the `$(MULLVAD_BROWSER_VERSION)` will increase)
|
|
22 | - - if we have build failures unrelated to `mullvad-browser`, the `$(MULLVAD_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same.
|
|
23 | -- `$(MULLVAD_BROWSER_VERSION)` : the published Mullvad Browser version
|
|
24 | - - **example** : `11.5a6`, `11.0.7`
|
|
25 | -- `$(MB_BUILD_TAG)` : the `tor-browser-build` build tag used to build a given Mullvad Browser version
|
|
26 | - - **example** : `mb-12.0.7-build1`
|
|
9 | +- `${BUILD_SERVER}`: the server the main builder is using to build a browser release
|
|
10 | +- `${BUILDER}`: whomever is building the release on the ${BUILD_SERVER}
|
|
11 | + - **example**: `pierov`
|
|
12 | +- `${STAGING_SERVER}`: the server the signer is using to to run the signing process
|
|
13 | +- `${ESR_VERSION}`: the Mozilla defined ESR version, used in various places for building browser tags, labels, etc
|
|
14 | + - **example**: `91.6.0`
|
|
15 | +- `${MULLVAD_BROWSER_MAJOR}`: the Mullvad Browser major version
|
|
16 | + - **example**: `11`
|
|
17 | +- `${MULLVAD_BROWSER_MINOR}`: the Mullvad Browser minor version
|
|
18 | + - **example**: either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
|
|
19 | +- `${MULLVAD_BROWSER_VERSION}`: the Mullvad Browser version in the format
|
|
20 | + - **example**: `12.5a3`, `12.0.3`
|
|
21 | +- `${BUILD_N}`: a project's build revision within a its branch; this is separate from the `${MULLVAD_BROWSER_BUILD_N}` value; many of the Firefox-related projects have a `${BUILD_N}` suffix and may differ between projects even when they contribute to the same build.
|
|
22 | + - **example**: `build1`
|
|
23 | +- `${MULLVAD_BROWSER_BUILD_N}`: the mullvad-browser build revision for a given Mullvad Browser release; used in tagging git commits
|
|
24 | + - **example**: `build2`
|
|
25 | + - **⚠️ WARNING**: A project's `${BUILD_N}` and `${MULLVAD_BROWSER_BUILD_N}` may be the same, but it is possible for them to diverge. For **example** :
|
|
26 | + - if we have multiple Mullvad Browser releases on a given ESR branch the two will become out of sync as the `${BUILD_N}` value will increase, while the `${MULLVAD_BROWSER_BUILD_N}` value may stay at `build1` (but the `${MULLVAD_BROWSER_VERSION}` will increase)
|
|
27 | + - if we have build failures unrelated to `mullvad-browser`, the `${MULLVAD_BROWSER_BUILD_N}` value will increase while the `${BUILD_N}` will stay the same.
|
|
28 | +- `${MULLVAD_BROWSER_VERSION}`: the published Mullvad Browser version
|
|
29 | + - **example**: `11.5a6`, `11.0.7`
|
|
30 | +- `${MB_BUILD_TAG}`: the `tor-browser-build` build tag used to build a given Mullvad Browser version
|
|
31 | + - **example**: `mb-12.0.7-build1`
|
|
32 | +- `${RELEASE_DATE}`: the intended release date of this browser release; for ESR schedule-driven releases, this should match the upstream Firefox release date
|
|
33 | + - **example**: `2024-10-29`
|
|
34 | + |
|
27 | 35 | </details>
|
28 | 36 | |
29 | -**NOTE** It is assumed that the `tor-browser` stable rebase and security backport tasks have been completed
|
|
37 | +<details>
|
|
38 | + <summary>Build Configuration</summary>
|
|
30 | 39 | |
31 | -**NOTE** This can/is often done in conjunction with the equivalent Tor Browser release prep issue
|
|
40 | +### mullvad-browser: https://gitlab.torproject.org/tpo/applications/mullvad-browser.git
|
|
32 | 41 | |
33 | -<details>
|
|
34 | - <summary>Building</summary>
|
|
42 | +- [ ] Tag `mullvad-browser` commit:
|
|
43 | + - **example**: `mullvad-browser-128.3.0esr-14.0-1-build1`
|
|
35 | 44 | |
36 | 45 | ### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git
|
37 | -Mullvad Browser Stable lives in the various `maint-$(MULLVAD_BROWSER_MAJOR).$(MULLVAD_BROWSER_MINOR)` (and possibly more specific) branches
|
|
38 | - |
|
39 | -- [ ] Update `rbm.conf`
|
|
40 | - - [ ] `var/torbrowser_version` : update to next version
|
|
41 | - - [ ] `var/torbrowser_build` : update to `$(MULLVAD_BROWSER_BUILD_N)`
|
|
42 | - - [ ] `var/browser_release_date` : update to build date. For the build to be reproducible, the date should be in the past when building.
|
|
43 | - - [ ] `var/torbrowser_incremental_from` : update to previous Desktop version
|
|
44 | - - **NOTE**: We try to build incrementals for the previous 3 desktop versions except in the case of a watershed update
|
|
45 | - - **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make mullvadbrowser-incrementals-*` step will fail
|
|
46 | -- [ ] Update build configs
|
|
47 | - - [ ] Update `projects/firefox/config`
|
|
48 | - - [ ] `browser_build` : update to match `mullvad-browser` tag
|
|
49 | - - [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased
|
|
50 | - - [ ] Update `projects/translation/config`:
|
|
51 | - - [ ] run `make list_translation_updates-release` to get updated hashes
|
|
52 | - - [ ] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch
|
|
53 | - - [ ] `steps/mullvad-browser/git_hash` : update with `HEAD` commit of project's `mullvad-browser` branch
|
|
54 | -- [ ] Update common build configs
|
|
55 | - - [ ] Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript
|
|
56 | - - [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/browser/config`
|
|
57 | - - [ ] `URL`
|
|
58 | - - [ ] `sha256sum`
|
|
59 | - - [ ] Check for uBlock-origin updates here : https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/
|
|
60 | - - [ ] ***(Optional)*** If new version available, update `ublock-origin` section of `input_files` in `projects/browser/config`
|
|
61 | - - [ ] `URL`
|
|
62 | - - [ ] `sha256sum`
|
|
63 | - - [ ] Check for Mullvad Browser Extension updates here : https://github.com/mullvad/browser-extension/releases
|
|
64 | - - [ ] ***(Optional)*** If new version available, update `mullvad-extension` section of `input_files` in `projects/browser/config`
|
|
65 | - - [ ] `URL`
|
|
66 | - - [ ] `sha256sum`
|
|
67 | -- [ ] Update `ChangeLog-MB.txt`
|
|
68 | - - [ ] Ensure `ChangeLog-MB.txt` is sync'd between alpha and stable branches
|
|
69 | - - [ ] Check the linked issues: ask people to check if any are missing, remove the not fixed ones
|
|
70 | - - [ ] Run `./tools/fetch-changelogs.py $(ISSUE_NUMBER) --date $date $updateArgs`
|
|
71 | - - Make sure you have `requests` installed (e.g., `apt install python3-requests`)
|
|
72 | - - The first time you run this script you will need to generate an access token; the script will guide you
|
|
73 | - - `$updateArgs` should be these arguments, depending on what you actually updated:
|
|
74 | - - [ ] `--firefox` (be sure to include esr at the end if needed, which is usually the case)
|
|
75 | - - [ ] `--no-script`
|
|
76 | - - [ ] `--ublock`
|
|
77 | - - E.g., `./tools/fetch-changelogs.py 41029 --date 'December 19 2023' --firefox 115.6.0esr --no-script 11.4.29 --ublock 1.54.0`
|
|
78 | - - `--date $date` is optional, if omitted it will be the date on which you run the command
|
|
79 | - - [ ] Copy the output of the script to the beginning of `ChangeLog-MB.txt` and adjust its output
|
|
46 | +Mullvad Browser Stable is on the `maint-${MULLVAD_BROWSER_MAJOR}.${MULLVAD_BROWSER_MINOR}` branch
|
|
47 | + |
|
48 | +- [ ] Changelog bookkeeping:
|
|
49 | + - [ ] Ensure all commits to `mullvad-browser` and `tor-browser-build` for this release have an associated issue linked to this release preparation issue
|
|
50 | + - [ ] Ensure each issue has a platform (~Windows, ~MacOS, ~Linux, ~Desktop, ~"All Platforms") and potentially ~"Build System" labels
|
|
51 | +- [ ] Create a release preparation branch from the current `maint-XX.Y` branch
|
|
52 | +- [ ] Run release preparation script:
|
|
53 | + - **NOTE**: You can omit the `--mullvad-browser` argument if this is for a joint Tor and Mullvad Browser release
|
|
54 | + - **⚠️ WARNING**: You may need to manually update the `firefox/config` file's `browser_build` field if `mullvad-browser.git` has not yet been tagged (e.g. if security backports have not yet been merged and tagged)
|
|
55 | + ```bash
|
|
56 | + ./tools/relprep.py --mullvad-browser --date ${RELEASE_DATE} ${MULLVAD_BROWSER_VERSION}
|
|
57 | + ```
|
|
58 | +- [ ] Review build configuration changes:
|
|
59 | + - [ ] `rbm.conf`
|
|
60 | + - [ ] `var/torbrowser_version`: updated to next browser version
|
|
61 | + - [ ] `var/torbrowser_build`: updated to `${MULLVAD_BROWSER_BUILD_N}`
|
|
62 | + - [ ] `var/browser_release_date`: updated to build date. For the build to be reproducible, the date should be in the past when building.
|
|
63 | + - **⚠️ WARNING**: If we have updated `var/torbrowser_build` without updating the `firefox` tag, then we can leave this unchanged to avoid forcing a firefox re-build (e.g. when bumping `var/torbrowser_build` to build2, build3, etc due to non-firefox related build issues)
|
|
64 | + - [ ] `var/torbrowser_incremental_from`: updated to previous Desktop version
|
|
65 | + - **NOTE**: We try to build incrementals for the previous 3 desktop versions
|
|
66 | + - **⚠️ WARNING**: Really *actually* make sure this is the previous Desktop version or else the `make mullvadbrowser-incrementals-*` step will fail
|
|
67 | + - [ ] `projects/firefox/config`
|
|
68 | + - [ ] `browser_build`: updated to match `mullvad-browser` tag
|
|
69 | + - [ ] ***(Optional)*** `var/firefox_platform_version`: updated to latest `${ESR_VERSION}` if rebased
|
|
70 | + - [ ] ***(Optional)*** `projects/translation/config`:
|
|
71 | + - [ ] `steps/base-browser/git_hash`: updated with `HEAD` commit of project's `base-browser` branch
|
|
72 | + - [ ] `steps/mullvad-browser/git_hash`: updated with `HEAD` commit of project's `mullvad-browser` branch
|
|
73 | + - [ ] ***(Optional)*** `projects/browser/config`:
|
|
74 | + - [ ] NoScript: https://addons.mozilla.org/en-US/firefox/addon/noscript
|
|
75 | + - [ ] `URL` updated
|
|
76 | + - **⚠️ WARNING**: If preparing the release manually, updating the version number in the url is not sufficient, as each version has a random unique id in the download url
|
|
77 | + - [ ] `sha256sum` updated
|
|
78 | + - [ ] uBlock-origin: https://addons.mozilla.org/en-US/firefox/addon/ublock-origin
|
|
79 | + - [ ] `URL` updated
|
|
80 | + - **⚠️ WARNING**: If preparing the release manually, updating the version number in the url is not sufficient, as each version has a random unique id in the download url
|
|
81 | + - [ ] `sha256sum` updated
|
|
82 | + - [ ] Mullvad Browser extension: https://github.com/mullvad/browser-extension/releases
|
|
83 | + - [ ] `URL` updated
|
|
84 | + - [ ] `sha256sum` updated
|
|
85 | + - [ ] `ChangeLog-MB.txt`: ensure correctness
|
|
86 | + - [ ] Browser name correct
|
|
87 | + - [ ] Release date correct
|
|
88 | + - [ ] No Android updates
|
|
89 | + - [ ] All issues added under correct platform
|
|
90 | + - [ ] ESR updates correct
|
|
91 | + - [ ] Component updates correct
|
|
80 | 92 | - [ ] Open MR with above changes, using the template for release preparations
|
93 | + - **NOTE**: target the `maint-14.0` branch
|
|
81 | 94 | - [ ] Merge
|
82 | 95 | - [ ] Sign+Tag
|
83 | 96 | - **NOTE** this must be done by one of:
|
... | ... | @@ -86,16 +99,25 @@ Mullvad Browser Stable lives in the various `maint-$(MULLVAD_BROWSER_MAJOR).$(MU |
86 | 99 | - ma1
|
87 | 100 | - morgan
|
88 | 101 | - pierov
|
89 | - - [ ] Run: `make mullvadbrowser-signtag-release`
|
|
102 | + - [ ] Run:
|
|
103 | + ```bash
|
|
104 | + make mullvadbrowser-signtag-release
|
|
105 | + ```
|
|
90 | 106 | - [ ] Push tag to `upstream`
|
91 | 107 | - [ ] Build the tag:
|
92 | - - Run `make mullvadbrowser-release && make mullvadbrowser-incrementals-release`
|
|
108 | + - [ ] Run:
|
|
109 | + ```bash
|
|
110 | + make mullvadbrowser-release && make mullvadbrowser-incrementals-release
|
|
111 | + ```
|
|
93 | 112 | - [ ] Tor Project build machine
|
94 | 113 | - [ ] Local developer machine
|
95 | 114 | - [ ] Submit build request to Mullvad infrastructure:
|
96 | 115 | - **NOTE** this requires a devmole authentication token
|
97 | - - Run `make mullvadbrowser-kick-devmole-build`
|
|
98 | -- [ ] Ensure builders have matching builds
|
|
116 | + - **NOTE** this also requires you be connected to a Swedish Mulvad VPN exit
|
|
117 | + - [ ] Run:
|
|
118 | + ```bash
|
|
119 | + make mullvadbrowser-kick-devmole-build
|
|
120 | + ```
|
|
99 | 121 | |
100 | 122 | </details>
|
101 | 123 | |
... | ... | @@ -105,64 +127,84 @@ Mullvad Browser Stable lives in the various `maint-$(MULLVAD_BROWSER_MAJOR).$(MU |
105 | 127 | ### release signing
|
106 | 128 | - [ ] Assign this issue to the signer, one of:
|
107 | 129 | - boklm
|
130 | + - ma1
|
|
108 | 131 | - morgan
|
109 | -- [ ] On `$(STAGING_SERVER)`, ensure updated:
|
|
110 | - - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-$(MULLVAD_BROWSER_VERSION)-$(MULLVAD_BROWSER_BUILD_N) && git checkout tbb-$(MULLVAD_BROWSER_VERSION)-$(MULLVAD_BROWSER_BUILD_N)`
|
|
111 | - - [ ] `tor-browser-build/tools/signing/set-config.hosts`
|
|
112 | - - `ssh_host_builder` : ssh hostname of machine with unsigned builds
|
|
113 | - - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory)
|
|
114 | - - `ssh_host_linux_signer` : ssh hostname of linux signing machine
|
|
132 | + - pierov
|
|
133 | +- [ ] Ensure all builders have matching builds
|
|
134 | +- [ ] On `${STAGING_SERVER}`, ensure updated:
|
|
135 | + - **NOTE** Having a local git branch with `maint-14.0` as the upstream branch with these values saved means you only need to periodically `git pull --rebase` and update the `set-config.tbb-version` file
|
|
136 | + - [ ] `tor-browser-build` is on the right commit: `git tag -v mb-${MULLVAD_BROWSER_VERSION}-${MULLVAD_BROWSER_BUILD_N} && git checkout mb-${MULLVAD_BROWSER_VERSION}-${MULLVAD_BROWSER_BUILD_N}`
|
|
137 | + - [ ] `tor-browser-build/tools/signing/set-config.hosts`
|
|
138 | + - `ssh_host_builder`: ssh hostname of machine with unsigned builds
|
|
139 | + - `ssh_host_linux_signer`: ssh hostname of linux signing machine
|
|
140 | + - `builder_tor_browser_build_dir`: path on `ssh_host_builder` to root of builder's `tor-browser-build` clone containing unsigned builds
|
|
115 | 141 | - [ ] `tor-browser-build/tools/signing/set-config.rcodesign-appstoreconnect`
|
116 | - - `appstoreconnect_api_key_path` : path to json file containing appstoreconnect api key infos
|
|
142 | + - `appstoreconnect_api_key_path`: path to json file containing appstoreconnect api key infos
|
|
117 | 143 | - [ ] `set-config.update-responses`
|
118 | - - `update_responses_repository_dir` : directory where you cloned `git@xxxxxxxxxxxxxxxxxxxxx:tpo/applications/mullvad-browser-update-responses.git`
|
|
144 | + - `update_responses_repository_dir`: directory where you cloned `git@xxxxxxxxxxxxxxxxxxxxx:tpo/applications/mullvad-browser-update-responses.git`
|
|
119 | 145 | - [ ] `tor-browser-build/tools/signing/set-config.tbb-version`
|
120 | - - `tbb_version` : mullvad browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`)
|
|
121 | - - `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`)
|
|
122 | - - `tbb_version_type` : either `alpha` for alpha releases or `release` for stable releases
|
|
123 | -- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
|
|
124 | -- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, run do-all-signing script:
|
|
125 | - - `cd tor-browser-build/tools/signing/`
|
|
126 | - - `./do-all-signing.mullvadbrowser`
|
|
127 | -- **NOTE**: at this point the signed binaries should have been copied to `staticiforme`
|
|
128 | -- [ ] Update `staticiforme.torproject.org`:
|
|
129 | - - From `screen` session on `staticiforme.torproject.org`:
|
|
130 | - - [ ] Remove old release data from `/srv/dist-master.torproject.org/htdocs/mullvadbrowser`
|
|
131 | - - [ ] Static update components (again) : `static-update-component dist.torproject.org`
|
|
146 | + - `tbb_version`: mullvad browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`)
|
|
147 | + - `tbb_version_build`: the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`)
|
|
148 | + - `tbb_version_type`: either `alpha` for alpha releases or `release` for stable releases
|
|
149 | +- [ ] On `${STAGING_SERVER}` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
|
|
150 | +- [ ] On `${STAGING_SERVER}` in a separate `screen` session, run do-all-signing script:
|
|
151 | + - [ ] Run:
|
|
152 | + ```bash
|
|
153 | + cd tor-browser-build/tools/signing/ && ./do-all-signing.mullvadbrowser
|
|
154 | + ```
|
|
155 | + - **NOTE**: on successful execution, the signed binaries and mars should have been copied to `staticiforme` and update responses pushed
|
|
132 | 156 | |
133 | 157 | </details>
|
134 | 158 | |
135 | 159 | <details>
|
136 | 160 | <summary>Publishing</summary>
|
137 | 161 | |
162 | +### website
|
|
163 | +- [ ] On `staticiforme.torproject.org`, remove old release and publish new:
|
|
164 | + - [ ] `/srv/dist-master.torproject.org/htdocs/mullvadbrowser`
|
|
165 | + - [ ] Run:
|
|
166 | + ```bash
|
|
167 | + static-update-component dist.torproject.org
|
|
168 | + ```
|
|
169 | + |
|
138 | 170 | ### mullvad-browser (GitHub): https://github.com/mullvad/mullvad-browser/
|
139 | 171 | - [ ] Assign this issue to someone with mullvad commit access, one of:
|
140 | 172 | - boklm
|
141 | 173 | - ma1
|
142 | 174 | - morgan
|
143 | 175 | - pierov
|
176 | +- [ ] Sign+Tag additionally the `mullvad-browser.git` `firefox` commit used in build:
|
|
177 | + - **Tag**: `${MULLVAD_BROWSER_VERSION}`
|
|
178 | + - **example**: `12.5a7`
|
|
179 | + - **Message**: `${ESR_VERSION}esr-based ${MULLVAD_BROWSER_VERSION}`
|
|
180 | + - **example**: `102.12.0esr-based 12.5a7`
|
|
144 | 181 | - [ ] Push this release's associated `mullvad-browser.git` branch to github
|
145 | 182 | - [ ] Push this release's associated tags to github:
|
146 | 183 | - [ ] Firefox ESR tag
|
147 | - - **example** : `FIREFOX_102_12_0esr_BUILD1`
|
|
184 | + - **example**: `FIREFOX_102_12_0esr_BUILD1`
|
|
148 | 185 | - [ ] `base-browser` tag
|
149 | - - **example** : `base-browser-102.12.0esr-12.0-1-build1`
|
|
150 | - - [ ] `mullvad-browser` tag
|
|
151 | - - **example** : `mullvad-browser-102.12.0esr-12.0-1-build1`
|
|
152 | -- [ ] Sign+Tag additionally the `mullvad-browser.git` `firefox` commit used in build:
|
|
153 | - - **Tag**: `$(MULLVAD_BROWSER_VERSION)`
|
|
154 | - - **example** : `12.0.7`
|
|
155 | - - **Message**: `$(ESR_VERSION)esr-based $(MULLVAD_BROWSER_VERSION)`
|
|
156 | - - **example** : `102.12.0esr-based 12.0.7`
|
|
157 | - - [ ] Push tag to github
|
|
158 | - |
|
159 | -### email
|
|
160 | -- [ ] **(Once branch+tags pushed to GitHub)** Email Mullvad with release information:
|
|
161 | - - [ ] support alias: support@xxxxxxxxxxxxxx
|
|
162 | - - [ ] Rui: rui@xxxxxxxxxxx
|
|
186 | + - **example**: `base-browser-102.12.0esr-12.0-1-build1`
|
|
187 | + - [ ] `mullvad-browser` build tag
|
|
188 | + - **example**: `mullvad-browser-102.12.0esr-12.0-1-build1`
|
|
189 | + - [ ] `mullvad-browser` release tag
|
|
190 | + - **example**: `12.0.11`
|
|
191 | + |
|
192 | +</details>
|
|
193 | + |
|
194 | +<details>
|
|
195 | + <summary>Communications</summary>
|
|
196 | + |
|
197 | +### Mullvad
|
|
198 | +- [ ] Email Mullvad with release information:
|
|
199 | + - **Recipients**
|
|
200 | + - Mullvad support alias: support@xxxxxxxxxxxxxx
|
|
201 | + - Rui Hildt: rui@xxxxxxxxxxx
|
|
202 | + ```
|
|
203 | + support@xxxxxxxxxxxxxx rui@xxxxxxxxxxx
|
|
204 | + ```
|
|
163 | 205 | - **Subject**
|
164 | 206 | ```
|
165 | - New build: Mullvad Browser $(MULLVAD_BROWSER_VERION) (signed)
|
|
207 | + New build: Mullvad Browser ${MULLVAD_BROWSER_VERION} (signed)
|
|
166 | 208 | ```
|
167 | 209 | - **Body**
|
168 | 210 | ```
|
... | ... | @@ -170,27 +212,26 @@ Mullvad Browser Stable lives in the various `maint-$(MULLVAD_BROWSER_MAJOR).$(MU |
170 | 212 | |
171 | 213 | Branch+Tags have been pushed to Mullvad's GitHub repo.
|
172 | 214 | |
173 | - - signed builds: https://dist.torproject.org/mullvadbrowser/$(MULLVAD_BROWSER_VERSION)
|
|
174 | - - update_response hashes: $(MULLVAD_UPDATE_RESPONSES_HASH)
|
|
215 | + - signed builds: https://dist.torproject.org/mullvadbrowser/${MULLVAD_BROWSER_VERSION}
|
|
216 | + - update_response hashes: ${MULLVAD_UPDATE_RESPONSES_HASH}
|
|
175 | 217 | |
176 | 218 | changelog:
|
219 | + # paste changelog as quote here
|
|
177 | 220 | ...
|
178 | 221 | ```
|
179 | 222 | |
180 | -</details>
|
|
181 | - |
|
182 | -<details>
|
|
183 | - <summary>Downstream</summary>
|
|
184 | - |
|
185 | -### notify packagers
|
|
186 | -These steps depend on Mullvad having updated their [GitHub Releases](https://github.com/mullvad/mullvad-browser/releases/) page with the latest release
|
|
187 | -- [ ] Email downstream consumers:
|
|
188 | - - [ ] flathub package maintainer: proletarius101@xxxxxxxxxxxxxx
|
|
189 | - - [ ] arch package maintainer: bootctl@xxxxxxxxx
|
|
190 | - - [ ] nixOS package maintainer: dev@xxxxxxxxxxx
|
|
223 | +### packagers
|
|
224 | +- [ ] **(Once Packages are pushed to GitHub)**
|
|
225 | + - **Recipients**
|
|
226 | + - flathub package maintainer: proletarius101@xxxxxxxxxxxxxx
|
|
227 | + - arch package maintainer: bootctl@xxxxxxxxx
|
|
228 | + - nixOS package maintainer: dev@xxxxxxxxxxx
|
|
229 | + ```
|
|
230 | + proletarius101@xxxxxxxxxxxxxx bootctl@xxxxxxxxx dev@xxxxxxxxxxx
|
|
231 | + ```
|
|
191 | 232 | - **Subject**
|
192 | 233 | ```
|
193 | - Mullvad Browser $(MULLVAD_BROWSER_VERSION) released
|
|
234 | + Mullvad Browser ${MULLVAD_BROWSER_VERSION} released
|
|
194 | 235 | ```
|
195 | 236 | - **Body**
|
196 | 237 | ```
|
... | ... | @@ -204,11 +245,12 @@ These steps depend on Mullvad having updated their [GitHub Releases](https://git |
204 | 245 | ```
|
205 | 246 | |
206 | 247 | ### merge requests
|
207 | -- [ ] homebrew: https://github.com/Homebrew/homebrew-cask/blob/master/Casks/m/mullvad-browser.rb
|
|
208 | - - **NOTE**: should just need to update `version` and `sha256` to latest
|
|
248 | +- [ ] **(Once Packages are pushed to GitHub)**
|
|
249 | + - [ ] homebrew: https://github.com/Homebrew/homebrew-cask/blob/master/Casks/m/mullvad-browser.rb
|
|
250 | + - **NOTE**: a bot seems to pick this up without needing our intervention these days
|
|
251 | + - **NOTE**: should just need to update `version` and `sha256` to latest
|
|
209 | 252 | |
210 | 253 | </details>
|
211 | 254 | |
212 | 255 | /label ~"Release Prep"
|
213 | -/label ~"Sponsor 131"
|
|
214 | - |
|
256 | +/label ~"Sponsor 131" |
1 | +# Release Prep Tor Browser Alpha
|
|
2 | + |
|
3 | +- **NOTE** It is assumed the `tor-browser` alpha rebase and security backport tasks have been completed
|
|
4 | +- **NOTE** This can/is often done in conjunction with the equivalent Mullvad Browser release prep issue
|
|
5 | + |
|
1 | 6 | <details>
|
2 | 7 | <summary>Explanation of variables</summary>
|
3 | 8 | |
4 | -- `$(BUILD_SERVER)` : the server the main builder is using to build a tor-browser release
|
|
5 | -- `$(BUILDER)` : whomever is building the release on the $(BUILD_SERVER)
|
|
6 | - - **example** : `pierov`
|
|
7 | -- `$(STAGING_SERVER)` : the server the signer is using to to run the signing process
|
|
8 | -- `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc
|
|
9 | - - **example** : `91.6.0`
|
|
10 | -- `$(TOR_BROWSER_MAJOR)` : the Tor Browser major version
|
|
11 | - - **example** : `11`
|
|
12 | -- `$(TOR_BROWSER_MINOR)` : the Tor Browser minor version
|
|
13 | - - **example** : either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
|
|
14 | -- `$(TOR_BROWSER_VERSION)` : the Tor Browser version in the format
|
|
15 | - - **example** : `12.5a3`, `12.0.3`
|
|
16 | -- `$(BUILD_N)` : a project's build revision within a its branch; this is separate from the `$(TOR_BROWSER_BUILD_N)` value; many of the Firefox-related projects have a `$(BUILD_N)` suffix and may differ between projects even when they contribute to the same build.
|
|
17 | - - **example** : `build1`
|
|
18 | -- `$(TOR_BROWSER_BUILD_N)` : the tor-browser build revision for a given Tor Browser release; used in tagging git commits
|
|
19 | - - **example** : `build2`
|
|
20 | - - **NOTE** : A project's `$(BUILD_N)` and `$(TOR_BROWSER_BUILD_N)` may be the same, but it is possible for them to diverge. For example :
|
|
21 | - - if we have multiple Tor Browser releases on a given ESR branch the two will become out of sync as the `$(BUILD_N)` value will increase, while the `$(TOR_BROWSER_BUILD_N)` value may stay at `build1` (but the `$(TOR_BROWSER_VERSION)` will increase)
|
|
22 | - - if we have build failures unrelated to `tor-browser`, the `$(TOR_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same.
|
|
23 | -- `$(TOR_BROWSER_VERSION)` : the published Tor Browser version
|
|
24 | - - **example** : `11.5a6`, `11.0.7`
|
|
25 | -- `$(TBB_BUILD_TAG)` : the `tor-browser-build` build tag used to build a given Tor Browser version
|
|
26 | - - **example** : `tbb-12.5a7-build1`
|
|
27 | -</details>
|
|
9 | +- `${BUILD_SERVER}`: the server the main builder is using to build a browser release
|
|
10 | +- `${BUILDER}`: whomever is building the release on the ${BUILD_SERVER}
|
|
11 | + - **example**: `pierov`
|
|
12 | +- `${STAGING_SERVER}`: the server the signer is using to to run the signing process
|
|
13 | +- `${ESR_VERSION}`: the Mozilla defined ESR version, used in various places for building browser tags, labels, etc
|
|
14 | + - **example**: `91.6.0`
|
|
15 | +- `${TOR_BROWSER_MAJOR}`: the Tor Browser major version
|
|
16 | + - **example**: `11`
|
|
17 | +- `${TOR_BROWSER_MINOR}`: the Tor Browser minor version
|
|
18 | + - **example**: either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
|
|
19 | +- `${TOR_BROWSER_VERSION}`: the Tor Browser version in the format
|
|
20 | + - **example**: `12.5a3`, `12.0.3`
|
|
21 | +- `${BUILD_N}`: a project's build revision within a its branch; this is separate from the `${TOR_BROWSER_BUILD_N}` value; many of the Firefox-related projects have a `${BUILD_N}` suffix and may differ between projects even when they contribute to the same build.
|
|
22 | + - **example**: `build1`
|
|
23 | +- `${TOR_BROWSER_BUILD_N}`: the tor-browser build revision for a given Tor Browser release; used in tagging git commits
|
|
24 | + - **example**: `build2`
|
|
25 | + - **⚠️ WARNING**: A project's `${BUILD_N}` and `${TOR_BROWSER_BUILD_N}` may be the same, but it is possible for them to diverge. For example :
|
|
26 | + - if we have multiple Tor Browser releases on a given ESR branch the two will become out of sync as the `${BUILD_N}` value will increase, while the `${TOR_BROWSER_BUILD_N}` value may stay at `build1` (but the `${TOR_BROWSER_VERSION}` will increase)
|
|
27 | + - if we have build failures unrelated to `tor-browser`, the `${TOR_BROWSER_BUILD_N}` value will increase while the `${BUILD_N}` will stay the same.
|
|
28 | +- `${TOR_BROWSER_VERSION}`: the published Tor Browser version
|
|
29 | + - **example**: `11.5a6`, `11.0.7`
|
|
30 | +- `${TBB_BUILD_TAG}`: the `tor-browser-build` build tag used to build a given Tor Browser version
|
|
31 | + - **example**: `tbb-12.5a7-build1`
|
|
32 | +- `${RELEASE_DATE}`: the intended release date of this browser release; for ESR schedule-driven releases, this should match the upstream Firefox release date
|
|
33 | + - **example**: `2024-10-29`
|
|
28 | 34 | |
29 | -**NOTE** It is assumed that the `tor-browser` stable rebase and security backport tasks have been completed
|
|
30 | -**NOTE** This can/is often done in conjunction with the equivalent Mullvad Browser release prep issue
|
|
35 | +</details>
|
|
31 | 36 | |
32 | 37 | <details>
|
33 | - <summary>Building</summary>
|
|
38 | + <summary>Build Configuration</summary>
|
|
39 | + |
|
40 | +### tor-browser: https://gitlab.torproject.org/tpo/applications/tor-browser.git
|
|
41 | + |
|
42 | +- [ ] Tag `tor-browser` in tor-browser.git
|
|
43 | + - **example**: `tor-browser-128.4.0esr-14.5-1-build1`
|
|
34 | 44 | |
35 | 45 | ### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git
|
36 | 46 | Tor Browser Alpha (and Nightly) are on the `main` branch
|
37 | 47 | |
38 | -- [ ] Update `rbm.conf`
|
|
39 | - - [ ] `var/torbrowser_version` : update to next version
|
|
40 | - - [ ] `var/torbrowser_build` : update to `$(TOR_BROWSER_BUILD_N)`
|
|
41 | - - [ ] `var/browser_release_date` : update to build date. For the build to be reproducible, the date should be in the past when building.
|
|
42 | - - [ ] ***(Desktop Only)*** `var/torbrowser_incremental_from` : update to previous Desktop version
|
|
43 | - - **NOTE**: We try to build incrementals for the previous 3 desktop versions except in the case of a watershed update
|
|
44 | - - **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make torbrowser-incrementals-*` step will fail
|
|
45 | -- [ ] Update Desktop-specific build configs
|
|
46 | - - [ ] Update `projects/firefox/config`
|
|
47 | - - [ ] `browser_build` : update to match `tor-browser` tag
|
|
48 | - - [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased
|
|
49 | -- [ ] Update Android-specific build configs
|
|
50 | - - [ ] Update `projects/geckoview/config`
|
|
51 | - - [ ] `browser_build` : update to match `tor-browser` tag
|
|
52 | - - [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased
|
|
53 | - - [ ] ***(Optional)*** Update `projects/application-services/config`:
|
|
54 | - **NOTE** we don't currently have any of our own patches for this project
|
|
55 | - - [ ] `git_hash` : update to appropriate git commit associated with `$(ESR_VERSION)`
|
|
56 | -- [ ] Update `projects/translation/config`:
|
|
57 | - - [ ] run `make list_translation_updates-alpha` to get updated hashes
|
|
58 | - - [ ] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch
|
|
59 | - - [ ] `steps/tor-browser/git_hash` : update with `HEAD` commit of project's `tor-browser` branch
|
|
60 | - - [ ] `steps/fenix/git_hash` : update with `HEAD` commit of project's `fenix-torbrowserstringsxml` branch
|
|
61 | -- [ ] Update common build configs
|
|
62 | - - [ ] Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript
|
|
63 | - - [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/browser/config`
|
|
64 | - - [ ] `URL`
|
|
65 | - - [ ] `sha256sum`
|
|
66 | - - [ ] Check for OpenSSL updates here : https://www.openssl.org/source/
|
|
67 | - - [ ] ***(Optional)*** If new 3.0.X version available, update `projects/openssl/config`
|
|
68 | - - [ ] `version` : update to next 3.0.X version
|
|
69 | - - [ ] `input_files/sha256sum` : update to sha256 sum of source tarball
|
|
70 | - - [ ] Check for zlib updates here: https://github.com/madler/zlib/releases
|
|
71 | - - [ ] **(Optional)** If new tag available, update `projects/zlib/config`
|
|
72 | - - [ ] `version` : update to next release tag
|
|
73 | - - [ ] Check for Zstandard updates here: https://github.com/facebook/zstd/releases
|
|
74 | - - [ ] **(Optional)** If new tag available, update `projects/zstd/config`
|
|
75 | - - [ ] `version` : update to next release tag
|
|
76 | - - [ ] `git_hash`: update to the commit corresponding to the tag (we don't check signatures for Zstandard)
|
|
77 | - - [ ] Check for tor updates here : https://gitlab.torproject.org/tpo/core/tor/-/tags
|
|
78 | - - [ ] ***(Optional)*** Update `projects/tor/config`
|
|
79 | - - [ ] `version` : update to latest `-alpha` tag or release tag if newer (ping dgoulet or ahf if unsure)
|
|
80 | - - [ ] Check for go updates here : https://go.dev/dl
|
|
81 | - - **NOTE** : In general, Tor Browser Alpha uses the latest Stable major series Go version, but there are sometimes exceptions. Check with the anti-censorship team before doing a major version update in case there is incompatibilities.
|
|
82 | - - [ ] ***(Optional)*** Update `projects/go/config`
|
|
83 | - - [ ] `version` : update go version
|
|
84 | - - [ ] `input_files/sha256sum` for `go` : update sha256sum of archive (sha256 sums are displayed on the go download page)
|
|
85 | - - [ ] Check for manual updates by running (from `tor-browser-build` root): `./tools/update_manual.py`
|
|
86 | - - [ ] ***(Optional)*** If new version is available:
|
|
87 | - - [ ] Upload the downloaded `manual_$PIPELINEID.zip` file to `tb-build-02.torproject.org`
|
|
88 | - - The script will tell if it's necessary to
|
|
89 | - - [ ] Deploy to `tb-builder`'s `public_html` directory:
|
|
90 | - - `sudo -u tb-builder cp manual_$PIPELINEID.zip ~tb-builder/public_html/.`
|
|
91 | - - [ ] Add `projects/manual/config` to the stage area if the script updated it.
|
|
92 | -- [ ] Update `ChangeLog-TBB.txt`
|
|
93 | - - [ ] Ensure `ChangeLog-TBB.txt` is sync'd between alpha and stable branches
|
|
94 | - - [ ] Check the linked issues: ask people to check if any are missing, remove the not fixed ones
|
|
95 | - - [ ] Run `./tools/fetch_changelogs.py $(ISSUE_NUMBER) --date $date $updateArgs`
|
|
96 | - - Make sure you have `requests` installed (e.g., `apt install python3-requests`)
|
|
97 | - - The first time you run this script you will need to generate an access token; the script will guide you
|
|
98 | - - `$updateArgs` should be these arguments, depending on what you actually updated:
|
|
99 | - - [ ] `--firefox` (be sure to include esr at the end if needed, which is usually the case)
|
|
100 | - - [ ] `--tor`
|
|
101 | - - [ ] `--no-script`
|
|
102 | - - [ ] `--openssl`
|
|
103 | - - [ ] `--zlib`
|
|
104 | - - [ ] `--zstd`
|
|
105 | - - [ ] `--go`
|
|
106 | - - E.g., `./tools/fetch_changelogs.py 41028 --date 'December 19 2023' --firefox 115.6.0esr --tor 0.4.8.10 --no-script 11.4.29 --zlib 1.3 --go 1.21.5 --openssl 3.0.12`
|
|
107 | - - `--date $date` is optional, if omitted it will be the date on which you run the command
|
|
108 | - - [ ] Copy the output of the script to the beginning of `ChangeLog-TBB.txt` and adjust its output
|
|
48 | +- [ ] Changelog bookkeeping:
|
|
49 | + - [ ] Ensure all commits to `tor-browser` and `tor-browser-build` for this release have an associated issue linked to this release preparation issue
|
|
50 | + - [ ] Ensure each issue has a platform (~Windows, ~MacOS, ~Linux, ~Android, ~Desktop, ~"All Platforms") and potentially ~"Build System" labels
|
|
51 | +- [ ] Create a release preparation branch from the `main` branch
|
|
52 | +- [ ] Run release preparation script:
|
|
53 | + - **NOTE**: You can omit the `--tor-browser` argument if this is for a jointt Tor and Mullvad Browser release
|
|
54 | + - **⚠️ WARNING**: You may need to manually update the `firefox/config` and `geckoview/config` files' `browser_build` field if `tor-browser.git` has not yet been tagged (e.g. if security backports have not yet been merged and tagged)
|
|
55 | + ```bash
|
|
56 | + ./tools/relprep.py --tor-browser --date ${RELEASE_DATE} ${TOR_BROWSER_VERSION}
|
|
57 | + ```
|
|
58 | +- [ ] Review build configuration changes:
|
|
59 | + - [ ] `rbm.conf`
|
|
60 | + - [ ] `var/torbrowser_version`: updated to next browser version
|
|
61 | + - [ ] `var/torbrowser_build`: updated to `${TOR_BROWSER_BUILD_N}`
|
|
62 | + - [ ] `var/browser_release_date`: updated to build date. For the build to be reproducible, the date should be in the past when building.
|
|
63 | + - **⚠️ WARNING**: If we have updated `var/torbrowser_build` without updating the `firefox` or `geckoview` tags, then we can leave this unchanged to avoid forcing a firefox re-build (e.g. when bumping `var/torbrwoser_build` to build2, build3, etc due to non-firefox related build issues)
|
|
64 | + - [ ] ***(Desktop Only)*** `var/torbrowser_incremental_from`: updated to previous Desktop version
|
|
65 | + - **NOTE**: We try to build incrementals for the previous 3 desktop versions
|
|
66 | + - **⚠️ WARNING**: Really *actually* make sure this is the previous Desktop version or else the `make torbrowser-incrementals-*` step will fail
|
|
67 | + - [ ] `projects/firefox/config`
|
|
68 | + - [ ] `browser_build`: updated to match `tor-browser` tag
|
|
69 | + - [ ] ***(Optional)*** `var/firefox_platform_version`: updated to latest `${ESR_VERSION}` if rebased
|
|
70 | + - [ ] `projects/geckoview/config`
|
|
71 | + - [ ] `browser_build`: updated to match `tor-browser` tag
|
|
72 | + - [ ] ***(Optional)*** `var/firefox_platform_version`: updated to latest `${ESR_VERSION}` if rebased
|
|
73 | + - [ ] ***(Optional)*** `projects/translation/config`:
|
|
74 | + - [ ] `steps/base-browser/git_hash`: updated with `HEAD` commit of project's `base-browser` branch
|
|
75 | + - [ ] `steps/tor-browser/git_hash`: updated with `HEAD` commit of project's `tor-browser` branch
|
|
76 | + - [ ] `steps/fenix/git_hash`: updated with `HEAD` commit of project's `fenix-torbrowserstringsxml` branch
|
|
77 | + - [ ] ***(Optional)*** `projects/browser/config`:
|
|
78 | + - [ ] NoScript: https://addons.mozilla.org/en-US/firefox/addon/noscript
|
|
79 | + - [ ] `URL` updated
|
|
80 | + - **⚠️ WARNING**: If preparing the release manually, updating the version number in the url is not sufficient, as each version has a random unique id in the download url
|
|
81 | + - [ ] `sha256sum` updated
|
|
82 | + - [ ] ***(Optional)*** `projects/openssl/config`: https://www.openssl.org/source/
|
|
83 | + - **NOTE**: Only if new LTS version (3.0.X currrently) available
|
|
84 | + - [ ] `version`: updated to next LTS version
|
|
85 | + - [ ] `input_files/sha256sum`: updated to sha256 sum of source tarball
|
|
86 | + - [ ] **(Optional)** `projects/zlib/config`: https://github.com/madler/zlib/releases
|
|
87 | + - **NOTE**: Only if new tag available
|
|
88 | + - [ ] `version`: updated to next release tag
|
|
89 | + - [ ] **(Optional)** `projects/zstd/config`: https://github.com/facebook/zstd/releases
|
|
90 | + - **NOTE**: Only if new tag available; Android-only for now
|
|
91 | + - [ ] `version`: updated to next release tag
|
|
92 | + - [ ] `git_hash`: updated to the commit corresponding to the tag (we don't check signatures for Zstandard)
|
|
93 | + - [ ] **(Optional)** `projects/tor/config` https://gitlab.torproject.org/tpo/core/tor/-/tags
|
|
94 | + - [ ] `version`: updated to latest `-alpha` tag or release tag if newer (ping **dgoulet** or **ahf** if unsure)
|
|
95 | + - [ ] **(Optional)** `projects/go/config` https://go.dev/dl
|
|
96 | + - **NOTE**: In general, Tor Browser Alpha uses the latest Stable major series Go version, but there are sometimes exceptions. Check with the anti-censorship team before doing a major version update in case there is incompatibilities.
|
|
97 | + - [ ] `version`: updated go version
|
|
98 | + - [ ] `input_files/sha256sum` for `go`: update sha256sum of archive (sha256 sums are displayed on the go download page)
|
|
99 | + - [ ] **(Optional)** `projects/manual/config`
|
|
100 | + - [ ] `version`: updated to latest pipeline id
|
|
101 | + - [ ] `input_files/shasum` for `manual`: updated to manual hash
|
|
102 | + - [ ] Upload the downloaded `manual_${PIPELINEID}.zip` file to `tb-build-02.torproject.org`
|
|
103 | + - [ ] Deploy to `tb-builder`'s `public_html` directory:
|
|
104 | + - [ ] Run:
|
|
105 | + ```bash
|
|
106 | + sudo -u tb-builder cp manual_${PIPELINEID}.zip ~tb-builder/public_html/.
|
|
107 | + ```
|
|
108 | + - `sudo` documentation for TPO machines: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/doc/accounts#changingresetting-your-passwords
|
|
109 | + - [ ] `ChangeLog-TBB.txt`: ensure correctness
|
|
110 | + - [ ] Browser name correct
|
|
111 | + - [ ] Release date correct
|
|
112 | + - [ ] No Android updates on a desktop-only release and vice-versa
|
|
113 | + - [ ] All issues added under correct platform
|
|
114 | + - [ ] ESR updates correct
|
|
115 | + - [ ] Component updates correct
|
|
109 | 116 | - [ ] Open MR with above changes, using the template for release preparations
|
117 | + - **NOTE**: target the `main` branch
|
|
110 | 118 | - [ ] Merge
|
111 | 119 | - [ ] Sign+Tag
|
112 | 120 | - **NOTE** this must be done by one of:
|
... | ... | @@ -115,55 +123,53 @@ Tor Browser Alpha (and Nightly) are on the `main` branch |
115 | 123 | - ma1
|
116 | 124 | - morgan
|
117 | 125 | - pierov
|
118 | - - [ ] Run: `make torbrowser-signtag-alpha`
|
|
126 | + - [ ] Run:
|
|
127 | + ```bash
|
|
128 | + make torbrowser-signtag-alpha
|
|
129 | + ```
|
|
119 | 130 | - [ ] Push tag to `upstream`
|
120 | 131 | - [ ] Build the tag:
|
121 | - - Run `make torbrowser-alpha && make torbrowser-incrementals-alpha`
|
|
132 | + - [ ] Run:
|
|
133 | + ```bash
|
|
134 | + make torbrowser-alpha && make torbrowser-incrementals-alpha
|
|
135 | + ```
|
|
122 | 136 | - [ ] Tor Project build machine
|
123 | 137 | - [ ] Local developer machine
|
124 | 138 | - [ ] Submit build request to Mullvad infrastructure:
|
125 | 139 | - **NOTE** this requires a devmole authentication token
|
126 | - - Run `make torbrowser-kick-devmole-build`
|
|
127 | -- [ ] Ensure builders have matching builds
|
|
140 | + - **NOTE** this also requires you be connected to a Swedish Mulvad VPN exit
|
|
141 | + - [ ] Run:
|
|
142 | + ```bash
|
|
143 | + make torbrowser-kick-devmole-build
|
|
144 | + ```
|
|
128 | 145 | |
129 | 146 | </details>
|
130 | 147 | |
131 | 148 | <details>
|
132 | - <summary>Communications</summary>
|
|
133 | - |
|
134 | -### notify stakeholders
|
|
135 | -- [ ] **(Once builds confirmed matching)** Email tor-qa mailing list with release information
|
|
136 | - - [ ] tor-qa: tor-qa@xxxxxxxxxxxxxxxxxxxx
|
|
137 | - - **Subject**
|
|
138 | - ```
|
|
139 | - Tor Browser $(TOR_BROWSER_VERION) (Android, Windows, macOS, Linux)
|
|
140 | - ```
|
|
141 | - - **Body**
|
|
142 | - ```
|
|
143 | - Hello,
|
|
144 | - |
|
145 | - Unsigned Tor Browser $(TOR_BROWSER_VERSION) alpha candidate builds are now available for testing:
|
|
146 | - |
|
147 | - - https://tb-build-02.torproject.org/~$(BUILDER)/builds/torbrowser/alpha/unsigned/$(TOR_BROWSER_VERSION)/
|
|
148 | - |
|
149 | - The full changelog can be found here:
|
|
150 | - |
|
151 | - - https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/raw/$(TBB_BUILD_TAG)/projects/browser/Bundle-Data/Docs-TBB/ChangeLog.txt
|
|
152 | - ```
|
|
153 | -- [ ] ***(Optional, only around build/packaging changes)*** Email packagers:
|
|
154 | - - [ ] Tails dev mailing list: tails-dev@xxxxxxxx
|
|
155 | - - [ ] Guardian Project: nathan@xxxxxxxxxxxxxxxxxxxx
|
|
156 | - - [ ] FreeBSD port: freebsd@xxxxxxxxx <!-- Gitlab user maxfx -->
|
|
157 | - - [ ] OpenBSD port: caspar@xxxxxxxxxxxxxx <!-- Gitlab user cschutijser -->
|
|
158 | - - [ ] Anti-Censorship: meskio@xxxxxxxxxxxxxx
|
|
159 | - - [ ] Note any changes which may affect packaging/downstream integration
|
|
160 | -- [ ] ***(Optional, only after internal API-breaking changes)*** Email downstream project maintainers:
|
|
161 | - - [ ] selenium-tor: matzfan@tempr.email <!-- Forum user Noino -->
|
|
162 | -- [ ] ***(Optional, after ESR migration)*** Email external partners:
|
|
163 | - - [ ] Cloudflare: ask-research@xxxxxxxxxxxxxx
|
|
164 | - - **NOTE** : We need to provide them with updated user agent string so they can update their internal machinery to prevent Tor Browser users from getting so many CAPTCHAs
|
|
165 | - - [ ] Startpage: admin@xxxxxxxxxxxxx
|
|
166 | - - **NOTE** : Startpage also needs the updated user-agent string for better experience on their onion service sites.
|
|
149 | + <summary>Website</summary>
|
|
150 | + |
|
151 | + ### downloads: https://gitlab.torproject.org/tpo/web/tpo.git
|
|
152 | + - [ ] `databags/versions.ini`: Update the downloads versions
|
|
153 | + - `torbrowser-stable/version`: catch-all for latest stable version
|
|
154 | + - `torbrowser-alpha/version`: catch-all for latest alpha version
|
|
155 | + - `torbrowser-legacy/version`: catch-all for latest ESR-115 version
|
|
156 | + - `torbrowser-*-stable/version`: platform-specific stable versions
|
|
157 | + - `torbrowser-*-alpha/version`: platform-specific alpha versions
|
|
158 | + - `torbrowser-*-legacy/version`: platform-specific legacy versions
|
|
159 | + - [ ] Push to origin as new branch and create MR
|
|
160 | + - [ ] Review
|
|
161 | + - [ ] Merge
|
|
162 | + - **⚠️ WARNING**: Do not deploy yet!
|
|
163 | + |
|
164 | + ### blog: https://gitlab.torproject.org/tpo/web/blog.git
|
|
165 | + - [ ] Run `tools/signing/create-blog-post` which should create the new blog post from a template (edit set-config.blog to set you local blog directory)
|
|
166 | + - [ ] Note any ESR update
|
|
167 | + - [ ] Thank any users which have contributed patches
|
|
168 | + - [ ] **(Optional)** Draft any additional sections for new features which need testing, known issues, etc
|
|
169 | + - [ ] Push to origin as new branch and open MR
|
|
170 | + - [ ] Review
|
|
171 | + - [ ] Merge
|
|
172 | + - **⚠️ WARNING**: Do not deploy yet!
|
|
167 | 173 | |
168 | 174 | </details>
|
169 | 175 | |
... | ... | @@ -171,38 +177,34 @@ Tor Browser Alpha (and Nightly) are on the `main` branch |
171 | 177 | <summary>Signing</summary>
|
172 | 178 | |
173 | 179 | ### release signing
|
174 | -- **NOTE** : In practice, it's most efficient to have the blog post and website updates ready to merge, since signing doesn't take very long
|
|
175 | 180 | - [ ] Assign this issue to the signer, one of:
|
176 | 181 | - boklm
|
182 | + - ma1
|
|
177 | 183 | - morgan
|
178 | -- [ ] On `$(STAGING_SERVER)`, ensure updated:
|
|
179 | - - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-$(TOR_BROWSER_VERSION)-$(TOR_BROWSER_BUILD_N) && git checkout tbb-$(TOR_BROWSER_VERSION)-$(TOR_BROWSER_BUILD_N)`
|
|
184 | + - pierov
|
|
185 | +- [ ] Ensure all builders have matching builds
|
|
186 | +- [ ] On `${STAGING_SERVER}`, ensure updated:
|
|
187 | + - **NOTE** Having a local git branch with `main` as the upstream branch with these values saved means you only need to periodically `git pull --rebase` and update the `set-config.tbb-version` file
|
|
188 | + - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-${TOR_BROWSER_VERSION}-${TOR_BROWSER_BUILD_N} && git checkout tbb-${TOR_BROWSER_VERSION}-${TOR_BROWSER_BUILD_N}`
|
|
180 | 189 | - [ ] `tor-browser-build/tools/signing/set-config.hosts`
|
181 | - - `ssh_host_builder` : ssh hostname of machine with unsigned builds
|
|
182 | - - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory)
|
|
183 | - - `ssh_host_linux_signer` : ssh hostname of linux signing machine
|
|
190 | + - `ssh_host_builder`: ssh hostname of machine with unsigned builds
|
|
191 | + - `ssh_host_linux_signer`: ssh hostname of linux signing machine
|
|
192 | + - `builder_tor_browser_build_dir`: path on `ssh_host_builder` to root of builder's `tor-browser-build` clone containing unsigned builds
|
|
184 | 193 | - [ ] `tor-browser-build/tools/signing/set-config.rcodesign-appstoreconnect`
|
185 | - - `appstoreconnect_api_key_path` : path to json file containing appstoreconnect api key infos
|
|
194 | + - `appstoreconnect_api_key_path`: path to json file containing appstoreconnect api key infos
|
|
186 | 195 | - [ ] `set-config.update-responses`
|
187 | - - `update_responses_repository_dir` : directory where you cloned `git@xxxxxxxxxxxxxxxxxxxxx:tpo/applications/tor-browser-update-responses.git`
|
|
196 | + - `update_responses_repository_dir`: directory where you cloned `git@xxxxxxxxxxxxxxxxxxxxx:tpo/applications/tor-browser-update-responses.git`
|
|
188 | 197 | - [ ] `tor-browser-build/tools/signing/set-config.tbb-version`
|
189 | - - `tbb_version` : tor browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`)
|
|
190 | - - `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`)
|
|
191 | - - `tbb_version_type` : either `alpha` for alpha releases or `release` for stable releases
|
|
192 | -- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
|
|
193 | -- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, run do-all-signing script:
|
|
194 | - - `cd tor-browser-build/tools/signing/`
|
|
195 | - - `./do-all-signing.torbrowser`
|
|
196 | -- **NOTE**: at this point the signed binaries should have been copied to `staticiforme`
|
|
197 | -- [ ] Update `staticiforme.torproject.org`:
|
|
198 | - - From `screen` session on `staticiforme.torproject.org`:
|
|
199 | - - [ ] Static update components : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org`
|
|
200 | - - [ ] Enable update responses : `sudo -u tb-release ./deploy_update_responses-alpha.sh`
|
|
201 | - - [ ] Remove old release data from following places:
|
|
202 | - - **NOTE** : Skip this step if we need to hold on to older versions for some reason (for example, this is an Andoid or Desktop-only release, or if we need to hold back installers in favor of build-to-build updates if there are signing issues, etc)
|
|
203 | - - [ ] `/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser`
|
|
204 | - - [ ] `/srv/dist-master.torproject.org/htdocs/torbrowser`
|
|
205 | - - [ ] Static update components (again) : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org`
|
|
198 | + - `tbb_version`: tor browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`)
|
|
199 | + - `tbb_version_build`: the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`)
|
|
200 | + - `tbb_version_type`: either `alpha` for alpha releases or `release` for stable releases
|
|
201 | +- [ ] On `${STAGING_SERVER}` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
|
|
202 | +- [ ] On `${STAGING_SERVER}` in a separate `screen` session, run do-all-signing script:
|
|
203 | + - [ ] Run:
|
|
204 | + ```bash
|
|
205 | + cd tor-browser-build/tools/signing/ && ./do-all-signing.torbrowser
|
|
206 | + ```
|
|
207 | + - **NOTE**: on successful execution, the signed binaries and mars should have been copied to `staticiforme` and update responses pushed
|
|
206 | 208 | |
207 | 209 | </details>
|
208 | 210 | |
... | ... | @@ -242,6 +244,28 @@ popd |
242 | 244 | <details>
|
243 | 245 | <summary>Publishing</summary>
|
244 | 246 | |
247 | +### website
|
|
248 | +- [ ] On `staticiforme.torproject.org`, static update components:
|
|
249 | + - [ ] Run:
|
|
250 | + ```bash
|
|
251 | + static-update-component cdn.torproject.org && static-update-component dist.torproject.org
|
|
252 | + ```
|
|
253 | +- [ ] Deploy `tor-website` MR
|
|
254 | +- [ ] Deploy `tor-blog` MR
|
|
255 | +- [ ] On `staticiforme.torproject.org`, enable update responses:
|
|
256 | + - [ ] Run:
|
|
257 | + ```bash
|
|
258 | + sudo -u tb-release ./deploy_update_responses-alpha.sh
|
|
259 | + ```
|
|
260 | +- [ ] On `staticiforme.torproject.org`, remove old release:
|
|
261 | + - **NOTE**: Skip this step if we need to hold on to older versions for some reason (for example, this is an Andoid or Desktop-only release, or if we need to hold back installers in favor of build-to-build updates if there are signing issues, etc)
|
|
262 | + - [ ] `/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser`
|
|
263 | + - [ ] `/srv/dist-master.torproject.org/htdocs/torbrowser`
|
|
264 | + - [ ] Run:
|
|
265 | + ```bash
|
|
266 | + static-update-component cdn.torproject.org && static-update-component dist.torproject.org
|
|
267 | + ```
|
|
268 | + |
|
245 | 269 | ### Google Play: https://play.google.com/apps/publish
|
246 | 270 | - [ ] Publish APKs to Google Play:
|
247 | 271 | - Select `Tor Browser (Alpha)` app
|
... | ... | @@ -256,46 +280,70 @@ popd |
256 | 280 | - [ ] 100% rollout when publishing a security-driven release
|
257 | 281 | - [ ] Update rollout percentage to 100% after confirmed no major issues
|
258 | 282 | |
259 | -### website: https://gitlab.torproject.org/tpo/web/tpo.git
|
|
260 | -- [ ] `databags/versions.ini` : Update the downloads versions
|
|
261 | - - `torbrowser-stable/version` : sort of a catch-all for latest stable version
|
|
262 | - - `torbrowser-alpha/version` : sort of a catch-all for latest stable version
|
|
263 | - - `torbrowser-*-stable/version` : platform-specific stable versions
|
|
264 | - - `torbrowser-*-alpha/version` : platform-specific alpha versions
|
|
265 | - - `tor-stable`,`tor-alpha` : set by tor devs, do not touch
|
|
266 | -- [ ] Push to origin as new branch, open 'Draft :' MR
|
|
267 | -- [ ] Remove `Draft:` from MR once signed-packages are accessible on https://dist.torproject.org
|
|
268 | -- [ ] Merge
|
|
269 | -- [ ] Publish after CI passes and builds are published
|
|
270 | - |
|
271 | -### blog: https://gitlab.torproject.org/tpo/web/blog.git
|
|
272 | -- [ ] Run `tools/signing/create-blog-post` which should create the new blog post from a template (edit set-config.blog to set you local blog directory)
|
|
273 | - - [ ] Note any ESR update
|
|
274 | - - [ ] Note any updates to dependencies (OpenSSL, zlib, NoScript, tor, etc)
|
|
275 | - - [ ] Thank any users which have contributed patches
|
|
276 | - - [ ] **(Optional)** Draft any additional sections for new features which need testing, known issues, etc
|
|
277 | -- [ ] Push to origin as new branch, open `Draft:` MR
|
|
278 | -- [ ] Merge once signed-packages are accessible on https://dist.torproject.org
|
|
279 | -- [ ] Publish after CI passes and website has been updated
|
|
283 | +</details>
|
|
284 | + |
|
285 | +<details>
|
|
286 | + <summary>Communications</summary>
|
|
280 | 287 | |
281 | 288 | ### tor-announce mailing list
|
282 | -- [ ] Email tor-announce mailing list: tor-announce@xxxxxxxxxxxxxxxxxxxx
|
|
289 | +- [ ] Email tor-announce mailing list
|
|
290 | + - **Recipients**
|
|
291 | + ```
|
|
292 | + tor-announce@xxxxxxxxxxxxxxxxxxxx
|
|
293 | + ```
|
|
283 | 294 | - **Subject**
|
284 | 295 | ```
|
285 | - New Release: Tor Browser $(TOR_BROWSER_VERSION) (Android, Windows, macOS, Linux)
|
|
296 | + New Release: Tor Browser ${TOR_BROWSER_VERSION} (Android, Windows, macOS, Linux)
|
|
286 | 297 | ```
|
287 | 298 | - **Body**
|
288 | 299 | ```
|
289 | 300 | Hi everyone,
|
290 | 301 | |
291 | - Tor Browser $(TOR_BROWSER_VERSION) has now been published for all platforms. For details please see our blog post:
|
|
292 | - - $(BLOG_POST_URL)
|
|
302 | + Tor Browser ${TOR_BROWSER_VERSION} has now been published for all platforms. For details please see our blog post:
|
|
303 | + - ${BLOG_POST_URL}
|
|
293 | 304 | |
294 | 305 | Changelog:
|
295 | - # paste changleog as quote here
|
|
306 | + # paste changelog as quote here
|
|
296 | 307 | ```
|
297 | 308 | |
309 | +### packagers
|
|
310 | +- [ ] ***(Optional, only around build/packaging changes)*** Email packagers:
|
|
311 | + - **Recipients**
|
|
312 | + - Tails dev mailing list: tails-dev@xxxxxxxx
|
|
313 | + - Guardian Project: nathan@xxxxxxxxxxxxxxxxxxxx
|
|
314 | + - FreeBSD port: freebsd@xxxxxxxxx <!-- Gitlab user maxfx -->
|
|
315 | + - OpenBSD port: caspar@xxxxxxxxxxxxxx <!-- Gitlab user cschutijser -->
|
|
316 | + - torbrowser-launcher: mail@xxxxxxxxxxxxx <!-- Gitlab user asciiwolf -->
|
|
317 | + - Anti-Censorship: meskio@xxxxxxxxxxxxxx <!-- Gitlab user meskio -->
|
|
318 | + ```
|
|
319 | + tails-dev@xxxxxxxx nathan@xxxxxxxxxxxxxxxxxxxx freebsd@xxxxxxxxx caspar@xxxxxxxxxxxxxx mail@xxxxxxxxxxxxx meskio@xxxxxxxxxxxxxx
|
|
320 | + ```
|
|
321 | + - **Subject**
|
|
322 | + ```
|
|
323 | + New Release: Tor Browser ${TOR_BROWSER_VERSION} (Android, Windows, macOS, Linux)
|
|
324 | + ```
|
|
325 | + - [ ] Note any changes which may affect packaging/downstream integration
|
|
326 | + |
|
327 | +### downstream projects
|
|
328 | +- [ ] ***(Optional, only after internal API-breaking changes)*** Email downstream project maintainers:
|
|
329 | + - **Recipients**
|
|
330 | + - selenium-tor: matzfan@tempr.email <!-- Forum user Noino -->
|
|
331 | + ```
|
|
332 | + matzfan@tempr.email
|
|
333 | + ```
|
|
334 | + - **Subject**
|
|
335 | + ```
|
|
336 | + Breaking Changes in Tor Browser ${TOR_BROWSER_VERSION}
|
|
337 | + ```
|
|
338 | + - [ ] Note any internal API changes which may affect browser automation
|
|
339 | + |
|
340 | +### upstream services
|
|
341 | +- [ ] ***(Optional, after ESR migration)*** Email external partners:
|
|
342 | + - [ ] Cloudflare: ask-research@xxxxxxxxxxxxxx
|
|
343 | + - **NOTE**: We need to provide them with updated user agent string so they can update their internal machinery to prevent Tor Browser users from getting so many CAPTCHAs
|
|
344 | + - [ ] Startpage: admin@xxxxxxxxxxxxx
|
|
345 | + - **NOTE**: Startpage also needs the updated user-agent string for better experience on their onion service sites.
|
|
346 | + |
|
298 | 347 | </details>
|
299 | 348 | |
300 | 349 | /label ~"Release Prep" |
301 | - |
1 | +# Release Prep Tor Browser Legacy
|
|
2 | + |
|
3 | +- **NOTE** It is assumed the `tor-browser` release rebase and security backport tasks have been completed
|
|
4 | + |
|
5 | +<details>
|
|
6 | + <summary>Explanation of variables</summary>
|
|
7 | + |
|
8 | +- `${BUILD_SERVER}`: the server the main builder is using to build a browser release
|
|
9 | +- `${BUILDER}`: whomever is building the release on the ${BUILD_SERVER}
|
|
10 | + - **example**: `pierov`
|
|
11 | +- `${STAGING_SERVER}`: the server the signer is using to to run the signing process
|
|
12 | +- `${ESR_VERSION}`: the Mozilla defined ESR version, used in various places for building browser tags, labels, etc
|
|
13 | + - **example**: `91.6.0`
|
|
14 | +- `${TOR_BROWSER_MAJOR}`: the Tor Browser major version
|
|
15 | + - **example**: `11`
|
|
16 | +- `${TOR_BROWSER_MINOR}`: the Tor Browser minor version
|
|
17 | + - **example**: either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
|
|
18 | +- `${TOR_BROWSER_VERSION}`: the Tor Browser version in the format
|
|
19 | + - **example**: `12.5a3`, `12.0.3`
|
|
20 | +- `${BUILD_N}`: a project's build revision within a its branch; this is separate from the `${TOR_BROWSER_BUILD_N}` value; many of the Firefox-related projects have a `${BUILD_N}` suffix and may differ between projects even when they contribute to the same build.
|
|
21 | + - **example**: `build1`
|
|
22 | +- `${TOR_BROWSER_BUILD_N}`: the tor-browser build revision for a given Tor Browser release; used in tagging git commits
|
|
23 | + - **example**: `build2`
|
|
24 | + - **⚠️ WARNING**: A project's `${BUILD_N}` and `${TOR_BROWSER_BUILD_N}` may be the same, but it is possible for them to diverge. For example :
|
|
25 | + - if we have multiple Tor Browser releases on a given ESR branch the two will become out of sync as the `${BUILD_N}` value will increase, while the `${TOR_BROWSER_BUILD_N}` value may stay at `build1` (but the `${TOR_BROWSER_VERSION}` will increase)
|
|
26 | + - if we have build failures unrelated to `tor-browser`, the `${TOR_BROWSER_BUILD_N}` value will increase while the `${BUILD_N}` will stay the same.
|
|
27 | +- `${TOR_BROWSER_VERSION}`: the published Tor Browser version
|
|
28 | + - **example**: `11.5a6`, `11.0.7`
|
|
29 | +- `${TBB_BUILD_TAG}`: the `tor-browser-build` build tag used to build a given Tor Browser version
|
|
30 | + - **example**: `tbb-12.5a7-build1`
|
|
31 | +- `${RELEASE_DATE}`: the intended release date of this browser release; for ESR schedule-driven releases, this should match the upstream Firefox release date
|
|
32 | + - **example**: `2024-10-29`
|
|
33 | + |
|
34 | +</details>
|
|
35 | + |
|
36 | +<details>
|
|
37 | + <summary>Build Configuration</summary>
|
|
38 | + |
|
39 | +### tor-browser: https://gitlab.torproject.org/tpo/applications/tor-browser.git
|
|
40 | + |
|
41 | +- [ ] Tag `tor-browser` in tor-browser.git
|
|
42 | + - **example**: `tor-browser-115.17.0esr-13.5-1-build1`
|
|
43 | + |
|
44 | +### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git
|
|
45 | +Tor Browser Legacy is on the `maint-13.5` branch
|
|
46 | + |
|
47 | +- [ ] Changelog bookkeeping:
|
|
48 | + - [ ] Ensure all commits to `tor-browser` and `tor-browser-build` for this release have an associated issue linked to this release preparation issue
|
|
49 | + - [ ] Ensure each issue has a platform (~Windows, ~MacOS, ~Desktop, ~"All Platforms") and potentially ~"Build System" labels
|
|
50 | +- [ ] Create a release preparation branch from the `maint-13.5` branch
|
|
51 | +- [ ] Run release preparation script:
|
|
52 | + - **⚠️ WARNING**: You may need to manually update the `firefox/config` file's `browser_build` field if `tor-browser.git` has not yet been tagged (e.g. if security backports have not yet been merged and tagged)
|
|
53 | + ```bash
|
|
54 | + ./tools/relprep.py --tor-browser --date ${RELEASE_DATE} ${TOR_BROWSER_VERSION}
|
|
55 | + ```
|
|
56 | +- [ ] Review build configuration changes:
|
|
57 | + - [ ] `rbm.conf`
|
|
58 | + - [ ] `var/torbrowser_version`: updated to next browser version
|
|
59 | + - [ ] `var/torbrowser_build`: updated to `${TOR_BROWSER_BUILD_N}`
|
|
60 | + - [ ] `var/browser_release_date`: updated to build date. For the build to be reproducible, the date should be in the past when building.
|
|
61 | + - **⚠️ WARNING**: If we have updated `var/torbrowser_build` without updating the `firefox`, then we can leave this unchanged to avoid forcing a firefox re-build (e.g. when bumping `var/torbrwoser_build` to build2, build3, etc due to non-firefox related build issues)
|
|
62 | + - [ ] ***(Desktop Only)*** `var/torbrowser_incremental_from`: updated to previous Desktop version
|
|
63 | + - **NOTE**: We try to build incrementals for the previous 3 desktop versions
|
|
64 | + - **⚠️ WARNING**: Really *actually* make sure this is the previous Desktop version or else the `make torbrowser-incrementals-*` step will fail
|
|
65 | + - [ ] `projects/firefox/config`
|
|
66 | + - [ ] `browser_build`: updated to match `tor-browser` tag
|
|
67 | + - [ ] ***(Optional)*** `var/firefox_platform_version`: updated to latest `${ESR_VERSION}` if rebased
|
|
68 | + - [ ] ***(Optional)*** `projects/translation/config`:
|
|
69 | + - [ ] `steps/base-browser/git_hash`: updated with `HEAD` commit of project's `base-browser` branch
|
|
70 | + - [ ] `steps/tor-browser/git_hash`: updated with `HEAD` commit of project's `tor-browser` branch
|
|
71 | + - [ ] ***(Optional)*** `projects/browser/config`:
|
|
72 | + - [ ] NoScript: https://addons.mozilla.org/en-US/firefox/addon/noscript
|
|
73 | + - [ ] `URL` updated
|
|
74 | + - **⚠️ WARNING**: If preparing the release manually, updating the version number in the url is not sufficient, as each version has a random unique id in the download url
|
|
75 | + - [ ] `sha256sum` updated
|
|
76 | + - [ ] ***(Optional)*** `projects/openssl/config`: https://www.openssl.org/source/
|
|
77 | + - **NOTE**: Only if new LTS version (3.0.X currrently) available
|
|
78 | + - [ ] `version`: updated to next LTS version
|
|
79 | + - [ ] `input_files/sha256sum`: updated to sha256 sum of source tarball
|
|
80 | + - [ ] **(Optional)** `projects/zlib/config`: https://github.com/madler/zlib/releases
|
|
81 | + - **NOTE**: Only if new tag available
|
|
82 | + - [ ] `version`: updated to next release tag
|
|
83 | + - [ ] **(Optional)** `projects/zstd/config`: https://github.com/facebook/zstd/releases
|
|
84 | + - **NOTE**: Only if new tag available
|
|
85 | + - [ ] `version`: updated to next release tag
|
|
86 | + - [ ] `git_hash`: updated to the commit corresponding to the tag (we don't check signatures for Zstandard)
|
|
87 | + - [ ] **(Optional)** `projects/tor/config` https://gitlab.torproject.org/tpo/core/tor/-/tags
|
|
88 | + - [ ] `version`: updated to latest non `-alpha` tag or release tag if newer (ping **dgoulet** or **ahf** if unsure)
|
|
89 | + - [ ] **(Optional)** `projects/go/config` https://go.dev/dl
|
|
90 | + - [ ] `go_1_22`: updated to latest 1.22 version
|
|
91 | + - [ ] `input_files/sha256sum` for `go`: update sha256sum of archive (sha256 sums are displayed on the go download page)
|
|
92 | + - [ ] **(Optional)** `projects/manual/config`
|
|
93 | + - [ ] `version`: updated to latest pipeline id
|
|
94 | + - [ ] `input_files/shasum` for `manual`: updated to manual hash
|
|
95 | + - [ ] Upload the downloaded `manual_${PIPELINEID}.zip` file to `tb-build-02.torproject.org`
|
|
96 | + - [ ] Deploy to `tb-builder`'s `public_html` directory:
|
|
97 | + - [ ] Run:
|
|
98 | + ```bash
|
|
99 | + sudo -u tb-builder cp manual_${PIPELINEID}.zip ~tb-builder/public_html/.
|
|
100 | + ```
|
|
101 | + - `sudo` documentation for TPO machines: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/doc/accounts#changingresetting-your-passwords
|
|
102 | + - [ ] `ChangeLog-TBB.txt`: ensure correctness
|
|
103 | + - [ ] Browser name correct
|
|
104 | + - [ ] Release date correct
|
|
105 | + - [ ] No Android updates
|
|
106 | + - [ ] All issues added under correct platform
|
|
107 | + - [ ] ESR updates correct
|
|
108 | + - [ ] Component updates correct
|
|
109 | +- [ ] Open MR with above changes, using the template for release preparations
|
|
110 | + - **NOTE**: target the `maint-13.5` branch
|
|
111 | +- [ ] Merge
|
|
112 | +- [ ] Sign+Tag
|
|
113 | + - **NOTE** this must be done by one of:
|
|
114 | + - boklm
|
|
115 | + - dan
|
|
116 | + - ma1
|
|
117 | + - morgan
|
|
118 | + - pierov
|
|
119 | + - [ ] Run:
|
|
120 | + ```bash
|
|
121 | + make torbrowser-signtag-release
|
|
122 | + ```
|
|
123 | + - [ ] Push tag to `upstream`
|
|
124 | +- [ ] Build the tag:
|
|
125 | + - [ ] Run:
|
|
126 | + ```bash
|
|
127 | + make torbrowser-release && make torbrowser-incrementals-release
|
|
128 | + ```
|
|
129 | + - [ ] Tor Project build machine
|
|
130 | + - [ ] Local developer machine
|
|
131 | + - [ ] Submit build request to Mullvad infrastructure:
|
|
132 | + - **NOTE** this requires a devmole authentication token
|
|
133 | + - **NOTE** this also requires you be connected to a Swedish Mulvad VPN exit
|
|
134 | + - [ ] Run:
|
|
135 | + ```bash
|
|
136 | + make torbrowser-kick-devmole-build
|
|
137 | + ```
|
|
138 | + |
|
139 | +</details>
|
|
140 | + |
|
141 | +<details>
|
|
142 | + <summary>Website</summary>
|
|
143 | + |
|
144 | + ### downloads: https://gitlab.torproject.org/tpo/web/tpo.git
|
|
145 | + - [ ] `databags/versions.ini`: Update the downloads versions
|
|
146 | + - `torbrowser-stable/version`: catch-all for latest stable version
|
|
147 | + - `torbrowser-alpha/version`: catch-all for latest alpha version
|
|
148 | + - `torbrowser-legacy/version`: catch-all for latest ESR-115 version
|
|
149 | + - `torbrowser-*-stable/version`: platform-specific stable versions
|
|
150 | + - `torbrowser-*-alpha/version`: platform-specific alpha versions
|
|
151 | + - `torbrowser-*-legacy/version`: platform-specific legacy versions
|
|
152 | + - `tor-stable`,`tor-alpha`: set by tor devs, do not touch
|
|
153 | + - [ ] Push to origin as new branch and create MR
|
|
154 | + - [ ] Review
|
|
155 | + - [ ] Merge
|
|
156 | + - **⚠️ WARNING**: Do not deploy yet!
|
|
157 | + |
|
158 | +</details>
|
|
159 | + |
|
160 | +<details>
|
|
161 | + <summary>Signing</summary>
|
|
162 | + |
|
163 | +### release signing
|
|
164 | +- [ ] Assign this issue to the signer, one of:
|
|
165 | + - boklm
|
|
166 | + - ma1
|
|
167 | + - morgan
|
|
168 | + - pierov
|
|
169 | +- [ ] Ensure all builders have matching builds
|
|
170 | +- [ ] On `${STAGING_SERVER}`, ensure updated:
|
|
171 | + - **NOTE** Having a local git branch with `maint-13.5` as the upstream branch with these values saved means you only need to periodically `git pull --rebase` and update the `set-config.tbb-version` file
|
|
172 | + - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-${TOR_BROWSER_VERSION}-${TOR_BROWSER_BUILD_N} && git checkout tbb-${TOR_BROWSER_VERSION}-${TOR_BROWSER_BUILD_N}`
|
|
173 | + - [ ] `tor-browser-build/tools/signing/set-config.hosts`
|
|
174 | + - `ssh_host_builder`: ssh hostname of machine with unsigned builds
|
|
175 | + - `ssh_host_linux_signer`: ssh hostname of linux signing machine
|
|
176 | + - `builder_tor_browser_build_dir`: path on `ssh_host_builder` to root of builder's `tor-browser-build` clone containing unsigned builds
|
|
177 | + - [ ] `tor-browser-build/tools/signing/set-config.rcodesign-appstoreconnect`
|
|
178 | + - `appstoreconnect_api_key_path`: path to json file containing appstoreconnect api key infos
|
|
179 | + - [ ] `tor-browser-build/tools/signing/set-config.tbb-version`
|
|
180 | + - `tbb_version`: tor browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`)
|
|
181 | + - `tbb_version_build`: the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`)
|
|
182 | + - `tbb_version_type`: either `alpha` for alpha releases or `release` for stable releases
|
|
183 | +- [ ] On `${STAGING_SERVER}` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
|
|
184 | +- [ ] On `${STAGING_SERVER}` in a separate `screen` session, run do-all-signing script:
|
|
185 | + - [ ] Run:
|
|
186 | + ```bash
|
|
187 | + cd tor-browser-build/tools/signing/ && ./do-all-signing.torbrowser
|
|
188 | + ```
|
|
189 | + - **NOTE**: on successful execution, the signed binaries and mars should have been copied to `staticiforme` and update responses pushed
|
|
190 | + |
|
191 | +</details>
|
|
192 | + |
|
193 | +<details>
|
|
194 | + <summary>Signature verification</summary>
|
|
195 | + |
|
196 | + <details>
|
|
197 | + <summary>Check whether the .exe files got properly signed and timestamped</summary>
|
|
198 | + |
|
199 | +```bash
|
|
200 | +# Point OSSLSIGNCODE to your osslsigncode binary
|
|
201 | +pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION
|
|
202 | +OSSLSIGNCODE=/path/to/osslsigncode
|
|
203 | +../../../tools/authenticode_check.sh
|
|
204 | +popd
|
|
205 | +```
|
|
206 | + |
|
207 | + </details>
|
|
208 | + <details>
|
|
209 | + <summary>Check whether the MAR files got properly signed</summary>
|
|
210 | + |
|
211 | +```bash
|
|
212 | +# Point NSSDB to your nssdb containing the mar signing certificate
|
|
213 | +# Point SIGNMAR to your signmar binary
|
|
214 | +# Point LD_LIBRARY_PATH to your mar-tools directory
|
|
215 | +pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION
|
|
216 | +NSSDB=/path/to/nssdb
|
|
217 | +SIGNMAR=/path/to/mar-tools/signmar
|
|
218 | +LD_LIBRARY_PATH=/path/to/mar-tools/
|
|
219 | +../../../tools/marsigning_check.sh
|
|
220 | +popd
|
|
221 | +```
|
|
222 | + |
|
223 | + </details>
|
|
224 | +</details>
|
|
225 | + |
|
226 | +<details>
|
|
227 | + <summary>Publishing</summary>
|
|
228 | + |
|
229 | +### website
|
|
230 | +- [ ] On `staticiforme.torproject.org`, static update components:
|
|
231 | + - [ ] Run:
|
|
232 | + ```bash
|
|
233 | + static-update-component cdn.torproject.org && static-update-component dist.torproject.org
|
|
234 | + ```
|
|
235 | +- [ ] Deploy `tor-website` MR
|
|
236 | +- [ ] On `staticiforme.torproject.org`, remove old release:
|
|
237 | + - **NOTE**: Skip this step if we need to hold on to older versions for some reason (for example, this is an Andoid or Desktop-only release, or if we need to hold back installers in favor of build-to-build updates if there are signing issues, etc)
|
|
238 | + - [ ] `/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser`
|
|
239 | + - [ ] `/srv/dist-master.torproject.org/htdocs/torbrowser`
|
|
240 | + - [ ] Run:
|
|
241 | + ```bash
|
|
242 | + static-update-component cdn.torproject.org && static-update-component dist.torproject.org
|
|
243 | + ```
|
|
244 | +- [ ] **(Optional)** Generate and deploy new update responses
|
|
245 | + - **NOTE**: This is only required if there will be no corresponding 14.0 release (i.e. this is an emergency legacy-only 13.5 release). Normally, legacy update responses are generated and deployed as part of the 14.0 release.
|
|
246 | + - **⚠️ WARNING**: This is a little bit off the beaten track, ping boklm or morgan if you have any doubts
|
|
247 | + - From the `maint-14.0` branch:
|
|
248 | + - [ ] Update `rbm.conf`
|
|
249 | + - [ ] `var/torbrowser_legacy_version`: update to `${TOR_BROWSER_VERSION}`
|
|
250 | + - **NOTE** this is the browser version for the legacy branch, not the 14.0 branch
|
|
251 | + - [ ] `var/torbrowser_legacy_platform_version`: update to `${ESR_VERSION}`
|
|
252 | + - **NOTE** this is ESR version for the legacy branch, not the 14.0 branch
|
|
253 | + - [ ] Generate update responses:
|
|
254 | + - [ ] Run:
|
|
255 | + ```bash
|
|
256 | + make torbrowser-update_responses-release
|
|
257 | + ```
|
|
258 | + - On `staticiforme.torproject.org`, deploy new update responses:
|
|
259 | + - **NOTE**: for now this is a bit janky, we should somehow update the workflow to be a bit less hacky
|
|
260 | + - [ ] Edit an existing `deploy_update_responses-release.sh` script in your `HOME` directory with the newly pushed commit hash
|
|
261 | + - **example**: (hash: `d938943`)
|
|
262 | + ```bash
|
|
263 | + #!/bin/bash
|
|
264 | + set -e
|
|
265 | + |
|
266 | + echo "Deploying version 14.0"
|
|
267 | + echo "update_responses_commit: d938943"
|
|
268 | + |
|
269 | + cd "/srv/aus1-master.torproject.org/htdocs/torbrowser"
|
|
270 | + git fetch
|
|
271 | + changed_files="$(git diff --name-only HEAD d938943)"
|
|
272 | + if echo "$changed_files" | grep -qv "release"
|
|
273 | + then
|
|
274 | + echo >&2 "Error: checking out new update_response_commit will changes"
|
|
275 | + echo >&2 "some files outside of the release directory:"
|
|
276 | + echo "$changed_files" | grep -v "release" >&2
|
|
277 | + echo >&2 "--"
|
|
278 | + echo >&2 "If this is really what you want to do, edit this script to"
|
|
279 | + echo >&2 "remove the line 'exit 1' and run it again."
|
|
280 | + echo >&2 "See tor-browser-build#41168 for more details."
|
|
281 | + exit 1
|
|
282 | + fi
|
|
283 | + git checkout "d938943"
|
|
284 | + |
|
285 | + static-update-component aus1.torproject.org
|
|
286 | + ```
|
|
287 | + - [ ] Enable update responses:
|
|
288 | + ```bash
|
|
289 | + sudo -u tb-release ./deploy_update_responses-release.sh
|
|
290 | + ```
|
|
291 | + |
|
292 | +</details>
|
|
293 | + |
|
294 | +<details>
|
|
295 | + <summary>Communications</summary>
|
|
296 | + |
|
297 | +### tor-announce mailing list
|
|
298 | +- [ ] Email tor-announce mailing list
|
|
299 | + - **Recipients**
|
|
300 | + ```
|
|
301 | + tor-announce@xxxxxxxxxxxxxxxxxxxx
|
|
302 | + ```
|
|
303 | + - **Subject**
|
|
304 | + ```
|
|
305 | + New Release: Tor Browser ${TOR_BROWSER_VERSION} (Windows, macOS)
|
|
306 | + ```
|
|
307 | + - **Body**
|
|
308 | + ```
|
|
309 | + Hi everyone,
|
|
310 | + |
|
311 | + Tor Browser ${TOR_BROWSER_VERSION} has now been published for legacy Windows and macOS platforms. For details please see our blog post:
|
|
312 | + - ${BLOG_POST_URL}
|
|
313 | + |
|
314 | + Changelog:
|
|
315 | + # paste changelog as quote here
|
|
316 | + ```
|
|
317 | + |
|
318 | +</details>
|
|
319 | + |
|
320 | +/label ~"Release Prep" |
1 | +# Release Prep Tor Browser Stable
|
|
2 | + |
|
3 | +- **NOTE** It is assumed the `tor-browser` release rebase and security backport tasks have been completed
|
|
4 | +- **NOTE** This can/is often done in conjunction with the equivalent Mullvad Browser release prep issue
|
|
5 | + |
|
1 | 6 | <details>
|
2 | 7 | <summary>Explanation of variables</summary>
|
3 | 8 | |
4 | -- `$(BUILD_SERVER)` : the server the main builder is using to build a tor-browser release
|
|
5 | -- `$(BUILDER)` : whomever is building the release on the $(BUILD_SERVER)
|
|
6 | - - **example** : `pierov`
|
|
7 | -- `$(STAGING_SERVER)` : the server the signer is using to to run the signing process
|
|
8 | -- `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc
|
|
9 | - - **example** : `91.6.0`
|
|
10 | -- `$(TOR_BROWSER_MAJOR)` : the Tor Browser major version
|
|
11 | - - **example** : `11`
|
|
12 | -- `$(TOR_BROWSER_MINOR)` : the Tor Browser minor version
|
|
13 | - - **example** : either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
|
|
14 | -- `$(TOR_BROWSER_VERSION)` : the Tor Browser version in the format
|
|
15 | - - **example** : `12.5a3`, `12.0.3`
|
|
16 | -- `$(BUILD_N)` : a project's build revision within a its branch; this is separate from the `$(TOR_BROWSER_BUILD_N)` value; many of the Firefox-related projects have a `$(BUILD_N)` suffix and may differ between projects even when they contribute to the same build.
|
|
17 | - - **example** : `build1`
|
|
18 | -- `$(TOR_BROWSER_BUILD_N)` : the tor-browser build revision for a given Tor Browser release; used in tagging git commits
|
|
19 | - - **example** : `build2`
|
|
20 | - - **NOTE** : A project's `$(BUILD_N)` and `$(TOR_BROWSER_BUILD_N)` may be the same, but it is possible for them to diverge. For example :
|
|
21 | - - if we have multiple Tor Browser releases on a given ESR branch the two will become out of sync as the `$(BUILD_N)` value will increase, while the `$(TOR_BROWSER_BUILD_N)` value may stay at `build1` (but the `$(TOR_BROWSER_VERSION)` will increase)
|
|
22 | - - if we have build failures unrelated to `tor-browser`, the `$(TOR_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same.
|
|
23 | -- `$(TOR_BROWSER_VERSION)` : the published Tor Browser version
|
|
24 | - - **example** : `11.5a6`, `11.0.7`
|
|
25 | -- `$(TBB_BUILD_TAG)` : the `tor-browser-build` build tag used to build a given Tor Browser version
|
|
26 | - - **example** : `tbb-12.0.7-build1`
|
|
27 | -</details>
|
|
9 | +- `${BUILD_SERVER}`: the server the main builder is using to build a browser release
|
|
10 | +- `${BUILDER}`: whomever is building the release on the ${BUILD_SERVER}
|
|
11 | + - **example**: `pierov`
|
|
12 | +- `${STAGING_SERVER}`: the server the signer is using to to run the signing process
|
|
13 | +- `${ESR_VERSION}`: the Mozilla defined ESR version, used in various places for building browser tags, labels, etc
|
|
14 | + - **example**: `91.6.0`
|
|
15 | +- `${TOR_BROWSER_MAJOR}`: the Tor Browser major version
|
|
16 | + - **example**: `11`
|
|
17 | +- `${TOR_BROWSER_MINOR}`: the Tor Browser minor version
|
|
18 | + - **example**: either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
|
|
19 | +- `${TOR_BROWSER_VERSION}`: the Tor Browser version in the format
|
|
20 | + - **example**: `12.5a3`, `12.0.3`
|
|
21 | +- `${BUILD_N}`: a project's build revision within a its branch; this is separate from the `${TOR_BROWSER_BUILD_N}` value; many of the Firefox-related projects have a `${BUILD_N}` suffix and may differ between projects even when they contribute to the same build.
|
|
22 | + - **example**: `build1`
|
|
23 | +- `${TOR_BROWSER_BUILD_N}`: the tor-browser build revision for a given Tor Browser release; used in tagging git commits
|
|
24 | + - **example**: `build2`
|
|
25 | + - **⚠️ WARNING**: A project's `${BUILD_N}` and `${TOR_BROWSER_BUILD_N}` may be the same, but it is possible for them to diverge. For example :
|
|
26 | + - if we have multiple Tor Browser releases on a given ESR branch the two will become out of sync as the `${BUILD_N}` value will increase, while the `${TOR_BROWSER_BUILD_N}` value may stay at `build1` (but the `${TOR_BROWSER_VERSION}` will increase)
|
|
27 | + - if we have build failures unrelated to `tor-browser`, the `${TOR_BROWSER_BUILD_N}` value will increase while the `${BUILD_N}` will stay the same.
|
|
28 | +- `${TOR_BROWSER_VERSION}`: the published Tor Browser version
|
|
29 | + - **example**: `11.5a6`, `11.0.7`
|
|
30 | +- `${TBB_BUILD_TAG}`: the `tor-browser-build` build tag used to build a given Tor Browser version
|
|
31 | + - **example**: `tbb-12.5a7-build1`
|
|
32 | +- `${RELEASE_DATE}`: the intended release date of this browser release; for ESR schedule-driven releases, this should match the upstream Firefox release date
|
|
33 | + - **example**: `2024-10-29`
|
|
28 | 34 | |
29 | -**NOTE** It is assumed that the `tor-browser` stable rebase and security backport tasks have been completed
|
|
30 | -**NOTE** This can/is often done in conjunction with the equivalent Mullvad Browser release prep issue
|
|
35 | +</details>
|
|
31 | 36 | |
32 | 37 | <details>
|
33 | - <summary>Building</summary>
|
|
38 | + <summary>Build Configuration</summary>
|
|
39 | + |
|
40 | +### tor-browser: https://gitlab.torproject.org/tpo/applications/tor-browser.git
|
|
41 | + |
|
42 | +- [ ] Tag `tor-browser` in tor-browser.git
|
|
43 | + - **example**: `tor-browser-128.4.0esr-14.0-1-build1`
|
|
34 | 44 | |
35 | 45 | ### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git
|
36 | -Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)` (and possibly more specific) branches.
|
|
37 | - |
|
38 | -- [ ] Update `rbm.conf`
|
|
39 | - - [ ] `var/torbrowser_version` : update to next version
|
|
40 | - - [ ] `var/torbrowser_build` : update to `$(TOR_BROWSER_BUILD_N)`
|
|
41 | - - [ ] `var/browser_release_date` : update to build date. For the build to be reproducible, the date should be in the past when building.
|
|
42 | - - [ ] `var/torbrowser_legacy_version` : update to next version in the legacy-13.5 branch
|
|
43 | - - [ ] `var/torbrowser_legacy_platform_version` : update to firefox platform version in the legacy-13.5 branch
|
|
44 | - - [ ] ***(Desktop Only)***`var/torbrowser_incremental_from` : update to previous Desktop version
|
|
45 | - - **NOTE**: We try to build incrementals for the previous 3 desktop versions except in the case of a watershed update
|
|
46 | - - **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make torbrowser-incrementals-*` step will fail
|
|
47 | -- [ ] Update Desktop-specific build configs
|
|
48 | - - [ ] Update `projects/firefox/config`
|
|
49 | - - [ ] `browser_build` : update to match `tor-browser` tag
|
|
50 | - - [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased
|
|
51 | -- [ ] Update Android-specific build configs
|
|
52 | - - [ ] Update `projects/geckoview/config`
|
|
53 | - - [ ] `browser_build` : update to match `tor-browser` tag
|
|
54 | - - [ ] ***(Optional)*** `var/geckoview_version` : update to latest `$(ESR_VERSION)` if rebased
|
|
55 | - - [ ] ***(Optional)*** Update `projects/tor-android-service/config`
|
|
56 | - - [ ] `git_hash` : update with `HEAD` commit of project's `main` branch
|
|
57 | - - [ ] ***(Optional)*** Update `projects/application-services/config`:
|
|
58 | - **NOTE** we don't currently have any of our own patches for this project
|
|
59 | - - [ ] `git_hash` : update to appropriate git commit associated with `$(ESR_VERSION)`
|
|
60 | - - [ ] ***(Optional)*** Update `projects/firefox-android/config`:
|
|
61 | - - [ ] `fenix_version` : update to match stable `firefox-android` build tag
|
|
62 | - - [ ] `browser_branch` : update to match stable `firefox-android` build tag
|
|
63 | - - [ ] `browser_build` : update to match stable `firefox-android` build tag
|
|
64 | - variant: Beta
|
|
65 | -- [ ] Update `projects/translation/config`:
|
|
66 | - - [ ] run `make list_translation_updates-release` to get updated hashes
|
|
67 | - - [ ] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch
|
|
68 | - - [ ] `steps/tor-browser/git_hash` : update with `HEAD` commit of project's `tor-browser` branch
|
|
69 | - - [ ] `steps/fenix/git_hash` : update with `HEAD` commit of project's `fenix-torbrowserstringsxml` branch
|
|
70 | -- [ ] Update common build configs
|
|
71 | - - [ ] Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript
|
|
72 | - - [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/browser/config`
|
|
73 | - - [ ] `URL`
|
|
74 | - - [ ] `sha256sum`
|
|
75 | - - [ ] Check for OpenSSL updates here : https://www.openssl.org/source/
|
|
76 | - - [ ] ***(Optional)*** If new 3.0.X version available, update `projects/openssl/config`
|
|
77 | - - [ ] `version` : update to next 3.0.X version
|
|
78 | - - [ ] `input_files/sha256sum` : update to sha256 sum of source tarball
|
|
79 | - - [ ] Check for zlib updates here: https://github.com/madler/zlib/releases
|
|
80 | - - [ ] **(Optional)** If new tag available, update `projects/zlib/config`
|
|
81 | - - [ ] `version` : update to next release tag
|
|
82 | - - [ ] Check for tor updates here : https://gitlab.torproject.org/tpo/core/tor/-/tags
|
|
83 | - - [ ] ***(Optional)*** Update `projects/tor/config`
|
|
84 | - - [ ] `version` : update to latest non `-alpha` tag (ping dgoulet or ahf if unsure)
|
|
85 | - - [ ] Check for go updates here : https://go.dev/dl
|
|
86 | - - **NOTE** : In general, Tor Browser Stable uses the latest of the *previous* Stable major series Go version, but there are sometimes exceptions. Check with the anti-censorship team before doing a major version update in case there is incompatibilities.
|
|
87 | - - [ ] ***(Optional)*** Update `projects/go/config`
|
|
88 | - - [ ] `version` : update go version
|
|
89 | - - [ ] `input_files/sha256sum` for `go` : update sha256sum of archive (sha256 sums are displayed on the go download page)
|
|
90 | - - [ ] Check for manual updates by running (from `tor-browser-build` root): `./tools/fetch-manual.py`
|
|
91 | - - [ ] ***(Optional)*** If new version is available:
|
|
92 | - - [ ] Upload the downloaded `manual_$PIPELINEID.zip` file to `tb-build-02.torproject.org`
|
|
93 | - - [ ] Deploy to `tb-builder`'s `public_html` directory:
|
|
94 | - - `sudo -u tb-builder cp manual_$PIPELINEID.zip ~tb-builder/public_html/.`
|
|
95 | - - [ ] Update `projects/manual/config`:
|
|
96 | - - [ ] Change the `version` to `$PIPELINEID`
|
|
97 | - - [ ] Update `sha256sum` in the `input_files` section
|
|
98 | -- [ ] Update `ChangeLog-TBB.txt`
|
|
99 | - - [ ] Ensure `ChangeLog-TBB.txt` is sync'd between alpha and stable branches
|
|
100 | - - [ ] Check the linked issues: ask people to check if any are missing, remove the not fixed ones
|
|
101 | - - [ ] Run `./tools/fetch-changelogs.py $(ISSUE_NUMBER) --date $date $updateArgs`
|
|
102 | - - Make sure you have `requests` installed (e.g., `apt install python3-requests`)
|
|
103 | - - The first time you run this script you will need to generate an access token; the script will guide you
|
|
104 | - - `$updateArgs` should be these arguments, depending on what you actually updated:
|
|
105 | - - [ ] `--firefox` (be sure to include esr at the end if needed, which is usually the case)
|
|
106 | - - [ ] `--tor`
|
|
107 | - - [ ] `--no-script`
|
|
108 | - - [ ] `--openssl`
|
|
109 | - - [ ] `--zlib`
|
|
110 | - - [ ] `--go`
|
|
111 | - - E.g., `./tools/fetch-changelogs.py 41028 --date 'December 19 2023' --firefox 115.6.0esr --tor 0.4.8.10 --no-script 11.4.29 --zlib 1.3 --go 1.21.5 --openssl 3.0.12`
|
|
112 | - - `--date $date` is optional, if omitted it will be the date on which you run the command
|
|
113 | - - [ ] Copy the output of the script to the beginning of `ChangeLog-TBB.txt` and adjust its output
|
|
46 | +Tor Browser Stable is on the `maint-${TOR_BROWSER_MAJOR}.${TOR_BROWSER_MINOR}` branch
|
|
47 | + |
|
48 | +- [ ] Changelog bookkeeping:
|
|
49 | + - [ ] Ensure all commits to `tor-browser` and `tor-browser-build` for this release have an associated issue linked to this release preparation issue
|
|
50 | + - [ ] Ensure each issue has a platform (~Windows, ~MacOS, ~Linux, ~Android, ~Desktop, ~"All Platforms") and potentially ~"Build System" labels
|
|
51 | +- [ ] Create a release preparation branch from the current `maint-XX.Y` branch
|
|
52 | +- [ ] Run release preparation script:
|
|
53 | + - **NOTE**: You can omit the `--tor-browser` argument if this is for a joint Tor and Mullvad Browser release
|
|
54 | + - **⚠️ WARNING**: You may need to manually update the `firefox/config` and `geckoview/config` files' `browser_build` field if `tor-browser.git` has not yet been tagged (e.g. if security backports have not yet been merged and tagged)
|
|
55 | + ```bash
|
|
56 | + ./tools/relprep.py --tor-browser --date ${RELEASE_DATE} ${TOR_BROWSER_VERSION}
|
|
57 | + ```
|
|
58 | +- [ ] Review build configuration changes:
|
|
59 | + - [ ] `rbm.conf`
|
|
60 | + - [ ] `var/torbrowser_version`: updated to next browser version
|
|
61 | + - [ ] `var/torbrowser_build`: updated to `${TOR_BROWSER_BUILD_N}`
|
|
62 | + - [ ] `var/browser_release_date`: updated to build date. For the build to be reproducible, the date should be in the past when building.
|
|
63 | + - **⚠️ WARNING**: If we have updated `var/torbrowser_build` without updating the `firefox` or `geckoview` tags, then we can leave this unchanged to avoid forcing a firefox re-build (e.g. when bumping `var/torbrwoser_build` to build2, build3, etc due to non-firefox related build issues)
|
|
64 | + - [ ] ***(Desktop Only)*** `var/torbrowser_incremental_from`: updated to previous Desktop version
|
|
65 | + - **NOTE**: We try to build incrementals for the previous 3 desktop versions
|
|
66 | + - **⚠️ WARNING**: Really *actually* make sure this is the previous Desktop version or else the `make torbrowser-incrementals-*` step will fail
|
|
67 | +- [ ] `projects/firefox/config`
|
|
68 | + - [ ] `browser_build`: updated to match `tor-browser` tag
|
|
69 | + - [ ] ***(Optional)*** `var/firefox_platform_version`: updated to latest `${ESR_VERSION}` if rebased
|
|
70 | + - [ ] `projects/geckoview/config`
|
|
71 | + - [ ] `browser_build`: updated to match `tor-browser` tag
|
|
72 | + - [ ] ***(Optional)*** `var/firefox_platform_version`: updated to latest `${ESR_VERSION}` if rebased
|
|
73 | + - [ ] ***(Optional)*** `projects/translation/config`:
|
|
74 | + - [ ] `steps/base-browser/git_hash`: updated with `HEAD` commit of project's `base-browser` branch
|
|
75 | + - [ ] `steps/tor-browser/git_hash`: updated with `HEAD` commit of project's `tor-browser` branch
|
|
76 | + - [ ] `steps/fenix/git_hash`: updated with `HEAD` commit of project's `fenix-torbrowserstringsxml` branch
|
|
77 | + - [ ] ***(Optional)*** `projects/browser/config`:
|
|
78 | + - [ ] NoScript: https://addons.mozilla.org/en-US/firefox/addon/noscript
|
|
79 | + - [ ] `URL` updated
|
|
80 | + - **⚠️ WARNING**: If preparing the release manually, updating the version number in the url is not sufficient, as each version has a random unique id in the download url
|
|
81 | + - [ ] `sha256sum` updated
|
|
82 | + - [ ] ***(Optional)*** `projects/openssl/config`: https://www.openssl.org/source/
|
|
83 | + - **NOTE**: Only if new LTS version (3.0.X currrently) available
|
|
84 | + - [ ] `version`: updated to next LTS version
|
|
85 | + - [ ] `input_files/sha256sum`: updated to sha256 sum of source tarball
|
|
86 | + - [ ] **(Optional)** `projects/zlib/config`: https://github.com/madler/zlib/releases
|
|
87 | + - **NOTE**: Only if new tag available
|
|
88 | + - [ ] `version`: updated to next release tag
|
|
89 | + - [ ] **(Optional)** `projects/zstd/config`: https://github.com/facebook/zstd/releases
|
|
90 | + - **NOTE**: Only if new tag available; Android-only for now
|
|
91 | + - [ ] `version`: updated to next release tag
|
|
92 | + - [ ] `git_hash`: updated to the commit corresponding to the tag (we don't check signatures for Zstandard)
|
|
93 | + - [ ] **(Optional)** `projects/tor/config` https://gitlab.torproject.org/tpo/core/tor/-/tags
|
|
94 | + - [ ] `version`: updated to latest non `-alpha` tag or release tag if newer (ping **dgoulet** or **ahf** if unsure)
|
|
95 | + - [ ] **(Optional)** `projects/go/config` https://go.dev/dl
|
|
96 | + - **NOTE**: In general, Tor Browser Alpha uses the latest Stable major series Go version, but there are sometimes exceptions. Check with the anti-censorship team before doing a major version update in case there is incompatibilities.
|
|
97 | + - [ ] `version`: updated go version
|
|
98 | + - [ ] `input_files/sha256sum` for `go`: update sha256sum of archive (sha256 sums are displayed on the go download page)
|
|
99 | + - [ ] **(Optional)** `projects/manual/config`
|
|
100 | + - [ ] `version`: updated to latest pipeline id
|
|
101 | + - [ ] `input_files/shasum` for `manual`: updated to manual hash
|
|
102 | + - [ ] Upload the downloaded `manual_${PIPELINEID}.zip` file to `tb-build-02.torproject.org`
|
|
103 | + - [ ] Deploy to `tb-builder`'s `public_html` directory:
|
|
104 | + - [ ] Run:
|
|
105 | + ```bash
|
|
106 | + sudo -u tb-builder cp manual_${PIPELINEID}.zip ~tb-builder/public_html/.
|
|
107 | + ```
|
|
108 | + - `sudo` documentation for TPO machines: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/doc/accounts#changingresetting-your-passwords
|
|
109 | + - [ ] `ChangeLog-TBB.txt`: ensure correctness
|
|
110 | + - [ ] Browser name correct
|
|
111 | + - [ ] Release date correct
|
|
112 | + - [ ] No Android updates on a desktop-only release and vice-versa
|
|
113 | + - [ ] All issues added under correct platform
|
|
114 | + - [ ] ESR updates correct
|
|
115 | + - [ ] Component updates correct
|
|
114 | 116 | - [ ] Open MR with above changes, using the template for release preparations
|
117 | + - **NOTE**: target the `maint-14.0` branch
|
|
115 | 118 | - [ ] Merge
|
116 | 119 | - [ ] Sign+Tag
|
117 | 120 | - **NOTE** this must be done by one of:
|
... | ... | @@ -120,47 +123,53 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE |
120 | 123 | - ma1
|
121 | 124 | - morgan
|
122 | 125 | - pierov
|
123 | - - [ ] Run: `make torbrowser-signtag-release`
|
|
126 | + - [ ] Run:
|
|
127 | + ```bash
|
|
128 | + make torbrowser-signtag-release
|
|
129 | + ```
|
|
124 | 130 | - [ ] Push tag to `upstream`
|
125 | 131 | - [ ] Build the tag:
|
126 | - - Run `make torbrowser-release && make torbrowser-incrementals-release`
|
|
132 | + - [ ] Run:
|
|
133 | + ```bash
|
|
134 | + make torbrowser-release && make torbrowser-incrementals-release
|
|
135 | + ```
|
|
127 | 136 | - [ ] Tor Project build machine
|
128 | 137 | - [ ] Local developer machine
|
129 | 138 | - [ ] Submit build request to Mullvad infrastructure:
|
130 | 139 | - **NOTE** this requires a devmole authentication token
|
131 | - - Run `make torbrowser-kick-devmole-build`
|
|
132 | -- [ ] Ensure builders have matching builds
|
|
140 | + - **NOTE** this also requires you be connected to a Swedish Mulvad VPN exit
|
|
141 | + - [ ] Run:
|
|
142 | + ```bash
|
|
143 | + make torbrowser-kick-devmole-build
|
|
144 | + ```
|
|
133 | 145 | |
134 | 146 | </details>
|
135 | 147 | |
136 | 148 | <details>
|
137 | - <summary>Communications</summary>
|
|
138 | - |
|
139 | -### notify stakeholders
|
|
140 | -- [ ] **(Once builds confirmed matching)** Email tor-qa mailing list with release information
|
|
141 | - - [ ] tor-qa: tor-qa@xxxxxxxxxxxxxxxxxxxx
|
|
142 | - - **Subject**
|
|
143 | - ```
|
|
144 | - Tor Browser $(TOR_BROWSER_VERION) (Android, Windows, macOS, Linux)
|
|
145 | - ```
|
|
146 | - - **Body**
|
|
147 | - ```
|
|
148 | - Hello,
|
|
149 | - |
|
150 | - Unsigned Tor Browser $(TOR_BROWSER_VERSION) release candidate builds are now available for testing:
|
|
151 | - |
|
152 | - - https://tb-build-02.torproject.org/~$(BUILDER)/builds/torbrowser/release/unsigned/$(TOR_BROWSER_VERSION)/
|
|
153 | - |
|
154 | - The full changelog can be found here:
|
|
155 | - |
|
156 | - - https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/raw/$(TBB_BUILD_TAG)/projects/browser/Bundle-Data/Docs-TBB/ChangeLog.txt
|
|
157 | - ```
|
|
158 | -- [ ] Email packagers:
|
|
159 | - - [ ] Tails dev mailing list: tails-dev@xxxxxxxx
|
|
160 | - - [ ] Guardian Project: nathan@xxxxxxxxxxxxxxxxxxxx
|
|
161 | - - [ ] FreeBSD port: freebsd@xxxxxxxxx <!-- Gitlab user maxfx -->
|
|
162 | - - [ ] OpenBSD port: caspar@xxxxxxxxxxxxxx <!-- Gitlab user cschutijser -->
|
|
163 | - - [ ] Note any changes which may affect packaging/downstream integration
|
|
149 | + <summary>Website</summary>
|
|
150 | + |
|
151 | + ### downloads: https://gitlab.torproject.org/tpo/web/tpo.git
|
|
152 | + - [ ] `databags/versions.ini`: Update the downloads versions
|
|
153 | + - `torbrowser-stable/version`: catch-all for latest stable version
|
|
154 | + - `torbrowser-alpha/version`: catch-all for latest alpha version
|
|
155 | + - `torbrowser-legacy/version`: catch-all for latest ESR-115 version
|
|
156 | + - `torbrowser-*-stable/version`: platform-specific stable versions
|
|
157 | + - `torbrowser-*-alpha/version`: platform-specific alpha versions
|
|
158 | + - `torbrowser-*-legacy/version`: platform-specific legacy versions
|
|
159 | + - [ ] Push to origin as new branch and create MR
|
|
160 | + - [ ] Review
|
|
161 | + - [ ] Merge
|
|
162 | + - **⚠️ WARNING**: Do not deploy yet!
|
|
163 | + |
|
164 | + ### blog: https://gitlab.torproject.org/tpo/web/blog.git
|
|
165 | + - [ ] Run `tools/signing/create-blog-post` which should create the new blog post from a template (edit set-config.blog to set you local blog directory)
|
|
166 | + - [ ] Note any ESR update
|
|
167 | + - [ ] Thank any users which have contributed patches
|
|
168 | + - [ ] **(Optional)** Draft any additional sections for new features which need testing, known issues, etc
|
|
169 | + - [ ] Push to origin as new branch and open MR
|
|
170 | + - [ ] Review
|
|
171 | + - [ ] Merge
|
|
172 | + - **⚠️ WARNING**: Do not deploy yet!
|
|
164 | 173 | |
165 | 174 | </details>
|
166 | 175 | |
... | ... | @@ -168,38 +177,37 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE |
168 | 177 | <summary>Signing</summary>
|
169 | 178 | |
170 | 179 | ### release signing
|
171 | -- **NOTE** : In practice, it's most efficient to have the blog post and website updates ready to merge, since signing doesn't take very long
|
|
172 | 180 | - [ ] Assign this issue to the signer, one of:
|
173 | 181 | - boklm
|
182 | + - ma1
|
|
174 | 183 | - morgan
|
175 | -- [ ] On `$(STAGING_SERVER)`, ensure updated:
|
|
176 | - - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-$(TOR_BROWSER_VERSION)-$(TOR_BROWSER_BUILD_N) && git checkout tbb-$(TOR_BROWSER_VERSION)-$(TOR_BROWSER_BUILD_N)`
|
|
184 | + - pierov
|
|
185 | +- [ ] Ensure all builders have matching builds
|
|
186 | +- [ ] Verify the associated legacy `maint-13.5` release has been signed and deployed
|
|
187 | + - **⚠️ WARNING**: Do not continue if the legacy channel has not been fully signed and published yet; it is needed for update-response generation!
|
|
188 | + - **NOTE** Stable releases without a corresponding legacy release may ignore this
|
|
189 | +- [ ] On `${STAGING_SERVER}`, ensure updated:
|
|
190 | + - **NOTE** Having a local git branch with `maint-14.0` as the upstream branch with these values saved means you only need to periodically `git pull --rebase` and update the `set-config.tbb-version` file
|
|
191 | + - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-${TOR_BROWSER_VERSION}-${TOR_BROWSER_BUILD_N} && git checkout tbb-${TOR_BROWSER_VERSION}-${TOR_BROWSER_BUILD_N}`
|
|
177 | 192 | - [ ] `tor-browser-build/tools/signing/set-config.hosts`
|
178 | - - `ssh_host_builder` : ssh hostname of machine with unsigned builds
|
|
179 | - - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory)
|
|
180 | - - `ssh_host_linux_signer` : ssh hostname of linux signing machine
|
|
193 | + - `ssh_host_builder`: ssh hostname of machine with unsigned builds
|
|
194 | + - `ssh_host_linux_signer`: ssh hostname of linux signing machine
|
|
195 | + - `builder_tor_browser_build_dir`: path on `ssh_host_builder` to root of builder's `tor-browser-build` clone containing unsigned builds
|
|
181 | 196 | - [ ] `tor-browser-build/tools/signing/set-config.rcodesign-appstoreconnect`
|
182 | - - `appstoreconnect_api_key_path` : path to json file containing appstoreconnect api key infos
|
|
197 | + - `appstoreconnect_api_key_path`: path to json file containing appstoreconnect api key infos
|
|
183 | 198 | - [ ] `set-config.update-responses`
|
184 | - - `update_responses_repository_dir` : directory where you cloned `git@xxxxxxxxxxxxxxxxxxxxx:tpo/applications/tor-browser-update-responses.git`
|
|
199 | + - `update_responses_repository_dir`: directory where you cloned `git@xxxxxxxxxxxxxxxxxxxxx:tpo/applications/tor-browser-update-responses.git`
|
|
185 | 200 | - [ ] `tor-browser-build/tools/signing/set-config.tbb-version`
|
186 | - - `tbb_version` : tor browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`)
|
|
187 | - - `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`)
|
|
188 | - - `tbb_version_type` : either `alpha` for alpha releases or `release` for stable releases
|
|
189 | -- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
|
|
190 | -- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, run do-all-signing script:
|
|
191 | - - `cd tor-browser-build/tools/signing/`
|
|
192 | - - `./do-all-signing.torbrowser`
|
|
193 | -- **NOTE**: at this point the signed binaries should have been copied to `staticiforme`
|
|
194 | -- [ ] Update `staticiforme.torproject.org`:
|
|
195 | - - From `screen` session on `staticiforme.torproject.org`:
|
|
196 | - - [ ] Static update components : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org`
|
|
197 | - - [ ] Enable update responses : `sudo -u tb-release ./deploy_update_responses-release.sh`
|
|
198 | - - [ ] Remove old release data from following places:
|
|
199 | - - **NOTE** : Skip this step if we need to hold on to older versions for some reason (for example, this is an Andoid or Desktop-only release, or if we need to hold back installers in favor of build-to-build updates if there are signing issues, etc)
|
|
200 | - - [ ] `/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser`
|
|
201 | - - [ ] `/srv/dist-master.torproject.org/htdocs/torbrowser`
|
|
202 | - - [ ] Static update components (again) : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org`
|
|
201 | + - `tbb_version`: tor browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`)
|
|
202 | + - `tbb_version_build`: the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`)
|
|
203 | + - `tbb_version_type`: either `alpha` for alpha releases or `release` for stable releases
|
|
204 | +- [ ] On `${STAGING_SERVER}` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
|
|
205 | +- [ ] On `${STAGING_SERVER}` in a separate `screen` session, run do-all-signing script:
|
|
206 | + - [ ] Run:
|
|
207 | + ```bash
|
|
208 | + cd tor-browser-build/tools/signing/ && ./do-all-signing.torbrowser
|
|
209 | + ```
|
|
210 | + - **NOTE**: on successful execution, the signed binaries and mars should have been copied to `staticiforme` and update responses pushed
|
|
203 | 211 | |
204 | 212 | </details>
|
205 | 213 | |
... | ... | @@ -239,6 +247,28 @@ popd |
239 | 247 | <details>
|
240 | 248 | <summary>Publishing</summary>
|
241 | 249 | |
250 | +### website
|
|
251 | +- [ ] On `staticiforme.torproject.org`, static update components:
|
|
252 | + - [ ] Run:
|
|
253 | + ```bash
|
|
254 | + static-update-component cdn.torproject.org && static-update-component dist.torproject.org
|
|
255 | + ```
|
|
256 | +- [ ] Deploy `tor-website` MR
|
|
257 | +- [ ] Deploy `tor-blog` MR
|
|
258 | +- [ ] On `staticiforme.torproject.org`, enable update responses:
|
|
259 | + - [ ] Run:
|
|
260 | + ```bash
|
|
261 | + sudo -u tb-release ./deploy_update_responses-release.sh
|
|
262 | + ```
|
|
263 | +- [ ] On `staticiforme.torproject.org`, remove old release:
|
|
264 | + - **NOTE**: Skip this step if we need to hold on to older versions for some reason (for example, this is an Andoid or Desktop-only release, or if we need to hold back installers in favor of build-to-build updates if there are signing issues, etc)
|
|
265 | + - [ ] `/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser`
|
|
266 | + - [ ] `/srv/dist-master.torproject.org/htdocs/torbrowser`
|
|
267 | + - [ ] Run:
|
|
268 | + ```bash
|
|
269 | + static-update-component cdn.torproject.org && static-update-component dist.torproject.org
|
|
270 | + ```
|
|
271 | + |
|
242 | 272 | ### Google Play: https://play.google.com/apps/publish
|
243 | 273 | - [ ] Publish APKs to Google Play:
|
244 | 274 | - Select `Tor Browser` app
|
... | ... | @@ -253,45 +283,59 @@ popd |
253 | 283 | - [ ] 100% rollout when publishing a security-driven release
|
254 | 284 | - [ ] Update rollout percentage to 100% after confirmed no major issues
|
255 | 285 | |
256 | -### website: https://gitlab.torproject.org/tpo/web/tpo.git
|
|
257 | -- [ ] `databags/versions.ini` : Update the downloads versions
|
|
258 | - - `torbrowser-stable/version` : sort of a catch-all for latest stable version
|
|
259 | - - `torbrowser-alpha/version` : sort of a catch-all for latest stable version
|
|
260 | - - `torbrowser-*-stable/version` : platform-specific stable versions
|
|
261 | - - `torbrowser-*-alpha/version` : platform-specific alpha versions
|
|
262 | - - `tor-stable`,`tor-alpha` : set by tor devs, do not touch
|
|
263 | -- [ ] Push to origin as new branch, open 'Draft :' MR
|
|
264 | -- [ ] Remove `Draft:` from MR once signed-packages are accessible on https://dist.torproject.org
|
|
265 | -- [ ] Merge
|
|
266 | -- [ ] Publish after CI passes and builds are published
|
|
286 | +</details>
|
|
267 | 287 | |
268 | -### blog: https://gitlab.torproject.org/tpo/web/blog.git
|
|
269 | -- [ ] Run `tools/signing/create-blog-post` which should create the new blog post from a template (edit set-config.blog to set you local blog directory)
|
|
270 | - - [ ] Note any ESR update
|
|
271 | - - [ ] Note any updates to dependencies (OpenSSL, zlib, NoScript, tor, etc)
|
|
272 | - - [ ] Thank any users which have contributed patches
|
|
273 | -- [ ] Push to origin as new branch, open `Draft:` MR
|
|
274 | -- [ ] Merge once signed-packages are accessible on https://dist.torproject.org
|
|
275 | -- [ ] Publish after CI passes and website has been updated
|
|
288 | +<details>
|
|
289 | + <summary>Communications</summary>
|
|
276 | 290 | |
277 | 291 | ### tor-announce mailing list
|
278 | -- [ ] Email tor-announce mailing list: tor-announce@xxxxxxxxxxxxxxxxxxxx
|
|
292 | +- [ ] Email tor-announce mailing list
|
|
293 | + - **Recipients**
|
|
294 | + ```
|
|
295 | + tor-announce@xxxxxxxxxxxxxxxxxxxx
|
|
296 | + ```
|
|
279 | 297 | - **Subject**
|
280 | 298 | ```
|
281 | - New Release: Tor Browser $(TOR_BROWSER_VERSION) (Android, Windows, macOS, Linux)
|
|
299 | + New Release: Tor Browser ${TOR_BROWSER_VERSION} (Android, Windows, macOS, Linux)
|
|
282 | 300 | ```
|
283 | 301 | - **Body**
|
284 | 302 | ```
|
285 | 303 | Hi everyone,
|
286 | 304 | |
287 | - Tor Browser $(TOR_BROWSER_VERSION) has now been published for all platforms. For details please see our blog post:
|
|
288 | - - $(BLOG_POST_URL)
|
|
305 | + Tor Browser ${TOR_BROWSER_VERSION} has now been published for all platforms. For details please see our blog post:
|
|
306 | + - ${BLOG_POST_URL}
|
|
289 | 307 | |
290 | 308 | Changelog:
|
291 | - # paste changleog as quote here
|
|
309 | + # paste changelog as quote here
|
|
310 | + ```
|
|
311 | + |
|
312 | +### packagers
|
|
313 | +- [ ] Email packagers:
|
|
314 | + - **Recipients**
|
|
315 | + - Tails dev mailing list: tails-dev@xxxxxxxx
|
|
316 | + - Guardian Project: nathan@xxxxxxxxxxxxxxxxxxxx
|
|
317 | + - FreeBSD port: freebsd@xxxxxxxxx <!-- Gitlab user maxfx -->
|
|
318 | + - OpenBSD port: caspar@xxxxxxxxxxxxxx <!-- Gitlab user cschutijser -->
|
|
319 | + - torbrowser-launcher: mail@xxxxxxxxxxxxx <!-- Gitlab user asciiwolf -->
|
|
320 | + - Anti-Censorship: meskio@xxxxxxxxxxxxxx <!-- Gitlab user meskio -->
|
|
292 | 321 | ```
|
322 | + tails-dev@xxxxxxxx nathan@xxxxxxxxxxxxxxxxxxxx freebsd@xxxxxxxxx caspar@xxxxxxxxxxxxxx mail@xxxxxxxxxxxxx meskio@xxxxxxxxxxxxxx
|
|
323 | + ```
|
|
324 | + - **Subject**
|
|
325 | + ```
|
|
326 | + New Release: Tor Browser ${TOR_BROWSER_VERSION} (Android, Windows, macOS, Linux)
|
|
327 | + ```
|
|
328 | + - **Body**
|
|
329 | + ```
|
|
330 | + Hi everyone,
|
|
331 | + |
|
332 | + Tor Browser ${TOR_BROWSER_VERSION} has now been published for all platforms. For details please see our blog post:
|
|
333 | + - ${BLOG_POST_URL}
|
|
293 | 334 | |
335 | + Changelog:
|
|
336 | + # paste changelog as quote here
|
|
337 | + ```
|
|
338 | + - [ ] Note any changes which may affect packaging/downstream integration
|
|
294 | 339 | </details>
|
295 | 340 | |
296 | 341 | /label ~"Release Prep" |
297 | - |