The Tor Project issueshttps://gitlab.torproject.org/groups/tpo/-/issues2024-03-13T08:08:26Zhttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42448Rebase Tor Browser stable onto Firefox 115.9.0esr2024-03-13T08:08:26ZPier Angelo VendrameRebase Tor Browser stable onto Firefox 115.9.0esr**NOTE:** All examples in this template reference the rebase from 102.7.0esr to 102.8.0esr
<details>
<summary>Explanation of Variables</summary>
- `$(ESR_VERSION)`: the Mozilla defined ESR version, used in various places for building...**NOTE:** All examples in this template reference the rebase from 102.7.0esr to 102.8.0esr
<details>
<summary>Explanation of Variables</summary>
- `$(ESR_VERSION)`: the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc
- **Example**: `102.8.0`
- `$(ESR_TAG)`: the Mozilla defined hg (Mercurial) tag associated with `$(ESR_VERSION)`
- **Example**: `FIREFOX_102_8_0esr_RELEASE`
- `$(ESR_TAG_PREV)`: the Mozilla defined hg (Mercurial) tag associated with the previous ESR version when rebasing (ie, the ESR version we are rebasing from)
- **Example**: `FIREFOX_102_7_0esr_BUILD1`
- `$(BROWSER_MAJOR)`: the browser major version
- **Example**: `12`
- `$(BROWSER_MINOR)`: the browser minor version
- **Example**: either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
- `$(BASE_BROWSER_BRANCH)`: the full name of the current `base-browser` branch
- **Example**: `base-browser-102.8.0esr-12.0-1`
- `$(BASE_BROWSER_BRANCH_PREV)`: the full name of the previous `base-browser` branch
- **Example**: `base-browser-102.7.0esr-12.0-1`
- `$(TOR_BROWSER_BRANCH)`: the full name of the current `tor-browser` branch
- **Example**: `tor-browser-102.8.0esr-12.0-1`
- `$(TOR_BROWSER_BRANCH_PREV)`: the full name of the previous `tor-browser` branch
- **Example**: `tor-browser-102.7.0esr-12.0-1`
</details>
### **Bookkeeping**
- [x] Link this issue to the appropriate [Release Prep](https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/?sort=updated_desc&state=opened&label_name%5B%5D=Release%20Prep) issue.
### Update Branch Protection Rules
- [ ] In [Repository Settings](https://gitlab.torproject.org/tpo/applications/tor-browser/-/settings/repository):
- [ ] Remove previous stable `base-browser` and `tor-browser` branch protection rules (this will prevent pushing new changes to the branches being rebased)
- [ ] Create new `base-browser` and `tor-browser` branch protection rule:
- **Branch**: `*-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1*`
- **Example**: `*-102.8.0esr-12.0-1*`
- **Allowed to merge**: `Maintainers`
- **Allowed to push and merge**: `Maintainers`
- **Allowed to force push**: `false`
### **Identify the Firefox Tagged Commit and Create New Branches**
- [ ] Find the Firefox mercurial tag here: https://hg.mozilla.org/releases/mozilla-esr102/tags
- **Example**: `FIREFOX_102_8_0esr_BUILD1`
- [ ] Find the analogous `gecko-dev` commit: https://github.com/mozilla/gecko-dev
- **Tip**: Search for unique string (like the Differential Revision ID) found in the mercurial commit in the `gecko-dev/esr102` branch to find the equivalent commit
- **Example**: `3a3a96c9eedd02296d6652dd50314fccbc5c4845`
- [ ] Sign and Tag `gecko-dev` commit
- Sign/Tag `gecko-dev` commit :
- **Tag**: `$(ESR_TAG)`
- **Message**: `Hg tag $(ESR_TAG)`
- [ ] Create new stable `base-browser` branch from tag
- Branch name in the form: `base-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1`
- **Example**: `base-browser-102.8.0esr-12.0-1`
- [ ] Create new stable `tor-browser` branch from
- Branch name in the form: `tor-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1`
- **Example**: `tor-browser-102.8.0esr-12.0-1`
- [ ] Push new `base-browser` branch to `upstream`
- [ ] Push new `tor-browser` branch to `upstream`
- [ ] Push new `$(ESR_TAG)` to `upstream`
### **Rebase tor-browser**
- [ ] Checkout a new local branch for the `tor-browser` rebase
- **Example**: `git branch tor-browser-rebase FIREFOX_102_8_0esr_BUILD1`
- [ ] **(Optional)** `base-browser` rebase
- **NOTE** This step may be skipped if the `HEAD` of the previous `base-browser` branch is a `-buildN` tag
- [ ] Cherry-pick the previous `base-browser` commits up to `base-browser`'s `buildN` tag onto new `base-browser` rebase branch
- **Example**: `git cherry-pick FIREFOX_102_7_0esr_BUILD1..base-browser-102.7.0esr-12.0-1-build1`
- [ ] Rebase and autosquash these cherry-picked commits
- **Example**: `git rebase --autosquash --interactive FIREFOX_102_8_0esr_BUILD1 HEAD`
- [ ] Cherry-pick remainder of patches after the `buildN` tag
- **Example**: `git cherry-pick base-browser-102.7.0esr-12.0-1-build1..upstream/base-browser-102.7.0esr-12.0-1`
- [ ] `tor-browser` rebase
- [ ] Note the current git hash of `HEAD` for `tor-browser` rebase+autosquash step: `git rev-parse HEAD`
- [ ] Cherry-pick the appropriate previous `tor-browser` branch's commit range up to the last `tor-browser` `buildN` tag
- **Example**: `git cherry-pick base-browser-102.7.0esr-12.0-1-build1..tor-browser-102.7.0esr-12.0-1-build1`
- **Example (if separate base-browser rebase was skipped)**: `git cherry-pick FIREFOX_102_7_0esr_BUILD1..tor-browser-102.7.0esr-12.0-1-build1`
- [ ] Rebase and autosquash these newly cherry-picked commits: `git rebase --autosquash --interactive $(PREV_HEAD)`
- **Example**: `git rebase --autosquash --interactive FIREFOX_102_8_0esr_RELEASE`
- [ ] Cherry-pick remainder of patches after the last `tor-browser` `buildN` tag
- **Example**: `git cherry-pick tor-browser-102.7.0esr-12.0-1-build1..upstream/tor-browser-102.7.0esr-12.0-1`
- [ ] Rebase and autosquash again, this time replacing all `fixup` and `squash` commands with `pick`. The goal here is to have all of the `fixup` and `squash` commits beside the commit which they modify, but kept un-squashed for easy debugging/bisecting.
- **Example**: `git rebase --autosquash --interactive FIREFOX_102_8_0esr_RELEASE`
- [ ] Compare patch sets to ensure nothing *weird* happened during conflict resolution:
- [ ] diff of diffs:
- Do the diff between `current_patchset.diff` and `rebased_patchset.diff` with your preferred difftool and look at differences on lines that starts with + or -
- `git diff $(ESR_TAG_PREV)..$(BROWSER_BRANCH_PREV) > current_patchset.diff`
- `git diff $(ESR_TAG)..$(BROWSER_BRANCH) > rebased_patchset.diff`
- diff `current_patchset.diff` and `rebased_patchset.diff`
- If everything went correctly, the only lines which should differ should be the lines starting with `index abc123...def456` (unless the previous `base-browser` branch includes changes not included in the previous `tor-browser` branch)
- [ ] rangediff: `git range-diff $(ESR_TAG_PREV)..$(TOR_BROWSER_BRANCH_PREV) $(ESR_TAG)..HEAD`
- **Example**: `git range-dif FIREFOX_102_7_0esr_BUILD1..upstream/tor-browser-102.7.0esr-12.0-1 FIREFOX_102_8_0esr_BUILD1..HEAD`
- [ ] Open MR for the `tor-browser` rebase
- [ ] Merge
- Update and push `base-browser` branch
- [ ] Reset the new `base-browser` branch to the appropriate commit in this new `tor-browser` branch
- [ ] Push these commits to `upstream`
### **Sign and Tag**
- [ ] Sign/Tag `HEAD` of the merged `tor-browser` branch:
- **Tag**: `tor-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1-build1`
- **Message**: `Tagging build1 for $(ESR_VERSION)esr-based stable`
- [ ] Push tag to `upstream`
- [ ] Sign/Tag HEAD of the merged `base-browser` branch:
- **Tag**: `base-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1-build1`
- **Message**: `Tagging build1 for $(ESR_VERSION)esr-based stable`
- [ ] Push tag to `upstream`Pier Angelo VendramePier Angelo Vendramehttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42446Improve accessible descriptions in built-in dialog2024-03-26T20:42:37ZhenryImprove accessible descriptions in built-in dialogCurrently the "Current bridge" label is present in the aria description for the radio options, even if the label is hidden.
Moreover, the "Current bridge" text is concatenated with the rest of the description, without any punctuation se...Currently the "Current bridge" label is present in the aria description for the radio options, even if the label is hidden.
Moreover, the "Current bridge" text is concatenated with the rest of the description, without any punctuation separation.henryhenryhttps://gitlab.torproject.org/tpo/tpa/team/-/issues/41556Deploy Tor Weather 2.02024-03-25T13:18:01ZGeorg KoppenDeploy Tor Weather 2.0@sarthikg has re-written Tor Weather (yay!) and we want to deploy the 2.0 version now. There are architectural changes as well that e.g. do not need any onionoo-service and onionoo-timer jobs anymore. Morevover, IIRC we need to do some d...@sarthikg has re-written Tor Weather (yay!) and we want to deploy the 2.0 version now. There are architectural changes as well that e.g. do not need any onionoo-service and onionoo-timer jobs anymore. Morevover, IIRC we need to do some database migrations as well. So, this will be exciting I guess. :)Jérôme Charaouilavamind@torproject.orgJérôme Charaouilavamind@torproject.orghttps://gitlab.torproject.org/tpo/team/-/issues/266Prepare DRL meeting2024-03-27T20:53:09ZGabagaba@torproject.orgPrepare DRL meetingGabagaba@torproject.orgGabagaba@torproject.org2024-03-19https://gitlab.torproject.org/tpo/team/-/issues/265Draft agenda2024-03-25T17:38:08ZGabagaba@torproject.orgDraft agendaGabagaba@torproject.orgGabagaba@torproject.org2024-03-26https://gitlab.torproject.org/tpo/tpa/team/-/issues/41555failed disk on fsn-node-022024-03-12T19:23:34ZJérôme Charaouilavamind@torproject.orgfailed disk on fsn-node-02One of the 10GB HDDs on fsn-node-02 has failed over the weekend. The raid-1 volume below `vg_ganeti_hdd` is thus degraded but otherwise healthy.One of the 10GB HDDs on fsn-node-02 has failed over the weekend. The raid-1 volume below `vg_ganeti_hdd` is thus degraded but otherwise healthy.Jérôme Charaouilavamind@torproject.orgJérôme Charaouilavamind@torproject.orghttps://gitlab.torproject.org/tpo/network-health/metrics/tor_fusion/-/issues/4tor_fusion doesn't parse tgen streams2024-03-11T15:55:43ZHirotor_fusion doesn't parse tgen streamsIt seems the tgen streams parser is busted.It seems the tgen streams parser is busted.HiroHirohttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42441Evaluate RR version-by-RR version rebases instead of ESR-to-ESR2024-03-27T11:06:13ZPier Angelo VendrameEvaluate RR version-by-RR version rebases instead of ESR-to-ESRTraditionally, we're switching from a Firefox ESR version to the next one.
I've done this work twice now, and I can see some of the problems it involves.
First, at a certain point we have to focus this change and we're in a sort of lim...Traditionally, we're switching from a Firefox ESR version to the next one.
I've done this work twice now, and I can see some of the problems it involves.
First, at a certain point we have to focus this change and we're in a sort of limbo with patches developed for the previous ESR while we're already rebasing, and the rebaser has to catch a lot.
Second, the rebase is a lot of work, but reviewing it is also a big one.
Third, we have a lots of conflicts.
In 13 Firefox versions, it's very likely that a commit is going to cause conflicts.
Because the long time it takes to do this work, last year I decided to start when 115 started nightly.
It gave us 2 additional months, which was great, considering it raised our budget from 3 months to 5 months.
I thought if I could do better, and I came up with the idea of traversing RR version by RR version, and I've started to do so.
My impression is that differences are much smaller, therefore easier to explain.
Also, it's a work we can spread during the year, and we can be ready to move to the build/Android parts sooner (even though also for Android we could do something similar), or in any case give some of the 5 months time to all members of the team.
I can see some disadvantages (and limits) also with this approach:
- it's possible that with 13 rebases instead of just a few ones we lose more parts of the patches
- possibly more (easy) conflicts to solve, so they might require more time at the end, than solving only one big conflict (but I'm not sure, I don't have metrics)
- I've gone with a quick approach: I haven't solved non-trivial problems that involve fixing a patch, and I haven't tried to build/run
- more load on the team (more reviews to do, if we end up not taking the quick way we might have to work on build problems every month)
- as an alternative, the reviews could be done with a lower frequency, or even when we arrive to our final target (it will be a huge review on one shot, but at least it will be possible to find when something has changed more easily, by going through my notes)
- I started from 115.x and go back to 115.0 to then go through the mozilla/release branch. I had a few conflicts because of the various backports. Starting this work as soon as possible would help with this.Pier Angelo VendramePier Angelo Vendramehttps://gitlab.torproject.org/tpo/tpa/team/-/issues/41552Grant cohosh developer access to the blog project2024-03-07T02:44:43ZanarcatGrant cohosh developer access to the blog projectFollowing the [instructions on the blog wiki page](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/service/blog#1-navigate-to-the-gitlab-blog-project-at-httpsgitlabtorprojectorgtpowebblog) led me here :) Do you need me to sign this re...Following the [instructions on the blog wiki page](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/service/blog#1-navigate-to-the-gitlab-blog-project-at-httpsgitlabtorprojectorgtpowebblog) led me here :) Do you need me to sign this request?anarcatanarcathttps://gitlab.torproject.org/tpo/tpa/team/-/issues/41551Grant cohosh developer access to the blog project2024-03-07T02:44:24ZCecylia BocovichGrant cohosh developer access to the blog projectFollowing the [instructions on the blog wiki page](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/service/blog#1-navigate-to-the-gitlab-blog-project-at-httpsgitlabtorprojectorgtpowebblog) led me here :) Do you need me to sign this re...Following the [instructions on the blog wiki page](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/service/blog#1-navigate-to-the-gitlab-blog-project-at-httpsgitlabtorprojectorgtpowebblog) led me here :) Do you need me to sign this request?anarcatanarcathttps://gitlab.torproject.org/tpo/web/manual/-/issues/156New translations available for the manual: tk, ja2024-03-07T16:56:04ZemmapeelNew translations available for the manual: tk, jaThe manual can be released to Turkmen and Japanese, they are 100% translated.The manual can be released to Turkmen and Japanese, they are 100% translated.emmapeelemmapeelhttps://gitlab.torproject.org/tpo/network-health/team/-/issues/350New round of contacting operators for DNS issues and badexiting problematic r...2024-03-13T08:51:22ZGeorg KoppenNew round of contacting operators for DNS issues and badexiting problematic relays (2024-03-04)We got the following report:
```
Relay 032E18F26B35047A20EB1F0E480D0DFD3D8AB6E2 failed DNS check 5/5 times
Relay 54FAC042C6F2FDEB449DD5B9EDE6833D155C538B failed DNS check 5/5 times
Relay 74F49CD5F9E94EDBF1F8D8705B4C64E88C1CC344 failed DN...We got the following report:
```
Relay 032E18F26B35047A20EB1F0E480D0DFD3D8AB6E2 failed DNS check 5/5 times
Relay 54FAC042C6F2FDEB449DD5B9EDE6833D155C538B failed DNS check 5/5 times
Relay 74F49CD5F9E94EDBF1F8D8705B4C64E88C1CC344 failed DNS check 2/2 times
Relay 9B31F1F1C1554F9FFB3455911F82E818EF7C7883 failed DNS check 4/4 times
Relay CB3B9D9932A51F2A2E120EAE0B5F9409EE371E80 failed DNS check 5/5 times
Relay D0E13EA9121FC221E2299A62420FB952B18AB6D2 failed DNS check 5/5 times
```
After double-checking it turns out that 3 of them still have issues:
```
[+] 032E18F26B35047A20EB1F0E480D0DFD3D8AB6E2
> Addr: 23.137.249.227 - Contact: 'tornode2022@protonmail.com' - Nickname: 'hogman9' - Version: 0.4.8.10
> Flags: ['Exit', 'Fast', 'Running', 'Stable', 'Valid']
> OR Port: 443, Dir Port: 0
> Bandwidth: 20.860104 MB/s
> Uptime: 8 days, 9:03:32
https://metrics.torproject.org/rs.html#details/032E18F26B35047A20EB1F0E480D0DFD3D8AB6E2
[+] 54FAC042C6F2FDEB449DD5B9EDE6833D155C538B
> Addr: 91.219.236.101 - Contact: 'email:denny.obreham[]a-n-o-n-y-m-e.net url:https://a-n-o-n-y-m-e.net proof:uri-rsa donationurl:https://a-n-o-n-y-m-e.net ciissversion:2' - Nickname: 'Lyle' - Version: 0.4.8.10
> Flags: ['Exit', 'Fast', 'Running', 'V2Dir', 'Valid']
> OR Port: 443, Dir Port: 0
> Bandwidth: 7.293411 MB/s
> Uptime: 3 days, 0:00:19
https://metrics.torproject.org/rs.html#details/54FAC042C6F2FDEB449DD5B9EDE6833D155C538B
[+] 9B31F1F1C1554F9FFB3455911F82E818EF7C7883
> Addr: 185.100.86.128 - Contact: 'potlatch protonmail com' - Nickname: 'TorExitFinland' - Version: 0.4.8.10
> Flags: ['Exit', 'Fast', 'Running', 'Stable', 'V2Dir', 'Valid']
> OR Port: 9001, Dir Port: 0
> Bandwidth: 3.0847629999999997 MB/s
> Uptime: 3 days, 18:22:19
https://metrics.torproject.org/rs.html#details/9B31F1F1C1554F9FFB3455911F82E818EF7C7883
```
I'll reach out.Georg KoppenGeorg Koppenhttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/41101Prepare Tor Browser 13.0.11 (emergency release)2024-03-06T14:10:31ZPier Angelo VendramePrepare Tor Browser 13.0.11 (emergency release)<details>
<summary>Explanation of variables</summary>
- `$(BUILD_SERVER)` : the server the main builder is using to build a tor-browser release
- `$(BUILDER)` : whomever is building the release on the $(BUILD_SERVER)
- **example** :...<details>
<summary>Explanation of variables</summary>
- `$(BUILD_SERVER)` : the server the main builder is using to build a tor-browser release
- `$(BUILDER)` : whomever is building the release on the $(BUILD_SERVER)
- **example** : `pierov`
- `$(STAGING_SERVER)` : the server the signer is using to to run the signing process
- `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc
- **example** : `91.6.0`
- `$(TOR_BROWSER_MAJOR)` : the Tor Browser major version
- **example** : `11`
- `$(TOR_BROWSER_MINOR)` : the Tor Browser minor version
- **example** : either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
- `$(TOR_BROWSER_VERSION)` : the Tor Browser version in the format
- **example** : `12.5a3`, `12.0.3`
- `$(BUILD_N)` : a project's build revision within a its branch; this is separate from the `$(TOR_BROWSER_BUILD_N)` value; many of the Firefox-related projects have a `$(BUILD_N)` suffix and may differ between projects even when they contribute to the same build.
- **example** : `build1`
- `$(TOR_BROWSER_BUILD_N)` : the tor-browser build revision for a given Tor Browser release; used in tagging git commits
- **example** : `build2`
- **NOTE** : A project's `$(BUILD_N)` and `$(TOR_BROWSER_BUILD_N)` may be the same, but it is possible for them to diverge. For example :
- if we have multiple Tor Browser releases on a given ESR branch the two will become out of sync as the `$(BUILD_N)` value will increase, while the `$(TOR_BROWSER_BUILD_N)` value may stay at `build1` (but the `$(TOR_BROWSER_VERSION)` will increase)
- if we have build failures unrelated to `tor-browser`, the `$(TOR_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same.
- `$(TOR_BROWSER_VERSION)` : the published Tor Browser version
- **example** : `11.5a6`, `11.0.7`
- `$(TBB_BUILD_TAG)` : the `tor-browser-build` build tag used to build a given Tor Browser version
- **example** : `tbb-12.0.7-build1`
</details>
**NOTE** It is assumed that the `tor-browser` stable rebase and security backport tasks have been completed
**NOTE** This can/is often done in conjunction with the equivalent Mullvad Browser release prep issue
<details>
<summary>Building</summary>
### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git
Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)` (and possibly more specific) branches.
- [x] Update `rbm.conf`
- [x] `var/torbrowser_version` : update to next version
- [x] `var/torbrowser_build` : update to `$(TOR_BROWSER_BUILD_N)`
- [x] ***(Desktop Only)***`var/torbrowser_incremental_from` : update to previous Desktop version
- **NOTE**: We try to build incrementals for the previous 3 desktop versions except in the case of a watershed update
- **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make torbrowser-incrementals-*` step will fail
- [x] Update Desktop-specific build configs
- [x] Update `projects/firefox/config`
- [x] `browser_build` : update to match `tor-browser` tag
- [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased
- [x] Update Android-specific build configs
- [ ] Update `projects/geckoview/config`
- [ ] `browser_build` : update to match `tor-browser` tag
- [ ] ***(Optional)*** `var/geckoview_version` : update to latest `$(ESR_VERSION)` if rebased
- [ ] ***(Optional)*** Update `projects/tor-android-service/config`
- [ ] `git_hash` : update with `HEAD` commit of project's `main` branch
- [ ] ***(Optional)*** Update `projects/application-services/config`:
**NOTE** we don't currently have any of our own patches for this project
- [ ] `git_hash` : update to appropriate git commit associated with `$(ESR_VERSION)`
- [x] ***(Optional)*** Update `projects/firefox-android/config`:
- [ ] `fenix_version` : update to match stable `firefox-android` build tag
- [ ] `browser_branch` : update to match stable `firefox-android` build tag
- [x] `browser_build` : update to match stable `firefox-android` build tag
variant: Beta
- [x] Update allowed_addons.json by running (from `tor-browser-build` root):
- `./tools/fetch_allowed_addons.py > projects/browser/allowed_addons.json`
- [x] Update `projects/translation/config`:
- [x] run `make list_translation_updates-release` to get updated hashes
- [x] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch
- [x] `steps/tor-browser/git_hash` : update with `HEAD` commit of project's `tor-browser` branch
- [x] `steps/fenix/git_hash` : update with `HEAD` commit of project's `fenix-torbrowserstringsxml` branch
- [x] Update common build configs
- [x] Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript
- [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/browser/config`
- [ ] `URL`
- [ ] `sha256sum`
- [x] Check for OpenSSL updates here : https://www.openssl.org/source/
- [ ] ***(Optional)*** If new 3.0.X version available, update `projects/openssl/config`
- [ ] `version` : update to next 3.0.X version
- [ ] `input_files/sha256sum` : update to sha256 sum of source tarball
- [x] Check for zlib updates here: https://github.com/madler/zlib/releases
- [ ] **(Optional)** If new tag available, update `projects/zlib/config`
- [ ] `version` : update to next release tag
- [x] Check for tor updates here : https://gitlab.torproject.org/tpo/core/tor/-/tags
- [ ] ***(Optional)*** Update `projects/tor/config`
- [ ] `version` : update to latest non `-alpha` tag (ping dgoulet or ahf if unsure)
- [x] Check for go updates here : https://go.dev/dl
- **NOTE** : In general, Tor Browser Stable uses the latest of the *previous* Stable major series Go version, but there are sometimes exceptions. Check with the anti-censorship team before doing a major version update in case there is incompatibilities.
- [ ] ***(Optional)*** Update `projects/go/config`
- [ ] `version` : update go version
- [ ] `input_files/sha256sum` for `go` : update sha256sum of archive (sha256 sums are displayed on the go download page)
- [x] Check for manual updates by running (from `tor-browser-build` root): `./tools/fetch-manual.py`
- [x] ***(Optional)*** If new version is available:
- [x] Upload the downloaded `manual_$PIPELINEID.zip` file to `tb-build-02.torproject.org`
- [x] Deploy to `tb-builder`'s `public_html` directory:
- `sudo -u tb-builder cp manual_$PIPELINEID.zip ~tb-builder/public_html/.`
- [x] Update `projects/manual/config`:
- [x] Change the `version` to `$PIPELINEID`
- [x] Update `sha256sum` in the `input_files` section
- [x] Update `ChangeLog-TBB.txt`
- [x] Ensure `ChangeLog-TBB.txt` is sync'd between alpha and stable branches
- [x] Check the linked issues: ask people to check if any are missing, remove the not fixed ones
- [x] Run `./tools/fetch-changelogs.py $(ISSUE_NUMBER) --date $date $updateArgs`
- Make sure you have `requests` installed (e.g., `apt install python3-requests`)
- The first time you run this script you will need to generate an access token; the script will guide you
- `$updateArgs` should be these arguments, depending on what you actually updated:
- [ ] `--firefox` (be sure to include esr at the end if needed, which is usually the case)
- [ ] `--tor`
- [ ] `--no-script`
- [ ] `--openssl`
- [ ] `--zlib`
- [ ] `--go`
- E.g., `./tools/fetch-changelogs.py 41028 --date 'December 19 2023' --firefox 115.6.0esr --tor 0.4.8.10 --no-script 11.4.29 --zlib 1.3 --go 1.21.5 --openssl 3.0.12`
- `--date $date` is optional, if omitted it will be the date on which you run the command
- [x] Copy the output of the script to the beginning of `ChangeLog-TBB.txt` and adjust its output
- [x] Open MR with above changes, using the template for release preparations
- [x] Merge
- [x] Sign+Tag
- **NOTE** this must be done by one of:
- boklm
- dan
- ma1
- pierov
- richard
- [x] Run: `make torbrowser-signtag-release`
- [x] Push tag to `upstream`
- [x] Build the tag:
- Run `make torbrowser-release && make torbrowser-incrementals-release`
- [x] Tor Project build machine
- [x] Local developer machine
- [x] Submit build request to Mullvad infrastructure:
- **NOTE** this requires a devmole authentication token
- Run `make torbrowser-kick-devmole-build`
- [x] Ensure builders have matching builds
</details>
<details>
<summary>Communications</summary>
### notify stakeholders
- [x] **(Once builds confirmed matching)** Email tor-qa mailing list with release information
- [x] tor-qa: tor-qa@lists.torproject.org
- **Subject**
```
Tor Browser $(TOR_BROWSER_VERION) (Android, Windows, macOS, Linux)
```
- **Body**
```
Hello,
Unsigned Tor Browser $(TOR_BROWSER_VERSION) release candidate builds are now available for testing:
- https://tb-build-02.torproject.org/~$(BUILDER)/builds/torbrowser/release/unsigned/$(TOR_BROWSER_VERSION)/
The full changelog can be found here:
- https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/raw/$(TBB_BUILD_TAG)/projects/browser/Bundle-Data/Docs-TBB/ChangeLog.txt
```
- [x] Email packagers:
- [x] Tails dev mailing list: tails-dev@boum.org
- [x] Guardian Project: nathan@guardianproject.info
- [x] FreeBSD port: freebsd@sysctl.cz <!-- Gitlab user maxfx -->
- [x] OpenBSD port: caspar@schutijser.com <!-- Gitlab user cschutijser -->
- [ ] Note any changes which may affect packaging/downstream integration
</details>
<details>
<summary>Signing</summary>
### release signing
- **NOTE** : In practice, it's most efficient to have the blog post and website updates ready to merge, since signing doesn't take very long
- [x] Assign this issue to the signer, one of:
- boklm
- richard
- [x] On `$(STAGING_SERVER)`, ensure updated:
- [x] `tor-browser-build` is on the right commit: `git tag -v tbb-$(TOR_BROWSER_VERSION)-$(TOR_BROWSER_BUILD_N) && git checkout tbb-$(TOR_BROWSER_VERSION)-$(TOR_BROWSER_BUILD_N)`
- [x] `tor-browser-build/tools/signing/set-config.hosts`
- `ssh_host_builder` : ssh hostname of machine with unsigned builds
- **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory)
- `ssh_host_linux_signer` : ssh hostname of linux signing machine
- [x] `tor-browser-build/tools/signing/set-config.rcodesign-appstoreconnect`
- `appstoreconnect_api_key_path` : path to json file containing appstoreconnect api key infos
- [x] `set-config.update-responses`
- `update_responses_repository_dir` : directory where you cloned `git@gitlab.torproject.org:tpo/applications/tor-browser-update-responses.git`
- [x] `tor-browser-build/tools/signing/set-config.tbb-version`
- `tbb_version` : tor browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`)
- `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`)
- `tbb_version_type` : either `alpha` for alpha releases or `release` for stable releases
- [x] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
- [x] On `$(STAGING_SERVER)` in a separate `screen` session, run do-all-signing script:
- `cd tor-browser-build/tools/signing/`
- `./do-all-signing.torbrowser`
- **NOTE**: at this point the signed binaries should have been copied to `staticiforme`
- [x] Update `staticiforme.torproject.org`:
- From `screen` session on `staticiforme.torproject.org`:
- [x] Static update components : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org`
- [x] Enable update responses : `sudo -u tb-release ./deploy_update_responses-release.sh`
- [x] Remove old release data from following places:
- **NOTE** : Skip this step if we need to hold on to older versions for some reason (for example, this is an Andoid or Desktop-only release, or if we need to hold back installers in favor of build-to-build updates if there are signing issues, etc)
- [x] `/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser`
- [x] `/srv/dist-master.torproject.org/htdocs/torbrowser`
- [x] Static update components (again) : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org`
</details>
<details>
<summary>Signature verification</summary>
<details>
<summary>Check whether the .exe files got properly signed and timestamped</summary>
```bash
# Point OSSLSIGNCODE to your osslsigncode binary
pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION
OSSLSIGNCODE=/path/to/osslsigncode
../../../tools/authenticode_check.sh
popd
```
</details>
<details>
<summary>Check whether the MAR files got properly signed</summary>
```bash
# Point NSSDB to your nssdb containing the mar signing certificate
# Point SIGNMAR to your signmar binary
# Point LD_LIBRARY_PATH to your mar-tools directory
pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION
NSSDB=/path/to/nssdb
SIGNMAR=/path/to/mar-tools/signmar
LD_LIBRARY_PATH=/path/to/mar-tools/
../../../tools/marsigning_check.sh
popd
```
</details>
</details>
<details>
<summary>Publishing</summary>
### Google Play: https://play.google.com/apps/publish
- [x] Publish APKs to Google Play:
- Select `Tor Browser` app
- Navigate to `Release > Production` and click `Create new release` button:
- Upload the `tor-browser-android-*.apk` APKs
- Update Release Name to Tor Browser version number
- Update Release Notes
- Next to 'Release notes', click `Copy from a previous release`
- Edit blog post url to point to most recent blog post
- Save, review, and configure rollout percentage
- [ ] 25% rollout when publishing a scheduled update
- [x] 100% rollout when publishing a security-driven release
- [ ] Update rollout percentage to 100% after confirmed no major issues
### website: https://gitlab.torproject.org/tpo/web/tpo.git
- [x] `databags/versions.ini` : Update the downloads versions
- `torbrowser-stable/version` : sort of a catch-all for latest stable version
- `torbrowser-alpha/version` : sort of a catch-all for latest stable version
- `torbrowser-*-stable/version` : platform-specific stable versions
- `torbrowser-*-alpha/version` : platform-specific alpha versions
- `tor-stable`,`tor-alpha` : set by tor devs, do not touch
- [x] Push to origin as new branch, open 'Draft :' MR
- [x] Remove `Draft:` from MR once signed-packages are accessible on https://dist.torproject.org
- [x] Merge
- [x] Publish after CI passes and builds are published
### blog: https://gitlab.torproject.org/tpo/web/blog.git
- [x] Run `tools/signing/create-blog-post` which should create the new blog post from a template (edit set-config.blog to set you local blog directory)
- [ ] Note any ESR update
- [ ] Note any updates to dependencies (OpenSSL, zlib, NoScript, tor, etc)
- [ ] Thank any users which have contributed patches
- [x] Push to origin as new branch, open `Draft:` MR
- [x] Merge once signed-packages are accessible on https://dist.torproject.org
- [x] Publish after CI passes and website has been updated
### tor-announce mailing list
- [x] Email tor-announce mailing list: tor-announce@lists.torproject.org
- **Subject**
```
New Release: Tor Browser $(TOR_BROWSER_VERSION) (Android, Windows, macOS, Linux)
```
- **Body**
```
Hi everyone,
Tor Browser $(TOR_BROWSER_VERSION) has now been published for all platforms. For details please see our blog post:
- $(BLOG_POST_URL)
Changelog:
# paste changleog as quote here
```
</details>richardrichardhttps://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/lyrebird/-/issues/40014Intergrating WebTunnel into Lyrebird to reduce Distributed Binary Size2024-03-26T14:17:29ZshelikhooIntergrating WebTunnel into Lyrebird to reduce Distributed Binary SizeWe are considering integrating WebTunnel into WebTunnel in order to reduce the binary size of distributed binary.
This is a request from application team: the apk size is increasing and approaching the limit of Play Store. It might be b...We are considering integrating WebTunnel into WebTunnel in order to reduce the binary size of distributed binary.
This is a request from application team: the apk size is increasing and approaching the limit of Play Store. It might be beneficial for us to move webtunnel's entry point to Lyrebird to avoid shipping one more copy of the Go Runtime library.shelikhooshelikhoohttps://gitlab.torproject.org/tpo/network-health/sbws/-/issues/40195Figure out why server descriptor observed bandwidth is not seen for at least ...2024-03-18T14:59:16ZjugaFigure out why server descriptor observed bandwidth is not seen for at least 4 days by some bwauthsOne reason could be that at the moment of the measurement, sbws can't see it.
Other could be that when the measurement fails, the original data structures doesn't store that moment observed bandwidth. I think i created an issue for this ...One reason could be that at the moment of the measurement, sbws can't see it.
Other could be that when the measurement fails, the original data structures doesn't store that moment observed bandwidth. I think i created an issue for this last one that at that moment didn't look important and it doesn't happen in onbasca. Maybe it's one of these: https://gitlab.torproject.org/tpo/network-health/sbws/-/issues/?sort=updated_desc&state=closed&search=observed&first_page_size=100
Maybe https://gitlab.torproject.org/tpo/network-health/sbws/-/issues/40190 could be happening due this too (observed getting higher and sbws taking days to realize)jugajugahttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42437Drop "torbrowser.version" preference2024-03-26T20:27:58ZhenryDrop "torbrowser.version" preference"torbrowser.version" is defined based on `__BASE_BROWSER_VERSION_QUOTED__`, but is only used in one place: https://gitlab.torproject.org/tpo/applications/tor-browser/-/blob/8614325290175a7253f11501d823db65ab805257/browser/components/abou..."torbrowser.version" is defined based on `__BASE_BROWSER_VERSION_QUOTED__`, but is only used in one place: https://gitlab.torproject.org/tpo/applications/tor-browser/-/blob/8614325290175a7253f11501d823db65ab805257/browser/components/abouttor/AboutTorMessage.sys.mjs#L30.
But we could just use the existing "browser.startup.homepage_override.torbrowser.version" instead.henryhenryhttps://gitlab.torproject.org/tpo/network-health/metrics/website/-/issues/40109Rename "Blocked in" to "Not distributed in"2024-03-11T12:56:06ZGeorg KoppenRename "Blocked in" to "Not distributed in"We don't have means right now to test whether bridges are actually blocked in, say, Russia right now or not, yet we claim that bridges *are* blocked in Russia when the assignments file contains `blocklist=ru`. However, that's only an ind...We don't have means right now to test whether bridges are actually blocked in, say, Russia right now or not, yet we claim that bridges *are* blocked in Russia when the assignments file contains `blocklist=ru`. However, that's only an indicator that the bridges in question are not getting distributed in Russia at the moment (for whatever reason).
Thus, to be less confusing we should rename our "Blocked in" part to "Not distributed in". Note: the tooltip is pretty accurate, though.
(This got brought up at the relay operator meet-up 2024-03-02).Georg KoppenGeorg Koppenhttps://gitlab.torproject.org/tpo/community/support/-/issues/40148Front desk - Create a template to help users connect to Snowflake2024-03-04T21:04:29ZGusFront desk - Create a template to help users connect to SnowflakeDue the ongoing issue with Fastly front domains (https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/135), and while it's not fixed on Tor Browser built-in bridge, let's create a template to help users from China to circumven...Due the ongoing issue with Fastly front domains (https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/135), and while it's not fixed on Tor Browser built-in bridge, let's create a template to help users from China to circumvent censorship with Snowflake.
I created a draft, but maybe we want to add the bridge-moji and other instructions?
https://rt.torproject.org/Articles/Article/Display.html?id=252
wdyt, @ebanam?Sponsor 96: Rapid Expansion of Access to the Uncensored Internet through Tor in China, Hong Kong, & Tibetebanamebanam@torproject.orgebanamebanam@torproject.orghttps://gitlab.torproject.org/tpo/tpa/team/-/issues/41549BTCPayServer is Down2024-03-18T23:29:44ZSusanBTCPayServer is DownI am unable to connect to the btcpay.torproject.org. It says the site cannot be reached. I believe this means that donors cannot use it to donate either.I am unable to connect to the btcpay.torproject.org. It says the site cannot be reached. I believe this means that donors cannot use it to donate either.anarcatanarcathttps://gitlab.torproject.org/tpo/tpa/team/-/issues/41546GitLab CI object storage cache is broken2024-03-06T20:34:17ZJérôme Charaouilavamind@torproject.orgGitLab CI object storage cache is brokenAll our GitLab CI jobs seem to be failing to upload caches to the MinIO object storage bucket:
```
Uploading cache.zip to https://minio.torproject.org:9000/gitlab-ci-runner-cache/project/2302/default-non_protected
FATAL: received: 403 ...All our GitLab CI jobs seem to be failing to upload caches to the MinIO object storage bucket:
```
Uploading cache.zip to https://minio.torproject.org:9000/gitlab-ci-runner-cache/project/2302/default-non_protected
FATAL: received: 403 Forbidden
Failed to create cache
```
This is probably related to the recent rotation of credentials.anarcatanarcat