Reported in a comment on the blog:
https://blog.torproject.org/comment/275985#comment-275985

However we keep setting MAR_OLD_FORMAT=1 on the stable release for now.

We pick up fix for Windows bustage and a macOS reproducibility issue.
Moreover an update Torbutton version with a new icon gets included, too.

Picking up build2 and updating the Changelog

There is no `extension-overrides.js` in a profile direcory anymore.

For some reason the switch from 60.0.1esr to 60.1.0esr is causing
to break our builds because the 32bit linker is not capable of linking
gkrust nor libxul due to address space limitations anymore.

We keep the configuration for 32bit Linux bundles as we shipped them in
our nightly builds over the past couple of weeks but are avoiding
building browser debug information for now.

`intl.locale.matchOS` has been deprecated and the new preference is
`intl.locale.requested`, which is set by commit 473342ee. See bug
26073 for more information.

Changelog update and versions bump

Richard Pospesel authored Jun 19, 2018 and Georg Koppen committed Jun 22, 2018

The infrastructure for loading extension-overrides.js no longer
exists in ESR60, so these prefs had to be moved.

Unfortunately, we can't just dump the contents of extension-overrides.js
into 000-tor-browser.js.  The settings are actually partially built in
tor-browser-build to conditionally include various bridge strings as well
as localization settings.  So, we piggy back off this existing build
process and just append the contents of the partially generated
extension-overrids.js to 000-tor-browser.js.

Starting with content sandboxing being enabled our seatbelt profiles
have been broken (see: #22000). We should remove them for now to avoid
a broken experience in the alphas.

Sukhbir Singh authored Jun 17, 2018 and boklm committed Jun 19, 2018

This commit adds support for building the 64-bit version of NSIS, and
also bumps the version to 3.03. Doing this enables us to build MAR files
in a 64-bit container for the 64-bit version of Tor Browser; see bug
26363 and bug 24477.

The pe_checksum_fix.py doesn't work in a 64-bit container with the
bundled python-pefile version so we build its latest version to fix this
issue. This change is borrowed from commit bb32ec91 and updates
python-pefile to 2017.11.5.

The Debian package and the patches are no longer required as all changes
were merged upstream in 3.01-1. (See the nsis changelog in Debian.)

Mozilla switched from Bzip2 to LZMA as compression algorithm for MAR
files during th Firefox 56. That means esr52-based Tor Browsers don't
understand LZMA yet. Thus, we still use Bzip2 for the first esr60-based
MAR files and switch afterwards to LZMA.

After building Firefox we now get a 'Tor Browser.app' instead of a
'TorBrowser.app'. This patch makes sure the additional whitespace in the
app name is correctly handled by the build script and the one that deals
with packaging the final bundle.

We need to ship a fix for the Firefox packaging step as well as
|./mach package| wants to build the final .dmg in that step, too, which
breaks: there is no .dmg creation tool available. Setting
`INNER_MAKE_PACKAGE` to `true` does not seem to work anymore. That part
of this patch is currently only a workaround to get the nightly builds
going. We should come up with a better solution that allows us to skip
that part of the Firefox packaging step on all supported platforms.

Igor Oliveira authored May 23, 2018 and Sukhbir Singh committed May 29, 2018

intl.locale.requested is the new way that Gecko handles locales.

Revert the download URL to Mozilla Add-ons (AMO)

Changelog update and versions bump

https://bugs.torproject.org/22782#comment:7

This also uses the newer standalone broker on the backend (rather than
the one based on App Engine), but that should be invisible to users.

Patch by David Fifield

I converted the mac file to a unix file format as well using `dos2unix`
to get rid of the ^M characters that started to show up.

Changelog update, versions bump

Firefox version bump to pick up Pwn2Own fix

Changelog update and versions bump

Thanks to arma for catching this.

Changelog update and versions bump

Richard Pospesel authored Jan 18, 2018 and Georg Koppen committed Feb 21, 2018

After much debugging and investigation, it seems that the required
information needed to drive the first-party domain cannot be accessed in
the XmlHttpRequest creation path.  The JS context the part of pdf.js making
the range requests runs with does not have a reference to parent window and
associated LoadInfo information (which includes the requesting first-party
domain).

To fix the issue, we can easily disable support for range-based requests
via the pdfjs.disableRange property.  However, the side-effect here is
that pages can not be read as they load; the entire pdf must be
downloaded before it can be read and interacted with.

This patch updates each platforms extension-overrides.js to change this
pref.

We need to whitelist `[System+Principal]` for functioning settings
frames of WebExtensions on the about:addons page. On higher security
slider levels this is broken otherwise.

To quote Giorgio Maone (see: #25000 comment:14):

"The Tor Browser enforces permissions cascading, and in the Add-ons
Options window the top frame is about:addons, whose principal's origin
is [System+Principal]. Since this origin is omitted from Tor Browser's
version of NoScript mandatory whitelist, the top site by default is
considered forbidden, cascading down script blocking to the
WebExtension's subframe."

Kathleen Brade authored Feb 15, 2018 and boklm committed Feb 16, 2018

Tor Launcher's Moat client implementation uses Mozilla's Subprocess.jsm
module to start the meek client, and that module requires a complete
file path including the .exe suffix. For consistency, we now include
the .exe suffix everywhere.

Add a tbb_version.json file containing informations about the installed
bundle.

Changelog update and versions bump