Skip to content
Snippets Groups Projects
Select Git revision
  • main default protected
  • maint-13.5 protected
  • maint-14.0 protected
  • maint-13.5a11 protected
  • maint-13.5a10 protected
  • maint-13.0 protected
  • maint-12.5 protected
  • maint-12.0-mullvad protected
  • maint-12.0 protected
  • maint-11.5 protected
  • maint-11.0 protected
  • maint-11.5a10 protected
  • maint-10.5 protected
  • maint-11.0a8 protected
  • maint-10.0-android protected
  • maint-10.0-desktop protected
  • maint-10.5a3 protected
  • maint-10.0.3 protected
  • maint-10.0a9 protected
  • maint-9.5 protected
  • mb-14.5a4-build1 protected
  • tbb-14.5a4-build1 protected
  • mb-14.0.7-build2 protected
  • tbb-13.5.13-build1 protected
  • tbb-14.0.7-build2 protected
  • tbb-14.0.7-build1 protected
  • mb-14.5a3-build1 protected
  • tbb-14.5a3-build1 protected
  • tbb-14.0.6-build1 protected
  • tbb-13.5.12-build1 protected
  • mb-14.0.5-build1 protected
  • tbb-14.0.5-build1 protected
  • mb-14.5a2-build2 protected
  • tbb-14.5a2-build2 protected
  • mb-14.5a2-build1 protected
  • tbb-14.5a2-build1 protected
  • mb-14.0.4-build1 protected
  • tbb-14.0.4-build1 protected
  • tbb-13.5.11-build1 protected
  • mb-14.5a1-build1 protected
40 results
Blame Permalink
Release Prep - Mullvad Browser Stable.md 12.33 KiB

Release Prep Mullvad Browser Stable

  • NOTE It is assumed the mullvad-browser release rebase and security backport tasks have been completed
  • NOTE This can/is often done in conjunction with the equivalent Tor Browser release prep issue
Explanation of variables
  • ${BUILD_SERVER}: the server the main builder is using to build a browser release
  • ${BUILDER}: whomever is building the release on the ${BUILD_SERVER}
    • example: pierov
  • ${STAGING_SERVER}: the server the signer is using to to run the signing process
  • ${ESR_VERSION}: the Mozilla defined ESR version, used in various places for building browser tags, labels, etc
    • example: 91.6.0
  • ${MULLVAD_BROWSER_MAJOR}: the Mullvad Browser major version
    • example: 11
  • ${MULLVAD_BROWSER_MINOR}: the Mullvad Browser minor version
    • example: either 0 or 5; Alpha's is always (Stable + 5) % 10
  • ${MULLVAD_BROWSER_VERSION}: the Mullvad Browser version in the format
    • example: 12.5a3, 12.0.3
  • ${BUILD_N}: a project's build revision within a its branch; this is separate from the ${MULLVAD_BROWSER_BUILD_N} value; many of the Firefox-related projects have a ${BUILD_N} suffix and may differ between projects even when they contribute to the same build.
    • example: build1
  • ${MULLVAD_BROWSER_BUILD_N}: the mullvad-browser build revision for a given Mullvad Browser release; used in tagging git commits
    • example: build2
      • :warning: WARNING: A project's ${BUILD_N} and ${MULLVAD_BROWSER_BUILD_N} may be the same, but it is possible for them to diverge. For example :
        • if we have multiple Mullvad Browser releases on a given ESR branch the two will become out of sync as the ${BUILD_N} value will increase, while the ${MULLVAD_BROWSER_BUILD_N} value may stay at build1 (but the ${MULLVAD_BROWSER_VERSION} will increase)
        • if we have build failures unrelated to mullvad-browser, the ${MULLVAD_BROWSER_BUILD_N} value will increase while the ${BUILD_N} will stay the same.
  • ${MULLVAD_BROWSER_VERSION}: the published Mullvad Browser version
    • example: 11.5a6, 11.0.7
  • ${MB_BUILD_TAG}: the tor-browser-build build tag used to build a given Mullvad Browser version
    • example: mb-12.0.7-build1
  • ${RELEASE_DATE}: the intended release date of this browser release; for ESR schedule-driven releases, this should match the upstream Firefox release date
    • example: 2024-10-29
Build Configuration

mullvad-browser: https://gitlab.torproject.org/tpo/applications/mullvad-browser.git

  • Tag mullvad-browser commit:
    • example: mullvad-browser-128.3.0esr-14.0-1-build1
    • Run: 
      ./tools/browser/sign-tag.mullvadbrowser stable ${BUILD_N}

tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git

Mullvad Browser Stable is on the maint-${MULLVAD_BROWSER_MAJOR}.${MULLVAD_BROWSER_MINOR} branch

  • Changelog bookkeeping:
    • Ensure all commits to mullvad-browser and tor-browser-build for this release have an associated issue linked to this release preparation issue
    • Ensure each issue has a platform (Windows, MacOS, Linux, Desktop, All Platforms) and potentially Build System labels
  • Create a release preparation branch from the current maint-XX.Y branch
  • Run release preparation script:
    • NOTE: You can omit the --mullvad-browser argument if this is for a joint Tor and Mullvad Browser release
    • :warning: WARNING: You may need to manually update the firefox/config file's browser_build field if mullvad-browser.git has not yet been tagged (e.g. if security backports have not yet been merged and tagged)
    ./tools/relprep.py --mullvad-browser --date ${RELEASE_DATE} ${MULLVAD_BROWSER_VERSION}
  • Review build configuration changes:
    • rbm.conf
      • var/torbrowser_version: updated to next browser version
      • var/torbrowser_build: updated to ${MULLVAD_BROWSER_BUILD_N}
      • var/browser_release_date: updated to build date. For the build to be reproducible, the date should be in the past when building.
        • :warning: WARNING: If we have updated var/torbrowser_build without updating the firefox tag, then we can leave this unchanged to avoid forcing a firefox re-build (e.g. when bumping var/torbrowser_build to build2, build3, etc due to non-firefox related build issues)
      • var/torbrowser_incremental_from: updated to previous Desktop version
        • NOTE: We try to build incrementals for the previous 3 desktop versions
        • :warning: WARNING: Really actually make sure this is the previous Desktop version or else the make mullvadbrowser-incrementals-* step will fail
    • projects/firefox/config
      • browser_build: updated to match mullvad-browser tag
      • (Optional) var/firefox_platform_version: updated to latest ${ESR_VERSION} if rebased
    • (Optional) projects/translation/config:
      • steps/base-browser/git_hash: updated with HEAD commit of project's base-browser branch
      • steps/mullvad-browser/git_hash: updated with HEAD commit of project's mullvad-browser branch
    • (Optional) projects/browser/config:
    • ChangeLog-MB.txt: ensure correctness
      • Browser name correct
      • Release date correct
      • No Android updates
      • All issues added under correct platform
      • ESR updates correct
      • Component updates correct
  • Open MR with above changes, using the template for release preparations
    • NOTE: target the maint-14.0 branch
  • Merge
  • Sign+Tag
    • NOTE this must be done by one of:
      • boklm
      • dan
      • ma1
      • morgan
      • pierov
    • Run: 
      make mullvadbrowser-signtag-release
  • Push tag to upstream
  • Build the tag:
    • Run: 
      make mullvadbrowser-release && make mullvadbrowser-incrementals-release
      • Tor Project build machine
      • Local developer machine
    • Submit build request to Mullvad infrastructure:
      • NOTE this requires a devmole authentication token
      • NOTE this also requires you be connected to Gothenburg Mulvad VPN exit se-got-wg-101
      • Run: 
        make mullvadbrowser-kick-devmole-build
Signing

release signing

  • Assign this issue to the signer, one of:
    • boklm
    • ma1
    • morgan
    • pierov
  • Ensure all builders have matching builds
  • On ${STAGING_SERVER}, ensure updated:
    • NOTE Having a local git branch with maint-14.0 as the upstream branch with these values saved means you only need to periodically git pull --rebase and update the set-config.tbb-version file
    • tor-browser-build is on the right commit: git tag -v mb-${MULLVAD_BROWSER_VERSION}-${MULLVAD_BROWSER_BUILD_N} && git checkout mb-${MULLVAD_BROWSER_VERSION}-${MULLVAD_BROWSER_BUILD_N}
    • tor-browser-build/tools/signing/set-config.hosts
      • ssh_host_builder: ssh hostname of machine with unsigned builds
      • ssh_host_linux_signer: ssh hostname of linux signing machine
      • builder_tor_browser_build_dir: path on ssh_host_builder to root of builder's tor-browser-build clone containing unsigned builds
    • tor-browser-build/tools/signing/set-config.rcodesign-appstoreconnect
      • appstoreconnect_api_key_path: path to json file containing appstoreconnect api key infos
    • set-config.update-responses
      • update_responses_repository_dir: directory where you cloned git@gitlab.torproject.org:tpo/applications/mullvad-browser-update-responses.git
    • tor-browser-build/tools/signing/set-config.tbb-version
      • tbb_version: mullvad browser version string, same as var/torbrowser_version in rbm.conf (examples: 11.5a12, 11.0.13)
      • tbb_version_build: the tor-browser-build build number (if var/torbrowser_build in rbm.conf is buildN then this value is N)
      • tbb_version_type: either alpha for alpha releases or release for stable releases
  • On ${STAGING_SERVER} in a separate screen session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
  • On ${STAGING_SERVER} in a separate screen session, run do-all-signing script:
    • Run: 
      cd tor-browser-build/tools/signing/ && ./do-all-signing.mullvadbrowser
    • NOTE: on successful execution, the signed binaries and mars should have been copied to staticiforme and update responses pushed
Publishing

website

  • On staticiforme.torproject.org, remove old release and publish new:
    • /srv/dist-master.torproject.org/htdocs/mullvadbrowser
    • Run: 
      static-update-component dist.torproject.org

mullvad-browser (GitHub): https://github.com/mullvad/mullvad-browser/

  • Assign this issue to someone with mullvad commit access, one of:
    • boklm
    • ma1
    • morgan
    • pierov
  • Sign+Tag additionally the mullvad-browser.git firefox commit used in build:
    • Tag: ${MULLVAD_BROWSER_VERSION}
      • example: 12.5a7
    • Message: ${ESR_VERSION}esr-based ${MULLVAD_BROWSER_VERSION}
      • example: 102.12.0esr-based 12.5a7
  • Push this release's associated mullvad-browser.git branch to github
  • Push this release's associated tags to github:
    • Firefox ESR tag
      • example: FIREFOX_102_12_0esr_BUILD1
    • base-browser tag
      • example: base-browser-102.12.0esr-12.0-1-build1
    • mullvad-browser build tag
      • example: mullvad-browser-102.12.0esr-12.0-1-build1
    • mullvad-browser release tag
      • example: 12.0.11
Communications

Mullvad

  • Email Mullvad with release information:
    • Recipients 
      support@mullvadvpn.net, rui@mullvad.net
    • Subject 
      New build: Mullvad Browser ${MULLVAD_BROWSER_VERSION} (signed)
    • Body 
      Hello,

Branch+Tags have been pushed to Mullvad's GitHub repo.

- signed builds: https://dist.torproject.org/mullvadbrowser/${MULLVAD_BROWSER_VERSION}
- update_response hashes: ${MULLVAD_UPDATE_RESPONSES_HASH}*

* https://gitlab.torproject.org/tpo/applications/mullvad-browser-update-responses

changelog:
# paste changelog as quote here
...

packagers

  • (Once Packages are pushed to GitHub)
    • Recipients 
      proletarius101@protonmail.com, bootctl@gmail.com, dev@felschr.com,
    • Subject 
      Mullvad Browser ${MULLVAD_BROWSER_VERSION} released
    • Body 
      Hello!

Mullvad-Browser packages are available, so you should update your respective downstream packages.

The latest release builds can be found here:

- https://github.com/mullvad/mullvad-browser/releases?q=prerelease%3Afalse

merge requests

/label Apps::Type::ReleasePreparation /label Sponsor 131