tor-browser-build issueshttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues2023-10-03T15:35:57Zhttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40887Update Webtunnel version to 38eb55052023-10-03T15:35:57ZshelikhooUpdate Webtunnel version to 38eb5505Since webtunnel's initial inclusion into Tor Browser, there has been minor bug fixes that improve its stability. Since we are currently having session about promoting its adaption, we should update the version included in the tor browser...Since webtunnel's initial inclusion into Tor Browser, there has been minor bug fixes that improve its stability. Since we are currently having session about promoting its adaption, we should update the version included in the tor browser to the most recent version.
(A connected merge request will be submitted.)https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40886Update README with instructions for Arch linux2023-10-03T15:38:27ZDan BallardUpdate README with instructions for Arch linuxI'm using Arch linux now, so there's a lot of packages to install to run RBM, I think I've collected them allI'm using Arch linux now, so there's a lot of packages to install to run RBM, I think I've collected them allDan BallardDan Ballardhttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40885Bump version of Snowflake to v2.6.02023-10-03T16:33:26ZCecylia BocovichBump version of Snowflake to v2.6.0We just released a new version of Snowflake, so it's time to update Tor Browser.We just released a new version of Snowflake, so it's time to update Tor Browser.Cecylia BocovichCecylia Bocovichhttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40884Script to automate uploading sha256s and signatures to location signing/downl...2023-12-05T07:49:35ZDan BallardScript to automate uploading sha256s and signatures to location signing/download-unsigned-sha256sums-gpg-signatures-from-people-tpo expects them to besigning/download-unsigned-sha256sums-gpg-signatures-from-people-tpo has a very specific location it expects sha256sums and signatures. create a script to place them there reliablysigning/download-unsigned-sha256sums-gpg-signatures-from-people-tpo has a very specific location it expects sha256sums and signatures. create a script to place them there reliablyrichardrichardhttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40883Verification issues with the new Windows code signing certificate2023-08-17T21:35:26Zcypherpunks1Verification issues with the new Windows code signing certificateThe new certificate cannot be verified on two systems that I tried it.
A comparison of the 12.0.4 and 12.5a7 installers:
![cert](/uploads/eceecebe2d7a455900271857d7484f25/cert.png)The new certificate cannot be verified on two systems that I tried it.
A comparison of the 12.0.4 and 12.5a7 installers:
![cert](/uploads/eceecebe2d7a455900271857d7484f25/cert.png)cypherpunks1cypherpunks1https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40882Fix static-update-component command in issue_templates2023-07-20T20:56:22ZboklmFix static-update-component command in issue_templatesIn `.gitlab/issue_templates/Release Prep - Tor Browser Alpha.md` and
`.gitlab/issue_templates/Release Prep - Tor Browser Stable.md`, the
second `Static update components` command is missing some part.In `.gitlab/issue_templates/Release Prep - Tor Browser Alpha.md` and
`.gitlab/issue_templates/Release Prep - Tor Browser Stable.md`, the
second `Static update components` command is missing some part.boklmboklmhttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40881do-all-signing is asking for nssdb7 password when signing mullvadbrowser2023-07-20T20:56:47Zboklmdo-all-signing is asking for nssdb7 password when signing mullvadbrowserWhen signing mullvadbrowser, `do-all-signing` is asking for the `nssdb7`
password, although what is needed is the `mullvadbrowser-nssdb-1` password.When signing mullvadbrowser, `do-all-signing` is asking for the `nssdb7`
password, although what is needed is the `mullvadbrowser-nssdb-1` password.boklmboklmhttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40880The README doesn't include some dependencies needed for building incrementals2023-10-03T15:38:11ZPier Angelo VendrameThe README doesn't include some dependencies needed for building incrementalsIt seems we're missing at least `libxml-libxml-perl`, but possibly also `libxml-writer-perl` and `libparallel-forkmanager-perl`.
```
$ make mullvadbrowser-incrementals-release
git submodule update --init
./rbm/rbm build release --step u...It seems we're missing at least `libxml-libxml-perl`, but possibly also `libxml-writer-perl` and `libparallel-forkmanager-perl`.
```
$ make mullvadbrowser-incrementals-release
git submodule update --init
./rbm/rbm build release --step update_responses_config --target release --target create_unsigned_incrementals --target mullvadbrowser
tools/update-responses/download_missing_versions release
Can't locate XML/LibXML.pm in @INC (you may need to install the XML::LibXML module) (@INC contains: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.32.1 /usr/local/share/perl/5.32.1 /usr/lib/x86_64-linux-gnu/perl5/5.32 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl-base /usr/lib/x86_64-linux-gnu/perl/5.32 /usr/share/perl/5.32 /usr/local/lib/site_perl) at tools/update-responses/download_missing_versions line 20.
BEGIN failed--compilation aborted at tools/update-responses/download_missing_versions line 20.
make: *** [Makefile:501: mullvadbrowser-incrementals-release] Error 2
```
/cc @boklmDan BallardDan Ballardhttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40879Prepare Mullvad Browser Alpha 12.5a72023-06-20T22:02:36ZrichardPrepare Mullvad Browser Alpha 12.5a7<details>
<summary>Explanation of variables</summary>
- `$(BUILD_SERVER)` : the server the main builder is using to build a mullvad-browser release
- `$(STAGING_SERVER)` : the server the signer is using to to run the signing process
-...<details>
<summary>Explanation of variables</summary>
- `$(BUILD_SERVER)` : the server the main builder is using to build a mullvad-browser release
- `$(STAGING_SERVER)` : the server the signer is using to to run the signing process
- `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building mullvad-browser tags, labels, etc
- example : `91.6.0`
- `$(MULLVAD_BROWSER_MAJOR)` : the Mullvad Browser major version
- example : `11`
- `$(MULLVAD_BROWSER_MINOR)` : the Mullvad Browser minor version
- example : either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
- `$(MULLVAD_BROWSER_VERSION)` : the Mullvad Browser version in the format
- example: `12.5a3`, `12.0.3`
- `$(BUILD_N)` : a project's build revision within a its branch; this is separate from the `$(MULLVAD_BROWSER_BUILD_N)` value; many of the Firefox-related projects have a `$(BUILD_N)` suffix and may differ between projects even when they contribute to the same build.
- example : `build1`
- `$(MULLVAD_BROWSER_BUILD_N)` : the mullvad-browser build revision for a given Mullvad Browser release; used in tagging git commits
- example : `build2`
- **NOTE** : A project's `$(BUILD_N)` and `$(MULLVAD_BROWSER_BUILD_N)` may be the same, but it is possible for them to diverge. For example :
- if we have multiple Mullvad Browser releases on a given ESR branch the two will become out of sync as the `$(BUILD_N)` value will increase, while the `$(MULLVAD_BROWSER_BUILD_N)` value may stay at `build1` (but the `$(MULLVAD_BROWSER_VERSION)` will increase)
- if we have build failures unrelated to `mullvad-browser`, the `$(MULLVAD_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same.
- `$(MULLVAD_BROWSER_VERSION)` : the published Mullvad Browser version
- example : `11.5a6`, `11.0.7`
</details>
**NOTE** It is assumed that the `tor-browser` rebase and security backport tasks have been completed
<details>
<summary>Build Configs</summary>
### tor-browser-build: https://gitlab.mullvadproject.org/tpo/applications/tor-browser-build.git
Mullvad Browser Stable lives in the various `maint-$(MULLVAD_BROWSER_MAJOR).$(MULLVAD_BROWSER_MINOR)` (and possibly more specific) branches
- [x] Update `rbm.conf`
- [x] `var/torbrowser_version` : update to next version
- [x] `var/torbrowser_build` : update to `$(MULLVAD_BROWSER_BUILD_N)`
- [x] `var/torbrowser_incremental_from` : update to previous Desktop version
- **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make mullvadbrowser-incrementals-*` step will fail
- [x] Update build configs
- [x] Update `projects/firefox/config`
- [x] `browser_build` : update to match `mullvad-browser` tag
- [x] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased
- [ ] Update `projects/translation/config`:
- [ ] run `make list_translation_updates-release` to get updated hashes
- [ ] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch
- [ ] `steps/base-browser-fluent/git_hash` : update with `HEAD` commit of project's `basebrowser-newidentityftl` branch
- [ ] Update common build configs
- [x] Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript
- [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/browser/config`
- [ ] `URL`
- [ ] `sha256sum`
- [x] Check for uBlock-origin updates here : https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/
- [ ] ***(Optional)*** If new version available, update `ublock-origin` section of `input_files` in `projects/browser/config`
- [ ] `URL`
- [ ] `sha256sum`
- [x] Check for Mullvad Privacy Companion updates here : https://github.com/mullvad/browser-extension/releases
- [ ] ***(Optional)*** If new version available, update `mullvad-extension` section of `input_files` in `projects/browser/config`
- [ ] `URL`
- [ ] `sha256sum`
- [x] Open MR with above changes
- [x] Begin build on `$(BUILD_SERVER)` (and fix any issues which come up and update MR)
- [ ] Merge
- [ ] Sign/Tag commit: `make mullvadbrowser-signtag-release`
- [ ] Push tag to `origin`
</details>
<details>
<summary>Signing</summary>
### signing + publishing
- [x] Ensure builders have matching builds
- [x] On `$(STAGING_SERVER)`, ensure updated:
- [ ] `tor-browser-build/tools/signing/set-config`
- `NSS_DB_DIR` : location of the `nssdb7` direcmullvady
- [ ] `tor-browser-build/tools/signing/set-config.hosts`
- `ssh_host_builder` : ssh hostname of machine with unsigned builds
- **NOTE** : `tor-browser-build` is expected to be in the `$HOME` direcmullvady)
- `ssh_host_linux_signer` : ssh hostname of linux signing machine
- `ssh_host_macos_signer` : ssh hostname of macOS signing machine
- [ ] `tor-browser-build/tools/signing/set-config.macos-notarization`
- `macos_notarization_user` : the email login for a mullvad notariser Apple Developer account
- [ ] `set-config.update-responses`
- `update_responses_reposimullvady_dir` : direcmullvady where you cloned `git@gitlab.mullvadproject.org:tpo/applications/mullvad-browser-update-responses.git`
- [ ] `tor-browser-build/tools/signing/set-config.tbb-version`
- `tbb_version` : mullvad browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`)
- `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`)
- `tbb_version_type` : either `alpha` for alpha releases or `release` for stable releases
- [x] On `$(STAGING_SERVER)` in a separate `screen` session, run the macOS proxy script:
- `cd tor-browser-build/tools/signing/`
- `./macos-signer-proxy`
- [x] On `$(STAGING_SERVER)` in a separate `screen` session, ensure mullvad daemon is running with SOCKS5 proxy on the default port 9050
- [ ] apk signing : copy signed `*multi.apk` files to the unsigned build outputs direcmullvady
- [x] run do-all-signing script:
- `cd tor-browser-build/tools/signing/`
- `./do-all-signing.sh`
- **NOTE**: at this point the signed binaries should be in `tor-browser-build/mullvadbrowser/release/signed/$(MULLVAD_BROWSER_VERSION)`
</details>
<details>
<summary>Downstream</summary>
### notify stakeholders
- [x] Email Mullvad with release information: rui@mullvad.net
- [ ] Build artifact download list
- [ ] New `mullvad-browser` project branch and tags
- [ ] mullvad-browser-update-responses git hash
- [ ] changelog
- [x] Email downstream consumers:
- [ ] flathub package maintainer: proletarius101@protonmail.com
- [ ] arch package maintainer: bootctl@gmail.com
### merge requests
- [ ] homebrew: https://github.com/Homebrew/homebrew-cask/blob/master/Casks/mullvad-browser.rb
- **NOTE**: should just need to update the version to latest
</details>richardrichardhttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40878Fix permissions on gpg signature2023-06-12T20:17:58ZboklmFix permissions on gpg signature`tools/signing/linux-signer-gpg-sign` is now creating signature files
without permission for other users to read. We should change that so
that other users can read them.`tools/signing/linux-signer-gpg-sign` is now creating signature files
without permission for other users to read. We should change that so
that other users can read them.https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40877Update osslsigncode to more recent version2023-06-28T22:24:51ZboklmUpdate osslsigncode to more recent versionIn `projects/osslsigncode` we are still using an old version of
osslsigncode.
We have two patches, which I think can be dropped:
- `timestamping.patch` which is used to allow timestamping with the add
command. A similar patch was don...In `projects/osslsigncode` we are still using an old version of
osslsigncode.
We have two patches, which I think can be dropped:
- `timestamping.patch` which is used to allow timestamping with the add
command. A similar patch was done upstream in
https://github.com/mtrojnar/osslsigncode/commit/62e8ffd0c9aedf844452b80c5a72f3d0808cabbe
- `0001-Make-code-work-with-OpenSSL-1.1.patch` which is adding support for
OpenSSL 1.1 and is probably not needed with current versionboklmboklmhttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40876Move nightly builds to tb-build-062023-07-05T16:14:11ZboklmMove nightly builds to tb-build-06With tpo/tpa/team#40984 we have a new machine for nightly build.
While moving nightly builds there, we should configure the build to use
`/tmp` during the build.With tpo/tpa/team#40984 we have a new machine for nightly build.
While moving nightly builds there, we should configure the build to use
`/tmp` during the build.boklmboklmhttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40875re-enable Windows code signing2023-06-15T09:40:14Zboklmre-enable Windows code signingWe now have a new Windows cert, so we should re-enable Windows code
signing.We now have a new Windows cert, so we should re-enable Windows code
signing.boklmboklmhttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40874Add commit information also to GV2023-08-09T12:36:14ZPier Angelo VendrameAdd commit information also to GVA while ago we've added the commit information to `about:buildconfig` in the Firefox project.
However, we haven't on GeckoView. We should do it.A while ago we've added the commit information to `about:buildconfig` in the Firefox project.
However, we haven't on GeckoView. We should do it.Pier Angelo VendramePier Angelo Vendramehttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40873Prepare Mullvad Browser Alpha 13.0a12023-08-02T15:53:55ZrichardPrepare Mullvad Browser Alpha 13.0a1<details>
<summary>Explanation of variables</summary>
- `$(BUILD_SERVER)` : the server the main builder is using to build a mullvad-browser release
- `$(BUILDER)` : whomever is building the release on the $(BUILD_SERVER)
- **example...<details>
<summary>Explanation of variables</summary>
- `$(BUILD_SERVER)` : the server the main builder is using to build a mullvad-browser release
- `$(BUILDER)` : whomever is building the release on the $(BUILD_SERVER)
- **example** : `pierov`
- `$(STAGING_SERVER)` : the server the signer is using to to run the signing process
- `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building mullvad-browser tags, labels, etc
- **example** : `91.6.0`
- `$(MULLVAD_BROWSER_MAJOR)` : the Mullvad Browser major version
- **example** : `11`
- `$(MULLVAD_BROWSER_MINOR)` : the Mullvad Browser minor version
- **example** : either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
- `$(MULLVAD_BROWSER_VERSION)` : the Mullvad Browser version in the format
- **example** : `12.5a3`, `12.0.3`
- `$(BUILD_N)` : a project's build revision within a its branch; this is separate from the `$(MULLVAD_BROWSER_BUILD_N)` value; many of the Firefox-related projects have a `$(BUILD_N)` suffix and may differ between projects even when they contribute to the same build.
- **example** : `build1`
- `$(MULLVAD_BROWSER_BUILD_N)` : the mullvad-browser build revision for a given Mullvad Browser release; used in tagging git commits
- **example** : `build2`
- **NOTE** : A project's `$(BUILD_N)` and `$(MULLVAD_BROWSER_BUILD_N)` may be the same, but it is possible for them to diverge. For **example** :
- if we have multiple Mullvad Browser releases on a given ESR branch the two will become out of sync as the `$(BUILD_N)` value will increase, while the `$(MULLVAD_BROWSER_BUILD_N)` value may stay at `build1` (but the `$(MULLVAD_BROWSER_VERSION)` will increase)
- if we have build failures unrelated to `mullvad-browser`, the `$(MULLVAD_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same.
- `$(MULLVAD_BROWSER_VERSION)` : the published Mullvad Browser version
- **example** : `11.5a6`, `11.0.7`
- `$(MB_BUILD_TAG)` : the `tor-browser-build` build tag used to build a given Mullvad Browser version
- **example** : `mb-12.0.7-build1`
</details>
**NOTE** It is assumed that the `tor-browser` alpha rebase and security backport tasks have been completed
<details>
<summary>Building</summary>
### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git
Mullvad Browser Alpha (and Nightly) are on the `main` branch
- [x] Update `rbm.conf`
- [ ] `var/torbrowser_version` : update to next version
- [ ] `var/torbrowser_build` : update to `$(MULLVAD_BROWSER_BUILD_N)`
- [ ] `var/torbrowser_incremental_from` : update to previous Desktop version
- **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make mullvadbrowser-incrementals-*` step will fail
- [x] Update build configs
- [x] Update `projects/firefox/config`
- [x] `browser_build` : update to match `mullvad-browser` tag
- [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased
- [x] Update `projects/translation/config`:
- [ ] run `make list_translation_updates-alpha` to get updated hashes
- [ ] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch
- [ ] `steps/base-browser-fluent/git_hash` : update with `HEAD` commit of project's `basebrowser-newidentityftl` branch
- [ ] Update common build configs
- [x] Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript
- [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/browser/config`
- [ ] `URL`
- [ ] `sha256sum`
- [x] Check for uBlock-origin updates here : https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/
- [x] ***(Optional)*** If new version available, update `ublock-origin` section of `input_files` in `projects/browser/config`
- [x] `URL`
- [x] `sha256sum`
- [x] Check for Mullvad Privacy Companion updates here : https://github.com/mullvad/browser-extension/releases
- [x] ***(Optional)*** If new version available, update `mullvad-extension` section of `input_files` in `projects/browser/config`
- [x] `URL`
- [x] `sha256sum`
- [x] Open MR with above changes
- [x] Merge
- [x] Sign/Tag commit: `make mullvadbrowser-signtag-alpha`
- [x] Push tag to `origin`
- [x] Begin build on `$(BUILD_SERVER)` (fix any issues in subsequent MRs)
- [ ] **TODO** Submit build-tag to Mullvad build infra
- [x] Ensure builders have matching builds
</details>
<details>
<summary>QA</summary>
### send the build
- [x] Email Mullvad QA: support@mullvad.net, rui@mullvad.net
<details>
<summary>email template</summary>
Subject:
New build: Mullvad Browser $(MULLVAD_BROWSER_VERION) (unsigned)
Body:
unsigned builds: https://tb-build-05.torproject.org/~$(BUILDER)/builds/mullvadbrowser/release/unsigned/$(MB_BUILD_TAG)
changelog:
...
</details>
- ***(Optional)*** Add additional information:
- [ ] Note any new functionality which needs testing
- [ ] Link to any known issues
</details>
<details>
<summary>Signing</summary>
### signing
- [x] On `$(STAGING_SERVER)`, ensure updated:
- [x] `tor-browser-build/tools/signing/set-config.hosts`
- `ssh_host_builder` : ssh hostname of machine with unsigned builds
- **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory)
- `ssh_host_linux_signer` : ssh hostname of linux signing machine
- `ssh_host_macos_signer` : ssh hostname of macOS signing machine
- [x] `tor-browser-build/tools/signing/set-config.macos-notarization`
- `macos_notarization_user` : the email login for a mullvad notariser Apple Developer account
- [x] `set-config.update-responses`
- `update_responses_repository_dir` : directory where you cloned `git@gitlab.torproject.org:tpo/applications/mullvad-browser-update-responses.git`
- [x] `tor-browser-build/tools/signing/set-config.tbb-version`
- `tbb_version` : mullvad browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`)
- `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`)
- `tbb_version_type` : either `alpha` for alpha releases or `release` for stable releases
- [x] On `$(STAGING_SERVER)` in a separate `screen` session, run the macOS proxy script:
- `cd tor-browser-build/tools/signing/`
- `./macos-signer-proxy`
- [x] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
- [x] run do-all-signing script:
- `cd tor-browser-build/tools/signing/`
- `./do-all-signing.mullvadbrowser`
- **NOTE**: at this point the signed binaries should have been copied to `staticiforme`
- [x] Update `staticiforme.torproject.org`:
- From `screen` session on `staticiforme.torproject.org`:
- [ ] Static update components : `static-update-component dist.torproject.org`
- [ ] Remove old release data from `/srv/dist-master.torproject.org/htdocs/mullvadbrowser`
- [ ] Static update components (again) : `static-update-component dist.torproject.org`
</details>
<details>
<summary>Publishing</summary>
### email
- [x] Email Mullvad with release information: support@mullvad.net, rui@mullvad.net
<details>
<summary>email template</summary>
Subject:
New build: Mullvad Browser $(MULLVAD_BROWSER_VERION) (signed)
Body:
signed builds: https://dist.torproject.org/mullvadbrowser/$(MULLVAD_BROWSER_VERSION)
update_response hashes: $(MULLVAD_UPDATE_RESPONSES_HASH)
changelog:
...
</details>
### mullvad-browser (github): https://github.com/mullvad/mullvad-browser/
- [x] Push this release's associated `mullvad-browser.git` branch to github
- [x] Push this release's associated tags to github:
- [x] Firefox ESR tag
- **example** : `FIREFOX_102_12_0esr_BUILD1,`
- [x] `base-browser` tag
- **example** : `base-browser-102.12.0esr-12.0-1-build1`
- [x] `mullvad-browser` tag
- **example** : `mullvad-browser-102.12.0esr-12.0-1-build1`
- [x] Sign+Tag additionally the `mullvad-browser.git` `firefox` commit used in build:
- **Tag**: `$(MULLVAD_BROWSER_VERSION)`
- **example** : `12.5a7`
- **Message**: `$(ESR_VERSION)esr-based $(MULLVAD_BROWSER_VERSION)`
- **example** : `102.12.0esr-based 12.5a7`
- [x] Push tag to github
</details>
<details>
<summary>Downstream</summary>
### notify packagers
- [ ] **(Optional, Once Mullvad Updates their Github Releases Page)** Email downstream consumers:
<details>
<summary>email template</summary>
...
...
</details>
- **NOTE**: This is an optional step and only necessary close a major release/transition from alpha to stable, or if there are major packing changes these developers need to be aware of
- [ ] flathub package maintainer: proletarius101@protonmail.com
- [ ] arch package maintainer: bootctl@gmail.com
- [ ] nixOS package maintainer: dev@felschr.com
</details>richardrichardhttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40872Prepare Mullvad Browser Stable 12.5.02023-06-28T21:32:14ZrichardPrepare Mullvad Browser Stable 12.5.0<details>
<summary>Explanation of variables</summary>
- `$(BUILD_SERVER)` : the server the main builder is using to build a mullvad-browser release
- `$(BUILDER)` : whomever is building the release on the $(BUILD_SERVER)
- **example...<details>
<summary>Explanation of variables</summary>
- `$(BUILD_SERVER)` : the server the main builder is using to build a mullvad-browser release
- `$(BUILDER)` : whomever is building the release on the $(BUILD_SERVER)
- **example** : `pierov`
- `$(STAGING_SERVER)` : the server the signer is using to to run the signing process
- `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building mullvad-browser tags, labels, etc
- **example** : `91.6.0`
- `$(MULLVAD_BROWSER_MAJOR)` : the Mullvad Browser major version
- **example** : `11`
- `$(MULLVAD_BROWSER_MINOR)` : the Mullvad Browser minor version
- **example** : either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
- `$(MULLVAD_BROWSER_VERSION)` : the Mullvad Browser version in the format
- **example** : `12.5a3`, `12.0.3`
- `$(BUILD_N)` : a project's build revision within a its branch; this is separate from the `$(MULLVAD_BROWSER_BUILD_N)` value; many of the Firefox-related projects have a `$(BUILD_N)` suffix and may differ between projects even when they contribute to the same build.
- **example** : `build1`
- `$(MULLVAD_BROWSER_BUILD_N)` : the mullvad-browser build revision for a given Mullvad Browser release; used in tagging git commits
- **example** : `build2`
- **NOTE** : A project's `$(BUILD_N)` and `$(MULLVAD_BROWSER_BUILD_N)` may be the same, but it is possible for them to diverge. For **example** :
- if we have multiple Mullvad Browser releases on a given ESR branch the two will become out of sync as the `$(BUILD_N)` value will increase, while the `$(MULLVAD_BROWSER_BUILD_N)` value may stay at `build1` (but the `$(MULLVAD_BROWSER_VERSION)` will increase)
- if we have build failures unrelated to `mullvad-browser`, the `$(MULLVAD_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same.
- `$(MULLVAD_BROWSER_VERSION)` : the published Mullvad Browser version
- **example** : `11.5a6`, `11.0.7`
- `$(MB_BUILD_TAG)` : the `tor-browser-build` build tag used to build a given Mullvad Browser version
- **example** : `mb-12.0.7-build1`
</details>
**NOTE** It is assumed that the `tor-browser` stable rebase and security backport tasks have been completed
<details>
<summary>Building</summary>
### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git
Mullvad Browser Stable lives in the various `maint-$(MULLVAD_BROWSER_MAJOR).$(MULLVAD_BROWSER_MINOR)` (and possibly more specific) branches
- [x] Update `rbm.conf`
- [x] `var/torbrowser_version` : update to next version
- [x] `var/torbrowser_build` : update to `$(MULLVAD_BROWSER_BUILD_N)`
- [x] `var/torbrowser_incremental_from` : update to previous Desktop version
- **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make mullvadbrowser-incrementals-*` step will fail
- [x] Update build configs
- [x] Update `projects/firefox/config`
- [ ] `browser_build` : update to match `mullvad-browser` tag
- [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased
- [x] Update `projects/translation/config`:
- [ ] run `make list_translation_updates-release` to get updated hashes
- [ ] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch
- [ ] `steps/base-browser-fluent/git_hash` : update with `HEAD` commit of project's `basebrowser-newidentityftl` branch
- [ ] Update common build configs
- [x] Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript
- [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/browser/config`
- [ ] `URL`
- [ ] `sha256sum`
- [x] Check for uBlock-origin updates here : https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/
- [x] ***(Optional)*** If new version available, update `ublock-origin` section of `input_files` in `projects/browser/config`
- [x] `URL`
- [x] `sha256sum`
- [x] Check for Mullvad Privacy Companion updates here : https://github.com/mullvad/browser-extension/releases
- [x] ***(Optional)*** If new version available, update `mullvad-extension` section of `input_files` in `projects/browser/config`
- [x] `URL`
- [x] `sha256sum`
- [x] Open MR with above changes
- [x] Merge
- [x] Sign/Tag commit: `make mullvadbrowser-signtag-release`
- [x] Push tag to `origin`
- [x] Begin build on `$(BUILD_SERVER)` (fix any issues in subsequent MRs)
- [ ] **TODO** Submit build-tag to Mullvad build infra
- [x] Ensure builders have matching builds
</details>
<details>
<summary>QA</summary>
### send the build
- [x] Email Mullvad QA: support@mullvad.net, rui@mullvad.net
<details>
<summary>email template</summary>
Subject:
New build: Mullvad Browser $(MULLVAD_BROWSER_VERION) (unsigned)
Body:
unsigned builds: https://tb-build-05.torproject.org/~$(BUILDER)/builds/mullvadbrowser/release/unsigned/$(MB_BUILD_TAG)
changelog:
...
</details>
- ***(Optional)*** Add additional information:
- [ ] Note any new functionality which needs testing
- [ ] Link to any known issues
</details>
<details>
<summary>Signing</summary>
### signing
- [x] On `$(STAGING_SERVER)`, ensure updated:
- [x] `tor-browser-build/tools/signing/set-config.hosts`
- `ssh_host_builder` : ssh hostname of machine with unsigned builds
- **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory)
- `ssh_host_linux_signer` : ssh hostname of linux signing machine
- `ssh_host_macos_signer` : ssh hostname of macOS signing machine
- [x] `tor-browser-build/tools/signing/set-config.macos-notarization`
- `macos_notarization_user` : the email login for a mullvad notariser Apple Developer account
- [x] `set-config.update-responses`
- `update_responses_repository_dir` : directory where you cloned `git@gitlab.torproject.org:tpo/applications/mullvad-browser-update-responses.git`
- [x] `tor-browser-build/tools/signing/set-config.tbb-version`
- `tbb_version` : mullvad browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`)
- `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`)
- `tbb_version_type` : either `alpha` for alpha releases or `release` for stable releases
- [x] On `$(STAGING_SERVER)` in a separate `screen` session, run the macOS proxy script:
- `cd tor-browser-build/tools/signing/`
- `./macos-signer-proxy`
- [x] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
- [x] run do-all-signing script:
- `cd tor-browser-build/tools/signing/`
- `./do-all-signing.mullvadbrowser`
- **NOTE**: at this point the signed binaries should have been copied to `staticiforme`
- [x] Update `staticiforme.torproject.org`:
- From `screen` session on `staticiforme.torproject.org`:
- [ ] Static update components : `static-update-component dist.torproject.org`
- [ ] Remove old release data from `/srv/dist-master.torproject.org/htdocs/mullvadbrowser`
- [x] Static update components (again) : `static-update-component dist.torproject.org`
</details>
<details>
<summary>Publishing</summary>
### email
- [x] Email Mullvad with release information: support@mullvad.net, rui@mullvad.net
<details>
<summary>email template</summary>
Subject:
New build: Mullvad Browser $(MULLVAD_BROWSER_VERION) (signed)
Body:
signed builds: https://dist.torproject.org/mullvadbrowser/$(MULLVAD_BROWSER_VERSION)
update_response hashes: $(MULLVAD_UPDATE_RESPONSES_HASH)
changelog:
...
</details>
### mullvad-browser (github): https://github.com/mullvad/mullvad-browser/
- [x] Push this release's associated `mullvad-browser.git` branch to github
- [x] Push this release's associated tags to github:
- [x] Firefox ESR tag
- **example** : `FIREFOX_102_12_0esr_BUILD1,`
- [x] `base-browser` tag
- **example** : `base-browser-102.12.0esr-12.0-1-build1`
- [x] `mullvad-browser` tag
- **example** : `mullvad-browser-102.12.0esr-12.0-1-build1`
- [x] Sign+Tag additionally the `mullvad-browser.git` `firefox` commit used in build:
- **Tag**: `$(MULLVAD_BROWSER_VERSION)`
- **example** : `12.0.7`
- **Message**: `$(ESR_VERSION)esr-based $(MULLVAD_BROWSER_VERSION)`
- **example** : `102.12.0esr-based 12.0.7`
- [x] Push tag to github
</details>
<details>
<summary>Downstream</summary>
### notify packagers
- [x] **(Once Mullvad Updates their Github Releases Page)** Email downstream consumers:
<details>
<summary>email template</summary>
...
...
</details>
- [ ] flathub package maintainer: proletarius101@protonmail.com
- [ ] arch package maintainer: bootctl@gmail.com
- [ ] nixOS package maintainer: dev@felschr.com
### merge requests
- [ ] homebrew: https://github.com/Homebrew/homebrew-cask/blob/master/Casks/mullvad-browser.rb
- **NOTE**: should just need to update the version to latest
</details>richardrichardhttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40871Update keyring/boklm.gpg for new subkeys2023-07-06T19:52:10ZboklmUpdate keyring/boklm.gpg for new subkeysMy old subkeys expired and I created new ones.My old subkeys expired and I created new ones.boklmboklmhttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40870Remove url without browser name from tools/signing/download-unsigned-sha256su...2023-06-07T21:47:36ZboklmRemove url without browser name from tools/signing/download-unsigned-sha256sums-gpg-signatures-from-people-tpoIn `tools/signing/download-unsigned-sha256sums-gpg-signatures-from-people-tpo`
we try to download signatures from URLs that include a directory with
the browser name, and also the old type of URLs which does not:
https://people.torprojec...In `tools/signing/download-unsigned-sha256sums-gpg-signatures-from-people-tpo`
we try to download signatures from URLs that include a directory with
the browser name, and also the old type of URLs which does not:
https://people.torproject.org/~$builder/builds/$tbb_version-build$tbb_version_build/$file
We should keep it in the `maint-12.0` branch, but remove it from the
`main` and `maint-12.0-mullvad` branches, to avoid downloading
signatures for the wrong browser.boklmboklmhttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40869obfs4 is renamed to lyrebird2023-06-28T16:05:25Zboklmobfs4 is renamed to lyrebirdSince `go.mod` was updated in obfs4 main branch, we need to update
`var/go_vendor_sha256sum` for obfs4 nightly.
`doc/how-to-update-go-dependencies.txt` has the instructions to do that.
/cc @meskioSince `go.mod` was updated in obfs4 main branch, we need to update
`var/go_vendor_sha256sum` for obfs4 nightly.
`doc/how-to-update-go-dependencies.txt` has the instructions to do that.
/cc @meskioboklmboklmhttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40868Bump Rust to 1.69.02023-10-03T15:38:23ZCecylia BocovichBump Rust to 1.69.0I ran into a problem compiling wasm-bindgen because the version of rust is too old:
```
error: package `time v0.3.20` cannot be built because it requires rustc 1.63.0 or newer, while the currently active rustc version is 1.60.0
```
Is ...I ran into a problem compiling wasm-bindgen because the version of rust is too old:
```
error: package `time v0.3.20` cannot be built because it requires rustc 1.63.0 or newer, while the currently active rustc version is 1.60.0
```
Is it possible to bump it to the latest version rustc 1.69.0 (2023-04-16)?Pier Angelo VendramePier Angelo Vendrame