tor-browser-build issues
https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues
Updated: 2023-03-30T07:43:16Z

Build the Tor Browser User Manual when building Tor Browser
https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/10980
Updated: 2023-03-30T07:43:16Z
Author: Lunar

The Tor Browser User Manual should be built during the Tor Browser building process in order to be included in the bundles.

Build our GCC properly
https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40047
Updated: 2023-06-01T16:35:24Z
Author: Georg Koppen

GCC depends on MPC which depends on MPFR which depends on GMP.
Please, update GCC with dependencies everywhere.
(That was originally the purpose of #31845).
See Mozilla's GCC build process for all the deps. We might not need all
of them, though.

Build nightlies over the weekend from scratch
https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/30283
Updated: 2023-01-05T14:14:50Z
Author: Georg Koppen

We should find issues with one of our build dependencies as early as possible. Cached artifacts as we use them now make this harder. boklm had the idea to build everything from scratch over the weekend as there are often not that many new commits to build anyway during that time. That way we'd get notified much faster about issues like legacy/trac#30280.

Build Go binaries with `-buildmode=pie`?
https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/29694
Updated: 2023-01-05T14:13:35Z
Author: Georg Koppen

I was looking a bit how the `obfs4proxy` binary gets built for Android today and it turns out that Briar etc. use `-buildmode=pie`. Currently our Linux binaries have no PIE and no RELRO (but Stack Canaries, NX etc. enabled). Trying with `-buildmode=pie` results in "PIE enabled" but somewhat surprisingly our stack canaries are gone (but we get partial RELRO).
So, generally, should we start using PIE mode (and `-extldflags=-pie` where needed)? Or are we good with what we have?

Build fonts we ship from source
https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/26302
Updated: 2023-01-05T13:12:01Z
Author: Georg Koppen

In comment:12:ticket:18364 vegansalad mentioned that there are ways to build at least some fonts from source using `fonttools` and `nototools`. Might be worth investigating how far we'd come with that.

Avoid Fontconfig warning about "ambiguous path"
https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/41110
Updated: 2024-03-27T08:15:02Z
Author: Rusty Bird

```
$ ./start-tor-browser --verbose
Fontconfig warning: "/home/user/tor-browser/Browser/fontconfig/fonts.conf", line 42: Use of ambiguous path in <dir> element. please add prefix="cwd" if current behavior is desired.
```
I'll open a merge request that adds `prefix="cwd"`.

Assignee: Rusty Bird

Automation
https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/41000
Updated: 2023-11-01T20:14:46Z
Author: richard

*The* Automation ~Meta Ticket tracking our myriad automation efforts
High level summary:
- Release Prep Automation
- basically convert as much of the checklist to an automatic'ish walk-through script
- Enable GeckoDriver everywhere
- CI/Automation
- Builds
- Linting
- Auto-rebasing
- Tests
- tor-browser/mullvad-browser specific tests
- TZP-based fingerprinting
- Fix+Run Mozilla Tests
- Building Signing Improvements
- per build signing
- Mullvad Building

Auto-build Tor + Mullvad Browsers on tag push
https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/41004
Updated: 2023-11-06T23:11:00Z
Author: richard

We chatted briefly last week about Mullvad somehow auto-building our browsers on tag push.
We would like to bring Mullvad into the build release verification process (eg as another builder) to give users further confidence that devs are not collaborating to sneak malicious code into the build.
/cc @ruihildt

Assignee: jbjorkang

Audit license and copyright info
https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40611
Updated: 2023-08-25T23:13:34Z
Author: richard

HTTPS-Everywhere has been removed from Desktop, so we should stop including their copyright and any licensing information we have bundled. We also need to update the base-browser target to not include unneeded licensing (tor, PTs, etc)

Milestone: Sponsor 131 - Phase 3 - Major ESR 102 Migration

Apply -fstack-clash-protection where possible
https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40201
Updated: 2022-12-22T15:49:24Z
Author: Georg Koppen

It seems we can pick up a newer compiler-based hardening flag: `-fstack-clash-protection`. It's supposed to be available with clang 11.0.1, see: https://bugzilla.mozilla.org/show_bug.cgi?id=1588710.
It seems this is mainly for Linux and Android. We should go over GCC-using projects, too, as this flag is supposed to be available there as well.

Allow merging update-responses from different versions per platform
https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40230
Updated: 2023-01-05T15:07:00Z
Author: Matthew Finkel

This is a bit difficult, but Tor Browser 10.0.10 and 10.0.11 is the reasoning behind this. Version 10.0.10 was an update for all platforms, but 10.0.11 was an update for only Windows, and we only built Windows (i686/x86_64) 10.0.11. Therefore, the update response only included Windows, and macOS and Linux users received a message indicating that updating failed and they should reinstall Tor Browser. I fixed this by copying the rewrite rules for 10.0.10 for macOS and Linux into .htaccess of 10.0.11, and now those platforms are receiving the "no-update" response. Automating this would be nice, but I don't immediately see an easy solution.

Adjust creation of buildID script
https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/29615
Updated: 2023-02-01T12:10:28Z
Author: Georg Koppen

We should adjust the creation of our build ID script to make sure we have a larger space using the months available (currently Tor Browser 17 is the last major version that produces valid buildIDs).
And we should think about a good way to implement something where we don't need to worry about the buildID creation in the future anymore.

Add Tor Browser-specific licenses in about:license
https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40559
Updated: 2023-01-05T13:54:25Z
Author: Matthew Finkel

This idea came out of legacy/trac#33771 and legacy/trac#33772. GeKo mentioned that we don't need to ship a specific license for NSS because it is covered by `about:license`, and we could use `about:license` for the additional licenses we must ship, as well. Currently those Tor Browser-specific licenses are controlled by tor-browser-build and they are included as text files at build-time. Extending `about:license` is a good idea.
The main disadvantage I see is downstream projects who take a tor browser package and re-use all of the tor parts but they don't use the browser. We could achieve this by continuing with adding licenses in text files and then patching them into tor-browser's `toolkit/content/license.html` at build time. I'm not very excited about the additional complexity this would require, though.

Add support in do-all-signing to sign release for some archs only
https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40994
Updated: 2023-12-07T13:28:57Z
Author: boklm

Currently when we want to sign a release for some of the platforms only,
we need to comment some steps in `do-all-signing`. We should add some
options to make it easier to disable/enable signing of some of the
platforms.

Add support for android-only and desktop-only releases in do-all-signing
https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40618
Updated: 2023-11-01T19:17:53Z
Author: boklm

In `tools/signing/set-config.tbb-version` we should add some option to say if a release is desktop-only, or android-only, and make `do-all-signing` only run the steps relevant for desktop or android in those cases.

Milestone: Sponsor 131 - Phase 4 - Browser Release Management
Assignee: boklm

Add some step in the signing process to check that we have two matching builds
https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40785
Updated: 2023-11-01T19:18:10Z
Author: boklm

Checking that we have two matching builds currently needs to be done manually before starting the signing process.
We can add some step in the signing process to check that `sha256sums-unsigned-build.txt` has been signed by two people.

Assignee: boklm

Add some documentation about building go libraries/programs with build_go_lib
https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/32416
Updated: 2023-01-05T14:16:24Z
Author: boklm

As `build_go_lib` template is getting more complex, we should add some documentation about how to use it, probably into 'README.HACKING'.

Add redirects for single-platform releases to projects/release/update_responses_config.yml
https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40258
Updated: 2023-01-05T13:55:30Z
Author: boklm

When we do a release for a single platform, we need to add some redirects in the .htaccess file in https://aus1.torproject.org/torbrowser/update_3/.
To make that easier, I think we can add those redirects as comments in `projects/release/update_responses_config.yml`, in `htaccess_rewrite_rules`. So that we only need to uncomment some of those lines when doing a release only for some platforms.

Assignee: boklm

Add README to update_responses to document downloads.json etc
https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40861
Updated: 2023-08-26T05:46:31Z
Author: ruihildt

Currently, we use the tag link using the following format for the Github release link, as follows:
`https://github.com/mullvad/mullvad-browser/releases/tag/mullvad-browser-102.11.0esr-12.0-1-build1`
This is inconvenient for:
- downstream packagers using the tag to download from the GitHub page new releases
- dynamically linking our changelog on our website
- generally being able to look at the release version from the link
This is why we have changed the release tags to the following format:
`https://github.com/mullvad/mullvad-browser/releases/tag/12.0.6`
This needs to be updated when generating the XML update responses.
--------------
Additional considerations (Nice to have if trivial to add)
- For now, we're manually adding this tag to the branch pushed on Github. If this can somehow get added automatically, then it's a win.
- https://cdn.mullvad.net/browser/update_responses/update_1/release/downloads.json actually contains a tag, which is not present on the branch moved to our Github repository. Could this tag be changed to the same format `XX.X.X`?
EDIT: The tag referenced in downloads.json is not self-evident as to what it is for, we should add some small documentation there for users that go looking for it.

Add README to Tor Browser
https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40578
Updated: 2023-01-05T14:22:24Z
Author: traumschule

I am struck that there is none.
```
tor-browser8.5a1$ find |grep -i readme
./Browser/TorBrowser/Docs/Obfsproxy/README
./Browser/TorBrowser/Docs/fteproxy/README.md
./Browser/TorBrowser/Docs/meek/README
./Browser/TorBrowser/Docs/libfte/README.md
./Browser/TorBrowser/Docs/snowflake/README.md
```