Prepare stable release 11.5.5
Explanation of variables
-
$(BUILD_SERVER)
: the server the main builder is using to build a tor-browser release -
$(STAGING_SERVER)
: the server the signer is using to to run the signing process -
$(TOR_LAUNCHER_VERSION)
: version oftor-launcher
, used in tags- example :
0.2.33
- example :
-
$(ESR_VERSION)
: the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc- example :
91.6.0
- example :
-
$(ESR_TAG)
: the Mozilla defined hg (Mercurial) tag associated with$(ESR_VERSION)
- exmaple :
FIREFOX_91_7_0esr_BUILD2
- exmaple :
-
$(ESR_TAG_PREV)
: the Mozilla defined hg (Mercurial) tag associated with the previous ESR version when rebasing (ie, the ESR version we are rebasing from) -
$(RR_VERSION)
: the Mozilla defined 'Rapid Relese' version, used in various places for building geckoview tags, labels, etc- example :
96.0.3
- example :
-
$(RR_TAG)
: the Mozilla defined hg (Mercurial) tag associated with$(ESR_VERSION)
- exmaple :
FIREFOX_96_0_3_RELEASE
- exmaple :
-
$(RR_TAG_PREV)
: the Mozilla defined hg (Mercurial) tag associated with the previous ESR version when rebasing (ie, the ESR version we are rebasing from) -
$(TOR_BROWSER_MAJOR)
: the Tor Browser major version- example :
11
- example :
-
$(TOR_BROWSER_MINOR)
: the Tor Browser minor version- example : either
0
or5
; Alpha's is always(Stable + 5) % 10
- example : either
-
$(BUILD_N)
: a project's build revision within a its branch; this is separate from the$(TOR_BROWSER_BUILD_N)
value; many of the Firefox-related projects have a$(BUILD_N)
suffix and may differ between projects even when they contribute to the same build.- example :
build1
- example :
-
$(TOR_BROWSER_BUILD_N)
: the tor-browser build revision for a given Tor Browser release; used in tagging git commits- example :
build2
-
NOTE : A project's
$(BUILD_N)
and$(TOR_BROWSER_BUILD_N)
may be the same, but it is possible for them to diverge. For example :- if we have multiple Tor Browser releases on a given ESR branch the two will become out of sync as the
$(BUILD_N)
value will increase, while the$(TOR_BROWSER_BUILD_N)
value may stay atbuild1
(but the$(TOR_BROWSER_VERSION)
will increase) - if we have build failures unrelated to
tor-browser
, the$(TOR_BROWSER_BUILD_N)
value will increase while the$(BUILD_N)
will stay the same.
- if we have multiple Tor Browser releases on a given ESR branch the two will become out of sync as the
- example :
-
$(TOR_BROWSER_VERSION)
: the published Tor Browser version- example :
11.5a6
,11.0.7
- example :
-
$(TOR_BROWSER_BRANCH)
: the full name of tor-browser branch- typically of the form:
tor-browser-$(ESR_VERSION)esr-$(TOR_BROWSER_MAJOR).$(TOR-BROWSER_MINOR)-1
- typically of the form:
-
$(TOR_BROWSER_BRANCH_PREV)
: the full name of the previous tor-browser branch (when rebasing) -
$(GECKOVIEW_BRANCH)
: the full name of geckoview branch- typically of the form:
tor-browser-$(RR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR-BROWSER_MINOR)-1
- typically of the form:
-
$(GECKOVIEW_BRANCH_PREV)
: the full name of the previous geckoview branch (when rebasing)
Desktop
https://git.torproject.org/torbutton.git
torbutton (Optional):-
(Optional) Update translations : - NOTE We only update strings in stable if a backported feature depends on new strings
-
./import-translations.sh
- NOTE : if there are no new strings imported then we are done here
-
Commit with message Translation updates
- NOTE : only add files which are already being tracked
-
fixup! tor-browser
'sBug 10760 : Integrate TorButton to TorBrowser core
issue to point to updatedtorbutton
commit
https://git.torproject.org/tor-launcher.git
tor-launcher (Optional):-
(Optional) Update translations: - NOTE We only update strings in stable if a backported feature depends on new strings
-
./localization/import-translations.sh -
Commit with message Translation updates
-
Update install.rdf
file with new version -
Sign/Tag commit : - Tag :
$(TOR_LAUNCHER_VERSION)
- Message
Tagging $(TOR_LAUNCHER_VERSION)
- Tag :
-
Push main
and tag to origin
https://git.torproject.org/tor-browser.git
tor-browser:-
(Optional) Rebase to $(ESR_VERSION)
-
Find the Firefox hg tag here : https://hg.mozilla.org/releases/mozilla-esr91/tags -
$(ESR_TAG)
:<INSERT_TAG_HERE>
-
-
Identify the hg patch associated with above hg tag, and find the equivalent gecko-dev
git commit (search by commit message)-
gecko-dev
commit :<INSERT_COMMIT_HASH_HERE>
-
-
Create new tor-browser
branch with the discoveredgecko-dev
commit asHEAD
namedtor-browser-$(ESR_VERSION)esr-$(TOR_BROWSER_MAJOR).$(TOR-BROWSER_MINOR)-1
-
Sign/Tag commit : - Tag :
$(ESR_TAG)
- Message :
Hg tag $(ESR_TAG)
- Tag :
-
-
Push new branch and tag to origin -
Rebase tor-browser
patches -
Compare patch-sets (ensure nothing weird happened during rebase): -
rangediff: git range-diff $(ESR_TAG_PREV)..$(TOR_BROWSER_BRANCH_PREV) $(ESR_TAG)..$(TOR_BROWSER_BRANCH)
-
diff of diffs: - Do the diff between
current_patchset.diff
andrebased_patchset.diff
with your preferred$(DIFF_TOOL)
and look at differences on lines that starts with + or - -
git diff $(ESR_TAG_PREV)..$(TOR_BROWSER_BRANCH_PREV) > current_patchset.diff
-
git diff $(ESR_TAG)..$(TOR_BROWSER_BRANCH) > rebased_patchset.diff
-
$(DIFF_TOOL) current_patchset.dif rebased_patchset.deff
- Do the diff between
-
-
Open MR for the rebase
-
-
(Optional) Backport any required Alpha patches to Stable -
cherry-pick patches on top of rebased branch (issues to backport should have Backport
label and be linked to the associatedRelease Prep
issue) -
Close associated Backport
issues -
Open MR for the backport commits
-
-
Sign/Tag tor-browser
commit :- Tag :
tor-browser-$(ESR_VERSION)esr-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(FIREFOX_BUILD_N)
- Message :
Tagging $(FIREFOX_BUILD_N) for $(ESR_VERSION)esr-based (alpha|stable)
- Tag :
-
Push tag to origin
Android
https://git.torproject.org/tor-browser.git
geckoview:-
(Optional) Rebase to $(RR_VERSION)
-
Find the Firefox hg tag here : https://hg.mozilla.org/releases/mozilla-release/tags -
$(RR_TAG)
:FIREFOX_102_4_0esr_BUILD1
-
-
Identify the hg patch associated with above hg tag, and find the equivalent gecko-dev
git commit (search by commit message)-
gecko-dev
commit : df868fe98ed5d25b9d6c2994d77f74929c938e78
-
-
Create new geckoview
branch with the discoveredgecko-dev
commit asHEAD
namedgeckoview-$(RR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR-BROWSER_MINOR)-1
-
Sign/Tag commit : - Tag :
$(RR_TAG)
- Message :
Hg tag $(RR_TAG)
- Tag :
-
Push new branch and tag to origin -
Rebase geckoview
patches -
Compare patch-sets (ensure nothing weird happened during rebase): -
rangediff: git range-diff $(RR_TAG_PREV)..$(GECKOVIEW_BRANCH_PREV) $(RR_TAG)..$(GECKOVIEW_BRANCH)
-
diff of diffs: - Do the diff between
current_patchset.diff
andrebased_patchset.diff
with your preferred$(DIFF_TOOL)
and look at differences on lines that starts with + or - -
git diff $(RR_TAG_PREV)..$(GECKOVIEW_BRANCH_PREV) > current_patchset.diff
-
git diff $(RR_TAG)..$(GECKOVIEW_BRANCH) > rebased_patchset.diff
-
$(DIFF_TOOL) current_patchset.dif rebased_patchset.deff
- Do the diff between
-
-
Open MR for the rebase
-
-
(Optional) Backport any required patches to Stable -
cherry-pick patches on top of rebased branch (issues to backport should have Backport
label and be linked to the associatedRelease Prep
issue) -
Close associated Backport
issues -
Open MR for the backport commits -
Merge + Push
-
-
Sign/Tag geckoview
commit :- Tag :
geckoview-$(RR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(FIREFOX_BUILD_N)
- Message :
Tagging $(FIREFOX_BUILD_N) for $(RR_VERSION)-based (alpha|stable)
- Tag :
-
Push tag to origin
https://git.torproject.org/translation.git
tba-translation (Optional):- NOTE We only update strings in stable if a backported feature depends on new strings
-
Fetch latest and identify new HEAD
offenix-torbrowserstringsxml
branch-
origin/fenix-torbrowserstringsxml
:9ed8ec8aef95cd3b4e61e7e77e2113cbd13c4528
-
https://git.torproject.org/tor-android-service.git
tor-android-service (Optional):-
Fetch latest and identify new HEAD
ofmain
branch-
origin/main
:20738f8d347778a274c9ae782026ecca1c682a4a
-
application-services : TODO: we need to setup a gitlab copy of this repo that we can apply security backports to
-
(Optional) Backport any Android-specific security fixes from Firefox rapid-release -
Sign/Tag commit: - Tag :
application-services-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)
- Message:
Tagging $(BUILD_N) for $(ESR_VERSION)-based (alpha|stable)
- Tag :
-
Push tag to origin
https://gitlab.torproject.org/tpo/applications/android-components.git
android-components (Optional):-
(Optional) Rebase to $(RR_VERSION)
-
Identify the mozilla-mobile
git tag to start from by first updatingfenix
and then checking whichandroid-components
tag is used inbuildSrc/src/main/java/AndroidComponents.kt
- Alternatively search for commit message like
Update Android-Components
- Alternatively search for commit message like
-
Create new branch from tag named android-components-$(RR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1
-
Push new branch to origin -
Rebase android-components
patches -
Perform rangediff to ensure nothing weird happened resolving conflicts -
Open MR for the rebase -
Merge + Push
-
-
(Optional) Backport any required patches to Stable -
cherry-pick patches on top of rebased branch (issues to backport should have Backport
label and be linked to the associatedRelease Prep
issue) -
Close associated Backport
issues -
Open MR for the backport commits -
Merge + Push [ ] Sign/Tag commit: - Tag :
android-components-$(RR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)
- Message:
Tagging $(BUILD_N) for $(RR_VERSION)-based (alpha|stable)
-
Push tag to origin
-
https://gitlab.torproject.org/tpo/applications/fenix.git
fenix (Optional):-
(Optional) Rebase to $(RR_VERSION)
- Upstream git repo : https://github.com/mozilla-mobile/fenix.git
-
Identify the mozilla-mobile
git tag to start from- Seem to be in the form
v$(RR_VERSION)
(for example,v96.3.0
)
- Seem to be in the form
-
Create new branch from tag named tor-browser-$(RR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1
-
NOTE : it is weird but we do use
tor-browser
here rather thanfenix
-
NOTE : it is weird but we do use
-
Push new branch to origin -
Rebase fenix
patches -
Perform rangediff to ensure nothing weird happened resolving conflicts -
Open MR for the rebase -
Merge + Push
-
(Optional) Backport any required patches to Stable -
cherry-pick patches on top of rebased branch (issues to backport should have Backport
label and be linked to the associatedRelease Prep
issue) -
Close associated Backport
issues -
Open MR for the backport commits -
Merge + Push
-
-
Sign/Tag commit: - Tag :
tor-browser-$(RR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)
- Message:
Tagging $(BUILD_N) for $(RR_VERSION)-based (alpha|stable)
- Tag :
-
Push tag to origin
Build/Signing/Publishing
https://git.torproject.org/builders/tor-browser-build.git
tor-browser-build:Tor Browser Alpha (and Nightly) are on the main
branch, while Stable lives in the various $(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-maint
(and possibly more specific) branches
-
Update rbm.conf
-
var/torbrowser_version
: update to next version -
var/torbrowser_build
: update to$(TOR_BROWSER_BUILD_N)
-
(Desktop Only) var/torbrowser_incremental_from
: update to previous Desktop version-
IMPORTANT: Really actually make sure this is the previous Desktop version or else the make incrementals-*
step will fail
-
-
-
(Desktop Only) Update projects/firefox/config
-
git_hash
: update the$(BUILD_N)
section to matchtor-browser
tag -
(Optional) var/firefox_platform_version
: update to latest$(ESR_VERSION)
if rebased
-
-
(Android Only) Update projects/geckoview/config
-
git_hash
: update the$(BUILD_N)
section to matchgeckoview
tag -
(Optional) var/geckoview_version
: update to latest$(RR_VERSION)
if rebased
-
-
(Android Only, Optional) Update projects/tba-translations/config
:-
git_hash
: update withHEAD
commit of project'sfenix-torbrowserstringsxml
branch
-
-
(Android Only, Optional) Update projects/tor-android-service/config
-
git_hash
: update withHEAD
commit of project'smain
branch
-
-
(Android Only, Optional) Update projects/application-services/config
: NOTE we don't have any of our own patches for this project-
git_hash
: update to appropriate git commit associated with $(RR_VERSION)
-
-
(Android Only, Optional) Update projects/android-components/config
-
git_hash
: update the$(BUILD_N)
section to matchandroid-components
tag -
(Optional) var/android_components_version
: update to latest$(RR_VERSION)
if rebased
-
-
(Android Only, Optional) Update projects/fenix/config
-
git_hash
: update the$(BUILD_N)
section to matchfenix
tag -
(Optional) var/fenix_version
: update to latest$(RR_VERSION)
if rebased
-
-
(Android Only) Update allowed_addons.json by running (from tor-browser-build
root):./tools/fetch_allowed_addons.py > projects/tor-browser/allowed_addons.json
-
Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript -
(Optional) If new version available, update noscript
section ofinput_files
inprojects/tor-browser/config
-
URL
-
sha256sum
-
-
-
Check for OpenSSL updates here : https://github.com/openssl/openssl/tags -
(Optional) If new 1.X.Y series tag available, update projects/openssl/config
-
version
: update to next 1.X.Y release tag -
input_files/sha256sum
: update to sha256 sum of source tarball
-
-
-
Check for tor updates here : https://gitlab.torproject.org/tpo/core/tor/-/tags ; Tor Browser Alpha uses -alpha
tagged tor, while stable uses the stable series-
(Optional) Update projects/tor/config
-
version
: update to next release tag
-
-
-
Check for go updates here : https://golang.org/dl - NOTE : Tor Browser Alpha uses the latest Stable go version, while Tor Browser Stable uses the latest of the previous Stable major series version
-
(Optional) Update projects/go/config
-
version
: update go version -
input_files/sha256sum
forgo
: update sha256sum of archive (sha256 sums are displayed on the go download page)
-
-
(Optional) Update the manual -
Go to https://gitlab.torproject.org/tpo/web/manual/-/jobs/ -
Open the latest build stage -
Download the artifacts (they come in a .zip file). -
Rename it to manual_$PIPELINEID.zip
-
Upload it to people.tpo -
Update projects/manual/config
-
Change the version to $PIPELINEID
-
Update the hash in the input_files section -
Update the URL if you have uploaded to a different people.tpo home
-
-
-
Update ChangeLog.txt
-
Ensure ChangeLog.txt is sync'd between alpha and stable branches
-
-
Open MR with above changes -
Begin build on $(BUILD_SERVER)
(and fix any issues which come up) -
Sign/Tag commit : make signtag-(alpha|release)
-
Push tag to origin
notify stakeholders
-
Email tor-qa mailing list: tor-qa@lists.torproject.org -
Provide links to unsigned builds on $(BUILD_SERVER)
-
Call out any new functionality which needs testing -
Link to any known issues
-
-
Email Tails dev mailing list: tails-dev@boum.org -
Provide links to unsigned builds on $(BUILD_SERVER)
-
https://gitlab.torproject.org/tpo/web/blog.git
blog:-
Duplicate previous Stable or Alpha release blog post as appropriate to new directory under content/blog/new-release-tor-browser-$(TOR_BROWSER_VERSION)
and update with info on release :-
Update Tor Browser version numbers -
Note any ESR rebase -
Note any Rapid Release rebase -
Link to any Firefox security updates -
Note any updates to : -
tor -
OpenSSL -
go -
NoScript
-
-
Convert ChangeLog.txt to markdown format used here by : tor-browser-build/tools/changelog-format-blog-post
-
-
Push to origin as new branch, open 'Draft :' MR -
Remove Draft:
from MR once signed-packages are uploaded -
Merge -
Publish after CI passes
https://gitlab.torproject.org/tpo/web/tpo.git
website:-
databags/versions.ini
: Update the downloads versions-
torbrowser-stable/version
: sort of a catch-all for latest stable version -
torbrowser-stable/win32
: tor version in the expert bundle -
torbrowser-*-stable/version
: platform-specific stable versions -
torbrowser-*-alpha/version
: platform-specific alpha versions -
tor-stable
,tor-alpha
: set by tor devs, do not touch
-
-
Push to origin as new branch, open 'Draft :' MR -
Remove Draft:
from MR once signed-packages are uploaded -
Merge -
Publish after CI passes
signing + publishing
-
Ensure builders have matching builds -
On $(STAGING_SERVER)
, ensure updated:-
tor-browser-build/tools/signing/set-config
-
NSS_DB_DIR
: location of thenssdb7
directory
-
-
tor-browser-build/tools/signing/set-config.hosts
-
ssh_host_builder
: ssh hostname of machine with unsigned builds-
NOTE :
tor-browser-build
is expected to be in the$HOME
directory)
-
NOTE :
-
ssh_host_linux_signer
: ssh hostname of linux signing machine -
ssh_host_macos_signer
: ssh hostname of macOS signing machine
-
-
tor-browser-build/tools/signing/set-config.macos-notarization
-
macos_notarization_user
: the email login for a tor notariser Apple Developer account
-
-
tor-browser-build/tools/signing/set-config.tbb-version
-
tbb_version
: tor browser version string, same asvar/torbrowser_version
inrbm.conf
(examples:11.5a12
,11.0.13
) -
tbb_version_build
: the tor-browser-build build number (ifvar/torbrowser_build
inrbm.conf
isbuildN
then this value isN
) -
tbb_version_type
: eitheralpha
for alpha releases orrelease
for stable releases
-
-
-
On $(STAGING_SERVER)
in a separatescreen
session, run the macOS proxy script:cd tor-browser-build/tools/signing/
./macos-signer-proxy
-
On $(STAGING_SERVER)
in a separatescreen
session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050 -
(Android Only) APK Signing: TODO -
run do-all-signing script: cd tor-browser-build/tools/signing/
./do-all-signing.sh
-
NOTE: at this point the signed binaries should have been copied to
staticiforme
-
Update staticiforme.torproject.org
:- From
screen
session onstaticiforme.torproject.org
: -
Remove old release data from following places: - NOTE : Skip this step if the current release is Android or Desktop only
-
/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser
-
/srv/dist-master.torproject.org/htdocs/torbrowser
-
Static update components : static-update-component cdn.torproject.org && static-update-component dist.torproject.org
-
Enable update responses : -
alpha: ./deploy_update_responses-alpha.sh
-
release: ./deploy_update_responses-release.sh
-
- From
-
(Android Only) : Publish APKs to Google Play: -
Log into https://play.google.com/apps/publish -
Select Tor Browser
app -
Navigate to Release > Production
and clickCreate new release
button -
Upload the *.multi.apk
APKs -
If necessary, update the 'Release Name' (should be automatically populated) -
Update Release Notes -
Next to 'Release notes', click Copy from a previous release
-
Edit blog post url to point to most recent blog post
-
-
Save, review, and configure rollout percentage -
25% rollout when publishing a scheduled update -
100% rollout when publishing a security-driven release
-
-
Update rollout percentage to 100% after confirmed no major issues
-
tor-announce mailing list
-
Send an email to tor-announce@lists.torproject.org, using the same content as the blog post and subject "Tor Browser $version is released".
Edited by morgan