Prepare Mullvad Browser 12.5.2
Explanation of variables
-
$(BUILD_SERVER)
: the server the main builder is using to build a mullvad-browser release -
$(BUILDER)
: whomever is building the release on the $(BUILD_SERVER)-
example :
pierov
-
example :
-
$(STAGING_SERVER)
: the server the signer is using to to run the signing process -
$(ESR_VERSION)
: the Mozilla defined ESR version, used in various places for building mullvad-browser tags, labels, etc-
example :
91.6.0
-
example :
-
$(MULLVAD_BROWSER_MAJOR)
: the Mullvad Browser major version-
example :
11
-
example :
-
$(MULLVAD_BROWSER_MINOR)
: the Mullvad Browser minor version-
example : either
0
or5
; Alpha's is always(Stable + 5) % 10
-
example : either
-
$(MULLVAD_BROWSER_VERSION)
: the Mullvad Browser version in the format-
example :
12.5a3
,12.0.3
-
example :
-
$(BUILD_N)
: a project's build revision within a its branch; this is separate from the$(MULLVAD_BROWSER_BUILD_N)
value; many of the Firefox-related projects have a$(BUILD_N)
suffix and may differ between projects even when they contribute to the same build.-
example :
build1
-
example :
-
$(MULLVAD_BROWSER_BUILD_N)
: the mullvad-browser build revision for a given Mullvad Browser release; used in tagging git commits-
example :
build2
-
NOTE : A project's
$(BUILD_N)
and$(MULLVAD_BROWSER_BUILD_N)
may be the same, but it is possible for them to diverge. For example :- if we have multiple Mullvad Browser releases on a given ESR branch the two will become out of sync as the
$(BUILD_N)
value will increase, while the$(MULLVAD_BROWSER_BUILD_N)
value may stay atbuild1
(but the$(MULLVAD_BROWSER_VERSION)
will increase) - if we have build failures unrelated to
mullvad-browser
, the$(MULLVAD_BROWSER_BUILD_N)
value will increase while the$(BUILD_N)
will stay the same.
- if we have multiple Mullvad Browser releases on a given ESR branch the two will become out of sync as the
-
example :
-
$(MULLVAD_BROWSER_VERSION)
: the published Mullvad Browser version-
example :
11.5a6
,11.0.7
-
example :
-
$(MB_BUILD_TAG)
: thetor-browser-build
build tag used to build a given Mullvad Browser version-
example :
mb-12.0.7-build1
-
example :
NOTE It is assumed that the tor-browser
stable rebase and security backport tasks have been completed
Building
https://gitlab.torproject.org/tpo/applications/tor-browser-build.git
tor-browser-build:Mullvad Browser Stable lives in the various maint-$(MULLVAD_BROWSER_MAJOR).$(MULLVAD_BROWSER_MINOR)
(and possibly more specific) branches
-
Update rbm.conf
-
var/torbrowser_version
: update to next version -
var/torbrowser_build
: update to$(MULLVAD_BROWSER_BUILD_N)
-
var/torbrowser_incremental_from
: update to previous Desktop version-
IMPORTANT: Really actually make sure this is the previous Desktop version or else the
make mullvadbrowser-incrementals-*
step will fail
-
IMPORTANT: Really actually make sure this is the previous Desktop version or else the
-
-
Update build configs -
Update projects/firefox/config
-
browser_build
: update to matchmullvad-browser
tag -
(Optional) var/firefox_platform_version
: update to latest$(ESR_VERSION)
if rebased
-
-
Update projects/translation/config
:-
run make list_translation_updates-release
to get updated hashes -
steps/base-browser/git_hash
: update withHEAD
commit of project'sbase-browser
branch -
steps/base-browser-fluent/git_hash
: update withHEAD
commit of project'sbasebrowser-newidentityftl
branch
-
-
-
Update common build configs -
Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript -
(Optional) If new version available, update noscript
section ofinput_files
inprojects/browser/config
-
URL
-
sha256sum
-
-
-
Check for uBlock-origin updates here : https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/ -
(Optional) If new version available, update ublock-origin
section ofinput_files
inprojects/browser/config
-
URL
-
sha256sum
-
-
-
Check for Mullvad Privacy Companion updates here : https://github.com/mullvad/browser-extension/releases -
(Optional) If new version available, update mullvad-extension
section ofinput_files
inprojects/browser/config
-
URL
-
sha256sum
-
-
-
-
Open MR with above changes -
Merge -
Sign/Tag commit: make mullvadbrowser-signtag-release
-
Push tag to origin
-
Begin build on $(BUILD_SERVER)
(fix any issues in subsequent MRs) -
TODO Submit build-tag to Mullvad build infra -
Ensure builders have matching builds
QA
send the build
-
Email Mullvad QA: support@mullvad.net, rui@mullvad.net email template
Subject: New build: Mullvad Browser $(MULLVAD_BROWSER_VERION) (unsigned) Body: unsigned builds: https://tb-build-05.torproject.org/~$(BUILDER)/builds/mullvadbrowser/release/unsigned/$(MB_BUILD_TAG) changelog: ...
-
(Optional) Add additional information:
-
Note any new functionality which needs testing -
Link to any known issues
-
-
(Optional) Add additional information:
Signing
signing
-
On $(STAGING_SERVER)
, ensure updated:-
tor-browser-build/tools/signing/set-config.hosts
-
ssh_host_builder
: ssh hostname of machine with unsigned builds-
NOTE :
tor-browser-build
is expected to be in the$HOME
directory)
-
NOTE :
-
ssh_host_linux_signer
: ssh hostname of linux signing machine -
ssh_host_macos_signer
: ssh hostname of macOS signing machine
-
-
tor-browser-build/tools/signing/set-config.macos-notarization
-
macos_notarization_user
: the email login for a mullvad notariser Apple Developer account
-
-
set-config.update-responses
-
update_responses_repository_dir
: directory where you clonedgit@gitlab.torproject.org:tpo/applications/mullvad-browser-update-responses.git
-
-
tor-browser-build/tools/signing/set-config.tbb-version
-
tbb_version
: mullvad browser version string, same asvar/torbrowser_version
inrbm.conf
(examples:11.5a12
,11.0.13
) -
tbb_version_build
: the tor-browser-build build number (ifvar/torbrowser_build
inrbm.conf
isbuildN
then this value isN
) -
tbb_version_type
: eitheralpha
for alpha releases orrelease
for stable releases
-
-
-
On $(STAGING_SERVER)
in a separatescreen
session, run the macOS proxy script:cd tor-browser-build/tools/signing/
./macos-signer-proxy
-
On $(STAGING_SERVER)
in a separatescreen
session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050 -
run do-all-signing script: cd tor-browser-build/tools/signing/
./do-all-signing.mullvadbrowser
-
NOTE: at this point the signed binaries should have been copied to
staticiforme
-
Update staticiforme.torproject.org
:- From
screen
session onstaticiforme.torproject.org
: -
Static update components : static-update-component dist.torproject.org
-
Remove old release data from /srv/dist-master.torproject.org/htdocs/mullvadbrowser
-
Static update components (again) : static-update-component dist.torproject.org
- From
Publishing
-
Email Mullvad with release information: support@mullvad.net, rui@mullvad.net email template
Subject: New build: Mullvad Browser $(MULLVAD_BROWSER_VERION) (signed) Body: signed builds: https://dist.torproject.org/mullvadbrowser/$(MULLVAD_BROWSER_VERSION) update_response hashes: $(MULLVAD_UPDATE_RESPONSES_HASH) changelog: ...
https://github.com/mullvad/mullvad-browser/
mullvad-browser (github):-
Push this release's associated mullvad-browser.git
branch to github -
Push this release's associated tags to github: -
Firefox ESR tag -
example :
FIREFOX_102_12_0esr_BUILD1,
-
example :
-
base-browser
tag-
example :
base-browser-102.12.0esr-12.0-1-build1
-
example :
-
mullvad-browser
tag-
example :
mullvad-browser-102.12.0esr-12.0-1-build1
-
example :
-
-
Sign+Tag additionally the mullvad-browser.git
firefox
commit used in build:-
Tag:
$(MULLVAD_BROWSER_VERSION)
-
example :
12.0.7
-
example :
-
Message:
$(ESR_VERSION)esr-based $(MULLVAD_BROWSER_VERSION)
-
example :
102.12.0esr-based 12.0.7
-
example :
-
Push tag to github
-
Tag:
Downstream
notify packagers
-
(Once Mullvad Updates their Github Releases Page) Email downstream consumers: email template
...
...
-
flathub package maintainer: proletarius101@protonmail.com -
arch package maintainer: bootctl@gmail.com -
nixOS package maintainer: dev@felschr.com
-
merge requests
-
homebrew: https://github.com/Homebrew/homebrew-cask/blob/master/Casks/mullvad-browser.rb - NOTE: should just need to update the version to latest
Edited by morgan