Prepare Mullvad Browser Stable 14.0.3
Release Prep Mullvad Browser Stable
- NOTE: It is assumed the mullvad-browser release rebase and security backport tasks have been completed
- NOTE: This can/is often done in conjunction with the equivalent Tor Browser release prep issue
Explanation of variables
- ${BUILD_SERVER}: the server the main builder is using to build a browser release
- ${BUILDER}: whomever is building the release on the ${BUILD_SERVER}
  - example: pierov
- ${STAGING_SERVER}: the server the signer is using to run the signing process
- ${ESR_VERSION}: the Mozilla defined ESR version, used in various places for building browser tags, labels, etc
  - example: 91.6.0
- ${MULLVAD_BROWSER_MAJOR}: the Mullvad Browser major version
  - example: 11
- ${MULLVAD_BROWSER_MINOR}: the Mullvad Browser minor version
  - example: either 0 or 5; Alpha's is always (Stable + 5) % 10
- ${MULLVAD_BROWSER_VERSION}: the Mullvad Browser version in the format
  - example: 12.5a3, 12.0.3
- ${BUILD_N}: a project's build revision within its branch; this is separate from the ${MULLVAD_BROWSER_BUILD_N} value; many of the Firefox-related projects have a ${BUILD_N} suffix and may differ between projects even when they contribute to the same build.
  - example: build1
- ${MULLVAD_BROWSER_BUILD_N}: the mullvad-browser build revision for a given Mullvad Browser release; used in tagging git commits
  - example: build2
  - ⚠️ WARNING: A project's ${BUILD_N} and ${MULLVAD_BROWSER_BUILD_N} may be the same, but it is possible for them to diverge. For example:
    - if we have multiple Mullvad Browser releases on a given ESR branch the two will become out of sync as the ${BUILD_N} value will increase, while the ${MULLVAD_BROWSER_BUILD_N} value may stay at build1 (but the ${MULLVAD_BROWSER_VERSION} will increase)
    - if we have build failures unrelated to mullvad-browser, the ${MULLVAD_BROWSER_BUILD_N} value will increase while the ${BUILD_N} will stay the same.
- ${MULLVAD_BROWSER_VERSION}: the published Mullvad Browser version
  - example: 11.5a6, 11.0.7
- ${MB_BUILD_TAG}: the tor-browser-build build tag used to build a given Mullvad Browser version
  - example: mb-12.0.7-build1
- ${RELEASE_DATE}: the intended release date of this browser release; for ESR schedule-driven releases, this should match the upstream Firefox release date
  - example: 2024-10-29
Build Configuration
mullvad-browser: https://gitlab.torproject.org/tpo/applications/mullvad-browser.git
- Tag mullvad-browser commit:
  - example: mullvad-browser-128.3.0esr-14.0-1-build1
tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git
Mullvad Browser Stable is on the maint-${MULLVAD_BROWSER_MAJOR}.${MULLVAD_BROWSER_MINOR} branch
- Changelog bookkeeping:
  - Ensure all commits to mullvad-browser and tor-browser-build for this release have an associated issue linked to this release preparation issue
  - Ensure each issue has a platform (Windows, MacOS, Linux, Desktop, All Platforms) and potentially Build System labels
- Create a release preparation branch from the current maint-XX.Y branch
- Run release preparation script:
  - NOTE: You can omit the --mullvad-browser argument if this is for a joint Tor and Mullvad Browser release
  - ⚠️ WARNING: You may need to manually update the firefox/config file's browser_build field if mullvad-browser.git has not yet been tagged (e.g. if security backports have not yet been merged and tagged)
  - ./tools/relprep.py --mullvad-browser --date ${RELEASE_DATE} ${MULLVAD_BROWSER_VERSION}
- Review build configuration changes:
  - rbm.conf
    - var/torbrowser_version: updated to next browser version
    - var/torbrowser_build: updated to ${MULLVAD_BROWSER_BUILD_N}
    - var/browser_release_date: updated to build date. For the build to be reproducible, the date should be in the past when building.
      - ⚠️ WARNING: If we have updated var/torbrowser_build without updating the firefox tag, then we can leave this unchanged to avoid forcing a firefox re-build (e.g. when bumping var/torbrowser_build to build2, build3, etc due to non-firefox related build issues)
    - var/torbrowser_incremental_from: updated to previous Desktop version
      - NOTE: We try to build incrementals for the previous 3 desktop versions
      - ⚠️ WARNING: Really actually make sure this is the previous Desktop version or else the make mullvadbrowser-incrementals-* step will fail
  - projects/firefox/config
    - browser_build: updated to match mullvad-browser tag
    - (Optional) var/firefox_platform_version: updated to latest ${ESR_VERSION} if rebased
  - (Optional) projects/translation/config:
    - steps/base-browser/git_hash: updated with HEAD commit of project's base-browser branch
    - steps/mullvad-browser/git_hash: updated with HEAD commit of project's mullvad-browser branch
  - (Optional) projects/browser/config:
    - NoScript: https://addons.mozilla.org/en-US/firefox/addon/noscript
      - URL updated
        - ⚠️ WARNING: If preparing the release manually, updating the version number in the url is not sufficient, as each version has a random unique id in the download url
      - sha256sum updated
    - uBlock-origin: https://addons.mozilla.org/en-US/firefox/addon/ublock-origin
      - URL updated
        - ⚠️ WARNING: If preparing the release manually, updating the version number in the url is not sufficient, as each version has a random unique id in the download url
      - sha256sum updated
    - Mullvad Browser extension: https://github.com/mullvad/browser-extension/releases
      - URL updated
      - sha256sum updated
  - ChangeLog-MB.txt: ensure correctness
    - Browser name correct
    - Release date correct
    - No Android updates
    - All issues added under correct platform
    - ESR updates correct
    - Component updates correct
- Open MR with above changes, using the template for release preparations
  - NOTE: target the maint-14.0 branch
- Merge
- Sign+Tag
  - NOTE: this must be done by one of:
    - boklm
    - dan
    - ma1
    - morgan
    - pierov
  - Run: make mullvadbrowser-signtag-release
  - Push tag to upstream
- Build the tag:
  - Run: make mullvadbrowser-release && make mullvadbrowser-incrementals-release
    - Tor Project build machine
    - Local developer machine
- Submit build request to Mullvad infrastructure:
  - NOTE: this requires a devmole authentication token
  - NOTE: this also requires you be connected to a Swedish Mullvad VPN exit
  - Run: make mullvadbrowser-kick-devmole-build
Signing
release signing
- Assign this issue to the signer, one of:
  - boklm
  - ma1
  - morgan
  - pierov
- Ensure all builders have matching builds
- On ${STAGING_SERVER}, ensure updated:
  - NOTE: Having a local git branch with maint-14.0 as the upstream branch with these values saved means you only need to periodically git pull --rebase and update the set-config.tbb-version file
  - tor-browser-build is on the right commit: git tag -v mb-${MULLVAD_BROWSER_VERSION}-${MULLVAD_BROWSER_BUILD_N} && git checkout mb-${MULLVAD_BROWSER_VERSION}-${MULLVAD_BROWSER_BUILD_N}
  - tor-browser-build/tools/signing/set-config.hosts
    - ssh_host_builder: ssh hostname of machine with unsigned builds
    - ssh_host_linux_signer: ssh hostname of linux signing machine
    - builder_tor_browser_build_dir: path on ssh_host_builder to root of builder's tor-browser-build clone containing unsigned builds
  - tor-browser-build/tools/signing/set-config.rcodesign-appstoreconnect
    - appstoreconnect_api_key_path: path to json file containing appstoreconnect api key infos
  - set-config.update-responses
    - update_responses_repository_dir: directory where you cloned git@gitlab.torproject.org:tpo/applications/mullvad-browser-update-responses.git
  - tor-browser-build/tools/signing/set-config.tbb-version
    - tbb_version: mullvad browser version string, same as var/torbrowser_version in rbm.conf (examples: 11.5a12, 11.0.13)
    - tbb_version_build: the tor-browser-build build number (if var/torbrowser_build in rbm.conf is buildN then this value is N)
    - tbb_version_type: either alpha for alpha releases or release for stable releases
- On ${STAGING_SERVER} in a separate screen session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
- On ${STAGING_SERVER} in a separate screen session, run do-all-signing script:
  - Run: cd tor-browser-build/tools/signing/ && ./do-all-signing.mullvadbrowser
  - NOTE: on successful execution, the signed binaries and mars should have been copied to staticiforme and update responses pushed
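One way to carry out the "Ensure all builders have matching builds" step before signing, as an added shell example that is not part of this checklist or of tor-browser-build. It assumes each builder publishes a sha256sum-style manifest of its unsigned artifacts; the manifest paths, artifact names, and the helpers compare_manifests and fake_hash are hypothetical.

```shell
# Added example (not project code): confirm two builders produced identical
# unsigned builds by comparing their sha256 manifests before signing.
# Assumed format: sha256sum output, "<hash>  <file>" per line, no spaces in
# file names. Manifest paths and artifact names below are constructed.

# compare_manifests A B: prints each discrepancy, returns 0 only on a match
compare_manifests() {
    awk '
        { name = $2; sub(/^\*/, "", name) }        # strip binary-mode "*"
        length($1) != 64 || $1 ~ /[^0-9a-f]/ {
            print "MALFORMED " FILENAME ":" FNR; bad = 1; next
        }
        FILENAME == ARGV[1] { a[name] = $1; na++; next }
        { b[name] = $1 }
        END {
            if (na == 0) { print "EMPTY " ARGV[1]; bad = 1 }
            for (f in a) {
                if (!(f in b))         { print "ONLY_IN_A " f; bad = 1 }
                else if (a[f] != b[f]) { print "MISMATCH " f; bad = 1 }
            }
            for (f in b) if (!(f in a)) { print "ONLY_IN_B " f; bad = 1 }
            exit bad + 0
        }
    ' "$1" "$2"
}

# Constructed sample data: fake 64-char digests made of one repeated hex digit
fake_hash() { printf '%064d' 0 | tr 0 "$1"; }

demo_dir=$(mktemp -d)
{
    echo "$(fake_hash a)  mullvad-browser-linux-x86_64-14.0.3.tar.xz"
    echo "$(fake_hash b)  mullvad-browser-windows-x86_64-14.0.3.exe"
} > "$demo_dir/builder1.txt"
# builder2 lists the same artifacts in a different order: still a match
{
    echo "$(fake_hash b)  mullvad-browser-windows-x86_64-14.0.3.exe"
    echo "$(fake_hash a)  mullvad-browser-linux-x86_64-14.0.3.tar.xz"
} > "$demo_dir/builder2.txt"
# builder3 differs in one artifact, which must block signing
sed "s/$(fake_hash b)/$(fake_hash c)/" "$demo_dir/builder1.txt" > "$demo_dir/builder3.txt"

compare_manifests "$demo_dir/builder1.txt" "$demo_dir/builder2.txt" && echo "builders 1 and 2 match"
compare_manifests "$demo_dir/builder1.txt" "$demo_dir/builder3.txt" || echo "builders 1 and 3 differ: do not sign"
```

An empty or malformed manifest is treated as a failure, so a builder that uploaded nothing cannot pass as a match.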
Publishing
website
- On staticiforme.torproject.org, remove old release and publish new:
  - /srv/dist-master.torproject.org/htdocs/mullvadbrowser
  - Run: static-update-component dist.torproject.org
mullvad-browser (GitHub): https://github.com/mullvad/mullvad-browser/
- Assign this issue to someone with mullvad commit access, one of:
  - boklm
  - ma1
  - morgan
  - pierov
- Sign+Tag additionally the mullvad-browser.git firefox commit used in build:
  - Tag: ${MULLVAD_BROWSER_VERSION}
    - example: 12.5a7
  - Message: ${ESR_VERSION}esr-based ${MULLVAD_BROWSER_VERSION}
    - example: 102.12.0esr-based 12.5a7
- Push this release's associated mullvad-browser.git branch to github
- Push this release's associated tags to github:
  - Firefox ESR tag
    - example: FIREFOX_102_12_0esr_BUILD1
  - base-browser tag
    - example: base-browser-102.12.0esr-12.0-1-build1
  - mullvad-browser build tag
    - example: mullvad-browser-102.12.0esr-12.0-1-build1
  - mullvad-browser release tag
    - example: 12.0.11
Communications
Mullvad
- Email Mullvad with release information:
  - Recipients
    - Mullvad support alias: support@mullvadvpn.net
    - Rui Hildt: rui@mullvad.net

    support@mullvadvpn.net rui@mullvad.net
  - Subject

    New build: Mullvad Browser ${MULLVAD_BROWSER_VERSION} (signed)
  - Body

    Hello,

    Branch+Tags have been pushed to Mullvad's GitHub repo.

    - signed builds: https://dist.torproject.org/mullvadbrowser/${MULLVAD_BROWSER_VERSION}
    - update_response hashes: ${MULLVAD_UPDATE_RESPONSES_HASH}

    changelog:
    # paste changelog as quote here
    ...
packagers
- (Once Packages are pushed to GitHub)
  - Recipients
    - flathub package maintainer: proletarius101@protonmail.com
    - arch package maintainer: bootctl@gmail.com
    - nixOS package maintainer: dev@felschr.com

    proletarius101@protonmail.com bootctl@gmail.com dev@felschr.com
  - Subject

    Mullvad Browser ${MULLVAD_BROWSER_VERSION} released
  - Body

    Hello!

    Mullvad-Browser packages are available, so you should update your respective downstream packages.

    The latest release builds can be found here:

    - https://github.com/mullvad/mullvad-browser/releases?q=prerelease%3Afalse
merge requests
- (Once Packages are pushed to GitHub)
  - homebrew: https://github.com/Homebrew/homebrew-cask/blob/master/Casks/m/mullvad-browser.rb
    - NOTE: a bot seems to pick this up without needing our intervention these days
    - NOTE: should just need to update version and sha256 to latest
Edited by morgan