fixup! TB 43616: Customize Gitlab Issue and Merge Request templates

# ⤵️ Rebase Legacy

**NOTE:** All examples in this template reference the rebase from 115.17.0esr to 115.18.0esr

<details>

    ```

  - [ ] Push tag to `upstream`

<!-- Do not edit beneath this line <3 -->

---

/label ~"Apps::Product::TorBrowser"

/label ~"Apps::Type::Rebase"

/label ~"Apps::Priority::Blocker"

# ⬆️ **Uplift**

<!--

Title:

    Uplift tor-browser#12345: Title of Issue

This is an issue for tracking uplift of a patch-set to Firefox

-->

## Uplift Patchset

## Book-keeping

### Book-keeping

#### Gitlab Issue(s)

### Gitlab Issue(s)

- tor-browser#12345

- mullvad-browser#123

#### Merge Request(s)

### Merge Request(s)

- tor-browser!123

#### Upstream Mozilla Issue(s):

### Upstream Mozilla Issue(s):

- https://bugzilla.mozilla.org/show_bug.cgi?id=12345

### Notes

## Notes

<!--

Whatever additional info, context, etc that would be helpful for uplifting -->

<!-- Do not edit beneath this line <3 -->

<!-- whatever additional info, context, etc that would be helpful for uplifting -->

---

/label ~"Apps::Product::TorBrowser"

/label ~"Apps::Type::Uplift"

# 🛡️ **Security Backports**

<details>

  <summary>Explanation of Variables</summary>

**NOTE:** It is assumed the `tor-browser` rebases (stable and alpha) have already happened and there exists a `build1` build tags for both `base-browser` and `tor-browser` (stable and alpha)

### **Bookkeeping**

## **Bookkeeping**

- [ ] Link this issue to the appropriate [Release Prep](https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/?sort=updated_desc&state=opened&label_name%5B%5D=Apps%3A%3AType%3A%3AReleasePreparation) issues (stable and alpha).

- [ ] Link this issue to the appropriate [Release Prep](https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/?sort=updated_desc&state=opened&label_name%5B%5D=Apps%3A%3AType%3A%3AReleasePreparation) issues (alpha, stable, and legacy).

### **Security Vulnerabilities Report**: https://www.mozilla.org/en-US/security/advisories/

## **Security Vulnerabilities Report**: https://www.mozilla.org/en-US/security/advisories/

- Potentially Affected Components:

  - `firefox`/`geckoview`: https://github.com/mozilla/gecko-dev

  - `application-services`: https://github.com/mozilla/application-services

  - `android-components` (ESR 102 only): https://github.com/mozilla-mobile/firefox-android

  - `fenix` (ESR 102 only): https://github.com/mozilla-mobile/firefox-android

  - `firefox-android`: https://github.com/mozilla-mobile/firefox-android

**NOTE:** `android-components` and `fenix` used to have their own repos, but since November 2022 they have converged to a single `firefox-android` repo. Any backports will require manually porting patches over to our legacy repos until we have transitioned to ESR 115.

- [ ] Go through the `Security Vulnerabilities fixed in Firefox $(RR_VERSION)` report and create a candidate list of CVEs which potentially need to be backported in this issue:

  - CVEs which are explicitly labeled as 'Android' only

    - To find the `gecko-dev` version of a `mozilla-central`, search for a unique string in the relevant `mozilla-central` commit message in the `gecko-dev/release` branch log.

    - **NOTE:** This process is unfortunately somewhat poorly defined/ad-hoc given the general variation in how Bugzilla issues are labeled and resolved. In general this is going to involve a bit of hunting to identify needed commits or determining whether or not the fix is relevant.

### CVEs

## CVEs

<!-- CVE Resolution Template, foreach CVE to investigate add an entry in the form:

- [ ] https://www.mozilla.org/en-US/security/advisories/mfsaYYYY-NN/#CVE-YYYY-XXXXX // CVE description

  - https://bugzilla.mozilla.org/show_bug.cgi?id=NNNNNN // Bugzilla issue

  - **Note**: Any relevant info about this fix, justification for why it is not necessary, etc

  - **Patches**

    - firefox-android: https://link.to/relevant/patch

    - firefox: https://link.to/relevant/patch

 -->

### **tor-browser**: https://gitlab.torproject.org/tpo/applications/tor-browser.git

## **tor-browser**: https://gitlab.torproject.org/tpo/applications/tor-browser.git

- [ ] Backport any Android-specific security fixes from Firefox rapid-release

  - [ ] Backport patches to `tor-browser` stable branch

  - [ ] Open MR

  - [ ] Merge

  - [ ] Rebase patches onto:

  - [ ] cherry-pick patches onto:

    - [ ] `base-browser` stable

    - [ ] `mullvad-browser` stable

    - [ ] `tor-browser` alpha

    - [ ] `base-browser` alpha

    - [ ] `mullvad-browser` alpha

  - [ ] Sign/Tag commits:

    - **Tag**: `$(PROJECT_NAME)-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)`

    - **Message**: `Tagging $(BUILD_N) for $(ESR_VERSION)-based stable|alpha)`

    - In **tor-browser-build.git**, run signing script:

      ```bash

      ./tools/browser/sign-tag.${PROJECT_NAME} ${CHANNEL} ${BUILD_N}

      ```

    - [ ] `base-browser` stable

    - [ ] `tor-browser` stable

    - [ ] `mullvad-browser` stable

    - [ ] `base-browser` alpha

    - [ ] `tor-browser` alpha

  - [ ] Push tags to `upstream`

- **OR**

- [ ] No backports

    - [ ] `mullvad-browser` alpha

### **application-services**: https://gitlab.torproject.org/tpo/applications/application-services

- **NOTE**: we will need to setup a gitlab copy of this repo and update `tor-browser-build` before we can apply security backports here

- [ ] Backport any Android-specific security fixes from Firefox rapid-release

  - [ ] Backport patches to `application-services` stable branch

  - [ ] Open MR

  - [ ] Merge

  - [ ] Rebase patches onto `application-services` alpha

  - [ ] Sign/Tag commits:

    - **Tag**: `application-services-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)`

    - **Message**: `Tagging $(BUILD_N) for $(ESR_VERSION)-based stable|alpha`

    - [ ] `application-services` stable

    - [ ] `application-services` alpha

  - [ ] Push tags to `upstream`

- **OR**

- [ ] No backports

<!-- Do not edit beneath this line <3 -->

### **android-components (Optional, ESR 102)**: https://gitlab.torproject.org/tpo/applications/android-components.git

- [ ] Backport any Android-specific security fixes from Firefox rapid-release

  - **NOTE**: Since November 2022, this repo has been merged with `fenix` into a singular `firefox-android` repo: https://github.com/mozilla-mobile/firefox-android. Any backport will require a patch rewrite to apply to our legacy `android-components` project.

  - [ ] Backport patches to `android-components` stable branch

  - [ ] Open MR

  - [ ] Merge

  - [ ] Rebase patches onto `android-components` alpha

  - [ ] Sign/Tag commits:

    - **Tag**: `android-components-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)`

    - **Message**: `Tagging $(BUILD_N) for $(ESR_VERSION)-based stable|alpha)`

    - [ ] `android-components` stable

    - [ ] `android-components` alpha

  - [ ] Push tags to `upstream`

- **OR**

- [ ] No backports

### **fenix (Optional, ESR 102)**: https://gitlab.torproject.org/tpo/applications/fenix.git

- [ ] Backport any Android-specific security fixes from Firefox rapid-release

  - **NOTE**: Since February 2023, this repo has been merged with `android-components` into a singular `firefox-android` repo: https://github.com/mozilla-mobile/firefox-android. Any backport will require a patch rewrite to apply to our legacy `fenix` project.

  - [ ] Backport patches to `fenix` stable branch

  - [ ] Open MR

  - [ ] Merge

  - [ ] Rebase patches onto `fenix` alpha

  - [ ] Sign/Tag commits:

    - **Tag**: `tor-browser-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)`

    - **Message**: `Tagging $(BUILD_N) for $(ESR_VERSION)-based stable|alpha)`

    - [ ] `fenix` stable

    - [ ] `fenix` alpha

  - [ ] Push tags to `upstream`

- **OR**

- [ ] No backports

### **firefox-android**: https://gitlab.torproject.org/tpo/applications/firefox-android

- [ ] Backport any Android-specific security fixes from Firefox rapid-release

  - [ ] Backport patches to `firefox-android` stable branch

  - [ ] Open MR

  - [ ] Merge

  - [ ] Rebase patches onto `fenix` alpha

  - [ ] Sign/Tag commits:

    - **Tag**: `firefox-android-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)`

    - **Message**: `Tagging $(BUILD_N) for $(ESR_VERSION)-based stable|alpha)`

    - [ ] `firefox-android` stable

    - [ ] `firefox-android` alpha

  - [ ] Push tags to `upstream`

- **OR**

- [ ] No backports

---

/confidential

/label ~"Apps::Product::TorBrowser"

/label ~"Apps::Product::MullvadBrowser"

/label ~"Apps::Type::Backport"

/label ~"Apps::Priority::Blocker"

# ✅ Release QA - Desktop

Manual QA test check-list for major desktop releases. Please copy/paste form into your own comment, fill out relevant info and run through the checklist!

<details>

    <summary>Tor Browser Desktop QA Checklist</summary>

```markdown

```

# System Information

- Version: Tor Browser XXX

  - [ ] Language notification/message bar

  - [ ] Spoof English

  - [ ] Check especially the recently added strings

  - [ ] New Locales

    - [ ] Bulgarian, Belarusian, Portuguese (PT)

- [ ] UI Customisations:

    - [ ] New Identity

        - [ ] Toolbar icon

- [ ] Betterboxing

    - [ ] Reuse last window size

    - [ ] Content alignment

    - [ ] Window size indicator on window resize

    - [ ] No letterboxing:

        - [ ] empty tabs or privileged pages (eg: about:blank, about:about)

        - [ ] full-screen video

## Connectivity + Anti-Censorship

- [ ] Tor daemon config by environment variables

    - https://gitlab.torproject.org/tpo/applications/team/-/wikis/Environment-variables-and-related-preferences

- [ ] Internet Test ( about:preferences#connection )

  - [ ] Fails when offline

- [ ] Internet Test ( bootstrap, also visible in about:preferences#connection )

  - [ ] Fails when offline (Goes to offline about:neterror)

    - **NOTE**: platform dependent, expected that Linux will just try to bootstrap forever

  - [ ] Succeeds when online

- [ ] Bridges:

    - Bootstrap

        - [ ] Succeeds when not bootstrapped

    - **TODO**: Lox

- [ ] Connect Assist

    - Useful pref: `torbrowser.debug.censorship_level`

    - Useful pref: `torbrowser.debug.censorship_level` (0-5; least to most censored)

    - [ ] Connect Automatically checkbox triggers bootstrapping after one successful bootstrap attempt

    - [ ] Auto-bootstrap updates Tor connection settings on success

    - [ ] Auto-bootstrap restore previous Tor connection settings on failure

        - **TODO** client auth

- [ ] **TODO**: .securedrop.tor.onion

- [ ] **TODO**: onion-service alt-svc

- [ ] HTML5 Video: https://tekeye.uk/html/html5-video-test-page

    - [ ] MPEG4

    - [ ] WebM

    - [ ] Ogg

- [ ] HTML5 Video: https://onion-tests.pierov.org/video.html

    - [ ] H264

    - [ ] VP9

    - [ ] VP8

    - [ ] AV1

    - [ ] Theora

    - [ ] MPEG4 + mp3: only audio should work

    - [ ] HEVC + AAC: should not work

- [ ] WebSocket Test: https://websocketking.com/

## External Components

  - [ ] Not removable from about:addons

  - [ ] Tests: https://test-data.tbb.torproject.org/test-data/noscript/

    - **TODO**: fix test pages

## Tor Settings (about:preferences#connection)

- [ ] Proxy

  - [ ] Bad Proxy Address Reports Error; e.g. any bad bad proxy address/port/etc

   - [ ] On initial failure gives error modal

   - [ ] On browser restart, will also give an error if provided a bad setting

  - [ ] Good Proxy Works

    - [ ] SOCKS5

- [ ] Bridge

  - [ ] Bad Bridge Fails with error modal; eg: `0:0`

  - [ ] Modifying Bridges *during* bootstrap should cancel bootstrap

- [ ] Firewall

  - [ ] UI shouldn't accept bad ports (e.g. invalid port numbers, non-numbers, etc)

- [ ] Each individual setting type has it's own validation (i.e. not all or nothing anymore)

```

</details>

Please lay claim to a platform in the comments:

- Windows

  - Windows 10, Windows 11

  - x86

  - x86_64

- macOS

  - 10.15, 15.x

  - x86_64

  - aarch64

- Linux

  - x86

  - x86_64

<!-- Do not edit beneath this line <3 -->

---

/label ~"Apps::Product::TorBrowser"

/label ~"Apps::Type::Test"

/label ~"Apps::Priority::Blocker"

# ✅ Release QA - Android

Manual QA test check-list for major android releases. Please copy/paste form into your own comment, fill out relevant info and run through the checklist!

<details>

    <summary>Tor Browser Android QA Checklist</summary>

```markdown

```

# System Information

- Version: Tor Browser XXX

- [ ] Fingerprinting resistance: https://arkenfox.github.io/TZP/tzp.html

- [ ] Security level (Standard, Safer, Safest)

    - **TODO**: test pages verifying correct behaviour

- [ ] Bookmarks: for now ensure adding/removing/etc work as expected and doesn't busy-spin

### Localisation

- [ ] New Locales

  - [ ] Bulgarian, Belarusian, Portuguese (PT)

## Proxy safety

- [ ] Tor exit test: https://check.torproject.org

- [ ] DNS leaks: https://dnsleaktest.com

## Connectivity + Anti-Censorship

- [ ] Internet Test (try connect assist while actually offline)

  - [ ] We expect this to fail but we should see what it actually does

- [ ] Bridges:

    - Bootstrap

    - Browse: https://check.torproject.org

        - [ ] obfs4 from https://bridges.torproject.org

        - [ ] webtunnel from https://bridges.torproject.org

        - [ ] conjure from [gitlab](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/conjure/-/blob/main/client/torrc?ref_type=heads#L6)

- [ ] Connect Assist

    - Useful pref: `torbrowser.debug.censorship_level` (0-5; least to most censored)

    - [ ] Connect Automatically checkbox triggers bootstrapping after one successful bootstrap attempt

    - [ ] Auto-bootstrap updates Tor connection settings on success

    - [ ] Auto-bootstrap restore previous Tor connection settings on failure

## Web Browsing

- [ ] HTTPS-Only: http://http.badssl.com

        - **TODO** client auth

- [ ] **TODO**: .securedrop.tor.onion

- [ ] **TODO**: onion-service alt-svc

- [ ] HTML5 Video: https://tekeye.uk/html/html5-video-test-page

    - [ ] MPEG4

    - [ ] WebM

    - [ ] Ogg

- [ ] HTML5 Video: https://onion-tests.pierov.org/video.html

    - [ ] H264

    - [ ] VP9

    - [ ] VP8

    - [ ] AV1

    - [ ] Theora

    - [ ] MPEG4 + mp3: only audio should work

    - [ ] HEVC + AAC: should not work

- [ ] WebSocket Test: https://websocketking.com/

## External Components

```

</details>

Please lay claim to an architecture in the comments:

Architectures:

- x86

- x86_64

- arm32

- aarch64

<!-- Do not edit beneath this line <3 -->

---

/label ~"Apps::Product::TorBrowser"

/label ~"Apps::Type::Test"

/label ~"Apps::Priority::Blocker"