Verified commit f4798f7d, authored by morgan 😸, committed by ma1

TB 43616: Customize Gitlab Issue and Merge Request templates

parent 2f1a0177
+91 −0
# ⤵️ Rebase Alpha

## **Bookkeeping**

- [ ] Link this issue to the appropriate [Release Prep](https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/?sort=updated_desc&state=opened&label_name%5B%5D=Apps%3A%3AType%3A%3AReleasePreparation) issue.
- [ ] Create "Firefox Release Review" issue for this version
  - **NOTE**: We have issues open through Firefox 153 so this can be skipped until we get to Firefox 154

## **Rebase**

The step-by-step rebase process is detailed on the [Rebase Process](https://gitlab.torproject.org/tpo/applications/wiki/-/wikis/Development-Information/Rebase/Rebase-Process) wiki page. Refer to it for detailed instructions on how to perform each step.

- Rebase application-services
  - uniffi-rs
    - Prepare the rebase
      - [ ] Verify if application-services has updated it's uniffi-rs version else skip this step
      - [ ] Get the [upstream](https://github.com/mozilla/uniffi-rs) tag
      - [ ] Freeze the current default branch (on both tor-browser and mullvad-browser)
      - [ ] Create the target branch (`X.XX.X`)
    - [ ] Rebase
    - Merge
      - [ ] Perform a self-review
      - [ ] Build
      - [ ] File a merge request
    - Tag and update the repository
      - [ ] Tag `vX.XX.X`
      - [ ] Make `X.XX.X` the default branch
  - application-services
    - Prepare the rebase
      - [ ] Get the [upstream](github.com/mozilla/application-services) tag
      - [ ] Freeze the current default branch
      - [ ] Create the target branch (`XXX.X-TORBROWSER`)
    - Do the rebase
      - [ ] Cherry-pick commits
      - [ ] Squash _all_ `fixup!` commits
    - Merge
      - [ ] Perform a self-review
      - [ ] Build
      - [ ] File a merge request
    - [ ] Tag and update the repository
      - [ ] Tag `vXXX.X-TORBROWSER-build1`
      - [ ] Make `XXX.X-TORBROWSER` the default branch

- Rebase Tor Browser
  - Prepare the rebase
    - [ ] Get the [Firefox](https://github.com/mozilla-firefox/firefox) tag
  - Do the rebase [Part 1]
    - [ ] Create the target branch (`tor-browser-XXX.0a1-YY.0-1`)
    - [ ] Cherry-pick commits until `tor-browser-(XXX - 1).0a1-YY.0-2-build1`
    - Optional: If your first rebase, complex, or difficult, can do an MR here for feedback.
    - [ ] Freeze the current default branch
    - [ ] Cherry-pick remaining commits (rest of tor-browser-(XXX - 1)a1-YY.Y-2)
    - Merge
      - [ ] Perform a self-review (`git range-diff`)
      - [ ] Run linters
      - [ ] Build and test
        - [ ] Desktop
        - [ ] Android
      - [ ] File a merge request
    - Tag and update the repository
      - [ ] Tag `tor-browser-...-1-build1`
      - [ ] Tag `tor-browser-...-1-build2`
      - [ ] Make `tor-browser-...-1` the default branch and freeze it
  - Do the rebase [Part 2]
    - [ ] Create the target branch (`tor-browser-...-2`)
    - [ ] Cherry-pick commits until `tor-browser-XXX...-1-build1`
    - [ ] Squash (`git rebase --autosquash FIREFOX_...`)
    - [ ] Cherry-pick the remaining commits
    - [ ] Reorder commits
      - [ ] Move Mozilla "Bug ZZZZZZZZ" issues to the very start
      - [ ] Move any Base Browser "BB TTTTT" issues into the BB range
      - [ ] Move `--fixups` next to their parent (`git rebase -i --autosquash FIREFOX_...` then change all the `fixup` to `pick`)
        - Note: also `drop` any commits marked `!dropme`
    - Merge
      - [ ] Perform a self-review (`git range-diff` + diff of diffs)
      - [ ] Run linters
      - [ ] Build and test
        - [ ] Desktop
        - [ ] Android
      - [ ] File a merge request
    - Tag and update the repository
      - [ ] `tor-browser-...-2-build1`
      - [ ] `base-browser-...-2-build1`
      - [ ] Make `tor-browser-...-2` the default branch
    - [ ] Send notification email to application-team about the rebase completion and new open branch
---

/label ~"Apps::Product::TorBrowser"
/label ~"Apps::Type::Rebase"
/label ~"Apps::Impact::High"
/label ~"Priority::Blocker"
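Review bot: The application-services upstream link, `[upstream](github.com/mozilla/application-services)`, has no scheme, so GitLab will resolve it as a path relative to the issue instead of going to GitHub; use `https://github.com/mozilla/application-services`, matching the uniffi-rs link above it. In the application-services block, "Tag and update the repository" also carries a `- [ ]` checkbox while the same parent item elsewhere in this template is a plain bullet, and the Part 1 steps spell the previous branch as `tor-browser-(XXX - 1).0a1-YY.0-2-build1` in one item and `tor-browser-(XXX - 1)a1-YY.Y-2` in the next; pick one form for each.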
+33 −0
# ⤵️ Rebase Stable

## **Bookkeeping**

- [ ] Link this issue to the appropriate [Release Prep](https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/?sort=updated_desc&state=opened&label_name%5B%5D=Apps%3A%3AType%3A%3AReleasePreparation) issue.

## **Rebase**

The step-by-step rebase process is detailed on the [Rebase Process](https://gitlab.torproject.org/tpo/applications/wiki/-/wikis/Development-Information/Rebase/Rebase-Process) wiki page. Refer to it for detailed instructions on how to perform each step.

- Rebase Tor Browser
  - Prepare the rebase
    - [ ] Get the Firefox tag
    - [ ] Freeze the current default branch
    - [ ] Create the target branch
  - Do the rebase
    - [ ] Cherry-pick commits until `tor-browser-...-build1`
    - [ ] Squash (`git rebase --autosquash FIREFOX_...-build1`)
    - [ ] Cherry-pick the remaining commits
    - [ ] Reorder commits
  - Merge
    - [ ] Perform a self-review  (`git range-diff` + diff of diffs)
    - [ ] Run linters
  - Tag
    - [ ] `tor-browser-...-build1`
    - [ ] `base-browser-...-build1`

---

/label ~"Apps::Product::TorBrowser"
/label ~"Apps::Type::Rebase"
/label ~"Apps::Impact::High"
/label ~"Priority::Blocker"
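Review bot: Under "Merge" this checklist has only the self-review and linter items; there is no "Build and test" or "File a merge request" step, and nothing after tagging about the default branch, all of which the alpha template includes. If stable rebases really skip these, say so in a short note; otherwise add the items so the stable branch is not tagged without a build or a reviewed MR. "Get the Firefox tag" could also carry the same upstream link the alpha template uses.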
+30 −0
# ⬆️ **Uplift**
<!--
Title:
    Uplift tor-browser#12345: Title of Issue

This is an issue for tracking uplift of a patch-set to Firefox
-->

## Book-keeping

### Gitlab Issue(s)
- tor-browser#xxxxx
- mullvad-browser#xyz

### Merge Request(s)
- tor-browser!xyz

### Upstream Mozilla Issue(s):
- https://bugzilla.mozilla.org/show_bug.cgi?id=12345

## Notes
<!--
Whatever additional info, context, etc that would be helpful for uplifting -->

<!-- Do not edit beneath this line <3 -->

---

/label ~"Apps::Product::TorBrowser"
/label ~"Apps::Type::Uplift"
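Review bot: The placeholder under "Upstream Mozilla Issue(s)", `https://bugzilla.mozilla.org/show_bug.cgi?id=12345`, is a resolvable URL, so an issue filed without editing it will link to an unrelated bug; an obviously invalid placeholder such as `id=NNNNNN`, as the security backport template uses, avoids that. The heading `## Book-keeping` also differs from `## **Bookkeeping**` in the other templates.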
+82 −0
# 🛡️ **Security Backports**

<details>
  <summary>Explanation of Variables</summary>

- `$(ESR_VERSION)`: the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc
  - **Example**: `102.8.0`
- `$(RR_VERSION)`: the Mozilla defined Rapid-Release version; Tor Browser for Android is based off of the `$(ESR_VERSION)`, but Mozilla's Firefox for Android is based off of the `$(RR_VERSION)` so we need to keep track of security vulnerabilities to backport from the monthly Rapid-Release train and our frozen ESR train.
  - **Example**: `110`
- `$(PROJECT_NAME)`: the name of the browser project, either `base-browser` or `tor-browser`
- `$(TOR_BROWSER_MAJOR)`: the Tor Browser major version
  - **Example**: `12`
- `$(TOR_BROWSER_MINOR)`: the Tor Browser minor version
  - **Example**: either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
- `$(BUILD_N)`: a project's build revision within a its branch; many of the Firefox-related projects have a `$(BUILD_N)` suffix and may differ between projects even when they contribute to the same build.
  - **Example**: `build1`
</details>

**NOTE:** It is assumed the `tor-browser` rebases (stable and alpha) have already happened and there exists a `build1` build tags for both `base-browser` and `tor-browser` (stable and alpha)

## **Bookkeeping**

- [ ] Link this issue to the appropriate [Release Prep](https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/?sort=updated_desc&state=opened&label_name%5B%5D=Apps%3A%3AType%3A%3AReleasePreparation) issues (alpha, stable, and legacy).

## **Security Vulnerabilities Report**: https://www.mozilla.org/en-US/security/advisories/

- Potentially Affected Components:
  - `firefox`/`geckoview`: https://github.com/mozilla/gecko-dev

- [ ] Go through the `Security Vulnerabilities fixed in Firefox $(RR_VERSION)` report and create a candidate list of CVEs which potentially need to be backported in this issue:
  - CVEs which are explicitly labeled as 'Android' only
  - CVEs which are fixed in Rapid Release but not in ESR
  - 'Memory safety bugs' fixed in Rapid Release but not in ESR
- [ ] Foreach issue:
  - Create link to the CVE on [mozilla.org](https://www.mozilla.org/en-US/security/advisories/)
    - **Example**: https://www.mozilla.org/en-US/security/advisories/mfsa2023-05/#CVE-2023-25740
  - Create link to the associated Bugzilla issues (found in the CVE description)
  - Create links to the relevant `gecko-dev`/other commit hashes which need to be backported OR a brief justification for why the fix does not need to be backported
    - To find the `gecko-dev` version of a `mozilla-central`, search for a unique string in the relevant `mozilla-central` commit message in the `gecko-dev/release` branch log.
    - **NOTE:** This process is unfortunately somewhat poorly defined/ad-hoc given the general variation in how Bugzilla issues are labeled and resolved. In general this is going to involve a bit of hunting to identify needed commits or determining whether or not the fix is relevant.

## CVEs

<!-- CVE Resolution Template, foreach CVE to investigate add an entry in the form:
- [ ] https://www.mozilla.org/en-US/security/advisories/mfsaYYYY-NN/#CVE-YYYY-XXXXX // CVE description
  - https://bugzilla.mozilla.org/show_bug.cgi?id=NNNNNN // Bugzilla issue
  - **Note**: Any relevant info about this fix, justification for why it is not necessary, etc
  - **Patches**
    - firefox: https://link.to/relevant/patch
 -->

## **tor-browser**: https://gitlab.torproject.org/tpo/applications/tor-browser.git
- [ ] Backport security fixes from Firefox rapid-release
  - [ ] Backport patches to `tor-browser` stable branch
  - [ ] Open MR
  - [ ] Merge
  - [ ] cherry-pick patches onto:
    - [ ] `base-browser` stable
    - [ ] `mullvad-browser` stable
  - [ ] Sign/Tag commits:
    - In **tor-browser-build.git**, run signing script:
      ```bash
      ./tools/browser/sign-tag.${PROJECT_NAME} ${CHANNEL} ${BUILD_N}
      ```
    - [ ] `base-browser` stable
    - [ ] `tor-browser` stable
    - [ ] `mullvad-browser` stable

  - [ ] Push tags to `upstream`
- **OR**
- [ ] No backports

<!-- Do not edit beneath this line <3 -->

---

/confidential
/label ~"Apps::Product::TorBrowser"
/label ~"Apps::Product::MullvadBrowser"
/label ~"Apps::Type::Backport"
/label ~"Apps::Impact::High"
/label ~"Priority::Blocker"
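Review bot: The signing command `./tools/browser/sign-tag.${PROJECT_NAME} ${CHANNEL} ${BUILD_N}` uses `${CHANNEL}`, which "Explanation of Variables" never defines, and it writes variables as `${...}` while that section writes `$(...)`, which a shell treats as command substitution if pasted. Add a `CHANNEL` entry with its allowed values and use one notation throughout, since this is the step that produces signed tags. The backport and sign/tag items also list only the stable branches, although the NOTE and Bookkeeping lines mention alpha and legacy; state whether those are handled elsewhere.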
+221 −0
# ✅ Release QA - Desktop

Manual QA test check-list for major desktop releases. Please copy/paste form into your own comment, fill out relevant info and run through the checklist!

<details>
    <summary>Tor Browser Desktop QA Checklist</summary>

```
# System Information

- Version: Tor Browser XXX
- OS: Windows|macOS|Linux YYY
- CPU Architecture:
- Profile: New|Old

# Features

## Base functionality
- [ ] Tor Browser launches successfully
- [ ] Connects to the Tor network
    - [ ] Homepage loads:
        - [ ] about:tor
        - [ ] about:blank
        - [ ] custom
- [ ] Tor Browser loads URLs passed by command-line after bootstrapped
- [ ] Localisation (Browser chrome)
  - [ ] Language notification/message bar
  - [ ] Spoof English
  - [ ] Check especially the recently added strings
  - [ ] New Locales
    - [ ] Bulgarian, Belarusian, Portuguese (PT)
- [ ] UI Customisations:
    - [ ] New Identity
        - [ ] Toolbar icon
        - [ ] Hamburger menu
        - [ ] File menu
    - [ ] New circuit for this site
        - [ ] Circuit display
        - [ ] Hamburger menu
        - [ ] File menu
    - [ ] No Firefox extras (Sync, Pocket, Report broken site, Tracking protection, etc)
    - [ ] No unified extensions button (puzzle piece)
    - [ ] NoScript button hidden
    - [ ] Context Menu Populated
- [ ] Fingerprinting resistance: https://arkenfox.github.io/TZP/tzp.html
- [ ] Security level (Standard, Safer, Safest)
    - Displays in:
        - toolbar icon
        - toolbar panel
        - about:preferences#privacy
    - [ ] On switch, each UI element is updated
    - [ ] On custom config (toggle `svg.disabled`)
        - [ ] each UI element displays warning
        - [ ] `Restore defaults` reverts custom prefs
    - **TODO**: test pages verifying correct behaviour
- [ ] New identity
- [ ] Betterboxing
    - [ ] Reuse last window size
    - [ ] Content alignment
    - [ ] Window size indicator on window resize
    - [ ] No letterboxing:
        - [ ] empty tabs or privileged pages (eg: about:blank, about:about)
        - [ ] full-screen video
        - [ ] pdf viewer
        - [ ] reader-mode
- [ ] Downloads Warning
    - [ ] Downloads toolbar panel
    - [ ] about:downloads
    - [ ] Library window (<kbd>Ctrl</kbd>+<kbd>Shift</kbd>+<kbd>o</kbd>)
- [ ] Drag and Drop protections:
    - [ ] Dragging a link from a tab to another tab in the same window works
    - [ ] Dragging a link from a tab to another tab in a separate window works
    - [ ] Dragging a link into the library creates a bookmark
    - [ ] Dragging a link from Tor Browser to Firefox doesn't work
    - [ ] Dragging a link from Firefox to Tor Browser works
    - [ ] Dragging a link from Tor Browser to another app (e.g., text editor) doesn't work
    - [ ] Repeat with page favicon

## Proxy safety
- [ ] Tor exit test: https://check.torproject.org
- [ ] Circuit isolation
    - Following websites should all report different IP addresses
    - https://ifconfig.io
    - https://myip.wtf
    - https://wtfismyip.com
- [ ] DNS leaks: https://dnsleaktest.com
- [ ] Circuit Display
    - [ ] Website => circuit
    - [ ] Remote PDF => circuit
    - [ ] Remote image => circuit
    - [ ] .onion Website => circuit with onion-service relays
    - [ ] .tor.onion Website => circuit with onion-service relays, link to true onion address
        - http://ft.securedrop.tor.onion
    - [ ] Website in reader mode => circuit (same as w/o reader mode)
    - [ ] Local image => no circuit
    - [ ] Local SVG with remote content => catch-all circuit, but not shown
    - [ ] Local PDF => no circuit
    - [ ] Local HTML `file://` with local resources  => no circuit
    - [ ] Local HTML `file://` with remote resources => catch-all circuit, but not shown

## Connectivity + Anti-Censorship
- [ ] Tor daemon config by environment variables
    - https://gitlab.torproject.org/tpo/applications/team/-/wikis/Environment-variables-and-related-preferences
- [ ] Internet Test ( bootstrap, also visible in about:preferences#connection )
  - [ ] Fails when offline (Goes to offline about:neterror)
    - **NOTE**: platform dependent, expected that Linux will just try to bootstrap forever
  - [ ] Succeeds when online
- [ ] Bridges:
    - Bootstrap
    - Browse: https://check.torproject.org
    - Bridge node in circuit-display
    - Bridge cards
    - Disable
    - Remove
    - [ ] Default bridges:
        - [ ] Removable as a group, not editable
        - [ ] obfs4
        - [ ] meek
        - [ ] snowflake
    - [ ] User provided bridges:
        - [ ] Removable and editable individually
        - [ ] obfs4 from https://bridges.torproject.org
        - [ ] webtunnel from https://bridges.torproject.org
        - [ ] conjure from [gitlab](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/conjure/-/blob/main/client/torrc?ref_type=heads#L6)
    - [ ] Request bridges...
        - [ ] Removable as a group, but not editable
        - [ ] Succeeds when bootstrapped
        - [ ] Succeeds when not bootstrapped
    - **TODO**: Lox
- [ ] Connect Assist
    - Useful pref: `torbrowser.debug.censorship_level` (0-5; least to most censored)
    - [ ] Connect Automatically checkbox triggers bootstrapping after one successful bootstrap attempt
    - [ ] Auto-bootstrap updates Tor connection settings on success
    - [ ] Auto-bootstrap restore previous Tor connection settings on failure

## Web Browsing
- [ ] HTTPS-Only: http://http.badssl.com
- [ ] Crypto-currency warning on http website
    - **TODO**: we should provide an example page
- [ ] .onion:
    - [ ] torproject.org onion: http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion/
    - [ ] Onion-Location pill
    - [ ] Client authentication
        - You can create an ephemeral client-auth onion-service using [onion share](https://onionshare.org)
        - [ ] Remember key option saves the key between sessions.
        - [ ] Saved keys are viewable in preferences (privacy).
          - [ ] Can remove individual keys.
          - [ ] Can remove all keys at once.
    - [ ] Onion service errors
        - [ ] invalid onion: http://invalid.onion
        - [ ] onion offline: http://wfdn32ds656ycma5gvrh7duvdvxbg2ygzr3no3ijsya25qm6nnko4iqd.onion/
        - [ ] onion baddssl: https://gitlab.torproject.org/tpo/applications/team/-/wikis/Development-Information/BadSSL-But-Onion
        - **TODO** all the identity block states
        - **TODO** client auth
- [ ] **TODO**: .securedrop.tor.onion
- [ ] **TODO**: onion-service alt-svc
- [ ] HTML5 Video: https://onion-tests.pierov.org/video.html
    - [ ] H264
    - [ ] VP9
    - [ ] VP8
    - [ ] AV1
    - [ ] Theora
    - [ ] MPEG4 + mp3: only audio should work
    - [ ] HEVC + AAC: should not work
- [ ] WebSocket Test: https://websocketking.com/

## External Components
- [ ] NoScript
  - [ ] Latest Version: https://addons.mozilla.org/en-US/firefox/addon/noscript/
  - [ ] Not removable from about:addons
  - [ ] Tests: https://test-data.tbb.torproject.org/test-data/noscript/
    - **TODO**: fix test pages

## Tor Settings (about:preferences#connection)
- [ ] Proxy
  - [ ] Bad Proxy Address Reports Error; e.g. any bad bad proxy address/port/etc
   - [ ] On initial failure gives error modal
   - [ ] On browser restart, will also give an error if provided a bad setting
  - [ ] Good Proxy Works
    - [ ] SOCKS5
- [ ] Bridge
  - [ ] Bad Bridge Fails with error modal; eg: `0:0`
  - [ ] Modifying Bridges *during* bootstrap should cancel bootstrap
- [ ] Firewall
  - [ ] UI shouldn't accept bad ports (e.g. invalid port numbers, non-numbers, etc)
- [ ] Each individual setting type has it's own validation (i.e. not all or nothing anymore)

## Upgrades
- [ ] Build-to-Build upgrade from:
  - [ ] Previous minor version
  - [ ] Previous major version
  - [ ] Previous watershed release
    - **NOTE**: a watershed release is a release which all previous versions will first update to before updating to latest; the most recent watershed is Tor Browser 14.0
    - Updater Documentation: https://gitlab.torproject.org/tpo/applications/wiki/-/wikis/Development-Information/Tor-Browser/Updater

```

</details>

Please lay claim to a platform in the comments:

- Windows
  - Windows 10, Windows 11
  - x86
  - x86_64
- macOS
  - 10.15, 15.x
  - x86_64
  - aarch64
- Linux
  - x86_64
  - aarch64

<!-- Do not edit beneath this line <3 -->

---

/label ~"Apps::Product::TorBrowser"
/label ~"Apps::Type::Test"
/label ~"Apps::Impact::High"
/label ~"Priority::Blocker"
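Review bot: Under "Tor Settings", the two items below "Bad Proxy Address Reports Error" ("On initial failure gives error modal" and "On browser restart, ...") are indented three spaces, one short of the parent's content column, so once the form is pasted into a comment they will render as siblings of that item instead of nesting under it; indent them four spaces. That parent line also reads "any bad bad proxy address/port/etc". Release-specific entries ("New Locales" naming Bulgarian, Belarusian, Portuguese (PT), and "the most recent watershed is Tor Browser 14.0") will go stale in a reusable template and would be better as placeholders filled in per release.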