Skip to content
Snippets Groups Projects
Select Git revision
  • main default protected
  • release-0.4.8 protected
  • maint-0.4.8 protected
  • release-0.4.7 protected
  • maint-0.4.7 protected
  • release-0.4.5 protected
  • maint-0.4.5 protected
  • release-0.4.6 protected
  • maint-0.4.6 protected
  • release-0.3.5 protected
  • maint-0.3.5 protected
  • release-0.4.4 protected
  • maint-0.4.4 protected
  • release-0.4.3 protected
  • maint-0.4.3 protected
  • maint-0.4.2 protected
  • release-0.4.2 protected
  • maint-0.4.1 protected
  • release-0.4.1 protected
  • maint-0.4.0 protected
  • tor-0.4.9.2-alpha protected
  • tor-0.4.8.16 protected
  • tor-0.4.8.15 protected
  • tor-0.4.8.14 protected
  • tor-0.4.9.1-alpha protected
  • tor-0.4.8.13 protected
  • tor-0.4.8.12 protected
  • tor-0.4.8.11 protected
  • tor-0.4.8.10 protected
  • tor-0.4.8.9 protected
  • tor-0.4.8.8 protected
  • tor-0.4.7.16 protected
  • tor-0.4.8.7 protected
  • tor-0.4.8.6 protected
  • tor-0.4.7.15 protected
  • tor-0.4.8.5 protected
  • tor-0.4.9.0-alpha-dev protected
  • tor-0.4.8.4 protected
  • tor-0.4.8.3-rc protected
  • tor-0.4.7.14 protected
40 results
Blame Permalink
ReleasingTor.md 6.63 KiB

How to Release Tor

Here are the steps that the maintainer should take when putting out a new Tor release. It is split in 3 stages and coupled with our Tor CI Release pipeline.

Before we begin, first rule is to make sure:

  • Our CIs (*nix and Windows) pass for each version to release
  • Coverity has no new alerts

0. Security Release

To start with, if you are doing a security release, this must be done few days prior to the release:

  1. If this is going to be an important security release, give the packagers advance warning, via tor-packagers@lists.torproject.org.

1. Preliminaries

The following must be done 2 days at the very least prior to the release:

  1. Add the version(s) in the dirauth-conf git repository as the RecommendedVersion and RequiredVersion so they can be approved by the authorities and be in the consensus before the release.

  2. Send a pre-release announcement to tor-project@lists.torproject.org in order to inform every teams in Tor of the upcoming release. This is so we can avoid creating release surprises and sync with other teams.

  3. Ask the network-team to review the changes/ files in all versions we are about to release. This step is encouraged but not mandatory.

2. Tarballs

To build the tarballs to release, we need to launch the CI release pipeline:

https://gitlab.torproject.org/tpo/core/tor-ci-release

The versions.yml needs to be modified with the Tor versions you want to release. Once done, git commit and push to trigger the release pipeline.

The first two stages (Preliminary and Patches) will be run automatically. The Build stage needs to be triggered manually once all generated patches have been merged upstream.

  1. Download the generated patches from the Patches stage.

    Apply these patches to the main or release branch as appropriate. (Version bumps apply to maint; anything touching the changelog should apply only to main or release.)

    When updating the version, it will be on maint branches and so to merge-forward, use git merge -s ours. For instance, if merging the version change of maint-0.4.5 into maint-0.4.6, do on maint-0.4.6 this command: git merge -s ours maint-0.4.5. And then you can proceed with a git-merge-forward.

  2. For the ChangeLog and ReleaseNotes, you need to write a blurb at the top explaining a bit the release.

  3. Review, modify if needed, and merge them upstream.

  4. Manually trigger the maintained job in the Build stage so the CI can build the tarballs without errors.

Once this is done, each selected developers need to build the tarballs in a reproducible way using:

https://gitlab.torproject.org/tpo/core/tor-ci-reproducible

Steps are:

  1. Run ./build.sh which will download everything you need, including the latest tarballs from the release CI, and auto-commit the signatures if the checksum match. You will need to confirm the commits.

  2. If all is good, git push origin main your signatures.