Diffstat (limited to 'wiki/src/contribute/release_process')
10 files changed, 95 insertions, 153 deletions
diff --git a/wiki/src/contribute/release_process/Debian_security_updates.mdwn b/wiki/src/contribute/release_process/Debian_security_updates.mdwn index 5814ca2..db3aadb 100644 --- a/wiki/src/contribute/release_process/Debian_security_updates.mdwn +++ b/wiki/src/contribute/release_process/Debian_security_updates.mdwn @@ -8,22 +8,18 @@ by delaying a Tails release a bit to wait for a DSA to happen. Debian security team ==================== -RequestTracker --------------- - -The Debian security team uses the [Debian RT](https://rt.debian.org/) -to track some of their work. Looking at their RT queues might help us -see if something is being prepared. We, as a Debian derivative, have a -read-only access to these queues. - Security tracker ---------------- -The Debian [security tracker][web]'s [SVN repository][svn] is the main -place where we can look at the Debian security team upcoming uploads -and announces. There is also a [mailing list][] that broadcasts -changes to this repository. +The Debian [security tracker][web]'s [GIT repository][git] is the main +place where Debian tracks the status of security issues. + +We can look at the [list of upcoming Debian Security Advisories (DSA)][DSA needed]. + +There is also a [mailing list][] that broadcasts changes to +this repository. [web]: http://security-tracker.debian.org/tracker/ -[svn]: http://svn.debian.org/wsvn/secure-testing -[mailing list]: http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits +[git]: https://salsa.debian.org/security-tracker-team/security-tracker +[mailing list]: https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits +[DSA needed]: https://salsa.debian.org/security-tracker-team/security-tracker/blob/master/data/dsa-needed.txt diff --git a/wiki/src/contribute/release_process/perl5lib.mdwn b/wiki/src/contribute/release_process/perl5lib.mdwn index 5fe9c35..7e1edd4 100644 --- a/wiki/src/contribute/release_process/perl5lib.mdwn 
+++ b/wiki/src/contribute/release_process/perl5lib.mdwn @@ -5,21 +5,14 @@ Install build and test dependencies =================================== -In a Stretch system, as a user that has sudo credentials: - - git checkout debian && \ - sudo apt install devscripts && \ - mk-build-deps -i -r --root-cmd sudo && \ + git checkout master && \ sudo apt install \ - libdist-zilla-perl \ - libdist-zilla-plugins-cjm-perl \ - libdist-zilla-plugin-changelogfromgit-perl \ - libdist-zilla-plugin-installguide-perl \ - libdist-zilla-plugin-localemsgfmt-perl \ - libdist-zilla-plugin-test-perl-critic-perl \ - libdist-zilla-plugin-test-notabs-perl \ - libdist-zilla-plugin-git-perl \ - dh-make-perl + devscripts \ + dh-make-perl \ + libdist-zilla-app-command-authordebs-perl && \ + dzil authordebs --install && \ + git checkout debian && \ + mk-build-deps -i -r --root-cmd sudo Update POT and PO files ======================= @@ -65,8 +58,7 @@ upstream tarball, update `debian/changelog`: git checkout debian && \ gbp import-orig --upstream-vcs-tag=Tails-perl5lib_$VERSION \ ../Tails-perl5lib-$VERSION.tar.gz && \ - gbp dch --auto && \ - dch -e + gbp dch --auto --spawn-editor=always (Do not forget to set the appropriate release.) @@ -81,7 +73,8 @@ Commit `debian/changelog`: Git-Dch: Ignore " -Build a Debian package (use a Stretch/amd64 chroot): +Build a Debian package (use a Stretch/amd64 chroot with `stretch-backports` +enabled): gbp buildpackage diff --git a/wiki/src/contribute/release_process/persistence-setup.mdwn b/wiki/src/contribute/release_process/persistence-setup.mdwn index 5603265..48c7c88 100644 --- a/wiki/src/contribute/release_process/persistence-setup.mdwn +++ b/wiki/src/contribute/release_process/persistence-setup.mdwn 
@@ -7,23 +7,19 @@ Pre-requisites * a Debian Stretch (or newer) system * Tails' `devel` APT suite enabled -* the right version of the `tails-perl5lib` package installed +* the latest version of the `tails-perl5lib` package installed Install build and test dependencies =================================== - git checkout debian && \ - sudo apt install devscripts && \ - mk-build-deps -i -r --root-cmd sudo && \ + git checkout master && \ sudo apt install \ - libdist-zilla-perl \ - libdist-zilla-plugins-cjm-perl \ - libdist-zilla-plugin-installguide-perl \ - libdist-zilla-plugin-localemsgfmt-perl \ - libdist-zilla-plugin-test-perl-critic-perl \ - libdist-zilla-plugin-test-notabs-perl \ - libdist-zilla-plugin-git-perl \ - dh-make-perl + devscripts \ + dh-make-perl \ + libdist-zilla-app-command-authordebs-perl && \ + dzil authordebs --install && \ + git checkout debian && \ + mk-build-deps -i -r --root-cmd sudo Make an upstream release ======================== @@ -36,13 +32,11 @@ Export new upstream version number: export VERSION=XXX -Update version number in `bin/tails-persistence-setup`: - - perl -pi -E 's,^Version [0-9.]+,Version $ENV{VERSION},' bin/tails-persistence-setup - perl -pi -E "s,^our \\\$VERSION = '[0-9.]+';\$,our \\\$VERSION = '$VERSION';," bin/tails-persistence-setup - -Commit all files that need to be: +Update version number in `bin/tails-persistence-setup` and +commit all files that need to be: + perl -pi -E 's,^Version [0-9.]+,Version $ENV{VERSION},' bin/tails-persistence-setup && \ + perl -pi -E "s,^our \\\$VERSION = '[0-9.]+';\$,our \\\$VERSION = '$VERSION';," bin/tails-persistence-setup && \ git commit bin/tails-persistence-setup -m "tails-persistent-setup $VERSION" Optionally, run the upstream test suite (it is run as part of the @@ -74,7 +68,7 @@ Checkout the Debian packaging branch and import the new upstream tarball: Update `debian/changelog`: - gbp dch && dch -e + gbp dch --auto --spawn-editor=always (Do not forget to set the appropriate release.) 
@@ -86,9 +80,9 @@ Commit `debian/changelog`: Git-Dch: Ignore " -Build a Debian package (use a Stretch/amd64 chroot, that -has either tails-perl5lib installed, or the Tails APT repository -configured): +Build a Debian package (use a Stretch/amd64 chroot, that has +`stretch-backports` enabled and on top of that: either tails-perl5lib +installed or the Tails APT repository configured): gbp buildpackage diff --git a/wiki/src/contribute/release_process/tails-greeter.mdwn b/wiki/src/contribute/release_process/tails-greeter.mdwn index 100caf6..e178b66 100644 --- a/wiki/src/contribute/release_process/tails-greeter.mdwn +++ b/wiki/src/contribute/release_process/tails-greeter.mdwn @@ -14,33 +14,17 @@ Update POT and PO files ) && \ git commit po -m 'Update POT and PO files.' - Prepare a release ================= -Run `./scripts/release.sh` and follow the instructions. + git checkout master && ./scripts/release.sh +… then follow the instructions, making sure you set the appropriate +release on the first line of the new changelog entry. Update the Debian package ========================= -Checkout the correct branch: - - git checkout master - -Update `debian/changelog`: - - gbp dch - -(Do not forget to set the appropriate release.) - -Commit the changelog: - - git commit debian/changelog \ - -m "$(dpkg-parsechangelog -SSource) ($(dpkg-parsechangelog -SVersion)) - Git-Dch: Ignore - " - Build a new Debian package (use a Stretch/amd64 chroot): gbp buildpackage diff --git a/wiki/src/contribute/release_process/tails-iuk.mdwn b/wiki/src/contribute/release_process/tails-iuk.mdwn index 9b8313c..2077ae6 100644 --- a/wiki/src/contribute/release_process/tails-iuk.mdwn +++ b/wiki/src/contribute/release_process/tails-iuk.mdwn 
@@ -13,19 +13,14 @@ Pre-requisites Install build and test dependencies =================================== - git checkout debian && \ - sudo apt install devscripts && \ - mk-build-deps -i -r --root-cmd sudo && \ + git checkout master && \ sudo apt install \ - libdist-zilla-perl \ - libdist-zilla-plugin-changelogfromgit-perl \ - libdist-zilla-plugins-cjm-perl \ - libdist-zilla-plugin-installguide-perl \ - libdist-zilla-plugin-localemsgfmt-perl \ - libdist-zilla-plugin-test-perl-critic-perl \ - libdist-zilla-plugin-test-notabs-perl \ - libdist-zilla-plugin-git-perl \ - dh-make-perl + devscripts \ + dh-make-perl \ + libdist-zilla-app-command-authordebs-perl && \ + dzil authordebs --install && \ + git checkout debian && \ + mk-build-deps -i -r --root-cmd sudo Update POT and PO files ======================= @@ -49,16 +44,11 @@ Export new upstream version number: Export location of a checkout of the branch of the main Tails Git repository used to prepare the release (typically `stable` or `testing`): - export TAILS_GIT_CHECKOUT=XXX + export TAILS_GIT_CHECKOUT="$RELEASE_CHECKOUT" Export source date epoch: - export SOURCE_DATE_EPOCH=$(date \ - --utc \ - --date="$(dpkg-parsechangelog \ - --file "$TAILS_GIT_CHECKOUT/debian/changelog" \ - --show-field=Date)" \ - +%s) + export SOURCE_DATE_EPOCH=$(date --utc +%s) Update version number in `bin/tails-create-iuk`, commit all files that need to be. @@ -77,8 +67,8 @@ Run the upstream test suite: umask 077 # Run the test suite - NODE_PATH="/path/to/tails.git/submodules/mirror-pool-dispatcher/lib/js" \ - PATH="/path/to/tails.git/submodules/mirror-pool-dispatcher/bin:$PATH" \ + NODE_PATH="${TAILS_GIT_CHECKOUT}/submodules/mirror-pool-dispatcher/lib/js" \ + PATH="${TAILS_GIT_CHECKOUT}/submodules/mirror-pool-dispatcher/bin:$PATH" \ RELEASE_TESTING=1 \ LC_ALL=C \ dzil test 
@@ -99,8 +89,7 @@ upstream tarball, update `debian/changelog`: git checkout debian && \ gbp import-orig --upstream-vcs-tag=$VERSION \ ../Tails-IUK-$VERSION.tar.gz && \ - gbp dch --auto && \ - dch -e + gbp dch --auto --spawn-editor=always (Do not forget to set the appropriate release.) @@ -115,9 +104,9 @@ Commit `debian/changelog`: Git-Dch: Ignore " -Build a Debian package (use a Stretch chroot with the right version of -`tails-perl5lib` installed), add a signed tag to the repository and -push the changes: +Build a Debian package (use a Stretch/amd64 chroot, that has +`stretch-backports` enabled and on top of that: either tails-perl5lib +installed or the Tails APT repository configured): gbp buildpackage && \ gbp buildpackage --git-tag-only --git-sign-tags && \ diff --git a/wiki/src/contribute/release_process/test.mdwn b/wiki/src/contribute/release_process/test.mdwn index af4e77d..5ee4589 100644 --- a/wiki/src/contribute/release_process/test.mdwn +++ b/wiki/src/contribute/release_process/test.mdwn 
@@ -107,11 +107,17 @@ tracked by tickets prefixed with `todo/test_suite:`. ## Security and fingerprinting * Run the [tests the Tor Browser folks - use](https://trac.torproject.org/projects/tor/wiki/doc/build/BuildSignoff#TestPagestoUse). + use](https://trac.torproject.org/projects/tor/wiki/doc/build/BuildSignoff#TestPagestoUse) + and compare to the last released version of Tails. Results should + not be worse. (automate: [[!tails_ticket 10260]]) + - For the "evercookie" test to work, you may have to disable + _uBlock_ on its web page. * Compare the fingerprint Tor Browser in Tails with the fingerprint of - the same version of Tor Browser (running outside of Tails), using at least - <https://panopticlick.eff.org/> (automate: [[!tails_ticket 10262]]) + the same version of Tor Browser (running on Linux outside of Tails), using at least + <https://panopticlick.eff.org/> (automate: [[!tails_ticket 10262]]). + Click "Show full results for fingerprinting" to see the details + we're interested in. - The exposed User-Agent should match the latest Tor Browser's one. - Ignore the result of the "blocking tracking ads" and "blocking invisible trackers" tests, which seem unreliable (we've seen 
@@ -129,14 +135,16 @@ tracked by tickets prefixed with `todo/test_suite:`. * Running `/usr/local/lib/getTorBrowserUserAgent` should produce the User-Agent set by the installed version of Torbutton, and used in the Tor Browser. (automate: [[!tails_ticket 10268]]) +<a id="Thunderbird"></a> + # Thunderbird * Check mail over IMAP using: - - a hidden service IMAP server (e.g. Riseup, zsolxunfmbfuq7wf.onion with SSL). + - a hidden service IMAP server (e.g. Riseup, zsolxunfmbfuq7wf.onion on port 993 with SSL). * Check mail over POP using: - - a hidden service POP server (e.g. Riseup, zsolxunfmbfuq7wf.onion with SSL). + - a hidden service POP server (see above, on port 995 with SSL). * Send an email using: - - a hidden service SMTP server (see above). + - a hidden service SMTP server (see above, on port 465 with SSL). * Check that the profile works and is torified: 1. Send an email using Thunderbird and a non-anonymizing SMTP relay (a @@ -225,16 +233,7 @@ tracked by tickets prefixed with `todo/test_suite:`. then: - # Set TAILS_CHANNEL accordingly: - - # For actual releases: - TAILS_CHANNEL=test - - # For other (~rc, ~alpha...) releases: - TAILS_CHANNEL=alpha - - # Run: - echo "TAILS_CHANNEL=\"${TAILS_CHANNEL}\"" | sudo tee --append /etc/os-release && \ + echo "TAILS_CHANNEL=\"test\" | sudo tee --append /etc/os-release && \ tails-upgrade-frontend-wrapper Else, use a local test setup: @@ -317,7 +316,7 @@ tracked by tickets prefixed with `todo/test_suite:`. # Documentation * The "Tails documentation" desktop launcher should open the - [[getting started]] page (automate: [[!tails_ticket 8788]]): + [[doc]] page (automate: [[!tails_ticket 8788]]): - in one language to which the website is translated - in one language to which the website is not translated (=> English) * Browse around in the documentation shipped in the image. Internal 
@@ -351,28 +350,6 @@ You *really* have to reboot between each language. Russian, Tiếng Việt). * In the Tor Browser: - DuckDuckGo must be the default, pre-selected search plugin. (automate: [[!tails_ticket 10265]]) - - the search plugins must be localized for the expected locales - (automate: [[!tails_ticket 10267]]). - - StartPage should have localized *user interface* for (run this in - a Tails Git checkout of the commit the release under testing was built - from): - - grep --extended-regexp "[^:]*:[^:]*:[^:]*:[^:]*:[^:]+" \ - config/chroot_local-includes/usr/share/tails/browser-localization/descriptions | \ - sed -n --regexp-extended 's/^([^:]+):.*$/\1/p' - - StartPage should have localized *search results* for: - - grep --extended-regexp "[^:]*:[^:]*:[^:]*:[^:]+:[^:]*" \ - config/chroot_local-includes/usr/share/tails/browser-localization/descriptions | \ - sed -n --regexp-extended 's/^([^:]+):.*$/\1/p' - - DDG should have localized user interface *and* search results, and - Wikipedia should have a localized plugin, for: - - sed -n --regexp-extended 's/^([^:]+):.*$/\1/p' \ - config/chroot_local-includes/usr/share/tails/browser-localization/descriptions ## Spellchecking diff --git a/wiki/src/contribute/release_process/test/setup.mdwn b/wiki/src/contribute/release_process/test/setup.mdwn index b51ee46..71c5aa8 100644 --- a/wiki/src/contribute/release_process/test/setup.mdwn +++ b/wiki/src/contribute/release_process/test/setup.mdwn @@ -60,6 +60,7 @@ The following packages are necessary on Debian Stretch: virt-viewer \ x11vnc \ tigervnc-viewer \ + x264 \ xvfb \ && \ sudo service libvirtd restart diff --git a/wiki/src/contribute/release_process/test/usage.mdwn b/wiki/src/contribute/release_process/test/usage.mdwn index 6d06ecb..7d792e5 100644 --- a/wiki/src/contribute/release_process/test/usage.mdwn +++ b/wiki/src/contribute/release_process/test/usage.mdwn 
@@ -30,15 +30,15 @@ one of these types of features and not the other. A typical example run of a few `@product` features could be: - ./run_test_suite --view --capture test-0.17.webm \ + ./run_test_suite --view --capture \ --iso path/to/tails.iso \ features/apt.feature features/erase_memory.feature which will test only the `apt` and `erase_memory` features (if no feature paths are given, all features in `features/cucumber` will -be tested) of the given ISO image `tails.iso` while showing the test +be tested) of the given ISO image `tails.iso` while showing each test session in a VNC viewer (`--view`) and also capturing it into a video -called `test-0.17.web` (`--capture`). Similarly, to test a `@source` +(`--capture`). Similarly, to test a `@source` feature, we'd simply run something like: ./run_test_suite features/build.feature diff --git a/wiki/src/contribute/release_process/thunderbird.mdwn b/wiki/src/contribute/release_process/thunderbird.mdwn index a8f4d86..4b530c8 100644 --- a/wiki/src/contribute/release_process/thunderbird.mdwn +++ b/wiki/src/contribute/release_process/thunderbird.mdwn @@ -76,7 +76,7 @@ released: --force-bad-version \ --distribution "${DISTRIBUTION:?}" \ --force-distribution \ - "Rebuild Thunderbird with Tails' secure autoconfiguration patches." && \ + "Rebuild with Tails' secure autoconfiguration patches." && \ git commit debian/changelog \ -m "document changes and release ${TAILS_VERSION:?}" @@ -91,7 +91,10 @@ released: gbp buildpackage --git-debian-branch=tails/stretch \ --git-sign-tags --git-tag-only -1. Include all sources in the `.changes` file: +1. If you've built a package based on an _upstream_ release (as in: + what's before the first `-` in the package version number) + whose `.orig.tar.xz` tarball was never uploaded to our custom + APT repository, include all sources in the `.changes` file: cd path/to/build/artifacts/directory && \ cp path/to/build-area/*${UPSTREAM_VERSION:?}*.orig*.tar.xz . && \ 
@@ -103,18 +106,17 @@ released: named tag: GBP_TAG="debian/$(echo ${TAILS_VERSION:?} | tr '~:' '_%')" - GBP_TAG_COMMIT="$(git rev-list -n 1 "${GBP_TAG}")" NEW_GBP_TAG="$(echo ${GBP_TAG:?} | sed 's@/1%@/@')" && \ git tag -s "${NEW_GBP_TAG:?}" \ -m "thunderbird Debian release 1:${TAILS_VERSION:?}" \ - "${GBP_TAG_COMMIT:?}" + "${GBP_TAG:?}" 1. Git push and upload packages: git push --follow-tags origin \ ${NEW_GBP_TAG:?} \ tails/stretch \ - upstream-52.x \ + upstream-60.x \ pristine-tar && \ (cd /path/to/build/artifacts && \ debsign "${CHANGES_FILE:?}" && \ diff --git a/wiki/src/contribute/release_process/tor-browser.mdwn b/wiki/src/contribute/release_process/tor-browser.mdwn index 06798d3..f9f88e9 100644 --- a/wiki/src/contribute/release_process/tor-browser.mdwn +++ b/wiki/src/contribute/release_process/tor-browser.mdwn 
@@ -98,21 +98,27 @@ the corresponding tarballs ourselves, so read on the next section. </p> </div> -Sync with the start-tor-browser script +Sync with the upstream wrapper scripts ====================================== Adapt our `config/chroot_local-includes/usr/local/bin/tor-browser` and/or `config/chroot_local-includes/usr/local/lib/tails-shell-library/tor-browser.sh` -for recent changes in `RelativeLink/start-tor-browser` in the -[Tor Browser build Git repo](https://git.torproject.org/builders/tor-browser-build.git). Look -in the Git history: +for recent changes made in the +[Tor Browser build Git repo](https://git.torproject.org/builders/tor-browser-build.git): - git log -p projects/tor-browser/RelativeLink/start-tor-browser + git log -p \ + projects/firefox/abicheck.cc \ + projects/firefox/start-firefox \ + projects/tor-browser/RelativeLink/start-tor-browser -and take note of changes to environment variables (or newly added -ones) and the commandline options passed to the `firefox` executable, -etc. +Then apply any relevant change, e.g. to: + + - environment variables; + - commandline options passed to the `firefox` executable; + - required libstdc++6 version bumps; if there's been any change upstream, + look for `abicheck` in `config/chroot_local-hooks/10-tbb` and adjust + that hook as needed. Self-hosted Tor Browser tarballs archive ======================================== |
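
Review bot: In Debian_security_updates.mdwn, the `[web]` reference is left as an unchanged context line on `http://security-tracker.debian.org/tracker/` while every other reference link in this hunk moves to https. Suggest switching `[web]` to https in the same change so the page has no plain-http link left. Minor style point in the same hunk: "GIT repository" would read better as "Git repository", matching how Git is spelled elsewhere in these pages.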
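
Review bot: In perl5lib.mdwn (and the matching hunks in persistence-setup.mdwn and tails-iuk.mdwn), the prerequisite sentence "In a Stretch system, as a user that has sudo credentials:" is removed but the commands still call `sudo apt install` and `mk-build-deps -i -r --root-cmd sudo`. The build step further down now requires `stretch-backports` in the chroot, yet nothing says whether the system running `sudo apt install ... libdist-zilla-app-command-authordebs-perl` needs it too. Suggest keeping a one-line prerequisite above the command block that names the suite and states the sudo requirement.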
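
Review bot: In persistence-setup.mdwn, hunk @@ -36,13 +32,11, the commit message on the context line reads `-m "tails-persistent-setup $VERSION"` while the file being committed is `bin/tails-persistence-setup`. Since this hunk already reworks the command chain, it would be a good moment to make the message match the program name, so release commits are easy to find with `git log --grep`.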
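
Review bot: In tails-greeter.mdwn, the steps that ran `gbp dch` and committed `debian/changelog` are removed, along with the explicit `git checkout master` under "Update the Debian package", without the text saying what replaces them. The new wording only implies that `./scripts/release.sh` creates the changelog entry ("the first line of the new changelog entry"). Suggest stating explicitly that the script updates and commits `debian/changelog`, so a release manager does not build from an uncommitted or missing changelog entry.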
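
Review bot: In tails-iuk.mdwn, hunk @@ -49,16 +44,11, `export SOURCE_DATE_EPOCH=$(date --utc +%s)` takes the wall-clock time of whoever runs the step, where the removed lines derived the value from the `Date` field of `$TAILS_GIT_CHECKOUT/debian/changelog`. The value now differs on every run, so a second person cannot rebuild the same artifact unless the value is recorded somewhere. Suggest either keeping the changelog-derived value or documenting where the chosen epoch is stored. Same hunk: `TAILS_GIT_CHECKOUT="$RELEASE_CHECKOUT"` relies on a variable that is not defined anywhere in the visible text; say where `RELEASE_CHECKOUT` is set, or use `"${RELEASE_CHECKOUT:?}"` so an unset variable fails early instead of yielding empty `NODE_PATH` and `PATH` prefixes in the test-suite step.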
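
Review bot: In tails-iuk.mdwn, hunk @@ -115,9 +104,9, the new introductory sentence no longer mentions tagging and pushing, but the command block below it still runs `gbp buildpackage --git-tag-only --git-sign-tags`. The removed text said "add a signed tag to the repository and push the changes"; suggest keeping that clause after the chroot description so the prose still tells the reader that this step creates a signed tag.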
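
Review bot: In test.mdwn, hunk @@ -225,16 +233,7, the added line `echo "TAILS_CHANNEL=\"test\" | sudo tee --append /etc/os-release && \` has an unbalanced double quote: the removed line closed the string with `\""` and the new one ends it with `\"`. As written the shell treats the pipe and everything after it as part of the string, so nothing is appended to `/etc/os-release`. It should read `echo "TAILS_CHANNEL=\"test\"" | sudo tee --append /etc/os-release`. The hunk also drops the `TAILS_CHANNEL=alpha` case for ~rc and ~alpha releases; if that is intentional, a short sentence saying so would avoid testers applying the `test` channel to a release candidate by mistake.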
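
Review bot: In test/usage.mdwn, with the file name removed from `--capture`, the paragraph below the example no longer says where the captured video ends up ("also capturing it into a video"). Suggest adding the output location or naming scheme, since "each test session" now suggests several files are produced.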
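
Review bot: In thunderbird.mdwn, hunk @@ -103,18 +106,17, passing `"${GBP_TAG:?}"` as the target of `git tag -s` makes the new tag point at the existing tag object instead of the commit. The previous step creates `GBP_TAG` with `--git-sign-tags`, so it is a signed tag, and the removed `git rev-list -n 1` line was what peeled it to a commit. Suggest `"${GBP_TAG:?}^{commit}"` as the target to get the shorter form without a nested tag. Also in this hunk, `upstream-60.x` is hard-coded and will need another edit at the next major version; deriving it from `${UPSTREAM_VERSION:?}` or a dedicated variable would avoid pushing a stale branch name.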