Diffstat (limited to 'wiki/src/contribute/release_process')
-rw-r--r-- wiki/src/contribute/release_process/Debian_security_updates.mdwn 24
-rw-r--r-- wiki/src/contribute/release_process/perl5lib.mdwn 27
-rw-r--r-- wiki/src/contribute/release_process/persistence-setup.mdwn 38
-rw-r--r-- wiki/src/contribute/release_process/tails-greeter.mdwn 22
-rw-r--r-- wiki/src/contribute/release_process/tails-iuk.mdwn 41
-rw-r--r-- wiki/src/contribute/release_process/test.mdwn 55
-rw-r--r-- wiki/src/contribute/release_process/test/setup.mdwn 1
-rw-r--r-- wiki/src/contribute/release_process/test/usage.mdwn 6
-rw-r--r-- wiki/src/contribute/release_process/thunderbird.mdwn 12
-rw-r--r-- wiki/src/contribute/release_process/tor-browser.mdwn 22
10 files changed, 95 insertions, 153 deletions
diff --git a/wiki/src/contribute/release_process/Debian_security_updates.mdwn b/wiki/src/contribute/release_process/Debian_security_updates.mdwn
index 5814ca2..db3aadb 100644
--- a/wiki/src/contribute/release_process/Debian_security_updates.mdwn
+++ b/wiki/src/contribute/release_process/Debian_security_updates.mdwn
@@ -8,22 +8,18 @@ by delaying a Tails release a bit to wait for a DSA to happen.
Debian security team
====================
-RequestTracker
---------------
-
-The Debian security team uses the [Debian RT](https://rt.debian.org/)
-to track some of their work. Looking at their RT queues might help us
-see if something is being prepared. We, as a Debian derivative, have a
-read-only access to these queues.
-
Security tracker
----------------
-The Debian [security tracker][web]'s [SVN repository][svn] is the main
-place where we can look at the Debian security team upcoming uploads
-and announces. There is also a [mailing list][] that broadcasts
-changes to this repository.
+The Debian [security tracker][web]'s [GIT repository][git] is the main
+place where Debian tracks the status of security issues.
+
+We can look at the [list of upcoming Debian Security Advisories (DSA)][DSA needed].
+
+There is also a [mailing list][] that broadcasts changes to
+this repository.
[web]: http://security-tracker.debian.org/tracker/
-[svn]: http://svn.debian.org/wsvn/secure-testing
-[mailing list]: http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
+[git]: https://salsa.debian.org/security-tracker-team/security-tracker
+[mailing list]: https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
+[DSA needed]: https://salsa.debian.org/security-tracker-team/security-tracker/blob/master/data/dsa-needed.txt
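Review bot: In the reference list at the end of this hunk, `[web]` stays on plain `http://security-tracker.debian.org/tracker/` while every link added here uses https; move it to https in the same change so the page used to judge DSA status is fetched over an authenticated channel like the others. The new link text also reads "GIT repository", where the tool's name is spelled "Git".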
diff --git a/wiki/src/contribute/release_process/perl5lib.mdwn b/wiki/src/contribute/release_process/perl5lib.mdwn
index 5fe9c35..7e1edd4 100644
--- a/wiki/src/contribute/release_process/perl5lib.mdwn
+++ b/wiki/src/contribute/release_process/perl5lib.mdwn
@@ -5,21 +5,14 @@
Install build and test dependencies
===================================
-In a Stretch system, as a user that has sudo credentials:
-
- git checkout debian && \
- sudo apt install devscripts && \
- mk-build-deps -i -r --root-cmd sudo && \
+ git checkout master && \
sudo apt install \
- libdist-zilla-perl \
- libdist-zilla-plugins-cjm-perl \
- libdist-zilla-plugin-changelogfromgit-perl \
- libdist-zilla-plugin-installguide-perl \
- libdist-zilla-plugin-localemsgfmt-perl \
- libdist-zilla-plugin-test-perl-critic-perl \
- libdist-zilla-plugin-test-notabs-perl \
- libdist-zilla-plugin-git-perl \
- dh-make-perl
+ devscripts \
+ dh-make-perl \
+ libdist-zilla-app-command-authordebs-perl && \
+ dzil authordebs --install && \
+ git checkout debian && \
+ mk-build-deps -i -r --root-cmd sudo
Update POT and PO files
=======================
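Review bot: The removed sentence "In a Stretch system, as a user that has sudo credentials:" was the only statement of the environment this block expects, yet the new block still runs `sudo apt install` and `mk-build-deps -i -r --root-cmd sudo`, and now also `dzil authordebs --install`. Keep a one-line precondition above the block, and say whether `libdist-zilla-app-command-authordebs-perl` needs `stretch-backports`, since a later hunk in this file adds that requirement for the build chroot only.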
@@ -65,8 +58,7 @@ upstream tarball, update `debian/changelog`:
git checkout debian && \
gbp import-orig --upstream-vcs-tag=Tails-perl5lib_$VERSION \
../Tails-perl5lib-$VERSION.tar.gz && \
- gbp dch --auto && \
- dch -e
+ gbp dch --auto --spawn-editor=always
(Do not forget to set the appropriate release.)
@@ -81,7 +73,8 @@ Commit `debian/changelog`:
Git-Dch: Ignore
"
-Build a Debian package (use a Stretch/amd64 chroot):
+Build a Debian package (use a Stretch/amd64 chroot with `stretch-backports`
+enabled):
gbp buildpackage
diff --git a/wiki/src/contribute/release_process/persistence-setup.mdwn b/wiki/src/contribute/release_process/persistence-setup.mdwn
index 5603265..48c7c88 100644
--- a/wiki/src/contribute/release_process/persistence-setup.mdwn
+++ b/wiki/src/contribute/release_process/persistence-setup.mdwn
@@ -7,23 +7,19 @@ Pre-requisites
* a Debian Stretch (or newer) system
* Tails' `devel` APT suite enabled
-* the right version of the `tails-perl5lib` package installed
+* the latest version of the `tails-perl5lib` package installed
Install build and test dependencies
===================================
- git checkout debian && \
- sudo apt install devscripts && \
- mk-build-deps -i -r --root-cmd sudo && \
+ git checkout master && \
sudo apt install \
- libdist-zilla-perl \
- libdist-zilla-plugins-cjm-perl \
- libdist-zilla-plugin-installguide-perl \
- libdist-zilla-plugin-localemsgfmt-perl \
- libdist-zilla-plugin-test-perl-critic-perl \
- libdist-zilla-plugin-test-notabs-perl \
- libdist-zilla-plugin-git-perl \
- dh-make-perl
+ devscripts \
+ dh-make-perl \
+ libdist-zilla-app-command-authordebs-perl && \
+ dzil authordebs --install && \
+ git checkout debian && \
+ mk-build-deps -i -r --root-cmd sudo
Make an upstream release
========================
@@ -36,13 +32,11 @@ Export new upstream version number:
export VERSION=XXX
-Update version number in `bin/tails-persistence-setup`:
-
- perl -pi -E 's,^Version [0-9.]+,Version $ENV{VERSION},' bin/tails-persistence-setup
- perl -pi -E "s,^our \\\$VERSION = '[0-9.]+';\$,our \\\$VERSION = '$VERSION';," bin/tails-persistence-setup
-
-Commit all files that need to be:
+Update version number in `bin/tails-persistence-setup` and
+commit all files that need to be:
+ perl -pi -E 's,^Version [0-9.]+,Version $ENV{VERSION},' bin/tails-persistence-setup && \
+ perl -pi -E "s,^our \\\$VERSION = '[0-9.]+';\$,our \\\$VERSION = '$VERSION';," bin/tails-persistence-setup && \
git commit bin/tails-persistence-setup -m "tails-persistent-setup $VERSION"
Optionally, run the upstream test suite (it is run as part of the
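Review bot: With the two `perl -pi` lines and the `git commit` now chained by `&&`, an unset or empty `VERSION` rewrites the file to `our $VERSION = '';` and commits it in the same command, with no pause to inspect the result. Guard the chain, for example by starting it with `: "${VERSION:?}" && \`, in the style thunderbird.mdwn uses for `${TAILS_VERSION:?}`. The merged sentence also still says "commit all files that need to be" although the command commits only `bin/tails-persistence-setup`, and the commit message spells the program `tails-persistent-setup`.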
@@ -74,7 +68,7 @@ Checkout the Debian packaging branch and import the new upstream tarball:
Update `debian/changelog`:
- gbp dch && dch -e
+ gbp dch --auto --spawn-editor=always
(Do not forget to set the appropriate release.)
@@ -86,9 +80,9 @@ Commit `debian/changelog`:
Git-Dch: Ignore
"
-Build a Debian package (use a Stretch/amd64 chroot, that
-has either tails-perl5lib installed, or the Tails APT repository
-configured):
+Build a Debian package (use a Stretch/amd64 chroot, that has
+`stretch-backports` enabled and on top of that: either tails-perl5lib
+installed or the Tails APT repository configured):
gbp buildpackage
diff --git a/wiki/src/contribute/release_process/tails-greeter.mdwn b/wiki/src/contribute/release_process/tails-greeter.mdwn
index 100caf6..e178b66 100644
--- a/wiki/src/contribute/release_process/tails-greeter.mdwn
+++ b/wiki/src/contribute/release_process/tails-greeter.mdwn
@@ -14,33 +14,17 @@ Update POT and PO files
) && \
git commit po -m 'Update POT and PO files.'
-
Prepare a release
=================
-Run `./scripts/release.sh` and follow the instructions.
+ git checkout master && ./scripts/release.sh
+… then follow the instructions, making sure you set the appropriate
+release on the first line of the new changelog entry.
Update the Debian package
=========================
-Checkout the correct branch:
-
- git checkout master
-
-Update `debian/changelog`:
-
- gbp dch
-
-(Do not forget to set the appropriate release.)
-
-Commit the changelog:
-
- git commit debian/changelog \
- -m "$(dpkg-parsechangelog -SSource) ($(dpkg-parsechangelog -SVersion))
- Git-Dch: Ignore
- "
-
Build a new Debian package (use a Stretch/amd64 chroot):
gbp buildpackage
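Review bot: After this change nothing under "Update the Debian package" says that `debian/changelog` is updated and committed before `gbp buildpackage` runs. If `./scripts/release.sh` now does both, say so next to the "then follow the instructions" sentence; if it does not, the removed `gbp dch` and `git commit debian/changelog` steps are still needed.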
diff --git a/wiki/src/contribute/release_process/tails-iuk.mdwn b/wiki/src/contribute/release_process/tails-iuk.mdwn
index 9b8313c..2077ae6 100644
--- a/wiki/src/contribute/release_process/tails-iuk.mdwn
+++ b/wiki/src/contribute/release_process/tails-iuk.mdwn
@@ -13,19 +13,14 @@ Pre-requisites
Install build and test dependencies
===================================
- git checkout debian && \
- sudo apt install devscripts && \
- mk-build-deps -i -r --root-cmd sudo && \
+ git checkout master && \
sudo apt install \
- libdist-zilla-perl \
- libdist-zilla-plugin-changelogfromgit-perl \
- libdist-zilla-plugins-cjm-perl \
- libdist-zilla-plugin-installguide-perl \
- libdist-zilla-plugin-localemsgfmt-perl \
- libdist-zilla-plugin-test-perl-critic-perl \
- libdist-zilla-plugin-test-notabs-perl \
- libdist-zilla-plugin-git-perl \
- dh-make-perl
+ devscripts \
+ dh-make-perl \
+ libdist-zilla-app-command-authordebs-perl && \
+ dzil authordebs --install && \
+ git checkout debian && \
+ mk-build-deps -i -r --root-cmd sudo
Update POT and PO files
=======================
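Review bot: The install block added here is the same one added to perl5lib.mdwn and persistence-setup.mdwn in this commit, and three copies will drift the way the old package lists did (the removed lists already disagreed on `libdist-zilla-plugin-changelogfromgit-perl`). Consider keeping the block in one shared page and referencing it from the three documents.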
@@ -49,16 +44,11 @@ Export new upstream version number:
Export location of a checkout of the branch of the main Tails Git
repository used to prepare the release (typically `stable` or `testing`):
- export TAILS_GIT_CHECKOUT=XXX
+ export TAILS_GIT_CHECKOUT="$RELEASE_CHECKOUT"
Export source date epoch:
- export SOURCE_DATE_EPOCH=$(date \
- --utc \
- --date="$(dpkg-parsechangelog \
- --file "$TAILS_GIT_CHECKOUT/debian/changelog" \
- --show-field=Date)" \
- +%s)
+ export SOURCE_DATE_EPOCH=$(date --utc +%s)
Update version number in `bin/tails-create-iuk`, commit all files that
need to be.
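Review bot: `SOURCE_DATE_EPOCH=$(date --utc +%s)` takes the wall-clock time of whoever runs the step, so two people building the same source get different timestamps, which is what this variable exists to prevent; the removed form derived it from the `Date` field of `$TAILS_GIT_CHECKOUT/debian/changelog` and was stable across runs. Keep the changelog-derived value, or state why a per-run timestamp is acceptable here. Separately, `$RELEASE_CHECKOUT` is not defined in the visible lines: say where it is set, or write `${RELEASE_CHECKOUT:?}` so an unset value fails loudly.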
@@ -77,8 +67,8 @@ Run the upstream test suite:
umask 077
# Run the test suite
- NODE_PATH="/path/to/tails.git/submodules/mirror-pool-dispatcher/lib/js" \
- PATH="/path/to/tails.git/submodules/mirror-pool-dispatcher/bin:$PATH" \
+ NODE_PATH="${TAILS_GIT_CHECKOUT}/submodules/mirror-pool-dispatcher/lib/js" \
+ PATH="${TAILS_GIT_CHECKOUT}/submodules/mirror-pool-dispatcher/bin:$PATH" \
RELEASE_TESTING=1 \
LC_ALL=C \
dzil test
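Review bot: If `TAILS_GIT_CHECKOUT` is unset in the shell that runs the test suite, the new `PATH` line prepends `/submodules/mirror-pool-dispatcher/bin` and `NODE_PATH` becomes `/submodules/mirror-pool-dispatcher/lib/js`, so the run resolves binaries and modules from an unintended root-level path without any error. Write `${TAILS_GIT_CHECKOUT:?}` in both lines, matching the `${...:?}` style used in thunderbird.mdwn.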
@@ -99,8 +89,7 @@ upstream tarball, update `debian/changelog`:
git checkout debian && \
gbp import-orig --upstream-vcs-tag=$VERSION \
../Tails-IUK-$VERSION.tar.gz && \
- gbp dch --auto && \
- dch -e
+ gbp dch --auto --spawn-editor=always
(Do not forget to set the appropriate release.)
@@ -115,9 +104,9 @@ Commit `debian/changelog`:
Git-Dch: Ignore
"
-Build a Debian package (use a Stretch chroot with the right version of
-`tails-perl5lib` installed), add a signed tag to the repository and
-push the changes:
+Build a Debian package (use a Stretch/amd64 chroot, that has
+`stretch-backports` enabled and on top of that: either tails-perl5lib
+installed or the Tails APT repository configured):
gbp buildpackage && \
gbp buildpackage --git-tag-only --git-sign-tags && \
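Review bot: The rewritten sentence no longer mentions tagging or pushing, but the command block under it still runs `gbp buildpackage --git-tag-only --git-sign-tags`, so the signed-tag step is now undocumented. Keep the "add a signed tag to the repository and push the changes" clause from the removed text after the new chroot description.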
diff --git a/wiki/src/contribute/release_process/test.mdwn b/wiki/src/contribute/release_process/test.mdwn
index af4e77d..5ee4589 100644
--- a/wiki/src/contribute/release_process/test.mdwn
+++ b/wiki/src/contribute/release_process/test.mdwn
@@ -107,11 +107,17 @@ tracked by tickets prefixed with `todo/test_suite:`.
## Security and fingerprinting
* Run the [tests the Tor Browser folks
- use](https://trac.torproject.org/projects/tor/wiki/doc/build/BuildSignoff#TestPagestoUse).
+ use](https://trac.torproject.org/projects/tor/wiki/doc/build/BuildSignoff#TestPagestoUse)
+ and compare to the last released version of Tails. Results should
+ not be worse.
(automate: [[!tails_ticket 10260]])
+ - For the "evercookie" test to work, you may have to disable
+ _uBlock_ on its web page.
* Compare the fingerprint Tor Browser in Tails with the fingerprint of
- the same version of Tor Browser (running outside of Tails), using at least
- <https://panopticlick.eff.org/> (automate: [[!tails_ticket 10262]])
+ the same version of Tor Browser (running on Linux outside of Tails), using at least
+ <https://panopticlick.eff.org/> (automate: [[!tails_ticket 10262]]).
+ Click "Show full results for fingerprinting" to see the details
+ we're interested in.
- The exposed User-Agent should match the latest Tor Browser's one.
- Ignore the result of the "blocking tracking ads" and "blocking
invisible trackers" tests, which seem unreliable (we've seen
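Review bot: "Results should not be worse" gives the tester no baseline to compare against; say where the results for the last released version are recorded, or ask for both versions to be run side by side. In the evercookie sub-item, add that _uBlock_ has to be re-enabled afterwards so the fingerprint comparison in the next bullet is not run with it disabled.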
@@ -129,14 +135,16 @@ tracked by tickets prefixed with `todo/test_suite:`.
* Running `/usr/local/lib/getTorBrowserUserAgent` should produce the User-Agent set by the
installed version of Torbutton, and used in the Tor Browser. (automate: [[!tails_ticket 10268]])
+<a id="Thunderbird"></a>
+
# Thunderbird
* Check mail over IMAP using:
- - a hidden service IMAP server (e.g. Riseup, zsolxunfmbfuq7wf.onion with SSL).
+ - a hidden service IMAP server (e.g. Riseup, zsolxunfmbfuq7wf.onion on port 993 with SSL).
* Check mail over POP using:
- - a hidden service POP server (e.g. Riseup, zsolxunfmbfuq7wf.onion with SSL).
+ - a hidden service POP server (see above, on port 995 with SSL).
* Send an email using:
- - a hidden service SMTP server (see above).
+ - a hidden service SMTP server (see above, on port 465 with SSL).
* Check that the profile works and is torified:
1. Send an email using Thunderbird and a non-anonymizing SMTP relay (a
@@ -225,16 +233,7 @@ tracked by tickets prefixed with `todo/test_suite:`.
then:
- # Set TAILS_CHANNEL accordingly:
-
- # For actual releases:
- TAILS_CHANNEL=test
-
- # For other (~rc, ~alpha...) releases:
- TAILS_CHANNEL=alpha
-
- # Run:
- echo "TAILS_CHANNEL=\"${TAILS_CHANNEL}\"" | sudo tee --append /etc/os-release && \
+ echo "TAILS_CHANNEL=\"test\" | sudo tee --append /etc/os-release && \
tails-upgrade-frontend-wrapper
Else, use a local test setup:
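Review bot: The added line `echo "TAILS_CHANNEL=\"test\" | sudo tee --append /etc/os-release && \` has an unbalanced double quote: the closing `"` after `\"test\"` is missing, so the shell treats the pipe and everything after it as part of the string and waits for more input. It should read `echo "TAILS_CHANNEL=\"test\"" | sudo tee --append /etc/os-release && \`. The removed comments also covered the `alpha` channel for ~rc and ~alpha releases; say what testers of those releases should use now.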
@@ -317,7 +316,7 @@ tracked by tickets prefixed with `todo/test_suite:`.
# Documentation
* The "Tails documentation" desktop launcher should open the
- [[getting started]] page (automate: [[!tails_ticket 8788]]):
+ [[doc]] page (automate: [[!tails_ticket 8788]]):
- in one language to which the website is translated
- in one language to which the website is not translated (=> English)
* Browse around in the documentation shipped in the image. Internal
@@ -351,28 +350,6 @@ You *really* have to reboot between each language.
Russian, Tiếng Việt).
* In the Tor Browser:
- DuckDuckGo must be the default, pre-selected search plugin. (automate: [[!tails_ticket 10265]])
- - the search plugins must be localized for the expected locales
- (automate: [[!tails_ticket 10267]]).
-
- StartPage should have localized *user interface* for (run this in
- a Tails Git checkout of the commit the release under testing was built
- from):
-
- grep --extended-regexp "[^:]*:[^:]*:[^:]*:[^:]*:[^:]+" \
- config/chroot_local-includes/usr/share/tails/browser-localization/descriptions | \
- sed -n --regexp-extended 's/^([^:]+):.*$/\1/p'
-
- StartPage should have localized *search results* for:
-
- grep --extended-regexp "[^:]*:[^:]*:[^:]*:[^:]+:[^:]*" \
- config/chroot_local-includes/usr/share/tails/browser-localization/descriptions | \
- sed -n --regexp-extended 's/^([^:]+):.*$/\1/p'
-
- DDG should have localized user interface *and* search results, and
- Wikipedia should have a localized plugin, for:
-
- sed -n --regexp-extended 's/^([^:]+):.*$/\1/p' \
- config/chroot_local-includes/usr/share/tails/browser-localization/descriptions
## Spellchecking
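Review bot: Removing the search plugin localization checks also drops the reference to ticket 10267, leaving "DuckDuckGo must be the default" as the only search plugin check in this section. If the localization checks are obsolete, state the reason on the page or in the commit message and update the ticket; if they moved to the automated suite, link to where.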
diff --git a/wiki/src/contribute/release_process/test/setup.mdwn b/wiki/src/contribute/release_process/test/setup.mdwn
index b51ee46..71c5aa8 100644
--- a/wiki/src/contribute/release_process/test/setup.mdwn
+++ b/wiki/src/contribute/release_process/test/setup.mdwn
@@ -60,6 +60,7 @@ The following packages are necessary on Debian Stretch:
virt-viewer \
x11vnc \
tigervnc-viewer \
+ x264 \
xvfb \
&& \
sudo service libvirtd restart
diff --git a/wiki/src/contribute/release_process/test/usage.mdwn b/wiki/src/contribute/release_process/test/usage.mdwn
index 6d06ecb..7d792e5 100644
--- a/wiki/src/contribute/release_process/test/usage.mdwn
+++ b/wiki/src/contribute/release_process/test/usage.mdwn
@@ -30,15 +30,15 @@ one of these types of features and not the other.
A typical example run of a few `@product` features could be:
- ./run_test_suite --view --capture test-0.17.webm \
+ ./run_test_suite --view --capture \
--iso path/to/tails.iso \
features/apt.feature features/erase_memory.feature
which will test only the `apt` and `erase_memory` features (if
no feature paths are given, all features in `features/cucumber` will
-be tested) of the given ISO image `tails.iso` while showing the test
+be tested) of the given ISO image `tails.iso` while showing each test
session in a VNC viewer (`--view`) and also capturing it into a video
-called `test-0.17.web` (`--capture`). Similarly, to test a `@source`
+(`--capture`). Similarly, to test a `@source`
feature, we'd simply run something like:
./run_test_suite features/build.feature
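Review bot: With the filename argument removed from `--capture`, the paragraph no longer tells the reader where the video ends up. Since the text now says "each test session", add where the captured videos are written and how they are named, so a tester can find the recording of a failed scenario.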
diff --git a/wiki/src/contribute/release_process/thunderbird.mdwn b/wiki/src/contribute/release_process/thunderbird.mdwn
index a8f4d86..4b530c8 100644
--- a/wiki/src/contribute/release_process/thunderbird.mdwn
+++ b/wiki/src/contribute/release_process/thunderbird.mdwn
@@ -76,7 +76,7 @@ released:
--force-bad-version \
--distribution "${DISTRIBUTION:?}" \
--force-distribution \
- "Rebuild Thunderbird with Tails' secure autoconfiguration patches." && \
+ "Rebuild with Tails' secure autoconfiguration patches." && \
git commit debian/changelog \
-m "document changes and release ${TAILS_VERSION:?}"
@@ -91,7 +91,10 @@ released:
gbp buildpackage --git-debian-branch=tails/stretch \
--git-sign-tags --git-tag-only
-1. Include all sources in the `.changes` file:
+1. If you've built a package based on an _upstream_ release (as in:
+ what's before the first `-` in the package version number)
+ whose `.orig.tar.xz` tarball was never uploaded to our custom
+ APT repository, include all sources in the `.changes` file:
cd path/to/build/artifacts/directory && \
cp path/to/build-area/*${UPSTREAM_VERSION:?}*.orig*.tar.xz . && \
@@ -103,18 +106,17 @@ released:
named tag:
GBP_TAG="debian/$(echo ${TAILS_VERSION:?} | tr '~:' '_%')"
- GBP_TAG_COMMIT="$(git rev-list -n 1 "${GBP_TAG}")"
NEW_GBP_TAG="$(echo ${GBP_TAG:?} | sed 's@/1%@/@')" && \
git tag -s "${NEW_GBP_TAG:?}" \
-m "thunderbird Debian release 1:${TAILS_VERSION:?}" \
- "${GBP_TAG_COMMIT:?}"
+ "${GBP_TAG:?}"
1. Git push and upload packages:
git push --follow-tags origin \
${NEW_GBP_TAG:?} \
tails/stretch \
- upstream-52.x \
+ upstream-60.x \
pristine-tar && \
(cd /path/to/build/artifacts && \
debsign "${CHANGES_FILE:?}" && \
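Review bot: `git tag -s "${NEW_GBP_TAG:?}"` now takes `"${GBP_TAG:?}"` as its target, and `GBP_TAG` is created earlier by `gbp buildpackage ... --git-sign-tags --git-tag-only`, so it names a signed tag object; the new tag will point at that tag rather than at the commit (a nested tag). The removed `git rev-list -n 1` resolved it to the commit first. Use `"${GBP_TAG:?}^{commit}"` to keep the shorter form without changing what gets tagged. The hard-coded `upstream-60.x` in the push command will also need another edit at the next upstream series change; a variable set once at the top of the procedure would avoid that.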
diff --git a/wiki/src/contribute/release_process/tor-browser.mdwn b/wiki/src/contribute/release_process/tor-browser.mdwn
index 06798d3..f9f88e9 100644
--- a/wiki/src/contribute/release_process/tor-browser.mdwn
+++ b/wiki/src/contribute/release_process/tor-browser.mdwn
@@ -98,21 +98,27 @@ the corresponding tarballs ourselves, so read on the next section.
</p>
</div>
-Sync with the start-tor-browser script
+Sync with the upstream wrapper scripts
======================================
Adapt our `config/chroot_local-includes/usr/local/bin/tor-browser`
and/or
`config/chroot_local-includes/usr/local/lib/tails-shell-library/tor-browser.sh`
-for recent changes in `RelativeLink/start-tor-browser` in the
-[Tor Browser build Git repo](https://git.torproject.org/builders/tor-browser-build.git). Look
-in the Git history:
+for recent changes made in the
+[Tor Browser build Git repo](https://git.torproject.org/builders/tor-browser-build.git):
- git log -p projects/tor-browser/RelativeLink/start-tor-browser
+ git log -p \
+ projects/firefox/abicheck.cc \
+ projects/firefox/start-firefox \
+ projects/tor-browser/RelativeLink/start-tor-browser
-and take note of changes to environment variables (or newly added
-ones) and the commandline options passed to the `firefox` executable,
-etc.
+Then apply any relevant change, e.g. to:
+
+ - environment variables;
+ - commandline options passed to the `firefox` executable;
+ - required libstdc++6 version bumps; if there's been any change upstream,
+ look for `abicheck` in `config/chroot_local-hooks/10-tbb` and adjust
+ that hook as needed.
Self-hosted Tor Browser tarballs archive
========================================
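Review bot: The `git log -p` command has no revision range, so it prints the full history of all three paths at every release and leaves it to memory which changes were already merged. Record the upstream commit of the last sync (in this page or next to the `abicheck` code in `config/chroot_local-hooks/10-tbb`) and document the command as `git log -p <last-synced-commit>.. -- <paths>`.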