summaryrefslogtreecommitdiffstats
path: root/wiki/src/contribute/release_process.mdwn
blob: eec40867c1e03a86f5e25c60ac9515c35d7c2cee (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
[[!meta title="Release process"]]

[[!toc levels=2]]

See the [[release_schedule]].

<div class="caution">
Read the remainder of this document from the branch used to prepare the release!
</div>

Requirements
============

To release Tails you'll need some packages installed:

* `tidy mktorrent transmission-cli`
* aufs DKMS module for your running kernel.
* [[!debpts squashfs-tools]] that honors `$SOURCE_DATE_EPOCH`.
  Install it from our custom `devel` APT suite.
* `tails-iuk` dependencies, including suggested packages (see
  `debian/control` in the `debian` branch of its repo)
* `tails-perl5lib` dependencies (same trick as `tails-iuk` to get the
  list)
* `po4a` _from Stretch_: the version in testing/sid extracts Markdown headings
   in a different way, which makes tons of strings fuzzy.

Environment
===========

To be able to copy'n'paste the code snippets found on this page,
you need to set a bunch of environment variables.

Unless the release process explicitly instructs you to change the
value of one such variable, treat it as a constant: else,
inconsistency will surely arise, which can cause trouble later on.

Version numbers
---------------

Note:

* Regarding version numbers, what follows supports just fine the case
  when we do something else than alternating bugfix and major releases
  consistently. For example, if the next two releases are bugfix ones,
  do not set `$NEXT_PLANNED_MAJOR_VERSION` to one of these
  bugfix releases. Instead, set it to the version number of the next
  major release.
* The `$NEXT*VERSION` constants are used only for two types of
  operations: preparing upgrade-description files and adding changelog
  entries. This two types of operations have to be consistent with
  each other: for example, if one adds a dummy entry for version X in
  a changelog, an UDF must exist for version X as well… hence the use
  of shared constants to encode the values that must be the same on
  both sides :)

Export the following environment variables:

* version numbers (see [[contribute/release_schedule#versioning]]):

        export VERSION=$(dpkg-parsechangelog -SVersion)
        export TAG=$(echo "${VERSION:?}" | sed -e 's,~,-,')
        export PREVIOUS_VERSION=$(dpkg-parsechangelog --offset 1 --count 1 -SVersion)
        export PREVIOUS_TAG=$(echo "${PREVIOUS_VERSION:?}" | sed -e 's,~,-,')

* `NEXT_PLANNED_MAJOR_VERSION`: set to the version number of the next
  *major* Tails release; if you're preparing a RC for a major release,
  use that major release; otherwise, use whatever the next planned
  major release is
* `SECOND_NEXT_PLANNED_MAJOR_VERSION`: if you're preparing the RC
  for a major release, set this to the version number of
  the second next *major* Tails release; e.g. if preparing the RC for
  the 3.9 major release, then set this to 3.12 (3.9 is the next major
  release, 3.10 and 3.11 are bugfix releases, 3.12 is a major
  release).
* `NEXT_PLANNED_BUGFIX_VERSION`: set to the version number of the next
  *bugfix* Tails release; if the next release is a bugfix release, use
  that one; otherwise, use `${VERSION}.1`
* `NEXT_POTENTIAL_EMERGENCY_VERSION`: set to the version number we'll give
  to the next emergency release if we have to put one out

Other variables
---------------

Also export the following environment variables:

* `MAJOR_RELEASE`: set to 1 if preparing a major release or a release
  candidate for a major release, to 0 otherwise
* `ISOS`: the directory where one stores `tails-amd64-*`
  sub-directories like the ones downloaded with BitTorrent.
* `ARTIFACTS`: the directory where build artifacts (e.g.
  the `.packages` file) land.
* `MASTER_CHECKOUT`: a checkout of the `master` branch of the main
  Tails Git repository.
* `RELEASE_BRANCH=$(if [ "$MAJOR_RELEASE" = 1 ]; then echo -n testing; else echo -n stable; fi)`
* `RELEASE_CHECKOUT`: a checkout of the branch of the main Tails Git
  repository used to prepare the release (`stable` or `testing`).
* `TAILS_SIGNATURE_KEY=A490D0F4D311A4153E2BB7CADBB802B258ACD84F`
* `TAILS_SIGNATURE_KEY_LONG_ID=$(echo "${TAILS_SIGNATURE_KEY:?}"perl -nE 'say substr($_, -17)')`
* `IUK_CHECKOUT`: a checkout of the relevant tag of the `iuk`
  Git repository.
* `PERL5LIB_CHECKOUT`: a checkout of the relevant tag of the
  `perl5lib` Git repository.
* `DIST`: either 'alpha' (for RC:s) or 'stable' (for actual releases)
* `export WEBSITE_RELEASE_BRANCH="web/release-${TAG:?}"`

Pre-freeze
==========

The [[contribute/working_together/roles/release_manager]] role
documentation has more tasks that should be done early enough.

Coordinate with Debian security updates
---------------------------------------

See [[release_process/Debian_security_updates]].

Sanity check
============

Visit the [Jenkins RM view](https://jenkins.tails.boum.org/view/RM/)
and check that the jobs for the release branch have good enough results.

Freeze
======

Major release
-------------

If we are at freeze time for a major release:

1. Merge the `master` Git branch into `devel`:

        git checkout devel && git fetch origin && git merge --no-ff origin/master

2. [[Merge each APT overlay suite|APT_repository/custom#workflow-merge-overlays]]
   listed in the `devel` branch's `config/APT_overlays.d/` into the `devel`
   APT suite.

3. Merge the `devel` Git branch into the `testing` one:

        git checkout testing && git merge devel

   ... and check that the resulting `config/APT_overlays.d/` in the
   `testing` branch is empty.

4. [[Hard reset|APT_repository/custom#workflow-reset]] the `testing`
   custom APT suite to the current state of the `devel` one.

5. [[Freeze|APT_repository/time-based_snapshots#freeze]] the
   time-based APT repository snapshots that shall be used
   during the freeze.

6. Make it so the time-based APT repository snapshots are kept around
   long enough, by bumping their `Valid-Until` to 10 days after the
   next major release (the one _after_ the one you're preparing)'s
   scheduled date:
   [[APT_repository/time-based_snapshots#bump-expiration-date-for-all-snapshots]]


Bugfix release
--------------

If we are at freeze time for a bugfix release:

1. Merge the `master` Git branch into `stable`:

        git checkout stable && git fetch && git merge --no-ff origin/master

2. [[Merge each APT overlay suite|APT_repository/custom#workflow-merge-overlays]]
   listed in the `stable` branch's `config/APT_overlays.d/` into the `stable`
   APT suite.

Common steps for bugfix and major releases
------------------------------------------

Reset the release branch's `config/base_branch`:

        echo "${RELEASE_BRANCH:?}" > config/base_branch && \
           git commit config/base_branch \
               -m "Restore ${RELEASE_BRANCH:?}'s base branch."

Bootstrap manual testing coordination:

1. Create a pad.
2. Copy the [[manual test suite|contribute/release_process/test]]
   into it.
3. Send the pad URL to the usual testers (see `manual_testers.mdwn` in
   the RM team's Git repository), end-to-end encrypted.

Update included files
=====================

<a id="upgrade-custom-debs"></a>

Upgrade bundled binary Debian packages
--------------------------------------

Skip this section if you are preparing a bugfix release.

The goal here is to make sure the bundled binary Debian packages contain
up-to-date localization files, so:

 - If you are preparing a release candidate, build at least the packages
   that change user-visible strings, so that translators can use the RC
   to check the status of their work and identify what's left to do.
 - If you are preparing a major release, build at least the packages
   that got translation updates since the RC: we've sent a call for
   translation while releasing the RC so the least we can do is to
   incorporate the work that ensued into our final release :)

For each bundled Debian package, `cd` into the package's root
directory (e.g. a checkout of the `whisperback` repository),
import translations from Transifex and sanity-check them:

	cd whisperback
	"${RELEASE_CHECKOUT:?}"/import-translations && \
	"${RELEASE_CHECKOUT:?}"/submodules/jenkins-tools/slaves/check_po

Then, `git rm` the PO files that have issues (alternatively, if you
feel like it you can fix them but your changes will be overwritten
next time we import translations from Transifex).

And finally, commit:

    git add po && git commit \
	    -m "Update POT and PO files, pull updated translations from Transifex."

Then see the relevant release processes, and upload the packages to
the release branch's custom APT suite:

* [[tails-installer]]
* [[tails-greeter]]
* [[perl5lib]]
* [[persistence-setup]]
* [[tails-iuk]]
* whisperback:
  * follow [upstream release process](https://git-tails.immerda.ch/whisperback/plain/HACKING)
  * build a Debian package

Upgrade Tor Browser
-------------------

See the dedicated page: [[tor-browser]]

Upgrade Tor Browser AppArmor profile
------------------------------------

See the dedicated page: [[tor-browser_AppArmor_patch]]

Upgrade Thunderbird
---------------

See the dedicated page: [[thunderbird]]

Upgrade custom packages for VeraCrypt integration
-------------------------------------------------

See the dedicated page: [[veracrypt]]

Update PO files
---------------

Pull updated translations for languages translated in Transifex,
refresh the code PO files,
and commit the result, including new PO files:

	cd "${RELEASE_CHECKOUT:?}" && \
	./import-translations  && \
	./refresh-translations && \
	./submodules/jenkins-tools/slaves/check_po && \
	git add po && git commit -m 'Update PO files.'

If `check_po` complains:

* delete the offending PO files;
* send a note to <tails-l10n@boum.org> so that they get in touch with
  whoever can fix them.

When preparing an actual release
================================

If we're about to prepare an image for a final (non-RC) release, then
follow these instructions:

Major release
-------------

[[Merge each APT overlay suite|APT_repository/custom#workflow-merge-overlays]]
listed in the `testing` branch's `config/APT_overlays.d/` into the `testing`
custom APT suite.

Bugfix release
--------------

<div class="note">
For bugfix releases, we generally do not put any RC out, so freeze time
is the same as preparing the actual release. Hence, the following
steps have already been done above, and this section is a noop in the
general case.
</div>

[[Merge each APT overlay suite|APT_repository/custom#workflow-merge-overlays]]
listed in the `stable` branch's `config/APT_overlays.d/` into the `stable`
custom APT suite.

Update other base branches
==========================

1. Merge the release branch into `devel` following the instructions for
   [[merging base branches|APT_repository/custom#workflow-merge-main-branch]].

2. [[Thaw|APT_repository/time-based_snapshots#thaw]], on the devel
   branch, the time-based APT repository snapshots that were used
   during the freeze. It's fine if that results in a no-op
   (it depends on how exactly previous operations were performed).

3. Merge `devel` into `feature/buster`, *without* following the instructions for
   [[merging base branches|APT_repository/custom#workflow-merge-main-branch]].
   (For now `feature/buster` is handled as any other topic branch
   forked off `devel`: its base branch is set to `devel`.)
   If the merge conflicts don't look like something you feel confident
   resolving properly, abort this merge and let the Foundations
   Team know.

4. Ensure that the release, `devel` and `feature/buster` branches
   have the expected content in `config/APT_overlays.d/`: e.g. it must
   not list any overlay APT suite that has been merged already.

5. Push the modified branches to Git:

        git push origin                          \
           "${RELEASE_BRANCH:?}:${RELEASE_BRANCH:?}" \
           feature/buster:feature/buster       \
           devel:devel

Update more included files
==========================

Changelog
---------

Remove the placeholder entry for next release in `debian/changelog`,
and then:

	git checkout "${RELEASE_BRANCH:?}" && \
	DEBEMAIL='tails@boum.org' DEBFULLNAME='Tails developers' \
	./release ${VERSION:?} ${PREVIOUS_TAG:?}

This populates the Changelog with the Git log entries.

Then, launch an editor for the needed cleanup of the result:

	dch -e

Changelog entries can be dispatched into those usual sections:

 * Major changes
 * Security fixes
 * Bugfixes
 * Minor improvements and updates
 * Build system
 * Test suite

Then, gather other useful information from:

* every custom bundled package's own Changelog (Greeter, Persistent
  Volume Assistant, etc.);
* the diff between the previous version's `.packages` file and the one
  from the to-be-released images; look for:
  - security fixes
  - new upstream releases of applications mentioned in [[doc/about/features]]
  - new upstream releases of other important components such as the
    Linux kernel
* the "Fix committed" section on the *Release Manager View for ${VERSION:?}*
  in Redmine.

Finally, sanity check the version and commit:

	if [ "$(dpkg-parsechangelog -SVersion)" = "${VERSION:?}" ]; then
	    git commit debian/changelog -m "Update changelog for ${VERSION:?}."
	else
	    echo 'Error: version mismatch: please compare ${VERSION:?} with the last entry in debian/changelog'
	fi

Included website
----------------

### Merge master

Merge `master` into the branch used for the release:

	git fetch origin && git merge origin/master

### version number

If preparing a RC, skip this part.

In the branch used to build the release, update the `wiki/src/inc/*` files to
match the *version number* and *date* of the new release. Set the date
at least 24 hours in the future! Between tests and mirror synchronization,
the build will not be released on the same day. Try to make sure it
matches the date of the future signature.

	RELEASE_DATE='2015-11-03'

	echo "${VERSION:?}"      > wiki/src/inc/stable_amd64_version.html
	echo -n "${RELEASE_DATE:?}" > wiki/src/inc/stable_amd64_date.html
	for type in img iso; do
	   basename="tails-amd64-${VERSION:?}"
	   filename="${basename:?}.${type:?}"
	   echo "TZ=UTC gpg --no-options --keyid-format long --verify ${filename:?}.sig ${filename:?}" \
	        > wiki/src/inc/stable_amd64_${type:?}_gpg_verify.html && \
	   echo "http://dl.amnesia.boum.org/tails/stable/${basename:?}/${filename:?}" \
	        > wiki/src/inc/stable_amd64_${type:?}_url.html
	   echo "https://tails.boum.org/torrents/files/${filename:?}.sig" \
	        > wiki/src/inc/stable_amd64_${type:?}_sig_url.html
	   echo "https://tails.boum.org/torrents/files/${filename:?}.torrent" \
	        > wiki/src/inc/stable_amd64_${type:?}_torrent_url.html
	done
	./build-website
	git commit wiki/src/inc/ -m "Update version and date for ${VERSION:?}."

Website translations
--------------------

Refresh the website PO files and commit the ones corresponding to
pages that were added or changed accordingly to changes coming with
the new release. This e.g. ensures that the RC call for translation
points translators to up-to-date PO files:

	./build-website && git add wiki/src && git commit -m 'Update website PO files.'
	git push origin "${RELEASE_BRANCH:?}:${RELEASE_BRANCH:?}"

Call for translation
====================

If at freeze time, send a call for translations to tails-l10n, making it clear what
Git branch the translations must be based on, and what are the
priorities. Also, add a few words to remember the translation teams
using Git that they should regularly contact Transifex translators,
as detailed on the [[documentation for
translators|contribute/how/translate]].

To get a list of changes on the website:

    git diff --stat ${PREVIOUS_TAG:?}.. -- \
        wiki/src/'*'.{mdwn,html} \
        ':!wiki/src/blueprint*' \
        ':!wiki/src/contribute*' \
        ':!wiki/src/inc' \
        ':!wiki/src/news*' \
        ':!wiki/src/security*'

Enable OpenPGP signing
======================

### If you have an OpenPGP smart card

If you have an OpenPGP smart card (i.e. if you are one of the usual
release managers) go fetch it. Remember to only plug it when needed! A
pro tip is to never plug it unless prompted which `gpg` will do for
you. Then just unplug it as soon as the `.sig` is done.

### Otherwise: importing the signing key

This is only relevant when the master key has been reassembled,
e.g. for signing a Tails emergency release where none of the usual
release managers are available.

You should never import the Tails signing key into your own keyring,
and a good practice is to import it to a tmpfs to limit the risks that
the private key material is written to disk:

    export GNUPGHOME=$(mktemp -d)
    sudo mount -t ramfs ramfs "${GNUPGHOME:?}"
    sudo chown $(id -u):$(id -g) "${GNUPGHOME:?}"
    sudo chmod 0700 "${GNUPGHOME:?}"
    gpg --homedir ${HOME:?}/.gnupg --export ${TAILS_SIGNATURE_KEY:?} | gpg --import
    gpg --import path/to/private-key

Let's also ensure that strong digest algorithms are used for our
signatures, like the defaults we set in Tails:

    cp config/chroot_local-includes/etc/skel/.gnupg/gpg.conf "${GNUPGHOME:?}"

Build the almost-final image
============================

1. [[Build ISO and USB images|contribute/build]] from the release branch.
   Do _not_ set `keeprunning` nor `rescue` in `$TAILS_BUILD_OPTIONS`.
2. Carefully read the build logs to make sure nothing bad happened.
3. Keep the resulting build artifacts until the end of this release process.
4. Record where the manifest of needed packages is stored:

        export PACKAGES_MANIFEST=XXX ; \
        [ -f "${PACKAGES_MANIFEST:?}" ] || echo "ERROR: PACKAGES_MANIFEST is incorrect"


Tag the release in Git
======================

	git tag -u "${TAILS_SIGNATURE_KEY:?}" \
	  -m "tagging version ${VERSION:?}" "${TAG:?}" && \
	git push origin "${TAG:?}" "${RELEASE_BRANCH:?}"

(Pushing the tag is needed so that the APT repository is updated, and
the Tails APT configuration works at build and boot time. It might be
premature, as testing might reveal critical issues, but this is
a signed tag, so it can be overridden later. Yes, there is room for
improvement here.)

XXX: From this push of a tag, the builds in Jenkins fail because we prevent it
to continue if the last debian/changelog entry has a tag. There are workarounds
we need to decide and implement.

Prepare the versioned APT suites
================================

* [[Prepare the versioned APT suite in our custom APT repository|APT_repository/custom#workflow-post-tag]].

* Prepare tagged snapshots of upstream APT repositories:

          ./bin/tag-apt-snapshots "${PACKAGES_MANIFEST:?}" "${TAG:?}"

  Note:

  - This command can take a while (about a dozen minutes).
  - It's expected that the packages that were pulled from our
    [[custom APT repository|APT_repository/custom]] are
    listed under "some packages were not found anywhere" (because we
    are currently not using time-based snapshots for our custom APT
    repository). However, _no other package should be on that list_.
    Now, we have a "safety" net, in case you don't notice such a problem: if
    other packages are missing, the next build (that will use the
    newly created partial, tagged APT repository) will fail.

Build images
============

Sanity check
------------

Verify that the Tor Browser release used in Tails still is the most
recent. Also look if there's a new `-buildX` tag (e.g.
`tor-browser-60.3.0esr-8.0-1-build1`) for the Firefox version the Tor
Browser we want to ship is based on in these Git repositories:

* <https://gitweb.torproject.org/builders/tor-browser-build.git>
* <https://gitweb.torproject.org/tor-browser.git>

A new tag may indicate that a new Tor Browser release or rebuild is imminent.

Better catch this before people spend time doing manual tests.

SquashFS file order
-------------------

1. Install the almost final USB image to a USB stick.
1. Boot this USB stick a first time to trigger re-partitioning.
1. Shut down this Tails.
1. Boot this USB stick **on bare metal** again.
1. Add `profile` to the kernel command-line.
1. Login with the default settings in the Greeter (e.g. do not configure
   an _Administration Password_).
1. Wait for the "Tor is ready" notification.
1. Start *Tor Browser*.
1. A few minutes later, once the `boot-profile` process has been
   killed, retrieve the new sort file from `/var/log/boot-profile`.
1. Backup the old sort file: `cp config/binary_rootfs/squashfs.sort{,.old}`
1. Copy the new sort file to `config/binary_rootfs/squashfs.sort`.
1. Cleanup a bit:
   - remove `var/log/live/config.pipe`: otherwise the boot is broken
     or super-slow
   - remove the bits about `kill-boot-profile` at the end: they're
     only useful when profiling the boot
1. Inspect the Git diff (including diff stat), apply common sense:

        diff -NaurB \
            <( cut -d' ' -f1 config/binary_rootfs/squashfs.sort.old | sort ) \
            <( cut -d' ' -f1 config/binary_rootfs/squashfs.sort     | sort ) \
            | less

1. `git commit -m 'Updating SquashFS sort file' config/binary_rootfs/squashfs.sort`

Build the final image
---------------------

Then all included files should be up-to-date and the versioned APT
suite should be ready, so it is time to:

1. Mark the version as "released" in the changelog:

        dch --release --no-force-save-on-release --maintmaint && \
        git commit -m "Mark Tails ${VERSION:?} as released." debian/changelog

1. Export `SOURCE_DATE_EPOCH`:

        export SOURCE_DATE_EPOCH=$(date --utc --date="$(dpkg-parsechangelog --show-field=Date)" '+%s')

1. tag the release *again*, with all included files in:

        git tag -f -u "${TAILS_SIGNATURE_KEY:?}" \
                -m "tagging version ${VERSION:?}" "${TAG:?}" && \
        git push --force origin "${TAG:?}" && \
        git push origin "${RELEASE_BRANCH:?}"

   Note: for Jenkins to build the release you must push the release
   branch with its tip tagged. I.e. if you deviate from the above
   commands by e.g. committing a commit in between `git tag` and the
   first `git push` then Jenkins won't build from the tag -- please
   avoid that!

1. build the final image!
   Do _not_ set `keeprunning` nor `rescue` in `$TAILS_BUILD_OPTIONS`.
   Our build system will apply the correct compression settings automatically
   so don't bother setting it yourself.

1. Compare the new build manifest with the one from the previous,
   almost final build:

        diff -Naur \
           "${PACKAGES_MANIFEST:?}" \
           "${ARTIFACTS:?}/tails-amd64-${VERSION:?}.build-manifest"

   They should be identical, except that the `debian-security` serial might be higher.

1. To ensure we publish the final build's `.build-manifest`, run:

        export PACKAGES_MANIFEST="${ARTIFACTS:?}/tails-amd64-${VERSION:?}.build-manifest"


1. <a id="reproducibility-sanity-check-iso"></a>
   Let's sanity check that Jenkins reproduced your images.

   Visit the URL printed by this command:

       echo "https://jenkins.tails.boum.org/job/build_Tails_ISO_${RELEASE_BRANCH}/"

   Find the job (probably the last one)
   and make sure the ISO and USB images built by Jenkins
   have the same hash (in the `.shasum` file) as the images you built.

   Then:

   - If all hashes match: yay, we're good to go!

     Set the `$MATCHING_JENKINS_BUILD_ID` environment variable
     to the ID of this job (an integer).

   - If there is a hash mismatch for the image: ouch! Now we are in a
     tricky situation: on the one hand it seems like a poor idea to
     block users from benefiting from this release's security updates,
     but on the other hand the failure might imply that something
     nefarious is going on. At this stage, no matter what, immediately
     fetch Jenkins' image, compare it with your, and try to rule out
     build system compromise:

          sudo diffoscope \
              --text diffoscope.txt \
              --html diffoscope.html \
              --max-report-size 262144000 \
              --max-diff-block-lines 10000 \
              --max-diff-input-lines 10000000 \
                  path/to/your/tails-amd64-${VERSION:?}.iso \
                  path/to/jenkins/tails-amd64-${VERSION:?}.iso

     Do the same for the USB image as well.

     Then carefully investigate the `diffoscope` report:

       - If you cannot rule out that the difference is harmful: let's take
         a step back; we might be compromised, so we are in no position to
         release. Halt the release, involve the rest of <tails@boum.org>, and then
         try to re-establish trust in all build machines and infra
         involved, etc. Have fun!

       - Otherwise, if the change is definitely harmless:

         * If the source of non-determinism is identified quickly and
           is easy and fast to fix, *and* the QA of the current image
           has not gone very far (so at least that time is not wasted),
           then you should consider abandoning the current version, and
           immediately start preparing an emergency release with:

           - the reproducibility fix,
           - a new changelog entry,
           - adjustments to the release notes so they are re-purposed for
             this emergency release (the abandoned release gets none, since
             it effectively never will be released publicly).

         * Otherwise, if the fix looks time-consuming or difficult,
           let's release anyway. But let's add a known issue about
           "This Tails release does not build reproducibility" to the
           release notes, linking to the ticket where
           the nature of the reproducibility failure is clearly
           described.

1. check out a new branch:

   If preparing anything but a final release (e.g. an alpha, beta
   or RC):

        git checkout -b "${WEBSITE_RELEASE_BRANCH:?}" origin/master && \
        git push -u origin "${WEBSITE_RELEASE_BRANCH:?}"

   Else, if preparing a final release:

        git checkout -b "${WEBSITE_RELEASE_BRANCH:?}" "${TAG:?}" && \
        git push -u origin "${WEBSITE_RELEASE_BRANCH:?}"

   (as soon as a new commit is created on `$RELEASE_BRANCH`, its
   build will start failing until a new changelog entry is created,
   which we don't want to do on `$RELEASE_BRANCH` before it's merged
   into `master` at release time)

Generate the OpenPGP signatures and Torrents
============================================

Create a directory with a suitable name, go there, move the built
image to this brand new directory, generate detached OpenPGP
signatures for the image to be published (in the same directory as the
image and with a `.sig` extension), then go up to the parent
directory, create a `.torrent` file and check the generated `.torrent`
files metadata:

	for type in iso img ; do
	   mkdir "${ISOS:?}/tails-amd64-${VERSION:?}.${type:?}" && \
	   cd "${ISOS:?}/tails-amd64-${VERSION:?}.${type:?}" && \
	   mv "${ARTIFACTS:?}/tails-amd64-${VERSION:?}.${type:?}" . && \
	   gpg --armor --default-key "${TAILS_SIGNATURE_KEY:?}" --detach-sign *".${type:?}" && \
	   rename 's,\.asc$,.sig,' *.asc && \
	   cd .. && \
	   mktorrent \
	      -a 'udp://tracker.torrent.eu.org:451'   \
	      -a 'udp://tracker.coppersurfer.tk:6969' \
	      "tails-amd64-${VERSION:?}.${type:?}" && \
	   transmission-show tails-amd64-${VERSION:?}.${type:?}.torrent
	done

Lastly, let's set some variables to be used later:

    ISO_PATH="${ISOS:?}/tails-amd64-${VERSION:?}.iso/tails-amd64-${VERSION:?}.iso"
    ISO_SHA256SUM="$(sha256sum "${ISO_PATH:?}" | cut -f 1 -d ' ' | tr -d '\n')"
    ISO_SIZE_IN_BYTES="$(stat -c %s "${ISO_PATH:?}")"
    IMG_PATH="${ISOS:?}/tails-amd64-${VERSION:?}.img/tails-amd64-${VERSION:?}.img"
    IMG_SHA256SUM="$(sha256sum "${IMG_PATH:?}" | cut -f 1 -d ' ' | tr -d '\n')"
    IMG_SIZE_IN_BYTES="$(stat -c %s "${IMG_PATH:?}")"

<a id="prepare-iuk"></a>

Prepare incremental upgrades
============================

Build the Incremental Upgrade Kits
----------------------------------

Incremental upgrades may be skipped if the delta is too big (like when
migrating to a new Debian release) or if there are changes outside of
the scope for IUKs (like partition table changes). Use common sense!

Use `tails-create-iuk` to build the following IUKs:

* From the two previous *planned* releases, and any emergency releases
  in between and after. This should be, more or less, all releases for
  the last 12 weeks (although irregularities in Firefox release
  schedule may add or remove a few weeks).

* From the last RC for the version being released, e.g. 1.0~rc1 to
  1.0. This should be done even if there was no IUK generated from the
  previous stable release since it is a good way to test the iuk code
  that'll be used for the incremental upgrade paths to the
  next version.

Include each such version in a white-space separated list called
`IUK_SOURCE_VERSIONS`, (e.g. `IUK_SOURCE_VERSIONS="2.8 2.9 2.9.1 2.10~rc1"`), optionally setting `TMPDIR` to an existing absolute path where disk space is available,
and run the following:

    for source_version in $(echo ${IUK_SOURCE_VERSIONS:?}); do
        if [ "$(dpkg-query --showformat '${Version}\n' --show squashfs-tools)" != 1:4.3-3.0tails4 ]; then
            echo 'ERROR! Your squashfs-tools probably does not honor SOURCE_DATE_EPOCH so any generated IUKs will *not* be reproducible!'
            break
        fi
        echo "Generating IUK file from ${source_version:?} to ${VERSION:?}"
        sudo su -c "cd ${IUK_CHECKOUT:?} && \
          SOURCE_DATE_EPOCH=$SOURCE_DATE_EPOCH \
          LC_ALL=C \
          TMPDIR=\"${TMPDIR:-/tmp}\" \
          PERL5LIB=\"${PERL5LIB_CHECKOUT:?}/lib\" \
            ./bin/tails-create-iuk \
               --squashfs-diff-name \"${VERSION:?}.squashfs\"           \
               --old-iso \"${ISOS:?}/tails-amd64-${source_version:?}.iso/tails-amd64-${source_version:?}.iso\" \
               --new-iso \"${ISOS:?}/tails-amd64-${VERSION:?}.iso/tails-amd64-${VERSION:?}.iso\"          \
               --outfile \"${ISOS:?}/Tails_amd64_${source_version:?}_to_${VERSION:?}.iuk\""
    done

Note that developer tools for creating IUK and upgrade-description
files are primarily developed and tested on Debian sid. They may
therefore occasionally be broken on Debian stable. As of December 2018
they work fine on Debian Stretch.

<a id="reproducibility-sanity-check-iuk"></a>

Note that we do not yet build IUKs on Jenkins, otherwise here would be
a great point to compare its IUKs with yours.

<a id="prepare-upgrade-description-files"></a>

Prepare upgrade-description files
---------------------------------

1. Prepare upgrade-description files (see the [[upgrade-description
   files
   specification|contribute/design/incremental_upgrades#upgrade-description-files]]
   for details).

   <div class="caution">
   In <emph>most</emph> cases the example command below is exactly the
   one you should run. But in order to tell whether you're in one of
   the exceptional cases when you have to adjust that command, it's
   important that you understand what follows.
   </div>

   At this step, we use the
   `tails-iuk-generate-upgrade-description-files` tool in order to:

   1. Create a new upgrade-description for the version being released
      and for the next one, that expresses that *no* upgrade is
      available for these ones yet.

      This is what the `--version` and `--next-version` arguments
      in the example command below do. You do not need to modify them.

   2. For every previous release listed in `$IUK_SOURCE_VERSIONS`,
      i.e. those that will have a direct incremental upgrade path to
      the version being released: create or update its
      upgrade-description file to advertise this direct incremental
      upgrade path.

      This is what the `--previous-version` arguments generated by the
      example command below do. You do not need to modify that part.

   3. For every recently supported previous release that's _not_
      listed in `$IUK_SOURCE_VERSIONS` (i.e. releases that have no
      _direct_ incremental upgrade path to the version being
      released):

       - If there's a _multi-step incremental upgrade path_ from this
         previous version to the version being released (e.g. by first
         upgrading to a version that's in `$IUK_SOURCE_VERSIONS`): tell
         the users of that old version to go through this multi-step
         incremental upgrade path, i.e. leave its upgrade-description
         file unmodified (it already advertises the first step of
         this multi-step path).

         To do so, ensure you do not manually pass this previous
         release to `--previous-version`. The example command below
         does the right thing in this respect already, so this
         constraint only matters if you have other reasons to modify
         the command.

       - Else, if there's _no incremental upgrade path, be it direct
         or multi-step_, from this previous version to the version
         being released (which happens for example when releasing
         Tails based on a new version of Debian and when we
         unintentionally broke incremental upgrades recently): tell the users
         of that old version they need to manually upgrade to the version
         being released.

         To do so, pass this previous version to `--previous-version`.
         You need to do this manually as the example command below
         won't do it automatically.

   Run this command, after adjusting it if needed as explained above:

        ( cd ${IUK_CHECKOUT:?} && \
        ./bin/tails-iuk-generate-upgrade-description-files \
            --build-target amd64 \
            --version "${VERSION:?}" \
            $( \
                if [ "${DIST:?}" = stable ]; then
                    echo \
                        --next-version "${NEXT_PLANNED_MAJOR_VERSION:?}" \
                        --next-version "${NEXT_PLANNED_MAJOR_VERSION:?}~rc1" \
                        --next-version "${NEXT_PLANNED_BUGFIX_VERSION:?}" \
                        --next-version "${NEXT_POTENTIAL_EMERGENCY_VERSION:?}" \
                else
                    echo --next-version $(echo ${VERSION:?} | sed -e 's,~.*$,,')
                fi
            ) \
            $( \
                for version in $(echo ${IUK_SOURCE_VERSIONS:?}); do
                   echo "--previous-version ${version:?}"
                done \
            ) \
            --iso "${ISO_PATH:?}" \
            --iuks "${ISOS:?}" \
            --release-checkout "${RELEASE_CHECKOUT:?}" \
            --major-release "${MAJOR_RELEASE:?}" \
            --channel "${DIST:?}"
       )

1. Create an armoured detached signature for each created or modified
   upgrade-description file.

        cd "${RELEASE_CHECKOUT:?}" && \
        find "${RELEASE_CHECKOUT:?}/wiki/src/upgrade/" \
           -type f -name upgrades.yml | \
           while read udf; do
               if [ -n "$(git status --porcelain "${udf:?}")" ]; then
                   for x in 1 2 3; do
                       gpg -u "${TAILS_SIGNATURE_KEY:?}" --armor \
                           --detach-sign "${udf:?}" \
                       && break
                   done
                   mv --force "${udf:?}.asc" "${udf:?}.pgp"
                   ( \
                     cd ${IUK_CHECKOUT:?} && \
                     ./bin/tails-iuk-check-upgrade-description-file "${udf:?}" \
                   ) || break
               fi
           done

1. Add and commit the upgrade-description files and their detached
   signatures to the Git branch used to prepare the release
   (`$WEBSITE_RELEASE_BRANCH`):

        ( \
          cd "${RELEASE_CHECKOUT:?}" && git add wiki/src/upgrade && \
          git commit -m "Update upgrade-description files." && \
          git push origin ${WEBSITE_RELEASE_BRANCH:?} \
        )

1. Copy the generated UDFs for the previous releases to the *test*
   channel in `$MASTER_CHECKOUT`, modify their content accordingly,
   sign them, commit and push:

        ( \
          cd ${MASTER_CHECKOUT:?} && \
          git fetch && \
          git merge origin/master && \
          for old_version in $(echo ${IUK_SOURCE_VERSIONS:?}); do
            release_udf="wiki/src/upgrade/v1/Tails/${old_version:?}/amd64/${DIST:?}/upgrades.yml" && \
            test_udf="wiki/src/upgrade/v1/Tails/${old_version:?}/amd64/test/upgrades.yml" && \
            mkdir -p "$(dirname "$test_udf")" && \
            git show origin/${WEBSITE_RELEASE_BRANCH:?}:${release_udf:?} \
              | sed -e "s/channel: ${DIST:?}/channel: test/" > ${test_udf:?} && \
            gpg -u "${TAILS_SIGNATURE_KEY:?}" --armor --detach-sign ${test_udf:?} && \
            mv ${test_udf:?}.asc ${test_udf:?}.pgp && \
            git add ${test_udf:?}* ; \
          done && \
          git commit -m "Add incremental upgrades on the test channel for Tails ${VERSION:?}" && \
          git push origin master:master \
        )

Prepare the image description file for *Tails Verification*
-----------------------------------------------------------

If preparing a RC, skip this part.

Update the image description file (IDF) used by the browser extension:

    ./bin/idf-content \
       --version "${VERSION:?}" \
       --iso "${ISO_PATH:?}" \
       --img "${IMG_PATH:?}" \
       > "${RELEASE_CHECKOUT:?}"/wiki/src/install/v2/Tails/amd64/stable/latest.json && \
    ( cd "${RELEASE_CHECKOUT:?}" && \
      git add wiki/src/install/v2/Tails/amd64/stable/latest.json && \
      git commit -m "Update IDF file for Tails Verification." )

Done with OpenPGP signing
=========================

Unplug your OpenPGP smartcard and store it away, so you don't plug it
back semi-mechanically later on.

**Beware!** If your have to plug your OpenPGP smart card or reassemble the
key again after this point it invalidates *everything* done for
the [[reproduction of this release|test#reproducibility-final-check]]
so it has to be started from the beginning:

* the original text is restored on the pad, and
* some tester follows it from scratch, and
* the Trusted Reproducer follows awaits the new input from said tester
  and then starts from scratch.

So please try to avoid this!

Upload images
=============

Sanity check
------------

Verify once more that the Tor Browser we ship is still the most recent (see
above).

<a id="publish-iuk"></a>

Publish the ISO, IMG, and IUKs over HTTP
----------------------------------------

Upload the IUKs to our rsync server:

    for source_version in $(echo ${IUK_SOURCE_VERSIONS:?}); do
       rsync --partial --inplace --progress -v \
          "${ISOS:?}/Tails_amd64_${source_version:?}_to_${VERSION:?}.iuk" \
          rsync.lizard:
    done

While waiting for the IUKs to be uploaded, you can proceed with the next steps.

Upload the ISO and USB image signatures to our rsync server:

    scp "${ISO_PATH:?}.sig" "${IMG_PATH:?}.sig" rsync.lizard:

Copy the ISO and USB images to our rsync server, verify their signature,
move them in place with proper ownership and permissions
and update the time in `project/trace` file on our rsync server
and on the live website (even for a release candidate):

    cat "${RELEASE_CHECKOUT:?}/wiki/src/tails-signing.key" \
       | ssh rsync.lizard gpg --import
    ssh rsync.lizard << EOF
       wget \
          "https://nightly.tails.boum.org/build_Tails_ISO_${RELEASE_BRANCH:?}/builds/${MATCHING_JENKINS_BUILD_ID:?}/archive/build-artifacts/tails-amd64-${VERSION:?}.iso" \
          "https://nightly.tails.boum.org/build_Tails_ISO_${RELEASE_BRANCH:?}/builds/${MATCHING_JENKINS_BUILD_ID:?}/archive/build-artifacts/tails-amd64-${VERSION:?}.img" && \
       gpg --verify tails-amd64-${VERSION:?}.iso{.sig,} && \
       gpg --verify tails-amd64-${VERSION:?}.img{.sig,}
    EOF

    ssh rsync.lizard << EOF
      sudo install -o root -g rsync_tails -m 0755 -d \
         /srv/rsync/tails/tails/${DIST:?}/tails-amd64-${VERSION:?} && \
      sudo chown root:rsync_tails tails-amd64-${VERSION:?}.{iso,img}* && \
      sudo chmod u=rwX,go=rX tails-amd64-${VERSION:?}.{iso,img}* && \
      sudo mv tails-amd64-${VERSION:?}.{iso,img}* \
              /srv/rsync/tails/tails/${DIST:?}/tails-amd64-${VERSION:?}
    EOF

	TRACE_TIME=$(date +%s) &&
	echo ${TRACE_TIME:?} | ssh rsync.lizard "cat > /srv/rsync/tails/tails/project/trace" && \
	[ -n "${MASTER_CHECKOUT:?}" ] && \
	echo ${TRACE_TIME:?} > "${MASTER_CHECKOUT:?}/wiki/src/inc/trace" &&
	(
	   cd "${MASTER_CHECKOUT:?}" && \
	   git commit wiki/src/inc/trace \
	      -m "Updating trace file after uploading the ISO and USB images for ${VERSION:?}." && \
	   git push origin master
	)

Once the IUKs are uploaded, move them IUKs in place with proper
ownership and permissions and update the time in `project/trace` file
on our rsync server and on the live website (even for a release
candidate):

    ssh rsync.lizard << EOF
      sudo chown root:rsync_tails Tails_amd64_*_to_${VERSION:?}.iuk && \
      sudo chmod u=rwX,go=rX Tails_amd64_*_to_${VERSION:?}.iuk && \
      sudo mv Tails_amd64_*_to_${VERSION:?}.iuk \
              /srv/rsync/tails/tails/${DIST:?}/iuk/
    EOF

	TRACE_TIME=$(date +%s) &&
	echo ${TRACE_TIME:?} | ssh rsync.lizard "cat > /srv/rsync/tails/tails/project/trace" && \
	[ -n "${MASTER_CHECKOUT:?}" ] && \
	echo ${TRACE_TIME:?} > "${MASTER_CHECKOUT:?}/wiki/src/inc/trace" &&
	(
	   cd "${MASTER_CHECKOUT:?}" && \
	   git commit wiki/src/inc/trace \
	      -m "Updating trace file after uploading the IUKs for ${VERSION:?}." && \
	   git push origin master
	)

## Announce, seed and test the Torrent

Skip this section if [[!tails_ticket 16378]] is not resolved yet.

Check if there's enough space on our Bittorrent seed to import the new
ISO and USB images:

    ssh bittorrent.lizard df -h /var/lib/transmission-daemon/downloads

If not, list already running Torrents:

    ssh bittorrent.lizard transmission-remote --list

… set `$ID` to the oldest one and delete it (do this both for the ISO and USB image):

    ssh bittorrent.lizard -t "${ID:?}" --remove-and-delete

… and finally check disk space again:

    ssh bittorrent.lizard df -h /var/lib/transmission-daemon/downloads

Now you can announce and seed the Torrent for the release you're preparing:

    cat "${RELEASE_CHECKOUT:?}/wiki/src/tails-signing.key" \
       | ssh bittorrent.lizard gpg --import
    for type in iso img ; do
       image_filename="tails-amd64-${VERSION:?}.${type:?}"
       scp \
          "${ISOS:?}/${image_filename:?}.torrent" \
          "${ISOS:?}/${image_filename:?}/${image_filename:?}.sig" \
          bittorrent.lizard: && \
       ssh bittorrent.lizard << EOF
          mkdir --mode 0755 "${image_filename:?}" && \
          mv "${image_filename:?}.sig" \
             "${image_filename:?}/" && \
          cd "${image_filename:?}" && \
          wget \
             "https://nightly.tails.boum.org/build_Tails_ISO_${RELEASE_BRANCH:?}/builds/${MATCHING_JENKINS_BUILD_ID:?}/archive/build-artifacts/${image_filename:?}" && \
          gpg --verify ${image_filename:?}{.sig,} && \
          cd && \
          chgrp -R debian-transmission "${image_filename:?}" && \
          chmod -R go+rX,g+w "${image_filename:?}" && \
          mv \
             "${image_filename:?}" \
             /var/lib/transmission-daemon/downloads/ && \
          transmission-remote --add ${image_filename:?}.torrent \
                              --find /var/lib/transmission-daemon/downloads/
    EOF
    done

Test that you can start downloading the ISO and USB images with a BitTorrent client.

ISO history
-----------

Push the released ISO and USB images and their artifacts (`.buildlog`, `.build-manifest`, and `.packages` files) to our Tails ISO history git-annex repo, so that
our isotesters can fetch them from there for their testing. How to do so
is described in the `ISO_history.mdwn` document in the RM team's Git repo.

Testing
=======

1. Using `check-mirrors`, choose a fast mirror that already has the
   tentative ISO and USB images. E.g. <https://mirrors.kernel.org/tails/> or
   <https://mirrors.wikimedia.org/tails/> are reliable and have plenty
   of bandwidth.

        ./check-mirrors.rb --allow-multiple --fast --channel ${DIST:?} \
            --ip $(dig +short mirrors.kernel.org | tail -n1) \
            tails-amd64-${VERSION:?}

1. Email <tails-testers@boum.org> to ask them to test the tentative
   ISO and USB images, pointing them to the up-to-date mirror you've found previously.
1. Email <tails@boum.org> and potential contributors (see
   `manual_testers.mdwn` in the internal Git repository) that tests
   may start:
   - point them to the up-to-date mirror you've found previously
   - make it clear what's the deadline
   - make it clear where and how you expect to get feedback
   - attach the Torrent
   - attach the `.packages` file
1. Make sure someone is committed to run the automated test suite.
1. Make sure that enough people are here to run the tests, that they
   report their results in due time, and that they make it clear when
   they're leaving for good.
1. Fill the holes and make sure that the automated and manual test
   suites are done in due time. Clock and report this work separately
   from your RM'ing work.
1. Triage test results, reproduce bugs as needed, decide what the next
   step is and make sure it happens: add to known issues? file ticket?
   release blocker? improve the test description (steps, expected outcome)?
1. If [[!tails_ticket 16378]] is not resolved yet, ensure someone will
   seed the Torrent.

Update the website and Git repository
=====================================

What follows in this section happens on the `$WEBSITE_RELEASE_BRANCH`
branch in `${RELEASE_CHECKOUT:?}`:

	cd "${RELEASE_CHECKOUT:?}" && \
	   git checkout "${WEBSITE_RELEASE_BRANCH:?}"

If preparing a final release
----------------------------

Skip this part if preparing a RC.

Rename, copy, garbage collect and update various files:

	cp "${ISO_PATH:?}.sig" \
	   "${IMG_PATH:?}.sig" \
	   "${ARTIFACTS:?}/tails-amd64-${VERSION:?}.build-manifest" \
	   "${ARTIFACTS:?}/tails-amd64-${VERSION:?}.packages" \
	   "${ISOS:?}/tails-amd64-${VERSION:?}".{iso,img}.torrent \
	   "${RELEASE_CHECKOUT:?}/wiki/src/torrents/files/" && \
	git rm \
	   "${RELEASE_CHECKOUT:?}/wiki/src/torrents/files/tails-amd64-${PREVIOUS_VERSION:?}."{build-manifest,iso.sig,img.sig,packages,iso.torrent,img.torrent} && \
	LC_NUMERIC=C ls -l -h ${ISO_PATH:?} | \
	   cut -f 5 -d ' ' | sed -r 's/(.+)([MG])/\1 \2B/' \
	   > "${RELEASE_CHECKOUT:?}/wiki/src/inc/stable_amd64_iso_size.html" && \
	LC_NUMERIC=C ls -l -h ${IMG_PATH:?} | \
	   cut -f 5 -d ' ' | sed -r 's/(.+)([MG])/\1 \2B/' \
	   > "${RELEASE_CHECKOUT:?}/wiki/src/inc/stable_amd64_img_size.html" && \
    gpg --check-trustdb && \
    LANG=C TZ=UTC gpg --no-options --keyid-format long --trusted-key "${TAILS_SIGNATURE_KEY_LONG_ID:?}" --verify "${ISO_PATH:?}.sig" "${ISO_PATH:?}" 2>&1 | \
	   perl -pE 's/\[ultimate\]$/[full]/' | \
	   sed 's/ /\&nbsp;/g;s/</\&lt;/;s/>/\&gt;/;s/$/<br\/>/g' > \
	   "${RELEASE_CHECKOUT:?}/wiki/src/inc/stable_amd64_iso_gpg_signature_output.html" && \
    LANG=C TZ=UTC gpg --no-options --keyid-format long --trusted-key "${TAILS_SIGNATURE_KEY_LONG_ID:?}" --verify "${IMG_PATH:?}.sig" "${IMG_PATH:?}" 2>&1 | \
	   perl -pE 's/\[ultimate\]$/[full]/' | \
	   sed 's/ /\&nbsp;/g;s/</\&lt;/;s/>/\&gt;/;s/$/<br\/>/g' > \
	   "${RELEASE_CHECKOUT:?}/wiki/src/inc/stable_amd64_img_gpg_signature_output.html"

Then, build the website and commit this last set of changes:

	./build-website && \
	git add wiki/src && \
	git commit -m "Update various website source files for ${VERSION:?}"

Ensure our [[contribute/working_together/roles/technical_writer]] has
[[written|contribute/how/documentation/release_notes]] the
announcement for the release in `wiki/src/news/version_${TAG:?}.mdwn`.

Write an announcement listing the security bugs affecting the previous
version in
`wiki/src/security/Numerous_security_holes_in_${PREVIOUS_VERSION:?}.mdwn`
in order to let the users of the old versions
know that they have to upgrade. Date it a few days before the
images to be released were *built*. Including:

- if we are not shipping Linux from Debian stable, the list of
  CVE fixed in Linux since the one shipped in the previous release of
  Tails; you can find them in the relevant changelog e.g.:
  * <http://metadata.ftp-master.debian.org/changelogs/main/l/linux/unstable_changelog>
  * <http://metadata.ftp-master.debian.org/changelogs/main/l/linux/testing_changelog>
  * <http://metadata.ftp-master.debian.org/changelogs/main/l/linux/stretch-backports_changelog>
- the list of DSA fixed in packages we ship since those that were in
  the previous release of Tails: <https://www.debian.org/security/#DSAS>
- the list of BSA fixed in packages we ship since those that were in
  the previous release of Tails:
  <https://lists.debian.org/debian-backports-announce/>
- the list of MFSA fixed by the Tor Browser update:
  <https://www.mozilla.org/security/announce/>

If preparing a release candidate
--------------------------------

Skip this part if preparing a final release.

Copy the signatures and the Torrent into the website repository:

	cp "${ISO_PATH:?}.sig" \
	   "${IMG_PATH:?}.sig" \
	   "${ISOS:?}/tails-amd64-${VERSION:?}".{iso,img}.torrent \
	   "${RELEASE_CHECKOUT:?}/wiki/src/torrents/files/"

Write the announcement for the release in
`${RELEASE_CHECKOUT:?}/wiki/src/news/test_${TAG:?}.mdwn`, including:

- Update the `meta title` directive.
- Update the `meta date` directive.
- Document important config changes that persistence users have to do
  themselves (e.g. the Pidgin proxy settings change in
  [[!tails_gitweb_commit 9925321]] breaks all existing persistent
  profiles).
- Document known issues.
- This snippet can help to convert the copied changelog's ticket
  references to links:

      sed -i 's@#\([0-9]\{4,5\}\)@[[!tails_ticket \1]]@g' \
          wiki/src/news/test_${TAG:?}.mdwn

In any case
-----------

Generate PO files for the announcements and record the last commit
before putting the release out for real:

	./build-website && \
	git add wiki/src && \
	git commit -m "Releasing version ${VERSION:?}"

Then, send the PO files for the announcements to <tails-l10n@boum.org>
so that they get translated shortly, perhaps even soon enough to
integrate them before pushing the release out officially.

Go wild!
========

Wait for the HTTP mirrors to catch up
-------------------------------------

Test downloading the ISO, USB image, and IUK over HTTP.

Make sure every active mirror in the pool has the new version:

	./check-mirrors.rb --channel ${DIST:?} --allow-multiple --fast \
        tails-amd64-${VERSION:?}

Ask <tails-mirrors@boum.org> to drop those that are lagging behind and
notify their administrators.

Sanity checks
-------------

* Check the outcome of the "Testing" section above.
* Wait for the Mozilla security advisory
  [to be published](https://www.mozilla.org/en-US/security/advisories/).
* While waiting, if preparing a major release, you can drop the post for Tor blog:
  see the "Tor blog" section below. If you do that, uncheck the *Publish*
  checkbox and click *Save* to save the draft.
* Verify once more that the Tor Browser we ship is still the most recent (see
  above).

Push
----

### Git

Push the last commits to our Git repository and put `master` in the
following state:

    ( cd "${RELEASE_CHECKOUT:?}" && \
      git push origin \
          "${WEBSITE_RELEASE_BRANCH:?}:${WEBSITE_RELEASE_BRANCH:?}" \
          devel:devel \
    ) && \
    ( cd "${MASTER_CHECKOUT:?}" && \
      git fetch && \
      git merge origin/master && \
      git merge "origin/${WEBSITE_RELEASE_BRANCH:?}" && \
      echo "stable" > config/base_branch && \
      git commit config/base_branch \
          -m "Restore master's base branch." \
    )

Finally, push the `master` branch to make the changes go live on our
website:

    ( cd "${MASTER_CHECKOUT:?}" && \
      git push origin master:master \
    )

The release is now public! Woo!

Check translation are correct
-----------------------------

Once the push is over and the live website is build, check that each
`news/version_${VERSION}` HTML pages looks OK in all supported
languages.

Bug tracker
-----------

Skip this part if preparing a release candidate.

Mark all issues fixed in this release as `Status: Resolved` in our bug
tracker. For a list of candidates, see:

* the [issues in *Fix committed*
  status](https://redmine.tails.boum.org/code/projects/tails/issues?query_id=111);
* the "Fix committed" section on the *Release Manager View for ${VERSION:?}*
  in Redmine.

Select these issues with the checkboxes in the first column, then
right click on the list to display the context menu, and finally
change the _Status_ there. Relationships between tickets will likely
prevent you from closing all these issues at once, but at least
you can process them in several smaller batches instead of one by one.

Postpone to next release any remaining open issue for the version
you've just released. Use the right-click contextual menu to do so in
one single batch.

Then, mark the just-released Redmine milestone as done: go to the
target version page, click *Edit*, and set *Status* to *Closed*.

### Tickets linked from the website

Go through the tickets linked from the documentation and support sections of the
website and point our lead technical writer (sajolida) to the tickets that might be resolved in
this release.

    cd "${MASTER_CHECKOUT:?}" && \
    find wiki/src/{doc,support} -name "*.mdwn" -o -name "*.html" | xargs cat | \
        ruby -e 'puts STDIN.read.scan(/\[\[!tails_ticket\s+(\d+)[^\]]*\]\]/)' | \
        while read ticket; do
            url="https://redmine.tails.boum.org/code/issues/${ticket:?}"
            url_content=$(curl --fail --silent ${url:?})
            if [ "${?}" -ne 0 ] || [ -z "${url_content:-}" ]; then
                echo "Failed to fetch ${url:?} so manually investigate #${ticket:?}" >&2
                continue
            fi
            ticket_status="$(echo "${url_content:?}" | \
                sed -n 's,^.*<div class="status attribute"><div class="label">Status:</div><div class="value">\([^<>]\+\)</div></div>.*$,\1,p')"
            if [ -z "${ticket_status:-}" ]; then
                echo "Failed to find the status of #${ticket:?}" >&2
                continue
            fi
            if [ "${ticket_status:?}" != "New" ] && \
               [ "${ticket_status:?}" != "Confirmed" ] && \
               [ "${ticket_status:?}" != "In Progress" ]; then
                echo "It seems ticket #${ticket:?} has been fixed (Status: ${ticket_status:?}) so please find all instances in the wiki and fix them. Ticket URL: ${url:?}"
            fi
        done

Remember that ticket expressions, e.g. `[[!tails_ticket 1234]]`, can
span several lines, so finding the ones reported by the above code
*might* be harder than `git grep "tails_ticket 1234"`.

Twitter
-------

Check in the comments of the ticket for the release notes if the
technical writers have prepared a tweet. Otherwise tweet a simple link
to the release notes:

    Tails x.y is out: https://tails.boum.org/news/version_x.y/

Tor blog
--------

XXX: move most of this to the list of things that can be done while
waiting for manual test results, replace "Save and publish" there with
"Save and keep unpublished", and keep only the "Save and publish" step
here (+ adjust *Authoring Information* → *Authored on* since the date
of the draft creation won't be correct). I didn't do this yet as it
would conflict with the changes I've done for [[!tails_ticket 12629]]
in painful ways.

We announce *major* releases on the Tor blog:

* Generate a Tor Blog-friendly post; please go through it manually,
  and look at the previews, to make sure it looks sane!

      ikiwiki --setup ikiwiki.setup \
              --render wiki/src/news/version_${VERSION:?}.mdwn | \
          tidy --wrap 99999 | \
          sed '0,/^<div id="content" role="main">$/d' | \
          sed '/^<div id="footer" class="pagefooter" role="contentinfo">$/,$d' | \
          sed '/^<div class="toc">$/,+7d' | \
          sed '/^<p><img [^<>]*\/><\/p>$/d' | \
          sed '/^<\/div>$/d' | \
          sed 's@<a name[^<>]*></a>@@g' | \
          sed 's@href="\.\./@href="https://tails.boum.org/@g' | \
          sed 's@src="\./@src="https://tails.boum.org/news/@g' | \
          sed 's@\(\.en\)\?.html@/@g' \
          > /tmp/tor-blog-post.html
          cat >> /tmp/tor-blog-post.html <<EOF
      <h1>Support and feedback</h1>
      <p>For support and feedback, visit the <a href="https://tails.boum.org/support/">Support section</a> on the Tails website.</p>
      EOF

- [login to the Tor blog](https://blog.torproject.org/user)
- click *Content* → *Add content* → *Blog Post*
- add these tags:
  * tails
  * anonymous operating system
  * tails releases
- set *Title* to "New Release: Tails $VERSION"
- choose *Filtered HTML* as the *Text format* in the blog post editor
- copy the text you have prepared into the *Post Body* textarea of the
  blog post editor
- open *Comment Settings* and verify that comments are *Closed*
- open *Promotion Options* and check *Promoted to front page*
- click *Preview* and ensure everything is OK
- click *Save and publish*

Amnesia news
------------

1. [Subscribe](https://www.autistici.org/mailman/listinfo/amnesia-news/)
   to `amnesia-news@`. It's the only reliable way to check if the next
   step has worked (the online web archive is not refreshed immediately).

2. [Log in](https://www.autistici.org/mailman/admindb/amnesia-news)
   and accept the release announcement, that's been automatically sent
   to `amnesia-news@` on an hourly basis, and is stuck in the
   moderation queue.

Prepare for the next development cycle
======================================

XXX: adapt / fork for release candidates. In the meantime, read all
this, and skip what does not make sense for a RC.

1. If you just released a new stable release, remove the previous
   stable release from:
   - our rsync server:
     `ssh rsync.lizard sudo rm -rf /srv/rsync/tails/tails/stable/tails-amd64-${PREVIOUS_VERSION:?}/`
   - our Bittorrent seed: get the previous release's _Transmission_ IDs
     (ISO and USB image)
     with `ssh bittorrent.lizard transmission-remote --list` and then
     delete them with
     `ssh bittorrent.lizard transmission-remote -t "${PREVIOUS_VERSION_TRANSMISSION_ID:?}" --remove-and-delete`
	 then re-run `ssh bittorrent.lizard transmission-remote --list` and make sure everything looks good
1. Remove any remaining RC for the just-published release from
   `rsync.lizard:/srv/rsync/tails/tails/alpha/`
1. Remove IUKs that are more than 9 months old from
   `/{stable,alpha}/iuk` on the rsync server:
   - first check that it's not going to remove anything we want to keep:

         ssh rsync.lizard /bin/sh -c \
             \"find /srv/rsync/tails/tails/alpha  \
                    /srv/rsync/tails/tails/stable \
                    -type f -name '*.iuk' -mtime '+270' \
                    -not -name '*~test_*~test.iuk' -ls \
             \"

   - then actually delete the files:

         ssh rsync.lizard /bin/sh -c \
             \"sudo find /srv/rsync/tails/tails/alpha  \
                    /srv/rsync/tails/tails/stable \
                    -type f -name '*.iuk' -mtime '+270' \
                    -not -name '*~test_*~test.iuk' -delete \
             \"

1. Check how much space our mirrors need:

        ssh rsync.lizard du -sh /srv/rsync/tails

   Compare it to the minimum disk space we ask of our mirror operators
   (30 GiB) and determine if any further action is needed to either
   reduce our usage by deleting stuff, or asking them to give us more
   space.
1. Delete Git branches that were merged:

        cd "${MASTER_CHECKOUT:?}" && \
        git checkout master && \
        git fetch && \
        git submodule update && \
        bare_repo=$(mktemp -d)
        git clone --bare --reference "${MASTER_CHECKOUT:?}" \
           gitolite@d53ykjpeekuikgoq.onion:tails \
           "${bare_repo:?}" && \
        PYTHONPATH=lib/python3 ./bin/delete-merged-git-branches \
           --repo "${bare_repo:?}" && \
        rm -rf "${bare_repo:?}"

1. On the `stable` and `devel` branches, remove all old versions
   that were never released from `wiki/src/upgrade/v1/Tails` and
   `debian/changelog`. Explanation: the
   post-release APT repository steps from the previous stable release
   will usually have had us prepare for an emergency release that was
   never made.
1. [[Thaw the packages that were granted freeze exceptions|APT_repository/time-based_snapshots#freeze-exceptions-post-release]].
1. Pull `master` back and merge it into `stable`, and in turn into
   `devel`
1. [[Thaw|APT_repository/time-based_snapshots#thaw]], on the devel
   branch, the time-based APT repository snapshots that were used
   during the freeze. This should generally be a no-op but if there
   was some hiccup earlier it could be needed.
1. Follow the
   [[post-release|APT_repository/custom#workflow-post-release]] custom
   APT repository documentation. This includes some git operations,
   like creating an appropriate _"dummy changelog entry"_ in the
   `debian/changelog` file.
1. Verify that the snapshots used in the release branch are ok,
   e.g. they use the correct snapshots, and they were bumped
   appropriately (they should expire after the next planned major release date).
   Look carefully at the output of this command:

        cd "${RELEASE_CHECKOUT:?}" && \
        git checkout "${RELEASE_BRANCH:?}" && \
        for dir in config/APT_snapshots.d vagrant/definitions/tails-builder/config/APT_snapshots.d; do
        (
            echo "${dir:?}:"
            cd "${dir:?}" && \
            for ARCHIVE in * ; do
                SERIAL="$(cat ${ARCHIVE:?}/serial)"
                if [ "${SERIAL:?}" = 'latest' ]; then
                    EXPIRY='never'
                    if [ "${ARCHIVE:?}" != 'debian-security' ]; then
                        echo "Warning: origin '${ARCHIVE:?}' is using the 'latest' snapshot, which is unexpected" >&2
                    fi
                else
                    if [ "${ARCHIVE:?}" = 'debian-security' ]; then
                        DIST='stretch/updates'
                    else
                        DIST='stable'
                   fi
                   EXPIRY="$(curl --silent "http://time-based.snapshots.deb.tails.boum.org/${ARCHIVE:?}/dists/${DIST:?}/snapshots/${SERIAL:?}/Release" | sed -n 's/^Valid-Until:\s\+\(.*\)$/\1/p')"
                fi
                echo "* Archive '${ARCHIVE:?}' uses snapshot '${SERIAL:?}' which expires on: ${EXPIRY:?}"
            done
            echo ---
        )
        done

1. Push the resulting branches.
1. Make sure Jenkins manages to build all updated major branches:
   <https://jenkins.tails.boum.org/>.
1. Make sure you pushed all changes in every of our Git repo (including our
   Debian packages ones).
1. Delete the _Release Manager View for ${VERSION_:?}_ Redmine custom query.
1. Ensure the next two releases have their own _Release Manager View_.
1. On the [[!tails_roadmap]], update the *Due date* for the *Holes
   in the Roof* so that this section appears after the next release.
1. If you are the release manager for the next release too, look at the
   tasks that must be done at the beginning of your shift in the
   [[release manager role page|contribute/working_together/roles/release_manager]].
   Otherwise, kindly remind the next release manager about this :)

Related pages
=============

[[!map pages="contribute/release_process/*"]]