path: root/wiki/src/contribute/release_process/thunderbird.mdwn
blob: 244d655da854f707093f39b6f8b2054286a84de1 (plain)
[[!meta title="Releasing Thunderbird"]]

Until we have
[[!tails_ticket 6156 desc="upstreamed our secure autoconfiguration patches"]]
we have to maintain Thunderbird ourselves. This means we need to
[[!debpts thunderbird]] new versions hitting Debian stable.

The first time you do this requires some additional steps (WARNING!
this will download almost 2 GiB of data):

1. Clone [Tails' Thunderbird repo](http://git.tails.boum.org/thunderbird/).

1. Add a remote for Debian:

        git remote add debian-upstream https://salsa.debian.org/mozilla-team/thunderbird.git

Let's pretend the scenario is that Thunderbird 60.0-3 has just been
released:

    VERSION="60.0-3"
    TAG="debian/1%$(echo ${VERSION:?} | tr '~' '_')"
    UPSTREAM_VERSION=$(echo ${VERSION:?} | perl -pi -E 's/-.*//')

1. `git fetch && git fetch debian-upstream`

1. Verify the signed tag:

        git tag -v "${TAG:?}"

   The tag should have been signed with one of the keys that follow;
   investigate if it's not the case:

    - `8B94 819C 2555 70A3 74B6  2CCD 26E3 C875 A744 20EF`
    - `B70D FC6F 134F ECFC 011E  62AA 8301 6014 251D 1DB0`
    - `D343 9DAA 19DC FACD AE87  9CF2 B999 CDB5 8C8D DBD2`

1. Let's update our branch to the new version:

        git checkout tails/stretch && git merge origin/tails/stretch && \
        git merge --no-edit "${TAG:?}"

   Now you most likely will have to deal with a merge conflict in
   `debian/changelog` -- just reorder the conflicting entries by
   version number, `git add` modified files as needed, and ensure
   a merge commit is created eventually.

1. Let's ensure our patches still apply cleanly:

   1. Check if they do:

          quilt push -a

   2. Regardless of whether our patches applied cleanly, clean up:

          quilt pop -a && rm -rf .pc

   3. If our patches applied cleanly, move on. Otherwise:

      XXX (undocumented as we prefer focusing our efforts on
      upstreaming our patches rather than on documenting the current,
      temporary state of things): after reverse-engineering the state
      of our Git repository, it seems that one should create a new
      `secure_account_creation-${VERSION:?}` branch forked off the
      latest existing one, transplant our commits on top of `${TAG}`
      with the appropriate `--onto` option, squash our commits into
      a new `secure_account_creation-${VERSION:?}-squashed` branch,
      and extract updated patches from there into
      `debian/patches/secure-account-creation/`.

1. Then let's release a new version (`TICKET` must already be set in
   your shell, otherwise `${TICKET:?}` aborts the command):

        TAILS_VERSION="1:${VERSION:?}~deb9u1.0tails1" && \
        DISTRIBUTION="bugfix-${TICKET:?}-thunderbird-${UPSTREAM_VERSION:?}" && \
        dch \
           --newversion "${TAILS_VERSION:?}" \
           --force-bad-version \
           --distribution "${DISTRIBUTION:?}" \
           --force-distribution \
           "Rebuild with Tails' secure autoconfiguration patches." && \
        git commit debian/changelog \
            -m "document changes and release ${TAILS_VERSION:?}"

1. Build packages in a Stretch amd64 chroot:

        gbp buildpackage \
            --git-debian-branch=tails/stretch \
            --git-export=WC

1. Tag the new version:

        gbp buildpackage --git-debian-branch=tails/stretch \
            --git-sign-tags --git-tag-only

1. If you've built a package based on an _upstream_ release (as in:
   what's before the first `-` in the package version number)
   whose `.orig.tar.xz` tarball was never uploaded to our custom
   APT repository, include all sources in the `.changes` file:

        cd path/to/build/artifacts/directory && \
        cp path/to/build-area/*${UPSTREAM_VERSION:?}*.orig*.tar.xz . && \
        CHANGES_FILE="thunderbird_$(echo "${TAILS_VERSION:?}" | sed 's/^1://')_amd64.changes" && \
        changestool "${CHANGES_FILE:?}" includeallsources

1. Due to [[!tails_ticket 11531]] we won't be able to push the tag
   generated by `gbp` so we have to replace it with a differently
   named tag:

        GBP_TAG="debian/$(echo ${TAILS_VERSION:?} | tr '~:' '_%')"
        NEW_GBP_TAG="$(echo ${GBP_TAG:?} | sed 's@/1%@/@')" && \
        git tag -s "${NEW_GBP_TAG:?}" \
                -m "thunderbird Debian release ${TAILS_VERSION:?}" \
                "${GBP_TAG:?}"

1. Git push and upload packages:

        git push --follow-tags origin \
           ${NEW_GBP_TAG:?} \
           tails/stretch \
           upstream-60.x \
           pristine-tar && \
        (cd /path/to/build/artifacts && \
         debsign "${CHANGES_FILE:?}" && \
         dupload --to tails "${CHANGES_FILE:?}")

   Note: pushing some tags will fail due to [[!tails_ticket 11531]].
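
The signer check from the "Verify the signed tag" step can be enforced mechanically instead of being read off the `git tag -v` output. The following is an added example, not part of the Tails procedure: the function names and the sample status lines are constructed for illustration, and the allowlist is the three fingerprints listed in that step.

```shell
# Fingerprints from the "Verify the signed tag" step, spaces removed.
ALLOWED_FPRS="8B94819C255570A374B62CCD26E3C875A74420EF
B70DFC6F134FECFC011E62AA83016014251D1DB0
D3439DAA19DCFACDAE879CF2B999CDB58C8DDBD2"

# Reads GnuPG status lines on stdin. Succeeds only if a VALIDSIG line names
# an allowed fingerprint, either as the signing key (first argument) or as
# the primary key (last argument, which differs when a subkey signed).
signer_allowed() {
    while read -r prefix keyword fpr rest; do
        case "$prefix $keyword" in
            "[GNUPG:] VALIDSIG") ;;
            *) continue ;;
        esac
        primary=${rest##* }
        for ok in $ALLOWED_FPRS; do
            if [ "$fpr" = "$ok" ] || [ "$primary" = "$ok" ]; then
                return 0
            fi
        done
    done
    return 1
}

# Hypothetical wrapper: `git verify-tag --raw` prints the GnuPG status
# lines on stderr and exits non-zero when git rejects the signature.
verify_release_tag() {
    status=$(git verify-tag --raw "$1" 2>&1) || return 1
    printf '%s\n' "$status" | signer_allowed
}

# Constructed status lines (not real gpg output) for offline testing.
SAMPLE_DIRECT='[GNUPG:] VALIDSIG B70DFC6F134FECFC011E62AA83016014251D1DB0 2018-08-10 1533859200 0 4 0 1 8 00 B70DFC6F134FECFC011E62AA83016014251D1DB0'
SAMPLE_SUBKEY='[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 2018-08-10 1533859200 0 4 0 1 8 00 8B94819C255570A374B62CCD26E3C875A74420EF'
SAMPLE_UNKNOWN='[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2018-08-10 1533859200 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'
SAMPLE_BADSIG='[GNUPG:] BADSIG 26E3C875A74420EF Constructed Signer <signer@example.invalid>'

# In the procedure: verify_release_tag "${TAG:?}" || echo "investigate" >&2
```

A valid signature from a key that is not on the list makes `verify_release_tag` fail, which is the case the step says to investigate.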