Upgrade documentation for the TBB migration.

23965452 · Tails developers · 6c6d7392 · 23965452 · 23965452 · 23965452
Commit 23965452 authored Sep 29, 2014 by Tails developers
--- a/config/chroot_local-includes/usr/local/sbin/unsafe-browser
+++ b/config/chroot_local-includes/usr/local/sbin/unsafe-browser
@@ -147,14 +147,14 @@ configure_chroot () {
    done
    chmod a+r ${CHROOT}/etc/resolv.conf

-    # Remove all Iceweasel addons: some adds proxying, which we don't
+    # Remove all addons: some adds proxying, which we don't
    # want; some may change the fingerprint compared to a standard
-    # Iceweasel install. Note: We cannot use apt-get since we don't ship its
+    # Firefox install. Note: We cannot use apt-get since we don't ship its
    # lists (#6531). Too bad, APT supports globbing, while dkpg does not.
    dpkg -l 'xul-ext-*' | /bin/grep '^ii' | awk '{print $2}' | \
        xargs chroot ${CHROOT} dpkg --remove

-    # Create a fresh Iceweasel profile for the clearnet user
+    # Create a fresh browser profile for the clearnet user
    CLEARNET_PROFILE="${CHROOT}"/home/clearnet/.tor-browser/profile.default

    CLEARNET_EXT="${CLEARNET_PROFILE}"/extensions
@@ -210,7 +210,7 @@ EOF
 }

 run_browser_in_chroot () {
-    # Start Iceweasel in the chroot
+    # Start the browser in the chroot
    echo "* Starting Unsafe Browser"

    sudo -u ${SUDO_USER} xhost +SI:localuser:${CLEARNET_USER} 2>/dev/null

--- a/config/chroot_local-includes/usr/share/amnesia/browser/searchplugins/locale/README
+++ b/config/chroot_local-includes/usr/share/amnesia/browser/searchplugins/locale/README
 When Tails is built, the searchplugins defined in these directories
 will be symlinked to the corresponding locale directory in
-/etc/iceweasel/searchplugins/locale. With one twist: if a language
-has more than one locale, the searchplugins will be symlinked in all
-the corresponding directories.
+/usr/local/lib/tor-browser/Browser/distribution/searchplugins/locale with
+one twist: if a language has more than one locale, the searchplugins
+will be symlinked in all the corresponding directories.
--- a/wiki/src/contribute/design.mdwn
+++ b/wiki/src/contribute/design.mdwn
@@ -745,9 +745,9 @@ See [[doc/about/features]].
 ## 3.3 Internationalization

 Tails ships, as is, localization files provided by the installed
-Debian packages. All available iceweasel localization packages
+Debian packages. All available Tor Browser localization packages
 are installed. Spell checking software and data is installed for the
-set of best supported languages; it is usable at least is Iceweasel,
+set of best supported languages; it is usable at least is Tor Browser,
 LibreOffice and gedit.

 ### 3.3.1 Input methods
@@ -945,77 +945,58 @@ granting `sudo` privileges to the `amnesia` user by default.
 Unless an administrator password is set in tails-greeter,
 no root access is possible afterwards.

-### 3.6.13 Iceweasel
-
-(Note: Iceweasel is the name of the web browser, based on Mozilla
-Firefox, that is shipped by Debian and thus by Tails.)
-
-Tails ships custom Iceweasel ESR packages built with the Torbrowser
-patches to better blend in the Tor Browser Bundle's anonymity set.
-Some patches, that are not relevant for Tails, are not
-applied, though: see the Tails browser's
-[changelog](https://git-tails.immerda.ch/iceweasel/plain/debian/changelog?h=tails/master)
-for the current status.
-
-Iceweasel uses the Torbutton extension in order to prevent attacks
-using JavaScript, plugins and other non-HTTP features like web
-bugs. It is configured to always be enabled on Iceweasel start and
-uses Tor as SOCKS5 proxy. SOCKS is configured to perform name
-resolution through this proxy. Iceweasel is also configured to not
-cache to disk (mainly to reduce memory usage for DVD users as disk
-writes will be stored there), history is disabled (just in case) and
-many other things. It is also set up not to automatically check for
-updates of its installed extensions. Java support is disabled.
-
-Iceweasel is shipped with some extensions to help users manage their
-browsing experience. The Torbutton settings treat all cookies as
-session cookies by default. This prevents the
-known leak of browsing information cookies can lead to. The [Adblock
-plus](https://addons.mozilla.org/fr/firefox/addon/1865/) extension
-protects against many tracking possibilities by removing most ads.
-
-Tails ships the [HTTPS
-Everywhere](https://www.eff.org/https-everywhere) extension that
-forces HTTPS usage for requests to a number of major websites.
-
-Tails also ships the
-[FoxyProxy](https://addons.mozilla.org/fr/firefox/addon/2464/)
-extension that:
-
- allows using I2P instead of Tor to visit eepsites (I2P's own hidden
-  services look-alike); see [[the design document dedicated to Tails
-  use of I2P|I2P]] for details;
- could help [[!tails_todo FTP_in_Iceweasel desc="fixing Iceweasel's FTP support"]].
-
-Thanks to Torbutton, to the Tor Browser patches, and to us importing
-(most of) the TBB preferences, Iceweasel is configured so that Tor browser
-fingerprint appears uniformly among Torbutton users. Tails enables
-Torbutton's EN-US locale spoofing to avoid partitioning Tails
-users into per-language anonymity sets.
-
-Torbutton is also configured to spoof the timezone settings the same
-way as the Tor Browser Bundle does, i.e. to `UTC+00:00`.
-
-Thanks to the Tor Browser patches, the in-memory web cache is isolated
-to the url bar origin.
-
-The Iceweasel config is poorly commented but the commit messages in
-Git history explains it all. In a nutshell, Iceweasel preferences are
-set in various ways:
-
-* A Tor Browser patch called
-  `0022-Tor-Browser-s-Firefox-preference-overrides.patch` bundles
-  their prefs directly into `omni.ja`.
-* `/etc/iceweasel/*/*.js` contains:
-  - Torbutton preferences that the TBB also sets;
-  - some Tails-specific settings.
-
-Whenever the user tries to start Iceweasel before Tor is ready, they
-are informed it won't work, and asked whether to start the browser
-anyway:
-
- [[!tails_gitweb config/chroot_local-includes/usr/local/bin/iceweasel]]
- [[!tails_gitweb config/chroot_local-includes/usr/local/sbin/tor-has-bootstrapped]]
+### 3.6.13 Tor Browser
+
+Tails ships with the Tor Browser, which is based on Mozilla Firefox
+and patched by the Tor Project for improved anonymity by reducing
+information leaks, decreasing attack surface and similar. The actual
+binaries etc. used in Tails are those distributed by the Tor Project,
+but the configuration differs slightly, which is described below.
+
+In Tails we diverge from the TBB's one-profile-only design, and
+install the Tor Browser in a globally accessible directory used by all
+browser profiles (and other XUL applications).
+
+- [[!tails_gitweb config/chroot_local-hooks/10-tbb]]
+
+The default profile is split from the binaries and application data:
+
+- [[!tails_gitweb_dir config/chroot_local-includes/etc/tor-browser]]
+
+As for extensions we have the following differences:
+
+* Tails also installs the
+  [Adblock plus](https://addons.mozilla.org/fr/firefox/addon/1865/)
+  extension to protect against many tracking possibilities by removing
+  most ads.
+
+* Tails also ships the
+  [FoxyProxy](https://addons.mozilla.org/fr/firefox/addon/2464/)
+  extension that:
+  - allows using I2P instead of Tor to visit eepsites (I2P's own
+    hidden services look-alike); see
+    [[the design document dedicated to Tails use of I2P|I2P]] for
+    details;
+  - could help
+    [[!tails_todo FTP_in_Iceweasel desc="fixing web browser FTP support"]].
+
+* Tails does not install the same Torbutton as in the TBB. We
+  installed a patched version.
+
+* Tails does not install the Tor Launcher extension as part of the
+  browser. A patched Tor Launcher is installed for use as a
+  stand-alone XUL application, though.
+
+In Tails we do not use the `start-tor-browser` script, since it does a
+lot of stuff not needed in Tails (error checking mainly) and isn't
+flexible since it looks for the browser profile in a specific
+place. Our custom script makes use of the global installation and also
+makes sure the default profile is used as a basis. Also, whenever the
+user tries to start the Tor Browser before Tor is ready, they are
+informed it won't work, and asked whether to start the browser anyway:
+
+- [[!tails_gitweb config/chroot_local-includes/usr/local/bin/tor-browser]]
+- [[!tails_gitweb config/chroot_local-includes/usr/local/bin/generate-tor-browser-profile]]- [[!tails_gitweb config/chroot_local-includes/usr/local/sbin/tor-has-bootstrapped]]
 - [[!tails_gitweb config/chroot_local-includes/etc/sudoers.d/zzz_tor-has-bootstrapped]]

 Once Tor is ready to be used, the user is informed they can now use
@@ -1023,15 +1004,13 @@ the Internet:

 - [[!tails_gitweb config/chroot_local-includes/etc/NetworkManager/dispatcher.d/60-tor-ready-notification.sh]]

-Source code, scripts and configuration:
+The remaining configuration differences can be found in:

- [[!tails_gitweb_dir config/chroot_local-includes/etc/iceweasel]]
- Tails' Iceweasel source [[lives in Git|contribute/git]]
- [[!tails_gitweb config/chroot_local-hooks/12-remove_unwanted_iceweasel_searchplugins]]
- [[!tails_gitweb config/chroot_local-hooks/13-iceweasel_sqlite]]
+- [[!tails_gitweb_dir config/chroot_local-includes/etc/tor-browser/preferences/zzz_tails.js]]
+- [[!tails_gitweb config/chroot_local-hooks/12-remove_unwanted_browser_searchplugins]]
 - [[!tails_gitweb config/chroot_local-hooks/13-override-tbb-branding]]
- [[!tails_gitweb config/chroot_local-hooks/14-add_localized_iceweasel_searchplugins]]
- [[!tails_gitweb config/chroot_local-hooks/14-generate-iceweasel-profile]]
+- [[!tails_gitweb config/chroot_local-hooks/14-add_localized_browser_searchplugins]]
+- [[!tails_gitweb config/chroot_local-hooks/14-generate-tor-browser-profile]]
 - [[!tails_gitweb config/chroot_local-hooks/15-symlink-places.sqlite]]

 ### 3.6.14 Claws Mail
@@ -1244,7 +1223,7 @@ release candidates images before they are officially published.
 ### 3.8.3 Upgrades

 Keeping Tor (stable releases only, unless the Tor core developers
-recommend otherwise) and Iceweasel up-to-date is a priority.
+recommend otherwise) and the Tor Browser up-to-date is a priority.

 Remaining applications, including the base system, will be upgraded
 using Debian standard upgrade process, and generally based on the
@@ -1299,11 +1278,11 @@ where Tails is heading to.
 Tails tries to make it as difficult as possible to distinguish Tails
 users from other Tor users.

-Iceweasel is configured to match the fingerprint of the Tor Browser
+The Tor Browser used in Tails is configured to match the fingerprint of the Tor Browser
 Bundle and the known differences, if any, are listed in the [[known
 issues|support/known_issues]] page.

-However the fact that different extensions are installed in Tails and in
+However the fact that different browser extensions are installed in Tails and in
 the TBB surely allows more sophisticated attacks that usual fingerprint
 as returned by tools such as <https://panopticlick.eff.org/> and
 <http://ip-check.info/>. For example, the fact that Adblock is removing

--- a/wiki/src/contribute/design/I2P.mdwn
+++ b/wiki/src/contribute/design/I2P.mdwn
@@ -11,7 +11,7 @@ be able to access eepsites from Tails.
 Versions
 ========

-[I2P](https:/geti2p.net) has been included since Tails v0.7 with Iceweasel
+[I2P](https:/geti2p.net) has been included since Tails v0.7 with the web browser
 preconfigured using FoxyProxy so that eepsites (`.i2p` TLD) are directed to
 I2P. All other traffic gets routed through Tor.

@@ -78,12 +78,12 @@ participating in I2P traffic:
 [[!tails_gitweb config/chroot_local-hooks/16-i2p_config]].

 [[!tails_todo iceweasel_addon_-_FoxyProxy desc="FoxyProxy"]] has been installed
-system-wide, and the default iceweasel profile provides with a
+system-wide, and the default web browser profile provides with a
 configuration handling the I2P integration. FoxyProxy's whitelist
 filter is used to make sure that the corresponding urls will be
 proxied appropriately.

-Below are the patterns that each url handled by iceweasel will be
+Below are the patterns that each url handled by the web browser will be
 matched against. These patterns will be tried in order, from top to
 bottom, until the first match is found:

@@ -231,7 +231,7 @@ Things to meditate upon
  SOCKS5. This effectively breaks FTP completely, so there's room for
  adding a pattern above number 4 which matches ftp connections
  (i.e. `^ftp://.*`) and proxies them through some ftp proxy using Tor
-  as its parent proxy. See [[!tails_todo FTP_in_Iceweasel]]. As an addition,
+  as its parent proxy. See [[!tails_todo FTP_in_Iceweasel desc="FTP in Tor Browser"]]. As an addition,
  at the moment (versions <=0.8) ftp does not work in I2P for
  technical reasons, so no pattern for that is needed.

@@ -258,4 +258,4 @@ Things to meditate upon

 * Are the patterns used above correct for their intended purposes?
  Does the FoxyProxy setup in any way open up for attacks? See
-  [[!tails_todo iceweasel_addon_-_FoxyProxy]].
+  [[!tails_todo iceweasel_addon_-_FoxyProxy desc="FoxyProxy"]].
--- a/wiki/src/contribute/design/Unsafe_Browser.mdwn
+++ b/wiki/src/contribute/design/Unsafe_Browser.mdwn
@@ -14,8 +14,8 @@ Internet access seem required for avoiding this problem.
 Requirements
 ============

-* It must run a completely separate Iceweasel profile from the
-  Torified browser's.
+* It must run a completely separate browser profile from the
+  Torified browser.
 * It must be hard to start by mistake.
 * It must be hard to mistake for the Torified browser.
 * It must be configured to use the DNS provided by DHCP (which is required
@@ -42,8 +42,8 @@ when started:
 0. Show a dialog asking the user for verification, while also briefly
   explaining that the Unsafe Browser won't be anonymous.
 0. "No" is the default answer, but if "Yes", we start a separate
-   Iceweasel instance.
-0. Iceweasel is configured to use a theme with scary colors (red). To
+   browser instance.
+0. The browser is configured to use a theme with scary colors (red). To
   not raise suspicion the scary theme is not used when Windows
   camouflage is activated, but instead the normal Internet Explorer
   theme is used.

--- a/wiki/src/contribute/design/persistence.mdwn
+++ b/wiki/src/contribute/design/persistence.mdwn
@@ -23,8 +23,8 @@ This is relevant for the following applications:
 - GnuPG, SSH and OTR key pairs
 - GnuPG configuration
 - SSH client configuration
- iceweasel certificate trust
- iceweasel bookmarks
+- Tor Browser certificate trust
+- Tor Browser bookmarks
 - Pidgin configuration
 - MUA configuration
 - printers configuration

--- a/wiki/src/contribute/design/stream_isolation.mdwn
+++ b/wiki/src/contribute/design/stream_isolation.mdwn
@@ -26,8 +26,8 @@ Tails:
 Web Browser
 -----------

-Until Torbrowser implements clever fine-grained stream isolation
-([[!tor_bug 3455]]), Iceweasel is merely directed to a dedicated SOCKS port.
+Until the Tor Browser implements clever fine-grained stream isolation
+([[!tor_bug 3455]]) it is merely directed to a dedicated SOCKS port.

 Destination address/port -based circuit isolation
 -------------------------------------------------
@@ -46,7 +46,7 @@ However:
  before we ship it to the masses.

 For performance reasons, we will start with *not* using
-`IsolateDestAddr`/`IsolateDestPort` for iceweasel we ship: nowadays,
+`IsolateDestAddr`/`IsolateDestPort` for the Tor Browser: nowadays,
 loading a mere web page often requires fetching resources from a dozen
 or more remote sources. (Also, it looks like the use of
 `IsolateDestAddr` in a modern web browser may create very uncommon
@@ -91,9 +91,7 @@ in [[!tails_gitweb config/chroot_local-includes/etc/tor/torrc]]:

 Applications are configured to use the right SOCKS port:

- [[!tails_gitweb config/chroot_local-includes/etc/iceweasel/pref/iceweasel.js]]
- [[!tails_gitweb config/chroot_local-includes/etc/iceweasel/profile/foxyproxy.xml]]
- [[!tails_gitweb config/chroot_local-includes/etc/iceweasel/profile/user.js]]
+- [[!tails_gitweb config/chroot_local-includes/etc/tor-browser/profile/preferences/zzz_tails.js]]
 - [[!tails_gitweb config/chroot_local-includes/etc/init.d/htpdate]]
 - [[!tails_gitweb config/chroot_local-includes/etc/tor/tor-tsocks-mua.conf]]
 - [[!tails_gitweb config/chroot_local-includes/usr/local/bin/tails-security-check]]

--- a/wiki/src/contribute/how/documentation/guidelines.mdwn
+++ b/wiki/src/contribute/how/documentation/guidelines.mdwn
@@ -119,7 +119,7 @@ is described in its principal use cases. For example:

 The screen reading functionality of <span class="application">GNOME
 Orca</span> does not work neither with the <span
-class="application">Iceweasel Web Browser</span> nor with the <span
+class="application">Tor Browser</span> nor with the <span
 class="application">Unsafe Web Browser</span>.

 </div>

--- a/wiki/src/contribute/release_process.mdwn
+++ b/wiki/src/contribute/release_process.mdwn
@@ -41,12 +41,6 @@ Pre-freeze
 The [[contribute/working_together/roles/release_manager]] role
 documentation has more tasks that should be done early enough.

-Update Iceweasel preferences
----------------------------
-
-* update `extensions.adblockplus.currentVersion` in
-  `config/chroot_local-includes/etc/iceweasel/profile/user.js`
-
 Coordinate with Debian security updates
 ---------------------------------------

@@ -71,22 +65,22 @@ AdBlock patterns
 ----------------

 Patterns are stored in
-`config/chroot_local-includes/etc/iceweasel/profile/adblockplus/`.
+`config/chroot_local-includes/etc/tor-browser/profile.default/adblockplus/`.

 1. Boot Tails
-2. Open *Tools* → *Addons*
+2. Start the tor Browser and open *Tools* → *Addons*
 3. Select *Adblock Plus* in extensions
 4. Open *Preferences* → *Filter preferences…*
 5. For each filters, click *Actions* → *Update filters*
-6. Close Iceweasel
-7. Copy the `.mozilla/firefox/default/adblockplus/patterns.ini` from
-   this Iceweasel instance to the
-   `config/chroot_local-includes/etc/iceweasel/profile/adblockplus`
+6. Close the Tor Browser
+7. Copy the `.tor-browser/profile.default/adblockplus/patterns.ini` from
+   this Tor Browser instance to the
+   `config/chroot_local-includes/etc/tor-browser/profile.default/adblockplus`
   directory in the Tails Git checkout.
 8. Commit:

       git commit -m 'Update AdBlock Plus patterns.' \
-          config/chroot_local-includes/etc/iceweasel/profile/adblockplus/patterns.ini
+          config/chroot_local-includes/etc/tor-browser/profile.default/adblockplus/patterns.ini

 Upgrade bundled binary Debian packages
 --------------------------------------
@@ -116,7 +110,6 @@ Correct all the errors that are not in the ignored list of

 Then see the relevant release processes:

-* [[iceweasel]]
 * [[liveusb-creator]]
 * [[tails-greeter]]
 * [[perl5lib]]
@@ -127,6 +120,11 @@ Then see the relevant release processes:
  * build a Debian package
  * upload it to our [[APT repository]]

+Upgrade the Tor Browser
+-----------------------
+
+See the dedicated page: [[tor-browser]]
+
 Update PO files
 ---------------

@@ -479,15 +477,6 @@ Prepare upgrade-description files
 Upload images
 =============

-Sanity check
------------
-
-Verify that the current source for Firefox is still the same we've
-used when preparing our custom Iceweasel package: e.g. FF17.0.8 got
-re-tagged and re-uploaded at the last minute, due to a test failure.
-
-Better catch this before people spend time doing manual tests.
-
 ## Announce, seed and test the Torrents

 Announce and seed the Torrents.
@@ -622,7 +611,7 @@ image to be released was *built*. Including:
 - the list of BSA fixed in packages we ship since those that were in
  the previous release of Tails:
  <https://lists.debian.org/debian-backports-announce/>
- the list of MFSA fixed by the iceweasel update:
+- the list of MFSA fixed by the Tor Browser update:
  <https://www.mozilla.org/security/announce/>

 If preparing a release candidate
@@ -679,12 +668,6 @@ Testing
 Go wild!
 ========

-Sanity check
------------
-
-Verify once more that the current source for Firefox is still the same
-we've used when preparing our custom Iceweasel packages.
-
 Push
 ----


--- a/wiki/src/contribute/release_process/Debian_security_updates.mdwn
+++ b/wiki/src/contribute/release_process/Debian_security_updates.mdwn
@@ -5,17 +5,6 @@ by delaying a Tails release a bit to wait for a DSA to happen.

 [[!toc levels=2]]

-Iceweasel
-=========
-
-Mozilla updates are scheduled in advance. Searching the web for the
-next (point-)release number tells you when it will be released. Add
-2-3 days to this release date, and you know when a xulrunner/iceweasel
-Debian security update will be ready on the mirrors.
-
-See the [releases page](http://wiki.mozilla.org/Releases) on Mozilla
-wiki.
-
 Debian security team
 ====================


--- a/wiki/src/contribute/release_process/iceweasel.mdwn
+++ b/wiki/src/contribute/release_process/iceweasel.mdwn
-[[!meta title="Releasing Iceweasel + Torbrowser patches"]]
-
-[[!toc levels=2]]
-
-1. Prepare environment
-======================
-
-* Clone our Tor browser
-  [[Git repository|contribute/git#other-repositories]] if you do not
-  have it handy yet.
-
-* Add (and fetch from) a Git remote for the Debian iceweasel packaging
-  repository:
-
-      git remote add -f debian git://git.debian.org/git/pkg-mozilla/iceweasel.git
-
-* Export the new upstream release to the environment of the one shell
-  or three that will be used:
-
-	export VERSION=17.0.9esr
-
-2. Was Iceweasel updated?
-=========================
-
-It might have been updated in one of these sources:
-
-* branch `esr/master` in `git://git.debian.org/git/pkg-mozilla/iceweasel.git`
-* <http://mozilla.debian.net/pool/iceweasel-esr/i/iceweasel/>
-
-**If** it was updated, then skip to [[New Iceweasel release|iceweasel#new-iceweasel-release]].
-**Else**, skip to [[New Firefox release|iceweasel#new-firefox-release]].
-
-<a id="new-firefox-release"></a>
-
-3. New Firefox release
-======================
-
-If Iceweasel was not updated to match the new Firefox release we want,
-a bit more work is needed.
-
-Note that usually, we're doing these steps (usually on Sunday or
-Monday) *before* the new ESR was officially released (which usually
-happens on Tuesday). Mozilla make the source available on previous
-Friday or Saturday, so that downstreams (such as us!) can get their
-stuff ready in time for the security announce.
-
-* Download the Firefox tarball and detached signature from
-  <https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/VERSION/source/>
-  (`VERSION` is the version we want to build, that is something like
-  `17.0.7esr`).
-  If it's not ready there yet, look at
-  <https://ftp.mozilla.org/pub/mozilla.org/firefox/candidates/VERSION-candidates/>
-  instead: Mozilla now only moves the tarballs to the `releases` directory after
-  it has passed their internal QA.
-* Check the signature.
-* Put the tarball in the parent directory of your Iceweasel Git repository.
-* Extract the tarball.
-* `cd` into the extracted directory.
-* Copy the `debian/` directory from our previous package into the new
-  upstream source directory.
-* Add a `debian/changelog` entry matching the new
-  upstream version. Use 0 for the Debian packaging version, e.g.
-  `17.0.5esr-0`, to leave room for the official packaging that we will
-  want to merge when it's out:
-
-      dch -v ${VERSION}-0 "New upstream release."
-
-* If you had to download a *candidate* version above, patch
-  `debian/upstream.mk` so that it downloads stuff from the same place,
-  e.g.:
-
-	--- a/debian/upstream.mk
-	+++ b/debian/upstream.mk
-	@@ -89,12 +89,12 @@ ifndef L10N_CHANNEL
-	 L10N_CHANNEL := $(SOURCE_CHANNEL)
-	 endif
-	 
-	-BASE_URL = ftp://ftp.mozilla.org/pub/mozilla.org/$(PRODUCT_NAME)/$(SOURCE_TYPE)
-	+BASE_URL = ftp://ftp.mozilla.org/pub/mozilla.org/$(PRODUCT_NAME)/candidates
-	 
-	 L10N_FILTER = awk '(NF == 1 || /linux/) && $$1 != "en-US" { print $$1 }'
-	 $(call lazy,L10N_LANGS,$$(shell $$(L10N_FILTER) $(PRODUCT)/locales/shipped-locales))
-	 ifeq ($(SOURCE_TYPE),releases)
-	-SOURCE_URL = $(BASE_URL)/$(SOURCE_VERSION)/source/$(PRODUCT_NAME)-$(SOURCE_VERSION).source.tar.bz2
-	+SOURCE_URL = $(BASE_URL)/$(SOURCE_VERSION)-candidates/build1/source/$(PRODUCT_NAME)-$(SOURCE_VERSION).source.tar.bz2
-	 SOURCE_REV = $(call uc,$(PRODUCT_NAME))_$(subst .,_,$(SOURCE_VERSION))_RELEASE
-	 L10N_REV = $(SOURCE_REV)
-	 SOURCE_REPO = http://hg.mozilla.org/releases/$(SOURCE_CHANNEL)
-
-  **Beware**: make sure to replace `build1` with the name of the
-  directory you downloaded the upstream candidate tarball above.
-
-* Download and repack the other tarballs:
-
-      make -f debian/rules download
-
-* `cd` into our Iceweasel Git directory.
-* Checkout the `tails/master` branch.
-* Unapply all quilt patches and commit:
-
-      quilt pop -a && \
-      git add . && git reset HEAD .pc && git commit -a -m 'Unapply all quilt patches.'
-
-* Get yourself a new upstream branch:
-
-      git branch -D upstream && \
-      git branch upstream tails/master
-
-* Trick the tarball importer to import the correct version:
-
-      cp ../mozilla-esr24/browser/config/version.txt browser/config/ && \
-      cp ../mozilla-esr24/debian/changelog debian/
-
-* Import the new upstream release into the `upstream` branch:
-
-      make -f debian/rules import
-
-* Merge the import commit into `tails/master`:
-
-      git reset --hard && git merge upstream
-
-* Get the `debian` directory back:
-
-      git checkout HEAD^ -- debian && \
-      git commit -m 'Get Debian packaging directory back.'
-
-* Don't ignore `.mozconfig`'s:
-
-      grep -v -F '/.mozconfig*' .gitignore | sponge .gitignore && \
-      git commit -m "Don't ignore .mozconfig's." .gitignore
-
-* Cleanup quilt status:
-
-      rm -rf .pc
-
-* Apply all quilt patches:
-
-      quilt push -a
-
-  It might be that the last patch (`configure.patch`) fails. Ignore it
-  for now.
-
-* Commit:
-
-      git add . && git reset HEAD .pc && git commit -a -m 'Apply all quilt patches.'
-
-<a id="new-iceweasel-release"></a>
-
-4. New Iceweasel release
-=========================
-
-Skip this entire stage if you imported a new Firefox release.
-
-The way to proceed is different depending on whether Debian's
-iceweasel was pushed to it yet, or not.
-
-If Debian's iceweasel was pushed to Git already
-----------------------------------------------
-
-* Retrieve the update from the iceweasel Git repository and verify the
-  Git tag you want to import, e.g.
-
-      git fetch debian && git tag -v debian/17.0.8esr-1
-
-* Checkout our `tails/master` branch.
-
-* Unapply all Torbrowser patches:
-  - If quilt knows they are applied (`quilt applied` will tell you),
-    then use `quilt pop` as many times as needed.
-  - Else, some manual care is needed so that quilt internal state
-    matches the actual state of the source tree. We need to manually
-    unapply all quilt patches, then reapply them all:
-
-        for p in $(tac debian/patches/series) ; do
-           patch -p1 -R < "debian/patches/$p"
-        done && quilt push -a
-
-    ... and then use `quilt pop` as many times as needed to unapply
-    all Torbrowser patches.
-