Skip to content
GitLab
Projects
Groups
Snippets
Help
Loading...
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
T
tails
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
952
Issues
952
List
Boards
Labels
Service Desk
Milestones
Merge Requests
10
Merge Requests
10
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Operations
Operations
Incidents
Environments
Analytics
Analytics
CI / CD
Repository
Value Stream
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
tails
tails
Commits
23965452
Commit
23965452
authored
Sep 29, 2014
by
Tails developers
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Upgrade documentation for the TBB migration.
parent
6c6d7392
Changes
22
Hide whitespace changes
Inline
Side-by-side
Showing
22 changed files
with
136 additions
and
664 deletions
+136
-664
config/chroot_local-includes/usr/local/sbin/unsafe-browser
config/chroot_local-includes/usr/local/sbin/unsafe-browser
+4
-4
config/chroot_local-includes/usr/share/amnesia/browser/searchplugins/locale/README
...des/usr/share/amnesia/browser/searchplugins/locale/README
+3
-3
wiki/src/contribute/design.mdwn
wiki/src/contribute/design.mdwn
+62
-83
wiki/src/contribute/design/I2P.mdwn
wiki/src/contribute/design/I2P.mdwn
+5
-5
wiki/src/contribute/design/Unsafe_Browser.mdwn
wiki/src/contribute/design/Unsafe_Browser.mdwn
+4
-4
wiki/src/contribute/design/persistence.mdwn
wiki/src/contribute/design/persistence.mdwn
+2
-2
wiki/src/contribute/design/stream_isolation.mdwn
wiki/src/contribute/design/stream_isolation.mdwn
+4
-6
wiki/src/contribute/how/documentation/guidelines.mdwn
wiki/src/contribute/how/documentation/guidelines.mdwn
+1
-1
wiki/src/contribute/release_process.mdwn
wiki/src/contribute/release_process.mdwn
+13
-30
wiki/src/contribute/release_process/Debian_security_updates.mdwn
...c/contribute/release_process/Debian_security_updates.mdwn
+0
-11
wiki/src/contribute/release_process/iceweasel.mdwn
wiki/src/contribute/release_process/iceweasel.mdwn
+0
-479
wiki/src/contribute/release_process/test.mdwn
wiki/src/contribute/release_process/test.mdwn
+9
-9
wiki/src/contribute/release_process/test/usage.mdwn
wiki/src/contribute/release_process/test/usage.mdwn
+1
-1
wiki/src/contribute/release_process/tor-browser.mdwn
wiki/src/contribute/release_process/tor-browser.mdwn
+22
-0
wiki/src/contribute/working_together/roles/release_manager.mdwn
...rc/contribute/working_together/roles/release_manager.mdwn
+0
-20
wiki/src/doc/anonymous_internet/Tor_Browser.mdwn
wiki/src/doc/anonymous_internet/Tor_Browser.mdwn
+1
-1
wiki/src/doc/first_steps/introduction_to_gnome_and_the_tails_desktop.mdwn
...st_steps/introduction_to_gnome_and_the_tails_desktop.mdwn
+1
-1
wiki/src/doc/first_steps/introduction_to_gnome_and_the_tails_desktop/iceweasel.png
...introduction_to_gnome_and_the_tails_desktop/iceweasel.png
+0
-0
wiki/src/doc/first_steps/introduction_to_gnome_and_the_tails_desktop/tor-browser.png
...troduction_to_gnome_and_the_tails_desktop/tor-browser.png
+0
-0
wiki/src/doc/get/verify_the_iso_image_using_gnome.html
wiki/src/doc/get/verify_the_iso_image_using_gnome.html
+2
-2
wiki/src/misc/unsafe_browser_warning.mdwn
wiki/src/misc/unsafe_browser_warning.mdwn
+1
-1
wiki/src/support/faq.mdwn
wiki/src/support/faq.mdwn
+1
-1
No files found.
config/chroot_local-includes/usr/local/sbin/unsafe-browser
View file @
23965452
...
...
@@ -147,14 +147,14 @@ configure_chroot () {
done
chmod
a+r
${
CHROOT
}
/etc/resolv.conf
# Remove all
Iceweasel
addons: some adds proxying, which we don't
# Remove all addons: some adds proxying, which we don't
# want; some may change the fingerprint compared to a standard
#
Iceweasel
install. Note: We cannot use apt-get since we don't ship its
#
Firefox
install. Note: We cannot use apt-get since we don't ship its
# lists (#6531). Too bad, APT supports globbing, while dkpg does not.
dpkg
-l
'xul-ext-*'
| /bin/grep
'^ii'
|
awk
'{print $2}'
|
\
xargs
chroot
${
CHROOT
}
dpkg
--remove
# Create a fresh
Iceweasel
profile for the clearnet user
# Create a fresh
browser
profile for the clearnet user
CLEARNET_PROFILE
=
"
${
CHROOT
}
"
/home/clearnet/.tor-browser/profile.default
CLEARNET_EXT
=
"
${
CLEARNET_PROFILE
}
"
/extensions
...
...
@@ -210,7 +210,7 @@ EOF
}
run_browser_in_chroot
()
{
# Start
Iceweasel
in the chroot
# Start
the browser
in the chroot
echo
"* Starting Unsafe Browser"
sudo
-u
${
SUDO_USER
}
xhost +SI:localuser:
${
CLEARNET_USER
}
2>/dev/null
...
...
config/chroot_local-includes/usr/share/amnesia/browser/searchplugins/locale/README
View file @
23965452
When Tails is built, the searchplugins defined in these directories
will be symlinked to the corresponding locale directory in
/
etc/iceweasel/searchplugins/locale. With one twist: if a language
has more than one locale, the searchplugins will be symlinked in all
the corresponding directories.
/
usr/local/lib/tor-browser/Browser/distribution/searchplugins/locale with
one twist: if a language has more than one locale, the searchplugins
will be symlinked in all
the corresponding directories.
wiki/src/contribute/design.mdwn
View file @
23965452
...
...
@@ -745,9 +745,9 @@ See [[doc/about/features]].
## 3.3 Internationalization
Tails ships, as is, localization files provided by the installed
Debian packages. All available
iceweasel
localization packages
Debian packages. All available
Tor Browser
localization packages
are installed. Spell checking software and data is installed for the
set of best supported languages; it is usable at least is
Iceweasel
,
set of best supported languages; it is usable at least is
Tor Browser
,
LibreOffice and gedit.
### 3.3.1 Input methods
...
...
@@ -945,77 +945,58 @@ granting `sudo` privileges to the `amnesia` user by default.
Unless an administrator password is set in tails-greeter,
no root access is possible afterwards.
### 3.6.13 Iceweasel
(Note: Iceweasel is the name of the web browser, based on Mozilla
Firefox, that is shipped by Debian and thus by Tails.)
Tails ships custom Iceweasel ESR packages built with the Torbrowser
patches to better blend in the Tor Browser Bundle's anonymity set.
Some patches, that are not relevant for Tails, are not
applied, though: see the Tails browser's
[changelog](https://git-tails.immerda.ch/iceweasel/plain/debian/changelog?h=tails/master)
for the current status.
Iceweasel uses the Torbutton extension in order to prevent attacks
using JavaScript, plugins and other non-HTTP features like web
bugs. It is configured to always be enabled on Iceweasel start and
uses Tor as SOCKS5 proxy. SOCKS is configured to perform name
resolution through this proxy. Iceweasel is also configured to not
cache to disk (mainly to reduce memory usage for DVD users as disk
writes will be stored there), history is disabled (just in case) and
many other things. It is also set up not to automatically check for
updates of its installed extensions. Java support is disabled.
Iceweasel is shipped with some extensions to help users manage their
browsing experience. The Torbutton settings treat all cookies as
session cookies by default. This prevents the
known leak of browsing information cookies can lead to. The [Adblock
plus](https://addons.mozilla.org/fr/firefox/addon/1865/) extension
protects against many tracking possibilities by removing most ads.
Tails ships the [HTTPS
Everywhere](https://www.eff.org/https-everywhere) extension that
forces HTTPS usage for requests to a number of major websites.
Tails also ships the
[FoxyProxy](https://addons.mozilla.org/fr/firefox/addon/2464/)
extension that:
- allows using I2P instead of Tor to visit eepsites (I2P's own hidden
services look-alike); see [[the design document dedicated to Tails
use of I2P|I2P]] for details;
- could help [[!tails_todo FTP_in_Iceweasel desc="fixing Iceweasel's FTP support"]].
Thanks to Torbutton, to the Tor Browser patches, and to us importing
(most of) the TBB preferences, Iceweasel is configured so that Tor browser
fingerprint appears uniformly among Torbutton users. Tails enables
Torbutton's EN-US locale spoofing to avoid partitioning Tails
users into per-language anonymity sets.
Torbutton is also configured to spoof the timezone settings the same
way as the Tor Browser Bundle does, i.e. to `UTC+00:00`.
Thanks to the Tor Browser patches, the in-memory web cache is isolated
to the url bar origin.
The Iceweasel config is poorly commented but the commit messages in
Git history explains it all. In a nutshell, Iceweasel preferences are
set in various ways:
* A Tor Browser patch called
`0022-Tor-Browser-s-Firefox-preference-overrides.patch` bundles
their prefs directly into `omni.ja`.
* `/etc/iceweasel/*/*.js` contains:
- Torbutton preferences that the TBB also sets;
- some Tails-specific settings.
Whenever the user tries to start Iceweasel before Tor is ready, they
are informed it won't work, and asked whether to start the browser
anyway:
- [[!tails_gitweb config/chroot_local-includes/usr/local/bin/iceweasel]]
- [[!tails_gitweb config/chroot_local-includes/usr/local/sbin/tor-has-bootstrapped]]
### 3.6.13 Tor Browser
Tails ships with the Tor Browser, which is based on Mozilla Firefox
and patched by the Tor Project for improved anonymity by reducing
information leaks, decreasing attack surface and similar. The actual
binaries etc. used in Tails are those distributed by the Tor Project,
but the configuration differs slightly, which is described below.
In Tails we diverge from the TBB's one-profile-only design, and
install the Tor Browser in a globally accessible directory used by all
browser profiles (and other XUL applications).
- [[!tails_gitweb config/chroot_local-hooks/10-tbb]]
The default profile is split from the binaries and application data:
- [[!tails_gitweb_dir config/chroot_local-includes/etc/tor-browser]]
As for extensions we have the following differences:
* Tails also installs the
[Adblock plus](https://addons.mozilla.org/fr/firefox/addon/1865/)
extension to protect against many tracking possibilities by removing
most ads.
* Tails also ships the
[FoxyProxy](https://addons.mozilla.org/fr/firefox/addon/2464/)
extension that:
- allows using I2P instead of Tor to visit eepsites (I2P's own
hidden services look-alike); see
[[the design document dedicated to Tails use of I2P|I2P]] for
details;
- could help
[[!tails_todo FTP_in_Iceweasel desc="fixing web browser FTP support"]].
* Tails does not install the same Torbutton as in the TBB. We
installed a patched version.
* Tails does not install the Tor Launcher extension as part of the
browser. A patched Tor Launcher is installed for use as a
stand-alone XUL application, though.
In Tails we do not use the `start-tor-browser` script, since it does a
lot of stuff not needed in Tails (error checking mainly) and isn't
flexible since it looks for the browser profile in a specific
place. Our custom script makes use of the global installation and also
makes sure the default profile is used as a basis. Also, whenever the
user tries to start the Tor Browser before Tor is ready, they are
informed it won't work, and asked whether to start the browser anyway:
- [[!tails_gitweb config/chroot_local-includes/usr/local/bin/tor-browser]]
- [[!tails_gitweb config/chroot_local-includes/usr/local/bin/generate-tor-browser-profile]]- [[!tails_gitweb config/chroot_local-includes/usr/local/sbin/tor-has-bootstrapped]]
- [[!tails_gitweb config/chroot_local-includes/etc/sudoers.d/zzz_tor-has-bootstrapped]]
Once Tor is ready to be used, the user is informed they can now use
...
...
@@ -1023,15 +1004,13 @@ the Internet:
- [[!tails_gitweb config/chroot_local-includes/etc/NetworkManager/dispatcher.d/60-tor-ready-notification.sh]]
Source code, scripts and configuratio
n:
The remaining configuration differences can be found i
n:
- [[!tails_gitweb_dir config/chroot_local-includes/etc/iceweasel]]
- Tails' Iceweasel source [[lives in Git|contribute/git]]
- [[!tails_gitweb config/chroot_local-hooks/12-remove_unwanted_iceweasel_searchplugins]]
- [[!tails_gitweb config/chroot_local-hooks/13-iceweasel_sqlite]]
- [[!tails_gitweb_dir config/chroot_local-includes/etc/tor-browser/preferences/zzz_tails.js]]
- [[!tails_gitweb config/chroot_local-hooks/12-remove_unwanted_browser_searchplugins]]
- [[!tails_gitweb config/chroot_local-hooks/13-override-tbb-branding]]
- [[!tails_gitweb config/chroot_local-hooks/14-add_localized_
iceweasel
_searchplugins]]
- [[!tails_gitweb config/chroot_local-hooks/14-generate-
iceweasel
-profile]]
- [[!tails_gitweb config/chroot_local-hooks/14-add_localized_
browser
_searchplugins]]
- [[!tails_gitweb config/chroot_local-hooks/14-generate-
tor-browser
-profile]]
- [[!tails_gitweb config/chroot_local-hooks/15-symlink-places.sqlite]]
### 3.6.14 Claws Mail
...
...
@@ -1244,7 +1223,7 @@ release candidates images before they are officially published.
### 3.8.3 Upgrades
Keeping Tor (stable releases only, unless the Tor core developers
recommend otherwise) and
Iceweasel
up-to-date is a priority.
recommend otherwise) and
the Tor Browser
up-to-date is a priority.
Remaining applications, including the base system, will be upgraded
using Debian standard upgrade process, and generally based on the
...
...
@@ -1299,11 +1278,11 @@ where Tails is heading to.
Tails tries to make it as difficult as possible to distinguish Tails
users from other Tor users.
Iceweasel
is configured to match the fingerprint of the Tor Browser
The Tor Browser used in Tails
is configured to match the fingerprint of the Tor Browser
Bundle and the known differences, if any, are listed in the [[known
issues|support/known_issues]] page.
However the fact that different extensions are installed in Tails and in
However the fact that different
browser
extensions are installed in Tails and in
the TBB surely allows more sophisticated attacks that usual fingerprint
as returned by tools such as <https://panopticlick.eff.org/> and
<http://ip-check.info/>. For example, the fact that Adblock is removing
...
...
wiki/src/contribute/design/I2P.mdwn
View file @
23965452
...
...
@@ -11,7 +11,7 @@ be able to access eepsites from Tails.
Versions
========
[I2P](https:/geti2p.net) has been included since Tails v0.7 with
Iceweasel
[I2P](https:/geti2p.net) has been included since Tails v0.7 with
the web browser
preconfigured using FoxyProxy so that eepsites (`.i2p` TLD) are directed to
I2P. All other traffic gets routed through Tor.
...
...
@@ -78,12 +78,12 @@ participating in I2P traffic:
[[!tails_gitweb config/chroot_local-hooks/16-i2p_config]].
[[!tails_todo iceweasel_addon_-_FoxyProxy desc="FoxyProxy"]] has been installed
system-wide, and the default
iceweasel
profile provides with a
system-wide, and the default
web browser
profile provides with a
configuration handling the I2P integration. FoxyProxy's whitelist
filter is used to make sure that the corresponding urls will be
proxied appropriately.
Below are the patterns that each url handled by
iceweasel
will be
Below are the patterns that each url handled by
the web browser
will be
matched against. These patterns will be tried in order, from top to
bottom, until the first match is found:
...
...
@@ -231,7 +231,7 @@ Things to meditate upon
SOCKS5. This effectively breaks FTP completely, so there's room for
adding a pattern above number 4 which matches ftp connections
(i.e. `^ftp://.*`) and proxies them through some ftp proxy using Tor
as its parent proxy. See [[!tails_todo FTP_in_Iceweasel]]. As an addition,
as its parent proxy. See [[!tails_todo FTP_in_Iceweasel
desc="FTP in Tor Browser"
]]. As an addition,
at the moment (versions <=0.8) ftp does not work in I2P for
technical reasons, so no pattern for that is needed.
...
...
@@ -258,4 +258,4 @@ Things to meditate upon
* Are the patterns used above correct for their intended purposes?
Does the FoxyProxy setup in any way open up for attacks? See
[[!tails_todo iceweasel_addon_-_FoxyProxy]].
[[!tails_todo iceweasel_addon_-_FoxyProxy
desc="FoxyProxy"
]].
wiki/src/contribute/design/Unsafe_Browser.mdwn
View file @
23965452
...
...
@@ -14,8 +14,8 @@ Internet access seem required for avoiding this problem.
Requirements
============
* It must run a completely separate
Iceweasel
profile from the
Torified browser
's
.
* It must run a completely separate
browser
profile from the
Torified browser.
* It must be hard to start by mistake.
* It must be hard to mistake for the Torified browser.
* It must be configured to use the DNS provided by DHCP (which is required
...
...
@@ -42,8 +42,8 @@ when started:
0. Show a dialog asking the user for verification, while also briefly
explaining that the Unsafe Browser won't be anonymous.
0. "No" is the default answer, but if "Yes", we start a separate
Iceweasel
instance.
0.
Iceweasel
is configured to use a theme with scary colors (red). To
browser
instance.
0.
The browser
is configured to use a theme with scary colors (red). To
not raise suspicion the scary theme is not used when Windows
camouflage is activated, but instead the normal Internet Explorer
theme is used.
...
...
wiki/src/contribute/design/persistence.mdwn
View file @
23965452
...
...
@@ -23,8 +23,8 @@ This is relevant for the following applications:
- GnuPG, SSH and OTR key pairs
- GnuPG configuration
- SSH client configuration
-
iceweasel
certificate trust
-
iceweasel
bookmarks
-
Tor Browser
certificate trust
-
Tor Browser
bookmarks
- Pidgin configuration
- MUA configuration
- printers configuration
...
...
wiki/src/contribute/design/stream_isolation.mdwn
View file @
23965452
...
...
@@ -26,8 +26,8 @@ Tails:
Web Browser
-----------
Until
Torb
rowser implements clever fine-grained stream isolation
([[!tor_bug 3455]])
, Iceweasel
is merely directed to a dedicated SOCKS port.
Until
the Tor B
rowser implements clever fine-grained stream isolation
([[!tor_bug 3455]])
it
is merely directed to a dedicated SOCKS port.
Destination address/port -based circuit isolation
-------------------------------------------------
...
...
@@ -46,7 +46,7 @@ However:
before we ship it to the masses.
For performance reasons, we will start with *not* using
`IsolateDestAddr`/`IsolateDestPort` for
iceweasel we ship
: nowadays,
`IsolateDestAddr`/`IsolateDestPort` for
the Tor Browser
: nowadays,
loading a mere web page often requires fetching resources from a dozen
or more remote sources. (Also, it looks like the use of
`IsolateDestAddr` in a modern web browser may create very uncommon
...
...
@@ -91,9 +91,7 @@ in [[!tails_gitweb config/chroot_local-includes/etc/tor/torrc]]:
Applications are configured to use the right SOCKS port:
- [[!tails_gitweb config/chroot_local-includes/etc/iceweasel/pref/iceweasel.js]]
- [[!tails_gitweb config/chroot_local-includes/etc/iceweasel/profile/foxyproxy.xml]]
- [[!tails_gitweb config/chroot_local-includes/etc/iceweasel/profile/user.js]]
- [[!tails_gitweb config/chroot_local-includes/etc/tor-browser/profile/preferences/zzz_tails.js]]
- [[!tails_gitweb config/chroot_local-includes/etc/init.d/htpdate]]
- [[!tails_gitweb config/chroot_local-includes/etc/tor/tor-tsocks-mua.conf]]
- [[!tails_gitweb config/chroot_local-includes/usr/local/bin/tails-security-check]]
...
...
wiki/src/contribute/how/documentation/guidelines.mdwn
View file @
23965452
...
...
@@ -119,7 +119,7 @@ is described in its principal use cases. For example:
The screen reading functionality of <span class="application">GNOME
Orca</span> does not work neither with the <span
class="application">
Iceweasel Web
Browser</span> nor with the <span
class="application">
Tor
Browser</span> nor with the <span
class="application">Unsafe Web Browser</span>.
</div>
...
...
wiki/src/contribute/release_process.mdwn
View file @
23965452
...
...
@@ -41,12 +41,6 @@ Pre-freeze
The [[contribute/working_together/roles/release_manager]] role
documentation has more tasks that should be done early enough.
Update Iceweasel preferences
----------------------------
* update `extensions.adblockplus.currentVersion` in
`config/chroot_local-includes/etc/iceweasel/profile/user.js`
Coordinate with Debian security updates
---------------------------------------
...
...
@@ -71,22 +65,22 @@ AdBlock patterns
----------------
Patterns are stored in
`config/chroot_local-includes/etc/
iceweasel/profile
/adblockplus/`.
`config/chroot_local-includes/etc/
tor-browser/profile.default
/adblockplus/`.
1. Boot Tails
2.
O
pen *Tools* → *Addons*
2.
Start the tor Browser and o
pen *Tools* → *Addons*
3. Select *Adblock Plus* in extensions
4. Open *Preferences* → *Filter preferences…*
5. For each filters, click *Actions* → *Update filters*
6. Close
Iceweasel
7. Copy the `.
mozilla/firefox/
default/adblockplus/patterns.ini` from
this
Iceweasel
instance to the
`config/chroot_local-includes/etc/
iceweasel/profile
/adblockplus`
6. Close
the Tor Browser
7. Copy the `.
tor-browser/profile.
default/adblockplus/patterns.ini` from
this
Tor Browser
instance to the
`config/chroot_local-includes/etc/
tor-browser/profile.default
/adblockplus`
directory in the Tails Git checkout.
8. Commit:
git commit -m 'Update AdBlock Plus patterns.' \
config/chroot_local-includes/etc/
iceweasel/profile
/adblockplus/patterns.ini
config/chroot_local-includes/etc/
tor-browser/profile.default
/adblockplus/patterns.ini
Upgrade bundled binary Debian packages
--------------------------------------
...
...
@@ -116,7 +110,6 @@ Correct all the errors that are not in the ignored list of
Then see the relevant release processes:
* [[iceweasel]]
* [[liveusb-creator]]
* [[tails-greeter]]
* [[perl5lib]]
...
...
@@ -127,6 +120,11 @@ Then see the relevant release processes:
* build a Debian package
* upload it to our [[APT repository]]
Upgrade the Tor Browser
-----------------------
See the dedicated page: [[tor-browser]]
Update PO files
---------------
...
...
@@ -479,15 +477,6 @@ Prepare upgrade-description files
Upload images
=============
Sanity check
------------
Verify that the current source for Firefox is still the same we've
used when preparing our custom Iceweasel package: e.g. FF17.0.8 got
re-tagged and re-uploaded at the last minute, due to a test failure.
Better catch this before people spend time doing manual tests.
## Announce, seed and test the Torrents
Announce and seed the Torrents.
...
...
@@ -622,7 +611,7 @@ image to be released was *built*. Including:
- the list of BSA fixed in packages we ship since those that were in
the previous release of Tails:
<https://lists.debian.org/debian-backports-announce/>
- the list of MFSA fixed by the
iceweasel
update:
- the list of MFSA fixed by the
Tor Browser
update:
<https://www.mozilla.org/security/announce/>
If preparing a release candidate
...
...
@@ -679,12 +668,6 @@ Testing
Go wild!
========
Sanity check
------------
Verify once more that the current source for Firefox is still the same
we've used when preparing our custom Iceweasel packages.
Push
----
...
...
wiki/src/contribute/release_process/Debian_security_updates.mdwn
View file @
23965452
...
...
@@ -5,17 +5,6 @@ by delaying a Tails release a bit to wait for a DSA to happen.
[[!toc levels=2]]
Iceweasel
=========
Mozilla updates are scheduled in advance. Searching the web for the
next (point-)release number tells you when it will be released. Add
2-3 days to this release date, and you know when a xulrunner/iceweasel
Debian security update will be ready on the mirrors.
See the [releases page](http://wiki.mozilla.org/Releases) on Mozilla
wiki.
Debian security team
====================
...
...
wiki/src/contribute/release_process/iceweasel.mdwn
deleted
100644 → 0
View file @
6c6d7392
[[!meta title="Releasing Iceweasel + Torbrowser patches"]]
[[!toc levels=2]]
1. Prepare environment
======================
* Clone our Tor browser
[[Git repository|contribute/git#other-repositories]] if you do not
have it handy yet.
* Add (and fetch from) a Git remote for the Debian iceweasel packaging
repository:
git remote add -f debian git://git.debian.org/git/pkg-mozilla/iceweasel.git
* Export the new upstream release to the environment of the one shell
or three that will be used:
export VERSION=17.0.9esr
2. Was Iceweasel updated?
=========================
It might have been updated in one of these sources:
* branch `esr/master` in `git://git.debian.org/git/pkg-mozilla/iceweasel.git`
* <http://mozilla.debian.net/pool/iceweasel-esr/i/iceweasel/>
**If** it was updated, then skip to [[New Iceweasel release|iceweasel#new-iceweasel-release]].
**Else**, skip to [[New Firefox release|iceweasel#new-firefox-release]].
<a id="new-firefox-release"></a>
3. New Firefox release
======================
If Iceweasel was not updated to match the new Firefox release we want,
a bit more work is needed.
Note that usually, we're doing these steps (usually on Sunday or
Monday) *before* the new ESR was officially released (which usually
happens on Tuesday). Mozilla make the source available on previous
Friday or Saturday, so that downstreams (such as us!) can get their
stuff ready in time for the security announce.
* Download the Firefox tarball and detached signature from
<https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/VERSION/source/>
(`VERSION` is the version we want to build, that is something like
`17.0.7esr`).
If it's not ready there yet, look at
<https://ftp.mozilla.org/pub/mozilla.org/firefox/candidates/VERSION-candidates/>
instead: Mozilla now only moves the tarballs to the `releases` directory after
it has passed their internal QA.
* Check the signature.
* Put the tarball in the parent directory of your Iceweasel Git repository.
* Extract the tarball.
* `cd` into the extracted directory.
* Copy the `debian/` directory from our previous package into the new
upstream source directory.
* Add a `debian/changelog` entry matching the new
upstream version. Use 0 for the Debian packaging version, e.g.
`17.0.5esr-0`, to leave room for the official packaging that we will
want to merge when it's out:
dch -v ${VERSION}-0 "New upstream release."
* If you had to download a *candidate* version above, patch
`debian/upstream.mk` so that it downloads stuff from the same place,
e.g.:
--- a/debian/upstream.mk
+++ b/debian/upstream.mk
@@ -89,12 +89,12 @@ ifndef L10N_CHANNEL
L10N_CHANNEL := $(SOURCE_CHANNEL)
endif
-BASE_URL = ftp://ftp.mozilla.org/pub/mozilla.org/$(PRODUCT_NAME)/$(SOURCE_TYPE)
+BASE_URL = ftp://ftp.mozilla.org/pub/mozilla.org/$(PRODUCT_NAME)/candidates
L10N_FILTER = awk '(NF == 1 || /linux/) && $$1 != "en-US" { print $$1 }'
$(call lazy,L10N_LANGS,$$(shell $$(L10N_FILTER) $(PRODUCT)/locales/shipped-locales))
ifeq ($(SOURCE_TYPE),releases)
-SOURCE_URL = $(BASE_URL)/$(SOURCE_VERSION)/source/$(PRODUCT_NAME)-$(SOURCE_VERSION).source.tar.bz2
+SOURCE_URL = $(BASE_URL)/$(SOURCE_VERSION)-candidates/build1/source/$(PRODUCT_NAME)-$(SOURCE_VERSION).source.tar.bz2
SOURCE_REV = $(call uc,$(PRODUCT_NAME))_$(subst .,_,$(SOURCE_VERSION))_RELEASE
L10N_REV = $(SOURCE_REV)
SOURCE_REPO = http://hg.mozilla.org/releases/$(SOURCE_CHANNEL)
**Beware**: make sure to replace `build1` with the name of the
directory you downloaded the upstream candidate tarball above.
* Download and repack the other tarballs:
make -f debian/rules download
* `cd` into our Iceweasel Git directory.
* Checkout the `tails/master` branch.
* Unapply all quilt patches and commit:
quilt pop -a && \
git add . && git reset HEAD .pc && git commit -a -m 'Unapply all quilt patches.'
* Get yourself a new upstream branch:
git branch -D upstream && \
git branch upstream tails/master
* Trick the tarball importer to import the correct version:
cp ../mozilla-esr24/browser/config/version.txt browser/config/ && \
cp ../mozilla-esr24/debian/changelog debian/
* Import the new upstream release into the `upstream` branch:
make -f debian/rules import
* Merge the import commit into `tails/master`:
git reset --hard && git merge upstream
* Get the `debian` directory back:
git checkout HEAD^ -- debian && \
git commit -m 'Get Debian packaging directory back.'
* Don't ignore `.mozconfig`'s:
grep -v -F '/.mozconfig*' .gitignore | sponge .gitignore && \
git commit -m "Don't ignore .mozconfig's." .gitignore
* Cleanup quilt status:
rm -rf .pc
* Apply all quilt patches:
quilt push -a
It might be that the last patch (`configure.patch`) fails. Ignore it
for now.
* Commit:
git add . && git reset HEAD .pc && git commit -a -m 'Apply all quilt patches.'
<a id="new-iceweasel-release"></a>
4. New Iceweasel release
=========================
Skip this entire stage if you imported a new Firefox release.
The way to proceed is different depending on whether Debian's
iceweasel was pushed to it yet, or not.
If Debian's iceweasel was pushed to Git already
-----------------------------------------------
* Retrieve the update from the iceweasel Git repository and verify the
Git tag you want to import, e.g.
git fetch debian && git tag -v debian/17.0.8esr-1
* Checkout our `tails/master` branch.
* Unapply all Torbrowser patches:
- If quilt knows they are applied (`quilt applied` will tell you),
then use `quilt pop` as many times as needed.
- Else, some manual care is needed so that quilt internal state
matches the actual state of the source tree. We need to manually
unapply all quilt patches, then reapply them all:
for p in $(tac debian/patches/series) ; do
patch -p1 -R < "debian/patches/$p"
done && quilt push -a
... and then use `quilt pop` as many times as needed to unapply
all Torbrowser patches.
* `git add` the new files and the modified ones