commit d012b01d949d2e5192a7d0f463936f7d79b446df parent 40ec2f144fe407efc9ce44e09848351e228b3d37 Author: Morgan <morgan@torproject.org> Date: Wed, 2 Apr 2025 19:24:59 +0000 TB 43616: Customize Gitlab Issue and Merge Request templates Diffstat:
| A | .gitlab/issue_templates/062 Rebase - Legacy.md | | | 93 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
| A | .gitlab/issue_templates/070 Uplift.md | | | 30 | ++++++++++++++++++++++++++++++ |
| A | .gitlab/issue_templates/080 Security Backports.md | | | 82 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
| A | .gitlab/issue_templates/100 Release QA - Desktop.md | | | 221 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
| A | .gitlab/issue_templates/101 Release QA - Android.md | | | 113 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
| A | .gitlab/issue_templates/110 Firefox Release Review.md | | | 67 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
| A | .gitlab/issue_templates/120 Bugzilla Audit.md | | | 21 | +++++++++++++++++++++ |
| M | .gitlab/issue_templates/Default.md | | | 6 | ++++++ |
8 files changed, 633 insertions(+), 0 deletions(-)
diff --git a/.gitlab/issue_templates/062 Rebase - Legacy.md b/.gitlab/issue_templates/062 Rebase - Legacy.md @@ -0,0 +1,93 @@ +# โคต๏ธ Rebase Legacy + +**NOTE:** All examples in this template reference the rebase from 115.17.0esr to 115.18.0esr + +<details> + <summary>Explanation of Variables</summary> + +- `$(ESR_VERSION)`: the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc + - **Example**: `115.18.0` +- `$(ESR_TAG)`: the Mozilla defined hg (Mercurial) tag associated with `$(ESR_VERSION)` + - **Example**: `FIREFOX_115_18_0esr_BUILD1` +- `$(ESR_TAG_PREV)`: the Mozilla defined hg (Mercurial) tag associated with the previous ESR version when rebasing (ie, the ESR version we are rebasing from) + - **Example**: `FIREFOX_115_17_0esr_BUILD1` +- `$(BASE_BROWSER_BRANCH)`: the full name of the current `base-browser` branch + - **Example**: `base-browser-115.18.0esr-13.5-1` +- `$(BASE_BROWSER_BRANCH_PREV)`: the full name of the previous `base-browser` branch + - **Example**: `base-browser-115.17.0esr-13.5-1` +- `$(TOR_BROWSER_BRANCH)`: the full name of the current `tor-browser` branch + - **Example**: `tor-browser-115.18.0esr-13.5-1` +- `$(TOR_BROWSER_BRANCH_PREV)`: the full name of the previous `tor-browser` branch + - **Example**: `tor-browser-115.17.0esr-13.5-1` +</details> + +### **Bookkeeping** + +- [ ] Link this issue to the appropriate [Release Prep](https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/?sort=updated_desc&state=opened&label_name%5B%5D=Apps%3A%3AType%3A%3AReleasePreparation) issue. + +### Update Branch Protection Rules + +- [ ] In [Repository Settings](https://gitlab.torproject.org/tpo/applications/tor-browser/-/settings/repository): + - [ ] Remove previous legacy `base-browser` and `tor-browser` branch protection rules (this will prevent pushing new changes to the branches being rebased) + - [ ] Create new `tor-browser` branch protection rule: + - **Branch**: `tor-browser-$(ESR_VERSION)esr-13.5-1*` + - **Example**: `tor-browser-115.18.0esr-13.5-1*` + - **Allowed to merge**: `Maintainers` + - **Allowed to push and merge**: `Maintainers` + - **Allowed to force push**: `false` + +### **Identify the Firefox Tagged Commit and Create New Branches** + +- [ ] Fetch Mozilla's firefox repo and identify this release's ESR-115 ${ESR_TAG} +- [ ] Create new legacy `tor-browser` branch from + - Branch name in the form: `tor-browser-$(ESR_VERSION)esr-13.5-1` + - **Example**: `tor-browser-115.18.0esr-13.5-1` +- [ ] Push new `tor-browser` branch to `upstream` +- [ ] Push new `$(ESR_TAG)` to `upstream` + +### **Rebase tor-browser** + +- [ ] Checkout a new local branch for the `tor-browser` rebase + - **Example**: `git branch tor-browser-rebase FIREFOX_115_18_0esr_BUILD1` +- [ ] `tor-browser` rebase + - [ ] Note the current git hash of `HEAD` for `tor-browser` rebase+autosquash step: `git rev-parse HEAD` + - [ ] Cherry-pick the appropriate previous `tor-browser` branch's commit range up to the last `tor-browser` `build1` tag + - **Example**: `git cherry-pick FIREFOX_115_17_0esr_BUILD1..tor-browser-115.17.0esr-13.5-1-build2` + - [ ] Rebase and autosquash these newly cherry-picked commits: `git rebase --autosquash --interactive $(PREV_HEAD)` + - **Example**: `git rebase --autosquash --interactive FIREFOX_115_18_0esr_BUILD1` + - [ ] Cherry-pick remainder of patches after the last `tor-browser` `build1` tag + - **Example**: `git cherry-pick tor-browser-115.17.0esr-13.5-1-build1..upstream/tor-browser-115.17.0esr-13.5-1` + - [ ] Rebase and `pick` new security backport patches to the end of the **MOZILLA BACKPORTS** section of the commit history + - **Example**: `git rebase --interactive FIREFOX_115_18_0esr_BUILD1` + - [ ] Rebase and autosquash again, this time replacing all `fixup` and `squash` commands with `pick`. The goal here is to have all of the `fixup` and `squash` commits beside the commit which they modify, but kept un-squashed for easy debugging/bisecting. + - **Example**: `git rebase --autosquash --interactive FIREFOX_115_18_0esr_BUILD1` +- [ ] Compare patch sets to ensure nothing *weird* happened during conflict resolution: + - [ ] diff of diffs: + - Do the diff between `current_patchset.diff` and `rebased_patchset.diff` with your preferred difftool and look at differences on lines that starts with + or - + - `git diff $(ESR_TAG_PREV)..$(BROWSER_BRANCH_PREV) > current_patchset.diff` + - `git diff $(ESR_TAG)..$(BROWSER_BRANCH) > rebased_patchset.diff` + - diff `current_patchset.diff` and `rebased_patchset.diff` + - If everything went correctly, the only lines which should differ should be the lines starting with `index abc123...def456` + - [ ] rangediff: `git range-diff $(ESR_TAG_PREV)..$(TOR_BROWSER_BRANCH_PREV) $(ESR_TAG)..HEAD` + - **Example**: `git range-dif FIREFOX_115_17_0esr_BUILD1..upstream/tor-browser-115.17.0esr-13.5-1 FIREFOX_115_18_0esr_BUILD1..HEAD` +- [ ] Open MR for the `tor-browser` rebase +- [ ] Merge + +### **Sign and Tag** + +- [ ] Sign/Tag `HEAD` of the merged `tor-browser` branch: + - In **tor-browser.git**, checkout the new legacy `tor-browser` branch + - In **tor-browser-build.git**, run signing script: + ```bash + ./tools/browser/sign-tag.torbrowser legacy build1 + ``` + - [ ] Push tag to `upstream` + +<!-- Do not edit beneath this line <3 --> + +--- + +/label ~"Apps::Product::TorBrowser" +/label ~"Apps::Type::Rebase" +/label ~"Apps::Impact::High" +/label ~"Priority::Blocker" diff --git a/.gitlab/issue_templates/070 Uplift.md b/.gitlab/issue_templates/070 Uplift.md @@ -0,0 +1,30 @@ +# โฌ๏ธ **Uplift** +<!-- +Title: + Uplift tor-browser#12345: Title of Issue + +This is an issue for tracking uplift of a patch-set to Firefox +--> + +## Book-keeping + +### Gitlab Issue(s) +- tor-browser#xxxxx +- mullvad-browser#xyz + +### Merge Request(s) +- tor-browser!xyz + +### Upstream Mozilla Issue(s): +- https://bugzilla.mozilla.org/show_bug.cgi?id=12345 + +## Notes +<!-- +Whatever additional info, context, etc that would be helpful for uplifting --> + +<!-- Do not edit beneath this line <3 --> + +--- + +/label ~"Apps::Product::TorBrowser" +/label ~"Apps::Type::Uplift" diff --git a/.gitlab/issue_templates/080 Security Backports.md b/.gitlab/issue_templates/080 Security Backports.md @@ -0,0 +1,82 @@ +# ๐ก๏ธ **Security Backports** + +<details> + <summary>Explanation of Variables</summary> + +- `$(ESR_VERSION)`: the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc + - **Example**: `102.8.0` +- `$(RR_VERSION)`: the Mozilla defined Rapid-Release version; Tor Browser for Android is based off of the `$(ESR_VERSION)`, but Mozilla's Firefox for Android is based off of the `$(RR_VERSION)` so we need to keep track of security vulnerabilities to backport from the monthly Rapid-Release train and our frozen ESR train. + - **Example**: `110` +- `$(PROJECT_NAME)`: the name of the browser project, either `base-browser` or `tor-browser` +- `$(TOR_BROWSER_MAJOR)`: the Tor Browser major version + - **Example**: `12` +- `$(TOR_BROWSER_MINOR)`: the Tor Browser minor version + - **Example**: either `0` or `5`; Alpha's is always `(Stable + 5) % 10` +- `$(BUILD_N)`: a project's build revision within a its branch; many of the Firefox-related projects have a `$(BUILD_N)` suffix and may differ between projects even when they contribute to the same build. + - **Example**: `build1` +</details> + +**NOTE:** It is assumed the `tor-browser` rebases (stable and alpha) have already happened and there exists a `build1` build tags for both `base-browser` and `tor-browser` (stable and alpha) + +## **Bookkeeping** + +- [ ] Link this issue to the appropriate [Release Prep](https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/?sort=updated_desc&state=opened&label_name%5B%5D=Apps%3A%3AType%3A%3AReleasePreparation) issues (alpha, stable, and legacy). + +## **Security Vulnerabilities Report**: https://www.mozilla.org/en-US/security/advisories/ + +- Potentially Affected Components: + - `firefox`/`geckoview`: https://github.com/mozilla/gecko-dev + +- [ ] Go through the `Security Vulnerabilities fixed in Firefox $(RR_VERSION)` report and create a candidate list of CVEs which potentially need to be backported in this issue: + - CVEs which are explicitly labeled as 'Android' only + - CVEs which are fixed in Rapid Release but not in ESR + - 'Memory safety bugs' fixed in Rapid Release but not in ESR +- [ ] Foreach issue: + - Create link to the CVE on [mozilla.org](https://www.mozilla.org/en-US/security/advisories/) + - **Example**: https://www.mozilla.org/en-US/security/advisories/mfsa2023-05/#CVE-2023-25740 + - Create link to the associated Bugzilla issues (found in the CVE description) + - Create links to the relevant `gecko-dev`/other commit hashes which need to be backported OR a brief justification for why the fix does not need to be backported + - To find the `gecko-dev` version of a `mozilla-central`, search for a unique string in the relevant `mozilla-central` commit message in the `gecko-dev/release` branch log. + - **NOTE:** This process is unfortunately somewhat poorly defined/ad-hoc given the general variation in how Bugzilla issues are labeled and resolved. In general this is going to involve a bit of hunting to identify needed commits or determining whether or not the fix is relevant. + +## CVEs + +<!-- CVE Resolution Template, foreach CVE to investigate add an entry in the form: +- [ ] https://www.mozilla.org/en-US/security/advisories/mfsaYYYY-NN/#CVE-YYYY-XXXXX // CVE description + - https://bugzilla.mozilla.org/show_bug.cgi?id=NNNNNN // Bugzilla issue + - **Note**: Any relevant info about this fix, justification for why it is not necessary, etc + - **Patches** + - firefox: https://link.to/relevant/patch + --> + +## **tor-browser**: https://gitlab.torproject.org/tpo/applications/tor-browser.git +- [ ] Backport security fixes from Firefox rapid-release + - [ ] Backport patches to `tor-browser` stable branch + - [ ] Open MR + - [ ] Merge + - [ ] cherry-pick patches onto: + - [ ] `base-browser` stable + - [ ] `mullvad-browser` stable + - [ ] Sign/Tag commits: + - In **tor-browser-build.git**, run signing script: + ```bash + ./tools/browser/sign-tag.${PROJECT_NAME} ${CHANNEL} ${BUILD_N} + ``` + - [ ] `base-browser` stable + - [ ] `tor-browser` stable + - [ ] `mullvad-browser` stable + + - [ ] Push tags to `upstream` +- **OR** +- [ ] No backports + +<!-- Do not edit beneath this line <3 --> + +--- + +/confidential +/label ~"Apps::Product::TorBrowser" +/label ~"Apps::Product::MullvadBrowser" +/label ~"Apps::Type::Backport" +/label ~"Apps::Impact::High" +/label ~"Priority::Blocker" diff --git a/.gitlab/issue_templates/100 Release QA - Desktop.md b/.gitlab/issue_templates/100 Release QA - Desktop.md @@ -0,0 +1,221 @@ +# โ Release QA - Desktop + +Manual QA test check-list for major desktop releases. Please copy/paste form into your own comment, fill out relevant info and run through the checklist! + +<details> + <summary>Tor Browser Desktop QA Checklist</summary> + +``` +# System Information + +- Version: Tor Browser XXX +- OS: Windows|macOS|Linux YYY +- CPU Architecture: +- Profile: New|Old + +# Features + +## Base functionality +- [ ] Tor Browser launches successfully +- [ ] Connects to the Tor network + - [ ] Homepage loads: + - [ ] about:tor + - [ ] about:blank + - [ ] custom +- [ ] Tor Browser loads URLs passed by command-line after bootstrapped +- [ ] Localisation (Browser chrome) + - [ ] Language notification/message bar + - [ ] Spoof English + - [ ] Check especially the recently added strings + - [ ] New Locales + - [ ] Bulgarian, Belarusian, Portuguese (PT) +- [ ] UI Customisations: + - [ ] New Identity + - [ ] Toolbar icon + - [ ] Hamburger menu + - [ ] File menu + - [ ] New circuit for this site + - [ ] Circuit display + - [ ] Hamburger menu + - [ ] File menu + - [ ] No Firefox extras (Sync, Pocket, Report broken site, Tracking protection, etc) + - [ ] No unified extensions button (puzzle piece) + - [ ] NoScript button hidden + - [ ] Context Menu Populated +- [ ] Fingerprinting resistance: https://arkenfox.github.io/TZP/tzp.html +- [ ] Security level (Standard, Safer, Safest) + - Displays in: + - toolbar icon + - toolbar panel + - about:preferences#privacy + - [ ] On switch, each UI element is updated + - [ ] On custom config (toggle `svg.disabled`) + - [ ] each UI element displays warning + - [ ] `Restore defaults` reverts custom prefs + - **TODO**: test pages verifying correct behaviour +- [ ] New identity +- [ ] Betterboxing + - [ ] Reuse last window size + - [ ] Content alignment + - [ ] Window size indicator on window resize + - [ ] No letterboxing: + - [ ] empty tabs or privileged pages (eg: about:blank, about:about) + - [ ] full-screen video + - [ ] pdf viewer + - [ ] reader-mode +- [ ] Downloads Warning + - [ ] Downloads toolbar panel + - [ ] about:downloads + - [ ] Library window (<kbd>Ctrl</kbd>+<kbd>Shift</kbd>+<kbd>o</kbd>) +- [ ] Drag and Drop protections: + - [ ] Dragging a link from a tab to another tab in the same window works + - [ ] Dragging a link from a tab to another tab in a separate window works + - [ ] Dragging a link into the library creates a bookmark + - [ ] Dragging a link from Tor Browser to Firefox doesn't work + - [ ] Dragging a link from Firefox to Tor Browser works + - [ ] Dragging a link from Tor Browser to another app (e.g., text editor) doesn't work + - [ ] Repeat with page favicon + +## Proxy safety +- [ ] Tor exit test: https://check.torproject.org +- [ ] Circuit isolation + - Following websites should all report different IP addresses + - https://ifconfig.io + - https://myip.wtf + - https://wtfismyip.com +- [ ] DNS leaks: https://dnsleaktest.com +- [ ] Circuit Display + - [ ] Website => circuit + - [ ] Remote PDF => circuit + - [ ] Remote image => circuit + - [ ] .onion Website => circuit with onion-service relays + - [ ] .tor.onion Website => circuit with onion-service relays, link to true onion address + - http://ft.securedrop.tor.onion + - [ ] Website in reader mode => circuit (same as w/o reader mode) + - [ ] Local image => no circuit + - [ ] Local SVG with remote content => catch-all circuit, but not shown + - [ ] Local PDF => no circuit + - [ ] Local HTML `file://` with local resources => no circuit + - [ ] Local HTML `file://` with remote resources => catch-all circuit, but not shown + +## Connectivity + Anti-Censorship +- [ ] Tor daemon config by environment variables + - https://gitlab.torproject.org/tpo/applications/team/-/wikis/Environment-variables-and-related-preferences +- [ ] Internet Test ( bootstrap, also visible in about:preferences#connection ) + - [ ] Fails when offline (Goes to offline about:neterror) + - **NOTE**: platform dependent, expected that Linux will just try to bootstrap forever + - [ ] Succeeds when online +- [ ] Bridges: + - Bootstrap + - Browse: https://check.torproject.org + - Bridge node in circuit-display + - Bridge cards + - Disable + - Remove + - [ ] Default bridges: + - [ ] Removable as a group, not editable + - [ ] obfs4 + - [ ] meek + - [ ] snowflake + - [ ] User provided bridges: + - [ ] Removable and editable individually + - [ ] obfs4 from https://bridges.torproject.org + - [ ] webtunnel from https://bridges.torproject.org + - [ ] conjure from [gitlab](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/conjure/-/blob/main/client/torrc?ref_type=heads#L6) + - [ ] Request bridges... + - [ ] Removable as a group, but not editable + - [ ] Succeeds when bootstrapped + - [ ] Succeeds when not bootstrapped + - **TODO**: Lox +- [ ] Connect Assist + - Useful pref: `torbrowser.debug.censorship_level` (0-5; least to most censored) + - [ ] Connect Automatically checkbox triggers bootstrapping after one successful bootstrap attempt + - [ ] Auto-bootstrap updates Tor connection settings on success + - [ ] Auto-bootstrap restore previous Tor connection settings on failure + +## Web Browsing +- [ ] HTTPS-Only: http://http.badssl.com +- [ ] Crypto-currency warning on http website + - **TODO**: we should provide an example page +- [ ] .onion: + - [ ] torproject.org onion: http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion/ + - [ ] Onion-Location pill + - [ ] Client authentication + - You can create an ephemeral client-auth onion-service using [onion share](https://onionshare.org) + - [ ] Remember key option saves the key between sessions. + - [ ] Saved keys are viewable in preferences (privacy). + - [ ] Can remove individual keys. + - [ ] Can remove all keys at once. + - [ ] Onion service errors + - [ ] invalid onion: http://invalid.onion + - [ ] onion offline: http://wfdn32ds656ycma5gvrh7duvdvxbg2ygzr3no3ijsya25qm6nnko4iqd.onion/ + - [ ] onion baddssl: https://gitlab.torproject.org/tpo/applications/team/-/wikis/Development-Information/BadSSL-But-Onion + - **TODO** all the identity block states + - **TODO** client auth +- [ ] **TODO**: .securedrop.tor.onion +- [ ] **TODO**: onion-service alt-svc +- [ ] HTML5 Video: https://onion-tests.pierov.org/video.html + - [ ] H264 + - [ ] VP9 + - [ ] VP8 + - [ ] AV1 + - [ ] Theora + - [ ] MPEG4 + mp3: only audio should work + - [ ] HEVC + AAC: should not work +- [ ] WebSocket Test: https://websocketking.com/ + +## External Components +- [ ] NoScript + - [ ] Latest Version: https://addons.mozilla.org/en-US/firefox/addon/noscript/ + - [ ] Not removable from about:addons + - [ ] Tests: https://test-data.tbb.torproject.org/test-data/noscript/ + - **TODO**: fix test pages + +## Tor Settings (about:preferences#connection) +- [ ] Proxy + - [ ] Bad Proxy Address Reports Error; e.g. any bad bad proxy address/port/etc + - [ ] On initial failure gives error modal + - [ ] On browser restart, will also give an error if provided a bad setting + - [ ] Good Proxy Works + - [ ] SOCKS5 +- [ ] Bridge + - [ ] Bad Bridge Fails with error modal; eg: `0:0` + - [ ] Modifying Bridges *during* bootstrap should cancel bootstrap +- [ ] Firewall + - [ ] UI shouldn't accept bad ports (e.g. invalid port numbers, non-numbers, etc) +- [ ] Each individual setting type has it's own validation (i.e. not all or nothing anymore) + +## Upgrades +- [ ] Build-to-Build upgrade from: + - [ ] Previous minor version + - [ ] Previous major version + - [ ] Previous watershed release + - **NOTE**: a watershed release is a release which all previous versions will first update to before updating to latest; the most recent watershed is Tor Browser 14.0 + - Updater Documentation: https://gitlab.torproject.org/tpo/applications/wiki/-/wikis/Development-Information/Tor-Browser/Updater + +``` + +</details> + +Please lay claim to a platform in the comments: + +- Windows + - Windows 10, Windows 11 + - x86 + - x86_64 +- macOS + - 10.15, 15.x + - x86_64 + - aarch64 +- Linux + - x86_64 + - aarch64 + +<!-- Do not edit beneath this line <3 --> + +--- + +/label ~"Apps::Product::TorBrowser" +/label ~"Apps::Type::Test" +/label ~"Apps::Impact::High" +/label ~"Priority::Blocker" diff --git a/.gitlab/issue_templates/101 Release QA - Android.md b/.gitlab/issue_templates/101 Release QA - Android.md @@ -0,0 +1,113 @@ +# โ Release QA - Android + +Manual QA test check-list for major android releases. Please copy/paste form into your own comment, fill out relevant info and run through the checklist! + +<details> + <summary>Tor Browser Android QA Checklist</summary> + +``` +# System Information + +- Version: Tor Browser XXX +- OS: Android YYY +- Device + CPU Architecture: ZZZ + +# Features + +## Base functionality +- [ ] Tor Browser launches successfully +- [ ] Connects to the Tor network +- [ ] Localisation (Browser chrome) + - [ ] Check especially the recently added strings +- [ ] Toolbars and menus work +- [ ] Fingerprinting resistance: https://arkenfox.github.io/TZP/tzp.html +- [ ] Security level (Standard, Safer, Safest) + - **TODO**: test pages verifying correct behaviour +- [ ] Bookmarks: for now ensure adding/removing/etc work as expected and doesn't busy-spin + +### Localisation +- [ ] New Locales + - [ ] Bulgarian, Belarusian, Portuguese (PT) + +## Proxy safety +- [ ] Tor exit test: https://check.torproject.org +- [ ] Circuit isolation + - Following websites should all report different IP addresses + - https://ifconfig.io + - https://myip.wtf + - https://wtfismyip.com +- [ ] DNS leaks: https://dnsleaktest.com + +## Connectivity + Anti-Censorship +- [ ] Internet Test (try connect assist while actually offline) + - [ ] We expect this to fail but we should see what it actually does +- [ ] Bridges: + - Bootstrap + - Browse: https://check.torproject.org + - [ ] Default bridges: + - [ ] obfs4 + - [ ] meek + - [ ] snowflake + - [ ] User provided bridges: + - [ ] obfs4 from https://bridges.torproject.org + - [ ] webtunnel from https://bridges.torproject.org + - [ ] conjure from [gitlab](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/conjure/-/blob/main/client/torrc?ref_type=heads#L6) +- [ ] Connect Assist + - Useful pref: `torbrowser.debug.censorship_level` (0-5; least to most censored) + - [ ] Connect Automatically checkbox triggers bootstrapping after one successful bootstrap attempt + - [ ] Auto-bootstrap updates Tor connection settings on success + - [ ] Auto-bootstrap restore previous Tor connection settings on failure + +## Web Browsing +- [ ] HTTPS-Only: http://http.badssl.com +- [ ] .onion: + - [ ] torproject.org onion: http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion/ + - [ ] Onion service errors + - [ ] invalid onion: http://invalid.onion + - [ ] onion offline: http://wfdn32ds656ycma5gvrh7duvdvxbg2ygzr3no3ijsya25qm6nnko4iqd.onion/ + - [ ] onion baddssl: https://gitlab.torproject.org/tpo/applications/team/-/wikis/Development-Information/BadSSL-But-Onion + - **TODO** all the identity block states + - **TODO** client auth +- [ ] **TODO**: .securedrop.tor.onion +- [ ] **TODO**: onion-service alt-svc +- [ ] HTML5 Video: https://onion-tests.pierov.org/video.html + - [ ] H264 + - [ ] VP9 + - [ ] VP8 + - [ ] AV1 + - [ ] Theora + - [ ] MPEG4 + mp3: only audio should work + - [ ] HEVC + AAC: should not work +- [ ] WebSocket Test: https://websocketking.com/ + +## External Components +- [ ] NoScript + - [ ] Latest Version: https://addons.mozilla.org/en-US/firefox/addon/noscript/ + - [ ] Not removable from about:addons + - [ ] Tests: https://test-data.tbb.torproject.org/test-data/noscript/ + - **TODO**: fix test pages + +## Upgrades +- [ ] Build-to-Build upgrade from: + - [ ] Previous minor version + - [ ] Previous major version + +``` + +</details> + +Please lay claim to an architecture in the comments: + +Architectures: +- x86_64 +- arm32 +- aarch64 + +<!-- Do not edit beneath this line <3 --> + +--- + +/label ~"Apps::Product::TorBrowser" +/label ~"Apps::Type::Test" +/label ~"Apps::Impact::High" +/label ~"Priority::Blocker" diff --git a/.gitlab/issue_templates/110 Firefox Release Review.md b/.gitlab/issue_templates/110 Firefox Release Review.md @@ -0,0 +1,67 @@ +# ๐ Firefox Release Review + +**NOTE** This issue presumes the branches and tags for the next Firefox release have already been created in tor-browser.git + +## Bugzilla Triage + +- [ ] Generate Bugzilla triage CSV + - Run (from `tor-browser-build` root): + ```bash + ./tools/browser/generate-bugzilla-triage-csv ${FIREFOX_VERSION} ${TRIAGE_ISSUE_NUMBER} > out.csv + ``` + - `${FIREFOX_VERSION}`: the major Firefox version of the nightly to review + - **Example**: 129 + - `${TRIAGE_ISSUE_NUMBER}`: this `tor-browser` issue + - **Example**: `43303` + - **Example**: + ```bash + ./tools/browser/generate-bugzilla-triage-csv 129 43303 > 129.csv + ``` +- [ ] Attach the generated CSV file to the triage isssue +- [ ] Import to Google Sheets ( https://sheets.google.com ) + - Create blank spreadsheet + - **Title**: `Bugzilla Triage ${VERSION}` + - Import CSV: File > Import > Upload + - **Import location**: "Replace spreadsheet" + - **Separator type**: "Comma" + - **Convert text to numbers, dates, and fomulas**: "โ " + - Convert 'Review' column's issue cells to check-boxes: + - Select relevant cells (i.e.: `A2:A1554` for in the 129 triage) + - Insert > Checkbox + - Convert 'Triaged by' cells to check-boxes + - Share Spreadsheet + - ๐ Share > General access + - Change `Restricted` to `Anyone with the link` + - Post link in an internal note on this issue +- [ ] Assign requested reviewers to this issue + - **NOTE**: We currently have 3 blocks of reviewers in rotation: + - bea, boklm, ma1 + - dan_b, henry-x, pierov + - clairehurst, morgan, jwilde +- [ ] Set the issue's `Due Date` to 10 weeks after this version's "Beta starts" date or 2 weeks after the next ESR's "Beta starts" date (whichever is sooner) + - **Release Calendar**: https://whattrainisitnow.com/calendar/ + +## Release Notes Review + +<!-- + Ticket author! Find and post links to the release notes here! + - Release notes for users: https://www.firefox.com/en-US/releases/ + - Release notes for developers: https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Releases +--> + +- [ ] Release Notes for Users (often includes multiple point releases): + - https://www.firefox.com/firefox/${FIREFOX_VERSION}/releasenotes/ +- [ ] Release Notes for Developers + - https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Releases/${FIREFOX_VERSION} + +--- + +- Bugzilla Triage and Release Notes Review Completed by: + - [ ] reviewer 1 <!-- replace with reviewer name :) --> + - [ ] reviewer 2 <!-- replace with reviewer name :) --> + - [ ] reviewer 3 <!-- replace with reviewer name :) --> + +/label ~"Apps::Product::TorBrowser" +/label ~"Apps::Type::Triage" +/label ~"Priority::Blocker" +/milestone %"Tor Browser 16.0" diff --git a/.gitlab/issue_templates/120 Bugzilla Audit.md b/.gitlab/issue_templates/120 Bugzilla Audit.md @@ -0,0 +1,21 @@ +# ๐ Bugzilla Audit +<!-- +Title: + Review Mozilla <bugzilla-num>: <bugzilla-description> +--> + +**Bugzilla**: https://bugzilla.mozilla.org/show_bug.cgi?id= + +## Description + +<!-- Briefly describe why this issue needs further review --> + +<!-- Do not edit beneath this line <3 --> + +--- + +/label ~"esr-153" +/label ~"Apps::Product::TorBrowser" +/label ~"Apps::Type::Audit" +/label ~"Priority::Blocker" +/milestone %"Tor Browser 16.0" diff --git a/.gitlab/issue_templates/Default.md b/.gitlab/issue_templates/Default.md @@ -18,4 +18,10 @@ Please select the appropriate issue template from the **Description** drop-down. - โ **Revert** - revert a change - โคต๏ธ **Rebase - Alpha** - rebase alpha to latest Firefox Nightly version - โคต๏ธ **Rebase - Stable** - rebase stable to latest Firefox ESR version +- โฌ๏ธ **Uplift** - uplift change to upstream project +- ๐ก๏ธ **Security Backports** - cherry-pick security fixes from Firefox - ๐จ **Emergency Security Issue** - manage fixing and publishing a critical security fix +- โ **Release QA - Desktop** - test and verify functionality of our Desktop release +- โ **Release QA - Android** - test and verify functionality of our Android release +- ๐ **Firefox Release Review** - identify upstream Firefox issues which need to be audited +- ๐ **Bugzilla Audit** - determine if/how an upstream change affects the browser