Here are the steps that the maintainer should take when putting out a new Tor release. It is split into 3 stages and coupled with our Tor CI Release pipeline.
Before we begin, the first rule is to make sure:
- Our CIs (*nix and Windows) pass for each version to release
- Coverity has no new alerts
To start with, if you are doing a security release, this must be done a few days prior to the release:
- If this is going to be an important security release, give the packagers advance warning, via [email protected].
The following must be done at least 2 days prior to the release:
- Add the version(s) in the dirauth-conf git repository as the RecommendedVersion and RequiredVersion so they can be approved by the authorities and be in the consensus before the release.
- Send a pre-release announcement to [email protected] in order to inform every team in Tor of the upcoming release. This is so we can avoid creating release surprises and sync with other teams.
- Ask the network-team to review the `changes/` files in all versions we are about to release. This step is encouraged but not mandatory.
To build the tarballs to release, we need to launch the CI release pipeline:
https://gitlab.torproject.org/tpo/core/tor-ci-release
The `versions.yml` needs to be modified with the Tor versions you want to release. Once done, git commit and push to trigger the release pipeline.
The first two stages (Preliminary and Patches) will be run automatically. The Build stage needs to be triggered manually once all generated patches have been merged upstream.
- Download the generated patches from the `Patches` stage.

  Apply these patches to the `main` or `release` branch as appropriate. (Version bumps apply to `maint`; anything touching the changelog should apply only to `main` or `release`.)

  When updating the version, it will be on `maint` branches and so to merge-forward, use `git merge -s ours`. For instance, if merging the version change of `maint-0.4.5` into `maint-0.4.6`, do on `maint-0.4.6` this command: `git merge -s ours maint-0.4.5`. And then you can proceed with a git-merge-forward.
- For the ChangeLog and ReleaseNotes, you need to write a blurb at the top explaining a bit the release.
- Review, modify if needed, and merge them upstream.
- Manually trigger the `maintained` job in the `Build` stage so the CI can build the tarballs without errors.
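
The forward-merge of a version bump described in the first step above, as an added example that is not part of the Tor release tooling: it builds a throwaway repository, shows that a plain merge conflicts on the version line, and checks that `git merge -s ours` records the merge while leaving the newer branch's tree unchanged. Only the branch names come from the text; the `VERSION` file and the version strings are constructed for the demo.

```shell
#!/bin/sh
# Added example: scratch-repo run of the maint forward-merge described above.
# Branch names come from the page; the VERSION file and the version strings
# are constructed for the demo and are not Tor's real layout.
demo_merge_ours() {
    repo=$(mktemp -d) || return 1
    (
        cd "$repo" || exit 1
        git init -q . || exit 1
        git config user.name "Demo Maintainer"
        git config user.email "demo@example.invalid"
        git config commit.gpgsign false

        # Common ancestor on maint-0.4.5, then maint-0.4.6 diverges.
        echo "0.4.5.9-dev" > VERSION
        git add VERSION && git commit -q -m "base" || exit 1
        git branch -M maint-0.4.5
        git checkout -q -b maint-0.4.6
        echo "0.4.6.7-dev" > VERSION
        git commit -q -am "version: bump to 0.4.6.7-dev" || exit 1

        # The release version bump is applied on the older maint branch.
        git checkout -q maint-0.4.5
        echo "0.4.5.10" > VERSION
        git commit -q -am "version: bump to 0.4.5.10" || exit 1
        git checkout -q maint-0.4.6
        before=$(git rev-parse 'HEAD^{tree}')

        # A plain merge fights over the version line, so it is aborted here.
        if git merge -q --no-edit maint-0.4.5 >/dev/null 2>&1; then
            plain=clean
        else
            plain=conflict
            git merge --abort
        fi

        # -s ours records maint-0.4.5 as merged but keeps this branch's tree.
        git merge -q -s ours -m "Merge maint-0.4.5 (ours)" maint-0.4.5 || exit 1
        [ "$before" = "$(git rev-parse 'HEAD^{tree}')" ] || exit 1
        git merge-base --is-ancestor maint-0.4.5 HEAD || exit 1
        echo "plain=$plain version=$(cat VERSION)"
    )
    status=$?
    rm -rf "$repo"
    return "$status"
}

demo_merge_ours
```

Because `-s ours` discards everything from the merged branch, it is only safe when the incoming commits contain nothing but the version bump; real fixes on the older `maint` branch must already have been merged forward normally.
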
Once this is done, each selected developer needs to build the tarballs in a reproducible way using:
https://gitlab.torproject.org/tpo/core/tor-ci-reproducible
Steps are:
- Run `./build.sh` which will download everything you need, including the latest tarballs from the release CI, and auto-commit the signatures if the checksums match. You will need to confirm the commits.
- If all is good, `git push origin main` your signatures.
Once all signatures from all selected developers have been committed:
- Manually trigger the `signature` job in the `Post-process` stage of the CI release pipeline.
- If it passes, the tarball(s) and signature(s) will be available as artifacts and should be used for the release.
- Put them on `dist.torproject.org`:

  Upload the tarball and its sig to the dist website:

      rsync -avP tor-*.gz{,.asc} dist-master.torproject.org:/srv/dist-master.torproject.org/htdocs/

  Then, on dist-master.torproject.org, run:

      static-update-component dist.torproject.org

  For an alpha or latest stable, open an MR in https://gitlab.torproject.org/tpo/web/tpo that updates the `databags/versions.ini` to note the new version.

  (NOTE: Due to #17805, there can only be one stable version listed at once. Nonetheless, do not call your version "alpha" if it is stable, or people will get confused.)

  (NOTE: It will take a while for the website update scripts to update the website.)
Once the tarballs have been uploaded and are ready to be announced, we need to do the following:
- Tag versions (`main` branch or `release` branch as appropriate) using `git tag -s tor-0.x.y.z-<status>` and then push the tag(s): `git push origin tor-0.x.y.z-<status>`

  (This should be the `main` or `release` branch because that is the one from which the tarballs are built. We want our tags to match our tarballs.)
- Merge upstream the artifacts from the `patches` job in the `Post-process` stage of the CI release pipeline.

  Like step (2.1) above, the `-dev` version bump needs to be done manually with a `git merge -s ours`.
- Write and post the release announcement for the `forum.torproject.net` in the `News -> Tor Release Announcement` category.

  If possible, mention which Tor Browser version (with dates) the release will be in. This usually only applies to the latest stable.
- Inform [email protected] of the release, pointing to the Forum. Append the ChangeLog there. We do this until we can automate such posts from the forum directly.
- Update the torproject.org website by submitting an MR to https://gitlab.torproject.org/tpo/web/tpo

  The `databags/versions.ini` file is the one to change with the newly released version(s).
- Create the `maint-x.y.z` and `release-x.y.z` branches at the version tag. Then update the `./scripts/git/git-list-tor-branches.sh` with the new version.
- Update `./scripts/git/git-list-tor-branches.sh` and `./scripts/ci/ci-driver.sh` with the new version in `maint-x.y.z` and then merge forward into main. (If you haven't pushed remotely the new branches, merge the local branch).
- In `main`, bump version to the next series: `tor-x.y.0-alpha-dev` and then tag it: `git tag -s tor-x.y.0-alpha-dev`
If for some reason you need to contact a bunch of packagers without using the publicly archived tor-packagers list, you can try these people:
- {weasel,sysrqb,mikeperry} at torproject dot org
- {blueness} at gentoo dot org
- {paul} at invizbox dot io
- {vincent} at invizbox dot com
- {lfleischer} at archlinux dot org
- {Nathan} at freitas dot net
- {mike} at tig dot as
- {tails-rm} at boum dot org
- {simon} at sdeziel.info
- {yuri} at freebsd.org
- {mh+tor} at scrit.ch
- {security} at brave.com