We have partially upstreamed our secure autoconfiguration patches and eventually gave up, so we have to maintain a patch series for Thunderbird ourselves, that we apply while building Tails images.

We need to follow the following instructions whenever the patch series we have exported to tails.git does not apply anymore, therefore breaking the Tails images build process.

  1. On tails/tails, checkout a new topic branch.

  2. The first time you do this requires some additional steps (WARNING! this will download almost 2 GiB of data):

    1. Clone Tails' Thunderbird repo.

    2. Add a remote for Debian:

       git remote add debian-upstream https://salsa.debian.org/mozilla-team/thunderbird.git
      
  3. Set environment variables:

    Let's pretend the scenario is that Thunderbird 68.10.0-1~deb10u1 has just been released:

     VERSION="68.10.0-1~deb10u1"
     TAG="debian/1%$(echo ${VERSION:?} | tr '~' '_')"
    
  4. git fetch && git fetch debian-upstream

  5. Verify the signed tag:

     git tag -v "${TAG:?}"
    

    The tag should have been signed with one of the keys that follow; investigate if it's not the case:

    • 8B94 819C 2555 70A3 74B6 2CCD 26E3 C875 A744 20EF
    • B70D FC6F 134F ECFC 011E 62AA 8301 6014 251D 1DB0
    • D343 9DAA 19DC FACD AE87 9CF2 B999 CDB5 8C8D DBD2
  6. Let's update our branch to the new version:

     git checkout tails/bullseye && git merge origin/tails/bullseye && \
     git merge --no-edit "${TAG:?}"
    
  7. Let's ensure our patches still apply cleanly:

    1. Check if they do:

      quilt push -a
      
    2. Regardless of whether our patches applied cleanly, clean up:

      quilt pop -a && rm -rf .pc
      
    3. If our patches applied cleanly, move on. Otherwise:

      1. Create or refresh an up-to-date secure_account_creation-${VERSION:?} branch:

        • If that branch already exists: rebase our own commits onto the upstream/X.Y.Z branch you are upgrading to. For example:

            git checkout secure_account_creation-102
            git pull
            git rebase -i --onto upstream/102.42.0 upstream/102.3.0
          
        • Else, if that branch does not exist yet, that's probably because you're upgrading to a major new Thunderbird release. In that case, fork the branch off our most recent such branch, then rebase our own commits onto the upstream/X.Y.Z branch you are upgrading to. For example:

            git checkout -b secure_account_creation-102 secure_account_creation-91
            git rebase -i --onto upstream/102.42.0 upstream/91.5.0
          

        Either way, if a particular commit is not trivial to update, see #6156: it might be OK to drop that patch.

      2. Use git format-patch to save our commits to files.

        For example: git format-patch upstream/102.42.0..secure_account_creation-102

      3. On the tails/bullseye branch, replace the contents of debian/patches/secure-account-creation/ with these updated patches.

      4. Update debian/patches/series.

      5. Commit

      6. Verify that the updated patches apply cleanly:

        quilt push -a
        
      7. Regardless of whether our patches applied cleanly, clean up:

        quilt pop -a && rm -rf .pc
        
      8. Push. For example:

            git push --follow-tags -u origin secure_account_creation-102
        
  8. Git push:

     git push --follow-tags origin tails/bullseye
    
  9. Set variables according to your local environment:

     TAILS_GIT_CHECKOUT=/path/to/your/tails/git/checkout
     THUNDERBIRD_GIT_CHECKOUT=/path/to/your/thunderbird/git/checkout
    
  10. Update the patches in tails.git:

     THUNDERBIRD_GIT_COMMIT=$(git --git-dir="${THUNDERBIRD_GIT_CHECKOUT}/.git" rev-parse --verify HEAD)
     TAILS_GIT_PATCHES_DIR="config/chroot_local-includes/usr/share/tails/build/thunderbird-patches"
     cd "$TAILS_GIT_CHECKOUT" && \
     git rm -r "$TAILS_GIT_PATCHES_DIR" && \
     cp -r "${THUNDERBIRD_GIT_CHECKOUT}/debian/patches/secure-account-creation" \
        "$TAILS_GIT_PATCHES_DIR" && \
     grep -E '^secure-account-creation/' "${THUNDERBIRD_GIT_CHECKOUT}/debian/patches/series" \
        | perl -pE 's{^secure-account-creation/}{}' \
        > "${TAILS_GIT_PATCHES_DIR}/series" && \
     git add "$TAILS_GIT_PATCHES_DIR" && \
     git commit -m "Update Thunderbird patches from tails/thunderbird@${THUNDERBIRD_GIT_COMMIT}"
    
  11. In any patch that modifies mailnews.js, remove comments from the surrounding context lines.

    Rationale: this is necessary otherwise the patch won't apply on the version of mailnews.js that's in omni.ja, which has such comments stripped.

  12. Amend the last commit with these changes:

     git commit --amend "$TAILS_GIT_PATCHES_DIR"
    
  13. Ensure the Thunderbird account setup wizard works in an image built from your tails.git branch.