- contribute
- release process
- Updating Thunderbird patches
We have partially upstreamed our secure autoconfiguration patches and eventually gave up, so we have to maintain a patch series for Thunderbird ourselves, that we apply while building Tails images.
We need to follow the following instructions whenever the patch series we have exported to tails.git does not apply anymore, therefore breaking the Tails images build process.
On
tails/tails
, checkout a new topic branch.The first time you do this requires some additional steps (WARNING! this will download almost 2 GiB of data):
Clone Tails' Thunderbird repo.
Add a remote for Debian:
git remote add debian-upstream https://salsa.debian.org/mozilla-team/thunderbird.git
Set environment variables:
Let's pretend the scenario is that Thunderbird 68.10.0-1~deb10u1 has just been released:
VERSION="68.10.0-1~deb10u1" TAG="debian/1%$(echo ${VERSION:?} | tr '~' '_')"
git fetch && git fetch debian-upstream
Verify the signed tag:
git tag -v "${TAG:?}"
The tag should have been signed with one of the keys that follow; investigate if it's not the case:
8B94 819C 2555 70A3 74B6 2CCD 26E3 C875 A744 20EF
B70D FC6F 134F ECFC 011E 62AA 8301 6014 251D 1DB0
D343 9DAA 19DC FACD AE87 9CF2 B999 CDB5 8C8D DBD2
Let's update our branch to the new version:
git checkout tails/bullseye && git merge origin/tails/bullseye && \ git merge --no-edit "${TAG:?}"
Let's ensure our patches still apply cleanly:
Check if they do:
quilt push -a
Regardless of whether our patches applied cleanly, clean up:
quilt pop -a && rm -rf .pc
If our patches applied cleanly, move on. Otherwise:
Create or refresh an up-to-date
secure_account_creation-${VERSION:?}
branch:If that branch already exists: rebase our own commits onto the
upstream/X.Y.Z
branch you are upgrading to. For example:git checkout secure_account_creation-102 git pull git rebase -i --onto upstream/102.42.0 upstream/102.3.0
Else, if that branch does not exist yet, that's probably because you're upgrading to a major new Thunderbird release. In that case, fork the branch off our most recent such branch, then rebase our own commits onto the
upstream/X.Y.Z
branch you are upgrading to. For example:git checkout -b secure_account_creation-102 secure_account_creation-91 git rebase -i --onto upstream/102.42.0 upstream/91.5.0
Either way, if a particular commit is not trivial to update, see #6156: it might be OK to drop that patch.
Use
git format-patch
to save our commits to files.For example:
git format-patch upstream/102.42.0..secure_account_creation-102
On the
tails/bullseye
branch, replace the contents ofdebian/patches/secure-account-creation/
with these updated patches.Update
debian/patches/series
.Commit
Verify that the updated patches apply cleanly:
quilt push -a
Regardless of whether our patches applied cleanly, clean up:
quilt pop -a && rm -rf .pc
Push. For example:
git push --follow-tags -u origin secure_account_creation-102
Git push:
git push --follow-tags origin tails/bullseye
Set variables according to your local environment:
TAILS_GIT_CHECKOUT=/path/to/your/tails/git/checkout THUNDERBIRD_GIT_CHECKOUT=/path/to/your/thunderbird/git/checkout
Update the patches in tails.git:
THUNDERBIRD_GIT_COMMIT=$(git --git-dir="${THUNDERBIRD_GIT_CHECKOUT}/.git" rev-parse --verify HEAD) TAILS_GIT_PATCHES_DIR="config/chroot_local-includes/usr/share/tails/build/thunderbird-patches" cd "$TAILS_GIT_CHECKOUT" && \ git rm -r "$TAILS_GIT_PATCHES_DIR" && \ cp -r "${THUNDERBIRD_GIT_CHECKOUT}/debian/patches/secure-account-creation" \ "$TAILS_GIT_PATCHES_DIR" && \ grep -E '^secure-account-creation/' "${THUNDERBIRD_GIT_CHECKOUT}/debian/patches/series" \ | perl -pE 's{^secure-account-creation/}{}' \ > "${TAILS_GIT_PATCHES_DIR}/series" && \ git add "$TAILS_GIT_PATCHES_DIR" && \ git commit -m "Update Thunderbird patches from tails/thunderbird@${THUNDERBIRD_GIT_COMMIT}"
In any patch that modifies
mailnews.js
, remove comments from the surrounding context lines.Rationale: this is necessary otherwise the patch won't apply on the version of
mailnews.js
that's inomni.ja
, which has such comments stripped.Amend the last commit with these changes:
git commit --amend "$TAILS_GIT_PATCHES_DIR"
Ensure the Thunderbird account setup wizard works in an image built from your tails.git branch.