Until we have upstreamed our secure autoconfiguration patches, we have to maintain Thunderbird ourselves. This means we need to track new Thunderbird versions hitting Debian stable.

The first time you do this requires some additional steps (WARNING! this will download almost 2 GiB of data):

  1. Clone Tails' Thunderbird repo.

  2. Add a remote for Debian:

     git remote add debian-upstream https://salsa.debian.org/mozilla-team/thunderbird.git

Let's pretend the scenario is that Thunderbird 60.0-3 has just been released:

     VERSION=60.0-3
     TAG="debian/1%$(echo ${VERSION:?} | tr '~' '_')"
     UPSTREAM_VERSION=$(echo ${VERSION:?} | perl -p -E 's/-.*//')

  1. Fetch from both remotes:

     git fetch && git fetch debian-upstream

  2. Verify the signed tag:

     git tag -v "${TAG:?}"

    The tag should have been signed with one of the keys that follow; investigate if it's not the case:

    • 8B94 819C 2555 70A3 74B6 2CCD 26E3 C875 A744 20EF
    • B70D FC6F 134F ECFC 011E 62AA 8301 6014 251D 1DB0
    • D343 9DAA 19DC FACD AE87 9CF2 B999 CDB5 8C8D DBD2

  3. Let's update our branch to the new version:

     git checkout tails/stretch && git merge origin/tails/stretch && \
     git merge --no-edit "${TAG:?}"

    Now you most likely will have to deal with a merge conflict in debian/changelog -- just reorder the conflicting entries by version number, git add modified files as needed, and ensure a merge commit is created eventually.

  4. Let's ensure our patches still apply cleanly:

    1. Check if they do:

      quilt push -a

    2. Regardless of whether our patches applied cleanly, clean up:

      quilt pop -a && rm -rf .pc

    3. If our patches applied cleanly, move on. Otherwise:

      XXX (undocumented, as we prefer focusing our efforts on upstreaming our patches rather than on documenting the current, temporary state of things): after reverse-engineering the state of our Git repository, it seems that one should create a new secure_account_creation-${VERSION:?} branch forked off the latest existing one, transplant our commits on top of ${TAG} with the appropriate --onto option, squash our commits into a new secure_account_creation-${VERSION:?}-squashed branch, and extract updated patches from there into debian/patches/secure-account-creation/.

  5. Then let's release a new version:

     TAILS_VERSION="1:${VERSION:?}~deb9u1.0tails1" && \
     DISTRIBUTION="bugfix-${TICKET:?}-thunderbird-${UPSTREAM_VERSION:?}" && \
     dch \
        --newversion "${TAILS_VERSION:?}" \
        --force-bad-version \
        --distribution "${DISTRIBUTION:?}" \
        --force-distribution \
        "Rebuild with Tails' secure autoconfiguration patches." && \
     git commit debian/changelog \
         -m "document changes and release ${TAILS_VERSION:?}"

  6. Build packages in a Stretch amd64 chroot:

     gbp buildpackage \
         --git-debian-branch=tails/stretch

  7. Tag the new version:

     gbp buildpackage --git-debian-branch=tails/stretch \
         --git-sign-tags --git-tag-only

  8. If you've built a package based on an upstream release (as in: what's before the first - in the package version number) whose .orig.tar.xz tarball was never uploaded to our custom APT repository, include all sources in the .changes file:

     cd path/to/build/artifacts/directory && \
     cp path/to/build-area/*${UPSTREAM_VERSION:?}*.orig*.tar.xz . && \
     CHANGES_FILE="thunderbird_$(echo "${TAILS_VERSION:?}" | sed 's/^1://')_amd64.changes" && \
     changestool "${CHANGES_FILE:?}" includeallsources

  9. Due to #11531 we won't be able to push the tag generated by gbp so we have to replace it with a differently named tag:

     GBP_TAG="debian/$(echo ${TAILS_VERSION:?} | tr '~:' '_%')"
     NEW_GBP_TAG="$(echo ${GBP_TAG:?} | sed 's@/1%@/@')" && \
     git tag -s "${NEW_GBP_TAG:?}" \
             -m "thunderbird Debian release ${TAILS_VERSION:?}"

  10. Git push and upload packages:

     git push --follow-tags origin \
        "${NEW_GBP_TAG:?}" \
        tails/stretch \
        upstream-60.x \
        pristine-tar && \
     (cd /path/to/build/artifacts && \
      debsign "${CHANGES_FILE:?}" && \
      dupload --to tails "${CHANGES_FILE:?}")

    Note: pushing some tags will fail due to #11531.
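
Step 2 leaves the fingerprint comparison to the reader's eye. As an added example (not part of the Tails procedure), the check can be scripted against the GnuPG status lines that `git verify-tag --raw` prints. The function names `signer_allowed` and `verify_tag_signer` are hypothetical, the sample status lines are constructed, and the script assumes a listed fingerprint may match either the signing key or its primary key.

```shell
#!/bin/sh
# Added example: allow-list check for the signer of the Debian tag (step 2).
# The three fingerprints are the ones listed in step 2, spaces removed.
ALLOWED_FPRS="8B94819C255570A374B62CCD26E3C875A74420EF \
B70DFC6F134FECFC011E62AA83016014251D1DB0 \
D3439DAA19DCFACDAE879CF2B999CDB58C8DDBD2"

# signer_allowed (hypothetical name): reads GnuPG status lines on stdin.
# Succeeds only if a VALIDSIG line names an allowed key and no status line
# reports a bad, unverifiable, expired or revoked signature or key.
# In a VALIDSIG line, field 3 is the fingerprint of the key that made the
# signature and the last field is the fingerprint of its primary key.
signer_allowed() {
    awk -v allowed="$ALLOWED_FPRS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && (($3 in ok) || ($NF in ok)) { found = 1 }
        END { exit (found && !bad) ? 0 : 1 }
    '
}

# verify_tag_signer TAG (hypothetical name): run inside the packaging
# repository; "git verify-tag --raw" prints the status lines on stderr.
verify_tag_signer() {
    git verify-tag --raw "${1:?tag name required}" 2>&1 | signer_allowed
}

# Constructed status output (not taken from a real tag) to try the filter offline.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 26E3C875A74420EF Constructed Signer <signer@example.org>
[GNUPG:] VALIDSIG 8B94819C255570A374B62CCD26E3C875A74420EF 2018-08-20 1534752000 0 4 0 1 10 00 8B94819C255570A374B62CCD26E3C875A74420EF'

if printf '%s\n' "$SAMPLE_STATUS" | signer_allowed; then
    echo "signer is on the allow-list"
else
    echo "signer NOT on the allow-list: investigate" >&2
fi
```

In the procedure, `verify_tag_signer "${TAG:?}"` would run alongside `git tag -v` in step 2, before the merge in step 3.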