Until we have upstreamed our secure autoconfiguration patches we have to maintain Thunderbird ourselves. This means we need to track new Thunderbird versions hitting Debian stable and rebuild our package for each of them.

The first time you do this requires some additional steps (WARNING! this will download almost 2 GiB of data):

  1. Clone Tails' Thunderbird repo.

  2. Add a remote for Debian:

     git remote add debian-upstream https://salsa.debian.org/mozilla-team/thunderbird.git

Let's pretend the scenario is that Thunderbird 52.3.0-4~deb9u1 has just been released:

     VERSION="52.3.0-4~deb9u1"
     TAG="debian/1%$(echo ${VERSION:?} | tr '~' '_')"

  1. Fetch the latest changes and tags from both remotes:

     git fetch && git fetch debian-upstream

  2. Verify the signed tag:

     git tag -v "${TAG:?}"

    The tag must have been signed with one of the following keys; investigate if that's not the case. Note that git tag -v only tells you that the signature is valid for some key in your keyring, so compare the fingerprint it reports against this list:

    • 8B94 819C 2555 70A3 74B6 2CCD 26E3 C875 A744 20EF
    • B70D FC6F 134F ECFC 011E 62AA 8301 6014 251D 1DB0
    • D343 9DAA 19DC FACD AE87 9CF2 B999 CDB5 8C8D DBD2

  3. Let's update our branch to the new version:

     git checkout tails/stretch && git merge origin/tails/stretch && \
     git merge --no-edit "${TAG:?}"

    Now you most likely will have to deal with a merge conflict in debian/changelog -- just reorder the conflicting entries by version number, git add modified files as needed, and ensure a merge commit is created eventually.

  4. Let's ensure our patches still apply cleanly:

    1. Check if they do:

      quilt push -a

    2. Regardless of whether they do, clean up:

      quilt pop -a && rm -rf .pc

    3. If our patches applied cleanly, move on. Otherwise:

      XXX (undocumented as we prefer focusing our efforts on upstreaming our patches rather than on documenting the current, temporary state of things): after reverse-engineering the state of our Git repository, it seems that one should create a new secure_account_creation-${VERSION:?} branch forked off the latest existing one, transplant our commits on top of ${TAG} with git rebase and the appropriate --onto option, squash our commits into a new secure_account_creation-${VERSION:?}-squashed branch, and extract updated patches from there into debian/patches/secure-account-creation/.

  5. Then let's release a new version:

     TAILS_VERSION="1:${VERSION:?}.0tails1" && \
     DISTRIBUTION="feature-thunderbird-${VERSION:?}" && \
     dch \
        --newversion "${TAILS_VERSION:?}" \
        --force-bad-version \
        --distribution "${DISTRIBUTION:?}" \
        --force-distribution \
        "Rebuild Thunderbird with Tails' secure autoconfiguration patches." && \
     git commit debian/changelog \
          -m "document changes and release ${TAILS_VERSION:?}"

  6. Fetch the Debian sources to be used for the build:

     THUNDERBIRD_SOURCES="$(mktemp -d)" && \
     GIT_DIR="$(pwd)" && \
     ( \
     cd "${THUNDERBIRD_SOURCES:?}" && \
     apt --download-only source thunderbird="1:${VERSION:?}" && \
     mkdir -p "${GIT_DIR:?}/../tarballs/" && \
     cp thunderbird_*.orig*.tar.xz "${GIT_DIR:?}/../tarballs/" \
     ) && \
     rm -rf "${THUNDERBIRD_SOURCES:?}"

    Note: we cannot use the pristine-tar branch since Jessie builds expect split .orig sources for l10n stuff, which is not the case in Sid, which pristine-tar is made for. Or something like this. Let's not waste time on investigating this.

  7. Build packages in a Stretch amd64 chroot:

     gbp buildpackage \
         --git-debian-branch=tails/stretch \
         --git-no-pristine-tar

  8. Tag the new version:

     gbp buildpackage --git-debian-branch=tails/stretch \
         --git-sign-tags --git-tag-only

  9. Include all sources in the .changes file:

     CHANGES_FILE="../thunderbird_$(echo "${TAILS_VERSION:?}" | sed 's/^1://')_amd64.changes" && \
     changestool "${CHANGES_FILE:?}" includeallsources

  10. Due to #11531 we won't be able to push the tag generated by gbp so we have to replace it with a differently named tag pointing at the same commit:

     GBP_TAG="debian/$(echo ${TAILS_VERSION:?} | tr '~:' '_%')" && \
     GBP_TAG_COMMIT="$(git rev-list -n 1 "${GBP_TAG:?}")" && \
     NEW_GBP_TAG="$(echo ${GBP_TAG:?} | sed 's@/1%@/@')" && \
     git tag -s "${NEW_GBP_TAG:?}" \
             -m "thunderbird Debian release ${TAILS_VERSION:?}" \
             "${GBP_TAG_COMMIT:?}"

  11. Git push and upload packages:

     git push --follow-tags origin "${NEW_GBP_TAG:?}" tails/stretch && \
     debsign "${CHANGES_FILE:?}" && \
     dupload --to tails "${CHANGES_FILE:?}"

    At the moment pushing $GBP_TAG may fail due to #11531. We'll just have to keep these tags locally until that's solved, and then push them.
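To make the key check from step 2 mechanical, here is an added example script (not part of the Tails procedure and not Tails' code): it feeds the gpg status lines that git verify-tag --raw writes to stderr into a checker and accepts a tag only when the VALIDSIG primary-key fingerprint is one of the three fingerprints listed above. The function names are my own and the SAMPLE_* status lines are constructed test input.

```shell
#!/bin/sh
# Added example, not part of the Tails procedure above: accept a tag only when
# gpg reports a valid signature whose primary key is in our allow-list.

# The three fingerprints listed in step 2, spaces removed.
TRUSTED_FPRS="
8B94819C255570A374B62CCD26E3C875A74420EF
B70DFC6F134FECFC011E62AA83016014251D1DB0
D3439DAA19DCFACDAE879CF2B999CDB58C8DDBD2
"

# Read gpg status lines on stdin and print the primary-key fingerprint, the
# last field of the VALIDSIG line (GOODSIG only carries a long key ID, which
# may be a subkey's). Prints nothing when there is no VALIDSIG line.
validsig_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { fpr = $NF }
         END { if (fpr != "") print toupper(fpr) }'
}

# Exit 0 only if the status lines on stdin carry a VALIDSIG from a listed key.
fpr_is_trusted() {
    fpr="$(validsig_fpr)"
    [ -n "$fpr" ] || return 1
    for trusted in $TRUSTED_FPRS; do
        [ "$trusted" = "$fpr" ] && return 0
    done
    return 1
}

# For a real tag: git verify-tag --raw prints gpg's status lines on stderr.
verify_tag_signer() {
    git verify-tag --raw "${1:?tag name}" 2>&1 | fpr_is_trusted
}

# Constructed sample status output (signer names and dates are made up).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 26E3C875A74420EF Sample Signer <signer@example.org>
[GNUPG:] VALIDSIG 8B94819C255570A374B62CCD26E3C875A74420EF 2017-08-29 1504000000 0 4 0 1 10 00 8B94819C255570A374B62CCD26E3C875A74420EF'
SAMPLE_UNLISTED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Other Signer <other@example.org>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2017-08-29 1504000000 0 4 0 1 10 00 0000000000000000000000000000000000000000'

# Self-check: the listed key passes, an unlisted key and a bad signature fail.
check_samples() {
    printf '%s\n' "$SAMPLE_GOOD" | fpr_is_trusted || return 1
    printf '%s\n' "$SAMPLE_UNLISTED" | fpr_is_trusted && return 1
    printf '%s\n' '[GNUPG:] BADSIG 26E3C875A74420EF Sample Signer' | fpr_is_trusted && return 1
    return 0
}
```

In the real workflow, verify_tag_signer "${TAG:?}" exits non-zero both for an invalid signature and for a valid one made with a key that is not on the list.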