Releasing NSS
Stages of the NSS Release Cycle:
Normal development. This runs from the day after a Firefox merge until 2 weeks before the next Firefox merge. During this time, the version of NSS in mozilla-central and on NSS’s development branch are kept in sync by Updatebot.
Freezing for release. This starts 2 weeks before the next Firefox merge. During this time, mozilla-central tracks a release branch. Commits can still land on NSS’s development branch but they won’t be uplifted to mozilla-central.
Freezing a version for release
In the week prior to a NSS release, the version in mozilla-unified will be frozen. This is to ensure that new NSS versions have adequate testing in Firefox Nightly before making their way to Beta and Release.
The NSS Release owner will:
Make sure your local repo is up to date with
hg pullandhg checkout default.Make a branch for this NSS release.
hg branch NSS_3_XXX_BRANCHTag a beta for this NSS release.
hg tag NSS_3_XXX_BETA1Inspect the outgoing changes with
hg outgoingand verify they are correct.Push this branch and tag to the NSS repository.
hg push --new-branchWait for the changes to sync to Github (~15 minutes).
Manually uplift this version into mozilla-unified by running
./mach vendor security/nss/moz.yaml -r NSS_3_XXX_BETA1in mozilla-unified.
Warning
It may be that issues are uncovered by users running Firefox Nightly. If so, the appropriate changes should be made to this branch and to the development branch, then a new beta tagged and uplifted.
Warning
After this point, further submissions by Updatebot SHOULD be ignored to ensure that the frozen branch is not overwritten by further changes to the development branch.
Releasing NSS into Firefox
The NSS Release Owner will:
Make sure you’re on the appropriate branch (
hg checkout NSS_3_XXX_BRANCH).Update the NSS version numbers:
python3 automation/release/nss-release-helper.py remove_betaCommit the change:
hg commit -m "Set version numbers to 3.XXX finalAdd a release note named
nss_3_XXX.rsttodoc/rst/releasesand updateindex.rstin the release branch.Commit the release notes:
hg commit -m "Release notes for NSS 3.XXX".Tag the release version:
hg tag NSS_3_XXX_RTMPush the changes to the NSS repository.
hg pushSwitch the default branch and graft the release notes onto this branch:
hg graft -r {DOCS_COMMIT}.Manually uplift this version by running
./mach vendor security/nss/moz.yaml -r NSS_3_XXX_RTMin mozilla-unified.
Warning
./mach vendor does not currently update the root CA telemetry. This must be done manually.
Releasing NSS to downstream
You will need the gcloud tool installed from https://cloud.google.com/sdk/docs/install.
Create the release archives with
python automation/release/nss-release-helper.py create_nss_release_archive 3.XXX NSS_3_XXX_RTM ../stageAnnounce the release on dev-tech-crypto.
Preparing for the next release
File a new bug blocking the nss-uplift bug by cloning the current release bug.
Assign the next release owner in the rotation.
Update the NSS Release Calendar using the dates from https://whattrainisitnow.com/
Update the release tracker in the team meeting notes (internal only).
Update NSS to the next version:
python3 automation/release/nss-release-helper.py set_version_to_minor_release 3 XXX+1.
hg commit -m "Set version numbers to 3.{XXX+1} Beta"and push this commit.Approve any waiting commits from Updatebot.
Please now copy the checklist below and fill it out in the NSS release bug and close it:
[ ] - NSS XXX has been released into mozilla-central for Firefox XXX.
[ ] - NSS release binaries can be found at https://ftp.mozilla.org/pub/nss/releases/
[ ] - The release has been announced on dev-tech-crypto.
[ ] - The nss version has been updated on the default branch
[ ] - The next release bug has been filed.
[ ] - The release calendar has been updated.
Updating NSPR
NSPR releases are infrequent, but require changing the NSPR version is listed in automation/release/nspr-version.txt