We have partially upstreamed our secure autoconfiguration patches and eventually gave up, so we have to maintain a patch series for Thunderbird ourselves, that we apply while building Tails images.

We need to follow the following instructions whenever the patch series we have exported to tails.git does not apply anymore, therefore breaking the Tails images build process.

1. On tails/tails, checkout a new topic branch.

2. The first time you do this requires some additional steps (WARNING! this will download almost 2 GiB of data):

   1. Clone Tails' Thunderbird repo.

   2. Add a remote for Debian:

       git remote add debian-upstream https://salsa.debian.org/mozilla-team/thunderbird.git
      

3. Set environment variables:

   Let's pretend the scenario is that Thunderbird 68.10.0-1~deb10u1 has just been released:

    VERSION="68.10.0-1~deb10u1"
    TAG="debian/1%$(echo ${VERSION:?} | tr '~' '_')"
   

4. git fetch && git fetch debian-upstream

5. Verify the signed tag:

    git tag -v "${TAG:?}"
   

   The tag should have been signed with one of the keys that follow; investigate if it's not the case:

   • 8B94 819C 2555 70A3 74B6 2CCD 26E3 C875 A744 20EF
   • B70D FC6F 134F ECFC 011E 62AA 8301 6014 251D 1DB0
   • D343 9DAA 19DC FACD AE87 9CF2 B999 CDB5 8C8D DBD2

6. Let's update our branch to the new version:

    git checkout tails/bookworm && git merge origin/tails/bookworm && \
    git merge --no-edit "${TAG:?}"
   

   For merge conflicts, just git checkout --theirs (we only care about rebasing the patches, not building from this Git repo).

7. Make sure the patches apply cleanly with quilt push -a and commit any changes needed to achieve that. gbp pq can help updating our patch queue.

8. Git push:

    git push --follow-tags origin tails/bookworm
   

9. Set variables according to your local environment:

    TAILS_GIT_CHECKOUT=/path/to/your/tails/git/checkout
    THUNDERBIRD_GIT_CHECKOUT=/path/to/your/thunderbird/git/checkout
   

10. Update the patches in tails.git:

     THUNDERBIRD_GIT_COMMIT=$(git --git-dir="${THUNDERBIRD_GIT_CHECKOUT}/.git" rev-parse --verify HEAD)
     TAILS_GIT_PATCHES_DIR="config/chroot_local-includes/usr/share/tails/build/thunderbird-patches"
     cd "$TAILS_GIT_CHECKOUT" && \
     git rm -r "$TAILS_GIT_PATCHES_DIR" && \
     cp -r "${THUNDERBIRD_GIT_CHECKOUT}/debian/patches/secure-account-creation" \
        "$TAILS_GIT_PATCHES_DIR" && \
     grep -E '^secure-account-creation/' "${THUNDERBIRD_GIT_CHECKOUT}/debian/patches/series" \
        | perl -pE 's{^secure-account-creation/}{}' \
        > "${TAILS_GIT_PATCHES_DIR}/series" && \
     git add "$TAILS_GIT_PATCHES_DIR" && \
     git commit -m "Update Thunderbird patches from tails/thunderbird@${THUNDERBIRD_GIT_COMMIT}"
    

11. In any patch that modifies mailnews.js, remove comments from the surrounding context lines.

    Rationale: this is necessary otherwise the patch won't apply on the version of mailnews.js that's in omni.ja, which has such comments stripped.

12. Amend the last commit with these changes:

     git commit --amend "$TAILS_GIT_PATCHES_DIR"
    

13. Ensure the Thunderbird account setup wizard works in an image built from your tails.git branch.