13:38:42 <r2r0> #startmeeting 13:38:42 <MeetBot> Meeting started Wed Apr 22 13:38:42 2015 UTC. The chair is r2r0. Information about MeetBot at http://wiki.debian.org/MeetBot. 13:38:42 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic. 13:38:48 <r2r0> that was quick 13:38:56 <evilaliv3> 2) legacy scenario for user that do not want clientside encryption and prefer to rely on encryption ooperated by the backend; this would be the same situazion for already instantiated nodes 13:38:58 <r2r0> I sent the request to the meetbot team only 10 minutes ago 13:40:33 <evilaliv3> the D2.3 is still to be discussed, and is not so much defined. as general score it will deal with features in order to betterli export/import keys and provide user rich capabilities in order to move from a browser to an other 13:40:53 <r2r0> I would also explore more and document the migration process 13:41:04 <r2r0> for going from legacy to end to end encrypted 13:41:07 <evilaliv3> it's will be basically an enrichment of D2.1 and D2.2 to a more seucre threat model 13:41:14 <evilaliv3> great r2r0 13:41:14 <r2r0> knowing what happens at every stage of the transition 13:41:31 <evilaliv3> by the way both model should need to exist; remember that 13:41:38 <r2r0> (ex. that you will still have legacy encrypted tips until all receivers have logged in and even once they log it still for the data retention period) 13:42:05 <r2r0> I bet if we think a bit about this we will figure out a lot of gotchas that are important to make clear to our users 13:42:13 <evilaliv3> so what i would like to ask you is to first concentrate on the point 2 of the 4 I written 13:42:43 <evilaliv3> and with me to work on the 1) 13:43:12 <r2r0> well 2 is just a matter of keeping also part of the code base and enabling it or disabling it depending on global node based settings 13:43:15 <r2r0> correct? 13:43:27 <evilaliv3> for all the other, that are more related to testing, integration, and finalization given the fact that i'm more able to follow it all due to my time availability i will try to take the lead 13:43:58 <evilaliv3> this is more 3 tant 2 r2r0 13:44:34 <evilaliv3> 2) is simply finalizing end-to-end encryption thinking that no legacy is involved 13:45:01 <evilaliv3> work on webworkers, deal with optimization and bla bla 13:45:22 <evilaliv3> it's the core of D2.1(for you) and D2.2(for elv) 13:46:04 <evilaliv3> obiviously i'm keeping in mind your current avaialability so i will support you on D2.1 in order to reach this score 13:46:53 <evilaliv3> i mentioned also D8 cause my tentative schedule includes the fixes and finalization of some of D8 subdeliverables 13:47:30 <evilaliv3> for this i will simply have to continue the refinement of solutions already studied by vecna that need to be finalized and i will ask you some reviews 13:48:45 <evilaliv3> what do you think? is there something specific you would like to work on or suggestion on this tentative schedule ? 13:56:47 <evilaliv3> MeetBot: r2r0 and elv are taking a coffee, here in in italy is coffee time. please be patient :) 13:56:47 <MeetBot> evilaliv3: Error: "r2r0" is not a valid command. 13:56:59 <elv> lol 14:03:00 <r2r0> lol 14:03:04 <r2r0> yeah I was distracted 14:03:13 <r2r0> multitasking... 14:03:41 <evilaliv3> :) 14:04:07 <r2r0> evilaliv3: ah yeah you are right, I was using the second numbering scheme :P 14:04:18 <r2r0> identifiers of things should be globally unique :P 14:05:11 <r2r0> evilaliv3: anyways I agree with all that has been said and have nothing to add 14:06:39 <evilaliv3> that said, for today i'm investigating few issues that has been reported or that i've found 14:06:58 <evilaliv3> i'm interested by today in solving: 14:07:00 <evilaliv3> https://github.com/globaleaks/GlobaLeaks/issues/1233 14:07:01 <elv> seems working 14:07:29 <evilaliv3> that is interesting for some integrations planned for various adopters and in order to provide support for the experiment for the IJF 14:08:00 <r2r0> I don't think I will be able to do much on globaleaks today 14:08:07 <evilaliv3> and some user seported that they losed some messages sent by whistleblowers 14:08:08 <r2r0> I am working on finding a big data solution for OONI 14:08:15 <evilaliv3> so i've to validate a little the migration script 14:08:32 <evilaliv3> k r2r0 14:08:37 <r2r0> the data pipeline is currently out of disk space and I am investigating scaling/migration options 14:09:20 <evilaliv3> for this period i'm more interested in your support on solution suggestions and hint on problem solving than on coding 14:10:10 <evilaliv3> so fine for this. if you are able to join this small meetings and eventually simply follow us with some code review that would be great 14:20:46 <elv> ok 14:20:56 <elv> so the plan for the next "major" release is 14:21:03 <elv> D2.{1,2} and D8 14:23:41 <elv> we should also talk about the naming, the release policy, and js/translation freeze on release tagging 14:25:12 <elv> evilaliv3: and today I'm taking a look at protractor 14:25:16 <r2r0> evilaliv3: will do. As you perhaps have seen I have been monitoring the issue tracker lately and usually comment there if I have something to say. 14:25:33 <elv> and was going to ask you to investigate the empty receivers list 14:25:47 <elv> WB submission works now 14:25:51 <elv> and is received correctly 14:26:03 <elv> but the receiver list is empty and the private messages are not working 14:26:29 <evilaliv3> receiver list on what API ? 14:27:07 <evilaliv3> receivers if i'm not remembering wrong on /receivers API are shown only if they are associated to a context 14:27:29 <evilaliv3> this is a thing i've changed on devel branch, but shoud still be the case on your branch 14:28:02 <evilaliv3> or you mean the recevier list in the Tip page? plese be more precise while reporting 14:28:23 <evilaliv3> r2r0: do you forsee any possible solution for https://github.com/globaleaks/GlobaLeaks/issues/1233 14:28:26 <evilaliv3> ? 14:28:58 <elv> the receiver list in the WB interface 14:29:23 <evilaliv3> the API returns an emty list or is the bug in the interface shoiwng this? 14:30:30 <evilaliv3> r2r0: i confirm that #1233 is related to third party cookies 14:31:35 <elv> the API returns an empty list 14:31:36 <evilaliv3> this seems to be an important problem for the idea of integration we had for various adopters (OCCRP) for the integration of the same platform in existing websites 14:39:06 <elv> evilaliv3: could that be the old receiver list problem? 14:39:12 <r2r0> evilaliv3: perhaps not using cookies 14:39:30 <r2r0> possibles places to look at: 14:39:47 <r2r0> * Storing session information in localstorage (may have same restrictions as third party cookies) 14:39:55 <r2r0> * Storing sessions information inside of the URI 14:40:29 <r2r0> * Using flash :^) 14:40:34 <evilaliv3> r2r0: i'mtninking someting similar 14:40:38 <evilaliv3> let me clarify 14:40:44 <r2r0> flash? 14:40:49 <evilaliv3> flurry 14:40:51 <r2r0> let's rewrite globaleaks in flash 14:40:54 <r2r0> :D 14:41:00 <r2r0> with nice neon animations 14:41:08 <evilaliv3> i'm doing it by night 14:41:16 <evilaliv3> anyway 14:41:28 <evilaliv3> we are not using cookies for sessions 14:41:42 <evilaliv3> so that we can disable cookie usage in relation to that 14:41:57 <evilaliv3> we are using cookies for the anti-csrf technique implemented 14:42:28 <evilaliv3> we should evaluate how pass from an implementation based on 1 cookie + 1 header 14:42:41 <evilaliv3> to an implementation based on 2 headers 14:42:56 <evilaliv3> this would not be difficult on backned side 14:43:01 <evilaliv3> the problem is on clientside 14:43:34 <evilaliv3> each request to the backend would set an Header that clientside should be intercepted and used accordingly 14:44:00 <evilaliv3> if i'm not wrong this would apply only to Ajax requests 14:44:19 <evilaliv3> so it would not be a problem 14:44:26 <evilaliv3> cause i'm thinking that also now 14:45:16 <evilaliv3> [damn enter] also now we are interceptin and injecting the xsrf token only in ajax requests 14:45:27 <evilaliv3> sound good to you? 14:45:36 <evilaliv3> this would solve two issues: 14:46:41 <evilaliv3> 1) we would be able to say: we are not using cookies both to privacy+security reasons (reducing possbile attack surfaces on that) 14:47:19 <evilaliv3> 2) we would be able to run whenever cookies are disabled, and for example to be integrated in third party website whenever globaleaks allows that (e.g. for the OCCRP use case) 14:48:32 <evilaliv3> r2r0 ? 14:57:57 <r2r0> yes that sounds like a good approach 14:58:06 <r2r0> I am not sure how to change the request headers in non XHR requests 14:59:23 <evilaliv3> i neither 14:59:32 <evilaliv3> but what i'm thinking is that we do not have to 15:00:01 <evilaliv3> if you think to current implementation we are simply using anti-csrf to XHR requests 15:00:37 <evilaliv3> cause we inject the cookie automatically (due to how cookies works) but the header is injected manually and only in XHR 15:01:32 <evilaliv3> i've been always sceptical of this implementation, but given that it works for sure changing from a cookie-based one to a header-based one would be easy 15:01:35 <evilaliv3> you see? 15:03:49 <elv> uhm. 15:11:05 <evilaliv3> elv: prot 15:17:04 <elv> lol 15:19:15 <elv> okay.. 16:55:12 <elv> r2r0: http://www.w3.org/TR/2013/WD-WebCryptoAPI-20130625/#dfn-WorkerCrypto 16:55:14 <elv> evilaliv3: http://www.w3.org/TR/2013/WD-WebCryptoAPI-20130625/#dfn-WorkerCrypto 16:55:29 <elv> openpgpjs does not work inside a web worker 16:55:43 <elv> it has webworker support for encryption/decryption but not for key generation 17:04:16 <GL-Github-Bot> [13GlobaLeaks] 15evilaliv3 pushed 2 new commits to 06devel: 02https://github.com/globaleaks/GlobaLeaks/compare/77cf0dfb2a20...dd1b46595c64 17:04:16 <GL-Github-Bot> 13GlobaLeaks/06devel 14da57fd8 15evilaliv3: Remove outdated code no more used 17:04:16 <GL-Github-Bot> 13GlobaLeaks/06devel 14dd1b465 15evilaliv3: Aligned unit tests to the change on anomaly thresholds 20:41:09 <GL-Github-Bot> [13GlobaLeaks] 15evilaliv3 pushed 1 new commit to 06devel: 02https://github.com/globaleaks/GlobaLeaks/commit/89d1c7f9efdb8068cd4efa062c69e7474972fd3e 20:41:09 <GL-Github-Bot> 13GlobaLeaks/06devel 1489d1c7f 15evilaliv3: Correct UTs in relation to fields resetting 10:22:32 <DrWhax> evilaliv3: hullo 10:23:44 <DrWhax> I upgraded tor2web at wildleaks and now something broke but its not obvious what broke 10:24:17 <DrWhax> and yes, it has apparmor now 10:27:57 <DrWhax> ohh I see, its globaleaks problem 10:27:58 <DrWhax> kewl 10:28:48 <DrWhax> * Starting GlobaLeaks daemon globaleaks 10:28:49 <DrWhax> * Enabling GlobaLeaks Network Sandboxing... 10:28:49 <DrWhax> ...fail! 10:28:56 <DrWhax> 2015-04-21 13:59:29+0000 [-] Received SIGTERM, shutting down. 10:28:57 <DrWhax> 2015-04-21 13:59:29+0000 [-] (TCP Port 8082 Closed) 10:28:57 <DrWhax> 2015-04-21 13:59:29+0000 [-] Stopping factory <cyclone.web.Application instance at 0x452e830> 10:29:00 <DrWhax> 2015-04-21 13:59:29+0000 [-] Main loop terminated. 10:29:01 <DrWhax> 2015-04-21 13:59:29+0000 [-] Server Shut Down. 10:29:02 <DrWhax> thats all I get :-/ 10:29:05 <DrWhax> 2015-04-21 13:59:29+0000 [-] Exiting GlobaLeaks 10:34:22 <DrWhax> wooooooo I think I know XD 10:34:43 <r2r0> naif: ping 10:39:22 <naif> elv: that's probably because openpgp.js switched entirely to webcrypto for keygen so assume that it does not need webworkers? 10:39:47 <naif> elv: as we can leverage webcrypto on receiver side but not on whistleblower side 10:40:56 <evilaliv3> DrWhax: solved? 10:41:19 <evilaliv3> r2r0: https://github.com/globaleaks/GlobaLeaks/issues/1245 10:41:35 <evilaliv3> i'm working on removing angular-ui-sortable, that has various limits 10:41:56 <evilaliv3> one is the impossibility to solve 1245 that it's causing various UI issues 10:42:19 <evilaliv3> one other is the fact that it uses jquery that is not needed anymore 10:42:42 <evilaliv3> we should use a good library, minimal specific to angularjs that offer use two features: 10:42:48 <evilaliv3> 1) sortable 10:42:57 <evilaliv3> 2) drag + drop 10:43:42 <evilaliv3> it's not a big deal to use your angular-native-dragdrop for dragdrop 10:43:50 <evilaliv3> but it wound be bad to have only one 10:44:45 <evilaliv3> i was looking at two possible: 10:44:46 <evilaliv3> https://github.com/bachvtuan/html5-sortable-angularjs 10:45:22 <evilaliv3> one is this that works but seems to be in a really early stage and i do not trust the crossbrowser compatibility offered 10:45:37 <evilaliv3> one is this other: https://github.com/a5hik/ng-sortable 10:46:41 <evilaliv3> both offer the concept of item-handle, that enable to restrict the handle for the sortable/dragging to a tag/selection of all the item 10:48:04 <evilaliv3> handle: '> .myHandle', 10:48:17 <evilaliv3> ok it seems that you already used this in past 10:48:28 <evilaliv3> so ok for the moment the issue is solved by using this 10:53:51 <r2r0> yeah I seem to recall something like that 10:55:27 <evilaliv3> ok it works, vary badly documented all this libraries. 10:59:10 <GL-Github-Bot> [13GlobaLeaks] 15evilaliv3 pushed 1 new commit to 06devel: 02https://github.com/globaleaks/GlobaLeaks/commit/43fe59ab043f06c728ef60534efb49444b00d63d 10:59:10 <GL-Github-Bot> 13GlobaLeaks/06devel 1443fe59a 15evilaliv3: Address issue #1245 11:16:15 <DrWhax> evilaliv3: solved indeed XD 11:16:19 <DrWhax> sorry! 11:48:05 <evilaliv3> np 12:08:48 <GL-Github-Bot> [13GlobaLeaks] 15evilaliv3 pushed 1 new commit to 06devel: 02https://github.com/globaleaks/GlobaLeaks/commit/37292e57ab47111ad0abf1dbefbb4197ce369188 12:08:48 <GL-Github-Bot> 13GlobaLeaks/06devel 1437292e5 15evilaliv3: Apply same solution of #1245 to field configuration UI 13:03:05 <evilaliv3> hi all beautiful people :) 13:03:26 <evilaliv3> r2r0: where can i read the documentation about how meetbot works ? 13:03:43 <evilaliv3> in the meantime i've opened the pad for today: http://piratepad.net/7h4d3q4cZV 13:04:13 <evilaliv3> we can use it for the scrum meeting, of who is working today (so probably only me and evl) 13:05:25 <evilaliv3> i will take care of saving the contents of the pads during these days in the meantime that we agree on the proper tools in order to minimize the manual saving of this things 13:08:43 <elv> hei evilaliv3 ;) 13:10:33 <evilaliv3> hi elv 13:10:50 <evilaliv3> i've filled the pad 13:11:02 <evilaliv3> can you proceed doing the same i did? 13:11:24 <evilaliv3> let's try to focus simply on the three basic questions of the scrum 13:11:27 <evilaliv3> What did you do yesterday? 13:11:27 <evilaliv3> What will you do today? 13:11:28 <evilaliv3> Are there any impediments in your way? 13:12:01 <evilaliv3> nor that we are going to apply it properly but simple as it is it should work on working on ourselfs and get things done 13:12:30 <evilaliv3> where you still do not have tickets open remember to open that and provide details and links 13:13:19 <evilaliv3> concerning what i think to do today i've put something rellated what we discussed yesterday. let me know if my help is still neded here or if you moved forward on the problem 13:13:47 <r2r0> evilaliv3: http://lmgtfy.com/?q=meetbot 13:14:05 <MeetBot> r2r0: Error: Can't start another meeting, one is in progress. 13:14:14 <r2r0> hum 13:14:19 <r2r0> when ddi you start it? 13:14:26 <r2r0> or did we not close the one of yesterday? 13:14:31 <elv> 1) experiments with webworkers and deterministic key generation 13:14:34 <r2r0> #endmeeting