17:00:26 <hellais> #startmeeting OONI weekly gathering 2016-08-29 17:00:26 <MeetBot> Meeting started Mon Aug 29 17:00:26 2016 UTC. The chair is hellais. Information about MeetBot at http://wiki.debian.org/MeetBot. 17:00:26 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic. 17:00:37 <hellais> so, let's get this started 17:01:04 <darkk> hellais: in Soviet Russia you'll rather have github blocked (happened several times) than TorProject (never happened to the date) :-) 17:01:29 <hellais> #topic Discuss the update strategy from 1.x -> 2.x 17:01:43 <hellais> darkk: but eventually it got unblocked? 17:02:02 <darkk> hellais: true, just kidding 17:02:11 <sbs> darkk: lol 17:02:19 <hellais> :P 17:02:29 <anadahz> I think that if they blocked OONI/Tor servers updates will be our least of our conserns :) 17:02:46 <darkk> I'm serious about blocked github/wikipedia, but it was always unblocked in a day or so. 17:03:05 <darkk> So it's not a reason to avoid them. 17:03:18 <hellais> anadahz: what other concerns do you have if OONI/Tor servers are blocked? 17:03:43 <agrabeli> I think it's important to take the fingerprintability component seriously into consideration 17:03:45 <hellais> because it's a fact that they are blocked in many of the places where we operate and we have various ways of circumventing the blocking 17:04:01 <hellais> cloudfronting, tor bridges, etc. 17:04:30 <anadahz> hellais: that we 'll no be able to receive OONI measurements 17:04:58 <hellais> anadahz: we will, they can be submitted either via cloudfronting or tor hidden service (with bridges) 17:05:41 <anadahz> hellais: yeah but is there built in support that fallbacks to cloudfronting? 17:05:51 <sbs> agrabeli: +1 17:06:08 <hellais> anadahz: for collectors and test helpers yes. 17:06:37 <anadahz> hellais: :) 17:06:46 <hellais> I don't remember if it's also done for the bouncer, but if it's not yet implemented it's part of the design 17:06:51 <anadahz> but not for ooniprobe 17:07:04 <sbs> hellais: previously you mentioned of a 1.6.0.1 update that also adds the script for updating lepidopter, can you say more on that? 17:07:19 <hellais> yeah sorry we verted a bit off topic 17:07:31 <hellais> so let me provide first a tiny bit of context around this 17:08:31 <hellais> so, for the past week anadahz and darkk have been doing a feasability study for implementing automatic un-attending full OS/Image update of lepidopter. 17:09:02 <hellais> based on their analysis it seems apparent that whatever solution we are going to integrate, extend, implement, deploy will require a considerable amount of effort and time. 17:10:07 <hellais> moreover even if we are to go for the full OS update system, there are still some pi's out there that we will probably not be able to ship a new SD card to and hence we would still need to come up with some update system to trigger updates in them 17:10:38 <hellais> currently our update mechanism is based on some cronjob that run pip install --upgrade every 7 days and that is the only vector we can use to provide updates to all raspberry pi images. 17:11:02 <hellais> this means we have to work with what we have and come up with something that can work for them as well 17:11:49 <darkk> I'd say `deploy` is the hardest part as soon as on-the-fly migration for this PIs to any new scheme having OS-wide updates. Everything else _may_ be done in a similar sketchy way. 17:12:26 <hellais> given this I believe it's best to reprioritise our work for the upcoming week on a minimal update system that will work by updating only the ooniprobe software, provisioning the rapsberry pi images with the new software update mechanism and then handle the update to the 2.x series via this update mechanism 17:12:52 <hellais> paralell to this we should begin integrating 2.x into a new raspberry pi image that ships natively the update mechanism and the GUI 17:13:39 <willscott> don't the rpi's now already do a apt-get upgrade cron against the ooniprobe software? 17:14:13 <hellais> darkk: the idea is that at that in the immediate future we would not be doing on-the-fly migration to OS-wide updates. Instead we would do it in 2 steps: 1. Ship an updater via the pypi vector 2. Update to 2.x via the updater 17:14:27 <anadahz> willscott: no ooniprobe is being installed via pip, since there were no recente debian packages of ooniprobe 17:14:45 <willscott> anadahz: but does it periodically re-pip-install it? 17:14:57 <sbs> regarding on the fly update of the PIs, why wouldn't it be enough to run apt-get to fully update the OS (minus OONI)? 17:15:00 <anadahz> willscott: right 17:15:15 <willscott> isn't that enough? 17:15:16 <hellais> willscott: yes, however they actually don't do apt-get upgrade, but they do pip install --upgrade, which means that to handle raspberry pi specific updates we would have to include all this logic inside of the setup.py 17:15:45 <hellais> however setup.py is also used by others that don't run it within the context of lepidopter, so it would mean maintaining as part of the stock ooniprobe source tree a bunch of logic that is raspberry pi/lepidopter specific 17:15:48 <willscott> what other changes do you want to be able to make to the 1.x image via updates? 17:16:04 <hellais> it would be better to have this decoupled and part of something else that is only executed on the raspberry pi's 17:16:18 <sbs> hellais: yes, makes a lot of sense! 17:16:27 <darkk> sbs: as far as I see, the only reason to avoid that is (unlikely) FS corruption if power is lost during the update && upgrade. 17:16:42 <hellais> willscott: there are various changes that need to happen that are lepidopter specific. I made a partial list of them here: https://github.com/TheTorProject/ooni-probe/issues/593 17:16:47 <willscott> it sounds like 2 upgrade paths for the 1.x and 2.x images is duplicating effort to support something that seemed pretty clearly advertised as an alpha / "this may break in the future" status 17:17:00 <willscott> cool 17:18:11 <sbs> darkk: right, so there is a way of running the update (like having two partitions) that guarantees that a aborted-while-in-progress update can be restarted, correct? 17:19:03 <darkk> sbs: correct, but migration to alike schema is to complex to be done right now, so hellais suggests to postpone it. Makes perfect sense as old PIs will eventually die due to wearout :) 17:19:04 <hellais> willscott: yeah that is true, it was clear that it was an alpha and future versions may break, however a lot of partners have gone through a lot of effort to deploy these probes in very risky countries and it will be very hard for us to be able to reach them with a new SD card to do the update 17:19:06 <anadahz> willscott: true but apparently it's seems to be a big issue for people swapping SD cards 17:19:42 <anadahz> sbs: Yes a dual-copy partition method such as SWUpdate 17:20:01 <hellais> willscott: I can give you more details on this off the record, but let's just say that some of them have gone through pretty extreme length to get them into certain countries and these are countries where you can't exactly rely on post to send an SD card to 17:20:16 <hellais> also the people that have the pi's are not technically savy enough to be able to burn it themselves 17:20:26 <willscott> makes sense 17:20:43 <anadahz> sbs: another way is via partition overlays 17:20:46 <agrabeli> hellais & willscot: and in addition to this, most of the probe hosts in these countries aren't "technical" enough to make changes as needed 17:21:06 <anadahz> sbs: re: https://github.com/TheTorProject/lepidopter/pull/69 17:21:07 <sbs> darkk anadahz: thanks 17:21:12 <willscott> i guess the only other thing to think about is if the number of deployed pi's is such that it is less work to develop software for upgrade, or to manually do upgrades via ssh on each pi 17:22:08 <sbs> hellais: so, how will the update script be rolled out in practice from the context of setup.py running on lepidopter? 17:22:27 <hellais> willscott: some of these pis don't have ssh access, so that is also not something we can easily do on all of them 17:22:30 <agrabeli> willscott: there are a number of pis out there that we probably won't be able to do upgrades to via ssh 17:23:09 <darkk> hellais: but we can enable it via updater :) 17:23:22 <willscott> but how many, are those the ones you can't get an updated sd card to? 17:23:45 <willscott> (i'm not opposed to the plan put forth, just asking questions to see if there's a way to spend less developer time on this) 17:24:20 <anadahz> hellais: how many did you count last time? 17:24:21 <darkk> btw, have we ever seen a lepidopter-PI with damaged FS so far? 17:24:23 <sbs> would having ssh access (and so potentially unfettered power over the boxes) changes the terms of our agreemtns with partners and/or cause other legal issues? 17:24:30 <anadahz> darkk: yes mine 17:24:45 <anadahz> located in DE 17:25:22 <agrabeli> sbs: nothing in regards to ssh access is specified in MoUs, though some partners have been open to this 17:25:39 <hellais> sbs: good question, so basically the plan is the following. We cut a new release 1.6.1.1 and publish it to pypi. This new release runs as part of the setup.py a procedure that will 1. Remove the auto-update cronjob 2. Install updater.py and the public.asc key inside of the correct locations 3. Setup systemd to run this with an interval of 6h. 17:25:45 <anadahz> darkk: it died after ~6 months 17:26:02 <hellais> anadahz: how many what? 17:26:23 <darkk> hellais: you'd rather swap (2) and (1) 17:26:40 <anadahz> hellais: how many Pis are out there 17:26:47 <andresazp> does lepidopter pull from the mainstream pip package repository 17:26:48 <andresazp> ? 17:27:06 <hellais> darkk: sure, I mean this should all be done as a transaction, so if any of the steps fails it should revert back to the initial state 17:27:22 <agrabeli> anadahz: 20 17:27:46 <sbs> hellais: uhm, and of course these procedure is conditioned to the presence of lepidopter, right? 17:28:02 <hellais> anadahz: as agrabeli we have given out 20, but IRC there are only about 10-15 actively submitting measurements. 17:28:14 <hellais> sbs: yes of course. 17:28:57 <agrabeli> anadahz & willscott: there are 22 pis out there currently (sorry, miscounted earlier) 17:29:12 <sbs> hellais: I guess the minimal 1.6.1.1 can just do step 2 and do all the rest using updater.py, right? 17:29:22 <agrabeli> anadahz and willscott: out of all these pis, only 3 of them have tor hidden services 17:29:29 <hellais> the nice thing of doing this by replacing the setup.py with the updater is that we only have to implement the update once and we can perhaps at some point in the distant future remove this logic from the setup.py script entirely 17:29:48 <hellais> (we probably want to keep it there also for future versions just to be sure that everybody gets a chance to update) 17:30:04 <hellais> obviously it needs to also check if the updater is already installed and run only if it isn't 17:30:15 <anadahz> andresazp: yes that has the latest stable release 17:31:01 <agrabeli> we'll be shipping about 15 pis over the next month 17:31:46 <agrabeli> many of which will end up in countries that we won't have easy access to later on 17:31:53 <sbs> agrabeli: ack regarding the MoU... if possible I'd avoid us having root access on lepidopters because it increases the scope of what we can do using the probes way beyond the software we deploy using standard channels and this imho could put partners in a more troubling situation if cought, not to mention that say I have access to all lepidopters, I am compromised, and someone uses that access to do nastry thing 17:31:58 <sbs> s 17:32:17 <andresazp> If it’s Ok and there is time in the meeting I would love to share an overview of our plans for the Venezuela deployment to get feedback from you guys 17:32:46 <agrabeli> sbs: I totally agree with you. 17:32:51 <anadahz> sbs: very good point have a look at: https://github.com/TheTorProject/lepidopter/issues/35 17:33:46 <agrabeli> andresazp: yeah, we'd love to hear your overview 17:33:47 <darkk> anadahz: #35 is solvable with PAM 17:33:59 <darkk> agrabeli: compromised admin's key is harder to mitigate 17:34:12 <anadahz> andresazp: sure do you want to add this topic to the agenda (https://pad.riseup.net/p/ooni-irc-pad) ? 17:34:56 <andresazp> sure 17:35:39 <anadahz> hellais: I'm going to look at the lepidopter-update after the meeting, is there anything specific that you would like to share about the implementation? 17:36:27 <hellais> sbs: I expect it to be fairly hard to remove entirely root access from the lepidopter image without signficantly impacting our ability to expand the platform in the future. I mean one of the main reasons why we use a dedicated device is so it doesn't have any user data on it. Confidentiality of the local network is a concern, but I don't think it's eliminated by disabling root. 17:37:35 <sbs> hellais: I am not advocating against having a root user, I am advocating against us having ssh access as root 17:37:50 <agrabeli> sbs: agreed 17:37:51 <darkk> sbs: what's the difference? 17:38:12 <hellais> anadahz: I don't have anything specific to add. It's fairly simple how it works. The jist of it is 1. Check for certain github tag (called latest) that has in it's resources a file called "version" that contains the latest version number (they are ever increasing ints) 2. Download every update file from $current_version to $latest_version and on each download verify if it's signed 3. Each version execute the 17:38:18 <hellais> python update script 17:38:34 <hellais> that repo includes the update agent and the scripts for maintainers to manage the update service 17:38:57 <sbs> darkk: that we do not have the power to login to a specific raspberry and launch arbitrary commands, but we must roll out updates using our infrastructure -- which is more open and scrutinizable by third parties 17:39:51 <hellais> a gotcha is that I make the assumption the update script is indempotent so to shift the complexity into the update scripts themselves that are easier to update and the agent can stay the same in the long run 17:41:18 <hellais> anyways this is what I had to say here 17:41:32 <hellais> for me we can move onto the next topic if nobody has anything to add 17:41:52 <sbs> darkk: to further clarify, I think we should not have assh access, because I think we should not be able to run arbitrary commands on the probe in an unaccountable way, and I think this is also a safeguard for partners (one thing is if you can demonstrate what software was running, another if one can argue a partner gave a box to "foreign agents") 17:42:28 <agrabeli> sbs: +1 17:42:31 <sbs> hellais: I'll take some time to review the script more carefully and do some reasoning on its idempotence 17:43:21 <hellais> sbs: great thanks! 17:43:22 <agrabeli> in any case, I don't think we should have ssh access into partners' pis (for the reasons mentioned by sbs), though I think it is important that we are able to somehow troubleshoot remotely and that scripts get updated automatically 17:43:23 <sbs> hellais: we can talk about this offline 17:43:31 <hellais> #topic Set release date for the 2.x series 17:43:31 <darkk> sbs: I understand the point, but I'm still unsure if I accept it from engineering point of view (say, running update on 5 PIs over ssh may be MUCH easier then writing proper updater script in advance) 17:44:02 * darkk has to think more about good way to have troubleshooting access 17:45:03 <anadahz> sbs: I am also very conserned about having SSH access but it's nearly impossible to acheive this when you release only one lepidopter release 17:45:44 <hellais> re: ssh access, we could potentially have a feature exposed from the web UI that allows the user to enable and disable ssh access on demand 17:45:50 <sbs> darkk: I see your point and have similar feeling, but I guess here we need a way to strike a balance -- a possible solution could be to allow selected partners to give us ssh access in specific cases if they chose to do so (say we really don't known how to proceed and we ask one guy to enable ssh on his lepidopter - but that should not be the default) 17:46:24 <hellais> if we want to be extra careful we could even have this happen via a special account where every command executed is logged and written to an auditable log 17:46:35 <hellais> similarly to how teamviewer works 17:46:58 <anadahz> yeah GUI is an option 17:47:07 <hellais> the probe operator when they request support would go to some admin interface of the GUI and click enable remote SSH access and they get the hidden service address 17:47:14 <sbs> hellais: yep (even though, in theory, once we have root-like access -- which we would probably need to have? -- it's game over because we can subvert everything) 17:47:17 <hellais> and share it with us together with some secret 17:47:21 <anadahz> sbs: asking people to enable SSH access though it's very hard! 17:47:27 <agrabeli> wouldn't we want all future images to be updated by default? 17:47:28 <darkk> hellais: that's probably not a good idea. Too much work, too little trust to the log. 17:47:38 <sbs> anadahz: as hellais is saying, we can figure out a way to do that for them 17:48:08 <sbs> anadahz: I mean, a user friendly way to allow them to give us access to the SSH of the probe 17:48:44 <agrabeli> sure, it's easier to just ssh in to them, but that's something that shouldn't scale imho 17:48:49 <anadahz> yeah but then we need to check if this allign with the development tasks that we also need to implement.. 17:49:05 <sbs> agrabeli: yes, my understanding is that we want auto-updates but I think we want that using a specific procedure not remote ssh access 17:49:30 <hellais> it's true that we could potentially subvert it, I can think of some ways in which we could make this harder for us to do (like making all commands go through some sort of proxy that uploads them to an append only log), though this is quite some over-engineering and probably for a marginal benefit 17:49:33 <agrabeli> we might be able to ssh into some of the partner pis with their consent, but do we really want users in general and across time to have this option? 17:50:01 <hellais> I think in the end if the user is OK with giving us this sort of power and it's something to be used sparingly only in emergency situations it's probably ok 17:50:28 <sbs> hellais: I agree with the marginal benefit part, here I was just trying to explore all the facts of the problem and not suggesting to do something not so simpler 17:50:28 <sbs> * simple 17:50:37 <sbs> hellais: +1 17:50:42 <agrabeli> hellais: yeah, but only in rare occassions with the consent of the partner, and not as something provided as an option in the GUI 17:51:09 <sbs> agrabeli: I guess this could be an advanced option that we can request partners to enable in specific cases 17:51:10 <darkk> I'd say having some sort of hardware toggle is a good option. E.g. reading authorized_keys from USB stick :) 17:51:41 <sbs> darkk: that's brilliant 17:51:50 <darkk> it's visual, it's obvious, it's trivial to revoke 17:51:53 <anadahz> and I guess we take into consideration that all people that use lepidopter are partners? 17:52:39 <sbs> anadahz: well, if somebody else installs lepidopter, I am not sure we would even want to consider having ssh access on their probe 17:52:42 <anadahz> which is actually not really the case 17:52:51 <sbs> anadahz: do we? 17:53:06 <anadahz> sbs: sure but how can we do this with one release? 17:53:24 <anadahz> sbs: I have raised similar concerns over time.. 17:53:47 <anadahz> and it's not that easy to maintain 2 releases, or maybe is it? 17:54:26 <sbs> anadahz: I think I am missing some bits, so I do not fully understand why now you are talking about two releases 17:55:06 <andresazp> if ssh requires a signed key the partner has –or rtaher not have if he just dowload the image. Is that is still a problem? 17:55:56 <anadahz> sbs: if we could have a partner-only lepidopter release we wouldn't have to discuss about adding SSH or not now, if partners were OK with this. 17:56:53 <sbs> andresazp: yes, I think the difference is just that we give partners also the usb key and they choose, other people do not have the usb key 17:58:11 <sbs> anadahz: uhm, what about lepidopter is always lepidopter and partners can use a usb key to give us ssh access if needed? 17:58:18 <agrabeli> anadahz: I'm not sure most partners are comfortable with ssh (or even know what that is), though in general, as mentioned, I don't think we should be ssh-ing into people's boxes (whether they are partners or not) 17:59:43 <agrabeli> sbs: as darkk suggested? 18:00:23 <hellais> well whatever this option is it's going to have to be something that is to be enabled by performing some sort of action by the user, so I don't see how it's a problem to have it be a partner vs a non partner image 18:00:58 <agrabeli> sbs & darkk: I think that's a great idea, given that we do that only in limited cases, and with the consent of partners. it sounds like a better idea than including ssh access as an advanced option of the GUI, that anyone could enable (without fully understanding what they're enabling). 18:01:10 <sbs> agrabeli: yep 18:01:13 <hellais> that is if they are a partner they will perform the action (insert the USB stick, click on something in the GUI, jiggle the power cord twice and do a handstand, etc.) if they are not a partner they will not perform this action 18:01:14 <darkk> well, let me introduce 'degradation levels' for the lePIdopter: 1) it works ok 2) it may be repaired with ssh 3) SD card has to be replaced (bootloader & both root images are damaged) 4) whole PI has to be replaced (PSU failure, for example) 18:01:16 <anadahz> sbs: increased complication as not all partners have physical access to Pis 18:01:21 <darkk> the question is -- do we need step (2) 18:01:45 <darkk> may we may move to (3) any time we need (2) ? 18:01:52 <hellais> if we want to "enforce" that this action is not possible by non-partner probes, this could just be a matter of adding something to the setup wizard where the user declares if they are a partner or not 18:02:20 <anadahz> It seems that the lepidopter requirements are changing with the times and per discussion :P 18:03:30 <sbs> anadahz: I see, well, we should probably find the simplest solution that avoids exposing partners too much 18:03:58 <sbs> darkk: case 2) is probably a failure in the updater right? 18:05:00 <anadahz> as willscott mentioned lepidopter alpha mentioned to be an alpha. But it seems that we have deployed a bunch of Pis to people that cannot really replace the SD cards and now we find the most optimal ways to work around this. 18:05:12 <anadahz> s/mentioned/meant 18:05:23 <darkk> sbs: I can imagine several cases. Actually, it's `any case that needs human intelligence to solve`. It's something unplanned & unpredictable going wrong with software. 18:05:59 <darkk> sbs: anything that can't be solved by reboot and auto-wipe 18:07:00 <agrabeli> anadahz: yeah, I guess the problem comes down to how we roadmapped our deliverables. We probably should have only have started deploying probes once lepidopter was stable, and including all these features....but then again, if we had waited for that, we wouldn't have the measurements and country reports on time....ah well. :) 18:07:36 <andresazp> per my limited experience, we would’ve needed to change at least 4 SD cards in a few months of operation if we didn’t had SSH cause of an ufoseen problem 18:07:39 <anadahz> agrabeli: True! 18:08:34 <sbs> darkk: okay, right... I think I know too little about managing raspberry pis to estimate the likelyhood of this kind of problems, I trust the experience of anadahz and yourself 18:08:37 <anadahz> agrabeli: I'm describing the issue to the rest of the people to understand how we came to this solution 18:08:46 <darkk> andresazp: do you mean bricking lePIdopter via ssh unexpectedly? 18:10:03 <andresazp> We didn't use lepidoper, but my point was in support of the option for ssh access for unforseen problems if hte user allows 18:11:05 <andresazp> In our case, the problem we had would have not been fixed with running pip update 18:11:58 <darkk> andresazp: are the cases documented somewhere? The information regarding real failure scenario may be useful. 18:12:57 <darkk> I'd love to see them documented in ooni-operators@ mailing list :-) 18:13:13 <agrabeli> since we're running out of time, should we proceed to andresazp's topic (and cover topic 2 last)? 18:13:39 <agrabeli> darkk: +1 18:14:00 <sbs> agrabeli: yep! 18:14:13 <andresazp> @darkk I will try to write there a bit, some machines we expect had FS or Hw problems are being collected but we still dont have them 18:14:36 <andresazp> First of all, were you able to include our previous VE reports from to your DB? 18:14:59 <hellais> sounds good 18:15:31 <hellais> #topic Update from Venezuela 18:16:26 <hellais> andresazp: not yet, I have a copy of the big tarbal you gave me, but we have been holding back on integrating them to getting the pipeline into a more stable state (bulk loading of many measurements with the current system seems to not make the pipeline happy) and we also have some space issues 18:16:27 <andresazp> I shared the link to the compressed reports on an old meeting. It was on someone’s etherpad grain on a self-hosted sandstorm inscance 18:16:42 <andresazp> ok 18:17:34 <andresazp> So our plans for VE are more or less the following 18:19:07 <andresazp> Deploy at least 4x the Rpi as in the pilot – we want to use ooni 2.x but is not guaranteed as of yet 18:20:16 <andresazp> in 12 or more cities 18:21:15 <andresazp> it’s possible that we might use lepidopter, but i’m not sure 18:21:17 <andresazp> we will run our own backend, but would love help configuring it so that it report 18:21:30 <andresazp> so that it reports automatically to your pipeline 18:22:06 <andresazp> (asuming those parts still work as I understtod them) 18:23:07 <andresazp> we would run another server in python/django that would help us visuallize the collected data by our probles 18:23:47 <andresazp> taking in part the role of the ooni pipeline, the official pipeline should get all reports nontheless 18:26:14 <hellais> andresazp: this is great! 18:26:17 <hellais> a couple of questions: 18:26:28 <andresazp> It’s just smaller solution easer to get it going and intagre with other things. Here we would report “incedets” that cohesibly and contextually report an specific incent (not a measuement) 18:26:28 <hellais> 1) What is the size of the deployment you are looking at? 18:26:29 <andresazp> this would be for internal consuption but the code will be open 18:26:47 <hellais> 2) What is the timeline for the project (i.e. when are you going to begin collecting measurements) 18:26:50 <andresazp> 60 to 70 probles 18:27:01 <andresazp> probes* 18:27:24 <anadahz> andresazp: 60-70 probes in VE? 18:27:25 <andresazp> finally we would setup a website to check on all of the incedets 18:28:49 <agrabeli> andresazp: this all sounds fantastic! 18:28:55 <andresazp> an incident, conceptually, may reflect information form many measuemets/reports/probes – even difernets tests ortargets as long they are related, and put in context 18:30:21 <hellais> andresazp: that is a very interesting concept. I wonder if the concept at least could then be extended also to the explorer 18:30:29 <andresazp> simillarly as you weould say that police was vviolently disperssing a peaceful protest, and include a list of injuried people rateher than repeat X person was beated in LOCATION during the protest on DATE 18:30:38 <andresazp> wouldn’t 18:30:54 <andresazp> would* 18:30:57 <hellais> andresazp: these incidents are recorded by having trusted people review the measurements or are you also thinking of crowdsourcing the analysis? 18:32:02 <andresazp> someone with privilges to our server would post the indents or updtae them 18:32:36 <andresazp> after reviewing measurements 18:33:14 <andresazp> that server could get really complicated really fast, so we are keeping things simple for the being 18:33:42 <andresazp> We are working on developing a few extra tests, also 18:34:50 <andresazp> speed test, despite being a slow system, we believe we can saturate the connection, most common speeds are under 1mbit in ideal conditions 18:35:03 <andresazp> locally 18:35:36 <hellais> andresazp: you should look into measurement-kit for running speed tests. It has a pretty good implementation of NDT. 18:35:46 <hellais> and it also supports submitting the results to an ooni collector 18:35:53 <andresazp> I see 18:36:27 <andresazp> we have a simple implementarion that ran outside of ooni on the pilot but thought of integarting it 18:36:42 <hellais> andresazp: do you have an estimate of when the first measurements are to be coming in? 18:38:36 <andresazp> we wwnat to do something like the whatsapp conectivity, and VPN block tests for tunnel bear (site previusly blocked), Zello (a push to talk radio app that has been blocked) and hotspotshield 18:39:15 <sbs> andresazp: what system are you using for running measurements? 18:39:47 <andresazp> the pilot had rpi 2, rpi 2+ and ocacionally a b 18:39:59 <andresazp> all the new ones are 3b 18:40:02 <hellais> andresazp: if you haven't seen it you may be interested in this whatsapp test I wrote some time ago: https://github.com/TheTorProject/ooni-probe/blob/feature/whatsapp-test/ooni/nettests/blocking/whatsapp.py 18:40:40 <hellais> it's not really thorough, that is it doesn't actually speak the whatsapp protocol, but it does to a general connectivity test towards all the whatsapp endpoints used in the mobile app and web app 18:40:54 <sbs> andresazp: I was already working to make debian packages for measurement-kit 18:41:35 <sbs> andresazp: and apart from that, it you're interested I can help you to add measurement-kit for running NDT in your use case 18:42:01 <andresazp> That’s what we see, and pretty much would replaicate the approach unless service wants to partner help us make it a bit more sofisticated 18:42:26 <andresazp> SBS: That would be great 18:43:12 <andresazp> possibly this would be required for zello IIRC 18:43:46 <anadahz> andresazp: Since ooniprobe v2 is going to be the new stable release it will be really helpful if you could test ooniprobe 2.0.0 that will be shipped by default in lepidopter beta --planned to be released by the end of this week. 18:44:11 <andresazp> anadahz: Carlos is tesing it 18:44:25 <anadahz> nice° 18:45:05 <andresazp> There are some features that we need on v2 though, and I’m not sure if we might be able to implement or re-implement 18:45:10 <andresazp> things form v1 18:45:32 <hellais> andresazp: great! Reports on any bugs or feature requests would be super useful. 18:45:44 <hellais> andresazp: are there features that were present in v1 that you are missing in v2? 18:46:12 <andresazp> comments in some form. that we could use a dict for diferent values 18:46:26 <andresazp> or maybe just a sting 18:46:31 <andresazp> string* 18:46:37 <andresazp> that we could parse 18:46:46 <andresazp> either in the ooni settings 18:47:24 <andresazp> or as a flag or option when running a deck. I understand that running tests changed a lot on v2 18:48:03 <hellais> andresazp: you can do this in the new deck specification as well, by means of the annotations. 18:48:07 <sbs> andresazp: to better understand, you are talking about the deck format, correct? 18:48:38 <hellais> you can specify these both as global (for the whole deck) or task specific 18:51:08 <hellais> for example like this: https://gist.github.com/hellais/d4fce0a27ee18105e990e955d3de1df7 18:51:38 <andresazp> I havent been able to test v2 myself much, but I thought taht feature wans’t ready 18:52:21 <hellais> I see, it 18:53:08 <hellais> it should be working and I have done some testing of annotations as well. Though the best thing is if you report any type of difficulty you encouter with v2 or even if you need some specific feature or adjustment to be implement either as github ticket or even just by sending me an email 18:53:09 <andresazp> I believe Carlos tried to test it 18:53:30 <andresazp> but we will certainly double test 18:53:37 <andresazp> For a bit of conext: 18:54:10 <andresazp> On the VE pilot the annotations includuded hardcoded information like probe ID, ISP, city and wather te test was run by cron or manually by one of us. 18:54:11 <andresazp> The commands concatenated the request to run a certaing test, list with the contests of a file that ID’d the probe 18:56:15 <andresazp> contents* , sorry the lack of spellchek is killing me 18:57:29 <andresazp> In this we might be more able to help, is what we discussed about adding a flag for web_conectivity so that it doesn’t necesairly run HTTP_request 18:57:49 <andresazp> for bandwith reasosns 18:58:16 <andresazp> I’m all ears for any more feedback and also critisims 18:58:32 <hellais> yes I understand. I guess you could achieve the adding of this metadata by generating the decks on a per probe basis. 18:58:36 <andresazp> criticism of how we plan to do it 19:00:07 <hellais> andresazp: I fear that not running the http request part of the web_connectivity could lead you into not being able to identify various cases of censorship that don't rely on DNS based blocking. The bandwidth consumption of the web_connectivity test is much less than http_requests, but it's still much more than just doing the DNS resolutions obviously. 19:01:20 <hellais> I wonder how much mileage you would get from not running the http request only when the DNS doesn't match. 19:01:46 <andresazp> we would run the complete web_conectivity, including the http_request part, but not as freceuntly, probbaly just at night 19:02:13 <hellais> ah ok got it 19:03:00 <andresazp> DNS and TCP would ID virually all if not every case of internet block or censorship ever implemented in VE 19:03:55 <hellais> understood. I do see some benefit of implementing this in the web_connectivity 19:04:03 <hellais> it shouldn't be too hard to do either 19:04:06 <andresazp> DNS is by far the most common, 19:04:06 <andresazp> Blocked IPs was somewhatr common, but currently not used 19:05:40 <hellais> also it seems like it would be useful to have per-test scheduling information specified in the deck descriptor 19:05:51 <andresazp> You will probably find simmliar needs in countries with less sophisticated censorhsip programs and low conection speeds 19:06:05 <hellais> yes that makes sense 19:06:55 <andresazp> For our pilot we had a pretty specific sheduling for diferents tests and even diferent lists 19:07:37 <hellais> andresazp: it would be cool if you could share some information about this on some ticket on github so we can see to add it as a future feature. 19:07:39 <andresazp> so a high priority list would run more frecuently in order to have early data on critical election-related sites beign bloched 19:08:40 <andresazp> ok 19:08:46 <hellais> thanks for sharing with us your progress on this and please to keep us updated on how it moves forward and if there is anything we can do to help you! 19:09:50 <andresazp> Our release plan is: 19:10:01 <andresazp> early version of our server by Dec-Jan 19:10:25 <andresazp> early version of public site by Feb 19:11:55 <andresazp> Fiest probles on the street and new ooni-backend instance properly configured by November 19:12:05 <andresazp> or october 19:15:35 <hellais> November or October of this year? 19:15:40 <hellais> that is the server and public site will happen after the probes are deployed? 19:15:41 <andresazp> The first thing we might need help is in configuring a ooni v2 compatible ooni-backend 19:15:42 <andresazp> For the pilot we bearly got it set up 19:16:11 <hellais> sure we can help with that. The v2 probes however are backward compatible with older backends as well 19:16:29 <andresazp> we might have a priblem in our old server, then 19:16:44 <hellais> ok, we can speak more about this out of band 19:16:49 <andresazp> ok 19:17:02 <hellais> if there is nothing else to add I would say we can end this with a "slight bit of delay" :P 19:17:05 <andresazp> the public server is public site that shows info on ïncedents” 19:17:14 <andresazp> .. sorry 19:18:18 * graphiclunarkid waves - lurking in the meeting but has nothing to contribute this time. 19:19:01 <hellais> cool 19:19:14 <hellais> in that case thank you all for attending and have a good week! 19:19:16 <hellais> #endmeeting