18:00:51 <mikeperry> #startmeeting
18:00:51 <MeetBot> Meeting started Mon Aug 11 18:00:51 2014 UTC.  The chair is mikeperry. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:51 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
18:01:30 <mikeperry> let's get started. I have a bit of lag today, so beware of falling typos
18:02:25 <mikeperry> last week, I wrote a draft blog post for the iSEC study of Tor browser, and had Roger and GK review it. I also sent it to iSEC and they had some further comments
18:02:51 <mikeperry> it's on the blog, but unpublished. I need to do a few more tweaks, but if you have a blog account, you can view it
18:03:57 <mikeperry> I also helped move the releases along. they are almost ready, but we're trying to transition helix into a more active role in the release process. I owe her a mail about the release post and the location for the alpha's
18:06:12 <mikeperry> there were also some final touches to put on our funding proposal for the next two years. I think I gave armadev the details he needed for that
18:07:02 <mikeperry> I also pushed an esr31 branch, as well as arthuredelstein's bug-numbered patch branch (tor-browser-24.7.0esr-4.x-2 in tor-browser.git)
18:08:42 <mikeperry> this week, I am planning on getting the iSEC post up, give some comments and/or review, and/or merge the patches in https://trac.torproject.org/projects/tor/query?keywords=~MikePerry201408R, and update the design doc
18:09:22 <mikeperry> I probably should be creating tickets for the various writings and paperwork things I'm doing, so people who are interested can comment. I will definitely do that for the design doc and the FF31 work
18:10:52 <mikeperry> I think I might also do the Firefox31 feature review, or at least starting it is on my radar. that's probably better done earlier than later (currently our roadmap from the dev meeting has it due October, but bumping it up seems wise)
18:11:28 <MarkSmith> Agree regarding the FF31 review.
18:11:45 <mikeperry> I also want to get an outline of the security properties we want for a hardened android system, but that's non-TBB
18:11:53 <arthuredelstein> Sorry, what's meant by FF31 feature review?
18:12:40 <mikeperry> every Firefox release has a developer document that describes the features added and API changes since the last release. Here's an example: https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Releases/24
18:13:04 <mikeperry> it also has a list of undocumented bugs tagged in the bugtracker that are meant to be added to that, but for some reason were not yet
18:13:39 <mikeperry> so going through all of that for Firefox 25->Firefox 31, and reviewing each API for fingerprinting, third party tracking, and potential proxy issue
18:13:42 <mikeperry> +s
18:13:55 <arthuredelstein> Makes sense. Thanks.
18:13:57 <mikeperry> I also do a grep of the source to check for new socket and networking calls
18:14:08 <mikeperry> to check for possible new proxy issues
18:15:48 <mikeperry> that's it for me
18:18:39 * MarkSmith can go next
18:18:54 <MarkSmith> This past week, Kathy Brade and I spent time on a bunch of different things.
18:19:02 <MarkSmith> Other than miscellaneous bug triage and smoke testing of TB 3.6.4 and 4.0a1,
18:19:10 <MarkSmith> we committed a Tor Launcher fix that eliminates some errors that showed up on the browser console (this fix is not urgent; it can be picked up for the next 4.0 release).
18:19:22 <MarkSmith> We spent some time with XUL in order to provide some info to Isis for #12684.
18:19:50 <MarkSmith> As an experiment, we tried to reproduce the first TB 4.0a1 candidate builds on our own build machine;
18:19:57 <MarkSmith> Linux and Mac were OK but the Windows packages contain small differences in tor.exe.
18:20:05 <MarkSmith> We have not yet tried to determine the root cause.
18:20:17 <MarkSmith> We talked to Arthur about consolidating control port access code (Tor Launcher's tl-protocol.js and the new code he wrote for #8641).
18:20:28 <mikeperry> hrmm.. odd. I know GK committed some toolchain updates for Windows to try to eliminate some of those
18:20:28 <MarkSmith> Our collective thinking is that we need the asynchronous code he implemented for some things and we need synchronous code for other things.
18:20:34 <mikeperry> (windows build differences)
18:20:39 <mikeperry> I guess more may remain
18:20:57 <MarkSmith> mikeperry: maybe we missed those somehow?  But we should've had them.
18:21:20 <MarkSmith> On the control port code, the best of both worlds would be to refactor things to share common code but provide both async and synchronous access.
18:21:47 <MarkSmith> I don't think it is urgent to consolidate the code but other people might disagree.
18:22:07 <MarkSmith> This week we will publish rebased browser and builder branches for #4234 so everything can be merged into the TB 4.0 codebase.
18:22:16 <MarkSmith> Also, we will respond to boklm r.e. the script that he wrote for #12622.  Quick feedback: his approach looks good.
18:22:32 <MarkSmith> That's all for us unless people have comments or questions.
18:24:09 <mikeperry> ok. playing the infrastructure game to find a place for #12622 to live will be fun, I bet
18:24:54 <MarkSmith> Suggestions for who can "own" that infrastructure part?  I don't really know anything about how our web site works, etc.
18:25:24 <Sebastian> mvdan: nickm: there, all caught up. mvdan: If you have any questions, just ping :)
18:26:59 <MarkSmith> Anyway, we will need to figure out deployment and make it happen.
18:27:22 <mikeperry> the tricky part is that we have only a volunteer sysadmin, and no real hardware/infrastructure. this needs a dedicated system for a few reasons, and whose job it will be to find/provide that, and how it will be integrated is an unknown. every time something like this comes up, there seems to be a lot of arguing and buck passing. I will do my best not to get upset like I often do in these situations :)
18:28:18 <MarkSmith> Why does it need a dedicated system?  Do you mean the place where the script runs or the place where we host the mar files and XML update info files?
18:28:24 <MarkSmith> Or both?
18:29:12 <mikeperry> the place that runs the script is where I suspect to be the most issue. it needs to be both secure, and capable of running dynamic web code (python, yes?)
18:29:38 <mikeperry> that script will spit out urls and authentication info for mars, right? those mars can be on a static server at a different location?
18:29:42 <MarkSmith> The current approach is to have a script that runs offline to generate XML files and .htaccess files.
18:30:05 <boklm> actually, the script generates static .xml files and redirect rules, so it can be run on a developer machine who rsyncs the files to the public web server
18:30:06 <MarkSmith> Yes, the mars could be located anywhere.
18:30:19 <mikeperry> ah, great. that will be easier then
18:30:23 <MarkSmith> What boklm said :)
18:30:52 <MarkSmith> And even though I wanted a cool, live responder script this seems much safer.
18:32:45 <boklm> MarkSmith: does the updater require a specific SSL certificate (signed by a CA ? or one with a fixed fingerprint ?)
18:32:49 <mikeperry> do we have any thoughts on how to do incremental updates with our build system yet? or are we just going to roll out non-incremental mars for now and figure out incrementals later?
18:33:22 <mttp> What are the mars, now?
18:33:45 <boklm> mttp: the archive files used by the updater
18:34:03 <MarkSmith> boklm: the Firefox has some prefs that can be used to specify attributes of the update responder's SSL certificate.
18:34:53 <weasel> https://www.palfrader.org/volatile/2014-08-11-R1teIxGZcDo/screenshot.png
18:35:05 <weasel> boo.  torbrowser-launcher fails to download stuff.
18:35:11 <MarkSmith> mikeperry: We can start with full updates only.  We can generate incremental mars and everything will work though.
18:35:43 <MarkSmith> Incremental mars will need to be generated outside of the gitian-based build process I think and so there is a reproducibility concern.
18:36:11 <weasel> [ https://www.palfrader.org/volatile/2014-08-11-uEwqaobMKoc/stdin - missing sha256sums.txt-mikeperry.asc apparently ]
18:39:32 <mikeperry> weasel: which release was it trying to download?
18:39:56 <weasel> mikeperry: see the complete log -- it's trying to get 4.0-alpha-1.
18:40:34 <weasel> https://www.torproject.org/dist/torbrowser/4.0-alpha-1/ (also has nice index.html? files in it...)
18:41:05 <mikeperry> ok. yeah, I think we didn't relocate the signing files. I will make a note to discuss this with helix
18:41:28 <mikeperry> also, there is a cron script on check.torproject.org that we want to have point at a new location
18:41:33 <weasel> in the meantime, torbrowser-launcher is unable to give me a TBB.  it can't even run the one it already has.
18:41:47 <mikeperry> oh man, bad failure mode
18:41:52 <weasel> yeah, no kidding
18:42:30 <mikeperry> there is a cron script on check that updates https://check.torproject.org/RecommendedTBBVersions using https://gitweb.torproject.org/torbrowser.git/blob/HEAD:/build-scripts/recommended-versions
18:42:31 <weasel> manually cding into .torbrowser/tbb/x86_64/tor-browser_en-US/ and running ./start-tor-browser from there works,
18:42:49 <weasel> maybe that's ok for most of its users
18:43:08 <mikeperry> we want it to use https://gitweb.torproject.org/builders/tor-browser-bundle.git/blob_plain/HEAD:/gitian/recommended-release-versions at some point
18:43:13 <mikeperry> instead of https://check.torproject.org/RecommendedTBBVersions using  https://gitweb.torproject.org/torbrowser.git/blob/HEAD:/build-scripts/recommended-versions
18:43:27 <mikeperry> err instead of just https://gitweb.torproject.org/torbrowser.git/blob/HEAD:/build-scripts/recommended-versions
18:44:00 <weasel> is there any reason to continue the use of a SPOF service for that text file?
18:44:20 <weasel> instead of something that's actually redundant and that people try to keep available more actively?
18:44:20 <mikeperry> the failure mode issue should probably be taken up with micah lee, but I'll get to fixing the signature and index issue before the official release
18:44:39 <weasel> (i.e. www.tpo)
18:45:53 <mikeperry> ah, yes we can possibly put it on www, yes. that will require a new TBB release, but doable
18:46:58 <mikeperry> I will make a ticket for that
18:48:14 <mikeperry> who is next?
18:48:19 * boklm can go next
18:48:27 <boklm> So this week I have:
18:48:40 <boklm> - made a first version of a script for #12622 - https://trac.torproject.org/projects/tor/ticket/12622#comment:12
18:48:55 <boklm> - made a summary page of xpcshell test results for all commits: http://93.95.228.164/reports/index-browserunit.html
18:49:06 <weasel> mikeperry: (thanks!)
18:51:01 <boklm> Next week I'm planning to:
18:51:24 <boklm> - see with pearl crescent if we can test the update responder on real .mar files, and if there are some changes needed for #12622
18:51:33 <arthuredelstein> summary page is very nice
18:51:47 <boklm> - add an option in the testsuite to hide failures for already known issues, with a reference to a trac ticket (which I had planned for this week but didn't do yet)
18:51:49 * helix is here
18:52:20 <boklm> that's it for me
18:53:15 <mttp> I can go next
18:53:44 <mikeperry> helix: I just sent you a mail about the release, and also note weasel's comments. we can discuss this later, but I may be intermittently on/offline
18:53:53 <helix> ok
18:53:55 <mikeperry> for bits of today
18:54:05 <helix> got the email and will read scrollback and then I'll go after mttp :)
18:54:15 <mttp> We received more reports of the "Firefox is already running problem"
18:54:51 <mttp> This user said they were running Tor Browser on Windows and used it successfully 3 times before getting this message while trying to open it a 4th time
18:55:06 <mttp> And they saved it on the desktop
18:55:29 <mttp> I can't remember if there was more information to collect before making a ticket
18:56:51 <mikeperry> mttp: having them open the task manager and check for running firefox.exe processes and tor.exe processes is one step. getting a listing of files in the TBB profile directory (location changed in 4.0, but should be in Data/Browser/profile.default in 3.6.x) is another good piece of info
18:57:53 <mttp> Another issue on Windows is the "Tor is not working in this browser" message showing up after the user has been browsing for some time. The user that reported this issue was NOT in Iran (I thought this might be the answer at some point, but it looks like it's not)
18:58:32 <mttp> The user had not installed any antivirus or firewall, so I assume they just had whatever came by default with their system
18:58:46 <mikeperry> that is very odd. I think that check is only done at startup, iirc
18:59:17 <mttp> The user said they had been browsing for a few hours
19:00:08 <mttp> Also saved on the Desktop, using Windows 7
19:01:02 <mttp> And they couldn't reproduce the problem, i.e. it went away when they deleted Tor Browser and reinstalled it
19:01:13 <MarkSmith> Does the "Tor is not working in this browser" message mean they are viewing about:tor?
19:01:24 <MarkSmith> were viewing
19:01:49 <mttp> I don't think so, but let me check the ticket again for clues
19:03:18 <MarkSmith> Or did they see a "The proxy server is refusing connections" message?
19:03:58 <mttp> Ok sorry, I misreported--they said they had been browsing for "only a minute" and then got the message "tor unexpectedly exit"
19:04:29 <mttp> and after that they couldn't load any sites, so sounds like the browser stays open and usable
19:05:10 <mttp> The "Tor is not working in this  browser
19:05:22 <mttp> " message didn't happen in this case I was just misremembering
19:05:52 <mikeperry> were PTs involved?
19:05:53 <MarkSmith> Sounds like tor crashed or was killed… but of course we do not know why.
19:06:47 <mttp> The log message makes it look like PTs were indeed involved
19:07:30 <mttp> [NOTICE] Pluggable transport proxy (flashproxy exec Tor\PluggableTransports\flashproxy-client --register :0 :9000) does not provide any needed transports and will not be launched.
19:07:39 <mikeperry> sounds like oth of these may require new tickets in trac
19:07:43 <mikeperry> *both
19:07:50 <mttp> [NOTICE] Pluggable transport proxy (fte exec Tor\PluggableTransports\fteproxy --managed) does not provide any needed transports and will not be launched.
19:08:36 <mttp> ok, I'll do that this evening
19:09:49 <mttp> That's all for now.
19:10:30 * arthuredelstein can go next
19:11:01 <arthuredelstein> Last week I worked on polishing up #3455.
19:11:33 <arthuredelstein> I worked on a new patch for #8405
19:11:58 <arthuredelstein> And I started on #12620
19:12:32 <arthuredelstein> So this week I hope to continue on #12620
19:13:01 <mikeperry> awesome. thanks for picking that up
19:13:11 <arthuredelstein> my pleasure
19:13:40 * helix will go next if/when arthuredelstein is done
19:13:48 <arthuredelstein> done!
19:13:56 <helix> :)
19:14:15 <helix> I started porting my windows hardening changes that never really got totally finished to the 4.0 series, and it's going much better
19:14:21 <helix> I should have it done by the end of the week
19:14:42 <helix> I fixed those two issues weasel pointed out about 4.0-alpha-1 just now btw
19:14:51 <helix> and I'll get this release out today
19:15:10 <helix> that's pretty much it for me
19:15:33 <mikeperry> ok great. let me know if you need help with either of those
19:18:13 <helix> well, if you could write the remainder of the blog post I'll do the website tables :)
19:18:25 <mikeperry> ok
19:18:28 <helix> awesome
19:18:34 <helix> thank you
19:20:22 <mikeperry> anyone else? anything else?
19:21:16 <mikeperry> ok, then a reminder. if you want me to look at something, tag its ticket with MikePerry201408R. and in general don't forget to tag stuff with TorBrowserTeam201408 if you're working on it this month
19:21:52 <helix> team torbrowser
19:22:44 <mikeperry> tjr: I will reply to your mail later today btw
19:23:13 <helix> mikeperry: I have to disappear for 2h (gosh mondays are busy) but I'll work on the tables when I get back and if you send me the text to change (or edit the blog post yourself) just let me know if you need me to post it
19:23:18 <helix> I'm not sure how the permissions work
19:23:47 <mikeperry> ok, I might not have a stable connection until later today. we'll see. there's not a huge rush on this release though, so no worries
19:23:59 <helix> ok
19:24:00 <mikeperry> I will probably edit the post myself
19:24:04 <helix> great
19:24:10 <helix> so are we baf?
19:24:35 <mikeperry> indeed. I think that wraps it up. thanks everyone!
19:24:48 <mikeperry> #endmeeting *baf