17:58:22 #startmeeting tbb
17:58:22 Meeting started Mon Aug 25 17:58:22 2014 UTC. The chair is mikeperry. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:58:22 Useful Commands: #action #agreed #help #info #idea #link #topic.
17:58:57 ok. let's get started
17:59:40 * GeKo is here
18:00:07 * isis is here
18:00:21 last week I merged a few patches from isis for the canvas prompt, and wrote a couple of patches to improve logging of the urls and scripts involved
18:00:54 I also reviewed all of my gsoc student's code, and sent in his review
18:01:12 he did a good job, imo (mjuarez)
18:01:34 I look forward to seeing results based on his work soon.
18:02:05 I also discussed panopticlick 2.0 with gunes acar at the eff
18:02:19 this week I am for serious going to finish the Firefox feature-level review
18:02:25 for esr31
18:02:48 and hopefully merge the rest of the patches in MikePerry201408R
18:02:58 or at least comment on all of them
18:03:02 that's it for me
18:03:24 anything interesting to say about panopticlick?
18:04:00 it's still in the early stages. we just discussed new tests since the last one, and ways to study TBB's current defenses
18:04:08 we also discussed a few bugs
18:04:34 #11439 came up
18:05:17 OK; thanks.
18:05:18 and #5798
18:06:08 gunes the key thing I want out of a new panopticlick is the ability to get entropy/uniqueness reports per useragent
18:06:22 err s/gunes// there
18:06:54 it is made complicated by the fact that panopticlick removes duplicate results via cookies, which most TBB users won't persist
18:07:17 so we also discussed ways of asking the user for their TBB version and if they had tested before
18:07:29 vs providing a link from say about:tor and telling them to use that
18:09:47 It's not entirely clear to me that measuring entropy helps harden TBB, though. Osmy to identify all sources of entropy systematically.
18:09:56 Osmy -> Isn't it better just
18:10:57 well, it is not fully clear how much entropy our font limits allow in practice. nor our resolution fixes
18:11:28 having solid results on stuff like that can help us decide which defenses need more work, and how to prioritize things we haven't solved yet
18:12:24 it can also help us make the case with Mozilla for our defenses
18:12:51 esp if we are clearly doing better than Firefox by a wide margin
18:13:29 right now, there is intense argument about some of our defenses being improvements rather than solutions, and if there might be better improvements
18:13:37 and if those are worth it
18:15:20 having data hopefully will make all of that clearer
18:15:31 I see. I guess I would tend to lean toward defending outlier TBB users with weird installed fonts, even if they don't show up much in the stats
18:15:39 for example
18:16:00 hmm
18:17:44 we discussed using the font results from flash and java to try to find fonts like that
18:18:27 Sorry, I think I've diverted the meeting. I may not have thought this through enough in any case.
18:18:32 but yeah, that sort of thing is an argument for a different solution to fonts. I think dcf1 did some initial analysis on including font packs with TBB, but I forget what those were. I think he found it was 10s of MB to get full coverage
18:18:56 yes, something like that IIRC
18:19:25 there is a research paper that argues in favour of trying to make worst-case anonymity better instead of trying to maximize entropy for entire anonymity set.
18:19:42 it may be worth talking to him if you're interested in that. once we have incremental updates, such a cost might not be too bad
18:20:34 how is the incremental updater coming along?
18:20:43 for resolution and other things, it will be easy to see the outliers.. for fonts, we'll need to make inferences from secondary data sources (like the full font list from non-TBB users)
18:21:05 rl1987: Do you have a link? That's more or less what I was thinking about.
18:21:55 isis: we're going to roll out a non-incremental version first. that is ready for review and is in my pile for this week
18:22:26 so a thing that automatically pulls down 24MB when told to do so?
18:22:35 yes
18:23:08 i suppose it'll naturally get staged by people going online at different times, so okay
18:23:58 neat
18:24:07 here is what I did this week:
18:24:56 worked on getting ESR 31 built in our setup
18:25:08 I created the XUL part for #9387
18:25:38 atr leat a part that let me script things
18:25:45 *at least
18:26:10 I did some reviews and I fixed a bug in our nightly setup (#12920)
18:26:54 cool. Giorgio also just landed the "Only load HTTPS-sourced scripts from HTTPS url bars" NoScript pref for #9387
18:27:04 this week I hope to get 31 ESR built on at least one platform successfully
18:27:33 and I think I can have a first thing to review for #9837 by Friday
18:27:45 err #9387
18:28:14 arthuredelstein: http://home.mit.bme.hu/~tgm/phd/publikaciok/2004/nordsec04/tg_nordsec2004_proceedings.pdf
18:28:23 and I planned to review at least the gitian bits for the updater patch
18:28:39 I probably won't be able to do more :(
18:28:45 that's it for me
18:28:46 rl1987: thanks! :)
18:29:34 * MarkSmith can go next
18:30:16 Last week, Kathy Brade and I added riseup.net to the Bridge Help screen in Tor Launcher (#12895).
18:30:26 We also fixed #12444 and for our efforts we received 3 hearts from Lunar :)
18:30:38 We spent quite a bit of time on #10804 but we have not had much success reproducing the problem.
18:30:47 We tried on Mac OS and Windows; Linux is next.
18:30:56 We started to work on #11405 and plan to finish it today.
18:31:12 This week we will help land the #4234 changes and continue to work on other TorBrowserTeam201408 bugs.
18:31:21 That's all for us.
18:32:05 re #10804: an older computer helps and a debug build :)
18:32:40 OK. We tried the older computer idea, plus artificially loading the computer with other tasks.
18:33:11 I see. I hit it quite reliably on my Linux box (which is annoying...)
18:33:11 We tried a debug build on Mac OS but not on Windows. But we can try that everywhere ;)
18:33:38 OK. Maybe we should've started on Linux. We will ping you if we cannot reproduce it there. But I know you are busy.
18:34:29 do that. I am happy to test a patch.
18:34:37 Do you encounter the bug only with a fresh start or ?
18:34:47 That is, wizard or no wizard?
18:35:01 no wizard
18:35:28 OK. That is the scenario we have mostly tried so far.
18:37:50 * arthuredelstein can go next
18:38:11 Last week I worked on debugging patches in https://github.com/arthuredelstein/tor-browser/commits/esr31-port-untested
18:38:22 And I added unit tests for 3 patches
18:38:42 I also did some cleanup on my patch for #8641
18:39:41 And then I started working on trying to get torbutton to show up on the esr31 port, which it currently does not.
18:39:53 This week I hope to continue to write unit tests and work on the torbutton issue for esr31
18:40:29 I guess the latter is #10751
18:40:38 That's all for me
18:40:57 * helix is here
18:41:05 can I go? :)
18:41:05 hi!
18:41:23 I'll guess that's a yes
18:41:34 * boklm will go after helix
18:41:44 so I submitted the first pass of the hardening patch for the 4.x series last week and GeKo reviewed it
18:41:55 I think I fixed #10077, but I need to double check the PTs
18:42:20 and I need to check why GeKo's bundles differed from mine, it could just be a mistake on my part since mine matched each other
18:42:46 but it should be done this week I think
18:42:53 nice
18:42:54 unless something strange happens
18:43:19 GeKo: gcc 4.8.3 is nice enough to write its version into the binaries so you can find if they were built with it by using strings :)
18:43:26 4.6.3 doesn't do this
18:43:33 aha!
18:44:19 other than that, assuming everything goes fine with the hardening, I'll go back and triage some more bugs
18:44:23 that's all for me
18:44:46 arthuredelstein: (re: #8641) awesome!
18:45:19 thanks! :)
18:46:19 so last week I merged a patch on the test suite from Gunes Acar
18:46:29 integrated mochitest tests into our test suite
18:46:47 made a few improvements on the xpcshell part (reading results from the generated xunit xml file rather than parsing the logs)
18:47:08 next week I'm planning to launch a rebuild of all our commits to run mochitest on them
18:47:17 and set up some nightly builds on our build VM (with LXC)
18:47:36 that's it for me
18:48:01 Hi
18:49:07 hi mttp
18:49:08 The "Proxy with no PTs doesn't work in TB 4.0-alpha" issue I mentioned last week, turned out to be the user was in Saudi Arabia and their ISP censored Tor, so PTs fixed the issue, (as far as I can tell)
18:49:44 I finally found a help desk user who was responsive enough to give me the data needed to open #12941
18:50:11 I had a user report the following, as well:
18:50:19 > Thanks for offering TOR. A remarkable software!
18:50:19 > i have been attempting to restore previous saved bookmarks all through
18:50:19 > version 363. Previous versions i had no problems with this. My browser
18:50:19 > freezes up and having to restart. Attempted with 364.1 Also freezes my
18:50:22 > browser.
18:51:08 I told the user that the Tor Browser team had not really touched the bookmarks code from Firefox and they should try to reproduce the issue in Firefox ESR. So far I have not heard back
18:52:43 As I wrote in this coming week's Tor Weekly News, I've seen multiple users on multiple VPN services who say they can't use Tor Browser through a VPN. To me this isn't that big of a deal.
18:53:23 I just tell them that using Tor Browser with a VPN isn't supported, and that if they want a trusted entry into the Tor network to use a bridge, and that if they want to anonymize all traffic coming from their computer, to use Tails.
18:53:32 hrmm
18:54:19 I think it's probably a common usecase, actually.. it's probably worth finding out if it's a specific VPN type
18:54:39 HMA and Hotspot shield
18:57:29 I can ask for logs next time I get asked about VPN support
18:57:33 hrmm
18:58:28 well I would say that combining circumvention VPNs might be weird.. who knows how those try to work. I was thinking generally.. if all OpenVPN setups are broken with Tor Browser, that's bad, for example
18:58:50 but still worth investigating. many of these things use OpenVPN underneath
18:59:21 Or certain services might block Tor, for their own reasons
19:00:20 true
19:02:03 data retention reasons?
19:02:48 maybe, I'm just speculating
19:03:08 That's all the support issues I have to report
19:03:51 Once helix finishes the hardening stuff this week I'll look at the expert bundle some more
19:04:20 ok
19:04:54 I'll provide an update, although it's more about lack of progress.
19:05:12 I've unpacked more of my computers, including my ubuntu box that is dedicated to stuff like building TBB.
19:05:42 It errors somewhere in gitian, with apt (or whatever package manager it is) throwing an error about a size mismatch.
19:06:02 ah, wait
19:06:12 My aim was to build a windows/linux/mac build and do a performance comparison, but I'm currently stuck on the 'build' part.
19:07:04 tjr: that one? https://github.com/devrandom/gitian-builder/issues/66
19:08:07 GeKo: quite possibly! That's the error at least, and it spits out a 127.0.0.1 ip also somewhere - so pretty likely
19:09:02 I have no concerns about bandwidth, is there an easy answer to "How do I 'not cache'"?
19:09:22 not that I know
19:09:36 just upgrade your ubuntu if you can
19:09:42 Okay. Well this gets me somewhere, so I will keep investigating along this line as I'm able to
19:09:47 if you can't, upgrade apt-cacher-ng
19:09:53 or just stop it then start it again
19:09:58 helix: I should be able to do one or both of those.
19:10:08 the one in 14.04 works fine most of the time, but still sometimes needs to be restarted
19:11:48 (That's all I have)
19:11:50 If you upgrade to 14.04, be aware of #12431
19:13:31 mikeperry: before I forget it a comment on my last comment in #12620 would be nice.
19:13:46 I am unsure wrt the websocket patch at least
19:13:51 I just booted it up... I am running 14.04, but I don't think I'm using LXC
19:14:39 tjr: Not using LXC should be good (or better) on 14.04
19:16:44 it could be a local firewall or other odd redirection issue perhaps?
19:16:51 if it is still happening with 14.04
19:17:03 and an up-to-date 14.04, too
19:17:29 sometimes I have to vmclean to make that issue go away :| but usually just restarting apt-cacher-ng is enough
19:19:55 ok, is that it for meeting-related items?
19:22:03 ok then. it's *baf* time
19:22:13 #endmeeting *baf*