19:02:33 #startmeeting 19:02:33 Meeting started Mon Dec 8 19:02:33 2014 UTC. The chair is GeKo. Information about MeetBot at http://wiki.debian.org/MeetBot. 19:02:33 Useful Commands: #action #agreed #help #info #idea #link #topic. 19:02:59 we'll see whether mikeperry is making it to the meeting... 19:04:18 before we start with te usual business: I want to talk about the plan to get patches merged to Mozilla back upstrem at the end of the meeting 19:04:49 we only have about 8 weeks left before ESR 38 is essentially frozen 19:05:11 which is not much given that it includes christmas time 19:06:13 so anybody can think about a startegy and the most important things we want to have upstreamed by then. 19:06:24 *strategy 19:06:26 ok 19:07:17 my last week was mainly occupied by releasing 4.0.2 and 4.5-alpha-2 19:08:01 overall it worked as it should and I am especially happy how we worked together as a team: 19:08:35 thanks for the reviews on short notice, Mark and Kathy and thanks for the help with the incremental updates Nicolas 19:08:50 and thanks to Mike for being awesome as usual 19:09:03 Teamwork == good. 19:09:18 yes, indeed 19:10:23 additionally I looked at #13439 and reviwed and merged #13881 spent some time with scary timing attacks #11333 19:10:45 and got some order in my tickets. 19:11:55 next week I am currently planning to spend a bit more on #11333 investigating #13877 19:11:56 (oops) asn: thanks, will take a look tomorrow. 19:12:21 and working on #9387 + a bit on #10125. 19:13:15 oh I forgot I made a patch for the ReleaseProcess as well: #13916 19:13:25 that's it for me. 19:14:23 * MarkSmith can go next 19:14:35 Last week Kathy and I reviewed some fixes (#9387, #13439, #13671). 19:14:48 We also did some work on #13776 and #13379. 19:15:01 For #13379, we started planning the changes that we will need to make to libmar to add support for a more secure signature algorithm. 19:15:10 It is not clear if any Mozilla engineers are actively working on the bug GeKo filed 19:15:16 (https://bugzilla.mozilla.org/show_bug.cgi?id=1105689) but in any case Kathy and I do not 19:15:21 think we have time to wait for Mozilla to solve all of their transition / backwards compatibility issues. 19:15:29 Other opinions are welcome. 19:15:37 This week we will land a fix for #13776 and continue work on a better signature algorithm for #13379. 19:15:42 We can also help with code reviews, etc. 19:15:46 That's all for us. 19:16:10 I don't think we should wait for Mozilla here. 19:16:24 They have the problem that they already have SHA1 out there 19:16:40 There is some danger we could do something incompatibe with what they eventually do… but I am not sure they will move quickly. 19:16:43 but we don't have to deal with that with makes it easier on our side 19:16:50 Right. 19:17:31 Kathy and I will see what we can do to solve this for us and go from there. 19:17:39 sounds good 19:19:13 Who is next? 19:19:17 * boklm can go next 19:19:35 So I worked on some patches to fix #13857 19:20:21 I also worked on the setup of the testsuite on Windows, but it's not finished yet 19:20:31 This week I'm planning to finish the Windows testsuite setup to have it run automatically 19:20:42 I'm also planning to add a wiki page to document better the various tests we're running to make it easier to locate them 19:20:56 that's it for me 19:21:24 did you have a chance to look at the issue why the fte tests are failing so foten for some bundles? 19:21:32 *often 19:22:13 the settings test is failing due to the security slider 19:22:24 I didn't look in details, I'll try to do that this week 19:22:36 as the don't disable JIT anymore in the default setting 19:22:52 *we 19:22:53 ok 19:22:54 ok 19:24:29 (why not?) 19:25:04 qwerty1: why not what ? 19:25:15 disable jit 19:26:41 there are services broken due to that 19:26:54 ok 19:28:39 is there a bug# 19:30:21 qwerty1: mainly #9387 19:30:35 who is next? 19:30:37 * arthuredelstein can go next 19:31:00 Last week I had limited time, but I wrote a patch for #13881 19:31:18 This week I'll try and help with #13788 19:31:44 qwerty1: you mean broken services? at least #13069 19:32:16 and try to finish my unit tests for domain storage isolation, etc 19:32:35 yay 19:32:57 and hopefully helping with any other merging stuff 19:33:08 That's it for me 19:33:15 *Mozilla merging stuff 19:36:06 do we have anyone from support here by any chance? 19:39:45 thatht probably means: "no". so the merge plan: was is realistic? what should we aim for? 19:39:56 we have 7-8 weeks I guess 19:40:38 I want to focus on merging, while of course, fixing any bugs in my alpha code 19:41:24 Does anyone have the URL handy to load the relevant Mozilla bugs? 19:42:00 https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ALL%20whiteboard:[tor] 19:42:05 thx 19:42:29 landing patches in Mozilla is tricky, though. It's difficult to predict how long each one will take. 19:44:09 GeKo: Did you have something in mind regarding the ESR38 deadline? I suppose we can keep attempting to merge patches after that deadline as well. 19:44:27 arthuredelstein: if we could get your big patches for the domain isolation merged that might be good I think 19:44:40 I guess we need to balance "easy to land" vs. "will save us a lot of time later with patch maintenance/merging" 19:45:00 I am not sure bout the socks un/pw one though 19:45:34 but the other one giving a channel to the nsiprotocolproxyfilter seems promising 19:45:43 The SOCKS one seems to require that I create an associated UI for Firefox. I am willing to do this, but not sure if that's a good use of my time 19:45:52 from tor project's point of view 19:45:59 yes 19:46:10 nsIProtocolProxyFilter is almost there, but I ran into a broken unit test that has proved tricky to fix 19:46:21 Still puzzling over it 19:46:47 asking mcmanus might help he is pretty supportive 19:46:57 True, he's extremely helpful 19:47:46 the other big thing we should try getting into mozilla-central is our third party isolation thing I guess 19:48:12 the things we have the preference for to toggle it on and off 19:49:34 Yes. In looking at that, I think our patches may need some polishing. I see a lot of GetFirstPartyURI failures logged to browser console. 19:50:05 For example for OCSP requests and favicons 19:50:06 starting with https://bugzilla.mozilla.org/show_bug.cgi?id=962326 19:51:16 The noise in the browser console is pretty bad. mikeperry wanted all failures logged to help find problems, but maybe not so necessary now. 19:52:21 I wonder what Mozilla is willilng to live with here 19:52:30 *willing 19:53:14 MarkSmith: So without the changes Mike wanted TB console looks like regular ESR? 19:54:06 anyway, that are the big things I had in mind for the next weeks. not sure about smaller patches that are worth it 19:54:12 msvb-lab: I am not sure what you are asking. Without the changes there should be no change to the logging ;) 19:54:37 Yep that was my question. I just haven't looked myself, so had to ask (that's why.) 19:55:17 I think my plan for the mozIThirdPartyUtils bug would be rebasing to mozilla-central and looking for someone at Mozilla's side for review 19:55:28 and then start addressing the review comments 19:55:40 not sure if that is a good approach, though 19:55:58 Looking at https://bugzilla.mozilla.org/show_bug.cgi?id=962326, I guess progress stalled because we did not find a clear owner/reviewer on the Mozilla side. 19:58:21 http://arstechnica.com/security/2014/12/tor-privacy-service-used-in-a-majority-of-online-bank-heists-report-says/ => Nice of them to discuss wikipedia and google's special handling, and its negative consequences. 19:58:46 I think it stalled because a review wasn't formally requested. 19:59:36 I agree. 20:00:14 So I might actually do that this week: rebase the patch and ask for review 20:00:23 Here's my ticket regarding OCSP and favicons: https://trac.torproject.org/projects/tor/ticket/13670 20:00:41 we might see then what happens and whether the work we need to put into it is feasible for the ESR 38 deadline 20:00:54 I feel like we should maybe fix #13670 before submitting to Mozilla. 20:01:05 ok. 20:01:13 I would be happy to work on that, after my unit test task 20:01:40 arthuredelstein: Any idea how much effort it will take to fix #13670? 20:01:52 (I agree we should try to fix it first) 20:02:03 (before submitting to Mozilla) 20:02:31 I don't really know. I had a quick glance and it looked a bit tricky. 20:02:44 OK 20:05:14 arthuredelstein: we need that anyway for Tor Browser so might be smart to look at it after the unittest. 20:05:49 you might put your issue with the nsiprotocolproxy unittest in the mozilla bug so others could work on it meanwhile or help debug it 20:06:01 so we are not blocked there 20:06:32 GeKo: good suggestion 20:07:15 And yes, I'll look at #13670 after the unittest 20:07:23 ok. 20:10:08 I'd actually hear mikeperry's ideas here to. So discussing this further next week might make sense 20:10:41 might be a way to examine the patches we have to find other ones worth trying to get into ESR 38 20:11:11 s/actually/actually like to/ 20:11:15 MarkSmith: Oops, didn't mean to add your CC on that ticket :) 20:11:21 *remove 20:12:26 arthuredelstein: No problem. 20:12:45 ok, anything else for the meeting? 20:13:38 mikeperry said in his email: "We should have some 20:13:39 conversation about if we want to have a non-security 4.5-alpha-3 release 20:13:40 before the holdays with MAR signing and some of those other fixes that 20:13:41 didn't make it into 4.5-alpha-2, or if we want to hold off and do 20:13:42 nightly testing only." 20:13:59 But I would say until we have a fix for the signature issue (for MAR signing) 20:14:09 we need to wait on that decision / discussion. 20:14:44 I agree 20:15:15 I don't have anything else to discuss for now. 20:16:21 thanks for the meeting everybody 20:16:25 #endmeeting