19:00:05 #startmeeting tbb
19:00:05 Meeting started Mon Dec 15 19:00:05 2014 UTC. The chair is mikeperry. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:00:05 Useful Commands: #action #agreed #help #info #idea #link #topic.
19:00:17 hello everyone
19:00:29 sorry for my absence the past two weeks
19:00:34 hello
19:01:04 I kept an eye on the scrollback and it seemed as though everything is going well.
19:02:21 last week wasn't a great week for my productivity though. I did some testing of the security slider and found a whole bunch of issues, and I looked at the new GPG key for TBB.. it's almost there, but not quite. I also began contacting people and discussing contracts as per my "advocate" role, but I still have quite a few more mails to send there. hope to get through those today
19:02:49 Giorgio also has a new noscript for us, which should fix the issue that caused us to need to add "https:" to our whitelist for the security slider
19:03:21 and also avoid using prefs for temporary permissions, and further allow us to simplify the NoScript UI with new prefs
19:04:24 Mozilla is also serious about this Polaris project. I am meeting with them tomorrow. I think our focus for that should be as you all discussed last week: getting our third party identifier isolation patches merged by the FF38 freeze
19:05:33 we probably should also make a tag for items we know we want in 4.5-alpha, or maybe just 4.5-alpha-3, or some combination
19:06:33 Is that meeting something we could listen in on via vidyo?
19:06:37 I think that's it for me and direction setting. I will be travelling this week and will also need to be working on my CCC talk on reproducible builds, so I fear my productivity won't be great for TBB through the rest of the year
19:07:12 but I can still help with critical things, and making sure everyone's contracts are set for Q1+Q2 2015
19:07:22 mikeperry: I'm pretty curious about their "tracking protection" (see -internal mail). Could you try talking to them about that too?
19:07:42 because it does not make much sense to me tbh
19:08:36 Maybe a Moz town hall meeting on Polaris sometime, like Arthur asks?
19:08:44 Anyone know?
19:09:44 GeKo: yeah, me either. I know they are focusing on this whitelisting scheme that is kind of unfortunate for us. but perhaps we can get some telemetry on usage of that + private browsing mode, for load estimates/statistics for a Tor-enabled PBM
19:10:03 that would be nice at least
19:11:38 arthuredelstein,msvb-lab: the meeting is at 11am PST tomorrow, but we're still not sure if it will be at EFF or Mozilla
19:12:21 err, not whitelisting, blacklisting of "bad" trackers
19:13:22 either way, I will try to reiterate that they want their "disable third party cookies" option to apply to all of the things we make network.thirdparty.isolate apply to, and see if I can convince them they want to do some usability testing on something like https://www.torproject.org/projects/torbrowser/design/NewCookieManager.png
19:13:26 I am skeptical that any blacklisting approach will truly empower Firefox users.
19:13:49 Any help Mozilla can provide is of course welcome.
19:16:44 yeah, me too. I think blacklisting will just create a different arms race. but I guess they probably want to show that they are doing something right away, and blacklisting is "something"..
19:17:05 *sigh*
19:17:07 Presumably Google is a "good" tracker?
19:17:17 they should merge and deploy our stuff
19:19:09 yeah, this will probably be a long road, still. but hey, they seem to be serious about it
19:19:34 yeah, the blacklisting ;)
19:20:00 anyway, here is what I did last week:
19:21:13 today I made another expedition to Mount Doom. And I am optimistic :)
19:21:33 do we have the One True Key at last? ;)
19:21:47 then we got gunes' patch landed (#13439)
19:22:00 we'll see, there is hope
19:22:25 did we cast it back into the fiery chasm from whence it came?
19:22:37 (ick. "from whence".)
19:22:46 not yet
19:23:16 then I tried to fix #13877 but that fails currently
19:23:41 I think I opstpone that work until ESR 38 comes and we need to fix a bunch of OS X related stuff anyway
19:23:48 *postpone
19:24:01 then I fixed #10125
19:24:19 I can build Tor Browser on a Debian system now
19:24:37 although there is stil no python-vm-builder package
19:24:39 *still
19:25:09 I am currently testing the patch a bit but that should be done this week
19:25:38 then I reviewed #13379 and am quite happy
19:25:58 it seems well-tested, too (thanks Mark and Kathy).
19:26:22 :-)
19:26:32 hello
19:26:36 i need some help...
19:26:49 this week I'll test #13379 a bit. I am curious what is happening if we ship more than one key
19:27:08 a thing we should do from the beginning even if we only sign with one key for the moment
19:27:14 i would like to contribute to the org so if someone could guide me it will be a great help!!
19:27:52 then I plan to resume my #9387 work
19:28:08 mikeperry: would be nice if you could add the things you found to the ticket
19:28:17 GeKo: I have a pile of notes on #9387. shall I just add them there?
19:28:33 yes, would be good
19:28:35 mostly around NoScript settings not being updated until New Identity
19:28:52 but a couple other UI/UX comments and other pref behaviors
19:29:42 finally I plan to look into the test failures happening with the nsiprotocolproxyservice patch
19:29:59 I have some hope geting that large patch into esr38 as well
19:30:04 *getting
19:30:12 that's it for me
19:30:41 * MarkSmith can go next
19:31:05 Last week Kathy and I implemented SHA512-based hashes for signed MAR files (#13379).
19:31:14 We landed a fix for #13776.
19:31:24 We also did some miscellaneous bug triage, e.g., #13893, #13920,
19:31:32 plus the incremental update failures reported by mikeperry and GeKo.
19:31:43 We also merged the nearly forgotten fix for #11449 into Torbutton.
19:31:53 This week we plan to review #13857 and follow up with any signed MAR issues that GeKo and other people find.
19:32:00 It is also worth noting that we will be out of the office most of next week (December 22-26).
19:32:11 And the week after Christmas (December 29 - January 2nd) we will have reduced availability to work on Tor items due to
19:32:17 the need to spend time on end of the year paperwork, tax filings, and other not-so-fun activities.
19:32:28 That's all for us.
19:33:37 * arthuredelstein can go next
19:34:10 Last week I worked on patches for #13749
19:34:29 I've posted one, and the other two are close
19:35:08 I also had another look at the unit test for the nsiprotocolproxyservice patch, but haven't solved it.
19:35:54 do you have a newer patch? because there is more than one test broken
19:36:08 with the one attached to the ticket
19:36:14 So this week I'll finish the patches for #13749 and also try to have a closer look at #13788
19:36:40 GeKo: The patch I posted on Mozilla has two unit tests broken, IIRC.
19:36:57 https://bugzilla.mozilla.org/show_bug.cgi?id=436344
19:37:02 I think they are probably related
19:37:35 ok. IIRC my try build has 5 failures at least (I ran all xpcshell tests and all mochitests)
19:37:38 on Linux
19:37:46 *had
19:37:56 I thin I fixed some of those
19:38:09 *think
19:38:26 aha! do you mind making your latest patch available somewhere?
19:38:41 Sure. Sorry for not doing so already
19:38:57 np
19:39:55 That's all for me.
19:40:57 * boklm can go next
19:41:18 since last week I added a test for the security slider #13682
19:41:47 atagar: do i need to upload a patch or something for the bug?
19:41:47 I tried to fix some problems running the testsuite on Windows, where the tor daemon does not get killed correctly and release its ports when using PT
19:41:55 for now I will disable the PT tests on Windows until this is fixed
19:42:10 This week I'm planning to:
19:42:15 review the patch arthuredelstein posted on #13749
19:42:27 rebase #13857 on the latest version of the signed MAR changes
19:42:46 investigate the fte random failures we have
19:43:02 samgtr: Nope. If you'd care for me to pull the change I can just fetch it from your repository. As mentioned on the ticket though it might be better to wait for the rest of the tests though.
19:43:05 that's all for me
19:47:06 boklm: the security slider behaviors may change slightly with the latest noscript and the set of things I noticed in the current branch. so just be aware, I guess. I will post my notes on #9387
19:47:41 mikeperry: ok
19:50:09 do we have anyone from support here?
19:51:27 I guess not. anything else?
19:51:36 Revisited #3246 last week.
19:52:16 ...and will be testing the incomplete Mozilla patch again this week, completing it hopefully.
19:52:41 nice
19:52:42 Hmm, what's with zwiebelbot.
19:53:05 Anyway, it's helping to get more familiar with the general FF cookie architecture.
19:53:20 And I've had more time lately to spend on this.
19:54:09 Not much else, but I think a new friend would like to ask about contributing.
19:54:12 ayushjjwala: You there?
19:54:34 yeah
19:55:16 If you found a bug or two on trac, and want to ask anything then go for it.
19:56:03 well i am goin through them...give me some more time to understand them!
19:56:11 Okay now problem.
19:56:25 mikeperry: By the way an exploit was supposedly found in TBB, so I sent him to you.
19:56:45 I think I'll keep on #3246 this week, and try to be at the Polaris meeting tomorrow.
19:57:10 Over.
19:57:45 who found what exploit? I don't see any mail
19:58:29 I couldn't figure out if he was serious or not.
19:58:54 atagar: can you merge the test code? I can start working on the next test then
19:58:58 If you receive no mail, then I assume the person discovered a user error or a flaw in their logic.
19:59:02 atagar: hope that's not a problem
19:59:58 samgtr: It's not a problem, but I'd rather have us do this in a feature branch until it's done. Little less messy that way (we can then merge a complete feature branch).
20:00:03 or they picked a poor subject and I missed the mail..
20:00:29 mikeperry: Well I told them to encrypt it and he said he would, so you don't have so many of those do you?
20:00:50 Anyway what's the proper tbb-sec@ or tor-sec@ or address for exploit reporting?
20:01:14 atagar: okay sure, I will start working on the next test then
20:02:01 tor-assistants@ ?
20:02:01 atagar: that is the exit_used test
20:02:55 rl1987:...so send a preview to tor-assistants@ and then real code encrypted to whoever responds from tor-assistants@ right?
20:03:18 hrmm.. yeah, I think we still lack a proper security list
20:03:44 msvb-lab: I'm not really in position to answer that, but it might be a good idea.
20:04:30 mikeperry: do you agree?
20:06:01 yeah, probably the best option at the moment
20:06:10 I still don't see this pgp mail, unless it was PGP inline
20:06:17 and with a bad subject I can't search for
20:06:56 when did this person appear?
20:07:14 Two days ago, and we chatted on IRC.
20:07:53 You'll find it if you search me around then. Whoops, might have been yesterday sorry.
20:09:22 yeah, no mail that I can see. hrmm
20:09:29 well, I think this meeting is over anyway
20:09:36 thanks everyone!
20:09:42 #endmeeting *baf*