19:01:06 <mikeperry> #startmeeting tbb-dev 19:01:06 <MeetBot> Meeting started Tue Feb 17 19:01:06 2015 UTC. The chair is mikeperry. Information about MeetBot at http://wiki.debian.org/MeetBot. 19:01:06 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic. 19:01:10 <nickm> patch workshop is gazumped! 19:01:14 <mikeperry> oops 19:01:19 <Yawning> haha 19:01:22 <arthuredelstein> hi all 19:01:25 <mikeperry> did I just roll in over the patch workshop? 19:01:32 <TvdW> yep :) 19:01:32 <nickm> yeah but don't worry, we love you 19:01:34 <mikeperry> we can wander off into a new channel 19:01:37 <nickm> or we can 19:01:40 <Yawning> it's fine I think 19:01:45 <mikeperry> but then meetbot won't log. were you using meetbot? 19:01:50 <Yawning> no 19:02:01 <Yawning> so we should move 19:02:11 <Yawning> unless we were done 19:02:32 <Yawning> (I need to be in both meetings I think so ) 19:02:33 <rl1987> I think we're pretty much done, aren't we? 19:02:36 <Yawning> yah 19:03:53 <mikeperry> ok 19:04:06 <mikeperry> well, the tbb meeting shall commence then! 19:04:26 <Yawning> I have presents for y'all this week :P 19:04:43 * GeKo loves presents 19:05:14 <mikeperry> Last week, I did a bunch of work on the Torbutton menu and associated in-browser experience. I wrote patches for #8400, #9906, #9442, #14392, #14490, #14630, #14632, and #14849. 19:05:35 <mikeperry> I also reviewed and merged lot of patches, including #10280 and #12430. 19:05:48 <mikeperry> This week, we need to focus on getting everything ready for 4.5alpha4. Mozilla just tagged the latest ESR point release last night. I will be working on rebasing our patches for that today. 19:05:51 <nickm> Yawning: I think maybe if we watch, we will learn about something that we could do dsomething to help. 19:05:59 <mikeperry> We also have several tickets still in https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~TorBrowserTeam201502R that probably want to make it into 4.5alpha4, and some in there that maybe shouldn't. We should decide which is which. 19:06:51 <mikeperry> In terms of longer timespans, I think we should aim for stabilizing 4.5 soon. Probably by the next ESR point release, or shortly thereafter (once we have confidence in the new signed updater workflow and behavior) 19:07:24 <Yawning> mikeperry: I might have one or two more things for 4.5 beyond the patch I added, would that be bad? 19:07:30 <mikeperry> I suppose it may be rude to force people to switch to 4.5, so I think that means early/mid April 19:08:40 <mikeperry> Yawning: which patch did you add? anyway, as usual PT stuff can decide its own sub-component versioning for TBB 19:09:09 <mikeperry> I have a preference for PT things being latest-and-greatest anyway 19:09:35 <Yawning> #14919 19:09:41 <Yawning> today 19:09:48 <GeKo> for stabilizing 4.5: we should have #9387 ready by then which includes extra patches for disabling SVG and MathML 19:10:13 <GeKo> so, there is still a bunch of work involved in this regard 19:10:36 <MarkSmith> Do we need to patch Firefox for SVG and MathML disabling? 19:10:37 <mikeperry> I think I am more concerned about strings+UI for #9387 19:10:44 <mikeperry> but yes 19:10:52 <Yawning> it's relatively low risk unless I did something dumb in the new scramblesuit implementation 19:11:09 <Yawning> (fairly unlikely, the code is straight forward) 19:11:12 <GeKo> sure, strings+UI iare indeed more concerning 19:11:47 <GeKo> Yawning: the code looks good. I am aboubt to test things but am confident that the patch will make it into 4.5a4 19:11:52 <GeKo> *about 19:11:53 <mikeperry> MarkSmith: yes, we need patches for both. SVG is apparently extra tricky because we only want to disable it for content, and context is not always clear for that 19:11:53 <Yawning> beyond that I want to ship one alpha series with a goptlib patch 19:12:05 <Yawning> that uses socks5 instead of socks4 19:12:16 <Yawning> apparently psyphon has been using my branch randomly off github 19:12:21 <Yawning> so the code's fairly well tested 19:12:29 <Yawning> we just haven't merged it yet 19:12:30 <Yawning> heh 19:13:39 <Yawning> GeKo: lemmie know if anything blows up and I'll be happy to help 19:13:55 <MarkSmith> (OK; I found tickets #12827 and #13548) 19:14:37 <GeKo> sure and wrt to the goptlib patch: post a branch and we should be able to get it into the alpha after the next one. 19:14:42 <GeKo> Yawning: ^ 19:14:46 <Yawning> GeKo: sure thing 19:15:19 <Yawning> is there a rough estimate for the cycle time between the next alpha releases? a4 ->a5? 19:15:33 <GeKo> 6 weeks 19:15:36 <Yawning> I'm tempted to revisit the "make flashproxy actually useable out of the box" idea we had 19:15:39 <Yawning> ok 19:15:46 <mikeperry> https://wiki.mozilla.org/RapidRelease/Calendar 19:16:01 <mikeperry> 4.5a5 will likely be end of march, it seems 19:16:41 <Yawning> is there anything tor browser relatied that concerns me that I don't know about? 19:16:50 <mikeperry> with 4.5-stable coming out soon after (in my ideal world). at which point, we should focus on getting all of the 4.5 stuff rebased onto FF38-beta and start fixing unit tests and getting stuff updated in bugzilla 19:16:57 <Yawning> people apparently like obfs4 from what I've heard 19:17:31 <GeKo> mikeperry: sounds good. 19:17:34 <Yawning> and no one's complained about obfs2/obfs3 implemntations being replaces with mine which kind of suprises me 19:18:53 <GeKo> ok. here is what I did: 19:19:46 <GeKo> I worked on #14919, #14221, got #13169 sorted out and looked at #14851 and reviewed #5698 19:20:47 <GeKo> this week I plan to finish the cookie patch revie, do release related work 19:21:08 <GeKo> and get back to working on windows signing and fixing security slider issues. 19:21:17 <GeKo> that's it for me. 19:23:18 * MarkSmith can give a report 19:23:26 <MarkSmith> This past week, Kathy and I developed a fix for #13271. 19:23:33 <MarkSmith> We also fixed #14336 in the same patch. 19:23:40 <MarkSmith> We did some research for #13375; comments are welcome there. 19:23:50 <MarkSmith> We also did several code reviews and did a little research for #14392 (which mikeperry fixed). 19:23:58 <MarkSmith> Finally, we have been working on #14631. There are still a couple of issues to sort out, 19:24:04 <MarkSmith> and it will be a little messy, but we plan to follow mikeperry's advice 19:24:07 <MarkSmith> (create a Mozilla-acceptable patch and a separate patch that pulls in from Torbutton the new strings that are needed). 19:24:14 <MarkSmith> This week, we hope to finish #14631. 19:24:19 <MarkSmith> We will also stand by to help with any signed MAR files / updater issues that show up. 19:24:24 <MarkSmith> And we will spend some more time on code reviews. 19:24:30 <MarkSmith> That's all for us. 19:25:39 * boklm can go next 19:26:20 <boklm> So last week I added a test loading http://acid3.acidtests.org/ and checking that we get 100/100, and started looking at testing NoScript options (#13053) 19:26:29 <boklm> Today I updated the settings test to make it version aware, and make it work both for 4.0 and 4.5 versions (after GeKo mentioned this problem today): https://gitweb.torproject.org/boklm/tor-browser-bundle-testsuite.git/tree/mozmill-tests/tbb-tests/settings.js 19:26:42 <boklm> This week I'm planning to work on #13053 19:26:50 <boklm> that's all for me 19:27:43 * arthuredelstein can go next 19:27:55 <arthuredelstein> Last week I worked on #5698, #9442, #13670, #13882, #14555, #14866 and did a couple of code reviews. This week I'll continue to work on #5698, #13670, #14555. The following week I'll be mostly afk. 19:28:59 <arthuredelstein> That's it for me 19:29:59 <nickm> in case your algorithm for ginding stuff to solve doesn't match my algorithm for finding stuff for you to solve.... 19:30:04 <nickm> #14555 19:30:05 <nickm> is 19:30:10 <nickm> ready for your attention again 19:30:52 <arthuredelstein> Yes, I'll hopefully have a new patch in a day or two 19:32:59 <GeKo> mikeperry: looking at the list: #14919 should make it into the alpha, #13882 as well, maybe #13717. not sure about #14838. 19:33:29 <GeKo> the other stuff is ither already in or needs a bit more thinking imo 19:33:34 <GeKo> *either 19:33:59 <GeKo> #13882 needs a reviewer. if nobody steps up I can do that tomorrows 19:34:06 <arthuredelstein> Do you think #5698 has a chance if I get it fixed today? 19:34:15 <GeKo> *tomorrow even 19:34:24 <GeKo> arthuredelstein: depends on you I guess ;) 19:34:37 <arthuredelstein> cool :) 19:35:31 <GeKo> so #5698 as well if we have a patch by tomorrow 19:37:41 <MarkSmith> Kathy and I will review #13882 today or tomorrow 19:38:16 <mikeperry> I think we also want #14203. probably even for 4.0.4 19:38:17 <GeKo> thanks 19:38:41 <GeKo> oh, this is up for review? 19:39:07 <mikeperry> yeah, it wasn't tagged. I just saw it 19:39:20 * MarkSmith Just reviewed and commented in #14203. Looks like a good and safe fix. 19:39:22 <GeKo> nice, then yes 19:40:31 <GeKo> mikeperry: oh, and I think we should put a patch for #14851 both into 4.0.4 and 4.5a4. 19:40:44 <dcf11> What's the difference between TorBrowserTeam201502 and TorBrowserTeam201502R? I never know which one to tag. 19:40:47 <GeKo> your idea worked as far as I can see 19:41:02 <msvb-lab> dcf11: 'R' stands for 'ready for review.' 19:41:03 <Yawning> R for review? 19:41:16 <msvb-lab> Or release review. 19:41:17 <dcf11> So what does the non-R one mean? 19:41:49 <msvb-lab> dcf11: The date without R means target date. 19:41:58 <msvb-lab> But not necessarily 'Review-ready' yet. 19:42:11 <dcf11> Ohhh thanks. 19:42:24 <msvb-lab> dcf11: So many tickets have a date four months in the future, for example. 19:43:27 <mikeperry> https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking#TracKeywords 19:43:32 <Yawning> (dcf11: off topic to this tor brwoser stuff, do you want a patch to meek-client that enables proxy support for socks 4/5? It'd use go.net) 19:46:29 <mikeperry> ok, is there anything else for TBB? 19:47:35 <mikeperry> if you're going to review a ticket, remember to tag it with your name+month. we should probably get a second pair of eyes on any C++ patches, too 19:48:35 <mikeperry> oh, this is also going to be fun for us FYI: https://blog.mozilla.org/addons/2015/02/10/extension-signing-safer-experience/. but I guess we can just add in our own key into our builds for that 19:48:55 <mikeperry> (yay, more key material to juggle during releasing :/) 19:48:56 <GeKo> indeed 19:49:13 <MarkSmith> Annoying for developers but safer for users I am sure. 19:51:15 <mikeperry> I have an inherent distrust of app stores. I think the developer should still be in exclusive control of at least one of the signing keys 19:51:40 <GeKo> +1 19:51:51 <MarkSmith> Well, I guess I should say "Mozilla assures us it will be better for users." 19:52:16 <mikeperry> there's also censorship concerns, which the EFF is worried about 19:52:29 <mikeperry> (in addition to losing control of the HTTPS-Everywhere signing key) 19:52:39 <MarkSmith> Censorship is a good point. Definitely less s/w freedom with centrally controlled distribution. 19:54:09 <GeKo> I wonder whether we just should patch that feature out especially if we ship all extensions via our updater ourselves 19:55:26 <MarkSmith> I think nightly builds / Aurora won't check signatures, right? So there should be a way to disable it. 19:55:35 <GeKo> yes 19:55:36 <MarkSmith> (without too much hassle for us) 19:55:37 <mikeperry> I think I want users to still be able to install addons in TBB from AMO if they wish (though I have been debating warning users who navigate to the addons store page that Firefox addons may not always be safe for Tor Browser) 19:56:14 <arthuredelstein> A warning seems like a very good idea. 19:56:22 <GeKo> yes, I was primarily concerned about the extensions we ship and the hassle that brings for us 19:56:32 <MarkSmith> Or warn before install of any add-on? 19:56:33 <GeKo> + loosing the full control 19:56:44 <arthuredelstein> MarkSmith: +1 19:56:52 <GeKo> so, we could implement a whitelist or something 19:59:12 <mikeperry> I think blanket warn. I am not sure I want to get in the business of auditing secondary addons just yet, esp given fingerprinting concerns 19:59:24 <mikeperry> (for a whitelist) 19:59:47 <MarkSmith> Someone should file a ticket ;) 20:00:55 <msvb-lab> There is some form of extension warning already of 'unkown location' and thus already a condition where a blanket could be hard coded. 20:01:03 <mikeperry> ok, I will do so 20:01:54 <GeKo> not sure what you mean with fingerprinting concerns here but what I have in mind is e.g. a whitelist for Torbutton and Tor Launcher to be installable without having to put them through AMO 20:01:57 <msvb-lab> Is there evidence or statistics that indicate users are installing extensions? 20:02:49 <GeKo> I don't want to have some AMO reviewer being able to decline an update to these extensions for $reasons 20:05:01 <mikeperry> ok, #14924 20:06:34 <mikeperry> ok, I think that should be it for today then? 20:08:03 <mikeperry> #endmeeting *baf*