18:00:20 <mikeperr1> #startmeeting tbb-dev 18:00:20 <MeetBot> Meeting started Mon Jun 1 18:00:20 2015 UTC. The chair is mikeperr1. Information about MeetBot at http://wiki.debian.org/MeetBot. 18:00:20 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic. 18:00:23 <hiddenEnemy> new coder looking to work on frent end stuff.. anyone here i can talk to? 18:02:11 <mikeperry> hiddenEnemy: we're about to start the tor browser developer meeting. I suppose you can watch and learn? 18:02:25 <hiddenEnemy> no probs 18:03:36 <GeKo> mikeperr1 started the meeting, we'll see if mikeperry can end it then ;) 18:03:37 <mikeperry> I will start by giving my status update from last week. Most of my time was spend working on non-TBB things (bw auths, Tor Labs, funding proposals). I did write up some initial ideas on exploit bounties 18:03:45 <mikeperry> heh, yeah 18:04:07 <GeKo> did you get my bounty mail? 18:04:46 <GeKo> I rather avoided sending it to all people as this felt a bit weird as I was not included in the conversation (no worries about that) 18:04:51 <mikeperry> This week will probably be another light week for me TBB-wise. Other than our status report, I will have to be in meetings Wednesday-Saturday. So if my input is likely to be needed this week, please try to get it soon 18:05:48 <mikeperry> strangely I don't see your mail, unless you changed the subject line? 18:06:05 <mikeperry> I saw your mail about HTTP/3. I am registered for the workshop successfully 18:07:01 <GeKo> good, yes I changed the subject to "Encrypted, srsly" 18:07:04 <mikeperry> that 8 minute timer thing was weird, but I think it is just an eventbrite payment portal thing, not the final end of ticket acceptance for the event 18:07:45 <GeKo> dunno, it felt weird and I was like "oh god, what should I do now..." 18:08:19 <mikeperry> no worries. I am sure it will be flexible still if we need to swap 18:10:41 <mikeperry> yeah, wrt the exploit bounties, the mail was a little unclear about how the Mozilla bounty would be handled. my thinking is that we would only allow people to double dip for item 5 on that list (the ASAN/Security Slider bugs). And I think yes, if you can pop ASAN and security slider, you should get more (up to 200%) 18:11:27 <mikeperry> breaking out of ASAN should be very, very difficult without Javascript. I want to give some extra incentive to discover if I'm right about that 18:11:38 <GeKo> yeah, fine by me 18:13:10 <GeKo> mikeperry: we might want to look at asn's ideas on his pad, like paying more if we have easier steps to reproduce etc. 18:13:40 <GeKo> https://etherpad.mozilla.org/GhGEnyUNLp 18:14:09 <mikeperry> yeah. he had some good ideas we should adopt. I saw them in the mail 18:14:10 * GeKo shuts up now 18:14:20 <mikeperry> oh, which I think you were still missing from 18:15:03 <GeKo> yes 18:15:04 <mikeperry> anyway, yeah, I'm also done with my sloppy status update. again, please try to flag me down before Wednesday if you need input this week 18:15:22 <mikeperry> otherwise it may end up waiting until next week 18:16:08 <mikeperry> which I think is when we'll tag for 5.0a1 18:16:22 <mikeperry> err, wait. what's this 38.0.5 business: https://wiki.mozilla.org/RapidRelease/Calendar#Future_branch_dates 18:16:57 <mikeperry> I don't see any build tags 18:17:19 <mikeperry> it looks like the schedule got bumped a bit too.. bleh 18:19:42 <mikeperry> well, that's a head scratcher. I see candidates on https://ftp.mozilla.org/pub/mozilla.org/firefox/candidates/ for 38.0.5, but not anything for 31esr.. I wonder what this also means for 38esr.. very odd 18:19:47 <GeKo> no ESR 18:20:19 <mcs> Yes, I think 38.0.5 (not ESR) is an "extra" non-ESR release. Confusing. 18:20:39 <mcs> Maybe contracturally obligated (that's a guess) 18:21:03 <mikeperry> yeah, the whole schedule appears to have been changed for it 18:21:14 <GeKo> but we want to get a logjam fix out anyway, mike, right ;) 18:21:22 <GeKo> (we can talk about that later) 18:21:32 <mcs> https://www.mozilla.org/en-US/firefox/38.0.5beta/releasenotes/ 18:24:16 <mikeperry> heh. that page is kind of sparse. I think this means that 5.0a1 might not be until June 30th, though who knows 18:24:36 <mikeperry> the bugzilla link is rather long, though 18:27:01 <mikeperry> ok, who wants to go next. we'll have to table deciding what to do about this until later 18:28:30 <n8fr8> just a quick note that amoghbl1 is making great progress on the Orfox work: https://dev.guardianproject.info/projects/orfox-private-browser/ 18:28:42 <n8fr8> a few patches were causing problems, so we need to review them to see if they are necessary/applicable to the android env 18:28:47 <n8fr8> and rewrite them if so 18:29:08 * n8fr8 is on a train with sketchy internet 18:30:38 <GeKo> who is keeping track of all the additional things we need to patch/modify for android? 18:31:18 <amoghbl1> well, that would be me I guess GeKo 18:31:40 <GeKo> fine, do you have a list somewhere? 18:31:57 <amoghbl1> https://people.torproject.org/~amoghbl1/Orfox/tbb_patches/ 18:32:14 <n8fr8> this is our official project tracker: https://dev.guardianproject.info/projects/orfox-private-browser/issues 18:32:24 <arthuredelstein> amoghbl1: In case it's useful, I'm working on a new branch now, here: https://github.com/arthuredelstein/tor-browser/tree/tb_GECKO380esr_2015050513_RELBRANCH+1 18:32:26 <n8fr8> so we are working on getting the problematic patches in there as tickets 18:32:47 <GeKo> no, no I was thinking about things we did not need to touch because they were not available in a desktop environment 18:32:48 <amoghbl1> check out the skip_list file for a report/list 18:33:25 <n8fr8> GeKo: these are the patches that make Firefox on Android crash (the "skip_list") 18:34:58 <GeKo> n8fr8: that's not what I mean 18:35:44 <GeKo> I mean features we don't care about in a desktop environment (and we thererfore did not patch nor filed bugs about) but that are available on android 18:36:12 <GeKo> I guess there is a ton of these things 18:36:44 <mikeperry> IIRC, amoghbl1 found a bunch of Java-related issues. I am not sure where that mail went 18:37:00 <n8fr8> ah, sorry, right GeKo the other way around 18:37:22 <n8fr8> some of that is here: https://dev.guardianproject.info/projects/orfox-private-browser/wiki 18:37:30 <mikeperry> I also saw some issues during my FF31 networking review. RTSP could bypass proxies, IRRC. There was also some weird UDP keepalive stuff on the LAN 18:37:32 <n8fr8> https://dev.guardianproject.info/attachments/download/1580/firefox-for-android-layers.txt 18:37:58 <n8fr8> but we have more work to do on that layer, and it is a moving target as well 18:38:06 <GeKo> mikeperry: yeah, ike that + who knows waht wrt to fingerprinting 18:38:24 <n8fr8> at this point, our goal is not "Tor Browser for Android" it is "something better than Orweb" 18:38:33 <n8fr8> and "not based on ANdroid's broken WebView" 18:38:41 <GeKo> ah, okay, nevermind then :) 18:38:57 <GeKo> s/ike that/something like that/ 18:39:23 <n8fr8> i mean, we are on that track, GeKo, for sure, but for now, just getting the TB patches mostly working, and the Android/Java layer properly proxying is our next big mielstone 18:39:37 <GeKo> cool 18:41:23 <GeKo> here is what I did last week: 18:42:23 <GeKo> I finished all the gitian bits for ESR 38, the tor-browser-bundle things for Mac still need to get tested finally and attached to the ticket 18:42:31 <GeKo> I backported a patch for #7256 18:42:46 <GeKo> err 18:42:52 <GeKo> #7561 18:43:23 <GeKo> I spent a surprising amount of time testing the fix for #16014 18:43:56 <GeKo> I started my review of undocumented Mozilla bugs which I'll finish this week 18:44:40 <GeKo> I filed some bugs for esr38 I found while testing bundles 18:45:12 <GeKo> I submitted a custom bundle to our test suite, so far I got no results back 18:45:27 <GeKo> boklm: how long is this supposed to take? 18:45:51 <GeKo> next week I plan to finish the remaining OS X gititan bits 18:46:26 <GeKo> I might play with switching to our clang-based cross-compiler for tor as well and add building it to our descriptor 18:46:35 <GeKo> then I'll finish the Mozilla bug review 18:47:01 <GeKo> and I start looking at the GMP/EME/Openh264 stuff that got introduced 18:47:14 <GeKo> that's it for now 18:47:47 <boklm> GeKo: for the 5.0a1-esr38-test build, a sha256sums.txt file (and signature) is missing in the directory 18:48:15 <GeKo> aha! 18:48:31 <GeKo> let me add that then 18:50:43 * arthuredelstein can go 18:50:54 <arthuredelstein> This past week I worked on #15196, primarily trying to finish rewriting the font-limiting patch. It's turned out to be quite tricky, but I'm hoping I can get it working this week. 18:51:19 <arthuredelstein> I also worked on some final touches to the patch at https://bugzilla.mozilla.org/show_bug.cgi?id=418986 and I think I should be able to post it soon. 18:51:44 <mikeperry> hrmm. the font limiting patch may need to be done a different way entirely anyway, eventually 18:52:03 <arthuredelstein> Yes, I was thinking about trying to tie it to first-party domain in any case 18:52:48 <mikeperry> mozilla had a bug with some ideas for preferring only a limited list of system fonts, which would be at a different layer than the CSS (and a more correct one). and then there's #13313 18:53:06 <mikeperry> either of these might be better uses of time than trying to get the CSS-based patch to work again 18:53:16 <arthuredelstein> Aha. I should look for that Mozilla patch. 18:53:31 <arthuredelstein> I figured #13313 is maybe the optimal solution, but a bigger project. 18:54:14 <GeKo> yes 18:54:36 <arthuredelstein> I'll look into both of those options and see what makes sense. 18:54:43 <mikeperry> https://bugzilla.mozilla.org/show_bug.cgi?id=1121643 18:55:04 <mikeperry> https://bugzilla.mozilla.org/show_bug.cgi?id=998844 is the support code that would hopefully make #13313 easier.. it landed in FF32 it looks like 18:55:07 <arthuredelstein> Thanks 18:55:45 <amoghbl1> arthuredelstein, the 72 patches listed there are infact your work, could you review the report I wrote for me? 18:57:19 <amoghbl1> s/work/branch 18:57:20 <arthuredelstein> amoghbl1: Not really my work -- I just rebased those patches. But happy to look at your report. Where is it? 18:57:34 <amoghbl1> https://people.torproject.org/~amoghbl1/Orfox/tbb_patches/skip_list 18:58:18 <amoghbl1> arthuredelstein ^ 18:58:44 <arthuredelstein> Sure, I'll have a look. 18:59:04 * mcs can give a report 18:59:14 <arthuredelstein> Regarding #16200, this week I'll try to test if the various features of TorButton are working with the #15196 branch. 18:59:21 <arthuredelstein> And if there is time, I'd like to work on upstreaming more patches to Mozilla. 18:59:27 <arthuredelstein> Go ahead, mcs! :) 18:59:45 <mcs> Last week, Kathy and I spent a little time spot-checking some of the patches on Arthur's tb_GECKO380esr_2015050513_RELBRANCH+1 branch and we made some comments in #15196. 18:59:53 <mcs> We investigated some things GeKo found in his review and testing for #16014; we are still working on this. 18:59:59 <mcs> We filed #16236 as a spinoff of #16014. 19:00:06 <mcs> Finally, we only made a tiny amount of progress in reviewing the Firefox developer docs for the releases since Firefox 31 (#16090) but we plan to do more this week. 19:00:11 <mcs> We will also push our #15145 changes to a branch or maybe we should create a Tor Launcher maint-0.2.7 branch for the TB 4.5.x series. 19:00:21 <mcs> That's all for now. 19:03:04 * boklm can go next 19:03:16 <mikeperry> interesting. #16236 (and other registry pollution) are technically tbb-disk-leak bugs 19:03:32 <mcs> mikeperry: Right. 19:04:16 <boklm> Last week I continued splitting tor-browser-31.7.0esr-4.5-1 into topic branches and pushing them separately on Mozilla Try to see which one fail tests 19:04:20 <boklm> I started a tool to help merge / pull / push the branches and list Try results: https://lists.torproject.org/pipermail/tbb-dev/2015-June/000276.html 19:04:32 <boklm> This week I'm planning to do the topic branch splitting on Arthur's esr38 branch 19:04:39 <boklm> And implement the commands to push branches to Mozilla Try, and to rebase the patches to a new firefox version 19:04:49 <boklm> That's all for now. 19:05:47 <mikeperry> what are you writing your tool in, btw? 19:05:56 <boklm> it's in perl 19:05:58 <mikeperry> I think I might be sad at more perl. 19:06:00 <mikeperry> aw :/ 19:06:51 <mikeperry> the update responses stuff is troublesome to get working on tpo machines, because it needs a bunch of sketch CPAN modules, and CPAN doesn't seem to authenticate anything 19:07:08 <boklm> hmm, there should be debian packages for those modules 19:07:32 <GeKo> there are, I only installed debian packages on my debian build machine 19:07:43 <boklm> so we shouldn't need to use CPAN directly 19:07:50 <mikeperry> yeah, there are. I don't have sudo on most of the tpo machines 19:07:59 <boklm> ah 19:09:54 <mikeperry> perl is also kinda gross generally.. hrmm 19:11:07 <mikeperry> I don't think its worth forcing you not to write it in perl, or rewrite what you have... but bleh.. I guess I should have asked last week 19:12:09 <TvdW> perl is an amazing language that saves a lot of developer time though ;) 19:12:21 <TvdW> worth putting up with the gross parts if it saves so much time 19:12:31 <GeKo> uh oh 19:12:37 * TvdW leaves again 19:14:37 <mikeperry> perl is pretty much technical debt by nature. it might be easy now, but it will be painful to update later. but, I supose this is till an experiment, and if the tool is mostly written already, I guess keep at it 19:14:55 <boklm> hmm, I don't think perl is gross, but maybe that's because I'm used to it. 19:14:55 <arthuredelstein> boklm: I had good luck with another git->hg tool. Just trying to find the name of it. 19:15:12 <GeKo> mikeperry: fwiw https://bugzilla.mozilla.org/show_bug.cgi?id=885777 + see the dependent bugs 19:15:22 <TvdW> mikeperry: as someone who does 40h of perl every week, I have to disagree :) 19:15:25 <GeKo> I am really happy about that momentum at Mozilla 19:15:45 <arthuredelstein> https://github.com/mozilla/moz-git-tools 19:15:49 <arthuredelstein> boklm: ^ 19:16:08 <arthuredelstein> Might be worth a look as a basis for your tool 19:16:11 <boklm> arthuredelstein: ah yes, I have seen this 19:16:27 <arthuredelstein> A little tricky to set up, but then it worked very smoothly 19:16:46 <arthuredelstein> Namely `git push-to-try...` 19:19:56 <mikeperry> ok, anything else in the way of status updates? 19:20:05 <tjr> I don't have much to report on. I tried building arthuredelstein's branch with GeKo's tb-builder branch. got errors on the linux build in tbb 19:20:35 <tjr> Never the same one, but usually around Unified_cpp or layout or spellcheck 19:20:48 <tjr> not going to have time to fiddle with it this week; traveling 19:22:16 <arthuredelstein> tjr: So they were intermittent build errors? 19:22:27 <GeKo> if you need help debugging this let me know 19:22:40 <tjr> well, i never got a successfull build after... 6 or 7 tries. 19:23:28 <tjr> i saves 3 of the errors, i can mail them if that's useful. can probably generate many more too :-p 19:23:33 <arthuredelstein> I wonder if you were running out of memory or disk space in the VM. 19:23:50 <tjr> I just didn't want to bug you with them, since it's not that important that i get it building right now. i can wait 19:24:01 <arthuredelstein> tjr: Thanks, that would be useful. 19:25:13 <mikeperry> any other questions? 19:25:29 <GeKo> tjr: what arthuredelstein said your symptoms fit quite well here 19:26:14 <mikeperry> I will try to pop into mozilla's IRC channels and try to dig up more info about 38.0.5, though there might not be much I can do about a release this week :/ 19:26:42 <GeKo> speaking of release 19:27:02 <GeKo> the logjam fix got backported to esr31 and I thought we could start building over the weekend 19:27:12 <GeKo> I can preparee everything for it 19:27:15 <mikeperry> ah, yes, I just saw that 19:27:33 <mikeperry> oddly no other fixes seem to have been backported from 38.0.5 19:27:41 <GeKo> then we could rlease next tuesday giving another three weeks to the next release 19:28:30 <GeKo> might be better than a 4 weeks/2 weeks schedule 19:28:46 <mikeperry> what do we want to do about the alpha channel in that case? keep them on 31esr? 19:29:33 <mikeperry> it seems a little early to push them onto 38 19:29:37 <GeKo> yes 19:29:53 <arthuredelstein> Yes, probably better to wait a bit longer 19:29:55 <GeKo> just a bunch of bugfixes 19:31:28 <arthuredelstein> GeKo: Shall I add your patch at #7561 to the ESR38 branch? Or do you think it needs additional review first? 19:32:08 <GeKo> arthuredelstein: you doing the review and adding it is fine :) 19:32:18 <mikeperry> GeKo: ok, I should be able to start a build during these meetings if it is ready to go 19:32:19 <arthuredelstein> OK, sounds good. :) 19:32:57 <mikeperry> (though gunner will be involved, so I may have to stare him down wrt the laptop rule if I try to do that at the wrong time) 19:33:13 <GeKo> lol 19:34:28 <mikeperry> ok, so I think we're set then. thanks, everyone! 19:34:37 <mikeperry> #endmeeting tbb-dev 19:34:42 <mikeperry> heh, nope 19:35:12 <mikeperr1> #endmeeting tbb-dev