18:01:53 <mikeperry> #startmeeting tbb-dev 18:01:53 <MeetBot> Meeting started Mon Jun 15 18:01:53 2015 UTC. The chair is mikeperry. Information about MeetBot at http://wiki.debian.org/MeetBot. 18:01:53 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic. 18:02:17 * n8fr8 n8fr8 and amoghbl1 are here to share orfox updates 18:02:18 <mikeperry> ok, I can go first. 18:02:25 <mikeperry> ah, cool 18:02:59 <mikeperry> well, last week, I rebuilt 4.5.2 and 5.0a2 again to include the OpenSSL update and Tor 0.2.6.9. 18:03:05 <mikeperry> I also filed, tagged, and organized the tickets in the ff38-esr tag. I sent a mail to tbb-dev about this. The tag tbb-5.0a3-essential is the set of things we really need to get done in 5.0a3 by June 30th. The tag tbb-5.0a-highrisk is the set of things we probably should get into an alpha release before 18:03:10 <mikeperry> 5.0-stable. Feel free to add tickets to either list or suggest changes. 18:03:15 <mikeperry> I also broke off a chunk to work on myself over the next couple weeks: https://trac.torproject.org/projects/tor/query?keywords=~MikePerry201506 18:03:23 <mikeperry> This week, my plan is do my best to ignore bureaucratic things and work on those tickets. I may also help GK with 4.5.2 and 5.0a2, depending on what needs to be done. 18:04:08 <mikeperry> that is it for me for now 18:04:09 <GeKo> reading my mail from the weekend might help here :) it is encrypted, srsly 18:04:36 <arthuredelstein> What date are we aiming for 5.0-stable? 18:04:50 <GeKo> the thing is the openssl folks broke the ABI in 1.0.1n (thanks to dkg for the hint) 18:05:09 <GeKo> and released openssl 1.0.1o to fix this 18:05:30 <GeKo> arthuredelstein: the date when esr31 is EOL 18:05:32 <mikeperry> *barf* 18:05:36 <GeKo> mid-august 18:06:21 <arthuredelstein> GeKo: Makes sense, thanks 18:06:27 <GeKo> here is what I did: 18:07:05 <GeKo> I worked on the 4.5.2 and 5.0a2 releases 18:07:24 <GeKo> I think I fixed all the toolchain things I defeinitely want to have in 5.0 18:07:37 <GeKo> this includes the remaining bits for #16181 and #16351 18:08:02 <GeKo> then I finished reviewing #16090 and filed all the missing tickets 18:08:30 <GeKo> I wrote a patch for #14387 18:09:10 <GeKo> I am basically done with #16285 and #15910 18:09:29 <GeKo> I need to clean up my patches and post my branches 18:09:56 <GeKo> this week I plan to do 18:10:53 <GeKo> finishing the EME and GMP bits, working on the traacking protection bug 18:11:03 <GeKo> #16282 18:11:28 <GeKo> and I might look at high risk things to get moved forward 18:12:27 <GeKo> I think I should start with #15578 as well 18:12:36 <GeKo> that's it for now 18:14:00 <GeKo> mikeperry: I wonder if I should take #15482 from you given the time I already spent with looking at the Gecko Media Plugins 18:14:12 <GeKo> err #15842 18:14:48 <GeKo> not having GMPs on the radar was basically the reason why Mozilla did not merge the original patch 18:15:27 <mikeperry> ok. what is your plan with that? to have the patch allow them? 18:15:44 <mikeperry> I think ourblock-everything-but-flash patch may also block GMPs? 18:16:13 <GeKo> I think we should start with blocking them as well 18:16:32 <GeKo> especially the adobe cdm is a nightmare 18:17:31 <GeKo> we might want to have a more fine-grained approach in the long run though wrt gmps 18:17:47 <mikeperry> so apparently there is a "keyless" way to do EME to use the same API but without DRM.. I saw a post somewhere recommending that people use/allow that even if they oppose DRM.. whoi knows what that means for us.. 18:18:26 <GeKo> yes, I quoted that in the EME bug we have 18:18:29 <mikeperry> ah you mention it 18:19:06 <GeKo> and hsivonen has a point I think but Mozilla does not allow that distinction yet 18:19:44 <GeKo> which is why I'd like to refere cases like that to a more fine-grained approach later 18:19:51 <GeKo> *refer 18:20:28 <mikeperry> ok, so it's either all-or-none at this point then? 18:21:01 <GeKo> yes, that makes the most sense to me at this point and is reflecting the particular mozilla bug iirc 18:21:04 <mikeperry> I guess we should just completely disable it for no 18:21:12 <mikeperry> s/no/now 18:21:39 <GeKo> yes 18:24:12 <mikeperry> #15842 is now yours then 18:24:45 <mikeperry> who wants to go next? 18:25:06 * mcs will give a report 18:25:15 <mcs> Last week, we did some bug triage and code reviews. 18:25:22 <mcs> We worked on our deliverable list for the 2H 2015 contract cycle. 18:25:27 <mcs> We committed our fix for #15145. Note that if other Tor Launcher fixes need to be made for TB 4.5.next, a branch should be created (don't pick up the #15145 changes). 18:25:41 <mcs> We did some analysis and testing for #13035 and we fixed #16356. 18:25:50 <mcs> Finally, we started to work on #16300 (understanding the feature and implementation with an eye toward how best to insert our URL-bar isolation). 18:25:58 <mcs> This week we will work more on #16300 and then look at other tbb-5.0a3-essential or tbb-5.0a-highrisk issues. 18:26:02 <mcs> That's it. 18:27:00 * arthuredelstein can go 18:27:07 <arthuredelstein> Last week I upstreamed a couple of patches to Mozilla https://bugzilla.mozilla.org/show_bug.cgi?id=967812 and https://bugzilla.mozilla.org/show_bug.cgi?id=629558, 18:27:10 <arthuredelstein> which correspond to #2950 and #2949. 18:27:18 <arthuredelstein> I reviewed #16356 (and committed it to my ESR38 branch) 18:27:24 <arthuredelstein> and I wrote a patch for #15646, which is just about ready. 18:27:32 <arthuredelstein> I also started working on unit tests for #16315. 18:27:44 <arthuredelstein> This week I plan to pick some tbb-5.0a3-essential tickets and work on those. 18:27:59 <arthuredelstein> That's all for me 18:28:18 * n8fr8 amoghbl1 and i are up 18:28:47 <n8fr8> Good progress this week on getting all the bits of network code in the Android/Java layered proxied 18:28:54 <n8fr8> https://dev.guardianproject.info/news/223 18:28:55 <GeKo> arthuredelstein: I have only skimmed the upstreamed patch for #2950 but how does it fix the crash we get on New Identity? 18:29:29 <n8fr8> the hope is that this could be upstreamed into a centralized proxy setting 18:30:07 <arthuredelstein> GeKo: If I understand correctly, that crash had to do with toggling the pref. The upstreamed version is static, so instead of toggling, we just clear the permissions db using `Services.perms.removeAll()`. 18:30:41 <GeKo> hrm... that might help, right 18:30:58 <n8fr8> remaining tasks before our next public alpha are to remove unneeded android permissions, implement the orfox branding, and complete the network leak testing: https://dev.guardianproject.info/projects/orfox-private-browser/issues?fixed_version_id=169&set_filter=1&status_id=o 18:31:02 <n8fr8> anything else, amoghbl1? 18:31:12 <amoghbl1> that's about it n8fr8 18:31:32 <amoghbl1> and the two files differ from the tor-browser repo part 18:31:32 <n8fr8> thanks for the hard work, amoghbl1, and the help TBB team in any reviews you have been, can do 18:31:57 <GeKo> arthuredelstein: still, I am wondering what happens if users are toggling the pref manually. Do they blow their browser away then? 18:32:27 <GeKo> especially if we are assuming that this is bound to a private browsing mode which can be toggled on and off 18:32:54 <arthuredelstein> GeKo: In the upstreamed version, I think nothing happens. They need to restart the browser for a new permissions db to be created. (Sorry for interrupting, n8fr8 and amoghbl1) 18:33:29 <GeKo> ah, okay 18:33:40 <arthuredelstein> GeKo: But I should check this again 18:34:10 <mikeperry> amoghbl1,n8fr8: you probably want to disable https://developer.mozilla.org/en-US/docs/Web/API/Device_Storage_API 18:34:57 <n8fr8> okay, adding a ticket for that 18:35:21 <n8fr8> all in all, i am happy with how few changes we've have to make thus far, so we are a relatively clean set of patches on top of the TB ESR38 branch 18:35:22 <n8fr8> https://github.com/amoghbl1/tor-browser/commits/orfox-tb_GECKO380esr_2015050513_RELBRANCH 18:35:25 <mikeperry> there are a couple other prefs we've noticed 18:36:07 <mikeperry> media.rtsp.enabled needs to be disabled, I think, or it may leak UDP for some video sites 18:36:27 <n8fr8> seems that Device Storage API is FirefoxOS not Android but we'll look into it 18:36:43 <mikeperry> services.push.udp.wakeupEnabled 18:36:46 <n8fr8> yeah, i think RTSP is off, but we'll double check that. 18:37:24 <arthuredelstein> GeKo: #16357 18:37:33 <mikeperry> arthuredelstein: is Services.perms.removeAll synchronous? 18:37:44 <GeKo> yeah, I saw that one 18:39:49 <arthuredelstein> mikeperry: I'm checking that now. 18:40:33 <mikeperry> it looks like the memory removal is synchronous, but the disk one is async 18:41:04 <mikeperry> oh, I am on ff31 branch though 18:42:01 <arthuredelstein> I think you may be right in any case. 18:43:07 <arthuredelstein> There's a weird comment here: https://dxr.mozilla.org/mozilla-central/source/extensions/cookie/nsPermissionManager.cpp#1128 18:43:53 <arthuredelstein> It looks like observers are notified, but before the disk db is wiped. :( 18:44:39 <mikeperry> from that comment, it sounds like the disk version is just some kind of backup.. 18:45:27 <arthuredelstein> Of course it's not just a backup, because it gets read when FF starts up. 18:46:31 <arthuredelstein> I guess the important question is whether there is any chance for the old disk db to be read after removeAll is called. 18:46:54 <mikeperry> but perhaps it's using some kind of caching/copy-on-write.. it looks like reads of the permission manager only use the memory db during normal operation 18:47:47 <mikeperry> ex: nsPermissionManager::GetPermissionHashKey 18:50:12 * boklm can go next 18:50:25 <boklm> I made some improvements on the hardening checks we are doing: 18:50:27 <boklm> Changed the tests from Warning to Errors, with lists of files to ignore: https://lists.torproject.org/pipermail/tbb-dev/2015-June/000287.html 18:50:36 <boklm> I added a DEP/ASLR check on Windows binaries (using the script tom posted on #15138) 18:50:44 <boklm> I didn't deploy those changes yet, I'm planning to do it tomorrow. 18:50:55 <boklm> This week I'm planning to fix the acid3 false positive errors we have, and review more Try test results 18:51:01 <boklm> that's all for me. 18:51:10 <GeKo> do we have tickets for all of these files? 18:51:36 <boklm> I don't think we have for all of them 18:52:01 <boklm> I can check and open missing ones 18:52:44 <GeKo> please, if we don't report errors anymore I think we should at least be aware of the underlying issue 18:52:51 <mikeperry> the meek and obfsproxy are due to golang being lame and rejecting hardening 18:52:59 <GeKo> that is true 18:53:19 <mikeperry> however, I am concerned about the stack_canary ones 18:53:22 <GeKo> but i was not aware of the python things for instance 18:53:27 <GeKo> , yes 18:53:58 <GeKo> there is a ticket for the first 5 but the other ones are not covered, yet 18:54:02 <mikeperry> the python ones are a bit concerning too. those are probably a bug in the module build process 18:54:30 <GeKo> #13056 18:54:59 <GeKo> ah, no we have them there too 18:57:19 <boklm> so we need a ticket for DEP/ASLR for the python files ? 18:57:53 <GeKo> yeah, I think so 18:58:23 <GeKo> basisally for all the windows things 18:58:28 <GeKo> *basically 18:59:17 <boklm> ok 19:02:43 <arthuredelstein> mikeperry: In nsPermissionManager, the only place where the disk permissions db is read is in ::Init() { ... ::Read() ...} . I think ::Init() is only called once in a Firefox session (because nsPermissionsManager is a singleton), so it appears we can treat RemoveAll() as synchronous. 19:03:15 <mikeperry> ok, great 19:05:26 <mikeperry> anything else for this week? does anyone have any alterations/suggestions/questions about the tbb-5.0 tagged tickets? 19:07:10 <mikeperry> GeKo: the OpenSSL thing is annoying.. one thing that may be somewhat common is people copying in a custom-compiled or system tor binary into their TBB dir 19:07:37 <GeKo> yeah, that is the only scenario I came up with where we would have issues 19:07:40 <mikeperry> I think it should still use the system openssl in most cases for that though 19:07:53 <mcs> Ticket tagging seems reasonable. Obviously, anything we can get done sooner is better. 19:08:25 <mcs> Or better said: getting stuff done sooner will lead to a better 5.0 release and less stress for us 19:09:52 <GeKo> mikeperry: I am not sure if that holds on linux, osx and windows 19:10:43 <mikeperry> GeKo: no, I appear to be mistaken. the library paths are set by the script, which means throwing a custom tor into the TBB path may make people sad :/ 19:11:03 <GeKo> yes, this is what I meant 19:12:00 <mikeperry> did you already sign the bundles again? 19:12:46 <GeKo> yes, I was in gambling mood yesterday and today :D 19:13:13 <mikeperry> ok, let's just release and make a note on the blog post 19:13:48 <GeKo> you sigs are the only things that are missing in the 4.5.2 and 5.0a2 dirs 19:13:52 <GeKo> *your 19:14:28 <mikeperry> either way, we're updating the tor binary and the openssl binary together, so people will have to accept the update and then go back in and try to break their setup, I think 19:14:38 <mikeperry> unless they also edited the start-tor-browser scripts.. 19:15:00 <GeKo> yes 19:16:47 <mikeperry> so where are you in the release process? right before the .htaccess and copy to dist? 19:17:37 <GeKo> yes 19:18:12 <mikeperry> ok, I will add my sigs and release it later today/this evening 19:18:37 <teor> mikeperry: when I was testing a custom tor in TBB 4.0 and 4.5 on OS X, I modified the tor path in the script, not the tor binary. It worked fine. 19:18:53 <teor> Maybe we could recommend people do that rather than moving binaries. 19:19:00 <GeKo> that should not be a problem 19:19:07 <GeKo> yeah 19:19:12 <mikeperry> actually, unclear, because we also set LD_LIBRARY_PATH 19:19:27 <mikeperry> so if you don't also edit that, your new tor path will use our bad openssl lib, and probably crash 19:19:41 <GeKo> hm... 19:22:46 <mikeperry> so teor's tbb will probably update and then stop working :/ 19:22:59 <mikeperry> because we did not update start-tor-browser in this release 19:23:44 <mikeperry> I think nickm is in a similar situation 19:24:09 <GeKo> man, this sucks 19:24:20 <mikeperry> (I remember him telluing me about copying alpha tor binaries into his path 19:24:22 <mikeperry> ) 19:26:39 <nickm> symlinking 19:26:42 <nickm> but yeah 19:26:51 <nickm> and don't worry; we know what we're getting into 19:27:08 <nickm> "No user-serviceable parts inside" 19:27:43 <mcs> I guess a question for the Tor Browser team would be "How many people will this impact?" 19:27:51 <mcs> (impossible to know) 19:28:11 <mikeperry> yeah, I think the types of people it will impact is still limited to hackers and developers 19:28:25 <mcs> So, in other words, people who are used to pain? 19:28:44 <nickm> people who understand "you broke it, you can keep both pieces" 19:31:28 <mikeperry> ok. I think in the interst of saving GeKo's time and sanity, we just go with this release as-is then? 19:32:02 <mikeperry> we should file bug for this though, so it shows up in the 4.5.3 changelog 19:32:26 <mikeperry> "hey, we fixed that thing we broke on purpose in the last release!" :) 19:32:30 <GeKo> yes, filing the bug is a good idea 19:32:45 <GeKo> haha 19:33:38 <mcs> Will the breakage be obvious, e.g., tor crashes on startup every time? Or do we know? 19:34:02 <mcs> (if it is obvious, and we mention it in our release notes, it seems OK to me) 19:34:36 <GeKo> dunno actually. 19:34:55 <teor> I completely agree: "don't do that, unless you enjoy re-downloading Tor Browser when it breaks" 19:35:43 <teor> mcs: oh yeah, breakage is obvious: "Tor failed to launch" etc 19:35:59 <mcs> OK. Ship it? 19:36:38 <teor> (Which is exactly why I *stopped* screwing with TBB internals) 19:36:56 <GeKo> I think so. 19:37:02 <mikeperry> I am trying it now. 19:37:10 <mikeperry> the tor binary seemed to run "ok" with the bad openssl 19:37:31 <GeKo> I a actually not convinced that we break system tor usage 19:37:36 <GeKo> *am 19:38:50 <mikeperry> strange 19:38:51 <teor> Replacing the embedded tor with /opt/bin/tor from macports works fine 19:39:02 <mikeperry> yeah, it worlks fine for me too 19:39:13 <mikeperry> maybe we don't use the hmac that they broke? 19:39:20 <teor> But macports tor uses macports ssl 19:39:51 <mikeperry> I just put the tbb 4.5.1 tor binary inside a tbb 4.5.2 dir, and it still worked.. 19:40:35 <mikeperry> and it said "tor 0.2.6.7 with openssl 1.0.1n" so it did use the "incompatible openssl 19:41:01 <teor> I tried it with 0.2.7.1-alpha compiled using afl-fuzz, and it still worked 19:41:12 <teor> It appears very hard to end up with two pieces 19:41:23 <GeKo> even better :) 19:41:43 <GeKo> and in two weeks the next Tor Browser is coming fixing this issue 19:44:36 <mikeperry> I think we must not be using the hmac function in quwstion externally to openssl 19:44:57 <mikeperry> in question too 19:48:09 <teor> I got it to hang once, force quit, then "tor has unexpectedly exited"on relaunch, but the third time was fine 19:48:26 <teor> Tor v0.2.7.1-alpha-dev (git-ef2b2ceb9cc7fb6a) running on Darwin with Libevent 2.0.22-stable, OpenSSL 1.1.0-dev and Zlib 1.2.8. 19:48:31 <mikeperry> hrmm... might be some weird flavor of memory corruption then :/ 19:48:59 <teor> OpenSSL? Memory corruption? 19:50:16 <teor> Never! 19:51:50 <teor> Yeah, or it could be discoveryd or my router playing up. My machine isn't playing nicely tonight. 19:53:25 <mikeperry> we use HMAC(), not HMAC_CTX_init*(). the bug is in how HMAC_CTX was changed, which we do not use externally to openssl in tor 19:55:39 <mikeperry> so I think we're actually not affected 19:55:57 <mikeperry> the 0.2.7.1 crash must have been something else, teor 19:56:06 <teor> I agree 19:57:25 <mikeperry> ok, I think we can end this meeting then. *phew* that was a close call 19:58:01 <mikeperry> sorry for the long meeting everyone, but at least we got to the bottom of that 19:58:46 <mikeperry> GeKo: I will pick up where you left off and finish the release 19:58:58 <mikeperry> thanks everyone! 19:59:03 <mikeperry> #endmeeting tbb-dev