18:01:56 <mikeperry> #startmeeting app-dev
18:01:56 <MeetBot> Meeting started Mon Aug 10 18:01:56 2015 UTC.  The chair is mikeperry. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:01:56 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
18:02:33 <Yawning> #16756 needs mikeperry input at his highness' convenience.
18:02:58 <mikeperry> ok, will take a look
18:03:09 <Yawning> ty <3
18:03:11 <mikeperry> let's get started with the applications meeting reportbacks though
18:03:18 <mikeperry> Last week, I wrote our status report, triaged the last set of tbb-5.0 tickets, reviewed and merged the final couple tickets, wrote a fix for #16730, attended to some meetings, and dealt with the 5.0 builds over the weekend.
18:03:38 <mikeperry> This week, my plan is to get the releases out and watch for regressions.  Barring any catastrophes, I will go over the backlog, and try to plan some kind of vacation (which I sorely need).
18:04:14 <mikeperry> I think that's it for me for now. I'm sure this week will have enough surprises in store to keep me busy
18:07:26 * ilv can go next
18:07:42 <ilv> Last week I sent my status report for SoP (Enhance GetTor), and started to work on enabling GetTor to send links to download Tor Browser in more locales (currently just en-US)
18:08:36 <ilv> This week I'll be working on getting the XMPP bot ready (I'll also research if it's possible to add otr)
18:09:14 <mikeperry> ilv: awesome
18:09:21 <ilv> That's it for me
18:09:38 <ilv> mikeperry: thanks :)
18:10:04 <mikeperry> ilv: one of the things I am hoping is easier for TBB 5.5-alpha is a multi-lingual version (#12967)
18:10:14 <mikeperry> that might make gettor easier to use, perhaps?
18:10:25 <ilv> definitely!
18:11:17 <mikeperry> not sure what the timeline on that will be
18:11:44 <mikeperry> I need to go over our roadmap and backlog and figure out the post-5.0 schedule still
18:12:28 <ilv> I see, ok
18:12:44 * n8fr8 team orfox has a quick report
18:12:53 <GeKo> I think it makes sense to plan this with the hardened build series
18:12:54 <n8fr8> amoghbl1 and I are still progressing on torbutton for orfox/android, but from what I did last week, it seems promising. Mozilla mobile add-on tooling/SDK has vastly improved since I last looked at it, and it seems we hopefully might be able to make the core TorButton code "mobile enabled" instead of forking...
18:13:42 <mikeperry> wow
18:13:45 <n8fr8> also the mozilla exploit from last week does not affect Firefox on Android
18:13:56 <mikeperry> what are you going to do about all of the toggle cruft in torbutton? :)
18:14:03 <n8fr8> (different downloader/PDF code)
18:14:22 * ilv feels safe :)
18:14:23 <n8fr8> we will see!
18:14:50 <mikeperry> yeah, we are trying to rush 5.0 out for that bug. 4.5 wasn't targeted in the wild, but 5.0a users might be vulnerable at the lower security levels :/
18:15:21 <mikeperry> unfortunately, the need to switch to FF38-esr also right now has tied our hands. it's been a stressful weekend just getting everything ready :(
18:15:58 <n8fr8> well, at least with orfox being based on TB5/esr38 it seems we are all well aligned, which was one of our goals from the spain meeting
18:16:38 <n8fr8> that is all for now!
18:18:51 <mcs> Is it time to clean up more of the toggle cruft?
18:19:06 <GeKo> it's always that time :)
18:19:16 <mikeperry> yes, we should probably remove much of it in the 5.5 series
18:19:27 <mikeperry> that's actually on the roadmap already :)
18:19:51 <mcs> Maybe a better question is "which one of us owns that task?"
18:20:25 <mcs> anyway, I do not want to distract from the standup report portion of the meeting.
18:20:28 <mikeperry> right now it looks like arthur and you (if you want it)
18:21:08 <mcs> OK.  Kathy and I will talk to Arthur about it.
18:21:21 <arthured1lstein> Sounds good :)
18:22:35 * mcs can go next
18:22:45 <mcs> Last week, Kathy and I created patches for #16715 (merged by mikeperry for TB 5.0; thanks!)
18:22:51 <mcs> We also fixed #16731 (reviewed and merged by GeKo for TB 5.0; thanks!)
18:22:59 <mcs> We also filed #16735 and did a little work on it but are now waiting to make contact with Jeremy Todaro (the original creator of the HTML page that became about:tor).
18:23:07 <mcs> We spent some time creating a patch for #16722 but mikeperry and GeKo came up with a better fix.
18:23:14 <mcs> We started looking at #13512 again after a long break and will work on it more this week.
18:23:20 <mcs> Today we reviewed the revised patch for Mozilla #232227 (System colors for form elements used when browser.display.use_system_colors is set to false).
18:23:28 <mcs> This week we also plan to work on #16753 and of course we will help with any TB 5.0 and 5.5 alpha issues that come up.
18:23:33 <mcs> That's all for us.
18:24:39 <GeKo> here is what i did:
18:25:09 <GeKo> I spent some time preparing stuff for 5.0 and 5.5a1
18:25:19 <GeKo> I worked on the tiles bug #16722
18:25:46 <GeKo> today I fought with signing our stable release which should be done now
18:26:07 <GeKo> and I updated our HACKING document with a section about bisecting Tor Browser things
18:26:57 <GeKo> this week we have two releases and I somehow hope to turn back to my two longstanding bugs, #15538 and #15578
18:27:04 <GeKo> that's it for now
18:29:04 <mikeperry> mcs: we should perhaps file a bug to track https://trac.torproject.org/projects/tor/ticket/16715#comment:5? or do you want to track it on Mozilla's side?
18:30:00 <mcs> mikeperry: Either way.  We should file a bug in one place or the other or both.
18:30:43 <arthuredelstein> Probably on bugzilla.mozilla.org makes more sense.
18:31:19 <mcs> arthuredelstein: You are right.  Should I file a Bugzilla bug or do you want to?
18:31:21 <arthuredelstein> I'm happy to post it. We can add it to https://docs.google.com/spreadsheets/d/1rF4Gah_OEequYDfPedoQu3oETM5Gj4NagxDuKQG-IOk/ as well
18:31:26 <mcs> thanks!
18:32:20 * arthuredelstein can go
18:32:29 <arthuredelstein> Last week I worked on improving our font fingerprinting patches, #13313 and #16672.
18:32:39 <arthuredelstein> Mainly I tried, in this iteration, to make the whitelisting/bundling of fonts as user-friendly as possible, by favoring aesthetics over strict fingerprinting perfection.
18:32:44 <arthuredelstein> So I whitelisted various OS fonts on Mac and Windows, and I bundled some better-looking fonts for Linux.
18:32:55 <arthuredelstein> I also worked on our Keyboard Event fingerprinting patch (#15646). This corrected some issues with Alt keys and the backspace key.
18:33:00 <arthuredelstein> And I upstreamed a patch to Firefox https://bugzilla.mozilla.org/1173171, which corresponds to our #14455.
18:33:04 <arthuredelstein> This week I will work on further refining font defenses.
18:33:10 <arthuredelstein> The main difficulty right now is getting font fingerprints to be the same on various linux flavors.
18:33:14 <arthuredelstein> I may also work on improving keyboard anti-fingerprinting, and possibly #14429. I may also work on more upstreaming to Firefox.
18:33:29 <arthuredelstein> That's it for me.
18:35:23 * boklm can go next
18:35:36 <boklm> This week I fixed some issues in the test suite: https://lists.torproject.org/pipermail/tor-qa/2015-August/000667.html
18:35:39 <boklm> I investigated and fixed #16311 (but still need to open a mozilla bug for it)
18:35:42 <mikeperry> arthuredelstein: re #16672, it is really weird that dcf1's bundles successfully disabled antialiasing and subpixel rendering, but ours do not. it might be worth trying to debug/take apart his old bundles, if the debug symbols still work
18:35:49 <boklm> I launched some tbb builds (5.0-build3 is matching, 5.5 is still building at the moment)
18:36:01 <boklm> I tried a patch to fix an "error: unused variable 'rv'" on Try (but it did not build because of #16497): https://github.com/boklm/gecko-dev/commit/391cbecbccf89deb6d83817eb5bfb14b896af324
18:36:15 <boklm> This week I'm planning to rebase on 38.2.0 / sync / submit to Try my split branch repo
18:36:24 <boklm> Open a mozilla bug for #16311. I will also be going to CCCamp.
18:36:24 <arthuredelstein> mikeperry: Yes, good point. I think that's probably my next step.
18:36:42 <boklm> That's it for me.
18:36:48 <mikeperry> cool, thanks boklm
18:37:01 <mikeperry> we should also go through the list of DOM objects you found on tor-qa
18:37:12 <GeKo> boklm: o already opened one for #16311 let me look where it is
18:37:17 <GeKo> *I
18:37:19 <boklm> ah ok
18:37:46 <mikeperry> some of these should have been disabled by pref. I wonder if they are present but empty or something. we should check that
18:38:17 <boklm> mikeperry: should we open a ticket for that ?
18:38:39 <mikeperry> yes, probably
18:40:28 <arthuredelstein> (I forgot to mention that I will be on vacation and afk August 17-24.)
18:42:03 <arlolra> boklm: did you see emails from sukhe?
18:42:16 <Yawning> (are ze reports done?)
18:42:47 <boklm> arlolra: ah yes, I need to answer to that
18:43:09 <mikeperry> arlolra: aha! welcome. is sukhe here too? how goes tor messenger?
18:44:19 <arlolra> doesn't look like he is
18:44:46 <arlolra> mikeperry: we've got a blog post all queued up, just smoothing out some build issues
18:45:20 <arlolra> is there documentation somewhere on TB's updater? how it differs from mozilla's default and whatnot
18:46:26 <GeKo> not really
18:46:33 <mikeperry> hrm, unfortunately no
18:47:00 <mcs> arlolra: I don't think there is much documentation.  You could look at our patches or ask questions of course ;(
18:47:21 <arlolra> ok, will do. thanks
18:49:27 <mikeperry> arlolra: boklm should also be able to help with the server-side updater bits, of course
18:50:24 <mikeperry> ok, anyone else? Yawning did you have something more?
18:50:27 <arlolra> great
18:50:31 <Yawning> yeah
18:50:51 <Yawning> I'm willing to buy someone a bottle of alcohol of their choice (within reason)
18:50:57 <Yawning> to get #10140 fixed
18:51:27 <Yawning> I'd do it myself but gitian at this point would be bad for my mental health
18:51:40 <Yawning> and what remains of my liver function
18:52:04 <mikeperry> is that still blocked on the weird mac special case for the langpack?
18:52:09 <Yawning> (I've been talking to the people that gave us the locale data so I can get it updated or do the updates if I need)
18:52:14 <GeKo> i think so
18:52:15 <Yawning> as of 17 months ago
18:52:18 <Yawning> apparently
18:52:25 <Yawning> OSX is incredibly popular here
18:52:33 <Yawning> (as is IOS)
18:52:47 <mikeperry> we can just hack that as a special case
18:52:48 <Yawning> but I don't have hardware for it, so I can't tell if it's required or not
18:53:20 <Yawning> mmk
18:53:27 <mikeperry> if you remind us again next week, it's more likely to get done. it shouldn't be too hard, but now is a bad time for us to be introducing bloody hacks into gitian, in case something happens with this release again
18:53:30 <Yawning> sorry to be kind of insistent about this
18:53:35 <Yawning> yeah I understand
18:53:40 <Yawning> I'll remind y'all thanks
18:54:08 <Yawning> (the freedom situation here is deteriorating, so, kind of want this since it's more needed heh)
18:54:46 <Yawning> I can go over the locale data at some point as well
18:55:59 <arthuredelstein> How expensive is it to add more languages in general? Would it be feasible to add 10 more?
18:56:51 <GeKo> well, it depends. ideally we would do the same as Mozilla I think
18:57:13 <arthuredelstein> Here's the list. It's long: https://www.mozilla.org/en-US/firefox/all/
18:57:43 <mikeperry> it requires an insane amount of disk space to do it the way Mozilla does. I think we should have a top 10 and then everything else in #12967
18:58:10 <mikeperry> not just disk space even.. also build transfer time
18:58:15 <GeKo> yes. probably
18:58:28 <mikeperry> I spend hours copying TB builds between systems as-is :(
18:58:45 <GeKo> you are not alone :)
18:59:19 <arthuredelstein> Is that because it's airgapped?
18:59:43 * Yawning bites tongue
18:59:50 <mikeperry> well, my problem is the build machine is not on the same network as tpo
19:00:02 <mikeperry> so just the rsync takes hours
19:00:46 <Yawning> Is it because your wifi thing catches on fire trying to push bits?
19:00:46 <mcs> mikeperry: How many TB builds do we want, ideally?  One for each of our "top 10" languages and an 11th for all of the other languages?  Or just one (per platform)?
19:00:47 <mikeperry> there's another copy step from people.tpo to dist, and that takes several minutes
19:00:49 <Yawning> :P
19:01:07 <mikeperry> mcs: I guess it depends on the size of that universal bundle
19:01:12 <mcs> fair enough
19:01:22 <mikeperry> I am a bit worried that with all fonts and 82 langpacks, we may be looking at a 100MB TBB
19:01:43 <Yawning> I *think* out of our userbase by country the only language that isn't supported well is ja_JP
19:01:46 <Yawning> might be wrong
19:01:56 <Yawning> (out of the top X that is)
19:02:04 <GeKo> you could be right here
19:02:58 <arthuredelstein> Seems like Hindi and Urdu might be potentially good top-X languages to include.
19:03:51 <Yawning> devanagari shouldn't require crazy fonts
19:04:19 <mikeperry> in the past certain sponsors have paid us to carry particular languages. I think they probably assumed they could pay us to do that once and we'd do it forever. pretty sure we're not bound to carry any languages at the moment, so we can probably do the smart/strategic thing we want here
19:05:52 <arthuredelstein> Is there any way we could build/copy TBB on a fast VPS, in parallel?
19:06:19 <arthuredelstein> Seems like it could lessen the build pain in general.
19:06:24 <mikeperry> I am thinking the smart thing is custom bundles for popular locales (or locales we think *should be popular, if only we supported them as first-class bundles, and then a universal bundle for the remainder of officially supported Firefox locales)
19:07:33 <arthuredelstein> Does Mozilla bundle extra fonts for weird languages? Because the #13313 bundling already includes fonts for virtually every living language.
19:07:38 <Yawning> (Note Urdu doesn't use devanagari, no idea how complicated the Urdu one is)
19:07:54 <arthuredelstein> (Urdu uses Arabic/Persian script -- no problem.)
19:07:55 <mikeperry> we could probably easily split out mac, win and linux and do them in parallel, if LXC support were more dependable
19:08:17 <Yawning> arthuredelstein: TIL, thanks.
19:08:20 <Yawning> ^_^
19:08:31 <mikeperry> beyond that, probably hard to parallelize without switching out gitian for something else
19:08:38 <Lever> yesterday i stated my problem and no one answered me
19:08:43 <Lever> http://www.imgdumper.nl/uploads8/55c7b730b91dd/55c7b730a12f1-Tor.png
19:08:50 <Lever> http://www.imgdumper.nl/uploads8/55c7b80e06e9d/55c7b80deb6b8-TorII.png
19:09:10 <Yawning> arthuredelstein: I guess the only real mess is CJKV and Unihan related these days
19:10:11 <arthuredelstein> Yawning: Yeah -- unihan is a real pity.
19:10:39 <mikeperry> ok, any more application development-related questions/discussion?
19:11:09 <ilv> I have a question, how is RecommendedTBBVersions updated?
19:11:26 <ilv> the question related to this #16551
19:11:28 <Yawning> I assume it's better to wait on the build system madness to be fixed before soliciting localization for messenger
19:11:39 <mikeperry> GeKo: did you prep 5.0 and 5.5 in your build dir, or just 5.0?
19:11:56 <Yawning> If it's something that should be done now, i can ask the people if they want to do it
19:12:29 <GeKo> mikeperry: 5.0. I'll do 5.5 tomorrow
19:12:54 <GeKo> but I sent a message to tor-qa for testing it
19:13:10 <GeKo> (you might want to sign your sha256 sums files)
19:13:28 <mikeperry> GeKo: ok, shall I write the blog post and push 5.0 out then today?
19:14:22 <GeKo> i think we can give it one more day testing given that the exploit was not working in esr31 based browsers
19:15:00 <GeKo> that said a blog post draft would be nice :)
19:15:14 <mikeperry> the exploit is being updated. they added a mac target apparently. not sure if they added a ff31 target yet :/
19:15:33 <GeKo> interesting.
19:16:07 <mikeperry> the clock is probably also ticking before someone picks it up and does that work independently :/
19:16:34 <GeKo> yeah, it got popular it seems.
19:17:08 <mikeperry> I emailed dan+security group with some questions about the exploit wrt NoScript, disabling pdf.js, and future e10s sandboxing, so we can mention in the blog post some details about the security slider and future sandboxing work, etc
19:17:49 <GeKo> good idea
19:18:56 <GeKo> so, if you feel like we should release today due to the exploit then go for it
19:19:17 <GeKo> i am leaning towards giving it another day test coverage
19:19:26 <GeKo> trusting mozilla engineers here
19:21:22 <mikeperry> well, they never did say that esr31 was 100% not vulnerable, right? they just said the particular exploit in the wild failed against 31 for some reason
19:23:39 <GeKo> yes. i read it that way that if they thought esr31 could get exploited there too (within one week) they'd released a checmspill for it as well
19:23:51 <GeKo> *chemspill
19:24:21 <GeKo> but that is speculation on my side I admit as I don't have access to the bugs
19:25:59 <GeKo> "we determined that the vulnerability isn't present in the current 31
19:26:00 <GeKo> ESR."
19:26:26 <GeKo> that's what the firefox release manager says at least
19:28:55 <mikeperry> hrmm.. so much confusion. that's not exactly what I remember hearing, but who knows.
19:29:33 <mikeperry> "
19:29:35 <mikeperry> Brian: Good question. I hope we can make that clear at least in this bug. The exploit we were addressing did not work in 31. So, no, we didn't patch 31.8.0 ESR."
19:29:46 <mikeperry> https://bugzilla.mozilla.org/show_bug.cgi?id=1179262#c33
19:30:03 <mikeperry> but https://bugzilla.mozilla.org/show_bug.cgi?id=1178058 is still secret
19:30:16 <GeKo> the quote i made is from the enterprise mailing list
19:31:10 <GeKo> in the second mail by Liz Henry in the ESR 38.1.1 released thread
19:31:35 <mikeperry> so we maybe dodged a bullet. but that also means that the thing we should be hurrying on is 5.5a1, I suppose. I guess we need to be sure to get both out by tomorrow then
19:31:54 <GeKo> yes that was my thinking
19:33:01 <mcs> Why the rush for 5.5a1?  I am missing some important info.
19:33:36 <mikeperry> because 5.a4 and 5.a3 were based on FF38-esr, which definitely is vulnerable to the exploit
19:33:45 <mikeperry> so the alpha channel TBB users are vulnerable
19:34:08 <mcs> But we could upgrade them to 5.0 (non-alpha)
19:34:35 <GeKo> hmm
19:34:36 <mikeperry> now, I bet the exploit will still fail against TBB as-is, because of our alteration of $HOME and the bundle dir
19:35:07 <mcs> But someone might adapt the exploit to target TBB
19:35:29 <mikeperry> we didn't make incrementals for 5.0a4->5.0, since we made 5.5a1 instead.. I suppose we could have considered that pushing everyone to 5.0 would be faster :/
19:35:45 <mcs> Anyway, it sounds like (depending on testing), 5.5a1 may be ready to go soon
19:35:46 <mikeperry> little late now, I think. it won't be faster at this point
19:35:49 <mcs> right
19:39:03 <mikeperry> ok, well, I will draft blog posts for 5.0 and 5.5 as soon as I hear from dan about a best guess wrt the security slider stopping it in 5.0a4
19:39:57 <GeKo> if I look at the exploit or what people claim to be it is it needs JS
19:40:13 <GeKo> so setting the slider to high would stop it
19:43:37 <mikeperry> ok, that sounds good then
19:43:54 <mikeperry> anything else?
19:45:27 <mikeperry> (medium-high should *probably* be OK, too, since I bet the types of sites that have https on them don't deal with sketchy ad networks like this, but that is less certain)
19:45:48 <mikeperry> anyways, I am going to call the meeting. thanks everyone!
19:45:52 <mikeperry> #endmeeting *baf*