19:00:44 <GeKo> #startmeeting tor-browser
19:00:44 <MeetBot> Meeting started Mon Mar 21 19:00:44 2016 UTC.  The chair is GeKo. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:00:44 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
19:00:51 <GeKo> hello everybody
19:01:13 <boklm> hi
19:01:16 <arthuredelstein> hi
19:01:30 <GeKo> i can go first today
19:02:49 <GeKo> last week if fought with my internect connectivity and with a "chemspill" Mozilla release and investigated #18577
19:03:09 <GeKo> moreover, i testest and merged the pieces for #13252 we have so far
19:03:40 <GeKo> i spent time with the GSoC applications and the bulk of my time went into the esr45 feature review
19:04:07 <GeKo> i went through all the dev docs and opened tickets for (possible) issues i've found
19:04:20 <GeKo> a second pair of eyes would be helpful
19:05:28 <GeKo> i've priorizied the tickets for 6.0a5 with tbb-6.0a5
19:05:30 <GeKo> https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~tbb-6.0a5
19:05:54 <GeKo> we should discuss later if that makes sense and think about dividing the workload
19:06:29 <GeKo> this week i plan to help with the esr45 branch and might try some builds
19:06:42 <GeKo> then i start with the tbb-6.0a5 stuff
19:07:07 <GeKo> probably some GSoC stuff needs to get done and i hope to find some time for the developer doc
19:07:12 <GeKo> that's it for me.
19:10:59 * boklm can go next
19:11:13 * arthuredelstein can go after boklm
19:11:30 <boklm> This past week I helped with the unexpected new release. I converted some tests to marionette on #16009 and added support for OSX.
19:11:36 <boklm> This week I'm planning to merge my marionette branch to master to start using it. Work on #18597 and #18569. Look at the GSoC applications.
19:11:47 <boklm> That's it for me.
19:13:29 <arthuredelstein> Last week I worked on #15197. I have a full branch which I will post later today. So far I haven't been able to test the full build because of #18127. I also reviewed some of the patches for #13252.
19:14:08 <arthuredelstein> This week I will work on writing some regression tests for the #15197 branch as well as anything else needed for ESR45.
19:14:27 <arthuredelstein> That's it for me.
19:15:07 <mikeperry> I have been performing the TBB network audit. I am through the NSPR calls, and about to start on the XPCOM stuff. After that, all that remains is Android, and I think Amogh is handling that
19:15:32 <mikeperry> I found some thing that need deeper investigation, and some things that need to be preffed off or patched
19:16:01 <mikeperry> (fo example, the DOM push service appears capable of using UDP)
19:16:55 <GeKo> but that is part of service workers which are disabled in esr45, no?
19:18:12 <GeKo> but yes, we should  make sure nothing is leaking even with service workers disabled
19:18:41 <mcs> what was Mozilla
19:19:00 <mcs> what was Mozilla’s reason for disabling service workers in ESR45?
19:19:21 <mcs> (too experimental?)
19:19:35 <GeKo> tha the api is likely changing too much in the near future
19:19:45 <mcs> OK. Good to know.
19:19:46 <GeKo> so, yes
19:21:02 <mikeperry> ServiceWorkers are crazy powerful. there were also some vulnerabilities related to their power allowing surprising things to happen in the browser
19:21:31 <mikeperry> we are probably going to need to stay away from them for quite a while, I think. they are very hard to analyze for the normal browser threat model, let alone ours
19:21:49 <GeKo> indeed
19:21:56 <arthuredelstein> I agree as well
19:24:56 <mikeperry> I also have a question about #13252 after everyone is done. but I think we have more updates?
19:25:07 * mcs will give an update now
19:25:15 <mcs> Last week, Kathy and I revised some of our patches for #13252.
19:25:20 <mcs> We worked on #18495 but have not found a solution yet.
19:25:28 <mcs> We reviewed the patches for #18466 and #18557.
19:25:37 <mcs> This week we will work more on repackaging FTE (advice from Python experts is welcome).
19:25:43 <mcs> We will also help GeKo with any #13252 build and signing issues that come up.
19:25:48 <mcs> This week we also plan to look at other ff45-esr tickets and triage some bugs that we have been ignoring (such as #18330).
19:25:54 <mcs> That’s all for us.
19:26:46 <GeKo> er #13252. mike had some worries similar to teor's comment 23 about write protected dirs
19:27:11 <GeKo> how bad is the current design for people having Tor Browser in /Applications?
19:27:27 <GeKo> does that fail totally?
19:27:50 <mcs> They need to have write access, same as today. Or similar to today.
19:29:02 <mcs> I guess the scenario to worry about is if someone can install in /Applications but not write there?
19:29:27 <GeKo> yes
19:29:48 <GeKo> not sure how prevalent this one is on OS X though
19:29:51 <mikeperry> yes, I am worried in particular about users who already installed in /Applications by entering their admin password, which actually gives them write access to TorBrowser.app
19:29:57 <mcs> Probably Kathy and I (or someone) should test on a Mac OS system where the logged in user does not have write access to /Applications. I am not sure how common that is though.
19:30:09 <mcs> ah, OK.
19:30:12 <mikeperry> when the update arrives with this code, it will try to create the side-by-side dir, and fail. I think this is not so good :/
19:30:37 <mcs> I did not realize that that prompt gives them write access to TorBrowser.app. That’s bad for the new world order.
19:31:13 <mikeperry> yeah, we may need to do the ~/Library thing after all
19:31:38 <mcs> If that is even somewhat common we need to think about supporting both side-by-side as well as ~/Library or something. Ricochet does something like that.
19:31:40 <mcs> Right.
19:32:01 <mcs> I assume we do not want to only support ~/Library though.
19:32:58 <GeKo> it seems the ricochet approach as you sketched it is a fine onw
19:33:00 <GeKo> *one
19:34:13 <GeKo> is anyone else here for an status updates?
19:36:43 <GeKo> okay. let's move to the discussion phase
19:37:24 <GeKo> https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~tbb-6.0a5 contains the stuff i think we should have in the alpha for testing
19:37:40 <GeKo> (we might find more while testing, though)
19:38:44 <GeKo> mcs: i wonder if you could put the canvas and svg tickets on your plate?
19:39:10 <GeKo> that is #18599 #15640 and #18602?
19:39:42 <GeKo> i think i work on #14970 at least
19:39:48 <mcs> GeKo: yes, we were planning to take those
19:40:08 <GeKo> arthuredelstein: any preferences?
19:40:16 <mcs> (do you want to update the owner in trac or should we do it?)
19:40:28 <GeKo> go ahead
19:40:31 <mcs> ok
19:40:46 <GeKo> arthuredelstein: i think #16328 and #16998 might be worthwhile
19:41:07 <GeKo> er #16673
19:41:20 <GeKo> instead of #16328
19:41:36 <arthuredelstein> Yes, I could take those two
19:41:51 <GeKo> okay lets start with that, thanks
19:42:20 <arthuredelstein> sounds good
19:43:15 <GeKo> we can adjust the work at the next meeting if needed (if more urgent things come up)
19:43:33 <GeKo> speaking of which: when do we have our next meeting?
19:44:00 <GeKo> i guess next monday is a holiday in lots of places
19:44:13 <arthuredelstein> I might go for #16326 as well if no one else has claimed it.
19:44:29 <GeKo> yeah, good one, please do
19:44:40 <mcs> I am OK with meeting next Monday but we could also delay by a day.
19:45:05 <GeKo> i am fine with it too fwiw
19:45:23 <GeKo> but i am fine with moving it either
19:45:39 * boklm is fine with either
19:46:46 <arthuredelstein> I'm OK with either
19:47:20 <GeKo> okay. then lets keep next monday
19:48:25 <GeKo> what else do we have for the meeting?
19:49:35 <arthuredelstein> I wanted to ask about #18127.
19:49:53 <arthuredelstein> Do we have a patch that already solves the problem?
19:51:07 <GeKo> yes.
19:51:25 <GeKo> there is just the detail missing how to handle the need for sudo
19:52:08 <GeKo> mikeperry: if you have an opinion for #18127 (see my last comment) then please state it in the ticket
19:53:07 <GeKo> arthuredelstein: if you take boklm's bug_18127-v2 branches (gitian-builder and tor-browser-bundle) that should work
19:56:02 <GeKo> alright, thanks for attending this meeting *baf*
19:56:06 <GeKo> #endmeeting