18:00:59 #startmeeting tor browser 18:00:59 Meeting started Mon Aug 29 18:00:59 2016 UTC. The chair is GeKo. Information about MeetBot at http://wiki.debian.org/MeetBot. 18:00:59 Useful Commands: #action #agreed #help #info #idea #link #topic. 18:01:05 hi all! 18:01:28 i hope at least some have made it to the meeting given all the oftc issues 18:01:35 hi 18:01:36 let's get started 18:02:16 i guess i can go first today 18:02:55 i worked on the design doc and wrote a small fix for #19995 18:03:09 i spent some time to work on our signing infrastructure 18:03:37 and if all went well we can do releases without me being available in the future 18:03:50 i guess we test that (sort of) with the next alpha 18:04:16 i resumed work on #13893 18:05:23 i took a look at the patches in #19410, #19528 and #19459 18:06:08 and #15852 which got merged meanwhile 18:06:56 this week i plan to work on the design document, review the unix domain socket patches and work further on the EMET bug 18:07:26 apart from that the usual begin-of-the-month admin stuff resurfaces 18:07:31 that's it from me 18:09:08 * mcs will go next 18:09:17 Last week, Kathy and I created patches for #14271 and #14272. 18:09:24 We revised our patch for #19733. 18:09:30 We made some small changes to our #15852 patch which GeKo merged into torbutton master (thanks). 18:09:37 We reviewed some patches. 18:09:42 Also, I finalized travel plans for the Seattle dev meeting. I will be there Sunday afternoon - Thursday evening. 18:09:48 This week we will continue working on Unix domain socket support, e.g., #14273 and maybe we will look at #19646 as well. 18:09:50 neat 18:09:59 We will be away from keyboard this Friday (September 2nd) through next Tuesday (September 6th). 18:10:04 That means we will miss next week’s meeting even if it is delayed by a day. 18:10:10 That’s all for now. 18:11:28 who is next? 18:11:33 * boklm will go next 18:11:43 This past week I investigated #12736 and I started working on #20018 18:11:55 This week I'm planning to update release process doc for #19410, make a revised patch for #19528, and work on #20018 and #19067 18:12:12 That's it for me 18:13:13 * arthuredelstein can go 18:13:32 Hi, everyone. This past week I worked on #19459. I proposed a patch, but now found a problem with it on Linux. There are some reflow events that happen before the window is drawn to screen, which makes it very hard to control the final contentWindow dimensions. This week I will continue to work on this patch. 18:14:16 Also this week, I worked on reviewing some isolation patches that our Mozilla friends are uplifting, including https://bugzilla.mozilla.org/show_bug.cgi?id=1264593, https://bugzilla.mozilla.org/show_bug.cgi?id=1264567, https://bugzilla.mozilla.org/show_bug.cgi?id=1289319 18:14:35 They are making rapid progress! 18:14:50 (During the dicussion I would like to bring up a question the Mozilla folks have been asking about.) 18:15:08 That's it for me. 18:15:30 https://bugzilla.mozilla.org/show_bug.cgi?id=870346#c1 might be of interest to you 18:16:04 That does look relevant 18:16:05 arthuredelstein: and this + my experience with the resizing code made me quite skeptic that we can solve this from JS land 18:16:12 but we'll see I guess ;) 18:16:25 You may be right, although I'm not sure how to solve it from C++ either! 18:16:40 yeah. 18:16:57 this is actually the reason why we have the mutation observer in torbutton right now 18:17:07 Basically, I can make it work on all platforms without a mutation observer, but the user sees a resize. 18:17:15 It can be a smallish resize, but that's still ugly. 18:17:38 because the https-e icon resizes the window after adding the button to the toolbar 18:18:07 I hadn't even tested in with https-e... 18:18:10 s/in/it 18:18:13 (actually it resizes the window slightly by adding the button to the toolbar 18:18:16 ) 18:18:24 Does that happen after the window has been painted to screen? 18:18:25 but maybe the new icon solves this? 18:18:47 not sure anymore 18:19:50 anyway, if we get the same behavior with the patch moved to firefox that would be fine i guess 18:20:03 Some of the existing Mozilla code (TabsInTitleBar.js) already uses mutation observers, so I wouldn't rule it out as acceptable. 18:20:20 (I mean for chrome window layout.) 18:20:25 yes 18:22:03 okay, is anybody else here for the status update? 18:23:16 alright, let's move on to the discussion phase 18:23:30 i don't have anything beyond the usual sponsorU reminder 18:23:44 arthuredelstein: you had something for discussion? 18:24:04 Yes -- the Mozilla engineers have been asking about our strategy of releasing on ESRs. 18:24:37 They are interested to know if, in the future, if they succeeded in uploading all or nearly all of our patches, if we would transition to following the main release channel instead of ESRs. 18:25:08 hm 18:25:11 In part this might affect Mozilla priorities. 18:25:23 in which regard? 18:26:03 In terms of which patches to focus on uplifting, and perhaps other things that I don't fully understand. 18:26:18 what don't you understand? 18:26:21 maybe I can explain better? 18:26:25 o/ 18:26:46 huseby: Yes, that would help! :) 18:27:01 huseby: hi and thanks for doing all the amazing patch uplift work 18:27:07 really appreciated :) 18:27:10 GeKo: sure :) 18:27:15 so here's what we're looking at 18:27:38 it seems likely that we're not going to get *all* of the patches uplifted before 52 (the next ESR) forks from central 18:27:55 which means there are two paths to follow 18:28:34 1) if TBB stays on ESR, we need to work with you to prioritize which patches do make it into 52 since we'll have to wait another year before you get the rest. 18:29:12 2) if TBB commits to moving to release, then it doesn't matter because once you move to release, you'll be getting the patches on our regular release cycle 18:29:37 my personal opinion is that you should move to release 18:30:01 AFAIK, you chose to use ESR because you were going to be maintaining a heavy patch load and rebasing was easier 18:30:12 ESR release pace at once-per-year allowed you to keep up 18:30:19 but now that patch load is approaching zero 18:30:20 that is one of the main reasons 18:30:23 fast approaching zero 18:30:26 but not the only one 18:30:54 the other big one is that we need time for feature reviews and write new patches 18:30:54 ok, good :) see this is why we're having this conversation :) 18:31:15 GeKo: maybe we should do a joint pros/cons session at the dev meetup? 18:31:16 and it turned out that we basically started esr45 with the same amount of patches than we started with using esr38 18:31:27 despite stuff getting merged meanwhile 18:31:48 + we have one engineer less on the team than usual 18:32:21 it seems this indicates 1) 18:32:27 alas 18:33:01 we could have such a session at the dev meeting 18:33:43 i guess we are happy to talk about this and we could prepare some pro/cons write-up for discussion 18:34:00 I think it's definitely worth reviewing. 18:34:04 but i fear we are not there yet 18:34:08 GeKo: my main concern is that ESR's only get the most critical security fixes 18:34:29 there are quite a few security fixes that are serious, but don't rise to the level where we include it in the ESR 18:34:36 that is one point 18:34:47 and I worry that some of the serious-but-not-serious-enough bugs would/could expose your users. 18:34:56 yes 18:35:25 being on release would alleviate much of that worry 18:35:25 on the other hand all the time i see the advisories for release i am glad we are on ESR :) 18:35:43 meaning we don't have to worry about those in addition to the ones for ESR 18:36:53 Having some data would aid this discussion, e.g., how many patches will not be uplifted. are more security issues associated with new Firefox features, etc. 18:37:14 (as opposed to new holes in old code) 18:37:27 i guess this could be part of the write-up for the discussion or part of the session itself 18:37:38 and sounds very reasonable to have 18:37:47 vi x 18:37:58 oops :) 18:38:17 GeKo: except, those advisories might also be affecting ESR but not getting fixed in ESR :) 18:38:39 well, i was only talking about the things i see with respect to new features 18:38:43 mcs: https://wiki.mozilla.org/Security/Tor_Uplift/Tracking 18:38:51 we are focusing on first party isolation 18:38:58 that's the only thing we've committed to for the next ESR 18:39:07 but I've been sneaking other patches in there too 18:39:24 I'm about to land the patch for disabling the "this plugin is disabled" barrier 18:39:29 things like that 18:39:36 there's work on font enumeration happening 18:39:40 on the side 18:39:50 and a couple of our interns landed the disabling mathml and svg patches 18:40:45 huseby: there are other moments i am really glad about that we are staying on ESR 18:41:13 if you look at fixup releases you'll see that release has much more of them than ESR 18:41:28 which would likely mean we'd need much more of them, too 18:41:38 and these are really expensive for us 18:42:08 GeKo: that makes sense. 18:42:11 What is the biggest expense involved in fixup releases? 18:42:15 we're not trying to push you either way 18:42:33 just want to know sooner rather than later which path you want to take 18:42:36 if it is #1 18:42:41 oh, and i was glad we stayed on esr38 while mozilla struggled to get (esr)45 into shape 18:42:44 then we need to plan on prioritizing this week or next 18:42:53 IIRC it took 3 follow-up releases 18:43:05 and there was still fallout in firefox 46 and 47 18:43:55 arthuredelstein: that it takes focus away from other tasks and takes a bunch of time to prepare and sign everything and write blog posts etc 18:44:23 huseby: so, i am pretty sure for esr52 it will be #1 18:44:34 we might be in better shape for esr59 18:44:55 GeKo: roger 18:45:00 I'll report back on that 18:45:10 thanks 18:45:32 GeKo: how can we best do the prioritization? 18:45:44 I can give you a list of the patches that most likely *won't* make esr2 18:45:47 esr52 18:45:53 you mean with the firt party isolation area? 18:46:00 or in general? 18:46:04 *within 18:46:13 first party isolation is supposed to make it 18:46:20 we're trying really hard to make that happen 18:46:28 all of it? wow 18:46:32 that would be neat 18:46:32 it's the remainder that we're talking about 18:46:45 (maybe, it's based on origin attributes....don't count those chickens yet) 18:47:03 GeKo: Makes sense (re release expense) 18:47:10 okay. if you can give me the list of patches you have on your radar and are wondering about 18:47:20 then i'll have a look 18:47:48 we could talk about them on the meeting next week 18:48:11 then everybody has a say and can help 18:49:41 huseby: maybe sending this to tbb-dev would be the right thing and we could already start a discussion there? 18:51:18 okay. do we have something else to dicuss? 18:51:44 I can go next if everyone else is done :) 18:51:58 ah, hi, sure :) 18:52:29 hi. so we are quite close to the Tor Messenger release with the updater... we would like to get the Windows and OS X builds signed with the respective certs 18:53:04 can I just complete the builds and point them to you and then you can sign and upload and we release them? 18:53:14 we can do this. 18:53:23 perhaps we can decide a more streamlined strategy later but for now we can just do this 18:53:53 yeah. boklm can do the windows stuff 18:54:01 and soon the os x stuff as well 18:54:14 and otherwise ping me and we'll get this done 18:54:21 ok great, thanks. I will ping you when we are ready 18:55:37 that's it from me. we will be finalizing the builds today and plan to release by Wednesday (flexible if we can get the builds signed) 18:55:46 exciting. i hope it goes well :) 18:56:02 yeah! 18:56:13 the updater was much needed 18:56:36 ok. anything else for today? 18:57:37 thanks everybody *baf* 18:57:38 #endmeeting