17:59:48 #startmeeting tor-browser 17:59:48 Meeting started Mon Apr 24 17:59:48 2017 UTC. The chair is GeKo. Information about MeetBot at http://wiki.debian.org/MeetBot. 17:59:48 Useful Commands: #action #agreed #help #info #idea #link #topic. 17:59:53 hi all! 17:59:59 hi 18:00:01 \o 18:00:04 hi! 18:00:05 it's been a while but finally we have another tor browser meeting! 18:00:07 hi! 18:00:14 hi! 18:00:20 oh, so many today, nice 18:00:49 * flexlibris and Phoul bring greetings from the community team 18:00:56 first of all before the status reports let me thank all of your for the help to get the alpha based on esr52 out 18:00:57 * Samdney lurks 18:01:14 that's been a bunch of work 18:01:44 special thanks to boklm for dealing with all the server-side update stuff over the weekend/holidays 18:01:55 * isabela lurks too 18:02:15 so, status reports first. who wants to go? 18:03:27 okay, i can be the first one then i guess 18:03:51 i helped with the releases and last minute patches and the fallout from it 18:04:11 we have a bunch of good bug reports we need to follow up 18:04:37 i needed to spend my time on following up on some loose ends, like #21795 and #20683 18:04:50 i reviewd and tested #21962 18:05:21 i started to review #20761 but am not done with it yet. sorry mcs 18:05:31 it's on top of my list for this week 18:05:48 np. I know you have been busy ;) 18:05:57 i spent my time organizing a bunch of things more to them later 18:07:03 this week i plan to close #19048 and #21625 doing the remaining tasks there 18:07:17 i hope to get a bunch of reviews done 18:07:44 and plan to work on #21886 18:07:55 that's it for me for now 18:08:13 * mcs will go next 18:08:20 Since our last meeting, Kathy and I created patches for #21876, #21778, #21930, and #21962. 18:08:34 We updated our patch for #20761. 18:08:39 We did our best to test the updater that shipped in 7.0a3 (time will tell how we did at that task). 18:08:44 Also, we reviewed a bunch of patches. 18:08:50 This week we are already looking at a newly reported 7.0a2 -> 7.0a3 updater issue (#22041). 18:08:58 We also plan to revisit #21766 and then move on to other tbb-7.0-must-alpha tickets. 18:09:04 That’s all for us. 18:09:55 * arthuredelstein can go 18:10:01 *go 18:10:08 Since last time, 18:10:26 I wrote patches for #21569, 18:10:33 #10286 and #10283. 18:10:45 I evaluated the Presentation API for #18862 18:10:53 In paralell with mcs and brade I tried an approach to #21962, 18:10:58 and opened #22002 as a result. 18:11:10 I backported a Mozilla patch for #21875. 18:11:14 And I met with the tor uplift team. 18:11:41 This week I will work more on tbb-7.0-must patches, focusing on fingerprinting/linkability tickets. 18:11:50 Plus whatever else might be needed. 18:11:52 That's it for me. 18:12:16 I can go 18:12:27 Gotten some MinGW patches landed and am working on some more. Also going to start pushing to get this into TaskCluster, even broken. 18:12:33 I completed a prototype for the add-on versioncheck onion service using EOTK. Next step is to explore how we're going to production-ize it. 18:12:39 As far as Moz stuff goes: 18:12:44 We've done more planning for our Fennec work, including coming up with a plan for doing proxy bypass testing. Now someone (me) needs to write an Android VPN Service for this purpose... 18:12:53 There's a Shield Study that's doing some anti-fingerprinting measurement work to see how much breakage it causes. https://github.com/mozilla/shield-study-privacy I also opened https://github.com/mozilla/shield-study-privacy to try and collect all the anti-fingerprinting telemetry and measurements we want to perform. 18:13:21 Other than that, a bunch of internal security process stuff was put on my plate :-/ 18:13:23 That's it 18:13:41 tjr: so, where are we with the sandbox compilation? 18:13:56 that's the single-most needed bit for the windows side right now 18:14:04 We can compile the sandbox in debug mode and investigate crashes. 18:14:47 okay. do you have time for that or should i try to put it on my plate? 18:15:22 I don't think I'm going to have time for it... at least not this week... 18:15:41 okay. 18:15:45 I've been trying to find time for it for a bit and it hasn't happened; sorry 18:15:52 no worries 18:16:37 who is next? 18:16:42 * boklm can go next 18:17:00 Since last meeting I have been working on #21907, #18530, #19316, #20814, #21981 and helped publish the new releases. 18:17:13 This week I'm planning to work on #21982. On the rbm build side, I'm planning to try to fix the build of snowflake for linux32. 18:17:20 That's it for me. 18:18:05 boklm: we could try to get the nightly builds going on ln5's box 18:18:12 yes 18:18:23 and the rbm thing setup there as well 18:18:48 which is pretty exciting! 18:18:50 I can help ln5 doing that when he has some time 18:19:53 thanks. i think a first step would be to get those vms you uploaded updated to match your latest ones 18:20:16 as ln5 can't create new ones as well right now due to #21838 18:20:44 ok 18:20:47 who else is here for some status update? 18:21:52 okay, discussion time then 18:22:10 i saw we have folks from the community team here 18:22:16 how can we help? 18:22:23 hey yall 18:22:49 hi! 18:22:49 GeKo: in AMS we talked about having the community team come to occasional applications meetings and share user feedback 18:23:04 yes! 18:23:06 that is such a great idea 18:23:30 so, we have some feedback we can share, and we also want to hear your ideas 18:24:11 it seems pretty straightforward that if we hear from users stuff that we think is useful to you, we should just come tell you, but maybe there are particular ways you'd like us to do it? 18:24:27 Phoul, do you wanna share some of the feedback you've gotten? 18:24:35 Sure! 18:25:25 flexlibris: this meeting is fine or filing trac tickets for important stuff 18:25:38 So one of the biggest issues (for many years now) is the clock skew issue. Users continue to hit this, not know whats happening and contact us. We have also been contacted by users looking for Tor Browser's in languages that our compontents have translations for, but Firefox does not. I'm not sure what the best way forward with those requests is. 18:26:25 Phoul: What languages are they requesting? 18:26:29 components* 18:26:44 I dont actually have a list handy, but I can get that sent to someone or put it in a ticket. 18:26:52 Has come up a couple times over the last few weeks. 18:27:01 I think I have a ticket where that list could go... let me look 18:27:21 Phoul: regarding the first issue we have some ideas like #21542 18:27:44 it is pretty high on our todo list but right now getting 7.0 into stable shape is even higher 18:28:06 Makes sense, just thought id mention it :) 18:28:15 but once we have a bit breathing room that issue will be worked on 18:29:38 the first one is a bit tricky because we need to solve #17400 first 18:30:19 as we don't have the capacity to ship a bundle per locale per platform per architecture for all the locales we want 18:30:49 Here's a ticket where the list could go: #20628 18:30:50 thus, before we ship any new locale that ticket needs to get solved 18:31:06 the ux team is aware of that 18:31:08 arthuredelstein: will get them added after this meeting :) 18:31:15 Thank you! :) 18:31:18 also, I know the Twitter functionality stuff is fixed in the most recent update, but Phoul and I were wondering more generally about QA for intensive websites like Twitter 18:31:23 The clock skew problem is interesting. 18:31:34 and we need to do some coordination but that said it is pretty high on our prioity list 18:31:44 I assume that's "SSL Certs are invalid because the user's clock is way off" Or does it affect connecting to tor too....? 18:32:12 To add to what flexlibris just said, I was wondering if we used Selenium or something for TB testing, and if so, if we could have tests for some popular sites like Twitter/Github/others. 18:32:41 tjr: it prevents tor from bootstrapping if its far enough off. 18:32:48 tjr: it's not just ssl certs iirc 18:33:35 flexlibris: what do you have in mind? 18:33:43 Ah okay so it's a little-t tor problem first; and then if we fixed that it would propagate to the browser too most likely. Is there a spec anywhere on how we might address this? 18:34:09 GeKo: see what Phoul said ^^ 18:34:53 tjr: #10059 has some discussion you might find interesting 18:35:04 aha 18:35:12 Phoul, flexlibris (to testing): I remember on a AMS meeting that one of the mozilla guys talked about how they test firefox and that they would do some stuff also for us (was in a meeting about the launcher ux) 18:35:29 Phoul: we have some marionette tests. However testing Twitter features is not very simple, especially since they can change how their website work at any time. 18:35:40 tjr: also see #9675 18:35:42 Samdney: do you remember who the Mozilla person was? 18:36:03 flexlibris: I don't know his name :( 18:36:09 I think selenium would be a very nice way to catch things that break when important websites change. 18:36:42 flexlibris: perhaps linda can help, I don't know 18:37:14 boklm: I'm not familiar with marionette, but I assume its similar. True about the test needing to be maintained though, I'm not sure how often Twitter changes the bits we'd care about for testing. 18:37:32 ... correction: it was in the tor-slider ux meeting 18:38:10 Other sites change less though, like Github. 18:38:30 In the most recent Twitter case, though, the bottleneck was we didn't have the capacity to make an extra point release after we made the fix. 18:39:00 Would it have been any different if caught in QA vs after release? 18:39:35 The Mozilla person might have been Christoph (I thinkl he was in that meeting anyway). 18:39:39 difference* (sorry, im typing very delayed) 18:39:56 arthuredelstein: well, actually the problem was that the issue did not get a higher prio earlier as it basically was #16540 18:40:11 err 18:40:22 #16450 18:40:53 Aha, I hadn't realized that. 18:41:16 Phoul: i don't think so 18:42:09 GeKo: fair enough. Might still be worth considering in the future to catch breakage, even if it wouldnt have helped this time. :) 18:42:47 indeed. i think opening a ticket and thinking about a way how to implement stuff is a good thing to do. 18:42:53 i can do this after the meeting 18:43:28 I don't think we had anything else to share 18:43:35 Phoul: ^^ 18:43:36 thanks! 18:43:42 That was all :) 18:43:57 pretty helpful 18:43:58 let us know how we can be helpful as we make the support portal 18:44:21 we'll come to the meeting from time to time 18:44:39 So as far as clock skew goes, I'm trying to find any statistics about how off they are in user's browsers 18:45:07 But a dead-simple thing we _could_ do is look at the build date of the browser and the current time and if the user's time is behind the build date, and we get a conneciton error, tell them to check their clock. 18:45:24 Generally the skew is of a few hours 18:45:35 Ah, that won't work then 18:46:14 Wait, wouldn't a consensus up to 24 hours old work though? Unless it's skewed forward a few hours... 18:48:49 okay. i have some items too 18:49:03 first next week on monday do we have a meeting? 18:49:18 there is a holiday at least in some countries 18:49:32 i think i can make it to the meeting at least 18:49:53 the other thing is i updated the ticket list 18:50:11 right now important items are tagged with tbb-7.0-must-alpha 18:50:21 and thery are order roughly according priority 18:50:31 Kathy and I are available next Monday for a meeting 18:50:36 As am I 18:50:39 I think I can make it too 18:50:52 if any of you does not know what to do picking a ticket from that list with highest prio first is the things to do 18:50:59 okay, then we'll have a meeting 18:51:07 thanks for assigning priorities, etc. 18:51:30 please mark those ticket either by adding a keyword or assigning it to you 18:51:43 will do 18:51:50 and if you find a ticket you think should be on this list bring it up 18:51:57 or add it 18:52:21 i'll go over this list more frequently to update things i guess 18:52:43 then we have 7 weeks until we must update to 7.0 18:53:07 i guess we want to have 7.0 out a bit earlier maybe 1 or two weeks for a soft launch 18:53:24 * mcs is feeling a little pressure :) 18:53:24 which means 5-6 weeks for getting it into stable shape 18:53:31 yeah, no kidding 18:53:34 I think you mentioned we might release a second alpha? 18:53:37 so any bugs, so little time 18:53:39 many 18:53:52 yes, i think we should have another alpha 18:53:59 like in about 3 weeks 18:54:14 sounds like a good idea 18:54:17 to pick up the work we've done since then and give it out for more testing 18:54:56 another alpha sounds like a good idea… that will also allow a “field test” of the 7.0 updater 18:55:07 yep 18:55:10 So for the full 5-6 weeks we theoretically want to finish all tickets in https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~tbb-7.0-must, correct? 18:55:18 yes 18:56:05 okay, another alpha in about 3 weels 18:56:07 *weeks 18:56:38 another alpha sounds like a good idea 18:57:11 the last item i have: i updated the dependenies on other teams/organizations we have right now 18:57:19 which is on https://storm.torproject.org/shared/gf-PXTTtFJyzrpqDoGepLwXa4Sr4JUb-hWIK6yqylxs 18:57:49 i don't expect to get more dependencies added but there might some, especially for objective 2.1 18:57:53 we'll see 18:57:54 GeKo: Is this the Tor Browser meeting? 18:58:04 yes, another 2 minutes :) 18:58:08 hi! 18:58:27 legind: if you have something for the meeting, go for it 18:58:28 I didn't miss it then :) I have one quick item/announcement if that's okay 18:58:33 sure 19:00:07 For HTTPS Everywhere we've coded up a working PoC for delivering and verifying rulesets separately from the extension itself. This only works for the WebExtensions version currently, so once TB stable is rebased to 52 I'll be able to test if it works properly. At that point, every day or so we'll have new rulesets being checked from the EFF site 19:00:32 If there are fingerprintability concerns we should have those in our purview. We're planning on releasing this in the next few months 19:00:36 legind: you can do this right now with the latest alpha 19:00:47 7.0a3 is already based on esr52 19:01:00 GeKo: I will do testing with 7.0a3 then 19:01:27 currently the Firefox extension is still XPCOM, but once TB stable moves to 52 I can finally ditch the old extension 19:01:54 let me think a bit more about the fingerprinting thing 19:02:17 do you have written down your thoughts about that one somewhere? 19:02:29 Are most Firefox users using the WebExt-based version now? 19:02:29 like when you designed this new feature? 19:02:56 No, this is a new feature we just have a PoC for and honestly I haven't considered it much 19:03:26 mcs: No Firefox users are using WebExt currently 19:03:37 okay 19:03:48 They're all using XPCOM. Only Webext users are on Chrome or Opera right now 19:04:14 mlerph 19:04:24 But XPCOM will be deprecated in Nov due to FF57 19:04:31 Thanks. I am a little worried about the transition (e.g., if there are behavior differences btw Firefox and Chrome’s APIs). 19:04:33 and ESR 45 doesn't support it well 19:04:51 right. 19:04:52 mcs: I understand, that's what I'll be testing for 19:04:56 sounds good 19:05:16 I've been waiting on TB to make that jump for Firefox users 19:05:37 okay, i think that's it for today 19:05:47 GeKo: I assume there is nothing in browser land that requires my attention 19:05:48 Also Fennec doesn't support WebExt very well either, but that's a different story 19:06:26 Yawning: maybe #22053? 19:06:44 not sure if it's your issue though 19:06:55 apart from that i think you are fine 19:07:06 *baf* 19:07:09 #endmeeting