18:01:00 #startmeeting tor-browser 18:01:00 Meeting started Mon Jun 18 18:01:00 2018 UTC. The chair is GeKo. Information about MeetBot at http://wiki.debian.org/MeetBot. 18:01:00 Useful Commands: #action #agreed #help #info #idea #link #topic. 18:01:07 hi all! 18:01:09 hi! 18:01:14 hello 18:01:15 o/ 18:01:15 oh, richard's guest trick 18:01:18 pospeselr: better :) 18:01:25 s/trick/bug/g 18:01:54 alright, we are suppposed to have two new folks at the meeting today! exciting! 18:02:04 sisbell: welcome! 18:02:11 oooh, new friends :) 18:02:23 sisbell will help with the android side of tor browser 18:02:27 sisbell: welcome! 18:02:31 sisbell: welcome! 18:02:32 yay! 18:02:34 hi! sisbell welcome! 18:02:46 thanks everyone 18:03:17 welcome! 18:03:34 (who's the other folk?) 18:03:37 the other one is anny gakhokidze from mozilla 18:03:44 ah 18:03:52 sisbell: welcome! 18:03:56 at least they wanted to make it but maybe not to the irc part 18:04:03 anyway, let's get started 18:04:15 as usual our meeting pad is at https://storm.torproject.org/shared/tHoN4Ii7rLSjPE0OP4gydX4cMGadsXmRQNc-6lwru0N 18:04:28 please add what you were up to last week and what you plan to do this week 18:04:39 if there is stuff you want to discuss, mark it bold 18:05:01 or put it under the Discussion section 18:05:42 sisbell: hi! Welcome :) 18:06:43 mcs: originally i wanted to look myself at #26381 but i might not have enough time for that until we start building, so, yes, please look at it 18:07:03 GeKo: OK 18:08:25 pospeselr: noted, i'll take a look and we can sync after the meeting i guess 18:08:56 generally, grabbing tickets with ff60-esr and prio high is a safe bet 18:09:03 alright I'll find myself one then! 18:09:43 pospeselr: oh, there is still the moz bug open about /proc requirements i think 18:09:55 i guess you need to decide whether you really want to have asecond review 18:10:14 or whether you are fine with jld's and set the checkin-needed keyword 18:10:22 (i think the latter is a good approach) 18:10:34 oh, you actually got both, nvm then 18:10:56 so, just setting the "checkin-needed" keyword is what you want 18:11:06 (probably after checking that you patch did not bitrot) 18:11:09 *your 18:11:46 arthuredelstein: do you feel we can merge #26128 18:11:46 alright I'll see if it still applies 18:11:47 ? 18:11:59 or is there some follow-up needed? 18:12:03 then I need to change a flag somewhere? 18:12:29 no, just adding the "checkin-needed" keyword. 18:12:43 then abot picks this up and autolands your patch 18:12:48 ah I see 18:12:53 did not know that 18:13:15 yeah, it's s different workflow... 18:13:43 GeKo: I think the current 26128 patch is probably OK for an alpha. There are a couple of issues I'm aware of: (1) using as "http:" as a site causes what appear to be harmless CSP warnings and (2) Any custom per-site settings will be lost whenever the user changes the global security setting. Both of these problems probably require NoScript patches but maybe aren't too serious 18:14:23 sounds okay to me too. 18:14:38 i can merge the patch after the meeting 18:14:46 could you open follow-up tickets? 18:14:59 sure, will do 18:15:02 thx 18:15:50 igt0: how did your torbutton testing go? 18:16:09 i see you had it on your plate for this week but not for next week anymore 18:16:59 are there some things we need to redo for mobile? 18:17:59 GeKo, after our changes to FF60, it is working. However I embedded it inside FF. Because of the issues are discussed before. (the extension loader for mobile is different from the desktop one) 18:18:48 great 18:19:40 igt0: what's your plan for that? 18:19:57 i.e. should that be in the first alpha for tor browser for mobile? 18:20:21 in order to allow first-party domain isolation for instance? 18:20:51 igt0: i think i have a solution for the extensions (and by that, i mean we can continue using Orfox's solution - using a distribution directory) 18:20:57 GeKo, yep there are few things that are important. 18:23:14 sysrqb: igt0: could you coordinate and work on the respective patches 18:23:41 we might want to have this early in our tree i think because it might be a change we want to test thoroughly 18:24:08 GeKo: yes 18:24:12 okey dokey 18:24:18 great, thx 18:24:29 so discussion time 18:24:52 1) we can use the "status: " messages the network-team is using in #tor-dev 18:25:16 i heard from a bunch of people that this is something we want 18:25:28 so, let's start with it and keep us better updated 18:25:45 ok 18:25:46 sounds good 18:25:55 2) a related point 18:26:10 wasn't there a site or something that puts them all in one place, or did I dream that? 18:26:15 are most of us using irssi or are there other clients that we should support? 18:26:31 pospeselr: there is a bot that is capturing stuff 18:26:38 (regarding ahf's irssi-plug-in) 18:26:44 ahf wrote an irssi script that folks can use 18:26:44 I use Pidgin, but I can easily switch 18:26:51 ah, there s a bot? 18:27:13 well, i had ahf's thing in mind 18:27:19 okay 18:27:26 probably mislabeled as bot 18:27:42 okay, the second item: 18:27:55 this is mostly a reminder 18:28:05 i know nick opened a ticket for creating service for tracking this 18:28:06 that it seems like that will not be available very soon 18:28:06 (sorry, lag) 18:28:19 if you come a cross a bug you need longer to fix, please file it on trac anyway 18:28:26 and work further on it afterwards 18:28:39 that helps finding workaround and fixes faster 18:28:57 related: should we assign to individuals instead of say tbb-team? 18:29:09 I was not sure if I should remove tbb-team from the assigned list 18:29:25 i am fine with that 18:29:30 ok 18:29:30 and know pospeselr is doing that 18:29:42 but if you do so, please add tbb-team to the cc list 18:30:02 because there are folks that filter their important bugs via the tbb-team owner 18:30:12 GeKo: what do you mean by “if you come a cross a bug you need longer to fix, please file it on trac anyway” 18:30:16 and they would lose bug updates 18:30:26 Do you mean “please make sure everything has a trac ticket”? 18:30:34 (every known issue) 18:30:56 i want to avoid that we start working on bugs, say for days or weeks 18:31:08 which are not filed yet and then file them when a patch is ready 18:31:22 GeKo: Got it. 18:31:38 (adding tbb-team to the cc list also allows receiving updates through the tbb-bugs mailing list) 18:31:40 because that's a potential waste of dev time as we are working around the globe and find fixes faster together 18:31:54 boklm: yeah that 18:32:24 igt0: re your points 18:32:32 Taking ownership while actively working on a ticket seems like a good idea too (and something I sometimes forget to do). 18:32:44 agreed 18:33:01 and i am fine supporting different approaches or converging on one 18:33:05 yeah, that is why I thought we should assign instead of just being on the CC since assign is more explicit 18:33:18 right now there are folks using a keyword like GeorgKoppen201806 18:33:34 or one directly assigns the ticket to oneself 18:33:40 either way works for me at least 18:34:09 igt0: okay, so service workers are disabled in esr60 18:34:29 so we are still good here because dealing with that one will be a nightmare 18:34:42 but eventually we need to take that hit 18:34:54 we have a ticket on trac but i have not looked that deep yet 18:35:35 #15563 18:35:45 okey, it is because google is pushing hard PWA on mobile now. So we are going to see more and more sites using it. 18:36:02 yep 18:36:16 re orbot 18:36:30 that's still the guardion project doing so 18:36:39 we are no in charge for the browser side only 18:37:08 sysrqb: so, re tor browser for android based on esr60 18:37:14 what do other folks thinkg? 18:37:16 *think 18:37:27 are we good with that idea? 18:38:22 when arthuredelstein and i spoke at the all-hands, this seemed like the best idea 18:38:27 It is confusing to me to call is esr60 since there is no such thing from Mozilla… or am I confused? 18:38:46 and isabela agreed, but i want to make sure we are all in agreement 9as much as possible) 18:38:56 mcs: that is true 18:39:08 Is it really “Firefox for Android 60 with security patches that we (Tor Browser tean) notices?" 18:39:20 yes 18:39:20 that's probably closer to the truth 18:39:24 I think the idea is good as long as we can be “in the loop” with Mozilla for potential fixes. 18:39:43 we would need to use the esr60 branch, not the regular 60 branch 18:40:04 to get backported security fixes 18:40:06 yes, this worked out more or less in the past but there is room for improvement 18:40:16 So, For the amount of people we have, it is great, my concern is when FF updates the android SDK and we don't. 18:40:22 (the "in the loop" part) 18:40:42 igt0: they won't for esr60 18:41:07 but i can feel your pain :) 18:41:28 I mean, if they update in the next versions and we need it for fix a sec bug. 18:41:32 i think it's unlikely they will move to a newer SDK version and break backporting 18:41:35 so, i guess the best we can do is catch the problematic things on mozilla-central 18:41:36 but it is a risk 18:41:39 igt0: Is your concern that newer patches will require a newer Android SDK? or something else? (I know very little about all things Android) 18:41:51 and then start early backporting and testing 18:41:56 mcs, yes 18:42:24 I can see how that could be messy. But there is risk no matter what we do :) 18:42:30 sysrqb: i think we should try it 18:42:36 okay 18:42:39 and we are still in the alpha cycle for a while 18:42:57 yep, I am +1 for using esr60, though. 18:43:01 so we can get used to it to a good workflow that tries to minimize disruption and surprises 18:43:04 true, we have a few months for testing this plan 18:43:35 great, that takes one of my concerns away 18:43:39 If there are any mobile-specific security fixes, I wonder if we could convince Mozilla to backport them to esr60 18:44:01 i doubt that 18:44:08 It seems like a reasonable request under the goal of "help Tor Browser" 18:44:11 i mean they won't even have infra to test that 18:44:12 similar to uplift 18:44:40 oh, because there is no taskcluster build for mobile esr? 18:44:42 and they won't want to ship a patch where they don't know the impact 18:44:44 yes 18:44:58 so, it's not just a matter of backporting 18:45:18 well, sure we could try asking but i am skeptical tbh 18:45:51 alright, release preparations 18:46:08 so, for the stable i need somone looking at #26221 18:46:22 (I'm thinking given that fennec development has slowed it might not be such a large request. But I'm not sure who to ask.) 18:46:50 there will be another review needed for another crash bug fix backport 18:46:59 i'll ping people if needed 18:47:16 who wants to help with building the stable? 18:47:35 I'm available to help 18:47:45 great, thanks 18:48:18 so, i hope we have evertyhing ready for starting the build on wed latest thu 18:48:23 now the alpha 18:48:37 i think we are in good shape toochain-wise 18:48:51 and our three blockers from last time shouls be good as well 18:49:03 so the plan is to start building the next alpha based on esr60 18:49:22 now, what ux features should we try to still squeeze in? 18:49:47 what was the 3) from last time? 18:50:02 we'll get the new circuit display, and the .onion padlock indicator 18:50:04 i added bullet points there, basically circuit display and onion padlock indicator 18:50:11 I was trying to pushing it out because we all wanted it for the alpha but we need to continue working on it. So, i'm afraid we will not have onboarding for alpha release, but we will working on it to have the best version for stable. 18:50:27 boklm: a patch for the proxy bypass bug that we needed a new patch for esr60 for 18:50:35 ah ok, thanks 18:50:36 it seems we'll get a last minute one 18:50:37 that said, our research coordinator starts this week so we will collect alpha's issues/feedback and work together with the community team on it 18:51:02 antonela: sounds good 18:51:23 do you think we could get a new set of icons replacing the tor browser icon for the alpha? 18:51:43 good question, i think my last version needs review 18:51:46 or do you want to have all this landed in one alpha 18:51:54 ? 18:52:13 the brand update is something i'd like to have 18:52:33 but wondering how deep i can work on it during colombia 18:52:45 I will try and finish #26321 and #26322 this week (minor fixups for circuit display) 18:52:52 great 18:52:54 cool, thanks arthur 18:53:06 antonela: so, this would be #25693? 18:53:31 or #25702? 18:53:45 the second one 18:53:58 the first one is almost done, we are using entire Photon UI for this release 18:54:10 all the ui/ux improvements were based on it 18:54:28 so basically what is missing is the brand update, which is closer to @25702 18:54:32 oops # 18:55:17 also, during all hands, the design team at firefox shared with me their Sketch design files (similar to give you access to a repo ha) so will make all browser related work easier and faster \o/ 18:55:30 \o/ 18:55:56 antonela: so, what do you propose? we have time, say, until thursday to include stuff 18:56:53 cool, i'll work on the icons this week and probably we will have it then 18:57:07 nice 18:57:11 thursday eod? 18:57:23 in our tor-browser repo yes 18:57:27 perfect 18:57:40 okay, sandboxing 18:58:00 i heard there was quite some discussion around that at the all hands meeting 18:58:24 yes! 18:58:27 sysrqb: i wonder whether we should essentially have an extra meeting just for that item with some more stakeholders if needed 18:58:46 GeKo: that's probably a good idea, yes 18:58:50 and meanwhile you update your plan and we can resume discussin it 18:58:54 or better 18:59:09 you update it and we have the meeting afterwards 18:59:21 sounds good 18:59:31 using it as a blueprint or possible approach to discuss 18:59:39 yeah 19:00:02 fwiw, i am a huge fan of this separate launcher idea just did not have the time to drive this 19:00:09 so, i am excited :) 19:00:19 let's see what we can do :) 19:00:24 and let's use the momentum we have 19:00:44 great 19:00:58 does that sound like a good plan to everyone? 19:01:20 sounds good to me! 19:02:08 arthuredelstein: sysrqb: do you have the feeling it would be worthwhile inviting moz sandboxing folks to mexico? 19:02:24 so far i was reluctant because i felt it would waste their time 19:02:32 as we were not ready yet 19:02:37 dealing with other stuff 19:03:09 but i guess after we got 8.0 out there is still some time to work harder on sandboxing plans/ideas 19:03:14 that might change that... 19:03:26 I think tjr invited somebody already possibly 19:04:17 okay, i'll check with him but what's your feeling here? 19:04:30 yes, it would likely be a good diea 19:04:31 i tink tom invited jim (his manager) 19:04:32 i dont remember who else was invited from that team 19:05:12 okay, i'll coordinate with him and let jon know then, thanks 19:05:15 I guess I'm not sure given that what we want to do is perhaps somewhat orthogonal to what Mozilla wants to do. 19:05:42 yes that's been one of my main concerns 19:06:02 my thinking is maybe they make progress on their sandboxing within the next 3 months, and we can benfit from that 19:06:05 (knowlege/experience/...) 19:06:14 What's probably a good idea is whoever works on the sandbox stays in close contact with members of the Mozilla team 19:06:16 *benefit 19:06:32 agreed to both 19:06:49 okay, final point then i guess, next meeting 19:06:55 arthuredelstein: true,  19:07:09 i'll be travelling next monday evening UTC and parts of tuesday 19:07:15 so i can't make the monday meeting 19:07:23 could we move it to tuesday instead? 19:07:33 same time, same place? 19:07:40 works for me 19:07:41 GeKo: Tuesday is OK for me. 19:07:57 Tuesday works for me 19:08:04 me too 19:08:08 it works for me 19:08:27 sisbell: (next tor browser meeting next tuesday same time, instead of next monday) 19:08:36 works for you? 19:08:42 that works 19:08:46 great 19:09:03 alright, do we have anything else for today? 19:09:15 (apart from "sorry for the long meeting") 19:09:47 okay, does not seem to be th case 19:09:53 sorry for the long meeting 19:09:56 (ok for me as well) 19:10:01 *baf* 19:10:08 #endmeeting