18:58:55 #startmeeting tor browser 11/12 18:58:55 Meeting started Mon Nov 12 18:58:55 2018 UTC. The chair is GeKo. Information about MeetBot at http://wiki.debian.org/MeetBot. 18:58:55 Useful Commands: #action #agreed #help #info #idea #link #topic. 18:58:55 tbb meeting? 18:59:00 indeed! 18:59:06 hello all 18:59:08 o/ 18:59:14 hi! 18:59:19 another week, another meeting 18:59:27 the pad is at https://storm.torproject.org/shared/tHoN4Ii7rLSjPE0OP4gydX4cMGadsXmRQNc-6lwru0N 18:59:29 hi everyone! 18:59:36 hey 18:59:39 hi! 18:59:40 please enter you items and mark items to talk about bold 19:00:17 hi 19:00:34 o/ 19:01:33 hello! 19:01:39 and congrats arthuredelstein :D 19:01:53 :) 19:01:55 indeed 19:02:17 trader :) 19:02:28 (just kidding!) 19:03:12 alright 19:03:12 :D 19:03:24 some folks are still typing but we should probably start 19:03:30 tjr: you are up 19:04:04 cubeb audio remoting temp files 19:04:41 yeah, i had a hard time too, to fully grasp the reply but i can try a second time and do something about it 19:04:43 I'm not sure if mcs or GeKo you got more out of that email than I did - I think we need to dig more into the thing and figure out when they're used, and if we want to do anything to avoid them 19:04:54 i agree 19:04:59 Does that mean I can leave that with you GeKo? 19:05:04 yes 19:05:09 great; thx 19:05:23 agreed, sounds like we need to dig a little more 19:05:48 As for the web extension process: i was worried that pref may disappear before Tor stops needing it. Do you expect to have the two extensions integrated into the browser by the next esr? 19:05:57 Or should i make sure those prefs don't disappear? 19:06:16 what do you mean by integrated? 19:07:09 i am not sure yet whether we want to bake in noscript as, say, as systems extension 19:07:27 Right; but noscript can function as a web extension. launcher/button can't 19:07:33 yep 19:07:45 Is the plan is just to move button/launcher extensions into the source tree; or to integrate them into the browser as not-an-extension? 19:08:30 torbutton should vanish as an extension until we get to the next esr 19:09:03 then the question is whether the browser/web extension communication would hit the same issue 19:09:15 which i don't know the answer to 19:10:09 Hm. okay. Well, I'll start an email discussion and just probe if these prefs are being considered for removal to be safe 19:10:36 i hope treating torbutton that way solves this issue, though 19:10:41 sounds good, thanks 19:11:06 tjr: re switching to the clang toolchain. 19:11:06 * tjr is fin 19:11:11 ah, yea? 19:11:25 i think i'd like to have that after we have the accessibility thing in our alphas 19:11:35 sure 19:11:51 i mean we need a pretty new mingw-w64 revision anyway for that 19:12:22 and i think getting that feature out before starting to seriously change our toolchains 19:12:34 is a good thing for our users 19:12:53 go ahead if you want to work on it :) 19:13:07 otherwise we'll probably pick that up in dec or so as planned 19:13:19 Sure. My main concern/hope is getting the kinks ironed out before mid/late january while I can help 19:13:19 (or we work together on it. whatever works for you) 19:13:28 sounds doable 19:13:35 * GeKo famous last words 19:14:04 pospeselr: you are up 19:14:25 hey hello 19:15:09 I've made a few updates to the #3600 doc, trying to rectify all the conflicting issues associated with redirects and cookies and what-not 19:16:21 I'm planning on reading the last mix and match section through carefully. But it might not be until later this week. 19:16:29 the storm links tells me "You do not have permission to access this grain" 19:16:43 i try to find some time as well to give it a second look and think more about the problem 19:16:43 anyway nothing in particular to discuss at the moment, going to be focusing this week on the work that needs to happen regardless of which combo of solution we converge on 19:17:04 boklm: one sec 19:17:13 i guess it should be https://storm.torproject.org/shared/Kw99Ow0ExZFFC6FKD5CeryfVFAoAL9Z_iEVlflI0fiL 19:17:15 https://storm.torproject.org/shared/Kw99Ow0ExZFFC6FKD5CeryfVFAoAL9Z_iEVlflI0fiL 19:17:20 thanks 19:17:24 seems so :) 19:17:39 grabbed the wrong link from my notes :p 19:17:53 anyway, that is all 19:18:01 thanks 19:18:04 sisbell: hey! 19:18:27 hey 19:18:53 so, i worry we might fall behind our plan to get TBA-a2 out next week 19:19:09 which is why i tried to help with #27443 19:19:41 my current plan is to figure out what changed in rust 1.28 to make the problem go away and hopefully just backport a tiny patch :) 19:19:43 I can timebox the 1/26/1.28 investigation 19:20:06 And then say tomorrow, if no solution, maybe go with 1.28 for now? 19:20:26 Then we would have time to do testing for the release 19:20:42 so 1.27.2 is still broken 19:20:59 and i know that the nightly on 06/01 is working 19:21:23 my plan would be that you work on the orbot build integration into tor-browser-build 19:21:41 while i continue the investigation for #27443 so that we save some time 19:21:55 i think i can figure our the issue tomorrow or on wed 19:22:08 GeKo: Sure, I'll start back up on orbot then + the makefile 19:22:25 so, it should give us plenty of time to prepare all the patches to have our stuff for building ready this week 19:22:40 sounds good, please coordinate with sysrqb for the build process 19:22:46 When does code complete need to be done, leaving time for testing? 19:23:30 what do you mean? 19:24:00 I assume there's a block of time before release that we need for testing 19:24:26 of the apk 19:24:46 yes 19:25:13 ideally we only need to worry about features to get in next week and test our toolchain as good as we can 19:25:22 but all the toolchain work landed by then 19:25:43 Ok, that makes sense. 19:25:53 great, thanks 19:26:08 pili: i think it's your turn 19:26:37 hi, just a reminder that we have the release meeting this week on Wednesday at 18:00 UTC 19:26:57 19:00 19:27:21 or otherwise i can't make it (again :) ) 19:27:38 * GeKo pili got stuck in CEST 19:27:42 oops, I keep getting that one wrong, I need to update my calendar :D 19:27:46 (sorry :) ) 19:28:05 we caught it earlier this time :) 19:28:48 that's all! 19:28:56 okay. 19:29:10 arthuredelstein: do you have an update? 19:29:27 (i know this questions starts to sound weird, but still ;p ) 19:29:59 GeKo: Is it not visible on the document? 19:30:17 hm. let me reload 19:30:19 * antonela cannot bold 19:30:21 maybe it didn't sync 19:30:34 nope, not showing here, too 19:31:00 just a sec, I will try pasting it again 19:31:14 antonela: hey, do we plan aUX sync this week for the security controls? 19:31:20 *a UX 19:31:29 yes, we should 19:31:37 the release metting is at the same hour 19:31:56 do you want to take over it? or having another meeting? 19:32:09 I pasted it again, is it visible? 19:32:14 right above nov 5 19:32:14 pili: ^ 19:32:26 arthuredelstein: now i see it, thanks 19:32:26 we could share, I don't mind :) 19:33:29 wow i lost my update after reload for arthur :/ 19:33:37 arthuredelstein: so, do you have determined when your last day working on code will be? 19:33:46 i mean as part of the tor browser team? 19:34:06 i am just wondering about the thing you want to do until then 19:34:09 *things 19:34:48 GeKo: Last official day would be Nov. 21 19:34:56 or are those the items you listed on the pad 19:34:58 ok 19:36:31 Let me know if there are any things it would be useful for me to do between now and then 19:37:11 i think getting the permissions patch working and upstreamed sounds useful 19:37:29 i wonder about upstreaming #22343 as well 19:37:42 maybe that could be something for ethan's team, though 19:37:44 I will still be around for discussions indefinitely to help with handing things off 19:37:57 yes, I can at least get that started 19:38:03 indefinitely? sounds good! :) 19:38:09 (: 19:38:18 assuming I am immortal :) 19:38:25 hah 19:38:35 reasonable assumption 19:38:56 arthuredelstein: could you add the items you think you need/should hand off to the discussion item on restructuring the team? 19:39:09 (while we finish our status updates) 19:39:26 sure! 19:39:44 antonela: okay, i think you are up 19:39:59 thanks 19:40:08 tor browser icon survey ended and I updated the ticket with the winner! I also made a different version for each channel release 19:40:20 which are the plans? wait for 8.5? release on next release? 19:41:28 hm. 19:41:53 i am not sure about what is needed for having different icons for different series 19:41:58 i played with iconutil and i have an .icns for mac os. I'll have assets for tba as well, both app and playstore. I need to read more about Windows and Linux. 19:42:06 so far we only had one icon for everything. 19:42:16 thus, this might need some time for investigation 19:43:13 antonela: how about you finish the assets while we figure out what we need on our side for icons on three different series? 19:43:17 can we get some help from firefox folks on this tjr? 19:43:32 mozilla user different branding directories for each, i tihnk we'd need some changes for supporting this 19:43:36 I assume this is something that is done for firefox also 19:43:37 err, *use 19:43:42 aah 19:43:46 yeah 19:43:54 thanks for clarifying :) 19:44:08 GeKo: sounds like a plan - let 19:44:09 who wants to grab that investigation and run with it? 19:44:15 I dont know anything, but if you can write up what you need I can ask around? 19:44:16 let's do it 19:44:45 tjr: it's ok, I think the team here knows how that could work :) 19:45:35 mcs: could brade and you put that on your list? 19:46:00 i think all the other folks might be busy with wrap up or tba release 19:46:09 or fixing test suites 19:46:46 pospeselr: or you if you want to have some distraction :) 19:46:52 GeKo: We can take a look. Do we need to work on it now or soon or ? 19:46:53 yeah sounds like a nice divergence 19:47:19 pospeselr :D 19:47:20 mcs: nowish would be good but let richard take it 19:47:27 pospeselr: thanks 19:47:31 OK; thanks! 19:47:32 :D 19:47:39 okay, long status updates 19:47:46 anything more for today in that regard? 19:48:14 discussion time then i think 19:48:21 so, two announcements first 19:48:58 1) it's time for ou bi-annual 1:1s again, so just to give everyone a heads-up and that everyone can start think about it 19:49:09 i'll reach out to folks individually 19:49:26 (arthuredelstein: to you as well :) ) 19:49:53 2) we need to restructure who is doing what now that arthur is leaving 19:50:06 we should all think about those items arthur started to list 19:50:24 we probably need to drop some and others need to get picked up by other folks 19:50:37 we should make a decision about it next week 19:50:49 to have some smooth transition 19:51:22 Kathy and I can take the lead on the annual rebase unless someone else wants it. 19:51:29 arthuredelstein: the uplift/mozilla coordination is missing from the things we need to take over 19:51:35 yes, I just added that 19:51:36 right? 19:51:43 hah, thanks 19:51:50 mcs: noted 19:52:05 alright 19:52:16 I'm hoping to continue to attend those meetings, but good to have someone actually from Tor Browser team there. 19:52:22 pili: it's you again if you want about the snap store idea 19:52:41 hi, yes, not sure if everyone saw irl's email about the snap store 19:52:51 hello 19:52:56 hi :) 19:53:01 arthuredelstein: yeah. i think it's too important for tor/moz coordination. so we should make sure someone from tor is showing up 19:53:22 i can talk about the snap store if that is useful 19:53:22 definitely 19:53:37 I was wondering what people here thought about it and what we can do to help out 19:53:41 irl: so, how is the tor browser snap created right now? 19:53:50 irl: yup might be useful to give some context 19:54:14 currently we use a modified torbrowser-launcher 19:54:29 we ship the tarball inside the snap and then when a user runs it it is extracted into their home directory on first run 19:54:36 subsequent runs just launch from the home directory 19:54:49 we use tor browser's updater to make the updates go over tor 19:55:09 so, this takes the builds as we distribute them? 19:55:13 yeah 19:55:47 do snaps provide an update mechanism? 19:55:55 it would be nice if we could help micah with torbrowser-launcher 19:55:56 they do 19:56:00 but we're already overloaded, it seems 19:56:42 i was at canonical's offices last week and they are keen for us to get this snap into the store 19:56:47 so they can provide us with help 19:56:58 in particular, they offered to test the snap before we publish it 19:57:07 just using it to browse around and click things 19:57:23 i'm worried about your comment that torbrowser-lancher spends a significant amount of time broken (in some way) 19:57:28 right 19:57:38 this is because it is broken in ubuntu's universe archive 19:57:46 while the github releases are all working nicely 19:57:51 and ubuntu ships a broken thing for 6 months 19:58:00 ah! 19:58:04 is that on us for not providing timely updates? 19:58:15 nope, it's on the ubuntu packaging maintainer 19:58:19 (hint: there isn't one) 19:58:19 or is it a side effect of the ubuntu apt-get release cycle? 19:58:23 do you know if the firefox snap (if it exists) is using the firefox internal updater, or using snap to update itself? 19:58:37 there is a firefox snap and the tor browser snap is based on this 19:58:44 i don't know if it's using its internal updater or not 19:58:51 i would guess not as it's system-wide installation 19:59:09 i didn't want to spend the time hacking tor browser into something that can be installed system wide 19:59:31 ah, yes 19:59:35 but that would be near to have :) 19:59:41 *neat 19:59:55 if tor browser team make a system wide installable tor browser, i'll make a snap for it 19:59:56 what is the advantage to us using the browser updater vs. relying on the snap update mechanism? quicker updates? 20:00:05 mcs: easier packaging 20:00:30 if we use the snap mechanism then we have to modify torbrowser-launcher to also update the already installed tor browser 20:01:24 so having a system installable tor browser would avoid the need to use torbrowser-launcher 20:01:34 yeah, it would look more like the firefox snap then 20:01:45 but if we had this then we'd already have torbrowser debian packages 20:02:11 this is the main debian policy blocker 20:02:20 is that advantage of torbrowser-launcherover tor-browser that torbrowser-launcher comes with additional hardeneing? 20:02:26 no 20:02:32 we actually have to disable this for the snap store 20:02:44 snaps provide their own "confinement" but it's for the whole snap 20:03:01 we can't use it to isolate the different parts of tor browser as the apparmor policies in the launcher do 20:03:22 i have discussed this with canonical people, and it looks like it could go on the roadmap, but not in the near future 20:04:21 i think the main benefits of the snap are ease of installation and that we're in control of the update cycle 20:04:27 i wonder whether we should think harder about our linux mess 20:04:42 like: what do we want? 20:04:51 what can and should we support? 20:05:10 i did discuss briefly in mexico that we should really have a packaging/software distribution person 20:05:14 with my tor browser hat on i am happy the way mozilla daies this 20:05:20 *does 20:05:30 what does mozilla do? 20:05:30 they provide the source code and ship bundles 20:05:42 what is a bundle? 20:05:52 but the distros pick this up and provide firefox as they see fit 20:06:00 a .tar.xz file 20:06:17 and the distros have good coordination with upstream 20:06:26 a firefox release manager was my mentor for joining the debian project 20:06:32 yeah 20:06:38 they are not relying on solely distros picking it up 20:06:46 glandium is working for mozilla as well 20:06:49 sure 20:07:00 but the point is 20:07:18 they don't provide linux firefox release for all the distros themselves 20:07:31 and we as the tor browser team should not do this either i think 20:07:46 ah right, i don't think the tor browser team should do this 20:07:57 i think we should have a packaging person 20:08:16 es sense :/ 20:08:16 ~. 20:08:17 that might be a good thing, yes 20:08:34 so, we should look at that as part of the application team 20:08:51 for now i'm probably ok to maintain the tor browser snap but i'd be happy to hand it off as soon as a person appears to hand it off to 20:08:56 I think having some way to install a Tor Browser on a read only partition (for system install) would be nice and allow easier packaging 20:09:05 boklm: definitely 20:09:29 I'm wondering if Tails is doing something like that 20:09:52 irl: okay, how do we proceed? 20:10:19 the process can happen pretty independently of any release cycle as we can just ship whatever is the latest at the time we do it 20:10:27 should i reply to your mail and point to the applications team and some packaging person we might want? 20:10:30 mostly i need to coordinate with stephw 20:10:42 canonical would like to do comms stuff about it 20:10:50 GeKo: yes, that sounds good 20:10:50 i can imagine 20:11:20 okay. i'll do that tomorrow then or on wed 20:11:29 excellent (: thanks 20:11:36 sounds good :) 20:11:45 irl: thanks for picking that up 20:11:58 do we have anything else to discuss for today? 20:12:19 later maybe we could look at integrating the snap build into our build process 20:12:49 hm! 20:13:10 i'm still not sure i understand the benefit of using torbrowser-launcher over just shipping the tarball and extracting it 20:13:15 but that's okay :) 20:13:30 sysrqb: same 20:13:36 it gives you a more linuxy experience 20:13:42 about getting stuff from your distro 20:13:49 via apt-get 20:14:12 and not needing to deal with tarballs (and signatures!) 20:14:12 right, but that's the benefit of the snap, right? 20:14:19 but why not just have a deb for the latest tor-browser in the apt-get repos? 20:14:25 i'm not sure why the snap needs to use torbrowser-launcher 20:14:32 sysrqb: I think the issue is that snap can only install files read-only, but current tor browser bundles expect the users to have write permission on it 20:14:46 ahhhh 20:14:57 that'd make sense 20:14:59 okay folks let me end the meeting and then we can discuss further 20:15:07 okay :) 20:15:12 sorry for the long meeting, thanks all! *baf* 20:15:15 #endmeeting