14:59:26 #startmeeting S27 02/25 14:59:26 Meeting started Tue Feb 25 14:59:26 2020 UTC. The chair is pili. Information about MeetBot at http://wiki.debian.org/MeetBot. 14:59:26 Useful Commands: #action #agreed #help #info #idea #link #topic. 14:59:33 hello! 14:59:33 hi everyone 14:59:37 who's around today? :) 14:59:41 hello 14:59:49 * syverson_ is lurking. 14:59:53 here's the pad as usual: https://pad.riseup.net/p/s27-meeting-keep 15:00:04 please add any updates and discussion points to the pad 15:00:07 hi 15:00:10 just over a month to go!! :) 15:00:15 hey syverson_ nice to see you around :) 15:00:20 hi at all 15:00:31 o/ 15:00:45 Hi antonela (et al) 15:00:58 hello! 15:01:14 o/ 15:01:29 hi! 15:02:34 will give until 10 past or so for updates :) 15:04:51 syverson_: hey thanks for the email! 15:05:00 i knew it would be a fun thread the moment i saw aaron's email 15:05:12 :) 15:05:12 i just replied with a hopefully useful response 15:05:34 * asn wriitng status 15:05:44 Can't see my email while on OFTC. Will look after meeting. 15:06:17 are you using VR mode? 15:06:25 :) 15:07:21 ok I think we're more or less there 15:07:31 let's start by discussing/answering some of the bolded items 15:08:02 dgoulet: u've done some hs work this week, do u think it's worht mentioning in pad? 15:08:03 and then we can review objectives and deliverables in reverse order this week (starting with O2A5 and working our way backwards) 15:08:05 so that it gets to the last report 15:08:33 here's the wiki page to have everyone on the same page regarding deliverables: https://trac.torproject.org/projects/tor/wiki/org/sponsors/Sponsor27 15:08:42 asn: not really except the warning logs and analyzing freenode's logs :S 15:09:39 dgoulet: ok 15:09:44 brade/mcs: about the "Learn More" links, we're currently thinking that these should go in the tb-manual(.tpo) 15:10:34 we were going to get our outreachy intern c1e0 to look into it but this is her last week 15:10:41 so she may not get around to it 15:10:46 (hello world, i am kind of nearby too) 15:10:51 why tb-manual pili? why not support.tpo? 15:11:21 well, support is more about questions, right? and what is the question in that case? :) 15:11:31 and even if there is a question... it probably makes sense to point to the manual for how to use this new feature 15:11:50 https://support.mozilla.org/en-US/kb/what-does-your-connection-is-not-secure-mean? 15:11:57 "what does your connection is not secure means?" for example 15:12:20 im happy to discuss it with ggus at the community meeting, tho 15:12:22 oh, sorry, I was thinking about the client auth learn more 15:12:33 well, same? 15:12:42 we have several “learn more” links to worry about :) 15:12:51 yep 15:13:20 yes, for the client auth I still think it makes more sense in the manual 15:13:25 I actually think the client auth one is more important than the onion error links. 15:13:28 for the errors support.tpo makes more sense to me 15:14:03 it sounds like we don't know where the boundary is between the "tor browser manual" topics and "support portal" topics 15:14:24 these do overlap between the two 15:14:26 yup 15:14:50 I still think that feature should be explained in the manual and support can point to the manual 15:15:22 I'm happy to change my mind though 15:15:30 maybe there is a distinction of "why is this happening to me?" - which is support 15:15:36 sysrqb: yup 15:15:42 and "how do i do this thing, or how do i do it correctly" which is manual 15:15:46 "the manual" 15:16:00 mcs: when do you need the links by? 15:16:37 because we can create placeholder links easily enough 15:16:46 if we want it in the next release, then this week 15:16:52 or next week, at the latest 15:17:12 pili: I would say we must have something before we ship in a stable release, although it would have been good to have them for alpha. 15:17:20 otherwise it will slip to the end of march for Alpha 15:17:25 placeholder at least would mean the browser side is ready 15:17:35 yep 15:18:42 ok, let me add to websites meeting discussion and try to get some action on it this week 15:18:44 my suggestion would be to drop the “learn more” links from the error pages for now but keep them for the client auth prefs and prompt 15:18:47 sounds good 15:19:09 and thanks 15:19:21 ok, let's move on then :) 15:19:32 acat: Re #21952 and meta tags 15:19:44 I haven't looked at the latest update yet, let me read quickly 15:21:29 acat: have you looked at the relevant code? 15:21:43 do you have a feeling about how much work that will require? 15:21:49 sysrqb: +1 15:21:56 (work = time?) 15:22:28 I think it's fine to keep what we have and iterate on it outside of this project as long as we have a working solution that serves as a good start 15:22:50 as in, are we already increasing the use of onion services through redirects with the existing work? 15:22:57 that's how i feel, too 15:23:08 but if it is "easy", then i'll take the updated patch :) 15:23:18 metatag support seems nice to have if it is easy though 15:23:21 yup 15:23:23 what sysrqb said 15:23:24 sysrqb: difficult to say, but i think 2 days, but then we need new reviews and so on 15:23:29 if it's not, thne we have a lot of other tickets we need to work on 15:23:39 hrm 15:24:59 it's sad that will likes the idea 15:25:04 i mean, i like the idea, too 15:25:10 *Will 15:25:27 what is the idea that will likes in tldr mode? 15:25:32 move it from http header to something html? 15:25:35 but i think we shouldn't spend another 2-3 (or more days on this) 15:26:15 asn: it's easy to ignore, and if you support "the thing", then you can act on it 15:26:24 if you don't support it, then nothing changes 15:26:39 maybe acat has a better tl;dr for it :) 15:27:13 ack got it 15:27:37 so fb puts it in its html, and tb parses it? 15:27:47 is this the first occurence of tb parsing HTML? 15:27:55 yes 15:27:57 so, let's give acat 2-3 days to try to implement this and if it's looking like it will take longer we just go with what we have already? 15:28:02 sysrqb: fun 15:28:04 just to be clear what we're going to do :) 15:28:35 all agreed? 15:28:38 Will also says facebook will probably never use this, but he thinks other sites are more likely to add the html 15:28:39 asn: so there are some headers that have an equivalent tag in html (see https://www.w3.org/TR/WCAG20-TECHS/H76.html) 15:28:52 i suggested doing that for onion-location 15:29:39 so that it will work either with a header or with a HTML tag 15:29:48 interesting 15:29:50 ack thx 15:31:05 pili: acat: okay, let's try it 15:31:22 ok, shall we move on to review objectives? 15:31:36 or does someone have any other topics/comments before we move on to that? 15:33:21 ok 15:33:50 so let's start with O2A5: #30029 15:34:19 which is really just #28005 15:34:52 acat: I guess we need to find you some reviewers? 15:35:26 yup, i think a UX review first would be better 15:35:58 could i have a build to play with it? 15:36:02 antonela: is that ok? how does that fit in with your other work? 15:36:25 antonela: here https://people.torproject.org/~acat/builds/28005_testbuild/ 15:36:25 i think im done with everything, i just need to review all the things now 15:36:38 and for O2A5 I believe we're also waiting on some update channels from securedrop 15:36:44 at least some test ones 15:36:58 acat: thank you! 15:37:21 which looks like may not happen for a couple of weeks 15:37:22 at least 15:37:28 acat: are there any other blockers/dependencies for you on this item? 15:37:47 not that i can think of 15:38:12 ok, so once you have a UX review, if there are no UX revisions we will need some code review 15:38:30 sysrqb: who do you think would be good for this one, so I can add them to the ticket already 15:38:34 acat: your question about rewriting .onion -> .tor.onion 15:39:00 i believe that was the original plan 15:39:29 but i understand a concern about it 15:39:55 this also reminds me of the discussion we had ~two years ago on this topic 15:39:59 hmm true, if we need that, that would be a blocker :) 15:40:30 where rewriting the address messes with tls cert verification, and any urls within the document 15:40:49 if the webserver doesn't know about the rewrite and assumes everything uses the .onion address 15:41:26 so maybe we should not implement that rewrite until we solve these problems 15:41:52 well, but the url rewrites here are just cosmetic, right? i mean, we just rewrite what is displayed in the urlbar 15:41:58 i guess tls cert validation shouldn't be affected, because this is at a different layer 15:42:12 yeah 15:42:14 that's true 15:42:23 i wonder if that will be confusing, though 15:42:44 the url says .tor.onion and all other components remain .onion 15:42:53 maybe most users wouldn't notice 15:43:22 mmm 15:43:40 okay. i'm okay with the current patch, as you described it on the ticket 15:43:57 15:43 <+sysrqb> the url says .tor.onion and all other components remain .onion 15:43:57 15:43 <+sysrqb> maybe most users wouldn't notice 15:44:05 can we have a "learn more" situation for the ones who do notice? 15:44:06 but we can iterate on it, and modify https-e for the next version 15:44:21 asn: so much learning happening :) 15:44:34 asn: but, yes, i don't see why we couldn't add that 15:45:04 I disagree; 15:46:00 I don't think we should add it now. In the long run, it is a great feature but now is not the time. We don't have resources to write the content and it will be bad to send users to a page that isn't complete 15:46:35 yeah same 15:46:44 +1 15:46:45 how users can learn that other components remain .onion? which other components? 15:46:48 are you referring to the learn more page? 15:47:26 sysrqb: yes I was but there is also burden on UX for designing placement of "Learn More" in browser 15:47:41 i didn't mean to imply we would/could add this immediately 15:47:52 i only meant it is something we could technically add in the future 15:47:58 sorry that wasn't clear 15:48:16 ok 15:49:13 especially if this only lands in nightly for some time period 15:49:29 i'm not worried about confusing people 15:49:34 ok, so we'll continue with the patch as is 15:49:43 and we still need to find 2 reviewers 15:50:14 i'll be one of them 15:50:23 anything else on O2A5? 15:50:25 thanks sysrqb 15:50:34 we only have 10 minutes left in the meeting although maybe that's ok since we already discussed other deliverables last week 15:50:47 brade or mcs: dcan either of you give a second review? 15:50:53 *can 15:51:22 anyone else who feels they are blocked on any of their work please speak up now :) 15:51:41 sysrqb: sure; add me and we will both look at it 15:51:55 thanks 15:52:39 than you 15:52:43 *thank 15:53:22 ok, anyone else blocked on anything? 15:53:23 or any last topics for discussion? 15:54:22 im groot 15:54:42 +1 15:54:56 secure drop is working on a big release but jenn was supportive so i think we are going to be groot with it as well 15:55:20 yup :) 15:55:56 ok 15:56:03 let's leave it there for today then 15:56:07 thanks everyone 15:56:10 #endmeeting