14:59:06 <pili> #startmeeting S27 03/03 14:59:06 <MeetBot> Meeting started Tue Mar 3 14:59:06 2020 UTC. The chair is pili. Information about MeetBot at http://wiki.debian.org/MeetBot. 14:59:06 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic. 14:59:13 <asn> hello!!! 14:59:16 <brade> o/ 14:59:18 <pili> hello hello 14:59:21 <mcs> hi 14:59:23 <pili> who else is around today? :) 14:59:39 <T0_7_> hello pili, nice meeting up again 14:59:39 <pili> here's the pad while everyone else shows up: https://pad.riseup.net/p/s27-meeting-keep 14:59:44 <acat> hi 14:59:51 <antonela> h 14:59:52 <antonela> i 14:59:54 <sysrqb> o/ 15:00:01 <pili> please add your updates :) 15:06:00 <pili> ok 15:06:12 <pili> let's get started 15:06:25 <pili> I'll move my discussion point until the end 15:06:27 <asn> oh we reapplied to learning lab? :) 15:07:04 <pili> asn: yeah, I did 15:07:05 <pili> this will be a smaller thing 15:07:06 <pili> more like a blog post 15:07:16 <asn> i see 15:07:17 <pili> they were offering help to showcase our work here, so we'll see how that goes :) 15:08:17 <pili> asn: I think the first discussion point is yours? 15:08:26 * antonela added jenn's questions so we can talk about each of them together 15:08:28 <asn> yes 15:08:38 <asn> i mainly have thoughts about (1) 15:08:56 <asn> i think so far we've been commiting to .tor.onion as our pseudo-tld 15:09:08 <asn> i wanted to make sure that we all think it's a sensible thing to do 15:09:26 <asn> im mostly worried that if in the future we find the best superior name system, and we have already used .tor.onion for HTTPS-E 15:09:31 <asn> we wont be able to use it for the best superior system 15:09:33 <asn> perhaps 15:09:50 <pili> what are the alternatives? .tor? 15:10:14 <asn> people dont like .tor because it's not an official tld, and if people try to use it with chrome it will leak to the DNS servers 15:10:23 <asn> so securedrop people were not comfortable with it at all 15:10:27 <antonela> but .tor can be an official tld 15:10:27 <pili> ok 15:10:37 <asn> antonela: it could, but we would need lobbying work 15:10:48 <antonela> yes 15:10:51 <asn> people have said that it's gonna be quite hard to get it 15:10:55 <asn> but we havent really tried yet 15:10:58 <antonela> yes 15:10:59 <antonela> yes 15:11:05 <antonela> we can have whatever we want in .tor, now is https-e but in the future could be another resolver tech stack 15:11:17 <asn> right 15:11:20 <asn> u mean .tor.onion? 15:11:21 <asn> or .tor? 15:11:33 <antonela> and the medium term plan could be making .tor a tld 15:11:40 <asn> right 15:11:41 <pili> so, another way of looking at it, why do we think .tor.onion is not the best? 15:11:52 <antonela> well, everything can be better pili 15:11:57 <asn> .tor.onion is the best pseudo-tld we have given the constraints of the problem 15:12:08 <mcs> The problem I see is that if we encourgage use of foo.tor.onion then users will expect foo.tor.onion to always take them to the same foo. 15:12:26 <mcs> and if we switch to a different name provider that may not be true 15:12:46 <mcs> but I am not sure how to avoid this problem 15:12:49 <asn> right, or even if we allow custom rulesets in https-e 15:12:55 <asn> then the naming won't be global 15:13:04 <pili> well, if people want to use namecoin they'd be using .bit for example 15:13:08 <pili> seems to me like the name depends on the mechanism you're using 15:13:15 <antonela> i really dream with a blogpost that says: "Now, Tor Browser gives you .onion domains that you can remember. Read about .tor" 15:13:20 <mcs> maybe we need to make it clear that this experiment is not a global name system 15:13:24 <pili> so I don't see the problem of coupling .tor.onion to HTTPSE 15:13:42 <asn> syverson_: sysrqb: thoughts? 15:13:46 <sysrqb> with the current situation, we are only adding name mappings for domains we know will be stable 15:14:00 <pili> I don't see how you can have global naming without centralization :) 15:14:03 <sysrqb> there should never be a conflict with nytimes.com.tor.onion 15:14:03 <antonela> and that is the point of jenn's question: should we say news outlets to publish this name? is something we can see running in the medium/long term? 15:14:09 <pili> happy to be educated though :) 15:14:23 <sysrqb> regardless of moving to another naming scheme/system 15:14:30 <syverson_> Trying to formulate any answer that is short and responsive. 15:15:04 <pili> hey syverson_ good to have you here 15:15:23 <sysrqb> pili: yes, we must have centralization *somewhere* 15:15:33 <syverson_> This definitely sounds like a shortterm stopgap suggestion IMO, which seem consistent with the goals of S27. 15:15:52 <sysrqb> and if we use the current dns as that centralization/conflict resolution then we should never a problem 15:16:27 <syverson_> By dns, you mean the naming not the lookup, yes? 15:16:59 <sysrqb> especially because securedrop would scope these names within the company's existing dns name 15:17:02 <sysrqb> syverson_: yes 15:17:04 <pili> I think part of the problem with trying to make these decisions is that we're still only experimenting and this is only a proof of concept 15:17:05 <sysrqb> sorry, that wasn't clear 15:17:49 <asn> syverson_: what is securedrops suggested naming scheme? 15:17:54 <asn> like what did jenn make in the ruleset? 15:17:57 <syverson_> pili: True. But our intended experiment is completely backwards compatible. 15:17:59 <asn> is it nytimes.com.tor.onion ? 15:18:13 <antonela> pili: true, but we can reach stable with this 15:18:15 <asn> or nytimes.securedrop.tor.onion ? 15:19:35 <asn> "from":"^https://www\\.2600\\.com\\.securedrop\\.onion","to":"http://lxa4rh3xy2s7cvfy.onion" 15:19:47 <asn> www.2600.com.securedrop.onion -> http://lxa4rh3xy2s7cvfy.onion 15:19:53 <asn> there you have it 15:20:20 <asn> she didnt use .tor.onion i think 15:20:21 <antonela> i dont think nytimes.com.tor.onion is a real escenario if we have headers working properly and/or becoming standard 15:20:29 <syverson_> asn: no lxa4rh3xy2s7cvfy.onion.securedrop.com 15:20:59 <sysrqb> https://github.com/redshiftzero/securedrop-httpse/blob/master/rulesets/2600-hacker-quarterly-securedrop-ruleset.xml 15:21:28 <syverson_> or securedrop.onion/?onion=lxa4rh3xy2s7cvfy 15:21:29 <sysrqb> <ruleset name="2600: The Hacker Quarterly"> 15:21:29 <sysrqb> <target host="www.2600.com.securedrop.tor.onion" /> 15:21:29 <sysrqb> <rule from="^http[s]?://www.2600.com.securedrop.tor.onion" 15:21:29 <sysrqb> to="http://lxa4rh3xy2s7cvfy.onion" /> 15:21:29 <acat> asn: i thinks he did use .tor.onion, did you check https://redshiftzero.github.io/securedrop-httpse/default.rulesets.1582940785.gz? 15:21:30 <sysrqb> </ruleset> 15:21:35 <acat> *she 15:21:41 <asn> syverson_: ah thanks for this 15:21:57 <asn> acat: hmm perhaps i checked the wrong thing. i just gunzipped default.rulesets.1567398063 and lessed it 15:22:03 <asn> from here https://redshiftzero.github.io/securedrop-httpse/ 15:22:06 <syverson_> arggh securedrop.com/?onion=lxa4rh3xy2s7cvfy 15:22:15 <sysrqb> this seems fine to me 15:22:26 <sysrqb> she even uses the securedrop.tor.onion namespace 15:22:30 <asn> right i like that 15:22:35 <asn> i like the namespacing 15:22:43 <asn> it's important! 15:22:49 <sysrqb> :) 15:22:50 <antonela> is the core idea of all this 15:23:14 <asn> ok so we all think this is worth and not destructive enough to go forward? 15:23:18 <pili> +1 15:23:21 <asn> with das experiment? 15:23:22 <acat> with the current rules only www.nytimes.com.securedrop.tor.onion will work (not nytimes.com.securedrop.tor.onion) 15:23:37 <sysrqb> yeah, i was (kinda) expecting securedrop.2600.com.tor.onion 15:23:44 <sysrqb> but i like her scoping more 15:23:56 <asn> acat: but that's a "bug" not a design issue, right? 15:24:21 <sysrqb> acat: yeah, i think that should be changed 15:24:25 <acat> yeah, not sure if she did it for some reason, but i guess it can be changed 15:24:26 <kushal> asn, bug as in missing for without www. part? 15:24:27 <antonela> do we need the .com? 15:24:37 <asn> kushal: o/ 15:24:44 <sysrqb> antonela: yeah 15:24:45 <asn> kushal: yeah that perhaps it would be preferable to omit the www 15:24:53 <asn> but perhaps that's up to how securedrop do their UX analysis 15:24:56 <sysrqb> antonela: because of jen's example of ABC 15:25:05 <kushal> asn, understood, I think it is more as in the example. 15:25:06 <sysrqb> there are many organizations named ABC 15:25:10 <asn> kushal: right 15:25:35 <antonela> mmmm 15:26:51 <mcs> how does this work with multiple rulesets? does the securedrop ruleset only allow names under securedrop.tor.onion or could it have a rule for nytimes.tor.onion? 15:27:15 <kushal> mcs, only for securedrop.tor.onion ruleset 15:27:17 <sysrqb> it depends on how the ruleset is added 15:27:58 <mcs> I think limiting the scope for now is better for this experiment 15:28:02 <asn> agreed 15:28:12 <kushal> yes. 15:28:15 <asn> iiuc, the rulesets we add as tor browser will have a very specific scope 15:28:20 <syverson_> Yes. an added ruleset is completely trusted and a singlepoint. 15:28:21 <asn> now if we ever do custom rulesets, we will need to think how to do that 15:28:53 <mcs> I assume conflicts are resolved in a sane way, e.g., the rulesets must be ordered 15:29:13 <sysrqb> err. i wouldn't bet my life on that 15:29:32 <asn> :p 15:29:41 <syverson_> There is nothing current to make that so, AFAIK. 15:29:54 <sysrqb> but we would add this update channel with only scope of *.securedrop.tor.onion 15:30:26 <antonela> so, we take care about the trusted name space and the .tor and the .onion 15:30:36 <sysrqb> hrm 15:30:46 <sysrqb> i wonder if we can exclude this scope from the eff's update channel 15:30:46 <syverson_> sysrqb: what governs scoping? 15:31:03 <sysrqb> when you add an update channel the scope may be specified 15:31:15 <sysrqb> and then https-e filters rules based on that 15:31:18 <sysrqb> (based on my understanding) 15:31:23 <sysrqb> acat: do you remember more details? 15:31:30 <acat> yes, that's also my understanding :) 15:31:37 * antonela phew :) 15:31:50 <sysrqb> oh good :) 15:31:59 <asn> and the scope is specified locally right? it's not like the eff update channel can change its scope online, or something 15:32:13 <sysrqb> correct 15:32:16 <asn> or the securedrop update channel can override its scope 15:32:16 <asn> ok 15:32:32 <asn> and does the eff update channel have a scope right now? or its wildcard? that is, it can write on top of our rules? 15:32:39 <sysrqb> we'd need to set the scope when we compile the browser, somehow 15:32:45 <sysrqb> i don't know how we do that, yet 15:32:47 <asn> ack 15:32:57 <syverson_> How does the interface notify the user if a channel changes its scope? 15:32:58 <sysrqb> asn: i think it does not have a scope 15:33:00 <sysrqb> so *.* 15:33:05 <asn> fun 15:33:19 <sysrqb> syverson_: i have no idea 15:33:34 <syverson_> That could be an issue. 15:33:38 <sysrqb> maybe it doesn't, but the extension simply ignores entries 15:33:39 <asn> are we concerned about this? i remember in stockholm we were saying that perhaps update channels should be restricted onion-only or https-only, so that the eff update channel cannot rewrite our rules 15:33:58 <asn> concerned about the *.* i mean 15:34:45 <syverson_> sysrqb: you mean unless the user takes an action to accept the scope change? 15:34:50 <asn> we can also move on from this topic :) 15:34:58 <syverson_> asn: +1 15:35:06 <sysrqb> syverson_: ah, yes 15:35:16 <sysrqb> or adjusts the configured scope 15:35:26 <sysrqb> but i don't know if this information is presented to the user 15:35:28 <pili> ok, can we confirm what we have decided then? :) 15:35:32 <pili> if we're going to move on 15:35:35 <sysrqb> we should investigate this :) 15:35:54 <antonela> short comment, i dont think user needs to take action on accept the scope change - we don't have a ui for custom rulesets nor we are exposing this to users 15:36:01 <pili> I think regarding question (1) we can confirm to jen about .tor.onion, correct? 15:36:31 <asn> pili: yes thats my understanding! 15:36:48 <antonela> yes, and that move us to the next question 15:37:04 <pili> ok, everyone ok with moving on to question 2? 15:37:21 <sysrqb> sure :) 15:37:26 <pili> ok, for (2) this is a very good question and something we need to discuss today and agree on soon 15:37:43 <pili> (if not today... ;P ) 15:37:46 <antonela> i hope we can reach stable with this 15:38:59 <sysrqb> i expect this will reach the stable release 15:39:22 <antonela> glad my hopes and your expectations are aligned sysrqb 15:39:23 <sysrqb> but only with limited name mappings 15:39:28 <mcs> I think we should treat it as an experiment for a while and not be in a hurry to take it to the stable release. 15:39:49 <mcs> But I am not sure how to evaluate success if we only release in alpha 15:39:51 <sysrqb> this will not be in the 9.5 stable release 15:40:05 <sysrqb> mcs: yes, i agree 15:40:10 <mcs> post-9.5 seems OK to me. 15:40:17 <pili> ok, so we're aiming for 10.0 stable then 15:40:28 <mcs> Jenn wants to know for server load purposes, right? 15:40:28 <antonela> so, the plan is go alpha for 9.5 and then X will be stable 15:40:41 <asn> what does this mean in terms of timing, if i may ask? 15:40:46 <sysrqb> hmmm 15:40:47 <asn> like in terms of human months 15:40:58 <sysrqb> asn: yeah, that is the question 15:41:03 <antonela> 9.5 june, X end of the year? 15:41:13 <sysrqb> because with our migration to the rapid releases 15:41:31 <sysrqb> our stable/alpha/nightly channels will be very different 15:41:45 <sysrqb> we can let this bake on alpha (beta?) for a while 15:41:55 <sysrqb> whatever we end up calling it 15:42:10 <sysrqb> and we can consider releasing it in stable later this year 15:42:35 <sysrqb> but if we want more UI/UX changes, like the .onion to .tor.onion mapping 15:42:40 <sysrqb> and Learn More link 15:42:45 <sysrqb> which require browser changes 15:43:02 <antonela> oh 15:43:03 <sysrqb> then this is not something we can release in the next few months 15:43:03 <pili> I have 9.5 stable due mid April, so we could release on 10.0a1 then? 15:43:31 <pili> I mean, we don't have to do it then, but that's what we had discussed for 9.5 stable previously :) 15:43:39 <pili> (which can change also) 15:43:46 <antonela> right 15:43:46 <sysrqb> yeah 15:43:49 <dgoulet> "release early release often" ? :D 15:43:51 <asn> if this requires more browser changes we hope that these are gonna happen outside of s27? 15:43:53 <sysrqb> we can keep this as alpha-only for a while 15:44:04 <sysrqb> asn: yes 15:44:13 <asn> i would love this feature to be out on alphas soon so that people can try it out. i think it's a kick ass feature. 15:44:22 <sysrqb> dgoulet: only if the feature is ready :) 15:44:47 <sysrqb> but yes, i would like this to be in an alpha release soon 15:44:53 <antonela> releasing in alpha is a not public release 15:44:59 <asn> are we afraid that because more work needs to happen out of s27 this will go stale when s27 ends? 15:45:09 <pili> ok, so to answer jen, we can tell her it will be in an alpha around mid april? 15:45:32 <antonela> i mean, the main question from trusted parties is: should nytimes make this url public? 15:45:32 <pili> asn: I don't think so, it may need to wait until after june though 15:45:48 <antonela> if we release in alpha, that doesn't make sense 15:45:59 <asn> right 15:46:12 <asn> if we release only in alpha they cant make that url public, until it gets to stable 15:46:21 <asn> beacuse we need to assume that all users have access to the feature 15:47:10 <sysrqb> this depends on when a version of https-e is released with the modifications we need 15:47:31 <sysrqb> hrm! 15:47:36 <pili> what are the risks with releasing this with 9.5 stable? 15:47:39 <sysrqb> hmm 15:47:48 <pili> I understand we don't want to rush things 15:47:52 <sysrqb> htis is an https-e only features right now 15:48:02 <pili> do we have any specific issues in mind though? 15:48:03 <sysrqb> so when stable picks up the version that includes this functionality 15:48:13 <sysrqb> we can't control whether it is available on stbale 15:48:16 <sysrqb> stable 15:48:39 <sysrqb> we should think about this 15:48:44 <sysrqb> i don't want this in stable immediately 15:49:03 <sysrqb> acat: can we pref this? somehow? 15:49:03 <pili> ok, so the issue is the dependency on httpse? :) 15:49:06 <pili> I wouldn't want it to go straight to stable either 15:49:26 <sysrqb> pili: yes, dependency on https-e 15:49:36 <pili> maybe we can think about what's the next alpha we could get it in and see how much time that gives us for testing it out before it will make it to stable? 15:49:41 <sysrqb> and how comfortable we are with it, after some testing 15:49:41 <antonela> well, but this was something we already knew 15:50:02 <mcs> I thought acat’s patches do not require a new HTTPS-E (but maybe I am confused) 15:50:15 <acat> sysrqb: ok, i can revise the patch to put it behind a pref 15:50:29 <acat> mcs: correct, they do not 15:50:36 <sysrqb> oh 15:50:42 <asn> hehe 15:50:44 <sysrqb> then i am confused. one moment 15:50:53 * asn gives sysrqb a moment 15:51:04 <pili> another way to look at it is, is it worth delaying 9.5 stable a month or so to give us more time to get confident with this in alpha? 15:51:08 <pili> what was the issue that legind created in httpse then? :S 15:51:25 * pili needs a moment to double check her email also :P 15:51:32 <acat> pili: that's to implement .onion -> .tor.onion urlbar rewrites 15:51:40 <pili> thanks acat 15:51:49 <sysrqb> okay, i see 15:52:19 <sysrqb> i was confused. good. 15:52:39 <sysrqb> we can get this into an alpha this month 15:52:52 <sysrqb> but we probably won't include it in 9.5-stable 15:53:04 <pili> ok 15:53:13 <antonela> :S 15:53:31 <sysrqb> we can discuss when it will be included in a stable release 15:53:37 <antonela> maybe we need a to-do list to make it stable before anything 15:53:39 <sysrqb> most likely after the migration 15:53:48 <pili> ok, let's move that discussion to email possibly 15:53:58 <pili> we have 5 minutes and 1 more question to answer :) 15:54:03 <sysrqb> antonela: yes, we should decide what a "stable" version looks like 15:54:05 <pili> (and another discussion item) 15:54:15 <antonela> sysrqb: i thought we were in that phase now :( 15:54:29 <pili> I will start a thread after this meeting 15:54:47 <sysrqb> antonela: let's discuss 15:54:57 <antonela> yep 15:55:14 <pili> ok, question 3- I guess is asking about when this would make it to android 15:55:31 <pili> which would not happen until after fenix migration 15:55:55 <sysrqb> i wonder how the https-e ruleset will interact with tor browser on android without the other UI changes 15:55:55 <pili> so we're looking at mid- late 2020? 15:56:27 <sysrqb> i guess the .tor.onoin will be rewirtten to the .onion? 15:56:32 <antonela> the interesting thing about the chromium client is that brave already ships https-e 15:56:38 <mcs> acat: any thoughts about Android support? will some things “just work?" 15:56:51 <antonela> so browsers shipping https-e and tor can get this feature like automagically 15:57:05 <sysrqb> pili: yeah, probably late 2020? 15:57:11 <pili> ok 15:57:12 <sysrqb> hard to know now, really 15:57:12 <acat> mcs: we would have to implement it for Fenix I guess, although we could share some parts of it 15:57:19 <sysrqb> pili: definitely after the fenix migration 15:57:28 <syverson_> sysrqb: right, i was confused by acat's earlier saying the rewrite was in the other direction. 15:57:50 <mcs> acat: thanks; sounds like a post-fenix thing then as sysrqb said 15:57:54 <acat> mcs: ideally just the changes in browser.js would have to be ported to Fenix 15:58:33 <acat> but who knows, as i also had to change some copy-paste logic 15:59:09 <sysrqb> syverson_: we are considering both directions 15:59:19 <syverson_> ? 15:59:58 <syverson_> sysrqb: maybe you can explain to me later today. 15:59:58 <sysrqb> but i assume if the ruleset is used as-is on android, then the url will be rewritten to the .onion 15:59:59 <pili> (we're at the hour, I don't think there's anyone in here next so we can continue the discussion for a short while) 16:00:04 <sysrqb> acat: does that make sense? 16:00:10 <pili> I will need to drop in about ~15 minutes though :) 16:00:27 <sysrqb> acat: without the browser changes? only applying the ruleset 16:00:31 <sysrqb> syverson_: sure 16:00:53 <acat> sysrqb: ah yes yes, sorry i misunderstood 16:00:56 <acat> you're right 16:01:22 <sysrqb> okay, cool. good, good 16:01:30 <pili> I think we have answered question 3 from jen in any case :) 16:01:33 <sysrqb> i think we can wrap up this meeting 16:01:49 <pili> asn: did you want to briefly discuss community portal updates? 16:01:56 <pili> for onion services section? 16:01:57 <antonela> whoever replies jenn please add sysrqb to the thread 16:01:59 <asn> nah it's fine 16:02:01 <asn> nothign important there 16:02:04 <asn> let's keep it for next week 16:02:09 <pili> ok, we'll defer to next week 16:02:12 <pili> thanks everyone! 16:02:15 <mcs> thx 16:02:15 <antonela> thanks! 16:02:22 <pili> #endmeeting