17:59:07 #startmeeting Tor Browser meeting 19 October 2020 17:59:07 Meeting started Mon Oct 19 17:59:07 2020 UTC. The chair is sysrqb. Information about MeetBot at http://wiki.debian.org/MeetBot. 17:59:07 Useful Commands: #action #agreed #help #info #idea #link #topic. 17:59:24 o/ 18:00:37 https://pad.riseup.net/p/tor-tbb-2020-keep is the pad 18:01:52 hi! 18:02:01 hello! 18:02:07 hey! 18:03:19 TBB Release meeting schedule looks off; Oct 19 is a Monday (today, even) 18:03:33 * sysrqb went through ~150 moderated blog comments 18:04:11 we're nearly at 0 comments on Tor Browser blog posts 18:04:53 there are two requests on the 10.0a8 blog post that we should put somehwere on our 10.0 radar 18:10:02 * Jeremy_Rand_Talos wonders whether Riseup's pad is having issues or if I just got assigned a crappy Tor circuit 18:11:19 i think it is having issues 18:12:14 ok then 18:12:25 * Jeremy_Rand_Talos waits patiently for it to come back online 18:13:40 are people updating their statuses? what do we have for today on discussion? 18:13:41 okay, let's get started 18:13:54 I was :) 18:13:57 the problem of the riseup pad is with the onion service 18:13:58 ok 18:15:01 We have 10.0.2 and 10.5a2 being releaesd this week 18:16:15 I went through the backlog of blog comments from 10, 10.0.1, and 10.5a1 releases 18:16:36 there weren't many surprising bugs reported 18:17:21 but i'll open some tickets and we can investigate them 18:17:33 are you using the milestone 10.0 for the release? 18:17:43 https://gitlab.torproject.org/groups/tpo/applications/-/milestones/1 18:18:11 for example: https://blog.torproject.org/comment/289871#comment-289871 18:18:36 yes, we are putting all tickets that should be included in 10.0 into the Tor Browser 10.0 milestone 18:19:12 that includes tickets that should go into a 10.0 release, but not necessarily the next 10.0.x version 18:19:53 and another comment we should look at: https://blog.torproject.org/comment/289743#comment-289743 18:20:30 but, overlal, most of the comments were about youtube not working in Tor Browser 10 and 10.5a1 18:20:48 and re-enabling javascript.enabled on Safer 18:22:05 right 18:22:21 As for Android, the two comments we should consider fixing are 18:22:35 1) missing Quit button 18:22:57 2) a comment that third-party cookies are enabled 18:23:03 i've tried playing videos with a win32 bundle 18:23:05 3) locale leak 18:23:14 (three comments...) 18:23:21 because i got contacted by our resident cypherpunk who was quite upset about it 18:23:51 i could not repro (easily) because youtube and other video platforms work fine 18:24:10 and i don't really understand why the 32bit part plays a role here 18:24:23 given that the cache is not bound to the bitness 18:24:37 anyway... 18:25:11 okay, that's good you couldn't repro 18:25:11 but is it a 32 bit windows too? 18:25:24 thanks for looking at it 18:26:31 acat: nope 18:26:37 it could be an issue due to 32-bit and a small amount of memory, maybe? 18:26:38 but still 18:28:39 in any case, i'll open a ticket for it and may be someone can find a 32-bit windows system and test it 18:28:53 we only have one comment about this over the last two months 18:29:03 and none during the alpha testing period 18:29:13 so it isn't affecting many people 18:29:26 yeah 18:29:34 considering we received ~50 comments about youtube not working 18:29:35 i am not too worried about it 18:30:40 should be possible to test with one of the x86 images from https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/ 18:30:48 and for android, we're already working on the locale leak by not including all system locales 18:31:11 yeah, i should open a ticket for that 18:31:16 acat: ah, great, i forgot they provide an x86 image, too 18:31:27 i have a 64-bit image locally here 18:32:48 as the for the missing Quit button 18:33:00 if users are looking for that, then we can expose it easily 18:33:21 i can create a patch for that after this meeting 18:33:39 the comment about third-party cookies is interesting 18:33:53 i guess that is a result of disabling tracking protection 18:34:08 and the resulting default cookie policy 18:34:40 so that is unfortunate, if it's true 18:34:43 hey! you are all seeing feedback from comments. Let's include ggus in this conversations so we can get feedback across the board 18:35:01 frontdesk and social media 18:35:12 that's a good idea, yes 18:35:36 and let's see how is the best way to bring the feedback from ggus into this work 18:35:47 sysrqb: you mean the cookie value we set is not obeyed for mobile? 18:35:50 i think he has been filling in issues 18:36:32 GeKo: yes, the cookie value set in GV, that is my assumption 18:37:24 i need to dig into the code and see what is happening 18:38:33 we only flipped the default tracking protection value, so it defaults to off 18:38:54 yeah 18:39:05 in theoriy this should be fine, though 18:39:19 as cookies are part of first party isolation 18:39:21 right, that was my/our hope 18:39:40 the tricky thing is, though, that mozilla saw *more* breakage that way 18:39:47 oh 18:39:52 than by outright disabling 3rd party cookies 18:39:54 yeah 18:40:10 sites have worked around third party cookie blocking 18:40:11 that sounds counterintuitive 18:40:15 no 18:40:35 but they assume once the cookies are available they work as intended 18:40:46 well, yes, sort of counterintuitive 18:40:53 i see 18:40:54 but it kind of makes sense as well :) 18:41:25 yes 18:41:50 in any case, i think we should look at this before releasing 10.0a9 18:41:52 but still worth investigating 18:42:50 this will delay releasing that version 18:42:58 we need to fix another thing 18:43:06 i got pinged by mozilla folks 18:43:19 and they see telemetry pings from us in their logs 18:43:28 so that is *not* disabled for some reason 18:43:37 from Fenix or desktop or both? 18:43:42 fenix 18:43:54 hrm 18:43:56 it's like 5000 last week 18:44:10 go glean is still making connections 18:44:12 *so 18:44:19 well, yes 18:44:31 are we sure it's glean? 18:44:33 i'll file a ticket after the meeting with all the info i got 18:44:35 yes 18:45:10 we should have disabled it with out patch 18:45:17 but i need to look closer where the bug is 18:45:31 *to figure out where the bug is 18:45:56 thanks 18:46:03 *our 18:47:37 let's see if we can get 10.0a9 tagged before this weekend 18:47:48 with fixing the bugs we've discussed 18:49:58 so on our list of bugs are: 1) telemetry, 2) locale leak, 3) Quit button, 4) TorService stopping, 5) 3rd party cookies 18:50:23 oh, and EOY campaign for the home screen 18:50:51 yep 18:50:54 Is that list missing any must-do bugs? 18:51:24 we should have a clear understanding for the password and history upgrade issue 18:51:34 yes 18:51:38 but it's not a hard blocker for tagging the alpha 18:51:43 and migrate the security slider 18:51:51 (if possible) 18:51:52 given that alpha users are already past that threshold 18:51:57 yes 18:52:13 ah true, not blocker for the alpha 18:52:17 however, it might be worth testing any code that results out of that investigation in that alpha 18:52:23 so... 18:52:55 yes 18:53:08 there are likely some alpha users who did not yet upgrade 18:53:15 so any migration changes will still affect them 18:53:21 true 18:53:33 but i expect most already upgraded 18:53:44 so we won't get much testing from them 18:53:53 what about our f-droid users? 18:53:58 so..we should test it ourselves 18:54:16 i need to ping hans 18:54:26 so they did not get upgraded yet 18:55:33 yeah, I didn't tell Hans about 10.0a8, so that update didn't happen 18:55:49 and maybe we should wait until 10.0a9 18:55:56 and then those users can test the migration 18:56:45 is that a crazy idea? 18:57:08 wfm 18:57:19 +1 18:57:25 okay,great 18:57:27 we have a plan 18:57:33 again :) 18:57:42 :) 18:57:44 one week at a time 18:58:04 okay 18:58:07 thanks everyone 18:58:15 have a good week 18:58:19 o/ 18:58:21 o/ 18:58:26 #endmeeting