15:00:02 <sysrqb> #startmeeting Tor Browser weekly meeting 7 December 2021
15:00:02 <MeetBot> Meeting started Tue Dec  7 15:00:02 2021 UTC.  The chair is sysrqb. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:02 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
15:00:16 <boklm> hi
15:00:19 <sysrqb> Hello!
15:00:23 <PieroV> Hi
15:00:24 <sysrqb> Pad: https://pad.riseup.net/p/tor-tbb-keep
15:00:28 * nickm lurks until/unless needed
15:00:36 * donuts hasn't even left
15:00:44 <GeKo> o/
15:01:43 <Jeremy_Rand_Talos_> Hi!
15:01:44 <richard> o/
15:02:00 <richard> donuts: I've protonified the circuit display ui tour
15:02:08 <richard> i'll put up a video after this meeting for your enjoyment
15:02:12 <donuts> :O
15:02:14 <donuts> awesome, thanks!
15:06:46 <sysrqb> alright
15:07:21 <sysrqb> First I'd like to welcome PieroV
15:07:37 <sysrqb> he joined the browser team last week
15:07:57 <PieroV> Thanks :)
15:08:02 <donuts> welcome PieroV :D
15:08:04 <boklm> welcome PieroV!
15:08:28 <PieroV> Thanks everybody ^_^
15:08:49 <Jeremy_Rand_Talos_> Cool, welcome!
15:09:34 <sysrqb> Second, as some of you already know, GeKo is temporarily helping triage/maintain Windows/macOS/Linux Tor Browser this month
15:09:41 <sysrqb> while I concentrate on Android
15:10:29 <sysrqb> so expect more guidance from him over the next couple weeks
15:11:32 <donuts> roughly what end of the week do you think 11.0.2 will be published? just so I can coordinate the user support side of things
15:11:56 <sysrqb> today
15:12:02 <donuts> oh ho
15:12:34 <sysrqb> but it's probably about 6-8 hours away, depending how slowness of web servers
15:12:48 <sysrqb> *depending on slownless
15:12:50 <donuts> okay np, could you ping me when the blog post is up and I'll divert the forum comments etc.?
15:12:55 <sysrqb> gah. slowness
15:13:02 <sysrqb> donuts: yes, will do
15:13:13 <donuts> ty, the post itself should crosspost now too
15:13:22 <sysrqb> nice
15:13:42 <donuts> championquizzer fyi ^
15:13:53 <donuts> (I'll continue to take care of the main thread on the forum)
15:14:14 <sysrqb> tyvm :)
15:15:38 <sysrqb> the only discussion item on the pad is related to our security policy
15:15:59 <championquizzer> donuts: thanks!
15:16:50 <sysrqb> last week nickm and I talked about our current policy and a possible general policy that can apply to all Tor projects/applications/programs/etc.
15:17:19 <sysrqb> Tor Browser doesn't have a well defined policy outside of HackerOne
15:18:08 <sysrqb> that H1 policy is good, but I believe we (as Tor) can provide a more unified description of our policy in a centralized place
15:18:41 <sysrqb> and then each project can always provide additional information related to themselves, when necessary
15:19:40 <sysrqb> For reference, the current H1 policy is defined at: https://hackerone.com/torproject
15:21:23 <sysrqb> as a next step, we should review that current policy and discuss what should be changed/improved, and then we can discuss with nickm (and others) about what common patterns we can include in a general/global security policy for Tor
15:21:37 <nickm> (ok if I suggest a couple of things?)
15:21:45 <sysrqb> yes, please do
15:22:13 <nickm> Ok! So, I'm hoping that we can unify our process across the org, including having a registry of security issues that we track and do regular retrospectives on.
15:22:38 <nickm> I'm hoping that the network team's current policy can also serve as a starting point, but every team's needs will be different
15:23:13 <nickm> There are a few main benefits we've found to having a written policy and process.  One is that it's harder to forget to do steps that we've decided are important...
15:23:28 <nickm> ... another is that we don't have to make stressful decisions while we're in the middle of a stressful process.
15:23:49 <nickm> (ie, we don't have to figure out "how do we treat remote crash bugs" while we're debugging an issue and working on a security fix)
15:24:00 <nickm> The policy that we use is over here: https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/SecurityPolicy
15:24:07 <nickm> It's got three main parts:
15:24:12 <nickm> - How to classify issues by severity
15:24:24 <nickm> - What we do about issues, depending on their severity and whether they are public
15:24:39 <nickm> - Provisions for maintenance of an issue repository, over here: https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/TROVE
15:25:08 <nickm> I'm hoping that as an organization we can use a unified issue repository, though we'll probably need something a little heavier than just a wiki page
15:25:16 <gaba> great that you are doing this! it was the idea when we ran with ggus the session on sec policies at Tor. We couldn't continue working on it but it would be great to have it across TPI next year.
15:25:40 <nickm> I'm hoping that as next steps for the TB team, y'all can also look over the network team policies and see which parts would also make sense for you, and which you'd want to change or expand
15:26:04 <nickm> I'm starting with the TB team because your needs are specific and important
15:26:08 <nickm> (end of text-dump)
15:26:15 <sysrqb> thanks nickm !
15:26:30 <donuts> +1, sounds like a great initiative
15:26:37 <sysrqb> would anyone like to help me with this (or take the lead on it)?
15:27:34 <sysrqb> You can think about it, and then let me know later this week
15:29:26 <sysrqb> okay, that was the only discussion item on the pad
15:29:59 <GeKo> we should discuss a bit desktop work and what to prioritize next
15:30:13 <sysrqb> how's that going so far?
15:30:18 <GeKo> great
15:30:28 <richard> sysrqb: i'd be happy to help w/ coming up with security stuffs (sorry had to go feed cats)
15:30:35 <GeKo> PieroV did really amazing work the last days
15:30:35 <donuts> thanks for creating that milestone GeKo
15:30:42 <GeKo> it was already there :)
15:30:44 <donuts> I think you got everything but I'll doublecheck my lists
15:30:50 <sysrqb> awesome
15:31:01 <sysrqb> richard: thanks!
15:31:07 <GeKo> he found and filed https://bugzilla.mozilla.org/show_bug.cgi?id=1744719
15:31:21 <richard> claps in the chat for PieroV
15:31:22 <GeKo> which is the underlying issues for three extension/crash issues
15:31:25 <richard> *clap clap*
15:31:27 <GeKo> we are dealing with
15:31:31 <sysrqb> excellent!
15:31:32 <GeKo> *issue
15:31:32 <PieroV> Thanks :)
15:31:44 <donuts> win10 tab crashes, win10 extension issues, linux font issues are the most reported bugs
15:31:50 <donuts> followed by the missing features on startup bug
15:31:58 <GeKo> it solves the first two
15:32:10 <donuts> yep! great job PieroV
15:32:19 <GeKo> it's a perf improvement
15:32:30 <richard> so that leaves fonts and the mysterious torconnect race condition
15:32:30 <PieroV> Thanks! What about missing features on startup?
15:32:32 <GeKo> the underlying patch causing the problem
15:32:44 <GeKo> so i'll back that out later
15:32:53 <GeKo> and then we can test the result in our nightlies
15:33:02 <GeKo> i'll pick that for the alphas, too
15:33:11 <GeKo> so we have a wider testing group
15:33:31 <donuts> PieroV: applications/tor-browser#40679
15:33:38 <GeKo> richard: my reasoning was to put you on that mysterious torconnect issue
15:33:46 <richard> makes sense to me
15:33:50 <GeKo> under the assumption you know most about the torconnect part
15:33:58 <richard> it is my mysterious component
15:34:03 <GeKo> heh
15:34:09 <donuts> ha
15:34:35 <GeKo> boklm: you are still up working on the toolchain update for tba, right?
15:35:07 <GeKo> i wonder if PieroV could take the font issue from you then
15:35:20 <PieroV> GeKo: okay, I can try
15:35:39 <boklm> GeKo: yes, I think PieroV can take it
15:35:47 <GeKo> okay, then we have a plan
15:35:48 <PieroV> I also found an assert when opening about:tor, I don't know if it's related to these startup problems (but it's after the connection to the network)
15:35:51 <richard> do we have a reliable repro for that yet, apart from 'install gentoo' ?
15:36:07 <sysrqb> PieroV: is that only on Windows?
15:36:18 <sysrqb> richard: the fonts issue?
15:36:23 <richard> mmhm
15:36:28 <GeKo> richard: i think the font issue duncan[m] is talking about is not related to gentoo
15:36:29 <PieroV> sysrqb: I think so. But you need to compile with debug on, which I did not do on Linux
15:36:30 <GeKo> one sec
15:36:34 <sysrqb> richard: not gentoo :)
15:36:48 <sysrqb> i believe fedora 33 (?) was reliable
15:36:52 <boklm> it seems the fonts issue happens on fedora mainly
15:37:06 <donuts> there's the missing fonts issues for both the browser chrome and content, and then the monospace font issue
15:37:08 <donuts> I'm assuming they're all related in some way but idk
15:37:21 <GeKo> tor-browser#40685 is one of them
15:37:27 <GeKo> but not the one i meant
15:37:32 <sysrqb> richard: we landed a last-minute patch in 11.0.2 related to the gentoo wayland issue
15:37:42 <boklm> and ubuntu has the monospace issue
15:37:55 <donuts> oh the gentoo one is the wayland dependency I think
15:37:58 <donuts> so that too
15:38:05 <sysrqb> yes
15:38:15 <GeKo> https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40382 i guess
15:38:36 <boklm> tor-browser-build#40387 is the 3rd font issue
15:38:38 <richard> ahh right ok
15:38:40 <donuts> so there are four linux font tickets in total
15:39:51 <donuts> I've pasted them all in the pad for ref
15:39:51 <GeKo> yeah
15:40:11 <sysrqb> for tor-browser-build#40382 I found one font that is "causing" the issue
15:40:28 <sysrqb> i'm worried about slowly deleting bundled fonts
15:40:33 <GeKo> PieroV: could you file that MOZ_ASSERT ticket later on, so we don't forget about it?
15:40:37 <GeKo> yeah
15:40:40 <GeKo> i agree
15:40:42 <PieroV> GeKo: sure
15:40:53 <GeKo> it would be worth figuring out what is actually going on
15:41:22 <sysrqb> yeah. i'll post a comment on tor-browser-build#40382, but we should try understanding why these fonts are problematic
15:42:52 <sysrqb> i am worried this is a time sink, too, but I hope we can try investigating it, at least
15:43:09 <GeKo> yeah. we should try a bit and see how hard it is
15:43:30 <GeKo> and at the end we should come up with a workaround at least
15:43:48 <GeKo> even if that means we need to remove some (more) fonts
15:44:06 <sysrqb> yep
15:44:11 <sysrqb> thanks
15:44:20 <GeKo> okay
15:44:22 <richard> have we tried loading said bad fonts from vanilla firefox?
15:44:31 <GeKo> i'll prep the alpha release tomorrow
15:44:35 <sysrqb> richard: i think no
15:44:58 <GeKo> trying to squeeze as many fixes as possible into it
15:45:14 <GeKo> richard threw a bunch of reviews over the wall in the last 24h :)
15:45:27 <GeKo> so, i try to get to some of them at least
15:45:29 <richard> it's all css mostly nonsense
15:45:35 <GeKo> yeah
15:45:49 <GeKo> that's it from my side i think
15:46:13 <GeKo> richard: i asked gaba and i think it's okay to put sponsor work on hold for the remaining two weeks or so
15:46:23 <sysrqb> great, thanks GeKo
15:46:28 <GeKo> to get some tb 11 fallout fixed
15:46:32 <richard> okey, works for me
15:46:32 <GeKo> oh, one thing i forgot
15:46:34 <donuts> oh that takes some S96 pressure off on my end too
15:46:43 <donuts> ty GeKo
15:46:52 <GeKo> where are we with auditing the closed bugs etc.?
15:47:04 <GeKo> are there any pieces left?
15:47:15 <GeKo> donuts: yw
15:47:31 <GeKo> https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40588 for instance
15:47:33 <sysrqb> GeKo: those are on my plate as part of getting Android up-to-date
15:47:45 <GeKo> it seems richard reviewed a part
15:47:48 <sysrqb> I need to update those tickets
15:47:56 <GeKo> but other parts were missing
15:48:11 <GeKo> sysrqb: you can bounce those things over to me if that helps
15:48:11 <sysrqb> yes, we split some of them. I believe I stopped at Moz93
15:48:25 <GeKo> okay
15:48:28 <sysrqb> okay, thanks. I'll review what I did
15:48:32 <sysrqb> and I'll let you know
15:48:41 <GeKo> yeah, if there are things missing in particular for tb 11 let me know
15:48:52 <sysrqb> will do
15:48:57 <GeKo> thanks
15:49:05 <GeKo> that's all from me, for realz
15:50:08 <sysrqb> I'll wait another minute in case anyone has a final comment or question
15:50:30 <PieroV> So, should I take up all the fonts issues?
15:50:39 <PieroV> And in that case, in which order?
15:51:01 <GeKo> let's see
15:51:49 <GeKo> #40382 is a good start
15:52:21 <PieroV> Okay, I'll assign it to myself then
15:52:23 <GeKo> and #40387, too
15:52:28 <GeKo> sounds good
15:52:58 <GeKo> PieroV: keeping an eye on the mozilla ticket and following up if they need anything is good, too
15:53:41 <PieroV> Okay. Should I do some deeper investigation?
15:54:18 <PieroV> Because they asked _how_ the patch is related to the crashes
15:54:39 <GeKo> i think right now let's see what the folks at mozilla come up with
15:54:47 <GeKo> we have a workaround we need to test anyway
15:54:50 <PieroV> Makes sense
15:56:20 <sysrqb> Alright, thanks everyone! Have a great week
15:56:24 <donuts> thank you everyone! 🙏
15:56:26 <sysrqb> #endmeeting