15:00:02 #startmeeting Tor Browser weekly meeting 7 December 2021
15:00:02 Meeting started Tue Dec 7 15:00:02 2021 UTC. The chair is sysrqb. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:02 Useful Commands: #action #agreed #help #info #idea #link #topic.
15:00:16 hi
15:00:19 Hello!
15:00:23 Hi
15:00:24 Pad: https://pad.riseup.net/p/tor-tbb-keep
15:00:28 * nickm lurks until/unless needed
15:00:36 * donuts hasn't even left
15:00:44 o/
15:01:43 Hi!
15:01:44 o/
15:02:00 donuts: I've protonified the circuit display ui tour
15:02:08 i'll put up a video after this meeting for your enjoyment
15:02:12 :O
15:02:14 awesome, thanks!
15:06:46 alright
15:07:21 First I'd like to welcome PieroV
15:07:37 he joined the browser team last week
15:07:57 Thanks :)
15:08:02 welcome PieroV :D
15:08:04 welcome PieroV!
15:08:28 Thanks everybody ^_^
15:08:49 Cool, welcome!
15:09:34 Second, as some of you already know, GeKo is temporarily helping triage/maintain Windows/macOS/Linux Tor Browser this month
15:09:41 while I concentrate on Android
15:10:29 so expect more guidance from him over the next couple weeks
15:11:32 roughly what end of the week do you think 11.0.2 will be published? just so I can coordinate the user support side of things
15:11:56 today
15:12:02 oh ho
15:12:34 but it's probably about 6-8 hours away, depending how slowness of web servers
15:12:48 *depending on slownless
15:12:50 okay np, could you ping me when the blog post is up and I'll divert the forum comments etc.?
15:12:55 gah. slowness
15:13:02 donuts: yes, will do
15:13:13 ty, the post itself should crosspost now too
15:13:22 nice
15:13:42 championquizzer fyi ^
15:13:53 (I'll continue to take care of the main thread on the forum)
15:14:14 tyvm :)
15:15:38 the only discussion item on the pad is related to our security policy
15:15:59 donuts: thanks!
15:16:50 last week nickm and I talked about our current policy and a possible general policy that can apply to all Tor projects/applications/programs/etc.
15:17:19 Tor Browser doesn't have a well defined policy outside of HackerOne
15:18:08 that H1 policy is good, but I believe we (as Tor) can provide a more unified description of our policy in a centralized place
15:18:41 and then each project can always provide additional information related to themselves, when necessary
15:19:40 For reference, the current H1 policy is defined at: https://hackerone.com/torproject
15:21:23 as a next step, we should review that current policy and discuss what should be changed/improved, and then we can discuss with nickm (and others) about what common patterns we can include in a general/global security policy for Tor
15:21:37 (ok if I suggest a couple of things?)
15:21:45 yes, please do
15:22:13 Ok! So, I'm hoping that we can unify our process across the org, including have a registry of security issues that we track and do regular retrospectives on.
15:22:38 I'm hoping that the network team's current policy can also serve as a starting point, but every team's needs will be different
15:23:13 There are a few main benefits we've found to having a written policy and process. One is that it's harder to forget to do steps that we've decided are important...
15:23:28 ... another is that we don't have to make stressful decisions while we're in the middle of a stressful process.
15:23:49 (ie, we don't have to figure out "how do we treat remote crash bugs" while we're debugging an issue and working on a security fix)
15:24:00 The policy that we use is over here: https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/SecurityPolicy
15:24:07 It's got three main parts:
15:24:12 - How to classify issues by severity
15:24:24 - What we do about issues, depending on their severity and whether they are public
15:24:39 - Provisions for maintenance of an issue repository, over here: https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/TROVE
15:25:08 I'm hoping that as an organization we can use a unified issue repository, though we'll probably need something a little heavier than just a wiki page
15:25:16 great that you are doing this! it was the idea when we run with ggus the session on sec policies at Tor. We couldn't continue working on it but it would be great to have it across TPI next year.
15:25:40 I'm hoping that as next steps for the TB team, y'all can also look over the network team policies and see which parts would also make sense for you, and which you'd want to change or expand
15:26:04 I'm starting with the TB team because your needs are specific and important
15:26:08 (end of text-dump)
15:26:15 thanks nickm !
15:26:30 +1, sounds like a great initiative
15:26:37 would anyone like to help me with this (or take the lead on it)?
15:27:34 You can think about it, and then let me know later this week
15:29:26 okay, that was the only discussion item on the pad
15:29:59 we should discuss a bit desktop work and what to prioritize next
15:30:13 how's that going so far?
15:30:18 great
15:30:28 sysrqb: i'd be happy to help w/ coming up with security stuffs (sorry had to go feed cats)
15:30:35 PieroV did really amazing work the last days
15:30:35 thanks for creating that milestone GeKo
15:30:42 it was already there :)
15:30:44 I think you got everything but I'll doublecheck my lists
15:30:50 awesome
15:31:01 richard: thanks!
15:31:07 he found and filed https://bugzilla.mozilla.org/show_bug.cgi?id=1744719
15:31:21 claps in the chat for PieroV
15:31:22 which is the underlying issues for three extension/crash issues
15:31:25 *clap clap*
15:31:27 we are dealing with
15:31:31 excellent!
15:31:32 *issue
15:31:32 Thanks :)
15:31:44 win10 tab crashes, win10 extension issues, linux font issues are the most reported bugs
15:31:50 followed by the missing features on startup bug
15:31:58 it solves the first two
15:32:10 yep! great job PieroV
15:32:19 it's a perf improvement
15:32:30 so that leaves fonts and the mysterious torconnect race condition
15:32:30 Thanks! What's about missing features on startup?
15:32:32 the underlying patch causing the problem
15:32:44 so i'll back that out later
15:32:53 and then we can test the result in our nightlies
15:33:02 i'll pick that for the alphas, too
15:33:11 so we have a wider testing group
15:33:31 PieroV: applications/tor-browser#40679
15:33:38 richard: my reasoning was to put you on that mysterious torconnect issue
15:33:46 makes sense to me
15:33:50 under the assumption you know most about the torconnect part
15:33:58 it is my mysterious component
15:34:03 heh
15:34:09 ha
15:34:35 boklm: you are still up working on the toolchain update for tba, right?
15:35:07 i wonder if PieroV could take the font issue from you then
15:35:20 GeKo: okay, I can try
15:35:39 GeKo: yes, I think PieroV can take it
15:35:47 okay, then we have a plan
15:35:48 I also found an assert when opening about:tor, I don't know if it's related to these startup problems (but it's after the connection to the network)
15:35:51 do we have a reliable repro for that yet, apart from 'install gentoo' ?
15:36:07 PieroV: is that only on Windows?
15:36:18 richard: the fonts issue?
15:36:23 mmhm
15:36:28 richard: i think the font issue duncan[m] is talking about is not related to gentoo
15:36:29 sysrqb: I think so. But you need to compile with debug on, which I did not do on Linux
15:36:30 one sec
15:36:34 richard: not gentoo :)
15:36:48 i believe fedora 33 (?) was reliable
15:36:52 it seems the fonts issue happens on fedora mainly
15:37:06 there's the missing fonts issues for both the browser chrome and content, and then the monospace font issue
15:37:08 I'm assuming they're all related in some way but idk
15:37:21 tor-browser#40685 is one of them
15:37:27 but not the one i meant
15:37:32 richard: we landed a last-minute patch in 11.0.2 related to the gentoo wayland issue
15:37:42 and ubuntu has the monospace issue
15:37:55 oh the gentoo one is the wayland dependency I think
15:37:58 so that too
15:38:05 yes
15:38:15 https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40382 i guess
15:38:36 tor-browser-build#40387 is the 3rd font issue
15:38:38 ahh right ok
15:38:40 so there are linux four font tickets in total
15:39:51 I've pasted them all in the pad for ref
15:39:51 yeah
15:40:11 for tor-browser-build#40382 I found one font that is "causing" the issue
15:40:28 i'm worried about slowly deleting bundled fonts
15:40:33 PieroV: could you file that MOZ_ASSERT ticket later on, so we don't forget about it?
15:40:37 yeah
15:40:40 i agree
15:40:42 GeKo: sure
15:40:53 it would be worth figuring out what is actually going on
15:41:22 yeah. i'll post a comment on tor-browser-build#40382, but we should try understanding why these fonts are problematic
15:42:52 i am worried this is a time sink, too, but I hope we can try investigating it, at least
15:43:09 yeah. we should try a bit and see how hard it is
15:43:30 and at the end we should come up with workaround at least
15:43:48 even if that means we need to remove some (more) fonts
15:44:06 yep
15:44:11 thanks
15:44:20 okay
15:44:22 have we tried loading said bad fonts from vanilla firefox?
15:44:31 i'll prep the alpha release tomorrow
15:44:35 richard: i think no
15:44:58 trying to squeeze as much fixes as possible into it
15:45:14 richard threw a bunch of reviews over the wall in the last 24h :)
15:45:27 so, i try to get to some of them at least
15:45:29 it's all css mostly nonsense
15:45:35 yeah
15:45:49 that's it from my side i think
15:46:13 richard: i asked gaba and i think it's okay to put sponsor work on hold for the remaining two weeks or so
15:46:23 great, thanks GeKo
15:46:28 to get some tb 11 fallout fixed
15:46:32 okey, works for me
15:46:32 oh, one thing i forgot
15:46:34 oh that takes some S96 pressure off on my end too
15:46:43 ty GeKo
15:46:52 where are we with auditing the closed bugs etc.?
15:47:04 are there any pieces left?
15:47:15 donuts: yw
15:47:31 https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40588 for instance
15:47:33 GeKo: those are on my plate as part of getting Android up-to-date
15:47:45 it seems richard reviewed a part
15:47:48 I need to update those tickets
15:47:56 but other parts were missing
15:48:11 sysrqb: you can bounce those things over to me if that helps
15:48:11 yes, we split some of them. I believe I stopped at Moz93
15:48:25 okay
15:48:28 okay, thanks. I'll review what I did
15:48:32 and I'll let you know
15:48:41 yeah, if there are things missing in particular for tb 11 let me know
15:48:52 will do
15:48:57 thanks
15:49:05 that's all from me, for realz
15:50:08 I'll wait another minute in case anyone has a final comment or question
15:50:30 So, should I take up all the fonts issues?
15:50:39 And in case, with which order?
15:51:01 let's see
15:51:49 #40382 is a good start
15:52:21 Okay, I'll assign it to myself then
15:52:23 and #40387, too
15:52:28 sounds good
15:52:58 PieroV: keeping an eye on the mozilla ticket and following up if they need anything is good, too
15:53:41 Okay. Should I do some deeper investigation?
15:54:18 Because they asked _how_ the patch is related to the crashes
15:54:39 i think right now let's see what the folks at mozilla come up with
15:54:47 we have a workaround we need to test anyway
15:54:50 Makes sense
15:56:20 Alright, thanks everyone! Have a great week
15:56:24 thank you everyone! 🙏
15:56:26 #endmeeting