18:04:55 <donuts> #startmeeting Tor Browser Release Meeting 2022-12-12
18:04:55 <MeetBot> Meeting started Mon Dec 12 18:04:55 2022 UTC. The chair is donuts. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:04:55 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
18:05:26 <donuts> well now it's started :)
18:05:40 <donuts> congratulations on last week's release everyone \o/
18:05:49 <PieroV> Thanks! Congrats team :)
18:06:01 <PieroV> And everyone who helped :)
18:06:24 <donuts> do we want to talk about 12.0 now, or start with future releases like we normally do?
18:06:41 <richard> best to stick to the script i think
18:06:52 <PieroV> I've added retrospective, but I wasn't sure we needed to talk about it :)
18:07:14 <donuts> we talked about feedback/bugs earlier, so we can open up the floor for process points later
18:07:24 <donuts> however let's do 12.0.1 first
18:07:41 <donuts> "Prepared, but waiting for Android CVEs"?
18:07:52 <PieroV> I've written that, not 100% sure it's correct
18:08:09 <PieroV> But CVE/security bugfixes are coming out tomorrow/Wed
18:08:20 <richard> yep
18:08:22 <PieroV> And that's something that is going to happen forever with Android now
18:08:32 <PieroV> (hence the second discussion point)
18:08:32 <richard> we will need another browser tag for ma1's DnD fixes
18:08:46 <richard> but it's a mostly simple minor update
18:08:49 <donuts> yeah, what will the DnD fixes in that release be specifically (ma1?)?
18:09:25 <ma1> I've just pushed a MR which makes the bookmarks and the dnd navigation work again
18:09:39 <donuts> awesome! dnd navigation?
18:09:46 <richard> drag and drop*
18:10:10 <richard> oh dragging to the tab bar
18:10:19 <donuts> aha got it, from the canvas/page?
18:10:20 <richard> to create a new tab (right?)
18:10:24 <ma1> yeah
18:10:30 <richard> yeah from the content window
18:10:32 <donuts> whaaaaat
18:10:39 <donuts> nice!
18:10:58 <ma1> also on the URL bar. And on the bookmark bar to create bookmarks. And onto the places windows/panels. And so on.
18:11:11 <donuts> that's fantastic, I'm super happy with that
18:11:18 <ma1> The only thing which should be blocked ATM is dropping in another app
18:11:35 <donuts> we may want to consider some visual UX to explain why you can't dnd things _out_ of tor browser at some point, maybe
18:11:35 <donuts> yeah
18:11:36 <ma1> (which is what we wanted in the first place)
18:11:36 <richard> there's still some outstanding comments on that MR last I checked, but i suspect it'll be ready for tomorrow/the day after
18:11:44 <donuts> but that's less urgent
18:11:50 <ma1> richard, I suspect I've fixed all that 2 minutes ago
18:12:00 <ma1> (including dnd within the same window)
18:12:02 <richard> nice nice
18:12:13 <PieroV> ma1: other apps, or other TBB windows?
18:12:23 <donuts> ah good question
18:12:25 <ma1> other apps
18:12:34 <donuts> so does window to window work?
18:12:35 <richard> the letterboxing improvements are v nice too, but i want to wait until thorin has had a chance to break it before we backport to stable
18:13:05 <ma1> PieroV, let me check
18:13:47 <ma1> no, not window to window. Just inside the same window, or onto the UI
18:14:04 <donuts> okay good to know
18:14:12 <PieroV> Which is goodish since that might cause the leak
18:14:23 <donuts> yeah, if it's dragged over the desktop?
18:14:35 <PieroV> (I was also suggesting that we could block only on Linux if we're sure macOS and Windows don't start the DNS query)
18:15:05 <PieroV> donuts: gk said when it's moved outside a TBB window
18:15:09 <richard> I would not count on that being stable between macOS/windows releases
18:15:10 <PieroV> But I couldn't reproduce
18:15:18 <donuts> pierov: right
18:15:24 <PieroV> richard: but at least it's more testable
18:15:33 <PieroV> but we can stay on the safe side, too
18:15:45 <richard> yeah i think i'd rather stay on the safe side there
18:15:56 <richard> windows at least already has a history of doing dns requests when you wouldn't expect it to
18:16:02 <donuts> so we'll continue applying the same level of protections to all?
18:16:23 <richard> yeah
18:16:24 <PieroV> Also, I was suggesting that we could mask/encrypt URLs so that we don't leak when dragging but maybe we could support drag and drop between windows in this way
18:16:34 <PieroV> Not sure it's a good idea though, but we can try in the future
18:17:09 <richard> i saw that in the backlog, and actually think that's a pretty good idea but would def require some tlc
18:17:17 <richard> around both the crypto and the UX
18:17:47 <PieroV> tlc being? :)
18:17:52 <donuts> tender loving care :)
18:17:55 <richard> tender locing care
18:18:01 <richard> loving*
18:18:06 <donuts> it's a great idea though
18:18:31 <donuts> I wonder to what degree our user complaints will decrease with intra-window dnd though, versus between-window
18:18:32 <PieroV> maybe we could open an issue to follow
18:18:57 <donuts> yep sounds good to me
18:18:59 <richard> i suspect between window will be noticed and missed
18:19:22 <richard> yeah wfm
18:19:50 <donuts> nice, awesome progress on this issue and some cool ideas too
18:20:19 <donuts> anything else we need to chat about for 12.0.1?
18:20:24 <PieroV> Well, yes :)
18:20:30 <PieroV> The main thing is still here
18:20:38 <PieroV> Android is going to block stable releases
18:20:45 <richard> yes
18:20:52 <PieroV> We can tag, but we might need to tag again
18:21:04 <richard> I think i can poke tjr about setting up some way for us to get access to those before they become public
18:22:07 <richard> i already automatically have access to the bugzilla issues, but the problem is that the android pieces all live in different repos and may not use the associated bugzilla numbers in their commit messages
18:22:23 <PieroV> But what should we do until that becomes a possibility, if it ever does?
18:22:35 <PieroV> I fear some bug tracking now lives on Jira
18:22:42 <PieroV> Especially for Android
18:23:12 <PieroV> I had a suggestion a few days ago
18:23:18 <richard> tbh i don't see a technical solution here vOv
18:23:21 <richard> oh?
18:23:30 <PieroV> And it's: we always release desktop a few days earlier than Android
18:23:52 <PieroV> But we always do the combined release, without doing only desktop or only Android unless strictly needed
18:24:28 <PieroV> We cherry-pick at head, and move to the beginning of the patchset at the next rebase
18:24:42 <PieroV> be it a new ESR release, or a -2 rebase that we do for any reason
18:24:58 <PieroV> I see only this solution, from a practical point of view
18:25:03 <PieroV> At least for now
18:25:40 <PieroV> Opinions?
18:25:47 <richard> i'm not sure i'm following
18:26:01 <PieroV> We continue releasing desktop as always
18:26:05 <richard> right right
18:26:08 <PieroV> And we publish Android a few days later
18:26:19 <PieroV> With a build2 tag
18:26:27 <PieroV> But under the same version
18:27:07 <richard> ah hm
18:27:28 <PieroV> And if there isn't anything to patch, we just build build1 later
18:28:25 <richard> that's fine, but they would most likely require different version numbers
18:29:16 <PieroV> Why?
18:30:18 <richard> well actually, i guess it could work
18:31:50 <ma1> In the meanwhile I've fixed cross-window drag & drop too :)
18:31:53 <richard> i suspect we'd need to tweak the signing/publishing scripts slightly to handle adding new files to the dist directories
18:32:19 <donuts> ma1: whaaa? how?
18:32:38 <richard> ok, let's try it for 12.0.2 assuming i don't social engineer my way to getting the CVEs early
18:32:49 <PieroV> wfm
18:33:26 <ma1> I've created a tor-browser custom data flavor to pass url lists inside the browser without leaking them out.
18:33:26 <richard> do you all think it would be helpful to have a 12.0 retrospective next week?
18:33:31 <donuts> so desktop first, android later, same version number?
18:33:37 <richard> donuts: yeah
18:33:40 <donuts> richard: yeah we could do it as a proper meeting, with audio
18:33:42 <donuts> might be nicer
18:33:47 <PieroV> Yes, that's my proposal for now
18:33:47 <richard> yeah for sure
18:34:08 <donuts> awesome, I'm happy with that
18:34:53 <PieroV> Maybe we should drop blog posts
18:35:05 <PieroV> Like richard proposed a while ago
18:35:18 <PieroV> So we don't pollute blog.torproject.org with release posts :D
18:35:39 <donuts> I'm going to try and squeeze in a release post template into the /download redesign work
18:35:40 <richard> we had the entire first page of blog posts at one point in november iirc
18:35:46 <donuts> something more bare-bones
18:35:54 <donuts> we can still do full blog posts for major releases though
18:36:03 <PieroV> Yes, agree with that
18:36:37 <donuts> but yeah I agree that long term these probably shouldn't be blog posts
18:36:51 <richard> tweets? :p
18:36:54 <richard> or toots
18:37:00 <donuts> especially if we're gonna double the fun with this release plan
18:37:14 <donuts> iirc network posts straight to the forum now
18:37:19 <donuts> although arti gets blog posts still
18:37:35 <PieroV> and to the mailing list, I think
18:37:39 <donuts> I'd like to have something more visual that TB can open in a new tab after it updates though
18:37:40 <richard> do we have any sense/metrics of engagement on those posts?
18:37:43 <richard> does anyone read them?
18:37:44 <donuts> or we can link to from about:tor
18:37:57 <richard> donuts: I do like that idea
18:38:33 <donuts> maybe this could be a TB 12.5 thing
18:39:04 <donuts> richard: re engagement, just forum views/comments
18:39:13 <donuts> since they get crossposted there automagically
18:39:22 <PieroV> donuts: I think we have some patch to prevent a new page from being opened
18:39:35 <PieroV> I'd be happy to drop it, and richard probably happier when it comes to delete code :D
18:39:45 <donuts> pierov: oh? why does that exist?
18:40:00 <PieroV> I've discovered last week or a pair of weeks ago
18:40:02 <PieroV> Don't remember
18:40:07 <donuts> hrm, curious
18:40:14 <PieroV> But it's nested in the torbutton + about:tor implementation
18:40:18 <PieroV> Lots of stuff there :(
18:40:36 <PieroV> Lots to unroll, cleanup, refactor, etc
18:41:30 <donuts> so long term goal: nice release post template under /download that TB points to after updating, short term goal: keep posting on the blog or we can consider going straight to the forum for minor releases?
18:42:33 <richard> let's not worry about new posting strategy until the new year and keep posting on the blog for this year
18:42:45 <donuts> yeah, for sure
18:43:19 <donuts> anything else to discuss today then?
18:43:36 <PieroV> we've received a MR just now
18:43:41 <PieroV> From the gentoo user :)
18:43:52 <PieroV> I think we can get it on 12.0, too
18:44:00 <richard> say what you will about linux users at least they know how to make a merge request :3
18:44:02 <PieroV> 12.0.1
18:44:11 <PieroV> ikr? :)
18:44:20 <richard> bless them
18:44:29 <donuts> they've adapted to survive to their environment
18:44:51 <donuts> >:D
18:45:28 <richard> lol
18:46:21 <PieroV> I don't have anything to add then
18:46:25 <PieroV> We can call it here for me
18:46:33 <richard> wfm
18:47:19 <donuts> #endmeeting