14:58:40 <richard> #startmeeting Tor Browser Weekly meeting 2023-03-06 14:58:40 <MeetBot> Meeting started Mon Mar 6 14:58:40 2023 UTC. The chair is richard. Information about MeetBot at http://wiki.debian.org/MeetBot. 14:58:40 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic. 14:58:47 <boklm> hi 14:58:49 <PieroV> o/ 14:58:50 <gaba> hi! 14:58:52 <richard> it's browser time 14:58:53 <richard> https://pad.riseup.net/p/tor-tbb-keep 14:58:56 <ma1> hi 15:00:01 <dan_b> o/ 15:00:08 <richard> hello hello everyone 15:00:13 <Jeremy_Rand_36C3[m]> Hi! 15:00:26 <dan_b> shouldn't it be more like "it's browsing time"? 15:00:58 <richard> mighty morphin browsin' rangers? 15:01:07 <richard> anyway 15:01:12 <dan_b> totally 15:01:34 <Jeremy_Rand_36C3[m]> "Monday Marcho/ 06"? lol 15:01:48 <richard> window focus is hard 15:01:56 <Jeremy_Rand_36C3[m]> I know right? 15:03:21 <richard> ok i've no major points today 15:03:42 <richard> but first up, our new signing machines are getting plugged in this week! 15:04:08 <richard> after a comedy of bad/mismatched schedules since limerick 15:04:54 <richard> we've an issue tracking the work in gitlab but i expect this will be mostly a me and boklm thing to worry about 15:05:39 <richard> somewhat tangential to that, our windows code signing is expiring in May, so in the midst of all the signing machine migration we'll need to setup a new one 15:06:42 <richard> henry-x and dan_b: can you each give a high-level update on your s30/s96 UX work, any blockers, etc? 15:06:50 <dan_b> i can go 15:07:17 <dan_b> still working on the "prioritize onion" popup fixes. learned a lot, i think with henry-x's feedback this morning i have a good path forward 15:07:33 <dan_b> after that I still have a good bundle assigned to me last i checked. hopefully most should go a lot faster 15:08:09 <dan_b> also unrelated, my home network stopped responding so I can't log on to my mac to test mac stuff. trying to arrange a friend to go by and trouble shoot 15:08:37 <PieroV> typical computers >:[ 15:09:00 <dan_b> if your worried about timing of issues, let me know if you want me to pause the prioritize onion popup work and see if i can blow through some of hte other tasks quickly to derisk? 15:09:17 <dan_b> or am good to keep digging through this one 15:09:21 <richard> donuts: are you here by any chance? 15:10:06 <donuts> yep! 15:10:10 <richard> hey! 15:10:25 <donuts> hello :) 15:10:25 <richard> do we have a set date for when we need s30/96 builds for user testing? 15:10:46 <donuts> For S30, the usability testing begins this month 15:11:08 <donuts> I think it's march 16th, but I can check the ticket 15:11:39 <dan_b> oh that's informative. I def vote to temp pause this and see if I can iddentify and clear some easier issues first? 15:11:56 <richard> ok, and does that cover all of the UX updates we've been making or only a subset? 15:12:00 <henry-x> For me, I was thinking about the html structure for tor-browser#41600 . There's some limited interactivity in the popup, like the "Copy (onion) address" button, so I'll have to figure out how that is going to work with a keyboard 15:12:18 <donuts> okay the schedule currently has usability testing for Tor Browser on the 17th and 18th 15:12:29 <richard> ok 15:12:32 <donuts> richard: as many as possible please 15:12:43 <henry-x> 17th of what? 15:12:47 <donuts> March 15:13:00 <donuts> for S96, we don't need any specific fixes done (it can be tested as is) 15:13:24 <henry-x> ok, I'll work a bit less on the fluent/weblate stuff then 15:13:42 <donuts> anything that doesn't make it into usability testing in Ecuador in March can be pushed to Mexico in April 15:14:00 <richard> ok, if eitherof you have any s131 tasks y'all aren't actively working on please unassign yourself and we can redistribute 15:14:03 <donuts> but yep S30 fixes are top top priority :) 15:14:52 <henry-x> Re the usability test, is it just going to be the alpha/nightly build? Or are we doing a separate build for it? 15:14:54 <donuts> we can also test nightly builds this month, if that makes things slightly easier 15:14:59 <donuts> aha, snap 15:15:05 <donuts> the original plan was to test alphas 15:15:19 <donuts> but it's a moderated test, so the facilitator can have a nightly installed instead 15:15:33 <richard> do you know what platform they would need? 15:15:46 <richard> well basically if there are no M1 macs that makes nightly a lot easier 15:15:54 <richard> otherwise we'd need to codesing for macOS 15:16:07 <donuts> Nah has both an M1 machine and a Linux machine, I think they're planning on taking the latter though 15:16:38 <richard> ok we're almost certainly going to be doing the testing in nightly then 15:16:41 <richard> looking at the release calendar 15:17:53 <donuts> that's totally fine 15:18:07 <richard> ok that leaves the remaining s131 things 15:18:57 <donuts> thanks everyone ^^ 15:19:06 <richard> the remaining work falls into 4ish categories: about:preferences cleanup/remaining firefox feature removal, updater stuffs, webrtc, and *bug fixes* 15:20:10 <richard> and we have an ESR update coming at the end of this week 15:20:48 <richard> dan_b: I think you have the about:preferences cleanup ticket assigned to you, can you pick that up PieroV? 15:20:57 <dan_b> i do 15:21:05 <dan_b> its in MR stage but it's paused on UX feedback 15:21:20 <donuts> mmm which ticket's that? 15:21:21 <PieroV> richard: nope, that one is for Tor Browser 15:21:24 <PieroV> And needs UX 15:21:56 <richard> oh awesome, i must have missed that 15:21:59 <dan_b> tor-browser!538 15:22:01 * richard skimming 15:22:10 <dan_b> for tor-browser#40656 15:22:17 <donuts> oh yes, we won't get anywhere near that until TB 13.0 15:22:26 <donuts> but it definitely does need UX 15:22:32 <PieroV> TL;DR: if we just hide the options we risk of getting very inconsistent UX 15:22:40 <dan_b> and also i think the corresponding privacy-browser#34 15:23:51 <richard> less so in privacy-browser tho right? 15:24:06 <PieroV> Yes, but still UX dependent 15:24:33 <PieroV> We provided a list of stuff, but I think it's never been reviewed? 15:24:43 <ma1> PieroV, do you mean that we should track were in the UI these preferences are observed and hide / lock the controls? 15:24:52 <ma1> w/were/where 15:25:07 <donuts> yep, plus I think it could use some design work rather than just removing preferences wholesale 15:25:20 <PieroV> ma1: if we hide options that were visible, what do we do about users that customized them? 15:25:31 <donuts> however the UX Team have three sponsors ending this/next month (and another potentially in Q3) so anything that's not explicitly spelled out in a contract is going to be later in the year from us, I'm afraid 15:25:39 <donuts> *this/next quarter 15:25:40 <PieroV> We should let them know that we've removed them, or it might be confusing 15:25:56 <ma1> right 15:26:02 <PieroV> And if we don't restore their defaults, how do we provide a way to do that? 15:26:12 <PieroV> Not all features are equal, though 15:26:18 <PieroV> The most scary one is password management 15:27:22 <donuts> yeah, this is potentially a rabbit whole and it needs thought through properly 15:27:26 <ma1> It seems we'll need a migration wizard 15:27:30 <donuts> *rabbit hole 15:28:39 <donuts> so, can we roadmap:future this for Q3/Q4? 15:28:56 <PieroV> I think so for Tor Browser 15:29:10 <PieroV> For S131 a better option would be remove first, and in case add back later 15:29:19 <PieroV> To avoid a similar need for a migration 15:29:23 <richard> we need a removal plan for s131 for the initial release 15:29:25 <PieroV> However, I think that the updater is top priority 15:29:27 <richard> yeah that^ 15:29:44 <donuts> right, so just remove them from the privacy browser for the time being? 15:29:57 <richard> yeah 15:30:08 <donuts> cool, makes sense 15:30:59 <richard> donuts: should we just starting ripping things out then and then come back to UX for freedback once it 'works'? 15:31:33 <donuts> richard: yeah that sounds like a plan ^^ 15:31:39 <richard> ack 15:31:50 <dan_b> right now I have pb#34 assigned to me cus I had the tor-browser issue (with details) and MR 15:32:32 <richard> ok, let's let PieroV take those from you in the meantime 15:32:45 <dan_b> cool will assign 15:33:42 <richard> next up is the updater: we have endpoints so it *should* be a matter of updating the relevant browser pieces, and setting up a pipeline w/ s131 about deploying MARs 15:34:21 <richard> I'll see about getting these pieces up and running over the next weeks. if all goes well we'll be able to update the last alpha to the initial stable 15:34:25 <PieroV> I had to deal with the updater patch, alas, with the macro cleanup 15:34:51 <boklm> do we need something from the updater patch in privacybrowser? 15:35:05 <PieroV> Having the data directory outside the browser simplifies a couple of things that were handled in these patches 15:35:12 <richard> well we'll have several more builds to iron out any problems 15:35:28 <PieroV> But I think we'll need to investigate what actually the updater patches do 15:35:39 <PieroV> And have them interact with the portable mode flag, if needed 15:35:55 <PieroV> Because we also customize the path where updates are saved 15:36:34 <PieroV> I think the symlink stuff won't be needed 15:36:49 <PieroV> (well, IIRC, it could be deleted from Tor Browser, too) 15:37:01 <PieroV> MAR signing might be needed 15:40:10 <richard> ok sounds like i need to coallate/track all of these things, will do that after this meeting 15:40:19 <richard> finally the last bit is webrtc 15:40:41 <PieroV> Enabled and working on Linux and macOS 15:40:46 <richard> i pinged msim, seems like his hardware issues have been resolved and should be updating his MR this week 15:41:07 <richard> but if it gets to abotu wednesday and we haven't any progress on it then we can just do the relevant squash/rebase ourselves 15:41:26 <richard> I'd like to get it enabled for windows for this week's build 15:41:41 <richard> and can also confirm it's working in Linux, been using it for BBB without issues :) 15:41:58 <richard> and ma1 you have the IP leak audit check related to that as well 15:42:26 <ma1> webrtc, you mean? It was among my priorities this week 15:42:40 <richard> ma1: yep :) 15:43:11 <richard> and with that does anyone else have anything else to discuss/announce/etc? 15:43:24 <Jeremy_Rand_36C3[m]> Couple of minor things 15:43:51 <Jeremy_Rand_36C3[m]> (1) It sounds like gaba is back? Would be cool to figure out scheduling a Tor Demo Day. 15:44:16 <richard> ok if I've missed/glossed over anything re s131 we can chat later on IRC 15:44:27 <richard> go for it jeremy 15:44:37 <richard> and yes it seems like gaba is back from some time off 15:45:01 <Jeremy_Rand_36C3[m]> (2) I get the impression that all the Browser Team people are super busy this month; any idea how soon boklm will likely be able to review the openssl/linux-arm MR I sent in yesterday? 15:45:14 <boklm> I'm planning to look at it this week 15:45:21 <Jeremy_Rand_36C3[m]> boklm: ok great, thanks 15:45:45 <PieroV> Jeremy_Rand_36C3[m]: actually a few days ago I 15:45:55 <PieroV> asked a slightly related thing 15:46:07 <PieroV> Maybe you know something, too :) 15:46:26 <PieroV> If I understand correctly, tor could use NSS instead of OpenSSL 15:46:50 <Jeremy_Rand_36C3[m]> gaba: FYI Robert Min has SOCKSification working in a demoable state, so doing a Tor Demo Day this month should work for us 15:47:03 <gaba> great! i will check on when it can work 15:47:07 <Jeremy_Rand_36C3[m]> PieroV: ah yes, I saw you mentioned that but didn't have a chance to reply. 15:48:04 <Jeremy_Rand_36C3[m]> PieroV: NSS and OpenSSL have slightly different feature sets, are we confident that Tor's NSS support is on par feature wise with OpenSSL? I know OpenSSL supports Ed25519 certs while NSS doesn't, for example. 15:48:26 <PieroV> Oh, okay, that makes sense 15:49:00 <Jeremy_Rand_36C3[m]> PieroV: seems like the Network Team would probably know something about that 15:49:31 <Jeremy_Rand_36C3[m]> That said, if it is on par feature-wise, it seems like a good way to shave off some bytes from the binary 15:49:43 <Jeremy_Rand_36C3[m]> So certainly seems worth investigating 15:51:27 <richard> ok 15:51:34 <Jeremy_Rand_36C3[m]> PieroV: also note that NSS has a different TLS fingerprint from OpenSSL, but (1) I suspect PT makes that irrelevant, and (2) NSS is probably less censored than OpenSSL since NSS is what Firefox and Chromium use 15:51:59 <PieroV> That's very interesting, thanks! 15:52:27 <Jeremy_Rand_36C3[m]> But maybe having both OpenSSL and NSS based Tor in production usage at the same time is an anonymity set risk? 15:52:31 <Jeremy_Rand_36C3[m]> Not sure. 15:53:01 <richard> jeremy: depends, tor-brwoser desktop users tend to update to latest pretty quickly 15:53:20 <richard> so the window where we'd have two anonymity sets is fairly short 15:53:33 <Jeremy_Rand_36C3[m]> richard: right, but a lot of users are on system Tor, which will probably stay with OpenSSL unless we tell OS distros to switch 15:53:51 <Jeremy_Rand_36C3[m]> e.g. Tails and Whonix users 15:54:02 <richard> truue 15:54:10 <richard> well anyway 15:54:27 <Jeremy_Rand_36C3[m]> Anyway it definitely seems worth looking into 15:54:28 <richard> we can continue these chatters in IRC 15:54:41 <Jeremy_Rand_36C3[m]> Yep. Nothing else from my end for the meeting. 15:54:44 <richard> so let's #endmeeting and give you all 5 minutes before your next one :D 15:54:47 <richard> #endmeeting