#tor-meeting log

15:00:59 <morganava> #startmeeting Tor Browser Weekly Meeting 2024-08-12
15:00:59 <MeetBot> Meeting started Mon Aug 12 15:00:59 2024 UTC.  The chair is morganava. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:59 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
15:01:00 <bellatchau> o/
15:01:14 <morganava> guys you'll never guess where the pad is this week
15:01:16 <morganava> its right here -> https://pad.riseup.net/p/tor-tbb-keep
15:01:22 <jwilde> o/
15:01:31 <morganava> as usual please update your section with todos/todones
15:01:37 <morganava> and add any  discussion points for this week
15:01:54 <Jeremy_Rand_Lab19[m]> Hi!
15:02:16 <morganava> my goal this week is to complete my remaining bugzilla triages and prep/sign/publish 13.5a2
15:02:27 <morganava> *hopefully* we wont' run into any fun with signing Android this week
15:02:30 <Jeremy_Rand_Lab19[m]> Apologies for missing the last few meetings, some meatspace drama (U.S. health care system sucks) derailed me
15:02:32 <morganava> but we'll see
15:02:43 <Jeremy_Rand_Lab19[m]> Happy to be back
15:02:46 <morganava> jeremy: what problems in the american healthcare system how can this beeee
15:03:03 <PieroV> 13.5a2?
15:03:09 <morganava> er
15:03:10 <morganava> 14.0a2
15:03:13 <PieroV> 14.0a2 I assume :)
15:03:14 <morganava> i know what release we're on
15:03:19 <Jeremy_Rand_Lab19[m]> morganava: yeah, combine the ridiculous US health care system with the ridiculous nature of patent trolls, and you get my drama
15:03:22 <morganava> for some reason the current version keeps goinng up
15:03:24 <PieroV> Probably you got confused with 13.5.2
15:03:30 <morganava> yesss
15:04:06 <morganava> speaking of triage, i think 127 is the only one that has not been triaged yet (at least as of last Thursday)
15:04:25 <dan_b> that sounds like a me one
15:04:27 <morganava> iirc the assignees there are myself, dan_b and jwilde
15:04:32 <dan_b> yep
15:04:43 <morganava> evetything else has had at least 2 pairs of eyeballs looking at it
15:04:59 <morganava> which honestly is kind of neat, thx everyone for helping with the paperwork :)
15:05:06 <dan_b> so yeah, i just have a few last tests to fix this morning in 128 android rebase, then wait for claire's comments (i think i just saw some in email) address those, one final rebase to 128.1, and it's ready
15:05:38 <morganava> dan_b: 👏👏👏
15:06:24 <morganava> if folks have any downtime, it may be good to look and see what issues your colleagues created triage issues for to get a broader view of the type s of things we may care about (all linked from the parent issues in tor-browser-sepc)
15:07:33 <morganava> oh and thx to everyone that helped get macOS signing working last week \o/
15:08:54 <morganava> and speaking of accomplishments, micah has taken charge of reviving 'onion-news' and i've been bubbling up cool stuff folks have been doing
15:09:54 <dan_b> yes, the first one was cool and just packed with stuff everyone else has been doing 👍
15:09:56 <morganava> so if there's anything cool y'all have been working on, problems fixed, etc, etc that is worth a headline for the rest of the org to see plz let me know and I'll pass it along (but I am trying to notice and note the good stuff that is happening)
15:10:16 <morganava> or just ping him directly, i ain't no gatekeeper
15:10:33 <morganava> alright, onto discussion points!
15:10:35 <morganava> (do we have any?)
15:10:45 <PieroV> I think the work on the pipelines would be good for the news
15:10:48 * Jeremy_Rand_Lab19[m] has one
15:11:02 <PieroV> To explain that we finally found why GitLab was always tired
15:11:08 <morganava> jeremy: cloudflare has been notified of the useragent change
15:11:09 <PieroV> And the challenges we have to face :(
15:11:35 <Jeremy_Rand_Lab19[m]> alright thanks morganava . Wonder why I'm seeing lots of CAPTCHAs then... :/
15:12:14 <PieroV> Jeremy_Rand_Lab19[m]: I'm seeing more also with stable and with MB
15:12:27 <Jeremy_Rand_Lab19[m]> ah interesting
15:12:29 <PieroV> (MB on my connection, not on Tor, neither Mullvad VPN)
15:13:20 <Jeremy_Rand_Lab19[m]> guess I get to return to my old pastime of complaining to website operators who use Cloudflare
15:13:37 <morganava> so we told them in June to update to `Mozilla/5.0 (Windows NT 10.0; rv:128.0) Gecko/20100101 Firefox/128.0`
15:13:56 <PieroV> Yeah, I found also some invidio.us instances use CloudFlare :|
15:13:56 <morganava> jeremy: if you can draft some short report w/ repro steps I can pass it along
15:14:15 <Jeremy_Rand_Lab19[m]> morganava: I *assume* they understand that other parts of the browser fingerprint will change with the ESR transition, not just the user agent?
15:14:45 <Jeremy_Rand_Lab19[m]> But I wonder if they've actually bothered to fix their fingerprinting scripts for this
15:14:49 <morganava> one would presume so, but as far as I know the useragent should trump the rest of it
15:14:59 <morganava> otherwise what would be the point
15:15:21 <Jeremy_Rand_Lab19[m]> anyway noted, I'll take notes on which sites show the issue and let you know
15:15:41 <morganava> but like i said, if there are reproducible issues we can ~complain~ submit our feedback
15:15:58 <Jeremy_Rand_Lab19[m]> morganava: UA probably won't trump it, CF needs to update the fingerprint whitelist (which maybe they did, maybe not)
15:17:00 <Jeremy_Rand_Lab19[m]> If getting around CF CAPTCHAs were as easy as telling curl to use TB's UA, that'd be a nice universe I'd like to live in
15:17:15 <morganava> lol
15:17:23 <Jeremy_Rand_Lab19[m]> oh whoops you disconnected
15:17:35 <Jeremy_Rand_Lab19[m]> not sure if you saw my message before you dropped "UA probably won't trump it, CF needs to update the fingerprint whitelist (which maybe they did, maybe not)"
15:17:36 <PieroV> Jeremy_Rand_Lab19[m]: I'm kinda sure they also use TLS information
15:18:25 <PieroV> Maybe you can implement a curl with neko :D
15:18:27 <morganava> well as i said, give me repro steps and i can pass them along
15:19:14 <Jeremy_Rand_Lab19[m]> PieroV: they definitely use TLS ClientHello fingerprinting, but I think they also do some stuff with JavaScript depending on what security level the website operator set in the CF control panel
15:19:23 <Jeremy_Rand_Lab19[m]> PieroV: I actually did once make a TLS intercepting proxy that rewrote the ClientHello and HTTP headers to get around CF's fingerprinting
15:19:24 <Jeremy_Rand_Lab19[m]> But it wasn't stable enough to release
15:19:27 <Jeremy_Rand_Lab19[m]> anyways
15:19:29 <Jeremy_Rand_Lab19[m]> yes will give you details once I can check which sites have the issue
15:19:38 <Jeremy_Rand_Lab19[m]> next topic please?
15:19:39 <morganava> alright great!
15:19:41 <morganava> anything else from folks? anyone blockers?
15:19:51 <morganava> help needed?
15:20:04 * PieroV switched to the audit results
15:20:12 <PieroV> I'm going in order
15:20:29 <PieroV> But let me know if you found some issues for me you think are particularly urgent
15:20:47 <PieroV> Like 14.0a2 urgent (e.g., the regional locale thing)
15:21:36 <morganava> yes.. evaluating the priority of the review issues is on my todo list this week
15:25:11 <morganava> alright i will presume your silencce impliles nothign else to chat about
15:25:26 * Jeremy_Rand_Lab19[m] has nothing
15:25:32 * PieroV neither
15:25:32 <morganava> have a good week everyone o/
15:25:41 <Jeremy_Rand_Lab19[m]> thanks!
15:25:46 <morganava> #endmeeting