15:02:06 <morganava> #startmeeting Tor Browser Weekly Meeting 2024-09-30
15:02:06 <MeetBot> Meeting started Mon Sep 30 15:02:06 2024 UTC.  The chair is morganava. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:02:06 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
15:02:16 <morganava> pad: https://pad.riseup.net/p/tor-tbb-keep
15:02:16 <boklm> o/
15:02:19 <donuts> o/
15:02:48 <jwilde> o/
15:02:49 <ma1> o/
15:03:42 <morganava> so many releases last week
15:04:09 <morganava> 13.5a10 is published and its update xmls were pushed on Friday along with 14.0a7
15:04:28 <morganava> has anyone had a chance to verify legacy builds update to the right channel based on their OS?
15:04:42 <PieroV> No, but I can try to
15:05:06 <PieroV> morganava: is macOS 10.14 supposed to update to 13.5a10 as well?
15:05:12 <morganava> dan_b had windows setup last week
15:05:16 <morganava> PieroV: yeah
15:06:01 <PieroV> Okay, I can check all legacy desktop platforms then
15:06:05 <dan_b> want me to pop over to that and test 13.5a update again?
15:06:09 <PieroV> I have both Windows 7 and old macOS
15:06:23 <dan_b> ah nice
15:07:47 <morganava> ok this week we have 2 planned releases
15:08:10 <morganava> 13.5.6 and 14.0a8
15:08:33 <morganava> the main thing we need to get into 13.5.6 is the YEC backports, which I believe both of those MRs are on my plate
15:08:39 <morganava> so I'll have those reviewed today
15:08:40 <ma1> 13.5 sec backports from 131 are almost done (2 bugs left): I offlined all the bugs yesterday and worked them disconnected on the airplane today :)
15:09:00 <morganava> and 14.0a8 is our RC2
15:09:11 <PieroV> morganava: we have a very major blocker for 14.0
15:09:15 <PieroV> The pref review
15:09:17 <dan_b> i have the main YEC mr for 14a and reviewing and testing now
15:09:20 <dan_b> for tba
15:09:42 <morganava> (thx dan_b)
15:10:08 <ma1> It seems we've got the culprit for "the extensions can't be installed" problem, but we need to discuss it briefly when you want.
15:10:48 <ma1> (the fix would be simple, but it goes against a previous choice which I'm not sure is worth preserving)
15:10:51 <morganava> ok, what work remains on the pref review an
15:10:54 <morganava> and then let's chat on the android extensions problem
15:11:12 <PieroV> morganava: the whole work I guess?
15:11:29 <henry-x> morganava also need the donate URL for YEC. I'll add a merge request for that as well
15:13:54 <dan_b> +1 for android
15:14:27 <morganava> kk I'll be sure to poke al about that url today
15:14:34 <henry-x> we did get some urls in https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43149#note_3084489
15:15:35 <donuts> would it be useful in future for us to post a single issue for both desktop and android, so there aren't so many parallel conversations?
15:15:36 <donuts> or a parent issue where common questions can be asked?
15:15:38 <morganava> oh alright, so looks like we're good on the url front then?
15:15:52 <morganava> donuts: yeah most likely :p
15:15:58 <donuts> i've noticed that often questions are answered for one platform, but not the other
15:16:47 <henry-x> I think that would make sense next time around
15:16:56 <donuts> ack, i'll mention it to nicob
15:17:23 <morganava> sounds like a job for... an issue template
15:17:25 <morganava> ok maybe not
15:17:41 <morganava> alright, pref review
15:17:59 <Jeremy_Rand_Lab19[m]> Hi!
15:18:00 <Jeremy_Rand_Lab19[m]> Sorry I'm late
15:18:04 <morganava> tldr; we need to review our 001- and 000- js files and ensure the prefs we have set still make sense yeah?
15:18:09 <Jeremy_Rand_Lab19[m]> (Just finished submitting to NLnet, thanks to everyone who helped with providing feedback)
15:18:16 <morganava> gl jeremy o/
15:18:33 <Jeremy_Rand_Lab19[m]> thanks morganava :)
15:20:59 <morganava> ah found it: tor-browser#42356
15:21:16 <PieroV> morganava: it was also in the pad :)
15:22:13 <morganava> currently assigned to ma1, is this something you can get to this week giorgio or should we divide this up among a few other engineers?
15:22:23 <morganava> the pad is lost in a sea of tabs
15:22:43 <ma1> morganava, I can do it
15:23:01 <PieroV> 13.5a9 fails to update because of a 404
15:23:16 <morganava> *interesting*
15:24:34 <PieroV> It seems like https://aus1.torproject.org/torbrowser/update_pre13.5a10/alpha/WINNT_x86-gcc3-x64/13.5a9/ALL is an infinite redirect
15:25:25 <morganava> alright should be an easy fix in the end then
15:25:43 <morganava> guess i didn't stare at the .htaccess regex updates long enough after all
15:26:10 <boklm> ah yes, we should have the watershed redirects in update_pre13.5a10/alpha
15:26:13 <boklm> shouldn't
15:26:18 <PieroV> Probably the new rules shouldn't be in the htaccess there
15:26:23 <PieroV> Only in the one for 14.0a7
15:26:23 <boklm> yes
15:27:06 <boklm> I can update tor-browser-update-responses.git to remove them now
15:27:10 <morganava> sounds like an easy fix for after the meeting then
15:28:37 <morganava> this week after the (hopefully) last alpha build, I'll also plan to prep+build 14.0 stable at the end of this week so it's ready for an october 14 release
15:29:58 <morganava> in the meantime for this week, (apart from aforementioned blockers) priorities remain any remaining "Review Bugzilla..." issues followed by ~14.0 Stable labeled issues in ~Next followed by ~Backlog
15:30:08 <morganava> helpful gitlab query -> https://gitlab.torproject.org/groups/tpo/applications/-/boards?not[label_name][]=14.5%20stable&label_name[]=14.0%20stable
15:31:04 <morganava> ma1: alright now what's going on w/ android extensions? I saw there's a pref that can be flipped which fixes at least the symptoms?
15:32:01 <ma1> Basically yes, but it allows AMO to fingerprint installed extensions w versions.
15:32:16 <ma1> Not something they cannot do through update pings as far as I can tell, though.
15:32:28 <ma1> https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43132#note_3085025
15:32:47 <ma1> This is an update ping: https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=2&id={73a6fe31-595d-460b-a920-fcc0f8843232}&version=11.4.40&maxAppVersion=*&status=userEnabled&appID={ec8030f7-c20a-464f-9b0e-13a3a9e97384}&appVersion=115.15.0&appOS=Linux&appABI=x86_64-gcc3&locale=en-US&currentAppVersion=115.15.0&updateType=112&compatMode=normal
15:34:18 <ma1> flipping that pref exposes a navigator.mozAddonManager object on addons.mozilla.org only which could be abused by Mozilla to probe installed extensions for the same information (installed/enabled/version)
15:34:35 <ma1> when you visit the site.
15:34:42 * morganava reading
15:36:53 <ma1> So, I think the main problem would be a user disabling extensions updates because they don't want to send out this information + Mozilla doing the evil thing + them visiting addons.mozilla.org
15:37:24 <morganava> ok
15:37:43 <ma1> (atm I believe mozilla uses this API on AMO only to do a "magic trick" and show the right "Install" button state)
15:37:49 <morganava> so is the object we're disabling one of those custom things that gets superpowers when queried from mozilla domains?
15:38:02 <morganava> right
15:38:46 <ma1> Nope, no superpower. It's just an additional object you can find on navigator if you access it from addons.mozilla.org
15:39:05 <morganava> well, i'd call that a superpower :p
15:39:08 <morganava> but yeah that's what i meant
15:39:24 <morganava> so then why has the unrelated addon installation system now broken with that object disabled?
15:39:27 <ma1> believe it or not, once upon a time it was exposed everywhere :)
15:39:33 <morganava> jesus of course
15:40:45 <ma1> Because the built-in collection which we fall back to since we disabled the custom one relies on the AMO API which is disabled by that pref.
15:40:55 <ma1> (the object is exposed if the API is enabled)
15:41:42 <ma1> So if we disabled that pref we 1) break the addons manager which doesn't show anymore the "get more extensions" button - 2) fallback to download instead of install for XPIs
15:42:04 <ma1> s/"get more/"find more/
15:42:11 <morganava> is this some new thing specific to Android add-on? i.e. why doesn't desktop break?
15:42:34 <ma1> We broke it by removing our custom collection which bypassed the API
15:42:46 <ma1> (it's a Web API whose result we cached)
15:43:30 <morganava> ooh
15:43:39 <ma1> Desktop does its own different thing. It's a legacy of Fenix's controlled rollout of extensions.
15:43:41 <morganava> this is what the allowed-extensions json file was for
15:43:45 <ma1> yep
15:43:54 <morganava> phhhhbt
15:45:12 <PieroV> The allowed-addons.json was also very broken fwiw
15:45:17 <ma1> So, we either rollback our allowed-extensions removal or we flip the pref at least on android.
15:45:58 <morganava> would it be possible to make this navigator object respect RFP
15:46:06 <ma1> ... or I dig deeper in the code and patch the mozAddonManager exposure by different means, while keeping the isValidHost path
15:46:18 <morganava> ie just query the relevant info and not report all the juicy telemetry
15:46:55 <morganava> or is that a bridge too far for the next week ^^;
15:47:17 <PieroV> ma1: was this a regression from 115?
15:47:21 <ma1> Let me show you how it works atm
15:47:23 <ma1> PieroV, yes.
15:47:57 <ma1> await navigator.mozAddonManager.getAddonByID("{73a6fe31-595d-460b-a920-fcc0f8843232}")
15:47:59 <ma1> Addon { id: "{73a6fe31-595d-460b-a920-fcc0f8843232}", version: "11.4.40rc1", type: "extension", name: "NoScript", description: "Maximum protection for your browser: NoScript allows active content only for trusted domains of your choice to prevent exploitation.", isEnabled: true, isActive: true, canUninstall: true }
15:48:26 <ma1> so, it's version + enabled + active
15:48:44 <PieroV> I've reinstalled 13.5.3 in my emulator, and it seems it's broken as well
15:48:44 <ma1> and they need to enumerate ids to create a fingerprint
15:49:36 <ma1> PieroV, I'm sure I've checked, but lemme check on the fly again
15:50:09 <PieroV> Wait, I cleared the storage
15:50:21 <PieroV> At a certain point I had a fake 14.0x stable
15:50:36 <PieroV> And after clearing the storage it worked
15:51:10 <PieroV> I guess finding why it broke between the two ESRs will be too hard/not worth ^_^;
15:51:53 <ma1> So, my 13.5.4 has no "find more" button but if I go to AMO manually I can install
15:52:21 <PieroV> Same
15:52:24 <ma1> When I flipped the pref on a 14 alpha, I got back bot the "find more" button and the install power
15:52:35 <ma1> s/bot/both :D
15:53:16 <ma1> So my proposal:
15:53:41 <ma1> since we don't provide users with UI for disabling automatic updates on Android, I think it would be acceptable to flip the pref only there. WDYT?
15:54:13 <ma1> (the update ping provides arguably more information, and on a regular basis)
15:54:35 <morganava> the browser update ping you mean?
15:54:42 <ma1> addons update ping
15:55:00 <PieroV> I think it could be a solution short-term, but we could try to fix for 14.0 or try to solve it soon after the release and then backport
15:55:08 <ma1> https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=2&id={73a6fe31-595d-460b-a920-fcc0f8843232}&version=11.4.40&maxAppVersion=*&status=userEnabled&appID={ec8030f7-c20a-464f-9b0e-13a3a9e97384}&appVersion=115.15.0&appOS=Linux&appABI=x86_64-gcc3&locale=en-US&currentAppVersion=115.15.0&updateType=112&compatMode=normal
15:55:09 <morganava> yeah I agree^
15:55:46 <ma1> +1
15:56:18 <morganava> can you drop all this info in a new 14.5 + 14.0 + Backport labeled issue, and we'll resolve the current one with this short-term fix
15:56:27 <ma1> sure
15:56:55 <PieroV> BTW, thorin outsmarted us again
15:56:58 <PieroV> https://bugzilla.mozilla.org/show_bug.cgi?id=1847172
15:57:12 <PieroV> It was right here: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42054#note_2949858
15:57:24 <hiro> o/
15:57:38 <ma1> ouch!
15:57:59 <morganava> damn
15:58:10 <morganava> hi hiro o/
15:58:16 <morganava> what news from the front?
15:58:29 <PieroV> Or, the meta ticket: https://bugzilla.mozilla.org/show_bug.cgi?id=1822640
15:59:32 <hiro> just putting a little bit of pressure on you browser people morganava :)
15:59:47 <morganava> lol i think we have enough
15:59:49 <morganava> ok
15:59:59 <morganava> have a good week folks let's continue whatever else... OFFLINE
16:00:01 <morganava> #endmeeting