18:29:27 <sysrqb> #startmeeting Tor Browser Team Meeting 2 March 2020
18:29:27 <MeetBot> Meeting started Mon Mar  2 18:29:27 2020 UTC.  The chair is sysrqb. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:29:27 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
18:29:34 <sysrqb> Hello everyone!
18:29:44 <sysrqb> Happy March (!?)
18:29:44 <boklm> hi
18:30:03 <pospeselr> o/
18:30:07 <pili> hi
18:30:11 <acat> hi
18:30:32 <mcs> hi
18:31:14 <brade> hi
18:31:38 <antonela> hello
18:31:50 <tjr> o/
18:32:06 <sisbell> hi
18:32:54 <pospeselr> \o/
18:33:49 <Jeremy_Rand_Talos> hello!
18:34:09 * antonela https://pad.riseup.net/p/TorBrowserTeamMeetingNotes-keep
18:37:07 <sysrqb> Okay, let's get started
18:38:18 <sysrqb> this is the last week for writing peer feedback
18:38:28 <sysrqb> (due March 6, 2020)
18:39:54 <sysrqb> pospeselr: #13410
18:40:01 <pospeselr> howdy
18:40:17 <pospeselr> this bug fix has turned into a feature
18:40:18 <sysrqb> silly question, what do you mean by 1.1 - 1.6?
18:40:26 <sysrqb> ha.
18:40:37 <pospeselr> sections of the SOOC spec
18:40:47 <sysrqb> ooooh
18:41:38 <brade> pili: is this bug required to be fixed for the contract or can we just document that we researched it and have plans for how to fix it
18:41:50 <pospeselr> https://github.com/alecmuffett/onion-dv-certificate-proposal/blob/master/text/draft-muffett-same-origin-onion-certificates.txt#L119
18:42:07 <pili> let me see
18:42:17 <pospeselr> ya i ask because i don't know what our timetable looks like here
18:43:05 <sysrqb> i would strongly prefer not burning 1-2 weeks on this
18:43:08 <pili> pospeselr: this project is supposed to end this month but we have an extension for the DoS trip
18:43:23 <pili> I need to double check how that affects reporting deadlines
18:43:35 <pili> I believe the final report is due a month after the end of the project
18:43:58 <brade> sysrqb: I agree but I'd rather not review, land and then back out patches either
18:44:07 <pili> I'm worried that if we drop it halfway we will never pick it up again
18:45:11 <pospeselr> same
18:45:25 <pili> do we think there's going to be a lot more work involved in this other than reviewing ?
18:46:19 <brade> pili: can you explain?
18:46:37 <sysrqb> brade: yeah, that's a good point.
18:46:48 <brade> pili: I don't see the point in landing something we don't want to keep unless we need to contractually
18:47:41 <sysrqb> pospeselr: patch is very small, but if this isn't a solution we want long-term, then we should think about what we really want
18:47:59 <antonela> why don't we want sooc?
18:48:03 * antonela do we want sooc?
18:48:08 <sysrqb> *pospeselr's patch
18:48:22 <pili> I wasn't aware we didn't want it :)
18:48:22 <sysrqb> antonela: we do, maybe. but it's a larger task
18:48:34 <pospeselr> so yeah the patch that 'works' is very small and basically only implements 1.2, but as is opens up various potential security holes that I don't fully understand
18:48:39 <antonela> sysrqb: right, it is, i wonder what is a better time to work on it than now
18:48:41 <pili> ok
18:48:43 <pospeselr> (hence all the other constraints)
18:48:44 <pili> hmm
18:48:45 <sysrqb> i think none of us have thought about it or looked at the cost of implementing it
18:49:27 <pospeselr> yeah i didn't know about SOOC or that we would end up so deep in cert/security code
18:49:32 <sysrqb> maybe alec finished drafting his spec, but it wasn't finished the last time i looked
18:49:35 <pospeselr> going in i thought this was just going to be a UX patch
18:50:07 <pili> brade: I need to double check the contract but I don't think anyone wants us to waste time implementing things that are not necessary/useful :)
18:50:18 <pospeselr> sysrqb: he has not finished it (ie is still full of todos), though everything is there for an implementer to follow
18:50:39 <pospeselr> and he didn't seem particularly interested in finishing it any time soon
18:51:00 <sysrqb> yeah, that's fine. he's not a full-time tor browser developer
18:51:04 <sysrqb> okay
18:51:07 <pospeselr> yeah :)
18:51:23 <pospeselr> everything an implementer needs is there I mean*
18:51:35 <brade> I think it would be good if pospeselr would document his current understanding of what needs to be done
18:51:46 <sysrqb> ^ i agree
18:52:19 <pospeselr> ok I can do that
18:52:21 <sysrqb> pospeselr: can you braindump on that ticket (or in an email to tor-dev@)?
18:52:29 <pili> "In particular we plan to: Improve Tor Browser behavior when an onion site supports HTTPS but the HTTPS is not from an approved certificated. "
18:52:31 <sysrqb> whichever makes more sense
18:53:04 <sysrqb> pili: okay
18:53:06 <pili> that's from the proposal and lists ticket #13410
18:54:25 <sysrqb> i don't think we should include a patch that could lead to reducing the security of our users
18:54:32 <brade> agreed
18:54:38 <sysrqb> regardless of what our proposal said
18:55:04 <sysrqb> so, i am happy with pospeselr documenting what he learned from the last week
18:55:39 <sysrqb> and we can either explain the situation to the funder or we can find another way of fulfilling that goal
18:56:16 <sysrqb> (with preference for explaining why we won't achieve that goal, but how we plan on solving it in the future)
18:56:44 <pili> ok
18:56:47 <pili> sounds good to me :)
18:57:48 <sysrqb> maybe there is a smaller piece of this we can implement now, as a way of showing we really do want to solve this
18:57:53 <sysrqb> and the funding did not go to waste
18:58:19 <sysrqb> but i need to look closer at SOOC and pospeselr patch before i have any idea what that may be
18:58:35 <pospeselr> the full discussion doc is here: https://docs.google.com/document/d/1xE5eaDMiOKphDxijK9tfIWHUB-h-fTG8tb3laofXLSc/edit#
18:58:45 <pospeselr> though i haven't had a chance to read through all of it
18:58:51 <sysrqb> thanks!
19:00:05 <sysrqb> okay. sisbell
19:00:11 <sysrqb> what's the situation with JNI support?
19:00:26 <sysrqb> is that needed for something?
19:00:44 <sysrqb> i thought statically compiling tor was working
19:00:50 <sisbell> This deals with moving toward not needing to invoke tor as a process on Android
19:00:59 <sysrqb> right
19:01:29 <sysrqb> but i thought this wasn't a priority because you got the tor process working for now, right?
19:01:30 <sisbell> So its a side issue to getting tor working, not a requirement
19:02:05 <sisbell> I can't take some other priorities,
19:02:18 <sysrqb> okay. i would prefer not getting distracted by this right now
19:02:23 <sysrqb> if possible
19:02:35 <sisbell> Sure, what would be the priority then?
19:02:38 <sisbell> Fenix?
19:03:00 <sysrqb> yes, fenix and android-components
19:03:17 <sisbell> Cool, that's an interesting one
19:03:41 <sysrqb> i'll want your help eventually with moving tor browser patches from our fennec implementation to fenix
19:03:52 <sysrqb> and working with antonela on new UI/UX
19:04:00 <sysrqb> we're not there yet
19:04:00 <sisbell> I can start by getting a new toolchain for android into a tbb branch
19:04:18 <sysrqb> that would be great
19:04:35 <sysrqb> (after the tor build stuff is done)
19:05:34 <sisbell> I think tor is close, mostly I'm just waiting on the builds at this point, testing tweaks
19:05:47 <sysrqb> great
19:05:56 <sysrqb> i'll review those this week, too
19:06:39 <sisbell> boklm got a number merged already so I think it's 3 more issues to address
19:06:40 <sysrqb> okay, everything else looks good
19:06:54 <sysrqb> great
19:07:54 <sysrqb> i think that is everything for this meeting
19:08:12 <sysrqb> anything we should discuss before i close this?
19:08:22 <antonela> < is groot
19:08:32 <mcs> assign reviewers for boklm’s tickets?
19:08:35 <mcs> e.g., #33403
19:08:50 <sysrqb> ah, right, i was planning on taking thos
19:08:52 <sysrqb> e
19:08:53 <mcs> and #33402
19:09:02 <mcs> sounds good. small patches maybe?
19:09:06 <sysrqb> yeah
19:09:12 <boklm> yes, small patches
19:09:14 <mcs> OK. I have nothing else :)
19:09:16 <boklm> thanks
19:09:18 <sysrqb> :)
19:09:50 <sysrqb> okay, thanks everyone! have a good week, and happy hacking :)
19:09:56 <sysrqb> #endmeeting