18:29:27 #startmeeting Tor Browser Team Meeting 2 March 2020
18:29:27 Meeting started Mon Mar 2 18:29:27 2020 UTC. The chair is sysrqb. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:29:27 Useful Commands: #action #agreed #help #info #idea #link #topic.
18:29:34 Hello everyone!
18:29:44 Happy March (!?)
18:29:44 hi
18:30:03 o/
18:30:07 hi
18:30:11 hi
18:30:32 hi
18:31:14 hi
18:31:38 hello
18:31:50 o/
18:32:06 hi
18:32:54 \o/
18:33:49 hello!
18:34:09 * antonela https://pad.riseup.net/p/TorBrowserTeamMeetingNotes-keep
18:37:07 Okay, let's get started
18:38:18 this is the last week for writing peer feedback
18:38:28 (due March 6, 2020)
18:39:54 pospeselr: #13410
18:40:01 howdy
18:40:17 this bug fix has turned into a feature
18:40:18 silly question, what do you mean by 1.1 - 1.6?
18:40:26 ha.
18:40:37 sections of the SOOC spec
18:40:47 ooooh
18:41:38 pili: is this bug required to be fixed for the contract or can we just document that we researched it and have plans for how to fix it
18:41:50 https://github.com/alecmuffett/onion-dv-certificate-proposal/blob/master/text/draft-muffett-same-origin-onion-certificates.txt#L119
18:42:07 let me see
18:42:17 ya i ask because i don't know what our timetable looks like here
18:43:05 i would strongly prefer not burning 1-2 weeks on this
18:43:08 pospeselr: this project is supposed to end this month but we have an extension for the DoS trip
18:43:23 I need to double check how that affects reporting deadlines
18:43:35 I believe the final report is due a month after the end of the project
18:43:58 sysrqb: I agree but I'd rather not review, land and then back out patches either
18:44:07 I'm worried that if we drop it halfway we will never pick it up again
18:45:11 same
18:45:25 do we think there's going to be a lot more work involved in this other than reviewing?
18:46:19 pili: can you explain?
18:46:37 brade: yeah, that's a good point.
18:46:48 pili: I don't see the point in landing something we don't want to keep unless we need to contractually
18:47:41 pospeselr: patch is very small, but if this isn't a solution we want long-term, then we should think about what we really want
18:47:59 why don't we want sooc?
18:48:03 * antonela do we want sooc?
18:48:08 *pospeselr's patch
18:48:22 I wasn't aware we didn't want it :)
18:48:22 antonela: we do, maybe. but it's a larger task
18:48:34 so yeah the patch that 'works' is very small and basically only implements 1.2, but as is opens up various potential security holes that I don't fully understand
18:48:39 sysrqb: right, it is, i wonder what is a better time to work on it than now
18:48:41 ok
18:48:43 (hence all the other constraints)
18:48:44 hmm
18:48:45 i think none of us have thought about it or looked at the cost of implementing it
18:49:27 yeah i didn't know about SOOC or that we would end up so deep in cert/security code
18:49:32 maybe alec finished drafting his spec, but it wasn't finished the last time i looked
18:49:35 going in i thought this was just going to be a UX patch
18:50:07 brade: I need to double check the contract but I don't think anyone wants us to waste time implementing things that are not necessary/useful :)
18:50:18 sysrqb: he has not finished it (ie is still full of todos), though everything is there for an implementer to follow
18:50:39 and he didn't seem particularly interested in finishing it any time soon
18:51:00 yeah, that's fine. he's not a full-time tor browser developer
18:51:04 okay
18:51:07 yeah :)
18:51:23 everything an implementer needs is there I mean*
18:51:35 I think it would be good if pospeselr would document his current understanding of what needs to be done
18:51:46 ^ i agree
18:52:19 ok I can do that
18:52:21 pospeselr: can you braindump on that ticket (or in an email to tor-dev@)?
18:52:29 "In particular we plan to: Improve Tor Browser behavior when an onion site supports HTTPS but the HTTPS is not from an approved certificated. "
18:52:31 whichever makes more sense
18:53:04 pili: okay
18:53:06 that's from the proposal and lists ticket #13410
18:54:25 i don't think we should include a patch that could lead to reducing the security of our users
18:54:32 agreed
18:54:38 regardless of what our proposal said
18:55:04 so, i am happy with pospeselr documenting what he learned from the last week
18:55:39 and we can either explain the situation to the funder or we can find another way of fulfilling that goal
18:56:16 (with preference for explaining why we won't achieve that goal, but how we plan on solving it in the future)
18:56:44 ok
18:56:47 sounds good to me :)
18:57:48 maybe there is a smaller piece of this we can implement now, as a way of showing we really do want to solve this
18:57:53 and the funding did not go to waste
18:58:19 but i need to look closer at SOOC and pospeselr patch before i have any idea what that may be
18:58:35 the full discussion doc is here: https://docs.google.com/document/d/1xE5eaDMiOKphDxijK9tfIWHUB-h-fTG8tb3laofXLSc/edit#
18:58:45 though i haven't had a chance to read through all of it
18:58:51 thanks!
19:00:05 okay. sisbell
19:00:11 what's the situation with JNI support?
19:00:26 is that needed for something?
19:00:44 i thought statically compiling tor was working
19:00:50 This deals with moving toward not needing to invoke tor as a process on Android
19:00:59 right
19:01:29 but i thought this wasn't a priority because you got the tor process working for now, right?
19:01:30 So it's a side issue to getting tor working, not a requirement
19:02:05 I can't take some other priorities,
19:02:18 okay. i would prefer not getting distracted by this right now
19:02:23 if possible
19:02:35 Sure, what would be the priority then?
19:02:38 Fenix?
19:03:00 yes, fenix and android-components
19:03:17 Cool, that's an interesting one
19:03:41 i'll want your help eventually with moving tor browser patches from our fennec implementation to fenix
19:03:52 and working with antonela on new UI/UX
19:04:00 we're not there yet
19:04:00 I can start by getting a new toolchain for android into a tbb branch
19:04:18 that would be great
19:04:35 (after the tor build stuff is done)
19:05:34 I think tor is close, mostly I'm just waiting on the builds at this point, testing tweaks
19:05:47 great
19:05:56 i'll review those this week, too
19:06:39 boklm got a number merged already so I think it's 3 more issues to address
19:06:40 okay, everything else looks good
19:06:54 great
19:07:54 i think that is everything for this meeting
19:08:12 anything we should discuss before i close this?
19:08:22 < is groot
19:08:32 assign reviewers for boklm’s tickets?
19:08:35 e.g., #33403
19:08:50 ah, right, i was planning on taking thos
19:08:52 e
19:08:53 and #33402
19:09:02 sounds good. small patches maybe?
19:09:06 yeah
19:09:12 yes, small patches
19:09:14 OK. I have nothing else :)
19:09:16 thanks
19:09:18 :)
19:09:50 okay, thanks everyone! have a good week, and happy hacking :)
19:09:56 #endmeeting