17:59:23 #startmeeting Tor Browser Team Meeting 23 March 2020
17:59:23 Meeting started Mon Mar 23 17:59:23 2020 UTC. The chair is sysrqb. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:59:23 Useful Commands: #action #agreed #help #info #idea #link #topic.
17:59:25 o/
17:59:29 o/
17:59:38 hi!
17:59:39 hi
17:59:46 hi
17:59:47 * antonela fills the tea cup
17:59:48 whoops. I wanted to delete most of that line.
17:59:53 hello, hello
18:00:22 hi
18:00:32 o/
18:01:42 hi
18:06:03 okay, let's see
18:06:05 what we have
18:07:40 i don't see any bolded items
18:07:55 so i guess we'll jump directly into Discussions
18:08:29 related to the first item
18:08:48 we now have partial funding for migrating onto firefox rapid release
18:08:53 which is a relief
18:09:02 that is now sponsor 58
18:09:34 and, with that, please tag any Fenix related tickets with sponsor58
18:09:58 and any tickets related to migrating our core patches to rapid release as sponsor58
18:10:08 we don't have any funding for the desktop-specific work
18:10:52 so anything related to desktop UI, or automatic updater, etc. are not covered by s58
18:11:50 i don't think we have any tickets like this, yet. but we may create them as this project progresses
18:12:03 make sense?
18:12:31 👍
18:12:48 we could tag them as sponsor58-can
18:13:07 i think pili is outlining everything covered by s58 on the Sponsor58 wiki page
18:13:16 because it would still be nice to track what the full scope of the project would have been
18:13:17 but that's optional ;)
18:13:18 yup
18:13:18 so that should help when deciding if something is covered or not
18:13:30 and, if you are in doubt, ask :)
18:13:57 yeah, tagging it as -can is a good idea
18:14:13 there is still a chance we may get funding from a different funder for the desktop-specific work
18:14:29 but i'm not expecting that will happen, at this point
18:14:56 (we don't have one in the pipeline right now, so it seems unlikely)
18:15:44 okay, item 2 is about pili's email regarding scheduling a retrospective
18:15:55 if you got the email, and you didn't fill out the doodle, please do that
18:16:09 I think we had planned it for the end of this month/beginning of next
18:16:09 item 3. pili, you're up :)
18:16:14 yup
18:16:19 yes, that was the original plan
18:16:21 we are having a docshackathon this week
18:16:24 (thanks)
18:16:32 run by the community team
18:17:17 and it occurred to me that some of you may know of documentation that is missing from the Tor Browser manual
18:17:18 if so, please let me know and I'll create a ticket and tag it "docshackathon"
18:17:19 or feel free to do it yourselves :)
18:17:38 neat
18:18:05 does this docshackathon only cover the tor browser manual?
18:18:18 or can we include other missing/out-dated docs?
18:18:34 maybe on support.tpo or another site?
18:19:01 sysrqb: hey, we're covering all the websites that we have user documentation
18:19:04 i don't have any specific in mind right now
18:19:09 ggus: hey :)
18:19:13 support.tpo, community.tpo, tb-manual.tpo :)
18:19:15 ggus: okay, great
18:19:20 thanks!
18:20:05 any questions about this?
18:21:00 * sysrqb assumes not
18:21:15 i added one final item about release management
18:21:26 in tbb, Help > About Tor Browser we have some links that i'd like to change. should i open tickets for this in trac?
18:21:38 ggus: yes please!
18:21:46 eg, the link to relay is pointing to 2019.www...
18:21:48 ok!
18:22:06 yep
18:22:25 pili, is it desired to have me at the retrospective? (I don't see any emails about it, but the mail server I use is having trouble lately, so not sure if that's because I'm not expected to attend or if an email got dropped...)
18:22:50 (I won't be annoyed if I'm not supposed to attend, just wasn't sure)
18:23:16 hey Jeremy_Rand_Talos I was thinking it would be just the Tor Browser team for this one :)
18:23:27 pili, ok, sounds good. :)
18:23:29 I only sent it to employees
18:23:30 Jeremy_Rand_Talos: i think we'll limit this to people working on Tor Project sponsored work for now
18:23:32 ggus: you could add some more to #33671 if the fixes are simple
18:23:46 yup, sysrqb put it much better than me :D
18:23:58 Thanks sysrqb
18:24:10 ggus: never mind; you said About Tor Browser not about:tor
18:24:33 so new ticket probably
18:25:12 Release Management: i'd like to review our release process a few times each year, maybe quarterly
18:25:27 primarily to make sure everyone is happy with their roles
18:25:57 and rotate if that is good for team health
18:26:16 this isn't a discussion we need to have right now
18:26:57 but i think we can distribute the load better/differently
18:27:30 sounds like a good discussion to have. and improving the process to reduce pain is an ongoing effort I suppose
18:27:39 yes
18:28:18 let's take a few minutes now and discuss it
18:28:37 i don't want to assume this meeting will always take 1 hour
18:28:51 but we have "some time"
18:29:11 currently boklm and pospeselr are building the releases
18:29:40 I am doing most of the signing, and boklm is running the gpg signing piece
18:30:08 I can help out if ppl are overloaded
18:30:11 then i'm uploading the packages to the webservers, and boklm or I write the blog post
18:30:32 in the past, we did separate the signing and publish steps more (usually GeKo was doing the signing, and I was doing the publishing)
18:30:34 the signing pieces and webserver prices are restricted to boklm or myself
18:31:09 s/prices/pieces/
18:31:11 building is not terribly distracting for me
18:31:28 what is the effort involved in building releases for people? :)
18:31:46 oh, and boklm or i tag the various git repos
18:31:49 if we're talking in terms of points? (1 point = 1 day = 8hrs)
18:32:06 though historically there's been blocks of time needed for attention when build tooling changes (looking at you runc)
18:32:09 because we should build this into our capacity planning
18:32:36 and to me it feels like it can be quite labour intensive when we're trying to get a release out
18:32:45 pili: building and signing when everything works is a fraction of a point for me
18:33:14 over an entire release, it takes roughly 1 pt for me, right now
18:33:17 pospeselr: right, I wonder about the cost of context switching and checking if/when the build/signing process has worked?
18:33:19 so if there's more there I can do I have some points available
18:33:24 but we can reduce that
18:33:28 but I don't know the exact process everyone follows :)
18:33:47 * acat can also help if needed (e.g. building or something else)
18:33:47 let's start at the beginning
18:34:27 i'm fine with keeping the preparations and git tagging/signing taks
18:34:31 tasks
18:35:05 boklm: pospeselr: do you want to keep the building or would either of you like to hand that off to someone else?
18:35:15 I can continue building
18:35:47 I can keep building
18:36:28 okay. thanks
18:37:14 boklm: would you prefer taking the publishing tasks again?
18:37:35 i wanted to do them, for a few releases, so i understood what they involved
18:38:02 someone else can create the blog posts, too
18:38:46 i can help with the blogpost, but boklm has been doing an awesome job
18:39:08 yes, I could do the publishing task again, and you can also do it some of the time if you want
18:40:29 do you want to create the blogpost, as well?
18:40:42 someone else on the team can help with that, too
18:40:49 antonela can help with the blog post
18:41:19 yep i can :)
18:41:34 great
18:42:01 i'd be willing to help as well if you need more eyes :)
18:42:29 * antonela noted pospeselr as a reviewer :)
18:42:45 maybe we can check for each release who will do each task?
18:42:45 i think anyone can help, as long as you have a blog account
18:43:10 boklm: yes, i'll add a note about that
18:43:30 we can discuss during the weekly meeting before we start building
18:43:45 do we have a single point of failure for any task? signing?
18:44:06 yes, currently for signing, i am the only person who can sign macOS packages
18:44:10 (contingency planning is on my mind lately)
18:44:18 OK. don’t get sick please :)
18:44:25 what's the limiting factor for macOS packages?
18:44:34 i'm mostly a spof for android signing, although GeKo technically has that ability, too
18:44:42 pospeselr: sigh. :)
18:44:50 so.
18:45:26 beginning last year, macOS packages must be signed+timestamped+notarized+stapled
18:45:43 previously, packages were only signed, and this could be accomplished offline
18:45:48 without need for an internet conection
18:45:53 *connection
18:46:20 now signing+timestamping are coupled and the computer must have an internet connection when signing takes place
18:46:52 our signing infrastructure is offline, so the mac computer we previously used for macOS signing does not currently work
18:47:20 i have a macOS computer which i am currently using for signing
18:47:39 this was a stop-gap measure GeKo used, and he handed it off to me :)
18:48:15 on this topic, I've made progress in getting our "offline" signing machine working for our needs
18:48:57 and, maybe, within the next week or two we can use that for signing, instead of the computer I have
18:49:05 what is missing still?
18:49:14 when that happens, boklm and GeKo would both have access to it for remote signing
18:49:43 GeKo: i believe the last piece is fully unlocking the keychain
18:50:18 the gui prompt for the keychain passphrase when you run codesign is different than `security unlock-keychain`
18:50:45 that's true
18:51:02 so you need the right incantation for unlocking it?
18:51:07 yes
18:51:08 or
18:51:28 i think it will be in the history of the macos machine
18:51:36 if you look long enough back
18:51:43 if we temporarily enable vnc on the computer and sign the packages over vnc and using the gui prompt
18:51:51 nah
18:52:10 i didn't think you would like that option
18:52:16 :)
18:52:19 i looked in the history
18:52:24 but maybe there is another command i missed
18:52:32 i'll look and ask you if i don't see it
18:52:40 okay, yeah
18:52:53 ping me and we can figure this out
18:52:57 cool
18:53:03 i think i have notes about the commands somewhere, too
18:53:06 I don’t know the details of what you need to fix, but this might be relevant: https://stackoverflow.com/questions/39868578/
18:53:07 i think this is the last blocker
18:53:51 (that stack overflow Q+A is about importing keys but maybe the problem we need to solve is similar)
18:54:06 mcs: thanks i'll read through it
18:54:57 i found a different stackoverflow which sounded related, too
18:55:01 https://stackoverflow.com/questions/20205162/user-interaction-is-not-allowed-trying-to-sign-an-osx-app-using-codesign
18:55:12 hrm. no
18:55:17 https://stackoverflow.com/a/52115968
18:55:18 yes
18:55:33 but i didn't get it working after following that, either
18:56:05 but I'll look at this with GeKo
18:56:12 Apple has a way of making things difficult. Anyway, it sounds like you are working on these spof areas already.
18:56:20 and i'll update the ticket when we know more
18:56:56 #32173
18:57:15 yeah, we're slowly trying to reduce/eliminate single points of failure
18:57:49 oh, Google Play access and uploading new apks is another one
18:58:02 i need to give someone else access to that, too
18:58:25 okay, i think that covers this topic
18:58:27 If there is any android related tasks related to release, I can help out.
18:58:33 just ping me
18:58:48 sisbell: thanks
18:59:15 i'll close this meeting on that note
18:59:18 thanks everyone
18:59:24 #endmeeting