13:38:42 <r2r0> #startmeeting
13:38:42 <MeetBot> Meeting started Wed Apr 22 13:38:42 2015 UTC.  The chair is r2r0. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:38:42 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
13:38:48 <r2r0> that was quick
13:38:56 <evilaliv3> 2) legacy scenario for users that do not want clientside encryption and prefer to rely on encryption operated by the backend; this would be the same situation for already instantiated nodes
13:38:58 <r2r0> I sent the request to the meetbot team only 10 minutes ago
13:40:33 <evilaliv3> the D2.3 is still to be discussed, and is not so much defined. as general score it will deal with features in order to better export/import keys and provide user rich capabilities in order to move from a browser to another
13:40:53 <r2r0> I would also explore more and document the migration process
13:41:04 <r2r0> for going from legacy to end to end encrypted
13:41:07 <evilaliv3> it will be basically an enrichment of D2.1 and D2.2 to a more secure threat model
13:41:14 <evilaliv3> great r2r0
13:41:14 <r2r0> knowing what happens at every stage of the transition
13:41:31 <evilaliv3> by the way both models should need to exist; remember that
13:41:38 <r2r0> (ex. that you will still have legacy encrypted tips until all receivers have logged in and even once they log it still for the data retention period)
13:42:05 <r2r0> I bet if we think a bit about this we will figure out a lot of gotchas that are important to make clear to our users
13:42:13 <evilaliv3> so what i would like to ask you is to first concentrate on the point 2 of the 4 I wrote
13:42:43 <evilaliv3> and with me to work on the 1)
13:43:12 <r2r0> well 2 is just a matter of keeping also part of the code base and enabling it or disabling it depending on global node based settings
13:43:15 <r2r0> correct?
13:43:27 <evilaliv3> for all the other, that are more related to testing, integration, and finalization given the fact that i'm more able to follow it all due to my time availability i will try to take the lead
13:43:58 <evilaliv3> this is more 3 than 2 r2r0
13:44:34 <evilaliv3> 2) is simply finalizing end-to-end encryption thinking that no legacy is involved
13:45:01 <evilaliv3> work on webworkers, deal with optimization and bla bla
13:45:22 <evilaliv3> it's the core of D2.1(for you) and D2.2(for elv)
13:46:04 <evilaliv3> obviously i'm keeping in mind your current availability so i will support you on D2.1 in order to reach this score
13:46:53 <evilaliv3> i mentioned also D8 cause my tentative schedule includes the fixes and finalization of some of D8 subdeliverables
13:47:30 <evilaliv3> for this i will simply have to continue the refinement of solutions already studied by vecna that need to be finalized and i will ask you some reviews
13:48:45 <evilaliv3> what do you think? is there something specific you would like to work on or suggestion on this tentative schedule ?
13:56:47 <evilaliv3> MeetBot: r2r0 and elv are taking a coffee, here in italy it is coffee time. please be patient :)
13:56:47 <MeetBot> evilaliv3: Error: "r2r0" is not a valid command.
13:56:59 <elv> lol
14:03:00 <r2r0> lol
14:03:04 <r2r0> yeah I was distracted
14:03:13 <r2r0> multitasking...
14:03:41 <evilaliv3> :)
14:04:07 <r2r0> evilaliv3: ah yeah you are right, I was using the second numbering scheme :P
14:04:18 <r2r0> identifiers of things should be globally unique :P
14:05:11 <r2r0> evilaliv3: anyways I agree with all that has been said and have nothing to add
14:06:39 <evilaliv3> that said, for today i'm investigating a few issues that have been reported or that i've found
14:06:58 <evilaliv3> i'm interested by today in solving:
14:07:00 <evilaliv3> https://github.com/globaleaks/GlobaLeaks/issues/1233
14:07:01 <elv> seems working
14:07:29 <evilaliv3> that is interesting for some integrations planned for various adopters and in order to provide support for the experiment for the IJF
14:08:00 <r2r0> I don't think I will be able to do much on globaleaks today
14:08:07 <evilaliv3> and some user reported that they lost some messages sent by whistleblowers
14:08:08 <r2r0> I am working on finding a big data solution for OONI
14:08:15 <evilaliv3> so i've to validate a little the migration script
14:08:32 <evilaliv3> k r2r0
14:08:37 <r2r0> the data pipeline is currently out of disk space and I am investigating scaling/migration options
14:09:20 <evilaliv3> for this period i'm more interested in your support on solution suggestions and hint on problem solving than on coding
14:10:10 <evilaliv3> so fine for this. if you are able to join this small meetings and eventually simply follow us with some code review that would be great
14:20:46 <elv> ok
14:20:56 <elv> so the plan for the next "major" release is
14:21:03 <elv> D2.{1,2} and D8
14:23:41 <elv> we should also talk about the naming, the release policy, and js/translation freeze on release tagging
14:25:12 <elv> evilaliv3: and today I'm taking a look at protractor
14:25:16 <r2r0> evilaliv3: will do. As you perhaps have seen I have been monitoring the issue tracker lately and usually comment there if I have something to say.
14:25:33 <elv> and was going to ask you to investigate the empty receivers list
14:25:47 <elv> WB submission works now
14:25:51 <elv> and is received correctly
14:26:03 <elv> but the receiver list is empty and the private messages are not working
14:26:29 <evilaliv3> receiver list on what API ?
14:27:07 <evilaliv3> receivers if i'm not remembering wrong on /receivers API are shown only if they are associated to a context
14:27:29 <evilaliv3> this is a thing i've changed on devel branch, but should still be the case on your branch
14:28:02 <evilaliv3> or you mean the receiver list in the Tip page? please be more precise while reporting
14:28:23 <evilaliv3> r2r0: do you foresee any possible solution for https://github.com/globaleaks/GlobaLeaks/issues/1233
14:28:26 <evilaliv3> ?
14:28:58 <elv> the receiver list in the WB interface
14:29:23 <evilaliv3> the API returns an empty list or is the bug in the interface showing this?
14:30:30 <evilaliv3> r2r0: i confirm that #1233 is related to third party cookies
14:31:35 <elv> the API returns an empty list
14:31:36 <evilaliv3> this seems to be an important problem for the idea of integration we had for various adopters (OCCRP) for the integration of the same platform in existing websites
14:39:06 <elv> evilaliv3: could that be the old receiver list problem?
14:39:12 <r2r0> evilaliv3: perhaps not using cookies
14:39:30 <r2r0> possible places to look at:
14:39:47 <r2r0> * Storing session information in localstorage (may have same restrictions as third party cookies)
14:39:55 <r2r0> * Storing session information inside of the URI
14:40:29 <r2r0> * Using flash :^)
14:40:34 <evilaliv3> r2r0: i'm thinking something similar
14:40:38 <evilaliv3> let me clarify
14:40:44 <r2r0> flash?
14:40:49 <evilaliv3> flurry
14:40:51 <r2r0> let's rewrite globaleaks in flash
14:40:54 <r2r0> :D
14:41:00 <r2r0> with nice neon animations
14:41:08 <evilaliv3> i'm doing it by night
14:41:16 <evilaliv3> anyway
14:41:28 <evilaliv3> we are not using cookies for sessions
14:41:42 <evilaliv3> so that we can disable cookie usage in relation to that
14:41:57 <evilaliv3> we are using cookies for the anti-csrf technique implemented
14:42:28 <evilaliv3> we should evaluate how to pass from an implementation based on 1 cookie + 1 header
14:42:41 <evilaliv3> to an implementation based on 2 headers
14:42:56 <evilaliv3> this would not be difficult on backend side
14:43:01 <evilaliv3> the problem is on clientside
14:43:34 <evilaliv3> each request to the backend would set a Header that clientside should be intercepted and used accordingly
14:44:00 <evilaliv3> if i'm not wrong this would apply only to Ajax requests
14:44:19 <evilaliv3> so it would not be a problem
14:44:26 <evilaliv3> cause i'm thinking that also now
14:45:16 <evilaliv3> [damn enter]  also now we are intercepting and injecting the xsrf token only in ajax requests
14:45:27 <evilaliv3> sound good to you?
14:45:36 <evilaliv3> this would solve two issues:
14:46:41 <evilaliv3> 1) we would be able to say: we are not using cookies both to privacy+security reasons (reducing possible attack surfaces on that)
14:47:19 <evilaliv3> 2) we would be able to run whenever cookies are disabled, and for example to be integrated in third party website whenever globaleaks allows that (e.g. for the OCCRP use case)
14:48:32 <evilaliv3> r2r0 ?
14:57:57 <r2r0> yes that sounds like a good approach
14:58:06 <r2r0> I am not sure how to change the request headers in non XHR requests
14:59:23 <evilaliv3> i neither
14:59:32 <evilaliv3> but what i'm thinking is that we do not have to
15:00:01 <evilaliv3> if you think to current implementation we are simply using anti-csrf to XHR requests
15:00:37 <evilaliv3> cause we inject the cookie automatically (due to how cookies work) but the header is injected manually and only in XHR
15:01:32 <evilaliv3> i've been always sceptical of this implementation, but given that it works for sure changing from a cookie-based one to a header-based one would be easy
15:01:35 <evilaliv3> you see?
15:03:49 <elv> uhm.
15:11:05 <evilaliv3> elv: prot
15:17:04 <elv> lol
15:19:15 <elv> okay..
16:55:12 <elv> r2r0: http://www.w3.org/TR/2013/WD-WebCryptoAPI-20130625/#dfn-WorkerCrypto
16:55:14 <elv> evilaliv3: http://www.w3.org/TR/2013/WD-WebCryptoAPI-20130625/#dfn-WorkerCrypto
16:55:29 <elv> openpgpjs does not work inside a web worker
16:55:43 <elv> it has webworker support for encryption/decryption but not for key generation
17:04:16 <GL-Github-Bot> [GlobaLeaks] evilaliv3 pushed 2 new commits to devel: https://github.com/globaleaks/GlobaLeaks/compare/77cf0dfb2a20...dd1b46595c64
17:04:16 <GL-Github-Bot> GlobaLeaks/devel da57fd8 evilaliv3: Remove outdated code no more used
17:04:16 <GL-Github-Bot> GlobaLeaks/devel dd1b465 evilaliv3: Aligned unit tests to the change on anomaly thresholds
20:41:09 <GL-Github-Bot> [GlobaLeaks] evilaliv3 pushed 1 new commit to devel: https://github.com/globaleaks/GlobaLeaks/commit/89d1c7f9efdb8068cd4efa062c69e7474972fd3e
20:41:09 <GL-Github-Bot> GlobaLeaks/devel 89d1c7f evilaliv3: Correct UTs in relation to fields resetting
10:22:32 <DrWhax> evilaliv3: hullo
10:23:44 <DrWhax> I upgraded tor2web at wildleaks and now something broke but it's not obvious what broke
10:24:17 <DrWhax> and yes, it has apparmor now
10:27:57 <DrWhax> ohh I see, it's globaleaks problem
10:27:58 <DrWhax> kewl
10:28:48 <DrWhax> * Starting GlobaLeaks daemon globaleaks
10:28:49 <DrWhax> * Enabling GlobaLeaks Network Sandboxing...
10:28:49 <DrWhax> ...fail!
10:28:56 <DrWhax> 2015-04-21 13:59:29+0000 [-] Received SIGTERM, shutting down.
10:28:57 <DrWhax> 2015-04-21 13:59:29+0000 [-] (TCP Port 8082 Closed)
10:28:57 <DrWhax> 2015-04-21 13:59:29+0000 [-] Stopping factory <cyclone.web.Application instance at 0x452e830>
10:29:00 <DrWhax> 2015-04-21 13:59:29+0000 [-] Main loop terminated.
10:29:01 <DrWhax> 2015-04-21 13:59:29+0000 [-] Server Shut Down.
10:29:02 <DrWhax> that's all I get :-/
10:29:05 <DrWhax> 2015-04-21 13:59:29+0000 [-] Exiting GlobaLeaks
10:34:22 <DrWhax> wooooooo I think I know XD
10:34:43 <r2r0> naif: ping
10:39:22 <naif> elv: that's probably because openpgp.js switched entirely to webcrypto for keygen so assume that it does not need webworkers?
10:39:47 <naif> elv: as we can leverage webcrypto on receiver side but not on whistleblower side
10:40:56 <evilaliv3> DrWhax: solved?
10:41:19 <evilaliv3> r2r0: https://github.com/globaleaks/GlobaLeaks/issues/1245
10:41:35 <evilaliv3> i'm working on removing angular-ui-sortable, that has various limits
10:41:56 <evilaliv3> one is the impossibility to solve 1245 that is causing various UI issues
10:42:19 <evilaliv3> one other is the fact that it uses jquery that is not needed anymore
10:42:42 <evilaliv3> we should use a good library, minimal specific to angularjs that offers us two features:
10:42:48 <evilaliv3> 1) sortable
10:42:57 <evilaliv3> 2) drag + drop
10:43:42 <evilaliv3> it's not a big deal to use your angular-native-dragdrop for dragdrop
10:43:50 <evilaliv3> but it would be bad to have only one
10:44:45 <evilaliv3> i was looking at two possible:
10:44:46 <evilaliv3> https://github.com/bachvtuan/html5-sortable-angularjs
10:45:22 <evilaliv3> one is this that works but seems to be in a really early stage and i do not trust the crossbrowser compatibility offered
10:45:37 <evilaliv3> one is this other: https://github.com/a5hik/ng-sortable
10:46:41 <evilaliv3> both offer the concept of item-handle, that enable to restrict the handle for the sortable/dragging to a tag/selection of all the item
10:48:04 <evilaliv3> handle: '> .myHandle',
10:48:17 <evilaliv3> ok it seems that you already used this in past
10:48:28 <evilaliv3> so ok for the moment the issue is solved by using this
10:53:51 <r2r0> yeah I seem to recall something like that
10:55:27 <evilaliv3> ok it works, very badly documented all these libraries.
10:59:10 <GL-Github-Bot> [GlobaLeaks] evilaliv3 pushed 1 new commit to devel: https://github.com/globaleaks/GlobaLeaks/commit/43fe59ab043f06c728ef60534efb49444b00d63d
10:59:10 <GL-Github-Bot> GlobaLeaks/devel 43fe59a evilaliv3: Address issue #1245
11:16:15 <DrWhax> evilaliv3: solved indeed XD
11:16:19 <DrWhax> sorry!
11:48:05 <evilaliv3> np
12:08:48 <GL-Github-Bot> [GlobaLeaks] evilaliv3 pushed 1 new commit to devel: https://github.com/globaleaks/GlobaLeaks/commit/37292e57ab47111ad0abf1dbefbb4197ce369188
12:08:48 <GL-Github-Bot> GlobaLeaks/devel 37292e5 evilaliv3: Apply same solution of #1245 to field configuration UI
13:03:05 <evilaliv3> hi all beautiful people :)
13:03:26 <evilaliv3> r2r0: where can i read the documentation about how meetbot works ?
13:03:43 <evilaliv3> in the meantime i've opened the pad for today: http://piratepad.net/7h4d3q4cZV
13:04:13 <evilaliv3> we can use it for the scrum meeting, of who is working today (so probably only me and evl)
13:05:25 <evilaliv3> i will take care of saving the contents of the pads during these days in the meantime that we agree on the proper tools in order to minimize the manual saving of these things
13:08:43 <elv> hei evilaliv3 ;)
13:10:33 <evilaliv3> hi elv
13:10:50 <evilaliv3> i've filled the pad
13:11:02 <evilaliv3> can you proceed doing the same i did?
13:11:24 <evilaliv3> let's try to focus simply on the three basic questions of the scrum
13:11:27 <evilaliv3> What did you do yesterday?
13:11:27 <evilaliv3> What will you do today?
13:11:28 <evilaliv3> Are there any impediments in your way?
13:12:01 <evilaliv3> not that we are going to apply it properly but simple as it is it should work on working on ourselves and get things done
13:12:30 <evilaliv3> where you still do not have tickets open remember to open that and provide details and links
13:13:19 <evilaliv3> concerning what i think to do today i've put something related to what we discussed yesterday. let me know if my help is still needed here or if you moved forward on the problem
13:13:47 <r2r0> evilaliv3: http://lmgtfy.com/?q=meetbot
13:14:05 <MeetBot> r2r0: Error: Can't start another meeting, one is in progress.
13:14:14 <r2r0> hum
13:14:19 <r2r0> when did you start it?
13:14:26 <r2r0> or did we not close the one of yesterday?
13:14:31 <elv> 1) experiments with webworkers and deterministic key generation
13:14:34 <r2r0> #endmeeting