#globaleaks log

13:00:24 <evilaliv3> #startmeeting
13:00:24 <MeetBot> Meeting started Thu May 14 13:00:24 2015 UTC.  The chair is evilaliv3. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:00:24 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
13:00:29 <evilaliv3> halo!
13:00:41 <evilaliv3> i've opened the pad for the daily scrum meeting: http://piratepad.net/4tf6dnUdqw
13:06:15 <evilaliv3> okay so evl,
13:06:28 <elv> hellais: :D
13:06:32 <evilaliv3> i've a new task assignment that would be really imporant to address
13:06:35 <evilaliv3> https://github.com/globaleaks/GlobaLeaks/issues/969
13:06:43 <evilaliv3> https://github.com/globaleaks/GlobaLeaks/issues/137
13:06:57 <evilaliv3> it's already described as naif like to repeat
13:07:02 <elv> ghgh
13:07:08 <evilaliv3> but let'ts add some precise note
13:07:12 <hellais> elv: sup?:
13:07:19 <elv> evilaliv3: what about the other tickets we took node on our gdoc?
13:07:20 <evilaliv3> what i would like to ask you is:
13:07:24 <elv> hellais: ;)
13:07:33 <elv> note not node
13:07:41 <elv> naif: u there?
13:07:45 * hellais confused
13:07:46 <evilaliv3> verify what browser primitives are needed by scrypt and openpgp.js
13:08:05 <evilaliv3> (the minimium is dictated by openpgp)
13:08:32 <evilaliv3> take as reference: http://caniuse.com/#search=crypto
13:08:38 <elv> ok, question:
13:08:57 <elv> this is for the receiver/admin side
13:09:12 <evilaliv3> write a simple detector (you can use a simple html file separated from globaleaks, as we did when i gived to you the task assignment before engaging you on ghlobaleaks)
13:09:15 <elv> but for the whistleblower side, does it make sense to focus on torbrowser?
13:09:28 <evilaliv3> this is a routine that will be runned when the application start
13:09:41 <evilaliv3> and will verify the capabilities of the user browser
13:09:49 <elv> evilaliv3: ok a set of checks about browser capabilites
13:10:07 <elv> i have something on the old end2end branch i think
13:10:15 <elv> taken from the previous scrypt implementation
13:10:43 <evilaliv3> if the browser is not able to run globaleaks it would provide a user an funny page like: http://abetterbrowser.org/
13:10:57 <naif> a useful page
13:11:14 <evilaliv3> great, but i repeat proceed simply writing a good piece of code of ~20 lines that do the detection
13:11:17 <evilaliv3> :)
13:11:20 <naif> with nice icons, responsive and links to fix the problem (ie: download a modern browser)
13:11:44 <evilaliv3> you can use:
13:11:45 <naif> bw almost everything is already defined on the ticket
13:12:17 <evilaliv3> you can use only the following libraries:
13:12:20 <evilaliv3> https://github.com/ded/bowser
13:12:50 <evilaliv3> and that's it!
13:12:59 <evilaliv3> if it wont be enough you can add:
13:13:02 <evilaliv3> http://modernizr.com/
13:13:56 <elv> okay
13:14:20 <evilaliv3> withouth any angular, any jquery, nothing
13:14:25 <elv> yep no problem
13:14:32 <elv> consider it done for end2end rel
13:14:45 <evilaliv3> rel?
13:14:46 <elv> another question that i would like to raise
13:14:49 <elv> release
13:14:59 <evilaliv3> ok
13:15:03 <evilaliv3> before continuing
13:15:08 <evilaliv3> let me clarify a bit
13:15:17 <evilaliv3> why i'm asking you to use only this libraries?
13:15:34 <evilaliv3> cause we want this routine to be runned before angularjs is loaded
13:15:46 <evilaliv3> and this routine should be safe 100%
13:16:03 <evilaliv3> the messages provided should be shown without relying on any librariy
13:16:24 <evilaliv3> this way any browser failure can be detected befor it happen :)
13:16:31 <evilaliv3> and avoided :)
13:16:47 <evilaliv3> ok, what was your question ?
13:17:10 <elv> i would like to take a look to the tickets we considered for inclusion in the release
13:17:11 <naif> the ticket contain much more
13:17:12 <naif> https://github.com/globaleaks/GlobaLeaks/issues/137#issuecomment-100814120
13:17:43 <naif> with openpgp.js inclusion we also need to log client-access-failure somehow
13:17:54 <naif> because we will break many clients and we need to know how many
13:19:28 <evilaliv3> elv: consider that all the tickets related to pgp, scrypt and this detection should be closed be befor releasing end2end
13:19:52 <elv> ok, there are more things:
13:20:05 <evilaliv3> https://github.com/globaleaks/GlobaLeaks/milestones/2015%20May
13:20:07 <elv> Discuss new release naming/tagging - 3.0.0?
13:20:08 <elv> - https://github.com/globaleaks/GlobaLeaks/issues/776
13:20:11 <evilaliv3> you can take this as reference
13:20:22 <evilaliv3> elv: do not mind to the naming
13:20:40 <elv> Dependencies freeze on tag/release
13:20:43 <evilaliv3> using a 3.0.0 would be ok, but all will depends on the stability
13:20:49 <elv> pgp key clientside
13:20:52 <evilaliv3> before having a 3.0.0 we would need a pentest
13:21:02 <elv> openpgpjs as library (this is done)
13:21:03 <evilaliv3> so probably we will call it 2.70
13:21:06 <evilaliv3> we will iterate
13:21:09 <elv> donation badge <------
13:21:17 <elv> improve password strength checker in UI
13:21:18 <evilaliv3> and then we will push out a 3.0.0 at the end of the OTF grant
13:21:29 <evilaliv3> that is in 9 month from now
13:21:41 <evilaliv3> this would be a great target
13:21:44 <elv> k
13:22:06 <naif> donation badge does not sounds like a priority IMHO, if we need to do out-of-roadmap-stuff, there are the Adopters stuff waiting
13:22:30 <hellais> naif: I think electron (electron.atom.io) is superior to nodewebkit in various regards.
13:22:33 <evilaliv3> the dependency freeze depends on the features we still need to finish
13:22:50 <hellais> naif: we are using it to build the GUI for ooni: github.com/hellais/network-meter
13:22:51 <evilaliv3> e.g. if you would need modernizr now (i would suggest for it, hellais?)
13:23:23 <evilaliv3> or e.g. angular-timer, angular-relative-dates and some sall others)
13:23:28 <hellais> evilaliv3: I don't understand the question
13:24:01 <naif> hellais: yes but 4 out of 5 core developers of node.js moved to io.js that's backing nw.js. Until they fix the issue, i consider node.js risky for the future
13:24:06 <evilaliv3> i was breafly asking you: what is your suggestion to implement a safe browser detection in relation to crypto/html5 fancy feautres and bla bla?
13:24:15 <elv> evilaliv3: we could freeze every 2.x version
13:24:23 <naif> evilaliv3: if (windows.crypto); then
13:24:24 <elv> we freeze for 2.70.x
13:24:27 <elv> then for 2.71.x
13:24:39 <elv> so we start to experiment with it
13:24:48 <evilaliv3> sure naif, but we wannt to write all tetection routines customs?
13:24:58 <elv> anyway for the checker ok, i'll take this log as a reference
13:25:02 <evilaliv3> i was evaluating using standard one like bowser/modernizr
13:25:20 <naif> evilaliv3: if the numbers of functions are 2 or 3, then yes, it make sense to make a single one liner
13:25:47 <evilaliv3> elv quite all is freezed, noting is changing so far, what is causing problems to you on this side?
13:26:37 <elv> I'm referencing the ticket about freezing dependencies
13:26:43 <evilaliv3> naif, detecting ie8, ie9, other browsers in a safe way etc is not something doable  with a simple one liner
13:26:54 <evilaliv3> in a cross compatible way and without failures i mean
13:27:14 <elv> anyway the point is not one-line but working-detection :p
13:27:33 <hellais> naif: why do you think node.js is risky for the future? What issue?
13:27:40 <naif> evilaliv3: if we need 2/3 functions and we can test if those are available or not, it's simpler. Then we know that only IE11 have it, so it would works
13:28:01 <evilaliv3> ah sure naif
13:28:08 <evilaliv3> but we need also to check for other things
13:28:09 <evilaliv3> like:
13:28:21 <hellais> evilaliv3: yeah I agree with naif I think you should just do duck typing style detection
13:28:24 <naif> evilaliv3: let's make a list on the ticket, then evaluate what must be probed
13:28:26 <evilaliv3> cookies enabled or not, probable in the future local storage or not
13:28:29 <naif> hellais: http://anandmanisankar.com/posts/nodejs-iojs-why-the-fork/
13:29:00 <evilaliv3> anyhow i've never said "USE BOWSER, USE MODERNIZR"
13:29:11 <evilaliv3> i've written: try to avoid any use of libraries
13:29:14 <elv> evilaliv3: u got the point?
13:29:21 <elv> the freeze of libraries
13:29:22 <evilaliv3> if needed eventually bowser, modernizrd
13:29:38 <evilaliv3> now is elv that need to do a research on that and do the proper analysis
13:30:07 <elv> i have to go for an hour and half, and then i'll read the logs
13:30:24 <elv> if u have suggestions about it i'll take care of testing them
13:30:43 <evilaliv3> k
13:30:58 <evilaliv3> i will take a little look and i will write mine suggestion on the ticket
13:31:11 <evilaliv3> remember to fill: http://piratepad.net/4tf6dnUdqw
13:31:18 <hellais> naif: looks like a tempest in a teapot
13:31:29 <evilaliv3> it's important to auto asses a schedule on our duties
13:31:30 <hellais> I wouldn't jump on the flashy new project bandwagon just yet
13:31:43 <evilaliv3> and to self avaulate ourself in our productivity
13:31:55 <evilaliv3> i neither
13:32:02 <evilaliv3> i'm with the hell man
13:32:14 <evilaliv3> hell yeah!
13:55:53 <naif> end of meeting?
14:04:00 <evilaliv3> #endmeeting