13:00:24 #startmeeting
13:00:24 Meeting started Thu May 14 13:00:24 2015 UTC. The chair is evilaliv3. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:00:24 Useful Commands: #action #agreed #help #info #idea #link #topic.
13:00:29 halo!
13:00:41 i've opened the pad for the daily scrum meeting: http://piratepad.net/4tf6dnUdqw
13:06:15 okay so evl,
13:06:28 hellais: :D
13:06:32 i've a new task assignment that would be really important to address
13:06:35 https://github.com/globaleaks/GlobaLeaks/issues/969
13:06:43 https://github.com/globaleaks/GlobaLeaks/issues/137
13:06:57 it's already described as naif likes to repeat
13:07:02 ghgh
13:07:08 but let's add some precise note
13:07:12 elv: sup?:
13:07:19 evilaliv3: what about the other tickets we took node on our gdoc?
13:07:20 what i would like to ask you is:
13:07:24 hellais: ;)
13:07:33 note not node
13:07:41 naif: u there?
13:07:45 * hellais confused
13:07:46 verify what browser primitives are needed by scrypt and openpgp.js
13:08:05 (the minimum is dictated by openpgp)
13:08:32 take as reference: http://caniuse.com/#search=crypto
13:08:38 ok, question:
13:08:57 this is for the receiver/admin side
13:09:12 write a simple detector (you can use a simple html file separated from globaleaks, as we did when i gave you the task assignment before engaging you on globaleaks)
13:09:15 but for the whistleblower side, does it make sense to focus on torbrowser?
13:09:28 this is a routine that will be run when the application starts
13:09:41 and will verify the capabilities of the user browser
13:09:49 evilaliv3: ok a set of checks about browser capabilities
13:10:07 i have something on the old end2end branch i think
13:10:15 taken from the previous scrypt implementation
13:10:43 if the browser is not able to run globaleaks it would provide a user a funny page like: http://abetterbrowser.org/
13:10:57 a useful page
13:11:14 great, but i repeat proceed simply writing a good piece of code of ~20 lines that does the detection
13:11:17 :)
13:11:20 with nice icons, responsive and links to fix the problem (ie: download a modern browser)
13:11:44 you can use:
13:11:45 bw almost everything is already defined on the ticket
13:12:17 you can use only the following libraries:
13:12:20 https://github.com/ded/bowser
13:12:50 and that's it!
13:12:59 if it won't be enough you can add:
13:13:02 http://modernizr.com/
13:13:56 okay
13:14:20 without any angular, any jquery, nothing
13:14:25 yep no problem
13:14:32 consider it done for end2end rel
13:14:45 rel?
13:14:46 another question that i would like to raise
13:14:49 release
13:14:59 ok
13:15:03 before continuing
13:15:08 let me clarify a bit
13:15:17 why i'm asking you to use only these libraries?
13:15:34 cause we want this routine to be run before angularjs is loaded
13:15:46 and this routine should be safe 100%
13:16:03 the messages provided should be shown without relying on any library
13:16:24 this way any browser failure can be detected before it happens :)
13:16:31 and avoided :)
13:16:47 ok, what was your question ?
13:17:10 i would like to take a look at the tickets we considered for inclusion in the release
13:17:11 the ticket contains much more
13:17:12 https://github.com/globaleaks/GlobaLeaks/issues/137#issuecomment-100814120
13:17:43 with openpgp.js inclusion we also need to log client-access-failure somehow
13:17:54 because we will break many clients and we need to know how many
13:19:28 elv: consider that all the tickets related to pgp, scrypt and this detection should be closed before releasing end2end
13:19:52 ok, there are more things:
13:20:05 https://github.com/globaleaks/GlobaLeaks/milestones/2015%20May
13:20:07 Discuss new release naming/tagging - 3.0.0?
13:20:08 - https://github.com/globaleaks/GlobaLeaks/issues/776
13:20:11 you can take this as reference
13:20:22 elv: do not mind the naming
13:20:40 Dependencies freeze on tag/release
13:20:43 using a 3.0.0 would be ok, but all will depend on the stability
13:20:49 pgp key clientside
13:20:52 before having a 3.0.0 we would need a pentest
13:21:02 openpgpjs as library (this is done)
13:21:03 so probably we will call it 2.70
13:21:06 we will iterate
13:21:09 donation badge <------
13:21:17 improve password strength checker in UI
13:21:18 and then we will push out a 3.0.0 at the end of the OTF grant
13:21:29 that is in 9 months from now
13:21:41 this would be a great target
13:21:44 k
13:22:06 donation badge does not sound like a priority IMHO, if we need to do out-of-roadmap-stuff, there are the Adopters stuff waiting
13:22:30 naif: I think electron (electron.atom.io) is superior to nodewebkit in various regards.
13:22:33 the dependency freeze depends on the features we still need to finish
13:22:50 naif: we are using it to build the GUI for ooni: github.com/hellais/network-meter
13:22:51 e.g. if you would need modernizr now (i would suggest for it, hellais?)
13:23:23 or e.g. angular-timer, angular-relative-dates and some small others)
13:23:28 evilaliv3: I don't understand the question
13:24:01 hellais: yes but 4 out of 5 core developers of node.js moved to io.js that's backing nw.js. Until they fix the issue, i consider node.js risky for the future
13:24:06 i was briefly asking you: what is your suggestion to implement a safe browser detection in relation to crypto/html5 fancy features and bla bla?
13:24:15 evilaliv3: we could freeze every 2.x version
13:24:23 evilaliv3: if (windows.crypto); then
13:24:24 we freeze for 2.70.x
13:24:27 then for 2.71.x
13:24:39 so we start to experiment with it
13:24:48 sure naif, but we want to write all detection routines custom?
13:24:58 anyway for the checker ok, i'll take this log as a reference
13:25:02 i was evaluating using standard one like bowser/modernizr
13:25:20 evilaliv3: if the numbers of functions are 2 or 3, then yes, it makes sense to make a single one liner
13:25:47 elv quite all is frozen, nothing is changing so far, what is causing problems to you on this side?
13:26:37 I'm referencing the ticket about freezing dependencies
13:26:43 naif, detecting ie8, ie9, other browsers in a safe way etc is not something doable with a simple one liner
13:26:54 in a cross compatible way and without failures i mean
13:27:14 anyway the point is not one-line but working-detection :p
13:27:33 naif: why do you think node.js is risky for the future? What issue?
13:27:40 evilaliv3: if we need 2/3 functions and we can test if those are available or not, it's simpler. Then we know that only IE11 has it, so it would work
13:28:01 ah sure naif
13:28:08 but we need also to check for other things
13:28:09 like:
13:28:21 evilaliv3: yeah I agree with naif I think you should just do duck typing style detection
13:28:24 evilaliv3: let's make a list on the ticket, then evaluate what must be probed
13:28:26 cookies enabled or not, probably in the future local storage or not
13:28:29 hellais: http://anandmanisankar.com/posts/nodejs-iojs-why-the-fork/
13:29:00 anyhow i've never said "USE BOWSER, USE MODERNIZR"
13:29:11 i've written: try to avoid any use of libraries
13:29:14 evilaliv3: u got the point?
13:29:21 the freeze of libraries
13:29:22 if needed eventually bowser, modernizr
13:29:38 now it is elv that needs to do a research on that and do the proper analysis
13:30:07 i have to go for an hour and half, and then i'll read the logs
13:30:24 if u have suggestions about it i'll take care of testing them
13:30:43 k
13:30:58 i will take a little look and i will write my suggestion on the ticket
13:31:11 remember to fill: http://piratepad.net/4tf6dnUdqw
13:31:18 naif: looks like a tempest in a teapot
13:31:29 it's important to auto assess a schedule on our duties
13:31:30 I wouldn't jump on the flashy new project bandwagon just yet
13:31:43 and to self evaluate ourselves in our productivity
13:31:55 i neither
13:32:02 i'm with the hell man
13:32:14 hell yeah!
13:55:53 end of meeting?
14:04:00 #endmeeting