18:00:51 #startmeeting 18:00:51 Meeting started Mon Aug 11 18:00:51 2014 UTC. The chair is mikeperry. Information about MeetBot at http://wiki.debian.org/MeetBot. 18:00:51 Useful Commands: #action #agreed #help #info #idea #link #topic. 18:01:30 let's get started. I have a bit of lag today, so beware of falling typos 18:02:25 last week, I wrote a draf blog post for the iSEC study of Tor browser, and had Roger and GK review it. I also sent it to iSEC and they had some further comments 18:02:51 it's on the blog, but unpublished. I need to do a few more tweaks, but if you have a blog account, you can view it 18:03:57 I also helped move the releases along. they are almost ready, but we're trying to transition helix into a more active role in the release process. I owe her a mail about the release post and the location for the alpha's 18:06:12 there were also some final touches to put on our fudning proposal for the next two years. I think I gave armadev the details he needed for that 18:07:02 I also pushed an esr31 branch, as well as arthuredelstein's bug-numbered patch branch (tor-browser-24.7.0esr-4.x-2 in tor-browser.git) 18:08:42 this week, I am planning on getting the iSEC post up, give some comments and/or review, and/or merge the patches in https://trac.torproject.org/projects/tor/query?keywords=~MikePerry201408R, and update the design doc 18:09:22 I probably should be creaing tickets for the various writings and paperwork things I'm doing, so people who are interested can comment. I will definitely do that for the design doc and the FF31 work 18:10:52 I think I might also do the Firefox31 feature review, or at least starting it is on my radar. that's probably better done earlier than later (currently our roadmap from the dev meeting has it due October, but bumping it up seems wise) 18:11:28 Agree regarding the FF31 review. 18:11:45 I also want to get an outline of the security properties we want for a hardened android system, but that's non-TBB 18:11:53 Sorry, what's meant by FF31 feature review? 18:12:40 every Firefox release has a developer document that describes the features added and API changes since the last release. Here's a example: https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Releases/24 18:13:04 it also has a list of undocumented bugs tagged in the bugtracker that are meant to be added to that, but for some reason were not yet 18:13:39 so going through all of that for Firefox 25->Firefox 31, and reviewing each API for fingerprinting, third party tracking, and potential proxy issue 18:13:42 +s 18:13:55 Makes sense. Thanks. 18:13:57 I also do a grep of the source to check for new socket and networking calls 18:14:08 to check for possibl new proxy issues 18:15:48 that's it for me 18:18:39 * MarkSmith can go next 18:18:54 This past week, Kathy Brade and I spent time on a bunch of different things. 18:19:02 Other than miscellaneous bug triage and smoke testing of TB 3.6.4 and 4.0a1, 18:19:10 we committed a Tor Launcher fix that eliminates some errors that showed up on the browser console (this fix is not urgent; it can be picked up for the next 4.0 release). 18:19:22 We spent some time with XUL in order to provide some info to Isis for #12684. 18:19:50 As an experiment, we tried to reproduce the first TB 4.0a1 candidate builds on our own build machine; 18:19:57 Linux and Mac were OK but the Windows packages contain small differences in tor.exe. 18:20:05 We have not yet tried to determine the root cause. 18:20:17 We talked to Arthur about consolidating control port access code (Tor Launcher's tl-protocol.js and the new code he wrote for #8641). 18:20:28 hrmm.. odd. I know GK comitted some toolchain updates for Windows to try to eliminate some of those 18:20:28 Our collective thinking is that we need the asynchronous code he implemented for some things and we need synchronous code for other things. 18:20:34 (windows build differences) 18:20:39 I guess more may remain 18:20:57 mikeperry: maybe we missed those somehow? But we should've had them. 18:21:20 On the control port code, the best of both worlds would be to refactor things to share common code but provide both async and synchronous access. 18:21:47 I don't think it is urgent to consolidate the code but other people might disagree. 18:22:07 This week we will publish rebased browser and builder branches for #4234 so everything can be merged into the TB 4.0 codebase. 18:22:16 Also, we will respond to boklm r.e. the script that he wrote for #12622. Quick feedback: his approach looks good. 18:22:32 That's all for us unless people have comments or questions. 18:24:09 ok. playing the infrastructure game to find a place for #12622 to live will be fun, I bet 18:24:54 Suggestions for who can "own" that infrastructure part? I don't really know anything about how our web site works, etc. 18:25:24 mvdan: nickm: there, all caught up. mvdan: If you have any questions, just ping :) 18:26:59 Anyway, we will need to figure out deployment and make it happen. 18:27:22 the tricky part is that we have only a volunteer sysadmin, and no real hardware/infrastructure. this needs a dedicated system for a few reasons, and whose job it will be to find/provide that, and how it will be integrated is an unknown. every time something like this comes up, there seems to be a lot of arguing and buck passing. I will do my best not to get upset like I often do in these situations :) 18:28:18 Why does it need a dedicated system? Do you mean the place where the script runs or the place where we host the mar files and XML update info files? 18:28:24 Or both? 18:29:12 the plac that runs the script is where I suspect to be the most issue. it needs to be both secure, and capable of running dynamic web code (python, yes?) 18:29:38 that script will spit out urls and authentication info for mars, right? those mars can be on a static server at a different location? 18:29:42 The current approach is to have a script that runs offline to generate XML files and .htaccess files. 18:30:05 actually, the script generate static .xml files and redirect rules, so it can be run on a developer machine who rsync the files to the public web server 18:30:06 Yes, the mars could be located anywhere. 18:30:19 ah, great. that will be easier then 18:30:23 What boklm said :) 18:30:52 And even though I wanted a cool, live responder script this seems much safer. 18:32:45 MarkSmith: does the updater require a specific SSL certificate (signed by a CA ? or one with a fixed fingerprint ?) 18:32:49 do we have any thoughts on how to do incremental updates with our build system yet? or are we just going to roll out non-incremental mars for now and figure out incrementals later? 18:33:22 What are the mars, now? 18:33:45 mttp: the archive files used by the updater 18:34:03 boklm: the Firefox has some prefs that can be used to specify attributes of the update responder's SSL certificate. 18:34:53 https://www.palfrader.org/volatile/2014-08-11-R1teIxGZcDo/screenshot.png 18:35:05 boo. torbrowser-launcher fails to download stuff. 18:35:11 mikeperry: We can start with full updates only. We can generate incremental mars and everything will work though. 18:35:43 Incremental mars will need to be generated outside of the gitian-based build process I think and so there is a reproducibility concern. 18:36:11 [ https://www.palfrader.org/volatile/2014-08-11-uEwqaobMKoc/stdin - missing sha256sums.txt-mikeperry.asc apparently ] 18:39:32 weasel: which release was it trying to download? 18:39:56 mikeperry: see the complete log -- it's trying to get 4.0-alpha-1. 18:40:34 https://www.torproject.org/dist/torbrowser/4.0-alpha-1/ (also has nice index.html? files in it...) 18:41:05 ok. yeah, I think we didn't relocate the signing files. I will make a note to discuss this with helix 18:41:28 also, there is a cron script on check.torproject.org that we want to have point at a new location 18:41:33 in the meantime, torbrower-launcher is unable to give me a TBB. it can't even run the one it already has. 18:41:47 oh man, bad failure mode 18:41:52 yeah, no kidding 18:42:30 there is a cron script on check that updates https://check.torproject.org/RecommendedTBBVersions using https://gitweb.torproject.org/torbrowser.git/blob/HEAD:/build-scripts/recommended-versions 18:42:31 manually cding into .torbrowser/tbb/x86_64/tor-browser_en-US/ and running ./start-tor-browser from there works, 18:42:49 maybe that's ok for most of its users 18:43:08 we want it to use https://gitweb.torproject.org/builders/tor-browser-bundle.git/blob_plain/HEAD:/gitian/recommended-release-versions at some point 18:43:13 instead of https://check.torproject.org/RecommendedTBBVersions using https://gitweb.torproject.org/torbrowser.git/blob/HEAD:/build-scripts/recommended-versions 18:43:27 err instead of just https://gitweb.torproject.org/torbrowser.git/blob/HEAD:/build-scripts/recommended-versions 18:44:00 is there any reason to continue the use of a SPOF service for that text file? 18:44:20 instead of something that's actually redundant and that people try to keep available more actively? 18:44:20 the failure moe issue shoud probably be taken up with micah lee, but I'll get to fixing the signature and index issue before the official release 18:44:39 (i.e. www.tpo) 18:45:53 ah, yes we can possible put it on www, yes. that will require a new TBB release, but doable 18:46:58 I will make a ticket for that 18:48:14 who is next? 18:48:19 * boklm can go next 18:48:27 So this week I have: 18:48:40 - made a first version of a script for #12622 - https://trac.torproject.org/projects/tor/ticket/12622#comment:12 18:48:55 - made a summary page of xpcshell test results for all commits: http://93.95.228.164/reports/index-browserunit.html 18:49:06 mikeperry: (thanks!) 18:51:01 Next week I'm planning to: 18:51:24 - see with pearl crescent if we can test the update responder on real .mar files, and if there is some changes needed for #12622 18:51:33 summary page is very nice 18:51:47 - add an option in the testsuite to hide failures for already known issues, with a reference a trac ticket (which I had planned for this week but didn't do yet) 18:51:49 * helix is here 18:52:20 that's it for me 18:53:15 I can go next 18:53:44 helix: I just sent you a mail about the release, and also note weasel's comment's. we can discuss this later, but I may be intermittently on/offline 18:53:53 ok 18:53:55 for bits of today 18:54:05 got the email and will read scrollback and then I'll go after mttp :) 18:54:15 We received more reports of the "Firefox is already running problem" 18:54:51 This user said they were running Tor Browser on Windows and used it successfully 3 times before getting this message while trying to open it a 4th time 18:55:06 And they saved it on the desktop 18:55:29 I can't remember if there was more information to collect before making a ticket 18:56:51 mttp: having them open the task manager and check for running firefox.exe processes and tor.exe processes is one step. getting a listing of files in the TBB profile directory (location changed in 4.0, but should be in Data/Browser/profile.default in 3.6.x) is another good piece of info 18:57:53 Another issue on Windows is the "Tor is not working in this browser" message showing up after the user has been browsing for some time. The user that reported this issue was NOT in Iran (I thought this might be the answer at some point, but it looks like it's not) 18:58:32 The user had not installed any antivirus or firewall, so I assume they just had whatever came by defualt with their system 18:58:46 that is very odd. I think that check is only done at startup, iirc 18:59:17 The user said they had been browsing for a few hours 19:00:08 Also saved on the Desktop, using Windows 7 19:01:02 And they couldn't reproduce the problem, i.e. it went away when they deleted Tor Browser and reinstalled it 19:01:13 Does the "Tor is not working in this browser" message mean they are viewing about:tor? 19:01:24 were viewing 19:01:49 I don't think so, but let me check the ticket again for clues 19:03:18 Or did they see a "The proxy server is refusing connections" message? 19:03:58 Ok sorry, I misreported--they said they had been browsing for "only a minute" and then got the message "tor unexpectedly exit" 19:04:29 and after that they couldn't load any sites, so sounds like the browser stays open and usable 19:05:10 The "Tor is not working in this browser 19:05:22 " message didn't happen in this case I was just misremembering 19:05:52 were PTs involved? 19:05:53 Sounds like tor crashed or was killed… but of course we do not know why. 19:06:47 The log message makes it look like PTs were indeed involved 19:07:30 [NOTICE] Pluggable transport proxy (flashproxy exec Tor\PluggableTransports\flashproxy-client --register :0 :9000) does not provide any needed transports and will not be launched. 19:07:39 sounds like oth of these may require new tickets in trac 19:07:43 *both 19:07:50 [NOTICE] Pluggable transport proxy (fte exec Tor\PluggableTransports\fteproxy --managed) does not provide any needed transports and will not be launched. 19:08:36 ok, I'll do that this evening 19:09:49 That's all for now. 19:10:30 * arthuredelstein can go next 19:11:01 Last week I worked on polishing up #3455. 19:11:33 I worked on a new patch for #8405 19:11:58 And I started on #12620 19:12:32 So this week I hope to continue on #12620 19:13:01 awesome. thanks for picking that up 19:13:11 my pleasure 19:13:40 * helix will go next if/when arthuredelstein is done 19:13:48 done! 19:13:56 :) 19:14:15 I started porting my windows hardening changes that never really got totally finished to the 4.0 series, and it's going much better 19:14:21 I should have it done by the end of the week 19:14:42 I fixed those two issues weasel pointed out about 4.0-alpha-1 just now btw 19:14:51 and I'll get this release out today 19:15:10 that's pretty much it for me 19:15:33 ok great. let me know if you need help with either of those 19:18:13 well, if you could write the remainder of the blog post I'll do the website tables :) 19:18:25 ok 19:18:28 awesome 19:18:34 thank you 19:20:22 anyone else? anything else? 19:21:16 ok, then a reminder. if you want me to look at something, tag its ticket with MikePerry201408R. and in general don't forget to tag stuff with TorBrowserTeam201408 if you're working on it this month 19:21:52 team torbrowser 19:22:44 tjr: I will reply to your mail later today btw 19:23:13 mikeperry: I have to disappear for 2h (gosh mondays are busy) but I'll work on the tables when I get back and if you send me the text to change (or edit the blog post yourself) just let me know if you need me to post it 19:23:18 I'm not sure how the permissions work 19:23:47 ok, I might not have a stable connection until later today. we'll see. there's not a huge rush on this release though, so no worries 19:23:59 ok 19:24:00 I will probably edit the post myself 19:24:04 great 19:24:10 so are we baf? 19:24:35 indeed. I think that wraps it up. thanks everyone! 19:24:48 #endmeeting *baf