17:58:22 <mikeperry> #startmeeting tbb
17:58:22 <MeetBot> Meeting started Mon Aug 25 17:58:22 2014 UTC.  The chair is mikeperry. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:58:22 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
17:58:57 <mikeperry> ok. let's get started
17:59:40 * GeKo is here
18:00:07 * isis is here
18:00:21 <mikeperry> last week I merged a few patches from isis for the canvas prompt, and wrote a couple of patches to improve logging of the urls and scripts involved
18:00:54 <mikeperry> I also reviewed all of my gsoc student's code, and sent in his review
18:01:12 <mikeperry> he did a good job, imo (mjuarez)
18:01:34 <mikeperry> I look forward to seeing results based on his work soon.
18:02:05 <mikeperry> I also discussed panopticlick 2.0 with gunes acar at the eff
18:02:19 <mikeperry> this week I am for serious going to finish the Firefox feature-level review
18:02:25 <mikeperry> for esr31
18:02:48 <mikeperry> and hopefully merge the rest of the patches in MikePerry201408R
18:02:58 <mikeperry> or at least comment on all of them
18:03:02 <mikeperry> that's it for me
18:03:24 <MarkSmith> anything interesting to say about panopticlick?
18:04:00 <mikeperry> it's still in the early stages. we just discussed new tests since the last one, and ways to study TBB's current defenses
18:04:08 <mikeperry> we also discussed a few bugs
18:04:34 <mikeperry> #11439 came up
18:05:17 <MarkSmith> OK; thanks.
18:05:18 <mikeperry> and #5798
18:06:08 <mikeperry> gunes the key thing I want out of a new panopticlick is the ability to get entropy/uniqueness reports per useragent
18:06:22 <mikeperry> err s/gunes// there
18:06:54 <mikeperry> it is made complicated by the fact that panopticlick removes duplicate results via cookies, which most TBB users won't persist
18:07:17 <mikeperry> so we also discussed ways of asking the user for their TBB version and if they had tested before
18:07:29 <mikeperry> vs providing a link from say about:tor and telling them to use that
18:09:47 <arthuredelstein> It's not entirely clear to me that measuring entropy helps harden TBB, though. Osmy to identify all sources of entropy systematically.
18:09:56 <arthuredelstein> Osmy -> Isn't it better just
18:10:57 <mikeperry> well, it is not fully clear how much entropy our font limits allow in practice. nor our resolution fixes
18:11:28 <mikeperry> having solid results on stuff like that can help us decide which defenses need more work, and how to prioritize things we haven't solved yet
18:12:24 <mikeperry> it can also help us make the case with Mozilla for our defenses
18:12:51 <mikeperry> esp if we are clearly doing better than Firefox by a wide margin
18:13:29 <mikeperry> right now, there is intense argument about some of our defenses being improvements rather than solutions, and if there might be better improvements
18:13:37 <mikeperry> and if those are worth it
18:15:20 <mikeperry> having data hopefully will make all of that clearer
18:15:31 <arthuredelstein> I see. I guess I would tend to lean toward defending outlier TBB users with weird installed fonts, even if they don't show up much in the stats
18:15:39 <arthuredelstein> for example
18:16:00 <GeKo> hmm
18:17:44 <mikeperry> we discussed using the font results from flash and java to try to find fonts like that
18:18:27 <arthuredelstein> Sorry, I think I've diverted the meeting. I may not have thought this through enough in any case.
18:18:32 <mikeperry> but yeah, that sort of thing is an argument for a different solution to fonts. I think dcf1 did some initial analysis on including font packs with TBB, but I forget what those were. I think he found it was 10s of MB to get full coverage
18:18:56 <GeKo> yes, something like that IIRC
18:19:25 <rl1987> there is a research paper that argues in favour of trying to make worst-case anonymity better instead of trying to maximize entropy for entire anonymity set.
18:19:42 <mikeperry> it may be worth talking to him if you're interested in that. once we have incremental updates, such a cost might not be too bad
18:20:34 <isis> how is the incremental updater coming along?
18:20:43 <mikeperry> for resolution and other things, it will be easy to see the outliers.. for fonts, we'll need to make inferences from secondary data sources (like the full font list from non-TBB users)
18:21:05 <arthuredelstein> rl1987: Do you have a link? That's more or less what I was thinking about.
18:21:55 <mikeperry> isis: we're going to roll out a non-incremental version first. that is ready for review and is in my pile for this week
18:22:26 <isis> so a thing that automatically pulls down 24MB when told to do so?
18:22:35 <GeKo> yes
18:23:08 <isis> i suppose it'll naturally get staged by people going online at different times, so okay
18:23:58 <isis> neat
18:24:07 <GeKo> here is what I did this week:
18:24:56 <GeKo> worked on getting ESR 31 built in our setup
18:25:08 <GeKo> I created the XUL part for #9387
18:25:38 <GeKo> atr leat a part that let me script things
18:25:45 <GeKo> *at least
18:26:10 <GeKo> I did some reviews and I fixed a bug in our nightly setup (#12920)
18:26:54 <mikeperry> cool. Giorgio also just landed the "Only load HTTPS-sourced scripts from HTTPS url bars" NoScript pref for #9387
18:27:04 <GeKo> this week I hope to get 31 ESR built on at least one platform successfully
18:27:33 <GeKo> and I think I can have a first thing to review for #9837 by Friday
18:27:45 <GeKo> err #9387
18:28:14 <rl1987> arthuredelstein: http://home.mit.bme.hu/~tgm/phd/publikaciok/2004/nordsec04/tg_nordsec2004_proceedings.pdf
18:28:23 <GeKo> and I planned to review at least the gitian bits for the updater patch
18:28:39 <GeKo> I probably won't be able to do more :(
18:28:45 <GeKo> that's it for me
18:28:46 <arthuredelstein> rl1987: thanks! :)
18:29:34 * MarkSmith can go next
18:30:16 <MarkSmith> Last week, Kathy Brade and I added riseup.net to the Bridge Help screen in Tor Launcher (#12895).
18:30:26 <MarkSmith> We also fixed #12444 and for our efforts we received 3 hearts from Lunar :)
18:30:38 <MarkSmith> We spent quite a bit of time on #10804 but we have not had much success reproducing the problem.
18:30:47 <MarkSmith> We tried on Mac OS and Windows; Linux is next.
18:30:56 <MarkSmith> We started to work on #11405 and plan to finish it today.
18:31:12 <MarkSmith> This week we will help land the #4234 changes and continue to work on other TorBrowserTeam201408 bugs.
18:31:21 <MarkSmith> That's all for us.
18:32:05 <GeKo> re #10804: an older computer helps and a debug build :)
18:32:40 <MarkSmith> OK.  We tried the older computer idea, plus artificially loading the computer with other tasks.
18:33:11 <GeKo> I see. I hit it quite reliably on my Linux box (which is annoying...)
18:33:11 <MarkSmith> We tried a debug build on Mac OS but not on Windows.  But we can try that everywhere ;)
18:33:38 <MarkSmith> OK.  Maybe we should've started on Linux.  We will ping you if we cannot reproduce it there.  But I know you are busy.
18:34:29 <GeKo> do that. I am happy to test a patch.
18:34:37 <MarkSmith> Do you encounter the bug only with a fresh start or ?
18:34:47 <MarkSmith> That is, wizard or no wizard?
18:35:01 <GeKo> no wizard
18:35:28 <MarkSmith> OK.  That is the scenario we have mostly tried so far.
18:37:50 * arthuredelstein can go next
18:38:11 <arthuredelstein> Last week I worked on debugging patches in https://github.com/arthuredelstein/tor-browser/commits/esr31-port-untested
18:38:22 <arthuredelstein> And I added unit tests for 3 patches
18:38:42 <arthuredelstein> I also did some cleanup on my patch for #8641
18:39:41 <arthuredelstein> And then I started working on trying to get torbutton to show up on the esr31 port, which it currently does not.
18:39:53 <arthuredelstein> This week I hope to continue to write unit tests and work on the torbutton issue for esr31
18:40:29 <arthuredelstein> I guess the latter is #10751
18:40:38 <arthuredelstein> That's all for me
18:40:57 * helix is here
18:41:05 <helix> can I go? :)
18:41:05 <GeKo> hi!
18:41:23 <helix> I'll guess that's a yes
18:41:34 * boklm will go after helix
18:41:44 <helix> so I submitted the first pass of the hardening patch for the 4.x series last week and GeKo reviewed it
18:41:55 <helix> I think I fixed #10077, but I need to double check the PTs
18:42:20 <helix> and I need to check why GeKo's bundles differed from mine, it could just be a mistake on my part since mine matched each other
18:42:46 <helix> but it should be done this week I think
18:42:53 <GeKo> nice
18:42:54 <helix> unless something strange happens
18:43:19 <helix> GeKo: gcc 4.8.3 is nice enough to write its version into the binaries so you can find if they were built with it by using strings :)
18:43:26 <helix> 4.6.3 doesn't do this
18:43:33 <GeKo> aha!
18:44:19 <helix> other than that, assuming everything goes fine with the hardening, I'll go back and triage some more bugs
18:44:23 <helix> that's all for me
18:44:46 <isis> arthuredelstein: (re: #8641) awesome!
18:45:19 <arthuredelstein> thanks! :)
18:46:19 <boklm> so last week I merged a patch on the test suite from Gunes Acar
18:46:29 <boklm> integrated mochitest tests into our test suite
18:46:47 <boklm> made a few improvements on the xpcshell part (reading results from the generated xunit xml file rather than parsing the logs)
18:47:08 <boklm> next week I'm planning to launch a rebuild of all our commits to run mochitest on them
18:47:17 <boklm> and setup some nightly builds on our build VM (with LXC)
18:47:36 <boklm> that's it for me
18:48:01 <mttp> Hi
18:49:07 <boklm> hi mttp
18:49:08 <mttp> The "Proxy with no PTs doesn't work in TB 4.0-alpha" issue I mentioned last week, turned out to be the user was in Saudi Arabia and their ISP censored Tor, so PTs fixed the issue, (as far as I can tell)
18:49:44 <mttp> I finally found a help desk user who was responsive enough to give me the data needed to open #12941
18:50:11 <mttp> I had a user report the following, as well:
18:50:19 <mttp> > Thanks for offering TOR. A remarkable software!
18:50:19 <mttp> > i have been attempting to restore previous saved bookmarks all through
18:50:19 <mttp> > version 363. Previous versions i had no problems with this. My browser
18:50:19 <mttp> > freezes up and having to restart. Attempted with 364.1 Also freezes my
18:50:22 <mttp> > browser.
18:51:08 <mttp> I told the user that the Tor Browser team had not really touched the bookmarks code from Firefox and they should try to reproduce the issue in Firefox ESR. So far I have not heard back
18:52:43 <mttp> As I wrote in this coming week's Tor Weekly News, I've seen multiple users on multiple VPN services who say they can't use Tor Browser through a VPN. To me this isn't that big of a deal.
18:53:23 <mttp> I just tell them that using Tor Browser with a VPN isn't supported, and that if they want a trusted entry into the Tor network to use a bridge, and that if they want to anonymize all traffic coming from their computer, to use Tails.
18:53:32 <mikeperry> hrmm
18:54:19 <mikeperry> I think it's probably a common usecase, actually.. it's probably worth finding out if it's a specific VPN type
18:54:39 <mttp> HMA and Hotspot shield
18:57:29 <mttp> I can ask for logs next time I get asked about VPN support
18:57:33 <mikeperry> hrmm
18:58:28 <mikeperry> well I would say that combining circumvention VPNs might be weird.. who knows how those try to work. I was thinking generally.. if all OpenVPN setups are broken with Tor Browser, that's bad, for example
18:58:50 <mikeperry> but still worth investigating. many of these things use OpenVPN underneath
18:59:21 <mttp> Or certain services might block Tor, for their own reasons
19:00:20 <mikeperry> true
19:02:03 <rl1987> data retention reasons?
19:02:48 <mttp> maybe, I'm just speculating
19:03:08 <mttp> That's all the support issues I have to report
19:03:51 <mttp> Once helix finishes the hardening stuff this week I'll look at the expert bundle some more
19:04:20 <mikeperry> ok
19:04:54 <tjr> I'll provide an update, although it's more about lack of progress.
19:05:12 <tjr> I've unpacked more of my computers, including my ubuntu box that is dedicated to stuff like building TBB.
19:05:42 <tjr> It errors somewhere in gitian, with apt (or whatever package manager it is) throwing an error about a size mismatch.
19:06:02 <GeKo> ah, wait
19:06:12 <tjr> My aim was to build a windows/linux/mac build and do a performance comparison, but I'm currently stuck on the 'build' part.
19:07:04 <GeKo> tjr: that one? https://github.com/devrandom/gitian-builder/issues/66
19:08:07 <tjr> GeKo: quite possibly!  That's the error at least, and it spits out a 127.0.0.1 ip also somewhere - so pretty likely
19:09:02 <tjr> I have no concerns about bandwidth, is there an easy answer to "How do I 'not cache'"?
19:09:22 <GeKo> not that I know
19:09:36 <helix> just upgrade your ubuntu if you can
19:09:42 <tjr> Okay.  Well this gets me somewhere, so I will keep investigating along this line as I'm able to
19:09:47 <helix> if you can't, upgrade apt-cacher-ng
19:09:53 <helix> or just stop it then start it again
19:09:58 <tjr> helix: I should be able to do one or both of those.
19:10:08 <helix> the one in 14.04 works fine most of the time, but still sometimes needs to be restarted
19:11:48 <tjr> (That's all I have)
19:11:50 <MarkSmith> If you upgrade to 14.04, be aware of #12431
19:13:31 <GeKo> mikeperry: before I forget it a comment on my last comment in #12620 would be nice.
19:13:46 <GeKo> I am unsure wrt the websocket patch at least
19:13:51 <tjr> I just booted it up... I am running 14.04, but I don't think I'm using LXC
19:14:39 <MarkSmith> tjr: Not using LXC should be good (or better) on 14.04
19:16:44 <mikeperry> it could be a local firewall or other odd redirection issue perhaps?
19:16:51 <mikeperry> if it is still happening with 14.04
19:17:03 <mikeperry> and an up-to-date 14.04, too
19:17:29 <helix> sometimes I have to vmclean to make that issue go away :| but usually just restarting apt-cacher-ng is enough
19:19:55 <mikeperry> ok, is that it for meeting-related items?
19:22:03 <mikeperry> ok then. it's *baf* time
19:22:13 <mikeperry> #endmeeting *baf*