19:00:05 <mikeperry> #startmeeting tbb
19:00:05 <MeetBot> Meeting started Mon Dec 15 19:00:05 2014 UTC. The chair is mikeperry. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:00:05 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
19:00:17 <mikeperry> hello everyone
19:00:29 <mikeperry> sorry for my absence the past two weeks
19:00:34 <boklm> hello
19:01:04 <mikeperry> I kept an eye on the scrollback and it seemed as though everything is going well.
19:02:21 <mikeperry> last week wasn't a great week for my productivity though. I did some testing of the security slider and found a whole bunch of issues, and I looked at the new GPG key for TBB.. it's almost there, but not quite. I also began contacting people and discussing contracts as per my "advocate" role, but I still have quite a few more mails to send there. hope to get through those today
19:02:49 <mikeperry> Giorgio also has a new noscript for us, which should fix the issue that caused us to need to add "https:" to our whitelist for the security slider
19:03:21 <mikeperry> and also avoid using prefs for temporary permissions, and further allow us to simplify the NoScript UI with new prefs
19:04:24 <mikeperry> Mozilla is also serious about this Polaris project. I am meeting with them tomorrow. I think our focus for that should be as you all discussed last week: getting our third party identifier isolation patches merged by the FF38 freeze
19:05:33 <mikeperry> we probably should also make a tag for items we know we want in 4.5-alpha, or maybe just 4.5-alpha-3, or some combination
19:06:33 <arthuredelstein> Is that meeting something we could listen in on via vidyo?
19:06:37 <mikeperry> I think that's it for me and direction setting. I will be travelling this week and will also need to be working on my CCC talk on reproducible builds, so I fear my productivity won't be great for TBB through the rest of the year
19:07:12 <mikeperry> but I can still help with critical things, and making sure everyone's contracts are set for Q1+Q2 2015
19:07:22 <GeKo> mikeperry: I'm pretty curious about their "tracking protection" (see -internal mail). Could you try talking to them about that too?
19:07:42 <GeKo> because it does not make much sense to me tbh
19:08:36 <msvb-lab> Maybe a Moz town hall meeting on Polaris sometime, like Arthur asks?
19:08:44 <msvb-lab> Anyone know?
19:09:44 <mikeperry> GeKo: yeah, me either. I know they are focusing on this whitelisting scheme that is kind of unfortunate for us. but perhaps we can get some telemetry on usage of that + private browsing mode, for load estimates/statistics for a Tor-enabled PBM
19:10:03 <GeKo> that would be nice at least
19:11:38 <mikeperry> arthuredelstein,msvb-lab: the meeting is at 11am PST tomorrow, but we're still not sure if it will be at EFF or Mozilla
19:12:21 <mikeperry> err, not whitelisting, blacklisting of "bad" trackers
19:13:22 <mikeperry> either way, I will try to reiterate that they want their "disable third party cookies" option to apply to all of the things we make network.thirdparty.isolate apply to, and see if I can convince them they want to do some usability testing on something like https://www.torproject.org/projects/torbrowser/design/NewCookieManager.png
19:13:26 <MarkSmith> I am skeptical that any blacklisting approach will truly empower Firefox users.
19:13:49 <MarkSmith> Any help Mozilla can provide is of course welcome.
19:16:44 <mikeperry> yeah, me too. I think blacklisting will just create a different arms race. but I guess they probably want to show that they are doing something right away, and blacklisting is "something"..
19:17:05 <GeKo> *sigh*
19:17:07 <arthuredelstein> Presumably Google is a "good" tracker?
19:17:17 <GeKo> they should merge and deploy our stuff
19:19:09 <mikeperry> yeah, this will probably be a long road, still. but hey, they seem to be serious about it
19:19:34 <GeKo> yeah, the blacklisting ;)
19:20:00 <GeKo> anyway, here is what I did last week:
19:21:13 <GeKo> today I made another expedition to Mount Doom. And I am optimistic :)
19:21:33 <mikeperry> do we have the One True Key at last? ;)
19:21:47 <GeKo> then we got gunes' patch landed (#13439)
19:22:00 <GeKo> we'll see, there is hope
19:22:25 <weasel> did we cast it back into the fiery chasm from whence it came?
19:22:37 <weasel> (ick. "from whence".)
19:22:46 <GeKo> not yet
19:23:16 <GeKo> then I tried to fix #13877 but that fails currently
19:23:41 <GeKo> I think I opstpone that work until ESR 38 comes and we need to fix a bunch of OS X related stuff anyway
19:23:48 <GeKo> *postpone
19:24:01 <GeKo> then I fixed #10125
19:24:19 <GeKo> I can build Tor Browser on a Debian system now
19:24:37 <GeKo> although there is stil no python-vm-builder package
19:24:39 <GeKo> *still
19:25:09 <GeKo> I am currently testing the patch a bit but that should be done this week
19:25:38 <GeKo> then I reviewed #13379 and am quite happy
19:25:58 <GeKo> it seems well-tested, too (thanks Mark and Kathy).
19:26:22 <MarkSmith> :-)
19:26:32 <ayushjjwala> hello
19:26:36 <ayushjjwala> i need some help...
19:26:49 <GeKo> this week I'll test #13379 a bit. I am curious what is happening if we ship more than one key
19:27:08 <GeKo> a thing we should do from the beginning even if we only sign with one key for the moment
19:27:14 <ayushjjwala> i would like to contribute to the org so if someone could guide me it will be a great help!!
19:27:52 <GeKo> then I plan to resume my #9387 work
19:28:08 <GeKo> mikeperry: would be nice if you could add the things you found to the ticket
19:28:17 <mikeperry> GeKo: I have a pile of notes on #9387. shall I just add them there?
19:28:33 <GeKo> yes, would be good
19:28:35 <mikeperry> mostly around NoScript settings not being updated until New Identity
19:28:52 <mikeperry> but a couple other UI/UX comments and other pref behaviors
19:29:42 <GeKo> finally I plan to look into the test failures happening with the nsiprotocolproxyservice patch
19:29:59 <GeKo> I have some hope geting that large patch into esr38 as well
19:30:04 <GeKo> *getting
19:30:12 <GeKo> that's it for me
19:30:41 * MarkSmith can go next
19:31:05 <MarkSmith> Last week Kathy and I implemented SHA512-based hashes for signed MAR files (#13379).
19:31:14 <MarkSmith> We landed a fix for #13776.
19:31:24 <MarkSmith> We also did some miscellaneous bug triage, e.g., #13893, #13920,
19:31:32 <MarkSmith> plus the incremental update failures reported by mikeperry and GeKo.
19:31:43 <MarkSmith> We also merged the nearly forgotten fix for #11449 into Torbutton.
19:31:53 <MarkSmith> This week we plan to review #13857 and follow up with any signed MAR issues that GeKo and other people find.
19:32:00 <MarkSmith> It is also worth noting that we will be out of the office most of next week (December 22-26).
19:32:11 <MarkSmith> And the week after Christmas (December 29 - January 2nd) we will have reduced availability to work on Tor items due to
19:32:17 <MarkSmith> the need to spend time on end of the year paperwork, tax filings, and other not-so-fun activities.
19:32:28 <MarkSmith> That's all for us.
19:33:37 * arthuredelstein can go next
19:34:10 <arthuredelstein> Last week I worked on patches for #13749
19:34:29 <arthuredelstein> I've posted one, and the other two are close
19:35:08 <arthuredelstein> I also had another look at the unit test for the nsiprotocolproxyservice patch, but haven't solved it.
19:35:54 <GeKo> do you have a newer patch? because there is more than one test broken
19:36:08 <GeKo> with the one attached to the ticket
19:36:14 <arthuredelstein> So this week I'll finish the patches for #13749 and also try to have a closer look at #13788
19:36:40 <arthuredelstein> GeKo: The patch I posted on Mozilla has two unit tests broken, IIRC.
19:36:57 <arthuredelstein> https://bugzilla.mozilla.org/show_bug.cgi?id=436344
19:37:02 <arthuredelstein> I think they are probably related
19:37:35 <GeKo> ok. IIRC my try build has 5 failures at least (I ran all xpcshell tests and all mochitests)
19:37:38 <GeKo> on Linux
19:37:46 <GeKo> *had
19:37:56 <arthuredelstein> I thin I fixed some of those
19:38:09 <arthuredelstein> *think
19:38:26 <GeKo> aha! do you mind making your latest patch available somewhere?
19:38:41 <arthuredelstein> Sure. Sorry for not doing so already
19:38:57 <GeKo> np
19:39:55 <arthuredelstein> That's all for me.
19:40:57 * boklm can go next
19:41:18 <boklm> since last week I added a test for the security slider #13682
19:41:47 <samgtr> atagar: do i need to upload a patch or something for the bug?
19:41:47 <boklm> I tried to fix some problems running the testsuite on Windows, where the tor daemon does not get killed correctly and release its ports when using PT
19:41:55 <boklm> for now I will disable the PT tests on Windows until this is fixed
19:42:10 <boklm> This week I'm planning to:
19:42:15 <boklm> review the patch arthuredelstein posted on #13749
19:42:27 <boklm> rebase #13857 on the latest version of the signed MAR changes
19:42:46 <boklm> investigate the fte random failures we have
19:43:02 <atagar> samgtr: Nope. If you'd care for me to pull the change I can just fetch it from your repository. As mentioned on the ticket though it might be better to wait for the rest of the tests though.
19:43:05 <boklm> that's all for me
19:47:06 <mikeperry> boklm: the security slider behaviors may change slightly with the latest noscript and the set of things I noticed in the current branch. so just be aware, I guess. I will post my notes on #9387
19:47:41 <boklm> mikeperry: ok
19:50:09 <mikeperry> do we have anyone from support here?
19:51:27 <mikeperry> I guess not. anything else?
19:51:36 <msvb-lab> Revisited #3246 last week.
19:52:16 <msvb-lab> ...and will be testing the incomplete Mozilla patch again this week, completing it hopefully.
19:52:41 <GeKo> nice
19:52:42 <msvb-lab> Hmm, what's with zwiebelbot.
19:53:05 <msvb-lab> Anyway, it's helping to get more familiar with the general FF cookie architecture.
19:53:20 <msvb-lab> And I've had more time lately to spend on this.
19:54:09 <msvb-lab> Not much else, but I think a new friend would like to ask about contributing.
19:54:12 <msvb-lab> ayushjjwala: You there?
19:54:34 <ayushjjwala> yeah
19:55:16 <msvb-lab> If you found a bug or two on trac, and want to ask anything then go for it.
19:56:03 <ayushjjwala> well i am goin through them...give me some more time to understand them!
19:56:11 <msvb-lab> Okay no problem.
19:56:25 <msvb-lab> mikeperry: By the way an exploit was supposedly found in TBB, so I sent him to you.
19:56:45 <msvb-lab> I think I'll keep on #3246 this week, and try to be at the Polaris meeting tomorrow.
19:57:10 <msvb-lab> Over.
19:57:45 <mikeperry> who found what exploit? I don't see any mail
19:58:29 <msvb-lab> I couldn't figure out if he was serious or not.
19:58:54 <samgtr> atagar: can you merge the test code? I can start working on the next test then
19:58:58 <msvb-lab> If you receive no mail, then I assume the person discovered a user error or a flaw in their logic.
19:59:02 <samgtr> atagar: hope that's not a problem
19:59:58 <atagar> samgtr: It's not a problem, but I'd rather have us do this in a feature branch until it's done. Little less messy that way (we can then merge a complete feature branch).
20:00:03 <mikeperry> or they picked a poor subject and I missed the mail..
20:00:29 <msvb-lab> mikeperry: Well I told them to encrypt it and he said he would, so you don't have so many of those do you?
20:00:50 <msvb-lab> Anyway what's the proper tbb-sec@ or tor-sec@ or address for exploit reporting?
20:01:14 <samgtr> atagar: okay sure, I will start working on the next test then
20:02:01 <rl1987> tor-assistants@ ?
20:02:01 <samgtr> atagar: that is the exit_used test
20:02:55 <msvb-lab> rl1987:...so send a preview to tor-assistants@ and then real code encrypted to whoever responds from tor-assistants@ right?
20:03:18 <mikeperry> hrmm.. yeah, I think we still lack a proper security list
20:03:44 <rl1987> msvb-lab: I'm not really in position to answer that, but it might be a good idea.
20:04:30 <rl1987> mikeperry: do you agree?
20:06:01 <mikeperry> yeah, probably the best option at the moment
20:06:10 <mikeperry> I still don't see this pgp mail, unless it was PGP inline
20:06:17 <mikeperry> and with a bad subject I can't search for
20:06:56 <mikeperry> when did this person appear?
20:07:14 <msvb-lab> Two days ago, and we chatted on IRC.
20:07:53 <msvb-lab> You'll find it if you search me around then. Whoops, might have been yesterday sorry.
20:09:22 <mikeperry> yeah, no mail that I can see. hrmm
20:09:29 <mikeperry> well, I think this meeting is over anyway
20:09:36 <mikeperry> thanks everyone!
20:09:42 <mikeperry> #endmeeting *baf*