#tor-dev log

19:01:06 <mikeperry> #startmeeting tbb-dev
19:01:06 <MeetBot> Meeting started Tue Feb 17 19:01:06 2015 UTC.  The chair is mikeperry. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:01:06 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
19:01:10 <nickm> patch workshop is gazumped!
19:01:14 <mikeperry> oops
19:01:19 <Yawning> haha
19:01:22 <arthuredelstein> hi all
19:01:25 <mikeperry> did I just roll in over the patch workshop?
19:01:32 <TvdW> yep :)
19:01:32 <nickm> yeah but don't worry, we love you
19:01:34 <mikeperry> we can wander off into a new channel
19:01:37 <nickm> or we can
19:01:40 <Yawning> it's fine I think
19:01:45 <mikeperry> but then meetbot won't log. were you using meetbot?
19:01:50 <Yawning> no
19:02:01 <Yawning> so we should move
19:02:11 <Yawning> unless we were done
19:02:32 <Yawning> (I need to be in both meetings I think so )
19:02:33 <rl1987> I think we're pretty much done, aren't we?
19:02:36 <Yawning> yah
19:03:53 <mikeperry> ok
19:04:06 <mikeperry> well, the tbb meeting shall commence then!
19:04:26 <Yawning> I have presents for y'all this week :P
19:04:43 * GeKo loves presents
19:05:14 <mikeperry> Last week, I did a bunch of work on the Torbutton menu and associated in-browser experience. I wrote patches for #8400, #9906, #9442, #14392, #14490, #14630, #14632, and #14849.
19:05:35 <mikeperry> I also reviewed and merged lot of patches, including #10280 and #12430.
19:05:48 <mikeperry> This week, we need to focus on getting everything ready for 4.5alpha4. Mozilla just tagged the latest ESR point release last night. I will be working on rebasing our patches for that today.
19:05:51 <nickm> Yawning: I think maybe if we watch, we will learn about something that we could do dsomething to help.
19:05:59 <mikeperry> We also have several tickets still in https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~TorBrowserTeam201502R that probably want to make it into 4.5alpha4, and some in there that maybe shouldn't. We should decide which is which.
19:06:51 <mikeperry> In terms of longer timespans, I think we should aim for stabilizing 4.5 soon. Probably by the next ESR point release, or shortly thereafter (once we have confidence in the new signed updater workflow and behavior)
19:07:24 <Yawning> mikeperry: I might have one or two more things for 4.5 beyond the patch I added, would that be bad?
19:07:30 <mikeperry> I suppose it may be rude to force people to switch to 4.5, so I think that means early/mid April
19:08:40 <mikeperry> Yawning: which patch did you add? anyway, as usual PT stuff can decide its own sub-component versioning for TBB
19:09:09 <mikeperry> I have a preference for PT things being latest-and-greatest anyway
19:09:35 <Yawning> #14919
19:09:41 <Yawning> today
19:09:48 <GeKo> for stabilizing 4.5: we should have #9387 ready by then which includes extra patches for disabling SVG and MathML
19:10:13 <GeKo> so, there is still a bunch of work involved in this regard
19:10:36 <MarkSmith> Do we need to patch Firefox for SVG and MathML disabling?
19:10:37 <mikeperry> I think I am more concerned about strings+UI for #9387
19:10:44 <mikeperry> but yes
19:10:52 <Yawning> it's relatively low risk unless I did something dumb in the new scramblesuit implementation
19:11:09 <Yawning> (fairly unlikely, the code is straight forward)
19:11:12 <GeKo> sure, strings+UI iare indeed more concerning
19:11:47 <GeKo> Yawning: the code looks good. I am aboubt to test things but am confident that the patch will make it into 4.5a4
19:11:52 <GeKo> *about
19:11:53 <mikeperry> MarkSmith: yes, we need patches for both. SVG is apparently extra tricky because we only want to disable it for content, and context is not always clear for that
19:11:53 <Yawning> beyond that I want to ship one alpha series with a goptlib patch
19:12:05 <Yawning> that uses socks5 instead of socks4
19:12:16 <Yawning> apparently psyphon has been using my branch randomly off github
19:12:21 <Yawning> so the code's fairly well tested
19:12:29 <Yawning> we just haven't merged it yet
19:12:30 <Yawning> heh
19:13:39 <Yawning> GeKo: lemmie know if anything blows up and I'll be happy to help
19:13:55 <MarkSmith> (OK; I found tickets #12827 and #13548)
19:14:37 <GeKo> sure and wrt to the goptlib patch: post a branch and we should be able to get it into the alpha after the next one.
19:14:42 <GeKo> Yawning: ^
19:14:46 <Yawning> GeKo: sure thing
19:15:19 <Yawning> is there a rough estimate for the cycle time between the next alpha releases? a4 ->a5?
19:15:33 <GeKo> 6 weeks
19:15:36 <Yawning> I'm tempted to revisit the "make flashproxy actually useable out of the box" idea we had
19:15:39 <Yawning> ok
19:15:46 <mikeperry> https://wiki.mozilla.org/RapidRelease/Calendar
19:16:01 <mikeperry> 4.5a5 will likely be end of march, it seems
19:16:41 <Yawning> is there anything tor browser relatied that concerns me that I don't know about?
19:16:50 <mikeperry> with 4.5-stable coming out soon after (in my ideal world). at which point, we should focus on getting all of the 4.5 stuff rebased onto FF38-beta and start fixing unit tests and getting stuff updated in bugzilla
19:16:57 <Yawning> people apparently like obfs4 from what I've heard
19:17:31 <GeKo> mikeperry: sounds good.
19:17:34 <Yawning> and no one's complained about obfs2/obfs3 implemntations being replaces with mine which kind of suprises me
19:18:53 <GeKo> ok. here is what I did:
19:19:46 <GeKo> I worked on #14919, #14221, got #13169 sorted out and looked at #14851 and reviewed #5698
19:20:47 <GeKo> this week I plan to finish the cookie patch revie, do release related work
19:21:08 <GeKo> and get back to working on windows signing and fixing security slider issues.
19:21:17 <GeKo> that's it for me.
19:23:18 * MarkSmith can give a report
19:23:26 <MarkSmith> This past week, Kathy and I developed a fix for #13271.
19:23:33 <MarkSmith> We also fixed #14336 in the same patch.
19:23:40 <MarkSmith> We did some research for #13375; comments are welcome there.
19:23:50 <MarkSmith> We also did several code reviews and did a little research for #14392 (which mikeperry fixed).
19:23:58 <MarkSmith> Finally, we have been working on #14631.  There are still a couple of issues to sort out,
19:24:04 <MarkSmith> and it will be a little messy, but we plan to follow mikeperry's advice
19:24:07 <MarkSmith> (create a Mozilla-acceptable patch and a separate patch that pulls in from Torbutton the new strings that are needed).
19:24:14 <MarkSmith> This week, we hope to finish #14631.
19:24:19 <MarkSmith> We will also stand by to help with any signed MAR files / updater issues that show up.
19:24:24 <MarkSmith> And we will spend some more time on code reviews.
19:24:30 <MarkSmith> That's all for us.
19:25:39 * boklm can go next
19:26:20 <boklm> So last week I added a test loading http://acid3.acidtests.org/ and checking that we get 100/100, and started looking at testing NoScript options (#13053)
19:26:29 <boklm> Today I updated the settings test to make it version aware, and make it work both for 4.0 and 4.5 versions (after GeKo mentioned this problem today): https://gitweb.torproject.org/boklm/tor-browser-bundle-testsuite.git/tree/mozmill-tests/tbb-tests/settings.js
19:26:42 <boklm> This week I'm planning to work on #13053
19:26:50 <boklm> that's all for me
19:27:43 * arthuredelstein can go next
19:27:55 <arthuredelstein> Last week I worked on #5698, #9442, #13670, #13882, #14555, #14866 and did a couple of code reviews. This week I'll continue to work on #5698, #13670, #14555. The following week I'll be mostly afk.
19:28:59 <arthuredelstein> That's it for me
19:29:59 <nickm> in case your algorithm for ginding stuff to solve doesn't match my algorithm for finding stuff for you to solve....
19:30:04 <nickm> #14555
19:30:05 <nickm> is
19:30:10 <nickm> ready for your attention again
19:30:52 <arthuredelstein> Yes, I'll hopefully have a new patch in a day or two
19:32:59 <GeKo> mikeperry: looking at the list: #14919 should make it into the alpha, #13882 as well, maybe #13717. not sure about #14838.
19:33:29 <GeKo> the other stuff is ither already in or needs a bit more thinking imo
19:33:34 <GeKo> *either
19:33:59 <GeKo> #13882 needs a reviewer. if nobody steps up I can do that tomorrows
19:34:06 <arthuredelstein> Do you think #5698 has a chance if I get it fixed today?
19:34:15 <GeKo> *tomorrow even
19:34:24 <GeKo> arthuredelstein: depends on you I guess ;)
19:34:37 <arthuredelstein> cool :)
19:35:31 <GeKo> so #5698 as well if we have a patch by tomorrow
19:37:41 <MarkSmith> Kathy and I will review #13882 today or tomorrow
19:38:16 <mikeperry> I think we also want #14203. probably even for 4.0.4
19:38:17 <GeKo> thanks
19:38:41 <GeKo> oh, this is up for review?
19:39:07 <mikeperry> yeah, it wasn't tagged. I just saw it
19:39:20 * MarkSmith Just reviewed and commented in #14203.  Looks like a good and safe fix.
19:39:22 <GeKo> nice, then yes
19:40:31 <GeKo> mikeperry: oh, and I think we should put a patch for #14851 both into 4.0.4 and 4.5a4.
19:40:44 <dcf11> What's the difference between TorBrowserTeam201502 and TorBrowserTeam201502R? I never know which one to tag.
19:40:47 <GeKo> your idea worked as far as I can see
19:41:02 <msvb-lab> dcf11: 'R' stands for 'ready for review.'
19:41:03 <Yawning> R for review?
19:41:16 <msvb-lab> Or release review.
19:41:17 <dcf11> So what does the non-R one mean?
19:41:49 <msvb-lab> dcf11: The date without R means target date.
19:41:58 <msvb-lab> But not necessarily 'Review-ready' yet.
19:42:11 <dcf11> Ohhh thanks.
19:42:24 <msvb-lab> dcf11: So many tickets have a date four months in the future, for example.
19:43:27 <mikeperry> https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking#TracKeywords
19:43:32 <Yawning> (dcf11: off topic to this tor brwoser stuff, do you want a patch to meek-client that enables proxy support for socks 4/5? It'd use go.net)
19:46:29 <mikeperry> ok, is there anything else for TBB?
19:47:35 <mikeperry> if you're going to review a ticket, remember to tag it with your name+month. we should probably get a second pair of eyes on any C++ patches, too
19:48:35 <mikeperry> oh, this is also going to be fun for us FYI: https://blog.mozilla.org/addons/2015/02/10/extension-signing-safer-experience/. but I guess we can just add in our own key into our builds for that
19:48:55 <mikeperry> (yay, more key material to juggle during releasing :/)
19:48:56 <GeKo> indeed
19:49:13 <MarkSmith> Annoying for developers but safer for users I am sure.
19:51:15 <mikeperry> I have an inherent distrust of app stores. I think the developer should still be in exclusive control of at least one of the signing keys
19:51:40 <GeKo> +1
19:51:51 <MarkSmith> Well, I guess I should say "Mozilla assures us it will be better for users."
19:52:16 <mikeperry> there's also censorship concerns, which the EFF is worried about
19:52:29 <mikeperry> (in addition to losing control of the HTTPS-Everywhere signing key)
19:52:39 <MarkSmith> Censorship is a good point.  Definitely less s/w freedom with centrally controlled distribution.
19:54:09 <GeKo> I wonder whether we just should patch that feature out especially if we ship all extensions via our updater ourselves
19:55:26 <MarkSmith> I think nightly builds / Aurora won't check signatures, right?  So there should be a way to disable it.
19:55:35 <GeKo> yes
19:55:36 <MarkSmith> (without too much hassle for us)
19:55:37 <mikeperry> I think I want users to still be able to install addons in TBB from AMO if they wish (though I have been debating warning users who navigate to the addons store page that Firefox addons may not always be safe for Tor Browser)
19:56:14 <arthuredelstein> A warning seems like a very good idea.
19:56:22 <GeKo> yes, I was primarily concerned about the extensions we ship and the hassle that brings for us
19:56:32 <MarkSmith> Or warn before install of any add-on?
19:56:33 <GeKo> + loosing the full control
19:56:44 <arthuredelstein> MarkSmith: +1
19:56:52 <GeKo> so, we could implement a whitelist or something
19:59:12 <mikeperry> I think blanket warn. I am not sure I want to get in the business of auditing secondary addons just yet, esp given fingerprinting concerns
19:59:24 <mikeperry> (for a whitelist)
19:59:47 <MarkSmith> Someone should file a ticket ;)
20:00:55 <msvb-lab> There is some form of extension warning already of 'unkown location' and thus already a condition where a blanket could be hard coded.
20:01:03 <mikeperry> ok, I will do so
20:01:54 <GeKo> not sure what you mean with fingerprinting concerns here but what I have in mind is e.g. a whitelist for Torbutton and Tor Launcher to be installable without having to put them through AMO
20:01:57 <msvb-lab> Is there evidence or statistics that indicate users are installing extensions?
20:02:49 <GeKo> I don't want to have some AMO reviewer being able to decline an update to these extensions for $reasons
20:05:01 <mikeperry> ok, #14924
20:06:34 <mikeperry> ok, I think that should be it for today then?
20:08:03 <mikeperry> #endmeeting *baf*