#tor-dev log

18:00:20 <mikeperr1> #startmeeting tbb-dev
18:00:20 <MeetBot> Meeting started Mon Jun  1 18:00:20 2015 UTC.  The chair is mikeperr1. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:20 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
18:00:23 <hiddenEnemy> new coder looking to work on frent end stuff.. anyone here i can talk to?
18:02:11 <mikeperry> hiddenEnemy: we're about to start the tor browser developer meeting. I suppose you can watch and learn?
18:02:25 <hiddenEnemy> no probs
18:03:36 <GeKo> mikeperr1 started the meeting, we'll see if mikeperry can end it then ;)
18:03:37 <mikeperry> I will start by giving my status update from last week. Most of my time was spend working on non-TBB things (bw auths, Tor Labs, funding proposals). I did write up some initial ideas on exploit bounties
18:03:45 <mikeperry> heh, yeah
18:04:07 <GeKo> did you get my bounty mail?
18:04:46 <GeKo> I rather avoided sending it to all people as this felt a bit weird as I was not included in the conversation (no worries about that)
18:04:51 <mikeperry> This week will probably be another light week for me TBB-wise. Other than our status report, I will have to be in meetings Wednesday-Saturday. So if my input is likely to be needed this week, please try to get it soon
18:05:48 <mikeperry> strangely I don't see your mail, unless you changed the subject line?
18:06:05 <mikeperry> I saw your mail about HTTP/3. I am registered for the workshop successfully
18:07:01 <GeKo> good, yes I changed the subject to "Encrypted, srsly"
18:07:04 <mikeperry> that 8 minute timer thing was weird, but I think it is just an eventbrite payment portal thing, not the final end of ticket acceptance for the event
18:07:45 <GeKo> dunno, it felt weird and I was like "oh god, what should I do now..."
18:08:19 <mikeperry> no worries. I am sure it will be flexible still if we need to swap
18:10:41 <mikeperry> yeah, wrt the exploit bounties, the mail was a little unclear about how the Mozilla bounty would be handled. my thinking is that we would only allow people to double dip for item 5 on that list (the ASAN/Security Slider bugs). And I think yes, if you can pop ASAN and security slider, you should get more (up to 200%)
18:11:27 <mikeperry> breaking out of ASAN should be very, very difficult without Javascript. I want to give some extra incentive to discover if I'm right about that
18:11:38 <GeKo> yeah, fine by me
18:13:10 <GeKo> mikeperry: we might want to look at asn's ideas on his pad, like paying more if we have easier steps to reproduce etc.
18:13:40 <GeKo> https://etherpad.mozilla.org/GhGEnyUNLp
18:14:09 <mikeperry> yeah. he had some good ideas we should adopt. I saw them in the mail
18:14:10 * GeKo shuts up now
18:14:20 <mikeperry> oh, which I think you were still missing from
18:15:03 <GeKo> yes
18:15:04 <mikeperry> anyway, yeah, I'm also done with my sloppy status update. again, please try to flag me down before Wednesday if you need input this week
18:15:22 <mikeperry> otherwise it may end up waiting until next week
18:16:08 <mikeperry> which I think is when we'll tag for 5.0a1
18:16:22 <mikeperry> err, wait. what's this 38.0.5 business: https://wiki.mozilla.org/RapidRelease/Calendar#Future_branch_dates
18:16:57 <mikeperry> I don't see any build tags
18:17:19 <mikeperry> it looks like the schedule got bumped a bit too.. bleh
18:19:42 <mikeperry> well, that's a head scratcher. I see candidates on https://ftp.mozilla.org/pub/mozilla.org/firefox/candidates/ for 38.0.5, but not anything for 31esr.. I wonder what this also means for 38esr.. very odd
18:19:47 <GeKo> no ESR
18:20:19 <mcs> Yes, I think 38.0.5 (not ESR) is an "extra" non-ESR release.  Confusing.
18:20:39 <mcs> Maybe contracturally obligated (that's a guess)
18:21:03 <mikeperry> yeah, the whole schedule appears to have been changed for it
18:21:14 <GeKo> but we want to get a logjam fix out anyway, mike, right ;)
18:21:22 <GeKo> (we can talk about that later)
18:21:32 <mcs> https://www.mozilla.org/en-US/firefox/38.0.5beta/releasenotes/
18:24:16 <mikeperry> heh. that page is kind of sparse. I think this means that 5.0a1 might not be until June 30th, though who knows
18:24:36 <mikeperry> the bugzilla link is rather long, though
18:27:01 <mikeperry> ok, who wants to go next. we'll have to table deciding what to do about this until later
18:28:30 <n8fr8> just a quick note that amoghbl1 is making great progress on the Orfox work: https://dev.guardianproject.info/projects/orfox-private-browser/
18:28:42 <n8fr8> a few patches were causing problems, so we need to review them to see if they are necessary/applicable to the android env
18:28:47 <n8fr8> and rewrite them if so
18:29:08 * n8fr8 is on a train with sketchy internet
18:30:38 <GeKo> who is keeping track of all the additional things we need to patch/modify for android?
18:31:18 <amoghbl1> well, that would be me I guess GeKo
18:31:40 <GeKo> fine, do you have a list somewhere?
18:31:57 <amoghbl1> https://people.torproject.org/~amoghbl1/Orfox/tbb_patches/
18:32:14 <n8fr8> this is our official project tracker: https://dev.guardianproject.info/projects/orfox-private-browser/issues
18:32:24 <arthuredelstein> amoghbl1: In case it's useful, I'm working on a new branch now, here: https://github.com/arthuredelstein/tor-browser/tree/tb_GECKO380esr_2015050513_RELBRANCH+1
18:32:26 <n8fr8> so we are working on getting the problematic patches in there as tickets
18:32:47 <GeKo> no, no I was thinking about things we did not need to touch because they were not available in a desktop environment
18:32:48 <amoghbl1> check out the skip_list file for a report/list
18:33:25 <n8fr8> GeKo: these are the patches that make Firefox on Android crash (the "skip_list")
18:34:58 <GeKo> n8fr8: that's not what I mean
18:35:44 <GeKo> I mean features we don't care about in a desktop environment (and we thererfore did not patch nor filed bugs about) but that are available  on android
18:36:12 <GeKo> I guess there is a ton of these things
18:36:44 <mikeperry> IIRC, amoghbl1 found a bunch of Java-related issues. I am not sure where that mail went
18:37:00 <n8fr8> ah, sorry, right GeKo the other way around
18:37:22 <n8fr8> some of that is here: https://dev.guardianproject.info/projects/orfox-private-browser/wiki
18:37:30 <mikeperry> I also saw some issues during my FF31 networking review. RTSP could bypass proxies, IRRC. There was also some weird UDP keepalive stuff on the LAN
18:37:32 <n8fr8> https://dev.guardianproject.info/attachments/download/1580/firefox-for-android-layers.txt
18:37:58 <n8fr8> but we have more work to do on that layer, and it is a moving target as well
18:38:06 <GeKo> mikeperry: yeah, ike that + who knows waht wrt to fingerprinting
18:38:24 <n8fr8> at this point, our goal is not "Tor Browser for Android" it is "something better than Orweb"
18:38:33 <n8fr8> and "not based on ANdroid's broken WebView"
18:38:41 <GeKo> ah, okay, nevermind then :)
18:38:57 <GeKo> s/ike that/something like that/
18:39:23 <n8fr8> i mean, we are on that track, GeKo, for sure, but for now, just getting the TB patches mostly working, and the Android/Java layer properly proxying is our next big mielstone
18:39:37 <GeKo> cool
18:41:23 <GeKo> here is what I did last week:
18:42:23 <GeKo> I finished all the gitian bits for ESR 38, the tor-browser-bundle things for Mac still need to get tested finally and attached to the ticket
18:42:31 <GeKo> I backported a patch for #7256
18:42:46 <GeKo> err
18:42:52 <GeKo> #7561
18:43:23 <GeKo> I spent a surprising amount of time testing the fix for #16014
18:43:56 <GeKo> I started my review of undocumented Mozilla bugs which I'll finish this week
18:44:40 <GeKo> I filed some bugs for esr38 I found while testing bundles
18:45:12 <GeKo> I submitted a custom bundle to our test suite, so far I got no results back
18:45:27 <GeKo> boklm: how long is this supposed to take?
18:45:51 <GeKo> next week I plan to finish the remaining OS X gititan bits
18:46:26 <GeKo> I might play with switching to our clang-based cross-compiler for tor as well and add building it to our descriptor
18:46:35 <GeKo> then I'll finish the Mozilla bug review
18:47:01 <GeKo> and I start looking at the GMP/EME/Openh264 stuff that got introduced
18:47:14 <GeKo> that's it for now
18:47:47 <boklm> GeKo: for the 5.0a1-esr38-test build, a sha256sums.txt file (and signature) is missing in the directory
18:48:15 <GeKo> aha!
18:48:31 <GeKo> let me add that then
18:50:43 * arthuredelstein can go
18:50:54 <arthuredelstein> This past week I worked on #15196, primarily trying to finish rewriting the font-limiting patch. It's turned out to be quite tricky, but I'm hoping I can get it working this week.
18:51:19 <arthuredelstein> I also worked on some final touches to the patch at https://bugzilla.mozilla.org/show_bug.cgi?id=418986 and I think I should be able to post it soon.
18:51:44 <mikeperry> hrmm. the font limiting patch may need to be done a different way entirely anyway, eventually
18:52:03 <arthuredelstein> Yes, I was thinking about trying to tie it to first-party domain in any case
18:52:48 <mikeperry> mozilla had a bug with some ideas for preferring only a limited list of system fonts, which would be at a different layer than the CSS (and a more correct one). and then there's #13313
18:53:06 <mikeperry> either of these might be better uses of time than trying to get the CSS-based patch to work again
18:53:16 <arthuredelstein> Aha. I should look for that Mozilla patch.
18:53:31 <arthuredelstein> I figured #13313 is maybe the optimal solution, but a bigger project.
18:54:14 <GeKo> yes
18:54:36 <arthuredelstein> I'll look into both of those options and see what makes sense.
18:54:43 <mikeperry> https://bugzilla.mozilla.org/show_bug.cgi?id=1121643
18:55:04 <mikeperry> https://bugzilla.mozilla.org/show_bug.cgi?id=998844 is the support code that would hopefully make #13313 easier.. it landed in FF32 it looks like
18:55:07 <arthuredelstein> Thanks
18:55:45 <amoghbl1> arthuredelstein, the 72 patches listed there are infact your work, could you review the report I wrote for me?
18:57:19 <amoghbl1> s/work/branch
18:57:20 <arthuredelstein> amoghbl1: Not really my work -- I just rebased those patches. But happy to look at your report. Where is it?
18:57:34 <amoghbl1> https://people.torproject.org/~amoghbl1/Orfox/tbb_patches/skip_list
18:58:18 <amoghbl1> arthuredelstein ^
18:58:44 <arthuredelstein> Sure, I'll have a look.
18:59:04 * mcs can give a report
18:59:14 <arthuredelstein> Regarding #16200, this week I'll try to test if the various features of TorButton are working with the #15196 branch.
18:59:21 <arthuredelstein> And if there is time, I'd like to work on upstreaming more patches to Mozilla.
18:59:27 <arthuredelstein> Go ahead, mcs! :)
18:59:45 <mcs> Last week, Kathy and I spent a little time spot-checking some of the patches on Arthur's tb_GECKO380esr_2015050513_RELBRANCH+1 branch and we made some comments in #15196.
18:59:53 <mcs> We investigated some things GeKo found in his review and testing for #16014; we are still working on this.
18:59:59 <mcs> We filed #16236 as a spinoff of #16014.
19:00:06 <mcs> Finally, we only made a tiny amount of progress in reviewing the Firefox developer docs for the releases since Firefox 31 (#16090) but we plan to do more this week.
19:00:11 <mcs> We will also push our #15145 changes to a branch or maybe we should create a Tor Launcher maint-0.2.7 branch for the TB 4.5.x series.
19:00:21 <mcs> That's all for now.
19:03:04 * boklm can go next
19:03:16 <mikeperry> interesting. #16236 (and other registry pollution) are technically tbb-disk-leak bugs
19:03:32 <mcs> mikeperry: Right.
19:04:16 <boklm> Last week I continued splitting tor-browser-31.7.0esr-4.5-1 into topic branches and pushing them separately on Mozilla Try to see which one fail tests
19:04:20 <boklm> I started a tool to help merge / pull / push the branches and list Try results: https://lists.torproject.org/pipermail/tbb-dev/2015-June/000276.html
19:04:32 <boklm> This week I'm planning to do the topic branch splitting on Arthur's esr38 branch
19:04:39 <boklm> And implement the commands to push branches to Mozilla Try, and to rebase the patches to a new firefox version
19:04:49 <boklm> That's all for now.
19:05:47 <mikeperry> what are you writing your tool in, btw?
19:05:56 <boklm> it's in perl
19:05:58 <mikeperry> I think I might be sad at more perl.
19:06:00 <mikeperry> aw :/
19:06:51 <mikeperry> the update responses stuff is troublesome to get working on tpo machines, because it needs a bunch of sketch CPAN modules, and CPAN doesn't seem to authenticate anything
19:07:08 <boklm> hmm, there should be debian packages for those modules
19:07:32 <GeKo> there are, I only installed debian packages on my debian build machine
19:07:43 <boklm> so we shouldn't need to use CPAN directly
19:07:50 <mikeperry> yeah, there are. I don't have sudo on most of the tpo machines
19:07:59 <boklm> ah
19:09:54 <mikeperry> perl is also kinda gross generally.. hrmm
19:11:07 <mikeperry> I don't think its worth forcing you not to write it in perl, or rewrite what you have... but bleh.. I guess I should have asked last week
19:12:09 <TvdW> perl is an amazing language that saves a lot of developer time though ;)
19:12:21 <TvdW> worth putting up with the gross parts if it saves so much time
19:12:31 <GeKo> uh oh
19:12:37 * TvdW leaves again
19:14:37 <mikeperry> perl is pretty much technical debt by nature. it might be easy now, but it will be painful to update later. but, I supose this is till an experiment, and if the tool is mostly written already, I guess keep at it
19:14:55 <boklm> hmm, I don't think perl is gross, but maybe that's because I'm used to it.
19:14:55 <arthuredelstein> boklm: I had good luck with another git->hg tool. Just trying to find the name of it.
19:15:12 <GeKo> mikeperry: fwiw https://bugzilla.mozilla.org/show_bug.cgi?id=885777 + see the dependent bugs
19:15:22 <TvdW> mikeperry: as someone who does 40h of perl every week, I have to disagree :)
19:15:25 <GeKo> I am really happy about that momentum at Mozilla
19:15:45 <arthuredelstein> https://github.com/mozilla/moz-git-tools
19:15:49 <arthuredelstein> boklm: ^
19:16:08 <arthuredelstein> Might be worth a look as a basis for your tool
19:16:11 <boklm> arthuredelstein: ah yes, I have seen this
19:16:27 <arthuredelstein> A little tricky to set up, but then it worked very smoothly
19:16:46 <arthuredelstein> Namely `git push-to-try...`
19:19:56 <mikeperry> ok, anything else in the way of status updates?
19:20:05 <tjr> I don't have much to report on.  I tried building arthuredelstein's branch with GeKo's tb-builder branch.  got errors on the linux build in tbb
19:20:35 <tjr> Never the same one, but usually around Unified_cpp or layout or spellcheck
19:20:48 <tjr> not going to have time to fiddle with it this week; traveling
19:22:16 <arthuredelstein> tjr: So they were intermittent build errors?
19:22:27 <GeKo> if you need help debugging this let me know
19:22:40 <tjr> well, i never got a successfull build after... 6 or 7 tries.
19:23:28 <tjr> i saves 3 of the errors, i can mail them if that's useful.  can probably generate many more too :-p
19:23:33 <arthuredelstein> I wonder if you were running out of memory or disk space in the VM.
19:23:50 <tjr> I just didn't want to bug you with them, since it's not that important that i get it building right now.  i can wait
19:24:01 <arthuredelstein> tjr: Thanks, that would be useful.
19:25:13 <mikeperry> any other questions?
19:25:29 <GeKo> tjr: what arthuredelstein said your symptoms fit quite well here
19:26:14 <mikeperry> I will try to pop into mozilla's IRC channels and try to dig up more info about 38.0.5, though there might not be much I can do about a release this week :/
19:26:42 <GeKo> speaking of release
19:27:02 <GeKo> the logjam fix got backported to esr31 and I thought we could start building over the weekend
19:27:12 <GeKo> I can preparee everything for it
19:27:15 <mikeperry> ah, yes, I just saw that
19:27:33 <mikeperry> oddly no other fixes seem to have been backported from 38.0.5
19:27:41 <GeKo> then we could rlease next tuesday giving another three weeks to the next release
19:28:30 <GeKo> might be better than a 4 weeks/2 weeks schedule
19:28:46 <mikeperry> what do we want to do about the alpha channel in that case? keep them on 31esr?
19:29:33 <mikeperry> it seems a little early to push them onto 38
19:29:37 <GeKo> yes
19:29:53 <arthuredelstein> Yes, probably better to wait a bit longer
19:29:55 <GeKo> just a bunch of bugfixes
19:31:28 <arthuredelstein> GeKo: Shall I add your patch at #7561 to the ESR38 branch? Or do you think it needs additional review first?
19:32:08 <GeKo> arthuredelstein: you doing the review and adding it is fine :)
19:32:18 <mikeperry> GeKo: ok, I should be able to start a build during these meetings if it is ready to go
19:32:19 <arthuredelstein> OK, sounds good. :)
19:32:57 <mikeperry> (though gunner will be involved, so I may have to stare him down wrt the laptop rule if I try to do that at the wrong time)
19:33:13 <GeKo> lol
19:34:28 <mikeperry> ok, so I think we're set then. thanks, everyone!
19:34:37 <mikeperry> #endmeeting tbb-dev
19:34:42 <mikeperry> heh, nope
19:35:12 <mikeperr1> #endmeeting tbb-dev