18:00:20 #startmeeting tbb-dev 18:00:20 Meeting started Mon Jun 1 18:00:20 2015 UTC. The chair is mikeperr1. Information about MeetBot at http://wiki.debian.org/MeetBot. 18:00:20 Useful Commands: #action #agreed #help #info #idea #link #topic. 18:00:23 new coder looking to work on frent end stuff.. anyone here i can talk to? 18:02:11 hiddenEnemy: we're about to start the tor browser developer meeting. I suppose you can watch and learn? 18:02:25 no probs 18:03:36 mikeperr1 started the meeting, we'll see if mikeperry can end it then ;) 18:03:37 I will start by giving my status update from last week. Most of my time was spend working on non-TBB things (bw auths, Tor Labs, funding proposals). I did write up some initial ideas on exploit bounties 18:03:45 heh, yeah 18:04:07 did you get my bounty mail? 18:04:46 I rather avoided sending it to all people as this felt a bit weird as I was not included in the conversation (no worries about that) 18:04:51 This week will probably be another light week for me TBB-wise. Other than our status report, I will have to be in meetings Wednesday-Saturday. So if my input is likely to be needed this week, please try to get it soon 18:05:48 strangely I don't see your mail, unless you changed the subject line? 18:06:05 I saw your mail about HTTP/3. I am registered for the workshop successfully 18:07:01 good, yes I changed the subject to "Encrypted, srsly" 18:07:04 that 8 minute timer thing was weird, but I think it is just an eventbrite payment portal thing, not the final end of ticket acceptance for the event 18:07:45 dunno, it felt weird and I was like "oh god, what should I do now..." 18:08:19 no worries. I am sure it will be flexible still if we need to swap 18:10:41 yeah, wrt the exploit bounties, the mail was a little unclear about how the Mozilla bounty would be handled. my thinking is that we would only allow people to double dip for item 5 on that list (the ASAN/Security Slider bugs). And I think yes, if you can pop ASAN and security slider, you should get more (up to 200%) 18:11:27 breaking out of ASAN should be very, very difficult without Javascript. I want to give some extra incentive to discover if I'm right about that 18:11:38 yeah, fine by me 18:13:10 mikeperry: we might want to look at asn's ideas on his pad, like paying more if we have easier steps to reproduce etc. 18:13:40 https://etherpad.mozilla.org/GhGEnyUNLp 18:14:09 yeah. he had some good ideas we should adopt. I saw them in the mail 18:14:10 * GeKo shuts up now 18:14:20 oh, which I think you were still missing from 18:15:03 yes 18:15:04 anyway, yeah, I'm also done with my sloppy status update. again, please try to flag me down before Wednesday if you need input this week 18:15:22 otherwise it may end up waiting until next week 18:16:08 which I think is when we'll tag for 5.0a1 18:16:22 err, wait. what's this 38.0.5 business: https://wiki.mozilla.org/RapidRelease/Calendar#Future_branch_dates 18:16:57 I don't see any build tags 18:17:19 it looks like the schedule got bumped a bit too.. bleh 18:19:42 well, that's a head scratcher. I see candidates on https://ftp.mozilla.org/pub/mozilla.org/firefox/candidates/ for 38.0.5, but not anything for 31esr.. I wonder what this also means for 38esr.. very odd 18:19:47 no ESR 18:20:19 Yes, I think 38.0.5 (not ESR) is an "extra" non-ESR release. Confusing. 18:20:39 Maybe contracturally obligated (that's a guess) 18:21:03 yeah, the whole schedule appears to have been changed for it 18:21:14 but we want to get a logjam fix out anyway, mike, right ;) 18:21:22 (we can talk about that later) 18:21:32 https://www.mozilla.org/en-US/firefox/38.0.5beta/releasenotes/ 18:24:16 heh. that page is kind of sparse. I think this means that 5.0a1 might not be until June 30th, though who knows 18:24:36 the bugzilla link is rather long, though 18:27:01 ok, who wants to go next. we'll have to table deciding what to do about this until later 18:28:30 just a quick note that amoghbl1 is making great progress on the Orfox work: https://dev.guardianproject.info/projects/orfox-private-browser/ 18:28:42 a few patches were causing problems, so we need to review them to see if they are necessary/applicable to the android env 18:28:47 and rewrite them if so 18:29:08 * n8fr8 is on a train with sketchy internet 18:30:38 who is keeping track of all the additional things we need to patch/modify for android? 18:31:18 well, that would be me I guess GeKo 18:31:40 fine, do you have a list somewhere? 18:31:57 https://people.torproject.org/~amoghbl1/Orfox/tbb_patches/ 18:32:14 this is our official project tracker: https://dev.guardianproject.info/projects/orfox-private-browser/issues 18:32:24 amoghbl1: In case it's useful, I'm working on a new branch now, here: https://github.com/arthuredelstein/tor-browser/tree/tb_GECKO380esr_2015050513_RELBRANCH+1 18:32:26 so we are working on getting the problematic patches in there as tickets 18:32:47 no, no I was thinking about things we did not need to touch because they were not available in a desktop environment 18:32:48 check out the skip_list file for a report/list 18:33:25 GeKo: these are the patches that make Firefox on Android crash (the "skip_list") 18:34:58 n8fr8: that's not what I mean 18:35:44 I mean features we don't care about in a desktop environment (and we thererfore did not patch nor filed bugs about) but that are available on android 18:36:12 I guess there is a ton of these things 18:36:44 IIRC, amoghbl1 found a bunch of Java-related issues. I am not sure where that mail went 18:37:00 ah, sorry, right GeKo the other way around 18:37:22 some of that is here: https://dev.guardianproject.info/projects/orfox-private-browser/wiki 18:37:30 I also saw some issues during my FF31 networking review. RTSP could bypass proxies, IRRC. There was also some weird UDP keepalive stuff on the LAN 18:37:32 https://dev.guardianproject.info/attachments/download/1580/firefox-for-android-layers.txt 18:37:58 but we have more work to do on that layer, and it is a moving target as well 18:38:06 mikeperry: yeah, ike that + who knows waht wrt to fingerprinting 18:38:24 at this point, our goal is not "Tor Browser for Android" it is "something better than Orweb" 18:38:33 and "not based on ANdroid's broken WebView" 18:38:41 ah, okay, nevermind then :) 18:38:57 s/ike that/something like that/ 18:39:23 i mean, we are on that track, GeKo, for sure, but for now, just getting the TB patches mostly working, and the Android/Java layer properly proxying is our next big mielstone 18:39:37 cool 18:41:23 here is what I did last week: 18:42:23 I finished all the gitian bits for ESR 38, the tor-browser-bundle things for Mac still need to get tested finally and attached to the ticket 18:42:31 I backported a patch for #7256 18:42:46 err 18:42:52 #7561 18:43:23 I spent a surprising amount of time testing the fix for #16014 18:43:56 I started my review of undocumented Mozilla bugs which I'll finish this week 18:44:40 I filed some bugs for esr38 I found while testing bundles 18:45:12 I submitted a custom bundle to our test suite, so far I got no results back 18:45:27 boklm: how long is this supposed to take? 18:45:51 next week I plan to finish the remaining OS X gititan bits 18:46:26 I might play with switching to our clang-based cross-compiler for tor as well and add building it to our descriptor 18:46:35 then I'll finish the Mozilla bug review 18:47:01 and I start looking at the GMP/EME/Openh264 stuff that got introduced 18:47:14 that's it for now 18:47:47 GeKo: for the 5.0a1-esr38-test build, a sha256sums.txt file (and signature) is missing in the directory 18:48:15 aha! 18:48:31 let me add that then 18:50:43 * arthuredelstein can go 18:50:54 This past week I worked on #15196, primarily trying to finish rewriting the font-limiting patch. It's turned out to be quite tricky, but I'm hoping I can get it working this week. 18:51:19 I also worked on some final touches to the patch at https://bugzilla.mozilla.org/show_bug.cgi?id=418986 and I think I should be able to post it soon. 18:51:44 hrmm. the font limiting patch may need to be done a different way entirely anyway, eventually 18:52:03 Yes, I was thinking about trying to tie it to first-party domain in any case 18:52:48 mozilla had a bug with some ideas for preferring only a limited list of system fonts, which would be at a different layer than the CSS (and a more correct one). and then there's #13313 18:53:06 either of these might be better uses of time than trying to get the CSS-based patch to work again 18:53:16 Aha. I should look for that Mozilla patch. 18:53:31 I figured #13313 is maybe the optimal solution, but a bigger project. 18:54:14 yes 18:54:36 I'll look into both of those options and see what makes sense. 18:54:43 https://bugzilla.mozilla.org/show_bug.cgi?id=1121643 18:55:04 https://bugzilla.mozilla.org/show_bug.cgi?id=998844 is the support code that would hopefully make #13313 easier.. it landed in FF32 it looks like 18:55:07 Thanks 18:55:45 arthuredelstein, the 72 patches listed there are infact your work, could you review the report I wrote for me? 18:57:19 s/work/branch 18:57:20 amoghbl1: Not really my work -- I just rebased those patches. But happy to look at your report. Where is it? 18:57:34 https://people.torproject.org/~amoghbl1/Orfox/tbb_patches/skip_list 18:58:18 arthuredelstein ^ 18:58:44 Sure, I'll have a look. 18:59:04 * mcs can give a report 18:59:14 Regarding #16200, this week I'll try to test if the various features of TorButton are working with the #15196 branch. 18:59:21 And if there is time, I'd like to work on upstreaming more patches to Mozilla. 18:59:27 Go ahead, mcs! :) 18:59:45 Last week, Kathy and I spent a little time spot-checking some of the patches on Arthur's tb_GECKO380esr_2015050513_RELBRANCH+1 branch and we made some comments in #15196. 18:59:53 We investigated some things GeKo found in his review and testing for #16014; we are still working on this. 18:59:59 We filed #16236 as a spinoff of #16014. 19:00:06 Finally, we only made a tiny amount of progress in reviewing the Firefox developer docs for the releases since Firefox 31 (#16090) but we plan to do more this week. 19:00:11 We will also push our #15145 changes to a branch or maybe we should create a Tor Launcher maint-0.2.7 branch for the TB 4.5.x series. 19:00:21 That's all for now. 19:03:04 * boklm can go next 19:03:16 interesting. #16236 (and other registry pollution) are technically tbb-disk-leak bugs 19:03:32 mikeperry: Right. 19:04:16 Last week I continued splitting tor-browser-31.7.0esr-4.5-1 into topic branches and pushing them separately on Mozilla Try to see which one fail tests 19:04:20 I started a tool to help merge / pull / push the branches and list Try results: https://lists.torproject.org/pipermail/tbb-dev/2015-June/000276.html 19:04:32 This week I'm planning to do the topic branch splitting on Arthur's esr38 branch 19:04:39 And implement the commands to push branches to Mozilla Try, and to rebase the patches to a new firefox version 19:04:49 That's all for now. 19:05:47 what are you writing your tool in, btw? 19:05:56 it's in perl 19:05:58 I think I might be sad at more perl. 19:06:00 aw :/ 19:06:51 the update responses stuff is troublesome to get working on tpo machines, because it needs a bunch of sketch CPAN modules, and CPAN doesn't seem to authenticate anything 19:07:08 hmm, there should be debian packages for those modules 19:07:32 there are, I only installed debian packages on my debian build machine 19:07:43 so we shouldn't need to use CPAN directly 19:07:50 yeah, there are. I don't have sudo on most of the tpo machines 19:07:59 ah 19:09:54 perl is also kinda gross generally.. hrmm 19:11:07 I don't think its worth forcing you not to write it in perl, or rewrite what you have... but bleh.. I guess I should have asked last week 19:12:09 perl is an amazing language that saves a lot of developer time though ;) 19:12:21 worth putting up with the gross parts if it saves so much time 19:12:31 uh oh 19:12:37 * TvdW leaves again 19:14:37 perl is pretty much technical debt by nature. it might be easy now, but it will be painful to update later. but, I supose this is till an experiment, and if the tool is mostly written already, I guess keep at it 19:14:55 hmm, I don't think perl is gross, but maybe that's because I'm used to it. 19:14:55 boklm: I had good luck with another git->hg tool. Just trying to find the name of it. 19:15:12 mikeperry: fwiw https://bugzilla.mozilla.org/show_bug.cgi?id=885777 + see the dependent bugs 19:15:22 mikeperry: as someone who does 40h of perl every week, I have to disagree :) 19:15:25 I am really happy about that momentum at Mozilla 19:15:45 https://github.com/mozilla/moz-git-tools 19:15:49 boklm: ^ 19:16:08 Might be worth a look as a basis for your tool 19:16:11 arthuredelstein: ah yes, I have seen this 19:16:27 A little tricky to set up, but then it worked very smoothly 19:16:46 Namely `git push-to-try...` 19:19:56 ok, anything else in the way of status updates? 19:20:05 I don't have much to report on. I tried building arthuredelstein's branch with GeKo's tb-builder branch. got errors on the linux build in tbb 19:20:35 Never the same one, but usually around Unified_cpp or layout or spellcheck 19:20:48 not going to have time to fiddle with it this week; traveling 19:22:16 tjr: So they were intermittent build errors? 19:22:27 if you need help debugging this let me know 19:22:40 well, i never got a successfull build after... 6 or 7 tries. 19:23:28 i saves 3 of the errors, i can mail them if that's useful. can probably generate many more too :-p 19:23:33 I wonder if you were running out of memory or disk space in the VM. 19:23:50 I just didn't want to bug you with them, since it's not that important that i get it building right now. i can wait 19:24:01 tjr: Thanks, that would be useful. 19:25:13 any other questions? 19:25:29 tjr: what arthuredelstein said your symptoms fit quite well here 19:26:14 I will try to pop into mozilla's IRC channels and try to dig up more info about 38.0.5, though there might not be much I can do about a release this week :/ 19:26:42 speaking of release 19:27:02 the logjam fix got backported to esr31 and I thought we could start building over the weekend 19:27:12 I can preparee everything for it 19:27:15 ah, yes, I just saw that 19:27:33 oddly no other fixes seem to have been backported from 38.0.5 19:27:41 then we could rlease next tuesday giving another three weeks to the next release 19:28:30 might be better than a 4 weeks/2 weeks schedule 19:28:46 what do we want to do about the alpha channel in that case? keep them on 31esr? 19:29:33 it seems a little early to push them onto 38 19:29:37 yes 19:29:53 Yes, probably better to wait a bit longer 19:29:55 just a bunch of bugfixes 19:31:28 GeKo: Shall I add your patch at #7561 to the ESR38 branch? Or do you think it needs additional review first? 19:32:08 arthuredelstein: you doing the review and adding it is fine :) 19:32:18 GeKo: ok, I should be able to start a build during these meetings if it is ready to go 19:32:19 OK, sounds good. :) 19:32:57 (though gunner will be involved, so I may have to stare him down wrt the laptop rule if I try to do that at the wrong time) 19:33:13 lol 19:34:28 ok, so I think we're set then. thanks, everyone! 19:34:37 #endmeeting tbb-dev 19:34:42 heh, nope 19:35:12 #endmeeting tbb-dev