18:02:07 <mikeperry> #startmeeting app-dev
18:02:07 <MeetBot> Meeting started Mon Aug 17 18:02:07 2015 UTC.  The chair is mikeperry. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:02:07 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
18:02:54 <mikeperry> ok, let's get started
18:03:07 <mikeperry> Last week, I helped get 5.0 out the door, and then got a crash report from tjr that turned out to be #16771. I helped diagnose that crash, and once we confirmed the rest of the code was behaving properly, I decided to start a build for 5.0.1.
18:03:19 <mikeperry> This week, I'll be helping release 5.0.1, and then I think I might spend some time working on some patches to core-tor, and maybe a tiny patch from https://trac.torproject.org/projects/tor/query?keywords=~tbb-5.0&status=!closed.
18:03:32 <mikeperry> We might end up having to do another release, 5.0.2, for issues outside of our control next week, so if you're planning on fixing any tbb-5.0 tickets, try to have them in early this week. The excitement never ends!
18:04:34 <mikeperry> If you're looking for things to do for post-5.0, we do have the roadmap up: https://trac.torproject.org/projects/tor/wiki/org/roadmaps/TorBrowser. Those months for those tasks are the target completion dates, not the start dates.  If stuff ever calms down, I will try to figure out a higher-resolution schedule, and/or a per-person menu if it is wanted/helpful.
18:04:55 <mikeperry> that's it for me.
18:05:54 * amoghbl1 here about Orfox
18:06:01 <amoghbl1> I'll go
18:06:38 <amoghbl1> I've been looking into porting torbutton to android, haven't worked with plugins before so it's a little slow
18:07:10 <GeKo> mikeperry: we should figure out a higher resolution schedule or something at the dev meeting as i assume things won't calm down considerably before it
18:08:15 <amoghbl1> n8fr8 should be uploading a beta sometime soon
18:08:38 <amoghbl1> to the play store that is...
18:08:58 <amoghbl1> I've been on holiday for most part of last week, so that's it from me!
18:09:43 <mikeperry> amoghbl1: ok. I sent your patches to Patrick McManus, but haven't heard back yet
18:09:57 <mikeperry> the java network ones
18:10:10 <amoghbl1> that's great mikeperry thanks
18:10:36 <amoghbl1> I think I need to update those and centralize it though... Haven't looked into that in a while
18:11:29 <mikeperry> ok, if you do that, please ping me, and I'll ping him again
18:12:22 <mikeperry> oh, and actually, can you maybe annotate your section of https://gitweb.torproject.org/tor-browser-spec.git/tree/audits/FF38_NETWORK_AUDIT with what you had to fix, in addition to what was OK in the first place?
18:12:39 <amoghbl1> ok, will do
18:12:48 <mikeperry> or if just one fix handled several things (like passing in a proxy object into the java code), noting that would be helpful
18:14:33 <mikeperry> ok, who wants to go next?
18:14:47 * ilv can go next
18:15:06 <ilv> Last week I worked on xmpp bot for gettor (still in progress, though). I also did some work (again) on gettor body of the email autoresponder in order to make it simpler.
18:15:25 <ilv> Today I'll send my 3rd status report for sop (midterm). During the week I'll finish remaining stuff on the xmpp bot and start working on the twitter bot. I'll also take a look at what boklm commented on #16551
18:15:46 <ilv> that's it for me
18:16:45 <mikeperry> ilv: cool. I think last week you asked about the RecommendedVersions file, but we didn't have a good answer for you. we should maybe discuss that at the end or after the meeting
18:17:28 <mikeperry> ilv: when does your sop term end, btw?
18:17:51 <ilv> sure, sounds great
18:18:10 <ilv> it ends by october 13th
18:18:32 <ilv> i'm on the "winter schedule"
18:19:03 * mrphs is trying to keep him around for more than that, but paperwork takes forever... :(
18:19:20 <GeKo> here is what i did:
18:19:26 <GeKo> pre-, post- and pre-release work
18:19:40 <GeKo> investigated #16729
18:19:40 <GeKo> wrote patches for #16727 and #12240
18:19:40 <GeKo> helped with the UX proposal
18:20:21 <GeKo> this week i still need to file bugs that popped up in the comments
18:20:43 <GeKo> thanks for #16842, mcs, that was one of them
18:21:09 <mcs> GeKo: no problem
18:21:39 <GeKo> then i hope to get back on track for the automated windows signing on a linux box
18:21:53 <Yawning> ;_;
18:22:15 <GeKo> no more plans at the moment, there will surely be enough surprises this week...
18:22:21 <GeKo> that's it for now
18:23:54 * mcs can go next
18:24:01 <mcs> Last week, Kathy and I posted patches for #13512, #16778, and #16797.
18:24:13 <mcs> We did some work on #16753 but do not have a nice fix yet.
18:24:20 <mcs> We completed another code review for Mozilla #232227 (System colors for form elements used when browser.display.use_system_colors is set to false).
18:24:34 <mcs> We also completed some Tor Browser code reviews (#16727, #16771) and triaged assorted TB 5.0 bugs.
18:24:48 <mcs> This week we plan to fix #16842 and then work on additional tbb-5.0-regression tickets (https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~tbb-5.0-regression)
18:24:57 <mcs> If we have more time we will work on #16753 (which affects the TB 5.5 alpha series).
18:25:03 <mcs> That's all for us.
18:28:18 * boklm can go next
18:28:35 <boklm> I added a test page to enumerate dom objects in Worker threads for #16758 and posted the diff between 4.5.3 and 5.0
18:28:38 <boklm> I have been building 5.0.1-build1 today and it is matching
18:28:50 <boklm> This week I will add a SharedWorker test for #16758, look at #16551, synchronise my split branch repo and push it to Try
18:28:59 <boklm> that's all for me
18:29:30 <mikeperry> boklm: yay, thanks for building
18:30:20 <mikeperry> your split branch repo is also on the pile of "things to look into if the weekly release maelstrom ever dies down"
18:30:35 <arlolra> boklm: any chance you can help sukhe with 32bit builds. I think he's stuck there
18:32:17 <boklm> arlolra: I will try to look at it this week
18:32:34 <arlolra> thanks
18:33:57 <mikeperry> do we have an arthuredelstein? or arlolra, if you want to give a brief standup status, that is also fine
18:34:26 <GeKo> arthuredelstein should be on vacation
18:35:29 <mikeperry> ah, right. 17-24? i forgot about that
18:36:02 <GeKo> yes
18:36:33 <arlolra> not much to report on my end, besides being blocked on those 32bit builds. it's looking good that i'll be starting on the webrtc pt soon
18:38:42 <mikeperry> arlolra: is this for the final alpha tor messenger builds?
18:38:58 <mikeperry> arlolra: are you guys planning on announcing them wider than tor-dev?
18:39:57 <arlolra> we're planning on putting up this blog post asap https://etherpad.wikimedia.org/p/tor-messenger-blog
18:40:57 <mikeperry> GeKo: in #15493, you noted you might have a fix to eliminate a lot of the race conditions, but you also mentioned needing more logs. If you don't have time to prepare a fix, maybe update the bug with more details about what race conditions you are aware of?
18:41:28 <arlolra> we were pretty set to go on that, but gecko 42 requires gtk+ 3 and that's causing some issues with our build env
18:42:35 <GeKo> mikeperry: yeah, sounds good. i think getting at least a partial fix into the next alpha might be worthwhile
18:43:27 <mikeperry> arlolra: is InstantBird following RapidRelease instead of ESR for some reason?
18:43:52 * GeKo had the same qustion
18:43:55 <GeKo> *question
18:44:08 <arlolra> there is a reason
18:44:24 <mikeperry> Thunderbird follows ESR. seems weird instantbird doesn't
18:44:52 <arlolra> instantbird has been slow in making releases. their next one will match thunderbird
18:45:32 <mikeperry> mcs: since arthuredelstein is on vacation, can you maybe look into #16781? I think that might be our second most user-annoying regression in 5.0 (at least from https://trac.torproject.org/projects/tor/query?keywords=~tbb-5.0&status=!closed&order=priority.. I suppose GeKo still needs to file more tickets from the blog)
18:45:52 <mcs> mikeperry: yes, we will take a look.
18:46:01 <arlolra> there's also a bunch of patches that would need to be uplifted in order for otr to work. those landed after the latest esr
18:46:27 <arlolra> so, yes, we do plan to follow esr in the future, as it catches up
18:47:14 <mikeperry> ok
18:48:47 <mikeperry> any other status updates or questions from anyone else?
18:49:15 <Yawning> yeah
18:50:16 <Yawning> that localization thing?
18:50:22 <Yawning> was supposed to remind y'all cuz of release madness
18:50:41 <Yawning> (also I'd like to look over the ja_JP locale, do I need to do something special to see out transifex stuff?)
18:50:44 <mikeperry> the release madness hasn't stopped. we have *two* more coming in the next week-ish :(
18:51:07 <Yawning> urgh
18:51:35 <Yawning> is this something I should be able to do?
18:51:51 <Yawning> we're just going to kludge OSX ja_JP right?
18:51:59 <GeKo> yeah, releasing every two weeks is boring let's do it every week
18:53:13 <arlolra> ha
18:53:30 <Yawning> if I offered bribes of alcohol at the dev meeting or whatever
18:53:41 <Yawning> or a cat ear headband to whoever implements it
18:53:50 <mikeperry> yeah, should just be some shell in fetch-inputs.sh
18:54:00 <Yawning> aight
18:54:01 <mikeperry> the for i in $BUNDLE_LOCALES
18:54:04 <Yawning> I'll look at it
18:54:05 <mikeperry> loop
18:54:29 <mikeperry> it just needs a special case to handle the mac langpack xpi
18:54:40 <Yawning> ok
18:54:56 <Yawning> someone should double check the translation to make sure it's sane
18:55:03 <mikeperry> https://ftp.mozilla.org/pub/mozilla.org/firefox/candidates/38.2.0esr-candidates/build2/mac/
18:55:10 <Yawning> I guess that someone would be me, since I'm the only one that uh
18:55:13 <mikeperry> for some reason it has an extra -mac on the end :/
18:55:18 <mcs> Mozilla's translation or ours (e.g., Torbutton, etc.)
18:55:18 <Yawning> does moonspeak
18:55:21 <mcs> ?
18:55:23 <Yawning> ours
18:55:30 <Yawning> I assume mozilla's stuff is fine
18:55:48 <atagar> nickm: just spotted the ed additions to the specs - thanks!
18:55:57 <mcs> You should be able to look at the trsnslations.git repo (assuming you can figure out which files are relevant)
18:56:13 * atagar plans to give it a read and add stem support this weekend
18:56:20 <mcs> ummm.  make that translations.git
18:56:39 <Yawning> aight thanks
18:57:00 <mcs> https://gitweb.torproject.org/translation.git/
18:57:18 <Yawning> the only difference is just the name right?
18:57:27 <mcs> not that the branches that begin with abouttor are used in Torbutton
18:57:32 <Yawning> I don't need to convert the locale to some fucked up mac only char encoding or whatever right?
18:57:32 <mcs> note that...
18:57:57 <mcs> I think Mozilla uses UTF-8 for everything, don't they?
18:57:58 <Yawning> (UTF-8 and not like... EUC or Shit-JIS)
18:58:02 <Yawning> I dunno
18:58:11 <GeKo> UTF-8 i think, yes
18:58:47 <mcs> Oh, and if you want to make changes to the translations I am afraid you need to deal with Transifex
18:59:31 <mikeperry> (err https://ftp.mozilla.org/pub/mozilla.org/firefox/candidates/38.2.0esr-candidates/build2/mac/xpi/ for mac xpis for the current release)
18:59:31 <mrphs> you can either do it on their platform, or download the strings, edit them and upload them back to transifex
18:59:55 <Yawning> ;_;
19:00:03 <Yawning> it might just be ok
19:00:08 <Yawning> I'll see how good it is
19:00:23 <Yawning> the bridgedb japanese locale is like... horribad
19:01:50 <Yawning> ok I think I know how to proceed sorry for bugging y'all
19:02:33 <mikeperry> ok, GeKo, how are we on 5.0.1?
19:02:56 <mikeperry> it appears to be in the process of uploading to https://people.torproject.org/~gk/builds/5.0.1/?
19:03:09 <GeKo> you can release it today, i am rsyncing the signed stuff
19:03:56 <GeKo> then i'll do a bit of testing and then i'll ping you when it is ready from my point of view
19:04:48 <mikeperry> ok
19:06:09 <isis> Yawning: but… it has "おっとスパゲッティ!" for "Uh oh, spaghettios!"
19:06:18 <mikeperry> ilv: do you remember the ticket for improving the RecommendedTBBVersions file? I seem to have lost it
19:06:33 <ilv> yeah, #16551
19:06:55 <ilv> i'll try to summarize the discussion:
19:07:09 <ilv> so, the thing is I was wondering if it is possible to have a json file, alternative to recommendedtbbversions, that could supply some more information, like direct download links for latest tor browser, and have a more friendly format to be used by other apps.
19:07:22 <ilv> with that in mind I was wondering how is recommendedtbbversion generated, so maybe we could have an extra script that could be run every time recommendedtbbversions is generated. (I did something here https://gist.github.com/ilv/c8303107878a1417f370)
19:07:45 <ilv> I still haven't looked at the script mentioned by boklm, but I think it could be used to do that. The idea would be to create a new json file, since the url mentioned there are kinda complicated (e.g. https://dist.torproject.org/torbrowser/update_2/release/Linux_x86_64-gcc3/x/en-US)
19:08:09 <ilv> So, If no ones disagrees with this, I think I'm in the right direction. If not, please tell me :)
19:08:21 <ilv> no one*
19:08:34 <GeKo> recommendedtbbversions is edited manually
19:08:39 <mikeperry> RecommendedTBBVersions is hand-generated
19:09:12 <ilv> ok, that was what I thought
19:09:32 <ilv> but, directly? or via git or something?
19:09:37 <mikeperry> is there a reason why that XML is not sufficient? I am a bit wary of needing to have yet one more version file to keep in sync
19:09:59 <Yawning> (how do I get unit test output from jenkins if it fails?)
19:10:02 <mikeperry> https://dist.torproject.org/torbrowser/update_2/release/Linux_x86_64-gcc3/x/en-US is at least generated as part of the release process, mostly
19:10:17 <mikeperry> ilv: RecommendedTBBVersions is committed into the website git
19:10:32 <mikeperry> that XML file is synced to the mirrors ourside of git
19:10:35 <mikeperry> err outside
19:10:46 <ilv> the main reason is that sometimes it recommends more than one version
19:11:12 <ilv> ok, i see
19:11:21 <mikeperry> https://dist.torproject.org/torbrowser/update_2/release/Linux_x86_64-gcc3/x/en-US will only ever give one.
19:11:52 <mikeperry> (the latest in an alpha or release channel)
19:12:16 <mikeperry> RecommendedTBBVersions will list all versions that are not currently vulnerable or deprecated
19:12:34 <mikeperry> for example, we probably won't de-list 5.0 from RecommendedTBBVersions. we'll just add 5.0.1
19:12:55 <mikeperry> but the urls for each platform like https://dist.torproject.org/torbrowser/update_2/release/Linux_x86_64-gcc3/x/en-US will list only 5.0.1
19:13:13 <GeKo> ilv: what is the problem with more than one version?
19:13:33 <ilv> mikeperry: ok, I understand
19:14:00 <mikeperry> if you want to host a json export of the XML using https://gist.github.com/ilv/c8303107878a1417f370, that is fine with me
19:14:31 <ilv> GeKo: that the apps that use that file need to add extra logic to know when that happens, I know, it's not a big deal, but it would make things easier
19:15:26 <Yawning> weasel: halp, I broke the debian i386 clang build and want to see how the test is failing
19:15:29 <ilv> mikeperry: ok, that script generates something like this: https://trac.torproject.org/projects/tor/attachment/ticket/16551/latest_tbversion.txt
19:15:40 <mikeperry> I am just not sure I personally want to commit to running yet another standalone script during the release process, and needing to remember every time, and dealing with problems if it fails
19:15:41 <ilv> mikeperry: host it, you mean like opening a ticket to have it on tpo as well?
19:15:55 <ilv> mikeperry: ok
19:16:33 <GeKo> no, please not yet another thing in the release process
19:17:00 <mikeperry> if there was any other magic way for it to autogenerate those json urls without us ever actually needing to run the script, that would be ideal
19:17:13 <mikeperry> like if it monitored the TBB XML files itself somehow
19:17:36 <ilv> ok, I'll see what I can do
19:17:46 <ilv> mikeperry, Geko: thanks for the feedback!
19:17:53 <mikeperry> but then still, I am a little reluctant to make it my job to kick the thing if it crashes some random release 9 months from now
19:17:55 <GeKo> some git commit hook maybe?
19:18:17 <ilv> that would be an option
19:18:20 <boklm> one option could be to extend the update_responses script to generate a .json file similar to this latest_tbversion.txt in addition to the .xml files used by the updater
19:18:46 <ilv> boklm: yes, that is what i was thinking
19:18:57 <boklm> and make it available at an URL like https://dist.torproject.org/torbrowser/update_2/release/update.json
19:19:50 <mikeperry> if it is part of the same update_responses step we have to do anyway, that is definitely less bad than some standalone thing we need to remember to run/monitor to ensure it hasn't failed
19:20:57 <ilv> it should be part of that process, the idea would be not to add and additional step
19:21:13 <ilv> add an*
19:23:08 <ilv> that works for me, so I'll take a look at it unless someone is not ok with it
19:23:09 <mikeperry> ok, that sounds like the beginnings of a plan then. maybe you can work with boklm to get it together, and report any issues or questions or patches next week?
19:23:26 <ilv> mikeperry: sounds fine to me
19:23:51 <boklm> ok
19:24:17 <ilv> thanks again!
19:24:29 <mikeperry> ok, np
19:24:49 <armadev> Watson Ladd discovered that NSS does not properly perform Elliptical
19:24:50 <armadev> Curve Cryptography (ECC) multiplication, allowing a remote attacker
19:24:50 <armadev> to potentially spoof ECDSA signatures.
19:24:51 <armadev> it never ends, does it
19:25:16 * mikeperry raises his gavel threateningly
19:25:27 <mikeperry> where is that from?
19:25:36 <armadev> To: debian-security-announce@lists.debian.org
19:25:36 <armadev> Subject: [SECURITY] [DSA 3336-1] nss security update
19:25:59 <armadev> CVE-2015-2721 and CVE-2015-2730
19:26:32 <mikeperry> I wonder if that is our security issue for next week's release, or if it is yet another one
19:27:27 <mikeperry> oh, no, I think that is just debian being behind
19:27:34 <armadev> i think so too.
19:28:21 <armadev> so we don't yet know the details for next week, and i should go hunting?
19:29:01 <mikeperry> yes, those two CVEs were fixed in 38.1.0
19:29:52 <fr4t1> hello. looking for someone who can provide some information re Tor Browser crashing at tumblr. Is this the right channel for such questions? Or should I be going elsewhere?
19:30:15 <mikeperry> the only thing that concerns me is the release date. I got a medium-high vote of confidence it will be August 25th, but since it wasn't "Oh yeah, we already have a fix and it's tested and ready to go. we are 100% certain we won't slip", I decided we should do 5.0.1 now, rather than risk making everyone wait until Sept 1st or something
19:30:41 <Yawning> fr4t1: #tor it's a known issue, new version with a fix will be today
19:31:03 <Yawning> (that's what 5.0.1 is for right? the blob null deref?)
19:31:10 <mikeperry> yes
19:31:49 <mikeperry> ok, I am closing this thing down. we're starting to get into the long tail
19:31:54 <mikeperry> #endmeeting *baf*