18:02:07 #startmeeting app-dev 18:02:07 Meeting started Mon Aug 17 18:02:07 2015 UTC. The chair is mikeperry. Information about MeetBot at http://wiki.debian.org/MeetBot. 18:02:07 Useful Commands: #action #agreed #help #info #idea #link #topic. 18:02:54 ok, let's get started 18:03:07 Last week, I helped get 5.0 out the door, and then got a crash report from tjr that turned out to be #16771. I helped diagnose that crash, and once we confirmed the rest of the code was behaving properly, I decided to start a build for 5.0.1. 18:03:19 This week, I'll be helping release 5.0.1, and then I think I might spend some time working on some patches to core-tor, and maybe a tiny patch from https://trac.torproject.org/projects/tor/query?keywords=~tbb-5.0&status=!closed. 18:03:32 We might end up having to do another release, 5.0.2, for issues outside of our control next week, so if you're planning on fixing any tbb-5.0 tickets, try to have them in early this week. The excitement never ends! 18:04:34 If you're looking for things to do for post-5.0, we do have the roadmap up: https://trac.torproject.org/projects/tor/wiki/org/roadmaps/TorBrowser. Those months for those tasks are the target completion dates, not the start dates. If stuff ever calms down, I will try to figure out a higher-resolution scedule, and/or a per-person menu if it is wanted/helpful. 18:04:55 that's it for me. 18:05:54 * amoghbl1 here about Orfox 18:06:01 I'll go 18:06:38 I've been looking into porting torbutton to android, haven't worked with plugins before so it's a little slow 18:07:10 mikeperry: we should figure out a higher resolution schedule or something at the dev meeting as i assume things won't calm down considerably before it 18:08:15 n8fr8 should be uploading a beta sometime soon 18:08:38 to the play store that is... 18:08:58 I've been on holiday for most part of last week, so that's it from me! 18:09:43 amoghbl1: ok. I sent your patches to Patrick McManus, but haven't heard back yet 18:09:57 the java network ones 18:10:10 thats great mikeperry thanks 18:10:36 I think I need to update those and centralize it though... Haven't looked into that in a while 18:11:29 ok, if you do that, please ping me, and I'll ping him again 18:12:22 oh, and actually, can you maybe annotate your section of https://gitweb.torproject.org/tor-browser-spec.git/tree/audits/FF38_NETWORK_AUDIT with what you had to fix, in addition to what was OK in the first place? 18:12:39 ok, will do 18:12:48 or if just one fix handled several things (like passing in a proxy object into the java code), noting that would be helpful 18:14:33 ok, who wants to go next? 18:14:47 * ilv can go next 18:15:06 Last week I worked on xmpp bot for gettor (still on progress, though). I also did some work (again) on gettor body of the email autoresponder in order to make it simpler. 18:15:25 Today I'll send my 3rd status report for sop (midterm). During the week I'll finish remaining stuff on the xmpp bot and start working on the twitter bot. I'll also take a look at what boklm commented on #16551 18:15:46 that's it for me 18:16:45 ilv: cool. I think last week you asked about the RcommendedVersions file, but we didn't have a good answer for you. we should maybe discuss that at the end or after the meeting 18:17:28 ilv: when does your sop term end, btw? 18:17:51 sure, sounds great 18:18:10 it ends by october 13th 18:18:32 i'm on the "winter schedule" 18:19:03 * mrphs is trying to keep him around for more than that, but paperwork takes forever... :( 18:19:20 here is what i did: 18:19:26 pre-, post- and pre-release work 18:19:40 investigated #16729 18:19:40 wrote patches for #16727 and #12240 18:19:40 helped with the UX proposal 18:20:21 this week i still need to file bugs that popped up in the comments 18:20:43 thanks for #16842, mcs, that was one of them 18:21:09 GeKo: no problem 18:21:39 then i hope to get back on track for the automated windows signing on a linux box 18:21:53 ;_; 18:22:15 no more plans at the moment, there will surely be enough surprises this week... 18:22:21 that's it for now 18:23:54 * mcs can go next 18:24:01 Last week, Kathy and I posted patches for #13512, #16778, and #16797. 18:24:13 We did some work on #16753 but do not have a nice fix yet. 18:24:20 We completed another code review for Mozilla #232227 (System colors for form elements used when browser.display.use_system_colors is set to false). 18:24:34 We also completed some Tor Browser code reviews (#16727, #16771) and triaged assorted TB 5.0 bugs. 18:24:48 This week we plan to fix #16842 and then work on additional tbb-5.0-regression tickets (https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~tbb-5.0-regression) 18:24:57 If we have more time we will work on #16753 (which affects the TB 5.5 alpha series). 18:25:03 That's all for us. 18:28:18 * boklm can go next 18:28:35 I added a test page to enumerate dom objects in Worker threads for #16758 and posted the diff between 4.5.3 and 5.0 18:28:38 I have been building 5.0.1-build1 today and it is matching 18:28:50 This week I will add a SharedWorker test for #16758, look at #16551, synchronise my split branch repo and push it to Try 18:28:59 that's all for me 18:29:30 boklm: yay, thanks for building 18:30:20 your split branch repo is also on the pile of "things to look into if the weekly release malestrom ever dies down" 18:30:35 boklm: any chance you can help sukhe with 32bit builds. I think he's stuck there 18:32:17 arlolra: I will try to look at it this week 18:32:34 thanks 18:33:57 do we have an arthuredelstein? or arlolra, if you want to give a brief standaup status, that is also fine 18:34:26 arthuredelstein should be on vacation 18:35:29 ah, right. 17-24? i forgot about that 18:36:02 yes 18:36:33 not much to report on my end, besides being blocked on those 32bit builds. its looking good that i'll be starting on the webrtc pt soon 18:38:42 arlolra: is this for the final alpha tor messenger builds? 18:38:58 arlolra: are you guys planning on announcing them wider than tor-dev? 18:39:57 we're planning on putting up this blog post asap https://etherpad.wikimedia.org/p/tor-messenger-blog 18:40:57 GeKo: in #15493, you noted you might have a fix to eliminate a lot of the race conditions, but you also mentioned needing more logs. If you don't have time to prepare a fix, maybe update the bug with more details about what race conditions you are aware of? 18:41:28 we were pretty set to go on that, but gecko 42 requires gtk+ 3 and that's causing some issues with our build env 18:42:35 mikepeery: yeah, sounds good. i think getting at least a partial fix into the next alpha might be worthhile 18:43:27 arlolra: is InstantBird following RapidRelease instead of ESR for some reason? 18:43:52 * GeKo had the same qustion 18:43:55 *question 18:44:08 there is a reason 18:44:24 Thunderbird follows ESR. seems weird instantbird doesn't 18:44:52 instantbird has been slow in making releases. their next one will match thunderbird 18:45:32 mcs: since arthuredelstein is on vacation, can you maybe look into #16781? I think that might be our second most user-annoying regression in 5.0 (at least from https://trac.torproject.org/projects/tor/query?keywords=~tbb-5.0&status=!closed&order=priority.. I suppose GeKo still needs to file more tickets from the blog) 18:45:52 mikeperry: yes, we will take a look. 18:46:01 there's also a bunch of patches that would need to be uplifted in order for otr to work. those landed after the latest esr 18:46:27 so, yes, we do plan to follow esr in the future, as it catches up 18:47:14 ok 18:48:47 any other status updates or questions from anyone else? 18:49:15 yeah 18:50:16 that localization thing? 18:50:22 was supposed to remind y'all cuz of release madness 18:50:41 (also I'd like to look over the ja_JP locale, do I need to do something special to see out transifex stuff?) 18:50:44 the release madness hasn't stopped. we have *two* more coming in the next week-ish :( 18:51:07 urgh 18:51:35 is this something I should be able to do? 18:51:51 we're just going to kludge OSX ja_JP right? 18:51:59 yeah, releasing every two weeks is boring let's do it every week 18:53:13 ha 18:53:30 if I offered bribes of alcohol at the dev meeting or whatever 18:53:41 or a cat ear headband to whoever implements it 18:53:50 yeah, should just be some shell in fetch-inputs.sh 18:54:00 aight 18:54:01 the for i in $BUNDLE_LOCALES 18:54:04 I'll look at it 18:54:05 loop 18:54:29 it just needs a special case to handle the mac langpack xpi 18:54:40 ok 18:54:56 someone should double check the translation to make sure it's sane 18:55:03 https://ftp.mozilla.org/pub/mozilla.org/firefox/candidates/38.2.0esr-candidates/build2/mac/ 18:55:10 I guess that someone would be me, since I'm the only one that uh 18:55:13 for some reason it has an extra -mac on the end :/ 18:55:18 Mozilla's translation or ours (e.g., Torbutton, etc.) 18:55:18 does moonspeak 18:55:21 ? 18:55:23 ours 18:55:30 I assume mozilla's stuff is fine 18:55:48 nickm: just spotted the ed additions to the specs - thanks! 18:55:57 You should be able to look at the trsnslations.git repo (assuming you can figure out which files are relevant) 18:56:13 * atagar plans to give it a read and add stem support this weekend 18:56:20 ummm. make that translations.git 18:56:39 aight thanks 18:57:00 https://gitweb.torproject.org/translation.git/ 18:57:18 the only difference is just the name right? 18:57:27 not that the branches that begin with abouttor are used in Torbutton 18:57:32 I don't need to convert the locale to some fucked up mac only char encoding or whatever rigth? 18:57:32 note that... 18:57:57 I think Mozilla uses UTF-8 for everything, don't they? 18:57:58 (UTF-8 and not like... EUC or Shit-JIS) 18:58:02 I dunno 18:58:11 UTF-8 i think, yes 18:58:47 Oh, and if you want to make changes to the translations I am afraid you need to deal with Transifex 18:59:31 (err https://ftp.mozilla.org/pub/mozilla.org/firefox/candidates/38.2.0esr-candidates/build2/mac/xpi/ for mac xpis for the current release) 18:59:31 you can either do it on their platform, or download the strings, edit them and upload them back to transifex 18:59:55 ;_; 19:00:03 it might just be ok 19:00:08 I'll see how good it is 19:00:23 the bridgedb japanese locale is like... horribad 19:01:50 ok I think I know how to proceed sorry for bugging y'all 19:02:33 ok, GeKo, how are we on 5.0.1? 19:02:56 it appears to be in the process of uploading to https://people.torproject.org/~gk/builds/5.0.1/? 19:03:09 you can release it today, i am rsyncing the signed stuff 19:03:56 then i'll do a bit of testing and then i'll ping you when it is ready from my point of view 19:04:48 ok 19:06:09 Yawning: but… it has "おっとスパゲッティ!" for "Uh oh, spaghettios!" 19:06:18 ilv: do you remember the ticket for improving the RecommendedTBBVersions file? I seem to have lost it 19:06:33 yeah, #16551 19:06:55 i'll try to summarize the discussion: 19:07:09 so, the thing is I was wondering if it is possible to have a json file, alternative to recommendedtbbversions, that could supply some more information, like direct download links for latest tor browser, and have a more friendly format to be used by other apps. 19:07:22 with that in mind I was wondering how is recommendedtbbversion generated, so maybe we could have an extra script that could be run every time recommendedtbbversions is generated. (I did something here https://gist.github.com/ilv/c8303107878a1417f370) 19:07:45 I still haven't look at the script mentioned by boklm, but I think it could be used to do that. The idea would be to create a new json file, since the url mentioned there are kinda complicated (e.g. https://dist.torproject.org/torbrowser/update_2/release/Linux_x86_64-gcc3/x/en-US) 19:08:09 So, If no ones disagrees whit this, I think I'm the right direction. If not, please tell me :) 19:08:21 no one* 19:08:34 recommendedtbbversions is edited manually 19:08:39 RecommendedTBBVersions is hand-generated 19:09:12 ok, that was I thought 19:09:32 but, directly? or via git or something? 19:09:37 is there a reason why that XML is not sufficient? I am a bit wary of needing to have yet one more version file to keep in sync 19:09:59 (how do I get unit test output from jenkins if it fails?) 19:10:02 https://dist.torproject.org/torbrowser/update_2/release/Linux_x86_64-gcc3/x/en-US is at least generated as part of the release process, mostly 19:10:17 ilv: RecommendedTBBVersions is committed into the website git 19:10:32 that XML file is synced to the mirrors ourside of git 19:10:35 err outside 19:10:46 the main reason is that some times it recommends more than one version 19:11:12 ok, i see 19:11:21 https://dist.torproject.org/torbrowser/update_2/release/Linux_x86_64-gcc3/x/en-US will only ever give one. 19:11:52 (the latest in an alpha or release channel) 19:12:16 RecommendedTBBVersions will list all versions that are not currently vulnerable or deprecated 19:12:34 for example, we probably won't de-list 5.0 from RecommendedTBBVersions. we'll just add 5.0.1 19:12:55 but the urls for each platform like https://dist.torproject.org/torbrowser/update_2/release/Linux_x86_64-gcc3/x/en-US will list only 5.0.1 19:13:13 ilv: what is the problem with more than one version? 19:13:33 mikeperry: ok, I understand 19:14:00 if you want to host a json export of the XML using https://gist.github.com/ilv/c8303107878a1417f370, that is fine with me 19:14:31 GeKo: that the apps that use that file need to add extra logic to know when that happens, I know, it's not a big deal, but it would make things easier 19:15:26 weasel: halp, I broke the debian i386 clang build and want to see how the test is failing 19:15:29 mikeperry: ok, that script generates something like this: https://trac.torproject.org/projects/tor/attachment/ticket/16551/latest_tbversion.txt 19:15:40 I am just not sure I personally want to commit to running yet another standalone script during the release process, and needing to remember every time, and dealing with problems if it fails 19:15:41 mikeperry: host it, you mean like openning a ticket to have it on tpo as well? 19:15:55 mikeperry: ok 19:16:33 no, please not yet another thing in the release process 19:17:00 if there was any other magic way for it to autogenerate those json urls without us ever actually needing to run the script, that would be ideal 19:17:13 like if it monitored the TBB XML files itself somehow 19:17:36 ok, I'll see what I can do 19:17:46 mikeperry, Geko: thanks for the feedback! 19:17:53 but then still, I am a litle reluctant to make it my job to kick the thing if it crashes some random release 9 months from now 19:17:55 some git commit hook maybe? 19:18:17 that would be an option 19:18:20 one option could be to extend the update_responses script to generate a .json file similar to this latest_tbversion.txt in addition to the .xml files used by the updated 19:18:46 boklm: yes, that is what i was thinking 19:18:57 and make it available at an URL like https://dist.torproject.org/torbrowser/update_2/release/update.json 19:19:50 if it is part of the same update_responses step we have to do anyway, that is definitely less bad than some standalone thing we need to remember to run/monitor to ensure it hasn't failed 19:20:57 it should be part of that process, the idea would be not to add and additional step 19:21:13 add an* 19:23:08 that works for me, so I'll take a look at it unless someone is not ok with it 19:23:09 ok, that sounds like the beginnings of a plan then. maybe you can work with boklm to get it together, and report any issues or questions or patches next week? 19:23:26 mikeperry: sounds fine to me 19:23:51 ok 19:24:17 thanks again! 19:24:29 ok, np 19:24:49 Watson Ladd discovered that NSS does not properly perform Elliptical 19:24:50 Curve Cryptography (ECC) multiplication, allowing a remote attacker 19:24:50 to potentially spoof ECDSA signatures. 19:24:51 it never ends, does it 19:25:16 * mikeperry raises his gavel threateningly 19:25:27 where is that from? 19:25:36 To: debian-security-announce@lists.debian.org 19:25:36 Subject: [SECURITY] [DSA 3336-1] nss security update 19:25:59 CVE-2015-2721 and CVE-2015-2730 19:26:32 I wonder if that is our security issue for next week's release, or if it is yet another one 19:27:27 oh, no, I that that is just debian being behind 19:27:34 i think so too. 19:28:21 so we don't yet know the details for next week, and i should go hunting? 19:29:01 yes, those two CVEs were fixed in 38.1.0 19:29:52 hello. looking for someone how can provide some information re Tor Browser crashing at tumblr. Is this the right channel for such questions? Or should I be going elsewhere? 19:30:15 the only thing that concerns me is the release date. I got a medium-high vote of confidence it will be August 25th, but since it wasn't "Oh yeah, we already have a fix and its tested and ready to go. we are 100% certain we won't slip", I decided we should do 5.0.1 now, rather than risk making everyone wait until Sept 1st or something 19:30:41 fr4t1: #tor it's a known issue, new version with a fix will be today 19:31:03 (that's what 5.0.1 is for right? the blob null deref?) 19:31:10 yes 19:31:49 ok, I am closing this thing down. we're starting to get into the long tail 19:31:54 #endmeeting *baf*