19:00:44 #startmeeting tor-browser
19:00:44 Meeting started Mon Mar 21 19:00:44 2016 UTC. The chair is GeKo. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:00:44 Useful Commands: #action #agreed #help #info #idea #link #topic.
19:00:51 hello everybody
19:01:13 hi
19:01:16 hi
19:01:30 i can go first today
19:02:49 last week i fought with my internet connectivity and with a "chemspill" Mozilla release and investigated #18577
19:03:09 moreover, i tested and merged the pieces for #13252 we have so far
19:03:40 i spent time with the GSoC applications and the bulk of my time went into the esr45 feature review
19:04:07 i went through all the dev docs and opened tickets for (possible) issues i've found
19:04:20 a second pair of eyes would be helpful
19:05:28 i've prioritized the tickets for 6.0a5 with tbb-6.0a5
19:05:30 https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~tbb-6.0a5
19:05:54 we should discuss later if that makes sense and think about dividing the workload
19:06:29 this week i plan to help with the esr45 branch and might try some builds
19:06:42 then i start with the tbb-6.0a5 stuff
19:07:07 probably some GSoC stuff needs to get done and i hope to find some time for the developer doc
19:07:12 that's it for me.
19:10:59 * boklm can go next
19:11:13 * arthuredelstein can go after boklm
19:11:30 This past week I helped with the unexpected new release. I converted some tests to marionette on #16009 and added support for OSX.
19:11:36 This week I'm planning to merge my marionette branch to master to start using it. Work on #18597 and #18569. Look at the GSoC applications.
19:11:47 That's it for me.
19:13:29 Last week I worked on #15197. I have a full branch which I will post later today. So far I haven't been able to test the full build because of #18127. I also reviewed some of the patches for #13252.
19:14:08 This week I will work on writing some regression tests for the #15197 branch as well as anything else needed for ESR45.
19:14:27 That's it for me.
19:15:07 I have been performing the TBB network audit. I am through the NSPR calls, and about to start on the XPCOM stuff. After that, all that remains is Android, and I think Amogh is handling that
19:15:32 I found some things that need deeper investigation, and some things that need to be preffed off or patched
19:16:01 (for example, the DOM push service appears capable of using UDP)
19:16:55 but that is part of service workers which are disabled in esr45, no?
19:18:12 but yes, we should make sure nothing is leaking even with service workers disabled
19:18:41 what was Mozilla
19:19:00 what was Mozilla’s reason for disabling service workers in ESR45?
19:19:21 (too experimental?)
19:19:35 that the api is likely changing too much in the near future
19:19:45 OK. Good to know.
19:19:46 so, yes
19:21:02 ServiceWorkers are crazy powerful. there were also some vulnerabilities related to their power allowing surprising things to happen in the browser
19:21:31 we are probably going to need to stay away from them for quite a while, I think. they are very hard to analyze for the normal browser threat model, let alone ours
19:21:49 indeed
19:21:56 I agree as well
19:24:56 I also have a question about #13252 after everyone is done. but I think we have more updates?
19:25:07 * mcs will give an update now
19:25:15 Last week, Kathy and I revised some of our patches for #13252.
19:25:20 We worked on #18495 but have not found a solution yet.
19:25:28 We reviewed the patches for #18466 and #18557.
19:25:37 This week we will work more on repackaging FTE (advice from Python experts is welcome).
19:25:43 We will also help GeKo with any #13252 build and signing issues that come up.
19:25:48 This week we also plan to look at other ff45-esr tickets and triage some bugs that we have been ignoring (such as #18330).
19:25:54 That’s all for us.
19:26:46 er #13252. mike had some worries similar to teor's comment 23 about write protected dirs
19:27:11 how bad is the current design for people having Tor Browser in /Applications?
19:27:27 does that fail totally?
19:27:50 They need to have write access, same as today. Or similar to today.
19:29:02 I guess the scenario to worry about is if someone can install in /Applications but not write there?
19:29:27 yes
19:29:48 not sure how prevalent this one is on OS X though
19:29:51 yes, I am worried in particular about users who already installed in /Applications by entering their admin password, which actually gives them write access to TorBrowser.app
19:29:57 Probably Kathy and I (or someone) should test on a Mac OS system where the logged in user does not have write access to /Applications. I am not sure how common that is though.
19:30:09 ah, OK.
19:30:12 when the update arrives with this code, it will try to create the side-by-side dir, and fail. I think this is not so good :/
19:30:37 I did not realize that that prompt gives them write access to TorBrowser.app. That’s bad for the new world order.
19:31:13 yeah, we may need to do the ~/Library thing after all
19:31:38 If that is even somewhat common we need to think about supporting both side-by-side as well as ~/Library or something. Ricochet does something like that.
19:31:40 Right.
19:32:01 I assume we do not want to only support ~/Library though.
19:32:58 it seems the ricochet approach as you sketched it is a fine onw
19:33:00 *one
19:34:13 is anyone else here for any status updates?
19:36:43 okay. let's move to the discussion phase
19:37:24 https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~tbb-6.0a5 contains the stuff i think we should have in the alpha for testing
19:37:40 (we might find more while testing, though)
19:38:44 mcs: i wonder if you could put the canvas and svg tickets on your plate?
19:39:10 that is #18599 #15640 and #18602?
19:39:42 i think i work on #14970 at least
19:39:48 GeKo: yes, we were planning to take those
19:40:08 arthuredelstein: any preferences?
19:40:16 (do you want to update the owner in trac or should we do it?)
19:40:28 go ahead
19:40:31 ok
19:40:46 arthuredelstein: i think #16328 and #16998 might be worthwhile
19:41:07 er #16673
19:41:20 instead of #16328
19:41:36 Yes, I could take those two
19:41:51 okay let's start with that, thanks
19:42:20 sounds good
19:43:15 we can adjust the work at the next meeting if needed (if more urgent things come up)
19:43:33 speaking of which: when do we have our next meeting?
19:44:00 i guess next monday is a holiday in lots of places
19:44:13 I might go for #16326 as well if no one else has claimed it.
19:44:29 yeah, good one, please do
19:44:40 I am OK with meeting next Monday but we could also delay by a day.
19:45:05 i am fine with it too fwiw
19:45:23 but i am fine with moving it either
19:45:39 * boklm is fine with either
19:46:46 I'm OK with either
19:47:20 okay. then let's keep next monday
19:48:25 what else do we have for the meeting?
19:49:35 I wanted to ask about #18127.
19:49:53 Do we have a patch that already solves the problem?
19:51:07 yes.
19:51:25 there is just the detail missing how to handle the need for sudo
19:52:08 mikeperry: if you have an opinion for #18127 (see my last comment) then please state it in the ticket
19:53:07 arthuredelstein: if you take boklm's bug_18127-v2 branches (gitian-builder and tor-browser-bundle) that should work
19:56:02 alright, thanks for attending this meeting *baf*
19:56:06 #endmeeting