#tor-dev log

18:01:02 <GeKo> #startmeeting tor-browser
18:01:02 <MeetBot> Meeting started Mon May 30 18:01:02 2016 UTC.  The chair is GeKo. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:01:02 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
18:01:15 <GeKo> hi everyone!
18:01:43 <GeKo> let's get started. here is what i did last week in the tor browser area:
18:01:53 <GeKo> i worked on the 6.0 release
18:02:36 <GeKo> i backported two mozilla patches #19189 and #19187
18:03:07 <GeKo> i investigated #18860
18:03:31 <GeKo> i reviewed a bunch of tickets (although i did n ot merge any yet)
18:03:51 <GeKo> i started to wrap up the esr45 stuff looking over the bugs tagged with ff45-esr
18:04:15 <GeKo> and i began thinking about the upcoming tasks for our SponsorU
18:04:40 <GeKo> this week i'll deal with 6.0 fallout if there is any and start preparing 6.0.1 and 6.5a1.
18:05:16 <GeKo> i plan to work on the SponsorU tasks as well so that we can chat about that next monday
18:05:29 <GeKo> oh, and the usual admin stuff is due as well
18:05:47 <GeKo> that's it for me
18:05:48 <mcs> A possibly dumb question: what is the status of the 6.0 release?
18:06:01 <GeKo> it is about to go live i think
18:06:13 <boklm> yes, I will finish publishing it after this meeting
18:06:16 <mcs> OK. Thanks. I have been afk for a few days...
18:06:26 <mcs> (mostly away)
18:06:33 <GeKo> good!
18:06:41 <GeKo> hopefully refreshed :)
18:06:59 <mcs> Yes; thanks. Did a bunch of hiking over the weekend.
18:10:25 * boklm can go next
18:10:42 <boklm> This past week I worked on #19067, #19137, posted a patch on #18291
18:10:47 <boklm> I helped getting the 6.0 release out (I will finish publishing it after this meeting)
18:10:54 <boklm> This week I'm planning to work on #19067 and #15994, and help with the new releases
18:11:05 <boklm> that's it for me
18:11:24 * mcs can give a report
18:11:29 <Yawning> "Killed process 19931 (firefox) total-vm:21490211044kB, anon-rss:14243708kB, file-rss:0kB, shmem-rss:104kB" lol
18:11:29 <mcs> Last week, Kathy and I finished #18912.
18:11:35 <mcs> We reviewed patches for #18884, #18914, #18950.
18:11:42 <mcs> Then we made our own Tor Browser 6.0 build (so we could embed our own MAR signing certificate) and did some testing of the 6.0 updater.
18:11:48 <mcs> We did not find any issues.
18:11:53 <mcs> Then we were away from keyboard for a few days over the weekend and we still need to catch up on what we missed.
18:11:58 <mcs> We do not yet have plans for this week other than the usual release follow up.
18:12:03 <mcs> That’s all for now.
18:12:36 * arthuredelstein can go
18:12:51 <arthuredelstein> Last week I finished testing #18884, revised my patch for #18914,
18:13:02 <arthuredelstein> wrote patches for #19186 and #19193,
18:13:09 <arthuredelstein> and did some research on #13017 and reading on #13018.
18:13:25 <arthuredelstein> This week I thought I would possibly work on a fix for #13017,
18:13:32 <arthuredelstein> work on #18860 and #18923 and look into what can be done for #13018.
18:13:38 <arthuredelstein> If there's time I will try to update some of our patches on bugzilla.mozilla.org.
18:13:43 <arthuredelstein> I will be afk this afternoon and most of Tuesday.
18:13:47 <arthuredelstein> That's it for me.
18:14:46 <GeKo> i've not worked through your analysis of #13017 yet. but is that now a tbb-fingerprinting-os thing or not.
18:14:59 <GeKo> it seemed to me the answer is "no" after skimming your comment
18:15:30 <GeKo> is it as #13018 a symptom of the same underlying issue?
18:15:39 <arthuredelstein> Yes, I think so.
18:16:03 <GeKo> aha, interesting
18:16:08 <arthuredelstein> I think both of them are tbb-fingerprinting-os+
18:16:24 <GeKo> hehe, that's what i thought, too :)
18:16:26 <arthuredelstein> That is, certainly they allow OS fingerprinting, but there maybe be multiple distinguishable sets within platforms.
18:16:50 <GeKo> okay, makes sense, thanks
18:17:13 <arthuredelstein> One thing that would be helpful, especially for #13018, would be some kind of Tor-Browser-only Panopticlick
18:17:21 <arthuredelstein> Like if we had a button on about:tor
18:17:29 <mikeperry> we could try an experiment where we provide a libm.so and set LD_LIBRARY_PATH to override /lib
18:17:54 <mikeperry> and see if fingerprints that used to be different (ie between debian and ubuntu) are now the same, for JS math and this
18:18:15 <Yawning> (I have tbb related questions unrelated to "holy shit, it just caused the oom killer to fire")
18:18:47 <GeKo> yeah, this could be easily a part of better understanding both bugs
18:18:56 <GeKo> while working on a fix
18:18:57 <mikeperry> shall I comment on the bug?
18:19:08 <GeKo> yes, thanks
18:20:07 <GeKo> who else is here for a status update?
18:21:28 <mikeperry> I am working on a funding proposal for a Tor Browsr Mobile, to bring OrFox to feature and experience parity with Tor Browser Desktop
18:22:36 <mikeperry> my current estimate is that with amoghbl1 helping with integrating into our build system and build reproducibility, and an additional full time engineer, we should be able to support concurrent releases of Tor Browser for Android with the rest of our releases
18:23:55 <mikeperry> that will involve a port of Torbutton to FF mobile, UI/UX work on it, and the same for Tor Launcher
18:24:16 <mikeperry> and additionally, fingerprinting and tracking work specific to android
18:24:35 <GeKo> do we know when this would start if we'd get this money? i keep forgetting that
18:24:58 <arthuredelstein> Fantastic.
18:25:03 <mikeperry> not clear
18:25:45 <mikeperry> we should also expect that the full time engineer hire to take around 1-3 months, as it did with arthuredelstein and mcs+brade
18:26:22 <mikeperry> we're going to want someone who can work in JS/XPCOM/JetPack, Java (on Android), and C++
18:27:03 <GeKo> mikeperry: i like the text, although i am not sure how to distill it in the proper format.
18:27:14 <mikeperry> so we'll also need to plan for that. knowing how much time we'd have between acceptance and start of work/funding will be useful for that lead time
18:27:22 <GeKo> i am inclined to say tha we'd need 2 instead of 1.5 engineers though
18:27:27 <GeKo> *that
18:27:52 <GeKo> there are a bunch of unknowns i think
18:28:27 <GeKo> and i expect surprises while porting our extensions to mobile and getting a proper UI there
18:29:22 <Yawning> if you're porting tor launcher does this mean, no more orbot?
18:29:35 <GeKo> yes that is part of the plan
18:29:46 <mikeperry> well, orbot should be optional in the ideal world
18:29:46 <Yawning> (or patches to detect if orbot exists and use it?)
18:29:55 <Yawning> ah so option b
18:30:03 <mikeperry> but obviously a contingency plan would be to still require orbot, if Tor Launcher proves too difficult to port
18:30:37 <GeKo> mikeperry: oh, and we might want to mention that during that one year preparing patchesfor a new esr would be part of the job
18:30:51 <GeKo> including dealing with new mobile specific features
18:31:32 <mikeperry> I mentioned that in the task list. just clarified a bit
18:32:37 <GeKo> ah, yes, i read it just as "getting a mobile browser based on esr45 out"
18:34:46 <GeKo> okay. time for discussion i guess: yawning, what's up?
18:34:57 <amoghbl1> I also wanted to discuss general plans about Orfox and what to work on for the next few weeks, could we discuss that stuff now??
18:35:37 <Yawning> few questions
18:35:45 <GeKo> hi, amoghbl1! yes, it's discussion time.
18:35:51 <Yawning> Are we going to get in the business of "which CAs are evil"
18:36:05 <GeKo> i don't think so
18:36:08 <Yawning> (Blue Coat has a CA now, but with pathlen set to 0, I'm not overly worried)
18:36:23 <Yawning> #19192
18:36:40 <amoghbl1> Perfect, GeKo. First up would be talking about the first two weeks part of my GSoC...
18:37:03 <amoghbl1> I want to do the rebase work onto the latest tbb branch
18:37:04 <Yawning> their CA can't make more CAs, and I don't see them shipping the private key in their dpi shitboxes
18:37:06 <amoghbl1> Which one would that be??
18:37:15 <GeKo> yawning: yes, there is a corresponding bugzilla bug and i plan to watch closely what mozilla is doing
18:37:20 <Yawning> ok
18:37:21 <GeKo> and i agree.
18:37:35 <Yawning> (add a link to the bugzilla ticket?)
18:37:43 <GeKo> yes, one sec
18:37:59 <Yawning> 2) Can the tor browser isolation stuff be changed to include the pid?
18:38:12 <Yawning> like example.com:pid:number
18:38:20 <Yawning> instead of example.com:number
18:38:56 <Yawning> it's not a big deal, but the behavior would be "more consistent" with a system tor
18:39:19 <GeKo> aha, interesting. file a ticket?
18:39:23 <Yawning> (bikeshed over if pid wrapping/reuse is an issue, just want a unique, per invocation identifier to be part of the auth string)
18:39:44 <Yawning> I shall
18:39:47 <Yawning> it should be trivial
18:40:26 <Yawning> 3) (last one) SInce 6.0 is out, we will merge dcf's stuff to bump Go up to something modern right?  I'e been writing new code under the assumption that at least 1.6 is avilable.
18:40:30 <arthuredelstein> amoghbl1: Here's the full list of tor-browser.git branches. The latest one is at the bottom. https://gitweb.torproject.org/tor-browser.git/refs/heads?h=esr24
18:41:15 <GeKo> Yawning: yes. i plan to do that latest this thursday
18:41:31 <Yawning> ty <3
18:41:42 <arthuredelstein> Yawning: cc me on your ticket for (2)
18:42:12 <amoghbl1> Thanks arthuredelstein. I'm not so sure about jumping directly to 45.1.1, I might first try things with 38.8.0 and then move along
18:42:14 <Yawning> arthuredelstein: k
18:42:43 <arthuredelstein> amoghbl1: Why not jump directly?
18:43:09 <arthuredelstein> I guess maybe your existing patches are already written for 38 ESR?
18:43:18 <amoghbl1> Cause that might include a bunch of Android specific patches...
18:45:20 <amoghbl1> But yes, moving to 45 is on the list for me
18:45:33 <amoghbl1> Another thing I wanted to bring up, was tracking Orfox tickets
18:46:12 <amoghbl1> I had a short email conversation with n8fr8, and he seems to agree that we should start using trac instead of the guardian project stuff
18:46:44 <arthuredelstein> Yawning: thanks
18:46:50 <GeKo> yes. as i said i've tagged stuff under tbb-mobile at the moment
18:47:27 <GeKo> we could create an OrFox subcomponent for the time being
18:47:47 <amoghbl1> Yes, so I think we will start opening new bugs there and tag it with the same, instead of having 2 trackers as we do now...
18:50:37 <GeKo> looking forward to it, thanks.
18:50:46 <GeKo> do we have something else?
18:51:10 <amoghbl1> I think that's about it that I have for now
18:51:22 <amoghbl1> Will start with the rebase work!
18:51:27 <Yawning> arthuredelstein: #19206
18:52:28 <Yawning> tag it according to the arcane scheme, bikeshed over if `pid` is enough etc, I think the rationale behind having something is solid
18:53:38 <GeKo> for the releases: freeze for alpha related patches it thursday for stable ones wednesday
18:53:54 <GeKo> (i might make exceptions to the latter in case 6.0 is blowing up)
18:54:54 <GeKo> mcs: oh, in case you look for something valuable to work on this week for the alpha: #19164 and #12523 seem to be in reach.
18:55:13 <GeKo> i planned to work on it as i am particularly interested in the latter
18:55:26 <GeKo> (maybe only for hardened?)
18:55:33 <GeKo> but i might not get to it.
18:55:33 <mcs> GeKo: Thanks. We will take a look.
18:55:53 <GeKo> thanks. it seems we are done?
18:56:36 <GeKo> *baf*
18:56:43 <GeKo> #endmeeting