#tor-dev log

17:59:48 <GeKo> #startmeeting tor-browser
17:59:48 <MeetBot> Meeting started Mon Apr 24 17:59:48 2017 UTC.  The chair is GeKo. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:59:48 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
17:59:53 <GeKo> hi all!
17:59:59 <mcs> hi
18:00:01 <Phoul> \o
18:00:04 <arthuredelstein> hi!
18:00:05 <GeKo> it's been a while but finally we have another tor browser meeting!
18:00:07 <flexlibris> hi!
18:00:14 <boklm> hi!
18:00:20 <GeKo> oh, so many today, nice
18:00:49 * flexlibris and Phoul bring greetings from the community team
18:00:56 <GeKo> first of all before the status reports let me thank all of your for the help to get the alpha based on esr52 out
18:00:57 * Samdney lurks
18:01:14 <GeKo> that's been a bunch of work
18:01:44 <GeKo> special thanks to boklm for dealing with all the server-side update stuff over the weekend/holidays
18:01:55 * isabela lurks too
18:02:15 <GeKo> so, status reports first. who wants to go?
18:03:27 <GeKo> okay, i can be the first one then i guess
18:03:51 <GeKo> i helped with the releases and last minute patches and the fallout from it
18:04:11 <GeKo> we have a bunch of good bug reports we need to follow up
18:04:37 <GeKo> i needed to spend my time on following up on some loose ends, like #21795 and #20683
18:04:50 <GeKo> i reviewd and tested #21962
18:05:21 <GeKo> i started to review #20761 but am not done with it yet. sorry mcs
18:05:31 <GeKo> it's on top of my list for this week
18:05:48 <mcs> np. I know you have been busy ;)
18:05:57 <GeKo> i spent my time organizing a bunch of things more to them later
18:07:03 <GeKo> this week i plan to close #19048 and #21625 doing the remaining tasks there
18:07:17 <GeKo> i hope to get a bunch of reviews done
18:07:44 <GeKo> and plan to work on #21886
18:07:55 <GeKo> that's it for me for now
18:08:13 * mcs will go next
18:08:20 <mcs> Since our last meeting, Kathy and I created patches for #21876, #21778, #21930, and #21962.
18:08:34 <mcs> We updated our patch for #20761.
18:08:39 <mcs> We did our best to test the updater that shipped in 7.0a3 (time will tell how we did at that task).
18:08:44 <mcs> Also, we reviewed a bunch of patches.
18:08:50 <mcs> This week we are already looking at a newly reported 7.0a2 -> 7.0a3 updater issue (#22041).
18:08:58 <mcs> We also plan to revisit #21766 and then move on to other tbb-7.0-must-alpha tickets.
18:09:04 <mcs> That’s all for us.
18:09:55 * arthuredelstein can go
18:10:01 <arthuredelstein> *go
18:10:08 <arthuredelstein> Since last time,
18:10:26 <arthuredelstein> I wrote patches for #21569,
18:10:33 <arthuredelstein> #10286 and #10283.
18:10:45 <arthuredelstein> I evaluated the Presentation API for #18862
18:10:53 <arthuredelstein> In paralell with mcs and brade I tried an approach to #21962,
18:10:58 <arthuredelstein> and opened #22002 as a result.
18:11:10 <arthuredelstein> I backported a Mozilla patch for #21875.
18:11:14 <arthuredelstein> And I met with the tor uplift team.
18:11:41 <arthuredelstein> This week I will work more on  tbb-7.0-must patches, focusing on fingerprinting/linkability tickets.
18:11:50 <arthuredelstein> Plus whatever else might be needed.
18:11:52 <arthuredelstein> That's it for me.
18:12:16 <tjr> I can go
18:12:27 <tjr> Gotten some MinGW patches landed and am working on some more. Also going to start pushing to get this into TaskCluster, even broken.
18:12:33 <tjr> I completed a prototype for the add-on versioncheck onion service using EOTK. Next step is to explore how we're going to production-ize it.
18:12:39 <tjr> As far as Moz stuff goes:
18:12:44 <tjr> We've done more planning for our Fennec work, including coming up with a plan for doing proxy bypass testing. Now someone (me) needs to write an Android VPN Service for this purpose...
18:12:53 <tjr> There's a Shield Study that's doing some anti-fingerprinting measurement work to see how much breakage it causes. https://github.com/mozilla/shield-study-privacy I also opened https://github.com/mozilla/shield-study-privacy to try and collect all the anti-fingerprinting telemetry and measurements we want to perform.
18:13:21 <tjr> Other than that, a bunch of internal security process stuff was put on my plate :-/
18:13:23 <tjr> That's it
18:13:41 <GeKo> tjr: so, where are we with the sandbox compilation?
18:13:56 <GeKo> that's the single-most needed bit for the windows side right now
18:14:04 <tjr> We can compile the sandbox in debug mode and investigate crashes.
18:14:47 <GeKo> okay. do you have time for that or should i try to put it on my plate?
18:15:22 <tjr> I don't think I'm going to have time for it... at least not this week...
18:15:41 <GeKo> okay.
18:15:45 <tjr> I've been trying to find time for it for a bit and it hasn't happened; sorry
18:15:52 <GeKo> no worries
18:16:37 <GeKo> who is next?
18:16:42 * boklm can go next
18:17:00 <boklm> Since last meeting I have been working on #21907, #18530, #19316, #20814, #21981 and helped publish the new releases.
18:17:13 <boklm> This week I'm planning to work on #21982. On the rbm build side, I'm planning to try to fix the build of snowflake for linux32.
18:17:20 <boklm> That's it for me.
18:18:05 <GeKo> boklm: we could try to get the nightly builds going on ln5's box
18:18:12 <boklm> yes
18:18:23 <GeKo> and the rbm thing setup there as well
18:18:48 <GeKo> which is pretty exciting!
18:18:50 <boklm> I can help ln5 doing that when he has some time
18:19:53 <GeKo> thanks. i think a first step would be to get those vms you uploaded updated to match your latest ones
18:20:16 <GeKo> as ln5 can't create new ones as well right now due to #21838
18:20:44 <boklm> ok
18:20:47 <GeKo> who else is here for some status update?
18:21:52 <GeKo> okay, discussion time then
18:22:10 <GeKo> i saw we have folks from the community team here
18:22:16 <GeKo> how can we help?
18:22:23 <flexlibris> hey yall
18:22:49 <GeKo> hi!
18:22:49 <flexlibris> GeKo: in AMS we talked about having the community team come to occasional applications meetings and share user feedback
18:23:04 <GeKo> yes!
18:23:06 <arthuredelstein> that is such a great idea
18:23:30 <flexlibris> so, we have some feedback we can share, and we also want to hear your ideas
18:24:11 <flexlibris> it seems pretty straightforward that if we hear from users stuff that we think is useful to you, we should just come tell you, but maybe there are particular ways you'd like us to do it?
18:24:27 <flexlibris> Phoul, do you wanna share some of the feedback you've gotten?
18:24:35 <Phoul> Sure!
18:25:25 <GeKo> flexlibris: this meeting is fine or filing trac tickets for important stuff
18:25:38 <Phoul> So one of the biggest issues (for many years now) is the clock skew issue. Users continue to hit this, not know whats happening and contact us. We have also been contacted by users looking for Tor Browser's in languages that our compontents have translations for, but Firefox does not. I'm not sure what the best way forward with those requests is.
18:26:25 <arthuredelstein> Phoul: What languages are they requesting?
18:26:29 <Phoul> components*
18:26:44 <Phoul> I dont actually have a list handy, but I can get that sent to someone or put it in a ticket.
18:26:52 <Phoul> Has come up a couple times over the last few weeks.
18:27:01 <arthuredelstein> I think I have a ticket where that list could go... let me look
18:27:21 <GeKo> Phoul: regarding the first issue we have some ideas like #21542
18:27:44 <GeKo> it is pretty high on our todo list but right now getting 7.0 into stable shape is even higher
18:28:06 <Phoul> Makes sense, just thought id mention it :)
18:28:15 <GeKo> but once we have a bit breathing room that issue will be worked on
18:29:38 <GeKo> the first one is a bit tricky because we need to solve #17400 first
18:30:19 <GeKo> as we don't have the capacity to ship a bundle per locale per platform per architecture for all the locales we want
18:30:49 <arthuredelstein> Here's a ticket where the list could go: #20628
18:30:50 <GeKo> thus, before we ship any new locale that ticket needs to get solved
18:31:06 <GeKo> the ux team is aware of that
18:31:08 <Phoul> arthuredelstein: will get them added after this meeting :)
18:31:15 <arthuredelstein> Thank you! :)
18:31:18 <flexlibris> also, I know the Twitter functionality stuff is fixed in the most recent update, but Phoul and I were wondering more generally about QA for intensive websites like Twitter
18:31:23 <tjr> The clock skew problem is interesting.
18:31:34 <GeKo> and we need to do some coordination but that said it is pretty high on our prioity list
18:31:44 <tjr> I assume that's "SSL Certs are invalid because the user's clock is way off"  Or does it affect connecting to tor too....?
18:32:12 <Phoul> To add to what flexlibris just said, I was wondering if we used Selenium or something for TB testing, and if so, if we could have tests for some popular sites like Twitter/Github/others.
18:32:41 <Phoul> tjr: it prevents tor from bootstrapping if its far enough off.
18:32:48 <GeKo> tjr: it's not just ssl certs iirc
18:33:35 <GeKo> flexlibris: what do you have in mind?
18:33:43 <tjr> Ah okay so it's a little-t tor problem first; and then if we fixed that it would propagate to the browser too most likely. Is there a spec anywhere on how we might address this?
18:34:09 <flexlibris> GeKo: see what Phoul said ^^
18:34:53 <GeKo> tjr: #10059 has some discussion you might find interesting
18:35:04 <GeKo> aha
18:35:12 <Samdney> Phoul, flexlibris (to testing): I remember on a AMS meeting that one of the mozilla guys talked about how they test firefox and that they would do some stuff also for us (was in a meeting about the launcher ux)
18:35:29 <boklm> Phoul: we have some marionette tests. However testing Twitter features is not very simple, especially since they can change how their website work at any time.
18:35:40 <mcs> tjr: also see #9675
18:35:42 <flexlibris> Samdney: do you remember who the Mozilla person was?
18:36:03 <Samdney> flexlibris: I don't know his name :(
18:36:09 <arthuredelstein> I think selenium would be a very nice way to catch things that break when important websites change.
18:36:42 <Samdney> flexlibris: perhaps linda can help, I don't know
18:37:14 <Phoul> boklm: I'm not familiar with marionette, but I assume its similar. True about the test needing to be maintained though, I'm not sure how often Twitter changes the bits we'd care about for testing.
18:37:32 <Samdney> ... correction: it was in the tor-slider ux meeting
18:38:10 <Phoul> Other sites change less though, like Github.
18:38:30 <arthuredelstein> In the most recent Twitter case, though, the bottleneck was we didn't have the capacity to make an extra point release after we made the fix.
18:39:00 <Phoul> Would it have been any different if caught in QA vs after release?
18:39:35 <mcs> The Mozilla person might have been Christoph (I thinkl he was in that meeting anyway).
18:39:39 <Phoul> difference* (sorry, im typing very delayed)
18:39:56 <GeKo> arthuredelstein: well, actually the problem was that the issue did not get a higher prio earlier as it basically was #16540
18:40:11 <GeKo> err
18:40:22 <GeKo> #16450
18:40:53 <arthuredelstein> Aha, I hadn't realized that.
18:41:16 <GeKo> Phoul: i don't think so
18:42:09 <Phoul> GeKo: fair enough. Might still be worth considering in the future to catch breakage, even if it wouldnt have helped this time. :)
18:42:47 <GeKo> indeed. i think opening a ticket and thinking about a way how to implement stuff is a good thing to do.
18:42:53 <GeKo> i can do this after the meeting
18:43:28 <flexlibris> I don't think we had anything else to share
18:43:35 <flexlibris> Phoul: ^^
18:43:36 <GeKo> thanks!
18:43:42 <Phoul> That was all :)
18:43:57 <GeKo> pretty helpful
18:43:58 <flexlibris> let us know how we can be helpful as we make the support portal
18:44:21 <flexlibris> we'll come to the meeting from time to time
18:44:39 <tjr> So as far as clock skew goes, I'm trying to find any statistics about how off they are in user's browsers
18:45:07 <tjr> But a dead-simple thing we _could_ do is look at the build date of the browser and the current time and if the user's time is behind the build date, and we get a conneciton error, tell them to check their clock.
18:45:24 <Phoul> Generally the skew is of a few hours
18:45:35 <tjr> Ah, that won't work then
18:46:14 <tjr> Wait, wouldn't a consensus up to 24 hours old work though? Unless it's skewed forward a few hours...
18:48:49 <GeKo> okay. i have some items too
18:49:03 <GeKo> first next week on monday do we have a meeting?
18:49:18 <GeKo> there is a holiday at least in some countries
18:49:32 <GeKo> i think i can make it to the meeting at least
18:49:53 <GeKo> the other thing is i updated the ticket list
18:50:11 <GeKo> right now important items are tagged with tbb-7.0-must-alpha
18:50:21 <GeKo> and thery are order roughly according priority
18:50:31 <mcs> Kathy and I are available next Monday for a meeting
18:50:36 <arthuredelstein> As am I
18:50:39 <boklm> I think I can make it too
18:50:52 <GeKo> if any of you does not know what to do picking a ticket from that list with highest prio first is the things to do
18:50:59 <GeKo> okay, then we'll have a meeting
18:51:07 <mcs> thanks for assigning priorities, etc.
18:51:30 <GeKo> please mark those ticket either by adding a keyword or assigning it to you
18:51:43 <arthuredelstein> will do
18:51:50 <GeKo> and if you find a ticket you think should be on this list bring it up
18:51:57 <GeKo> or add it
18:52:21 <GeKo> i'll go over this list more frequently to update things i guess
18:52:43 <GeKo> then we have 7 weeks until we must update to 7.0
18:53:07 <GeKo> i guess we want to have 7.0 out a bit earlier maybe 1 or two weeks for a soft launch
18:53:24 * mcs is feeling a little pressure :)
18:53:24 <GeKo> which means 5-6 weeks for getting it into stable shape
18:53:31 <GeKo> yeah, no kidding
18:53:34 <arthuredelstein> I think you mentioned we might release a second alpha?
18:53:37 <mcs> so any bugs, so little time
18:53:39 <mcs> many
18:53:52 <GeKo> yes, i think we should have another alpha
18:53:59 <GeKo> like in about 3 weeks
18:54:14 <arthuredelstein> sounds like a good idea
18:54:17 <GeKo> to pick up the work we've done since then and give it out for more testing
18:54:56 <mcs> another alpha sounds like a good idea… that will also allow a “field test” of the 7.0 updater
18:55:07 <GeKo> yep
18:55:10 <arthuredelstein> So for the full 5-6 weeks we theoretically want to finish all tickets in https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~tbb-7.0-must, correct?
18:55:18 <GeKo> yes
18:56:05 <GeKo> okay, another alpha in about 3 weels
18:56:07 <GeKo> *weeks
18:56:38 <boklm> another alpha sounds like a good idea
18:57:11 <GeKo> the last item i have: i updated the dependenies on other teams/organizations we have right now
18:57:19 <GeKo> which is on https://storm.torproject.org/shared/gf-PXTTtFJyzrpqDoGepLwXa4Sr4JUb-hWIK6yqylxs
18:57:49 <GeKo> i don't expect to get more dependencies added but there might some, especially for objective 2.1
18:57:53 <GeKo> we'll see
18:57:54 <legind> GeKo: Is this the Tor Browser meeting?
18:58:04 <GeKo> yes, another 2 minutes :)
18:58:08 <GeKo> hi!
18:58:27 <GeKo> legind: if you have something for the meeting, go for it
18:58:28 <legind> I didn't miss it then :)  I have one quick item/announcement if that's okay
18:58:33 <GeKo> sure
19:00:07 <legind> For HTTPS Everywhere we've coded up a working PoC for delivering and verifying rulesets separately from the extension itself.  This only works for the WebExtensions version currently, so once TB stable is rebased to 52 I'll be able to test if it works properly.  At that point, every day or so we'll have new rulesets being checked from the EFF site
19:00:32 <legind> If there are fingerprintability concerns we should have those in our purview.  We're planning on releasing this in the next few months
19:00:36 <GeKo> legind: you can do this right now with the latest alpha
19:00:47 <GeKo> 7.0a3 is already based on esr52
19:01:00 <legind> GeKo: I will do testing with 7.0a3 then
19:01:27 <legind> currently the Firefox extension is still XPCOM, but once TB stable moves to 52 I can finally ditch the old extension
19:01:54 <GeKo> let me think a bit more about the fingerprinting thing
19:02:17 <GeKo> do you have written down your thoughts about that one somewhere?
19:02:29 <mcs> Are most Firefox users using the WebExt-based version now?
19:02:29 <GeKo> like when you designed this new feature?
19:02:56 <legind> No, this is a new feature we just have a PoC for and honestly I haven't considered it much
19:03:26 <legind> mcs: No Firefox users are using WebExt currently
19:03:37 <GeKo> okay
19:03:48 <legind> They're all using XPCOM.  Only Webext users are on Chrome or Opera right now
19:04:14 <Yawning> mlerph
19:04:24 <legind> But XPCOM will be deprecated in Nov due to FF57
19:04:31 <mcs> Thanks. I am a little worried about the transition (e.g., if there are behavior differences btw Firefox and Chrome’s APIs).
19:04:33 <legind> and ESR 45 doesn't support it well
19:04:51 <mcs> right.
19:04:52 <legind> mcs: I understand, that's what I'll be testing for
19:04:56 <mcs> sounds good
19:05:16 <legind> I've been waiting on TB to make that jump for Firefox users
19:05:37 <GeKo> okay, i think that's it for today
19:05:47 <Yawning> GeKo: I assume there is nothing in browser land that requires my attention
19:05:48 <legind> Also Fennec doesn't support WebExt very well either, but that's a different story
19:06:26 <GeKo> Yawning: maybe #22053?
19:06:44 <GeKo> not sure if it's your issue though
19:06:55 <GeKo> apart from that i think you are fine
19:07:06 <GeKo> *baf*
19:07:09 <GeKo> #endmeeting