18:59:36 <GeKo> #startmeeting tor browser
18:59:36 <MeetBot> Meeting started Mon Nov 27 18:59:36 2017 UTC.  The chair is GeKo. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:59:36 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
18:59:41 <GeKo> hi all!
19:00:01 <GeKo> i hope everyone had a nice weekend/thanksgiving
19:00:16 <GeKo> so, let's get started with the final week of november
19:00:22 <pospeselr> quite refreshing
19:00:31 <GeKo> good!
19:00:42 <boklm> hi
19:00:53 <GeKo> as a reminder we'll have the roadmap discussion later on our agenda
19:00:58 <GeKo> see: https://storm.torproject.org/shared/roevbMxlBi5rxSAh57iRjy8w1MB2HZArEmM2JekbqPM
19:01:09 <GeKo> for the current draft
19:01:34 <GeKo> iirc i have included all the things that came to mind, but let's doublecheck later
19:01:41 <GeKo> so status updates first
19:01:53 <GeKo> who wants to go?
19:01:57 * t0mmy is lurking
19:01:57 * mcs will go
19:02:06 <mcs> Last week, Kathy and I had a short week but we did work some more on the UI part of #23136.
19:02:13 <mcs> We also investigated a Tor Launcher issue that was reported in #24367 (and earlier today we created #24428).
19:02:37 <mcs> This week we plan to provide a patch for #24428 and work on moat integration.
19:02:44 <mcs> That's all for us.
19:02:48 <GeKo> mcs: do you feel #23136 is actually a tor launcher issue?
19:02:53 <GeKo> err
19:02:56 <GeKo> #24367
19:03:15 <GeKo> because i am still not convinced that that's the case
19:03:18 <mcs> No, just the thing we spun off as #24428.
19:03:32 <mcs> I think the part about switching PTs is a tor thing.
19:03:37 <GeKo> yep
19:03:59 <GeKo> i guess i can go next
19:04:02 <mcs> (maybe Tor Launcher should do something different to make things work better, but I trust the network people to tell us if so)
19:04:10 <GeKo> i agree
19:04:27 <GeKo> last week i spent quite some time helping with #24367
19:05:11 <GeKo> then i worked on a blog post about how we use fastly including things boklm wrote earlier and arma's feedback
19:05:20 <GeKo> it might go live this week, we'll see
19:05:36 <GeKo> then i worked on #20322
19:05:51 <GeKo> i think we get this for free when we switch to a clang-based toolchain
19:06:11 <GeKo> thus, i think we should avoid trying to fix that for gcc right now
19:06:23 <GeKo> (apart from that this would not be trivial)
19:06:35 * isabela is around
19:06:45 <GeKo> then i started to look at #24154
19:06:57 * isabela has a question for discussion time :)
19:06:59 <GeKo> and reviewed and merged patches needed for #21998
19:07:25 <GeKo> this week i'll merge the remaining ones and get the fuzzing going
19:07:45 <GeKo> then i plan to go over all the things for sponsor4 and wrap it up as good as we can
19:07:57 <GeKo> + do the monthly team admin work
19:08:02 <GeKo> that's it for me
19:08:17 <GeKo> who is next?
19:08:23 <pospeselr> I'll go!
19:08:54 <GeKo> (oh i got dragged into bisecting https://bugzilla.mozilla.org/show_bug.cgi?id=1375471 as well; i'll probably continue with that too)
19:09:18 <pospeselr> short week last week due to the holiday, but I got a patch up ad verified for  #23970
19:09:28 <pospeselr> saw your comment GeKo, will split it up into component patches today
19:11:54 <GeKo> pospeselr: good. anything else for the week?
19:13:05 <GeKo> i guess #17933 was it, right?
19:13:35 <GeKo> okay. richard will get back to us i guess. who is next?
19:13:54 * arthuredelstein can go
19:13:59 <arthuredelstein> Hi everyone!
19:14:04 <GeKo> o/
19:14:05 <arthuredelstein> Last week I also had a short week, but worked on #18101.
19:14:23 <arthuredelstein> I'm going to keep working on that to try complete it and then focus on MPX and #23930,
19:14:41 <arthuredelstein> and also hope to finish up testing for #23745.
19:14:49 <GeKo> sounds good.
19:14:58 <GeKo> i need something for you for next week:
19:15:22 <GeKo> could you update the ubsan ticket mentioning the t hings you've worked on
19:15:52 <GeKo> + could you assemble a list of all the tickets you helped mozilla with regarding fingerpinting/uplifting stuff?
19:16:03 <arthuredelstein> Sure! I'll do that this week.
19:16:09 <GeKo> + update the MPX ticket
19:16:17 <GeKo> so we can create reports for the spnsor
19:16:20 <GeKo> thanks!
19:16:27 <arthuredelstein> Should the list of mozilla tickets go back to the beginning of time? Or is there a start date?
19:16:53 <GeKo> last year november/december when the grant started
19:17:23 <arthuredelstein> OK, sounds good. Will do.
19:17:39 <pospeselr> hey all back, tor office's internet likes to die randomly
19:17:48 <arthuredelstein> (Also, I've been bugging exit relay operators to fix their dns.)
19:17:48 <GeKo> welcome!
19:17:56 <arthuredelstein> That's it for me.
19:18:45 <GeKo> who is next?
19:19:07 * boklm can go
19:19:11 * tjr does not have a report
19:19:20 <boklm> This past week I worked on #21998 and #23738. I also looked at the migration of archive.tpo to its new host.
19:19:27 <boklm> This week I'm planning to finish #23738, write something on the Tor Browser Hacking wiki page about adding new fpcentral tests, and look at Android OS applications
19:19:34 <boklm> That's it for me
19:20:36 <GeKo> okay. thanks. anyone else here by chance for a report back?
19:21:28 <GeKo> let's start the dicussion part then
19:21:45 <GeKo> we have the roadmap for today
19:22:13 <GeKo> i have updated the draft with the things the network team had regarding .nion UX
19:22:17 <GeKo> *.onion
19:22:37 <GeKo> and it should contain now all the things other teams need from us and things we could work on until march
19:22:55 <GeKo> i think we are quite flexible when it comes to who is doing what
19:23:27 <GeKo> so, if there are things we should juggle around in that regard let me know
19:23:32 <GeKo> now or later on is fine
19:23:52 <GeKo> so, first question would be: does the roadmap make sense?
19:24:02 <GeKo> are there things that are missing?
19:24:38 <arthuredelstein> One issue that isn't explicitly mentioned (I think) is upgrading torbutton and torlauncher to esr59
19:24:51 <GeKo> oh, it is i think
19:25:01 <GeKo> Investigate Torbutton and Tor Launcher compatibility
19:25:11 <GeKo> i gues i could add a "with ESR59"
19:25:14 <GeKo> *guess
19:25:20 <arthuredelstein> Aha, got it.
19:25:44 <arthuredelstein> I just didn't grok it properly but it already made sense
19:26:13 <GeKo> no, that's fine. let's make those things as explicit as needed
19:26:34 <mcs> what is “Orbot functionality check” (line 55)?
19:27:24 <GeKo> arthuredelstein: the "Rebase our patches for ESR59" could easily include your mozilla-central rebase plan if we want that fwiw
19:27:57 <mcs> It may also be helpful to include a milestone/target date for shipping Tor Browser on Android.
19:27:59 <arthuredelstein> Yeah, although I see them as somewhat separable projects
19:28:19 <GeKo> mcs: that's part of sponsor8 where we need to investigate what functionality orbot currently probides to fit in our tor browser on mobile idea
19:28:45 * isabela has a question for the team
19:28:45 <mcs> GeKo: thanks; makes sense
19:28:57 <GeKo> meaning that the browser should start it and control it etc.
19:29:18 <arthuredelstein> Re " Investigate Torbutton and Tor Launcher compatibility eith ESR59
19:29:22 <arthuredelstein> "
19:29:41 <arthuredelstein> I guess that might be relevant to porting both to mobile
19:29:58 <arthuredelstein> So maybe that investigation should happen earlier?
19:30:18 <GeKo> arthuredelstein: i agree. i think i update the roadmap mentioning it explicitely when we agree on how to proceed (re: rebasing to mozilla-central)
19:30:36 <arthuredelstein> ok, sounds good
19:31:56 <GeKo> arthuredelstein: i think i would want to keep that separated for now
19:32:10 <GeKo> the investigation for the port is basically starting next week
19:32:16 <GeKo> of the week thereafter
19:32:40 <arthuredelstein> the port will be targeting esr59, right?
19:32:44 <GeKo> firefox 59 is still somee week away
19:33:01 <GeKo> not necessarily
19:33:23 <GeKo> we want to have this ported as fast as possible to test with the current browser code i think
19:33:38 <arthuredelstein> Well in any case, I guess the question is whether we are restricted to webextensions
19:33:45 <GeKo> i'd be happy to see this happen before we start with the esr59 transition
19:34:11 <GeKo> you mean for mobile?
19:34:20 <arthuredelstein> right
19:34:25 <arthuredelstein> I
19:35:31 <arthuredelstein> guess I might be confused about this? I can't remember if non-webextensions are also deprecated for mobile
19:36:03 <GeKo> i'd have to so some research for that, so not sure
19:36:19 <GeKo> but this would be a fine question for the mobile folks starting soon
19:36:32 <GeKo> and definitely we should find an answer to early on
19:36:44 <GeKo> *definitely one
19:36:44 <arthuredelstein> So, if the same codebase is going to be used for desktop and mobile, then the compatibility questions make come up soon.
19:37:06 <arthuredelstein> (codebases for torbutton and torlauncher)
19:37:18 <arthuredelstein> s/make/may
19:37:59 <GeKo> yep.
19:39:04 <GeKo> i think we can adapt the roadmap in that case to move the investigation part to an earlier slot
19:39:50 <GeKo> right now i am still under the impression the codebase is not exactly the same for desktop/mobile
19:40:29 <arthuredelstein> the torbutton/torlauncher codebases?
19:40:57 <GeKo> no the desktop/mobile ones for both
19:41:16 <GeKo> we could think a bout changing that while we are at it
19:41:44 <GeKo> but the costs and benefits are not clear to me yet
19:42:42 <GeKo> (well the benfits are pretty clear i think but the costs are not)
19:43:24 <GeKo> do we have anything else?
19:43:29 <GeKo> isabela: ?
19:43:33 <isabela> oi
19:44:02 <tjr> I was wondering about the 'Exposing TB as Tor Browser' email
19:44:06 <isabela> i have a question about testing tor launcher and a suggestion related to following up on work ux is doing that is related to tb
19:44:40 <tjr> And if I should pursue creating a dom api that we can hang anti-fingerprinting booleans off of like 'CanvasRequiresPermission' or something
19:44:41 <isabela> i went through the ui and tested the bridges on mac and had brazukas doing it on linux
19:44:55 <isabela> besides snowflake not working which i think is expected
19:45:10 <GeKo> i think it should work actually :)
19:45:16 <isabela> i dont have anything else to report but i also wonder if i should be testing more
19:45:20 <isabela> GeKo: ! oh
19:45:23 <isabela> ok
19:45:27 <isabela> then i will document that :)
19:45:48 <isabela> i havent tested proxy configurations for instance
19:46:28 <isabela> anw if you have suggestions on what else we should be doing let me know (antonela is also testing it)
19:47:03 <GeKo> tjr: what would the alternatives be? i was not really happy with those that came up on -tbb-dev iirc
19:47:11 <mcs> isabela: are you testing the initial setup as well as the Network Settings window? If not, please test the latter some since code is shared.
19:47:44 <isabela> next i will work on the help text - and on that topic, I would like to suggest a process to make it simple for who want to review ux work on tb stuff can follow
19:47:57 <isabela> mcs: good to know, will do!
19:48:09 <tjr> Alternatives would be: do nothing, and hope websites use strange clues to detect if AntiFingerpriting mode is enabled and behave more intelligently ; or
19:48:17 <isabela> my suggestion is that we just email tb dev ml whenever there is something new for y'all to look at
19:48:36 <tjr> 1) improve the canvas prompt to not trigger if it's fired in the first n seconds and then 2) document the strange trick(s) and say "You should do this"
19:48:41 <isabela> sometimes that might come with an invite to join a meeting
19:48:52 <isabela> does that sounds good?
19:49:29 <GeKo> yes
19:49:38 <isabela> cool, that was it
19:49:46 <isabela> i will document the snowflake problem
19:50:26 <arthuredelstein> tjr: I'm a fan of the (1) idea in any case, especially if triggered by user interaction.
19:50:45 <GeKo> tjr: hm. i was wondering whether there is really no other way to detect the emoji thing than using some canvas code
19:51:18 <GeKo> i mean we have a bunch of issues rendeing emojis correctly due to our font fingerprinting thing
19:51:39 <GeKo> wouldn't it be easier to use that one for now?
19:51:55 <GeKo> but, sure it's not guaranteeed to stay in that state :)
19:52:42 <GeKo> or maybe there is some other non-canvas means i am not awrae of right now
19:53:03 <tjr> (I am also in support of not showing the prompt if triggered in the first n seconds, no matter what.)
19:53:26 <tjr> I don't know if there is a better way of doing the emoji check. I presume not, or WP would have done it
19:53:40 <arthuredelstein> Not necessarily :)
19:54:40 <arthuredelstein> Are there any other similar problems besides canvas fingerprinting that make exposing TB as TB a useful thing?
19:54:41 <GeKo> i am fine with 1) i think
19:55:10 <GeKo> but we should make n short
19:55:25 <tjr> Well, my hope is that if we expose the information, websites that are broken will fix *themselves* by using the dom property
19:55:48 <GeKo> yes, please
19:55:50 <tjr> Doing simple things like if(!antifingerprinting) { //use video stats api to adjust video frame rate }
19:56:15 <GeKo> but i fear mozilla folks are quite resistant to include such a non-standard thing
19:56:33 <isabela> mcs: i am actually getting an error sometimes when changing PTs using network settings (not the launcher settings)
19:56:42 <GeKo> which i could understand, sort of
19:57:09 <tjr> Me too! But I'll go ask and try to get their buy-in.
19:57:11 <arthuredelstein> prefix it with moz?
19:57:29 <mcs> isabela: That would not surprise me. Please file a ticket and we will determine if it is a tor problem or a Tor Launcher one.
19:57:33 <isabela> mcs: https://share.riseup.net/#jFEsY8NrWv-_Z_XhTmrXlQ (it does not happens all the time tho)
19:57:38 <isabela> i will do
19:57:42 <GeKo> arthuredelstein: sure. but i had the  impression mozilla wants to get away from that ingeneral
19:57:46 <arthuredelstein> Or maybe it can be something added to the useragent string?
19:58:07 <GeKo> that's a thing i want to avoid if possible
19:58:29 <isabela> mcs: i will go to the post office first, and do it when i am back o/
19:58:34 <isabela> thanks all o/ bbl
19:58:37 <arthuredelstein> GeKo: Why do you want to avoid it?
19:59:24 <arthuredelstein> I think the thing that worries me about exposing TB as TB is that some websites will block Tor users or degrade their experience because it's easy to do.
19:59:47 <GeKo> that's one concern
19:59:55 <arthuredelstein> Of course, it's already possible to do this by feature detection or exit IP blocking, but that requires more effort and sophistication.
20:00:05 <GeKo> then we should not send additional bytes around for such a minor case
20:00:38 <arthuredelstein> I guess I think it depends on if there are problems besides the canvas problem. Because I think we have a solution for the canvas problem more or less.
20:01:35 <GeKo> i think ideally, i want to have this exopsed in a standard compliant way
20:01:40 <GeKo> *exposed
20:01:57 <GeKo> and then websites could easily query that if they really needed it
20:02:28 <GeKo> the UA is/has been (mis)used for so many things
20:02:39 <GeKo> we should not continue/start with that again
20:02:44 <mcs> Tor Browser may change over time too, so UA is a hammer for many different nails :)
20:02:59 <mcs> (e.g., maybe canvas extraction can be allowed someday)
20:03:04 <GeKo> yep
20:03:26 <GeKo> anyway, time to wrap up i guess
20:03:36 <arthuredelstein> mcs: good point
20:03:39 <GeKo> do we have anything left for today, urgent announcements etc.?
20:04:48 <GeKo> thanks all then *baf*
20:04:50 <pospeselr> nothing from me
20:04:51 <GeKo> #endmeeting