#tor-meeting log

19:00:20 <GeKo> #startmeeting tor browser
19:00:20 <MeetBot> Meeting started Mon Feb 26 19:00:20 2018 UTC.  The chair is GeKo. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:00:20 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
19:00:31 <GeKo> t0mmy: https://storm.torproject.org/shared/tHoN4Ii7rLSjPE0OP4gydX4cMGadsXmRQNc-6lwru0N
19:00:33 <GeKo> and welcome
19:00:53 <arthuredelstein> hi everyone
19:00:55 <GeKo> hi all for a new meeting
19:00:57 <t0mmy> GeKo thanks!
19:01:03 <isabela> hello
19:01:11 <GeKo> the pad link is above, please add your items if you did not have already
19:01:20 <isabela> kk
19:01:29 <GeKo> and read through and flag items of other in case you want to discuss them
19:01:55 <boklm> hi
19:02:53 <sysrqb> o/
19:03:46 <igt0> !!!
19:03:58 * antonela is lurking
19:04:14 <tjr> \o
19:05:22 <pospeselr> hi hello
19:05:46 <GeKo> alright
19:05:58 <GeKo> tjr is not the first one today :)
19:06:10 <GeKo> igt0: you are up
19:06:54 * igt0 typing
19:08:57 <igt0> So last week after reading the comments in the #25013 and talking wit sysrqb I changed my approach, now I am trying to make tor button a system extension. And I am using mozilla central. So the problem about mozilla central is because it deprecated a bunch of things so I am updating the extension to use the latest APIs or css properties.
19:09:43 <igt0> so i wonder if someone already tried to rebase tor patches on top of the m-c or ff59. So I could use it. Since I could run the tests.
19:10:48 <igt0> sysrqb, told me in the #tor-project that arthuredelstein is working a branch that we could use it :)
19:10:51 <tjr> Hm. System Extensions use internal APIs that are not guaranteed to be maintained, not change, or even keep existing.  What's in there for 60 will stay there; but if you intend to follow Mozilla's releases, you will find yourself in trouble eventually. I don't know if that will be 62 or 68 or what, but eventually something you rely on will disappear
19:10:52 <sysrqb> I assume it depends on how many of the patches are uplifted before ESR60 is released
19:12:05 <sysrqb> I think system addons are an easy solution for the next ~6 months
19:12:15 <sysrqb> we'll likely need a better, ong term, solution by then
19:12:18 <sysrqb> *long
19:12:32 <GeKo> yes
19:12:50 <GeKo> i don't see it as a long-term solution either
19:12:53 <sysrqb> i chatted with some addon devs, aswan in particular, and they (roughly)agreed
19:13:26 <sysrqb> not that they were hapy, but they didn't see another immediate solution
19:13:43 <GeKo> ok, good
19:13:46 <sysrqb> err, happy
19:14:38 <arthuredelstein> I guess when internal APIs disappear, then the torbutton or torlauncher code will break regardless of whether it is a system extension or an internal module
19:14:47 <arthuredelstein> So we'll need to keep revising either way
19:15:10 <arthuredelstein> until the functionality in question becomes part of Firefox itself
19:15:19 <GeKo> yep
19:15:20 <sysrqb> I already ran into that with torlaucher, Mozilla riped out old APIs after legacy extensions were deprecated
19:15:40 <sysrqb> luckily it was easily fixed
19:16:50 <GeKo> igt0: so where are we with your issue from the pad?
19:17:55 <igt0> GeKo, sysrqb answered :), I can keep working on m-c until we uplift tor patches.
19:18:00 <GeKo> k
19:18:30 <GeKo> i see we don'tave anything else marked bold, great
19:18:39 <GeKo> then let's move on to the disucssion
19:19:09 <GeKo> t0mmy: do you want to say something about that potential grant?
19:19:15 <t0mmy> sure thing
19:19:40 <t0mmy> hi all -- I think I've chatted to all of you, but just in case, hi, I'm Tor's grant writer
19:19:48 <pospeselr> o/
19:20:21 <t0mmy> FB has a call for proposals out for $100k to research privacy-preserving technology that'll benefit end users.
19:20:27 <t0mmy> https://research.fb.com/programs/research-awards/proposals/secure-the-internet-grants/
19:21:15 <sysrqb> huh.
19:21:49 <t0mmy> Given their focus on end users, I think "research" in this instance isn't limited to papers, etc. I'm treating it as "research and deploy" in the sense of "think about the problem a bit and then do a thing." I think we could get this money for the browser team, and so I wanted to check in and get a sense of what sort of work this proposal could
19:21:58 <t0mmy> cover.
19:22:23 <t0mmy> GeKo and I have already talked a bit about research to fight fingerprinting, but I'm all ears. /end
19:22:58 <arthuredelstein> Does it need to be a new project?
19:23:55 <t0mmy> I don't believe so; no indication on the site.
19:24:12 <tjr> Not sure what the fingerprinting discussion was, but 'fixing' canvas fingerprinting once and for all could be a good topic/subtopic
19:24:34 <GeKo> the discussion was how to solve best fingerprinting
19:24:47 <GeKo> it's basically an unresolved research problem
19:25:08 <GeKo> should we try to hide all users in a group (as we try)
19:25:22 <GeKo> or should we rather try a randomization approach
19:25:28 <GeKo> or a hybrid one?
19:25:47 <tjr> You should talk to Stephen about this in Rome too :)
19:25:58 <GeKo> there is a section for that in our design doc citing papers etc.
19:25:59 <GeKo> sure
19:26:39 <mcs> I wonder if the fingerprinting area is too much in need of basic research (vs. the applied research focus mentioned on the fb.com page)? But it would be good to do more in that area.
19:27:11 <GeKo> mcs: in which regard basic research vs. applied research?
19:27:23 <t0mmy> Yeah, they do want a timeline with deliverables (e.g. tools) as part of the proposal.
19:27:52 <mcs> Do we know enough to be able to provide a timeline for something that would provide practical benefits to end-users?
19:28:41 <mcs> In other words, does more fundamental/academic style research need to be done first? I don’t know the answer.
19:29:00 <mcs> (the fb.com RFP seems to be asking for deployable results)
19:29:42 <mcs> I will also add that fingerprinting is not my area of expertise, so other should have a better sense of what could be proposed.
19:29:50 <mcs> s/other/other people/
19:29:59 <tjr> (I was wondering if there was a build/packaging proposal in here somewhere with reproducible builds, PTs, or something like that but perhaps not, as they aren' very end usery.)
19:30:53 <t0mmy> PTs are very end-user-y, especially for FB, but it's my understanding that we'd have to hire someone new and that's a lot of overhead
19:31:05 <GeKo> yep
19:31:22 <arthuredelstein> One idea might be trying to build the next iteration of tor-launcher with "1-click" setup. User chooses their country, and PT/bridges get auto-setup. Would require "research" from OONI side, UX research, and implementation.
19:32:18 <antonela> arthuredelstein: oh <3
19:32:23 <GeKo> well, not just from the OONI and UX side
19:32:39 <mcs> arthuredelstein: +1 to that idea, but we need tor things too
19:32:41 <GeKo> the hard part is estimating the dangers of a auto-setup
19:32:56 <GeKo> *an
19:33:00 <arthuredelstein> you're right, that as well.
19:33:13 <arthuredelstein> All bad problems are an opportunity for research :)
19:33:23 <GeKo> heh
19:33:42 <sysrqb> i guess the next question is "who does the research?"
19:34:13 <sysrqb> do we partner with a research group?
19:34:35 <GeKo> we could.
19:34:47 <GeKo> or we could try to do researchy stuff ourselves
19:34:54 <GeKo> using our fpcentral
19:35:13 <GeKo> and getting things implemented directly into tor browser :)
19:35:21 <sysrqb> mmm, that's true
19:35:43 <GeKo> the risk i see is that we can do less dev work this way
19:35:52 <sysrqb> measuring the risk associated with probing PTs would be more difficult for us
19:35:58 <sysrqb> yeah
19:36:01 <GeKo> i agree
19:36:03 <arthuredelstein> Another basic form of fingerprinting research I think would be useful is just to look very careful at every single web API and CSS API and find new ways of fingerprinting (and mitigations)
19:36:23 <GeKo> true
19:36:27 <arthuredelstein> I think there are bound to be a number we have missed
19:36:52 <GeKo> the question again is whether we should apply to get that work done
19:37:11 <GeKo> we could use that while preparing for a new esr, true
19:37:59 <igt0> a tool/framework/crawler to detect fingerprinting, it would be amazing.
19:39:06 <GeKo> t0mmy: okay, i think we have some additional ideas. i think i'd like to hear arma's input as well
19:39:17 <GeKo> as i think he had some ideas/suggestions
19:39:30 <GeKo> what was the deadline for that proposal?
19:39:40 <t0mmy> he did. let's circle back on this when armadev's back in a few days
19:39:44 <GeKo> (the fb site is currently not opening in my tor browser)
19:39:54 <GeKo> ok.
19:40:00 <t0mmy> March 31, so we have some time. If we'd like to go for it, I'd like to have the idea cemented by March 10 or thereabouts
19:40:18 <GeKo> sounds like a thing to discuss at the dev meeting :)
19:40:35 <GeKo> at least to hammer some details down
19:40:48 <t0mmy> For sure! I won't be around but y'all can report back. =)
19:41:01 <GeKo> sure. thanks for joining us today!
19:41:08 <t0mmy> thanks for having me!
19:41:23 <GeKo> does anyone else have additional things for the meeting?
19:42:11 <GeKo> thanks all then! *baf*
19:42:16 <GeKo> #endmeeting