15:00:31 #startmeeting S27 05/21
15:00:31 * sysrqb is lurking
15:00:31 Meeting started Tue May 21 15:00:31 2019 UTC. The chair is pili. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:31 Useful Commands: #action #agreed #help #info #idea #link #topic.
15:00:33 hi everyone
15:00:43 o/
15:01:14 pad is here: https://storm.torproject.org/shared/cftEAPBUYEZQ6cCPWPsf-t35WIz49JBEk2ozYJVkNVB
15:01:31 (or at whichever link people have saved in the past...)
15:01:43 we're missing asn today
15:01:58 happy to see everyone that is here :)
15:02:39 please feel free to start adding any updates in the pad as well as any discussion points and/or blockers and dependencies that you want to talk through with the rest of the team
15:05:27 I'll start with my updates for now :)
15:05:46 the main one is that it's almost time to start writing the second monthly report
15:06:43 so gaba and I might be reaching out for some clarification on progress on some of the items
15:07:14 dgoulet: any updates from the network team? :)
15:08:00 I heard from asn yesterday that he'd made a bit of progress on #30381 but has otherwise been occupied with other work
15:09:11 pili: yes so mainly we are both stuck in finalizing things for the 0.4.1 tor freeze that was last week.
15:09:26 we made some progress on the DDoS front of s27 at least
15:10:06 and I wonder also where we are with TB on control port event vs socks error. Last time I looked at the ticket, we were back to SOCKS errors?
15:10:22 I guess that's one for mcs and brade
15:10:41 dgoulet: yes, SOCKS :-/
15:10:46 are we set on that direction? For us, it implies a new proposal, change of spec and then code so it is a bit more involving than a new control port event ehhe
15:10:48 ok
15:11:49 mcs and I are not confident of Mozilla’s HTTP Connect implementation; that it is at the right level and will meet our needs
15:11:50 seems like no one is happy about this :)
15:11:58 I have no idea if asn had more things on the list but that is the big piece missing before we start that code so onward!
15:12:05 brade: ok!
15:13:27 we'll go in overdrive for s27 starting this week since we both (asn and I) kind of finished our pre-freeze stuff ;)
15:13:31 --
15:13:53 dgoulet: great news, thanks! :)
15:14:15 so we'll go ahead with the socks errors implementation then?
15:14:27 yup
15:14:38 is that going to change the time estimates at all?
15:14:39 we had a proposal a while back to expand those, we might revive it with a new version
15:14:48 as it seems like it's more work on the network team side?
15:15:15 pili: not sure since control port also requires us spec and all... and SOCKS errors should be "faster" on the spec side, and possibly not too bad on the code side :)
15:15:29 ok, sounds good then :)
15:15:34 pili: SOOOO in theory, less time :P
15:15:36 we'll see
15:15:53 let's assume it's the same, just in case :D
15:16:09 yup yup
15:16:24 ok, any other updates from the network team? or any other comments on this from the browser team or shall we move on with browser team updates?
15:18:28 ok, let's move on
15:18:43 brade any exciting updates to share from browser side? :)
15:18:55 (otherwise I can just read the pad)
15:19:03 just trying to figure things out :-) yes, see pad
15:19:24 need feedback on 30237
15:19:57 i think acat gave good one
15:20:43 yes, thanks for that review brade!
15:20:44 yes but more opinions are welcome
15:20:46 i am quite concerned about possible spoofing by website
15:20:50 s
15:20:58 GeKo: as are we
15:21:08 i can try looking over the whole ideas later today/early tomorrow
15:21:15 brade: my only comment is that I enjoyed reading about the line of death, but that's not useful for you I know :)
15:21:22 originally i used the http auth UI, which has some limitations, will expand in a comment
15:21:25 I wish Mozilla had a good option so we didn’t need to write our own
15:22:01 antonela: ideally same type of UI mechanism is used for auth and errors
15:22:28 yep
15:22:34 pili: I enjoyed reading about it too (when antonela first pointed to it)
15:23:20 ok, so I guess we need some more feedback from people on #30237
15:23:36 yes, thanks acat too!
15:24:11 do we agree that we don't want to make the credential dialog spoofable?
15:24:21 definitely!
15:24:24 ye sure
15:24:27 that's probably the first big decision to make
15:24:52 okay, good
15:24:53 GeKo: mcs and I think that Mozilla is not doing a good job in this area
15:25:02 well, i agree
15:25:11 but here we are :)
15:25:15 because they got good improvements saving passwords
15:25:20 but this is not a password
15:25:34 yes
15:26:31 lets see, i'll comment some findings about the http auth ui i got when i configured mine 8)
15:27:13 ok, so antonela will try some things out and report back? or you already did? :)
15:27:14 and we hopefully get some feedback from others on this
15:27:33 i made a first approach in #30024
15:27:48 well, we already talked about all this ideas, i just put them together
15:28:01 It may have some errors but take it as a conversation starter
15:28:22 (like alt-svc doesn't allow users prompt, and so on)
15:28:48 i had more questions than answers at the end, so i think we are in a good path
15:29:49 ok, so this is probably a good time to go into the UX team updates :)
15:29:56 if there's nothing else on #30237
15:30:51 haha sorry, i read quickly
15:31:14 antonela: do you need some feedback on #30024 yourself? :)
15:33:07 what that means? that needs review yes, if the browser team has thoughts/ideas, those are welcome
15:33:29 yup, great
15:34:29 ok, I think that's everyone's updates then
15:34:57 we already discussed some of the current blockers already:
15:36:10 - network team was waiting for confirmation on approach for #30382 and we've agreed to go with socks errors
15:36:44 - brade and mcs are waiting for more feedback/reviews on #30237 for the TBB UI for client auth
15:37:04 yeah there is a chance we might do those even if TB doesn't need them... but much lower priority for now (#30382)
15:37:59 - antonela would like a review on #30024 from browser team (and others) for the alternative onion service workflow
15:38:06 any other blockers/dependencies?
15:39:15 i dont think so
15:39:30 ok, let's move on to stakeholder updates
15:39:35 anyone have any? :)
15:41:14 ok, I'll go then, syverson_ and I had a good talk today about the work they've been doing that may overlap with some of the S27 project objectives
15:41:31 and if there is any way we can take advantage of the research they've done on this already
15:41:57 mainly around usability of long onion names and alt-svc / alt-onion
15:42:27 * syverson_ says hi
15:42:41 I think we should have at least one session at the dev meeting in stockholm dedicated to S27, probably 2 at least though
15:43:02 syverson_: o/
15:43:10 hi syverson_!
15:43:35 one for O2A5: human-memorable onion addresses
15:43:52 and another on alt-svc
15:44:13 does anyone have any other suggestions on what would be good to discuss in stockholm for this project?
15:45:13 I'll take that as a no then... ;)
15:45:16 We have a (crappy) WebExtension already built to counter the tracking and censorship inherent in alt services
15:45:18 but feel free to suggest any to me if you think about it
15:45:27 would be happy to talk about that there.
15:45:38 sounds good!
15:45:53 a demo could be nice also :)
15:46:34 planning to do one at HotPETs if talk is accepted. Can certainly demo this and all other features of extension at tordev meeting too.
15:47:39 yeah, not sure how many of us will stick around for HotPETs unfortunately
15:48:03 ok, any other items or comments from anyone?
15:48:24 hence can demo at tordevmeeting too
15:49:47 great! :)
15:50:40 ok, no one seems to be very chatty today, so I think I will call the meeting over and give people 10 minutes back ;)
15:50:47 thanks everyone for joining!
15:50:54 #endmeeting