18:00:22 <gaba> #startmeeting Browser July 20th 18:00:22 <MeetBot> Meeting started Mon Jul 20 18:00:22 2020 UTC. The chair is gaba. Information about MeetBot at http://wiki.debian.org/MeetBot. 18:00:22 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic. 18:00:27 <gaba> Pad is in http://kfahv6wfkbezjyg4r6mlhpmieydbebr5vkok5r34ya464gqz6c44bnyd.onion/p/tor-tbb-2020-keep 18:00:28 <Jeremy_Rand_Talos> hi! 18:02:06 <gaba> please update the statuses. We will wait :) 18:03:25 <gaba> and add anything you may have to discuss to the agenda 18:06:09 <gaba> ok. should we start? 18:06:35 <sysrqb> good for me 18:06:58 <gaba> is the board up to date on what everybody is working on ? https://gitlab.torproject.org/groups/tpo/applications/-/boards 18:07:06 <gaba> are people using this board or finding it useful? 18:07:57 <GeKo> not sure yet :) 18:08:09 <GeKo> i still have some problems adjusting to the gitlab ui 18:08:16 <GeKo> with all the colors and stuff 18:08:56 <sysrqb> me too, but I haven't tried as hard as I should 18:09:21 <gaba> ok 18:09:37 <sysrqb> i think it'll be helpful in the future when I don't know what is needed within the next month 18:09:50 <sysrqb> but right now, we have an quickly approaching deadline 18:09:51 <GeKo> heh 18:09:52 <gaba> ok 18:10:03 <sysrqb> and we know what is needed in general 18:11:32 <sysrqb> okay, reviews 18:12:03 <sysrqb> https://gitlab.torproject.org/groups/tpo/applications/-/issues?scope=all&utf8=%E2%9C%93&state=opened&label_name[]=Needs%20Review&assignee_id=None&label_name[]=Sponsor%2058 18:12:11 <sysrqb> is empty, so that seems good 18:12:31 <gaba> all reviews are assigned 18:12:32 <gaba> nice 18:12:47 <gaba> does anybody have any review that you think nobody is taking care of? 18:12:54 <antonela> should i move my tickets which need comments to [review 18:13:01 <GeKo> i plan to look over the Merge Ready items to get them finally merged :) 18:13:15 <antonela> or we are actively working on them and reviews are just merge requests 18:13:23 <GeKo> antonela: i think pinging folks might be enough? 18:13:28 <GeKo> but i am fine either way 18:13:30 <gaba> antonela: please do and unassign yourself 18:13:51 <antonela> but i did not finish 18:13:58 <gaba> oh 18:14:02 <gaba> you just need comments 18:14:17 <antonela> right 18:14:19 <mcs> Can someone remind me what the protocol is for getting things reviewed? Create an MR and then add Needs Review? 18:14:19 <gaba> pinging people or comment with their names on it may be good 18:14:21 <gaba> to focus 18:14:29 <GeKo> mcs: yes 18:14:34 <mcs> oh, and reassign to the reviewer 18:14:39 <GeKo> yes 18:14:42 <antonela> right, matt has it in his todo list i bet 18:14:44 <mcs> I think brade and I missed some steps last week :) 18:14:50 <GeKo> (the MR that is) 18:15:10 <gaba> yes 18:15:19 <mcs> so reassign the MR and leave the issue assigned to the patch author? 18:15:43 <GeKo> yes 18:15:49 <mcs> thx 18:17:02 <sysrqb> I don't see anyone requesting help with any tickets/issues 18:17:45 <sysrqb> please grab someone's attention if you need during the week 18:18:34 <sysrqb> so, discussion topics 18:18:38 <sysrqb> we have a few this week 18:18:48 <gaba> I left the discussion on line 51 from last week there 18:18:55 <gaba> in case there is any other question about it 18:19:10 <sysrqb> yes, thanks 18:19:39 <sysrqb> i don't have anything to add on that 18:19:44 <mcs> good info; thanks 18:20:41 <sysrqb> okay, next item 18:20:55 <GeKo> gaba: we should probably go over the tickets you tagged with s58 after the meeting 18:21:01 <GeKo> some are not s58 related 18:21:14 <GeKo> (just to get the milestones right) 18:21:24 <gaba> yes 18:21:41 <sysrqb> some of you may be aware of the discussion that preceded tpo/applications/tor-browser#40033 18:22:13 <sysrqb> but, the short summary is that we know there exist some onion services that do not terminate at the onion service 18:22:25 <sysrqb> the connection extends passed the onion serices to a remote host 18:22:33 <gaba> mostly in enterprise onions, right? 18:22:55 <sysrqb> the onion service doesn't provide any guarantees about the "onion service" -> "remote web server" connection 18:23:14 <gaba> :( 18:23:22 <Jeremy_Rand_Talos> sysrqb, are you talking about TLS in Whonix-style scenarios as well as enterprise infra? 18:23:33 <sysrqb> if that connection goes over the internet, then a http connection between tor browser and an onion srevice using http may be secure 18:24:04 <sysrqb> but if the onion service -> remote server connection is not encrypted in another way, then the http connection is happening over the internet 18:24:08 <sysrqb> so fun times. 18:24:25 <sysrqb> Jeremy_Rand_Talos: not in particular 18:24:35 <sysrqb> gaba: yes, i hope 18:24:50 <sysrqb> but i don't know how often an onion service is deployed like this 18:25:09 <sysrqb> therefore, we have a problem 18:25:40 <sysrqb> where Tor Browser assumes onion services connections are secure 18:25:46 <ahf> hopefully none of them are deployed where the last link is over the internet with HTTP? :o 18:25:52 <Jeremy_Rand_Talos> sysrqb, so, IMO it's unwise to treat non-TLS onion as secure, because in Whonix style threat models the Tor daemon is in a different trust domain than the application, and onions terminate at the Tor daemon 18:26:04 <GeKo> ahf: there are 18:26:06 <sysrqb> (providing authenticity, integrity, and confidentiality) 18:26:14 <ahf> ok 18:26:16 <GeKo> which is the problem :) 18:26:57 <sysrqb> Jeremy_Rand_Talos: if that is in your theat model 18:27:04 <sysrqb> then I argue you're doing it wrong 18:27:15 <sysrqb> and Tor Browser should have its own tor client 18:27:25 <sysrqb> and that client connects to another gateway tor client 18:28:06 <sysrqb> using a remote tor client is kinda weird 18:28:45 <sysrqb> so, maybe this would be better discusssed at a dedicated meeting 18:29:09 <Jeremy_Rand_Talos> sysrqb, yeah let's defer my comment for later, don't want to hijack the convo :) 18:29:10 <sysrqb> and i saw acat snuck a comment onto tpo/applications/tor-browser#40033 just before the meeting 18:29:56 <sysrqb> but, given that we know about deployments where an onion service connection should not be considered as a secure channel 18:30:12 <sysrqb> we should think about what assumptions we can/should make about onion service connections 18:30:34 <sysrqb> and, maybe, what we should start doing such that in the future we can correctly make that assumption 18:30:41 <sysrqb> and what we should do in the mean time 18:30:55 <sysrqb> because tpo/applications/tor-browser#40033 has usability implications 18:31:36 <sysrqb> we have a release next week, and that should (probably) include a fix, of some sort 18:31:53 <sysrqb> so maybe i'lltry scheduling a meeting in the next day or two for this 18:32:06 <gaba> we are supposed to have a release meeting tomorrow 18:32:10 <gaba> at the same time as today 18:32:11 <sysrqb> (we have too many discussion topics today for that) 18:32:26 <gaba> https://pad.riseup.net/p/tor-browser-release-meeting-keep 18:32:30 <sysrqb> oh, true, we can take over the release meeting with this topic 18:32:36 <sysrqb> good idgaba 18:32:38 <gaba> yes 18:32:39 <gaba> let's do that 18:32:41 <sysrqb> *idea 18:32:49 <sysrqb> great 18:32:50 <gaba> do you think we should announce that this meeting its happening tomorrow? 18:32:52 <GeKo> sysrqb: i think we should not waste time to try to get into contact 18:32:59 <GeKo> with the problematic onion services we know 18:33:04 <gaba> in tor-project or tor-internal@ 18:33:10 <GeKo> maybe we can find a way to fix things together with them 18:33:23 <GeKo> because the problem runs way deeper than just cookies 18:33:32 <sysrqb> GeKo: yes, i agree 18:33:37 <GeKo> if we think we need to backout the cookie patch 18:34:02 <GeKo> we should bite the bullet and do not treat *any* http://xxxx.onion as secure 18:34:19 <acat> and change the security expectations patch i guess 18:34:24 <GeKo> which has far-ranging usability issues for mixed content and password entering 18:34:35 <GeKo> see #21321 18:34:51 <GeKo> and additionally, #23439 18:35:07 <GeKo> at the end of the day 18:35:22 <GeKo> if http gets strike-through or blocked 18:35:25 * Jeremy_Rand_Talos notes that a potential medium to long term solution is discussed in #33568 18:35:31 <GeKo> http://xxxxx.onion would need too 18:35:45 <sysrqb> yes 18:35:54 <GeKo> so, if we want to cross that bridge then we should be ready to burn down that whole thing 18:36:02 <GeKo> which we worked on over the last years 18:36:57 <GeKo> let alone getting all the code ripped out of firefox as we upstreamed everything here 18:37:06 <Jeremy_Rand_Talos> sysrqb, I don't usually attend the release meetings, but if this topic will be covered at this one, I would probably want to attend; what's the timeslot (so I know to keep my schedule open for it)? 18:37:20 <sysrqb> Jeremy_Rand_Talos: same time as this meeting 18:37:29 <Jeremy_Rand_Talos> ok, and that's tomorrow? 18:37:33 <sysrqb> gaba: but we should make clear our assumptions ues 18:37:37 <sysrqb> arg. 18:37:38 <sysrqb> yes 18:37:47 <sysrqb> gaba: maybe tor-project 18:37:51 <gaba> ok 18:38:01 <gaba> done 18:38:10 <sysrqb> GeKo: yes, i'm conflicted. 18:38:42 <sysrqb> but we should create a plan 18:38:48 <sysrqb> for one solution or another 18:38:55 <gaba> ok. Let's discuss this tomorrow 18:39:22 <sysrqb> yeah 18:39:28 <gaba> There are a few more topics in the agenda and only 20 min more of meeting :) 18:39:34 <GeKo> sysrqb: could you get it going making contact to whomever knows anything about the problematic onion service setups? 18:39:57 <GeKo> i feel we still don't have all the information or possible view points to make a proper decision 18:40:08 <sysrqb> GeKo: sure, yes 18:40:22 <GeKo> we have things alec said, yes. but that's it from the server side 18:41:04 <sysrqb> yeah 18:41:15 <sysrqb> okay. Fenix on Gitlab 18:41:16 <mikeperry> are problematic onion services exclusively the ones that have expensive .onion TLS certs? 18:41:31 <sysrqb> mikeperry: no 18:42:00 <GeKo> i don't think we know of any others, no? 18:42:04 <sysrqb> because, as the argument goes, if the webserver sends a cookie containing a credential over http but sets the secure attribute 18:42:14 <sysrqb> then, even though the original channel was not secure 18:42:26 <sysrqb> the browser should not echo that cookie over an insure channel in the future 18:42:31 <sysrqb> *insecure 18:43:00 <acat> but as GeKo said, then the actual problem is not just cookies, but anything that assumes that's a secure connection (e.g. logins) 18:43:13 <sysrqb> so, if the browser doesn't know if the onion service is terminated locally or remotely, then it can't make a decision about whether the channel was secure 18:43:21 <sysrqb> acat: right 18:43:25 <sysrqb> i agree 18:43:52 <sysrqb> okay. GitLab 18:44:14 <sysrqb> mirroring the fenix repo from github seems reasonable 18:44:22 <sysrqb> i know gitlab has a mirroring feature 18:44:29 <sysrqb> but i don't know how it works 18:44:34 <ahf> we have no way right now of automatically updating it, but i was thinking of pulling it over seems like a good start 18:44:46 <ahf> i also don't know if we want to do it via gitolite? 18:45:00 <GeKo> sysrqb: why would we want to mirror the whole repo and not just create branches as we need them 18:45:08 <GeKo> as we do right now for tor-browser? 18:45:20 <sysrqb> true 18:45:43 <gaba> Fenix hosting on Gitlab :) 18:45:44 <sysrqb> we'll create thosee branches manually 18:46:03 <sysrqb> so we can simply push the branches onto gitlab directly 18:46:09 <ahf> the fenix repo does already have a lot of branches in it, including their release branches 18:46:36 <sysrqb> and we should maintain signed HEAD git commit 18:46:47 <sysrqb> as we plan for the other repos 18:47:26 <ahf> with a signature someone in tor makes or is that something they provide? 18:47:41 <sysrqb> one of GeKo or myself (right now) 18:48:38 <ahf> cool 18:48:47 <sysrqb> ahf: how difficult is setting up CI on gitlab? 18:48:54 <ahf> very easy! 18:48:59 <ahf> and the machines that hans came with a beefy 18:49:06 <acat> and how heavy can it be? :) 18:49:06 <sysrqb> i'd like to run the existing unit tests in fenix (and other android projects) 18:49:21 <ahf> https://gitlab.torproject.org/tpo/core/tor/-/blob/master/.gitlab-ci.yml 18:49:29 <ahf> is all it needs to for tor to build on debian 18:49:41 <sysrqb> neat, thanks 18:50:08 <ahf> and the machines have 32 cores and a lot of RAM, so things are moving fast there 18:50:13 <sysrqb> while we are starting from a clean place, i'd like to try maintaining the tests in the next projects 18:50:16 <sysrqb> and adjusting them as needed 18:50:38 <ahf> so this is for fenix you are thinking? 18:50:58 <sysrqb> yes, and android-componetns, application services, glean 18:51:07 <sysrqb> but those can come after fenix 18:51:17 <ahf> hm, i haven't tried running fenix' test because i have just messed around in the build systems 18:51:27 <ahf> but maybe if it is very easy to run then it wouldn't be much work to do 18:51:38 <acat> sysrqb: and what about tor browser (desktop)? 18:51:48 <sysrqb> acat: we want that, too 18:52:06 <sysrqb> but i think that is a separate project 18:52:16 <sysrqb> and we can run the testsuite locally until then 18:52:43 <acat> we could maybe at least have linting (./mach lint) 18:52:57 <acat> although we can also run locally, i guess 18:53:24 <sysrqb> specifically we need to solve tpo/applications/tor-browser-build#23631 18:53:28 <ahf> how about i try to move a fenic repo over on gitlab just to see how that goes and try to see if i can do anything useful with it via gitlab ci? i wanted to the first today anyway 18:53:29 <sysrqb> acat: that's true 18:53:32 <sysrqb> we can try that 18:53:54 <sysrqb> ahf: sure 18:54:03 <sysrqb> i've run the tests fenix locally 18:54:08 <GeKo> sysrqb: boklm has a good patch for that i think 18:54:12 <ahf> you just run them on linux sysrqb? 18:54:13 <sysrqb> so i can help with getting the config setup 18:54:16 <ahf> without any emulator or anything? 18:54:25 <GeKo> we get to that ticket after we are done with release migration 18:54:28 <sysrqb> ahf: yes, linux 18:54:35 <ahf> sweet, gonna try that 18:54:37 <sysrqb> GeKo: yeah, i haven't looked at it, though 18:54:39 <GeKo> (and are getting rid of wheezy for linux) 18:54:52 <sysrqb> but i am happy to see it 18:55:19 <sysrqb> ahf: it's only the java/kotlin tests, which are platform independent 18:55:34 <sysrqb> i think there are android-specific tests, bu i haven't looked at them yet 18:55:47 <ahf> oki! 18:56:06 <sysrqb> okay, quickly tpo/applications/tor-browser#33962 18:56:27 <sysrqb> whose discussion item was DoH? 18:56:29 <mikeperry> yeah basically I realized that patch makes it unsafe for ppl to use DoH 18:56:32 <mikeperry> but is itself safe 18:56:43 <mikeperry> idk if that matters to us but I wanteds to flag it 18:56:59 <mikeperry> because I could see ppl on eg tor-talk going yolo to test DoH 18:57:50 <sysrqb> can we easily patch out the parallel request? 18:58:07 <mikeperry> and it will first break, and then they may decide to flip that pref, and then that becomes unsafe.. and not because DoH itself leaks, but because there's this perf experiment stuff, and some other fallback cases to native 18:58:57 <sysrqb> okay 18:59:00 <mikeperry> sysrqb: yeah it will be blocked by that pref.. like we could make a separate patch to disable DoH and not have that pref apply to DoH 18:59:13 <mikeperry> and then the parallel rerquests would fail due to that patch 18:59:27 <sysrqb> can you create a gitlab issue for it? 18:59:47 <sysrqb> this is something we should track 19:00:14 <mikeperry> ok 19:00:17 <sysrqb> in particular, related to tpo/applications/tor-browser#30753 19:00:37 <sysrqb> (we missed the "Tor Browser 9" boat) 19:00:39 <sysrqb> thanks 19:01:01 <sysrqb> we're running a few minutes over time 19:01:11 <sysrqb> so i'll end the meeting here 19:01:19 <sysrqb> mikeperry: thanks for bringing that up 19:01:22 <sysrqb> thanks everyone 19:01:29 <sysrqb> o/ 19:01:30 <Jeremy_Rand_Talos> thanks! 19:01:33 <acat> thanks 19:01:43 <ahf> o/ 19:01:58 <gaba> #endmeeting