18:01:03 <sysrqb> #startmeeting Tor Browser meeting 21 September 2020
18:01:03 <MeetBot> Meeting started Mon Sep 21 18:01:03 2020 UTC.  The chair is sysrqb. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:01:03 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
18:01:38 <sysrqb> This is the time and place
18:01:45 <sysrqb> here is the pad: https://pad.riseup.net/p/tor-tbb-2020-keep
18:02:09 <sysrqb> you are the participants, wllcome all
18:02:14 <sysrqb> *welcome all
18:02:25 <Jeremy_Rand_Talos> hello!
18:03:15 <antonela> hello!
18:03:29 <ahf> hello
18:05:07 <gaba> so far we only have 1 discussion item
18:06:26 <sysrqb> sorry, now we have two
18:07:29 <sysrqb> ahf: "Mobile API usage survey"?
18:07:50 <sysrqb> is that sitll a work in progress or are you already sending it to people?
18:07:54 <sysrqb> *still
18:08:23 <ahf> we have tested it with benjamin
18:08:43 <ahf> about what they need for ios
18:09:06 <ahf> but the pad needs some revisions i think. i dont know what next step is here, but i think gaba might know?
18:09:41 <sysrqb> okay. cool
18:10:22 <sysrqb> please don't forget to include us (browser/application people) in it :)
18:10:25 <ahf> network team need to figure out what we need to do for people who are integrating tor because right now it is a bit of a pain
18:10:27 <ahf> no no no
18:10:31 <ahf> you are coming in for the android stuff
18:10:35 <ahf> XD
18:10:45 <sysrqb> sounds good
18:12:21 <sysrqb> alrighty. we have Tor Browser 10.0 and 10.5a1 releases this week
18:12:59 <sysrqb> we'll see later in this week if we can release the first android alpha based on fenix
18:13:25 <gaba> wrt to api survey, the next step will be for me to start organizing meeting with people.
18:13:28 <sysrqb> we still have some implementation pieces remaining, and some build reproducibility
18:13:31 <gaba> sysrqb: i will include browser
18:13:47 <sysrqb> gaba: thanks
18:14:47 <gaba> sysrqb: one more thing. the issue for the survey is https://gitlab.torproject.org/tpo/core/team/-/issues/14
18:15:41 <sysrqb> great, thanks
18:16:08 <sysrqb> i hope i can follow along, but i'll probably forget and then participate in the survey when it's ready :)
18:16:31 <gaba> ok
18:17:34 <sysrqb> mikeperry: did you already start on the audit script?
18:18:00 <sysrqb> and you don't have another natural disaster headed your way this week, right?
18:18:18 <mikeperry> no
18:18:19 * sysrqb is losing track of all the natural disasters
18:18:50 <sysrqb> okay
18:19:00 <mikeperry> I am still thinking about how to do it and if I should include desktop stuff too
18:19:05 <mikeperry> I am guessing android is most important?
18:19:26 <sysrqb> most important, yes, but if you can get desktop for free (or almost free) then please try to include it
18:19:45 <sysrqb> we'll need desktop before we move onto the release train for that piece
18:20:02 <sysrqb> but that isn't in the pipeline for another couple months (probably, maybe)
18:20:10 <GeKo> and there is mobile code that uses general network proxy settings in geckoview
18:20:16 <mikeperry> making sloppy script is easy. making it nice and easy to add things and give context and such may be trickier
18:20:26 <GeKo> see fenix#40045
18:20:49 <GeKo> so, i am not sure whether there is a clear line we can draw here
18:21:11 * antonela needs to step out - door, brb
18:21:19 <sysrqb> k
18:23:05 <mikeperry> yah
18:23:24 <mikeperry> that client could also get set to a basic http client, which I think uses system proxy settings
18:23:36 <mikeperry> or to the system webkit
18:23:46 <sysrqb> yeah, and application-services#1 reminded me of https://bugzilla.mozilla.org/show_bug.cgi?id=1620045, too
18:25:02 <sysrqb> the positive answer is that it seems mozilla is generally respecting the network proxy settings
18:25:44 <sysrqb> the unfortunate part is that the APIs are very flexible, and changing from (for example) gecko to webkit is very easy
18:25:54 <mikeperry> when I looked at the client usage, it looked ok
18:25:55 <mikeperry> yah
18:26:13 <sysrqb> so we need to make sure these parts don't change in the future (accidentally)
18:26:29 <acat> i wonder if sth like https://developer.android.com/studio/command-line/apkanalyzer can help here
18:27:12 <sysrqb> acat: that looks nice
18:27:25 <sysrqb> getting a diff between apks
18:27:48 <sysrqb> we should catch these issues during code review when we rebase, too
18:28:07 <sysrqb> but i'd feel better if we had some tooling to help here, too
18:29:43 <sysrqb> acat: can you open an issue for something like "investigate tools for identifying changes between fenix versions"?
18:29:55 <sysrqb> the wording could be better
18:29:56 <acat> sure
18:30:02 <sysrqb> but something so we're reminded that we want this
18:30:18 <sysrqb> and you can add the apkanalyzer as a possible option
18:30:34 <sysrqb> thanks
18:30:44 <sysrqb> antonela: are you back?
18:31:53 <sysrqb> ahf: are you looking at the fenix migration stuff this week, as well?
18:33:00 <GeKo> right, we need to test one at least once for alpha users
18:33:20 <GeKo> so, probably at least one additional alpha after the first one
18:33:31 <ahf> sysrqb: i think i will be done tomorrow morning with it, then probably try to grab something else from you
18:33:49 <sysrqb> ahf: great, thanks
18:34:56 <sysrqb> GeKo: is your comment for the migration or diff tooling?
18:35:16 <GeKo> migration
18:37:09 <sysrqb> i'm not sure i follow why we need at least two alphas for testing the migration
18:37:28 <ahf> is it from alpha to alpha or what do you mean by that?
18:37:31 <sysrqb> i think we want two for general testing, so i'm not opposed to this
18:37:35 <GeKo> yes
18:37:53 <ahf> ok
18:37:58 <GeKo> we should test whether the fennec alpha -> fenix alpha migration works
18:38:16 <GeKo> so we have an idea whether the fennec stable -> fenix stable migration works
18:38:17 <ahf> ah, right. i thought you meant one fenix alpha to another fenix alpha. makes sense
18:39:02 <GeKo> hrm
18:39:21 <GeKo> what happens to fennec alpha users once we release the first fenix alpha?
18:39:56 <GeKo> maybe i have the logic wrong here
18:40:03 <sysrqb> if they are using a recent-enough android version, then they become fenix users
18:40:13 <GeKo> and if not?
18:40:14 <sysrqb> we're migrating in-place
18:40:24 <sysrqb> then they never upgrade
18:40:25 <ahf> no, it sounds right. if we continue those two channels they will be upgraded so that needs to be tested too
18:40:32 <sysrqb> same as fennec
18:40:40 <GeKo> aha, okay you get that for free then
18:40:49 <sysrqb> yes
18:40:57 <GeKo> why do we need to test the upgrade logic then
18:40:59 <GeKo> ?
18:41:11 <GeKo> because that seems to be like a normal update then, no?
18:41:15 <GeKo> "normal"
18:41:23 <sysrqb> mostly just a sanity check
18:41:34 <GeKo> ah, okay. then scratch my comment
18:41:36 <sysrqb> ah, and because fenix stores information differently
18:41:38 <ahf> to make sure that bookmarks and other state isn't dropped. i took it as a make sure nothing breaks
18:41:41 <sysrqb> which is why there is custom migration logic
18:41:48 <ahf> and there is some logic to upgrade from one to another
18:42:00 <ahf> i don't know if i use the term upgrade there correctly. sounds like it should be called migrated here
18:42:00 <GeKo> from one fenix to another one?
18:42:09 <ahf> no
18:42:27 <ahf> from current TB to Fenix based TB
18:42:32 <GeKo> k
18:42:49 <GeKo> so, yes, then there is no need for two alphas for that, cool
18:43:00 <antonela> sysrqb: now back, sorry
18:43:10 <GeKo> we get the fallout from upgrading to the first fenix alpha, nice
18:43:11 <sysrqb> good, i'm glad you're on the same page now :)
18:43:23 <sysrqb> yeah
18:43:23 <ahf> buenos
18:43:48 <sysrqb> antonela: cool. as usual, i am late in asking this, but is there a comms plan for Tor Browser 10.0 release?
18:44:08 <sysrqb> are we just releasing the normal blog post?
18:44:34 <antonela> normal blogpost, some social media, i'm copypasting your changelog from tor-qa
18:44:51 <antonela> we can discuss the details of the highlights right after this meeting
18:45:04 <sysrqb> okay
18:45:06 <antonela> what we will do with tba?
18:45:21 <sysrqb> that is the next question/discussion item
18:45:26 <antonela> great
18:46:37 <sysrqb> i reached out to mozilla, and they will help us (some amount) for discovered/disclosed security issues over the next couple weeks
18:47:18 <sysrqb> i dislike the idea of discouraging people using the current Tor Browser app during this time
18:47:51 <sysrqb> because that sends mixed signals and will likely scare people away from tor browser on win the longer-term
18:48:43 <mikeperry> +1 nice
18:48:56 <antonela> i agree, do we have a list of potential threats? something we want to advise people specifically on?
18:49:28 <sysrqb> i'd like to say something like "Android Tor Browser is under active development, and we are supporting the current Android Tor Browser until the new version is ready. We expect the new Android Tor Browser will be released in the beginning of October."
18:49:58 <acat> sounds good to me
18:50:08 <sysrqb> i don't think we should commit a specific release day
18:50:22 <sysrqb> but I hope "Early october" is vague enough that we have some flexibility
18:50:41 <antonela> we can use the same comms pattern we did during 9.06 about disabling JS https://www.torproject.org/download/
18:50:49 <GeKo> sysrqb: we should mention that mozilla is helping us keeping an eye on potential security issues in the mean time
18:50:52 <antonela> banner in /download and a mention in the release blogpost
18:51:16 <GeKo> because users would start wondering what the security story is here
18:51:17 <sysrqb> GeKo: i'll confirm Mozilla is okay with saying this publicly
18:51:23 <sysrqb> yeah
18:51:34 <sysrqb> we are walking a fine line here
18:51:42 <GeKo> yeah
18:51:58 <GeKo> i am totally fine seeing some hand-wavy thing on our blog
18:52:15 <GeKo> being non-committing etc.
18:52:32 <GeKo> and making sure the blame falls on us if we mess up
18:53:07 <sysrqb> yeah
18:54:09 <sysrqb> okay, good
18:55:16 <sysrqb> i was hoping we could assign people for remaining unassigned tickets
18:55:19 <sysrqb> https://gitlab.torproject.org/groups/tpo/applications/-/issues?scope=all&utf8=%E2%9C%93&state=opened&milestone_title=Tor%20Browser%3A%2010.0&assignee_id=None
18:55:32 <sysrqb> for the Tor Browser 10.0 milestone
18:55:41 <sysrqb> but with 3 minutes remaining, i don't think we have time
18:56:35 <sysrqb> GeKo: did you add the FF82 tickets into the milestone in preparation for 10.0.1 (or 10.0.2) whichever comes at the end of October?
18:56:59 <sysrqb> as in, this milestone now has tickets for future 10.0 releases?
18:57:19 <GeKo> the milestone is meant to be for the whole life of 10.0
18:57:39 <sysrqb> yeah
18:57:40 <GeKo> if things should land in 10.5 first they should go into the 10.5 milestone
18:57:46 <GeKo> and then get backported
18:57:49 <GeKo> imo
18:57:57 <GeKo> but with the fenix things this is tricky
18:58:05 <GeKo> because we still target 10.0 for them
18:58:14 <sysrqb> yeah, i agree, i wonder how we should tag issues that should go into specific 10.0 releases
18:58:18 <GeKo> hence the milestone for the ff82 tickets
18:58:34 <GeKo> so
18:59:09 <GeKo> the original idea was to use the 10.0 milestone for all minor releases, too
18:59:27 <GeKo> because there would not be so many changes between bugfix only releases
18:59:53 <GeKo> however, the mobile world is following a different model now
18:59:56 <sysrqb> ah ha
19:00:02 <GeKo> with the regular release train
19:00:03 <sysrqb> right, okay, that makes sense
19:00:52 <GeKo> so, i think we need to figure out whether we still want to adhere to the .0 and .5 releases as major releases
19:01:01 <GeKo> or whether mobile changes that part
19:01:21 <GeKo> and then we can figure out whether the .0 milestone is enough to track everything
19:01:32 <sysrqb> yes, but that can be in a different meeting
19:01:37 <GeKo> or whether we need to have something more fine-grained
19:01:40 <GeKo> yep
19:01:40 <sysrqb> but we should discuss it
19:01:59 <GeKo> yeah.
19:02:14 <GeKo> right now things that land on 10.0.x first have 10.0 as milestone
19:02:33 <GeKo> and those with 10.5(a)x 10.5
19:02:34 <sysrqb> wfm
19:02:39 <GeKo> at least that's the idea
19:03:05 <sysrqb> yep
19:03:21 <sysrqb> okay, i think antonela answered the final discussion point on the ticket
19:03:52 <sysrqb> so, with that i'll close this meeting
19:03:56 <sysrqb> thanks everyone
19:04:08 <sysrqb> sorry we ran a little over time
19:04:11 <sysrqb> #endmeeting