10:59:50 <richard> #startmeeting Tor Browser Weekly Meeting 2022-06-21
10:59:50 <MeetBot> Meeting started Tue Jun 21 10:59:50 2022 UTC.  The chair is richard. Information about MeetBot at http://wiki.debian.org/MeetBot.
10:59:50 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
10:59:57 <richard> it's that time of the week once more
11:00:40 <richard> if you could also take the time to update your gitlab boards as well that would be swell
11:00:51 * msim will be back in 30 seconds to run and get some water
11:02:30 <msim> richard: could you send the pad link again?
11:02:40 <richard> https://pad.riseup.net/p/tor-tbb-keep
11:02:46 <msim> thanks :)
11:02:51 <richard> :)
11:03:39 <PieroV> richard: can I move stuff from next to backlog?
11:04:56 <richard> yeah if you're not working on it please do
11:05:59 <richard> ideally I'd like to get all of our tickets properly labeled/categorized before the new hires start (you know, so we have an idea of what work needs to be done)
11:06:16 <richard> so any help in your local neighborhood is helpful :)
11:09:53 <richard> ok everyone
11:10:16 <richard> i don't see any bolded items
11:10:34 <msim> bolded one thing just then
11:10:46 <richard> :)
11:10:56 <msim> (do i just start talking about it?)
11:11:02 <richard> yeah go right ahead :)
11:11:21 <msim> okay so tjr has done afaict all the work on mozilla's end on the webrtc work so far
11:11:31 <msim> but that's been a very slow process over the last 5 years
11:11:52 <msim> 2 months ago tjr added a comment to one of the tickets saying he'd be happy to mentor someone, so atm i'm trying to schedule a time to take him up on that offer
11:12:09 <msim> in the meantime though, since tor-browser-build!443 is (hopefully for real this time) done
11:12:29 <msim> what should i be doing? richard do you want me to do some other tickets in the meanwhile?
11:13:05 <msim> (also i haven't checked but i'm also blocked by the base-browser building in tbb)
11:13:23 <richard> I assume you've verified !443 builds when rebased against master?
11:13:45 <msim> not yet, build is running on tb-build-05 right now
11:13:51 <boklm> there might be some changes needed after !443 gets reviewed again
11:13:56 <msim> only just got access to it today, so toolchaining is slow D:
11:14:12 <richard> boklm: yes
11:14:23 <msim> boklm: that's true
11:14:56 <richard> I've only glanced over it but I wonder if tor-browser should be consuming the PTs directly from the tor project rather than individually now
11:15:23 <richard> but that discussion can go on the MR
11:15:41 <boklm> ah, you mean making the PTs as dependencies on projects/tor?
11:15:53 <msim> they already are now as part of the expert bundle
11:16:21 <richard> yes, there should in theory now be some duplication of work there
11:16:40 <richard> but I'm happy to leave it with your judgement boklm
11:16:59 <boklm> I will look at the MR
11:17:05 <msim> afaict now there's no reason to have the non expert bundle any more - the expert bundle just adds the PT stuff in, which isn't exactly a lot of overhead
11:17:22 <richard> msim: I'll see about finding you another ticket to work on in the interim later today
11:17:25 <boklm> what is the "non expert bundle"?
11:17:46 <msim> boklm: i'm using "non expert bundle" in regards to what it generates with expert_bundle set to 0
11:17:50 <msim> so like, the normal package i guess
11:18:10 <PieroV> (I wonder whether this could benefit also core Tor people (re: the email thread about reproducible build in the GitLab CI))
11:19:19 <boklm> the thread about Gitlab CI is about building debian tor packages
11:20:29 <msim> it looks like the only difference between the regular bundle and the expert bundle (which was windows only), was that the expert bundle included gencert.exe
11:22:06 <msim> since tor-browser has to consume PTs anyway, the only overhead by replacing the regular bundle with the expert bundle would be gencert.exe on windows
11:22:57 <boklm> we can discuss that in the MR
11:23:10 <richard> perfect
11:23:17 <richard> ok let's move on to PieroV's discussion items
11:23:22 <msim> boklm: sounds good
11:23:50 <PieroV> So, 13 years ago, there was a CVE on TLS
11:24:25 <PieroV> So, Mozilla added a preference to require a safe negotiation, but never enforced it by default
11:25:17 <PieroV> Because the possible problem was that many servers didn't support that negotiation (RFC 5746). Moz hasn't updated the preference, but in these 12 years things changed, and for SSL Labs 99.2% of sites now have that RFC
11:25:41 <PieroV> Can we enforce the preference in 11.5? Or should we delay it to 12.0, so that we can get some alpha test?
11:26:19 <boklm> what happens with the 0.8% sites if we enable that?
11:26:19 <PieroV> Normally it would be the second, I think, but 99,2% is high enough, for me
11:26:37 <PieroV> Uhm, either error, or downgrade to http I think
11:26:58 <PieroV> I should create some server that doesn't support it, just to see the outcome
11:27:11 <boklm> I think we could test it in one or two alpha releases before backporting to stable
11:27:51 <msim> i might raise this with tjr when i talk to him next, since the last edit on the wiki page that PieroV linked was by someone who doesn't work at Moz anymore
11:28:05 <richard> so the problem there was I'd hoped the next stable (ignoring 11.0.15) would be 11.5 >:[
11:28:05 <msim> and the last edit before that was 2015
11:28:22 <boklm> (not including it in 11.5 directly, but not waiting until 12.0 either)
11:28:34 <richard> oh right
11:28:37 <richard> we can just do that
11:29:20 <richard> yeah let's plan on it for the next alpha
11:29:23 <boklm> including it in 12.0a1, and backporting later in something like 11.5.1 or 11.5.2
11:29:40 <richard> precisely what boklm said^
11:29:47 <PieroV> Okay, sounds good to me
11:31:08 <richard> ok next thing while I update the issue tracker
11:31:08 <PieroV> I've added a FF102-esr even though it is a small abuse of the tag
11:31:56 <PieroV> Next thing is whether we should just yolo and include all Noto Sans fonts, or switch to an include by default, and exclude only if there's some reason
11:32:11 <PieroV> It's less than +4 MB when using LZMA
11:32:20 <PieroV> +16MB uncompressed IIRC
11:34:15 <boklm> so it would make it easier to solve some fonts issues?
11:34:36 <PieroV> it would be proactive, rather than waiting for users telling that font x doesn't work
11:35:12 <boklm> ok
11:35:50 <richard> PieroV: do you have any insight into why we haven't included them all before now?
11:36:09 <boklm> ah, I was wondering the same
11:36:10 <PieroV> richard: we were stuck on a Noto Font version from 2015
11:36:19 <PieroV> So I think they just didn't exist, back then
11:37:23 <richard> wfm
11:37:36 <boklm> wfm
11:38:04 <PieroV> Some fonts are also covered by the OS, in case of Windows and Mac. So the Noto fonts are redundant for that case
11:38:38 <PieroV> The reason not to include these fonts is saving some space, but I don't know how much, now (one I can think of is Arabian)
11:38:46 <boklm> ah, should we remove redundant ones?
11:39:01 <PieroV> So far we don't add them
11:39:15 <PieroV> That's the reason for which in my MR Windows has less Noto fonts than Linux
11:40:27 <boklm> I think it's useful to make bundles smaller if it doesn't make things much more complex
11:40:50 <richard> PieroV: so what's the testing situation look like for us here?
11:41:22 <richard> i would rather not just increase the size of the tb installer naively
11:41:52 <richard> since 4mb * 32 locales * 5 skus (not counting android)
11:41:53 <PieroV> Thorin has some nice toys
11:42:20 <richard> is a non-trivial amount of data
11:42:22 <PieroV> They're available to add scripts, if we believe they're missing. So far there are 30-40 scripts we are missing, but Noto contains 170 fonts
11:42:54 <PieroV> richard: well, the solution is easy: we should stop doing single-lang packages
11:43:08 <richard> haha i mean you're not wrong
11:43:35 <richard> maybe that's something we should aim for in the 12.0 release
11:43:36 <boklm> yes, that's something we should do at some point
11:43:48 <boklm> it will make a lot of things easier
11:43:50 <PieroV> It would also make build much faster
11:43:55 <richard> given that we'll be rich in developers soon
11:43:58 <richard> (and signing)
11:45:28 <PieroV> anyway, we could also set a threshold for scripts we want to support based on some metrics
11:46:39 <PieroV> (and another one to possibly update could be STIX, to STIX Two, but I haven't checked the advantages, yet)
11:47:44 <richard> does thorin's nice toys give us an idea of how many scripts are missing?
11:48:16 <PieroV> Yes and no: we're missing about 30-35, according to fontscripts.html, but Noto supports many more
11:48:28 <PieroV> These 30 are 1MB uncompressed
11:49:36 <richard> I'm somewhat inclined to say yolo and just include the fonts
11:51:41 <richard> if it's easy see if we can prune the list to something that makes sense for each of our platforms
11:52:05 <richard> if it's not easy yolo put them all in and pinky promise we'll make progress on single-lang packages
11:52:15 <richard> er multi-lang packages*
11:52:42 <PieroV> sounds good to me
11:53:15 <richard> ok, anything else?
11:53:37 <PieroV> I'm available also at a later time if you want to try to reschedule this meeting
11:53:50 <boklm> richard: are you planning to do the 11.0.15 signing, or should I do it?
11:54:48 <msim> for the next 2 weeks i can go 2 hours later for the meeting, from the 11th jul onwards i can do 1 hour later than now
11:54:57 <msim> ^re what PieroV said
11:55:46 <richard> boklm: what's the current state of Android signing?
11:56:03 <richard> just what sysrqb sent us?
11:56:33 <richard> well regardless, I'm happy to take the 11.0.15 signing this week
11:56:36 <boklm> richard: I haven't looked at it yet, so maybe we can ask GeKo to do the signing for the stable, and I can try signing the alpha
11:56:52 <boklm> (for android)
11:57:18 <richard> ok, that sounds like a good plan to me
11:57:38 <boklm> richard: ok. and tomorrow we should see if the windows issue is fixed.
11:57:47 <richard> fingers crossed
11:58:50 <richard> we should spec out a new signing machine/signing infrastructure setup in the near future for all the reasons highlighted in your mail
11:59:08 <boklm> ok
11:59:09 <richard> particularly having a backup/being able to do upgrades in precisely this situation
12:00:25 <richard> ok wow where's the time gone
12:00:36 <richard> i think we covered everything
12:00:40 <richard> see you all on irc
12:00:42 <richard> 3endmeeting
12:00:45 <PieroV> thanks all!
12:00:46 <richard> ahem
12:00:48 <richard> #endmeeting