#tor-meeting log

14:59:35 <richard> #startmeeting Tor Browser Weekly Meeting 20220-10-03
14:59:35 <MeetBot> Meeting started Mon Oct  3 14:59:35 2022 UTC.  The chair is richard. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:59:35 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:59:36 <richard> o/
14:59:40 <boklm> o/
14:59:54 <richard> good morning afternoon and evening! the pad is here: https://pad.riseup.net/p/tor-tbb-keep
15:00:07 <dan_b> o/
15:00:49 <Jeremy_Rand_36C3[m]> Pad onion down for anyone else, or is that just my Tor connection being flaky?
15:01:01 <PieroV> I'm with Firefox and it works
15:01:09 <Jeremy_Rand_36C3[m]> (I filled in my info 10 minutes ago before it went down, so doesn't really matter I guess)
15:01:24 <boklm> it was working a few minutes ago but not anymore, and then working again now
15:01:42 * Jeremy_Rand_36C3[m] shrugs
15:01:57 <Jeremy_Rand_36C3[m]> Indeed, just came back
15:11:20 <richard> ok looks like we have some things to talk about
15:12:14 <richard> boklm: I answered on the pad but I have intermittent access to an arm macto verify the new macOS builds
15:12:22 <boklm> ok, thanks
15:12:28 <richard> are we shipping a single x86_64+aarch64 bundle then?
15:12:32 <boklm> yes
15:12:42 <PieroV> \o/
15:12:46 <richard> ok i can also verify in an x86_64 vm
15:12:49 <richard> that's super exciting
15:13:00 <boklm> so we need to check that's it's working on both
15:13:04 <richard> I know donuts has been anxios for those :D
15:13:19 <donuts> indeed, very exciting :D
15:13:41 <richard> do you have testbuilds uploaded anywhere? otherwise i can fire that off after this meeting
15:13:50 <boklm> yes, I uploaded a testbuild
15:14:05 <richard> ah ok probably on the ticket
15:14:06 <richard> ok great
15:14:10 <boklm> https://people.torproject.org/~boklm/builds/macos-aarch64-testbuild1/
15:14:20 <richard> donuts^
15:14:35 <donuts> ty ty
15:14:54 <boklm> however it's not codesigned, so maybe there is something to do to be able to run it
15:15:16 <PieroV> Right click -> open instead of double click
15:15:22 <richard> yes, you typically need to right click->open and then hit yes trhough the warning prompt
15:15:32 <PieroV> (but I might have done something to become dev to do so)
15:15:32 <richard> then you can usualy open without having to do that after it's allow listed
15:16:11 <richard> ok onto the next thing
15:16:23 <donuts> "The application “Tor Browser” can’t be opened."
15:16:25 <donuts> hrmmmm
15:16:38 <richard> PieroV: to my knowledge esr91 is dead long live esr102 re security patches
15:16:51 <PieroV> oh, okay
15:17:01 <richard> why do you ask?
15:17:06 <PieroV> I was wondering if they still did something, e.g. for some Linux distros
15:17:55 <richard> tjr would know the real answer to this
15:17:57 <Jeremy_Rand_36C3[m]> PieroV: FWIW Debian is on 102 already.  No idea about CentOS.  I think those are the only ESR-based distros Mozilla would be likely to bend over backwards for?
15:18:08 <PieroV> So, do we need to go through each commit of 102.2 -> 102.3 to see what needs to be backported?
15:18:43 <PieroV> Jeremy_Rand_36C3[m]: I see, if they did it also for us it would be great :D
15:18:46 <richard> i only did this for the CVE bugs
15:19:30 <richard> (and a simlar process for android on alpha)
15:19:48 <Jeremy_Rand_36C3[m]> PieroV: that would be a nice, happy, uplifting AU fanfic :P
15:20:09 <boklm> https://www.mozilla.org/en-US/security/advisories/mfsa2022-41/ has the list of bug numbers
15:20:11 <PieroV> (what's AU in this context?)
15:20:32 <Jeremy_Rand_36C3[m]> ("alternate universe", it's a fan fiction term for fiction that doesn't conform to canon)
15:20:32 <richard> PieroV: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41310
15:20:49 <PieroV> richard: I can volunteer for the stable rebase
15:21:22 <PieroV> oh, right, no rebase needed
15:21:32 <PieroV> Well, to anything related to the release
15:22:09 <richard> PieroV: that would be great, and I can pick up anything left over tomorrow
15:22:30 <PieroV> wfm
15:22:39 <richard> desktop has the fixes reviewed and backported, just need to merge henry's YEC patches
15:22:53 <PieroV> oh, I think they said they need help with the font
15:22:55 <richard> alsmith et al don't seem to care about a particular time for the campaign to go live
15:23:04 <PieroV> (in the pad, not sure it was for the last week)
15:23:07 <richard> so long as it's on the the given day in the tickets
15:23:25 <richard> that was last week i believe
15:23:41 <richard> they ended up doing the same base64 blob technique from last year
15:24:49 <richard> stable for android is going to be more involved since we want to migrate to 102 for it (dan_b is in the middle of rebasing his YEC patch to 102 so we may be waiting on that until tomorrow as well)
15:25:30 <dan_b> so geckoview-102.3.0esr-12.0-1 or 102.2?
15:25:46 <PieroV> The former, I'd say
15:25:54 <dan_b> ok
15:25:55 <richard> yes
15:26:15 <ma1> will it be "geckoview-xxx" or "tor-browser-xxx"?
15:26:24 <richard> the current alpha (maybe sans any fresh patches unique to the 12.0a3 release)
15:26:28 <richard> for stable still geckoview
15:27:26 <richard> jeremy: re cloudflare i have no contacts but I'll ping some people who might
15:27:46 <dan_b> I think my geckoview was on 102.2 so updating to 102.3 now
15:28:10 <Jeremy_Rand_36C3[m]> richard: OK.  If this is intentional malice on CF's end (i.e. they don't want to support Nightly users) then there's not much we can do, but I'm guessing it's accidental (lack of coordination between Tor and CF)
15:28:11 <dan_b> but I was still seeing that problem in android-components I'd see last month where it fails to compile with being unable to find torSecurityLevels
15:28:15 <dan_b> anyone seen that?
15:28:47 <PieroV> dan_b: you might try to set .3 on the TB version, and you should switch channel either to beta or to nightly
15:29:00 <PieroV> (ma1 found this, I didn't know because we always had the beta channel in the past)
15:29:21 <Jeremy_Rand_36C3[m]> richard: CF has been sufficiently unpleasant for me since Nightly moved to ESR102 (I run Nightly in production on one machine) that I've had to revert that machine to TBB stable in order to get work done without constantly hitting CAPTCHAs
15:29:21 <boklm> Jeremy_Rand_36C3[m]: yes, it usually happens when we switch esr version, so I think they need to update something on their side
15:29:38 <PieroV> (err, the .3 in the GV version, but you should that only on local builds, I think)
15:29:55 <richard> I presume this also happens in alpha then?
15:29:59 <Jeremy_Rand_36C3[m]> boklm: right, that's my guess -- it would be desirable if there were some contact wherein we could give CF a heads up when Nightly switches ESR versions
15:30:00 <dan_b> i've been running it with -with-tor-browser-version=12.0a1
15:30:16 <Jeremy_Rand_36C3[m]> richard: I don't run Alpha so I'm not sure but I assume so
15:30:38 <richard> can't imagine why it wouldn't be vOv
15:31:56 <dan_b> android-components only has ac versions, of which i'm using android-components-102.0.14-12.0-1
15:32:10 <PieroV> dan_b: no, it has also GV version embedded
15:32:30 <PieroV> android-components/buildSrc/src/main/java/Gecko.kt
15:32:52 <dan_b> 0_o
15:33:15 <ma1> /**
15:33:15 <ma1> * GeckoView channel
15:33:15 <ma1> */
15:33:15 <ma1> -    val channel = GeckoChannel.RELEASE
15:33:15 <ma1> +    val channel = GeckoChannel.NIGHTLY //.RELEASE
15:33:17 <ma1> }
15:33:32 <dan_b> i see. ok, so change 102.0.20220705093820 to 102.3.20220705093820 ??
15:33:39 <PieroV> Yes, and then what ma1 wrote
15:33:45 <dan_b> oh and to NIGHTLY
15:33:50 <ma1> yep
15:33:56 <dan_b> wow, cool ok thanks
15:36:47 <richard> PieroV: do you have any intuition of the relative difficulty of moving torbutton vs multi-locale bundles?
15:37:27 <PieroV> richard: there's the issue about moving our patches to the Rust implementation of Fluent
15:37:45 <PieroV> It's another reason to get new identity moved asap
15:38:08 <PieroV> Apart from that everything should be okay with old l10n mechanism
15:38:20 <richard> ahhh, is then that localization migration (and so the torbutton migration) a pre-req for multi-locale bundles?
15:39:06 <PieroV> not really, it's in general the main problem I see with l10n
15:39:23 <PieroV> Which isn't strictly related to multi-locale.
15:40:03 <richard> hm, so basically i want to make sure we have multi-locale bundles for 12.0a4
15:40:11 <PieroV> Oh, maybe I haven't understood your question
15:40:22 <PieroV> The difficulty of moving torbutton is very high, compared to the multi-locale
15:40:42 <richard> yeah so that's sort of my worry
15:40:45 <PieroV> multi-locale could be as easy as flipping the pref in tor-browser-build
15:40:59 <PieroV> And +1 for doing it for 12.0a4
15:41:14 <richard> ok, can you prioritize multi-locale over the torbutton migration then
15:41:20 <Jeremy_Rand_36C3[m]> multi-locale is still a blocker for ARM and POWER ports, yes?
15:41:28 <PieroV> Well, actually +1 for doing it asap, so that we can test it in nightly
15:41:32 <Jeremy_Rand_36C3[m]> (Just making sure I haven't missed a memo somewhere)
15:41:56 <boklm> I think we'll need to do something to handle updates so that users from single locale get update to multi-locales bundle
15:42:15 <richard> boklm: agreed
15:43:03 <richard> PieroV: there's a recent tor-browser-build patch which touches that update logic I can point you to later
15:45:56 <ma1> PieroV, what's the torbutton migrattion issue? I'd like to take a look
15:46:13 <PieroV> ma1: we have to do the same we've done for tor-launcher to torbutton
15:46:24 <PieroV> I.e., take the code, refactor it, and move it to tor-browser.git
15:46:39 <richard> donuts: when do you think we'll have an icon-set for s131 browser? I think some testbuild of base-browser with the icon swap would be helpful yeah?
15:47:31 <donuts> I said two weeks to the sponsor to get visuals over for review, roughly aiming for the end of Oct to get final assets into your hands
15:48:30 <richard> ok that sounds perfect, i'll follow up on the ticket with precisely the assets needed for the branding swap
15:48:46 <PieroV> I still have a bolded item
15:49:02 <PieroV> That is: the unified GV-desktop branch is ready, and it was easier to do than I expected
15:49:31 <PieroV> So, I don't want to be pushy about it, but could if I could get a review for it soonish I'd rebase the tor-launcher MR on it :)
15:49:44 <boklm> so there is little changes between the two branches?
15:50:11 <donuts> richard: 👍
15:50:12 <PieroV> The bot assigned to boklm, but we could reassign it, if boklm already has a lot on his plate
15:50:28 <PieroV> boklm: the content seems a lot because I've also added the mozconfigs
15:51:06 <PieroV> But apart from that it was fixing a pair of compiling errors (I missed some pieces on the 102 rebase on Java files), fix a moz.configure thing
15:51:47 <PieroV> and finally moving the backend of Securitylevel to include it also when compiling for Androdi
15:53:34 <boklm> I can have a loot at it tomorrow, unless someone wants to take it
15:53:58 <richard> the soonest I could look at it is tomorrow as well
15:54:30 <ma1> If you want someone's earlier I could take a shoot at it PieroV
15:54:56 <PieroV> Thanks! Tomorrow or even on the next days works great for me :)
15:55:29 <PieroV> (but I think that a local build would be better to test it, I haven't prepared the tor-browser-build MR, but I should prepare one, too, now that I think of it)
15:56:03 <ma1> So you're keeping it as a draft until ready?
15:56:21 <PieroV> No, it's ready to be tested with a local build
15:57:39 <richard> ok i think that's everything
15:57:44 <boklm> will it require a lot of tor-browser-build changes, or is it just changing the branch name?
15:57:59 <PieroV> boklm: the branch name and add a JAVA_HOME variable, if we don't have one already
15:59:13 <richard> ok that's our time
15:59:14 <richard> #endmeeting