#tor-meeting log

18:04:55 <donuts> #startmeeting Tor Browser Release Meeting 2022-12-12
18:04:55 <MeetBot> Meeting started Mon Dec 12 18:04:55 2022 UTC.  The chair is donuts. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:04:55 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
18:05:26 <donuts> well now it's started :)
18:05:40 <donuts> congratulations on last week's release everyone \o/
18:05:49 <PieroV> Thanks! Congrats team :)
18:06:01 <PieroV> And everyone who helped :)
18:06:24 <donuts> do we want to talk about 12.0 now, or start with future releases like we normally do?
18:06:41 <richard> best to stick to the script i think
18:06:52 <PieroV> I've added retrospective, but I wasn't sure we needed to talk about it :)
18:07:14 <donuts> we talked about feedback/bugs earlier, so we can open up the floor for process points later
18:07:24 <donuts> however let's do 12.0.1 first
18:07:41 <donuts> "Prepared, but waiting for Android CVEs"?
18:07:52 <PieroV> I've written that, not 100% sure it's correct
18:08:09 <PieroV> But CVE/security bugfixes are coming out tomorrow/Wed
18:08:20 <richard> yep
18:08:22 <PieroV> And that's something that is going to happen forever with Android now
18:08:32 <PieroV> (hence the second discussion point)
18:08:32 <richard> we will need another browser tag for ma1's DnD fixes
18:08:46 <richard> and but it's a mostly simple minor update
18:08:49 <donuts> yeah, what will the DnD fixes in that release be specifically (ma1?)?
18:09:25 <ma1> I've just pushed a MR which makes the bookmarks and the dnd navigation work again
18:09:39 <donuts> awesome! dnd navigation?
18:09:46 <richard> drag and drop*
18:10:10 <richard> oh dragging to the tab bar
18:10:19 <donuts> aha got it, from the canvas/page?
18:10:20 <richard> to create a new tab (right?)
18:10:24 <ma1> yeah
18:10:30 <richard> yeah from the content window
18:10:32 <donuts> whaaaaat
18:10:39 <donuts> nice!
18:10:58 <ma1> also on the URL bar. And on the bookmark bar to create bookmarks. And onto the places windows/panels. And so on.
18:11:11 <donuts> that's fantastic, I'm super happy with that
18:11:18 <ma1> The only thing which should be blocked ATM is dropping in another app
18:11:35 <donuts> we may want to consider some visual UX to explain why you can't dnd things _out_ of tor browser at some point, maybe
18:11:35 <donuts> yeah
18:11:36 <ma1> (which is what we wanted in the first place)
18:11:36 <richard> there's still some outstanding commetns on that MR last I checked, but i suspect it'l be ready for tomorrow/the day after
18:11:44 <donuts> but that's less urgent
18:11:50 <ma1> richard, I suspect I've fixed all that 2 minutes ago
18:12:00 <ma1> (including dnd within the same window)
18:12:02 <richard> nice nice
18:12:13 <PieroV> ma1: other apps, or other TBB windows?
18:12:23 <donuts> ah good question
18:12:25 <ma1> other apps
18:12:34 <donuts> so does window to window work?
18:12:35 <richard> the letterboxing improvements are v nice too, but i want to wait until thorin has had a chance to break it before we backport to stable
18:13:05 <ma1> PieroV, let me check
18:13:47 <ma1> no, not window to window. Just inside the same window, or onto the UI
18:14:04 <donuts> okay good to know
18:14:12 <PieroV> Which is goodish since that might cause the leak
18:14:23 <donuts> yeah, if it's dragged over the desktop?
18:14:35 <PieroV> (I was also suggesting that we could block only on Linux if we're sure macOS and Windows don't start the DNS query)
18:15:05 <PieroV> donuts: gk said when it's moved outside a TBB window
18:15:09 <richard> I would not count on that being stable between macOS/windows releases
18:15:10 <PieroV> But I couldn't reproduce
18:15:18 <donuts> pierov: right
18:15:24 <PieroV> richard: but at least it's more testable
18:15:33 <PieroV> but we can stay on the safe side, too
18:15:45 <richard> yeah i think i'd rather stay on the safe side there
18:15:56 <richard> windows at least already has a history of doing dns requests when you wouldn't expect it to
18:16:02 <donuts> so we'll continue applying the same level of protections to all?
18:16:23 <richard> yeah
18:16:24 <PieroV> Also, I was suggesting that we could mask/encrypt URLs so that we don't leak when dragging but maybe we could support drag and drop between windows in this way
18:16:34 <PieroV> Not sure it's a good idea though, but we can try in the future
18:17:09 <richard> i saw that in the backlog, and actually think that's a pretty good idea but would def require some tlc
18:17:17 <richard> around both the crypto and the UX
18:17:47 <PieroV> tlc being? :)
18:17:52 <donuts> tender loving care :)
18:17:55 <richard> tender locing care
18:18:01 <richard> loving*
18:18:06 <donuts> it's a great idea though
18:18:31 <donuts> I wonder to what degree our user complaints will decrease with intra-window dnd though, versus between-window
18:18:32 <PieroV> maybe we could open an issue to follow
18:18:57 <donuts> yep sounds good to me
18:18:59 <richard> i suspect between window will be noticed and missed
18:19:22 <richard> yeah wfm
18:19:50 <donuts> nice, awesome progress on this issue and some cool ideas too
18:20:19 <donuts> anything else we need to chat about for 12.0.1?
18:20:24 <PieroV> Well, yes :)
18:20:30 <PieroV> The main thing is still here
18:20:38 <PieroV> Android is going to block stable releases
18:20:45 <richard> yes
18:20:52 <PieroV> We can tag, but we might need to tag again
18:21:04 <richard> I think i can poke tjr about setting up some way for us to get access to those before the become public
18:22:07 <richard> i already automatically have access to the bugzilla issues, but the problem is that the android pieces all live in different repos and may not use the associated bugzilla numbers in their commit messages
18:22:23 <PieroV> But what should we do until that becomes a possibility, if it ever does?
18:22:35 <PieroV> I fear some bug tracking now lives on Jira
18:22:42 <PieroV> Especially for Android
18:23:12 <PieroV> I had a suggestion a few days ago
18:23:18 <richard> tbh i don't see a technical solution here vOv
18:23:21 <richard> oh?
18:23:30 <PieroV> And it's: we always release desktop a few days earlier than Android
18:23:52 <PieroV> But we always to the combined release, without doing only desktop or only Android unless strictly needed
18:24:28 <PieroV> We cherry-pick at head, and move to the beginning of the patchset at the next rebase
18:24:42 <PieroV> be it a new ESR release, or a -2 rebase that we do for any reason
18:24:58 <PieroV> I see only this solution, from a practical point of view
18:25:03 <PieroV> At least for now
18:25:40 <PieroV> Opinions?
18:25:47 <richard> i'm not sure i'm following
18:26:01 <PieroV> We continue releasing desktop as always
18:26:05 <richard> right right
18:26:08 <PieroV> And we publish Android a few days later
18:26:19 <PieroV> With a build2 tag
18:26:27 <PieroV> But under the same version
18:27:07 <richard> ah hm
18:27:28 <PieroV> And if there isn't anything to patch, we just build build1 later
18:28:25 <richard> that's fine, but they would most likely require different version numbers
18:29:16 <PieroV> Why?
18:30:18 <richard> well actually, i guess it could work
18:31:50 <ma1> In the meanwhile I've fixed cross-window drag & drop too :)
18:31:53 <richard> i suspect wed' need to tweak the signing/publishing scripts slightly to handle adding new files to the dist directories
18:32:19 <donuts> ma1: whaaa? how?
18:32:38 <richard> ok, let's try it for 12.0.2 assuming i don't social engineer my way to getting the CVEs early
18:32:49 <PieroV> wfm
18:33:26 <ma1> I've created a tor-browser custom data flavor to pass url lists inside the browser without leaking them out.
18:33:26 <richard> do you all think it would be helpful to have a 12.0 retrospective next week?
18:33:31 <donuts> so desktop first, android later, same version number?
18:33:37 <richard> donuts: yeah
18:33:40 <donuts> richard: yeah we could do it as a proper meeting, with audio
18:33:42 <donuts> might be nicer
18:33:47 <PieroV> Yes, that's my proposal for now
18:33:47 <richard> yeah for sure
18:34:08 <donuts> awesome, I'm happy with that
18:34:53 <PieroV> Maybe we should drop blog posts
18:35:05 <PieroV> Like richard propsed a while ago
18:35:18 <PieroV> So we don't pollute blog.torproject.org with release posts :D
18:35:39 <donuts> I'm going to try and squeeze in a release post tempalte into the /download redesign work
18:35:40 <richard> we had the entire first page of blog posts at one point in november iirc
18:35:46 <donuts> something more bare-bones
18:35:54 <donuts> we can still do full blog posts for major releases though
18:36:03 <PieroV> Yes, agree with that
18:36:37 <donuts> but yeah I agree that long term these probably shouldn't be blog posts
18:36:51 <richard> tweets? :p
18:36:54 <richard> or toots
18:37:00 <donuts> especially if we're gonna double the fun with this release plan
18:37:14 <donuts> iirc network posts straight to the forum now
18:37:19 <donuts> although arti gets blog posts still
18:37:35 <PieroV> and to the mailing list, I think
18:37:39 <donuts> I'd like to have something more visual that TB can open in a new tab after it updates though
18:37:40 <richard> do we have any sense/metrics of engagement on those posts?
18:37:43 <richard> does anyone read them?
18:37:44 <donuts> or we can link to from about:tor
18:37:57 <richard> donuts: I do like that idea
18:38:33 <donuts> maybe this could be a TB 12.5 thing
18:39:04 <donuts> richard: re engagement, just forum views/comments
18:39:13 <donuts> since they get crossposted there automagically
18:39:22 <PieroV> donuts: I think we have some patch to prevent a new page from being opened
18:39:35 <PieroV> I'd be happy to drop it, and richard probably happier when it comes to delete code :D
18:39:45 <donuts> pierov: oh? why does that exist?
18:40:00 <PieroV> I've discovered last week or a pair of weeks ago
18:40:02 <PieroV> Don't remember
18:40:07 <donuts> hrm, curious
18:40:14 <PieroV> But it's nested in the torbutton + about:tor implementation
18:40:18 <PieroV> Lots of stuff there :(
18:40:36 <PieroV> Lots to unroll, cleanup, refactor, etc
18:41:30 <donuts> so long term goal: nice release post template under /download that TB points to after updating, short term goal: keep posting on the blog or we can consider going straight to the forum for minor releases?
18:42:33 <richard> let's not worry about new posting strategy until the new year and keep posting on the blog for this year
18:42:45 <donuts> yeah, for sure
18:43:19 <donuts> anything else to discuss today then?
18:43:36 <PieroV> we've received a MR just now
18:43:41 <PieroV> From the gentoo user :)
18:43:52 <PieroV> I think we can get it on 12.0, too
18:44:00 <richard> say what you will about linux users at least they know how to make a merge request :3
18:44:02 <PieroV> 12.0.1
18:44:11 <PieroV> ikr? :)
18:44:20 <richard> bless them
18:44:29 <donuts> they've adapted to survive to their environment
18:44:51 <donuts> >:D
18:45:28 <richard> lol
18:46:21 <PieroV> I don't have anything to add then
18:46:25 <PieroV> We can call it here for me
18:46:33 <richard> wfm
18:47:19 <donuts> #endmeeting