#tor-meeting log

14:58:32 <richard> #startmeeting Tor Browser Weekly Meeting 2023-01-30
14:58:32 <MeetBot> Meeting started Mon Jan 30 14:58:32 2023 UTC.  The chair is richard. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:58:32 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:58:39 <richard> meeting pad: https://pad.riseup.net/p/tor-tbb-keep
14:59:09 <ma1> o/
14:59:15 <msim> o/
14:59:19 <PieroV> o/
14:59:26 <richard> good morning afternoon and evening
15:01:30 <richard> i'm still catching up on everything that happened last week, but from waht I can tell there doesn't seem to be anything urgently in need of my attention
15:01:55 <richard> i'm currently building/will be signing what will be our first privacy browser build for s131
15:02:25 <msim> \o/
15:02:44 <dan_b> coool!
15:02:51 <richard> and I'm a bit excited to see msim's patchset in (hopefully) the next alpha
15:03:00 <richard> assuming we can iron out the rough edges before then
15:03:17 <msim> many, many, rough edges :p
15:03:31 <richard> we should get tags around February 9th so should be plenty of buffer time
15:04:33 <richard> i don't have any further discussion points, PieroV did you watn to cover the point that didn't get covered last week re Android addons?
15:05:34 <PieroV> So, if I understand what happens, you cannot install addons on Android, unless they're listed in the file we ship
15:05:40 <PieroV> But we ship only a few addons
15:05:57 <PieroV> Installation of the other ones fails with a very generic error message
15:06:14 <PieroV> I don't know if we really want TBA to be that walled
15:06:41 <ma1> Firefox too shortlists their installable add-ons to a set of recommended ones, because Fenix compatibility is not trivial.
15:07:05 <PieroV> Yes, but that's another kind of error
15:07:21 <PieroV> I'm speaking of addons that work on Firefox for Android, but not on TBA
15:07:34 <PieroV> If an addon doesn't work you get an error on AMO
15:07:51 <PieroV> (like "your Firefox version/platform isn't compatible" or something similar)
15:08:06 <PieroV> But some addons that pass this step on Firefox, then have the generic error on TBA
15:09:36 <ma1> Right, the first one is from AMO's server-side compatibility data, the second one is client-side from the list of installable add-ons.
15:10:08 <ma1> (I guess it's generic because you're not supposed to get there in Firefox's UX provisions)
15:11:24 <richard> well if we do want to be that walled the UX should be fixed regardless
15:12:20 <richard> iirc it currently shows a list of recommended addons on the addon page
15:13:09 <PieroV> Yes, and those should be the only ones that can be installed at the moment, too
15:13:36 <PieroV> But it's a file we grab from Moz, so it isn't even that meaningful for us
15:13:50 <ma1> So here we're deciding whether allow users to shoot themselves in the foot with broken add-ons (and possibly handling unexpected errors with a better UX) or keep the curated list from Mozilla, correct?
15:13:53 <PieroV> And as a result we're being walled for nothing
15:14:50 <PieroV> The bad UX is already there
15:14:56 <PieroV> Even if we keep the curated list from Moz only
15:15:04 <PieroV> (is the curated list 11 addons only?)
15:15:49 <ma1> Yes, very short. Why is the list not meaningful for us? That's the list of Add-ons which have been verified compatible with Android by AMO's staff.
15:16:21 <ma1> (I mean there are add-ons which aren't good for the TB, as a subset, if that's what you mean)
15:16:58 <PieroV> I mean that we don't double check that list
15:17:21 <PieroV> We should at least remove any visible recommended flag, since we're not recommending anything
15:17:35 <richard> yeah honestly there seems very little in that list (that shows up in my recomendeds anyway) that we would want to people install
15:17:37 <ma1> PieroV, that's true. It should just be "available add-ons"
15:17:44 <richard> ^yeah that
15:18:24 <PieroV> Anyway, if you go to amo, you see for example "Ghostery" as recommended, but it won't install because of the error
15:18:28 <PieroV> of the generic error
15:19:03 <ma1> Actually I don't even think you can install from AMO in fenix.
15:19:06 <PieroV> (I don't know that particular addon, just one that appears as recommended but isn't listed on our cache either)
15:19:38 <PieroV> Installing uBlock from AMO seems to work
15:20:00 <ma1> Mmm, it turns out you can, actually (just checked). It used not to be the case iirc.
15:20:56 <PieroV> Anyway, I think that 1000 years of cache validity isn't a great value
15:21:04 <richard> :D
15:21:36 <ma1> and fenix nightly has a mean to install any addons, so we could go with the shotgun and remove the recommended stuff all together :) https://blog.mozilla.org/addons/2020/09/29/expanded-extension-support-in-firefox-for-android-nightly/
15:22:12 <ma1> oh no, it seems rather convuluted and involving lists, anyway :(
15:22:13 <PieroV> We could add a warning about extensions
15:22:33 <PieroV> After you accept the permissions
15:26:31 <ma1> So the plan would be 1) patching the addons manager to skip any restriction except the extension being signed by AMO; 2) Adding a footgun waring on installation of any extension?
15:27:02 <PieroV> Uhm, no, my plan we simpler:
15:27:06 <ma1> (and of course removing any "recommended" label, but that should be done anyway)?
15:27:20 <PieroV> - remove our patches and switch to Firefox's behavior
15:27:32 <PieroV> - remove the recommended label, and change it with something like "available"
15:27:54 <PieroV> - maybe add a warning about installing extensions
15:28:16 <richard> i'm not sure I agree here
15:28:27 <richard> esp if torvpn is going to be a thing
15:28:49 <PieroV> Agree with what?
15:29:05 <richard> users that want to use tor for say censorship circumvention and don't care as much about the privacy/security implications could use vanilla firefox or w/e  with extensions as they see fit
15:29:33 <richard> i'm saying maybe we should just disable extensions altogether in TBA
15:29:58 <richard> well in the short term we should update the UX so at least it's not lying to users (re recommended vs available)
15:30:40 <PieroV> We have an issue for hiding recommended, we could update it: tor-browser#40502.
15:30:59 <richard> but letting users install extensions does seem like a potential privacy/security risk for people in say Iran etc
15:33:28 <dan_b> is the risk much different for desktop? still can have addons with phone home on clearnet
15:34:29 <richard> unsure tbh
15:34:48 <richard> well i don't have a solution, but we should perhaps think before blanket enabling all extensions
15:34:55 <richard> just becaue we *can*
15:35:26 <ma1> Well, for sure we could immediately relabel "Recommended" to "Available" and be in a much better place.
15:35:37 <richard> yeah agreed on that point^
15:36:19 <ma1> (maybe the warning foreword abount potential dangers of extensions could be directly under the "Available" header)
15:37:04 <ma1> so we 1) warn the user; 2) push the list further down as a further UI deterrence.
15:38:58 <richard> sounds like a good plan
15:39:29 <PieroV> I think we should also elaborate on what Dan says, in the future
15:39:47 <PieroV> I.e., check differences between desktop and Android
15:39:55 <richard> yes
15:40:01 <ma1> +1
15:40:10 <PieroV> Users are never happy with us gating things
15:40:24 <PieroV> At least we should be ready to explain
15:40:48 <dan_b> ux for wording?
15:40:56 <richard> +1
15:41:16 <ma1> ^ donuts ?
15:44:27 <richard> well we can worry about it on the ticket
15:44:40 <richard> assuming there is/will be one :D
15:45:42 <donuts> If you think UX is needed rather than just turning the recommendations off, feel free to assign the ticket over to me
15:46:00 <richard> is there anyhing else to discuss today?
15:46:03 <richard> otherwise i'm happy to call it
15:46:09 <donuts> however I've got to prioritize S30 fixes atm (and nicob's busy with S131), so it'll be bottom of the pile
15:46:14 <PieroV> I think we need to cherry-pick a bug from Moz
15:46:16 <donuts> (as with all unsponsored tickets atm)
15:46:17 <msim> i have a quick question
15:46:24 <richard> msim: gogogo
15:46:30 <msim> "quick" as in i haven't been trying to solve it for a few days ;D
15:46:32 <msim> so
15:46:46 <msim> current status is getting mingw builds working on a windows host (and has been for far too long now)
15:47:12 <msim> the current reason builds are failing is widl fails to find dlls/tlbs that *exist in the search paths given as arguments*
15:47:29 <msim> at first i thought path issue
15:47:41 <msim> but then when i copy and paste the command that mach executes into a shell, it works fine
15:47:57 <msim> as in, widl finds the library fine when it's executed from a command line, but fails to find it when executed from mach
15:47:59 <msim> https://share.riseup.net/#a7EPbKwNkGfkymbf552HNg
15:48:21 <msim> first command is what mach executes
15:48:38 <msim> midl.py then actually invokes widl
15:48:50 <msim> and i'm completely at a loss here
15:49:42 <msim> does anyone have any ideas as to why this happens? maybe python virtual envs have some weird footguns?
15:50:00 <richard> hm
15:50:57 <PieroV> I'd check the args list better
15:51:06 <PieroV> Maybe it isn't parsed as you'd expect
15:51:31 <msim> https://share.riseup.net/#KSrKI5AbHj9H3nKPBLdcfw
15:51:31 <richard> my best guess would be different environet vars
15:51:33 <msim> ^full mach run
15:51:36 <PieroV> (like print the args list passed to subprocess, in addition to "Executing: C:/...."
15:51:55 <msim> ah good idea
15:52:05 <msim> also, should clarify, the "missing" files are in `/c/Users/msim/Downloads/gecko-toolchain/msys2/mingw64/include/`
15:52:32 <msim> PieroV: ty :)
15:52:40 <PieroV> And then also check the env vars, maybe replace the exe with a small launcher that dumps the vars too
15:52:53 <PieroV> In case you defined some in your machine to use Mingw
15:52:55 <richard> ^ that's a good plan as well
15:53:04 <PieroV> Just in case mach does a cleanup
15:53:05 <msim> PieroV: wdym replace the exe?
15:53:31 <msim> like just drop an exe in place of widl that dumps environment?
15:53:32 <PieroV> Replace C:/Users/msim/Downloads/gecko-toolchain/msys2/mingw64/bin/widl.exe with a console app that print all the environment variables first
15:53:34 <richard> replace widl,exe that first prints out env vars and then invokes widle.real.exe for exampe
15:53:36 <msim> ah right
15:53:40 <msim> yea good idea
15:53:41 <PieroV> What richard says
15:54:00 <PieroV> (before stopping the bot I have another quick topic)
15:54:05 <richard> mk
15:54:44 <PieroV> I've updated to Python 3.11 (well Debian has) and the build is broken https://bugzilla.mozilla.org/show_bug.cgi?id=1769631
15:55:07 <PieroV> But there's already a fix that is landing 102.8, but we'll need to cherry-pick first
15:55:11 <richard> ooh nice
15:55:39 <richard> seems like a relatively small patch
15:55:42 <richard> https://hg.mozilla.org/releases/mozilla-esr102/rev/1345ee1bfd75
15:55:49 <PieroV> (just be aware, in case someone else gets the same error with Python 3.11)
15:56:50 <richard> i can backport that just to avoid weirdness for anyone on debian
15:57:25 <richard> alright lets end it here then
15:57:26 <richard> o/
15:57:29 <msim> o/
15:57:31 <richard> have a good week everyone
15:57:32 <ma1> o/
15:57:37 <richard> #endmeeting