14:58:40 <richard> #startmeeting Tor Browser Weekly meeting 2023-03-06
14:58:40 <MeetBot> Meeting started Mon Mar  6 14:58:40 2023 UTC.  The chair is richard. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:58:40 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:58:47 <boklm> hi
14:58:49 <PieroV> o/
14:58:50 <gaba> hi!
14:58:52 <richard> it's browser time
14:58:53 <richard> https://pad.riseup.net/p/tor-tbb-keep
14:58:56 <ma1> hi
15:00:01 <dan_b> o/
15:00:08 <richard> hello hello everyone
15:00:13 <Jeremy_Rand_36C3[m]> Hi!
15:00:26 <dan_b> shouldn't it be more like "it's browsing time"?
15:00:58 <richard> mighty morphin browsin' rangers?
15:01:07 <richard> anyway
15:01:12 <dan_b> totally
15:01:34 <Jeremy_Rand_36C3[m]> "Monday Marcho/ 06"?  lol
15:01:48 <richard> window focus is hard
15:01:56 <Jeremy_Rand_36C3[m]> I know right?
15:03:21 <richard> ok i've no major points today
15:03:42 <richard> but first up, our new signing machines are getting plugged in this week!
15:04:08 <richard> after a comedy of bad/mismatched schedules since limerick
15:04:54 <richard> we've an issue tracking the work in gitlab but i expect this will be mostly a me and boklm thing to worry about
15:05:39 <richard> somewhat tangential to that, our windows code signing is expiring in May, so in the midst of all the signing machine migration we'll need to set up a new one
15:06:42 <richard> henry-x and dan_b: can you each give a high-level update on your s30/s96 UX work, any blockers, etc?
15:06:50 <dan_b> i can go
15:07:17 <dan_b> still working on the "prioritize onion" popup fixes. learned a lot, i think with henry-x's feedback this morning i have a good path forward
15:07:33 <dan_b> after that I still have a good bundle assigned to me last i checked. hopefully most should go a lot faster
15:08:09 <dan_b> also unrelated, my home network stopped responding so I can't log on to my mac to test mac stuff. trying to arrange a friend to go by and troubleshoot
15:08:37 <PieroV> typical computers >:[
15:09:00 <dan_b> if you're worried about timing of issues, let me know if you want me to pause the prioritize onion popup work and see if i can blow through some of the other tasks quickly to derisk?
15:09:17 <dan_b> or am good to keep digging through this one
15:09:21 <richard> donuts: are you here by any chance?
15:10:06 <donuts> yep!
15:10:10 <richard> hey!
15:10:25 <donuts> hello :)
15:10:25 <richard> do we have a set date for when we need s30/96 builds for user testing?
15:10:46 <donuts> For S30, the usability testing begins this month
15:11:08 <donuts> I think it's march 16th, but I can check the ticket
15:11:39 <dan_b> oh that's informative. I def vote to temp pause this and see if I can identify and clear some easier issues first?
15:11:56 <richard> ok, and does that cover all of the UX updates we've been making or only a subset?
15:12:00 <henry-x> For me, I was thinking about the html structure for tor-browser#41600 . There's some limited interactivity in the popup, like the "Copy (onion) address" button, so I'll have to figure out how that is going to work with a keyboard
15:12:18 <donuts> okay the schedule currently has usability testing for Tor Browser on the 17th and 18th
15:12:29 <richard> ok
15:12:32 <donuts> richard: as many as possible please
15:12:43 <henry-x> 17th of what?
15:12:47 <donuts> March
15:13:00 <donuts> for S96, we don't need any specific fixes done (it can be tested as is)
15:13:24 <henry-x> ok, I'll work a bit less on the fluent/weblate stuff then
15:13:42 <donuts> anything that doesn't make it into usability testing in Ecuador in March can be pushed to Mexico in April
15:14:00 <richard> ok, if either of you have any s131 tasks y'all aren't actively working on please unassign yourself and we can redistribute
15:14:03 <donuts> but yep S30 fixes are top top priority :)
15:14:52 <henry-x> Re the usability test, is it just going to be the alpha/nightly build? Or are we doing a separate build for it?
15:14:54 <donuts> we can also test nightly builds this month, if that makes things slightly easier
15:14:59 <donuts> aha, snap
15:15:05 <donuts> the original plan was to test alphas
15:15:19 <donuts> but it's a moderated test, so the facilitator can have a nightly installed instead
15:15:33 <richard> do you know what platform they would need?
15:15:46 <richard> well basically if there are no M1 macs that makes nightly a lot easier
15:15:54 <richard> otherwise we'd need to codesign for macOS
15:16:07 <donuts> Nah has both an M1 machine and a Linux machine, I think they're planning on taking the latter though
15:16:38 <richard> ok we're almost certainly going to be doing the testing in nightly then
15:16:41 <richard> looking at the release calendar
15:17:53 <donuts> that's totally fine
15:18:07 <richard> ok that leaves the remaining s131 things
15:18:57 <donuts> thanks everyone ^^
15:19:06 <richard> the remaining work falls into 4ish categories: about:preferences cleanup/remaining firefox feature removal, updater stuffs, webrtc, and *bug fixes*
15:20:10 <richard> and we have an ESR update coming at the end of this week
15:20:48 <richard> dan_b: I think you have the about:preferences cleanup ticket assigned to you, can you pick that up PieroV?
15:20:57 <dan_b> i do
15:21:05 <dan_b> it's in MR stage but it's paused on UX feedback
15:21:20 <donuts> mmm which ticket's that?
15:21:21 <PieroV> richard: nope, that one is for Tor Browser
15:21:24 <PieroV> And needs UX
15:21:56 <richard> oh awesome, i must have missed that
15:21:59 <dan_b> tor-browser!538
15:22:01 * richard skimming
15:22:10 <dan_b> for tor-browser#40656
15:22:17 <donuts> oh yes, we won't get anywhere near that until TB 13.0
15:22:26 <donuts> but it definitely does need UX
15:22:32 <PieroV> TL;DR: if we just hide the options we risk getting very inconsistent UX
15:22:40 <dan_b> and also i think the corresponding privacy-browser#34
15:23:51 <richard> less so in privacy-browser tho right?
15:24:06 <PieroV> Yes, but still UX dependent
15:24:33 <PieroV> We provided a list of stuff, but I think it's never been reviewed?
15:24:43 <ma1> PieroV, do you mean that we should track were in the UI these preferences are observed and hide / lock the controls?
15:24:52 <ma1> w/were/where
15:25:07 <donuts> yep, plus I think it could use some design work rather than just removing preferences wholesale
15:25:20 <PieroV> ma1: if we hide options that were visible, what do we do about users that customized them?
15:25:31 <donuts> however the UX Team have three sponsors ending this/next month (and another potentially in Q3) so anything that's not explicitly spelled out in a contract is going to be later in the year from us, I'm afraid
15:25:39 <donuts> *this/next quarter
15:25:40 <PieroV> We should let them know that we've removed them, or it might be confusing
15:25:56 <ma1> right
15:26:02 <PieroV> And if we don't restore their defaults, how do we provide a way to do that?
15:26:12 <PieroV> Not all features are equal, though
15:26:18 <PieroV> The most scary one is password management
15:27:22 <donuts> yeah, this is potentially a rabbit whole and it needs thought through properly
15:27:26 <ma1> It seems we'll need a migration wizard
15:27:30 <donuts> *rabbit hole
15:28:39 <donuts> so, can we roadmap:future this for Q3/Q4?
15:28:56 <PieroV> I think so for Tor Browser
15:29:10 <PieroV> For S131 a better option would be remove first, and in case add back later
15:29:19 <PieroV> To avoid a similar need for a migration
15:29:23 <richard> we need a removal plan for s131 for the initial release
15:29:25 <PieroV> However, I think that the updater is top priority
15:29:27 <richard> yeah that^
15:29:44 <donuts> right, so just remove them from the privacy browser for the time being?
15:29:57 <richard> yeah
15:30:08 <donuts> cool, makes sense
15:30:59 <richard> donuts: should we just start ripping things out then and then come back to UX for feedback once it 'works'?
15:31:33 <donuts> richard: yeah that sounds like a plan ^^
15:31:39 <richard> ack
15:31:50 <dan_b> right now I have pb#34 assigned to me cus I had the tor-browser issue (with details) and MR
15:32:32 <richard> ok, let's let PieroV take those from you in the meantime
15:32:45 <dan_b> cool will assign
15:33:42 <richard> next up is the updater: we have endpoints so it *should* be a matter of updating the relevant browser pieces, and setting up a pipeline w/ s131 about deploying MARs
15:34:21 <richard> I'll see about getting these pieces up and running over the next weeks. if all goes well we'll be able to update the last alpha to the initial stable
15:34:25 <PieroV> I had to deal with the updater patch, alas, with the macro cleanup
15:34:51 <boklm> do we need something from the updater patch in privacybrowser?
15:35:05 <PieroV> Having the data directory outside the browser simplifies a couple of things that were handled in these patches
15:35:12 <richard> well we'll have several more builds to iron out any problems
15:35:28 <PieroV> But I think we'll need to investigate what actually the updater patches do
15:35:39 <PieroV> And have them interact with the portable mode flag, if needed
15:35:55 <PieroV> Because we also customize the path where updates are saved
15:36:34 <PieroV> I think the symlink stuff won't be needed
15:36:49 <PieroV> (well, IIRC, it could be deleted from Tor Browser, too)
15:37:01 <PieroV> MAR signing might be needed
15:40:10 <richard> ok sounds like i need to collate/track all of these things, will do that after this meeting
15:40:19 <richard> finally the last bit is webrtc
15:40:41 <PieroV> Enabled and working on Linux and macOS
15:40:46 <richard> i pinged msim, seems like his hardware issues have been resolved and should be updating his MR this week
15:41:07 <richard> but if it gets to about wednesday and we haven't any progress on it then we can just do the relevant squash/rebase ourselves
15:41:26 <richard> I'd like to get it enabled for windows for this week's build
15:41:41 <richard> and can also confirm it's working in Linux, been using it for BBB without issues :)
15:41:58 <richard> and ma1 you have the IP leak audit check related to that as well
15:42:26 <ma1> webrtc, you mean? It was among my priorities this week
15:42:40 <richard> ma1: yep :)
15:43:11 <richard> and with that does anyone else have anything else to discuss/announce/etc?
15:43:24 <Jeremy_Rand_36C3[m]> Couple of minor things
15:43:51 <Jeremy_Rand_36C3[m]> (1) It sounds like gaba is back? Would be cool to figure out scheduling a Tor Demo Day.
15:44:16 <richard> ok if I've missed/glossed over anything re s131 we can chat later on IRC
15:44:27 <richard> go for it jeremy
15:44:37 <richard> and yes it seems like gaba is back from some time off
15:45:01 <Jeremy_Rand_36C3[m]> (2) I get the impression that all the Browser Team people are super busy this month; any idea how soon boklm will likely be able to review the openssl/linux-arm MR I sent in yesterday?
15:45:14 <boklm> I'm planning to look at it this week
15:45:21 <Jeremy_Rand_36C3[m]> boklm: ok great, thanks
15:45:45 <PieroV> Jeremy_Rand_36C3[m]: actually a few days ago I
15:45:55 <PieroV> asked a slightly related thing
15:46:07 <PieroV> Maybe you know something, too :)
15:46:26 <PieroV> If I understand correctly, tor could use NSS instead of OpenSSL
15:46:50 <Jeremy_Rand_36C3[m]> gaba: FYI Robert Min has SOCKSification working in a demoable state, so doing a Tor Demo Day this month should work for us
15:47:03 <gaba> great! i will check on when it can work
15:47:07 <Jeremy_Rand_36C3[m]> PieroV: ah yes, I saw you mentioned that but didn't have a chance to reply.
15:48:04 <Jeremy_Rand_36C3[m]> PieroV: NSS and OpenSSL have slightly different feature sets, are we confident that Tor's NSS support is on par feature wise with OpenSSL? I know OpenSSL supports Ed25519 certs while NSS doesn't, for example.
15:48:26 <PieroV> Oh, okay, that makes sense
15:49:00 <Jeremy_Rand_36C3[m]> PieroV: seems like the Network Team would probably know something about that
15:49:31 <Jeremy_Rand_36C3[m]> That said, if it is on par feature-wise, it seems like a good way to shave off some bytes from the binary
15:49:43 <Jeremy_Rand_36C3[m]> So certainly seems worth investigating
15:51:27 <richard> ok
15:51:34 <Jeremy_Rand_36C3[m]> PieroV: also note that NSS has a different TLS fingerprint from OpenSSL, but (1) I suspect PT makes that irrelevant, and (2) NSS is probably less censored than OpenSSL since NSS is what Firefox and Chromium use
15:51:59 <PieroV> That's very interesting, thanks!
15:52:27 <Jeremy_Rand_36C3[m]> But maybe having both OpenSSL and NSS based Tor in production usage at the same time is an anonymity set risk?
15:52:31 <Jeremy_Rand_36C3[m]> Not sure.
15:53:01 <richard> jeremy: depends, tor-browser desktop users tend to update to latest pretty quickly
15:53:20 <richard> so the window where we'd have two anonymity sets is fairly short
15:53:33 <Jeremy_Rand_36C3[m]> richard: right, but a lot of users are on system Tor, which will probably stay with OpenSSL unless we tell OS distros to switch
15:53:51 <Jeremy_Rand_36C3[m]> e.g. Tails and Whonix users
15:54:02 <richard> truue
15:54:10 <richard> well anyway
15:54:27 <Jeremy_Rand_36C3[m]> Anyway it definitely seems worth looking into
15:54:28 <richard> we can continue these chatters in IRC
15:54:41 <Jeremy_Rand_36C3[m]> Yep. Nothing else from my end for the meeting.
15:54:44 <richard> so let's #endmeeting and give you all 5 minutes before your next one :D
15:54:47 <richard> #endmeeting