#tor-meeting log

14:58:11 <PieroV> #startmeeting Tor Browser Weekly Meeting 2023-10-02
14:58:11 <MeetBot> Meeting started Mon Oct  2 14:58:11 2023 UTC.  The chair is PieroV. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:58:11 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:58:36 <PieroV> Hi everyone! Since richard is afk I'm going to facilitate this meeting :)
14:58:46 <PieroV> Our pad as usual: https://pad.riseup.net/p/tor-tbb-keep
14:58:48 <ma1> o/ PieroV & thank you!
14:58:58 <Jeremy_Rand_36C3[m]> Hi!
14:59:05 <jagtalon> o/
14:59:31 <donuts> o/
15:00:00 <Jeremy_Rand_36C3[m]> hmm, Riseup pad onion seems unresponsive for me
15:00:08 <Jeremy_Rand_36C3[m]> Might be a local issue here, my Internet has been spotty today
15:00:25 * Jeremy_Rand_36C3[m] doesn't really have anything particularly important to add to the pad anyway
15:02:11 <jagtalon> Jeremy_Rand_36C3[m]: Riseup onion seems to work for me!
15:02:56 <dan_b> o/
15:03:56 <Jeremy_Rand_36C3[m]> jagtalon: thanks for triangulating. Yeah gonna guess it's just awful Internet here.
15:04:14 <PieroV> I think we can start
15:05:10 <PieroV> Last weekend we released 13.0a6, it contained a lot of the blockers for 13.0
15:05:49 <dan_b> Its 1 of two Oct holiday Mondays for me, so I'm off today, just dropping by to update the pad and make sure there's nothing urgent? Otherwise I'm on YEC for Android tomorrow :)
15:06:03 <PieroV> So, should we release a 13.0a7 or are we ready for 13.0? I think their email forgot an important one because it went on future
15:06:19 <PieroV> And it's the Android API level
15:06:44 <PieroV> dan_b: maybe clairehurst can answer for that in case you want to go :)
15:06:47 <donuts> what's the situation with that?
15:07:03 <dan_b> Ah, have we bumped that in the dependency it was lower in?
15:07:08 <PieroV> We asked for an extension, and the new deadline is November 1
15:07:13 <boklm> do we have a ticket for the android api level?
15:07:18 <PieroV> Yes, we have it
15:07:35 <PieroV> tor-browser#42028
15:07:38 <boklm> thanks
15:07:54 <PieroV> My opinion is that we should try to launch 13.0 with it already fixed
15:07:54 <donuts> And this is a blocker for 13.0?
15:08:32 <PieroV> If we don't fix it for 13.0, we'll need to have it fixed in 13.0.1
15:08:57 <donuts> right
15:09:01 <clairehurst> PieroV: I think we need the updated icons, which should be done soon. Let me make sure there isn't anything else
15:09:11 <PieroV> The team is going to have an in-person meeting in the week of October 23
15:09:15 <dan_b> clairehurst: I think there is a tool to run on an .apk to tell you which dep of it is causing API level to be lowered?
15:09:39 <dan_b> Pretty sure I remember doing that once
15:09:50 <donuts> I have two other potential blockers for 13.0 as well
15:09:54 <clairehurst> Oh neat! That's going to be super helpful dan_b
15:10:22 <dan_b> Ah was hoping you knew off hand. Ok Im pretty sure I have it installed so I'll try and dig it up
15:10:33 <PieroV> Since we're having the in-person meeting, the deadline of November 1 isn't great
15:10:49 <clairehurst> Yeah I haven't encountered that particular issue before
15:11:03 <PieroV> And it'd be better to try to fix sooner rather than later
15:11:24 <clairehurst> I can jump on that right after updating the icons
15:11:33 <PieroV> Awesome, thank you very much!
15:11:54 <PieroV> Apart from that and the icons, there aren't too many blockers from richard's email
15:12:22 <PieroV> A review of my pref review as anticipated last week (tor-browser#41496)
15:12:58 <PieroV> And a check for unwanted connections in Mullvad Browser, but Mullvad QA might check on that, we'll have to coordinate on that
15:13:04 <dan_b> ah i was using `apkanalyzer manifest permissions` to find what dep was adding a permission
15:13:38 <PieroV> donuts: what are your blockers?
15:14:00 <donuts> sorry you've caught me in the middle of switching computers
15:14:06 <donuts> 1 sec while i bring the pad back up
15:15:00 <donuts> tor-browser#41581 seems to have been closed without a fix for TB
15:15:18 <donuts> so as of 13.0a6, noscript is still visible in the extensions toolbar menu
15:15:26 <clairehurst> I also want to get https://gitlab.torproject.org/tpo/applications/firefox-android/-/merge_requests/23 merged for tor-browser#42121, which I should be able to have ready by EOD
15:16:01 <donuts> and secondly, richard was also going to chat to the network team last week about whether or not conflux is going to cause strange behavior for the circuit display on release
15:16:15 <donuts> although I don't know what the outcome of that discussion was – maybe someone here knows?
15:16:24 <PieroV> I saw some messages in #tor-dev
15:16:38 <PieroV> Basically the behavior should be compatible with what we do
15:16:45 <PieroV> But we won't display anything special for conflux
15:16:59 <donuts> So will users see the first leg of the circuit, for example?
15:17:14 <PieroV> One of the two circuits should always be bound to the SOCKS username+password from what I understood of those messages
15:17:20 <PieroV> So, we're going to display that circuit
15:17:23 <donuts> ah right okay
15:17:49 <donuts> how do we feel about that? good enough for release?
15:18:46 <ma1> If we want special UI treatment for conflux, I guess it's a lot of work - realistically for 13.5 or beyond anyway, right?
15:18:56 <PieroV> I don't know if Tor is signaling the other conflux circuit in some way
15:19:13 <ma1> (and coordination with the network team indeed)
15:19:19 <donuts> right
15:19:34 <Jeremy_Rand_36C3[m]> I'm guessing the Conflux signaling will change anyway with the Arti transition?
15:19:52 <PieroV> Well, all the signaling will :)
15:19:52 <Jeremy_Rand_36C3[m]> So maybe not worth writing a bunch of control port code for this before the transition?
15:19:58 <Jeremy_Rand_36C3[m]> right
15:20:02 <ma1> we will probably need to ask for it, I don't think this detail level it's a priority for the Arti team
15:20:13 <PieroV> I hope the refactor of the control port will make it easy to do it in case
15:20:31 <Jeremy_Rand_36C3[m]> hence my inclination to only do it once rather than twice :)
15:20:31 <donuts> okay sounds like we're "good enough" for 13.0
15:20:39 <ma1> +1
15:20:58 <donuts> back to my first blocker, richard didn't like my initial suggestion for tor-browser#41581
15:20:59 <PieroV> clairehurst: is the change you'd like to do risky?
15:21:07 <PieroV> Oh, sorry donuts, go ahead
15:21:16 <donuts> does anyone have any alternative suggestions?
15:21:50 <donuts> the risk is that users will try to configure noscript directly since it's relatively easy to access via the toolbar, instead of going through the security level toolbar button
15:22:08 <donuts> we could disable the unified extensions toolbar menu completely, I suppose
15:22:24 <PieroV> I wonder if richard's point was wrong, actually
15:22:48 <clairehurst> PieroV: for tor-browser#42121? No I don't think its risky
15:23:06 <clairehurst> Should just be removing a few UI elements
15:23:50 <donuts> pierov: I've reopened the issue, can I assign it to you to look into?
15:24:00 <PieroV> donuts: "accessing the NoScript extension impossible without adding some other extension." - I'm not sure about what this means
15:24:09 <PieroV> You can access it from about:addons
15:24:21 <donuts> yep, exactly
15:24:53 <dan_b> Pierov: so I just looked. in code we have compileSdkVersion and targetSdkVersion at 33 and I dont see a big red error on the android alpha in the play console? or is that cus we asked for an extension?
15:25:27 <PieroV> clairehurst: I think we should maybe run a tor-browser-build build to test it anyway, just to test it in some way
15:25:40 <PieroV> AFAIK, Android nightly builds are still broken :/
15:26:03 <PieroV> donuts: yes, I can have a look, maybe I'll also ask ma1 what he thinks
15:26:06 <boklm> in projects/tor-onion-proxy-library/gradle.patch I see a `targetSdkVersion 29`
15:26:09 <PieroV> dan_b: I still see the error
15:26:12 <clairehurst> Sounds good. Also want tor-browser#42133, which is also basically done (just need to make it into a fixup commit)
15:26:14 <donuts> pierov: ack, thank you
15:26:17 <dan_b> pierov: looking further at the play console for hte alpha, it confirms our app is tarket sdk 33
15:26:18 <dan_b> where?
15:26:27 <PieroV> boklm: I agree that this might be the problem
15:26:35 <dan_b> i see if on tor browser
15:26:48 <PieroV> Oh, I might have checked tor browser
15:26:49 <dan_b> but if you back out to "all apps" and pick "tor browser alpha" i dont see it
15:26:51 <PieroV> Let me check again
15:27:52 <PieroV> I see it fixed now, you're right \o/
15:28:03 <PieroV> I'm not sure what we did, but it's great!
15:28:23 <dan_b> yep, so we can close that blocker 🙂
15:28:33 <jagtalon> regarding tor nightly, let me know what i can do like sending detailed adb logs
15:28:36 <PieroV> I wonder if the warning was generated on an old 12.5aX
15:29:32 <PieroV> The first 13.0 Android alpha was 13.0a2, released on August 12 (at least on the blog)
15:29:56 <ma1> donuts, two things though: 1) NoScript is still hidden in the toolbar, even if one click on the puzzle icon away instead of right-click -> "Customize" (not very ergonomical anyway, unless user decide to actually pin it, which requires another two clicks) 2) any change made from that menu is temporary as long as we're in private mode (always)
15:29:59 <dan_b> i just think we skipped 13.0a1 for android
15:30:32 <dan_b> but yeah maybe someone accidently put a 12.5 up? dunno. or just left the old 12.5 alpha up and then it got flagged wit the error
15:31:03 <PieroV> Yes, we did. I see the warning generated on August 18, so a few days after 13.0a2, but the old screenshot says date sent August 11, so the day before 13.0a2
15:31:30 <dan_b> weird
15:31:48 <donuts> ma1: not sure whether that extra click will be enough of a deterrent, however I really can't say until we start getting user feedback
15:31:51 <dan_b> well, its gone now so 🤷‍♀️ and woo
15:31:59 <donuts> I'm sure curious users will notice the new icon in the toolbar relatively quickly
15:32:37 <donuts> So, perhaps to be safe, we should hide it from the toolbar menu entirely
15:32:42 <Jeremy_Rand_36C3[m]> donuts: what exactly is the concern about users configuring NoScript manually?
15:32:56 <Jeremy_Rand_36C3[m]> donuts: I suspect there may be cases where doing so is safe
15:33:23 <donuts> Jeremy_Rand_36C3[m]: we would prefer users to interact with the predefined security level options instead
15:33:48 <Jeremy_Rand_36C3[m]> donuts: I'm not certain that's always the right approach. Qubes DispVM's where only a single website is accessed seem like a possibly safe place to deliberately enable only the bare minimum to get a site to work.
15:34:27 <Jeremy_Rand_36C3[m]> Not saying that's definitely the case, but it seems plausible
15:35:02 <donuts> Jeremy_Rand_36C3[m]: it's plausible, however power users can continue to interact with noscript via about:addons without the risk of general users getting in a tangle
15:35:07 <Jeremy_Rand_36C3[m]> (I don't want to derail the discussion, just wanted to make sure this is considered)
15:35:24 <Jeremy_Rand_36C3[m]> donuts: going to about:addons in a DispVM seems like a lot of extra click work
15:36:46 <henry-x> I get what donuts is saying
15:36:51 <donuts> this seems niche to me
15:37:05 <donuts> a general user who breaks their security level is going to be confused
15:37:11 <henry-x> Its not like we used to show it, and now it would annoy people to no longer have it
15:37:25 <donuts> also, many general users won't even know noscript is installed at all
15:38:10 <Jeremy_Rand_36C3[m]> donuts: as someone who uses DispVM's routinely, I'm not convinced it's a niche use case. That said, handling the UX for this in a robust way is probably more effort than either no change or disabling the UI, so short term I'm fine with deferring this, until we can evaluate something better
15:39:10 <PieroV> If we hide the icon, can power users show it again?
15:39:18 <PieroV> So, they can interact without the extra clicks
15:39:21 <donuts> Yeah, that's one risk to this approach
15:39:48 <donuts> ideally power users should still be able to add noscript to the toolbar itself
15:40:28 <Jeremy_Rand_36C3[m]> PieroV: there are issues with changing settings in a DispVM template, but probably those issues are Whonix's problem, not ours
15:41:13 <henry-x> PieroV: I could work on this since I've tinkered in the area before and I'm only working on minor things this week
15:41:23 <Jeremy_Rand_36C3[m]> (well, I mean, maybe we should coordinate with Whonix on finding a way to solve that better -- but it's not something we can deal with on our own)
15:41:34 <PieroV> henry-x: ack, feel free to take the issue then :)
15:41:36 <PieroV> Thanks
15:42:01 <PieroV> Jeremy_Rand_36C3[m]: I think Tails achieves custom config via user.js
15:42:01 <donuts> thanks henry-x!
15:43:10 <Jeremy_Rand_36C3[m]> PieroV: yeah, IIRC they can do that because they package Tor Browser themselves as a deb; Whonix fetches the official Tor Browser binaries, and the specific way they do that makes the approach you describe nontrivial. But yes, we should encourage them to improve that.
15:43:49 * Jeremy_Rand_36C3[m] has been meaning to talk to the Whonix guys about exactly that issue for quite a while, but ENOTIME
15:44:03 <PieroV> ack
15:44:21 <PieroV> So, with what we said at this meeting, should we do these final changes without another alpha?
15:45:08 <PieroV> We still have 3 or 4 items we want to fix, so Wed as a date for 13.0 might not work anymore
15:45:36 <Jeremy_Rand_36C3[m]> I'm very nervous about deploying changes like this without another alpha, but maybe OK to make it a shorter-lived alpha than usual? (Or maybe I'm just being overly cautious and it's fine to release)
15:46:28 <donuts> Yeah Wed feels very tight
15:46:44 <donuts> if we release another alpha, what would the new date for 13.0 stable be?
15:46:45 <PieroV> I think we can use nightly to test, or ad-hoc builds for Android
15:47:36 <PieroV> donuts: it depends on how much time we want to take to test or to wait for last minute feedback
15:47:54 <dan_b> did richard's fix last week changing the nightly channel fix the nightly builds for andoird or are they *still* crashing?
15:48:07 <donuts> pierov: how much testing will android require after the API change?
15:48:17 <PieroV> donuts: it seems the error disappeared
15:48:28 <PieroV> I got confused and checked the stable dashboard
15:48:35 <dan_b> yeah 13.0 has been 33 the whole time, we inherited that from moz
15:48:44 <PieroV> + some timings problems from Google
15:48:55 <PieroV> They generated the warning on Aug 11, but notified us on Aug 18
15:49:05 <dan_b> playconsole... sluggish
15:49:10 <PieroV> In the meantime, we published the first 13.0 alpha for Android (on Aug 12)
15:49:18 <dan_b> which is what you want when it gives you tight deadlines...
15:49:25 <jagtalon> dan_b: oh there's a fix for nightly on android? i haven't tested!
15:49:50 <PieroV> jagtalon: dan_b: I think richard's fix was for single-arch (currently only testbuilds) alpha builds
15:50:15 <dan_b> https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/merge_requests/820/diffs
15:50:56 <dan_b> jagtalon: you can give it a quick try, i'm unsure. it built for me locally
15:51:08 <PieroV> I don't think it fixes nightlies, it changes only alphas
15:51:25 <dan_b> aah yes it's just into main for tbb
15:51:34 <jagtalon> ah alrighty
15:51:47 <dan_b> but once we promote 13.0 😄 should be good
15:52:44 <PieroV> So, I think we can push 13.0 to the beginning of the next week
15:52:55 <dan_b> sounds fine to me 🙂
15:52:59 <PieroV> I can prepare it later this week and we can build it over the weekend
15:53:05 <boklm> should we still do an alpha this week?
15:53:21 <PieroV> If nothing is on fire on Monday, we can start releasing
15:53:44 <donuts> okay, sounds sensible to me
15:53:54 <PieroV> boklm: that is the remaining question. donuts, what do you think?
15:54:28 <boklm> or is testing the changes in nightly enough?
15:54:29 <donuts> I don't think we'd get any alpha tester feedback in such a short window anyway
15:54:35 <donuts> so testing nightly may be sufficient
15:54:40 <PieroV> wfm
15:54:45 <clairehurst> dan_b: So we don't need to upgrade to 33 then, since we're already there?
15:54:50 <dan_b> yep!
15:54:51 <donuts> however I'm not sure about android
15:55:02 <donuts> as I don't really understand the potential impact of the API issue
15:55:04 <clairehurst> Cool! Can we close the story then?
15:55:19 <dan_b> clairehurst: i'll look at your MRs first thing tomorrow morning
15:55:21 <PieroV> donuts: the API issue should not really be an issue anymore
15:55:26 <donuts> pierov: ack okay
15:55:32 <donuts> no alpha necessary then
15:55:33 <PieroV> But only delay from the play console
15:55:47 <PieroV> Okay! Does anyone has anything else?
15:55:54 <PieroV> (but we're close to the hour)
15:55:57 <boklm> nothing from me
15:55:57 <jagtalon> are we doing a qa day this week? sorry i might have missed that
15:56:26 <PieroV> jagtalon: that might be a very good idea
15:56:36 <PieroV> Maybe we wait for the last changes and then do it
15:56:44 <donuts> 👍
15:56:45 <Jeremy_Rand_36C3[m]> I have 2 things that I was going to bring up, but they can wait till next week
15:57:02 <jagtalon> great yeah please ping when ready to test!
15:57:11 <Jeremy_Rand_36C3[m]> They're not urgent
15:57:16 <PieroV> Okay Jeremy
15:57:16 <donuts> yeah jagtalon and I need to leave for our next meeting :)
15:57:27 <PieroV> Closing the meeting then!
15:57:29 <PieroV> #endmeeting