#tor-meeting log

15:58:25 <onyinyang> #startmeeting tor anti-censorship meeting
15:58:25 <MeetBot> Meeting started Thu Mar  7 15:58:25 2024 UTC.  The chair is onyinyang. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:58:25 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
15:58:25 <onyinyang> hello everyone!
15:58:25 <onyinyang> here is our meeting pad: [https://pad.riseup.net/p/r.9574e996bb9c0266213d38b91b56c469](https://pad.riseup.net/p/r.9574e996bb9c0266213d38b91b56c469)
15:58:31 <shelikhoo> Hi!
15:58:33 <cohosh> hi
15:59:01 <shelikhoo> I was a little confused whether I should be one holding the meeting for a moment...
15:59:06 <meskio> hello
16:01:32 <onyinyang> ok, it seems that the only announcement is the Ireland constitution amendment referendum tomorrow
16:01:43 <onyinyang> let's move on to the discussion
16:01:54 <onyinyang> Is there any follow up from last weeks items to discuss?
16:02:45 <shelikhoo> nothing from me
16:02:46 <meskio> not from my side
16:02:59 <meskio> any news on the AWS side?
16:03:17 <cohosh> it looks like i'll have to rotate the credential at the very least
16:03:32 <meskio> my friend just told me: explain the humans behind what you are doing, it should be fine
16:03:33 <cohosh> i'm stalling right now until we get some of those fixes merged
16:03:51 <meskio> I think I'm on the review on a merge related
16:04:05 <meskio> I'll try to look at it on monday, but feel free to jump on it if you want it before
16:04:09 <cohosh> i've done that :/ they keep coming back and saying they won't proceed with discussions until i create new access keys
16:04:33 <meskio> I see :(
16:05:59 <meskio> nothing more on this for me
16:06:52 <onyinyang> ok, let's move on to the new discussion points
16:07:03 <onyinyang> the first is: should we deprecate docker-snowflake-proxy?
16:07:10 <meskio> I created that one
16:07:18 <meskio> now we have two dockerfiles for snowflake
16:07:27 <meskio> one in the snowflake repo and another in the docker-snowflake-repo
16:07:36 <meskio> can we deprecated the docker-snowflake-repo?
16:08:13 <cohosh> sounds fine to me, but will we still push to dockerhub?
16:08:29 <meskio> yes, that is the following question
16:08:37 <meskio> we should integrate that with the release process
16:08:49 <meskio> is there any documentation to update?
16:08:57 <meskio> or how can we make it easy for whoever does the release
16:09:16 <meskio> I was pushing the snowflake-proxy docker image myself, but I'm not usually the one doing the release
16:09:28 <meskio> so basically I'm proposing to move that reponsibility...
16:09:31 <meskio> ;P
16:10:13 <cohosh> the Makefile from the docker-snowflake-proxy repo has a "release" command
16:10:43 <meskio> yes, it does some crossbuild, I guess we'll need to move that into the snowflake repo
16:10:48 <meskio> as well as the docker-compose.yml
16:11:03 <meskio> or integrate it in the CI, I haven't look into how the CI integration works
16:11:16 <shelikhoo> I think the CI kind of already works
16:11:23 <shelikhoo> I reviewed that merge request
16:11:28 <meskio> I see the CI does crossbuild, so probably we don't need that, if we are ok trusting the CI
16:11:46 <shelikhoo> we do need to ask user to move to the new container repo url
16:12:03 <meskio> can't we push that image also to dockerhub?
16:12:16 <meskio> sure, we can recommend our own repo, but there should be a transition...
16:12:17 <shelikhoo> as the CI is pushing to tor gitlab's built-in container registry
16:12:32 <shelikhoo> it should be possible to push to docker hub
16:12:41 <shelikhoo> we just need to change the configuration
16:12:44 <shelikhoo> I believe
16:14:17 <meskio> ok, I hear positive feedback, but it looks like there are detiles to iron out and some organizing work needed here
16:14:43 <meskio> I'll create an issue for this and we can explore it there
16:15:01 <meskio> shelikhoo: do you want to take care of that issue? or should I do it? I'm ok anyway
16:15:17 <shelikhoo> I will take care of this!
16:15:31 <meskio> great, I'll open it and assign it to you
16:15:34 <shelikhoo> yes!
16:16:22 <onyinyang> ok nice :)
16:16:30 <onyinyang> Let's move on to the second discussion point
16:16:37 <onyinyang> Fastly domain fronting updates
16:16:44 <onyinyang> I guess this is from cohosh
16:17:13 <cohosh> there was an emergency release of tor browser this week: https://blog.torproject.org/new-release-tor-browser-13011/
16:17:27 <cohosh> that contains the moat configuration fixes and snowflake builtin bridge updates
16:18:05 <cohosh> in response to the certificate renewal for the fastly front domain we were using that caused it to stop working for domain fronting
16:19:09 <cohosh> ggus also made some changes to the connect assist settings: https://gitlab.torproject.org/tpo/anti-censorship/rdsys-admin/-/commit/4d979dbb1e3f2457242fbfb30fad84f9ecfa61a9
16:19:49 <shelikhoo> nice!
16:19:52 <dcf1> here are some quick graphs
16:19:58 <dcf1> users: https://share.riseup.net/#Jc67Jgp5NuGN88RQOkMoxQ
16:20:04 <dcf1> bandwidth: https://share.riseup.net/#D32U2jD0TvVC4iHQimzqWg
16:20:19 <dcf1> interesting that once again, snowflake-02 was relatively more affected than snowflake-01
16:20:53 <cohosh> that might be explained by the orbot situation
16:21:00 <dcf1> something that's different this time, compared to sep 2024, is now Orbot 17 is out by default for everyone (including Play Store), which is the first time some users have had the option to use snowflake-02
16:21:18 <cohosh> they weren't using foursquare as the front for their builtin bridges
16:22:54 <cohosh> oh hm, i'm still seeing the old version when i visit the page: https://play.google.com/store/apps/details?id=org.torproject.android
16:24:05 <dcf1> ohw weird, me too, I swear a few days ago I checked and it was updated too Feb 2024
16:24:50 <cohosh> i know the play store allows you to slowly roll out releases to a subset of users, maybe it is done based on location
16:25:10 <dcf1> I even documented it in the comments: https://github.com/turfed/snowflake-paper/commit/d87a723738ea011c01a324a2173ff90699030390#diff-1858595241d3726f2315a93fbf2651adfbeb0b408ceb2a8333408b7eaa1c469dL2074
16:25:32 <dcf1> Okay, so even Orbot 17 may not have been fully out.
16:28:05 <cohosh> but i think the play store version is still using cdn.sstatic.net as the front which definitely won't work: https://github.com/guardianproject/orbot/blob/16.6.4-RC-1-tor.0.4.7.11/orbotservice/src/main/assets/fronts
16:29:53 <cohosh> meaning no current snowflake users are using the play store version anyway, that would definitely cause the graphs to look different
16:30:24 <dcf1> these graphs show a few more days: https://share.riseup.net/#e81-IXjlEe7xyCdLrm3nVw https://share.riseup.net/#4aD1E__f7sy3pztKYqur2A
16:30:37 <dcf1> I'm not sure, myabe that old version had ampcache
16:30:47 <cohosh> oh good point
16:31:38 <cohosh> actually i see an azure front in that file so maybe there are users of that
16:32:45 <cohosh> these graphs dont look as bad as i feared
16:34:35 <cohosh> the main todo item left on this is to update the ooni tests
16:35:16 <shelikhoo> In theory we could let snowflake to just always use circumvention setting
16:35:43 <shelikhoo> or have a channel to update all these configuration
16:35:43 <cohosh> and there are still some configurations out there with fastly fronts that will need to be updated eventually, but i don't think any of them are single points of failure except for maybe orbot's connect assist setting
16:36:21 <meskio> circumvention settings is also failing if domainfront fails
16:36:29 <cohosh> shelikhoo: i think that's the purpose behind https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41541
16:37:12 <cohosh> i opened an issue to allow for multiple domain fronting configurations for the moat update channel: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42436
16:37:18 <cohosh> which is our single point of failure
16:38:22 <shelikhoo> in the future we could just take over all these and bundle these functionality into the signaling library
16:39:08 <cohosh> yeah, that will be nice to have
16:39:12 <shelikhoo> yeah
16:39:28 <cohosh> i just opened this as a temporary measure since this has happened to us twice now in the last year
16:39:39 <cohosh> last 6 months even
16:41:41 <meskio> makes sense, it will take time to have a signaling library
16:43:31 <cohosh> i don't think i have anything else, are there any projects we forgot to update?
16:43:58 <cohosh> thanks ggus and dcf1 for posting the recovery guides on the forum and the bbs btw
16:45:14 <onyinyang> ok I guess that's it for the discussion for now
16:45:25 <shelikhoo> hehe! thanks ggus and dcf1!
16:46:06 <onyinyang> dcf1 shared a snowflake operations update for February in the Interesting links
16:46:13 <onyinyang> https://opencollective.com/censorship-circumvention/projects/snowflake-daily-operations/updates/2024-february-update
16:46:46 <onyinyang> Is there anything you'd like to say about this dcf1?
16:46:53 <dcf1> nope
16:46:59 <onyinyang> ok cool
16:47:10 <onyinyang> does anyone have anything else to discuss today?
16:47:12 <shelikhoo> I remember open collective is closing
16:47:27 <shelikhoo> is this something impacting your operation?
16:47:53 <shelikhoo> https://opencollective.com/foundation/updates/announcement-we-are-dissolving-open-collective-foundation-at-the-end-of-this-year
16:47:58 <onyinyang> oh, that sucks :(
16:48:05 <dcf1> no, that's something completely different. the naming is confiusing but it's not open collective that's closing, just one of their fiscal hosts that we were not using
16:48:22 <shelikhoo> oh! nice! that's a relief!
16:48:36 <meskio> nice
16:48:49 <shelikhoo> eof from me
16:49:32 <onyinyang> ok, let's end the meeting then!
16:49:34 <onyinyang> #endmeeting