#tor-meeting log

15:17:41 <richard> #startmeeting Tor Browser Weekly Meeting 2024-04-15
15:17:41 <MeetBot> Meeting started Mon Apr 15 15:17:41 2024 UTC.  The chair is richard. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:17:41 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
15:19:25 <bellatchau> o/
15:19:56 <richard> sorry flaky internet this am it would seem >:[
15:20:16 <clairehurst> o/
15:20:25 <boklm> o/
15:21:04 <richard> anyway, it's a release week once more; this week we should be releasing (iirc) 13.0.14
15:21:22 <PieroV> Yes, we have to decide how to deal with Android
15:21:37 <PieroV> Whether we want to backport the release date immediately or create another empty commit
15:21:39 <richard> and there's a release meeting on the calendar today for 1800 if you have patches and/or need to coordinate getting them into alpha next week
15:22:04 <PieroV> In both cases we'll need an update to tor-browser-build
15:22:21 <richard> iirc i think i thought backporting the release date patch was a good idea
15:22:23 <PieroV> richard: are we having the 1800 meeting even though donuts is afk?
15:22:34 <richard> ah just saw that emil
15:22:49 <richard> hmmm ok let's push it to tentatively 1800 tomorrow
15:23:11 <richard> oh and some good news, hot off the presses
15:23:23 <bellatchau> :) woot woot
15:23:55 <richard> our pending windows firefox dev has accepted their offer and so we should be beginning the on-boarding process in the near future
15:24:06 <PieroV> \o/
15:24:08 <dan_b> woo
15:24:10 <ma1> \o/
15:24:14 <boklm> \o/
15:24:38 <richard> i'm super excited introduce them and their background, i think everyone will be quite pleased :)
15:24:41 <richard> but that will have to wait
15:25:06 <boklm> release date patch has not been tested in an alpha release yet, but doesn't look like a big risk so should be fine to backport
15:26:10 <richard> i guess get all your risky patches in now before we have a qa engineer to furrow their brow at us :3
15:26:31 <ma1> lol
15:26:41 <richard> ah boklm, that reminds me (and you have seen the request in the backlog already)
15:26:59 <richard> but are you free to sign the alpha next week to verify your dmg patch?
15:27:03 <boklm> yes, I can sign the alpha this week
15:27:20 <boklm> is it this week or next?
15:27:22 <PieroV> Can we wait a few days for the alpha?
15:27:30 <PieroV> I'd like to get the TorConnect improvements in
15:27:34 <boklm> I can next week too
15:27:42 <PieroV> (need to get the final approval in firefox-android!78)
15:28:16 <richard> boklm: ok great thank you
15:28:35 <richard> i'll do stable tomorrow this week
15:28:44 <richard> this week*
15:29:08 <richard> ok apart from that I'm out of announcements, so happy ot move on to discussion points!
15:29:48 <PieroV> I have a half announcement-half discussion
15:29:55 <PieroV> I think it'd be time to check for what can be uplifted
15:30:17 <PieroV> We have a couple of months to get stuff in before 128 goes beta
15:30:59 <bellatchau> ps: could we use the release meeting to talk about the onboarding of new dev ? or setup another time...I have a couple of ideas I would like everyones input
15:31:17 <bellatchau> coudl be in the future weeks...btw
15:31:35 <richard> bellatchau: I'm happy to add to thsi meeting's agenda if you like
15:32:23 <bellatchau> yeah, sure
15:33:06 <ma1> I've got in my todo-list putting betterboxing stuff in good order for uplifting in the next ~2 weeks, so when tjr is back can halp landing.
15:33:38 <PieroV> ack, thanks ma1!
15:34:16 <ma1> speaking of which, do we want to try uplifting the UI prefs part as well (does it make sense / have chance to success)?
15:34:29 <PieroV> I think we could start a conversation
15:34:42 <richard> agreed
15:34:56 <richard> uplifting all the things is the goal so we'll take what we can get :D
15:35:14 <ma1> ack
15:35:32 <PieroV> I also have a discussion point
15:35:44 <richard> mmhm
15:35:53 <PieroV> So, fonts is basic fingerprinting. Dropping the line-height patch changes a few metrics
15:35:59 <PieroV> * changed
15:36:46 <PieroV> We have also a few others font changes (adding a couple of fonts on macOS - Arial black and arial narrow iirc) and adding aliases to MS fonts (Arial, Courier, Times New Roman) on Linux
15:37:02 <PieroV> We decided to wait for 14.0 for the other changes, but as a matter of fact we haven't been consistent
15:37:34 <PieroV> Should we restore the line-height patch and defer its removal to 14.0, do also the other changes now, or what else?
15:37:55 <PieroV> The fingerprint between 13.0 and 13.5 will be likely different in any case...
15:38:59 <richard> so iirc there was a question of whether we should backport/removing some font fingerprint patch that didn't actually matter in terms of protections, but did alter the fingerprint yes?
15:39:29 <richard> I suppose this is another point for the design doc
15:39:34 <PieroV> Yes
15:40:02 <richard> but i think in general we should be minimizing the fingerprintable differences between minor versions on the stable train
15:40:07 <PieroV> (I remember that there's at least another quite trivial way to tell 13.0 from 13.5)
15:40:34 <richard> especially if said changes don't alter how fingerprintable the feature is, but instead changes the fingerprint (but leaves entropy the same)
15:40:57 <richard> yeah I think differences between major versions is *fine*
15:41:23 <richard> it's unreasonable to expect to maintain a set of quirks or w/e make major versions indistinguishable
15:42:24 <richard> so yeah i would say defer removal in this particular case
15:42:54 <PieroV> So, defer from 13.5 to 14.0
15:43:13 <PieroV> If we don't have a 14.0a1 rel prep we should create one :)
15:43:55 <richard> lol true
15:44:11 <richard> maybe we need a releaes prep issue special for the first major release
15:44:26 <richard> but anyway
15:44:55 <richard> wait a sec i've an off by 0.5 error
15:44:56 <PieroV> I think I'm done with my points
15:45:21 <PieroV> ? So, let's drop it from 13.5 already?
15:45:21 <richard> I thought we were opting ou tof backporting to the 13.0 series and leaving it in 13.5?
15:45:47 <PieroV> No, we were talking about 13.5 or waiting for 14.0
15:46:16 <richard> were you worried about the fingerprint changing within the 13.5 alpha series?
15:46:40 <PieroV> No, it's trivial fingerprinting, compared to non-trivial fingerprinting
15:47:08 <richard> well ok, what area the arguments for not improving the situation in 13.5 alpha?
15:47:44 <PieroV> That even stupid scripts will detect this change
15:48:25 <PieroV> (I don't know if so far we've done other changes that all FP scripts are checking)
15:48:32 <richard> right, but it's alpha
15:49:20 <PieroV> It's for 13.0 vs 13.5
15:49:30 <PieroV> Not for alpha minors
15:49:56 <PieroV> But it works for me also to do it for 13.5 already
15:50:55 <richard> ahhh, because 13.0 -> 13.5 is not an ESR transition, but 13.5 -> 14.0 is
15:51:07 <PieroV> Yes
15:51:18 <richard> so 13.5 -> 14.0 will already have major changes so it's easier to launder our changes as well
15:52:01 <PieroV> Yes, 14.0 will be detectable with navigator.userAgent :D
15:52:25 <richard> dang ok, i need to think about this and maybe chat offline
15:52:30 <PieroV> wfm
15:54:39 <richard> so to summarize for the log: adding major changes on the off-ESR versions of Tor Browser/Mullvad Browser will make split those two user groups into clear buckets when they otherwise wouldn't, since the base firefox version is the same; waiting until the major ESR version (whose users are trivial to distinguish by user-agent) works around this issue
15:55:05 <richard> we've never really been in a position to have the luxury of timing patches to minimise this possibilit risk before
15:55:14 <richard> possible risk*
15:55:16 <richard> ok
15:55:23 <richard> anymore discussion points?
15:55:43 <PieroV> Not from me
15:56:06 <boklm> not from me
15:56:34 <ma1> I'm good
15:56:50 <richard> ok
15:57:07 <richard> sorry about that little fingerprinting diversion, but we got there in the end
15:57:13 <richard> have a good week everyone o/
15:57:16 <richard> #endmeeting