18:01:31 <mikeperry> #startmeeting tbb-dev
18:01:31 <MeetBot> Meeting started Tue Apr  7 18:01:31 2015 UTC.  The chair is mikeperry. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:01:31 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
18:02:04 <arthuredelstein> hi all
18:02:33 <boklm> hi
18:02:37 <GeKo> hi
18:02:45 <mikeperry> hello everyone. we're holding the TBB meeting in #tor-project today because of a conflict with the Tor patch workshop. Our normal meeting times are Mondays at 18:00 UTC in #tor-dev
18:04:05 <mikeperry> I am somewhat disorganized because of relocating the meeting. if anyone else is ready to go first, feel free
18:04:36 <GeKo> here is what I did:
18:05:18 <GeKo> I worked on #10761, #15526, #4100, #15555, #15599 and #15493 for 4.5
18:05:57 <GeKo> and thought a bit/tested some things for #15578/#15551
18:06:28 <GeKo> wrt #15526: the good thing is that it is not exploitable according to Mozilla
18:06:53 <GeKo> backporting the fix is tricky as it is large and Mozilla is not planning to do that
18:07:19 <GeKo> rather there will be a special patch for the esr31 branch, I have no ETA yet
18:08:22 <GeKo> this week is a bit tricky for me due to long-planned things I can't postpone but I definitely want to get #4100 fixed
18:08:34 <arma3> don't mean to butt in here but: can somebody tell me tor browser's plan for the latest tor stable release? the current plan is maybe to wait until the next tor browser esr stable and just include it there?
18:09:00 <GeKo> not sure what else I get to
18:09:30 <GeKo> arma3: we plan to discuss the release strategy but are currently building at least a stable 4.0.7
18:09:43 <arma3> currently building meaning, might release once it's built?
18:09:55 <GeKo> yes
18:10:02 <arma3> when is 4.0.7 scheduled for otherwise (if you choose not to do it for this tor fix)
18:10:56 <GeKo> well, the next stable was supposed to be 4.5 which we could do next-weekish earliest
18:11:19 <GeKo> but I guess a 4.0.7 rather soon might be a smart idea
18:11:42 <arma3> ok. thank you. now back to your regularly scheduled meeting.
18:12:06 <GeKo> fwiw I am done with my status reporting
18:13:20 * arthuredelstein can go
18:13:34 <arthuredelstein> Last week I worked on #15510, #13670, #15562, #14429/#7256, https://bugzilla.mozilla.org/show_bug.cgi?id=418986 and started on #15502, and I posted tickets #15563, #15564, and #15569.
18:14:40 <arthuredelstein> Regarding #14429, I'm getting pretty close to a cleaned-up version that will hopefully address many of the bugs that have been reported and be less irritating to users. This version uses a combination of zooming and window resizing to try to be minimally disruptive.
18:15:02 <arthuredelstein> That's all for me
18:17:03 <mikeperry> ok, I can go now
18:17:28 <mikeperry> Last week, I handled publishing the releases with Georg, wrote the TBB status report, and moved tickets to this month's tag. I also replied to the privacy and security questionnaire at https://github.com/mikewest/spec-questionnaire/issues/6.
18:17:42 <mikeperry> This week, it looks like we are going to need to do a 4.0.7 release for a Tor crash bug. It's my current estimate that it is not severe enough to warrant another 4.5-alpha release.
18:17:52 <mikeperry> If we wanted to rush a 4.5-stable to include the Tor update, I think a minimum set of tickets for 4.5-stable is to disable the resizing code, and aim to fix #4100, #15606 and maybe #15514. I don't think rushing is wise, though.
18:18:22 <mikeperry> Speaking of #15514, it looks like Giorgio just added mediasource: to the whitelist in NoScript. I've tried to ask him for clarifications behind all of the stuff in the whitelist (esp resource: urls, which seems like it may have allowed one of the Pwn2Own exploits to bypass NoScript), but answers have been non-specific. :/
18:18:55 <Yawning> I have a dumb question, and a not-so-dumb question
18:19:34 <mikeperry> resource: in particular seems needed by pdf.js, and is not properly handled by the cascading permissions
18:20:10 <mikeperry> why chrome:, blob:, and only a subset but not all about: pages remain enabled is still a mystery
18:20:26 <Yawning> since dcf hasn't told me shit regarding if he'll merge my goptlib patch or not, I'm getting close to just rage implementing socks5 in obfs4proxy and not using goptlib's, I thought I'd have more time for 4.5 to get the stuff in, but it seems like y'all are expediting that.  Is end of the week early enough? (the dumb question)
18:21:17 <Yawning> what's the bug number for noscript's XSS protection totally breaking "highlight text - rightclick - search"? (the kind of dumb question)
18:22:29 <mikeperry> I don't think there is one?
18:22:31 <GeKo> Yawning: for the latter: there is no ticket yet afaict
18:22:53 <Yawning> :/
18:23:02 <Yawning> am I the only one that tries to use that?
18:23:10 <Yawning> (is it my config that's broken?)
18:23:20 <GeKo> no, I get the same issue
18:23:26 <mikeperry> wrt goptlib, I think the best move is to give us a patch that applies, or a new git remote w/ signed git tag to use
18:24:00 <Yawning> well, it'd be a new obfs4proxy tag
18:24:13 <Yawning> since at this point I'm basically giving up on fixing goptlib
18:25:21 <GeKo> that's fine, too
18:26:05 <mikeperry> if goptlib is the right place for it (and it seems like it, if you could get it merged?) then I'd rather see a fork of goptlib and use that than a ragehack in obfs4proxy
18:26:10 <Yawning> end of the week ok?
18:26:39 <Yawning> oh, is a random fork with a tag signed with my pgp key ok?
18:26:52 <mikeperry> I think we're not going to rush 4.5-stable for this Tor release, unless someone disagrees, so you should have longer
18:26:53 <Yawning> like goptlib-socks5-hax or whatever
18:26:59 <Yawning> ok
18:27:09 <Yawning> I'll bug dcf again instead of rage hacking
18:27:16 <Yawning> or rage forking
18:27:56 <mikeperry> Yawning: ok, but between the two, I prefer rage forking, esp if this support really should be in goptlib
18:28:13 <Yawning> ok
18:28:24 <Yawning> cept I also want the debian packages to have socks5 support
18:28:25 <Yawning> :/
18:28:40 <Yawning> and getting goptlib-ragefork into debian won't happen
18:30:24 <mikeperry> wrt a target merge deadline date for 4.5-stable, I am currently thinking somewhere around Apr 15-Apr 20th
18:30:58 <GeKo> sounds good
18:31:45 <Yawning> xxx420yoloswagblazeitxxx?
18:32:07 <GeKo> ha
18:33:02 * boklm can go
18:33:06 <RelyOn> Hello
18:33:21 <boklm> Last week I started working on extending the people.tpo/~user/builds/tbb-qa.yml file, to allow selecting a series of tor-browser commits to build and run unit tests on
18:33:30 <boklm> I also tried doing an automated rebase of patches from branch tor-browser-31.6.0esr-4.5-1 on gecko-dev master: http://test-reports.tbb.torproject.org/reports/r/rebase-1-ff924f41b59068793d0785229619c33a2baa10ff/browser-rebase.html
18:33:37 <boklm> This week I'm planning to continue on extending the tbb-qa.yml file, and patch the update_responses script to allow the 4.5 soft launch
18:35:37 <mikeperry> yikes, that's a lot of bitrot
18:37:11 <boklm> yes, many patches that need manual rebase
18:38:07 <mikeperry> ok, so on the immediate horizon, arthuredelstein: when you're ready with the improved #14429, can you post an xpi on people? or give me a commit and I can do so?
18:38:37 <arthuredelstein> will do
18:39:48 <mikeperry> I think we should also look over https://trac.torproject.org/projects/tor/query?keywords=~tbb-4.5-alpha&status=!closed and consider untagging some things, and making sure the rest are assigned
18:41:14 <GeKo> I think #15555 can get untagged. it might not be severe enough given our timeframe
18:41:44 <mikeperry> I'm concerned that #15502, #15555, and #15599 are going to be deeper rabbit holes than we'd like.. though #15502 can be a quick hack, it may still break some things
18:42:02 <GeKo> I am not sure about #15599 yet but, yes
18:42:11 <GeKo> I think the same
18:42:55 <GeKo> wrt 15502 cutting that out might be quite fast, no?
18:43:40 <mikeperry> yes, but with unknown amounts of damage. Giorgio said he believed facebook and twitter used blob: URIs for image upload
18:43:58 <GeKo> ugh
18:44:10 <mikeperry> but that was his explanation for whitelisting it, which meant that they were shoving scripts in the thing... :/
18:44:33 <GeKo> ughugh
18:44:38 <Yawning> D:
18:46:09 <mikeperry> I could see making a pref for this and making blob: URI support off by default, and making a note in the release notes about it, and see if anyone complains
18:46:10 <arthuredelstein> Something I was trying to understand is whether blob URIs are dangerous only in the URL bar, or elsewhere
18:46:43 <mikeperry> I was able to create one and source it from an iframe
18:46:52 <mikeperry> https://people.torproject.org/~mikeperry/transient/tests/blob-iframe.html
18:47:42 <arthuredelstein> That seems like a bug in NoScript to me.
18:48:33 <GeKo> mikeperry: I think we should try to go the pref road then, disable that by default and explain that to users
18:48:38 <mikeperry> Giorgio thinks that because an allowed origin is the only thing that can create blob uris, by transitivity they should also be allowed
18:49:52 <arthuredelstein> I see. I guess the ideal solution for us is to isolation by first party domain, then. Or am I thinking about it wrong?
18:50:02 <arthuredelstein> s/isolation/isolate
18:50:25 <GeKo> I think you are right.
18:50:28 <mikeperry> yes
18:52:02 <arthuredelstein> I can investigate how complicated that looks and report on the ticket.
18:52:51 <arthuredelstein> If it's too complicated, we can go for a pref to disable blob URIs instead.
18:53:47 <mikeperry> ok
19:00:25 <mikeperry> I think we're mostly in good shape then? anything else?
19:01:14 <GeKo> I was wondering about the W3C feedback
19:01:35 <GeKo> I had feedback to the fingerprinting thing long on my ToDo list but never got to it :(
19:01:55 <GeKo> do we want to collect a single thing before we send something to nick doty?
19:02:00 <mikeperry> I added a note to the TBB design doc update ticket to give Nick Doty the URL again when it is updated
19:02:15 <mikeperry> along with some comments for the fingerprinting guidance doc
19:02:20 <GeKo> yeah
19:02:51 <GeKo> should I post my things in the ticket then? or via an email to tbb-dev? or..?
19:03:31 <mikeperry> the W3C ticket update looks like it needs a laundry list of shit that we've changed, and what is still broken but how we would change it
19:04:17 <mikeperry> either I guess?
19:04:50 <GeKo> ok.
19:08:03 <GeKo> mikeperry: I think I'd like to investigate #15599 a bit further in order to understand its impact before dropping it definitely from the 4.5 roadmap
19:08:26 <mikeperry> ok
19:10:36 <mikeperry> anything else?
19:11:27 <mikeperry> #endmeeting *baf*