18:01:31 #startmeeting tbb-dev
18:01:31 Meeting started Tue Apr 7 18:01:31 2015 UTC. The chair is mikeperry. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:01:31 Useful Commands: #action #agreed #help #info #idea #link #topic.
18:02:04 hi all
18:02:33 hi
18:02:37 hi
18:02:45 hello everyone. we're holding the TBB meeting in #tor-project today because of a conflict with the Tor patch workshop. Our normal meeting times are Mondays at 18:00 UTC in #tor-dev
18:04:05 I am somewhat disorganized because of relocating the meeting. if anyone else is ready to go first, feel free
18:04:36 here is what I did:
18:05:18 I worked on #10761, #15526, #4100, #15555, #15599 and #15493 for 4.5
18:05:57 and thought a bit/tested some things for #15578/#15551
18:06:28 wrt #15526: the good thing is that it is not exploitable according to Mozilla
18:06:53 backporting the fix is tricky as it is large and Mozilla is not planning to do that
18:07:19 rather there will be a special patch for the esr31 branch, I have no ETA yet
18:08:22 this week is a bit tricky for me due to long-planned things I can't postpone but I definitely want to get #4100 fixed
18:08:34 don't mean to butt in here but: can somebody tell me tor browser's plan for the latest tor stable release? the current plan is maybe to wait until the next tor browser esr stable and just include it there?
18:09:00 not sure what else I get to
18:09:30 arma3: we plan to discuss the release strategy but are currently building at least a stable 4.0.7
18:09:43 currently building meaning, might release once it's built?
18:09:55 yes
18:10:02 when is 4.0.7 scheduled for otherwise (if you choose not to do it for this tor fix)
18:10:56 well, the next stable was supposed to be 4.5 which we could do next-weekish earliest
18:11:19 but I guess a 4.0.7 rather soon might be a smart idea
18:11:42 ok. thank you. now back to your regularly scheduled meeting.
18:12:06 fwiw I am done with my status reporting
18:13:20 * arthuredelstein can go
18:13:34 Last week I worked on #15510, #13670, #15562, #14429/#7256, https://bugzilla.mozilla.org/show_bug.cgi?id=418986 and started on #15502, and I posted tickets #15563, #15564, and #15569.
18:14:40 Regarding #14429, I'm getting pretty close to a cleaned-up version that will hopefully address many of the bugs that have been reported and be less irritating to users. This version uses a combination of zooming and window resizing to try to be minimally disruptive.
18:15:02 That's all for me
18:17:03 ok, I can go now
18:17:28 Last week, I handled publishing the releases with Georg, wrote the TBB status report, and moved tickets to this month's tag. I also replied to the privacy and security questionnaire at https://github.com/mikewest/spec-questionnaire/issues/6.
18:17:42 This week, it looks like we are going to need to do a 4.0.7 release for a Tor crash bug. It's my current estimate that it is not severe enough to warrant another 4.5-alpha release.
18:17:52 If we wanted to rush a 4.5-stable to include the Tor update, I think a minimum set of tickets for 4.5-stable is to disable the resizing code, and aim to fix #4100, #15606 and maybe #15514. I don't think rushing is wise, though.
18:18:22 Speaking of #15514, it looks like Giorgio just added mediasource: to the whitelist in NoScript. I've tried to ask him for clarifications behind all of the stuff in the whitelist (esp resource: urls, which seems like it may have allowed one of the Pwn2Own exploits to bypass NoScript), but answers have been non-specific.
:/
18:18:55 I have a dumb question, and a not-so-dumb question
18:19:34 resource: in particular seems needed by pdf.js, and is not properly handled by the cascading permissions
18:20:10 why chrome:, blob:, and only a subset but not all about: pages remain enabled are still a mystery
18:20:26 since dcf hasn't told me shit regarding if he'll merge my goptlib patch or not, I'm getting close to just rage implementing socks5 in obfs4proxy and not using goptlib's, I thought I'd have more time for 4.5 to get the stuff in, but it seems like y'all are expediting that. Is end of the week early enough? (the dumb question)
18:21:17 what's the bug number for noscript's XSS protection totally breaking "highlight text - rightclick - search"? (the kind of dumb question)
18:22:29 I don't think there is one?
18:22:31 Yawning: for the latter: there is no ticket yet afaict
18:22:53 :/
18:23:02 am I the only one that tries to use that?
18:23:10 (is it my config that's broken?)
18:23:20 no, I get the same issue
18:23:26 wrt goptlib, I think the best move is to give us a patch that applies, or a new git remote w/ signed git tag to use
18:24:00 well, it'd be a new obfs4proxy tag
18:24:13 since at this point I'm basically giving up on fixing goptlib
18:25:21 that's fine, too
18:26:05 if goptlib is the right place for it (and it seems like it, if you could get it merged?) then I'd rather see a fork of goptlib and use that than a ragehack in obfs4proxy
18:26:10 end of the week ok?
18:26:39 oh, is a random fork with a tag signed with my pgp key ok?
18:26:52 I think we're not going to rush 4.5-stable for this Tor release, unless someone disagrees, so you should have longer
18:26:53 like goptlib-socks5-hax or whatever
18:26:59 ok
18:27:09 I'll bug dcf again instead of rage hacking
18:27:16 or rage forking
18:27:56 Yawning: ok, but between the two, I prefer rage forking, esp if this support really should be in goptlib
18:28:13 ok
18:28:24 cept I also want the debian packages to have socks5 support
18:28:25 :/
18:28:40 and getting goptlib-ragefork into debian won't happen
18:30:24 wrt a target merge deadline date for 4.5-stable, I am currently thinking somewhere around Apr 15-Apr 20th
18:30:58 sounds good
18:31:45 xxx420yoloswagblazeitxxx?
18:32:07 ha
18:33:02 * boklm can go
18:33:06 Hello
18:33:21 Last week I started working on extending the people.tpo/~user/builds/tbb-qa.yml file, to allow selecting a series of tor-browser commits to build and run unit tests on
18:33:30 I also tried doing an automated rebase of patches from branch tor-browser-31.6.0esr-4.5-1 on gecko-dev master: http://test-reports.tbb.torproject.org/reports/r/rebase-1-ff924f41b59068793d0785229619c33a2baa10ff/browser-rebase.html
18:33:37 This week I'm planning to continue on extending the tbb-qa.yml file, and patch the update_responses script to allow the 4.5 soft launch
18:35:37 yikes, that's a lot of bitrot
18:37:11 yes, many patches that need manual rebase
18:38:07 ok, so on the immediate horizon, arthuredelstein: when you're ready with the improved #14429, can you post an xpi on people? or give me a commit and I can do so?
18:38:37 will do
18:39:48 I think we should also look over https://trac.torproject.org/projects/tor/query?keywords=~tbb-4.5-alpha&status=!closed and consider untagging some things, and making sure the rest are assigned
18:41:14 I think #15555 can get untagged. it might not be severe enough given our timeframe
18:41:44 I'm concerned that #15502, #15555, and #15599 are going to be deeper rabbit holes than we'd like..
though #15502 can be a quick hack, it may still break some things
18:42:02 I am not sure about #15599 yet but, yes
18:42:11 I think the same
18:42:55 wrt 15502 cutting that out might be quite fast, no?
18:43:40 yes, but with unknown amounts of damage. Giorgio said he believed facebook and twitter used blob: URIs for image upload
18:43:58 ugh
18:44:10 but that was his explanation for whitelisting it, which meant that they were shoving scripts in the thing... :/
18:44:33 ughugh
18:44:38 D:
18:46:09 I could see making a pref for this and making blob: URI support off by default, and making a note in the release notes about it, and see if anyone complains
18:46:10 Something I was trying to understand is whether blob URIs are dangerous only in the URL bar, or elsewhere
18:46:43 I was able to create one and source it from an iframe
18:46:52 https://people.torproject.org/~mikeperry/transient/tests/blob-iframe.html
18:47:42 That seems like a bug in NoScript to me.
18:48:33 mikeperry: I think we should try to go the pref road then, disable that by default and explain that to users
18:48:38 Giorgio thinks that because an allowed origin is the only thing that can create blob uris, by transitivity they should also be allowed
18:49:52 I see. I guess the ideal solution for us is to isolation by first party domain, then. Or am I thinking about it wrong?
18:50:02 s/isolation/isolate
18:50:25 I think you are right.
18:50:28 yes
18:52:02 I can investigate how complicated that looks and report on the ticket.
18:52:51 If it's too complicated, we can go for a pref to disable blob URIs instead.
18:53:47 ok
19:00:25 I think we're mostly in good shape then? anything else?
19:01:14 I was wondering about the W3C feedback
19:01:35 I had feedback to the fingerprinting thing long on my ToDo list but never got to it :(
19:01:55 do we want to collect a single thing before we send something to nick doty?
19:02:00 I added a note to the TBB design doc update ticket to give Nick Doty the URL again when it is updated
19:02:15 along with some comments for the fingerprinting guidance doc
19:02:20 yeah
19:02:51 should I post my things in the ticket then? or via an email to tbb-dev? or..?
19:03:31 the W3C ticket update looks like it needs a laundry list of shit that we've changed, and what is still broken but how we would change it
19:04:17 either I guess?
19:04:50 ok.
19:08:03 mikeperry: I think I'd like to investigate #15599 a bit further in order to understand its impact before dropping it definitely from the 4.5 roadmap
19:08:26 ok
19:10:36 anything else?
19:11:27 #endmeeting *baf*