18:01:56 <mikeperry> #startmeeting app-dev 18:01:56 <MeetBot> Meeting started Mon Aug 10 18:01:56 2015 UTC. The chair is mikeperry. Information about MeetBot at http://wiki.debian.org/MeetBot. 18:01:56 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic. 18:02:33 <Yawning> #16756 needs mikeperry input at his highness' convenience. 18:02:58 <mikeperry> ok, will take a look 18:03:09 <Yawning> ty <3 18:03:11 <mikeperry> let's get started with the applications meeting reportbacks though 18:03:18 <mikeperry> Last week, I wrote our status report, triaged the last set of tbb-5.0 tickets, reviewed and merged the final couple tickets, wrote a fix for #16730, attended to some meetings, and dealt with the 5.0 builds over the weekend. 18:03:38 <mikeperry> This week, my plan is to get the releases out and watch for regressions. Barring any catastrophies, I will go over the backlog, and try to plan some kind of vacation (which I sorely need). 18:04:14 <mikeperry> I think that's it for me for now. I'm sure this week will have enough surprises in store to keep me busy 18:07:26 * ilv can go next 18:07:42 <ilv> Last week I sent my status report for SoP (Enhance GetTor), and started to work on enabling GetTor to send links to download Tor Browser in more locales (currently just en-US) 18:08:36 <ilv> This week I'll be working on getting the XMPP bot ready (I'll also research if it's possible to add otr) 18:09:14 <mikeperry> ilv: awesome 18:09:21 <ilv> That's it for me 18:09:38 <ilv> mikeperry: thanks :) 18:10:04 <mikeperry> ilv: one of the thing I am hoping is easier for TBB 5.5-alpha is a multi-lingual version (#12967) 18:10:14 <mikeperry> that might make gettor easier to use, perhaps? 18:10:25 <ilv> definitely! 18:11:17 <mikeperry> not sure what the timeline on that will be 18:11:44 <mikeperry> I need to go over our roadmap and backlog and figure out the post-5.0 schedule still 18:12:28 <ilv> I see, ok 18:12:44 * n8fr8 team orfox has a quick report 18:12:53 <GeKo> I think it makes sense to plan this with the hardened build series 18:12:54 <n8fr8> amoghbl1 and I are still progressing on torbutton for orfox/android, but from what I did last week, it seems promising. Mozilla mobile add-on tooling/SDK has vastly improved since I last looked at it, and it seems we hopefully might be able to make the core TorButton code "mobile enabled" instead of forking... 18:13:42 <mikeperry> wow 18:13:45 <n8fr8> also the mozilla exploit from last week does not affect Firefox on Android 18:13:56 <mikeperry> what are you going to do about all of the toggle cruft in torbutton? :) 18:14:03 <n8fr8> (different downloader/PDF code) 18:14:22 * ilv feels safe :) 18:14:23 <n8fr8> we will see! 18:14:50 <mikeperry> yeah, we are trying to rush 5.0 out for that bug. 4.5 wasn't targeted in the wild, but 5.0a users might be vulnerable at the lower security levels :/ 18:15:21 <mikeperry> unfortunately, the need to switch to FF38-esr also right now has tied our hands. it's been a stressful weekend just getting everything ready :( 18:15:58 <n8fr8> well, at least with orfox being based on TB5/esr38 it seems we are all well aligned, which was one of our goals from the spain meeting 18:16:38 <n8fr8> that is all for now! 18:18:51 <mcs> Is it time to clean up more of the toggle cruft? 18:19:06 <GeKo> it's always that time :) 18:19:16 <mikeperry> yes, we should probably remove much of it in the 5.5 series 18:19:27 <mikeperry> that's actually on the roadmap already :) 18:19:51 <mcs> Maybe a better question is "which one of us owns that task?" 18:20:25 <mcs> anyway, I do not want to distract from the standup report portion of the meeting. 18:20:28 <mikeperry> right now it looks like arthur and you (if you want it) 18:21:08 <mcs> OK. Kathy and I will talk to Arthur about it. 18:21:21 <arthured1lstein> Sounds good :) 18:22:35 * mcs can go next 18:22:45 <mcs> Last week, Kathy and I created patches for #16715 (merged by mikeperry for TB 5.0; thanks!) 18:22:51 <mcs> We also fixed #16731 (reviewed and merged by GeKo for TB 5.0; thanks!) 18:22:59 <mcs> We also filed #16735 and did a little work on it but are now waiting to make contact with Jeremy Todaro (the original creator of the HTML page that became about:tor). 18:23:07 <mcs> We spent some time creating a patch for #16722 but mikeperry and GeKo came up with a better fix. 18:23:14 <mcs> We started looking at #13512 again after a long break and will work on it more this week. 18:23:20 <mcs> Today we reviewed the revised patch for Mozilla #232227 (System colors for form elements used when browser.display.use_system_colors is set to false). 18:23:28 <mcs> This week we also plan to work on #16753 and of course we will help with any TB 5.0 and 5.5 alpha issues that come up. 18:23:33 <mcs> That's all for us. 18:24:39 <GeKo> here is what i did: 18:25:09 <GeKo> I spent some time preparing stuff for 5.0 and 5.5a1 18:25:19 <GeKo> I worked on the tiles bug #16722 18:25:46 <GeKo> today I fought with signing our stable release which should be done now 18:26:07 <GeKo> and I updated our HACKING document with a section about bisecting Tor Browser things 18:26:57 <GeKo> this week we have two releases and I somehow hope to turn back to my two longstanding bugs, #15538 and #15578 18:27:04 <GeKo> that's it for now 18:29:04 <mikeperry> mcs: we should perhaps file a bug to track https://trac.torproject.org/projects/tor/ticket/16715#comment:5? or do you want to track it on Mozilla's side? 18:30:00 <mcs> mikeperry: Either way. We should file a bug in one place or the other or both. 18:30:43 <arthuredelstein> Probably on bugzilla.mozilla.org makes more sense. 18:31:19 <mcs> arthuredelstein: You are right. Should I file a Bugzilla bug or do you want to? 18:31:21 <arthuredelstein> I'm happy to post it. We can add it to https://docs.google.com/spreadsheets/d/1rF4Gah_OEequYDfPedoQu3oETM5Gj4NagxDuKQG-IOk/ as well 18:31:26 <mcs> thanks! 18:32:20 * arthuredelstein can go 18:32:29 <arthuredelstein> Last week I worked on improving our font fingerprinting patches, #13313 and #16672. 18:32:39 <arthuredelstein> Mainly I tried, in this iteration, to make the whitelisting/bundling of fonts as user-friendly as possible, by favoring aesthetics over strict fingerprinting perfection. 18:32:44 <arthuredelstein> So I whitelisted various OS fonts on Mac and Windows, and I bundled some better-looking fonts for Linux. 18:32:55 <arthuredelstein> I also worked on our Keyboard Event fingerprinting patch (#15646). This corrected some issues with Alt keys and the backspace key. 18:33:00 <arthuredelstein> And I upstreamed a patch to Firefox https://bugzilla.mozilla.org/1173171, which corresponds to our #14455. 18:33:04 <arthuredelstein> This week I will work on further refining font defenses. 18:33:10 <arthuredelstein> The main difficulty right now is getting font fingerprints to be the same on various linux flavors. 18:33:14 <arthuredelstein> I may also work on improving keyboard anti-fingerprinting, and possibly #14429. I may also work on more upstreaming to Firefox. 18:33:29 <arthuredelstein> That's it for me. 18:35:23 * boklm can go next 18:35:36 <boklm> This week I fixed some issues in the test suite: https://lists.torproject.org/pipermail/tor-qa/2015-August/000667.html 18:35:39 <boklm> I investigated and fixed #16311 (but still need to open a mozilla bug for it) 18:35:42 <mikeperry> arthuredelstein: re #16672, it is really weird that dcf1's bundles successfully disabled antialiasing and subpixel rendering, but ours do not. it might be worth trying to debug/take apart his old bundles, if the debug symbols still work 18:35:49 <boklm> I launched some tbb builds (5.0-build3 is matching, 5.5 is still building at the moment) 18:36:01 <boklm> I tried a patch to fix an "error: unused variable 'rv'" on Try (but it did not build because of #16497): https://github.com/boklm/gecko-dev/commit/391cbecbccf89deb6d83817eb5bfb14b896af324 18:36:15 <boklm> This week I'm planning to rebase on 38.2.0 / sync / submit to Try my split branch repo 18:36:24 <boklm> Open a mozilla bug for #16311. I will also be going to CCCamp. 18:36:24 <arthuredelstein> mikeperry: Yes, good point. I think that's probably my next step. 18:36:42 <boklm> That's it for me. 18:36:48 <mikeperry> cool, thanks boklm 18:37:01 <mikeperry> we should also go through the list of DOM objects you found on tor-qa 18:37:12 <GeKo> boklm: o already opened one for #16311 let me look where it is 18:37:17 <GeKo> *I 18:37:19 <boklm> ah ok 18:37:46 <mikeperry> some of these should have been disabled by pref. I wonder if they are present but empty or something. we should check that 18:38:17 <boklm> mikeperry: should we open a ticket for that ? 18:38:39 <mikeperry> yes, probably 18:40:28 <arthuredelstein> (I forgot to mention that I will be on vacation and afk August 17-24.) 18:42:03 <arlolra> boklm: did you see emails from sukhe? 18:42:16 <Yawning> (are ze reports done?) 18:42:47 <boklm> arlolra: ah yes, I need to answer to that 18:43:09 <mikeperry> arlolra: aha! welcome. is sukhe here too? how goes tor messenger? 18:44:19 <arlolra> doesn't look like he is 18:44:46 <arlolra> mikeperry: we've got a blog post all queued up, just smoothing out some build issues 18:45:20 <arlolra> is there documentation somewhere on TB's updater? how it differs from mozilla's default and whatnot 18:46:26 <GeKo> not really 18:46:33 <mikeperry> hrm, unfortunately no 18:47:00 <mcs> arlolra: I don't think there is much documentation. You could look at our patches or ask questiions or course ;( 18:47:21 <arlolra> ok, will do. thanks 18:49:27 <mikeperry> arlolra: boklm should also be able to help with the server-side updater bits, of course 18:50:24 <mikeperry> ok, anyone else? Yawning did you have something more? 18:50:27 <arlolra> great 18:50:31 <Yawning> yeah 18:50:51 <Yawning> I'm willing to buy someone a boottle of alcohol of their choice (within reason) 18:50:57 <Yawning> to get #10140 fixed 18:51:27 <Yawning> I'd do it myself but gitian at this point would be bad for my mental health 18:51:40 <Yawning> and what remains of my liver function 18:52:04 <mikeperry> is that still blocked on the weird mac special case for the langpack? 18:52:09 <Yawning> (I've been talking to the people that gave us the locale data so I can get it updated or do the updates if I need) 18:52:14 <GeKo> i think so 18:52:15 <Yawning> as of 17 months ago 18:52:18 <Yawning> apparently 18:52:25 <Yawning> OSX is incredibly popular here 18:52:33 <Yawning> (as is IOS) 18:52:47 <mikeperry> we can just hack that as a special case 18:52:48 <Yawning> but I don't have hardware for it, so I can't tell ifv it's required or not 18:53:20 <Yawning> mmk 18:53:27 <mikeperry> if you remind us again next week, its more likely to get done. it shouldn't be too hard, but now is a bad time for us to be introducing bloody hacks into gitian, in case something happens with this release again 18:53:30 <Yawning> sorry to be kind of insistent about this 18:53:35 <Yawning> yeah I understand 18:53:40 <Yawning> I'll remind y'all thanks 18:54:08 <Yawning> (the freedom situation here is deterioating, so, kind of want this sinc eit's more needed heh) 18:54:46 <Yawning> I can go over the locale data at some point as well 18:55:59 <arthuredelstein> How expensive is it to add more languages in general? Would it be feasible to add 10 more? 18:56:51 <GeKo> well, it depends. ideally we would do the same as Mozilla I think 18:57:13 <arthuredelstein> Here's the list. It's long: https://www.mozilla.org/en-US/firefox/all/ 18:57:43 <mikeperry> it requires an insane amount of disk space to do it the way Mozilla does. I think we should have a top 10 and then everything else in #12967 18:58:10 <mikeperry> not just disk space even.. also build transfew time 18:58:15 <GeKo> yes. probably 18:58:28 <mikeperry> I spend hours copying TB builds between systems as-is :( 18:58:45 <GeKo> you are not alone :) 18:59:19 <arthuredelstein> Is that because it's airgapped? 18:59:43 * Yawning bites tounge 18:59:50 <mikeperry> well, my problem is the build machine is not on the same network as tpo 19:00:02 <mikeperry> so just the rsync takes hours 19:00:46 <Yawning> Is it because your wifi thing catches on fire tryign to push bits? 19:00:46 <mcs> mikeperry: How many TB builds do we want, ideally? One for each of our "top 10" languages and an 11th for all of the other languages? Or just one (per platform)? 19:00:47 <mikeperry> there's another copy step from people.tpo to dist, and that takes several minutes 19:00:49 <Yawning> :P 19:01:07 <mikeperry> mcs: I guess it depends on the size of that universal bundle 19:01:12 <mcs> fair enough 19:01:22 <mikeperry> I am a bit worried that with all fonts and 82 langpacks, we may be looking at a 100MB TBB 19:01:43 <Yawning> I *think* out of our userbase by country the only language that isn't supported well is ja_JP 19:01:46 <Yawning> might be wrong 19:01:56 <Yawning> (out of the top X that is) 19:02:04 <GeKo> you could be right here 19:02:58 <arthuredelstein> Seems like Hindi and Urdu might be potentially good top-X languages to include. 19:03:51 <Yawning> devanagari shouldn't require crazy fonts 19:04:19 <mikeperry> in the past certain sponsors have paid us to carry particular languages. I think they probably assumed they could pay us to do that once and we'd do it forever. pretty sure we're not bound to carry any languages at the moment, so we can probably do the samrt/strategic thing we want here 19:05:52 <arthuredelstein> Is there any way we could build/copy TBB on a fast VPS, in parallel? 19:06:19 <arthuredelstein> Seems like it could lessen the build pain in general. 19:06:24 <mikeperry> I am thinking the smart thing is custom bundles for popular locales (or locales we think *should be popular, if only we supported them as first-class bundles, and then a universal bundle for the remainder of officially supported Firefox locales) 19:07:33 <arthuredelstein> Does Mozilla bundle extra fonts for weird languages? Because the #13313 bundling already includes fonts for virtually every living language. 19:07:38 <Yawning> (Note Urdu doesn't use devanagari, no idea how complicated the Urdu one is) 19:07:54 <arthuredelstein> (Urdu uses Arabic/Persian script -- no problem.) 19:07:55 <mikeperry> we could probably easily split out mac, win and linux and do them in parallel, if LXC support were more dependable 19:08:17 <Yawning> arthuredelstein: TIL, thanks. 19:08:20 <Yawning> ^_^ 19:08:31 <mikeperry> beyond that, probably had to parallelize without switching out gitian for something else 19:08:38 <Lever> yesterday i stated my problem and no one answer me 19:08:43 <Lever> http://www.imgdumper.nl/uploads8/55c7b730b91dd/55c7b730a12f1-Tor.png 19:08:50 <Lever> http://www.imgdumper.nl/uploads8/55c7b80e06e9d/55c7b80deb6b8-TorII.png 19:09:10 <Yawning> arthuredelstein: I guess the only real mess is CJKV and Unihan related these days 19:10:11 <arthuredelstein> Yawning: Yeah -- unihan is a real pity. 19:10:39 <mikeperry> ok, any more application development-related questions/discussion? 19:11:09 <ilv> I have a question, how is RecommendedTBBVersions updated? 19:11:26 <ilv> the question related to this #16551 19:11:28 <Yawning> I assume it's better to wait on the build system madness to be fixed before soliciting localization for messenger 19:11:39 <mikeperry> GeKo: did you prep 5.0 and 5.5 in your build dir, or just 5.0? 19:11:56 <Yawning> If it's something that should be done now, i can ask the people if they want to do it 19:12:29 <GeKo> mikeperry: 5.0. I'll do 5.5 tomorrow 19:12:54 <GeKo> but I sent a message to tor-qa for testing it 19:13:10 <GeKo> (you might want to sign your sha256 sums files) 19:13:28 <mikeperry> GeKo: ok, shall I write the blog post and push 5.0 out then today? 19:14:22 <GeKo> i think we can give it one more day testing given that the exploit was not working in esr31 based browsers 19:15:00 <GeKo> that said a blog post draft would be nice :) 19:15:14 <mikeperry> the exploit is being updated. they added a mac target apparently. not sure if they added a ff31 target yet :/ 19:15:33 <GeKo> interesting. 19:16:07 <mikeperry> the clock is probaby also ticking before someone picks it up and does that work independently :/ 19:16:34 <GeKo> yeah, it got popular it seems. 19:17:08 <mikeperry> I emailed dan+security group with some questions about the exploit wrt NoScript, disabling pdf.js, and future e10s sandboxing, so we can mention in the blog post some details about the security slider and future sandboxing work, etc 19:17:49 <GeKo> good idea 19:18:56 <GeKo> so, if you feel like we should release today due to the exploit then go for it 19:19:17 <GeKo> i am leaning towards giving it another day test coverage 19:19:26 <GeKo> trusting mozilla engineers here 19:21:22 <mikeperry> well, they never did say that esr31 was 100% not vulnerable, right? they just said the particular exploit in the wild failed against 31 for some reason 19:23:39 <GeKo> yes. i read it that way that if they thought esr31 could get exploited there too (within one week) they'd released a checmspill for it as well 19:23:51 <GeKo> *chemspill 19:24:21 <GeKo> but that is speculation on my side I admit as I don't have access to the bugs 19:25:59 <GeKo> "we determined that the vulnerability isn't present in the current 31 19:26:00 <GeKo> ESR." 19:26:26 <GeKo> that's what the firefox release manager says at least 19:28:55 <mikeperry> hrmm.. so much confusion. that's not exactly what I remember hearing, but who knows. 19:29:33 <mikeperry> " 19:29:35 <mikeperry> Brian: Good question. I hope we can make that clear at least in this bug. The exploit we were addressing did not work in 31. So, no, we didn't patch 31.8.0 ESR." 19:29:46 <mikeperry> https://bugzilla.mozilla.org/show_bug.cgi?id=1179262#c33 19:30:03 <mikeperry> but https://bugzilla.mozilla.org/show_bug.cgi?id=1178058 is still secret 19:30:16 <GeKo> the quote i made is from the enterprise mailing list 19:31:10 <GeKo> in the second mail by Liz Henry in the ESR 38.1.1 released thread 19:31:35 <mikeperry> so we maybe dodged a bullet. but that also means that the thing we should be hurrying on is 5.5a1, I suppose. I guess we need to be sure to get both out by tomorrow then 19:31:54 <GeKo> yes that was my thinking 19:33:01 <mcs> Why the rush for 5.5a1? I am missing some important info. 19:33:36 <mikeperry> because 5.a4 and 5.a3 were based on FF38-esr, which definitely is vulnerable to the exploit 19:33:45 <mikeperry> so the alpha channel TBB users are vulnerable 19:34:08 <mcs> But we could upgrade them to 5.0 (non-alpha) 19:34:35 <GeKo> hmm 19:34:36 <mikeperry> now, I bet the exploit will still fail against TBB as-is, because of our alteration of $HOME and the bundle dir 19:35:07 <mcs> But someone might adapt the exploit to target TBB 19:35:29 <mikeperry> we didn't make incrementals for 5.0a4->5.0, since we made 5.5a1 instead.. I supose we could have considered that pushing everyone to 5.0 would be faster :/ 19:35:45 <mcs> Anyway, it sounds like (depending on testing), 5.5a1 may be ready to go soon 19:35:46 <mikeperry> little late now, I think. it won't be faster at this point 19:35:49 <mcs> right 19:39:03 <mikeperry> ok, well, I will draft blog posts for 5.0 and 5.5 as soon as I hear from dan about a best guess wrt the security slider stopping it in 5.0a4 19:39:57 <GeKo> if I look at the exploit or what people claim to be it is it needs JS 19:40:13 <GeKo> so setting the slider to high would stop it 19:43:37 <mikeperry> ok, that sounds good then 19:43:54 <mikeperry> anything else? 19:45:27 <mikeperry> (medium-high should *probably* be OK, too, since I bet the types of sites that have https on them don't deal with sketchy ad networks like this, but that is less certain) 19:45:48 <mikeperry> anyways, I am going to call the meeting. thanks everyone! 19:45:52 <mikeperry> #endmeeting *baf*