19:00:12 <GeKo> #startmeeting tor-browser-dev
19:00:12 <MeetBot> Meeting started Mon Jan 18 19:00:12 2016 UTC. The chair is GeKo. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:00:12 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
19:00:31 <GeKo> welcome to our weekly tor browser meeting
19:00:44 <GeKo> who wants to go first today for the status updates?
19:01:58 <arthuredelstein> hi everyone
19:02:10 <arthuredelstein> I can go if nobody else wants to ;)
19:02:26 <arthuredelstein> This week I finished patches for #17965.
19:02:34 <arthuredelstein> And I opened #18087.
19:02:46 <arthuredelstein> I wrote a patch for #18030.
19:02:54 <arthuredelstein> I worked on some manual tests for the font fingerprinting patch.
19:03:09 <arthuredelstein> And I had a preliminary look at Kathy and Mark's patch for #18019.
19:03:20 <arthuredelstein> This week I will post my font fingerprinting test results,
19:03:26 <arthuredelstein> finish reviewing #18019,
19:03:31 <arthuredelstein> and write a revised patch for #17790.
19:03:41 <arthuredelstein> If there's time I will work on rebasing patches to ESR45.
19:04:08 <arthuredelstein> that's it for me
19:05:00 <GeKo> could you get those fingerprinting test results assembled by tomorrow/wednesday?
19:05:25 <GeKo> that's probably when we finally need to decide what to do with the font fingerprinting defense
19:06:31 <arthuredelstein> Yes, I think by Wednesday should be doable
19:06:56 <arthuredelstein> Is there a specific thing you are concerned about regarding the font defense?
19:08:27 <GeKo> not a specific thing. i'd like to make sure that it works against the different attacks out there
19:08:38 <GeKo> on all platforms we support
19:09:22 <arthuredelstein> OK. The main attack it defends against currently is font enumeration, which is what my test is checking.
19:09:36 <GeKo> i am particularly interested how we handle dcf's idea
19:10:10 <huseby> what's the main font defense? reporting the fonts found on windows xp?
19:10:19 <huseby> or some subset of fonts that everybody has?
19:11:27 <Yawning> there isn't, because of the stupid fucking UI font issue >.>
19:11:46 <Yawning> sorry, windows makes me really mad
19:11:51 <huseby> (me too)
19:11:59 * huseby can go
19:12:22 <huseby> last week, i finished filing bugs for all of the remaining callsites for the origin attributes work i'm/we're doing
19:12:23 <arthuredelstein> huseby: The font defense (patch from #13133) which we may apply to stable, restricts the allowed fonts for each platform.
19:12:31 <arthuredelstein> Sorry, #13313
19:12:39 <huseby> thx
19:12:44 <arthuredelstein> And bundles some fonts, especially for Linux
19:12:45 <Yawning> problem is, there isn't a common set on certain windows locales that doesn't result in a fucked up UI
19:12:59 <Yawning> because the windows UI font has changed, basically every release
19:13:18 <arthuredelstein> Yawning is correct. So we whitelist all needed UI fonts for now.
19:13:18 <huseby> we're going through the process of writing patches for all of the callsites that create codebase principals
19:14:54 <huseby> making sure that the origin attributes are handled correctly
19:15:02 <huseby> making user contexts work properly
19:15:16 <huseby> which will also make 1st/3rd party isolation work correctly when we uplift the patches from tor
19:15:30 <huseby> that's it for me.
19:15:58 <arthuredelstein> GeKo: Which of dcf's ideas do you mean?
19:17:36 <GeKo> the font glyph paper 2015
19:17:54 <GeKo> Fingerprinting Web Users through Font Metrics
19:18:58 <GeKo> okay, here is what i did last week:
19:19:36 <GeKo> i mainly tried to collect things for 5.5 some successfully some not
19:20:22 <GeKo> in the latter category were #11506 and #13893
19:20:46 <GeKo> the latter was quite a timesink but we know now that EMET does not like mingw-w64 optimized code
19:21:12 <GeKo> i've written jacek an email and hope he is able to help us with this one and #9145
19:21:40 <GeKo> i've reviewed and merged some smaller patches
19:21:58 <GeKo> and am almost ready to post one for #18008
19:22:12 <GeKo> i am currently testing it and this should go into 5.5 as well
19:22:47 <GeKo> then i try to get #16322 into it as well
19:23:31 <GeKo> apart from that i am probably busy with reviews for 5.5 and 6.0a1 + the usual release related stuff
19:23:38 <GeKo> that's it for me
19:24:17 * mcs will go next
19:24:29 <mcs> Last week, Kathy and I created patches for #17917, #18019, and #18064.
19:24:41 <mcs> We reviewed patches for #18017 and #17428.
19:24:50 <mcs> We triaged some Tor Browser bugs (the Trac “inflow” seems high lately).
19:24:56 <mcs> We also posted our patch for #11773 (too late for TB 5.5 though).
19:25:02 <mcs> We added a comment to the following Mozilla bug where they are thinking about just using plain HTTP to retrieve the updater XML manifest file in Firefox:
19:25:07 <mcs> https://bugzilla.mozilla.org/show_bug.cgi?id=1239545
19:25:12 <mcs> mikeperry added some even better comments to that bug report.
19:25:16 <mcs> This week we will continue working on TB 5.5 issues and help get everything done for the release.
19:25:21 <mcs> That’s all for us.
19:26:19 <mcs> GeKo: Let us know if there is anything we need to do to help with #18008
19:26:24 <GeKo> mcs: if you could have a look at #17965 this week that would rock
19:26:27 <GeKo> i'll do
19:26:46 <GeKo> this way we could test that isolation in 6.0a1
19:27:59 <mcs> We can take a look, but do we need to make a 6.0a1 release right away?
19:28:50 <GeKo> you mean using 5.5 for alpha as well?
19:29:32 <GeKo> we probably already have stuff that won't make it into 5.5 we might want to test
19:29:37 <mcs> I mean alpha channel users would get the same TB 5.5 stable bits as release channel users for a little while. Maybe that is confusing to alpha testers?
19:29:44 <mcs> OK; makes sense.
19:29:50 <mcs> Just thought I would ask ;)
19:30:14 <GeKo> like #11773
19:30:42 <mcs> It would be good to get #11773 merged so localization can start for new strings.
19:30:55 <GeKo> its on my ToDo list for tomorrow
19:31:02 <GeKo> it's even
19:31:04 <mcs> Thanks.
19:32:01 <GeKo> so, yes, i think 6.0a1 makes sense and then having such a big thing like #17965 in it would be good
19:32:22 <mcs> We will review the #17965 patches.
19:32:48 <GeKo> thanks
19:33:06 <arthuredelstein> thanks! :)
19:36:12 <GeKo> who else is here? do we have a boklm?
19:36:17 * boklm will go next
19:36:22 <GeKo> ah
19:36:30 <boklm> This week I fixed #17325 and #17128. I made a build with #15578 patches and tried it on Centos6.
19:36:34 <boklm> This week I'm planning to work on #16009, help with #15578 and the release.
19:36:50 <boklm> That's it for me.
19:39:18 <GeKo> boklm: do you think you could do the release things for the alpha from the signed bundles on people-tpo on?
19:39:33 <GeKo> meaning i upload them to people-tpo and you would do the remaining things?
19:39:54 <boklm> GeKo: ok
19:39:55 <GeKo> long-term plan here is to share the release load a bit and avoid me being a new bottleneck
19:40:03 <GeKo> (and avoid roping mikeperry in again)
19:40:06 <GeKo> cool
19:40:28 <boklm> GeKo: for the 6.0a1 ?
19:40:44 <GeKo> yes and the hardened one
19:40:49 <boklm> ok
19:41:07 <GeKo> i'll be around in case issues pop up or you have questions
19:42:04 <GeKo> alright, do we have anything else to discuss or is anyone else here for the meeting?
19:43:30 <arthuredelstein> GeKo: It might be useful for me to discuss fonts with you a little further, either before or after the end of the meeting (if you have time).
19:44:36 <GeKo> yeah, after the meeting sounds fine
19:44:43 <arthuredelstein> cool
19:46:27 <GeKo> thanks everybody then *baf*
19:46:31 <GeKo> #endmeeting