#tor-meeting log

18:01:00 <GeKo> #startmeeting tor-browser
18:01:00 <MeetBot> Meeting started Mon Jun 18 18:01:00 2018 UTC.  The chair is GeKo. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:01:00 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
18:01:07 <GeKo> hi all!
18:01:09 <boklm> hi!
18:01:14 <sisbell> hello
18:01:15 <antonela> o/
18:01:15 <GeKo> oh, richard's guest trick
18:01:18 <sysrqb> pospeselr: better :)
18:01:25 <pospeselr> s/trick/bug/g
18:01:54 <GeKo> alright, we are suppposed to have two new folks at the meeting today! exciting!
18:02:04 <GeKo> sisbell: welcome!
18:02:11 <pospeselr> oooh, new friends :)
18:02:23 <GeKo> sisbell will help with the android side of tor browser
18:02:27 <sukhe> sisbell: welcome!
18:02:31 <boklm> sisbell: welcome!
18:02:32 <sysrqb> yay!
18:02:34 <igt0> hi! sisbell welcome!
18:02:46 <sisbell> thanks everyone
18:03:17 <mcs> welcome!
18:03:34 <sysrqb> (who's the other folk?)
18:03:37 <GeKo> the other one is anny gakhokidze from mozilla
18:03:44 <sysrqb> ah
18:03:52 <antonela> sisbell: welcome!
18:03:56 <GeKo> at least they wanted to make it but maybe not to the irc part
18:04:03 <GeKo> anyway, let's get started
18:04:15 <GeKo> as usual our meeting pad is at https://storm.torproject.org/shared/tHoN4Ii7rLSjPE0OP4gydX4cMGadsXmRQNc-6lwru0N
18:04:28 <GeKo> please add what you were up to last week and what you plan to do this week
18:04:39 <GeKo> if there is stuff you want to discuss, mark it bold
18:05:01 <GeKo> or put it under the Discussion section
18:05:42 <arthuredelstein> sisbell: hi! Welcome :)
18:06:43 <GeKo> mcs: originally i wanted to look myself at #26381 but i might not have enough time for that until we start building, so, yes, please look at it
18:07:03 <mcs> GeKo: OK
18:08:25 <GeKo> pospeselr: noted, i'll take a look and we can sync after the meeting i guess
18:08:56 <GeKo> generally, grabbing tickets with ff60-esr and prio high is a safe bet
18:09:03 <pospeselr> alright I'll find myself one then!
18:09:43 <GeKo> pospeselr: oh, there is still the moz bug open about /proc requirements i think
18:09:55 <GeKo> i guess you need to decide whether you really want to have asecond review
18:10:14 <GeKo> or whether you are fine with jld's and set the checkin-needed keyword
18:10:22 <GeKo> (i think the latter is a good approach)
18:10:34 <GeKo> oh, you actually got both, nvm then
18:10:56 <GeKo> so, just setting the "checkin-needed" keyword is what you want
18:11:06 <GeKo> (probably after checking that you patch did not bitrot)
18:11:09 <GeKo> *your
18:11:46 <GeKo> arthuredelstein: do you feel we can merge #26128
18:11:46 <pospeselr> alright I'll see if it still applies
18:11:47 <GeKo> ?
18:11:59 <GeKo> or is there some follow-up needed?
18:12:03 <pospeselr> then I need to change a flag somewhere?
18:12:29 <GeKo> no, just adding the "checkin-needed" keyword.
18:12:43 <GeKo> then abot picks this up and autolands your patch
18:12:48 <pospeselr> ah I see
18:12:53 <pospeselr> did not know that
18:13:15 <GeKo> yeah, it's s different workflow...
18:13:43 <arthuredelstein> GeKo: I think the current 26128 patch is probably OK for an alpha. There are a couple of issues I'm aware of: (1) using as "http:" as a site causes what appear to be harmless CSP warnings and (2) Any custom per-site settings will be lost whenever the user changes the global security setting. Both of these problems probably require NoScript patches but maybe aren't too serious
18:14:23 <GeKo> sounds okay to me too.
18:14:38 <GeKo> i can merge the patch after the meeting
18:14:46 <GeKo> could you open follow-up tickets?
18:14:59 <arthuredelstein> sure, will do
18:15:02 <GeKo> thx
18:15:50 <GeKo> igt0: how did your torbutton testing go?
18:16:09 <GeKo> i see you had it on your plate for this week but not for next week anymore
18:16:59 <GeKo> are there some things we need to redo for mobile?
18:17:59 <igt0> GeKo, after our changes to FF60, it is working. However I embedded it inside FF. Because of the issues are discussed before. (the extension loader for mobile is different from the desktop one)
18:18:48 <GeKo> great
18:19:40 <GeKo> igt0: what's your plan for that?
18:19:57 <GeKo> i.e. should that be in the first alpha for tor browser for mobile?
18:20:21 <GeKo> in order to allow first-party domain isolation for instance?
18:20:51 <sysrqb> igt0: i think i have a solution for the extensions (and by that, i mean we can continue using Orfox's solution - using a distribution directory)
18:20:57 <igt0> GeKo, yep there are few things that are important.
18:23:14 <GeKo> sysrqb: igt0: could you coordinate and work on the respective patches
18:23:41 <GeKo> we might want to have this early in our tree i think because it might be a change we want to test thoroughly
18:24:08 <sysrqb> GeKo: yes
18:24:12 <igt0> okey dokey
18:24:18 <GeKo> great, thx
18:24:29 <GeKo> so discussion time
18:24:52 <GeKo> 1) we can use the "status: " messages the network-team is using in #tor-dev
18:25:16 <GeKo> i heard from a bunch of people that this is something we want
18:25:28 <GeKo> so, let's start with it and keep us better updated
18:25:45 <pospeselr> ok
18:25:46 <sukhe> sounds good
18:25:55 <GeKo> 2) a related point
18:26:10 <pospeselr> wasn't there a site or something that puts them all in one place, or did I dream that?
18:26:15 <sysrqb> are most of us using irssi or are there other clients that we should support?
18:26:31 <GeKo> pospeselr: there is a bot that is capturing stuff
18:26:38 <sysrqb> (regarding ahf's irssi-plug-in)
18:26:44 <GeKo> ahf wrote an irssi script that folks can use
18:26:44 <pospeselr> I use Pidgin, but I can easily switch
18:26:51 <sysrqb> ah, there s a bot?
18:27:13 <GeKo> well, i had ahf's thing in mind
18:27:19 <sysrqb> okay
18:27:26 <GeKo> probably mislabeled as bot
18:27:42 <GeKo> okay, the second item:
18:27:55 <GeKo> this is mostly a reminder
18:28:05 <sysrqb> i know nick opened a ticket for creating  service for tracking this
18:28:06 <sysrqb> that it seems like that will not be available very soon
18:28:06 <sysrqb> (sorry, lag)
18:28:19 <GeKo> if you come a cross a bug you need longer to fix, please file it on trac anyway
18:28:26 <GeKo> and work further on it afterwards
18:28:39 <GeKo> that helps finding workaround and fixes faster
18:28:57 <sukhe> related: should we assign to individuals instead of say tbb-team?
18:29:09 <sukhe> I was not sure if I should remove tbb-team from the assigned list
18:29:25 <GeKo> i am fine with that
18:29:30 <sukhe> ok
18:29:30 <GeKo> and know pospeselr is doing that
18:29:42 <GeKo> but if you do so, please add tbb-team to the cc list
18:30:02 <GeKo> because there are folks that filter their important bugs via the tbb-team owner
18:30:12 <mcs> GeKo: what do you mean by “if you come a cross a bug you need longer to fix, please file it on trac anyway”
18:30:16 <GeKo> and they would lose bug updates
18:30:26 <mcs> Do you mean “please make sure everything has a trac ticket”?
18:30:34 <mcs> (every known issue)
18:30:56 <GeKo> i want to avoid that we start working on bugs, say for days or weeks
18:31:08 <GeKo> which are not filed yet and then file them when a patch is ready
18:31:22 <mcs> GeKo: Got it.
18:31:38 <boklm> (adding tbb-team to the cc list also allows receiving updates through the tbb-bugs mailing list)
18:31:40 <GeKo> because that's a potential waste of dev time as we are working around the globe and find fixes faster together
18:31:54 <GeKo> boklm: yeah that
18:32:24 <GeKo> igt0: re your points
18:32:32 <mcs> Taking ownership while actively working on a ticket seems like a good idea too (and something I sometimes forget to do).
18:32:44 <GeKo> agreed
18:33:01 <GeKo> and i am fine supporting different approaches or converging on one
18:33:05 <sukhe> yeah, that is why I thought we should assign instead of just being on the CC since assign is more explicit
18:33:18 <GeKo> right now there are folks using a keyword like GeorgKoppen201806
18:33:34 <GeKo> or one directly assigns the ticket to oneself
18:33:40 <GeKo> either way works for me at least
18:34:09 <GeKo> igt0: okay, so service workers are disabled in esr60
18:34:29 <GeKo> so we are still good here because dealing with that one will be a nightmare
18:34:42 <GeKo> but eventually we need to take that hit
18:34:54 <GeKo> we have a ticket on trac but i have not looked that deep yet
18:35:35 <GeKo> #15563
18:35:45 <igt0> okey, it is because google is pushing hard PWA on mobile now. So we are going to see more and more sites using it.
18:36:02 <GeKo> yep
18:36:16 <GeKo> re orbot
18:36:30 <GeKo> that's still the guardion project doing so
18:36:39 <GeKo> we are no in charge for the browser side only
18:37:08 <GeKo> sysrqb: so, re tor browser for android based on esr60
18:37:14 <GeKo> what do other folks thinkg?
18:37:16 <GeKo> *think
18:37:27 <GeKo> are we good with that idea?
18:38:22 <sysrqb> when arthuredelstein and i spoke at the all-hands, this seemed like the best idea
18:38:27 <mcs> It is confusing to me to call is esr60 since there is no such thing from Mozilla… or am I confused?
18:38:46 <sysrqb> and isabela agreed, but i want to make sure we are all in agreement 9as much as possible)
18:38:56 <sysrqb> mcs: that is true
18:39:08 <mcs> Is it really “Firefox for Android 60 with security patches that we (Tor Browser tean) notices?"
18:39:20 <GeKo> yes
18:39:20 <sysrqb> that's probably closer to the truth
18:39:24 <mcs> I think the idea is good as long as we can be “in the loop” with Mozilla for potential fixes.
18:39:43 <arthuredelstein> we would need to use the esr60 branch, not the regular 60 branch
18:40:04 <arthuredelstein> to get backported security fixes
18:40:06 <GeKo> yes, this worked out more or less in the past but there is room for improvement
18:40:16 <igt0> So, For the amount of people we have, it is great, my concern is when FF updates the android SDK and we don't.
18:40:22 <GeKo> (the "in the loop" part)
18:40:42 <GeKo> igt0: they won't for esr60
18:41:07 <GeKo> but i can feel your pain :)
18:41:28 <igt0> I mean, if they update in the next versions and we need it for fix a sec bug.
18:41:32 <sysrqb> i think it's unlikely they will move to a newer SDK version and break backporting
18:41:35 <GeKo> so, i guess the best we can do is catch the problematic things on mozilla-central
18:41:36 <sysrqb> but it is a risk
18:41:39 <mcs> igt0: Is your concern that newer patches will require a newer Android SDK? or something else? (I know very little about all things Android)
18:41:51 <GeKo> and then start early backporting and testing
18:41:56 <igt0> mcs, yes
18:42:24 <mcs> I can see how that could be messy. But there is risk no matter what we do :)
18:42:30 <GeKo> sysrqb: i think we should try it
18:42:36 <sysrqb> okay
18:42:39 <GeKo> and we are still in the alpha cycle for a while
18:42:57 <igt0> yep, I am +1 for using esr60, though.
18:43:01 <GeKo> so we can get used to it to a good workflow that tries to minimize disruption and surprises
18:43:04 <sysrqb> true, we have a few months for testing this plan
18:43:35 <GeKo> great, that takes one of my concerns away
18:43:39 <arthuredelstein> If there are any mobile-specific security fixes, I wonder if we could convince Mozilla to backport them to esr60
18:44:01 <GeKo> i doubt that
18:44:08 <arthuredelstein> It seems like a reasonable request under the goal of "help Tor Browser"
18:44:11 <GeKo> i mean they won't even have infra to test that
18:44:12 <arthuredelstein> similar to uplift
18:44:40 <arthuredelstein> oh, because there is no taskcluster build for mobile esr?
18:44:42 <GeKo> and they won't want to ship a patch where they don't know the impact
18:44:44 <GeKo> yes
18:44:58 <GeKo> so, it's not just a matter of backporting
18:45:18 <GeKo> well, sure we could try asking but i am skeptical tbh
18:45:51 <GeKo> alright, release preparations
18:46:08 <GeKo> so, for the stable i need somone looking at #26221
18:46:22 <arthuredelstein> (I'm thinking given that fennec development has slowed it might not be such a large request. But I'm not sure who to ask.)
18:46:50 <GeKo> there will be another review needed for another crash bug fix backport
18:46:59 <GeKo> i'll ping people if needed
18:47:16 <GeKo> who wants to help with building the stable?
18:47:35 <arthuredelstein> I'm available to help
18:47:45 <GeKo> great, thanks
18:48:18 <GeKo> so, i hope we have evertyhing ready for starting the build on wed latest thu
18:48:23 <GeKo> now the alpha
18:48:37 <GeKo> i think we are in good shape toochain-wise
18:48:51 <GeKo> and our three blockers from last time shouls be good as well
18:49:03 <GeKo> so the plan is to start building the next alpha based on esr60
18:49:22 <GeKo> now, what ux features should we try to still squeeze in?
18:49:47 <boklm> what was the 3) from last time?
18:50:02 <GeKo> we'll get the new circuit display, and the .onion padlock indicator
18:50:04 <antonela> i added bullet points there, basically circuit display and onion padlock indicator
18:50:11 <antonela> I was trying to pushing it out because we all wanted it for the alpha but we need to continue working on it. So, i'm afraid we will not have onboarding for alpha release, but we will working on it to have the best version for stable.
18:50:27 <GeKo> boklm: a patch for the proxy bypass bug that we needed a new patch for esr60 for
18:50:35 <boklm> ah ok, thanks
18:50:36 <GeKo> it seems we'll get a last minute one
18:50:37 <antonela> that said, our research coordinator starts this week so we will collect alpha's issues/feedback and work together with the community team on it
18:51:02 <GeKo> antonela: sounds good
18:51:23 <GeKo> do you think we could get a new set of icons replacing the tor browser icon for the alpha?
18:51:43 <antonela> good question, i think my last version needs review
18:51:46 <GeKo> or do you want to have all this landed in one alpha
18:51:54 <GeKo> ?
18:52:13 <antonela> the brand update is something i'd like to have
18:52:33 <antonela> but wondering how deep i can work on it during colombia
18:52:45 <arthuredelstein> I will try and finish #26321 and #26322 this week (minor fixups for circuit display)
18:52:52 <GeKo> great
18:52:54 <antonela> cool, thanks arthur
18:53:06 <GeKo> antonela: so, this would be #25693?
18:53:31 <GeKo> or #25702?
18:53:45 <antonela> the second one
18:53:58 <antonela> the first one is almost done, we are using entire Photon UI for this release
18:54:10 <antonela> all the ui/ux improvements were based on it
18:54:28 <antonela> so basically what is missing is the brand update, which is closer to @25702
18:54:32 <antonela> oops #
18:55:17 <antonela> also, during all hands, the design team at firefox shared with me their Sketch design files (similar to give you access to a repo ha) so will make all browser related work easier and faster \o/
18:55:30 <GeKo> \o/
18:55:56 <GeKo> antonela: so, what do you propose? we have time, say, until thursday to include stuff
18:56:53 <antonela> cool, i'll work on the icons this week and probably we will have it then
18:57:07 <GeKo> nice
18:57:11 <antonela> thursday eod?
18:57:23 <GeKo> in our tor-browser repo yes
18:57:27 <antonela> perfect
18:57:40 <GeKo> okay, sandboxing
18:58:00 <GeKo> i heard there was quite some discussion around that at the all hands meeting
18:58:24 <arthuredelstein> yes!
18:58:27 <GeKo> sysrqb: i wonder whether we should essentially have an extra meeting just for that item with some more stakeholders if needed
18:58:46 <sysrqb> GeKo: that's probably a good idea, yes
18:58:50 <GeKo> and meanwhile you update your plan and we can resume discussin it
18:58:54 <GeKo> or better
18:59:09 <GeKo> you update it and we have the meeting afterwards
18:59:21 <sysrqb> sounds good
18:59:31 <GeKo> using it as a blueprint or possible approach to discuss
18:59:39 <sysrqb> yeah
19:00:02 <GeKo> fwiw, i am a huge fan of this separate launcher idea just did not have the time to drive this
19:00:09 <GeKo> so, i am excited :)
19:00:19 <sysrqb> let's see what we can do :)
19:00:24 <GeKo> and let's use the momentum we have
19:00:44 <GeKo> great
19:00:58 <GeKo> does that sound like a good plan to everyone?
19:01:20 <arthuredelstein> sounds good to me!
19:02:08 <GeKo> arthuredelstein: sysrqb: do you have the feeling it would be worthwhile inviting moz sandboxing folks to mexico?
19:02:24 <GeKo> so far i was reluctant because i felt it would waste their time
19:02:32 <GeKo> as we were not ready yet
19:02:37 <GeKo> dealing with other stuff
19:03:09 <GeKo> but i guess after we got 8.0 out there is still some time to work harder on sandboxing plans/ideas
19:03:14 <GeKo> that  might change that...
19:03:26 <arthuredelstein> I think tjr invited somebody already possibly
19:04:17 <GeKo> okay, i'll check with him but what's your feeling here?
19:04:30 <sysrqb> yes, it would likely be a good diea
19:04:31 <sysrqb> i tink tom invited jim (his manager)
19:04:32 <sysrqb> i dont remember who else was invited from that team
19:05:12 <GeKo> okay, i'll coordinate with him and let jon know then, thanks
19:05:15 <arthuredelstein> I guess I'm not sure given that what we want to do is perhaps somewhat orthogonal to what Mozilla wants to do.
19:05:42 <GeKo> yes that's been one of my main concerns
19:06:02 <sysrqb> my thinking is maybe they make progress on their sandboxing within the next 3 months, and we can benfit from that
19:06:05 <sysrqb> (knowlege/experience/...)
19:06:14 <arthuredelstein> What's probably a good idea is whoever works on the sandbox stays in close contact with members of the Mozilla team
19:06:16 <sysrqb> *benefit
19:06:32 <GeKo> agreed to both
19:06:49 <GeKo> okay, final point then i guess, next meeting
19:06:55 <sysrqb> arthuredelstein: true, 
19:07:09 <GeKo> i'll be travelling next monday evening UTC and parts of tuesday
19:07:15 <GeKo> so i can't make the monday meeting
19:07:23 <GeKo> could we move it to tuesday instead?
19:07:33 <GeKo> same time, same place?
19:07:40 <sysrqb> works for me
19:07:41 <mcs> GeKo: Tuesday is OK for me.
19:07:57 <boklm> Tuesday works for me
19:08:04 <arthuredelstein> me too
19:08:08 <igt0> it works for me
19:08:27 <sysrqb> sisbell: (next tor browser meeting next tuesday same time, instead of next monday)
19:08:36 <sysrqb> works for you?
19:08:42 <sisbell> that works
19:08:46 <GeKo> great
19:09:03 <GeKo> alright, do we have anything else for today?
19:09:15 <GeKo> (apart from "sorry for the long meeting")
19:09:47 <GeKo> okay, does not seem to be th case
19:09:53 <GeKo> sorry for the long meeting
19:09:56 <sukhe> (ok for me as well)
19:10:01 <GeKo> *baf*
19:10:08 <GeKo> #endmeeting