17:59:51 <GeKo> #startmeeting tor browser 8/20/2018 17:59:51 <MeetBot> Meeting started Mon Aug 20 17:59:51 2018 UTC. The chair is GeKo. Information about MeetBot at http://wiki.debian.org/MeetBot. 17:59:51 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic. 18:00:02 <boklm> hi! 18:00:03 <GeKo> hello everyone! 18:00:20 <GeKo> https://storm.torproject.org/shared/tHoN4Ii7rLSjPE0OP4gydX4cMGadsXmRQNc-6lwru0N is the url in our pad 18:00:23 <sysrqb> o/ 18:00:29 <GeKo> (works best in the shiny new 8.0a10) 18:00:47 <GeKo> please enter your items and mark those bold you want to talk about 18:00:54 <sisbell> hello 18:01:11 <mcs> hi 18:02:19 <sukhe> hi 18:03:14 <igt0> howdy 18:04:39 <GeKo> okay, let's get started 18:05:03 <GeKo> it seems 8.0a10 is out, yay! 18:05:14 <antonela> *____* 18:05:20 <GeKo> a bit later than i hoped but still within the week 18:05:42 <GeKo> we have roughly two week to get the remaining things done 18:05:55 <GeKo> or better: to get all the things done we think that need to be in Tor Browser 8.0 18:06:24 <GeKo> i guess we should do some planning for that 18:06:48 <GeKo> my current plan is to get the network code review finally done, i am already late 18:06:52 <GeKo> and then doing reviews 18:07:06 <GeKo> i doubt i'll get to much more :( 18:07:32 <GeKo> mcs/brade: i guess you'll be working on the remaining onboarding/ux items? 18:07:36 <sukhe> what's the timeline for the stable release? 18:07:58 <GeKo> not sure what you mean but we need a release on 9/5 18:08:45 <sukhe> (that answers it) 18:08:54 <GeKo> boklm: unless there is higher prio stuff i think we should get our testsuites finally running again 18:08:55 <mcs> yes, we are working on onboarding (circuit display). 18:09:11 <mcs> and whatever follow up is needed for the new user onboarding. 18:09:22 <boklm> ok 18:10:27 <GeKo> we have annyoing noscript related issues 18:10:33 <GeKo> *annoying 18:11:51 <GeKo> pospeselr: i guess you could keep those on your radar (#26506, #26520) 18:12:08 <pospeselr> oh man awesome 18:12:27 <GeKo> ideally, we'd squash them with a single patch 18:12:28 <pospeselr> do they have higher priority than the localizized build issue? 18:12:32 <GeKo> a oneliner :) 18:12:53 <pospeselr> well ideally they'd already be fixed ;) 18:13:08 <GeKo> #26520 is not as high 18:13:28 <GeKo> but no working noscript in windows is not good :( 18:13:50 <GeKo> it seems some regression on noscript but probably easier to fix than the one your a looking at right now 18:14:20 <GeKo> and we might be able to push giorgio a bit to fix it for us once we can put our finger closer to where the issue might be 18:14:31 <pospeselr> ok! 18:15:23 <GeKo> arthuredelstein: you meantioned you'd ask a mozi engineer for help with optimistic socks? 18:15:31 <GeKo> did that happen? 18:15:35 <GeKo> *mentioned 18:17:17 <GeKo> pospeselr: fwiw: what happened with #26450? 18:17:25 <GeKo> err 18:17:41 <GeKo> #26540 18:17:54 <GeKo> is that in needs_review again? 18:17:56 <pospeselr> that's sitting on the back burner 18:18:02 <GeKo> kk 18:18:09 <pospeselr> as it didnt seem as high priority as other things :p 18:18:19 <GeKo> yeah, that's right 18:18:38 <GeKo> i just feared i missed the call for another review as you added new patches after my initial pass 18:18:51 <pospeselr> nope you're good 18:18:52 <arthuredelstein> arthuredelstein: No, I didn't do that yet. But I will ask this week 18:19:13 <arthuredelstein> Er, GeKo: ^ 18:19:41 <GeKo> arthuredelstein: we won't have the chance to get this fixed and properly tested for 8.0, thus this is an item for after 8.0 is out 18:19:52 <GeKo> so, no high prio right now, alas 18:19:55 <arthuredelstein> OK 18:20:32 <GeKo> i think going ahead with ff60-esr is a good idea as you planned 18:20:45 <GeKo> there is not much time left and so many things to check :( 18:20:48 <isabela> ! 18:21:04 <GeKo> o/ 18:21:08 <isabela> !!!!!!!(congrats on the release folks)!!!!!!! 18:21:15 <isabela> (/me interviewing a candidate for grant writer) 18:21:17 <isabela> :) 18:21:44 <GeKo> igt0: sysrqb: sisbell: should we meet-up this week to think about the post-first-alpha work? 18:21:48 <GeKo> (after the release) 18:22:03 <sysrqb> yeah, i think that's a good idea 18:22:05 <GeKo> or next week? 18:22:16 <GeKo> although my schedule next week looks not that good 18:22:21 <igt0> +1 18:22:24 <igt0> maybe end of the week? 18:22:30 <arthuredelstein> GeKo: yup, will do 18:22:31 <GeKo> yeah 18:22:37 <sisbell> sure that works 18:22:44 <GeKo> i'll ping you later 18:22:44 <sysrqb> yeah, if we release within the next day or two, then we can meet end of this week 18:22:45 <GeKo> great 18:23:33 <GeKo> then a general reminder to all of you: please use the status updates at least once a day, so that we all are aware what the team is working on 18:23:43 * GeKo status: fixing all the things 18:23:57 <GeKo> can be more verbose of course :) 18:24:32 <GeKo> that's it from my side. who else has anything to talk about? 18:24:55 <GeKo> rustconf folks: how did it go? anything worth mentioning? 18:25:24 <sukhe> I have a quick question, if I may but I will wait for your question 18:25:30 <pospeselr> nothing immediately applicable to tor-browser 18:25:39 <pospeselr> but i'm all for doing a potential tor-launcher in rust 18:25:40 <sisbell> mozilla is looking at moving to mentat for common storage in the browser 18:26:09 <pospeselr> having learned a bit about the language and what-not 18:26:33 <arthuredelstein> pospeselr: Is there a UI framework that might be suitable? 18:27:43 <pospeselr> not that I know of, but it seems there are tools for generating rust bindings from C 18:27:57 <GeKo> yes 18:28:11 <pospeselr> and there is a gtk3 crate it would seem 18:28:14 <pospeselr> https://github.com/gtk-rs/gtk 18:28:58 <sysrqb> yeah, i think we're still stuck with the same options available for C++, in general 18:29:12 <mcs> Choosing the best UI framework (given all of the inevitable tradeoffs) seems like a key decision. 18:29:25 <GeKo> i agre 18:29:28 <GeKo> e 18:30:06 <GeKo> i guess that could be easily a session for mexico 18:30:08 <mcs> Another option is to write 4 things and share as much of the non-UI code as possible (Android, gtk3, macOS Cocoa, something-for-Windows). 18:30:25 <GeKo> yup 18:30:25 <sukhe> isn't that a lot of work :) 18:30:30 <mcs> Yup :) 18:30:46 <mcs> And a lot of maintenance. 18:30:58 <sukhe> yeah no doubt 18:31:05 * GeKo backs slowly off and hands the mic to sukhe for his question 18:31:37 <sukhe> just a quick one and I am sorry if this was discussed before: do all tickets marked ff60-esr make it to TB 8.0, or do we try ot? 18:31:40 <sukhe> *to 18:32:07 <GeKo> i'd hoped they would but that keyword only marks tickets that are affecting esr60 18:32:34 <sukhe> ok 18:32:36 <GeKo> ideally there were non after tor browser 8 gets out but that will only happen with a miracle 18:33:31 <GeKo> sisbell: i was wondering whether we should switch our focus a bit for the tor-browser-build integration 18:33:52 <GeKo> while we ultimately want to have reproducible builds for one of the next alphas 18:34:24 <GeKo> there is value in getting the tor browser for mobile build integrated earlier: for nightly builds 18:34:37 <sisbell> Geko: in that case, I'll shift to the comments in the issue and get those fixed 18:34:44 <GeKo> there reproducibility is not so important 18:35:01 <GeKo> well, we eventually need it :) 18:35:18 <GeKo> it's just that not having any builds blocks other stuff 18:35:26 <GeKo> what do you think? 18:35:58 <sisbell> Geko: sure I'll shift to getting the remaining fixes in the integrated build 18:36:28 <GeKo> okay, sounds good. 18:36:35 <sisbell> I'll do the reproducible investigation after 18:37:04 <GeKo> discussion time i guess? 18:37:32 <GeKo> arthuredelstein: you are up 18:38:31 <arthuredelstein> timhuang at Mozilla is working hard at a viewport size patch for privacy.resistFingerprinting 18:38:58 <arthuredelstein> The Mozilla team is interested in whether we are going to want to backport this patch to TBB 8.0 once it's ready 18:39:12 <arthuredelstein> Basically if it's something we're in favor of. 18:39:51 <GeKo> for those who weren't at the meeting could you explain what they want to do? 18:39:54 <arthuredelstein> I will post the demo video in tor-internal 18:40:37 <arthuredelstein> the idea is the quantize the viewport size as the user resizes or maximizes the window 18:40:46 <GeKo> i think it is not unreasonable to have this tested in an alpha in the 8.5 series 18:41:00 <GeKo> and come back with feedback 18:41:03 <arthuredelstein> So that users alway get protection from viewport-dimension fingerprinting 18:41:12 <arthuredelstein> That sounds like a reasonable plan to me 18:41:27 <arthuredelstein> I think the main question is, does the current protection or this proposed protection annoy users less? 18:41:54 <GeKo> that#s one of the important ones, yes 18:41:57 <arthuredelstein> Many users would like to maximize their window, so I think this may help. But we definitely need feedback because both behaviors are weird 18:42:30 <arthuredelstein> GeKo: Do you have other questions you would like the Mozilla folks or us to be considering right now? 18:42:53 <arthuredelstein> on this feature? 18:43:52 <GeKo> i need to look at the bug to understand where in the discussion we are 18:43:57 <GeKo> i'll let you know 18:44:26 <arthuredelstein> ok, thanks! 18:44:55 <GeKo> igt0: you are up! 18:45:51 <igt0> hi, so Android apps are fullscreen, thus an attacker can use the css media queries to identify the device screen size 18:46:39 <igt0> I know we have a bug about it, however I am not sure fixing the screen size like we do for desktop is the right fix. 18:46:53 <igt0> It could break a bunch of sites or make the user experience painful. 18:47:00 <arthuredelstein> igt0: How would it break sites? 18:47:26 <igt0> arthuredelstein, many sites use css media queries to render one thing or not (responsive web sites) 18:48:02 <igt0> for tablets for example 18:48:32 <igt0> if we make the screen size small, it would render the site for mobile screens instead of tablet screens 18:49:13 <GeKo> (fwiw: the bug is #27083) 18:49:58 <arthuredelstein> igt0: I guess it depends on how much you reduce the window dimensions. If you only reduce them by a fairly small percentage, then the effect isn't that big. 18:50:16 <arthuredelstein> At least if I understand correctly 18:50:20 <igt0> arthuredelstein, well .. android is tough hahaha. There are tablets where the screen size is close to the mobile 18:51:03 <sysrqb> yeah, that was what i was thinking. maybe we can round within 20x20 (or similar) 18:51:18 <GeKo> yup 18:51:22 <igt0> maybe reducing *randomly* to a small percentage? 18:51:47 <arthuredelstein> I don't think random reduction gives any advantage over a fixed reduction, and may be worse 18:52:37 <GeKo> worth exploring the possible options and drawbacks in the ticket it hink 18:52:41 <GeKo> *i think 18:52:53 <arthuredelstein> Something we discussed in bugzil.la/1407366 is reducing the step size for small screens 18:53:04 <arthuredelstein> with a larger step size for large screens 18:53:11 <arthuredelstein> might be applicable on Android too I suppose 18:53:27 <GeKo> but i don't see a general problem with the approach right now, even thuogh we might adapt it a bit 18:53:38 <GeKo> yes 18:55:24 <GeKo> igt0: does that work for you? 18:55:28 <igt0> GeKo, yep! 18:55:33 <GeKo> great 18:56:09 <GeKo> as a reminder to those of you who have not alison's mail yet: please get back to her with suggestions about possible sessions 18:56:31 <GeKo> i remember we had already collected ideas in the past 18:57:32 <GeKo> like ux changes in tor browser 8 18:57:39 <GeKo> or browser pirvacy testing 18:57:43 <GeKo> but i guess there is more 18:57:55 <GeKo> t0mmy: hey are you here? 18:58:32 <t0mmy> I am! 18:58:43 <GeKo> great, you are up! 18:59:02 <t0mmy> Cool! 19:00:01 <t0mmy> So I was approached by an Irish business magazine to write a piece on Tor for small businesses -- I know that we have https://www.torproject.org/about/torusers.html.en, but I was wondering what the best approach for "Tor for small businesses" is 19:00:29 <t0mmy> By "best approach" I mean, are there use cases I'm not thinking about beyond privately browsing the web, network security, and so on. 19:01:44 <sysrqb> onion services can provide better access control for internal services, onionshare for sharing company documents? 19:02:23 <sysrqb> "monitor your competition without them knowing" :) 19:02:44 <sysrqb> *competitor's website, maybe 19:03:10 <GeKo> on a different angle: i wonder if using tor browser or offering it to employees shows that the company really cares about them 19:03:11 <t0mmy> +1 on both of those, I hadn't thought of internally sharing company docs 19:03:45 <GeKo> like value them as individuals showing that their privacy is important 19:03:59 <t0mmy> GeKo also true, good privacy hygiene, or whatever it's called these days 19:05:13 <t0mmy> anything else? I'm cognizant that your time is valuable and I don't want to take too much of it. =) 19:05:37 <t0mmy> (And thank you, sysrqb and GeKo!) 19:05:37 <GeKo> that's the only item i came up with apart from the ones mentioned on the website 19:05:47 <GeKo> i guess asking stephw can't hurt :) 19:05:51 <GeKo> sure yw 19:06:02 <t0mmy> GeKo yep, working with her on the draft =) 19:06:05 <GeKo> alright, do we have anything else for today? 19:06:12 <t0mmy> Alright, thanks for letting me nab a few mins of your time! 19:07:16 <GeKo> okay, we are done then, thanks all! *baf* 19:07:22 <GeKo> #endmeeting