#tor-meeting log

17:59:51 <GeKo> #startmeeting tor browser 8/20/2018
17:59:51 <MeetBot> Meeting started Mon Aug 20 17:59:51 2018 UTC.  The chair is GeKo. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:59:51 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
18:00:02 <boklm> hi!
18:00:03 <GeKo> hello everyone!
18:00:20 <GeKo> https://storm.torproject.org/shared/tHoN4Ii7rLSjPE0OP4gydX4cMGadsXmRQNc-6lwru0N is the url in our pad
18:00:23 <sysrqb> o/
18:00:29 <GeKo> (works best in the shiny new 8.0a10)
18:00:47 <GeKo> please enter your items and mark those bold you want to talk about
18:00:54 <sisbell> hello
18:01:11 <mcs> hi
18:02:19 <sukhe> hi
18:03:14 <igt0> howdy
18:04:39 <GeKo> okay, let's get started
18:05:03 <GeKo> it seems 8.0a10 is out, yay!
18:05:14 <antonela> *____*
18:05:20 <GeKo> a bit later than i hoped but still within the week
18:05:42 <GeKo> we have roughly two week to get the remaining things done
18:05:55 <GeKo> or better: to get all the things done we think that need to be in Tor Browser 8.0
18:06:24 <GeKo> i guess we should do some planning for that
18:06:48 <GeKo> my current plan is to get the network code review finally done, i am already late
18:06:52 <GeKo> and then doing reviews
18:07:06 <GeKo> i doubt i'll get to much more :(
18:07:32 <GeKo> mcs/brade: i guess you'll be working on the remaining onboarding/ux items?
18:07:36 <sukhe> what's the timeline for the stable release?
18:07:58 <GeKo> not sure what you mean but we need a release on 9/5
18:08:45 <sukhe> (that answers it)
18:08:54 <GeKo> boklm: unless there is higher prio stuff i think we should get our testsuites finally running again
18:08:55 <mcs> yes, we are working on onboarding (circuit display).
18:09:11 <mcs> and whatever follow up is needed for the new user onboarding.
18:09:22 <boklm> ok
18:10:27 <GeKo> we have annyoing noscript related issues
18:10:33 <GeKo> *annoying
18:11:51 <GeKo> pospeselr: i guess you could keep those on your radar (#26506, #26520)
18:12:08 <pospeselr> oh man awesome
18:12:27 <GeKo> ideally, we'd squash them with a single patch
18:12:28 <pospeselr> do they have higher priority than the localizized build issue?
18:12:32 <GeKo> a oneliner :)
18:12:53 <pospeselr> well ideally they'd already be fixed ;)
18:13:08 <GeKo> #26520 is not as high
18:13:28 <GeKo> but no working noscript in windows is not good :(
18:13:50 <GeKo> it seems some regression on noscript but probably easier to fix than the one your a looking at right now
18:14:20 <GeKo> and we might be able to push giorgio a bit to fix it for us once we can put our finger closer to where the issue might be
18:14:31 <pospeselr> ok!
18:15:23 <GeKo> arthuredelstein: you meantioned you'd ask a mozi engineer for help with optimistic socks?
18:15:31 <GeKo> did that happen?
18:15:35 <GeKo> *mentioned
18:17:17 <GeKo> pospeselr: fwiw: what happened with #26450?
18:17:25 <GeKo> err
18:17:41 <GeKo> #26540
18:17:54 <GeKo> is that in needs_review again?
18:17:56 <pospeselr> that's sitting on the back burner
18:18:02 <GeKo> kk
18:18:09 <pospeselr> as it didnt seem as high priority as other things :p
18:18:19 <GeKo> yeah, that's right
18:18:38 <GeKo> i just feared i missed the call for another review as you added new patches after my initial pass
18:18:51 <pospeselr> nope you're good
18:18:52 <arthuredelstein> arthuredelstein: No, I didn't do that yet. But I will ask this week
18:19:13 <arthuredelstein> Er, GeKo: ^
18:19:41 <GeKo> arthuredelstein: we won't have the chance to get this fixed and properly tested for 8.0, thus this is an item for after 8.0 is out
18:19:52 <GeKo> so, no high prio right now, alas
18:19:55 <arthuredelstein> OK
18:20:32 <GeKo> i think going ahead with ff60-esr is a good idea as you planned
18:20:45 <GeKo> there is not much time left and so many things to check :(
18:20:48 <isabela> !
18:21:04 <GeKo> o/
18:21:08 <isabela> !!!!!!!(congrats on the release folks)!!!!!!!
18:21:15 <isabela> (/me interviewing a candidate for grant writer)
18:21:17 <isabela> :)
18:21:44 <GeKo> igt0: sysrqb: sisbell: should we meet-up this week to think about the post-first-alpha work?
18:21:48 <GeKo> (after the release)
18:22:03 <sysrqb> yeah, i think that's a good idea
18:22:05 <GeKo> or next week?
18:22:16 <GeKo> although my schedule next week looks not that good
18:22:21 <igt0> +1
18:22:24 <igt0> maybe end of the week?
18:22:30 <arthuredelstein> GeKo: yup, will do
18:22:31 <GeKo> yeah
18:22:37 <sisbell> sure that works
18:22:44 <GeKo> i'll ping you later
18:22:44 <sysrqb> yeah, if we release within the next day or two, then we can meet end of this week
18:22:45 <GeKo> great
18:23:33 <GeKo> then a general reminder to all of you: please use the status updates at least once a day, so that we all are aware what the team is working on
18:23:43 * GeKo status: fixing all the things
18:23:57 <GeKo> can be more verbose  of course :)
18:24:32 <GeKo> that's it from my side. who else has anything to talk about?
18:24:55 <GeKo> rustconf folks: how did it go? anything worth mentioning?
18:25:24 <sukhe> I have a quick question, if I may but I will wait for your question
18:25:30 <pospeselr> nothing immediately applicable to tor-browser
18:25:39 <pospeselr> but i'm all for doing a potential tor-launcher in rust
18:25:40 <sisbell> mozilla is looking at moving to mentat for common storage in the browser
18:26:09 <pospeselr> having learned a bit about the language and what-not
18:26:33 <arthuredelstein> pospeselr: Is there a UI framework that might be suitable?
18:27:43 <pospeselr> not that I know of, but it seems there are tools for generating rust bindings from C
18:27:57 <GeKo> yes
18:28:11 <pospeselr> and there is a gtk3 crate it would seem
18:28:14 <pospeselr> https://github.com/gtk-rs/gtk
18:28:58 <sysrqb> yeah, i think we're still stuck with the same options available for C++, in general
18:29:12 <mcs> Choosing the best UI framework (given all of the inevitable tradeoffs) seems like a key decision.
18:29:25 <GeKo> i agre
18:29:28 <GeKo> e
18:30:06 <GeKo> i guess that could be easily a session for mexico
18:30:08 <mcs> Another option is to write 4 things and share as much of the non-UI code as possible (Android, gtk3, macOS Cocoa, something-for-Windows).
18:30:25 <GeKo> yup
18:30:25 <sukhe> isn't that a lot of work :)
18:30:30 <mcs> Yup :)
18:30:46 <mcs> And a lot of maintenance.
18:30:58 <sukhe> yeah no doubt
18:31:05 * GeKo backs slowly off and hands the mic to sukhe for his question
18:31:37 <sukhe> just a quick one and I am sorry if this was discussed before: do all tickets marked ff60-esr make it to TB 8.0, or do we try ot?
18:31:40 <sukhe> *to
18:32:07 <GeKo> i'd hoped they would but that keyword only marks tickets that are affecting esr60
18:32:34 <sukhe> ok
18:32:36 <GeKo> ideally there were non after tor browser 8 gets out but that will only happen with a miracle
18:33:31 <GeKo> sisbell: i was wondering whether we should switch our focus a bit for the tor-browser-build integration
18:33:52 <GeKo> while we ultimately want to have reproducible builds for one of the next alphas
18:34:24 <GeKo> there is value in getting the tor browser for mobile build integrated earlier: for nightly builds
18:34:37 <sisbell> Geko: in that case, I'll shift to the comments in the issue and get those fixed
18:34:44 <GeKo> there reproducibility is not so important
18:35:01 <GeKo> well, we eventually need it :)
18:35:18 <GeKo> it's just that not having any builds blocks other stuff
18:35:26 <GeKo> what do you think?
18:35:58 <sisbell> Geko: sure I'll shift to getting the remaining fixes in the integrated build
18:36:28 <GeKo> okay, sounds good.
18:36:35 <sisbell> I'll do the reproducible investigation after
18:37:04 <GeKo> discussion time i guess?
18:37:32 <GeKo> arthuredelstein: you are up
18:38:31 <arthuredelstein> timhuang at Mozilla is working hard at a viewport size patch for privacy.resistFingerprinting
18:38:58 <arthuredelstein> The Mozilla team is interested in whether we are going to want to backport this patch to TBB 8.0 once it's ready
18:39:12 <arthuredelstein> Basically if it's something we're in favor of.
18:39:51 <GeKo> for those who weren't at the meeting could you explain what they want to do?
18:39:54 <arthuredelstein> I will post the demo video in tor-internal
18:40:37 <arthuredelstein> the idea is the quantize the viewport size as the user resizes or maximizes the window
18:40:46 <GeKo> i think it is not unreasonable to have this tested in an alpha in the 8.5 series
18:41:00 <GeKo> and come back with feedback
18:41:03 <arthuredelstein> So that users alway get protection from viewport-dimension fingerprinting
18:41:12 <arthuredelstein> That sounds like a reasonable plan to me
18:41:27 <arthuredelstein> I think the main question is, does the current protection or this proposed protection annoy users less?
18:41:54 <GeKo> that#s one of the important ones, yes
18:41:57 <arthuredelstein> Many users would like to maximize their window, so I think this may help. But we definitely need feedback because both behaviors are weird
18:42:30 <arthuredelstein> GeKo: Do you have other questions you would like the Mozilla folks or us to be considering right now?
18:42:53 <arthuredelstein> on this feature?
18:43:52 <GeKo> i need to look at the bug to understand where in the discussion we are
18:43:57 <GeKo> i'll let you know
18:44:26 <arthuredelstein> ok, thanks!
18:44:55 <GeKo> igt0: you are up!
18:45:51 <igt0> hi, so Android apps are fullscreen, thus an attacker can use the css media queries to identify the device screen size
18:46:39 <igt0> I know we have a bug about it, however I am not sure fixing the screen size like we do for desktop is the right fix.
18:46:53 <igt0> It could break a bunch of sites or make the user experience painful.
18:47:00 <arthuredelstein> igt0: How would it break sites?
18:47:26 <igt0> arthuredelstein, many sites use css media queries to render one thing or not (responsive web sites)
18:48:02 <igt0> for tablets for example
18:48:32 <igt0> if we make the screen size small, it would render the site for mobile screens instead of tablet screens
18:49:13 <GeKo> (fwiw: the bug is #27083)
18:49:58 <arthuredelstein> igt0: I guess it depends on how much you reduce the window dimensions. If you only reduce them by a fairly small percentage, then the effect isn't that big.
18:50:16 <arthuredelstein> At least if I understand correctly
18:50:20 <igt0> arthuredelstein, well .. android is tough hahaha. There are tablets where the screen size is close to the mobile
18:51:03 <sysrqb> yeah, that was what i was thinking. maybe we can round within 20x20 (or similar)
18:51:18 <GeKo> yup
18:51:22 <igt0> maybe reducing *randomly* to a small percentage?
18:51:47 <arthuredelstein> I don't think random reduction gives any advantage over a fixed reduction, and may be worse
18:52:37 <GeKo> worth exploring the possible options and drawbacks in the ticket it hink
18:52:41 <GeKo> *i think
18:52:53 <arthuredelstein> Something we discussed in bugzil.la/1407366 is reducing the step size for small screens
18:53:04 <arthuredelstein> with a larger step size for large screens
18:53:11 <arthuredelstein> might be applicable on Android too I suppose
18:53:27 <GeKo> but i don't see a general problem with the approach right now, even thuogh we might adapt it a bit
18:53:38 <GeKo> yes
18:55:24 <GeKo> igt0: does that work for you?
18:55:28 <igt0> GeKo, yep!
18:55:33 <GeKo> great
18:56:09 <GeKo> as a reminder to those of you who have not alison's mail yet: please get back to her with suggestions about possible sessions
18:56:31 <GeKo> i remember we had already collected ideas in the past
18:57:32 <GeKo> like ux changes in tor browser 8
18:57:39 <GeKo> or browser pirvacy testing
18:57:43 <GeKo> but i guess there is more
18:57:55 <GeKo> t0mmy: hey are you here?
18:58:32 <t0mmy> I am!
18:58:43 <GeKo> great, you are up!
18:59:02 <t0mmy> Cool!
19:00:01 <t0mmy> So I was approached by an Irish business magazine to write a piece on Tor for small businesses -- I know that we have https://www.torproject.org/about/torusers.html.en, but I was wondering what the best approach for "Tor for small businesses" is
19:00:29 <t0mmy> By "best approach" I mean, are there use cases I'm not thinking about beyond privately browsing the web, network security, and so on.
19:01:44 <sysrqb> onion services can provide better access control for internal services, onionshare for sharing company documents?
19:02:23 <sysrqb> "monitor your competition without them knowing" :)
19:02:44 <sysrqb> *competitor's website, maybe
19:03:10 <GeKo> on a different angle: i wonder if using tor browser or offering it to employees shows that the company really cares about them
19:03:11 <t0mmy> +1 on both of those, I hadn't thought of internally sharing company docs
19:03:45 <GeKo> like value them as individuals showing that their privacy is important
19:03:59 <t0mmy> GeKo also true, good privacy hygiene, or whatever it's called these days
19:05:13 <t0mmy> anything else? I'm cognizant that your time is valuable and I don't want to take too much of it. =)
19:05:37 <t0mmy> (And thank you, sysrqb and GeKo!)
19:05:37 <GeKo> that's the only item i came up with apart from the ones mentioned on the website
19:05:47 <GeKo> i guess asking stephw can't hurt :)
19:05:51 <GeKo> sure yw
19:06:02 <t0mmy> GeKo yep, working with her on the draft =)
19:06:05 <GeKo> alright, do we have anything else for today?
19:06:12 <t0mmy> Alright, thanks for letting me nab a few mins of your time!
19:07:16 <GeKo> okay, we are done then, thanks all! *baf*
19:07:22 <GeKo> #endmeeting