17:00:14 <phw> #startmeeting anti-censorship weekly checkin 2019-08-22 17:00:14 <MeetBot> Meeting started Thu Aug 22 17:00:14 2019 UTC. The chair is phw. Information about MeetBot at http://wiki.debian.org/MeetBot. 17:00:14 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic. 17:00:18 <phw> hi everyone 17:00:25 <dcf1> hi 17:00:32 <phw> our meeting pad is available here: https://pad.riseup.net/p/tor-censorship-2019-keep 17:00:40 <gaba> hi 17:01:00 <catalyst> hi 17:02:24 <phw> our first discussion item is a mailing list post on tor-relays@: https://lists.torproject.org/pipermail/tor-relays/2019-August/017647.html a relay was dealing with a lot of connections from iranian addresses iiuc 17:02:53 <phw> i have no idea what this might be all about. maybe related to #30636? 17:03:45 <phw> but maybe anyone else has a guess? 17:04:32 <dcf1> IR user numbers are much elevated since the baseline a few months ago, but pretty steady the last 2 months. 17:04:35 <dcf1> https://people.torproject.org/~dcf/metrics-country.html?start=2019-05-01&country=ir 17:06:20 <dcf1> I hadn't heard about this, but I don't see any clear connection to censorship, except that it was Iranian(?) IPs connecting to an exit(?) relay. 17:06:40 <phw> yes, that was my thought too 17:07:13 <phw> anyway, let's move on. i was just curious if anyone could make more of this post. 17:07:43 <phw> we have the gettor roadmap: https://dip.torproject.org/torproject/anti-censorship/gettor/-/boards 17:07:47 * phw wonders if hiro is here 17:08:31 <gaba> hiro: you had some plans for next steps for gettor 17:08:50 <phw> i think the tor browser copies in github/gitlab are outdated 17:09:07 <gaba> phw: what do you mean? 17:09:30 <phw> the links that gettor sends you over email are outdated. it should give you the latest tor browser copies but it doesn't. 17:09:31 <dcf1> I heard that as well. Someone at FOCI said they had set up their own Tor Browser distribution on GitHub to work around tpo's being outdated. 17:09:43 <gaba> ah, yes 17:10:00 <phw> this shouldn't be too hard to automate, i would think. if only we had enough time to work on it :/ 17:11:05 * gaba is looking for a ticket about tor browser outdated in gettor links 17:11:12 <dcf1> https://github.com/TheTorProject/gettorbrowser links to 8.0.2 17:12:11 <phw> also, we really really need some basic documentation. i started https://trac.torproject.org/projects/tor/wiki/org/teams/AntiCensorshipTeam/GetTorSurvivalGuide 17:12:16 <dcf1> which is from last October https://blog.torproject.org/new-release-tor-browser-802 17:13:17 <gaba> can any of you create a ticket for the links being outdated? 17:13:25 <phw> will do, gaba 17:13:30 <gaba> thanks! 17:13:41 <phw> anyway, let's talk more if hiro shows up and continue in the meanwhile 17:13:46 <gaba> It seems that updating that and automatizing should be a prioirity 17:13:49 <gaba> yes 17:13:58 <hiro> I was here sorry updating the pad 17:14:10 <phw> hi hiro! 17:14:21 <hiro> yes the links got outdated when the recommended browser version changed 17:14:25 <hiro> I have to fix that 17:14:31 <hiro> I have it for this week 17:14:44 <hiro> it is automated via gitlab pipeline pushing to github and gitlab 17:15:13 <phw> hiro: oh, the updating process already is automated? 17:15:16 <hiro> yes 17:15:20 <phw> neat 17:15:33 <hiro> everyday there is a CI checking the browser version 17:15:36 <hiro> and updating the files 17:15:46 <hiro> problem is it's broken atm 17:16:20 <phw> how can we help fixing it? 17:16:43 <hiro> I have it for today 17:16:45 <hiro> to fix it 17:17:03 <hiro> I will nevertheless give you access to the repository where the pipeline lives 17:17:13 <hiro> I think atm only me and dgoulet have access 17:18:07 <hiro> becaue dgoulet set up that gitlab account 17:18:44 <hiro> anyways today it will be fixed 17:19:14 <phw> cool, thanks hiro 17:19:21 <gaba> anything else that is urgent related to gettor? 17:19:22 <phw> anything else that's critical in gettor? 17:19:26 <gaba> hehe 17:19:45 <hiro> I think this and documenting everything 17:19:50 <hiro> also having a better deploy method 17:20:03 <hiro> this is the ci: https://gitlab.com/thetorproject/gettorbrowser/blob/master/.gitlab-ci.yml 17:20:10 <phw> documentation would be very helpful because it allows others to take over and contribute without relying so much on hiro 17:20:35 <gaba> hiro: do we have tickets in trac for deployment? if we don't please create one and we link it to the roadmap for next week 17:20:40 <clash> I'm just reading but is there a way to utilize webhooks here? 17:20:54 <hiro> webhooks from gitlab? 17:20:59 <clash> whenever there's a new TB release Gettor gets the new builds 17:21:20 <hiro> I am using ci in gitlab 17:21:29 <clash> oh 17:21:48 <clash> are there webhooks wherever the original builds are hosted? 17:21:59 <hiro> on dist.tpo 17:22:10 <hiro> it's just files listed on apache 17:22:24 <phw> how about we continue with the roadmap once we have addressed the critical issues in gettor? 17:22:28 <hiro> for reference clash: https://gitlab.com/thetorproject/gettorbrowser/blob/master/.gitlab-ci.yml 17:22:30 <phw> what do you think gaba? 17:22:42 <gaba> phw: yes, sounds good 17:23:03 <gaba> I just updated with the work hiro is planning for next week 17:24:15 <phw> let's move on to release engineering. here's how it works for bridgedb: 17:24:55 <phw> we're using semantic versioning for bridgedb's version number and this git development model: https://nvie.com/posts/a-successful-git-branching-model/ 17:25:06 <phw> every now and then, when i have time, we're releasing a new bridgedb version 17:25:31 <phw> that's about it. we get away with this rather informal process because we are running the only bridgedb deployment ;) 17:26:12 <phw> gaba: you were thinking about topics like planned releases, right? 17:26:35 <phw> i'm trying to understand what we should be doing that we aren't doing already. 17:26:39 <gaba> yes. I was wondering if there is any release that should be better if planned. 17:26:56 <gaba> would* 17:27:33 <gaba> gettor is in a similar situation than bridgedb 17:27:34 <phw> do you mean by that "we have a new release every month" or "we anticipate feature X to release on Y"? 17:28:07 <gaba> That we put features/bug-fixing/changes together to release all at the same time (depending on minor or major changes) 17:28:33 <gaba> how is working with snowflake? 17:28:59 <gaba> phw: if we are ok this way and we do not need to change to a schedule then is fine with me. 17:30:09 <dcf1> With snowflake we have been making releases only as needed, for example pushing new proxy code to the website and making new webextension uploads whenever we need new proxy behavior 17:30:10 <phw> basically, that's what we are doing with bridgedb because of https://nvie.com/posts/a-successful-git-branching-model/. i'm a fan of this method. basically, the master branch only has releases while the development branch is for, well, development. new features and bug fixes branch off of the development branch and are eventually merged back into the master branch. 17:30:25 <dcf1> or upgrading the client in Tor Browser whenever we need new client behavior 17:31:14 <gaba> yes. I like having the develop branch as the source and not master. 17:31:35 <gaba> ok. thanks 17:32:16 <phw> i'm all for getting more organised but i'm not sure if i see a problem here that needs solving. 17:32:31 <gaba> yes, it seems we are fine and we do not need anything else on planning here. 17:32:49 <phw> do you see a need to improve things on snowflake's side dcf1? 17:33:30 <dcf1> The only thing is we're disorganized when it comes to updating all the channels, e.g. with publishing a new webextension and also updating the hosted proxy at snowflake.torproject.org. 17:33:56 <dcf1> But we don't really have critical dependencies that *require* close coordination. 17:35:15 <dcf1> Example is https://trac.torproject.org/projects/tor/ticket/31250#comment:12, which is still open because I don't know if Cupcake has updated yet. 17:36:26 <phw> a somewhat related thought: bridgedb could really use a staging server. many bugs only manifest once they're in production and messing with our production server is a very sloppy way of debugging. 17:37:12 <phw> but i guess that's more quality assurance and less release engineering 17:37:40 <gaba> yes, still important. Let's check with anarcat on how to get one 17:37:52 <anarcat> hum? 17:38:21 <hiro> hey phw gaba isn't bridge db on a special server? 17:38:31 <phw> hiro: it's on polyanthum 17:38:36 <hiro> w special I mean a bare metal that has specifc requirements? 17:38:42 <phw> oh, that i don't know. 17:38:47 <gaba> dcf1: not sure what we would be next step with #31250. Is this something about coordinating with somebody else not here? 17:39:30 <hiro> also bridgedb gets bridges from the bridges authority do you plan to have a staging w real bridges or just test addresses? 17:39:31 <dcf1> gaba: nothing we need to talk about now. It's mostly solved. Just need to confirm with saint whether it's happened in Cupcake yet or not. 17:39:54 <gaba> ok 17:39:58 <hiro> I can help you setup this as when I setup the azure meek I did some testing with a bridgedb instance 17:40:35 <phw> hiro: i may be naive, but a second bridgedb instance on the same machine may be helpful. i don't want it to be used by people, but i want it to operate on the same bridges as the live instance. 17:41:10 <anarcat> worst that can happen, on the same machine, is it takes the machine down because of resource usage 17:41:14 <anarcat> or that operators confuse the two 17:41:21 <hiro> yes! 17:42:04 <phw> if it's on the same machine, i would want it at, say, bridges.tp.o/staging/. operators wouldn't be exposed to it unless they are actively looking for it. 17:42:27 <phw> anyway, let's file a ticket and continue there, ok? 17:42:36 <hiro> ok 17:42:41 <anarcat> i won't see it until sept 3rd, btw 17:42:41 <phw> thanks hiro and anarcat 17:42:47 <anarcat> i'm on vacation for a bit 17:42:52 <hiro> enjoy vacas! 17:42:53 <anarcat> but weasel's around 17:42:54 <phw> it's not urgent 17:43:25 <phw> ok, next point on our discussion list is snowflake localisation! 17:43:41 <phw> you should all know that snowflake means schneeflocke in german 17:43:42 <dcf1> *localization 17:43:47 <phw> :) 17:44:25 <antonela> copo de nieve 17:44:32 <gaba> it is not in the roadmap but emmapeel worked on it and now it is ready :) 17:45:01 * phw has approximately 0 experience with locali[zs]ation 17:45:08 <antonela> thanks emmapeel! 17:45:32 <gaba> We do not have to do it now but it would be good to include it in the roadmap for s28 work with snowflake 17:46:15 <phw> sounds good to me. i hope somebody can figure out how to make use of translations :) 17:46:54 <phw> ok, last point is bridgedb's anti-bot mechanism. i wanted to catch you up on what we've done so far 17:47:19 <phw> we recently deployed #31252 in an effort to make it harder for bots to fetch bridges 17:48:32 <phw> i recently set up a decoy bridge that is handed out to requests that are coming from bots. the only purpose of this decoy bridge is to try and find out what our adversaries are doing with it 17:48:55 <phw> remember that bridgedb sees tons of automated requests that are surprisingly good at solving our captcha 17:49:17 <phw> i had a brief look at the logs of my default bridge and almost all connections are coming from china 17:49:46 <dcf1> "default" as in default Tor Browser bridge? not the decoy you mentioned? 17:49:47 <phw> our vps in china cannot connect to my decoy bridge either. 17:49:57 <phw> sorry, s/default/decoy/ 17:50:16 <dcf1> The decoy is only given to suspected bots? 17:50:16 <phw> (the decoy bridge is private and doesn't report itself to the bridge authority) 17:51:19 <phw> that's it. i thought it's an interesting finding worth sharing. 17:51:19 <dcf1> I wonder why it would be made inaccessible and also connected to from addresses in China. 17:51:48 <phw> dcf1: my guess is that the bridgedb crawler is run by gfw engineers. 17:51:49 <hiro> maybe the bots are a way to discover bridges 17:52:31 <phw> i suspect that the decoy bridge ended up on the same "probing list" as all the other bridges that the gfw discovered by doing dpi 17:52:47 <dcf1> that would make sense 17:54:03 <phw> now that i think about it: i remember seeing connections to my bridge's obfs4 port. i wonder if they have a probing module for obfs4 but don't have a "detection module" for it 17:54:34 <phw> i'm happy to share the pcaps if anyone wants to have a closer look 17:55:43 <phw> ok, we're almost done for today. shall we move on to the "needs help with" part? 17:56:11 <dcf1> #31460 is a problem, yes. 17:56:15 <phw> i see that dcf1 already commented on #31460. that was a bug report from serna 17:57:10 <phw> i'll take the liberty of making cohosh the reviewer for #17626 17:58:18 <phw> arlo needs a review for #30310 17:58:38 <dcf1> It's one of the tickets I need to catch up on. 17:58:38 <phw> and dcf1 for #31454 17:59:42 <dcf1> I will do it if no one else does within a week. 17:59:47 <phw> i'll do #31454 with cohosh's help. i just updated to go 1.12.9 to re-deploy bridges.tp.o/scan/ 18:00:02 <gaba> #30310 was for august but it has #31384 as a child. That last one may need to be for september. 18:00:58 <phw> i think we're done for today. anything left? 18:01:29 <phw> #endmeeting