#tor-meeting log

17:59:07 <sysrqb> #startmeeting Tor Browser meeting 19 October 2020
17:59:07 <MeetBot> Meeting started Mon Oct 19 17:59:07 2020 UTC.  The chair is sysrqb. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:59:07 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
17:59:24 <acat> o/
18:00:37 <sysrqb> https://pad.riseup.net/p/tor-tbb-2020-keep is the pad
18:01:52 <gaba> hi!
18:02:01 <Jeremy_Rand_Talos> hello!
18:02:07 <GeKo> hey!
18:03:19 <Jeremy_Rand_Talos> TBB Release meeting schedule looks off; Oct 19 is a Monday (today, even)
18:03:33 * sysrqb went through ~150 moderated blog comments
18:04:11 <sysrqb> we're nearly at 0 comments on Tor Browser blog posts
18:04:53 <sysrqb> there are two requests on the 10.0a8 blog post that we should put somehwere on our 10.0 radar
18:10:02 * Jeremy_Rand_Talos wonders whether Riseup's pad is having issues or if I just got assigned a crappy Tor circuit
18:11:19 <gaba> i think it is having issues
18:12:14 <Jeremy_Rand_Talos> ok then
18:12:25 * Jeremy_Rand_Talos waits patiently for it to come back online
18:13:40 <gaba> are people updating their statuses? what do we have for today on discussion?
18:13:41 <sysrqb> okay, let's get started
18:13:54 <sysrqb> I was :)
18:13:57 <gaba> the problem of the riseup pad is with the onion service
18:13:58 <gaba> ok
18:15:01 <sysrqb> We have 10.0.2 and 10.5a2 being releaesd this week
18:16:15 <sysrqb> I went through the backlog of blog comments from 10, 10.0.1, and 10.5a1 releases
18:16:36 <sysrqb> there weren't many surprising bugs reported
18:17:21 <sysrqb> but i'll open some tickets and we can investigate them
18:17:33 <gaba> are you using the milestone 10.0 for the release?
18:17:43 <gaba> https://gitlab.torproject.org/groups/tpo/applications/-/milestones/1
18:18:11 <sysrqb> for example: https://blog.torproject.org/comment/289871#comment-289871
18:18:36 <sysrqb> yes, we are putting all tickets that should be included in 10.0 into the Tor Browser 10.0 milestone
18:19:12 <sysrqb> that includes tickets that should go into a 10.0 release, but not necessarily the next 10.0.x version
18:19:53 <sysrqb> and another comment we should look at: https://blog.torproject.org/comment/289743#comment-289743
18:20:30 <sysrqb> but, overlal, most of the comments were about youtube not working in Tor Browser 10 and 10.5a1
18:20:48 <sysrqb> and re-enabling javascript.enabled on Safer
18:22:05 <gaba> right
18:22:21 <sysrqb> As for Android, the two comments we should consider fixing are
18:22:35 <sysrqb> 1) missing Quit button
18:22:57 <sysrqb> 2) a comment that third-party cookies are enabled
18:23:03 <GeKo> i've tried playing videos with a win32 bundle
18:23:05 <sysrqb> 3) locale leak
18:23:14 <sysrqb> (three comments...)
18:23:21 <GeKo> because i got contacted by our resident cypherpunk who was quite upset about it
18:23:51 <GeKo> i could not repro (easily) because youtube and other video platforms work fine
18:24:10 <GeKo> and i don't really understand why the 32bit part plays a role here
18:24:23 <GeKo> given that the cache is not bound to the bitness
18:24:37 <GeKo> anyway...
18:25:11 <sysrqb> okay, that's good you couldn't repro
18:25:11 <acat> but is it a 32 bit windows too?
18:25:24 <sysrqb> thanks for looking at it
18:26:31 <GeKo> acat: nope
18:26:37 <sysrqb> it could be an issue due to 32-bit and a small amount of memory, maybe?
18:26:38 <GeKo> but still
18:28:39 <sysrqb> in any case, i'll open a ticket for it and may be someone can find a 32-bit windows system and test it
18:28:53 <sysrqb> we only have one comment about this over the last two months
18:29:03 <sysrqb> and none during the alpha testing period
18:29:13 <sysrqb> so it isn't affecting many people
18:29:26 <GeKo> yeah
18:29:34 <sysrqb> considering we received ~50 comments about youtube not working
18:29:35 <GeKo> i am not too worried about it
18:30:40 <acat> should be possible to test with one of the x86 images from https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/
18:30:48 <sysrqb> and for android, we're already working on the locale leak by not including all system locales
18:31:11 <acat> yeah, i should open a ticket for that
18:31:16 <sysrqb> acat: ah, great, i forgot they provide an x86 image, too
18:31:27 <sysrqb> i have a 64-bit image locally here
18:32:48 <sysrqb> as the for the missing Quit button
18:33:00 <sysrqb> if users are looking for that, then we can expose it easily
18:33:21 <sysrqb> i can create a patch for that after this meeting
18:33:39 <sysrqb> the comment about third-party cookies is interesting
18:33:53 <sysrqb> i guess that is a result of disabling tracking protection
18:34:08 <sysrqb> and the resulting default cookie policy
18:34:40 <sysrqb> so that is unfortunate, if it's true
18:34:43 <gaba> hey! you are all seeing feedback from comments. Let's include ggus in this conversations so we can get feedback across the board
18:35:01 <gaba> frontdesk and social media
18:35:12 <sysrqb> that's a good idea, yes
18:35:36 <gaba> and let's see how is the best way to bring the feedback from ggus into this work
18:35:47 <GeKo> sysrqb: you mean the cookie value we set is not obeyed for mobile?
18:35:50 <gaba> i think he has been filling in issues
18:36:32 <sysrqb> GeKo: yes, the cookie value set in GV, that is my assumption
18:37:24 <sysrqb> i need to dig into the code and see what is happening
18:38:33 <sysrqb> we only flipped the default tracking protection value, so it defaults to off
18:38:54 <GeKo> yeah
18:39:05 <GeKo> in theoriy this should be fine, though
18:39:19 <GeKo> as cookies are part of first party isolation
18:39:21 <sysrqb> right, that was my/our hope
18:39:40 <GeKo> the tricky thing is, though, that mozilla saw *more* breakage that way
18:39:47 <acat> oh
18:39:52 <GeKo> than by outright disabling 3rd party cookies
18:39:54 <GeKo> yeah
18:40:10 <GeKo> sites have worked around third party cookie blocking
18:40:11 <acat> that sounds counterintuitive
18:40:15 <GeKo> no
18:40:35 <GeKo> but they assume once the cookies are available they work as intended
18:40:46 <GeKo> well, yes, sort of counterintuitive
18:40:53 <acat> i see
18:40:54 <GeKo> but it kind of makes sense as well :)
18:41:25 <sysrqb> yes
18:41:50 <sysrqb> in any case, i think we should look at this before releasing 10.0a9
18:41:52 <GeKo> but still worth investigating
18:42:50 <sysrqb> this will delay releasing that version
18:42:58 <GeKo> we need to fix another thing
18:43:06 <GeKo> i got pinged by mozilla folks
18:43:19 <GeKo> and they see telemetry pings from us in their logs
18:43:28 <GeKo> so that is *not* disabled for some reason
18:43:37 <sysrqb> from Fenix or desktop or both?
18:43:42 <GeKo> fenix
18:43:54 <sysrqb> hrm
18:43:56 <GeKo> it's like 5000 last week
18:44:10 <sysrqb> go glean is still making connections
18:44:12 <sysrqb> *so
18:44:19 <GeKo> well, yes
18:44:31 <acat> are we sure it's glean?
18:44:33 <GeKo> i'll file a ticket after the meeting with all the info i got
18:44:35 <GeKo> yes
18:45:10 <GeKo> we should have disabled it with out patch
18:45:17 <GeKo> but i need to look closer where the bug is
18:45:31 <GeKo> *to figure out where the bug is
18:45:56 <sysrqb> thanks
18:46:03 <GeKo> *our
18:47:37 <sysrqb> let's see if we can get 10.0a9 tagged before this weekend
18:47:48 <sysrqb> with fixing the bugs we've discussed
18:49:58 <sysrqb> so on our list of bugs are: 1) telemetry, 2) locale leak, 3) Quit button, 4) TorService stopping, 5) 3rd party cookies
18:50:23 <sysrqb> oh, and EOY campaign for the home screen
18:50:51 <GeKo> yep
18:50:54 <sysrqb> Is that list missing any must-do bugs?
18:51:24 <GeKo> we should have a clear understanding for the password and history upgrade issue
18:51:34 <acat> yes
18:51:38 <GeKo> but it's not a hard blocker for tagging the alpha
18:51:43 <acat> and migrate the security slider
18:51:51 <acat> (if possible)
18:51:52 <GeKo> given that alpha users are already past that threshold
18:51:57 <sysrqb> yes
18:52:13 <acat> ah true, not blocker for the alpha
18:52:17 <GeKo> however, it might be worth testing any code that results out of that investigation in that alpha
18:52:23 <GeKo> so...
18:52:55 <sysrqb> yes
18:53:08 <sysrqb> there are likely some alpha users who did not yet upgrade
18:53:15 <sysrqb> so any migration changes will still affect them
18:53:21 <GeKo> true
18:53:33 <sysrqb> but i expect most already upgraded
18:53:44 <sysrqb> so we won't get much testing from them
18:53:53 <GeKo> what about our f-droid users?
18:53:58 <sysrqb> so..we should test it ourselves
18:54:16 <sysrqb> i need to ping hans
18:54:26 <GeKo> so they did not get upgraded yet
18:55:33 <sysrqb> yeah, I didn't tell Hans about 10.0a8, so that update didn't happen
18:55:49 <sysrqb> and maybe we should wait until 10.0a9
18:55:56 <sysrqb> and then those users can test the migration
18:56:45 <sysrqb> is that a crazy idea?
18:57:08 <GeKo> wfm
18:57:19 <acat> +1
18:57:25 <sysrqb> okay,great
18:57:27 <sysrqb> we have a plan
18:57:33 <GeKo> again :)
18:57:42 <sysrqb> :)
18:57:44 <sysrqb> one week at a time
18:58:04 <sysrqb> okay
18:58:07 <sysrqb> thanks everyone
18:58:15 <sysrqb> have a good week
18:58:19 <GeKo> o/
18:58:21 <sysrqb> o/
18:58:26 <sysrqb> #endmeeting