15:00:36 <richard> #startmeeting Tor Browser Weekly Meeting 2022-03-07
15:00:36 <MeetBot> Meeting started Mon Mar 7 15:00:36 2022 UTC. The chair is richard. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:36 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
15:00:57 <richard> it's that time again
15:01:00 <richard> meeting pad: https://pad.riseup.net/p/tor-tbb-keep
15:01:15 <aguestus1> o/
15:01:28 <richard> hmmm
15:01:51 <aguestus1> hrmm...
15:02:22 <donuts> sus
15:02:28 <sysrqb> o/
15:02:31 <aguestuser> allo
15:04:07 <Jeremy_Rand_Talos_> richard, is "March 21" a typo in your section of the pad?
15:04:28 <richard> nope, just really planning ahead lol
15:05:45 <Jeremy_Rand_Talos_> alright then, forget I asked :)
15:06:40 <Jeremy_Rand_Talos_> same question for donuts's March 28?
15:07:03 <donuts> fixed :)
15:07:05 <donuts> brain fog
15:07:10 <Jeremy_Rand_Talos_> cheers :)
15:07:25 <Jeremy_Rand_Talos_> 'tis the season for brain fog, alas
15:09:01 <richard> ok let's get this party started
15:09:15 <richard> donuts go ahead
15:09:54 <donuts> mig5 has reported the v3 onion auth dialog is broken as of 11.0.6
15:09:56 <donuts> https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40802
15:10:07 <donuts> could we get an emergency fix for that?
15:10:31 <richard> that seems pretty high priority
15:10:55 <donuts> yeah, authenticated onionshare services are currently broken as a result :/
15:11:25 <donuts> I saw the ticket come in, labelled it, then promptly forgot about it until I was reminded yesterday
15:11:29 <PieroV> should we delay 11.0.7 again?
15:11:48 <richard> pierov: do you have free cycles to look into this this week?
15:12:04 <PieroV> yeah, I'm not working on high priority stuff right now
15:12:17 <richard> alright, prioritize the onion auth issue then
15:12:27 <PieroV> on stable or alpha, first?
15:12:28 <Jeremy_Rand_Talos_> 11.0.7 has security fixes for in-the-wild vulns, IIRC?
15:12:35 <richard> and your q leads into the next question
15:12:46 <richard> yeah 11.0.7 has emergency fixes for a sandbox escape exploit
15:12:50 <richard> as does 11.5a6
15:12:53 <richard> so we need to get those out asap
15:13:03 <donuts> i'm kind of surprised we haven't had more reports about this though
15:13:12 <donuts> what's the target date for 11.0.7?
15:13:22 <PieroV> it was Friday :)
15:13:24 <richard> I'm happy putting out 11.0.8 and 11.5a7/8 release asap
15:13:33 <richard> donuts: target release date is tomorrow
15:13:41 <donuts> got it
15:13:51 <Jeremy_Rand_Talos_> yeah, so my vote is that the security patches need to go out immediately, even if that means the OnionShare fix is delayed
15:13:55 <richard> but it's going out today barring some unforeseen circumstance
15:14:07 <richard> and 11.5a6 shortly after despite it being a week early :3
15:14:25 <donuts> if we could get the fix into alpha that would be useful for onionshare, at least
15:14:38 <PieroV> what about Android? I think 96 doesn't have a patch (at least it didn't last Friday)
15:15:26 <aguestuser> from what i could follow, the upstream moz patches were on top of v97?
15:15:37 <aguestuser> (which we don't have)
15:15:41 <PieroV> yeah, I saw that 97 has the patches
15:16:12 <boklm> maybe we can check if that's something easy to backport
15:16:14 <richard> and 98 onward isn't affected by accident right?
15:16:16 <sysrqb> you can try backporting
15:16:19 <aguestuser> v98 releases tomorrow. absent this, i was planning on starting to rebase onto v98 today-ish
15:16:31 <Jeremy_Rand_Talos_> donuts, I used OnionShare last week and it worked fine. I was doing it in Whonix; is it possible that the bug is more subtle and only affects some setups?
15:17:33 <Jeremy_Rand_Talos_> If so that would explain why not many reports have come in
15:17:41 <donuts> Jeremy_Rand_Talos_: that's interesting, so you could authenticate fine?
15:17:50 <sysrqb> aguestuser: you may want to start working on 99 instead of 98 - you're not likely to release a version based on 98 within the next month
15:17:51 <PieroV> aguestuser: are you doing the geckoview rebase as well? I saw you wrote only fenix
15:17:56 <sysrqb> (if we're being honest)
15:18:05 <sysrqb> and that puts you back on track
15:18:08 <donuts> I can't actually open onionshare atm to test, it instacrashes :/
15:18:26 <donuts> if anyone has an authenticated link feel free to send it to me though
15:18:39 <aguestuser> sysrqb: i PieroV i put in discussion i could use an assist on GV layer
15:18:45 <aguestuser> grr
15:18:49 <aguestuser> sorry PieroV --^
15:18:51 <donuts> we should have a test-site for this somewhere
15:18:58 <Jeremy_Rand_Talos_> donuts, yes. Tor Browser prompted me for the key, I entered it, for some reason TB said it couldn't communicate with the Tor daemon, but then 1 second later it connected fine.
15:19:13 <Jeremy_Rand_Talos_> I assumed that the false error was a Whonix onion-grater artifact
15:19:19 <donuts> Jeremy_Rand_Talos_: got it! strange
15:19:54 <richard> hm, perhaps some sort of async/timing issue
15:20:08 <donuts> mig5's ticket indicates it's the dialogue itself that's broken
15:20:22 <richard> anyway PieroV please investigate
15:20:25 <aguestuser> sysrqb: re working on 99 -- i am confused. how can i do that? if it's not released for another month?
15:20:44 <aguestuser> we can take this offline
15:20:49 <PieroV> richard: okay, could somebody please give me an authenticated site to test?
15:20:59 <aguestuser> (since it seems like a longer thing to explain)
15:21:00 <sysrqb> aguestuser: sure, sounds good :)
15:21:08 <PieroV> (in another channel if you don't want to put them here)
15:21:16 <richard> PieroV: iirc you can use OnionShare to do this
15:21:42 <PieroV> okay, I'll try with it
15:22:20 <aguestuser> richard: have q's about patching chemspill but am unsure whether it is okay to ask them in this public channel...
15:22:52 <richard> it's public now as of Saturday so go ahead
15:23:08 <Jeremy_Rand_Talos_> PieroV, note that the version of OnionShare packaged in Debian doesn't use authentication, you need the latest release to test properly
15:23:57 <richard> donuts: well I thought maybe given the early alpha release I'd have some free time this week for ticket triage, but now looking less free; but if you want to schedule some ticket triage grinding I'm down
15:24:01 <PieroV> Jeremy_Rand_Talos_: thanks for the tip :)
15:24:02 <aguestuser> okay, so the patches tjr linked (IIRC) were on desktop
15:24:12 <richard> mmhm
15:24:18 <donuts> wait this week or next week richard?
15:24:35 <richard> donuts: originally next week but maybe later this week?
15:24:39 <richard> maybe too optimistic vOv
15:24:44 <sysrqb> aguestuser: on desktop or in mozilla-{release,esr91}?
15:24:57 <aguestuser> or i suppose: in general -- if i were to take the assignment "go backport these patches to v96" right now. i would not really know where to begin. (or it would take me a while)
15:25:04 <PieroV> aguestuser: I think that dom/xslt/xslt/txMozillaXSLTProcessor.cpp is also for Android
15:25:11 <aguestuser> kk
15:25:16 <donuts> richard: ah hrm okay let me see how my week goes, maybe we could also chip away at it by setting aside a day each week too?
15:25:24 <aguestuser> so it's just a matter of cherry-picking those commits
15:25:30 <PieroV> aguestuser: this is the patch https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/6beb82040a9a45e07c5f2d35b9a5d0237f405a95
15:25:38 <sysrqb> aguestuser: just remember the distinction between geckoview and desktop is not very large
15:25:39 <PieroV> yep, I think it may just work
15:25:41 <richard> alright that could work, let's coordinate offline
15:26:00 <richard> aguestuser: yep pretty much
15:26:01 <PieroV> aguestuser: this is the second patch: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/91bef72e8431dca80c8dfd73cb438c9d8ccb8021
15:27:02 <aguestuser> k, so then would we be trying to include android in the next release? or do a release a day or so after what you all are rolling out today for desktop?
15:28:13 <richard> i think it would need to be its own release
15:28:38 <richard> stable is already built+uploaded (or in progress, boklm?) and alpha is building/built
15:28:49 <boklm> yes, too late for 11.0.7
15:29:19 <boklm> (it's not uploaded yet, but it's in the process of being signed)
15:29:24 <aguestuser> so then (since it's a security patch), i'm guessing we want to try to backport to both alpha and stable for android? and put out those this week too?
15:30:18 <sysrqb> yes
15:30:37 <sysrqb> (for lack of a better answer)
15:30:43 <aguestuser> k
15:32:05 <boklm> if we do an 11.0.8 for fixing the authenticated onion site issue, maybe we could do a release for both desktop and android at the same time
15:32:18 <boklm> but it depends if both are ready at the same time
15:32:41 <richard> boklm: that sounds reasonable to me
15:32:55 <sysrqb> +1
15:34:26 <richard> ok, so what's the deal with tor-browser-build#40433 ?
15:34:47 <PieroV> this was intended for the last Android release
15:35:07 <PieroV> but we delayed because we encountered some problems with a library built with Clang
15:35:29 <PieroV> I mean an LLVM/Clang library, not a library built using Clang as a compiler
15:35:55 <PieroV> Mozilla already switched to Clang 13.0.0 if I understood correctly, so we should/would like to do the same asap
15:36:08 <PieroV> but I wanted to know how soon is soon
15:36:46 <richard> I don't have any intuition for how urgent this is
15:37:01 <richard> sysrqb, boklm, etc: any thoughts to add?
15:37:03 <boklm> I think we want to switch before building with 12.0.0 is broken, which is unknown when it will happen
15:37:58 <sysrqb> given we can build moz96 with clang12, and we haven't seen obvious breakage
15:38:27 <richard> ah ok, then I would put it in parallel urgency with (or a bit less urgent than) the https-everywhere work
15:38:30 <sysrqb> we can likely release a stable version using clang12
15:38:37 <aguestuser> also: we are about to jump to moz99
15:38:46 <Jeremy_Rand_Talos_> Also at least in theory, "broken in 12.0.0" might or might not mean a build-time error; worst case is a silent security bug caused by a Clang bug that was fixed in a newer release
15:39:29 <PieroV> richard: okay, I'll work on it after HTTPS-E (and I'll work on the onionshare before HTTPS-E)
15:39:42 <richard> sounds perfect :)
15:39:44 <sysrqb> Jeremy_Rand_Talos_: yeah, that is a risk
15:40:23 <richard> ok austin, your block of stuffs now
15:40:31 <richard> aguestuser^
15:40:52 <aguestuser> nw :)
15:41:18 <aguestuser> topline was wanted to flag that firefox release is tomorrow, so wanted to get an early start on rebasing onto new fenix version
15:41:20 <aguestuser> which will be v99! (sorry for earlier confusion)
15:41:30 <aguestuser> and i could use an assist on the geckoview layer
15:41:52 <aguestuser> (which is blocking b/c i can't test the fixes to layers above that in an apk w/o it.)
15:42:22 <richard> i'm relatively meeting free this week, so i'd be happy to assist where I can here
15:42:24 <aguestuser> also wanted to check in to make sure it's okay to just skip versions 97, 98
15:42:42 <richard> sounds like it given sysrqb's suggestion
15:42:48 <aguestuser> and flag that the rebases might be hairier b/c we are doing this
15:43:11 <aguestuser> (right, q2 obsoleted by beginning of meeting ;))
15:43:30 <richard> alright
15:43:31 <aguestuser> cool, okay, so q1 resolved -- richard will help. thanks! :)
15:43:55 <aguestuser> second is: we are behind on network audits and i really can't do them on my own (tried last week and hit a wall)
15:44:12 <aguestuser> so that also reduces to an ask for assist
15:44:40 <sysrqb> that seems to be on me
15:44:50 <aguestuser> also: perhaps elevating to a broader question -- is it realistic to assume we will catch back up at present pace?
15:44:58 <aguestuser> and if not -- what do we do?
15:45:33 <richard> so what's the issue here w/ network audits?
15:45:48 <richard> the problem here being that we're on the faster release train, not the incremental ESR on android
15:45:53 <sysrqb> aguestuser: do you mean catch back up w.r.t. network audits or releases?
15:45:55 <richard> so there's tons of non-security nonsense that needs to be audited?
15:46:00 <aguestuser> network audits
15:46:05 <aguestuser> richard: yes
15:46:21 <sysrqb> aguestuser: ah, yes, we'll definitely catch up
15:46:52 <aguestuser> k. so then it's just a matter of blocking off more time?
15:47:02 <aguestuser> richard: blocker is that yes, it's very tedious and mostly you don't find anything
15:47:04 <sysrqb> but that raises another interesting/relevant question
15:47:16 <aguestuser> for me it's also that when i try to do it alone i don't have an intuition yet for what is actually a problem
15:47:21 <aguestuser> (particularly deeper in the stack)
15:47:27 <sysrqb> richard: carving out some dedicated/scheduled time to look at closed Mozilla tickets might be a good idea
15:47:47 <sysrqb> possibly a rotating role of some sort
15:47:55 <sysrqb> or pairs of people
15:48:39 <sysrqb> that's the most tedious part of the network audit with 1-2000 tickets per release
15:48:40 <richard> sysrqb: how many tickets are usually between major android releases?
15:48:42 <PieroV> I wouldn't know how to take it as well the first time, but I can learn :)
15:48:59 <richard> eg I know between the *major* esr desktop releases there's something like a couple thousand tickets to go through
15:49:03 <sysrqb> *1000-2000
15:49:27 <sysrqb> yeah, between esrs there are usually ~20 000
15:49:51 <richard> so we effectively need to triage 2k mozilla tickets a month
15:50:12 <aguestuser> and we are currently trying to get caught up with network audits and closed tickets for *v94*
15:50:14 <sysrqb> yes. it's actually a bit less than that, and better if we look weekly
15:50:21 <aguestuser> as we contemplate rebasing onto v99
15:50:48 <sysrqb> there are usually a chunk of tickets we can skip/ignore, so usually we're skimming/reviewing ~800-1200
15:50:55 <sysrqb> per release
15:51:23 <richard> ok that isn't actually too bad given my experience w/ esr ticket review
15:51:39 <richard> you only tend to look at a handful
15:51:45 <sysrqb> yeah
15:51:57 <richard> alright quick off the cuff proposal time
15:51:58 <aguestuser> but to get back up to "even" (w/ 99) we have to do 8 releases
15:51:59 <sysrqb> so it could be 15-30 minutes per week, if we actually keep up with it
15:52:08 <sysrqb> right
15:52:10 <aguestuser> which i think is part of why we're behind right now
15:52:16 <aguestuser> b/c the weight of that feels overwhelming
15:52:19 <aguestuser> (to me anyway! :))
15:52:30 <sysrqb> aguestuser: eh, just gotta chip away at it :)
15:52:35 <richard> yeah no and it's an easy task to ignore when you have 'real' work to do
15:52:37 <sysrqb> take it one step at a time
15:53:09 <aguestuser> also: i can't chip away at it myself. so that feels overwhelming too
15:53:19 <sysrqb> that's fair
15:53:27 <aguestuser> but: we are all talking about it now, so that's nice. :)
15:53:58 <richard> ok why don't we plan on having a rotating role of mozilla Android ticket triage
15:54:20 <richard> so one person doesn't get burned out having to do it each month
15:55:01 <aguestuser> that sounds like a good idea!
15:55:02 <richard> we start out with 2 people doing different batches of tickets (one on 96, one on 97), so that we eventually catch up on the backlog
15:55:03 <PieroV> works for me
15:55:23 <richard> then once we're all caught up we move it down to 1 person on the next batch of tickets
15:55:23 <aguestuser> i would find a clear written rubric for what we're looking for very helpful
15:55:30 <aguestuser> and examples of past "hits"
15:55:42 <aguestuser> (and why)
15:55:45 <richard> ok in that case
15:56:08 <richard> sysrqb: how about we both do the same batch of tickets this first month
15:56:18 <richard> and document *why* we pick out the tickets we do
15:56:31 <aguestuser> (working in pairs might work too! just trying to flag the knowledge gap impedes being able to jump right in)
15:56:42 <richard> and then move to the rotating schedule
15:57:16 <sysrqb> richard: sure, we can try that
15:57:44 <richard> alright we can iron out the details at a future meeting
15:57:47 <richard> ok bridge links/qr codes
15:58:12 <aguestuser> this is not urgent. just curious about when we think we might move from spec-ing the RFC to implementing
15:58:12 <richard> tldr PieroV has a doc written up with a proposed format higher up the pad
15:58:33 <richard> so we're planning on having this in the 40773/4 patch set right?
15:58:45 <richard> so Android won't need it until after
15:58:56 <PieroV> yes, when I have confirmations that it's okay I'll add another fixup to the pile
15:59:08 <richard> but we can roll this discussion over to next week
15:59:10 <PieroV> (we can also discuss that at next S96, I think)
15:59:21 <aguestuser> should i come to next s96?
15:59:40 <richard> sure, that's next Tuesday iirc
15:59:47 <richard> ok have a good week everyone!
15:59:50 <richard> #endmeeting