15:17:41 <richard> #startmeeting Tor Browser Weekly Meeting 2024-04-15 15:17:41 <MeetBot> Meeting started Mon Apr 15 15:17:41 2024 UTC. The chair is richard. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:17:41 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic. 15:19:25 <bellatchau> o/ 15:19:56 <richard> sorry flaky internet this am it would seem >:[ 15:20:16 <clairehurst> o/ 15:20:25 <boklm> o/ 15:21:04 <richard> anyway, it's a release week once more; this week we should be releasing (iirc) 13.0.14 15:21:22 <PieroV> Yes, we have to decide how to deal with Android 15:21:37 <PieroV> Whether we want to backport the release date immediately or create another empty commit 15:21:39 <richard> and there's a release meeting on the calendar today for 1800 if you have patches and/or need to coordinate getting them into alpha next week 15:22:04 <PieroV> In both cases we'll need an update to tor-browser-build 15:22:21 <richard> iirc i think i thought backporting the release date patch was a good idea 15:22:23 <PieroV> richard: are we having the 1800 meeting even though donuts is afk? 15:22:34 <richard> ah just saw that emil 15:22:49 <richard> hmmm ok let's push it to tentatively 1800 tomorrow 15:23:11 <richard> oh and some good news, hot off the presses 15:23:23 <bellatchau> :) woot woot 15:23:55 <richard> our pending windows firefox dev has accepted their offer and so we should be beginning the on-boarding process in the near future 15:24:06 <PieroV> \o/ 15:24:08 <dan_b> woo 15:24:10 <ma1> \o/ 15:24:14 <boklm> \o/ 15:24:38 <richard> i'm super excited introduce them and their background, i think everyone will be quite pleased :) 15:24:41 <richard> but that will have to wait 15:25:06 <boklm> release date patch has not been tested in an alpha release yet, but doesn't look like a big risk so should be fine to backport 15:26:10 <richard> i guess get all your risky patches in now before we have a qa engineer to furrow their brow at us :3 15:26:31 <ma1> lol 15:26:41 <richard> ah boklm, that reminds me (and you have seen the request in the backlog already) 15:26:59 <richard> but are you free to sign the alpha next week to verify your dmg patch? 15:27:03 <boklm> yes, I can sign the alpha this week 15:27:20 <boklm> is it this week or next? 15:27:22 <PieroV> Can we wait a few days for the alpha? 15:27:30 <PieroV> I'd like to get the TorConnect improvements in 15:27:34 <boklm> I can next week too 15:27:42 <PieroV> (need to get the final approval in firefox-android!78) 15:28:16 <richard> boklm: ok great thank you 15:28:35 <richard> i'll do stable tomorrow this week 15:28:44 <richard> this week* 15:29:08 <richard> ok apart from that I'm out of announcements, so happy ot move on to discussion points! 15:29:48 <PieroV> I have a half announcement-half discussion 15:29:55 <PieroV> I think it'd be time to check for what can be uplifted 15:30:17 <PieroV> We have a couple of months to get stuff in before 128 goes beta 15:30:59 <bellatchau> ps: could we use the release meeting to talk about the onboarding of new dev ? or setup another time...I have a couple of ideas I would like everyones input 15:31:17 <bellatchau> coudl be in the future weeks...btw 15:31:35 <richard> bellatchau: I'm happy to add to thsi meeting's agenda if you like 15:32:23 <bellatchau> yeah, sure 15:33:06 <ma1> I've got in my todo-list putting betterboxing stuff in good order for uplifting in the next ~2 weeks, so when tjr is back can halp landing. 15:33:38 <PieroV> ack, thanks ma1! 15:34:16 <ma1> speaking of which, do we want to try uplifting the UI prefs part as well (does it make sense / have chance to success)? 15:34:29 <PieroV> I think we could start a conversation 15:34:42 <richard> agreed 15:34:56 <richard> uplifting all the things is the goal so we'll take what we can get :D 15:35:14 <ma1> ack 15:35:32 <PieroV> I also have a discussion point 15:35:44 <richard> mmhm 15:35:53 <PieroV> So, fonts is basic fingerprinting. Dropping the line-height patch changes a few metrics 15:35:59 <PieroV> * changed 15:36:46 <PieroV> We have also a few others font changes (adding a couple of fonts on macOS - Arial black and arial narrow iirc) and adding aliases to MS fonts (Arial, Courier, Times New Roman) on Linux 15:37:02 <PieroV> We decided to wait for 14.0 for the other changes, but as a matter of fact we haven't been consistent 15:37:34 <PieroV> Should we restore the line-height patch and defer its removal to 14.0, do also the other changes now, or what else? 15:37:55 <PieroV> The fingerprint between 13.0 and 13.5 will be likely different in any case... 15:38:59 <richard> so iirc there was a question of whether we should backport/removing some font fingerprint patch that didn't actually matter in terms of protections, but did alter the fingerprint yes? 15:39:29 <richard> I suppose this is another point for the design doc 15:39:34 <PieroV> Yes 15:40:02 <richard> but i think in general we should be minimizing the fingerprintable differences between minor versions on the stable train 15:40:07 <PieroV> (I remember that there's at least another quite trivial way to tell 13.0 from 13.5) 15:40:34 <richard> especially if said changes don't alter how fingerprintable the feature is, but instead changes the fingerprint (but leaves entropy the same) 15:40:57 <richard> yeah I think differences between major versions is *fine* 15:41:23 <richard> it's unreasonable to expect to maintain a set of quirks or w/e make major versions indistinguishable 15:42:24 <richard> so yeah i would say defer removal in this particular case 15:42:54 <PieroV> So, defer from 13.5 to 14.0 15:43:13 <PieroV> If we don't have a 14.0a1 rel prep we should create one :) 15:43:55 <richard> lol true 15:44:11 <richard> maybe we need a releaes prep issue special for the first major release 15:44:26 <richard> but anyway 15:44:55 <richard> wait a sec i've an off by 0.5 error 15:44:56 <PieroV> I think I'm done with my points 15:45:21 <PieroV> ? So, let's drop it from 13.5 already? 15:45:21 <richard> I thought we were opting ou tof backporting to the 13.0 series and leaving it in 13.5? 15:45:47 <PieroV> No, we were talking about 13.5 or waiting for 14.0 15:46:16 <richard> were you worried about the fingerprint changing within the 13.5 alpha series? 15:46:40 <PieroV> No, it's trivial fingerprinting, compared to non-trivial fingerprinting 15:47:08 <richard> well ok, what area the arguments for not improving the situation in 13.5 alpha? 15:47:44 <PieroV> That even stupid scripts will detect this change 15:48:25 <PieroV> (I don't know if so far we've done other changes that all FP scripts are checking) 15:48:32 <richard> right, but it's alpha 15:49:20 <PieroV> It's for 13.0 vs 13.5 15:49:30 <PieroV> Not for alpha minors 15:49:56 <PieroV> But it works for me also to do it for 13.5 already 15:50:55 <richard> ahhh, because 13.0 -> 13.5 is not an ESR transition, but 13.5 -> 14.0 is 15:51:07 <PieroV> Yes 15:51:18 <richard> so 13.5 -> 14.0 will already have major changes so it's easier to launder our changes as well 15:52:01 <PieroV> Yes, 14.0 will be detectable with navigator.userAgent :D 15:52:25 <richard> dang ok, i need to think about this and maybe chat offline 15:52:30 <PieroV> wfm 15:54:39 <richard> so to summarize for the log: adding major changes on the off-ESR versions of Tor Browser/Mullvad Browser will make split those two user groups into clear buckets when they otherwise wouldn't, since the base firefox version is the same; waiting until the major ESR version (whose users are trivial to distinguish by user-agent) works around this issue 15:55:05 <richard> we've never really been in a position to have the luxury of timing patches to minimise this possibilit risk before 15:55:14 <richard> possible risk* 15:55:16 <richard> ok 15:55:23 <richard> anymore discussion points? 15:55:43 <PieroV> Not from me 15:56:06 <boklm> not from me 15:56:34 <ma1> I'm good 15:56:50 <richard> ok 15:57:07 <richard> sorry about that little fingerprinting diversion, but we got there in the end 15:57:13 <richard> have a good week everyone o/ 15:57:16 <richard> #endmeeting