15:00:59 <morganava> #startmeeting Tor Browser Weekly Meeting 2024-08-12 15:00:59 <MeetBot> Meeting started Mon Aug 12 15:00:59 2024 UTC. The chair is morganava. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:00:59 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic. 15:01:00 <bellatchau> o/ 15:01:14 <morganava> guys you'll never guess where the pad is this week 15:01:16 <morganava> its right here -> https://pad.riseup.net/p/tor-tbb-keep 15:01:22 <jwilde> o/ 15:01:31 <morganava> as usual please update your section with todos/todones 15:01:37 <morganava> and add any discussion points for this week 15:01:54 <Jeremy_Rand_Lab19[m]> Hi! 15:02:16 <morganava> my goal this week is to complete my remaining bugzilla triages and prep/sign/publish 13.5a2 15:02:27 <morganava> *hopefully* we wont' run into any fun with signing Android this week 15:02:30 <Jeremy_Rand_Lab19[m]> Apologies for missing the last few meetings, some meatspace drama (U.S. health care system sucks) derailed me 15:02:32 <morganava> but we'll see 15:02:43 <Jeremy_Rand_Lab19[m]> Happy to be back 15:02:46 <morganava> jeremy: what problems in the american healthcare system how can this beeee 15:03:03 <PieroV> 13.5a2? 15:03:09 <morganava> er 15:03:10 <morganava> 14.0a2 15:03:13 <PieroV> 14.0a2 I assume :) 15:03:14 <morganava> i know what release we're on 15:03:19 <Jeremy_Rand_Lab19[m]> morganava: yeah, combine the ridiculous US health care system with the ridiculous nature of patent trolls, and you get my drama 15:03:22 <morganava> for some reason the current version keeps goinng up 15:03:24 <PieroV> Probably you got confused with 13.5.2 15:03:30 <morganava> yesss 15:04:06 <morganava> speaking of triage, i think 127 is the only one that has not been triaged yet (at least as of last Thursday) 15:04:25 <dan_b> that sounds like a me one 15:04:27 <morganava> iirc the assignees there are myself, dan_b and jwilde 15:04:32 <dan_b> yep 15:04:43 <morganava> evetything else has had at least 2 pairs of eyeballs looking at it 15:04:59 <morganava> which honestly is kind of neat, thx everyone for helping with the paperwork :) 15:05:06 <dan_b> so yeah, i just have a few last tests to fix this morning in 128 android rebase, then wait for claire's comments (i think i just saw some in email) address those, one final rebase to 128.1, and it's ready 15:05:38 <morganava> dan_b: 👏👏👏 15:06:24 <morganava> if folks have any downtime, it may be good to look and see what issues your colleagues created triage issues for to get a broader view of the type s of things we may care about (all linked from the parent issues in tor-browser-sepc) 15:07:33 <morganava> oh and thx to everyone that helped get macOS signing working last week \o/ 15:08:54 <morganava> and speaking of accomplishments, micah has taken charge of reviving 'onion-news' and i've been bubbling up cool stuff folks have been doing 15:09:54 <dan_b> yes, the first one was cool and just packed with stuff everyone else has been doing 👍 15:09:56 <morganava> so if there's anything cool y'all have been working on, problems fixed, etc, etc that is worth a headline for the rest of the org to see plz let me know and I'll pass it along (but I am trying to notice and note the good stuff that is happening) 15:10:16 <morganava> or just ping him directly, i ain't no gatekeeper 15:10:33 <morganava> alright, onto discussion points! 15:10:35 <morganava> (do we have any?) 15:10:45 <PieroV> I think the work on the pipelines would be good for the news 15:10:48 * Jeremy_Rand_Lab19[m] has one 15:11:02 <PieroV> To explain that we finally found why GitLab was always tired 15:11:08 <morganava> jeremy: cloudflare has been notified of the useragent change 15:11:09 <PieroV> And the challenges we have to face :( 15:11:35 <Jeremy_Rand_Lab19[m]> alright thanks morganava . Wonder why I'm seeing lots of CAPTCHAs then... :/ 15:12:14 <PieroV> Jeremy_Rand_Lab19[m]: I'm seeing more also with stable and with MB 15:12:27 <Jeremy_Rand_Lab19[m]> ah interesting 15:12:29 <PieroV> (MB on my connection, not on Tor, neither Mullvad VPN) 15:13:20 <Jeremy_Rand_Lab19[m]> guess I get to return to my old pastime of complaining to website operators who use Cloudflare 15:13:37 <morganava> so we told them in June to update to `Mozilla/5.0 (Windows NT 10.0; rv:128.0) Gecko/20100101 Firefox/128.0` 15:13:56 <PieroV> Yeah, I found also some invidio.us instances use CloudFlare :| 15:13:56 <morganava> jeremy: if you can draft some short report w/ repro steps I can pass it along 15:14:15 <Jeremy_Rand_Lab19[m]> morganava: I *assume* they understand that other parts of the browser fingerprint will change with the ESR transition, not just the user agent? 15:14:45 <Jeremy_Rand_Lab19[m]> But I wonder if they've actually bothered to fix their fingerprinting scripts for this 15:14:49 <morganava> one would presume so, but as far as I know the useragent should trump the rest of it 15:14:59 <morganava> otherwise what would be the point 15:15:21 <Jeremy_Rand_Lab19[m]> anyway noted, I'll take notes on which sites show the issue and let you know 15:15:41 <morganava> but like i said, if there are reproducible issues we can ~complain~ submit our feedback 15:15:58 <Jeremy_Rand_Lab19[m]> morganava: UA probably won't trump it, CF needs to update the fingerprint whitelist (which maybe they did, maybe not) 15:17:00 <Jeremy_Rand_Lab19[m]> If getting around CF CAPTCHAs were as easy as telling curl to use TB's UA, that'd be a nice universe I'd like to live in 15:17:15 <morganava> lol 15:17:23 <Jeremy_Rand_Lab19[m]> oh whoops you disconnected 15:17:35 <Jeremy_Rand_Lab19[m]> not sure if you saw my message before you dropped "UA probably won't trump it, CF needs to update the fingerprint whitelist (which maybe they did, maybe not)" 15:17:36 <PieroV> Jeremy_Rand_Lab19[m]: I'm kinda sure they also use TLS information 15:18:25 <PieroV> Maybe you can implement a curl with neko :D 15:18:27 <morganava> well as i said, give me repro steps and i can pass them along 15:19:14 <Jeremy_Rand_Lab19[m]> PieroV: they definitely use TLS ClientHello fingerprinting, but I think they also do some stuff with JavaScript depending on what security level the website operator set in the CF control panel 15:19:23 <Jeremy_Rand_Lab19[m]> PieroV: I actually did once make a TLS intercepting proxy that rewrote the ClientHello and HTTP headers to get around CF's fingerprinting 15:19:24 <Jeremy_Rand_Lab19[m]> But it wasn't stable enough to release 15:19:27 <Jeremy_Rand_Lab19[m]> anyways 15:19:29 <Jeremy_Rand_Lab19[m]> yes will give you details once I can check which sites have the issue 15:19:38 <Jeremy_Rand_Lab19[m]> next topic please? 15:19:39 <morganava> alright great! 15:19:41 <morganava> anything else from folks? anyone blockers? 15:19:51 <morganava> help needed? 15:20:04 * PieroV switched to the audit results 15:20:12 <PieroV> I'm going in order 15:20:29 <PieroV> But let me know if you found some issues for me you think are particularly urgent 15:20:47 <PieroV> Like 14.0a2 urgent (e.g., the regional locale thing) 15:21:36 <morganava> yes.. evaluating the priority of the review issues is on my todo list this week 15:25:11 <morganava> alright i will presume your silencce impliles nothign else to chat about 15:25:26 * Jeremy_Rand_Lab19[m] has nothing 15:25:32 * PieroV neither 15:25:32 <morganava> have a good week everyone o/ 15:25:41 <Jeremy_Rand_Lab19[m]> thanks! 15:25:46 <morganava> #endmeeting