16:01:07 <onyinyang> #startmeeting tor anti-censorship meeting
16:01:07 <MeetBot> Meeting started Thu Dec  5 16:01:07 2024 UTC.  The chair is onyinyang. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:01:07 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
16:01:07 <onyinyang> hello everyone!
16:01:07 <onyinyang> here is our meeting pad: https://pad.riseup.net/p/r.9574e996bb9c0266213d38b91b56c469
16:01:12 <meskio> hello
16:01:12 <theodorsm> Hi!
16:01:14 <nipaton> hi!
16:01:29 <shelikhoo> hi~hi~
16:02:02 <cohosh> hi
16:02:34 <WofWca[m]> 🫡
16:03:10 <gaba> hi
16:08:14 <onyinyang> I'm a bit confused about the discussion section of the pad. I think maybe everything is new despite the labels having different dates?
16:08:28 <onyinyang> ah no
16:08:39 <onyinyang> sorry I see in the notes from last week, so just the December 5 section
16:08:50 <onyinyang> let's start with the first item
16:08:56 <onyinyang> Creating container mirror for anti-censorship projects to deal with docker hub restriction
16:08:59 <shelikhoo> it is from me
16:09:30 <shelikhoo> we are currently observing a lot of failures from CI as a result of docker hub restriction that cannot be removed with retry
16:09:56 <shelikhoo> I think it makes sense for us to create a mirror for some of the images we are using to avoid this kind of failure
16:10:31 <shelikhoo> there are currently 2 images from snowflake that require such a mirror to the best of my knowledge
16:11:09 <shelikhoo> are there any suggestions about additional packages that would need to be included in this mirror?
16:11:11 <cohosh> are other teams running into the same issue?
16:11:47 <meskio> AFAIK other teams use TPA's base images, but the ones that are giving us problems are too specific for there
16:12:17 <meskio> go-1.21 and manifest-tool
16:12:43 <meskio> (I think were those)
16:13:32 <meskio> what shelikhoo and me discussed was to make the mirror in gitlab, creating a repo with a CI copying the images from dockerhub to the repo registry
16:13:38 <meskio> so it doesn't imply running a new service
16:14:21 <cohosh> nice
16:15:15 <shelikhoo> okay eof from me
16:15:23 <onyinyang> great
16:15:25 <meskio> sounds good, let's do it
16:15:38 <onyinyang> the next item is WIP MR: Add covert-dtls to proxy and client
16:15:42 <theodorsm> That's from me
16:15:59 <theodorsm> Finally added covert-dtls to Snowflake after the pion upgrade
16:16:24 <theodorsm> Had to add it to both the client and the proxy as both can become the Client in the DTLS handshake
16:17:03 <cohosh> very cool theodorsm!
16:17:36 <theodorsm> Got great feedback from @WofWca[m] and @shelikhoo, will work on implementing the feedback
16:17:44 <meskio> great work there
16:17:48 <theodorsm> tnx!
16:17:53 <shelikhoo> hehe!
16:17:54 <onyinyang> amazing!
16:18:01 <meskio> something that will be needed now that we see snowflake more and more being targeted
16:18:20 <meskio> https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/merge_requests/448
16:18:54 <meskio> shelikhoo: you were asking others to look into it, isn't it?
16:19:08 <meskio> I'm not sure I have time to do that in the coming week, cohosh can you have a look?
16:19:40 <shelikhoo> yes, i think it is a major change and would benefit from additional eyes on it
16:20:46 <cohosh> yeah i can look at it
16:20:55 <cohosh> i just made a comment about backwards compatibility
16:21:03 <cohosh> i think it's ok if this isn't backwards compatible
16:21:37 <cohosh> we can do a snowflake v3 update
16:21:49 <WofWca[m]> What about browser proxies?
16:21:53 <theodorsm> I could also downgrade to go 1.21
16:22:11 <cohosh> oh i haven't seen that discussion yet, i was just looking at the API changes
16:22:14 <theodorsm> But passing flags through the NewWebRTCDialerWithEventsAndProxy function will be a braking signature change
16:22:22 <theodorsm> breaking*
16:22:59 <meskio> WofWca[m]: browser proxies use the browser DTLS implementation, I expect censors not wanting to block that one
16:23:02 <WofWca[m]> Oh, this is what you mean. OK, ignore my message
16:23:18 <nipaton> arma and Sky were having problems with their proxies, they were becoming restricted and unused after a while as far as I remember. Was it fixed? I faced no such problems with my linuxmint package.
16:23:43 <cohosh> yeah i was only commenting on changing the function signatures, sorry
16:24:40 <cohosh> nipaton: it looks like this is a potential reliability issue with the probe server
16:24:45 <cohosh> there is an open issue for it
16:25:18 <cohosh> i don't think it's fully fixed, but it seems to only happen sometimes or for some proxies
16:25:47 <nipaton> this is not version dependent? because my proxy from home connection worked fine
16:25:49 <cohosh> https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40419
16:26:06 <cohosh> nipaton: i think it's related to the broker upgrade, not the proxy version
16:26:55 <WofWca[m]> And it might be just the old issues, getting noticed just now
16:27:31 <nipaton> ok, I was asking because I assumed they were using latest snowflake version, while mine was definitely the old Debian one
16:28:48 <cohosh> since we don't know the cause of the problem it could be related to that
16:28:48 <theodorsm> cohosh: while I was testing the covert-dtls in Snowflake I used snowbox and needed to add the -allow-proxying-to-private-addresses flag, made a quick PR: https://github.com/cohosh/snowbox/pull/7
16:29:05 <cohosh> theodorsm: oh thanks for letting me know, i haven't been maintaining that
16:29:15 <theodorsm> :)
16:29:21 <cohosh> i'll take a look at that and the snowflake MR after this meeting today :)
16:29:40 <cohosh> theodorsm: this is really exciting work, thanks for doing this
16:30:07 <nipaton> for the record, I run the proxy with ephemeral-ports-range flag, allowing them in ufw
16:30:08 <onyinyang> ok let's move on to the next point
16:30:12 <onyinyang> Sane PollInterval for Orbot? https://github.com/tladesignz/IPtProxy/pull/58
16:30:17 <WofWca[m]> The iPtProxy maintainers are discussing what would be a good PollInterval value for Orbot. I think it should be 120, twice as big as that of browser extension. What do you think?
16:31:17 <meskio> what is the value for the standalone proxy?
16:31:22 <WofWca[m]> 5
16:31:27 <WofWca[m]> By default
16:31:34 <WofWca[m]> (Seconds)
16:31:46 <meskio> I assume being mobile is better to be higher than the standalone
16:31:56 <meskio> but I don't have a good criteria on how high
16:32:04 <cohosh> yeah we for sure want to have them poll less often
16:32:07 <WofWca[m]> So Orbot uses the same right now, 5 seconds
16:32:54 <cohosh> let me quickly check some broker metrics
16:33:00 <shelikhoo> is that a value that can be configured by user?
16:33:13 <WofWca[m]> Not by user
16:33:17 <shelikhoo> okay....
16:33:23 <WofWca[m]> At least not yet
16:34:45 <shelikhoo> yes...
16:35:30 <cohosh> ah i see we don't do proxy poll totals by type
16:35:57 <WofWca[m]> snowflake-ips-standalone 4096 snowflake-ips-webext 71833 snowflake-ips-badge 478 snowflake-ips-iptproxy 101275 snowflake-ips-total 177682
16:36:11 <cohosh> those are totals by unique ip in 24 hours
16:36:28 <WofWca[m]> (Yeah)
16:36:31 <cohosh> i mean the number of total proxy polls
16:36:43 <WofWca[m]> I pasted before I saw your message
16:36:55 <WofWca[m]> So, most proxies are iptproxy
16:37:35 <cohosh> yeah, my gut feeling is that 120 is fine because we have so many proxies now
16:37:50 <cohosh> we more than recovered for the drop in webext proxies
16:37:56 <cohosh> and our pool size was fine then
16:38:36 <WofWca[m]> It would probably be nice if the interval depended on NAT type, but setting to 120 is a good start, I'd say
16:38:53 <WofWca[m]> OK, so everyone OK with 120?
16:39:14 <shelikhoo> I don't object to it
16:39:29 <cohosh> we have this old issue that would still be nice: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/25598
16:39:36 <shelikhoo> if something goes wrong we can always adjust it...
16:39:56 <cohosh> yeah i think 120 is safe from a proxy pool availability perspective
16:40:31 <cohosh> adjusting is a little hard because orbot release cycles are unpredictable
16:40:50 <WofWca[m]> We should also probably see about it when we resolve the issue where Orbot can't determine NAT type most of the time.
16:41:37 <WofWca[m]> OK, I guess that's it from me.
16:41:47 <onyinyang> ok great
16:41:57 <WofWca[m]> Thanks for your time!
16:42:05 <onyinyang> We only have interesting links remaining
16:42:16 <onyinyang> The first is the call out for webtunnel bridges for Russia
16:43:02 <meskio> there are two blogposts in our blog related to anti-censorship this week
16:43:04 <shelikhoo> hehe! nice...
16:43:16 <meskio> BTW the bridge campaign is going well with ~100 new webtunnel bridges in a week
16:43:30 <theodorsm> Cool! %%
16:43:36 <onyinyang> probably most people that follow this meeting/list are already aware of both of this campaign but yeah, we've seen a lot of interest already :D
16:43:48 <onyinyang> *both this campaign and the next item
16:44:23 <meskio> yes, I expect so, but just in case I added it
16:44:39 <onyinyang> the other item is the blog post on the deprecation of bridgedb
16:44:47 <onyinyang> yep yep, thanks meskio
16:45:36 <onyinyang> anything else to discuss?
16:46:02 <meskio> nothing from me
16:46:03 <shelikhoo> eof from me
16:46:18 <WofWca[m]> Nope
16:46:28 <onyinyang> ok thanks everyone :)
16:46:30 <onyinyang> #endmeeting