#tor-meeting2 log

17:30:53 <sysrqb> #startmeeting Tor Browser Team Meeting - 2019 October 28
17:30:53 <MeetBot> Meeting started Mon Oct 28 17:30:53 2019 UTC.  The chair is sysrqb. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:30:53 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
17:31:30 <boklm> hi!
17:31:35 <sysrqb> I hope everyone is having a good Monday
17:31:38 <Jeremy_Rand_Talos> hello!
17:31:49 <sysrqb> Somehow it is the last Monday in October already
17:32:31 <sisbell> hi
17:32:36 <mcs> hi
17:32:38 <brade> hi
17:33:22 <antonela> hello
17:33:30 <pili> hi
17:35:30 <sysrqb> Okay, GeKo do you want to go first?
17:35:39 <GeKo> i can
17:35:58 <GeKo> so, tb 9 is out and it seems to stick, thanks everyone
17:36:10 <GeKo> it's been a bunch of challenging weeks/months
17:36:16 <GeKo> but we made it!
17:36:32 <sysrqb> !
17:36:32 <GeKo> i was busy last week collecting all the issues
17:36:46 <GeKo> i am mostly done and think i got at least all the important bugs filed
17:36:59 <GeKo> you can see what we have with the tbb-9.0-issues keyword
17:37:20 <GeKo> and things we could put (maybe) into 9.0.1 with the tbb-9.0.1-can one
17:37:34 <GeKo> there is not much time left, though
17:37:43 <GeKo> because we want to get out 9.0.1 next monday
17:38:02 <GeKo> so, maybe let's look over the -can issues now and think about what should go in if possible?
17:38:49 <sysrqb> i created a TorBrowser page on Trac, and i moved the ticket queries that were on the Applicatoins team page
17:38:52 <sysrqb> https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser
17:38:55 <GeKo> i think  boklm and i are still trying to find a workwaround for the reproducible builds issues this week
17:39:06 <GeKo> (which is #32052 and #32053)
17:39:15 <GeKo> sysrqb: nice, thanks!
17:39:43 <GeKo> antonela: do we want to have some onboarding fixups?
17:39:54 <GeKo> and what about #32220?
17:40:00 <sysrqb> I'll try keeping the queries up-to-daye each month and release, but feel you all should feel free to update that page if it falls behind
17:40:06 <sysrqb> (on that trac page)
17:40:08 <sisbell> Did we want to get out any Android related bugs for 9.0.1 #30501
17:40:33 <sysrqb> sisbell: not in 9.0.01, probably the alpha
17:40:38 <GeKo> skimming the code changes it seems 9.5a2 material
17:40:41 <sysrqb> *9.0.1
17:40:42 <GeKo> yeah
17:40:47 <sisbell> AH, makes sense its a riskier change
17:40:57 <GeKo> but, yes, this one is due next week as well
17:41:03 <antonela> GeKo: i don't think so - we discussed those tickets during the ux meeting last week, i'll update the tickets but not major changes for .0.1
17:41:22 <GeKo> okay, that includes #32220?
17:41:45 <antonela> no, #32220 can make it
17:41:58 <GeKo> do we have a plan for it?
17:42:09 <antonela> re onboarding, i'm talking about #32119 and #32118
17:42:17 <GeKo> yes
17:42:36 <antonela> for going dark? or any explainer? for what exactly
17:43:27 <GeKo> for not showing a white border when the theme is not the light one
17:43:38 <GeKo> or better for having the border following the theme
17:44:01 <antonela> yes, we have a plan, i also attached some screenshots/trials
17:44:13 <antonela> should we update upstream? or?
17:44:26 <antonela> wondering what tjr thinks about #32220
17:46:07 <GeKo> i think for 9.0.1 we should pick the best option and then we can think about upstream
17:46:16 <antonela> works for me
17:46:25 <GeKo> i have no clear winner, though :)
17:46:47 <GeKo> i am tending to version 2 (withou any borders)
17:46:50 <GeKo> *without
17:47:05 <antonela> is fine, i remember some discussions about taking the dom background color and use it too, i don't know what can be done now and what in the future
17:48:04 <antonela> oki, lets follow up this convo in the ticket? maybe it can make .0.1
17:48:09 <GeKo> it seems the comments on that ticket go to a border, though
17:48:10 <sysrqb> i don't think we should do that, because it will confuse people who try clicking in the margin and can't interact with the webpage
17:48:24 <GeKo> don't do what?
17:48:27 <antonela> sysrqb: good point
17:48:32 <antonela> going with the DOM background
17:48:34 <sysrqb> "do that" use = "use the dom background"
17:48:40 <GeKo> ah
17:48:56 <sysrqb> roger made a comment about this last week
17:49:01 <GeKo> yeah, i think i agree
17:49:10 <sysrqb> and i experienced this too
17:49:24 <sysrqb> when the webpage background was the color of the margin
17:49:42 <GeKo> aha
17:49:43 <GeKo> okay
17:49:50 <mcs> Maybe click or hover should show a message about letterboxing… that might be too much to figure out for 9.0.1 though
17:49:59 <brade> +1
17:50:15 <sysrqb> that could be a nice feature
17:50:17 <pospeselr> we could probably relatively easily set the background color to the firefox chrome color
17:50:18 <GeKo> sysrqb: so you would want to have a separate color independent of the theme?
17:50:31 <GeKo> or what color should we pick?
17:50:37 <pospeselr> to give that indication that it's part of the browser and not hte content
17:51:01 <sysrqb> GeKo: ideally,i think it shoul dbe different than the webpage content background
17:51:14 <sysrqb> maybe the same as the chrome
17:51:22 <sysrqb> but i don't have strong feelings about this
17:51:34 <antonela> im +1 pospeselr's
17:51:35 <GeKo> sounds good
17:51:45 <GeKo> pospeselr: could you give that a try?
17:51:46 <sysrqb> i just remember i tried scrolling the content while the cursor was in the margin and nothing happened
17:51:56 <sysrqb> and i thought the browser was glitching or hung
17:52:00 <GeKo> would be worth for 9.0.1 i think
17:52:05 <GeKo> yeah :(
17:52:25 <pospeselr> maybe give it the same border color as well
17:52:28 <GeKo> acat is working on #32255 (thanks)
17:52:43 <GeKo> sysrqb: you are on #32303?
17:52:52 <sysrqb> pospeselr: sure, give it a try :)
17:52:55 <pospeselr> GeKo can do, which of the myriad letterboxing tickets are we using to track this?
17:53:01 <antonela> GeKo: are we planning to expose this feature opt-out somewhere?
17:53:12 <GeKo> #32220
17:53:27 <GeKo> antonela: we could if we want to
17:53:34 <GeKo> i am not sure yet whether we do
17:54:00 <antonela> oki, will think about it
17:54:03 <GeKo> we usually don't expose options to disable anti-fingerprinting features in the ui
17:54:10 <GeKo> for reasons :)
17:54:18 <antonela> yep, i understand
17:54:24 <GeKo> but letterboxing might be special here
17:54:36 <antonela> is very invasive you know, not such as a tracker tho
17:54:54 * antonela will think about it
17:54:56 <GeKo> yeah, and i feel sorry about underestimating its impact
17:55:06 <GeKo> and our lack of early communications about it
17:55:29 <GeKo> antonela: you could file a ticket if you want and then we could collect thoughts there?
17:55:33 <antonela> yep
17:55:34 <antonela> will do
17:55:59 <sysrqb> GeKo: ah, sorry, i didn't see the question mark. yes, i'm on #32303
17:56:14 <GeKo> okay, are we good with tagged tbb-9.0.1-can work?
17:56:23 <GeKo> other items there should be fair game as well
17:57:12 <GeKo> there are two unaddressed issues which i am not sure about what to do
17:57:25 <GeKo> the first one concerns windows users below windows 10
17:58:08 <GeKo> years ago microsoft shipped an update to windows 7/8/vista users that made those systems compatible with a new runtime environment, ucrt
17:58:39 <GeKo> we don't ship any of those libraries to our users under the assumption that users should have this update from years ago
17:58:59 <GeKo> because if not they might have a horribly outdated windows
17:59:05 <GeKo> with all sorts of holes
17:59:17 <GeKo> and it turns out  that seems to be the case
17:59:23 <GeKo> for some users
17:59:53 <GeKo> not sure if we should fix that by shipping those missing deps
17:59:58 <GeKo> ourselves
18:00:23 <GeKo> or argue that those machines with all those missing security updates are essentially eol and unsupported
18:00:36 <GeKo> the second item is related to general cookie settings
18:00:49 <sysrqb> is this something new with TB 9 or is this an older question?
18:00:50 <mcs> did this situation change with TB 9.0 (vs. 8.5.x)?
18:00:59 <boklm> I'm wondering if we could improve the error message to explain the issue (maybe pointing to a support.tpo entry)
18:01:04 <GeKo> we hide the ui for that now as it is closely tied to tracking protection
18:01:09 <Jeremy_Rand_Talos> GeKo, can we confirm that those users are missing security updates, or maybe they somehow are only missing those libraries?
18:01:30 <GeKo> mcs: sysrqb: 8.5.5 did not require ucrt as it was not using mingw-w64/clang
18:01:31 <pospeselr> (and tbf i believe vista is already eol/unsupported for Firefox)
18:01:39 <sysrqb> ah
18:01:43 <GeKo> yeah
18:01:51 <GeKo> Jeremy_Rand_Talos: that is a good question
18:02:30 <Jeremy_Rand_Talos> Like, it is possible that maybe Microsoft doesn't always ship those libraries to users even when they're installing security updates?
18:02:33 <GeKo> there are folks arguing that some users might have all the sec updates
18:02:37 <sysrqb> do you know if there is a licensing issue with shipping these, as well?
18:02:53 <GeKo> but deliberately did not want to make their system compatible with the ucrt
18:03:16 <GeKo> sysrqb: i don't think so. mozilla is shipping them
18:03:23 <boklm> how big are those files?
18:03:24 <sysrqb> okay
18:03:27 <GeKo> however we would need to keep track of those dlls
18:03:35 <GeKo> and security updates to them etc.
18:03:38 <sysrqb> yeah
18:03:55 <GeKo> boklm: not that big. i think max 2mib
18:04:26 * Jeremy_Rand_Talos notes that Windows Update divides updates into "Important" and "Optional" updates.  What category is this library in?
18:04:56 <GeKo> i've not checked
18:05:21 <Jeremy_Rand_Talos> If by some chance it's categorized as Optional, then that would explain why a lot of users don't have it
18:05:47 <pospeselr> well this blog post seems to outline everything: https://devblogs.microsoft.com/cppblog/introducing-the-universal-crt/
18:05:48 <GeKo> i am not sure about a lot, but, yes, it's a noticable amount
18:06:01 <pospeselr> surrounding deployment of ucrt
18:06:24 <Jeremy_Rand_Talos> Even if it's categorized as Important, if MS doesn't label it as a security update, then some users may have legitimately chosen to exclude it while still installing sec updates
18:06:54 <pospeselr> we *could* statically link against libucrt.lib
18:07:45 <pospeselr> that way we'd only have 1 scenario to worry about, at the expense of presumably larger binary size than we have now (though presumably smaller than if we ship the dlls)
18:09:20 <sysrqb> okay, do we have a ticket for this?
18:09:22 <GeKo> hrm, hrm
18:09:37 <sysrqb> I found #23663, which is related, but not the same
18:09:48 <GeKo> no, not yet. i was wondering whether it would be ticket worthy
18:09:53 <GeKo> *tickeetworthy
18:09:58 <GeKo> *ticketworthy
18:10:17 <GeKo> i can file one later if we think that's smart and we want to do something here
18:10:22 <GeKo> i mean
18:10:37 <GeKo> we can just require ucrt and be done, it's our browser :)
18:11:05 <GeKo> okay, the other one
18:11:07 <sysrqb> i am leaning in that direction, but i don't know enough about why Mozilla bundle ucrt
18:11:15 <sysrqb> as to whether we should think harder about it
18:11:22 <sysrqb> but yes, cookies
18:11:28 <GeKo> so
18:11:33 <GeKo> all the options are still there
18:11:48 <GeKo> in the sense that users who want to mess with their settings can still do so
18:12:04 <GeKo> it's just that the general cookie settins are not messable via the ui for now
18:12:13 <GeKo> because that one was tied to tracking protection
18:12:19 <GeKo> which we did not want to show users
18:12:38 <GeKo> now should we say, that's okay?
18:12:58 <GeKo> should we point to our ETP work later next year which probably gives the UI back?
18:13:29 <GeKo> should we try to add a UI for just messing with global cookie defaults?
18:14:56 <sysrqb> is this the per-site cookie settings? i see the old general cookie settings in about:preferences
18:15:07 <GeKo> the pers.ite ones are still there
18:15:20 <GeKo> *per-site ones are still there, which is good
18:15:44 <GeKo> i don't see any old general cookie setings, though :)
18:16:04 <GeKo> like the ones where you can say "enable only third-party cookies"
18:16:13 <GeKo> or "disable all cookies"
18:16:29 <mcs> the UI that controls the network.cookie.cookieBehavior pref, I think
18:16:30 <sysrqb> I get "In permanent private browsing mode, cookies and site data will always be cleared when Tor Browser is closed."
18:16:44 <GeKo> yes
18:16:53 <sysrqb> ah, i see. that setting is gone
18:17:32 <sysrqb> hrm
18:17:44 <GeKo> mcs: yes
18:17:58 <GeKo> i am inclined to say, that's good as we have it now
18:17:59 <sysrqb> how difficult is separating the cookie settings from tracking protection?
18:18:06 <GeKo> dunno
18:18:12 <sysrqb> i guess acat ,you might know?
18:18:22 <sysrqb> or remember
18:18:33 <sysrqb> but it's totally okay if you don't
18:19:03 <antonela> isnt the tracking protection a cookie settings? :)
18:19:09 <acat> i don't think it would be very difficult wrt to UI
18:19:15 <sysrqb> i'm also inclined to not worry about this right now
18:19:20 <acat> and at the end it's just a pref
18:19:43 <GeKo> antonela: it kind of is, yes
18:20:07 <GeKo> but folks are used to click through the UI and change things there
18:20:12 <antonela> yes
18:20:19 <GeKo> i think it's easy to shoot themselves in the foot here
18:20:23 <acat> hmmm actually it might be not so easy wrt to UI as i expected :)
18:20:30 <GeKo> because you stick out by disabling all cookies
18:20:48 <GeKo> which i am not really sorry about our current solution
18:20:57 <GeKo> *which is why
18:21:08 <GeKo> but maybe we like to do something else here
18:21:11 <antonela> i understand
18:21:37 <GeKo> should i file a ticket for it?
18:21:47 <GeKo> or do we think it's okay as we have it for now?
18:21:48 <mcs> I think the cookie issue is similar to the network.proxy… one: advanced users can still use about:config
18:21:50 <sysrqb> okay, we shouldn't forget about this, but i think we can delay working on it until a later time
18:22:25 <sysrqb> mcs: that's kinda awful, but true
18:22:34 <GeKo> i hear "not a ticket" and "a ticket" :)
18:22:40 <antonela> GeKo, i see #30939 related with that
18:22:42 <mcs> +1 (we removed it for reasons; maybe we need to explain why we removed it?)
18:22:58 * Jeremy_Rand_Talos tends to think that footgun features being hidden behind about:config is a feature, not a bug
18:22:59 <GeKo> antonela: it kind of is
18:23:14 <mcs> +1 to deferring working on it until we think about this some more
18:23:42 <GeKo> okay. i'll file a ticket and add our reasonings
18:23:45 <GeKo> thanks all
18:23:52 <GeKo> i skip my other item
18:23:57 <sysrqb> okay
18:24:00 <sysrqb> thanks GeKo
18:24:39 <sysrqb> okay, i'll steal GeKo's last comment and combine it with my second discussion point
18:24:58 <sysrqb> we're planning a 9.0.1 and 9.5a2 release next week
18:25:10 <sysrqb> pospeselr: can you help with the build again?
18:25:25 <pospeselr> yeah sure :)
18:25:31 <sysrqb> thank you
18:25:58 <sysrqb> and hopefully we can get multiple bugs fixed in this release
18:26:21 <sysrqb> any questions or concerns about releasing an update next week?
18:26:41 <sysrqb> good, hearing none.
18:26:46 <GeKo> heh
18:26:55 <sysrqb> there's currently a lack of git admins
18:27:04 <sysrqb> meaning, the current git admins are already overloaded
18:27:27 <sysrqb> and we're thinking that every team should have (at least) one team member who is a git admin
18:27:36 <sysrqb> this should help releave and balance some of the load
18:27:42 <sysrqb> *relieve
18:27:51 <boklm> git admins are the people creating new git repos when someone opens a ticket asking for it?
18:27:52 <sysrqb> i believe none of us are git admin
18:28:00 <sysrqb> boklm: yes, correct
18:28:08 <antonela> boklm: among other things :)
18:28:15 <sysrqb> "Git admins (git{,web,-rw}.torproject.org)"
18:28:21 <sysrqb> those things
18:28:30 <sysrqb> would anyone like to volunteer for this?
18:28:40 * boklm could help with that
18:28:46 <sysrqb> it is not very time consuming
18:28:55 <sysrqb> great, thanks boklm!
18:29:10 <sysrqb> if anyone else would like to volunteer, you can help too
18:29:23 <sysrqb> just let me or GeKo or pili know
18:29:53 <sysrqb> okay, thirds point (which is really the second point)
18:30:15 <sysrqb> we had a post-mortem after we released Tor Browser 8.0 last year
18:30:50 <sysrqb> reflecting on what went well and what went wrong with Tor Browser 9.0 seems like a good and healthy thing to do
18:31:09 <sysrqb> we can talk about this next week, given the current time
18:31:37 <sysrqb> I think i'll send a mail about this, so we can get the conversation started
18:31:49 <sysrqb> but we shoudl decide how we want to have this discussion
18:32:01 <sysrqb> last year, we had it in Mexico, in person
18:32:12 <sysrqb> the next meeting is not for a few more months, it seems
18:32:28 <sysrqb> so we can think about another IRC meeting, or a voice/video chat, or something else
18:32:35 <antonela> i like it :)
18:32:42 <sysrqb> okay, Pili
18:32:53 <sysrqb> i'll let you prioritize your two points :)
18:33:00 <pili> hi
18:33:01 <pili> I'll try to be quick :)
18:33:04 <pili> the first thing is about S27
18:33:15 <pili> we'll have a separate meeting about it this week anyway
18:33:35 <pili> but I lost track of whether we managed to pick this up again after the TB9.0 release
18:33:53 <pili> and whether there will be anything to discuss from the browser side for the october report
18:34:08 <pili> I realise there was not much time after TB9.0 to get started on this
18:34:24 <pili> and brade and mcs have been working on the YE campaign also
18:34:29 <GeKo> i think last week
18:34:41 <GeKo> we thought that acat could help with the onion location part
18:34:57 <pili> that sounds familiar
18:34:58 <pili> ok, I'll copy acat in to S27 meetings
18:35:07 <GeKo> so we have more than one browser part getting worked on at a time
18:35:08 <pili> s/meetings/emails
18:35:15 <pili> yup, perfect
18:35:17 <GeKo> given that next year will be exciting
18:35:20 <acat> i was not sure whether i should start with #21952 this week already
18:35:32 <GeKo> acat: i think next week is cool
18:35:35 <mcs> I don’t think we have much to report for October from the browser side but November looks promising :)
18:35:40 <pili> ok, good! :)
18:35:44 <GeKo> wrapping up things for 9.0.1
18:35:53 <mcs> And acat has been doing the YE campaign work
18:35:56 <pili> ah, ok
18:36:05 <pili> that brings me nicely to my second point then... ;)
18:36:30 <pili> specifically about the different donate links for the different languages, as outlined in the ticket (let me find it)
18:36:57 <pili> while I look for it... acat do you know what I'm talking about and is that something that is possible to do?
18:38:11 <antonela> #30783
18:38:16 <pili> thanks
18:38:57 <pili> actually, I can see looking at the ticket that you're working on the localised links already
18:38:58 <pili> so good... ;)
18:38:59 <acat> so the donate links are already "localized": https://trac.torproject.org/projects/tor/ticket/30783#comment:17
18:39:04 <acat> ye
18:39:05 <acat> s
18:39:14 <pili> thanks :)
18:39:17 <pili> I think that's all I had
18:39:30 <pili> other than checking we're on track for release next monday
18:39:51 <sysrqb> great
18:39:53 <sysrqb> thanks pili
18:40:06 <sysrqb> okay, i think that'll be the end of the meeting
18:40:11 <sysrqb> sorry it ran a little over time
18:40:22 <sysrqb> have a good week everyone
18:40:31 <sysrqb> #endmeeting