17:59:23 <sysrqb> #startmeeting Tor Browser Team Meeting 23 March 2020
17:59:23 <MeetBot> Meeting started Mon Mar 23 17:59:23 2020 UTC.  The chair is sysrqb. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:59:23 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
17:59:25 <brade> o/
17:59:29 <acat> o/
17:59:38 <Jeremy_Rand_Talos> hi!
17:59:39 <pili> hi
17:59:46 <boklm> hi
17:59:47 * antonela fills the tea cup
17:59:48 <sysrqb> whoops. I wanted to delete most of that line.
17:59:53 <sysrqb> hello, hello
18:00:22 <sisbell> hi
18:00:32 <pospeselr> o/
18:01:42 <mcs> hi
18:06:03 <sysrqb> okay, let's see
18:06:05 <sysrqb> what we have
18:07:40 <sysrqb> i don't see any bolded items
18:07:55 <sysrqb> so i guess we'll jump directly into Discussions
18:08:29 <sysrqb> related to the first item
18:08:48 <sysrqb> we now have partial funding for migrating onto firefox rapid release
18:08:53 <sysrqb> which is a relief
18:09:02 <sysrqb> that is now sponsor 58
18:09:34 <sysrqb> and, with that, please tag any Fenix related tickets with sponsor58
18:09:58 <sysrqb> and any tickets related to migrating our core patches to rapid release as sponsor58
18:10:08 <sysrqb> we don't have any funding for the desktop-specific work
18:10:52 <sysrqb> so anything related to desktop UI, or automatic updater, etc. are not covered by s58
18:11:50 <sysrqb> i don't think we have any tickets like this, yet. but we may create them as this project progresses
18:12:03 <sysrqb> make sense?
18:12:31 <pospeselr> 👍
18:12:48 <pili> we could tag them as sponsor58-can
18:13:07 <sysrqb> i think pili is outlining everything covered by s58 on the Sponsor58 wiki page
18:13:16 <pili> because it would still be nice to track what the full scope of the project would have been
18:13:17 <pili> but that's optional ;)
18:13:18 <pili> yup
18:13:18 <sysrqb> so that should help when deciding if something is covered or not
18:13:30 <sysrqb> and, if you are in doubt, ask :)
18:13:57 <sysrqb> yeah, tagging it as -can is a good idea
18:14:13 <sysrqb> there is still a chance we may get funding from a different funder for the desktop-specific work
18:14:29 <sysrqb> but i'm not expecting that will happen, at this point
18:14:56 <sysrqb> (we don't have one in the pipeline right now, so it seems unlikely)
18:15:44 <sysrqb> okay, item 2 is about pili's email regarding scheduling a retrospective
18:15:55 <sysrqb> if you got the email, and you didn't fill out the doodle, please do that
18:16:09 <pili> I think we had planned it for the end of this month/beginning of next
18:16:09 <sysrqb> item 3. pili, you're up :)
18:16:14 <pili> yup
18:16:19 <sysrqb> yes, that was the original plan
18:16:21 <pili> we are having a docshackathon this week
18:16:24 <sysrqb> (thanks)
18:16:32 <pili> run by the community team
18:17:17 <pili> and it occurred to me that some of you may know of documentation that is missing from the Tor Browser manual
18:17:18 <pili> if so, please let me know and I'll create a ticket and tag it "docshackathon"
18:17:19 <pili> or feel free to do it yourselves :)
18:17:38 <sysrqb> neat
18:18:05 <sysrqb> does this docshackathon only cover the tor browser manual?
18:18:18 <sysrqb> or can we include other missing/out-dated docs?
18:18:34 <sysrqb> maybe on support.tpo or another site?
18:19:01 <ggus> sysrqb: hey, we're covering all the websites that we have user documentation
18:19:04 <sysrqb> i don't have any specific in mind right now
18:19:09 <sysrqb> ggus: hey :)
18:19:13 <ggus> support.tpo, community.tpo, tb-manual.tpo :)
18:19:15 <sysrqb> ggus: okay, great
18:19:20 <sysrqb> thanks!
18:20:05 <sysrqb> any questions about this?
18:21:00 * sysrqb assumes not
18:21:15 <sysrqb> i added one final item about release management
18:21:26 <ggus> in tbb, Help > About Tor Browser we have some links that i'd like to change. should i open tickets for this in trac?
18:21:38 <sysrqb> ggus: yes please!
18:21:46 <ggus> eg, the link to relay is pointing to 2019.www...
18:21:48 <ggus> ok!
18:22:06 <sysrqb> yep
18:22:25 <Jeremy_Rand_Talos> pili, is it desired to have me at the retrospective?  (I don't see any emails about it, but the mail server I use is having trouble lately, so not sure if that's because I'm not expected to attend or if an email got dropped...)
18:22:50 <Jeremy_Rand_Talos> (I won't be annoyed if I'm not supposed to attend, just wasn't sure)
18:23:16 <pili> hey Jeremy_Rand_Talos I was thinking it would be just the Tor Browser team for this one :)
18:23:27 <Jeremy_Rand_Talos> pili, ok, sounds good.  :)
18:23:29 <pili> I only sent it to employees
18:23:30 <sysrqb> Jeremy_Rand_Talos: i think we'll limit this to people working on Tor Project sponsored work for now
18:23:32 <mcs> ggus: you could add some more to #33671 if the fixes are simple
18:23:46 <pili> yup, sysrqb put it much better than me :D
18:23:58 <Jeremy_Rand_Talos> Thanks sysrqb
18:24:10 <mcs> ggus: never mind; you said About Tor Browser not about:tor
18:24:33 <mcs> so new ticket probably
18:25:12 <sysrqb> Release Management: i'd like to review our release process a few times each year, maybe quarterly
18:25:27 <sysrqb> primarily to make sure everyone is happy with their roles
18:25:57 <sysrqb> and rotate if that is good for team health
18:26:16 <sysrqb> this isn't a discussion we need to have right now
18:26:57 <sysrqb> but i think we can distribute the load better/differently
18:27:30 <mcs> sounds like a good discussion to have. and improving the process to reduce pain is an ongoing effort I suppose
18:27:39 <boklm> yes
18:28:18 <sysrqb> let's take a few minutes now and discuss it
18:28:37 <sysrqb> i don't want to assume this meeting will always take 1 hour
18:28:51 <sysrqb> but we have "some time"
18:29:11 <sysrqb> currently boklm  and pospeselr are building the releases
18:29:40 <sysrqb> I am doing most of the signing, and boklm is running the gpg signing piece
18:30:08 <sisbell> I can help out if ppl are overloaded
18:30:11 <sysrqb> then i'm uploading the packages to the webservers, and boklm or I write the blog post
18:30:32 <boklm> in the past, we did separate the signing and publish steps more (usually GeKo was doing the signing, and I was doing the publishing)
18:30:34 <sysrqb> the signing pieces and webserver prices are restricted to boklm or myself
18:31:09 <sysrqb> s/prices/pieces/
18:31:11 <pospeselr> building is not terribly distracting for me
18:31:28 <pili> what is the effort involved in building releases for people? :)
18:31:46 <sysrqb> oh, and boklm or i tag the various git repos
18:31:49 <pili> if we're talking in terms of points? (1 point = 1 day = 8hrs)
18:32:06 <pospeselr> though historically there's been blocks of time needed for attention when build tooling changes (looking at you runc)
18:32:09 <pili> because we should build this into our capacity planning
18:32:36 <pili> and to me it feels like it can be quite labour intensive when we're trying to get a release out
18:32:45 <pospeselr> pili: building and signing when everything works is a fraction of a point for me
18:33:14 <sysrqb> over an entire release, it takes roughly 1 pt for me, right now
18:33:17 <pili> pospeselr: right, I wonder about the cost of context switching and checking if/when the build/signing process has worked?
18:33:19 <pospeselr> so if there's more there I can do I have some points available
18:33:24 <sysrqb> but we can reduce that
18:33:28 <pili> but I don't know the exact process everyone follows :)
18:33:47 * acat can also help if needed (e.g. building or something else)
18:33:47 <sysrqb> let's start at the beginning
18:34:27 <sysrqb> i'm fine with keeping the preparations and git tagging/signing taks
18:34:31 <sysrqb> tasks
18:35:05 <sysrqb> boklm: pospeselr: do you want to keep the building or would either of you like to hand that off to someone else?
18:35:15 <boklm> I can continue building
18:35:47 <pospeselr> I can keep building
18:36:28 <sysrqb> okay. thanks
18:37:14 <sysrqb> boklm: would you prefer taking the publishing tasks again?
18:37:35 <sysrqb> i wanted to do them, for a few releases, so i understood what they involved
18:38:02 <sysrqb> someone else can create the blog posts, too
18:38:46 <antonela> i can help with the blogpost, but boklm has been doing an awesome job
18:39:08 <boklm> yes, I could do the publishing task again, and you can also do it some of the time if you want
18:40:29 <sysrqb> do you want to create the blogpost, as well?
18:40:42 <sysrqb> someone else on the team can help with that, too
18:40:49 <boklm> antonela can help with the blog post
18:41:19 <antonela> yep i can :)
18:41:34 <sysrqb> great
18:42:01 <pospeselr> i'd be willing to help as well if you need more eyes :)
18:42:29 * antonela noted pospeselr as a reviewer :)
18:42:45 <boklm> maybe we can check for each release who will do each task?
18:42:45 <sysrqb> i think anyone can help, as long as you have a blog account
18:43:10 <sysrqb> boklm: yes, i'll add a note about that
18:43:30 <sysrqb> we can discuss during the weekly meeting before we start building
18:43:45 <mcs> do we have a single point of failure for any task? signing?
18:44:06 <sysrqb> yes, currently for signing, i am the only person who can sign macOS packages
18:44:10 <mcs> (contingency planning is on my mind lately)
18:44:18 <mcs> OK. don’t get sick please :)
18:44:25 <pospeselr> what's the limiting factor for macOS packages?
18:44:34 <sysrqb> i'm mostly a spof for android signing, although GeKo technically has that ability, too
18:44:42 <sysrqb> pospeselr: sigh. :)
18:44:50 <sysrqb> so.
18:45:26 <sysrqb> beginning last year, macOS packages must be signed+timestamped+notarized+stapled
18:45:43 <sysrqb> previously, packages were only signed, and this could be accomplished offline
18:45:48 <sysrqb> without need for an internet conection
18:45:53 <sysrqb> *connection
18:46:20 <sysrqb> now signing+timestamping are coupled and the computer must have an internet connection when signing takes place
18:46:52 <sysrqb> our signing infrastructure is offline, so the mac computer we previously used for macOS signing does not currently work
18:47:20 <sysrqb> i have a macOS computer which i am currently using for signing
18:47:39 <sysrqb> this was a stop-gap measure GeKo used, and he handed it off to me :)
18:48:15 <sysrqb> on this topic, I've made progress in getting our "offline" signing machine working for our needs
18:48:57 <sysrqb> and, maybe, within the next week or two we can use that for signing, instead of the computer I have
18:49:05 <GeKo> what is missing still?
18:49:14 <sysrqb> when that happens, boklm and GeKo would both have access to it for remote signing
18:49:43 <sysrqb> GeKo: i believe the last piece is fully unlocking the keychain
18:50:18 <sysrqb> the gui prompt for the keychain passphrase when you run codesign is different than `security unlock-keychain`
18:50:45 <GeKo> that's true
18:51:02 <GeKo> so you need the right incantation for unlocking it?
18:51:07 <sysrqb> yes
18:51:08 <sysrqb> or
18:51:28 <GeKo> i think it will be in the history of the macos machine
18:51:36 <GeKo> if you look long enough back
18:51:43 <sysrqb> if we temporarily enable vnc on the computer and sign the packages over vnc and using the gui prompt
18:51:51 <GeKo> nah
18:52:10 <sysrqb> i didn't think you would like that option
18:52:16 <GeKo> :)
18:52:19 <sysrqb> i looked in the history
18:52:24 <sysrqb> but maybe there is another command i missed
18:52:32 <sysrqb> i'll look and ask you if i don't see it
18:52:40 <GeKo> okay, yeah
18:52:53 <GeKo> ping me and we can figure this out
18:52:57 <sysrqb> cool
18:53:03 <GeKo> i think i have notes about the commands somewhere, too
18:53:06 <mcs> I don’t know the details of what you need to fix, but this might be relevant: https://stackoverflow.com/questions/39868578/
18:53:07 <sysrqb> i think this is the last blocker
18:53:51 <mcs> (that stack overflow Q+A is about importing keys but maybe the problem we need to solve is similar)
18:54:06 <sysrqb> mcs: thanks i'll read through it
18:54:57 <sysrqb> i found a different stackoverflow which sounded related, too
18:55:01 <sysrqb> https://stackoverflow.com/questions/20205162/user-interaction-is-not-allowed-trying-to-sign-an-osx-app-using-codesign
18:55:12 <sysrqb> hrm. no
18:55:17 <sysrqb> https://stackoverflow.com/a/52115968
18:55:18 <sysrqb> yes
18:55:33 <sysrqb> but i didn't get it working after following that, either
18:56:05 <sysrqb> but I'll look at this with GeKo
18:56:12 <mcs> Apple has a way of making things difficult. Anyway, it sounds like you are working on these spof areas already.
18:56:20 <sysrqb> and i'll update the ticket when we know more
18:56:56 <sysrqb> #32173
18:57:15 <sysrqb> yeah, we're slowly trying to reduce/eliminate single points of failure
18:57:49 <sysrqb> oh, Google Play access and uploading new apks is another one
18:58:02 <sysrqb> i need to give someone else access to that, too
18:58:25 <sysrqb> okay, i think that covers this topic
18:58:27 <sisbell> If there are any android related tasks related to release, I can help out.
18:58:33 <sisbell> just ping me
18:58:48 <sysrqb> sisbell: thanks
18:59:15 <sysrqb> i'll close this meeting on that note
18:59:18 <sysrqb> thanks everyone
18:59:24 <sysrqb> #endmeeting