[tor-project] Tor Browser team meeting notes, 12 Nov 2018

Georg Koppen gk at torproject.org
Tue Nov 13 11:18:00 UTC 2018


Hi!

Below are our weekly Tor Browser team meeting notes. The chat log can be
found at

http://meetbot.debian.net/tor-meeting/2018/tor-meeting.2018-11-12-18.58.log.txt

and our pad entries are/were:

Discussion:
    - Tor Browser in the Snap Store? (see Iain's mail) [GeKo will reply
to it on Tue or Wed]
    - upcoming 1:1s
    - Team responsibilities restructuring
      - things to take over from Arthur:
        - annual rebase
        - maintaining circuit display UI
        - optimistic SOCKS (if I don't finish it)
        - adding locales
        - Mozilla uplift coordination
      - things Arthur will continue to maintain:
        - torpat.ch
        - arthuredelstein.net/exits
        - permissions FPI uplift (with Mozilla)
        - IRC presence


GeKo:
    Last week:
        -Jacek worked on the Windows accessibility issue, patches are up
for review/merged, see:
https://bugzilla.mozilla.org/show_bug.cgi?id=1430149 and we probably can
soon be testing them in our nightly builds
        -reviews (#25013, #28260, #27443, #26540, #22343)
        -worked on #27443 and #26483 (alas no time for the design doc
update #25021)
        -helped with proposals
        -helped with the anti censorship position interviews
        -security controls redesign
    This Week:
        -More work to get TBA-a2 into shape (reviews, help with #27443,
#26483 and other related bugs)
        -another round of looking into doc for #3600
        -look again over the cubeb - audio files disk leak  and reply to
Mozilla dev mail
        -write mail regarding Tor Browser snap
        -hopefully getting back to updating the Tor Browser design doc
(#25012)


mcs and brade:
  Note: We will be away from work Tuesday, November 20 - Friday,
November 23.
  Last week:
    - Finished #22074 (Review Firefox Developer Docs and Undocumented
bugs since FF52esr).
    - Reviewed #28039 (Tor Browser log is not shown anymore in terminal
since Tor Browser 8.5a2).
    - Reviewed #22343 (Save as... in the context menu results in using
the catch-all circuit).
  This week:
    - #27239 (TB team feedback on jump-to-80% work)
    - #28196 (about:preferences#general is not properly translated anymore)


tjr:
  *  MinGW
      - Landed sandbox support on -central. x86/x64 builds on -central
should be consistently runnable.
      - Working on getting mingw-clang tests running on -central
https://bugzilla.mozilla.org/show_bug.cgi?id=1475994
      - Uplifted a bunch of mingw-clang patches to esr60. Intend to
figure out what else besides this we need to uplift and get it done.
      - Have a esr60 build of mingw-clang successfully building. Haven't
tested if it runs yet.
      - Intend to harass people about uplifting nss patches to esr60,
which would unblock uplifting the build jobs
      - Nothing is stopping us at this point to start bringing the
mingw-clang toolchain into rbm; I'm just intimidated to start trying to
do it.
      - Keeping an eye on the accessibility stuff!
https://bugzilla.mozilla.org/show_bug.cgi?id=1430149
  *  Fuzzyfox
      - It's in Nightly. It would probably be easy enough to backport to
esr60.
      - We had someone test it manually a bunch, and they found only one
minor issue. https://bugzilla.mozilla.org/show_bug.cgi?id=1506295
      - That said, I am less certain it is worry-free. I wanted to do
some performance debugging locally.
      - We also don't know what level of security assurance it gives us
at different levels, and how it compares with Tor's 100ms choice right now.
  *  Emailed kinetik about cubeb audio files
(https://trac.torproject.org/projects/tor/ticket/28373)
      - Got a response that there are temp files. I didn't fully
understand his other replies.
      - Does anyone at Tor have the bandwidth to drive this
conversation, or should I try to? [GeKo: I will get back to that one
this week]
  *  TB 8 Retrospective Followup - please help me
      - Tor disables the web extensions process on <platforms>. The
tickets/reasons for this are <?>
        - [GeKo: In ESR60 this is only available on Windows (IIRC the
feature landed for macOS and Linux in Firefox >= 61; The reason for this
is that this breaks Torbutton/NoScript communication needed for our
security slider, see: https://trac.torproject.org/projects/tor/ticket/27411]
        - [tjr] Okay, so it seems like the path forward for this is just
integration them into the browser? Is relying on that for the next ESR a
safe approach, or should I investigate these prefs and ensure they keep
working in the next ESR just in case we need them?
      - I'm going to talk to #build folks about the rust stuff,
continuing the conversation in
https://bugzilla.mozilla.org/show_bug.cgi?id=1376621 and trying to build
consensus among them on a path forward. I intend to propose this issue
to the Tor Uplift Team (Ethan) as a 'must complete' by the next ESR.
      - I think it'd be good to get feedback from Mozilla on the
strategy to import torbutton/torlauncher into the browser codebase. I am
in a holding pattern for that waiting for tor browser proposals to be
written.
      - I need to think about how to better communicate open mozilla
bugs as we approach next ESR
      - I have been writing a WinDbg guide for trac for debugging
mingw-clang builds with WinDbg
  *  Other: I am considering writing a tbb-dev proposal to increase the
max content processes from 4 to 999. This would increase memory
consumption, especially for users with a lot of tabs. It would provide
some small level of tab isolation at the process level, but only for new
tabs opened, not tabs reused. The security gain contains a lot of "Well
if the user does this, things are kinda better, but if they do this
they're no better." So not sure if it's useful, the main draw is that
it's a 4 character patch, so easy to do, just difficult to decide one.


igt0:
    Last week:
        - First set of patches to #25013 (torbutton within torbrowser)
        - Rebased #27111 (about:tor on mobile)
    This week:
        - Finish #25013(add the necessary bits of code in tor browser)
        - Add banner on tor browser(#28093)
        - More TBA alpha2 stuff


pospeselr:

    Last week:

    - Final patch for #26540 (pdfjs circuit isolation)

    - #3600 work ( doc could use some eyes:
https://storm.torproject.org/shared/Kw99Ow0ExZFFC6FKD5CeryfVFAoAL9Z_iEVlflI0fiL
): [GeKo: I'll give it another look this week]

    - Some more work on the brainstorming/design doc, circling in on a
'mix and match' solution here

    - Still some open questions here regarding user experience related
to OAuth and cookie keying:

    - If you use an OAuth provider (say oauth.com) via foo.com, should
the session cookie related to oauth.com be valid for other sites using
that provider, or should that cookie be double-keyed to
foo.com|oauth.com? My intuition is that oauth.com should not be treated
as a first party in such a scenario.

    - Mozilla's Ehsan Akhgari has pointed me to some patches added in
Firefox 64 that appear to be necessary for this work (determining
whether domains have been interacted with by a user)

    - A bit of Athens travel planning

    This week:

    - Uplift #26540

    - filed bug https://bugzilla.mozilla.org/show_bug.cgi?id=1506693

    - Investigate per-sku app icons

    - Backporting user interaction patches from Firefox 64, adding
debugging hooks for the various redirect entry points needed regardless
of final solution here


sysrqb:
    Last week:
        TBA+Orbot - #28051
        A little S19 interview work
        rust audit
        TBA+tor-browser-build
    This week:
        Finish TBA+Orbot - #28051
        TBA localization
        Review #26690 - TBA onion-padlock
        Review #25013 - move Torbutton into tor-browser


boklm:
    Last week:
        - made two builds with `-Wl,-t` for #26148 (binutils update) and
started looking at logs
        - updated and tested patches for #27265 (In some cases, rbm will
download files in the wrong project directory) and #27045 (Add option
for firefox incremental builds)
        - made patch for #28260 (Use Rust 1.28.0 to build Tor), with
help from gk.
    This week:
        - look at the logs from `-Wl,-t` to try to understand the issue
from #26148
        - work on bringing back the testsuite


sisbell:
  Last week:
   - # 27443 Firefox for Android - add test dependencies for gradle,
testing various ndk versions, rust versions and API levels
   - # 28144 Update tor-browser for Android - Add extensions and
repackage and debug sign apk, verified apk runs on device
 This Week:
   -  # 28144 Add makefile for Android
   -  # 27443 Investigate rust deltas between 1.26/1.28 [GeKo will find
out the patch that fixes this for 1.28 and sisbell meanwhile tries to
get #27977 in shape]


pili:
    Last week:

    - DRL Proposal

    This week:

    - Carry on roadmapping...

    - OTF Engineering lab follow up

    - Tor Browser Release meeting this week! (just an announcement :) )
[19:00 UTC :) ]


arthuredelstein:
  Last week:
    - Refactored/simplified patch for https://bugzil.la/1330467 (FPI for
permissions); will post soon
    - Investigated https://trac.torproject.org/26498 (bn-BD not
displayed in title bars)
    - Revised https://trac.torproject.org/22343 (Save As... FPI)
    - Started working again on https://trac.torproject.org/25555
(Optimistic SOCKS)
    - Revised https://trac.torproject.org/28187 (Change Tor Circuit
display icon to an onion)
  This week/next week
    - Try to get something working for #25555
    - See if it's possible to fix #26498


antonela:
    Last week:
    - Security Settings
    - Tor Browser Icon survey ended -
https://trac.torproject.org/projects/tor/ticket/25702#comment:8 -  when
can we have it packed? [GeKo: not sure yet as we are not used to have
three different icons for our release channels; pospeselr will look into
the changes we'd this week]
    This week:
    - Moar Security Settings
    - Leading Orfox users to Tor Browser Android (27399)
    - Design TBA+Orbot configuration UI/UX (28329)


Georg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-project/attachments/20181113/19a76271/attachment-0001.sig>


More information about the tor-project mailing list