[tor-project] Notes from the Tor Browser meeting, Oct 22 2018

Georg Koppen gk at torproject.org
Tue Oct 23 06:15:00 UTC 2018 

Hi!

We had another weekly Tor Browser meeting yesterday. For those
interested in the chat backlog, see:

http://meetbot.debian.net/tor-meeting/2018/tor-meeting.2018-10-22-18.00.log.txt

The items from our pad are:

Discussion:
    - [tjr] TBB 8 Retrospective. Proposed Times:
         - Tuesday: 3 PM UTC
         - Thu/Fri 2:30 PM UTC
         - Either this week or next; same times. (GeKo: Next week Tue 3
PM UTC sounds good)
         - Ideally would like to get georg, boklm, arthur and anyone
else interested


tjr
 - Regrets for missing last weeks meeting and saying nothing
 - Tickets I think we can close:
     https://trac.torproject.org/projects/tor/ticket/13410 (Disable
self-signed certificate warnings when visiting .onion sites) [GeKo: I
don't think we tackled that issue]
     https://trac.torproject.org/projects/tor/ticket/22162 We did this,
right? (Review speculative connections)  [GeKo: I don't think we got to
that yet]
 - I want to start filing sandbox tickets.
   - Specifically: If an attacker's goal is to identify a user outside
Tor, by stealing a persistent identifier and causing a proxy bypass, and
they can accomplish these goals inside the Content Process, I see no
reason to spend efforts on sandboxing the parent first.  (Excepting
promoting architectural decisions that will make it easier to do the
Parent later.)
   - So I want to file tickets about issues we need to fix in the
content process to block the attacker.
   - First examples: PTCPSocket and PUDPSocket IPC methods look  like
they would allow this; although I haven't tested
 - Maybe landing fuzzyfox this week?
 - mingw-clang
   - Landed pdb support, and it works! symbolized stack traces, yay!
   - Got --enable-sandbox to compile with help from Martin
   - Working on why build doesn't run:
https://bugzilla.mozilla.org/show_bug.cgi?id=1497895
   - Also doing various build cleanup stuff:
https://bugzilla.mozilla.org/show_bug.cgi?id=1500802 and children;
https://bugzilla.mozilla.org/show_bug.cgi?id=1500102


mcs and brade:
  Last week
    - Finished #26263 (browser app icon positioned incorrectly in macOS
DMG installer window).
       - With the same patch, we also fixed #25151 (Update Tor Browser
branding on installation).
    - Helped with #28039 (Tor Browser log is not shown anymore in
terminal since Tor Browser 8.5a2).
    - Reviewed the team roadmap, especially our tasks.
  Upcoming:
    - We will be on vacation Tuesday, October 23 - Wednesday, October 31.


sysrqb:
    Last week:
        Reviewed #26690 (Padlock icon for TBA)
        Reviewed #27111 (about:tor for TBA)
        Began creating a patch for #24920 (TBA should only  have Private
Tabs)
        Continued Rust audit (#27616)
        Investigated #27431/#28125 (TBA DNS leak)
        S19 text
    This week:
        Create branch for patching #28125 (TBA DNS leak)
        Finish rust audit - #27616
        At funder's meeting this week


pili:

    Last week:

    Sponsor19 report brainstorming

    Tor Browser Release meeting

    This week:

    Looking to label tickets with Sponsors

    Evaluating best ways to track roadmap items, spreadsheet, other...

    Orfox issues - are we tracking all the relevant issues sent over by
Fabiola from Guardian Project? How are they identified?

    [sysrqb: No, and unfortunately we're mostly ignoring Orfox
currently. We should follow up on those issues and decide on a plan for
Orfox]


GeKo:
    Last week:
        -release prep
        -reviews
        -worked on #26475, Tor Browser design doc update (#25021),
#28039, and #28075
        -meetings and syncs
        -ticket triage (there is no Applications/Torbutton anymore,
please use Applications/Tor Browser + keyword `tbb-torbutton, similar
things will happen this week with Applications/Tor bundles/installation:
it will DIE; please use Applications/Tor Browser + keyword `tbb-rbm` if
really needed)
    This week:
        -release help
        -more work Tor Browser design doc update
        -die, Applications/Tor bundles/installation, die (#20648)
        -looking into singe-locale language repacks (#27466)
        -mail to Apple about their experiences with redirect isolation


sisbell:
  Last week:
    - # 27441 Debian image to use stretch (ready to merge)
    - # 26696 Platform def in rbm,conf (ready to merge)
    - # 26976 hardening wrapper - closed (don’t need to fix)
    - # 26975 Mobile branding (fixed/closed)
    - # 26697 Android toolchain - removed gradle dependencies (now in
Firefox project)
    - # 27443 Firefox for Android - applied boklm patch for a script to
download and package artifacts
  This Week:
    - Investigate if patches (or parts of patches) needed with latest setup
    - Investigate if sdk 23 still needed with latest Firefox code

        [sysrqb: we should be targeting 26, so I don't think we need 23
for anything(?)]


arthuredelstein:

    Last week:

    Patches for:

     #26498 (Fix bn-BD and es-AR locale for Tor Browser)

     #28082 (Add 4 more Tor Browser locales)

     #28111 (For about:tor, use a Tor Browser icon in identity box)

     #22343 (Save as... in the context menu results in using the
catch-all circuit)

     #28093 (2018 Tor Browser Android donation banner)

    Worked on:

    https://bugzilla.mozilla.org/show_bug.cgi?id=1330467 (When
"privacy.firstparty.isolate" is true, double-key permissions to origin +
firstPartyDomain)

    S19 text

    This week:

    Keep trying to finish permissions FPI

    Help to look at redirect FPI approaches

    Help with TBA donation banner? (#28093) (GeKo: igt0 put this on his
plate and is coordinating with antonela in case there are assets that
need to get adapted)


boklm:
    Last week:
        - helped with building the new releases
        - reviewed and tested patches for:
            - #21704 (Abort install if CPU is missing SSE2 support)
            - #26475 (ESR60-based Tor Browser bundles are not built
reproducibly with Stylo enabled using rustc > 1.25.0)
        - reviewed patches for #26693 (Integrate Tor Browser for Android
into tor-browser-build)
        - made patch for #27438 (Android Gradle Build Downloads)
        - started looking at #28117 (Some URLs can't be downloaded with
LC_ALL=C)
        - worked on tor browser testsuite setup (#26149)
    This week:
        - help publish the new releases
        - enable running testsuite on nightly builds (#26149)
        - check if more updates are needed for #25030


pospeselr:
    Last week:
        - #3600 work (redirect cookies)

            - began work on design doc (turns out this is a really hard
problem)

      - fixed a few bugs in tbblogger

    This week:
        - #finish design doc edits and post on storm
        - #3600


igt0:
   Last week:
      - #25013 (Sent a patch and tested on android and desktop with
different locales)
      -  Reviewed and tested #28104
   This week:
      - More work on #25013
     - Update #26690 (padlock icon for tba)
     - Update #27111 (about:tor button for tba)


Georg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-project/attachments/20181023/02d93677/attachment.sig>

More information about the tor-project mailing list