[tor-project] Tor Browser Team Meeting Notes, 02 March 2020
Matthew Finkel
sysrqb at torproject.org
Mon Mar 9 20:50:44 UTC 2020
Hi everyone,
We held our weekly meeting on 2 March. The meeting logs are available
at:
http://meetbot.debian.net/tor-meeting2/2020/tor-meeting2.2020-03-02-18.29.log.txt
During this meeting we briefly discussed #13410 and how Alec Muffett's
S.O.O.C. proposal [SOOC] overlaps with the goal of this ticket. We
didn't make any decisions about this topic, however.
[SOOC] https://github.com/alecmuffett/onion-dv-certificate-proposal/blob/master/text/draft-muffett-same-origin-onion-certificates.txt
Team progress and discussion notes
==================================
Discussion:
GeKo:
Last week:
-I worked mainly on RLBox backports
* I have the Linux version up for review (see: #32380 and #32389)
* I got the macOS version ready for review, too (see: #33481, #33487, #33410)
This week:
-finally getting back to design doc update
-maybe working on RLBox reproducibility (#33488) tjr: I recall glandium and/or you had ideas for https://bugzilla.mozilla.org/show_bug.cgi?id=1612035, no? Now would be a good time to add those. :)
mcs and brade:
Last week:
- Reviewed #32645 patch (Update URL bar onion indicators).
- Worked on onion service error strings (#33035).
- Investigated and closed #31984 (partial update: unable to remove directory: tobedeleted).
- Worked on small issues for #19251 (onion services error page).
- Reviewed February Sponsor 27 report.
- Worked on peer feedback for TPI Feedback Cycle 2020-1.
This week/upcoming:
- Review latest #32645 patch (Update URL bar onion indicators).
- Finish and post patches for #19251 (onion services error page).
- Revisit #32418 (Torbrowser tells on every start, that it can't update).
- Finish and submit self, peer, and team lead feedback.
- Start to review #28005 (Officially support onions in HTTPS-Everywhere).
pospeselr:
Last week:
- patch out for #13410
- put out for code review on Mozilla
- consensus among folks who know things about certs (dkeeler, alecmuffet, arma) is seems to be that what we're trying to do here is a bad idea and needs to be more restrictive
- dkeeler pointed me to alecmuffet's SOOC cert spec ( https://github.com/alecmuffett/onion-dv-certificate-proposal/blob/master/text/draft-muffett-same-origin-onion-certificates.txt ) as well a short summary of the discussions alec has apparently already had with the Mozilla folks
- alecmuffet pointed me to a doc containing the discussions about the spec as well as how to properly implement in firefox
- tldr; removing the chain-of-trust check for onions is not sufficient, but I have a high level understanding of the 'right' way to do this:
- implement sections 1.1 through 1.6 of the SOOC spec in a new 'TrustDomain' in Firefox that is used for onions
- final update for #32645 fixing some icon scaling issues
This week:
- peer feedback
- release notes review
- #13410 updates?
so to implement 1.1 through 1.6 the suggested mozilla way should mostly just be engineering/programming work with very little investigation, but it's still a sizable chunk of time (I'd estimate ~1-2 weeks?)
[discuss] do we want to go through the effort of redoing this for S27, or should we just take what we have now, stick it behind a only-enabled-in-alpha pref and come back to this when we have less time pressure?
- braindump on ticket, maybe start prototyping this
boklm:
Last week:
- Some reviews: #32437, #32436, #33216, #32992, #32991, #28766, #28765, #33215
- Helped with gpg signing new alpha
- Looked at #32650 (Check translations for bogus characters)
- Started looking at testsuite setup
- Looked at blog comments
This week:
- Waiting for someone to review/merge #33402 and #33403 to check if nightly updates are working
- Work on testsuite setup
- More reviews
- Submit feedback
sysrqb:
Last week:
Progress on getting macOS signing/notarization on the hosted signing machine
Investigated CSS font-embedding on Safest security level
Spent some time on the OTF grant
Responded to Jeremy
Looked at some possible paths for TLS cert warnings
This week:
Releasing 9.5a6
Code reviews
Create a rough roadmap for the next one-two months (with Pili)
Review S27 summary
...
sisbell:
Last Week:
- Android for Tor - a number of updates, testing. Following merged: #33216, #33215, #32992, #32991. Left with getting OpenSSL, Libevent and Tor project changes approved and merged.
- #32476: JNI got build working in tbb
- Fenix investigations around dependencies and latest gradle
This Week:
- Respond and fixes based on reviews to #28764, #28765, #28766 (Tor)
- #28765: LibEvent: make small change to handle all platforms
- Upgrade tor binaries to 4.x in tor-android-services
- #32476 - integrate and test with TOPL, open branch for review
acat:
Last week:
- Rebase Tor Browser patches onto mozilla-central.
This week:
- Fix/polish a few remaining things of the mozilla-central patches rebase and create ticket for review.
- Write feedback.
- Revise #21952 (Onion-Location) to support meta tags.
- Investigate #33342 (Disconnect search addon causes error at startup)
pili:
Last week:
- S27 February report
- S27 release planning
- GSoC wrangling
This week:
- Browser team February report
- Start of month housekeeping
- More GSoC wrangling
- Work on developer portal
- Tor Browser Release meeting this week
Jeremy Rand:
Last week:
- Posted on tor-talk asking for feedback on Namecoin integration in Nightly.
- Looks like that thread attracted the attention of a journalist: https://linuxreviews.org/The_Nightly_Tor_Browser_Build_Has_Support_For_Namecoin_Domain_Names
- More progress on the linux-arm port of Tor Browser... figured out why the Firefox build was failing with assembler errors; managed to get a working Tor Browser binary built in rbm.
This week:
- Await feedback on tor-talk thread.
- Maybe more linux-arm port stuff.
- File ticket about Namecoin TLS support.
==================================
Thanks,
Matt
More information about the tor-project
mailing list