[tor-project] PieroV's Monthly Status Report, August 2024

Pier Angelo Vendrame pierov at torproject.org
Mon Sep 2 11:43:54 UTC 2024


Hi everyone!
Here is my status report for August 2024.

I spent this month almost only on tasks linked with the transition from 
Firefox ESR115 to ESR128.
At the beginning of the month, I reviewed Dan's Android rebase.
Then, after it landed, I checked for new reproducibility problems. I 
found only one with the license files [0]. The oss-license-plugin wasn't 
updated upstream this year, so it must be linked with other toolchain 
updates (including Java from 11 to 17 and Gradle).
The solution [1] was to build and use a patched plugin that uses 
`TreeSet` instead of a `HashSet`.
Sadly, the APK sizes grew a lot between 115 and 128. For this reason, we 
couldn't publish 14.0a2 and 14.0a3 on the Play Store for the x86 and 
x86-64 architectures [2].
During this month, Claire, cohosh from the AC team, and I spent some 
time investigating this. 14.0a4 should fit at least for Android x86-64. 
For Android x86, we might have to shave another 100-200kB if we 
understood how this threshold works.

Another issue I worked on was a leak of regional locale data with the 
`Intl` API. During the rebase, we had to start specifying `RFPTarget`s, 
and I chose the only one handled differently without realizing it.
This was a reminder of how important it is to upstream our patches 
whenever possible.
I started the process for this one two years ago [3], but then it didn't 
land because it would have applied also to the browser UI.
After finding a new fix that worked for us, I added a proposal to the 
upstream bug on a possible approach that might also work for Firefox.

Another bug worth mentioning was a problem with mixed content in Onion 
Services [4]. The fix eventually was easy [5], but it took me quite a 
while to understand what was going on because it involved debugging 
between parent and content processes.
Also, it was a great occasion to improve the Onion Sites I implemented 
for testing [6] and the documentation around them. While doing so, I 
accidentally learned that we accept self-signed certificates only if 
they specify subject alternative names. This new knowledge allowed me to 
quickly answer another issue [7] without further investigation.

Finally, Mozilla is releasing Firefox 115.15 tomorrow, which is expected 
to be the last update for the 115 series [8].
However, it's also the last version supporting Windows 7. While we agree 
that people shouldn't use unsupported operating systems, we know some of 
our users don't have another choice.
So, if eventually Mozilla decides to extend the support for Firefox 115, 
we might end up extending Tor Browser 13.5's life as well [9].
One of our updater changes is to check for the minimum requirements on 
the client side to avoid sending the OS version to our update servers.
So, this month, I also simulated providing several updates to Firefox: 
one compatible with Windows >= 7 and one with Windows >= 10.
Sadly, the updater didn't handle this case as expected, and I needed to 
create a patch. We will need some additional deployment steps if we 
actually provide the alternative update path.
In this case, we will also drop the hash check on the update files (it's 
redundant since they are already signed) [10].

Cheers,
Pier

[0] 
https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/41211
[1] 
https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/merge_requests/1016
[2] 
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42607
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=1746668
[4] 
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43013
[5] 
https://gitlab.torproject.org/tpo/applications/tor-browser/-/merge_requests/1116/diffs
[6] 
https://gitlab.torproject.org/tpo/applications/wiki/-/wikis/Development-Information/BadSSL-But-Onion
[7] 
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42887
[8] https://whattrainisitnow.com/release/?version=esr
[9] 
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42747
[10] 
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42737



More information about the tor-project mailing list