April 2017 - tor-project - lists.torproject.org

March 2017 Report for the Tor Browser Team
by Georg Koppen 05 Apr '17

05 Apr '17

Hi all! In March we made three releases, Tor Browser 6.5.1[1], 7.0a2[2], and 7.0a2-hardened[3]. Tor Browser 6.5.1 was the first point release in the 6.5 series fixing mainly regressions we found after 6.5 got out and containing version bumps to a variety of our components to close security holes. We needed to put some effort into creating a new patch for our W^X JIT implementation as the backported patch we used got broken by a security fix. The alpha and the hardened releases shipped tor 0.3.0.4-rc but included otherwise nearly the same changes as the stable one. Besides work related to our releases we focused mainly on making our build system faster and more scalable[4], and on moving to Firefox ESR 52[6]. We organized our tickets in a way that blockers for our switch to ESR 52 in our nightly builds were easily visible by using the keyword `tbb-7.0-must-nightly`. We solved all of them and are about to start nightly builds with a browser based on ESR 52. Bundles should be available from tomorrow on.[6] We made further progress on our build system improvements as well and nightly builds using rbm, our new reproducible builds manager, should be available this month, too.[7] The full list of tickets closed by the Tor Browser team in March is accessible using the TorBrowserTeam201703 tag in our bug tracker[8]. In April we plan to get a set of new releases out (6.5.2, 7.0a3, and 7.0a3-hardened) and focus on getting the alpha series into a stable shape. We have created special keywords to track both the work needed for the alpha and the work to get it stablilized while retaining all the properties outlined in our design documentation. Those keywords are: `tbb-7.0-must-alpha` and `tbb-7.0-must`. If there is time left we plan to work further on making our build system faster and more scalable. We intend to set up regular nightly builds which would allow us to quantify the build time improvements we expect from the new build infrastructure.[9] All tickets on our radar for this month can be seen with the TorBrowserTeam201704 tag in our bug tracker.[10] Georg [1] https://blog.torproject.org/blog/tor-browser-651-released [2] https://blog.torproject.org/blog/tor-browser-70a2-released [3] https://blog.torproject.org/blog/tor-browser-70a2-hardened-released [4] https://trac.torproject.org/projects/tor/ticket/17379 [5] https://trac.torproject.org/projects/tor/query?keywords=~ff52-esr [6] https://people.torproject.org/~linus/builds/ [7] See https://trac.torproject.org/projects/tor/ticket/17379 and child tickets [8] https://trac.torproject.org/projects/tor/query?status=closed&keywords=~TorB… [9] https://trac.torproject.org/projects/tor/ticket/21286 [10] https://trac.torproject.org/projects/tor/query?keywords=~TorBrowserTeam2017…

1 0

Damian's Status Report - March 2017
by Damian Johnson 04 Apr '17

04 Apr '17

Hi all! My status report this month includes a few trip photos so think I'll just provide a link this time... http://blog.atagar.com/march2017/ Cheers! -Damian

1 0

UX Team Summary (March 2017)
by Linda Naeun Lee 04 Apr '17

04 Apr '17

Hello all, Here's what we've been up to in March. ᕦ(^o^)ᕤ 1: Performed user tests on the mobile security slider [1]. We redesigned the security slider for mobile devices, and in the process, altered the settings and text. From testing, we found out that people expected the slider to operate differently (some dragged the slider, some clicked at discrete points, some people clicked on the words below the slider), and we've used this feedback make sure that all of these interactions have a response. Participants read all of the text in the interface and felt better about the new naming convention, but more improvements could be made to correctly communicate what these settings are for. 2: Designed the portals for torproject.org [2], especially the support page [3]. We've designed the support page, and are now working on the content that will go on the page. Alison and Colin are writing up frequently asked questions and their respective answers to those questions. We're going to focus heavily on assisting with the download and installation process by OS, and cover the most commonly asked questions sent to help@tpo. Brainstorming at the dev meeting clarified what purposes the other portals can serve as well. 3: Brainstormed improving tor launcher, browser fonts, and security slider for tor browser. All of these were a result of dev meeting goodness. We plan to make design changes to tor launcher to make it easy to use (we should do this now), then work on automating the connection process by pinging relays and bridges to see which ones are reachable (proposal almost finalized), and eventually work on a meek-fronted scheme that interacts with bridgeDB for safe connections (proposal pending). We are unsure how the browser fonts affect the end users, and if it bugs them enough for them to switch. We also noted that the security slider is hard to adjust, and is global, which makes user usually default to the lowest security setting required by any of the sites they regularly frequent. 4: Attended rightscon and interacted with human rights activists, policymakers, and funders [4]. I, Linda, attended this event, and found it quite energizing. It's not everyday that you can interact with at-risk users from all over the world. I also learned a lot, which I liked. 5: Made tor-official images and banners [5]. Elio made some pretty nice looking images! We plan to use them eventually, when tpo.org is redesigned. [1] https://trac.torproject.org/projects/tor/wiki/doc/UX/OrfoxSecuritySlider#Te… [2] https://trac.torproject.org/projects/tor/wiki/doc/UX/TorProjectWebsite [3] https://trac.torproject.org/projects/tor/wiki/doc/UX/SupportPage [4] https://www.rightscon.org/program/ [5] https://github.com/uracreative/tor-assets ٩(◕‿◕)۶, Linda -- Current Key: https://pgp.mit.edu/pks/lookup?search=lindanaeunlee GPG Fingerprint: FA0A C9BE 2881 B347 9F4F C0D7 BE70 F826 5ED2 8FA2

1 0

3 Apr 2017 network team meeting: status reports and meetbot notes
by Nick Mathewson 04 Apr '17

04 Apr '17

Hi! I'm trying to be a little more proactive in sending out links to our meetbot logs for the network team. We're also trying a new format where we put our status reports on a pad in parallel and talk about them during the meeting. So I'm going to paste from the pad into this mail, and include a link to the meetbot log at the end of the mail. If you want to ask us about something you see here, please use a public mailing list: sending emails to individual developers is a tiny bit creepy sometimes. ================================================== Weekly network team meeting 3 April 2017 New format! To discuss: * Rotating roles * This pad format * putting out 0.3.0 -- anything else? * New dirauth in 030 stable? * GSoC * We didn't triage 0.3.1 in Amsterdam. =================================================== username: last week: * * this week: * * nickm: last week: * got back from amsterdam; that went well, both in terms of work done and in negative d(drama)/dt * Resurrected calltool, my assembly-reading objdump-parsing callgraph generator. Needs more work; output still isn't right. available at https://gitweb.torproject.org/user/nickm/calltool.git/ . output is not to be trusted yet. * a couple of small cleanup patches (remove tor-checkkey, use openssl includes less) * general consensus diff backend hacking (sponsor4) * lots of talking about crypto, followups, etc this week: * I'm hoping to put out 0.3.0.5-rc. Help? * I'm hoping to start merging mikeperry's netflow patches. Help? * Gotta go through all our notes from the meeting and see what turns into a to-do item. * Going to see how far I can get on the consensus diff implementation. It would be cool to have it working by some time next week, but that's ambitious. * We've got to look at gsoc applications; they're due today. * Enjoy the lovely boston weather. asn: last week: - returned from amsterdam - wrote a blog post about UX of onion addresses. hopefully publishing today. - started looking into ed25519 blinding stuff. - replied to some of the email backlog. this week: - figure out what to do with ed25519 key clamping and AONT construction - review ed25519 blinding code. update spec. add docs. - maybe start thinking about cpath crypto API for prop224. not sure if i will have time. pastly: 1. Finishing up work on getting my kist code ready to be reviewed by my employer so I can share it with Tor to get feedback. As part of that, I'm planning on implementing run-time switching between schedulers with function pointers. For example, scheduler_run would be a function pointer to scheduler_run_vanilla or scheduler_run_kist based on the UseKIST torrc option. Changing UseKIST and reloading Tor would just update pointers and clean up memory if necessary. Does that sound like a mergable idea? (yes, sure, assuming it's clean :) -NM) 2. I saw that the network team is working on a new responsibility rotation, including front-line support in #tor. First, I'd like to volunteer to help with front-line support. (sounds good! we should all take turns. -NM) Second, I think +R should be removed from #tor, at least when I am actively online. We get roughly zero spam right now, but we also get very little support requests. I think this is relevant to this meeting if network team is wanting to get more active on the front-line. (not a network-team call afaik -NM) catalyst: last week: * returned from AMS * polished my 13790 patch * started looking at 0.3.1.x milestone bugs this week: * find a few 0.3.1.x milestone bugs to work on ("revision_stalled" etc. where the user has been unresponsive about revisions) * learn more about PT and anti-censorship Sebastian: Rust team founded with Alex and Chelsea Lots of Rust hacking We can link Rust now :) Started a consdiff implementation. No unsafe code, 50% performance of C impl without tweaks (C is somewhat optimized) dgoulet: last week: - Amsterdam was very productive for me. Worked a bunch with asn on prop224 implementation. Came back quite unhealthy so I'm working through that. I've emptied my email stack for now. I still have quite the TODO (network team related and other Tor things) so I'll try to go over it this afternoon. - Bad relay world is moving with some discussions and soon blog post. this week: - I'm planning this week to finalize #20657 once and for all then go crazy on testing and fuzzing (for which I had a good workshop in AMS, thanks nickm!) haxxpop: last week: * Rewrite the get_responsible_hsdirs according to the comments of dgoulet and asn https://github.com/haxxpop/tor/pull/3/commits this week: * I will refactor that get_responsible_hsdirs if there are more comments from the team * Maybe find some other prop224 stuff to do ahf: since last meeting: - Worked on prop#278 issues: #21667 + #21662 + #21663. - Implemented proposal #274 in issue #21641. - Helped review #21643, #21645, and #21651. - Looked into a PT regression I caused in #21757 and thereafter investigated if the regression would impact tor-fw-helper. Looked into how tor-fw-helper worked, what it is, and if there was still a need for the tool. Discussed deprecation strategy with Nick. - Looked into our old IPv6 roadmap, issues related to IPv6 code as preparation for the Amsterdam meeting and GSoC proposal. - Went to Amsterdam, met and talked to a lot of new people. - Hosted a sponsor 4 session with Karsten (metrics team) + Nathan (guardian project). - Joined Sebastian and Chelsea's work on Rust porting. Read up on Rust. this week: - Finishing prop#278 related issues: currently working on splitting them up into reviewable patches that fits the relevant issues. - Walk over my Amsterdam notes for different ideas and projects. - Look into next steps for Sponsor#4 tasks. - Need to talk to Karsten about the possible impact some of the sponsor4 stuff might have to the metrics team. (happy to talk, possibly after the meeting/tomorrow! -karsten) isis: since last meeting: - wrote more of the paper/design spec that is due for my OTF deliverable (#10 on https://people.torproject.org/~isis/otf-etfp-sow.pdf) - took two days off last week since the dev meeting went over the weekend - read a bunch of appengine documentation to get the meek reflector for bridgedb working - sketched out some UX stuff for the distributor and the API that will be available to TB - several talks with different rustlang developers who are excited and want to know what we want out of rust this week: - still cruching a bit to finish the OTF deliverables by the 22nd, so more of the same work Mike: Last week: * I spoke at IETF * Recovered from AMS * Finishing up the Firefox code review. About 1 more day of work. This week: * Resume working on Prop#254 * Do some followup from AMS * More Meetings yawning: this week: * Maybe poke at my optimized lattice crypto code some more. Isabela: Last week: Worked on user growth strategy update - hope to share it by eow Worked on final report for ISC Tried to catch on AMS meetings notes This week: Get user growth strategy update done catch up with the team on follow ups from the meeting work on March report for sponsor4 =============================== Meetbot logs from the IRC meeting: http://meetbot.debian.net/tor-dev/2017/tor-dev.2017-04-03-17.00.html -- Nick

1 0

March 2017 report for the metrics team
by Karsten Loesing 03 Apr '17

03 Apr '17

Hello Tor, hello world! Below you'll find the highlights of Tor metrics team work done in March 2017. On behalf of the Tor metrics team, Karsten Published a blog post on recent improvements [1] to the Atlas web application [2], including improved error handling, UX improvements, and standards compliance. [1] https://blog.torproject.org/blog/atlas-recent-improvements [2] https://atlas.torproject.org/ Created a project page for metrics-lib on Tor Metrics [3] with a set of easy tutorials and the most recent JavaDocs. [3] https://metrics.torproject.org/metrics-lib.html Moved specification pages for CollecTor [4] and Onionoo [5] to Tor Metrics with the longer-term goal to bring all user contents related to Tor metrics together on a single website. [4] https://metrics.torproject.org/collector.html [5] https://metrics.torproject.org/onionoo.html Met with several folks not directly involved in the metrics team at the Tor meeting in Amsterdam and sketched out how we could improve directory-request statistics, what metrics and measurements could look like in 5 years [6], and what the metrics team and the OONI team could collaborate on in the nearer future [7]. [6] https://trac.torproject.org/projects/tor/wiki/org/meetings/2017Amsterdam/No… [7] https://trac.torproject.org/projects/tor/wiki/org/meetings/2017Amsterdam/No… Wrote down a set of objectives and key results for the metrics team to work on in Q2 2017 [8]. [8] https://trac.torproject.org/projects/tor/wiki/org/teams/MetricsTeam#Objecti…

1 0