- tor-project - lists.torproject.org

Tor Browser Release Meeting this week
by Pili Guerra 07 May '19

07 May '19

Hi everyone, Bi-weekly reminder that we will be having our Tor Browser Release meeting this week on Wednesday 8th May at 18UTC on #tor-meeting. Thanks! Pili — Project Manager: Tor Browser, UX and Community teams pili at torproject dot org gpg 3E7F A89E 2459 B6CC A62F 56B8 C6CB 772E F096 9C45

1 0

Tor Browser team meeting notes 6 May 2019
by Georg Koppen 07 May '19

07 May '19

Hi! We had another weekly Tor Browser meeting yesterday. The IRC log can be found at http://meetbot.debian.net/tor-meeting2/2019/tor-meeting2.2019-05-06-17.31.l… The contents of the meeting pad are pasted below for you convenience: Discussion: - Should we whitelist NoScript for extension signing like we do for the other bundled extensions? We should think about how to avoid similar problems to armagadd-on 2.0 (#30388) in the future, specifically not having a bundled extension stop working (mcs) - esr68 transition work (GeKo: we plan to start soon with picking up toolchain work and rebasing browser patches (+ getting Torbutton integrated in the browser) - 8.5 release work (GeKo: due to armagadd-on 2.0 we'll postpone the 8.5 release and won't ship it with the 60.7.0esr security release; eta is a week later) mcs and brade: Last week: - #30000 (Integrating client-side authorization to onion services v3). - experimented with Arthur's old patch from 14389#comment:15. - discussed requirements with Network Team members. - Helped a tiny bit for #30388 (NoScript and all user-installed add-ons got deactivated!). This week: - Revisit #29627 (Moat: add support for obfsproxy's meek_lite). - #30000 (Integrating client-side authorization to onion services v3). - Think more about control port event vs. SOCKS or HTTP CONNECT error code and respond in #14389. - Review UX proposal in #30237 and respond. - Finalize travel plans for the Stockholm meeting. tjr - Backported letterboxing to esr60 pospeselr: Last week: - widl updates for #27503: - last week's refactor patch broke typequalifier/type associations (ie does const go with the pointer or the pointee) but got passed that this weekend and am closing in on fix for wine:47035, knowing what I know now, the remaining two bugs (47050 and 47041) are easy in comparison - simply dropping in midl built bits onto the mingw build doesn't work, as the generated headers have incompatible types (though this approach might make sense for dropping in fixed widl built bits rather than patching widl in mingw) - armagadd-on 2.0 fun (#30388) GeKo: Last wek: - many reviews (#30280, #29981, #30325, #30214, #30371, #29045, #30375, - 8.5 release prep - tested letterboxing patches (#30373) - then I got drowned in armagadd-on 2.0 work (#30388) This week: - remaining armagadd-on 2.0 work - preparing Tor Browser releases based on Firefox 60.7.0esr - reviews - finish monthly team admin work - feedback mails - back to toolchain work for esr68 boklm: Last week: - disabled or fixed some of the failing tests - made some patches for #30325 (Remove bison from default packages where it is not needed) and #29981 (Add yasm to the list of dependencies for android builds) - reviewed #29319 (Remove FTE support for Windows), #29307 (Use Stretch for cross-compiling for Windows), #29731 (Remove faketime for Windows builds) - made travel plans for the Stockholm meeting - helped with build of the emergency release (#30388) This week: - publishing of new releases - finish disabling all failing testsuite tests - start looking at #28672 (Android reproducible build of Snowflake) pili: Last week: - S27 - more roadmapping - first report sent - S9 workplan - Google Season of Docs organization This week: - dev meeting session planning - antonela Last week: - #30237 This week: - Reading stuffs about #30029 - #30024 - sync with pospeselr to touch base about security settings per tab (note: not needed for now) - sync with sysrqb on TBA release acat Last week: - Worked on mostly on 30304 (Browser locale can be obtained via DTD strings) and a bit on 26607 (verify that subpixel accuracy of window scroll properties does not add fingerprinting risk) This week: - Follow up 30304 on Bugzilla, try to fix breakage on central and try to get it merged. - 26607 sisbell: Last week: - #30166 - custom bridges - verified working with latest code in Browser - #30404 - Remove Orbot Project from browser build (in review) - #30162 - Tor Bootstrap Process stuck. Made improvements. Still issue of connecting while existing tor process is shutting down (this is recoverable). Looking into a few different solutions for fix. This Week: - #30162 tor bootstrap - Working on mirror for TOPL - Fix for multiple tor control ports open sysrqb: Last week: Release prep (#30239, #30214, #30215, #29982, #30069, #30136, #29757, #30371) This week: Fighting with nitrokey and APK signing (#26536) More release prep and reviewing tbb-8.5-must tickets Georg

1 0

Sponsor 27: Onion Services Meeting this week
by Pili Guerra 06 May '19

06 May '19

Hi everyone, This is a reminder that we’ll be meeting this Tuesday at 15UTC on #tor-meeting for our bi-weekly sync on the Onion Services project. Thanks! Pili — Project Manager: Tor Browser, UX and Community teams pili at torproject dot org gpg 3E7F A89E 2459 B6CC A62F 56B8 C6CB 772E F096 9C45

1 0

Notes from May 2 2019 Vegas team meeting
by Karsten Loesing 03 May '19

03 May '19

Notes for May 2 2019 meeting: Nick: 1) Coding, hacking, time is moving forward. 2) spoke at MIT 6.858 about Tor; got some student interest Steph: 1) We have a small fundraiser happening in NYC May 14 with help of a volunteer. I got our eventbrite page set up, and it is being shared among the cryptocurrency community in town for Ethereum Summit. https://www.eventbrite.com/e/building-private-censorship-resistant-tech-a-c… 2) Talking with Blockchain Association of Africa tomorrow — they want to explore a partnership 3) Newsletter went out this week 4) Published Google Season of Docs post Sarah: 1) We continue to bring in more cryptocurrency donations. We are up to over $54k since 3/1. 2) Newsletter to sponsors will go out today, pending Isa’s final approval. 3) Hoping monthly donor page will go live today or tomorrow and I’ll send out invite to ~1,000 people who have given in the recent past. 4) Changes to DRL proposal for the anti-censorship team were submitted. 5) Drafting letter to for-profits explaining the ways in which they can help Tor. 6) Meeting with Georgia from SimplySecure today to talk about funding opportunities. Antonela: 1) Working on wrapping up OONI Explore for MOSS delivery 2) Working on #30000, OTF 3) Working on #27399, #29955 TBA 4) Writing peer-reviews 5) Coordinating user research reporting with Caroline for Q1, travels for Q2, Nah reporting from Colombia 6) Synced with SimplySecure about NoScript redesign 7) Will meet with OKThanks about tpi/tpo brand future 8) Made a visual proposal for the Defenders of Privacy campaign 9) Worked on [Donate Now] changes on tpo.org 10) Writing a recap about the L10n lab design summit we ran before IFF Mike: 1) tor-scalability meeting work 2) Finishing up Sponsor2 for Tor 0.4.1 Karsten: 1) Have a working CollecTor branch that archives bandwidth files. Still needs review and should be deployed in ~1.5 weeks from now. 2) Discussed a couple of OnionPerf improvements that will provide more detailed results from existing measurements, including better error codes and partial completion timestamps. Georg: 1) We plan to release Tor Browser 8.5 in the coming days if all goes well 2) More coordination with HackerOne about our bug bounty program 3) Feedback mails 4) Roger: what's up with your tor-security list considerations? [I think we should either remove me from the list, or strip the encryption part of the list. I find it unmanageable with the spam and my gpg set up, so I don't read it. -RD] isabela: 1) preparing for Board meeting on Friday (may 3) 2) preparing for meeting with MDF on Friday (may 3) 3) reviewed grant proposals and all copy related to our launch of the monthly donors program 4) working on a 'vintage sale' type of promotion for folks who haven't donated yet to Tor (old swags spring clean) 5) waiting list invites for dev meeting are late - but they will be sent out soon Gaba: 1) looking at the call for researchers from moz to work on performance at Tor 2) s27 report 3) following wrap up work at ooni 4) trying to setup monthly retrospective at the network team Roger: 1) Finishing up usenix security reviews and shepherding (this week was the PC meeting). That saga finally finishes this week. (I declined my invite for next year.) 2) I submitted a defcon talk, which involves encouraging Cecylia and Philipp to make some solid usability progress on pluggable transport things by August. 3) I started encouraging us to post a blog post about the Mozilla performance research grants, but somebody still needs to move that forward. [coordinating with steph --gaba] 4) It looks like all three of the us (me, Cecylia, Philipp) will be going to the RACE kickoff meeting. I figure that's our best chance of figuring out what RACE is, and influencing it into being most useful to us. 5) I'm going to answer an NYU ITP guest lecture invite for Monday night, with yes. If anybody in NYC area wants to join, let me know! [i'm interested -steph] Sue: 1) General accounting processes Erin: 1) Finishing up with OONI dev recruiting 2) general HR stuff Pili: 1) S9 Phase 3 Workplan 2) Google Season of Docs - We got accepted! - Started answering a few GSoD enquiries Arturo: 1) Working hard on OONI Explorer 2) Working towards OONI Probe mobile 2.1.0 release with measurement upload support

1 0

March 2019 Tor User Feedback Report
by wayward 01 May '19

01 May '19

Hey, team! Welcome to the March 2019 user feedback report! For more information on what users and community members were talking about this month, check out the February/March 2019 User Feedback pad [1]. Feedback in March was largely focused on the website redesign. Most notably, users are having a hard time finding things they're looking for, including Tor Browser alpha builds, the expert bundle [2], and signature files. I've opened some trac tasks to help us track progress towards making things easier to find, namely signature verification instructions [3] and Tor Browser alpha builds [4]. Otherwise... - Reddit was mostly full of curious users wanting to know more about how to protect their anonymity, both with and without Tor Browser. - User reported bugs found in Tor Browser were mostly bugs we've been tracking for months - not much new there. Now, on to the feedback! Scroll further down to see a summary of Reddit posts, some points from Google Play Store reviews, a list of the most common Stack Exchange tags from the month, and a collection of some notable issues and bugs mentioned by users in March. --- Most common questions on Reddit: - If I do ___ while connected to Tor, will it compromise my anonymity? - What can I do to increase my security? --- TBA Reviews & Feedback on Google Play Store: The average review score is still at 4.2 stars. Some users mentioned that they miss the settings menu in TBA. Connection issues seem to have gone up during the month of March. --- Most common stack exchange tags: tor-browser-bundle: 13 this month configuration: 13 this month connection: 8 this month tails: 7 this month bridge: 6 this month anonymity: 5 this month hidden-services: 5 this month --- Notable bugs, fixes, & issues mentioned by users: - #29872: Searching from about:tor cause a NoScript XSS warning popup - CLOSED - FIXED - #29886: NoScript icon is still visible in context menu after the fix for #25658 landed - OPEN - #28290: Don't allow fingerprinting via navigator.userAgent - OPEN - #27608: TB 8.5a1 failed to check for noscript updates because of missing manifest type - OPEN - #29032: Tor Browser 8.0.4 stops working correctly in Virtualbox on Windows - OPEN - #29807: Tor Browser requires discrete graphics on my Mac - OPEN - NEEDS INFORMATION - #29031: Tor Browser for Android (Alpha) does not accept Torrc Custom Config lines - OPEN --- That's it for the month of March! If you want to know more, please do check out the February/March 2019 User Feedback pad [1] or reach out to me via email (waywardwyrd at riseup dot net) or IRC (wayward). Thanks for reading! - wayward ------ Annotations: 1. https://storm.torproject.org/shared/x1INkZCd4pYQHZ_Y3Vr9_lQxjMj5FjsZ9754h1N… 2. https://trac.torproject.org/projects/tor/ticket/29991 3. https://trac.torproject.org/projects/tor/ticket/30295 4. https://trac.torproject.org/projects/tor/ticket/30298 5. https://trac.torproject.org/projects/tor/ticket/29872 6. https://trac.torproject.org/projects/tor/ticket/29886 7. https://trac.torproject.org/projects/tor/ticket/28290 8. https://trac.torproject.org/projects/tor/ticket/27608 9. https://trac.torproject.org/projects/tor/ticket/29032 10. https://trac.torproject.org/projects/tor/ticket/29807 11. https://trac.torproject.org/projects/tor/ticket/29031

1 0

Network team meeting notes, 29 April 2019
by Nick Mathewson 30 Apr '19

30 Apr '19

Hi all! Our meeting logs are available at https://pad.riseup.net/p/tor-netteam-2019.1-keep . Below are our meeting notes: --------------------- = Network team meeting pad! = This week's team meeting is at Monday 29 April at 1700 UTC on #tor-meeting on OFTC. April schedule: * Monday 29 April at 1700 UTC May schedule: * Monday 6 May at 1700 UTC * Monday 13 May at 1700 UTC * Monday 20 May at 1700 UTC * Monday 27 May at 1700 UTC June schedule: * Tuesday 4 June at 2300 UTC * Monday 10 June at 1700 UTC Welcome to our meeting! First meeting each month: Tuesday at 2300 UTC Other meetings each month: Mondays at 1700 UTC until 3 November 2019, when daylight saving time changes On #tor-meeting on OFTC. (This channel is logged while meetings are in progress.) (See https://lists.torproject.org/pipermail/tor-project/2017-September/001459.ht… for background.) Want to participate? Awesome! Here's what to do: 1. If you have updates, enter them below, under your name. 2. If you see anything you want to talk about in your updates, put them in boldface! 3. Show up to the IRC meeting and say hi! After each week's meetings, the contents of this pad will be sent to tor-project @ lists.torproject.org. After that is done, the pad can be used for the next week. == Previous notes == (Search the list archive for older notes.) 25 Mar: https://lists.torproject.org/pipermail/tor-project/2019-April/002280.html 2 Apr: http://meetbot.debian.net/tor-meeting/2019/tor-meeting.2019-04-02-23.00.html (we forgot to post the notes) 8 Apr: https://lists.torproject.org/pipermail/tor-project/2019-April/002289.html 15 Apr: https://lists.torproject.org/pipermail/tor-project/2019-April/002296.html 23 Apr: https://lists.torproject.org/pipermail/tor-project/2019-April/002308.html == Stuff to do every week = * How are we managing CI failures from last week? See https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CIFailu… * Let's check the 0.4.0 release status page. See https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CoreTor… (This page automatically shows the latest trac ticket status.) * Let's check and update the roadmap. What's done, and what's coming up? We're using a kanban board: https://storm.torproject.org/shared/_mx8PMGOHFBOximocl1gy3COvhLPr6k3Ja7JA1v… Click on 'all boards' and then the network team one. Filter by your name and check the 'in progress' column is correct. * Check reviewer assignments! How reviews from last week worked? Any blocker? Here are the outstanding reviews, oldest first, including sbws https://trac.torproject.org/projects/tor/query?status=needs_review&componen… * Check rotations at https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/TeamRot… . * See discussion notes below. Any blocker from last week? == Reminders == * Remember to "/me status: foo" at least once daily. * Remember that our current code reviews should be done by end-of-week. * Make sure you are in touch with everybody with whom you are doing work for the next releases. * Remember to fill up the 'actual point' field when you close a ticket. We need those to calculate velocity. * Check other's people call for help in their entries. * Remember to book travel for meeting as soon as possible. The rate lock deadline is 10 May, please ask for approval in advance -- several days before 10 May at the very latest. ------------------------------- ---- 29th April 2019 ------------------------------- == Announcements == - The master branch is now 0.4.1.x; 0.4.0 development will continue in maint-0.4.0. We need to prioritize 0.4.0 fixes and reviews in April, because stable was due on 15 April. == Discussion == Rotation updates: Bug triage - nick to dgoulet The Bug Triage role description and queries is on the wiki at: https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/TeamRot… nickm says: Not much to pass on here. There weren't a lot of new issues to triage. CI - ahf to asn https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CIFailu… - One issue with Travis appeared on tor.git's master and was solved quickly by Nick. Coverity - ahf to asn One issue appeared. Opened ticket #30328 (CID: 1444769) - we think it might be a false positive, but the Coverity scan site is not working right now. Reached out to them on Twitter to see if it can be fixed. [In other news, coverity scan seems to have TLS issues that are keeping nick's automatic updates from working. If anybody can provide a correct incantation to "curl https://scan.coverity.com/ " in a way that works, that would rock. -nickm] 0.4.0 status: Other discussion: Are we ready for 0.4.0.x-stable? n == Recommended links == "Select male faculty, they said, effectively ran the Institute and were showered with private donations, while women were forced to fire essential staff and were shut out from power." This article is an excellent analysis of the mechanics of power and discrimination: https://www.nytimes.com/2019/04/18/magazine/salk-institute-discrimination-s… On allyship in newsrooms but also in workplaces: https://source.opennews.org/articles/how-be-ally-newsroom/ == Updates == NOTE NEW FORMAT! Name: Week of XYZ (planned): - What you planned for last week. Week of XYZ (actual): - What you did last week. Week of ABC (planned): - What you're planning to do this week. Help with: - Something you may need help with. PLEASE DO NOT BULK-DELETE THE OLD ENTRIES! Leave the "Planned" parts! Leave the parts for last week and this week! gaba: Last week (actual): - s27 This week (planned): - report on s27 for April: https://nc.riseup.net/s/ii5jBiZM7sEKToC - send a mail to the team about setting up monthly retrospectives - send a mail to the team about meeting for discussion on moving out of temporal roles into permanent ones <- I will wait until Teor is back. Help with: - if you are working on a s27 ticket please look at https://nc.riseup.net/s/ii5jBiZM7sEKToC and add it if it is not there. teor: (online for 23 April, then on leave until 21 May) * AFK Nick: Week of 22 (planned): - Review & merge! - Look at 29136 per request from Damian - Look at 30235 per request from Teor - Pending peer review issues - BUG triage. Pick up from Mike - Revise ticket 30091 [unified parsing in control.c] per review - Revise ticket 29223 [abbreviations] per review - More refactoring on control.c, if we can land 30091. - Plan refactoring on config.c - If time permits: More pubsub users - If time permits: ADL prototype. Week of 22 April (actual): - Started refactoring periodic event system. (30293) - Revised 30091 (control.c parsing); got it merge_ready. - Bug triage; not much to do this last week. - Review & Merge: lots. - Planned some pubsub users - Some work on chutney CI issue backlog - Performance improvements for node selection (30291) Week of 29 Apr (planned): - Implement another pubsub user or two - Once 30007 is merge, more control.c refactoring - Review and merge, as required. - Once 30293 is merged, more periodic event refactoring - MIT lecture on Wednesday - Various meetings - 0.4.0 stable release? dgoulet: Week of 22/04 (actual): - Revised #26288 from nickm's review (Authenticated SENDME). - Reviewed and merged a series of ticket (see Timeline). - Investigated #29607 (HS DDoSed). Along with asn, we designed an experiment to reproduce the INTRODUCE2 flood. We can now reliably reproduce and thus test any fixes or/and improvements. - Open #30291 after profiling tor during that particular type of DoS mentionned above. - Had a series of calls with asn to plan and organize s27 roadmap. - Discussion with Mike about the test network for the tor-scaling group. - Discussion with Roger on HS DDoS possible defenses idea. Week of 29/04 (planned): - Continue to work on HS DDoS defenses for s27 (#29999). More specifically, think about #15516 or any other possible defenses we can think of. - Review and merge, the usual. - Do whatever is necessary to get #26288 merged. We are almost there! Mike: Week of 4/23 (planned) - Scalability planning & discussion - write wiki page of experiments; sketch out current research kanban; attend meeting - Book lots of travel (I hope ;) \o/ - Maybe work on needs_revision #28636 items (probably not) - Maybe catch up on code reviews (probably not) Week of 4/23 (actual): - Worked on https://trac.torproject.org/projects/tor/wiki/org/roadmaps/CoreTor/Performa… and https://storm.torproject.org/shared/k0SG5SfFTGGCsR0poyekmpSb-hLfLynJAUERHyM… and tor-scalability agenda - Code review - Ohter meetings Week of 4/30 (planned): - Update experiments page with comments from meeting; write followup mails - Book lots of travel (I hope ;) \o/ - Work on needs_revision #28636 items - Catch up on code reviews catalyst: week of 04/22 (2019-W17) (planned): - reviews - peer feedback (2) - finish up reviewing control-cmd - clean up control-proto (need to coordinate with nickm) week of 04/22 (2019-W17) (actual): - reviews - some comments about #29209 (data hiding in structs) - finished reviewing #30091 control-cmd - #30007 (refactoring control response output) ready for review week of 04/29 (2019-W18) (planned): - reviews - clean up #29976 (rework bootstrap reporting to use pubsub) for review - peer feedback (2) - team leader feedback - more following up on #29209 if needed asn: Week of 04/08 (planned): - Will focus on the #29209 s31 deliverable this week. I hope to have it done by the end of the week, so that I can focus on s27 for the rest of the month. Week of 04/08 (actual): - Pushed #29209 to needs_review. It's basically a limited version of the actual deliverable, where we hide a part of crypt_path_t. Left general thoughts about the task in the ticket. - Worked more on #28634 after Mike's review. Needs some more work before being back in needs_review. - Reviewed #28780 as part of Sponsor2. - Did more triaging and discussion on Sponsor27 - Fixed some bugs we got from hackerone. - Did reviews/merges. Week of 04/15 (planned): - Push #28634 back to needs_review. - Start doing initial Sponsor27 work, and brief up David. - Review/test more leftover WTF-PAD stuff. - Finish up travel arrangements for Stockholm/AllHands ahf (will be traveling at that time and offline): Week of 4/24 (planned): Network team: - Submit patch for #29930 to remove warning when unlink() fails. - Try to reimplement tor_cond_wait() to use a ConditionVariable for #30187 Anti-censorship team: - Walk over WebSocket patches with cohosh and see how the stats collection code fits in for #29207 (and friends) Misc: - Book train to Stockholm - CI+coverity duty: I've seen the coverity issue that showed up today. Week of 4/24 (actually): Network-team: - Submitted patch for #29930. - Wrote a patch for #30187, but it didn't work on my Windows 7 test machine. Going to re-investigate this week. Anti-censorship team: - Working on remaining Snowflake tasks. Misc: - Booked train to Stockholm. - Opened #30328 for Coverity, assigned it to me and will dive into once Coverity works normally again. - Spend a day writing peer reviews. I think following Tim's advice from the ML is a good idea with spreading out a bit. Took longer than I had thought. - Talked with Steph about doing a talk about Tor in Switzerland. - Hacked a bit on a webservice to collect info from Travis and AppVeyor for the CI role. Week of 4/29 (planned) Anti-censorship team: - Finish off all my tasks here and hand them over. Misc: - Continue with writing peer reviews (3/8 remaining). juga: Week of 04/22 (planned): - Depending on which has higher priority, work on #29710 children or #30255 children (it seems this needs more discussion and or proposals) Week of 04/22 (actual): - Commented #30311, #30255 Week of 04/29 (plan); - Add HeaderLine to the bandwidth file specification (#30311) - Add Tor version to the bandwidth file (#30196)

1 0

Tor Browser team meeting notes 29 April 2019
by Georg Koppen 30 Apr '19

30 Apr '19

Hello! Below come the notes from our weekly meeting which we had yesterday at 1730 UTC. The IRC log can be found at: http://meetbot.debian.net/tor-meeting2/2019/tor-meeting2.2019-04-29-17.31.l… and the items from our pad are Discussion: - Tor Browser team meeting slots for the dev meeting? (GeKo: I'll ask for five, 2 roadmapping, 1 retrospective, 1 Tor Browser vision, 1 team capacity) - migration to esr68 (GeKo: we started to think about it; will nail down more detailed plan with action items either next week or the week thereafter) sisbell: Last Week: - #30280 - Wrong SHA-256 - due to use of jcenter which can proxy different artifact repositories. Removed jcenter from dependencies (ready for review). Also removed use of jcenter from TOPL(#109)/android-tor-service(#23) projects (GeKo: are we good with that bug or is there something left that needs to get fixed before review)(sisbell: it's ready for review, no more work) - #30162 - Bootstrap process stuck - implemented fix that takes ownership of tor process so that tor will shut itself down when the control connection dies (TOPL#59). Also implemented a fix for reusing an open tor control connection (TOPL#111). - #30166 - Custom bridges. The content of the textfield for user-defined bridges is overloaded (it acts a filter for pre-defined bridges OR it contains bridge information directly). Introduced fixes to make this work with TOPL(#115) + tor-android-service(#26). - Verified #30162 and #30166 work against an Orbot build. - Self-feedback This week: - Add #30162 and #30166 fixes into tor-android-build. Test and fix any issues. mcs and brade: Last week: - #30000 (Integrating client-side authorization to onion services v3). - experimented with HTTP CONNECT for the browser/tor connection. This week: - #30000 (Integrating client-side authorization to onion services v3). - Finalize travel plans for the Stockholm meeting. - Out of the office Thursday May 2 and Friday May 3. GeKo: Last week: - work in localization/branding land (wrote patches for #30136 and #30069), helped with special characters in Android strings issue (#30054) - reviews (#29981, #30086, #30115, #28369, #30166) - dealing with bug bounty issues - looked into snowflake for android over the weekend (#28672) but that's more involved than a (couple of) weekend activity(-ies), thus 301 -> boklm This week: - getting back to tjr's letterboxing email - preparing 8.5 (GeKo: We still stick to the idea of building 8.5 this week) - more work on tbb-8.5-must/tbb-8.5 items - reviews - start begin-of-the-month admin work acat: Last week: - Revised patch for 30115: NoScript's XSS popup breaks circuit display in some cases - Looked into 26605: investigate window.requestIdleCallback() for possible timing leaks - Looked into 26607: verify that subpixel accuracy of window scroll properties does not add fingerprinting risk - Looked into 30304: Browser locale can be obtained via DTD strings [tjr: what did you find?] acat: Well, it leaks browser locale, yes (I understand there's currently no other known way to get browser locale from website) The suggested approach in https://bugzilla.mozilla.org/show_bug.cgi?id=467035, creating hidden iframe loading the xml and reading localized text works in Tor Browser. The simple fix suggested in bugzilla (reverting https://hg.mozilla.org/mozilla-central/rev/7ace0805c2d3) breaks about:tor, the DTD for localization cannot be read which makes sense, since the reason of that patch is to unbreak addons (legacy, I assume) it would work fine if about:tor was privileged (no URI_SAFE_FOR_UNTRUSTED_CONTENT), but I think we don't want that so I'm still investigating/understanding the relevant code and trying to find the best way of not breaking it I also want to test it in Android, because I suspect the code for handling some about:* pages is not the same there (mobile/android/components/AboutRedirector.js) This week: - Finish 30304 and 26607. - Backlog: 26599, 26602, 26601, https://bugzilla.mozilla.org/show_bug.cgi?id=1461454. boklm: Last week: - Updated patch for #29981 (Add option to build without using containers) - started testing patches for #30325 (Remove bison from the list of default packages on android and osx builds) and #30326 (Remove yasm from the list of dependencies for the firefox android build) - started disabling failing testsuite tests - sent (late) self-feedback This week: - finish disabling all failing testsuite tests - start looking at #28672 (Android reproducible build of Snowflake) - review #29307 (Use Debian Stretch for cross-compiling our Windows builds) and #29319 (Remove FTE support in Windows bundles) - help with 8.5 build/release - afk (holidays) on Wednesday and Thursday tjr - Started/tried backporting letterboxing to 60. Ran into a complex refactor I need to work around, sent an email no response - Someone also filed https://bugzilla.mozilla.org/show_bug.cgi?id=1546832 which is a bit of a problem. I'm not sure if it should block bringing it to TB Nightly. (GeKo: I don't think so) - Started working on mingw build stuff again. - Getting tests running on Try: finding lots of crashes.Indicative of real issues that could crash? Don't know!! antonela: Last week: - #27399, #29955, in progress - #30000, in progress This week: - #27399, #29955, in progress - #30000, in progress https://trac.torproject.org/projects/tor/ticket/30237#comment:1 pili: Last week: - All teams project planning - Submitted google season of docs application This week: - S27 - first report - work estimation and planning - start thinking about dev meeting sessions pospeselr: Last week: - Worked on wine bug #47035 for tor #27503 - got most of the way through this, should have a patch ready for review tomorrowish This week: - See if swapping in pre-built MIDL Accessibility2 related bits fixes our issues here - continued work on widl patches Georg

1 0

Network team meeting notes 23 April 2019
by Nick Mathewson 28 Apr '19

28 Apr '19

Hi! Our meeting transcript is at http://meetbot.debian.net/tor-meeting/2019/tor-meeting.2019-04-23-23.01.html = Network team meeting pad! = This week's team meeting is at Tuesday 23 April at 2300 UTC on #tor-meeting on OFTC. April schedule: * Tuesday 23 April at 2300 UTC (Monday 22 April is the Easter Monday public holiday) * Monday 29 April at 1700 UTC May schedule: * Monday 6 May at 1700 UTC * Monday 13 May at 1700 UTC * Monday 20 May at 1700 UTC * Monday 27 May at 1700 UTC June schedule: * Tuesday 4 June at 2300 UTC * Monday 10 June at 1700 UTC Welcome to our meeting! First meeting each month: Tuesday at 2300 UTC Other meetings each month: Mondays at 1700 UTC until 3 November 2019, when daylight saving time changes On #tor-meeting on OFTC. (This channel is logged while meetings are in progress.) (See https://lists.torproject.org/pipermail/tor-project/2017-September/001459.ht… for background.) Want to participate? Awesome! Here's what to do: 1. If you have updates, enter them below, under your name. 2. If you see anything you want to talk about in your updates, put them in boldface! 3. Show up to the IRC meeting and say hi! After each week's meetings, the contents of this pad will be sent to tor-project @ lists.torproject.org. After that is done, the pad can be used for the next week. == Previous notes == (Search the list archive for older notes.) 25 Mar: https://lists.torproject.org/pipermail/tor-project/2019-April/002280.html 2 Apr: http://meetbot.debian.net/tor-meeting/2019/tor-meeting.2019-04-02-23.00.html (we forgot to post the notes) 8 Apr: https://lists.torproject.org/pipermail/tor-project/2019-April/002289.html 15 Apr: https://lists.torproject.org/pipermail/tor-project/2019-April/002296.html == Stuff to do every week = * How are we managing CI failures from last week? See https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CIFailu… * Let's check the 0.4.0 release status page. See https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CoreTor… (This page automatically shows the latest trac ticket status.) * Let's check and update the roadmap. What's done, and what's coming up? We're using a kanban board: https://storm.torproject.org/shared/_mx8PMGOHFBOximocl1gy3COvhLPr6k3Ja7JA1v… Filter by your name and check the 'in progress' column is correct. * Check reviewer assignments! How reviews from last week worked? Any blocker? Here are the outstanding reviews, oldest first, including sbws https://trac.torproject.org/projects/tor/query?status=needs_review&componen… * Check rotations at https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/TeamRot… . * See discussion notes below. Any blocker from last week? == Reminders == * Remember to "/me status: foo" at least once daily. * Remember that our current code reviews should be done by end-of-week. * Make sure you are in touch with everybody with whom you are doing work for the next releases. * Remember to fill up the 'actual point' field when you close a ticket. We need those to calculate velocity. * Check other's people call for help in their entries. * Remember to book travel for meeting as soon as possible. The rate lock deadline is 10 May, please ask for approval a few days before 10 May. ------------------------------- ---- 23rd April 2019 ------------------------------- == Announcements == - The master branch is now 0.4.1.x; 0.4.0 development will continue in maint-0.4.0. We need to prioritize 0.4.0 fixes and reviews in April, because stable was due on 15 April. == Discussion == Rotation updates: Bug triage - mikeperry to nick The Bug Triage role description and queries is on the wiki at: https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/TeamRot… Lessons I learned and unanswered questions during bug triage: WTF is this page? Can I kill it: - https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/TicketT… teor says: this page describes how we triage tickets at the start or end of a release. We should update it and maybe rename it. WTF do we do about people using trac-as-support support? I guess - https://trac.torproject.org/projects/tor/ticket/30192#comment:2 Seems about right to me. Can I make binding decisions about what to do about components? Does the next triage ruler get to overturn? ;) - https://trac.torproject.org/projects/tor/ticket/30250#comment:1 IMO killing components isn't part of ticket triage. Looked at Core/Tor tickets opened in last 9 days (since I did this Easter Monday Eve) - Added points to a couple of my tickets that were created in this window. - Everything else created recently had points, but many older than 9 days did not. CI - teor to ahf https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CIFailu… I revised #30001, and it is merge_ready for 0.4.0 and later. This CI ticket was a process failure: it stalled in needs_revision for 2 weeks. How can we improve this process? We are making progress on the stem hangs in #29437. Here are the open tickets: #30235 Tor hangs when asked to change DisableAllSwap over the control port nickm, can you help with tor_mlockall() hangs? We keep getting practracker CI failures when we merge forward code from 0.4.0. Here are some possible fixes: #30051 - Add practracker as a pre-commit and pre-push git hook for frequent coders this ticket is in merge_ready Coverity - teor No new coverity defects this week Coverity doesn't provide instant feedback, so it's harder to discover bugs at review time. Here is a possible fix: #30225 Run clang's scan-build in Tor's CI 0.4.0 status: Mostly done or merge_ready. Should we remove the one remaining ticket from 040-must? #29930 Warning: can't unlink unverified-consensus on Windows meeting says: yes Review status: Stalled reviews - more than 1 week old - what should we do with them? catalyst: #27130 rust dependency updating instructions don't work #29732 Add full-fledged deterministic PRNG support for testing teor: #23588 Write fascist_firewall_choose_address_ls() and use it in hs_get_extend_info_from_lspecs() I will review this ticket before I go away (but after I do my feedback) mikeperry: #30109 Document that MapAddress is automatically strict, but does not handle redirects #30112 Fix outdated comments in dirserv_read_measured_bandwidths() #30147 Fix "high-impact" coverity false-positive warnings outside of tests #30148 Fix infrequent, unlikely memory leak on failure to create keys directory there is a proposal to look for funding to work on mobile onion services (from a partner that may need them) for 2020. It would be a 1 engineer for 1 year and it could include other onion services stuff. Do we look for funding for it? <--- It could be started after April 2020 if we look for funding now. --gaba There is too much information in this pad. This is a process failure. Can we split the pad up into: Everyone must do this task this week / know this thing this week / discuss this issue this week Discussion queue (topics that are important, urgent, and affect most people go at the top) Information list === teor's handover === ==== sbws ==== I am still spending a lot of time on sbws designs and design reviews: Let's use the tor proposals process for sbws: https://lists.torproject.org/pipermail/tor-dev/2019-April/013785.html Let's block all sbws merges until I get back, unless an urgent bug comes up. I don't think adding more load to the team is a good idea right now, so our best option is slowing sbws and other non-funded work. Here are the active sbws tickets: Is it acceptable that SBWS consistently reports 6200 relays, 1000 fewer than Torflow's 7200 universe? https://trac.torproject.org/projects/tor/ticket/29710 Work out why recent_measurements_excluded_few_count=733 and its children. https://trac.torproject.org/projects/tor/ticket/30227 Add additional bandwidth file headers in sbws 1.2, and children. https://trac.torproject.org/projects/tor/ticket/30255 We can make future hand overs easier by assigning two paid staff members to help out with sbws. ==== Mainline Merges ==== Now dgoulet is back, I have stopped doing mainline merges, except for urgent CI fixes: https://lists.torproject.org/pipermail/tor-dev/2019-April/013779.html ==== Backports ==== Let's block most backport merges until I come back. Who will do urgent CI backports? nickm 0.3.5 and later are affected by the stem failures, if we fix the tor_mlockall() bug, we should backport that to 0.3.5 But maybe we should test it first, so that might mean disabling stem in 0.3.5 and 0.4.0? ==== Reviews ==== Please don't put me on reviews until 27 May. (I will be dealing with backlogs when I get back.) I have un-assigned myself from all open tickets where I am the reviewer. ==== Rotations ==== See my rotation handover below. Please don't put me on rotations until 27 May. (I will be dealing with backlogs when I get back.) I can't do bug triage on 29 April, because I'll be away. We don't have rotations for May yet. ==== Roadmap ==== I don't think I will make any progress on PrivCount while I am away. Can we please assign someone else to help me with PrivCount? [Nickm wants to do privcount stuff; anybody else?] === END teor's handover === == Recommended links == "Select male faculty, they said, effectively ran the Institute and were showered with private donations, while women were forced to fire essential staff and were shut out from power." This article is an excellent analysis of the mechanics of power and discrimination: https://www.nytimes.com/2019/04/18/magazine/salk-institute-discrimination-s… On allyship in newsrooms but also in work places: https://source.opennews.org/articles/how-be-ally-newsroom/ == Updates == NOTE NEW FORMAT! Name: Week of XYZ (planned): - What you planned for last week. Week of XYZ (actual): - What you did last week. Week of ABC (planned): - What you're planning to do this week. Help with: - Something you may need help with. PLEASE DO NOT BULK-DELETE THE OLD ENTRIES! Leave the "Planned" parts! Leave the parts for last week and this week! gaba: Last week (actual): - grant strategy meeting - self-feedback - test new nextcould instance This week (planned): - moving s27 tickets into roadmap and timeline for next few months Help with: - teor: (online for 23 April, then on leave until 21 May) Week of 15 Apr (planned): Notes: - I won't be doing reviews or merges until Wednesday or Thursday, so I can get some roadmap coding done. High-Priority: - Diagnose test-stem failures in CI #29437 and children - Post 0.4.0.4-rc backport merges - Any mainline merges - Self-Feedback and maybe Team Lead Feedback Roadmap: - CI with Chutney/Tor: #29729 and children - Other roadmap reviews Other: - Assigned reviews Week of 15 Apr (actual): Notes: - I didn't do reviews or merges until Tuesday. High-Priority: - Diagnose test-stem failures in CI #29437 and children - Post 0.4.0.4-rc backport merges - Self-Feedback Roadmap: - CI with Chutney/Tor: #29729 and children - Other roadmap reviews Other: - Assigned reviews Week of 22 Apr (planned): High-Priority: - Team Lead Feedback - Peer Feedback x 3 - Timesheets for April - I noticed some things when I did feedback, I need to write emails about them Roadmap: - Other roadmap reviews Other: - Assigned reviews - Review #23588: Onion Service v3 IPv6 minimal implementation Optional: - Respond to Mike's scaling email - Update CI for stem and sbws based on chutney's CI - Turn the bug triage queries into a trac page Week of 22 Apr (actual): High-Priority: - Team Lead Feedback - Peer Feedback x 1 Roadmap: - Other roadmap reviews Other: - Rebased #23588 and made practracker happy - Added tickets to the proposal planning pad Help with: - Contact me on Signal if you need me to do anything before I go away. - When I get back, can someone else do #29024 with me? I don't know enough about snowflake. #29024 More integration tests for tor+snowflake, possible in chutney Nick: Week of 15 April (planned): - Short vacation: Today is a state holiday for me; I'll be taking off next Monday instead since that better aligns with other people's holidays. - Short vacation: I'm also taking off from Wednesday through Friday. I'll see personally addressed email and Signal; all lists will go into my "after-vacation" folder. - Review & merge, especially 26288 (authenticated sendme) and 29209 (cpath encapsulation) - Time permitting, either add a pubsub user, or work on an ADL thing. - I want to prioritize working on stuff that would block others. Week of 15 April (actual): - review & merge! - Vacation as planned. - PETS discussions - Finish and circulate list of abbreviations. - Revisions on 28223 (unparseable microdewsc diagnostics) - While on vacation, worked a bit on an experimental Rust thing to implement a trusted module to help out a sandboxed Tor. This is the only way we can realistically have a sandbox going forward. Does this fit into any sponsor? Week of 22 (planned): - Review & merge! - Look at 29136 per request from Damian - Look at 30235 per request from Teor - Pending peer review issues - BUG triage. Pick up from Mike - Revise ticket 30091 [unified parsing in control.c] per review - Revise ticket 29223 [abbreviations] per review - More refactoring on control.c, if we can land 30091. - Plan refactoring on config.c - If time permits: More pubsub users - If time permits: ADL prototype. dgoulet (missing meeting): - AFK. Mike: Week of 4/15 (planned) - Work on child tickets of #28634 - Help asn with/review #28634 machine definitions - Vanguards blog post (pending debian packages) - Book travel Week of 4/15 (actual): - Child tickets of #28634; several now in needs_review - Discussed machine definition plans with asn - Self performance review - Bug triage Week of 4/23 (planned): - Scalability planning & discussion - write wiki page of experiments; sketch out current research kanban; attend meeting - Book lots of travel (I hope ;) \o/ - Maybe work on needs_revision #28636 items (probably not) - Maybe catch up on code reviews (probably not) catalyst: week of 04/08 (2019-W15) (planned): - reviews - finish up control.c protocol splitting (#30007) - get bootpubsub ready to review (#29976) week of 04/08 (2019-W15) (actual): - reviews - travel logistics - preliminary review on control.c command parsing refactor - cleaning up #30007 (control.c protocol splitting) -- rebased on new control-cmd branch; fought with Coccinelle some more week of 04/15 (2019-W16) (planned): - reviews - travel logistics - get #30007 into a reviewable shape - coordinate with nickm on control.c stuff as needed week of 04/15 (2019-W16) (actual): - reviews - travel logistics - self-feedback - reviewed some of control-cmd stuff week of 04/22 (2019-W17) (planned): - reviews - peer feedback (2) - finish up reviewing control-cmd - clean up control-proto (need to coordinate with nickm) asn: Week of 04/08 (planned): - Will focus on the #29209 s31 deliverable this week. I hope to have it done by the end of the week, so that I can focus on s27 for the rest of the month. Week of 04/08 (actual): - Pushed #29209 to needs_review. It's basically a limited version of the actual deliverable, where we hide a part of crypt_path_t. Left general thoughts about the task in the ticket. - Worked more on #28634 after Mike's review. Needs some more work before being back in needs_review. - Reviewed #28780 as part of Sponsor2. - Did more triaging and discussion on Sponsor27 - Fixed some bugs we got from hackerone. - Did reviews/merges. Week of 04/15 (planned): - Push #28634 back to needs_review. - Start doing initial Sponsor27 work, and brief up David. - Review/test more leftover WTF-PAD stuff. - Finish up travel arrangements for Stockholm/AllHands ahf (offline): Week of 4/15 (planned) Anti-censorship team: - Talk with cohosh about #29207/#29206 - Re-read Kat's report #2 and give some feedback. Network team: - Continue with #29930, #29645, and #30187 Misc: - Easter in Denmark coming up: will likely be less online Thursday and Friday this week. Week of 4/15 (actually) Anti-censorship team: - Talked with cohosh about remaining tasks to finish for #29207/#29206. - Send feedback to Kat. Network team: - Confirmed problem for #29930, discussed possibly solutions with Nick today. - Managed to reproduce #29645 in a very flaky manner on my desktop under very heavy load, but cannot figure out what causes it. Misc: - Went to holiday house for easter. - Got hiro setup as co-admin on Gitlab. Week of 4/24 (planned): Network team: - Submit patch for #29930 to remove warning when unlink() fails. - Try to reimplement tor_cond_wait() to use a ConditionVariable for #30187 Anti-censorship team: - Walk over WebSocket patches with cohosh and see how the stats collection code fits in for #29207 (and friends) Misc: - Book train to Stockholm - CI+coverity duty: I've seen the coverity issue that showed up today. juga: Week of 04/22 (plan): - Depending on which has higher priority, work on #29710 children or #30255 children (it seems this needs more discussion and or proposals) Help with: - Question 1: teor or network-team: which on do you think has higher priority, #29710 or #30255? - Question 2: teor or network-team: longclaw's sbws 1.1.0 has been running for more than 1 week, do we want to start running sbws 1.1.0 on basted or should #29710 and/or #30255 be solved first? [Nick will try to answer these questions if teor doesn't.]

1 0

Tails report for March 2019
by sajolida 26 Apr '19

26 Apr '19

https://tails.boum.org/news/report_2019_03/ -- sajolida

1 0

Notes from April 25 2019 Vegas team meeting
by Karsten Loesing 26 Apr '19

26 Apr '19

Notes for Apr 25 2019 meeting: Alison: 1. Tor Meeting planning - How do we feel about this agenda layout (from Tails)? https://trac.torproject.org/projects/tor/wiki/org/meetings/2019Stockholm/Da… - roadmapping - plenaries - soliciting feedback from teams 2. all LFI all the time Pili: 1) Catching up from vacations 2) S27 Roadmapping 3) Submitted Google Season of Docs application \o/ 4) Getting to grips with anticensorship proposal again Steph: 1) interview in mozilla internet health report out yesterday 2) event prep and coordination: def con, NYC fundraiser, swiss uni conference 3) newsletter coming soon 4) met with BPL librarians, may collaborate with FPF on a workshop 5) helping with community portal, reviewing illos and copy 6) experimenting with google nonprofit setup 7) press inquiry from meduza Nick: 1) Back from short break; catching up with code 2) working with gaba and team to make sure we do the most valuable S19 stuff before the contract closes. Georg: 1) back from vacation and catching up on All The Things 2) 8.5a11 got out and we hope to build 8.5 next week 3) dealing with bug bounty paperwork Sarah: 1) Helping with edits to anticensorship proposal that was approved. 2) Setting up back-end process to regularly invite donors to become monthly givers. 3) Applying to King County employee giving program. 4) Creating plan to solicit funds from for-profits. 5) Met with Michael Brennan from Ford. 6) Al submitted a proposal for $100K for general operating funds to Wallace Global Foundation isabela: 1) had a great meeting with Michael Brennan from Ford - will go back there to present my vision in June 2) working on DRL anti-censorship proposal review (we had a call w/ DRL this week too) 3) working on documentation for board meeting 4) reviewed 2 grant proposals to private foundations for general ops fund and comms fund Karsten: 1) Made progress on three new graphs on user-perceived performance: worst-case bandwidth, worst-case latency, more detailed failures and timeouts. 2) Moving forward with adding bandwidth files to Tor Metrics: currently working on metrics-lib parser and CollecTor protocol change. Mike: 1) Preparing for tor-scalability meeting tomorrow. Have initial experiments page with a couple experiments ready to send around today. 2) Sponsor2 work Antonela: 1) Working on #30000 for desktop. 2) Working on #27399, #29955 for TBA release. 3) Working on OONI ux labeled tickets to release Explorer. 4) Worked on torproject.org/download related tickets. 5) Coordinated user research with Nah in Colombia. She is traveling with gus. 6) Syncing with Caroline about reporting and next travels. 7) Worked with Al reviewing O3 for DRL. 8) I'm writing 8 peer-reviews. 9) Meetings and moar meetings this week. Gaba: 1) helping with DRL anti-censorship proposal - now figuring out security code audit (to bridgedb, tor browser?) that will be needed once grant is over (GeKo: I am fine with Tor Browser getting reviewed, (of course!); I think it would be really neat to have someone looking at BridgeDB code, though. Firefox code is getting heavily scrutinized already and the browser is a pretty big project, so the return we get from the audit might be bigger with BridgeDB.) 2) following scalability conversation 3) sponsor 27 4) checking on nextcloud 5) adjusting network team roadmap with nick 6) writing 8 peer reviews. Erin: 1) general HR stuff

1 0