- tor-project - lists.torproject.org

January 2018 report for the metrics team
by Karsten Loesing 07 Feb '18

07 Feb '18

Hello Tor, hello world! Below you'll find the highlights of Tor metrics team work done in January 2018. On behalf of the Tor metrics team, Karsten Gathered first content for specifications for statistical assessment of aggregate data, which is Sponsor 13 deliverable 2 [1]. [1] https://trac.torproject.org/projects/tor/wiki/org/sponsors/Sponsor13 Updated format of the News page on Tor Metrics [2], and added support for displaying ongoing events. [2] https://metrics.torproject.org/news.html Made various improvements to Relay Search, including displaying IPv6 addresses alongside IPv4 addresses in the search results, displaying time zones for data publication times [3], aggregated search by version number [4], and added plotting individual relay counts to the map view [5]. [3] https://bugs.torproject.org/24788 [4] https://bugs.torproject.org/6855 [5] https://atlas.torproject.org/#map_relays Shut down the Compass service [6] after integrating its main functions into Relay Search [7]. [6] https://bugs.torproject.org/24445 [7] https://atlas.torproject.org/#aggregate

1 0

Network team meeting notes, 5 Feb 2018
by Nick Mathewson 06 Feb '18

06 Feb '18

Hi! You can see logs from today's network team meeting at http://meetbot.debian.net/tor-meeting/2018/tor-meeting.2018-02-05-17.59.html Our notes follow: ===================== Network team meeting pad, 29 January 2018 Not all bits have equal value. --- Carl Sagan, Cosmos (1980) Welcome to our meeting! Mondays at 1800 UTC on #tor-meeting on OFTC. (This channel is logged while meetings are in progress.) Want to participate? Awesome! Here's what to do: 1. If you have updates, enter them below, under your name. 2. If you see anything you want to talk about in your updates, put them in boldface! 3. Show up to the IRC meeting and say hi! Note the meeting location: #tor-meeting on OFTC! (See https://lists.torproject.org/pipermail/tor-project/2017-September/001459.ht… for background.) Meeting notes from previous weeks: * https://lists.torproject.org/pipermail/tor-project/2018-January/001639.html * https://lists.torproject.org/pipermail/tor-project/2018-January/001644.html * https://lists.torproject.org/pipermail/tor-project/2018-January/001647.html Old Announcements: * Let's have some proposal discussions. Isis kicked off the process here: https://lists.torproject.org/pipermail/tor-dev/2017-December/012666.html * On the roadmap spreadsheet: Please take February tasks. (If somebody else has already taken something you want, please talk to them and/or add yourself too.) https://docs.google.com/spreadsheets/d/1Ufrun1khEo5Cwd6OwngERn829wU3W3eskdr… * 0.3.3.x is in feature-freeze. No new features (except for #24902, which has permission.). * No 0.3.4.x patches will be merged till the window opens on Feb 15. * Please, work on bugfixes! It would be great to have this release release on time. (Planned date is 15 April) * There are tons of tiny 0.3.3.x tickets. Maybe if you can do one of them in <X minutes for some small X, you should just do it? Announcements: * Support for 0.3.0.x ended on 1 Feb. (That leaves 0.2.5, 0.2.9, 0.3.1, 0.3.2, and 0.3.3). 0.2.5 is EOL in May, and 0.3.1 is EOL in July. * There are 7 tickets left in needs_review in review group 31 https://trac.torproject.org/projects/tor/query?status=accepted&status=assig… Please help all your colleagues' tickets get reviewed. * May hackfest has been approved by Shari. dgoulet, teor, and isabela are organising it off-list. See the network-team list for updates. * prop#239 discussion meeting on Thursday 8 February at 21:00-22:00 UTC in #tor-meeting Discussion: * The March pre-meeting hackfest day is Saturday 10 March 2018 We want a single-day pre-planned highly-focused hackfest Let's limit the day to 6 hours and 6 sessions? Here is a pad for topics and coordinators: https://pad.riseup.net/p/JtGrTsynqaYj teor: added IPv6, and komlo's Rust * The all teams meeting day is Sunday 11 March 2018 Current sessions are here: https://ethercalc.org/zil3cf5nm9ge teor: added PrivCount in Tor for network team and metrics teor: * Last week: - Implemented and tested Experimental PrivCount onion service stats - Fixed some more experimental PrivCount bugs - Did not get time to review or revise much Tor code - More reading on floating point, most operations we want are precisely defined by IEEE 754 * This week: - More Experimental PrivCount features - Try to merge the DDoS fixes into Experimental PrivCount - Eventually make a trac user page that lists the tickets I'm working on in priority order - Maybe I will get time to review or revise tickets this next week Roger: Mike, if you're out there, bug 22212 now includes a diagnosis and a branch that fixes it. Mike: Last week: - Worked on making the vanguards repo more usable (wrote a README, added some control port options) - Contacted Matt Wright et al about adaptive padding work - Reviewed the updates to the Tor Browser design doc This week: - Juggling vanguards, adaptive padding, other things - Will comment on #22212 Nick: * Last week: - Administriva, Rome planning, etc - Worked on 24902 merge, many reviews, many bugfixes - And did I mention the bugfixes? - Deprecated 0.3.0 - Tracked down some false positives from clusterfuzz - Tried to work somewhat on 0.3.3 ticket volume. - Release engineering. - Met with mozilla folks to braindump about Tor. Verdict: our specs were more complete than expected; they just needed a better introductory explanation. We should get to this some day now. * This week: - I'll be sitting in on a class on proofs & coq (twice a week, all spring.) - So much release engineering. I am not getting much else done. - If I can, work on any of the stuff that's been stalled as I did release engineering (bugfixes, sponsored work, etc.) dgoulet: * Last week: - Some 033 ticket triage. - Went over tickets in the review-group-31 and some tickets as well I was the owner. - We got the DoS mitigation merged in #24902. - Implemented a geoip client cache OOM handler (#25122) which also was merged. - Another important fix was #24700 got merged. The scheduler bug #25125 got opened after that found by the extra BUG() we added to #24700. - Some bugs appeared after all we've merged: #25128, #25148. * This week: - Continue the 033 review and bug squashing especially with DoS mitigation. - I hope to be able to spend time with #24554 scheduler improvements. - Performance and memory analysis. We still have relays at insane level of RAM and hugging CPU with 032 so I want to spend a bit of time looking at this again. isis: last week: * began scheduling proposal discussion meetings! please vote for times if you're interested in them! * worked on #24986/prop#249 large create cells [dgoulet]: If you have a branch for some initial code, would be good for others to skim it quickly to avoid any big design misunderstanding which would make the whole review process much more tedious (if you want early feedback that is). This is a _big_ job :) okay will do! thanks! i have a bunch of places marked with stuff like "XXX am i supposed to do Y here?" [nickm: We'd love to look at those] * some refactoring work in the process to cleanup common logic related to parsing cells * relearning how to write coccinelle scripts (their docs are… very ungood…) * should create2v_cell_body_t be contained within a var_cell_t or? * conversations with the CC * started trying to shift the Google AppEngine/Cloud/Compute account for moat to TPI ownership so that we can actually fund it and use it * attempted to diagnose a moat issue with it not finding any bridges to give #24432 * contacted a person at Intel about a type 1 spectre static analysis tool this week: * more #24986 * prop#239 meeting on thursday * probably start writing PQ KEX proposal #24990 * try to reschedule meeting with Ian about ntor changes since that meeting never happened ahf Last week Sponsor 8: - Wrote a Coccinelle "patch" [isis: lol, i feel your pain] together with Hello71 for adding type-information to calls to our allocators to track down type-information as part of allocations: example: convert tor_malloc(sizeof(T)) to tor_malloc(sizeof(T), STRINGIFY(T)). - Analyzed padding "holes" in our C struct's after a chat with Tim. Looks like we could save some bytes here and there for some of the objects, but nothing spectacular. I think I wont spend more time here and create a master ticket with the results and flag it as easy. The task is most of the time to "reorder" members. [nickm: I'm in favor of this, but only for objects that we allocate hundreds of. eg, no reason to do this for or_option_t.][ ahf: +1 ] - Debugged a platform "issue" on Android where my 8.1 device switches between 4g and WiFi. Led me to also read about Google's Quic. Misc: - Read the onion NS proposal. - Submitted a patch for #25120. - Sent an email to the network team list about GSoC - does people have anything to add here? - Went to FOSDEM. - Booked Rome traveling. - Did end of month reporting. - This week: Sponsor 8: - Memory optimization - Get back to the baselining of event loop usage that I didn't get around to last week. Misc: - Bug triaging & and update roadmap. - Find some missing data (is on people.tpo which is down right now) for Isa for s8 reporting. catalyst: Last week (2018-W05): - troubleshooting Travis Rust failure (#25127) - CoC and Statment of Values feedback - opened #25120 based on user feedback. looked up some stuff about safer ways to deal with urandom (thanks ahf!). are we comfortable with downgrading that warning without having a "safe" urandom fallback first? - still sick (but recovering) This week (2018-W06): - think about how we want to handle long-standing CI failures (and maybe write up stuff about it) - help with #25127 - look into the urandom safety aspect of #25120, or open a separate new ticket about it isabela: sponosr8 Q4 (was sick last week and couldn't really work on it) - catalyst do you have tickets i should add to the report related to s8-errors keyword [catalyst: i can double-check. it's tickets Sep-Dec 2017 for the Q4 report right? yes] sponsor4 extension is on way - work agreement suggested by nick sent out to isis roadmap in rome - working on a new process for the team that involves homework/prepwork to be done in Feb more in the email list review user feedack from testing in india asn: Last week: - Updated onion auto-redirect proposal: https://lists.torproject.org/pipermail/tor-dev/2018-February/012875.html - Reviewed #24849, #24972, #24976, #23814. - Started writing a rough skeleton implementation of prop#279. Far from the real thing but might help some volunteers get started with the project. - Did some thinking on #24456 (ripping out guardfraction). Seems like a bigger operation than originally thought. This week: - More reviews and helping the team. - Do some thinking on roadmapping for Rome meeting. - Continue writing prop#279 skeleton implementation. - Get in touch with Mike about prop247. Whatchu cooking mike? ln5: - i have a bwscanner instance chugging along (despite some unhandled errors which seem related to lost tcp connections); too early to guess how much work it'd be to turn the resulting data to use in the real network though; seems i'm not the only one who cares about this though -- both juga and tjr seem to be working on this

1 0

Tor Browser team meeting notes, 5 Feb 2018
by Georg Koppen 06 Feb '18

06 Feb '18

Hi! Here are the meeting notes for the Tor Browser meeting which just finished. The transcript can be found at: http://meetbot.debian.net/tor-meeting/2018/tor-meeting.2018-02-05-18.59.log… And here are the entries from our pad: Monday, February 05, 2018 Discussion: -sessions for the meeting days -next meeting boklm (maybe afk during meeting): Last week: - worked on some patches for: - #25111: Don't compile Yasm on our own anymore for Windows Tor Browser - #24995: include git hash in tor --version - #20892: use sha256sums-signed-build.txt in download_missing_versions - started opening sub-tickets for #18867 (Ship auto-updates for Tor Browser nightly channel) - started doing some rsyncs to upload nightly builds to nightlies.tbb.torproject.org, but rsync from an .onion seems to be too slow to rsync everything in less than a day - was at FOSDEM this weekend - afk most of this monday This week: - fix the https-everywhere test from our testsuite - work on #18867 (Ship auto-updates for Tor Browser nightly channel) - try to fix upload of builds to nightlies.tbb.torproject.org mcs and brade: Last week: - Commented on some of "our" bugs that are listed in Arthur's Uplift Tracker. - Debugged and fixed #25089 (Special characters not escaped in proxy password). - Helped a little with #25099 (Update nightly version number). - Reviewed the fix for #22794 (Don't open AF_INET/AF_INET6 sockets when AF_LOCAL is configured). - Did some bug triage, e.g., #25064 (Don't record update history). - Did a little work on #23136 (Moat integration): - Discussed backing out the SOCKS optimistic data patch. - Pinged dcf about creating a new meek tag for us. - Pinged isis regarding the problem where BridgeDB is not returning any bridges. Planned for this week: - Review the updated patch for #22794 (Don't open AF_INET/AF_INET6 sockets when AF_LOCAL is configured). - For #23136 (Moat integration): - Assist Isis as needed with the "no bridges returned" bug. - Request review of Tor Launcher's Moat client implementation. - Review gk's proposal for redesigning the security controls. - Plan Rome travel. - Triage the Tor Launcher bug list (set priorities, close outdated tickets). sysrqb: Last week: - Ran many Try builds using master and TBA branch and corrected failures - I'd like to patch tor-browser.git with some small changes so Try builds are nearly the same as official Tor Browser builds - I don't have much to discuss, but is there a reason for not doing this? - Started `step 0` of Tor Launcher integration - Built a test package, but I still need to test it - Chatted with Arthur about Tor Launcher in TBA and the current Tor Launcher proposal This week: - Update #19675 (Merge Orfox patches into tor-browser) with current status and next steps - Write a design proposal (with igt0) for TBA (in general) - Decide what the minimal viable product should be for shipping TBA - Should we ship with tor-launcher on mobile or should we release a version that still requires Orbot? - Isa, is the UX team working on designs for mobile, like a Tor Launcher flow? igt0: Last week: - Did few updates in the Tor Button Proposal (I still need to add more info about language importer): https://storm.torproject.org/shared/YzB0w-EaaSIeD8jHszY5MiyeGG7s3Br4RcTwc0F… - Update the commit message and rebased with the latest tor button version #25013 - Ported the code from #25013 to the mobile browser(https://github.com/igortoliveira/tor-browser/tree/tor-button-mobile) (it doesn't work yet because the button does not exists, so the gettorbutton method doesn't work) Geko, Arthur: are we going to move the tor circuit to the address bar? (and what about the new identity?) [Arthur says: yes -- this is #24309 and #24918][It's not decided yet what to do with New Identity but it's more a general thing, not site-specific. Thus, I am inclined to not move it to the address bar but have maybe an own button for it on the toolbar given it's importance - GeKo] This week: - Add the tor button icon in the mobile menu so i can keep integrating the tor button extension into Orfox - Add the language importer in the #25013 Geko, mcs: What about the https://trac.torproject.org/projects/tor/ticket/25126 ? do we have a design document or should we make the current page responsive? tjr Still working on Timer Fuzzing, but think I have a real path forward now Sandbox almost uplifted: gk: Can you remind me/refresh me on what the Sandbox Exports thing is? [That's a suggestion I got from bobowen to avoid mingw-related crashes on win32; they said to me that this is a thing that will be deprecated in the future IIRC and that's fine to take a different code path - GeKo] Bug people may be interested in: https://bugzilla.mozilla.org/show_bug.cgi?id=1435780 pospeselr: Last Week: patch for #22794 This Week: Firefox patch uplift Sync with Pari's spreadsheet arthuredelstein: Last week: Worked on uplift https://bugzilla.mozilla.org/show_bug.cgi?id=1433357 https://bugzilla.mozilla.org/show_bug.cgi?id=1432983 https://bugzilla.mozilla.org/show_bug.cgi?id=1432983 https://bugzilla.mozilla.org/show_bug.cgi?id=1432905 https://bugzilla.mozilla.org/show_bug.cgi?id=1433517 https://bugzilla.mozilla.org/1330467 (wrestling with weird bug in rebase) Looked into what locales we can add (#20628). Made some comments about security slider issues Discussed tor-launcher strategy with sysrqb This week Continue uplift Try to fix https://bugzilla.mozilla.org/1330467 Continue rebasing to mozilla-central Yet another revision for Save As bug (#22343) isabela Was sick most of last week. Got the extension for sponsor4 negotiated (also added 2 small tasks, so we could receive remaining funds from this grant) Working on sponsor8 report (late cuz i was sick) - will follow up with mobile team after meeting hopefully meet this wed and catch up on the circuit display work GeKo: Last week: -worked on #21777 and made little progress -wrote a patch for the .onion mixed content blocking -debugged sandbox related crashes on 64bit systems -thought a bit about Vista crashes with 7.5 (#25112) This week: -work harder on #21777 -fix tests for the .onion mixed content blocking and put ticket in needs_review -further debug sandbox related crashes on 64bit systems Georg

1 0

December & January Grants Update
by Tommy Collison 06 Feb '18

06 Feb '18

A bumper two-month update: Grants: - Wrote and submitted a grant to the Rose Foundation's consumer privacy rights fund. - Wrote and submitted a grant to OTF to support a secure email bundle. - Wrote and submitted an interim report for a general operating support grant. - Was part of a grants meeting in December to figure out our 2018 grants strategy. - Was part of another grants meeting in January to figure out our plan for the next two/three months. - Worked with Alison on a letter of inquiry to support our global south work. - Worked on a statement of interest to support our modularization work. - Worked on a statement of interest to support our Tor Browser work. - Worked with Sue, Shari, and Roger to organize and populate our grants repository, so that all our important grant proposals, contracts, reports, and deadlines live in one place. - Planned a grant for onion services. - Planned a research grant with Roger. - Copy-edited various things for different people. - Researched how foundations evaluate grants to try and write better monitoring-and-evaluation sections. - Started to research more sources of funding in places that aren't North America. As a reminder, you can use https://pipeline.torproject.net to tell me about things you're working on. I'm not the one who decides what gets funded, but I can do some financial match-making to find foundations that like to support different sorts of work. Other: - Worked with Steph to publish two more volunteer spotlights: https://blog.torproject.org/aggregation-feed-types/volunteer-spotlight - Worked with Shari, Steph, Alison, and Jon to wrap up our end-of-year crowdfunding campaign, which (thanks to Mozilla's generous match) brought in $420,522.84. How about them onions! - Worked with Shari and Steph to publish our 2017 year-in-review: https://blog.torproject.org/2017-was-big-year-tor - Continued getting my pilot's license as part of my plan to fly to the autumn Tor meeting. TC

1 0

January User issues and bugs spreadsheet
by Parinishtha Yadav 05 Feb '18

05 Feb '18

Hello everyone! Here is the spreadsheet link with issues picked up from the previous month: https://storm.torproject.org/shared/XuN4uMdY0Y6vm6G1vOZs0bx9mmRtq-MpSgKoa6W… (The spreadsheet also contains records of progress on older issues from Nov/Dec'17. Please navigate to the second and third sheet for January'18.) These issues have been picked up from various different sources like IRC, blog comments, stack exchange, reddit and RT. Feel free to reach out to me in case there are any updates/feedback on the issues listed. *A brief overview of the updates and progress on issues from Dec/Nov'17 spreadsheet:* 1. Issues listed that were closed/fixed: * #24511 <https://trac.torproject.org/projects/tor/ticket/24511>: TorBrowser 7.5 a8 takes multiple minutes to connect * #23970 <https://trac.torproject.org/projects/tor/ticket/23970> : Printing to a file is broken with Linux content sandboxing enabled * #24709 <https://trac.torproject.org/projects/tor/ticket/24709> : Tor Browser Error Message 0x80520015 (NS_ERROR_FILE_ACCESS_DENIED) on "New Identity" on Windows * #24052 <https://trac.torproject.org/projects/tor/ticket/24052> : Streamline handling of file:// resources on OS X and Linux * #18947 <https://trac.torproject.org/projects/tor/ticket/18947> : 6.0a5 is not starting on OS X if put into /Applications 2. Issues that remain open/ were reopened: * #23968 <https://trac.torproject.org/projects/tor/ticket/23968> (reopened defect): NoScript icon jumps to the right after update * #23620 <https://trac.torproject.org/projects/tor/ticket/23620> : Tor lies about "Optimistically trying directory fetches again" * #24136 <https://trac.torproject.org/projects/tor/ticket/24136> : After loading file:// URLs clicking on links is broken on OS X and Linux 3. Many of the user queries and commonly asked doubts from Nov/Dec have been included in the Support Portal FAQs by the Community Team. *Themes in the January'18 sheet:* January saw the release of Tor Browser 7.5, 8.0a1 and most of the listed items are bugs around these. There is also some user feedback on UI of the 7.5. Apart from this, some general queries on installing and connecting, video streaming and running relays. Best, Pari

1 0

Notes from February 1 2018 Vegas team meeting
by Karsten Loesing 02 Feb '18

02 Feb '18

Notes for February 1 2018 meeting: Nick: 1) Met with Mozilla folks on Mon/Tue to braindump. Things seemed to have gone well. They seem more comfortable with our design and specs than they were coming into it 2) More stable releases coming soon, probably some time next week. 3) Alphas including DoS mitigation coming soon too, I hope. 4) Trying to sequence fixes for TROVE-2018-001 and TROVE-2018-002 and the ongoing DoS. Georg: 1) Finished another bunch of items from my backlog (design doc update/proposal comments/proposal write-up) 2) Began to think about possible team meetings on the team meetings day in Rome making sure we are aware of requirements by other teams 3) We are starting to focus on our preparations for Firefox 60 ESR Shari: 1) I'm *still* sick. It's definitely slowing me down. :( 2) Hired new CFGO. Her name is Heather, and she starts February 19. She hopes to move to Seattle in March. (She currently lives in Oklahoma.) 3) Trying out bluejeans conference software. Was unimpressed first meeting. (It couldn't detect my camera, and Alison had trouble logging in.) Gonna give it another chance and probably try Chime next (https://aws.amazon.com/chime/) 4) Working with Sue on audit and other financial cleanup. 5) Various edits to funding documents. 6) Talking with Laura at DRL next week about our modularization proposal. 7) Various personnel things. Alison: 1) Lots of great feedback on the meeting mailing list about scheduling. I will send a response with some more ideas from the meeting organizers today or tomorrow. 2) Rightscon tickets...do we have to do anything else on this? 3) Organizing a meeting to talk about the HOPE CFP and other Tor plans there -- Wednesday February 7 at 1600 UTC in #tor-meeting (sending out a reminder email today) 4) CoC conversation is still open; hoping to get open comments resolved by Friday and then ask for co-sponsors. 5) Library Freedom Institute update: today is the deadline for applications and we're getting tons! I'm still looking for a couple more Tor people to do guest lectures (online or in NYC). 6) Preparing for the Tor meetup on February 15th and for a talk at Barnard College that weekend 7) Did you schedule your team meeting days for Rome? Karsten: 1) Evaluated 2017/18 roadmap progress and found that we're pretty much on track (yay!): https://trac.torproject.org/projects/tor/wiki/org/teams/MetricsTeam#Burndow… 2) Compiled first 20 pages of content for Reproducible Metrics deliverable for Sponsor 13. 3) Merged CollecTor's webstats module, but still need to make performance optimizations in order to support bulk imports. 4) Still working on Onionoo's graph issue after relays increased bandwidth reporting interval from 4 to 24 hours. Steph: 1) Published post to encourage news orgs & activists to set up onions, got feedback from several folks (dev and comms). 2) Newsletter went out yesterday 3) Working on relay guide blog post. Edited several other posts. Working with Tommy on upcoming volunteer spotlights. 4) Jon, Tommy, and I are getting segmentation training from GR isabela: 1) super sick and behind on a loooooooooooot of things 2) reviewed SOI modularization and SOI TB desktop - asked tommy to share it with gk too 3) will ping adam for the extension contract (and give him what he needs for that) - emailed isis work agreement copied shari and nick 4) today (and maybe tomorrow but i hope not but i am still super sick so ... who knows) get Q4 sponsor8 report out 5) will be at valencia with ux team doing user testing before rome Mike: 1) Working on guard-discovery defenses and packaging for the vanguard script

1 0

January 2018 Transifex report
by Colin Childs 02 Feb '18

02 Feb '18

Hi everyone, Below is the monthly Transifex report for January, 2018: ### Report Attached are daily, weekly and monthly translation graphs. The Y axis is "source words”. 12.76k source words 1.43k source strings 3,429 collaborators 154 languages 42 Project resources 17 languages at 100% completion (across all 42 project resources): Bengali (Bangladesh) (bn_BD) Catalan (ca) Chinese (China) (zh_CN) Chinese (Taiwan) (zh_TW) Dutch (nl) English (United Kingdom) (en_GB) French (fr) French (Canada) (fr_CA) German (de) Hebrew (he) Indonesian (id) Irish (ga) Italian (it) Norwegian Bokmål (nb) Portuguese (Brazil) (pt_BR) Spanish (es) Turkish (tr) -- Colin Childs Tor Project https://www.torproject.org Twitter: @Phoul

1 0

Notes from network team meeting, 29 Jan 2018
by Alexander Færøy 31 Jan '18

31 Jan '18

Hello! Our meeting IRC logs can be found at: http://meetbot.debian.net/tor-meeting/2018/tor-meeting.2018-01-29-18.00.html Pad copied below ---------------- Network team meeting pad, 29 January 2018 La lettre N formait sans doute l'initiale du nom de l'énigmatique personnage qui commandait au fond des mers ! --- Jules Verne, _VINGT MILLE LIEUES SOUS LES MERS_ Welcome to our meeting! Mondays at 1800 UTC on #tor-meeting on OFTC. (This channel is logged while meetings are in progress.) Want to participate? Awesome! Here's what to do: 1. If you have updates, enter them below, under your name. 2. If you see anything you want to talk about in your updates, put them in boldface! 3. Show up to the IRC meeting and say hi! Note the meeting location: #tor-meeting on OFTC! (See https://lists.torproject.org/pipermail/tor-project/2017-September/001459.ht… for background.) Meeting notes from previous weeks: * https://lists.torproject.org/pipermail/tor-project/2018-January/001639.html * https://lists.torproject.org/pipermail/tor-project/2018-January/001644.html Old Announcements: - Let's have some proposal discussions. Isis kicked off the process here: https://lists.torproject.org/pipermail/tor-dev/2017-December/012666.html - We are planning a single-day pre-planned highly-focused hackfest before the Rome Tor meeting - teor: pre-Rome hackfest venue is confirmed - komlo: Should there be a Rust update/planning session? What should we prepare/do beforehand to help this be planned/highly-focused? - On the roadmap spreadsheet: Please take February tasks. (If somebody else has already taken something you want, please talk to them and/or add yourself too.) https://docs.google.com/spreadsheets/d/1Ufrun1khEo5Cwd6OwngERn829wU3W3eskdr… Announcements: * 0.3.3.x is in feature-freeze. No new features (except for #24902, which has permission.). * No 0.3.4.x patches will be merged till the window opens on Feb 15. * Please, work on bugfixes! It would be great to have this release release on time. (Planned date is 15 April) * Support for 0.3.0.x will end on 1 Feb. * There are tons of tiny 0.3.3.x tickets. Maybe if you can do one of them in <X minutes for some small X, you should just do it? * Review group 31 is open! https://trac.torproject.org/projects/tor/query?status=accepted&status=assig… -- please help all your colleagues' tickets get reviewed. Discussion: * There are over 200 open tickets in 0.3.3.x. Some are bugs we should fix. Some we should defer to 0.3.4.x. Some should get tossed into the aether. Suggested process? * We have way too many open tickets left in 0.3.3.x, including ones that are assigned to people. Is this how it should be? Where, if anywhere did we go wrong? How to do better in 0.3.4.x? * There are still tickets left in 0.3.2.x. What shall we do with them? Let's get them done soon. * Looks like 28 May - 1 June 2018 and 4 June - 8 June 2018 are good dates for a hackfest. Which week do we want to do a hackfest? (4 - 8 June is just before Mozilla All-Hands) Which city/country? Does anyone want to help organise it? [teor can do some of the organising] [dgoulet: Replied offering my help][isa can help too] Nick: * Last week: - Released 0.3.3.1-alpha, including review and merge of lots of last-minute patches. - Reviewed #24902 a bunch. - Began big triage on remaining 0.3.3.x tickets. - Grabbed many small 0.3.3.x tickets and did them. - Talked w isis et al about TLS1.3. - Tried OpenSSL 1.1.1's git master branch (openssl is not yet released). Found various bugs. Navigated openssl's contributor license agreement and code review bureaucracy * This week: - Missing Monday and Tuesday: in a meeting with mozilla folks in Boston, brain-dumping all the Tor internals. - More triage on 0.3.3.x and 0.3.4.x. - More bugfixes, review, merging. teor: * Last week: - (experimental) PrivCount bug fixes and client descriptor fetch stubs - Still keeping my relays operating and supporting relay operators - Did not get time to review or revise much Tor code - The test network started running new IPv6 consensus methods 27 & 28 (The microdescs and microdesc consensus changed, nothing crashed) - Read up on general floating point issues, and read Rust's Rand f64 impl - It was a short week for me due to a local public holiday * This week: - Fix some more experimental PrivCount bugs - Implement and test experimental PrivCount onion service stats - Make a trac user page that lists the tickets I'm working on in priority order - Maybe I will get time to review or revise tickets this week asn: [Not sure if I will be present in meeting tonight. Woke up pretty early.] Last week: - More review on #24902. Found some bugs and wrote another unittest for it. - Coded #24896 and it's now on needs_review. Works fine on my HSes. - Did some research stuff. Met with a researcher who is interested in integrating PIR with HSDirs. Helped them out with chutney and gave them a few pointers on the tor codebase. - Opened a few prop224 tickets of bugs I encountered: #24972, #24976, #24977 Also reviewed's nick's patch for #24972. - Opened #24973 which might be yet another way that clients overwhelm the network. This week: - Bug triage and coverity duties. - Work on prop279 (name system proposal). - More prop247 or whatever else needs work/reviewing. dgoulet: * Last week: - Finalized code for #24902. An v4 branch now exists. Been running for at least 5 days now so I think it is getting more and more in a state to be merged upstream. - Small review on #24914 - Opened #24962, a parent ticket for most of our Tor2web DoS issues. And also two child tickets. - Bug found by arma while reviewing #24902, I opened #24975 for it. * This week: - Address reviews on #24902. I expect this to be much less work than last week thus allowing me to put time in other things. - 0.3.3.x bug triage. - Ticket work for which I really need to have them in a better state: #22781, #24554 and #24975. isabela: - got extension from sponsor4 - working on email/agreement to isis, suggested by nick. - sponsor8 Q4 report - reading pwr research on .onion / also planning on digesting our user testing results (probably on thursday/frida) and starting to put together a write up of it - team meeting on March 11 **different from team hackfest on the 10th** - this should be for retrospective, roadmapping etc. [sent email about it] catalyst: Last week (2018-W04): * reviewed #24484 * worked on making us have a better-functioning github repo * our "official" github repo is building on Travis CI now! * CoC review * sick day spent in Urgent Care again (very persistent respiratory infection) This week (2018-W05): * review tickets * CoC and Statement of Values feedback * more github adjustments as needed * draft some text about how people should interact with our github repo * try to get enough uninterrupted time to focus on #24661 Mike: Last week: - Fixed a couple purposed-related warn bugs from the vanguard prototype - Began brainstorming things the controller could do This week: - Write a README for the vanguard controller; make it more usable for 0.3.3 alpha users - Maybe start cleaning up prop247? ahf Last week: Sponsor 8: - Convert DTrace programs to SystemTap to allow more people to use it. - Spend some time getting SystemTap to work on my laptop in Qubes VM's. - Looked into some old discussions from the WebKit community on memory profiling. Misc: - Found and fixed #25026. - Got approval for Rome traveling, aiming for arriving the 7th and leaving the 16th. - Some Torsocks compatibility issue on some Linux'es. Hello71 submitted a patch that includes a fix for this in #24967 (+ some macos issues). - Read up on the prop#279 (naming layer) and especially around using it with catch-all TLD's. This week: Sponsor 8: - Begin initial memory optimization work on smartlist_t usage. - After Tim's suggestion: look into struct padding size. - Collect some baseline information for event loop usage. Misc: - Going to FOSDEM on Friday. Wont be online after 12 UTC until the evening. Limited communications over the weekend. - End of the month reporting. isis last week: - last few bugs in moat #24432 - google shut down access to my appengine account for the moat reflector - implementing prop#249 (#24986) - worked on the TLS 1.3 proposal - organised the steps to getting to a post-quantum secure circuit-layer handshake and made tickets for each #24985 this week: - schedule proposal meetings - more prop#249 work - get moat accounts shifted over to TPO ownership -- Alexander Færøy

1 0

Tor Browser team meeting notes, 29 Jan 2018
by Georg Koppen 30 Jan '18

30 Jan '18

Hi! We had another Tor Browser meeting yesterday in #tor-meeting. Here is the meeting transcript: http://meetbot.debian.net/tor-meeting/2018/tor-meeting.2018-01-29-18.59.log… And the notes from the pad are: Monday, January 29, 2018 Discussion: - Tor patch uplift plan - Sessions we want to have for the team meeting day GeKo: Last week: 1) Finished design doc update (#21256) 2) Finally finished debugging (#22256) and posted a backported patch for review 3) Dealt with release and post-release work (going over blog comments/new tickets etc.) 4) Continued writing the "Redesign of Tor Browser's security controls"-proposal 5) Some reviews 6) tjr: do you have https://bugzilla.mozilla.org/show_bug.cgi?id=1392604 on your radar too? Or should we try to deal with it for ESR 60? (GeKo: We poke ourselves I guess) This week: 1) More reviews 2) Finish the proposal and post it to tbb-dev for further discussion 3) Get back to work on #21777 (new clang-based toolchain for Windows cross-builds) 4) Get back to get the sandbox running on Windows 64bit (#24197) 5) Work on exempting .onions from mixed content warnings (#23439) 6) Look at tor launcher proposal 7) Monthly team admin stuff tjr: mcs/brade: Can you explain https://trac.torproject.org/projects/tor/ticket/19121 / https://gitweb.torproject.org/tor-browser.git/patch/?id=a4341a6 to me? from mcs: We reinstated a check that Mozilla removed. With the hash check in place, all MAR files that are applied must be "advertised" in the update.xml metadata. Mozilla views this check as unnecessary because all MAR files are signed. We were more comfortable keeping the check in case there is some kind of update attack that we did not think of that removing the check makes possible. gk and mikeperry might have something specific in mind (gk agreed that we should reinstate the check). GeKo: nothing specific, but with that check an attacker has to break more than the signing in at least a bunch of scenarios and given that automatic updates are pretty important to safeguard we felt having two independent systems in place makes more sense. tjr: So we're protecting against an attacker than can a) send the wrong update files b) forge or bypass the mar signatures but can't c) send their own update.xml file (which isn't cryptographicly verified and only contains a list of hashes?) Why could they do (a) but not (c)? Spectre Stuff More timer stuff Lots of JIT stuff landed MinGW Sandbox almost uplifted! (GeKo: I wonder whether we don't need to take care about the SANDBOX_EXPORTS or whether we want to have this uplifted as well) Fixed several mingw build breaks that popped up Wrote a (rudimentary) Binary Transparency auditor for Moz's in-progress BT stuff Arthur, Richard and I quick-triaged ~200 tor bugs Have some followup from this we will talk about in our Tuesday-same-time-as-this meeting All P1 bugs we are trying to get into 60: https://mzl.la/2DyHp6B All P2 bugs we are going to try and get into 61-62: https://mzl.la/2E7hzrH (GeKo: I think I want to work on the remaining .onion mixed content bug and get both pieces upstreamed into ESR 60) tjr: Is that https://bugzilla.mozilla.org/show_bug.cgi?id=1382359 ? I'll P1 it and assign them to you if so (GeKo: yes, that's the bug) mcs and brade: Last week: - Did some testing of Tor Browser 7.5-build3 and 8.0a1-build3 on OSX (focused on the updater). - Looked at icons and branding some more: #10888 (Mozilla trademarks still remain in some about: urls) #24578 (about:tbupdate popup notification formatting error) - Posted a patch for #24159 (Torbutton version check does not deal properly with platform specific checks). - After Isis fixed a server-side problem, we were able to resume work on #23136 (Moat integration). We found a meek client/Tor Browser issue that dcf is helping us solve. We found a problem where BridgeDB is not returning any bridges which Isis will need to help us solve. Planned for this week: - More work on #23136 (Moat integration). - Work with dcf to solve the meek client/Tor Browser SOCKS optimistic data bug. - Assist Isis as needed with the "no bridges returned" bug. - Review and comment on some of "our" bugs that are listed in Arthur's Uplift Tracker. - Triage the Tor Launcher bug list (set priorities, close outdated tickets). igt0: Last Week: - Sent patch moving Tor Button to Tor Browser repository (#25013) - Removed Tor Button from the Tor Browser build (#25013) - Continued work on Integrating Tor Button in the Tor Browser mobile version (#24855) This week: - Work in the (#24855) - I still need to investigate https://bugzilla.mozilla.org/show_bug.cgi?id=1415595 from tjr: While this would be nice, I think the protections provided by fortify source are small enough that it isn't a huge priority. Just my opinion. pospeselr: Last Week: - continued work on #22794 (Don't open AF_INET/AF_INET6 sockets when AF_LOCAL is configured.) - Jury Duty - met with tjr and arthur re tor uplift This Week: - finish #22794 - begin work on tor uplift patches sysrqb: Last week: Continued working on Orfox patches. - Running mochi, junit, etc tests take a painfully long time - Mochitests fail when the Android App is not the focused UI element - After running the mochitests on a headless server, I finally found why all the UI tests were failing: https://people.torproject.org/~sysrqb/screenshot3.png - Debugged and patched some failing tests Worked a little on TorLauncher on Mobile (thinking about how we should integrate it) Read about HTTP/2 (over the weekend) and started thinking about how we can evaluate it and enable pieces of it Also read about QUIC and started thinking about how Tor can prepare for that This week: Finally finish the Orfox patches and request review Work on a branch tor-browser-build for TBA (Tor Browser for Android) Review Tor Browser uplift patch list tjr: Do you have mozilla try access? Might be useful/faster for unit tests, especially if you have n changes you want to test independently. sysrqb: Nope, but that sounds extremely useful. GeKo mentioned that last week, too, but I don't know how I should go about requesting access (igt0 will probably appreciate having access too) arthur: I got access following these instructions: https://wiki.mozilla.org/ReleaseEngineering/TryServer#Getting_access_to_the… Also I use https://github.com/mozilla/moz-git-tools which allows you to use git to push to the try servers. tjr: Yea, do that and send me the bug you file and I'll nominate you. sysrqb: sweet! thanks! I didn't actually think about looking for a doc about how to do it...will do! boklm: Last week: - published the new releases - finished #6119 (FPCentral) and all sub-tickets - started fixing some testsuite issues This week: - Fix upload of nightly builds to https://nightlies.tbb.torproject.org/ and enable testsuite on nightly builds - Fix testsuite issues to have all tests passing - Start working on #18867 (Ship auto-updates for Tor Browser nightly channel) - Will be afk next monday (but should be there for the meeting) arthuredelstein: Last week: Opened lots of bugzilla tickets Updated torpat.ch Created uplift patches for 1433357, 1433507, 1433509. Working on 1432983 Continued to rebase patches for mozilla-central This week: Uplift, uplift, and away! More rebasing Also want to look at HTTP/2 -- sysrqb: would be useful to chat about this - from sysrqb: ack yes isabela: - working with sponsor4 on extension - we got it, just need new contract to sign etc. also working with network team / isis on organizing their work for finishing this deliverable - sponsor8 report due wed - meeting with arthur and geko on wed 1900utc (confirmed? antonela said that works for her) on circuit display work (GeKo: works for me) (arthur: wfm too) Georg

1 0

Notes from January 25 2018 Vegas team meeting
by Karsten Loesing 26 Jan '18

26 Jan '18

Notes for January 25 2018 meeting: Alison: 1) Code of conduct discussion is progressing well! I hope we can begin voting sometime next week. 2) Coordinating guest lecturers for LFI. 3) Giving a talk at Georgetown this Friday. 4) Tor Meeting stuff. Will send out an email about the open days to the meeting list soon. 5) Who is submitting talks for the HOPE CFP? We should have a coordinating meeting. Georg: 1) Tor Browser 7.5 is out! I am happy with it so far and have been especially happy about the good work we did with the UX-team. Karsten: 1) We'd like to get support with proofreading and editing documentation for Sponsor 13. Very rough estimate is 50,000 words for 30 specifications for reproducing Tor Metrics graphs or tables with 1,000 words each on average and 1 technical report of 20,000 words. Should we contract this out to somebody, ask a friendly Tor person whose first language is English to do this for us, or just do our best at writing? [Answer: Start by asking Tommy, and consider contracting this to somebody else later in the process.] 2) Made a very first step forward towards writing documentation for Sponsor 13. 3) CollecTor module to sanitize Tor web server logs almost complete. Last tests are running, might get this done by end of this month. 4) Can I create EC2 accounts for iwakeh and irl to do resource-intensive metrics tasks? We once had a that Tor employees/contractors could have such accounts as long as they keep their usage below 30$/month. But that policy is 2.5 years old and predates Shari's time at Tor. Is it still a good policy? [Answer: yes, do it if it's appropriate and really that cheap.] Nick: 1) Putting out an alpha today; another alpha to follow in 5-14 days. 2) Deferring more stable releases until we can get dgoulet's #24902 anti-dos code tested in an alpha. 3) Meeting with Mozilla folks on Monday/Tuesday to brain-dump about Tor internals. Probably will have limited net presence. 4) Scrambling to get 0.3.3.x freeze period to go well. Mike: 1) Continuing work on guard discovery defenses. Arturo: 1) We are releasing a new version of the OONI Probe app, that definitively changes the name from ooniprobe to OONI Probe 2) Made a lot of progress in terms of implementing the revamped OONI Explorer 3) We have established a new partnership with Tuwindi Foundation (Mali), see: https://twitter.com/OpenObservatory/status/956167750874992645 4) Migrating our database and improving the latency of OONI Explorer and API is moving forward well 5) Thanks to the localisation lab and many community members some new strings for OONI Probe have been translated to 10 languages. 6) We will be hosting a OONI workshop in Kampala (Uganda), we have been preparing the training material and correcting assignments for the course 7) Several test lists (NG, UG, SS) have been updated thanks to URLs provided by community members

1 0