- tor-project - lists.torproject.org

Tor Browser team meeting notes, 5 Feb 2018
by Georg Koppen 05 Feb '18

05 Feb '18

Hi! Here are the meeting notes for the Tor Browser meeting which just finished. The transcript can be found at: http://meetbot.debian.net/tor-meeting/2018/tor-meeting.2018-02-05-18.59.log… And here are the entries from our pad: Monday, February 05, 2018 Discussion: -sessions for the meeting days -next meeting boklm (maybe afk during meeting): Last week: - worked on some patches for: - #25111: Don't compile Yasm on our own anymore for Windows Tor Browser - #24995: include git hash in tor --version - #20892: use sha256sums-signed-build.txt in download_missing_versions - started opening sub-tickets for #18867 (Ship auto-updates for Tor Browser nightly channel) - started doing some rsyncs to upload nightly builds to nightlies.tbb.torproject.org, but rsync from an .onion seems to be too slow to rsync everything in less than a day - was at FOSDEM this weekend - afk most of this monday This week: - fix the https-everywhere test from our testsuite - work on #18867 (Ship auto-updates for Tor Browser nightly channel) - try to fix upload of builds to nightlies.tbb.torproject.org mcs and brade: Last week: - Commented on some of "our" bugs that are listed in Arthur's Uplift Tracker. - Debugged and fixed #25089 (Special characters not escaped in proxy password). - Helped a little with #25099 (Update nightly version number). - Reviewed the fix for #22794 (Don't open AF_INET/AF_INET6 sockets when AF_LOCAL is configured). - Did some bug triage, e.g., #25064 (Don't record update history). - Did a little work on #23136 (Moat integration): - Discussed backing out the SOCKS optimistic data patch. - Pinged dcf about creating a new meek tag for us. - Pinged isis regarding the problem where BridgeDB is not returning any bridges. Planned for this week: - Review the updated patch for #22794 (Don't open AF_INET/AF_INET6 sockets when AF_LOCAL is configured). - For #23136 (Moat integration): - Assist Isis as needed with the "no bridges returned" bug. - Request review of Tor Launcher's Moat client implementation. - Review gk's proposal for redesigning the security controls. - Plan Rome travel. - Triage the Tor Launcher bug list (set priorities, close outdated tickets). sysrqb: Last week: - Ran many Try builds using master and TBA branch and corrected failures - I'd like to patch tor-browser.git with some small changes so Try builds are nearly the same as official Tor Browser builds - I don't have much to discuss, but is there a reason for not doing this? - Started `step 0` of Tor Launcher integration - Built a test package, but I still need to test it - Chatted with Arthur about Tor Launcher in TBA and the current Tor Launcher proposal This week: - Update #19675 (Merge Orfox patches into tor-browser) with current status and next steps - Write a design proposal (with igt0) for TBA (in general) - Decide what the minimal viable product should be for shipping TBA - Should we ship with tor-launcher on mobile or should we release a version that still requires Orbot? - Isa, is the UX team working on designs for mobile, like a Tor Launcher flow? igt0: Last week: - Did few updates in the Tor Button Proposal (I still need to add more info about language importer): https://storm.torproject.org/shared/YzB0w-EaaSIeD8jHszY5MiyeGG7s3Br4RcTwc0F… - Update the commit message and rebased with the latest tor button version #25013 - Ported the code from #25013 to the mobile browser(https://github.com/igortoliveira/tor-browser/tree/tor-button-mobile) (it doesn't work yet because the button does not exists, so the gettorbutton method doesn't work) Geko, Arthur: are we going to move the tor circuit to the address bar? (and what about the new identity?) [Arthur says: yes -- this is #24309 and #24918][It's not decided yet what to do with New Identity but it's more a general thing, not site-specific. Thus, I am inclined to not move it to the address bar but have maybe an own button for it on the toolbar given it's importance - GeKo] This week: - Add the tor button icon in the mobile menu so i can keep integrating the tor button extension into Orfox - Add the language importer in the #25013 Geko, mcs: What about the https://trac.torproject.org/projects/tor/ticket/25126 ? do we have a design document or should we make the current page responsive? tjr Still working on Timer Fuzzing, but think I have a real path forward now Sandbox almost uplifted: gk: Can you remind me/refresh me on what the Sandbox Exports thing is? [That's a suggestion I got from bobowen to avoid mingw-related crashes on win32; they said to me that this is a thing that will be deprecated in the future IIRC and that's fine to take a different code path - GeKo] Bug people may be interested in: https://bugzilla.mozilla.org/show_bug.cgi?id=1435780 pospeselr: Last Week: patch for #22794 This Week: Firefox patch uplift Sync with Pari's spreadsheet arthuredelstein: Last week: Worked on uplift https://bugzilla.mozilla.org/show_bug.cgi?id=1433357 https://bugzilla.mozilla.org/show_bug.cgi?id=1432983 https://bugzilla.mozilla.org/show_bug.cgi?id=1432983 https://bugzilla.mozilla.org/show_bug.cgi?id=1432905 https://bugzilla.mozilla.org/show_bug.cgi?id=1433517 https://bugzilla.mozilla.org/1330467 (wrestling with weird bug in rebase) Looked into what locales we can add (#20628). Made some comments about security slider issues Discussed tor-launcher strategy with sysrqb This week Continue uplift Try to fix https://bugzilla.mozilla.org/1330467 Continue rebasing to mozilla-central Yet another revision for Save As bug (#22343) isabela Was sick most of last week. Got the extension for sponsor4 negotiated (also added 2 small tasks, so we could receive remaining funds from this grant) Working on sponsor8 report (late cuz i was sick) - will follow up with mobile team after meeting hopefully meet this wed and catch up on the circuit display work GeKo: Last week: -worked on #21777 and made little progress -wrote a patch for the .onion mixed content blocking -debugged sandbox related crashes on 64bit systems -thought a bit about Vista crashes with 7.5 (#25112) This week: -work harder on #21777 -fix tests for the .onion mixed content blocking and put ticket in needs_review -further debug sandbox related crashes on 64bit systems Georg

1 0

December & January Grants Update
by Tommy Collison 05 Feb '18

05 Feb '18

A bumper two-month update: Grants: - Wrote and submitted a grant to the Rose Foundation's consumer privacy rights fund. - Wrote and submitted a grant to OTF to support a secure email bundle. - Wrote and submitted an interim report for a general operating support grant. - Was part of a grants meeting in December to figure out our 2018 grants strategy. - Was part of another grants meeting in January to figure out our plan for the next two/three months. - Worked with Alison on a letter of inquiry to support our global south work. - Worked on a statement of interest to support our modularization work. - Worked on a statement of interest to support our Tor Browser work. - Worked with Sue, Shari, and Roger to organize and populate our grants repository, so that all our important grant proposals, contracts, reports, and deadlines live in one place. - Planned a grant for onion services. - Planned a research grant with Roger. - Copy-edited various things for different people. - Researched how foundations evaluate grants to try and write better monitoring-and-evaluation sections. - Started to research more sources of funding in places that aren't North America. As a reminder, you can use https://pipeline.torproject.net to tell me about things you're working on. I'm not the one who decides what gets funded, but I can do some financial match-making to find foundations that like to support different sorts of work. Other: - Worked with Steph to publish two more volunteer spotlights: https://blog.torproject.org/aggregation-feed-types/volunteer-spotlight - Worked with Shari, Steph, Alison, and Jon to wrap up our end-of-year crowdfunding campaign, which (thanks to Mozilla's generous match) brought in $420,522.84. How about them onions! - Worked with Shari and Steph to publish our 2017 year-in-review: https://blog.torproject.org/2017-was-big-year-tor - Continued getting my pilot's license as part of my plan to fly to the autumn Tor meeting. TC

1 0

January User issues and bugs spreadsheet
by Parinishtha Yadav 05 Feb '18

05 Feb '18

Hello everyone! Here is the spreadsheet link with issues picked up from the previous month: https://storm.torproject.org/shared/XuN4uMdY0Y6vm6G1vOZs0bx9mmRtq-MpSgKoa6W… (The spreadsheet also contains records of progress on older issues from Nov/Dec'17. Please navigate to the second and third sheet for January'18.) These issues have been picked up from various different sources like IRC, blog comments, stack exchange, reddit and RT. Feel free to reach out to me in case there are any updates/feedback on the issues listed. *A brief overview of the updates and progress on issues from Dec/Nov'17 spreadsheet:* 1. Issues listed that were closed/fixed: * #24511 <https://trac.torproject.org/projects/tor/ticket/24511>: TorBrowser 7.5 a8 takes multiple minutes to connect * #23970 <https://trac.torproject.org/projects/tor/ticket/23970> : Printing to a file is broken with Linux content sandboxing enabled * #24709 <https://trac.torproject.org/projects/tor/ticket/24709> : Tor Browser Error Message 0x80520015 (NS_ERROR_FILE_ACCESS_DENIED) on "New Identity" on Windows * #24052 <https://trac.torproject.org/projects/tor/ticket/24052> : Streamline handling of file:// resources on OS X and Linux * #18947 <https://trac.torproject.org/projects/tor/ticket/18947> : 6.0a5 is not starting on OS X if put into /Applications 2. Issues that remain open/ were reopened: * #23968 <https://trac.torproject.org/projects/tor/ticket/23968> (reopened defect): NoScript icon jumps to the right after update * #23620 <https://trac.torproject.org/projects/tor/ticket/23620> : Tor lies about "Optimistically trying directory fetches again" * #24136 <https://trac.torproject.org/projects/tor/ticket/24136> : After loading file:// URLs clicking on links is broken on OS X and Linux 3. Many of the user queries and commonly asked doubts from Nov/Dec have been included in the Support Portal FAQs by the Community Team. *Themes in the January'18 sheet:* January saw the release of Tor Browser 7.5, 8.0a1 and most of the listed items are bugs around these. There is also some user feedback on UI of the 7.5. Apart from this, some general queries on installing and connecting, video streaming and running relays. Best, Pari

1 0

Notes from February 1 2018 Vegas team meeting
by Karsten Loesing 02 Feb '18

02 Feb '18

Notes for February 1 2018 meeting: Nick: 1) Met with Mozilla folks on Mon/Tue to braindump. Things seemed to have gone well. They seem more comfortable with our design and specs than they were coming into it 2) More stable releases coming soon, probably some time next week. 3) Alphas including DoS mitigation coming soon too, I hope. 4) Trying to sequence fixes for TROVE-2018-001 and TROVE-2018-002 and the ongoing DoS. Georg: 1) Finished another bunch of items from my backlog (design doc update/proposal comments/proposal write-up) 2) Began to think about possible team meetings on the team meetings day in Rome making sure we are aware of requirements by other teams 3) We are starting to focus on our preparations for Firefox 60 ESR Shari: 1) I'm *still* sick. It's definitely slowing me down. :( 2) Hired new CFGO. Her name is Heather, and she starts February 19. She hopes to move to Seattle in March. (She currently lives in Oklahoma.) 3) Trying out bluejeans conference software. Was unimpressed first meeting. (It couldn't detect my camera, and Alison had trouble logging in.) Gonna give it another chance and probably try Chime next (https://aws.amazon.com/chime/) 4) Working with Sue on audit and other financial cleanup. 5) Various edits to funding documents. 6) Talking with Laura at DRL next week about our modularization proposal. 7) Various personnel things. Alison: 1) Lots of great feedback on the meeting mailing list about scheduling. I will send a response with some more ideas from the meeting organizers today or tomorrow. 2) Rightscon tickets...do we have to do anything else on this? 3) Organizing a meeting to talk about the HOPE CFP and other Tor plans there -- Wednesday February 7 at 1600 UTC in #tor-meeting (sending out a reminder email today) 4) CoC conversation is still open; hoping to get open comments resolved by Friday and then ask for co-sponsors. 5) Library Freedom Institute update: today is the deadline for applications and we're getting tons! I'm still looking for a couple more Tor people to do guest lectures (online or in NYC). 6) Preparing for the Tor meetup on February 15th and for a talk at Barnard College that weekend 7) Did you schedule your team meeting days for Rome? Karsten: 1) Evaluated 2017/18 roadmap progress and found that we're pretty much on track (yay!): https://trac.torproject.org/projects/tor/wiki/org/teams/MetricsTeam#Burndow… 2) Compiled first 20 pages of content for Reproducible Metrics deliverable for Sponsor 13. 3) Merged CollecTor's webstats module, but still need to make performance optimizations in order to support bulk imports. 4) Still working on Onionoo's graph issue after relays increased bandwidth reporting interval from 4 to 24 hours. Steph: 1) Published post to encourage news orgs & activists to set up onions, got feedback from several folks (dev and comms). 2) Newsletter went out yesterday 3) Working on relay guide blog post. Edited several other posts. Working with Tommy on upcoming volunteer spotlights. 4) Jon, Tommy, and I are getting segmentation training from GR isabela: 1) super sick and behind on a loooooooooooot of things 2) reviewed SOI modularization and SOI TB desktop - asked tommy to share it with gk too 3) will ping adam for the extension contract (and give him what he needs for that) - emailed isis work agreement copied shari and nick 4) today (and maybe tomorrow but i hope not but i am still super sick so ... who knows) get Q4 sponsor8 report out 5) will be at valencia with ux team doing user testing before rome Mike: 1) Working on guard-discovery defenses and packaging for the vanguard script

1 0

January 2018 Transifex report
by Colin Childs 01 Feb '18

01 Feb '18

Hi everyone, Below is the monthly Transifex report for January, 2018: ### Report Attached are daily, weekly and monthly translation graphs. The Y axis is "source words”. 12.76k source words 1.43k source strings 3,429 collaborators 154 languages 42 Project resources 17 languages at 100% completion (across all 42 project resources): Bengali (Bangladesh) (bn_BD) Catalan (ca) Chinese (China) (zh_CN) Chinese (Taiwan) (zh_TW) Dutch (nl) English (United Kingdom) (en_GB) French (fr) French (Canada) (fr_CA) German (de) Hebrew (he) Indonesian (id) Irish (ga) Italian (it) Norwegian Bokmål (nb) Portuguese (Brazil) (pt_BR) Spanish (es) Turkish (tr) -- Colin Childs Tor Project https://www.torproject.org Twitter: @Phoul

1 0

Notes from network team meeting, 29 Jan 2018
by Alexander Færøy 30 Jan '18

30 Jan '18

Hello! Our meeting IRC logs can be found at: http://meetbot.debian.net/tor-meeting/2018/tor-meeting.2018-01-29-18.00.html Pad copied below ---------------- Network team meeting pad, 29 January 2018 La lettre N formait sans doute l'initiale du nom de l'énigmatique personnage qui commandait au fond des mers ! --- Jules Verne, _VINGT MILLE LIEUES SOUS LES MERS_ Welcome to our meeting! Mondays at 1800 UTC on #tor-meeting on OFTC. (This channel is logged while meetings are in progress.) Want to participate? Awesome! Here's what to do: 1. If you have updates, enter them below, under your name. 2. If you see anything you want to talk about in your updates, put them in boldface! 3. Show up to the IRC meeting and say hi! Note the meeting location: #tor-meeting on OFTC! (See https://lists.torproject.org/pipermail/tor-project/2017-September/001459.ht… for background.) Meeting notes from previous weeks: * https://lists.torproject.org/pipermail/tor-project/2018-January/001639.html * https://lists.torproject.org/pipermail/tor-project/2018-January/001644.html Old Announcements: - Let's have some proposal discussions. Isis kicked off the process here: https://lists.torproject.org/pipermail/tor-dev/2017-December/012666.html - We are planning a single-day pre-planned highly-focused hackfest before the Rome Tor meeting - teor: pre-Rome hackfest venue is confirmed - komlo: Should there be a Rust update/planning session? What should we prepare/do beforehand to help this be planned/highly-focused? - On the roadmap spreadsheet: Please take February tasks. (If somebody else has already taken something you want, please talk to them and/or add yourself too.) https://docs.google.com/spreadsheets/d/1Ufrun1khEo5Cwd6OwngERn829wU3W3eskdr… Announcements: * 0.3.3.x is in feature-freeze. No new features (except for #24902, which has permission.). * No 0.3.4.x patches will be merged till the window opens on Feb 15. * Please, work on bugfixes! It would be great to have this release release on time. (Planned date is 15 April) * Support for 0.3.0.x will end on 1 Feb. * There are tons of tiny 0.3.3.x tickets. Maybe if you can do one of them in <X minutes for some small X, you should just do it? * Review group 31 is open! https://trac.torproject.org/projects/tor/query?status=accepted&status=assig… -- please help all your colleagues' tickets get reviewed. Discussion: * There are over 200 open tickets in 0.3.3.x. Some are bugs we should fix. Some we should defer to 0.3.4.x. Some should get tossed into the aether. Suggested process? * We have way too many open tickets left in 0.3.3.x, including ones that are assigned to people. Is this how it should be? Where, if anywhere did we go wrong? How to do better in 0.3.4.x? * There are still tickets left in 0.3.2.x. What shall we do with them? Let's get them done soon. * Looks like 28 May - 1 June 2018 and 4 June - 8 June 2018 are good dates for a hackfest. Which week do we want to do a hackfest? (4 - 8 June is just before Mozilla All-Hands) Which city/country? Does anyone want to help organise it? [teor can do some of the organising] [dgoulet: Replied offering my help][isa can help too] Nick: * Last week: - Released 0.3.3.1-alpha, including review and merge of lots of last-minute patches. - Reviewed #24902 a bunch. - Began big triage on remaining 0.3.3.x tickets. - Grabbed many small 0.3.3.x tickets and did them. - Talked w isis et al about TLS1.3. - Tried OpenSSL 1.1.1's git master branch (openssl is not yet released). Found various bugs. Navigated openssl's contributor license agreement and code review bureaucracy * This week: - Missing Monday and Tuesday: in a meeting with mozilla folks in Boston, brain-dumping all the Tor internals. - More triage on 0.3.3.x and 0.3.4.x. - More bugfixes, review, merging. teor: * Last week: - (experimental) PrivCount bug fixes and client descriptor fetch stubs - Still keeping my relays operating and supporting relay operators - Did not get time to review or revise much Tor code - The test network started running new IPv6 consensus methods 27 & 28 (The microdescs and microdesc consensus changed, nothing crashed) - Read up on general floating point issues, and read Rust's Rand f64 impl - It was a short week for me due to a local public holiday * This week: - Fix some more experimental PrivCount bugs - Implement and test experimental PrivCount onion service stats - Make a trac user page that lists the tickets I'm working on in priority order - Maybe I will get time to review or revise tickets this week asn: [Not sure if I will be present in meeting tonight. Woke up pretty early.] Last week: - More review on #24902. Found some bugs and wrote another unittest for it. - Coded #24896 and it's now on needs_review. Works fine on my HSes. - Did some research stuff. Met with a researcher who is interested in integrating PIR with HSDirs. Helped them out with chutney and gave them a few pointers on the tor codebase. - Opened a few prop224 tickets of bugs I encountered: #24972, #24976, #24977 Also reviewed's nick's patch for #24972. - Opened #24973 which might be yet another way that clients overwhelm the network. This week: - Bug triage and coverity duties. - Work on prop279 (name system proposal). - More prop247 or whatever else needs work/reviewing. dgoulet: * Last week: - Finalized code for #24902. An v4 branch now exists. Been running for at least 5 days now so I think it is getting more and more in a state to be merged upstream. - Small review on #24914 - Opened #24962, a parent ticket for most of our Tor2web DoS issues. And also two child tickets. - Bug found by arma while reviewing #24902, I opened #24975 for it. * This week: - Address reviews on #24902. I expect this to be much less work than last week thus allowing me to put time in other things. - 0.3.3.x bug triage. - Ticket work for which I really need to have them in a better state: #22781, #24554 and #24975. isabela: - got extension from sponsor4 - working on email/agreement to isis, suggested by nick. - sponsor8 Q4 report - reading pwr research on .onion / also planning on digesting our user testing results (probably on thursday/frida) and starting to put together a write up of it - team meeting on March 11 **different from team hackfest on the 10th** - this should be for retrospective, roadmapping etc. [sent email about it] catalyst: Last week (2018-W04): * reviewed #24484 * worked on making us have a better-functioning github repo * our "official" github repo is building on Travis CI now! * CoC review * sick day spent in Urgent Care again (very persistent respiratory infection) This week (2018-W05): * review tickets * CoC and Statement of Values feedback * more github adjustments as needed * draft some text about how people should interact with our github repo * try to get enough uninterrupted time to focus on #24661 Mike: Last week: - Fixed a couple purposed-related warn bugs from the vanguard prototype - Began brainstorming things the controller could do This week: - Write a README for the vanguard controller; make it more usable for 0.3.3 alpha users - Maybe start cleaning up prop247? ahf Last week: Sponsor 8: - Convert DTrace programs to SystemTap to allow more people to use it. - Spend some time getting SystemTap to work on my laptop in Qubes VM's. - Looked into some old discussions from the WebKit community on memory profiling. Misc: - Found and fixed #25026. - Got approval for Rome traveling, aiming for arriving the 7th and leaving the 16th. - Some Torsocks compatibility issue on some Linux'es. Hello71 submitted a patch that includes a fix for this in #24967 (+ some macos issues). - Read up on the prop#279 (naming layer) and especially around using it with catch-all TLD's. This week: Sponsor 8: - Begin initial memory optimization work on smartlist_t usage. - After Tim's suggestion: look into struct padding size. - Collect some baseline information for event loop usage. Misc: - Going to FOSDEM on Friday. Wont be online after 12 UTC until the evening. Limited communications over the weekend. - End of the month reporting. isis last week: - last few bugs in moat #24432 - google shut down access to my appengine account for the moat reflector - implementing prop#249 (#24986) - worked on the TLS 1.3 proposal - organised the steps to getting to a post-quantum secure circuit-layer handshake and made tickets for each #24985 this week: - schedule proposal meetings - more prop#249 work - get moat accounts shifted over to TPO ownership -- Alexander Færøy

1 0

Tor Browser team meeting notes, 29 Jan 2018
by Georg Koppen 30 Jan '18

30 Jan '18

Hi! We had another Tor Browser meeting yesterday in #tor-meeting. Here is the meeting transcript: http://meetbot.debian.net/tor-meeting/2018/tor-meeting.2018-01-29-18.59.log… And the notes from the pad are: Monday, January 29, 2018 Discussion: - Tor patch uplift plan - Sessions we want to have for the team meeting day GeKo: Last week: 1) Finished design doc update (#21256) 2) Finally finished debugging (#22256) and posted a backported patch for review 3) Dealt with release and post-release work (going over blog comments/new tickets etc.) 4) Continued writing the "Redesign of Tor Browser's security controls"-proposal 5) Some reviews 6) tjr: do you have https://bugzilla.mozilla.org/show_bug.cgi?id=1392604 on your radar too? Or should we try to deal with it for ESR 60? (GeKo: We poke ourselves I guess) This week: 1) More reviews 2) Finish the proposal and post it to tbb-dev for further discussion 3) Get back to work on #21777 (new clang-based toolchain for Windows cross-builds) 4) Get back to get the sandbox running on Windows 64bit (#24197) 5) Work on exempting .onions from mixed content warnings (#23439) 6) Look at tor launcher proposal 7) Monthly team admin stuff tjr: mcs/brade: Can you explain https://trac.torproject.org/projects/tor/ticket/19121 / https://gitweb.torproject.org/tor-browser.git/patch/?id=a4341a6 to me? from mcs: We reinstated a check that Mozilla removed. With the hash check in place, all MAR files that are applied must be "advertised" in the update.xml metadata. Mozilla views this check as unnecessary because all MAR files are signed. We were more comfortable keeping the check in case there is some kind of update attack that we did not think of that removing the check makes possible. gk and mikeperry might have something specific in mind (gk agreed that we should reinstate the check). GeKo: nothing specific, but with that check an attacker has to break more than the signing in at least a bunch of scenarios and given that automatic updates are pretty important to safeguard we felt having two independent systems in place makes more sense. tjr: So we're protecting against an attacker than can a) send the wrong update files b) forge or bypass the mar signatures but can't c) send their own update.xml file (which isn't cryptographicly verified and only contains a list of hashes?) Why could they do (a) but not (c)? Spectre Stuff More timer stuff Lots of JIT stuff landed MinGW Sandbox almost uplifted! (GeKo: I wonder whether we don't need to take care about the SANDBOX_EXPORTS or whether we want to have this uplifted as well) Fixed several mingw build breaks that popped up Wrote a (rudimentary) Binary Transparency auditor for Moz's in-progress BT stuff Arthur, Richard and I quick-triaged ~200 tor bugs Have some followup from this we will talk about in our Tuesday-same-time-as-this meeting All P1 bugs we are trying to get into 60: https://mzl.la/2DyHp6B All P2 bugs we are going to try and get into 61-62: https://mzl.la/2E7hzrH (GeKo: I think I want to work on the remaining .onion mixed content bug and get both pieces upstreamed into ESR 60) tjr: Is that https://bugzilla.mozilla.org/show_bug.cgi?id=1382359 ? I'll P1 it and assign them to you if so (GeKo: yes, that's the bug) mcs and brade: Last week: - Did some testing of Tor Browser 7.5-build3 and 8.0a1-build3 on OSX (focused on the updater). - Looked at icons and branding some more: #10888 (Mozilla trademarks still remain in some about: urls) #24578 (about:tbupdate popup notification formatting error) - Posted a patch for #24159 (Torbutton version check does not deal properly with platform specific checks). - After Isis fixed a server-side problem, we were able to resume work on #23136 (Moat integration). We found a meek client/Tor Browser issue that dcf is helping us solve. We found a problem where BridgeDB is not returning any bridges which Isis will need to help us solve. Planned for this week: - More work on #23136 (Moat integration). - Work with dcf to solve the meek client/Tor Browser SOCKS optimistic data bug. - Assist Isis as needed with the "no bridges returned" bug. - Review and comment on some of "our" bugs that are listed in Arthur's Uplift Tracker. - Triage the Tor Launcher bug list (set priorities, close outdated tickets). igt0: Last Week: - Sent patch moving Tor Button to Tor Browser repository (#25013) - Removed Tor Button from the Tor Browser build (#25013) - Continued work on Integrating Tor Button in the Tor Browser mobile version (#24855) This week: - Work in the (#24855) - I still need to investigate https://bugzilla.mozilla.org/show_bug.cgi?id=1415595 from tjr: While this would be nice, I think the protections provided by fortify source are small enough that it isn't a huge priority. Just my opinion. pospeselr: Last Week: - continued work on #22794 (Don't open AF_INET/AF_INET6 sockets when AF_LOCAL is configured.) - Jury Duty - met with tjr and arthur re tor uplift This Week: - finish #22794 - begin work on tor uplift patches sysrqb: Last week: Continued working on Orfox patches. - Running mochi, junit, etc tests take a painfully long time - Mochitests fail when the Android App is not the focused UI element - After running the mochitests on a headless server, I finally found why all the UI tests were failing: https://people.torproject.org/~sysrqb/screenshot3.png - Debugged and patched some failing tests Worked a little on TorLauncher on Mobile (thinking about how we should integrate it) Read about HTTP/2 (over the weekend) and started thinking about how we can evaluate it and enable pieces of it Also read about QUIC and started thinking about how Tor can prepare for that This week: Finally finish the Orfox patches and request review Work on a branch tor-browser-build for TBA (Tor Browser for Android) Review Tor Browser uplift patch list tjr: Do you have mozilla try access? Might be useful/faster for unit tests, especially if you have n changes you want to test independently. sysrqb: Nope, but that sounds extremely useful. GeKo mentioned that last week, too, but I don't know how I should go about requesting access (igt0 will probably appreciate having access too) arthur: I got access following these instructions: https://wiki.mozilla.org/ReleaseEngineering/TryServer#Getting_access_to_the… Also I use https://github.com/mozilla/moz-git-tools which allows you to use git to push to the try servers. tjr: Yea, do that and send me the bug you file and I'll nominate you. sysrqb: sweet! thanks! I didn't actually think about looking for a doc about how to do it...will do! boklm: Last week: - published the new releases - finished #6119 (FPCentral) and all sub-tickets - started fixing some testsuite issues This week: - Fix upload of nightly builds to https://nightlies.tbb.torproject.org/ and enable testsuite on nightly builds - Fix testsuite issues to have all tests passing - Start working on #18867 (Ship auto-updates for Tor Browser nightly channel) - Will be afk next monday (but should be there for the meeting) arthuredelstein: Last week: Opened lots of bugzilla tickets Updated torpat.ch Created uplift patches for 1433357, 1433507, 1433509. Working on 1432983 Continued to rebase patches for mozilla-central This week: Uplift, uplift, and away! More rebasing Also want to look at HTTP/2 -- sysrqb: would be useful to chat about this - from sysrqb: ack yes isabela: - working with sponsor4 on extension - we got it, just need new contract to sign etc. also working with network team / isis on organizing their work for finishing this deliverable - sponsor8 report due wed - meeting with arthur and geko on wed 1900utc (confirmed? antonela said that works for her) on circuit display work (GeKo: works for me) (arthur: wfm too) Georg

1 0

Notes from January 25 2018 Vegas team meeting
by Karsten Loesing 26 Jan '18

26 Jan '18

Notes for January 25 2018 meeting: Alison: 1) Code of conduct discussion is progressing well! I hope we can begin voting sometime next week. 2) Coordinating guest lecturers for LFI. 3) Giving a talk at Georgetown this Friday. 4) Tor Meeting stuff. Will send out an email about the open days to the meeting list soon. 5) Who is submitting talks for the HOPE CFP? We should have a coordinating meeting. Georg: 1) Tor Browser 7.5 is out! I am happy with it so far and have been especially happy about the good work we did with the UX-team. Karsten: 1) We'd like to get support with proofreading and editing documentation for Sponsor 13. Very rough estimate is 50,000 words for 30 specifications for reproducing Tor Metrics graphs or tables with 1,000 words each on average and 1 technical report of 20,000 words. Should we contract this out to somebody, ask a friendly Tor person whose first language is English to do this for us, or just do our best at writing? [Answer: Start by asking Tommy, and consider contracting this to somebody else later in the process.] 2) Made a very first step forward towards writing documentation for Sponsor 13. 3) CollecTor module to sanitize Tor web server logs almost complete. Last tests are running, might get this done by end of this month. 4) Can I create EC2 accounts for iwakeh and irl to do resource-intensive metrics tasks? We once had a that Tor employees/contractors could have such accounts as long as they keep their usage below 30$/month. But that policy is 2.5 years old and predates Shari's time at Tor. Is it still a good policy? [Answer: yes, do it if it's appropriate and really that cheap.] Nick: 1) Putting out an alpha today; another alpha to follow in 5-14 days. 2) Deferring more stable releases until we can get dgoulet's #24902 anti-dos code tested in an alpha. 3) Meeting with Mozilla folks on Monday/Tuesday to brain-dump about Tor internals. Probably will have limited net presence. 4) Scrambling to get 0.3.3.x freeze period to go well. Mike: 1) Continuing work on guard discovery defenses. Arturo: 1) We are releasing a new version of the OONI Probe app, that definitively changes the name from ooniprobe to OONI Probe 2) Made a lot of progress in terms of implementing the revamped OONI Explorer 3) We have established a new partnership with Tuwindi Foundation (Mali), see: https://twitter.com/OpenObservatory/status/956167750874992645 4) Migrating our database and improving the latency of OONI Explorer and API is moving forward well 5) Thanks to the localisation lab and many community members some new strings for OONI Probe have been translated to 10 languages. 6) We will be hosting a OONI workshop in Kampala (Uganda), we have been preparing the training material and correcting assignments for the course 7) Several test lists (NG, UG, SS) have been updated thanks to URLs provided by community members

1 0

Notes from network team meeting, 22 Jan 2018
by Nick Mathewson 25 Jan '18

25 Jan '18

Hi! Meeting logs are available at http://meetbot.debian.net/tor-meeting/2018/tor-meeting.2018-01-22-18.01.html Pad copied below: ------- Network team meeting pad, 22 January 2018 Andre-Louis paused. "The less we mention names perhaps the better." --- Rafael Sabatini, _Scaramouche_ Welcome to our meeting! Mondays at 1800 UTC on #tor-meeting on OFTC. (This channel is logged while meetings are in progress.) Want to participate? Awesome! Here's what to do: 1. If you have updates, enter them below, under your name. 2. If you see anything you want to talk about in your updates, put them in boldface! 3. Show up to the IRC meeting and say hi! Note the meeting location: #tor-meeting on OFTC! (See https://lists.torproject.org/pipermail/tor-project/2017-September/001459.ht… for background.) Meeting notes from last week: * are on the tor-project list, send on 17 January 2017 ( https://lists.torproject.org/ was down when I checked) Old Announcements: - Tor 0.3.2.9 came out on 10 January 2018 - Soon it will be It is now time to triage 0.3.3.x tickets. Please make yourself the owner of tickets in that milestone that you will do. - The meeting time is now 1800 UTC. - Let's have some proposal discussions. Isis kicked off the process here: https://lists.torproject.org/pipermail/tor-dev/2017-December/012666.html - We are planning a single-day pre-planned highly-focused hackfest before the Rome Tor meeting - teor: pre-Rome hackfest venue is confirmed - komlo: Should there be a Rust update/planning session? What should we prepare/do beforehand to help this be planned/highly-focused? Announcements: - On the roadmap spreadsheet: Please take February tasks. (If somebody else has already taken something you want, please talk to them and/or add yourself too.) https://docs.google.com/spreadsheets/d/1Ufrun1khEo5Cwd6OwngERn829wU3W3eskdr… - review-group-29 is open, there are 2 tickets left in needs_review: https://trac.torproject.org/projects/tor/query?status=needs_review&keywords… - review-group-30 is open, there is 1 ticket left in needs_review: https://trac.torproject.org/projects/tor/query?status=needs_review&keywords… - We still need head count in the team rotation: https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/TeamRot… - 0.3.3 freeze today! Please work on bugs in 0.3.3 as they come up, so we can release it on time! Discussion: - teor: Do we still want a hackfest in May? I need to book flights in the next week or two. I have made a pad so we can pick dates: https://pad.riseup.net/p/0RxS2ZcRe9Eb http://5jp7xtmox6jyoqd5.onion/p/0RxS2ZcRe9Eb - teor: do we want to implement Tor2web overload defences at HSDirs and Intro Points? They can be off by default. But if the load gets worse, we will want them deployed on most of the network before we activate them. Context: https://trac.torproject.org/projects/tor/ticket/24902#comment:16 [dgoulet] I've asked the same question on comment:17 on if we should have them all and backported or only RP and merge the other ones later. teor: - Last week: - Implemented the Tor part of (experimental) PrivCount onion service descriptor fetches - Keeping my relays operating and supporting relay operators - Did not get time to review or revise code, but did review community documents - Damian started on ORPort support for Stem, using Endosome as a scaffold: https://gitweb.torproject.org/stem.git/commit/ Stem now speaks link-layer Tor cells (the link layer is the lowest layer, the higher layers are circuits and streams). - This week: - Implement and test experimental PrivCount onion service stats (This is the last experimental PrivCount feature) - Make a trac user page that lists the tickets I'm working on - Get the test network running new IPv6 consensus code - Maybe I will get time to review or revise tickets this week - It's a short week for me, because Australia has a holiday on the date of the colonisation of Sydney Nick: - Last week: * Worked towards stable releases * Reviewed and merged lots of things for 0.3.3, including vanguards experiment branch * Fixed scan-build * Worked more on getting Tor to be happy restarting in-process - This week: * Release 0.3.3.1-alpha * FEATURE FREEZE BEGINS. (The anti-DoS work has permission to break the freeze.) * Talk with Isis about TLS1.3 work * Merge more things * Continue experiments on killing off ancient clients. * Fix as many bugs in 0.3.3 as possible. * Work on restart-in-process work * Book all travel to Rome dgoulet: - Last week: * My time has been again devoted to DoS mitigation. The ticket is #24902. On Sunday, I've finalized code for the 3 defenses mentionned in the ticket and put the 0.2.9 branch under review. * Starting addressing the review with many fixup commits. * I've opened couple of tickets: #24952 and #24914 * Reviewed and worked on #24895 to have it backported cleanly. * Rome booking is done for me! - This week: * Very high priority for me is #24902 to be merged in 033 as a beta test run and at the same time finalize the 029 branch as we fix things. * If the above can be achieved, I can go back to a more regular work schedule of reviewing tickets, patches and continuing my tor tasks. * Many things have been delayed on my parts and pushed to 034 so I want to go over tickets and mark them accordingly as well as the roadmap. * Profile 032 fast relays to hunt down any high CPU usage that tor-relays@ has been reporting lately (might not only be caused by the DoS). * If time permits, finalizing #24554 which addresses couple important things that needs to be fixed in the scheduler mainly #24700, #23579 and the removal of a lot of memory allocation in the scheduler run. Meeting logs here: ahf Last week: Sponsor 8: - Got SystemTap to work via the 'sdt-inteface' (A DTrace compatible interface to defining probes) such that tracing works on macOS, FreeBSD, and Linux. - Got systemtap to work on device, but it was painful, and just showed the same results as I could reproduce on 32-bit desktop Linux. - Started writing some notes to discuss memory optimization and how far we are interested to go at the expense of code simplicity. Misc: - Reviewed #24652, #21074 - Bug triage This week: Sponsor 8: - Finish memory optimization document. - Discuss initial memory optimization strategies and begin implementing them. - Land systemtap compatible dtrace code. Misc: - Book Rome travel. isis: from dec 19 - now: - prevent bridgedb from handing out bridges in the same /16 (or ::/64) - proposal writing (migration to TLS 1.3) - revised the large create cell proposal to meet concerns/ideas raised in discussion meeting this week: - check in on moat deployment stuff and fix any remaining config problems - organise proposal meetings - phone call with ian to discuss ntor changes - start working on the large create cell implementation - TLS 1.3 meeting in a couple hours catalyst: Last week (2018-W03): - Travis CI workarounds (#24863) - looked a bit more at STACK stuff (#24423) - CoC feedback - slowly recovering from illness This week (2018-W04): - #24661 - look into making our GitHub presence a bit more real - Rome travel stuff - monitor CoC feedback as needed isabela: sponsor4 - I will ask for extension, Matt Finkel and the TB team are helping me figure out how much more time to ask. Hope to request it asap. sponsor8 - Q$ report time. Deadline is Jan 31st. I will start to put things together for it this week. .onion user test - Antonella and I decided to include a test for India meetup, Antonela executed it and just shared results, we will share more soon as we digest it. I will be in seattle Thursday/Friday asn: Last week: - #13837 and #23101 are now merged! Spent some time reviewing and testing this feature this past week. - Spent time reviewing and analyzing the DoS mitigation subsystem of david and roger. Did some review, wrote some unittests, found some bugs. - Reviewed #24894, #24946 - Had a meeting with a researcher about integrating PIR in HSDirs. Helped him with code and chutney/shadow. Likely doing another meeting in a week or two. - Had a meeting with some people who want to implement prop279 on core Tor. Discussed the proposal, made a small implementation plan and planning to meet again in a week or two. - Started hacking on #24896. This week: - More work on the DoS issue since that's the main priority of the network right now. Also finalize #24896. - I have a bunch of prop224 from my service that I need to start analyzing and filing. [dgoulet]: You have log for the non decodable descriptor issue? - Synch up on prop247 with mike. Mike: Last week: - Finishing touches on #13837 and #23101 to get them merged - Updates to vanguards.py to improve circuit length checks and some othe stuff - Wrote fix for a spurious log_warn introduced by #13837 (See #24946) This week: - vanguards.py improvements, prototypes, README, packaging, etc. pastly: Tried 0.3.2.9 in Shadow. Doesn't work out of the box (no surprise). There's a few places Tor assumes it is not 1970, 1972, or 1985. That's not good for Shadow (shadow starts time at unix timestamp 0 AKA jan 1st 1970) Coming up: Work will ya'll to see about not making these assumptions or making Shadow work better. related: - log with two nonfatal asserts http://paste.debian.net/hidden/fd2ce05f/ - probably dangerous/broken/stupid patch that makes hs_get_time_period_num not fail due to it being period number 0 in 1970 http://paste.debian.net/1005897/ - opened #24961

1 0

Tor Browser team meeting notes, 22 Jan 2018
by Georg Koppen 23 Jan '18

23 Jan '18

Hi all! We had the weekly Tor Browser meeting yesterday in #tor-meeting. Here is the meeting transcript: http://meetbot.debian.net/tor-meeting/2018/tor-meeting.2018-01-22-19.00.log… And the notes from the pad are: Monday, January 22, 2018 Discussion: What to do about the Mozilla team meeting Wens nights Worth making a separate one? Probably can just use this one for now. GSOC Projects? tjr intends to keep the Crash Reporter one up; but took down the 'Making Tor Browser faster' one Will ask Shari for cloud resources if we get anyone tjr: Spectre Stuff I'm working on Timer stuff, taking a lot of my time Moz intends to pursue Fuzzyfox, might land (off or on) somewhere in the post-60 timeframe. JIT Mitigations landing in 59: children of https://bugzilla.mozilla.org/show_bug.cgi?id=1430049 MinGW Going to try and get back in front of this for 60. Beginning with Sandbox uplift, children of https://bugzilla.mozilla.org/show_bug.cgi?id=1230910 for tracking Also trying to uplift these all the way to chromium Besides Sandbox, what is and is not high-priority for me to uplift in 60 for build stuff? Yes: Get the #&$(@& thing running: https://bugzilla.mozilla.org/show_bug.cgi?id=1411401 Yes but not me: Stylo Yes: x64 Patches https://gitweb.torproject.org/tor-browser.git/patch/?id=5aa8644 Any others? https://gitweb.torproject.org/tor-browser.git/patch/?id=ba9e5d6 <- don't need this Yes: Fix the TaskCluster integration on not-central-trees Ideally: jemalloc https://bugzilla.mozilla.org/show_bug.cgi?id=1420350 Ideally: x64 in Task cluster No: WebRTC Discussed Rome in the Sandboxing meeting Related/Unrelated, the timeframe for https://bugzilla.mozilla.org/show_bug.cgi?id=1322426 WAS 'Behind a pref in 61, enable for release in 63' but is now "This will not be happening in the near term, due to staffing changes. It’s not yet clear when or if this will occur." Will need to re-triage Mozilla bugs and plans =( Have a lot of 'For 60' things to work on, so if you have some of those yourself, please let me know. My intention is to search for the whiteboard tags [tor OR fingerprinting which gives this list: https://bugzilla.mozilla.org/buglist.cgi?quicksearch=sw%3A%5Btor%20OR%20fin… mcs and brade: Last week: - Reviewed Android Torbutton and Tor Launcher proposals and replied on the tbb-dev "Tor Button Proposal" thread. - Found the root cause and proposed a fix for #24421 (Temporarily allow all this page and New Identity). - Posted patches for #21850 (Update about:tbupdate patch for e10s) Planned for this week: - If there is anything we can do to help, assist Matt with #24432 (meek/Moat tunnel) . - After #24432 is fixed, test and put the Tor Launcher Moat integration code out for review. - Work on #24578 (about:tbupdate popup notification formatting error). - Work on #24159 (The Torbutton version check does not deal properly with platform specific checks). - Triage the Tor Launcher bug list (set priorities, close outdated tickets). igt0: Last week: - Moved Tor Button to the browser/extension folder (build system, add files to allowed dupe) - Migrated the chrome.manifest to use jar.mn - Added Tor Button in the tor button mobile omni.jar - Updated the Tor Button Proposal This Week: - Verify why torbutton-logger is not printing debug messages in the console (mobile) - Update the overlay components to work in the mobile browser when needed. (about:addons, extensions, about:tbupdate[maybe not needed, Android has its own thing about updates]) (the work is being made here: https://github.com/igortoliveira/tor-browser) boklm: Last week: - helped with building the new releases - made some patches for #24924, #24931 - opened #24921 to create https://nightlies.tbb.torproject.org/ This week: - publish the new releases - finish fpcentral setup/integration in testsuite to be able to close all fpcentral tickets - enable testsuite on nightly builds and fix any issue in the tests sysrqb: Last Week: - Opened some tickets for Tor Browser for Android (TBA), based on Orfox bugs - Re-wrote some Orfox commits - Wrote a revised TorLauncher proposal - Started looking at Moat - Ran into some problems during Orfox rebase - Investigated Firefox preferences parsing This week: - Finishing Orfox/TBA branch with squashed/rebase/rewritten patches - Investigating why a couple firefox prefs are not overwritten: - On desktop, app.update.staging.enabled is not set correctly - On mobile, browser.casting.enabled is not set correct - Probably look more at Moat server-side pospeselr: Last Week: - Posted a 'fix' for #15599 (by fix I mean it just disables the broken feature) - Started work on #22794, synced with Yawning - made travel plans for Rome - got setup with mozilla testing TryServer This Week: - Get ae patch up for #22794 - JURY DUTY Wednesday -> Friday arthuredelstein: Last Week: - Worked on rebasing to mozilla-central and nightly rebase. Getting closer! - Worked https://trac.torproject.org/projects/tor/ticket/22343 (Save As) - Here's my proposed list of bugs to work on for uplift: https://mzl.la/2E1eVn2 (Deadline, roughly March 12) This Week: - Continue on rebasing - Try to rebase #22343 - Work on uplifting patches - Look at https://trac.torproject.org/projects/tor/ticket/24918 GeKo: Last Week - release preparations and working on the Tor Browser design doc update This Week - finish the design doc update and work on the toolbar and security indicator improvements proposal isabela: 2 months extension for sponsor4 sponsor8 Q4 report - I will probably ping some mobile folks and geko to make sure I collected all the tickets etc antonela did user testing in India! o/ Tor Launcher new UI (tested text interpretation of our new copy) and .onion http/https states icons comprehension - will share more soon also want to check if arthur/geko can meet about tor circuit (probably next week) ux team will help with the blog post for the release - add stuff about the Tor Launcher new UI Georg

1 0