Hello!
Here come the notes from our first weekly Tor Browser meeting in July. The IRC log can be found at:
http://meetbot.debian.net/tor-meeting2/2019/tor-meeting2.2019-07-01-17.32.lo...
The items from our pad are copied below:
Discussion: - state of the onion at dev meeting, applications/browser part (GeKo: pospeselr stepped up and will present Tor Browser things; potential items are: mobile release, security settings, accessibility support for Windows, looking forward to S27 onion services and esr68 transition)
Georg: Last week: - reviews (#30549, #31041, #28672, #30863, #30577, #30683) - gave #10760 a first review pass while working on reviews for #30429 - patch for #30849 (backport of two sec-moderate bugs) - finally finished aarch64 support patch for mobile (#28119) - spent some time thinking about integrating the snowflake pt for android (#30318) (GeKo: I'll ask the Guardian Project folks about a way forward here) - wrote patches for macOS toolchain update for with esr68 (#30323): I got everything built I think (there was just a packaging error in the firefox build step), we need to clean up things a bit, though - hackerone work - (mozilla all hands) backlog - filed https://bugzilla.mozilla.org/show_bug.cgi?id=1561589 for getting a mozilla-esr68 branch on gecko-dev This week: - release prep (including patch for #30468) - reviews (above all first full pass on #30429, hopefully mobile patches as well (#31010), and #27503 for the alpha) - begin of the month team admin stuff
mcs and brade: Last week: - Worked on #30000 (Integrating client-side authorization to onion services v3). - Posted work-in-progress patches for the Onion Services client auth prompt (#30237). - Made some test builds available that include this feature. - Reviewed and tried to test the #18101 patch (IP leak from Windows/macOS UI dialog with URI). - Finally tested Snowflake on macOS 10.9 for #26251. This week: - Review for #30683 (Properties in dom/locales/$lang/chrome/ allow detecting user locale). - Prepare for travel to the Stockholm meeting. - Out of the office Thursday and Friday (U.S. Independence Day holiday). - Upcoming: #30126 (Make Tor Browser on macOS compatible with Apple's notarization). - Upcoming: #29197 (remove use of overlays from Tor Launcher) - Upcoming: #30429 (ESR 68 Rebase — updater patches).
pospeselr: Last week: - rebasing and integrating review feedback - discovered and worked on a fix for a bug introduced in my widl patch-set where valid IDL would generate invalid headers This week: - hopefully finish fixing said issue today and then back on track for getting patchset ready for second round of reviews later this week
sisbell: Last week: - Opened PR for Orbot Changes: https://github.com/guardianproject/orbot/pull/240 - #31047: Resources Should Match Orbot (Issue also raised in #30199) - #31042 - VPN Module - lots of fixes since we ignored this code previously/ (not needed for tor browser but need to keep in sync with Orbot) - Refactored tor android service and orbot code to make separation easier to maintain. This Week - Orbot has moved to using info.pluggabletransports libraries. I need to start looking into the code of this project. If we go this route, it will be done through TOPL, which contains the PT dependencies. (Do we want to build these ourselves or are these precompiled native libraries how we want to do it?) Also #31045 - JSocks now has prebuilt dependency in Orbot. - #31049 - Orbot Using Tor Service - we should start looking into this as soon as everything is in sync (Is this the direction we want?) - Work on Settings in TOPL. Orbot has introduced new settings that could be useful. I also need to incorporate the ipv6 settings currently in patch as part of this. - #30144 - Update tor binaries (What version do we target for next release?) (GeKo: The latest and greatest. :) In general I like to move as fast on mobile as desktop, to help the network team finding mobile specific bugs; but that requires our own tor. We are not there yet, though. :( )
boklm: Last week: - updated patch for #30549 (Add script to remove expired sub-keys from a keyring file) - fixed build reproducibility issues for #28672 (Android reproducible build of Snowflake) - reviewed #28119 (Provide Tor Browser for Android for arm64-v8a devices) - started looking at #30321 to try to build 32bit mar-tools This week: - Update patch for #28672 (Android reproducible build of Snowflake) after review - Add android aarch64 nightly builds (#31054) - look how we can build 32bit mar-tools: https://trac.torproject.org/projects/tor/ticket/30321#comment:10 - look at remaining failing testsuite tests - check that archive.tpo rsync scripts are working correctly on the new machine for #29697 - help with releases builds - Clean up keyring files (#30548), using the scripts added in #30549
sysrqb: Last week: Backlog and ticket triage Laptop recovery 68esr rebase (opened #31010) Looked into "interaction avec l'application Gmail sur Android" (#30584) - multiple reports of this This week: Continuing mobile patch rebase F-Droid More bug triage Preparing for travel AFK some parts of this week
acat: Last week: - Filed bugzilla tickets for #26514 and #24056. #21830 will hopefully soon by fixed in https://bugzilla.mozilla.org/show_bug.cgi?id=1396224. - Add Fundraising Banner with next TBB security update (#30577). - Addressed review comments for #10760. - Small fix for #31041.
This week: - Follow up bugzilla tickets, investigate/file tickets for #23104 and #26353. - Continue torbutton cleanup/refactor (#28745)
tjr: - Learned that the alloc/dealloc mismatch on Windows with jemalloc also affects x64 too. Disabled jemalloc on -central :( We'll need to disable it on esr68 too, hasn't been landed yet. Going to go back to Jacek/Martin and see if we can figure things out here - Temporarily disabled mingwclang builds on -central due to missing APIs for a patch landing. Hopefully fixing that today/this week - Investigating AppContainer sandboxing. Seems possible to use this to disable access to networking from Windows content processes although it will not be trivial work. Also seems like using it may write registry values or something related to disk indicating the name of the profile. =/ - I noticed Gary has a patch for the fingerprinting ftp:// timezone issue \o/ [GeKo: Where? (https://bugzilla.mozilla.org/show_bug.cgi?id=1560574) Could we test that one in the upcoming 9.0a4 alpha?]
Georg