Hello everyone!
Two weeks ago we held our weekly Tor Browser Team meeting. The notes are available at http://meetbot.debian.net/tor-meeting2/2019/tor-meeting2.2019-11-25-18.31.lo...
That was a short week for many people because the U.S. celebrated a bank holiday on Thursday and Friday. We prepared for two upcoming releases, 9.0.2 (stable) and 9.5a3 (alpha).
During the meeting we discussed three main topics, and set last-minute goals for fixing bugs in the releases.
The discussions were:
1) Should Tor Browser provide a preference for disabling updates? The question was asked because in older versions of Tor Browser (and Firefox) there was a preference for this, but Mozilla removed it. We decided that some existing preferences may be used for this purpose, and we will test and document how these prefs should be set as a solution. If the tests fail, then we will consider implementing a new pref for this, but we prefer not going that route.
2) Can Tor Browser enable the JIT in privileged code, when the JIT is disabled for content? We experimented with enabling WebAssembly for webextensions when it is not allowed in content scripts; however, a performance problem remains because the JIT is still disabled. We'll work with Mozilla on finding a solution for also enabling the JIT in privileged contexts when the JIT is disabled in content.
3) We discussed two upcoming UI changes within Tor Browser related to website redirection from a registered domain to an onion address.
===================================================================
Discussion:
- upcoming releases (are we good? last minute things we want to get into? who will build the releases?)
- ticket assignments for everyone
pospeselr (afk this meeting):
Last week:
- updated uplift patch for Mozilla 159445 (letterboxing UX improvements)
- fixes for #32359 and #32508 (security level UX stuff)
- flu!
- #30570 investigation/prototyping
- pinged NoScript's Giorgio via email to get his opinion on how we can make this+NoScript play nicely together
This week:
- more flu!
- holiday travel through Dec 6th, intermittent online availability this week, better availability next
- #30570
- antonela: we should chat this week and get an idea of what the UX we want to do here looks like (the technical/backend side of things is looking a bit scary :p )
mcs and brade:
Last week:
- Sponsor 27 work: #19757 (permanent storage of client auth keys and associated management UI).
- The Network Team is working on #32562 for us (Allow ONION_CLIENT_AUTH_ADD credentials to be made permanent).
- Commented in #31506 (Write up comprehensive advice to "Tor unexpectedly exited").
- Commented in #32327 (apt-win-crt*dll files are missing on some Windows 8 and Windows 7 systems).
- Investigated #32418 (Torbrowser tells on every start, that it can't update although it is newest).
  Should we provide a pref to disable updates, like Tor Browser and Firefox had previously?
This week/upcoming:
- More work on #19757 (permanent storage of client auth keys and associated management UI).
- Review #32498 (MAR_CHANNEL_ID for nightly builds).
- Add actual points to completed tickets.
- Out of the office most of Wednesday-Friday this week (U.S. Thanksgiving holiday).
GeKo:
Last week:
- help with the OTF proposal (I believe we submitted what I believe to be a better proposal in time, thanks to everyone who helped)
- #32053 (I tried to fix this bug by another workaround but that failed :( I asked on the LLVM bug whether that could give us at least some clue)
- #31597 (Go over all closed bugs/bugs where patches landed between Firefox 61 and 68)
- #25021 (design doc update; I revisited all Release notes between 7.0 and 9.0 and noted down all tickets potentially affecting the design doc; now the next step is to take the text and match that to those bugs and update it where needed, discarding the tickets not needed)
- wrote small patches for #30548 (cleaning up our tor-browser-build keyring file), #30786 (add th locale), #30787 (add lt locale), and #32531 (Mozilla backport of a patch)
- reviews (#30548, #30888, #28745, #32255, #32497, first stab at #30558, #32475, another round for #31130)
- made good progress over the weekend on RLBox work; I am close to what Mozilla is currently having ready
This week:
- more work on #32053, #31597, and #25021
- provide patches for ms inclusion as well (#30788)
- reviews
- release prep
- work on apple signing infrastructure update (#32173 + #32556)
- potentially more RLBox investigation in my spare time
tjr
- Did something, yay! But still very time-limited, so please proactively ping me if you have questions or would like me to see something and possibly provide input
- Got -central updated to clang-9: https://bugzilla.mozilla.org/show_bug.cgi?id=1590624
  This included an stl-wrapper fix that affects esr68, but apparently doesn't cause problems? Maybe?
  [GeKo: How would problems look like? So far, I don't know of a bug we've heard of that would match a potential issue here. But maybe I just don't understand stl-wrappers good enough. However, we maybe might want to backport that fix for the alpha to test it and be able to quickly use it for stable, too, in case there *is* actually an issue we should fix/be concerned about.]
  [tjr: I have zero idea. Mine manifested as a compilation error.]
clang-9 is desirable because it's one step closer to clang-10, which includes support for Control Flow Guard (on Windows)
- My next task is to work on a backlog of #ifndef __MINGW32__'s that have gone into -central because mingw-w64 headers are missing stuff
- In not-tor work, I have developed a google sheets <-> Bugzilla syncing script that allows (what I think is) a better dashboard of bugs and easy, notes of the status of bugs. If such a thing would be useful to you, LMK
- Apparently the next ESR is 78. Everything subject to change I presume.
  Nightly Start: 5/4/2020
  Beta Release: 6/1/2020
  Release: 6/30/2020
Jeremy Rand:
Last week:
- Addressed Georg's feedback on #30558.
- Nick merged #19859, so it's no longer blocking an eventual merge of #30558.
This week:
- Address whatever review happens on #30558.
- @Georg, do you happen to have a (totally non-binding) guess on the probability of #30558 getting fully reviewed by end of 2019, assuming that I respond to review approximately as quickly as I've been doing so far? If it does get merged by then, there's a chance I'd be interested in doing a talk at the 36C3 Critical Decentralization Cluster stage about that work (I think that's the stage that the Tor Assembly will be using as well). It's fine if it's not fully reviewed by then; if so, I won't do the talk; I'm just trying to gauge things so that I can plan more effectively.
  [GeKo: I'll get it fully reviewed by then (hopefully this week and/or next week should be enough to get through all of the changes); however, I can't promise that the code will be merged by the end of the year as I don't know what I'll find. :)]
  [Jeremy: ok, sounds good. :)]
boklm:
Last week:
- Made patches for:
    - #32527 (rbm downloads 0B sig file if network drops; rejects sig on next run)
    - #32497 (Change nightly update channel to nightly)
    - #32475 (Reduce the number of locales we provide updates for in nightly)
    - #32498 (Update MAR_CHANNEL_ID for nightly)
- Worked on patch for #25101 (Generate incremental mar files for nightly builds)
- Reviewed #30548 (Clean up keyring files)
- Blog triage
This week:
- Review #30786 (Ship Thai Tor Browser in alpha series)
- Help with build of new releases
- Finish patch for #25101 (Generate incremental mar files for nightly builds)
- Generate a mar signing key for nightly builds (#31988)
- Work on #25102 (Add script to sign nightly build mar files)
- Test/review rebased patch for #30334 (build_go_lib for executables)
- Will be at Reproducible Builds summit the following week: https://reproducible-builds.org/events/Marrakesh2019/
pili:
Last week:
- trac triage
- Ticket assignment meeting
- Some work on S27 reports
- Tor Browser presentation at https://womanlidertic.donesenxarxa.cat/es/programa2019/
- S9 report
This week:
- Mainly S9 report
sysrqb:
Last week:
- Mailing list, bug, blog triage
- Code reviews
- OTF proposal
- Misc. meetings
- Not much code written
This week:
- Release prep
- Finish #32365 (localization is broken on Android)
acat:
Last week:
- Wrap up work on #21952, and do builds so that it can be tested.
- #32255 (Missing ORIGIN header breaks CORS in Tor Browser 9.0):
    - Upstreamed: https://bugzilla.mozilla.org/show_bug.cgi?id=1598647
- Revised #28745: THE Torbutton clean-up
- Tried to reproduce #32297 (unsuccessfully)
This week:
- Revise #21952 according to anto's review comments.
- What should we do with #23719: Make sure WebExtensions are spared from JIT disabling in higher security settings (Medium-High)?
https://bugzilla.mozilla.org/show_bug.cgi?id=1599226
- #22919: Form tracking and OS fingerprinting (only Windows, but without Javascript)
Antonela
- I'm back from vacations
- per-site security settings: https://trac.torproject.org/projects/tor/ticket/30570#comment:12
- letterboxing: https://trac.torproject.org/projects/tor/ticket/32324#comment:7
- prioritize onions: https://trac.torproject.org/projects/tor/attachment/ticket/21952/21952%20-%2...
How should we treat the lock icon?
Is privacy&security the best place in about:preferences for general onion redirect opt-in?
- do we have S27 meeting this week? [yes]
sisbell:
Last Week:
- #31992 - ApkTool - located issue as aapt when processing resources
- #30676 Fixes for custom bridges in torch building
- Created independent modules for tor-service/TOPL
- #32476 TorService JNI, got up to speed on JNI and went through guardian project implementation
This week:
- #30501: BridgeList Preferences, move over previous work to new commit, these will be breaking changes
- #32476: JNI - I have some more specific suggestions for implementation. Some work to see about creating a JNI layer independent of TorService (Something like TorEmbedded)
- Adding unit tests for some topl components.
- #31130: Buster support - just one small issue left on determining dependencies. Will have this done early in week for review.
=======================================================
- Matt