Hello everyone,
We held our weekly team meeting on 13 January. The meeting logs are available at: http://meetbot.debian.net/tor-meeting2/2020/tor-meeting2.2020-01-13-18.29.lo...
We released three Tor Browser updates (two stables, and one alpha) the previous week. Huge thanks to everyone involved in the process!
Summary: 1) We discussed site-specific settings again, with a focus on integrating the functionality directly into the browser (Tor Browser, but ideally Firefox) 2) We're beginning to look at UniGL[0] for possible integration into Tor Browser 3) There is a question about who we should contact when we are notified about an upcoming, unscheduled Firefox release 4) Discussed where the new namecoin integration should be announced and how feedback should be received (probably starting with tor-talk@ and going from there). 5) We are beginning to update "actual points" on our tickets on a weekly basis, instead of when the ticket is completed.
[0] https://github.com/UniGL/addon
Meeting notes: ============================== Week of January 13, 2020
Discussion: - Anything we want to highlight for the "State of the Onion" FOSDEM talk?
pospeselr: Last week: - reviews: #21952 (Onion-Location), #32778 (tor publish/subscribe fix for Windows)
- probably spent way too much time on #21952
- discussed the spec with asn
- the tldr; is that the spec itself is old and was not thoroughly thought out with how the new header should interact with all of the possible HTTP results (ie what should happen if you get an Onion-Location header with a 404, 30X redirects, etc, etc)
- they suggested we ping web folks who would actually use Onion-Location header (anarcat/hiro, our Facebook friendo, etc) and see how they would want it to work/how they would configure web services to use it
- dove into uMatrix for #30570, haven't had a chance to write up findings yet on ticket
- the tldr; uMatrix looks like a good alternative to NoScript, already supports 'scoping' rules off of domain (so we get 3rd party isolation of content blocking rules for 'free')
This week:
- #30750: actually start writing some prototype code for Tor Browser to interface with uMatrix for script isolation
GeKo: Last week: - finished #31597 Firefox 61-68 bug review (finally, and we are good \o/) - helped with the Tor Browser releases - wrote patch for preferences clean-up (#27268) - posted patches for RLBox build changes in tor-browser-build (#32434, #32435, #32436, #32437) - ticket triage - design doc update (#25021) - wrote mail to tbb-dev about potential tbb proposal changes (https://lists.torproject.org/pipermail/tbb-dev/2020-January/001033.html) This week: - mar signing key creation (#32658) - more work on RLBox integration - ticket triage - design doc update (#25021)
mcs and brade: Last week: - Sponsor 27 work: - Reviewed UX design for #19251 (error page specific to when .onion links fail). - Made progress on #19757 (permanent storage of client auth keys and associated management UI). This week/upcoming: - Create estimates for our remaining Sponsor 27 items. - #19757 (permanent storage of client auth keys and associated management UI). - We plan to post patches this week. - Make available to Antonela a “work in progress” build that contains the Sponsor 27 auth prompt and key management UI.
boklm: Last week: - Helped to build/publish new releases - Looked at blog comments - Worked on #25102 (Add script to sign nightly build mar files, generate update-responses xml and publish the new version) This week: - Review RLBox patches - Review #32456 (Add a question in support.tpo about anti-virus reporting a virus in Tor Browser) - Finish work on #25102 (script to sign nightly build mar files, generate update-responses xml and publish the new version) and remaining things for #18867 (Ship auto-updates for Tor Browser nightly channel) - Try #32768 (Make script to optimize upload and download of Tor Browser releases) - Look at macOS signing situation
sysrqb: Last week: Three releases! (thanks for everyone's help!) Began Jan 2020 roadmapping Attended Real World Cryptography Symposium This week: Working on finishing Jan 2020 roadmap, and moving onto Feb/March roadmap Reviewing tickets and reprioritising
Jeremy Rand: Last week: Pondered next steps for Namecoin a bit. Was a bit less productive than usual due to minor illness. This week: [discuss] Where should I be asking users to report their feedback on the Namecoin integration in Nightly? (So far I've just been telling people "let me know if you see any bugs", which isn't really ideal for making sure Tor sees representative feedback.)
acat: Last week: - Revised #28745: THE Torbutton clean-up - Revised #21952: Onion-location: increasing the use of onion services through automatic redirects and aliasing - Tested/checked tom's new patch for #23719: Make sure WebExtensions are spared from JIT disabling in higher security settings (Medium-High) - Patch for #32414: window.external.AddSearchProvider request goes through catch-all circuit - Revised #22919: Form tracking and OS fingerprinting This week: - Probably some more revision for the last week work. - ? #28005: Officially support onions in HTTPS-Everywhere ? - #31395: Remove inline <script> in aboutTor.xhtml - #32767: Remove Disconnect search as it is discontinued - Do estimates for remaining s27 items.
sisbell: Last Week: - #28765 - LibEvent Android - moved to using clang (this solved a bunch of problems with building tor android) - #28766 - Tor Build for Android - verified compiling with armv7 and x86_64 (still need to do proper packing for apk) This week: - #28766 - Handle packaging and input into tor-android-service, verify build runs on device
Antonela: - I should work on S27 related tickets this week: - Review #30090 - Onion Errors - Review #32645 - URL bar indicators - sysrqb: We should talk about the overlapping bits in our roadmaps. Berlin seems a good time for us to coordinate it.
Pili: Last week: - Catching up after vacations This week: - High Level Roadmapping for 2020 - Refining our capacity estimates based on 2019 data - It would be useful if people could update "Actual Points" for tickets they worked on during a month to make it easy to break up actual capacity for tickets spanning multiple months - Would people be ok with doing that? [discuss] - Getting back to a trac triage routine ==============================
Thanks, Matt