Hi everyone,
We held our weekly meeting on 2 March. The meeting logs are available at: http://meetbot.debian.net/tor-meeting2/2020/tor-meeting2.2020-03-02-18.29.lo...
During this meeting we briefly discussed #13410 and how Alec Muffett's S.O.O.C. proposal [SOOC] overlaps with the goal of this ticket. We didn't make any decisions about this topic, however.
[SOOC] https://github.com/alecmuffett/onion-dv-certificate-proposal/blob/master/tex...
Team progress and discussion notes
==================================

Discussion:
GeKo:
Last week:
-I worked mainly on RLBox backports
* I have the Linux version up for review (see: #32380 and #32389)
* I got the macOS version ready for review, too (see: #33481, #33487, #33410)
This week:
-finally getting back to design doc update
-maybe working on RLBox reproducibility (#33488)
tjr: I recall glandium and/or you had ideas for https://bugzilla.mozilla.org/show_bug.cgi?id=1612035, no? Now would be a good time to add those. :)
mcs and brade:
Last week:
- Reviewed #32645 patch (Update URL bar onion indicators).
- Worked on onion service error strings (#33035).
- Investigated and closed #31984 (partial update: unable to remove directory: tobedeleted).
- Worked on small issues for #19251 (onion services error page).
- Reviewed February Sponsor 27 report.
- Worked on peer feedback for TPI Feedback Cycle 2020-1.
This week/upcoming:
- Review latest #32645 patch (Update URL bar onion indicators).
- Finish and post patches for #19251 (onion services error page).
- Revisit #32418 (Torbrowser tells on every start, that it can't update).
- Finish and submit self, peer, and team lead feedback.
- Start to review #28005 (Officially support onions in HTTPS-Everywhere).
pospeselr:
Last week:
- patch out for #13410
- put out for code review on Mozilla
- consensus among folks who know things about certs (dkeeler, alecmuffet, arma) seems to be that what we're trying to do here is a bad idea and needs to be more restrictive
- dkeeler pointed me to alecmuffet's SOOC cert spec ( https://github.com/alecmuffett/onion-dv-certificate-proposal/blob/master/tex... ) as well as a short summary of the discussions alec has apparently already had with the Mozilla folks
- alecmuffet pointed me to a doc containing the discussions about the spec as well as how to properly implement in firefox
- tldr; removing the chain-of-trust check for onions is not sufficient, but I have a high level understanding of the 'right' way to do this:
- implement sections 1.1 through 1.6 of the SOOC spec in a new 'TrustDomain' in Firefox that is used for onions
- final update for #32645 fixing some icon scaling issues
This week:
- peer feedback
- release notes review
- #13410 updates?
so to implement 1.1 through 1.6 the suggested mozilla way should mostly just be engineering/programming work with very little investigation, but it's still a sizable chunk of time (I'd estimate ~1-2 weeks?)
[discuss] do we want to go through the effort of redoing this for S27, or should we just take what we have now, stick it behind an only-enabled-in-alpha pref and come back to this when we have less time pressure?
- braindump on ticket, maybe start prototyping this
boklm:
Last week:
- Some reviews: #32437, #32436, #33216, #32992, #32991, #28766, #28765, #33215
- Helped with gpg signing new alpha
- Looked at #32650 (Check translations for bogus characters)
- Started looking at testsuite setup
- Looked at blog comments
This week:
- Waiting for someone to review/merge #33402 and #33403 to check if nightly updates are working
- Work on testsuite setup
- More reviews
- Submit feedback
sysrqb:
Last week:
- Progress on getting macOS signing/notarization on the hosted signing machine
- Investigated CSS font-embedding on Safest security level
- Spent some time on the OTF grant
- Responded to Jeremy
- Looked at some possible paths for TLS cert warnings
This week:
- Releasing 9.5a6
- Code reviews
- Create a rough roadmap for the next one-two months (with Pili)
- Review S27 summary
...
sisbell:
Last Week:
- Android for Tor - a number of updates, testing. Following merged: #33216, #33215, #32992, #32991. Left with getting OpenSSL, Libevent and Tor project changes approved and merged.
- #32476: JNI got build working in tbb
- Fenix investigations around dependencies and latest gradle
This Week:
- Respond and fixes based on reviews to #28764, #28765, #28766 (Tor)
- #28765: LibEvent: make small change to handle all platforms
- Upgrade tor binaries to 4.x in tor-android-services
- #32476 - integrate and test with TOPL, open branch for review
acat:
Last week:
- Rebase Tor Browser patches onto mozilla-central.
This week:
- Fix/polish a few remaining things of the mozilla-central patches rebase and create ticket for review.
- Write feedback.
- Revise #21952 (Onion-Location) to support meta tags.
- Investigate #33342 (Disconnect search addon causes error at startup)
pili:
Last week:
- S27 February report
- S27 release planning
- GSoC wrangling
This week:
- Browser team February report
- Start of month housekeeping
- More GSoC wrangling
- Work on developer portal
- Tor Browser Release meeting this week
Jeremy Rand:
Last week:
- Posted on tor-talk asking for feedback on Namecoin integration in Nightly.
- Looks like that thread attracted the attention of a journalist: https://linuxreviews.org/The_Nightly_Tor_Browser_Build_Has_Support_For_Namec...
- More progress on the linux-arm port of Tor Browser... figured out why the Firefox build was failing with assembler errors; managed to get a working Tor Browser binary built in rbm.
This week:
- Await feedback on tor-talk thread.
- Maybe more linux-arm port stuff.
- File ticket about Namecoin TLS support.
==================================
Thanks, Matt