Hello!
We held our weekly Tor Browser meeting on Monday in #tor-meeting2. Here is the IRC log: http://meetbot.debian.net/tor-meeting2/2019/tor-meeting2.2019-10-28-17.30.lo...
First, we successfully released Tor Browser 9.0! It was a significant achievement with the last few months being full of getting Tor Browser stabilized based on Firefox 68esr. Congrats and many thanks to everyone involved in this!
Unfortunately, there isn't much time to waste. We're working on bug fixes this week, as well as implementing the end-of-year campaign in the browser. The next point release is scheduled at the beginning of next week which should include these updates.
From the 9.0 release, we received significant feedback on the new
Letterboxing feature. It was recognized this feature wasn't introduced as well as it should be, and the new margins are both concerning and confusing. We're planning on addressing these issues over the next few releases.
In the meeting, we discussed a situation affecting some Windows users where Tor Browser won't run on an older version of Windows due to a missing library (ucrt). This library is available for installation via Windows updates on most older (supported) Windows versions, but some computers still do not have it installed. Mozilla work around this issue by bundling the library in their builds. We do not currently bundle the library, and we don't know how many users are affected by this. This is being tracked on https://trac.torproject.org/projects/tor/ticket/32327.
Another question was asked about providing access to the cookie behavior configuration in about:preferences. This UI is now controlled by Firefox's Enhanced Tracking Protection (ETP) feature, and the setting UI disappeared when Tor Browser disabled ETP. There are tradeoffs with providing an easy configuration UI for this. This is being tracked on https://trac.torproject.org/projects/tor/ticket/32330.
Meeting Notes: ============================== Week of October 28, 2019 Discussions: Git admins (git{,web,-rw}.torproject.org) Tor Browser 9.0 post-mortem Upcoming releases S27 Work YE Campaign - about:tor page
Jeremy Rand: Last week: - #19859 is believed to be in a complete state (both spec and Tor daemon code). Feedback from Nick is addressed, including adding a unit test. Planning to test that patch for a bit in conjunction with other Namecoin ecosystem stream isolation patches before asking for a merge. - Started implementing stream isolation in StemNS. It's now feature-complete but needs some more testing before a merge. - Implemented and merged patches to ncbtcjson, ncrpcclient, ncdns, and ncprop279 for using a current fork of btcd's RPC client library instead of the ancient 2015-era fork we had been using. This was a prerequisite to getting stream isolation plumbed from ncprop279 to Electrum-NMC. We're still engaging with btcd devs on getting patches merged so that we can abandon that fork completely and use upstream directly. - Implemented and merged patches to ncbtcjson, ncrpcclient, ncdns to pass through stream isolation data to Electrum-NMC. (ncprop279 didn't need any additional patches.) This week: - Minor patch for Electrum-NMC's JSON-RPC server to handle stream isolation in a way that ncrpcclient can convey (it's so nice when one library serializes the arguments in a JSON array while another library deserializes them from a JSON object...). - Finish testing stream isolation with Namecoin. - Ask Nick to review #19859 again once the above testing is complete. - Maybe do some auditing for proxy leaks. - Maybe do some auditing for build reproducibility. - Running out of TODOs; that's a good sign I guess.
mcs and brade: Last week: - Added Actual Points to our completed tickets. - Fixed #32184 (red dot during mar download). - Helped with triage for #32212 (Tor Browser 9.0 does not restart correctly after updating from 8.5.5, on Debian stretch). - Commented in #21542 (use Subprocess.jsm to launch tor). - We were afk Thursday and Friday. This week/upcoming: - Sponsor 27 work: #30237 (v3 onion services client auth). - Maybe #32119 (onboarding for "Goodbye Onion Button" could be better). - waiting on UX input.
GeKo: Last week: - helped with releases; tb9 is out and not exploding yet, yay! - Spent a lot of my time on our blog and other support channels - tbb-9.0-issues (https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~... ) and tbb-9.0.1-can (https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~... ) - unaddressed issues yet - ucrt support on Windows < 10 (missing dlls on some computers; should we actually bundle them? No.) - what about our general cookie setting UI being hidden now? - made progress on tracking down reproducible builds issue on macOS (#32053); now slowly bisecting rust versions - thought about OTF proposal feedback - wrote small patch for our signature checks (#32284) - struggling with closing/finishing remaining esr68 transition issues - reviews (#30783, #31658, #32210, #32188, #32164, #31803, #31764, #32169, #32184) - how do we want to proceed with our mozconfig files in tor-browser (re: #32116)? (let's talk about it next week) This week: - finish more esr68 transition items (#31591, #30429, #31010) - make progress on review of all bugs closed between esr60 and esr68 (#31597) - prepare 9.0.1 and 9.5a2 (pospeselr: can you help building them?) - more work on #32053 - reviews
Pili: Last week: - Mozfest This week - Helped publish the new releases: - More Browser proposal revisions after sponsor review - Reviewing workload and roadmap for November - Catching up from Mozfest - AFK on Friday due to public holiday
tjr - We've updated to clang 9 on -central, I am (slowly, occasionally) working on that for the mingw builds. - Ethan said there is not timeframe for when uplift may resume.
sysrqb: Last week: 9.0 and 9.5a1 releases for Android Code review (#30501, #30518) Opened some tickets for bugs in 9.0 (#32214, #32243, #32303) Investigated a couple of the bugs (#32238, #32303) This week: Created a useful https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser page Fix some bugs: at least obfsproxy on Android Q (#32303) More on the OTF proposal Code reviews Pick up a tbb-9.0-issues ticket
boklm: Last week: - Helped publish the new releases - Fixed some website tickets (#32222, #32223, #32201) - Continued investigating reproducibility issues (#32052 and #32053) - Reviewed #32284 (No need to save all bundles for mar-signing and authenticode-signing check until we are done) - Reviewed #31130 (Use Debian 10 for our Android container images) - Looked at patch for #30334 (build_go_lib for executables) and saw that it needs changes to be rebased on master This week: - Continue investigating reproducibility issues (#32052 and #32053) - Try to rebase patch for #30334 (build_go_lib for executables) - Try to fix fpcentral (#32014), and related fpcentral tickets (#31987 and #31986) - Work on #18867 (Ship auto-updates for Tor Browser nightly channel) and sub-tickets
sisbell: Last Week: -#30552: Android- cleanup torc (in review) - removed transparent proxy fields used by orbot and various default field values - #31130 - Android tor Debian - tried a number of approaches, narrowed down right one, defined dependencies needed - #31922 - ApkTool - some investigation This week: - Reviewing and commenting on new TorService code (and VPN cleanup) by eight have - #30501: BridgeList an overloaded field - respond to review/make changes - #31130 - Android tor Debian - expect to have something ready for review by 10/28 -#30842 - Some more emulator testing (fennec as baseline) - Does esr68 work correctly on JellyBean arm devices? - #31922 - ApkTool, I think I have a solution for getting correct version (I can use similar approach as using for openjdk download)
pospeselr: Last Week: - a bunch of small tbb-9.0-issues fixes - filed https://bugzilla.mozilla.org/show_bug.cgi?id=1590538 (broken paste and go)
- mozilla posted a patch that's under review now that's slightly different from my fix
- filed https://bugzilla.mozilla.org/show_bug.cgi?id=1591259 (NS_ERROR_NOT_AVAILABLE thrown on launch)
- no response yet, but not a regression in Tor Browser, its broken in latest Firefox
- figured out problem with my office/build machine (tor-browser-build/tmp not getting cleaned up, filed #32272 to track)
This Week:
- ?
acat: Last week: - Rebased #28745 - Revise https://bugzilla.mozilla.org/show_bug.cgi?id=1581537. [Browser UI locale is leaked in several ways] - tor#30783: End of Year Fundraising Campaign Banner - [new] - https://bugs.torproject.org/30783 - Worked on #27604: Relocating the Tor Browser directory is broken with Tor Browser 8 This week: - Finish fixing #27604: Relocating the Tor Browser directory is broken with Tor Browser 8 - #32255: Missing ORIGIN header breaks CORS in Tor Browser 9.0 - Revise (hopefully last one) https://bugzilla.mozilla.org/show_bug.cgi?id=1581537. [Browser UI locale is leaked in several ways]
antonela - Filed #32324 - Introduce Letterboxing to users - Filed #32325 - Allow Letterboxing opt-in/out ==============================
- Matt