Hi!
We had another weekly Tor Browser meeting yesterday. For those interested in the chat backlog, see:
http://meetbot.debian.net/tor-meeting/2018/tor-meeting.2018-10-22-18.00.log....
The items from our pad are:
Discussion: - [tjr] TBB 8 Retrospective. Proposed Times: - Tuesday: 3 PM UTC - Thu/Fri 2:30 PM UTC - Either this week or next; same times. (GeKo: Next week Tue 3 PM UTC sounds good) - Ideally would like to get georg, boklm, arthur and anyone else interested
tjr - Regrets for missing last weeks meeting and saying nothing - Tickets I think we can close: https://trac.torproject.org/projects/tor/ticket/13410 (Disable self-signed certificate warnings when visiting .onion sites) [GeKo: I don't think we tackled that issue] https://trac.torproject.org/projects/tor/ticket/22162 We did this, right? (Review speculative connections) [GeKo: I don't think we got to that yet] - I want to start filing sandbox tickets. - Specifically: If an attacker's goal is to identify a user outside Tor, by stealing a persistent identifier and causing a proxy bypass, and they can accomplish these goals inside the Content Process, I see no reason to spend efforts on sandboxing the parent first. (Excepting promoting architectural decisions that will make it easier to do the Parent later.) - So I want to file tickets about issues we need to fix in the content process to block the attacker. - First examples: PTCPSocket and PUDPSocket IPC methods look like they would allow this; although I haven't tested - Maybe landing fuzzyfox this week? - mingw-clang - Landed pdb support, and it works! symbolized stack traces, yay! - Got --enable-sandbox to compile with help from Martin - Working on why build doesn't run: https://bugzilla.mozilla.org/show_bug.cgi?id=1497895 - Also doing various build cleanup stuff: https://bugzilla.mozilla.org/show_bug.cgi?id=1500802 and children; https://bugzilla.mozilla.org/show_bug.cgi?id=1500102
mcs and brade: Last week - Finished #26263 (browser app icon positioned incorrectly in macOS DMG installer window). - With the same patch, we also fixed #25151 (Update Tor Browser branding on installation). - Helped with #28039 (Tor Browser log is not shown anymore in terminal since Tor Browser 8.5a2). - Reviewed the team roadmap, especially our tasks. Upcoming: - We will be on vacation Tuesday, October 23 - Wednesday, October 31.
sysrqb: Last week: Reviewed #26690 (Padlock icon for TBA) Reviewed #27111 (about:tor for TBA) Began creating a patch for #24920 (TBA should only have Private Tabs) Continued Rust audit (#27616) Investigated #27431/#28125 (TBA DNS leak) S19 text This week: Create branch for patching #28125 (TBA DNS leak) Finish rust audit - #27616 At funder's meeting this week
pili:
Last week:
Sponsor19 report brainstorming
Tor Browser Release meeting
This week:
Looking to label tickets with Sponsors
Evaluating best ways to track roadmap items, spreadsheet, other...
Orfox issues - are we tracking all the relevant issues sent over by Fabiola from Guardian Project? How are they identified?
[sysrqb: No, and unfortunately we're mostly ignoring Orfox currently. We should follow up on those issues and decide on a plan for Orfox]
GeKo: Last week: -release prep -reviews -worked on #26475, Tor Browser design doc update (#25021), #28039, and #28075 -meetings and syncs -ticket triage (there is no Applications/Torbutton anymore, please use Applications/Tor Browser + keyword `tbb-torbutton, similar things will happen this week with Applications/Tor bundles/installation: it will DIE; please use Applications/Tor Browser + keyword `tbb-rbm` if really needed) This week: -release help -more work Tor Browser design doc update -die, Applications/Tor bundles/installation, die (#20648) -looking into singe-locale language repacks (#27466) -mail to Apple about their experiences with redirect isolation
sisbell: Last week: - # 27441 Debian image to use stretch (ready to merge) - # 26696 Platform def in rbm,conf (ready to merge) - # 26976 hardening wrapper - closed (don’t need to fix) - # 26975 Mobile branding (fixed/closed) - # 26697 Android toolchain - removed gradle dependencies (now in Firefox project) - # 27443 Firefox for Android - applied boklm patch for a script to download and package artifacts This Week: - Investigate if patches (or parts of patches) needed with latest setup - Investigate if sdk 23 still needed with latest Firefox code
[sysrqb: we should be targeting 26, so I don't think we need 23 for anything(?)]
arthuredelstein:
Last week:
Patches for:
#26498 (Fix bn-BD and es-AR locale for Tor Browser)
#28082 (Add 4 more Tor Browser locales)
#28111 (For about:tor, use a Tor Browser icon in identity box)
#22343 (Save as... in the context menu results in using the catch-all circuit)
#28093 (2018 Tor Browser Android donation banner)
Worked on:
https://bugzilla.mozilla.org/show_bug.cgi?id=1330467 (When "privacy.firstparty.isolate" is true, double-key permissions to origin + firstPartyDomain)
S19 text
This week:
Keep trying to finish permissions FPI
Help to look at redirect FPI approaches
Help with TBA donation banner? (#28093) (GeKo: igt0 put this on his plate and is coordinating with antonela in case there are assets that need to get adapted)
boklm: Last week: - helped with building the new releases - reviewed and tested patches for: - #21704 (Abort install if CPU is missing SSE2 support) - #26475 (ESR60-based Tor Browser bundles are not built reproducibly with Stylo enabled using rustc > 1.25.0) - reviewed patches for #26693 (Integrate Tor Browser for Android into tor-browser-build) - made patch for #27438 (Android Gradle Build Downloads) - started looking at #28117 (Some URLs can't be downloaded with LC_ALL=C) - worked on tor browser testsuite setup (#26149) This week: - help publish the new releases - enable running testsuite on nightly builds (#26149) - check if more updates are needed for #25030
pospeselr: Last week: - #3600 work (redirect cookies)
- began work on design doc (turns out this is a really hard problem)
- fixed a few bugs in tbblogger
This week: - #finish design doc edits and post on storm - #3600
igt0: Last week: - #25013 (Sent a patch and tested on android and desktop with different locales) - Reviewed and tested #28104 This week: - More work on #25013 - Update #26690 (padlock icon for tba) - Update #27111 (about:tor button for tba)
Georg