Hello! Below come the notes from our weekly meeting which we had yesterday at 1730 UTC. The IRC log can be found at: http://meetbot.debian.net/tor-meeting2/2019/tor-meeting2.2019-04-29-17.31.lo... and the items from our pad are Discussion: - Tor Browser team meeting slots for the dev meeting? (GeKo: I'll ask for five, 2 roadmapping, 1 retrospective, 1 Tor Browser vision, 1 team capacity) - migration to esr68 (GeKo: we started to think about it; will nail down more detailed plan with action items either next week or the week thereafter) sisbell: Last Week: - #30280 - Wrong SHA-256 - due to use of jcenter which can proxy different artifact repositories. Removed jcenter from dependencies (ready for review). Also removed use of jcenter from TOPL(#109)/android-tor-service(#23) projects (GeKo: are we good with that bug or is there something left that needs to get fixed before review)(sisbell: it's ready for review, no more work) - #30162 - Bootstrap process stuck - implemented fix that takes ownership of tor process so that tor will shut itself down when the control connection dies (TOPL#59). Also implemented a fix for reusing an open tor control connection (TOPL#111). - #30166 - Custom bridges. The content of the textfield for user-defined bridges is overloaded (it acts a filter for pre-defined bridges OR it contains bridge information directly). Introduced fixes to make this work with TOPL(#115) + tor-android-service(#26). - Verified #30162 and #30166 work against an Orbot build. - Self-feedback This week: - Add #30162 and #30166 fixes into tor-android-build. Test and fix any issues. mcs and brade: Last week: - #30000 (Integrating client-side authorization to onion services v3). - experimented with HTTP CONNECT for the browser/tor connection. This week: - #30000 (Integrating client-side authorization to onion services v3). - Finalize travel plans for the Stockholm meeting. - Out of the office Thursday May 2 and Friday May 3. GeKo: Last week: - work in localization/branding land (wrote patches for #30136 and #30069), helped with special characters in Android strings issue (#30054) - reviews (#29981, #30086, #30115, #28369, #30166) - dealing with bug bounty issues - looked into snowflake for android over the weekend (#28672) but that's more involved than a (couple of) weekend activity(-ies), thus 301 -> boklm This week: - getting back to tjr's letterboxing email - preparing 8.5 (GeKo: We still stick to the idea of building 8.5 this week) - more work on tbb-8.5-must/tbb-8.5 items - reviews - start begin-of-the-month admin work acat: Last week: - Revised patch for 30115: NoScript's XSS popup breaks circuit display in some cases - Looked into 26605: investigate window.requestIdleCallback() for possible timing leaks - Looked into 26607: verify that subpixel accuracy of window scroll properties does not add fingerprinting risk - Looked into 30304: Browser locale can be obtained via DTD strings [tjr: what did you find?] acat: Well, it leaks browser locale, yes (I understand there's currently no other known way to get browser locale from website) The suggested approach in https://bugzilla.mozilla.org/show_bug.cgi?id=467035, creating hidden iframe loading the xml and reading localized text works in Tor Browser. The simple fix suggested in bugzilla (reverting https://hg.mozilla.org/mozilla-central/rev/7ace0805c2d3) breaks about:tor, the DTD for localization cannot be read which makes sense, since the reason of that patch is to unbreak addons (legacy, I assume) it would work fine if about:tor was privileged (no URI_SAFE_FOR_UNTRUSTED_CONTENT), but I think we don't want that so I'm still investigating/understanding the relevant code and trying to find the best way of not breaking it I also want to test it in Android, because I suspect the code for handling some about:* pages is not the same there (mobile/android/components/AboutRedirector.js) This week: - Finish 30304 and 26607. - Backlog: 26599, 26602, 26601, https://bugzilla.mozilla.org/show_bug.cgi?id=1461454. boklm: Last week: - Updated patch for #29981 (Add option to build without using containers) - started testing patches for #30325 (Remove bison from the list of default packages on android and osx builds) and #30326 (Remove yasm from the list of dependencies for the firefox android build) - started disabling failing testsuite tests - sent (late) self-feedback This week: - finish disabling all failing testsuite tests - start looking at #28672 (Android reproducible build of Snowflake) - review #29307 (Use Debian Stretch for cross-compiling our Windows builds) and #29319 (Remove FTE support in Windows bundles) - help with 8.5 build/release - afk (holidays) on Wednesday and Thursday tjr - Started/tried backporting letterboxing to 60. Ran into a complex refactor I need to work around, sent an email no response - Someone also filed https://bugzilla.mozilla.org/show_bug.cgi?id=1546832 which is a bit of a problem. I'm not sure if it should block bringing it to TB Nightly. (GeKo: I don't think so) - Started working on mingw build stuff again. - Getting tests running on Try: finding lots of crashes.Indicative of real issues that could crash? Don't know!! antonela: Last week: - #27399, #29955, in progress - #30000, in progress This week: - #27399, #29955, in progress - #30000, in progress https://trac.torproject.org/projects/tor/ticket/30237#comment:1 pili: Last week: - All teams project planning - Submitted google season of docs application This week: - S27 - first report - work estimation and planning - start thinking about dev meeting sessions pospeselr: Last week: - Worked on wine bug #47035 for tor #27503 - got most of the way through this, should have a patch ready for review tomorrowish This week: - See if swapping in pre-built MIDL Accessibility2 related bits fixes our issues here - continued work on widl patches Georg