Hello!

Due to Easter we had our weekly meeting on Tuesday this week (same time, same location, though). The IRC log can be found at

http://meetbot.debian.net/tor-meeting2/2019/tor-meeting2.2019-04-23-17.31.lo...

and our pad items are pasted below:

Discussion: - tbb-8.5-must tickets and 8.5 release (GeKo: We plan to get the building for 8.5 started next week)

GeKo: Last week: - mostly offline, trying to do some vacation This week: - backlog processing - getting back to reviews - back to work on Tor Browser 8.5 blockers starting with missing localization for mobile (#30069) - I am still missing self-feedback from some of you (not naming names)

sysrqb: Last week: - Alpha release - TOPL review (#30199, #27609) - Reviewed Google Play analytics, opened tickets for reported crashes - Opened and began investigating #30239 This week: - Finish investigating and start writing patch for #30239 - Work on animation for #28329

antonela: Last week: - Tried to be offline. This week: - #25658, what is left here? Anything needed on my side? (GeKo: I think we are good here for 8.5; we should pick up the missing site-permissons in May, I think) - #28800, still in April? - https://trac.torproject.org/projects/tor/ticket/28800 (GeKo: no, that's more for May) - #27399, #29955 could we sync on it? (GeKo: yes, let's do that in the next days) - #30000, in progress - DRL review, O3 GeKo, could we sync about this objective to be in the same page? Deadline is Friday (GeKo: sure)

acat: Last week(s):

- 24622: Torcrazybutton can't decipher website s3.amazonaws.com

- 30115: NoScript's XSS popup breaks circuit display in some cases

- 30171: Always accepting third party cookies seems to break first party isolation

- 26607: verify that subpixel accuracy of window scroll properties does not add fingerprinting risk

- 26608: investigate <link rel="preload">)

This week: - Follow up 26607 - More fingerprinting (if there is nothing with more priority)

26599: investigate CSS masks feature for fingerprinting potential

26602: investigate whether CSS clip-path adds a fingerprinting risk

26601: investigate whether SVGGeometryElement introduces a fingerprinting vector

26605: investigate window.requestIdleCallback() for possible timing leaks

[Tom] Looking at bugzilla, https://bugzilla.mozilla.org/show_bug.cgi?id=467035 and https://bugzilla.mozilla.org/show_bug.cgi?id=1461454 may be active fingerprinting vectors I'd suggest reviewing the status of (GeKo: I'll look into that and file at least tickets if needed)

mcs and brade: Past two weeks: - #29768 (Introduce new features to users in Tor Browser). - #30104 (browser onboarding: 8.5 security level image includes English text). - Posted patch for #29045 (ask tor to leave dormant mode). - #30000 (Integrating client-side authorization to onion services v3). - set up and experimented with v2 and v3 onion services that have client authorization enabled. - Helped with triage of incoming tickets. - Code reviews. - Completed our self-evaluations for the Tor employee/team feedback process. - Took some time off for Easter. This week: - #30000 (Integrating client-side authorization to onion services v3) - Finalize travel plans for the Stockholm meeting.

tjr - Sent mail about letterboxing - Next step: I'd like to get a Yay or Nay on the proposed solution. (It's very similar to the current rounding of 200x100) (GeKo: I look closer at it this week) Can people test in Nightly using the pref string, or should I bake the logic in there so people only have to toggle the pref on? - Then try to backport to 60 for TB Alpha testing?

boklm: Past two weeks: - helped build 8.5a11, published it and followed comments on the blog - did some cleanup on dist.tpo (#30204) - some reviews - updated patch for #29981 (Add option to build without using containers) - made patch for #30089 (Use apksigner instead of jarsigner) This week: - Finish fixing #27137 and disable all currently failing tests - Make some patch for #26907 (Guard against failures during MAR file generation) - Travel plans for the Stockholm meeting

pili: Last week: - vacation This week: - Submitted google season of Docs application - ideas reviews still welcome: https://trac.torproject.org/projects/tor/wiki/doc/GoogleSeasonOfDocs2019 - S27 roadmapping - Need to think about how to deal with orbot tickets (GeKo: I think we should call a meeting with n8fr8 and nail things down, finally)

pospeselr: Last weeks: - #27503 investigation (widl is at least partially to blame here) - filed several bugs with wine devs with min repros demonstrating invalid tlb generation - submitted a patch for one of the issues - misc nextcloud admin'y things - reviewed the 'Decks' app This week: - working on widl patches

sisbell: Last week: - #30162: Tor bootstrap process stuck. Investigated. Confirmed this is due to previous tor process running. Opened some issues in TOPL regarding fixes - #30272: Opened this issue - startup doesn’t handle loss of connection like airplane mode -#30166: Custom bridge - fixed issue - TOPL Pull request approved and merged into their master. This Week: - Fixes for #30162 - there are a few issues surrounding this to improved startup - #30168 : Cleanup tor-browser-build for TOPL fixes. Specifically fix Orbot issue #199 - Move resources from orbotservice to main app - Do self-review

Georg