Tor Browser team meeting notes, 15 Jan 2018 - tor-project

16 Jan 2018


      Hi!
We had our second Tor Browser meeting in 2018. Here is the meeting
transcript:
http://meetbot.debian.net/tor-meeting/2018/tor-meeting.2018-01-15-19.00.log....
And the notes from the pad are:
Monday, January 15, 2018
Discussion:
    -What about Taler (https://taler.net/en/ ) integration into Tor Browser?
    -Who wants to be the PoC for Pari's helpdesk reports (following it,
amending it with tickets we already track, making sure it is correct
from a browser side etc.)? (Richard volunteered)
    -I want to establish some feedback mechanism within the team by
doing a 1to1 with each team member, say at least once a year. I plan to
start this round end of June 2018
mcs and brade:
    Last week:
        - Worked on Moat integration loose ends (#23136).
                - incorporated activity spinner image from Antonela
(#24696).
                - added support for multiple bridges returned by BridgeDB.
                - reviewed dcf's patch for #24642 (cannot use
TOR_PT_EXIT_ON_STDIN_CLOSE)
        - Attended the UX + Tor Browser meeting on IRC.
        - Read the Android Torbutton and Tor Launcher proposals.
        - Investigated the Tor Launcher aspects of #24826 (compressed
consensus diffs stall Tor Browser launch).
        - Worked on #24421 (Temporarily allow all this page and New
Identity).
        - Helped with triage of new tickets.
Planned for this week:
        - After a test server is deployed by the Network Team, test and
put Moat integration code out for review.
        - Comment on Matt's Android Tor Launcher proposal.
        - Do more debugging for #24421 (Temporarily allow all this page
and New Identity).
        - Work on about:tbupdate issues (#21850 and #24578; avoid using
a query string),
Georg:
    Last week:
        -fought my backlog
        -ticket review (and partially merge): #24702, #23911, #23892,
#24842, #21245, #22343, and #18691
        -made a bit progress on our mingw-w64/clang-based toolchain (#21777)
        -wrote a patch for #23916
        -worked on the Tor Browser design doc update (#21256)
        -worked on the proposal for the toolbar redesign and better
understanding of security features
        -started to think about our android reproducible builds and
updates for Tor Browser on Mobile
This week:
        -release preparations for 7.5 and 8.0a1
        -more reviews
        -finish design doc update (#21256); aimed for Friday this week
        -further work on the proposal for the toolbar redesign and
better understanding of security features
        -think about some improvements to our release signing scripts
arthuredelstein
Last week:
- Worked on rebasing tor-browser.git to mozilla-central. I am about
2/3 of the way through. Once all patches are rebased, I will set up on a
nightly automatic rebase script.
- Made a list of patches we should try to upstream for ESR60. I will
send the list to tbb-dev and update bugzilla where needed.
- Attended the Mozilla/Tor UX video meeting and a second meeting
with Mozilla uplift team on fingerprinting patch triage.
- Checked in https://bugzilla.mozilla.org/show_bug.cgi?id=1384309
This week:
- I will continue to work on the rebase, and also push forward
any upstreaming patches that look feasible.
- Try to move forward on https://trac.torproject.org/24309 (tor
circuit door hanger)
- If there is time, I also want to look at
https://trac.torproject.org/14952 (HTTP2 audit/patching)
boklm:
    Last Week:
        - Worked some patches for:
            -  #24842 (debug builds are missing libasan.so.2 and
libubsan.so.0)
            - #18691 (switch Windows builds from precise to jessie)
            - #24879 (enable fetching of new commits by default for
nightly builds)
    This Week:
        - follow the fpcentral setup
        - make our testsuite run on nightly builds
        - look again at some improvements to our release signing scripts
(#24331)
        - review #23916 (Create a new MAR signing key for Tor Browser)
        - help with building of the new releases
igt0:
    Last Week:
        - PoC Tor Button for Mobile(basically, I moved the code to the
tor-browser.git and started to integrate with the Firefox build system).
        - Updates in the Tor Button proposal
        - Reading about how tor-android(
https://github.com/n8fr8/tor-android) works
    This Week:
        - Finish the PoC
        - Review sysrqb proposal
        - Updates to the tor button proposal
pospeselr:
Last Week:
- investigated more avenues regarding #15559 (Range requests used by
pdfjs are not isolated to URL bar domain); conclusion I've come to is
there no nice surgical fix here
- pdf.js seems to require the nsISystemPrincipal for range-based
requests to work properly
- the JS Context the range-requests run in are missing the original
principal and first-party domain information needed to be put on the
correct circuit
- looks like the best that can be done is to just disable
range-based requests, but at the cost of pdf performance
- will no longer be able to read pdfs as they load, the whole thing
has to be downloaded
This Week:
- it's easy enough to disable range-request, so will have a patch up
for this later today
- will find some other (hopefully simpler) fingerprinting bug to work on
Georg