Tor Browser team meeting notes, 8 Oct 2018 - tor-project

9 Oct 2018


      Hi all!
We had our first weekly Tor Browser meeting in October yesterday and
here are, as usual, the link to the the IRC meeting log:
http://meetbot.debian.net/tor-meeting/2018/tor-meeting.2018-10-08-18.01.log....
and to our meeting notes on the pad:
Discussion:
    -Roadmap (https://pad.riseup.net/p/tbb-roadmap-2018-19)
    -Timesheets! (GeKo: they need to be submitted by 7th the following
month and approved by 10th the following month)
    -status updates redux (GeKo: If you work, then please put a status
update to #tor-dev, so we all  keep in sync over the week)
    -team rotations (see:
https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/TeamRota...
for what the network team has) (GeKo: We'll start with more build duty
rotations and think about other areas where the rotation idea might be
useful)
    - tjr: should i cancel the monthly mozilla sync tomorrow?  Leaning
strongly towards yes. (GeKo: Yes, this got cancelled)
GeKo:
    Last week:
        -dev meeting
        -secruity releases preparation (much thanks to boklm for doing
the heavy-lifting!)
    This week:
        -esr60 wrap-up
        -catching up on reviews
        -work on design doc (#25021) and release doc update (#25030)
        -finalizing the roadmap
        -getting back to staring at our reproducible build issues with
rust (#26475)
        -start looking into single-locale repacks (#27466)
        -tjr: when would be a good time to chat about the tb8
retrospective with focus on mozilla stuff?
            - [tjr] Did Ethan & co indicate they wanted to be there?
15:00 UTC is our usual meeting time for Europe+West Coast...
        -mcs/brade: do we still need to do #27239 or are we done with
the feedback for the network team? Response from mcs: We recently
commented in #27691 (a child ticket). There are a lot of tickets though,
so we should take another look and give feedback to the network team. We
may need to ask catalyst for a summary of how clients like Tor Launcher
will be affected.
mcs and brade:
  Since our last meeting:
    - Attended face-to-face meeting in Mexico City.
    - Helped with triage of new tickets.
    - Completed some code reviews.
    - Tested Tor Browser 8.0 to 8.0.1 updates.
    - Created a patch for #27623 (wrong default pref values in Tor
Browser 8.0).
       - Helped with regression #27865 (Tor Browser 8.5a2 is crashing on
Windows).
    - Created a patch for #27905 (many occurrences of "Firefox" in
about:preferences).
    - Investigated #27828 ("Check for Tor Browser update" doesn't seem
to do anything).
    - Completed end-of-month administrative things.
  This week:
    - Finish post-travel paperwork.
    - #27828 ("Check for Tor Browser update" doesn't seem to do anything).
igt0:
    Last week:
        - Attended the f2f Tor meeting
        - decompressing from the meeting. (take a look in the notes,
double check the roadmap and so on)
    This week:
        - #25013 (Move TorButton code to the tor browser repository)
        - Write proposal for tor button for android.
boklm:
    Last week:
        - attending Mexico meeting
        - releasing security releases
    This week:
        - work on torbrowser testsuite
        - try to make rebundling faster by generating multiple bundles
in parrallel (#27218)
        - some reviews
sisbell:
  Last week:
    - Generated tarball of android dependencies
    - android-toolchain work and testing: #26697 #27439
  This Week:
    - #27440 LLVM Support (fix regression)
    - #27443 - Firefox: this requires some amount of rework to align
with changes in android-toolchain.
pospeselr:
    Last week:
        - mexico city
        - fixed dev pc
        - cleaned up logger built to debug #26381 (sandbox race
condition on windows)
    This week
        - ping ethan on #3600
- #3600 work (disable cookies being passed through on redirects)
- [tjr] any chance you could summarize what the plan is for
this? [pospeselr] yes
- last week, was getting up to speed on the redirect cookie
problem ( https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections
seems like a good place to start here for reference)
- it looks like there are three classes we need to worry about:
HTTP redirects (302 and friends), JS redirects (window.location), and
HTML redirects (http-equiv="refresh" meta tag)
- initial plan is to prototype/hack a solution for HTTP redirects,
see what breaks (and build test page for each)
- [tjr] When you say " just disable the cookie redirect via a
pref"... what do you mean?
- rather than just blanket disabling cookie forwarding on redirect,
only do so when a pref is enabled to improve chance the patch can get
uplifted
- [tjr] I still don't understand.  You're on a.com. You click a link
to b.com (which sends cookies for b.com). You receive a redirect to
c.com. You're saying "We won't send cookies for c.com"?
- [pospeselr] that sounds about right, unless I'm misunderstanding
the ticket
- [tjr] I don't think this is helpful. The cookies for b.com have
already been sent to b.com. There's a very limited benefit here...  I
think a design document would be helpful; but it's up to you =)
- [pospeselr] the discussion can be found here:
https://trac.torproject.org/projects/tor/ticket/3600
Not my area of expertise so if there's obvious holes here I'm all
ears.  Seems like concern of affiliated websites cookies being used to
auto-log you in (ie when traversing various google properties)
- putting logger up on github w/ patch that can be directly
applied to firefox for that logging goodness
tjr
 - Close to landing a mingw-clang x86 job
 - Close to landing pdb support for mingw-clang
 - Worked on mingw-gcc jemalloc a bunch. No conclusions. Next step is to
compile esr60 with mingw-clang and see how that looks....
 - Worked on the mozilla-release issue with sukhe a bit. Couldn't build
tb-alpha. This is really confusing. I wonder which will get done first:
mingw-clang or this....
pili
- How do we decide when/whether to incorporate user feedback into Tor
Browser releases? (GeKo: There are no strict rules that govern this so
far: it depends on how many users are affected by an issue, what else we
have to do etc.)
arthuredelstein:
  Last week:
  - Finished at Mexico meeting
  - Took a day off
  - Worked on https://bugzilla.mozilla.org/show_bug.cgi?id=1330467 (FPI
permissions)
  - Patch for https://trac.torproject.org/27959 (2018 Tor Browser
donation text)
  This week:
  - Try to finish FPI permissions
  - Look at tbb/8 issues, including
https://trac.torproject.org/projects/tor/ticket/27290
  - Work on donation banner code when ready
  - Optimistics SOCKS if time
Georg