Notes from the Tor Browser meeting, Oct 22 2018

Hi!

We had another weekly Tor Browser meeting yesterday. For those interested in the chat backlog, see:

http://meetbot.debian.net/tor-meeting/2018/tor-meeting.2018-10-22-18.00.log....

The items from our pad are:

Discussion:
- [tjr] TBB 8 Retrospective. Proposed Times:
  - Tuesday: 3 PM UTC
  - Thu/Fri 2:30 PM UTC
  - Either this week or next; same times. (GeKo: Next week Tue 3 PM UTC sounds good)
  - Ideally would like to get georg, boklm, arthur and anyone else interested

tjr
- Regrets for missing last week's meeting and saying nothing
- Tickets I think we can close:
  - https://trac.torproject.org/projects/tor/ticket/13410 (Disable self-signed certificate warnings when visiting .onion sites) [GeKo: I don't think we tackled that issue]
  - https://trac.torproject.org/projects/tor/ticket/22162 We did this, right? (Review speculative connections) [GeKo: I don't think we got to that yet]
- I want to start filing sandbox tickets.
  - Specifically: If an attacker's goal is to identify a user outside Tor, by stealing a persistent identifier and causing a proxy bypass, and they can accomplish these goals inside the Content Process, I see no reason to spend efforts on sandboxing the parent first. (Excepting promoting architectural decisions that will make it easier to do the Parent later.)
  - So I want to file tickets about issues we need to fix in the content process to block the attacker.
  - First examples: PTCPSocket and PUDPSocket IPC methods look like they would allow this; although I haven't tested
- Maybe landing fuzzyfox this week?
- mingw-clang
  - Landed pdb support, and it works! symbolized stack traces, yay!
  - Got --enable-sandbox to compile with help from Martin
  - Working on why build doesn't run: https://bugzilla.mozilla.org/show_bug.cgi?id=1497895
  - Also doing various build cleanup stuff: https://bugzilla.mozilla.org/show_bug.cgi?id=1500802 and children; https://bugzilla.mozilla.org/show_bug.cgi?id=1500102

mcs and brade:
Last week
- Finished #26263 (browser app icon positioned incorrectly in macOS DMG installer window).
- With the same patch, we also fixed #25151 (Update Tor Browser branding on installation).
- Helped with #28039 (Tor Browser log is not shown anymore in terminal since Tor Browser 8.5a2).
- Reviewed the team roadmap, especially our tasks.
Upcoming:
- We will be on vacation Tuesday, October 23 - Wednesday, October 31.

sysrqb:
Last week:
- Reviewed #26690 (Padlock icon for TBA)
- Reviewed #27111 (about:tor for TBA)
- Began creating a patch for #24920 (TBA should only have Private Tabs)
- Continued Rust audit (#27616)
- Investigated #27431/#28125 (TBA DNS leak)
- S19 text
This week:
- Create branch for patching #28125 (TBA DNS leak)
- Finish rust audit - #27616
- At funder's meeting this week

pili:
Last week:
- Sponsor19 report brainstorming
- Tor Browser Release meeting
This week:
- Looking to label tickets with Sponsors
- Evaluating best ways to track roadmap items, spreadsheet, other...
- Orfox issues - are we tracking all the relevant issues sent over by Fabiola from Guardian Project? How are they identified? [sysrqb: No, and unfortunately we're mostly ignoring Orfox currently. We should follow up on those issues and decide on a plan for Orfox]

GeKo:
Last week:
- release prep
- reviews
- worked on #26475, Tor Browser design doc update (#25021), #28039, and #28075
- meetings and syncs
- ticket triage (there is no Applications/Torbutton anymore, please use Applications/Tor Browser + keyword `tbb-torbutton`, similar things will happen this week with Applications/Tor bundles/installation: it will DIE; please use Applications/Tor Browser + keyword `tbb-rbm` if really needed)
This week:
- release help
- more work Tor Browser design doc update
- die, Applications/Tor bundles/installation, die (#20648)
- looking into single-locale language repacks (#27466)
- mail to Apple about their experiences with redirect isolation

sisbell:
Last week:
- #27441 Debian image to use stretch (ready to merge)
- #26696 Platform def in rbm.conf (ready to merge)
- #26976 hardening wrapper - closed (don't need to fix)
- #26975 Mobile branding (fixed/closed)
- #26697 Android toolchain - removed gradle dependencies (now in Firefox project)
- #27443 Firefox for Android - applied boklm patch for a script to download and package artifacts
This Week:
- Investigate if patches (or parts of patches) needed with latest setup
- Investigate if sdk 23 still needed with latest Firefox code [sysrqb: we should be targeting 26, so I don't think we need 23 for anything(?)]

arthuredelstein:
Last week:
- Patches for:
  - #26498 (Fix bn-BD and es-AR locale for Tor Browser)
  - #28082 (Add 4 more Tor Browser locales)
  - #28111 (For about:tor, use a Tor Browser icon in identity box)
  - #22343 (Save as... in the context menu results in using the catch-all circuit)
  - #28093 (2018 Tor Browser Android donation banner)
- Worked on: https://bugzilla.mozilla.org/show_bug.cgi?id=1330467 (When "privacy.firstparty.isolate" is true, double-key permissions to origin + firstPartyDomain)
- S19 text
This week:
- Keep trying to finish permissions FPI
- Help to look at redirect FPI approaches
- Help with TBA donation banner? (#28093) (GeKo: igt0 put this on his plate and is coordinating with antonela in case there are assets that need to get adapted)

boklm:
Last week:
- helped with building the new releases
- reviewed and tested patches for:
  - #21704 (Abort install if CPU is missing SSE2 support)
  - #26475 (ESR60-based Tor Browser bundles are not built reproducibly with Stylo enabled using rustc > 1.25.0)
- reviewed patches for #26693 (Integrate Tor Browser for Android into tor-browser-build)
- made patch for #27438 (Android Gradle Build Downloads)
- started looking at #28117 (Some URLs can't be downloaded with LC_ALL=C)
- worked on tor browser testsuite setup (#26149)
This week:
- help publish the new releases
- enable running testsuite on nightly builds (#26149)
- check if more updates are needed for #25030

pospeselr:
Last week:
- #3600 work (redirect cookies)
- began work on design doc (turns out this is a really hard problem)
- fixed a few bugs in tbblogger
This week:
- #finish design doc edits and post on storm
- #3600

igt0:
Last week:
- #25013 (Sent a patch and tested on android and desktop with different locales)
- Reviewed and tested #28104
This week:
- More work on #25013
- Update #26690 (padlock icon for tba)
- Update #27111 (about:tor button for tba)

Georg
Georg Koppen