[tor-project] Tor Browser team meeting notes 29 April 2019

Georg Koppen gk at torproject.org
Tue Apr 30 10:12:00 UTC 2019


Below come the notes from our weekly meeting which we had yesterday at
1730 UTC. The IRC log can be found at:


and the items from our pad are

    - Tor Browser team meeting slots for the dev meeting? (GeKo: I'll
ask for five, 2 roadmapping, 1 retrospective, 1 Tor Browser vision, 1
team capacity)
    - migration to esr68 (GeKo: we started to think about it; will nail
down more detailed plan with action items either next week or the week

  Last Week:
     - #30280 - Wrong SHA-256 - due to use of jcenter which can proxy
different artifact repositories. Removed jcenter from dependencies
(ready for review). Also removed use of jcenter from
TOPL(#109)/android-tor-service(#23) projects (GeKo: are we good with
that bug or is there something left that needs to get fixed before
review)(sisbell: it's ready for review, no more work)
     - #30162 - Bootstrap process stuck - implemented fix that takes
ownership of tor process so that tor will shut itself down when the
control connection dies (TOPL#59). Also implemented a fix for reusing an
open tor control connection  (TOPL#111).
     - #30166 - Custom bridges. The content of the textfield for
user-defined bridges is overloaded (it acts a filter for pre-defined
bridges OR it contains bridge information directly). Introduced fixes to
make this work with TOPL(#115) + tor-android-service(#26).
     - Verified #30162 and #30166 work against an Orbot build.
     - Self-feedback
   This week:
     - Add #30162 and #30166 fixes into tor-android-build. Test and fix
any issues.

mcs and brade:
    Last week:
        - #30000 (Integrating client-side authorization to onion
services v3).
            - experimented with HTTP CONNECT for the browser/tor connection.
    This week:
        - #30000 (Integrating client-side authorization to onion
services v3).
        - Finalize travel plans for the Stockholm meeting.
        - Out of the office Thursday May 2 and Friday May 3.

    Last week:
        - work in localization/branding land (wrote patches for #30136
and #30069), helped with special characters in Android strings issue
        - reviews (#29981, #30086, #30115, #28369, #30166)
        - dealing with bug bounty issues
        - looked into snowflake for android over the weekend (#28672)
but that's more involved than a (couple of) weekend activity(-ies), thus
301 -> boklm
    This week:
        - getting back to tjr's letterboxing email
        - preparing 8.5 (GeKo: We still stick to the idea of building
8.5 this week)
        - more work on tbb-8.5-must/tbb-8.5 items
        - reviews
        - start begin-of-the-month admin work

    Last week:
        - Revised patch for 30115: NoScript's XSS popup breaks circuit
display in some cases
        - Looked into 26605: investigate window.requestIdleCallback()
for possible timing leaks
        - Looked into 26607: verify that subpixel accuracy of window
scroll properties does not add fingerprinting risk
        - Looked into 30304: Browser locale can be obtained via DTD
strings [tjr: what did you find?]

          acat: Well, it leaks browser locale, yes (I understand there's
currently no other known way to get browser locale from website)

    The suggested approach in
https://bugzilla.mozilla.org/show_bug.cgi?id=467035, creating hidden
iframe loading the xml and reading localized text works in Tor Browser.

    The simple fix suggested in bugzilla (reverting
https://hg.mozilla.org/mozilla-central/rev/7ace0805c2d3) breaks
about:tor, the DTD for localization cannot be read

    which makes sense, since the reason of that patch is to unbreak
addons (legacy, I assume)

    it would work fine if about:tor was privileged (no
URI_SAFE_FOR_UNTRUSTED_CONTENT), but I think we don't want that

    so I'm still investigating/understanding the relevant code and
trying to find the best way of not breaking it

    I also want to test it in Android, because I suspect the code for
handling some about:* pages is not the same there

    This week:
        - Finish 30304 and 26607.
        - Backlog: 26599, 26602, 26601,

    Last week:
        - Updated patch for #29981 (Add option to build without using
        - started testing patches for #30325 (Remove bison from the list
of default packages on android and osx builds) and #30326 (Remove yasm
from the list of dependencies for the firefox android build)
        - started disabling failing testsuite tests
        - sent (late) self-feedback
    This week:
        - finish disabling all failing testsuite tests
        - start looking at #28672 (Android reproducible build of Snowflake)
        - review #29307 (Use Debian Stretch for cross-compiling our
Windows builds) and #29319 (Remove FTE support in Windows bundles)
        - help with 8.5 build/release
        - afk (holidays) on Wednesday and Thursday

 - Started/tried backporting letterboxing to 60. Ran into a complex
refactor I need to work around, sent an email no response
   - Someone also filed
https://bugzilla.mozilla.org/show_bug.cgi?id=1546832 which is a bit of a
problem.  I'm not sure if it should block bringing it to TB Nightly.
(GeKo: I don't think so)
 - Started working on mingw build stuff again.
   - Getting tests running on Try: finding lots of crashes.Indicative of
real issues that could crash? Don't know!!

   Last week:
       - #27399, #29955, in progress
       - #30000, in progress
   This week:
       - #27399, #29955, in progress
       - #30000, in progress

    Last week:
        - All teams project planning
        - Submitted google season of docs application

    This week:

    - S27

    - first report

    - work estimation and planning

    - start thinking about dev meeting sessions


    Last week:

        - Worked on wine bug #47035 for tor #27503

            - got most of the way through this, should have a patch
ready for review tomorrowish

    This week:

     - See if swapping in pre-built MIDL Accessibility2 related bits
fixes our issues here

    - continued work on widl patches


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-project/attachments/20190430/4e5abb96/attachment.sig>

More information about the tor-project mailing list