[tor-project] Tor Browser Team Meeting notes, 25 November 2019

Matthew Finkel sysrqb at torproject.org
Mon Dec 9 18:16:54 UTC 2019

Hello everyone!

Two weeks ago we held our weekly Tor Browser Team meeting. The notes are

That was a short week for many people because the U.S. celebrated a bank
holiday on Thursday and Friday. We prepared for two upcoming releases,
9.0.2 (stable) and 9.5a3 (alpha).

During the meeting we discussed three main topic, plus set last-minute
goals for fixing bugs in the releases.

The discussions were:
1) Should Tor Browser provide a preference for disabling updates? The
question was asked because in older version of Tor Browser (and
Firefox), there existed a preference for this, but Mozilla removed. We
decided there exist some preferences which may be used for this purpose,
and we will test and document how these prefs should be set as a
solution. If the tests fail, then we will consider implementing a new
pref for this, but we prefer not going that route.

2) Can Tor Browser enable the JIT in privileged code, when the JIT is
disabled for content? We experimented with enabling WebAssembly for
webextensions when it is not allowed in content scripts, however there
still exists a performance problem because the JIT is still disabled.
We'll work with Mozilla on finding a solution for enabling the JIT, as
well, in privileged contexts when the JIT is disabled in the content.

3) We discussed two upcoming UI changes within Tor Browser related to
website redirection from a registered domain to an onion address.

    - upcoming releases (are we good? last minute things we want to get
into? who will build the releases?)
    - ticket assignments for everyone

pospeselr (afk this meeting):

    Last week:

    - updated uplift patch for Mozilla 159445 (letterboxing UX

    - fixes for #32359 and #32508 (security level UX stuff)

    - flu!

    - #30570 investigation/protoyping

      - pinged NoScript's Giorgo via email to get his opinion on how we
can make this+NoScript play nicely together

    This week:

      - more flu!

      - holiday travel through Dec 6th, intermittent online availability
this week, better availabiilty next

      - #30570

        - antonela: we should chat this week and get an idea of what the
UX we want to do here looks like (the technical/backend side of things
are looking a bit scary :p )

mcs and brade:
    Last week:
        - Sponsor 27 work: #19757 (permanent storage of client auth keys
and associated management UI).
            - The Network Team is working on #32562 for us (Allow
ONION_CLIENT_AUTH_ADD credentials to be made permanent).
        - Commented in #31506 (Write up comprehensive advice to "Tor
unexpectedly exited").
        - Commented in #32327 (apt-win-crt*dll files are missing on some
Windows 8 and Windows 7 systems).
        - Investigated #32418 (Torbrowser tells on every start, that it
can't update although it is newest).
            Should we provide a pref to disable updates, like Tor
Browser and Firefox had previously?
    This week/upcoming:
        - More work on #19757 (permanent storage of client auth keys and
associated management UI).
        - Review #32498 (MAR_CHANNEL_ID for nightly builds).
        - Add actual points to completed tickets.
        - Out of the office most of Wednesday-Friday this week (U.S.
Thanksgiving holiday).

    Last week:
        - help with the OTF proposal (I believe we submitted what I
believe to be a better proposal in time, thanks to everyone who helped)
        - #32053 (I tried to fix this bug by another workaround but that
failed :( I asked on the LLVM bug whether that could give us at least
some clue)
        - #31597 (Go over all closed bugs/bugs where patches landed
between Firefox 61 and 68)
        - #25021 (design doc update; I revisited all Release notes
between 7.0 and 9.0 and noted down all tickets potentially affecting the
design doc; now the next step is to take the text and match that to
those bugs and update it where needed, discarding the tickets not
        - wrote small patches for #30548 (cleaning up our
tor-browser-build keyring file), #30786 (add th locale), #30787 (add lt
locale), and #32531 (Mozilla backport of a patch)
        - reviews (#30548, #30888, #28745, #32255, #32497, first stab at
#30558, #32475, another round for #31130)
        - made good progress over the weekend on RLBox work; I am close
to what Mozilla is currently having ready
    This week:
        - more work on #32053, #31597, and #25021
        - provide patches for ms inclusion as well (#30788)
        - reviews
        - release prep
        - work on apple signing infrastructure update (#32173 + #32556)
        - potentially more RLBox investigation in my spare time


    - Did something, yay! But still very time-limited, so please
proactively ping me if you have questions or would like me to see
something and possibly provide input

    - Got -central updated to clang-9:

    This included an stl-wrapper fix that affects esr68, but apparently
doesn't cause problems? Maybe? [GeKo: How would problems look like? So
far, I don't know of a bug we've heard of that would match a potential
issue here. But maybe I just don't understand stl-wrappers good enough.
However, we maybe might want to backport that fix for the alpha to test
it and be able to quickly use it for stable, too, in case there *is*
actually an issue we should fix/be concerned about.] [tjr: I have zero
idea. Mine manifested as a compilation error.]

    clang-9 is desirable because it's one step closer to clang-10, which
includes support for Control Flow Guard (on Windows)

    - My next task is to work on a backlog of #ifndef __MINGW32__'s that
have gone into -central because mingw-w64 headers are missing stuff

    - In not-tor work, I have developed a google sheets <-> Bugzilla
syncing script that allows (what I think is) a better dashboard of bugs
and easy, notes of the status of bugs. If such a thing would be useful
to you, LMK

    - Apparently the next ESR is 78. Everything subject to change I

    Nightly Start: 5/4/2020        Beta Release: 6/1/2020       
Release: 6/30/2020

Jeremy Rand:
    Last week:
        - Addressed Georg's feedback on #30558.
        - Nick merged #19859, so it's no longer blocking an eventual
merge of #30558.
    This week:
        - Address whatever review happens on #30558.
        - @Georg, do you happen to have a (totally non-binding) guess on
the probability of #30558 getting fully reviewed by end of 2019,
assuming that I respond to review approximately as quickly as I've been
doing so far?  If it does get merged by then, there's a chance I'd be
interested in doing a talk at the 36C3 Critical Decentralization Cluster
stage about that work (I think that's the stage that the Tor Assembly
will be using as well).  It's fine if it's not fully reviewed by then;
if so, I won't do the talk; I'm just trying to gauge things so that I
can plan more effectively. [GeKo: I'll get it fully reviewed by then
(hopefully this week and/or next week should be enough to get through
all of the changes); however, I can't promise that the code will be
merged by the end of the year as I don't know what I'll find. :)] 
[Jeremy: ok, sounds good.  :)]

    Last week:
        - Made patches for:
            - #32527 (rbm downloads 0B sig file if network drops;
rejects sig on next run)
            - #32497 (Change nightly update channel to nightly)
            - #32475 (Reduce the number of locales we provide updates
for in nightly)
            - #32498 (Update MAR_CHANNEL_ID for nightly)
        - Worked on patch for #25101 (Generate incremental mar files for
nightly builds)
        - Reviewed #30548 (Clean up keyring files)
        - Blog triage
    This week:
        - Review #30786 (Ship Thai Tor Browser in alpha series)
        - Help with build of new releases
        - Finish patch for #25101 (Generate incremental mar files for
nightly builds)
        - Generate a mar signing key for nightly builds (#31988)
        - Work on #25102 (Add script to sign nightly build mar files)
        - Test/review rebased patch for #30334 (build_go_lib for
        - Will be at Reproducible Builds summit the following week:

    Last week:
        - trac triage
        - Ticket assignment meeting
        - Some work on S27 reports
        - Tor Browser presentation at
        - S9 report
    This week:
        - Mainly S9 report

    Last week:
        - Mailing list, bug, blog triage
        - Code reviews
        - OTF proposal
        - Misc. meetings
        - Not much code written
    This week:
        - Release prep
        - Finish #32365 (localization is broken on Android)

    Last week:
        - Wrap up work on #21952, and do builds so that it can be
        - #32255 (Missing ORIGIN header breaks CORS in Tor Browser 9.0):
            - Upstreamed:
        - Revised #28745: THE Torbutton clean-up
        - Tried to reproduce #32297 (unsuccessfully)
    This week:
    - Revise #21952 according to anto's review comments.
    - What should we do with #23719: Make sure WebExtensions are spared
from JIT disabling in higher security settings (Medium-High)?


    - #22919: Form tracking and OS fingerprinting (only Windows, but
without Javascript)


    - I'm back from vacations

    - per-site security settings:

    - letterboxing:

    - prioritize onions:

    How should we treat the lock icon?

    Is privacy&security the best place in about:preferences for general
onion redirect opt-in?

    - do we have S27 meeting this week? [yes]

    Last Week:
    - #31992 - ApkTool - located issue as aapt when processing resources

    - #30676 Fixes for custom bridges in torch building
    - Created independent modules for tor-service/TOPL
    - #32476 TorService JNI, got up to speed on JNI and went through
guardian project implementation
   This week:
   - #30501: BridgeList Preferences, move over previous work to new
commit, these will be breaking changes
   - #32476: JNI - I have some more specific suggestions for
implementation. Some work to see about creating a JNI layer independent
of TorService (Something like TorEmbedded)
   - Adding unit tests for some topl components.
    - #31130: Buster support - just one small issue left on determining
dependencies. Will have this done early in week for review.       

- Matt

More information about the tor-project mailing list