[tor-project] Tor Browser team Meeting Notes, 30 September 2019

Matthew Finkel sysrqb at torproject.org
Wed Oct 2 16:36:46 UTC 2019


Hello!

We held our weekly Tor Browser meeting on Monday in #tor-meeting2. Here
is the IRC log:
http://meetbot.debian.net/tor-meeting2/2019/tor-meeting2.2019-09-30-17.30.log.txt

From the weekly updates, we discussed some options for a new icon that
Tor Browser will use for its "New Identity" button. The chosen image
should embody the idea of throwing away a person's current digital
identity (as it is seen by websites) and creating a new one. This is not
an easy task, and, in addition to this, the concept of "identity" as
provided in a web browser is not intuitive. The team is considering some
options on ticket #25711 [0].

During the meeting there was a call-for-proposals for submitting talks
to FOSDEM (both main track and non-main track).

Next, we dove into some details about the on-going issue with building
reproducible Tor Browser APKs for Android. The new Tor Browser Alpha
version based on Firefox 68esr introduced new build dependencies that
do not output the same exact result every time (for the same source
code). This is being investigated in ticket #31564 [1].

We also heard some updates about tor integration into NameCoin.

Lastly, we chose a time for meeting again this week on the topic
of moving Tor Browser onto Mozilla's Rapid Release cycle. The meeting
will be tomorrow (Thursday) at 1500 UTC.

[0] https://trac.torproject.org/projects/tor/ticket/27511#comment:17
[1] https://bugs.torproject.org/31564


==================================================
Week of September 30, 2019

Discussion:
    sysrqb: Meeting this week for discussing questions about moving onto
rapid release cycle

GeKo:
    Last week:
        - release preparations
        - work on feature audit (#31597, #31591)
        - investigation of ko bundles bustage (#31886)
https://www.urbandictionary.com/define.php?term=bustage
        - backported patch for macOS Catalina (#31702)
        - investigation of OpenSSL CVE ticket (#31383): boklm: nice
catch! I think that means we can close the ticket? Let's do so tomorrow
if there is no new input. [boklm: Yes, I think we can close it if no
other input tomorrow]
        - tried to find patches for stack smashing protection bug
(#29013) and PDB files exposure (#31546); Thanks to Martin Storsjö the
former seems achievable soon-ish
        - reviews (a bit #31010, #31844, #31192/#30380, #25483, #31664,
#31575, #31720, backport for bug 1573276, #28196, #31822, #30429,
#24920)
        - started to look over ff68-esr tickets not yet considered for
TB 9
    This week:
        - release preparations
        - finish triaging ff68-esr tickets for TB 9
        - work on feature audit (#31597, #31591)
        - come up with patch for #29013
        - reviews

antonela:

    - #27511 - New Identity button, any thought?
https://trac.torproject.org/projects/tor/ticket/27511#comment:17

    - #31286 - Net Settings, all good pospeselr? pospeselr: so good,
unless you have opinions on how tor daemon logs should be
viewed/acquired. | For sure i have, do we have a child ticket? is a
blocker for TB9.0 stable? pospeselr: no I don't think so, but was
planning on implementing this today, catch me after the meeting :) |
will do :3

    - #31768 - TB9 Onboarding, working on it with Dunqan

    - #31778 - Anything needed on my side for this?

    - S27: We are working on #30025 - Better onion errors in clients.
There are multiple tickets involved, but we are first listing onion
errors here #30090. If you want to join us, we will discuss it tomorrow
Tuesday at 15UTC in #tor-meeting. asn sent
https://lists.torproject.org/pipermail/tor-dev/2019-September/014046.html

    - S30: We have a kickoff meeting next Monday October 7th, 15UTC in
#tor-meeting. UX and TB teams will work together on Objective 3.
https://trac.torproject.org/projects/tor/ticket/31265 [Improve Tor
Browser experience for human rights defenders under censorship.]


pospeselr:
    Last week:
        - fully functional patch for #31286 up for review
    This week:
        - test builds for y'all to look at
        - some more work on #31286 remains, probably a few days worth
(not including any revisions needed from code-review)

            - Tor log viewer

            - smarter SETCONF behavior

            - proper string support

     - update the learnmore links

     - other misc cleanup/refactoring/todo completion


Jeremy Rand:
    Last week:
        - Submitted initial patch for #19859.  Nick reviewed it, wants
some minor changes, but should be straightforward to get into a
mergeable state.
        - Maintain a pool of clean connections for Electrum-NMC stream
isolation.  Eliminates latency cost of having stream isolation in
Electrum-NMC.  Submitted upstream to Electrum; will be in Electrum-NMC
3.3.8.
        - Electrum-NMC stream isolation covers all network-related RPC
methods.  Submitted upstream to Electrum; will be in Electrum-NMC 3.3.8.
        - Stream isolation for Electrum-NMC name-related RPC methods. 
Will be in Electrum-NMC 3.3.8.
        - Filed Namecoin Core issue for hashed name lookups.  Daniel
Kraft (Namecoin Core developer) says he should be able to get it done
with circa a day or so of work; he should have time to spend on it
within the next couple months.  When complete, this will allow us to
decrease name lookups to 1 round trip (status quo is 2 round trips). 
(This is, AFAICT, not a blocker for Tor Browser nightlies, but would be
a useful improvement.)
        - Submitted patch to Electrum for fetching a single header
instead of a full chunk when doing SPV verification; will be in
Electrum-NMC 3.3.8.
        - Patched Electrum SPV verifier to work without a wallet; this
allows avoiding code duplication for name lookups.  Submitted to
upstream Electrum; will be in Electrum-NMC 3.3.8.
        - Patched upstream Electrum gettransaction RPC method to support
SPV verification.
        - Refactored name_show RPC method in Electrum-NMC to use
upstream gettransaction RPC method (with above patch) for most of the
implementation.  Simplifies our code substantially.  Will be in
Electrum-NMC 3.3.8.
        - Fixed various small bugs in Electrum-NMC 3.3.8 branch.
        - Noticed that ~150kB of the binary size cost of adding
Electrum-NMC to Tor Browser is taken up by Electrum-NMC's copy of the
root CA list; tried and failed to find a straightforward way to make
Electrum-NMC use Firefox/NSS's copy of that.  Will come back to this in
the future, but there are better things to optimize short-term.
    This week:
        - Forward-port some remaining optimizations (e.g. parallelized
blockchain download and binary size improvements) from the branch I
demoed in Stockholm to play well with Electrum-NMC 3.3.8 branch and rbm
build environment.
        - Address Nick's feedback on #19859.
        - Maybe make some progress on stream isolation in ncprop279 and
StemNS.

mcs and brade:
    Last week:
        - Vacation.
    This week:
        - Test 9.0a7 candidate builds on macOS 10.15 beta 8.
        - #31019 (Investigate update on Windows via BITS)
            - double-check that BITS is 100% disabled in Tor Browser
9.0.
        - #31607 (App menu items stop working).
        - (maybe) Sponsor 27 meeting r.e. onion service errors vs. SOCKS
optimistic data.
        - End of month / end of quarter administrative tasks.

sysrqb:
    Last week:
        Finished mobile/android/ rebase (#31010)
        Created patch for slider not showing on Android security slider
(#31822)
        Reviewed backports for Catalina (#31702)
        Reviewed patch for mozconfigs (#27493)
        Patched tor-android-service for avoiding Dormant mode (#30380)
        Finished patch for x86_64 (#31192)
        Reviewed tor-android-service patches (#30199)
        Finished Private Tabs By Default on Android (and opened
follow-up tickets) (#24920)
        Fixed autocomplete on Android (#31720)
    This week:
        Release prep and release
        Investigate EME and bundled fonts on Android (#31880 and #31881)
        Other Android things

acat:
    Last week:
        - Worked on fixing .onion security expectations patch for
android (#30429, #31010)
        - https://bugzilla.mozilla.org/show_bug.cgi?id=1573276 landed
        - #30504: Investigate if New Identity works properly after
moving to ESR 68
        - Finish fixing Localization issues: #28196
        - Backported patch for #30304: Browser locale can be obtained
via DTD strings
    This week:
        - Finish fixing .onion security expectations patch for android
(#30429, #31010)
        - Finish fixing Localization issues: #31747 (old onboarding
strings)
        - #30463: Make sure telemetry reporting is disabled in Tor
Browser 9
        - #19417: asm.js files should be no linkability risk
        - #31778: Support default dark-theme for the Circuit Display UI
        - #27511: Add New identity button to toolbar
        - https://bugzilla.mozilla.org/show_bug.cgi?id=1581537

boklm:
    Last week:
        - Fixed #31844 (OpenSSL 1.1.1d fails to compile for some
platforms/architectures)
        - Enabled android-x86_64 nightly builds
        - Reviewed/tested #29187 (Bump NSIS version to 3.04)
        - Helped build new release
    This week:
        - Help publish the new alpha
        - Work on #18867 (Ship auto-updates for Tor Browser nightly
channel) and sub-tickets
        - Review #30334 (build_go_lib for executables), #29187 (Bump
NSIS version to 3.04), #31550 (Fix shellcheck (and related) issues in
start-tor-browser)

tjr:
 - unstuck on wasm: https://bugzilla.mozilla.org/show_bug.cgi?id=1576254

 - Expecting to finish this this week, and will prep backport

pili:
    Last week:
        - S27 work completion and monthly report
        - roadmap gardening
        - Tor Browser release meeting
        - Fosdem organization
    This week:
        - OTF Browser proposal
        - Fosdem organization - any browser devs in Europe up for doing
a talk?
        - more roadmap gardening
        - kicking off developer portal work

sisbell:
    Last Week:
  - #31564: Android Reproducibility: Tried out a number of things. Got
openjdk-8 working with buster. Still a problem with apktool version in
buster, the version reported is not the actual version so it's too old to
use. Can’t shrink apk to remove problem resources since Firefox uses
dynamic lookup of resources
    This week:
  - #31564 - going to track each dependency and manually use aapt/aapt2
to rebuild resources.
============================================

- Matt

