[tor-project] Tor Browser Team Meeting Notes, 28 October 2019

Matthew Finkel sysrqb at torproject.org
Thu Oct 31 20:48:38 UTC 2019


We held our weekly Tor Browser meeting on Monday in #tor-meeting2. Here
is the IRC log:

First, we successfully released Tor Browser 9.0! It was a significant
achievement with the last few months being full of getting Tor Browser
stabilized based on Firefox 68esr. Congrats and many thanks to everyone
involved in this!

Unfortunately, there isn't much time to waste. We're working on bug
fixes this week, as well as implementing the end-of-year campaign in the
browser. The next point release is scheduled at the beginning of next
week which should include these updates.

>From the 9.0 release, we received significant feedback on the new
Letterboxing feature. It was recognized this feature wasn't introduced
as well as it should be, and the new margins are both concerning and
confusing. We're planning on addressing these issues over the next few

In the meeting, we discussed a situation affecting some Windows users
where Tor Browser won't run on an older version of Windows due to a
missing library (ucrt). This library is available for installation via
Windows updates on most older (supported) Windows versions, but some
computers still do not have it installed. Mozilla work around this issue
by bundling the library in their builds. We do not currently bundle the
library, and we don't know how many users are affected by this. This is
being tracked on https://trac.torproject.org/projects/tor/ticket/32327.

Another question was asked about providing access to the cookie behavior
configuration in about:preferences. This UI is now controlled by
Firefox's Enhanced Tracking Protection (ETP) feature, and the setting UI
disappeared when Tor Browser disabled ETP. There are tradeoffs with
providing an easy configuration UI for this. This is being tracked on

Meeting Notes:
Week of October 28, 2019
    Git admins (git{,web,-rw}.torproject.org)
    Tor Browser 9.0 post-mortem
    Upcoming releases
    S27 Work
    YE Campaign - about:tor page
Jeremy Rand:
    Last week:
        - #19859 is believed to be in a complete state (both spec and
Tor daemon code).  Feedback from Nick is addressed, including adding a
unit test.  Planning to test that patch for a bit in conjunction with
other Namecoin ecosystem stream isolation patches before asking for a
        - Started implementing stream isolation in StemNS.  It's now
feature-complete but needs some more testing before a merge.
        - Implemented and merged patches to ncbtcjson, ncrpcclient,
ncdns, and ncprop279 for using a current fork of btcd's RPC client
library instead of the ancient 2015-era fork we had been using.  This
was a prerequisite to getting stream isolation plumbed from ncprop279 to
Electrum-NMC.  We're still engaging with btcd devs on getting patches
merged so that we can abandon that fork completely and use upstream
        - Implemented and merged patches to ncbtcjson, ncrpcclient,
ncdns to pass through stream isolation data to Electrum-NMC.  (ncprop279
didn't need any additional patches.)
    This week:
        - Minor patch for Electrum-NMC's JSON-RPC server to handle
stream isolation in a way that ncrpcclient can convey (it's so nice when
one library serializes the arguments in a JSON array while another
library deserializes them from a JSON object...).
        - Finish testing stream isolation with Namecoin.
        - Ask Nick to review #19859 again once the above testing is
        - Maybe do some auditing for proxy leaks.
        - Maybe do some auditing for build reproducibility.
        - Running out of TODOs; that's a good sign I guess.

mcs and brade:
    Last week:
        - Added Actual Points to our completed tickets.
        - Fixed #32184 (red dot during mar download).
        - Helped with triage for #32212 (Tor Browser 9.0 does not
restart correctly after updating from 8.5.5, on Debian stretch).
        - Commented in #21542 (use Subprocess.jsm to launch tor).
        - We were afk Thursday and Friday.
    This week/upcoming:
        - Sponsor 27 work: #30237 (v3 onion services client auth).
        - Maybe #32119 (onboarding for "Goodbye Onion Button" could be
            - waiting on UX input.
      Last week:
          - helped with releases; tb9 is out and not exploding yet, yay!
          - Spent a lot of my time on our blog and other support
            - tbb-9.0-issues
) and tbb-9.0.1-can
            - unaddressed issues yet
              - ucrt support on Windows < 10 (missing dlls on some
computers; should we actually bundle them? No.)
              - what about our general cookie setting UI being hidden
           - made progress on tracking down reproducible builds issue on
macOS (#32053); now slowly bisecting rust versions
           - thought about OTF proposal feedback
           - wrote small patch for our signature checks (#32284)
           - struggling with closing/finishing remaining esr68
transition issues
           - reviews (#30783, #31658, #32210, #32188, #32164, #31803,
#31764, #32169, #32184)
           - how do we want to proceed with our mozconfig files in
tor-browser (re: #32116)? (let's talk about it next week)
        This week:
           - finish more esr68 transition items (#31591, #30429, #31010)
           - make progress on review of all bugs closed between esr60
and esr68 (#31597)
           - prepare 9.0.1 and 9.5a2 (pospeselr: can you help building
           - more work on #32053
           - reviews

    Last week:
        - Mozfest
    This week
        - Helped publish the new releases:
        - More Browser proposal revisions after sponsor review
        - Reviewing workload and roadmap for November
        - Catching up from Mozfest
        - AFK on Friday due to public holiday
 - We've updated to clang 9 on -central, I am (slowly, occasionally)
working on that for the mingw builds.
 - Ethan said there is not timeframe for when uplift may resume.

    Last week:
        9.0 and 9.5a1 releases for Android
        Code review (#30501, #30518)
        Opened some tickets for bugs in 9.0 (#32214, #32243, #32303)
        Investigated a couple of the bugs (#32238, #32303)
     This week:
         Created a useful
https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser page
         Fix some bugs: at least obfsproxy on Android Q (#32303)
         More on the OTF proposal
         Code reviews
         Pick up a tbb-9.0-issues ticket
     Last week:
         - Helped publish the new releases
         - Fixed some website tickets (#32222, #32223, #32201)
         - Continued investigating reproducibility issues (#32052 and
         - Reviewed #32284 (No need to save all bundles for mar-signing
and authenticode-signing check until we are done)
         - Reviewed #31130 (Use Debian 10 for our Android container
         - Looked at patch for #30334 (build_go_lib for executables) and
saw that it needs changes to be rebased on master
     This week:
         - Continue investigating reproducibility issues (#32052 and
         - Try to rebase patch for #30334 (build_go_lib for executables)
         - Try to fix fpcentral (#32014), and related fpcentral tickets
(#31987 and #31986)
         - Work on #18867 (Ship auto-updates for Tor Browser nightly
channel) and sub-tickets
    Last Week:
  -#30552:  Android- cleanup torc (in review) - removed transparent
proxy fields used by orbot and various default field values
  - #31130 - Android tor Debian - tried a number of approaches, narrowed
down right one, defined dependencies needed
  - #31922 - ApkTool - some investigation
   This week:
  - Reviewing and commenting on new TorService code (and VPN cleanup) by
eight have
  - #30501: BridgeList an overloaded field - respond to review/make
  - #31130 - Android tor Debian - expect to have something ready for
review by 10/28
  -#30842 - Some more emulator testing (fennec as baseline) - Does esr68
work correctly on JellyBean arm devices?
 - #31922 - ApkTool, I think I have a solution for getting correct
version (I can use similar approach as using for openjdk download)
     Last Week: 
         - a bunch of small tbb-9.0-issues fixes
         - filed https://bugzilla.mozilla.org/show_bug.cgi?id=1590538
(broken paste and go)

             - mozilla posted a patch that's under review now that's
slightly different from my fix

         - filed https://bugzilla.mozilla.org/show_bug.cgi?id=1591259
(NS_ERROR_NOT_AVAILABLE thrown on launch)

             - no response yet, but not a regression in Tor Browser, its
broken in latest Firefox

        - figured out problem with my office/build machine
(tor-browser-build/tmp not getting cleaned up, filed #32272 to track)

    This Week:

    - ?

  Last week:
      - Rebased #28745
      - Revise https://bugzilla.mozilla.org/show_bug.cgi?id=1581537.
[Browser UI locale is leaked in several ways]
      - tor#30783: End of Year Fundraising Campaign Banner - [new] -
      - Worked on #27604: Relocating the Tor Browser directory is broken
with Tor Browser 8
  This week:
      - Finish fixing #27604: Relocating the Tor Browser directory is
broken with Tor Browser 8
      - #32255: Missing ORIGIN header breaks CORS in Tor Browser 9.0
      - Revise (hopefully last one)
https://bugzilla.mozilla.org/show_bug.cgi?id=1581537. [Browser UI locale
is leaked in several ways]

- Filed #32324 - Introduce Letterboxing to users
- Filed #32325 - Allow Letterboxing opt-in/out

- Matt

More information about the tor-project mailing list