[tor-project] Tor Browser Team Meeting Notes, 02 March 2020

Matthew Finkel sysrqb at torproject.org
Mon Mar 9 20:50:44 UTC 2020

Hi everyone,

We held our weekly meeting on 2 March. The meeting logs are available

During this meeting we briefly discussed #13410 and how Alec Muffett's
S.O.O.C. proposal [SOOC] overlaps with the goal of this ticket. We
didn't make any decisions about this topic, however.

[SOOC] https://github.com/alecmuffett/onion-dv-certificate-proposal/blob/master/text/draft-muffett-same-origin-onion-certificates.txt

Team progress and discussion notes


    Last week:

    -I worked mainly on RLBox backports

    * I have the Linux version up for review (see: #32380 and #32389)

    * I got the macOS version ready for review, too (see: #33481, #33487, #33410)

    This week:

    -finally getting back to design doc update

    -maybe working on RLBox reproducibility (#33488) tjr: I recall glandium and/or you had ideas for https://bugzilla.mozilla.org/show_bug.cgi?id=1612035, no? Now would be a good time to add those. :)

mcs and brade:
    Last week:
        - Reviewed #32645 patch (Update URL bar onion indicators).
        - Worked on onion service error strings (#33035).
        - Investigated and closed #31984 (partial update: unable to remove directory: tobedeleted).
        - Worked on small issues for #19251 (onion services error page).
        - Reviewed February Sponsor 27 report.
        - Worked on peer feedback for TPI Feedback Cycle 2020-1.
    This week/upcoming:
        - Review latest #32645 patch (Update URL bar onion indicators).
        - Finish and post patches for #19251 (onion services error page).
        - Revisit #32418 (Torbrowser tells on every start, that it can't update).
        - Finish and submit self, peer, and team lead feedback.
        - Start to review #28005 (Officially support onions in HTTPS-Everywhere).

    Last week:
        - patch out for #13410

            - put out for code review on Mozilla

    - consensus among folks who know things about certs (dkeeler, alecmuffet, arma) is seems to be that what we're trying to do here is a bad idea and needs to be more restrictive

    - dkeeler pointed me to alecmuffet's SOOC cert spec ( https://github.com/alecmuffett/onion-dv-certificate-proposal/blob/master/text/draft-muffett-same-origin-onion-certificates.txt ) as well a short summary of the discussions alec has apparently already had with the Mozilla folks

    - alecmuffet pointed me to a doc containing the discussions about the spec as well as how to properly implement in firefox

    - tldr; removing the chain-of-trust check for onions is not sufficient, but I have a high level understanding of the 'right' way to do this:

    - implement sections 1.1 through 1.6 of the SOOC spec in a new 'TrustDomain' in Firefox that is used for onions

    - final update for #32645 fixing some icon scaling issues

    This week:

      - peer feedback

      - release notes review

    - #13410 updates?

    so to implement 1.1 through 1.6 the suggested mozilla way should mostly just be engineering/programming work with very little investigation, but it's still a sizable chunk of time (I'd estimate ~1-2 weeks?)

    [discuss] do we want to go through the effort of redoing this for S27, or should we just take what we have now, stick it behind a only-enabled-in-alpha pref and come back to this when we have less time pressure?

    - braindump on ticket, maybe start prototyping this

    Last week:
        - Some reviews: #32437, #32436, #33216, #32992, #32991, #28766, #28765, #33215
        - Helped with gpg signing new alpha
        - Looked at #32650 (Check translations for bogus characters)
        - Started looking at testsuite setup
        - Looked at blog comments
    This week:
        - Waiting for someone to review/merge #33402 and #33403 to check if nightly updates are working
        - Work on testsuite setup
        - More reviews
        - Submit feedback

    Last week:
        Progress on getting macOS signing/notarization on the hosted signing machine
        Investigated CSS font-embedding on Safest security level
        Spent some time on the OTF grant
        Responded to Jeremy
        Looked at some possible paths for TLS cert warnings
    This week:
        Releasing 9.5a6
        Code reviews
        Create a rough roadmap for the next one-two months (with Pili)
        Review S27 summary

   Last Week:
   - Android for Tor - a number of updates, testing. Following merged: #33216, #33215, #32992, #32991. Left with getting OpenSSL, Libevent and Tor project changes approved and merged.
   -  #32476: JNI got build working in tbb
   -  Fenix investigations around dependencies and latest gradle
   This Week:
   - Respond and fixes based on reviews to #28764, #28765, #28766 (Tor)
   - #28765: LibEvent: make small change to handle all platforms
   - Upgrade tor binaries to 4.x in tor-android-services
   - #32476 - integrate and test with TOPL, open branch for review

    Last week:
        - Rebase Tor Browser patches onto mozilla-central.
    This week:
        - Fix/polish a few remaining things of the mozilla-central patches rebase and create ticket for review.
        - Write feedback.
        - Revise #21952 (Onion-Location) to support meta tags.
        - Investigate #33342 (Disconnect search addon causes error at startup)

    Last week:
        - S27 February report
        - S27 release planning
        - GSoC wrangling
    This week:
        - Browser team February report
        - Start of month housekeeping
        - More GSoC wrangling
        - Work on developer portal 
        - Tor Browser Release meeting this week

Jeremy Rand:
    Last week:
        - Posted on tor-talk asking for feedback on Namecoin integration in Nightly.
        - Looks like that thread attracted the attention of a journalist: https://linuxreviews.org/The_Nightly_Tor_Browser_Build_Has_Support_For_Namecoin_Domain_Names
        - More progress on the linux-arm port of Tor Browser... figured out why the Firefox build was failing with assembler errors; managed to get a working Tor Browser binary built in rbm.
    This week:
        - Await feedback on tor-talk thread.
        - Maybe more linux-arm port stuff.
        - File ticket about Namecoin TLS support.


More information about the tor-project mailing list