[tor-reports] March 2014 Report for the Tor Browser Team

Mike Perry mikeperry at torproject.org
Wed Apr 2 03:25:22 UTC 2014


In March, the Tor Browser team made two releases: 3.6-beta-1[1], and
3.5.3[2].  Both releases included Mozilla's 24.4.0ESR update, which
fixed several security issues. Due to improvements in our release
process, we were able to make these releases within a day of Mozilla's
official release.

The 3.5.3 release featured a fix for a keyboard input failure on Ubuntu
13.10[3], a fix for a disk record leak while viewing video content[4], a
fix for a hang when downloading content from certain HTTP server
configurations[5], a fix for a localization fingerprinting issue[6],
build process and debugging improvements[7,8], and a fix to enable the
translation of Tor connectivity status and error messages in the Tor
Launcher UI[9].

The 3.6-beta-1 release featured a single, unified bundle for both
censored and uncensored users, and included three Pluggable Transports
and default bridges.  We put a fair amount of work into making sure the
Pluggable Transport configuration was safe and usable, and backported
several Tor patches to ensure correct functionality of Pluggable
Transport use and configuration[10].  The 3.6-beta-1 release also
featured a new DMG-based installer for MacOS, which should greatly
improve usability on that platform[11].

We presented the 3.6-beta-1 at the RightsCon conference in San
Francisco[12], with a live demo of the new MacOS DMG installation
process and Pluggable Transport configuration. People seemed impressed
with the usability improvements we have made since they last used Tor
Browser.

We've also been working hard on our next release, which will likely be
3.6-rc-1. This release will feature Turkish translations[13], a fix for
an update notification issue[14], a fix for the remaining screen
resolution/resizing issues[15], translation improvements[16], and
several Tor Launcher usability improvements[17].

In terms of ongoing development, progress has continued on our
Firefox-based updater[18]. We discussed restructuring the bundles to
simplify our changes to the Firefox update code, and have arrived at an
agreement on how to proceed[19,20].  Several other issues that are
as-yet unsolved were also investigated, including a few crash
bugs[21,22,23], Windows hardening improvements[24], and issues with
websites that might be related to changes to our browser[25]. We also
investigated markup and content for the Tor Browser Short User
Manual[26].

On the Mozilla merge process front, all of our patches to improve build
reproducibility have been merged[27]. The ball is now in Mozilla's court
to ensure that the rest of their build infrastructure is capable of
creating reproducible builds[28]. We also merged an API to assist Tor
Launcher in handling the Tor sub-process[29], and wrote unit tests and
helped investigate a couple of other Firefox bugs that affect us[30,31].

On the QA and Testing front, we improved our nightly build process to
prune old builds[32], improved our usage of Mozilla's automated testing
infrastructure[33], and began deploying our own suite of automated
integration tests[34].

On the community coordination front, we wrote a Tor Browser Hacking
introductory document, to help get volunteers and potential new hires up
to speed on contributing to Tor Browser as quickly and as painlessly as
possible[35]. We have also begun tagging and listing the frequently
encountered support issues in our bug tracker, and posting them with the
release announcements[36].

On the external coordination front, we continued our meetings with the
Mozilla Security and Privacy team, and also met with the EFF to discuss
and work on improvements to the Decentralized SSL Observatory.

On the interview process front, all of our candidates selected tickets
at the beginning of this month, and two of them have selected tickets that
would help get patches merged by Mozilla. Unfortunately, they have not
yet been issued contracts to officially begin work due to the Tor Project's
efforts to change its contracting processes. To the candidates' credit,
some of them have begun work anyway.


In April, we will continue our efforts at improving and stabilizing the
unified 3.6 bundles, releasing at least 3.6-rc-1, and ideally
3.6-stable. We will continue improving Tor Launcher usability for
Pluggable Transports as part of this process.

In terms of ongoing development, we will continue work on the Firefox
updater, restructuring the bundles, and testing this new layout. If
we're lucky, this may result in a 4.0-alpha with a restructured layout,
or at least a few nightlies. We also hope to complete the Windows
hardening efforts by this time.

In terms of the merge process, the Mozilla merge deadline for Firefox
31ESR is at the end of April. It remains to be seen how much more will
be ready for merge by this point.


1. https://blog.torproject.org/blog/tor-browser-36-beta-1-released
2. https://blog.torproject.org/blog/tor-browser-353-released
3. https://trac.torproject.org/projects/tor/ticket/9353
4. https://trac.torproject.org/projects/tor/ticket/10237
5. https://trac.torproject.org/projects/tor/ticket/9901
6. https://trac.torproject.org/projects/tor/ticket/10703
7. https://trac.torproject.org/projects/tor/ticket/10104
8. https://trac.torproject.org/projects/tor/ticket/9896
9. https://trac.torproject.org/projects/tor/ticket/10604
10. https://trac.torproject.org/projects/tor/ticket/10418
11. https://trac.torproject.org/projects/tor/ticket/4261
12. https://www.rightscon.org/
13. https://trac.torproject.org/projects/tor/ticket/9010
14. https://trac.torproject.org/projects/tor/ticket/11242
15. https://trac.torproject.org/projects/tor/ticket/9268
16. https://trac.torproject.org/projects/tor/ticket/10398
17. https://trac.torproject.org/projects/tor/ticket/11180
18. https://trac.torproject.org/projects/tor/ticket/4234
19. https://lists.torproject.org/pipermail/tbb-dev/2014-March/000028.html
20. https://lists.torproject.org/pipermail/tbb-dev/2014-March/000027.html
21. https://bugs.torproject.org/9531
22. https://bugs.torproject.org/11258
23. https://bugs.torproject.org/11260
24. https://bugs.torproject.org/10065
25. https://trac.torproject.org/projects/tor/ticket/10569
26. https://trac.torproject.org/projects/tor/ticket/10974
27. https://bugzilla.mozilla.org/show_bug.cgi?id=885777
28. http://andreasgal.com/2014/01/11/trust-but-verify/
29. https://bugzilla.mozilla.org/show_bug.cgi?id=962314
30. https://bugzilla.mozilla.org/show_bug.cgi?id=971153
31. https://bugzilla.mozilla.org/show_bug.cgi?id=944557
32. https://github.com/boklm/prune-old-builds
33. https://github.com/boklm/tor-browser-try/
34. https://people.torproject.org/~boklm/tbbtests/tests.html
35. https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking
36. https://trac.torproject.org/projects/tor/query?keywords=~tbb-helpdesk-frequent&status=!closed

-- 
Mike Perry