Hello!
We held our weekly Tor Browser meeting on Monday in #tor-meeting2. Here is the IRC log: http://meetbot.debian.net/tor-meeting2/2019/tor-meeting2.2019-09-30-17.30.lo...
From the weekly updates, we discussed some options for a new icon that
Tor Browser will use for its "New Identity" button. The chosen image should embody the idea of throwing away a person's current digital identity (as it is seen by websites) and creating a new one. This is not an easy task, and, in addition to this, the concept of "identity" as provided in a web browser is not intuitive. The team is considering some options on ticket #25711 [0].
During the meeting there was a call-for-proposals for submitting talks to FOSDEM (both main track and non-main track).
Next, we dove into some details about the on-going issue with building reproducible Tor Browser APKs for Android. The new Tor Browser Alpha version based on Firefox 68esr introduced new build dependencies that do not output the same exact result every time (for the same source code). This is being investigated in ticket #31564 [1].
We also heard some updates about tor integration into NameCoin.
Lastly, we chose a time for meeting again this week on the topic of moving Tor Browser onto Mozilla's Rapid Release cycle. The meeting will be tomorrow (Thursday) at 1500 UTC.
[0] https://trac.torproject.org/projects/tor/ticket/27511#comment:17 [1] https://bugs.torproject.org/31564
================================================== Week of September 30, 2019
Discussion: sysrqb: Meeting this week for discussing questions about moving onto rapid release cycle
GeKo: Last week: - release preparations - work on feature audit (#31597, #31591) - investigation of ko bundles bustage (#31886) https://www.urbandictionary.com/define.php?term=bustage - backported patch for macOS Catalina (#31702) - investigation of OpenSSL CVE ticket (#31383): boklm: nice catch! I think that means we can close the ticket? Let's do so tomorrow if there is no new input. [boklm: Yes, I think we can close it if no other input tomorrow] - tried to find patches for stack smashing protection bug (#29013) and PDB files exposure (#31546); Thanks for Martin Storsjö the former seems achievable soon-ish - reviews (a bit #31010, #31844, #31192/#30380, #25483, #31664, #31575, #31720, backport for bug 1573276, #28196, #31822, #30429, #24920) - started to look over ff68-esr tickets not yet considered for TB 9 This week: - release preparations - finish triaging ff68-esr tickets for TB 9 - work on feature audit (#31597, #31591) - come up with patch for #29013 - reviews
antonela:
- #27511 - New Identity button, any thought? https://trac.torproject.org/projects/tor/ticket/27511#comment:17
- #31286 - Net Settings, all good pospeselr? pospeselr: so good, unless you have opinions on how tor daemon logs should be viewed/acquired. | For sure i have, do we have a child ticket? is a blocker for TB9.0 stable? pospeselr: no I don't think so, but was planning on implementing this today, catch me after the meeting :) | will do :3
- #31768 - TB9 Onboarding, working on it with Dunqan
- #31778 - Anything needed on my side for this?
- S27: We are working on #30025 - Better onion errors in clients. There are multiple tickets involved, but we are first listing onion errors here #30090. If you want to join us, we will discuss it tomorrow Tuesday at 15UTC in #tor-meeting. asn sent https://lists.torproject.org/pipermail/tor-dev/2019-September/014046.html
- S30: We have a kickoff meeting next Monday October 7th, 15UTC in #tor-meeting. UX and TB teams will work together on Objective 3. https://trac.torproject.org/projects/tor/ticket/31265 [Improve Tor Browser experience for human rights defenders under censorship.]Closed
pospeselr: Last week: - fully functional patch for #31286 up for review This week: - test builds for y'all to look at - some more work on #31286 remains, probably a few days worth (not including any revisions needed from code-review)
- Tor log viewer
- smarter SETCONF behavior
- proper string support
- update the learnmore links
- other misc cleanup/refactoring/todo completion
Jeremy Rand: Last week: - Submitted initial patch for #19859. Nick reviewed it, wants some minor changes, but should be straightforward to get into a mergeable state. - Maintain a pool of clean connections for Electrum-NMC stream isolation. Eliminates latency cost of having stream isolation in Electrum-NMC. Submitted upstream to Electrum; will be in Electrum-NMC 3.3.8. - Electrum-NMC stream isolation covers all network-related RPC methods. Submitted upstream to Electrum; will be in Electrum-NMC 3.3.8. - Stream isolation for Electrum-NMC name-related RPC methods. Will be in Electrum-NMC 3.3.8. - Filed Namecoin Core issue for hashed name lookups. Daniel Kraft (Namecoin Core developer) says he should be able to get it done with circa a day or so of work; he should have time to spend on it within the next couple months. When complete, this will allow us to decrease name lookups to 1 round trip (status quo is 2 round trips). (This is, AFAICT, not a blocker for Tor Browser nightlies, but would be a useful improvement.) - Submitted patch to Electrum for fetching a single header instead of a full chunk when doing SPV verification; will be in Electrum-NMC 3.3.8. - Patched Electrum SPV verifier to work without a wallet; this allows avoiding code duplication for name lookups. Submitted to upstream Electrum; will be in Electrum-NMC 3.3.8. - Patched upstream Electrum gettransaction RPC method to support SPV verification. - Refactored name_show RPC method in Electrum-NMC to use upstream gettransaction RPC method (with above patch) for most of the implementation. Simplifies our code substantially. Will be in Electrum-NMC 3.3.8. - Fixed various small bugs in Electrum-NMC 3.3.8 branch. - Noticed that ~150kB of the binary size cost of adding Electrum-NMC to Tor Browser is taken up by Electrum-NMC's copy of the root CA list; tried and failed to find a straightforward way to make Electrum-NMC use Firefox/NSS's copy of that. Will come back to this in the future, but there are better things to optimize short-term. This week: - Forward-port some remaining optimizations (e.g. parallelized blockchain download and binary size improvements) from the branch I demoed in Stockholm to play well with Electrum-NMC 3.3.8 branch and rbm build environment. - Address Nick's feedback on #19859. - Maybe make some progress on stream isolation in ncprop279 and StemNS.
mcs and brade: Last week: - Vacation. This week: - Test 9.0a7 candidate builds on macOS 10.15 beta 8. - #31019 (Investigate update on Windows via BITS) - double-check that BITS is 100% disabled in Tor Browser 9.0. - #31607 (App menu items stop working). - (maybe) Sponsor 27 meeting r.e. onion service errors vs. SOCKS optimistic data. - End of month / end of quarter administrative tasks.
sysrqb: Last week: Finished mobile/android/ rebase (#31010) Created patch for slider not showing on Android security slider (#31822) Reviewed backports for Catalina (#31702) Reviewed patch for mozconfigs (#27493) Patched tor-android-service for avoiding Dormant mode (#30380) Finished patch for x86_64 (#31192) Reviewed tor-android-service patches (#30199) Finished Private Tabs By Default on Android (and opened follow-up tickets (#24920) Fixed autocomplete on Android (#31720) This week: Release prep and release Investigate EME and bundled fonts on Android (#31880 and #31881) Other Android things
acat: Last week: - Worked on fixing .onion security expectations patch for android (#30429, #31010) - https://bugzilla.mozilla.org/show_bug.cgi?id=1573276 landed - #30504: Investigate if New Identity works properly after moving to ESR 68 - Finish fixing Localization issues: #28196 - Backported patch for #30304: Browser locale can be obtained via DTD strings This week: - Finish fixing .onion security expectations patch for android (#30429, #31010) - Finish fixing Localization issues: #31747 (old onboarding strings) - #30463: Make sure telemetry reporting is disabled in Tor Browser 9 - #19417: asm.js files should be no linkability risk - #31778: Support default dark-theme for the Circuit Display UI - #27511: Add New identity button to toolbar - https://bugzilla.mozilla.org/show_bug.cgi?id=1581537
boklm: Last week: - Fixed #31844 (OpenSSL 1.1.1d fails to compile for some platforms/architectures) - Enabled android-x86_64 nightly builds - Reviewed/tested #29187 (Bump NSIS version to 3.04) - Helped build new release This week: - Help publish the new alpha - Work on #18867 (Ship auto-updates for Tor Browser nightly channel) and sub-tickets - Review #30334 (build_go_lib for executables), #29187 (Bump NSIS version to 3.04), #31550 (Fix shellcheck (and related) issues in start-tor-browser)
tjr: - unstuck on wasm: https://bugzilla.mozilla.org/show_bug.cgi?id=1576254
- Expecting finishing this this week, and will prep backport
pili: Last week: - S27 work completion and monthly report - roadmap gardening - Tor Browser release meeting - Fosdem organization This week: - OTF Browser proposal - Fosdem organization - any browser devs in Europe up for doing a talk? - more roadmap gardening - kicking off developer portal work
sisbell: Last Week: - #31564: Android Reproducibility: Tried out a number of things. Got openjdk-8 working with buster. Still problem with apktool version in buster, the version reported is not the actual version so its too old to use. Can’t shrink apk to remove problem resources since Firefox uses dynamic lookup of resources This week: - 31564 - going to track each dependency and manually use aapt/appt2 to rebuild resources. ============================================
- Matt