14:59:11 <richard> #startmeeting Tor Browser Weekly Meeting 2023-06-26
14:59:11 <MeetBot> Meeting started Mon Jun 26 14:59:11 2023 UTC.  The chair is richard. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:59:11 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:59:17 <richard> pad: https://pad.riseup.net/p/tor-tbb-keep#L76
14:59:51 <richard> as usual, please use some of this time to cleanup your boards
14:59:53 <Jeremy_Rand_36C3[m]> Hi!
14:59:56 <richard> hello!
15:00:27 <richard> we released Tor Browser 12.5 last week!
15:00:42 <ma1> \o/
15:00:44 <GeKo> \o/
15:00:48 <jagtalon> congrats!
15:01:02 <richard> looks like mullvad came through today and Mullvad Browser 12.5 gets the greenlight for release as well, so I'll be signing that today
15:01:16 <richard> once again, I'm very pleased with this release
15:01:51 <richard> it's good to see some issues get fixed that we likely wouldn't have gotten to w/o mullvad
15:01:54 <dan_b> woo
15:02:23 <richard> also very pleased to see MB's changelog for 12.5 isn't empty despite us not having any paritcular features planned or scheuled since the initial release
15:02:41 <richard> so the parasitic back and forth bug fixing seems to be working ^^;
15:03:28 <richard> this week we should be prioritising any important must-have bug fixes for the 12.5 series
15:03:43 <jagtalon> richard: where can one see their 12.5 release notes?
15:03:50 <richard> I've been offline all weekend so hopefully we haven't had a flood of bug reports over the weeekend
15:04:52 <richard> jagtalon: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/blob/maint-12.5/projects/browser/Bundle-Data/Docs-MB/ChangeLog.txt
15:05:03 <PieroV> richard: I see only one issue
15:05:21 <PieroV> tor-browser#41857
15:05:31 <jagtalon> richard: thank you!
15:05:55 <ma1> BTW, a guy wrote to security@tpo telling us that his opt/tor-browser installation on Mint had been erased out of the blue. Is there anything in the update process which might cause this?
15:06:26 <richard> ma1: nothing on our end I would think
15:06:34 <boklm> what is opt/tor-browser?
15:06:42 <PieroV> In addition to that we have the onion prompt thing (we can push it back, but we can at least use a quick workaround), the download thingie, and finally the problem with persistent storage (we ignored it for one year, but I quickly analyzed last Friday an it's very annoying :( )
15:06:44 <ma1> it was installed in /opt/
15:06:47 <richard> i presume they installed to /opt/tor-browser
15:07:13 <ma1> ^ boklm this
15:07:22 <PieroV> ma1: was it a full update? I.e., one for which we don't have incremental updates?
15:07:33 <boklm> possibly some permission problem, if the files are owned by a different users, and the updater tries to update the files
15:07:35 <PieroV> Can you open an issue with the content of that email?
15:07:53 <ma1> PieroV, not sure (he didn't even mention an update, I guessed from the timing). I can ask.
15:07:57 <donuts> sorry i'm late, got distracted by colors o/
15:08:09 <richard> donuts: unbelievable
15:08:23 <ma1> PieroV, yes, I'll ask for more details & open an issue
15:08:35 <donuts> richard: :P
15:08:41 <PieroV> ma1: thanks!
15:08:42 <Jeremy_Rand_36C3[m]> Is installing Tor Browser into /opt/ actually something that works? Last I checked Whonix installs it into /home/ because installing elsewhere is supposedly a minefield
15:09:05 <Jeremy_Rand_36C3[m]> (Don't get me wrong -- if it doesn't work, we should probably fix it)
15:09:05 <PieroV> Jeremy_Rand_36C3[m]: /opt without permissions?
15:09:15 <PieroV> Or /opt with the proper permissions?
15:09:30 <Jeremy_Rand_36C3[m]> Good question
15:09:31 <PieroV> Also, after my changes users got more luck with the secret not portable mode
15:09:45 <PieroV> With that it should be possible to install it everywhere
15:10:01 <Jeremy_Rand_36C3[m]> PieroV: which secret mode is this? Is it something that distros like Whonix/Tails could use?
15:10:06 <PieroV> In general, I worked a lot on this kind of stuff during the latest year (paths, getting tor files, etc)
15:10:11 <richard> ^so looking forward to this in the 13.0 series
15:10:28 <PieroV> I hope I fixed at least a few little problems, and not only created big ones that I still don't know about :D
15:11:00 <PieroV> Jeremy_Rand_36C3[m]: a file placed next to firefox whose name I don't remember at the moment disables the portable mode
15:11:53 <PieroV> Oh, right the file needs to be called `system-install`. Tails and Whonix that provide an external tor daemon would probably appreciate it
15:11:57 <Jeremy_Rand_36C3[m]> PieroV: interesting. Maybe I should test that in Whonix and send them a patch if it works; I know the Whonix guys have been mildly dissatisfied for years with having to put Tor Browser in /home/
15:12:36 <PieroV> Jeremy_Rand_36C3[m]: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/20497
15:13:08 <Jeremy_Rand_36C3[m]> PieroV: cool, thanks
15:14:47 <richard> ok I don't have nay furhter discussion points or announcements
15:14:54 <PieroV> richard: you actually do
15:14:59 <PieroV> But you don't remember about
15:14:59 <richard> i see now that I do
15:15:23 <richard> do we have any volunteers for the 12.5.1 release prep this/next week?
15:16:17 <PieroV> I can be one
15:16:19 <richard> they should be simple enough rebases for the next minor esr update
15:16:30 <PieroV> Well, not really :P
15:16:32 <richard> plus the docs have been updated :3
15:16:45 <PieroV> We have to move around a lot of commits that we added for the release marathon :D
15:16:55 <PieroV> But hopefully they won't create conflicts
15:17:06 <richard> ah true, simple enough rebases and some patch shuffling
15:17:44 <richard> also ma1: what's the status of you getting access to mozilla security issues for anroid backports?
15:17:53 <ma1> richard, all set
15:17:59 <richard> excellent
15:18:02 <richard> we have doubled our beach factor
15:18:19 <ma1> I've been just added to an unresolved Android bug, BTW, not sure why (maybe they want us to fix it and then upstream...)
15:18:31 <ma1> beach factor ftw!
15:18:35 <richard> yeah that happens, RIP your inbox :p
15:20:04 <jagtalon> i noticed something this morning. clicking on the 'learn more' link in the onboarding on 12.5 goes to the 12.0 release notes i think. is this intentional?
15:20:10 <jagtalon> https://share.riseup.net/#x7mfMVDy1z6_jqoRyChLYQ
15:20:22 <PieroV> jagtalon: it isn't, we just always forget about that link
15:20:34 <richard> argh
15:20:48 <richard> jagtalon: please open an issue and we cna fix that in 12.5.1
15:20:51 <jagtalon> PieroV: i can make a ticket if there isn't one!
15:20:52 <jagtalon> yuss
15:21:02 <jagtalon> it'll be my first ticket
15:21:15 <ma1> jagtalon, congrats!
15:21:32 <ma1> Speaking of 12.5.1, is tor-browser!688 confirmed as game?
15:21:46 <jagtalon> ma1: :>
15:22:17 <dan_b> game?
15:22:37 <ma1> I mean are we still going to fit it in 12.5.1?
15:22:45 <dan_b> ah
15:23:27 <richard> ma1: depends, if it's a surgical-ish fix that we can verify well before we release then I say go for it
15:23:49 <richard> iirc this is an upstream bug right?
15:24:03 <ma1> richard, yes, it's a half-baked firefox feature
15:24:20 <richard> in which case pleae update the upstreaming meta ticket so we don't lose track
15:24:25 <ma1> (they kept a lot of loose end because they thought nobody would enable it)
15:24:35 <richard> jokes on them I guess :D
15:25:17 <ma1> and on cure 53 >:[
15:25:24 <richard> yes
15:25:50 <ma1> OK, I'll bake a Windows build for Jeremy_Rand_36C3[m] to check tonight.
15:26:09 <Jeremy_Rand_36C3[m]> ma1: great, thanks!
15:26:13 <richard> :)
15:26:36 <PieroV> Speaking of upstream bugs
15:26:53 <richard> in the meantime, if you don't have any bug fixes for 12.5.1, continue with your regularly scheduled 13.0/esr115 work
15:27:06 <PieroV> (please review 115 work everyone :))
15:27:12 <richard> ah yes
15:27:12 <dan_b> ma1: should i review !688 then as it's good to go?
15:27:16 * richard updates todo list
15:27:24 <ma1> dan_b, yes please
15:27:29 <dan_b> cool
15:27:29 <PieroV> We have a thing for 12.5.1, it's very annoying but not surgical
15:27:44 <richard> tor-browser!688
15:27:54 <richard> ack
15:28:29 <richard> PieroV: which thing?
15:28:47 <PieroV> navigator.storage.estimate()
15:29:16 <PieroV> When the estimation is < 10GiB, it's too precise.
15:29:41 <PieroV> We have a MR from cypherpunks1, but I think we haven't deepened the implications of that fix
15:30:06 <PieroV> Upstream had some movement last week, and I hoped also a patch, but it hasn't happened
15:30:43 <richard> yeah i saw that come in over the weekend, we should push that in the alpha series
15:31:23 <PieroV> That's the wisest approach I think, even though it's extremely annoying
15:32:19 <PieroV> So, to sum up, we only need the download fix
15:33:16 <ma1> do we want the onion service auth noitification "quick fix" and go for the prompt in 13?
15:33:41 <PieroV> Oh, right, also that one, sorry for forgetting
15:33:46 <richard> what's the issue w/ the onion service auth prompt?
15:33:56 <PieroV> Everything for me :D
15:34:03 <ma1> tor-browser!691
15:34:28 <PieroV> Instead of being a real prompt, it's a panel that is forced to be always visible
15:34:35 <PieroV> And it has bugs with focus
15:34:47 <PieroV> Like you click on the prompt and nothing happens. You need to focus the browser first
15:36:30 <richard> ma1: so i presume the 'real' fix for the prompt would involve some major rewrite or something?
15:36:37 <PieroV> Yes
15:36:46 <ma1> richard, correct
15:36:50 <henry-x> Is there any issue if you remove the "persistent" flag?
15:37:05 <PieroV> henry-x: yes
15:37:09 <ma1> henry-x, I can try. As PieroV says, nobody has memory of why it's there
15:37:21 <ma1> (probably we wanted it to behave like a prompt)
15:37:35 <PieroV> I think the reason for which that thing is forced to be always visible is that people risk of not seeing the small key icon next to the URL
15:37:50 <PieroV> And they keep waiting for a page to load just because it's waiting for them to insert the auth key
15:38:45 <henry-x> Can you make it not dismissable, but not persistent. So it always shows when you select the tab
15:39:33 <PieroV> I think that was the initial intention
15:39:33 <henry-x> But it won't show when you are in a different tab or another application
15:41:00 <ma1> henry-x, I can look into the API and see if that's at all possible. But IMHO it being on top is annoying, but much less now that you can put it back on focus (and possibly dismiss it) by just clicking it, without having to look for the buried browser window.
15:42:48 <richard> well let' see what we can reasonably do this week an  then see what more work can b done in 13.0
15:43:14 <PieroV> I think we'll have to go through all the patches anyway in 13.0
15:43:17 <henry-x> Looking at the code, that should be the default behaviour without the "persistent" flag
15:43:28 <PieroV> If we want to ESify them
15:46:06 <ma1> henry-x, I can try with "persistence: 1" instead of persistence. We don't want it to be implicitly dismissed, anyway (which seems to happen if no persistence option is set, according to the "persistent" comment)
15:47:13 <henry-x> It is not clear what it means by "implicitly dismissed", and I don't see an obvious point in the code where that happens
15:48:25 <ma1> henry-x, my gut feeling is that dismiss() get called on focus change, and can only be overridden by persistent: true.
15:50:34 <richard> well we can figure it out this week
15:50:36 <henry-x> Yeah I can't actually try it myself, but looking at PopupNotifications.jsm where the .persistent flag is read, it doesn't do that. It just relates to autohide and this https://searchfox.org/mozilla-esr102/rev/485b64f36847bf38b6b272a458ec00e298f4224a/toolkit/modules/PopupNotifications.jsm#1389-1396
15:50:56 <richard> are there any remaining urgent topics of discussion?
15:51:05 <PieroV> Nothing from me
15:51:09 <henry-x> nope
15:51:26 <richard> ok
15:51:26 <ma1> nope
15:51:31 <richard> have a good week everyone o/
15:51:32 <richard> #endmeeting