The Tor Project issues
https://gitlab.torproject.org/groups/tpo/-/issues
2023-03-20T14:17:51Z

https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/issues/44
UX Review: Mullvad Browser 12.0.4
2023-03-20T14:17:51Z
richard
Review the 12.0.4 build and ensure we're tracking any discovered UX issues.

https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/issues/8
Mullvad Browser 12.0.4
2023-03-20T17:53:28Z
richard
2023-03-14

https://gitlab.torproject.org/tpo/applications/vpn/-/issues/100
Design a temporary application icon for the VPN pre-alpha
2023-08-01T16:33:33Z
donuts
I think something based on the onion rings (i.e. keeping it generic) would be good enough for now. Maybe with a sparkle?
- Resources: [Guidelines](https://developer.android.com/develop/ui/views/launch/icon_design_adaptive) | [Templates](https://www.figma.com/file/sjNWeIOpb0BckjmxApXd5m/VPN-pre-alpha?node-id=939%3A2070&t=xXPiif40TbrHiSJg-1) (in Figma)
Sponsor 101 - Tor VPN Client for Android
donuts

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41515
Letterboxing can change by a few px unnecessarily when opening find bar.
2023-01-05T12:16:53Z
henry
## Steps to reproduce
1. Open a web page.
2. Resize the window so you have some significant letterbox padding at the bottom that can fit the find bar.
3. Open and close the find bar with Ctrl+F and Esc respectively.
## Result
The letterbox padding jumps up and down by a few pixels during the transition. This is measurable by `window.innerHeight`.
## Expect
The letterbox size should remain the same whilst the find bar is being revealed or closed.
## Cause?
I think this may have something to do with the findbar's CSS `transition` properties. During the transition the findbar is changing in size.
ma1

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41510
The "Restore Defaults" doesn't restore the Security Level preferences
2023-04-19T11:34:54Z
Pier Angelo Vendrame
While reviewing !464, I've noticed that the "Restore Defaults" link in about:preferences#privacy doesn't do anything (see also https://gitlab.torproject.org/tpo/applications/tor-browser/-/merge_requests/464#note_2860237).
Initially, I thought adding an `is="text-link"` was enough, because some telemetry nonsense looks for that attribute, which we're missing and we get an exception that is visible in the console.
However, adding it doesn't seem to be enough, and we might need some additional investigation.
As a workaround, the button in the panel works, so we might release 12.0 with this problem, and add it to known bugs.
/cc @richard @duncan

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41483
Tor Browser says Firefox timed out, confusing users
2022-12-07T08:44:31Z
HackerNCoder hackerncoder@encryptionin.space
If a connection times out, Tor Browser will display the default Firefox page stating "Firefox can’t establish a connection to the server". At least two people I have talked to have been confused by this, thinking it had something to do with a separate Firefox installation. Please consider whether to change this.
Sponsor 131 - Phase 2 - Privacy Browser
henry

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40928
Mullvad Browser branding patches in mullvad-browser branch
2022-12-09T14:18:20Z
richard
We need to identify all of the branding we have replaced in tor-browser, and make an equivalent branding commit in mullvad-browser that replaces with Mullvad provided icons, colors, etc, etc
Sponsor 131 - Phase 2 - Privacy Browser
donuts

https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40688
Disable updater in base-browser
2022-11-17T08:58:06Z
boklm
It seems base-browser nightly currently gets updated to firefox nightly.
Until we have base-browser updates working, I think we should disable the updater.
Removing the line `--enable-update-channel=[% c("var/channel") %]` in `projects/firefox/build` should do that.
Sponsor 131 - Phase 2 - Privacy Browser

https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40415
GnuPG signing configuration regressed
2023-01-19T10:49:16Z
Georg Koppen
Looking at older GnuPG signatures e.g. in the 10.5a10 folder one gets something like
```
-----BEGIN PGP SIGNATURE-----

[...]
=1mA1
-----END PGP SIGNATURE-----
```
However, lately we start getting detached signatures like
```
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

[...]
=ILAL
-----END PGP SIGNATURE-----
```
It seems our signing configuration regressed recently, likely when we switched to our new OpenPGP subkey.
Sponsor 131 - Phase 3 - Major ESR 102 Migration
boklm

https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40622
Update obfs4proxy to 0.0.14 in Tor Browser
2022-11-09T09:52:55Z
boklm
There is a new obfs4proxy version including a security fix (tpo/anti-censorship/pluggable-transports/obfs4#40008), so we should update it in Tor Browser.
boklm

https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40873
Prepare Mullvad Browser Alpha 13.0a1
2023-08-02T15:53:55Z
richard
<details>
<summary>Explanation of variables</summary>
- `$(BUILD_SERVER)` : the server the main builder is using to build a mullvad-browser release
- `$(BUILDER)` : whomever is building the release on the $(BUILD_SERVER)
- **example** : `pierov`
- `$(STAGING_SERVER)` : the server the signer is using to run the signing process
- `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building mullvad-browser tags, labels, etc
- **example** : `91.6.0`
- `$(MULLVAD_BROWSER_MAJOR)` : the Mullvad Browser major version
- **example** : `11`
- `$(MULLVAD_BROWSER_MINOR)` : the Mullvad Browser minor version
- **example** : either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
- `$(MULLVAD_BROWSER_VERSION)` : the Mullvad Browser version in the format
- **example** : `12.5a3`, `12.0.3`
- `$(BUILD_N)` : a project's build revision within its branch; this is separate from the `$(MULLVAD_BROWSER_BUILD_N)` value; many of the Firefox-related projects have a `$(BUILD_N)` suffix and may differ between projects even when they contribute to the same build.
- **example** : `build1`
- `$(MULLVAD_BROWSER_BUILD_N)` : the mullvad-browser build revision for a given Mullvad Browser release; used in tagging git commits
- **example** : `build2`
- **NOTE** : A project's `$(BUILD_N)` and `$(MULLVAD_BROWSER_BUILD_N)` may be the same, but it is possible for them to diverge. For **example** :
- if we have multiple Mullvad Browser releases on a given ESR branch the two will become out of sync as the `$(BUILD_N)` value will increase, while the `$(MULLVAD_BROWSER_BUILD_N)` value may stay at `build1` (but the `$(MULLVAD_BROWSER_VERSION)` will increase)
- if we have build failures unrelated to `mullvad-browser`, the `$(MULLVAD_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same.
- `$(MULLVAD_BROWSER_VERSION)` : the published Mullvad Browser version
- **example** : `11.5a6`, `11.0.7`
- `$(MB_BUILD_TAG)` : the `tor-browser-build` build tag used to build a given Mullvad Browser version
- **example** : `mb-12.0.7-build1`
</details>
**NOTE** It is assumed that the `tor-browser` alpha rebase and security backport tasks have been completed
<details>
<summary>Building</summary>
### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git
Mullvad Browser Alpha (and Nightly) are on the `main` branch
- [x] Update `rbm.conf`
- [ ] `var/torbrowser_version` : update to next version
- [ ] `var/torbrowser_build` : update to `$(MULLVAD_BROWSER_BUILD_N)`
- [ ] `var/torbrowser_incremental_from` : update to previous Desktop version
- **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make mullvadbrowser-incrementals-*` step will fail
- [x] Update build configs
- [x] Update `projects/firefox/config`
- [x] `browser_build` : update to match `mullvad-browser` tag
- [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased
- [x] Update `projects/translation/config`:
- [ ] run `make list_translation_updates-alpha` to get updated hashes
- [ ] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch
- [ ] `steps/base-browser-fluent/git_hash` : update with `HEAD` commit of project's `basebrowser-newidentityftl` branch
- [ ] Update common build configs
- [x] Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript
- [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/browser/config`
- [ ] `URL`
- [ ] `sha256sum`
- [x] Check for uBlock-origin updates here : https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/
- [x] ***(Optional)*** If new version available, update `ublock-origin` section of `input_files` in `projects/browser/config`
- [x] `URL`
- [x] `sha256sum`
- [x] Check for Mullvad Privacy Companion updates here : https://github.com/mullvad/browser-extension/releases
- [x] ***(Optional)*** If new version available, update `mullvad-extension` section of `input_files` in `projects/browser/config`
- [x] `URL`
- [x] `sha256sum`
- [x] Open MR with above changes
- [x] Merge
- [x] Sign/Tag commit: `make mullvadbrowser-signtag-alpha`
- [x] Push tag to `origin`
- [x] Begin build on `$(BUILD_SERVER)` (fix any issues in subsequent MRs)
- [ ] **TODO** Submit build-tag to Mullvad build infra
- [x] Ensure builders have matching builds
</details>
<details>
<summary>QA</summary>
### send the build
- [x] Email Mullvad QA: support@mullvad.net, rui@mullvad.net
<details>
<summary>email template</summary>
Subject:
New build: Mullvad Browser $(MULLVAD_BROWSER_VERSION) (unsigned)
Body:
unsigned builds: https://tb-build-05.torproject.org/~$(BUILDER)/builds/mullvadbrowser/release/unsigned/$(MB_BUILD_TAG)
changelog:
...
</details>
- ***(Optional)*** Add additional information:
- [ ] Note any new functionality which needs testing
- [ ] Link to any known issues
</details>
<details>
<summary>Signing</summary>
### signing
- [x] On `$(STAGING_SERVER)`, ensure updated:
- [x] `tor-browser-build/tools/signing/set-config.hosts`
- `ssh_host_builder` : ssh hostname of machine with unsigned builds
- **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory
- `ssh_host_linux_signer` : ssh hostname of linux signing machine
- `ssh_host_macos_signer` : ssh hostname of macOS signing machine
- [x] `tor-browser-build/tools/signing/set-config.macos-notarization`
- `macos_notarization_user` : the email login for a mullvad notariser Apple Developer account
- [x] `set-config.update-responses`
- `update_responses_repository_dir` : directory where you cloned `git@gitlab.torproject.org:tpo/applications/mullvad-browser-update-responses.git`
- [x] `tor-browser-build/tools/signing/set-config.tbb-version`
- `tbb_version` : mullvad browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`)
- `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`)
- `tbb_version_type` : either `alpha` for alpha releases or `release` for stable releases
- [x] On `$(STAGING_SERVER)` in a separate `screen` session, run the macOS proxy script:
- `cd tor-browser-build/tools/signing/`
- `./macos-signer-proxy`
- [x] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
- [x] run do-all-signing script:
- `cd tor-browser-build/tools/signing/`
- `./do-all-signing.mullvadbrowser`
- **NOTE**: at this point the signed binaries should have been copied to `staticiforme`
- [x] Update `staticiforme.torproject.org`:
- From `screen` session on `staticiforme.torproject.org`:
- [ ] Static update components : `static-update-component dist.torproject.org`
- [ ] Remove old release data from `/srv/dist-master.torproject.org/htdocs/mullvadbrowser`
- [ ] Static update components (again) : `static-update-component dist.torproject.org`
</details>
<details>
<summary>Publishing</summary>
### email
- [x] Email Mullvad with release information: support@mullvad.net, rui@mullvad.net
<details>
<summary>email template</summary>
Subject:
New build: Mullvad Browser $(MULLVAD_BROWSER_VERSION) (signed)
Body:
signed builds: https://dist.torproject.org/mullvadbrowser/$(MULLVAD_BROWSER_VERSION)
update_response hashes: $(MULLVAD_UPDATE_RESPONSES_HASH)
changelog:
...
</details>
### mullvad-browser (github): https://github.com/mullvad/mullvad-browser/
- [x] Push this release's associated `mullvad-browser.git` branch to github
- [x] Push this release's associated tags to github:
- [x] Firefox ESR tag
- **example** : `FIREFOX_102_12_0esr_BUILD1,`
- [x] `base-browser` tag
- **example** : `base-browser-102.12.0esr-12.0-1-build1`
- [x] `mullvad-browser` tag
- **example** : `mullvad-browser-102.12.0esr-12.0-1-build1`
- [x] Sign+Tag additionally the `mullvad-browser.git` `firefox` commit used in build:
- **Tag**: `$(MULLVAD_BROWSER_VERSION)`
- **example** : `12.5a7`
- **Message**: `$(ESR_VERSION)esr-based $(MULLVAD_BROWSER_VERSION)`
- **example** : `102.12.0esr-based 12.5a7`
- [x] Push tag to github
</details>
<details>
<summary>Downstream</summary>
### notify packagers
- [ ] **(Optional, Once Mullvad Updates their Github Releases Page)** Email downstream consumers:
<details>
<summary>email template</summary>
...
...
</details>
- **NOTE**: This is an optional step and only necessary close to a major release/transition from alpha to stable, or if there are major packing changes these developers need to be aware of
- [ ] flathub package maintainer: proletarius101@protonmail.com
- [ ] arch package maintainer: bootctl@gmail.com
- [ ] nixOS package maintainer: dev@felschr.com
</details>
richard

https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40757
Change projects/browser/windows-installer/torbrowser.nsi to a template file
2023-02-15T18:53:21Z
boklm
To avoid having `basebrowser.nsi`, `privacybrowser.nsi`, `torbrowser.nsi` as separate files with mostly the same content, we can create a single template file.
boklm

https://gitlab.torproject.org/tpo/applications/vpn/-/issues/91
Appearance Screen
2024-03-13T13:43:06Z
cyberta
As part of the app settings the user can choose between different app background designs and app icons.
Within this issue, we'll implement the background design selection and the basic app icon selection UI. The logic to switch the app icons and the integration of alternative app icon images will be implemented in a separate issue.
VPN pre-alpha 06
cyberta

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/27260
Audit network.http.spdy.enabled.deps
2022-10-25T22:52:00Z
Arthur Edelstein
Does leaving this pref to "true" have any fingerprinting or linkability risks?
Sponsor 131 - Phase 3 - Major ESR 102 Migration
richard

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41317
Tor Browser leaks banned ports in network.security.ports.banned
2023-02-22T14:54:12Z
cypherpunks1
In Tor Browser linux releases, the start-tor-browser script suggests modifying the network.security.ports.banned preference when using a system-installed Tor process.
However, the ports banned using this preference are leaked by the browser and custom preferences can be detected. For example, Tails users can be easily identified due to using a custom preference.
Code to detect banned ports can be found here:
https://pseudo-flaw.net/tor/torbutton/detect-banned-ports.html
https://privacycheck.sec.lrz.de/active/fp_je/fp_js_echo.html
Sponsor 131 - Phase 3 - Major ESR 102 Migration
ma1

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41126
Review Mozilla 1734262: Rewrite pingsender as a Gecko Background Task
2022-10-24T06:48:45Z
richard
We disable building the pingsender executable (part of the vanilla updater iirc) entirely. We should ensure any functionality we don't want here is disabled.
Sponsor 131 - Phase 3 - Major ESR 102 Migration
ma1

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41139
Review Mozilla 1637922: Consider disabling dom.netinfo.enabled on mobile
2022-10-25T22:16:40Z
richard
## https://bugzilla.mozilla.org/show_bug.cgi?id=1637922
Not sure what this is but we should investigate and see if we also want it disabled
Sponsor 131 - Phase 3 - Major ESR 102 Migration
richard

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41130
Review Mozilla 1741428: Bump the MinGW version
2022-10-24T22:44:58Z
richard
## https://bugzilla.mozilla.org/show_bug.cgi?id=1741428
So it seems there is a bug in latest widl where enums aren't forward declared correctly in C++:
- https://bugs.winehq.org/show_bug.cgi?id=53431
We will need to either patch the mingw headers (firefox approach) or we can go fix widl (iirc this should be an easy-ish fix)
cc @tom, @boklm, @pierov
Sponsor 131 - Phase 3 - Major ESR 102 Migration
richard

https://gitlab.torproject.org/tpo/applications/tor-browser-spec/-/issues/40044
FF92/93 Audit
2022-10-26T22:02:37Z
Matthew Finkel
# General
The audit begins at the commit hash where the previous audit ended. Use code_audit.sh for creating the diff and highlighting potentially problematic code. The audit is scoped to a specific language (currently C/C++, Rust, Java/Kotlin, and Javascript).
The output includes the entire patch where the new problematic code was introduced. Search for `XXX MATCH XXX` to find the next potential violation.
`code_audit.sh` contains the list of known problematic APIs. New usage of these functions are documented and analyzed in this audit.
## Firefox: https://github.com/mozilla/gecko-dev.git ( https://hg.mozilla.org/releases/ )
- Start: `be2c584eacac4f7fe827c1d2409399fe13ba614a` ( `FIREFOX_RELEASE_92_BASE` )
- End: `7ea8b05d021fc8e0194e1b8eb9d37a351c9bdc5f` ( `FIREFOX_RELEASE_93_END` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
Nothing of interest (using `code_audit.sh`)
---
## Application Services: https://github.com/mozilla/application-services.git
- Start: `11f7a4b079c83d37505067bd00e17e96ed52ed64` ( `v82.3.0` )
- End: `b1f371719ca20db642b64a0e860b4ecb0aaf316f` ( `v86.1.0` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
Nothing of interest (using `code_audit.sh`)
## Android Components: https://github.com/mozilla-mobile/android-components.git
- Start: `84553b30da506c656f2a323aed66f8d335fcbf2b`
- End: `e39f5dba3f9c29b46856d700701f6715adc261c5` ( `v93.0.12` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
Nothing of interest (using `code_audit.sh`)
## Fenix: https://github.com/mozilla-mobile/fenix.git
- Start: `9552ae0ab75c81bf72637b27f59031f1d088a7bf`
- End: `bcd31c22cd5460867092c71382392f13aeb95e64` ( `v93.2.0` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
Nothing of interest (using `code_audit.sh`)
## Ticket Review ##
### Review List
#### 92 (https://bugzilla.mozilla.org/buglist.cgi?query_format=advanced&resolution=FIXED&target_milestone=92%20Branch&order=priority%2Cbug_severity&limit=0 )
- https://bugzilla.mozilla.org/show_bug.cgi?id=1226042 : @pierov https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41116
- https://bugzilla.mozilla.org/show_bug.cgi?id=1512851 : @dan https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41117
- https://bugzilla.mozilla.org/show_bug.cgi?id=1714583 : @ma1 https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41118
- https://bugzilla.mozilla.org/show_bug.cgi?id=1721178 : @dan https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41119
- https://bugzilla.mozilla.org/show_bug.cgi?id=1723869 : @boklm https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41120
- https://bugzilla.mozilla.org/show_bug.cgi?id=516362 : @pierov https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41121
#### 93 (https://bugzilla.mozilla.org/buglist.cgi?query_format=advanced&resolution=FIXED&target_milestone=93%20Branch&order=priority%2Cbug_severity&limit=0 )
none!
### foreach PROBLEMATIC_TICKET:
#### $(PROBLEMATIC_TICKET)
- Summary
- Review Result: (SAFE|BAD)
## Regression/Prior Vuln Review ##
Review proxy bypass bugs; check for new vectors to look for:
- https://gitlab.torproject.org/groups/tpo/applications/-/issues?scope=all&utf8=%E2%9C%93&state=opened&label_name[]=Proxy%20Bypass
- Look for new features like these. Especially external app launch vectors
## Export
- [ ] Export Report and save to `tor-browser-spec/audits`
Sponsor 131 - Phase 3 - Major ESR 102 Migration
richard

https://gitlab.torproject.org/tpo/applications/tor-browser-spec/-/issues/40024
FF96 Audit
2022-10-24T20:28:29Z
aguestuser
# General
The audit begins at the commit hash where the previous audit ended. Use code_audit.sh for creating the diff and highlighting potentially problematic code. The audit is scoped to a specific language (currently C/C++, Rust, Java/Kotlin, and Javascript).
The output includes the entire patch where the new problematic code was introduced. Search for `XXX MATCH XXX` to find the next potential violation.
`code_audit.sh` contains the list of known problematic APIs. New usage of these functions are documented and analyzed in this audit.
## Firefox: https://github.com/mozilla/gecko-dev.git
- Start: `6a277ae5bdf6554793cd0da292a9c9ea804b4ed9` ( `FIREFOX_RELEASE_96_BASE` )
- End: `e6b83e1727b7e9a6847e6e15bdb935d9937099e4` ( `FIREFOX_RELEASE_97_BASE` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
#### e88ab3dace9ad1c671c6c37a5aa1a3652e754544
- Some windows proxy stuff we need to check
- Review Result: (SAFE|BAD)
---
## Application Services: https://github.com/mozilla/application-services.git
- Start: `5ceeb43598871a7d8550acc574a6a3fb93803ad7` ( `v87.3.0` )
- End: `df53ad867be7d79899e05797533cd624f1eeb2a2` ( `v90.0.1` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
Nothing of interest (using `code_audit.sh`)
## Android Components: https://github.com/mozilla-mobile/android-components.git
- Start: `ea5bd2687c9b64245ea8e3cdcb84faa5d87d540a` ( `v96.0.0` )
- End: `0178a6fde98fa8c76885d67a2362f2ca310b67fd` ( `v96.0.15` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
Nothing of interest (using `code_audit.sh`)
**OR**
## Fenix: https://github.com/mozilla-mobile/fenix.git
- Start: `a7afdb776ca202bf5eafc29d6a84f047c1609e0f` ( `v96.0.0-beta.1` )
- End: `abe11c163d14fab17bdcf8aebbef2de2a3360032` ( `releases_v96.0.0` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
Nothing of interest (using `code_audit.sh`)
**OR**
## Ticket Review ##
### Review List
#### 96 https://bugzilla.mozilla.org/buglist.cgi?query_format=advanced&resolution=FIXED&target_milestone=96%20Branch&order=priority%2Cbug_severity&limit=0
- https://bugzilla.mozilla.org/show_bug.cgi?id=1740840 : @ma1 https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41129
### foreach PROBLEMATIC_TICKET:
#### $(PROBLEMATIC_TICKET)
- Summary
- Review Result: (SAFE|BAD)
## Regression/Prior Vuln Review ##
Review proxy bypass bugs; check for new vectors to look for:
- https://gitlab.torproject.org/groups/tpo/applications/-/issues?scope=all&utf8=%E2%9C%93&state=opened&label_name[]=Proxy%20Bypass
- Look for new features like these. Especially external app launch vectors
## Export
- [x] Export Report and save to `tor-browser-spec/audits`
Sponsor 131 - Phase 3 - Major ESR 102 Migration
richard