The Tor Project issues
https://gitlab.torproject.org/groups/tpo/-/issues
2024-03-26T07:25:52Z

Run cleanup and other checks for NS API build
https://gitlab.torproject.org/tpo/network-health/metrics/metrics-bin/-/issues/3
2024-03-26T07:25:52Z
Mattia Righetti

It could be useful to do some cleanup of the build folder each time we need to build a new version of the ns api

Referencing https://gitlab.torproject.org/tpo/network-health/metrics/networkstatusapi/-/issues/54#note_3011903

Mattia Righetti

Update privacy policy on the Tor Forum
https://gitlab.torproject.org/tpo/community/support/-/issues/40118
2024-03-26T02:49:50Z
ebanam <ebanam@torproject.org>

As pointed out in the latest (24 June 2023) relay operators' meetup, as we are now self-hosting the [Tor Forum](https://forum.torproject.org), we should update the [privacy policy](https://forum.torproject.org/privacy).

/cc @gus

Gus

Content review
https://gitlab.torproject.org/tpo/community/outreach/-/issues/40069
2024-03-26T00:39:27Z
nicob

How much/if any of this content will change/do we need to consider with overall design? Suggestions per feedback could mean adding more information. Is it helpful to have individual documents or should they all be combined? Some of these answers will probably depend on information from others, so may be more of an ongoing task.
* complexity: medium (3 days)
* uncertainty: moderate (1.5)
* total: 3-4.5 days
* actual:

Sponsor 9 - Phase 7 - Usability and Community Intervention on Support for Democracy and Human Rights
nicob

Formatting and layout design
https://gitlab.torproject.org/tpo/community/outreach/-/issues/40070
2024-03-26T00:38:30Z
nicob

Explore formatting and layout with content and illustrations that will work well for both online and print.
* complexity: medium (3 days)
* uncertainty: moderate (1.5)
* total: 3-4.5 days
* actual:

Sponsor 9 - Phase 7 - Usability and Community Intervention on Support for Democracy and Human Rights
nicob

Illustrating design
https://gitlab.torproject.org/tpo/community/outreach/-/issues/40068
2024-03-25T23:58:03Z
nicob

* complexity: medium (3 days)
* uncertainty: low (1.1)
* total: 3.3 days
* actual:

Sponsor 9 - Phase 7 - Usability and Community Intervention on Support for Democracy and Human Rights
nicob

Concepting and sketching
https://gitlab.torproject.org/tpo/community/outreach/-/issues/40067
2024-03-25T23:52:36Z
nicob

* complexity: medium (3 days)
* uncertainty: low (1.1)
* total: 3-3.3 days
* actual:

Sponsor 9 - Phase 7 - Usability and Community Intervention on Support for Democracy and Human Rights
nicob

Review and update the street team kit
https://gitlab.torproject.org/tpo/community/outreach/-/issues/40053
2024-03-25T22:29:02Z
donuts

Many of the materials that are part of the [Street Team Kit](https://community.torproject.org/outreach/kit/) are out of date (from a brand/design POV), designed for print, and/or cannot be updated because the original working files are long gone. As such, we should:
- Review the list to decide on which materials we want to keep and update, and in what order.
- Update each to match our new brand guidelines, when ready.
- Update the layouts so they're suitable for both digital use and print.
- Implement feedback from LATAM partners collected here: https://gitlab.torproject.org/tpo/ux/research/-/issues/22#note_2825275
- Improve accessibility where possible—I believe some of these were originally done in Sketch, so text recognition/text to speech may not be great.
I don't expect we'll be able to redo all of these materials in a single phase, however.

Sponsor 9 - Phase 7 - Usability and Community Intervention on Support for Democracy and Human Rights
nicob

Intermittent GitLab CI runner failures: "network already exists"
https://gitlab.torproject.org/tpo/tpa/team/-/issues/41520
2024-03-25T21:30:51Z
Jérôme Charaoui <lavamind@torproject.org>

Since enabling the `FF_NETWORK_PER_BUILD` on our Podman CI runners, there have been a number of intermittent errors like [this one](https://gitlab.torproject.org/tpo/tpa/ci-test/-/jobs/473518):
```
Running with gitlab-runner 16.8.0 (c72a09b6)
on ci-runner-x86-02-main __hc2zXq, system ID: s_39a8ec4bc83a
feature flags: FF_NETWORK_PER_BUILD:true
Preparing the "docker" executor 00:11
Using Docker executor with image debian:latest ...
ERROR: Preparation failed: Error response from daemon: container d4bbbaa38009ad974fa78664c59a1e28536096505fbf5c9dcbf99675343d50c3 does not exist in database: no such container (manager.go:81:1s)
Will be retried in 3s ...
Using Docker executor with image debian:latest ...
ERROR: Preparation failed: Error response from daemon: network name runner-hc2zxq-project-1144-concurrent-0-job-473518-network already used: network already exists (manager.go:67:0s)
Will be retried in 3s ...
Using Docker executor with image debian:latest ...
ERROR: Preparation failed: Error response from daemon: network name runner-hc2zxq-project-1144-concurrent-0-job-473518-network already used: network already exists (manager.go:67:0s)
Will be retried in 3s ...
ERROR: Job failed (system failure): Error response from daemon: network name runner-hc2zxq-project-1144-concurrent-0-job-473518-network already used: network already exists (manager.go:67:0s)
```
The issue has been documented in this GitLab ticket: [Podman. preparation failed, sometimes](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/28971). The gist is that it's been identified as an issue in Podman 4.4 (which we run), and the fix is to upgrade the runners to Podman 4.5, which isn't straightforward because that's not available in Debian stable currently.

Jérôme Charaoui <lavamind@torproject.org>
2024-04-06

Change Tor Browser language by App languages system setting screen
https://gitlab.torproject.org/tpo/applications/android-components/-/issues/40080
2024-03-25T21:00:55Z
Rahim Rollins

I suggest you consider changing the language of the application through a single control center for the languages of installed applications, available in the latest versions of Google Android. Read more about it in the article "[Change app language on your Android phone](https://support.google.com/android/answer/12395118)" of the official OS help. [Screenshot](https://drive.google.com/file/d/1rhT3cFpo8cpeLrXIPteFH-0202ks_IYy/view)

review our ssl ciphers suite
https://gitlab.torproject.org/tpo/tpa/team/-/issues/32351
2024-03-25T20:15:39Z
anarcat

We currently use magic incantation from the Mozilla SSL observatory in our Apache (and now nginx, see legacy/trac#32239) installations. We should review it and see if it's still relevant.
It seems we're using the suites as per the Mozilla observatory, but since we're upgrading to buster, it might be worth upgrading our suite a little.
The documentation in the file mentions those URLs:
https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.25&openssl=1.0.2l&hsts=yes&profile=intermediate
https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.25&openssl=1.1.0&hsts=no&profile=intermediate
But that's *two* lists... maybe what we have is the merged one?
In any case, this probably needs a kick. The list was created in 2014 and last touched in 2018, according to the comments in the apache config.
Unless we have per openssl-version configs, this will have to wait until legacy/trac#29399 is done at least.
List of places we need to fix this:
- [ ] apache (watch out for WKD and GnuPG on windows, see #33751)
- [ ] nginx (`modules/profile/manifests/nginx.pp`, `modules/profile/files/gitlab/gitlab.torproject.org.conf`, see #40481)
- [ ] postfix (watch out for #33413)
- [ ] haproxy (configured in `modules/roles/templates/onionoo/haproxy.cfg.erb` but maybe other places)
- [ ] ipsec?
Todo list:
- [ ] review https://cipherli.st/
- [ ] test with https://www.ssllabs.com/ssltest/
- [ ] test mail servers with swaks
- [ ] set a baseline of supported clients
- [ ] update https://help.torproject.org/tsa/howto/tls/ with changes
- [ ] compliance monitoring, maybe with [zlint](https://github.com/zmap/zlint)

anarcat

evaluate impact of Let's Encrypt chain shortening
https://gitlab.torproject.org/tpo/tpa/team/-/issues/41563
2024-03-25T20:15:38Z
anarcat

In [this article from July 2023](https://letsencrypt.org/2023/07/10/cross-sign-expiration.html), Let's Encrypt mentioned the cross-sign with IdenTrust will stop working in September 2024.
Their timeline is this:
> - On Thursday, Feb 8th, 2024, we stopped providing the cross-sign by default in requests made to our /acme/certificate API endpoint. For most Subscribers, this means that your ACME client will configure a chain which terminates at ISRG Root X1, and your webserver will begin providing this shorter chain in all TLS handshakes. The longer chain, terminating at the soon-to-expire cross-sign, will still be available as an alternate chain which you can configure your client to request.
> - On Thursday, June 6th, 2024, we will stop providing the longer cross-signed chain entirely. This is just over 90 days (the lifetime of one certificate) before the cross-sign expires, and we need to make sure subscribers have had at least one full issuance cycle to migrate off of the cross-signed chain.
> - On Monday, September 30th, 2024, the cross-signed certificate will expire. This should be a non-event for most people, as any client breakages should have occurred over the preceding six months.
So part of the transition has already happened, with a reduced chain for most certificates issued. This should already have impacted us.
We need to see what other impacts that has for us. In #32351, we've been hesitant at performing cipher changes for backwards compatibility concerns. According to [this graph](https://gs.statcounter.com/android-version-market-share/mobile-tablet/worldwide/#monthly-202302-202402-bar), we're talking about 5% of Android users affected here, for example. The [compatibility page](https://letsencrypt.org/docs/certificate-compatibility/) has a more detailed breakdown.
So basically the task is to evaluate the above table and see if we need to do anything special to any of our services.

2024-04-25

disable TLS 1.0 and 1.1
https://gitlab.torproject.org/tpo/tpa/team/-/issues/40116
2024-03-25T20:05:50Z
weasel (Peter Palfrader)

ssllabs now gives bad grades for servers that even offer TLS 1.0 and 1.1. Modern browsers deprecated TLS 1.0 or 1.1.
Re support see also:
* https://en.wikipedia.org/wiki/Transport_Layer_Security#Applications_and_adoption
* https://caniuse.com/tls1-1
* https://caniuse.com/tls1-2
And it seems 1.2 has been around quite long. I propose we stop offering TLS 1.0 and 1.1 on our webservers.

Create asset(s) for the Mullvad Browser installer
https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/issues/278
2024-03-25T19:09:50Z
Pier Angelo Vendrame

Currently, we use NSIS's default images for the last page of the installers, however we could customize it:
<details><summary>Screenshots</summary>
Our page:
![Screenshot_from_2024-02-06_17-22-53](/uploads/cbbb28d1d4fb72f83165b82ba920bc04/Screenshot_from_2024-02-06_17-22-53.png)
Firefox:
![Screenshot_2024-01-17_054914](/uploads/513037b0c2df23114fb5008bf431fa0f/Screenshot_2024-01-17_054914.png)
</details>
Firefox uses the same asset also for the first page.
We don't use that page, but in case we can also re-use the same asset, or create a new issue if needed.
We customize the icon for the channel, so if easy enough we could have multiple versions of that asset, too (but I'm not sure of the requirement on the sponsor side).
/cc @donuts @nicob

nicob

Draft agenda
https://gitlab.torproject.org/tpo/team/-/issues/265
2024-03-25T17:38:08Z
Gaba <gaba@torproject.org>

Gaba <gaba@torproject.org>
2024-03-26

gitlab ultimate
https://gitlab.torproject.org/tpo/team/-/issues/202
2024-03-25T17:38:07Z
Gaba <gaba@torproject.org>

Look at least of new features we would gain from having gitlab ultimate and how we would use them.
- [x] Write all features from Gitlab Ultimate and how we could use them in https://nc.torproject.net/f/487875
- [ ] Add a section on how we are doing software development for each project.
- [ ] Get it reviewed.
- [ ] Send proposal to isa, micah and team leads to make a decision.

Gaba <gaba@torproject.org>

ESR128: investigate - thorin's list
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42054
2024-03-25T17:24:20Z
Thorin

see big comment list below

Create new email address for use with CiviCRM relationship management
https://gitlab.torproject.org/tpo/tpa/team/-/issues/41538
2024-03-25T16:59:30Z
al smith

Hi TPA,
Fundraising + Mathieu need a new email address created for a function we're introducing in CiviCRM. (It will allow us to BCC an email address to automatically add a record of that email to an individual's records in CiviCRM. You can see the overarching ticket here: https://gitlab.torproject.org/tpo/web/civicrm/-/issues/112.)
I'm requesting `crm@torproject.org`.
Please let me know if there's anything I need to do to facilitate this. :) Thanks!

Jérôme Charaoui <lavamind@torproject.org>
2024-03-31

Update text in the "remove all bridges" warning dialog
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42478
2024-03-25T16:15:15Z
henry

Taken from https://gitlab.torproject.org/tpo/applications/tor-browser/-/merge_requests/890#note_2985074.
Currently, whenever the user selects "..." > "Remove all bridges", they get a warning dialog, with the text:
> Remove all bridges?
>
> If these bridges were received from torproject.org or added manually, this action cannot be undone
This is shown whether the user is removing *any* of the following:
1. Bridges they added themselves.
2. Bridges added through the Tor Browser captcha request.
3. Built-in bridges.
4. Bridge pass (Lox) bridges.
Do we want to update this text, or customize it for the individual cases? For example, if you are removing built-in bridges the warning is less relevant.
The other consideration is that "added manually" is the old wording, that we replaced with "added by you" in the UI.
/cc @donuts

Decide what to do with the "Choose a bridge for me" button in Tor Connection settings.
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42477
2024-03-25T15:53:46Z
henry

Spin off from https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42036#note_2974796.
When "about:torconnect" has failed to perform a regular Bootstrap we show in "about:preferences#connection" the location selector and a "Choose a Bridge for me..." button to open "about:preferences" and trigger "Auto-Bootstrapping". Once connected to tor, it won't show again.
![Screenshot of location selector and trigger button shown in the bridge settings](/uploads/7f82218d21c518f003e24931d9775ddf/choose-bridge.png)
We should decide on whether we want to drop this, or replace it with something else.
/cc @donuts do we want to do anything for 13.5?

Add Letterboxing to the glossary
https://gitlab.torproject.org/tpo/web/support/-/issues/358
2024-03-25T15:27:33Z
emmapeel

We need to add Letterboxing to the glossary, as it is a new term that we use on the documentation.

ebanam <ebanam@torproject.org>