The Tor Project issues
https://gitlab.torproject.org/groups/tpo/-/issues
2022-12-20T14:33:24Z

https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40694
aarch64 tor-expert-bundle for macOS is not exported as part of the browser build
2022-12-20T14:33:24Z
richard

We need to add a special case for `mac_universal` builds to copy along the tor expert bundle otherwise only x86_64 is published.

richard

https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40645
Verify we no longer depend on any signed tags from sysrqb and gk, and remove them from torbutton.gpg
2022-12-20T14:33:29Z
richard

Sponsor 131 - Phase 5 - Ongoing Maintenance
richard

https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40702
Nightly builds fails with "error: pathspec 'tor-browser-102.5.0esr-12.0-2' did not match any file(s) known to git"
2022-12-20T14:33:43Z
boklm

Nightly builds try to use branch `tor-browser-102.5.0esr-12.0-2`, which does not exist.
We need to update the `2` in `projects/geckoview/config`.

boklm

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41520
Regression: rearranging bookmarks / place items by drag & drop doesn't work anymore
2022-12-20T14:37:36Z
ma1

This is a regression from fixing #41353 (torbutton!106).
Work to fix it is being done in #41518.

ma1

https://gitlab.torproject.org/tpo/onion-services/onionspray-log-parser/-/issues/6
Refactor eotk-get-logs-from-s3
2022-12-20T14:59:33Z
Silvio Rhatto

Implement support on [eotk-get-logs-from-s3](eotk-get-logs-from-s3) to emulate commands like
aws s3 --profile myprofile sync s3://my-eotk-logs logs/
Currently the script is dependent on API calls to determine the instance ID. A configuration option should be implemented to switch between this behavior and another where it's possible to supply a bucket name via command line.

Sponsor 123: Tor Secure Access Package for USAGM [First Phase]
Silvio Rhatto
2023-01-06

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41537
Yubikeys do not work for .onion pages
2022-12-20T16:20:14Z
richard

Reported by @lavamind, the fix for this should possibly be part of the 'Bug 23247: Communicating security expectations for .onion' patch, or maybe as a standalone for eventual uplift.
`security.webauth.webauthn` needs to be `true` for yubikeys in general to work (see tor-browser#26614)

https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40678
Force all 11.5 users to update through 11.5.8 before 12.0
2022-12-20T16:23:04Z
boklm

This will require keeping a copy of 11.5.8 mar files on the mirrors for a while. By the way I think we still have some pre 8.0 mar files there that we could remove.
The mechanism to do that is copying the 11.5.8 update xml files from https://aus1.torproject.org/torbrowser/update_3/release/ to another directory like https://aus1.torproject.org/torbrowser/update_pre12.0/release/, and before publishing the 12.0 update, edit `projects/release/update_responses_config.yml` to add some redirect rules in `htaccess_rewrite_rules`, to redirect users of 11.* to `update_pre12.0`.

Sponsor 131 - Phase 3 - Major ESR 102 Migration
boklm

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41148
Review Mozilla 1661450: Enable Firefox to be built on Wayland without X11
2022-12-20T18:06:12Z
richard

## https://bugzilla.mozilla.org/show_bug.cgi?id=1661450
More Wayland and X11 stuff, may be useful for fixing https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40565

Sponsor 131 - Phase 2 - Privacy Browser
boklm

https://gitlab.torproject.org/tpo/applications/tor-browser-spec/-/issues/40036
FF101 Audit
2022-12-20T18:13:49Z
richard

# General
The audit begins at the commit hash where the previous audit ended. Use code_audit.sh for creating the diff and highlighting potentially problematic code. The audit is scoped to a specific language (currently C/C++, Rust, Java/Kotlin, and Javascript).
The output includes the entire patch where the new problematic code was introduced. Search for `XXX MATCH XXX` to find the next potential violation.
`code_audit.sh` contains the list of known problematic APIs. New usage of these functions are documented and analyzed in this audit.
## Firefox: https://github.com/mozilla/gecko-dev.git
- Start: `59930a20119813ea25546eaca75dcc3bbc500039` ( `FIREFOX_RELEASE_101_BASE` )
- End: `856b9168439ef597dbd103cd1e2940a8ad110450` ( `FIREFOX_RELEASE_102_BASE` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
Nothing of interest (using `code_audit.sh`)
---
## Application Services: https://github.com/mozilla/application-services.git
- Start: `6a4737d1c043d71dfac67e270ee4afa4fb6c73b4` ( `v93.2.1` )
- End: `0302b89604bb29adb34fdcd710feabd3dd01992d` ( `v93.5.0` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
Nothing of interest (using `code_audit.sh`)
## Android Components: https://github.com/mozilla-mobile/android-components.git
- Start: `4eef6c129c9611b6927bd50a5a1620ede57744b1` ( `v101.0.0` )
- End: `95fe1972b83b518a70febc76cdf3e27d5cfa390f` ( `v101.0.9` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
Nothing of interest (using `code_audit.sh`)
## Fenix: https://github.com/mozilla-mobile/fenix.git
- Start: `02ca27633b10acbe4db08aecf9c0a12d83376fd9` ( `v101.0.0-beta.1` )
- End: `be90007a460cc7b06008f319447011b2dce76aaa` ( `releases_v101.0.0` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
Nothing of interest (using `code_audit.sh`)
## Ticket Review ##
### 101 https://bugzilla.mozilla.org/buglist.cgi?query_format=advanced&resolution=FIXED&target_milestone=101%20Branch&order=priority%2Cbug_severity&limit=0
- https://bugzilla.mozilla.org/show_bug.cgi?id=1766401 : @ma1 https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41147
- https://bugzilla.mozilla.org/show_bug.cgi?id=1661450 : @boklm https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41148
- https://bugzilla.mozilla.org/show_bug.cgi?id=1762576 : @dan https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41149
- https://bugzilla.mozilla.org/show_bug.cgi?id=1753302 : @dan https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41150
- https://bugzilla.mozilla.org/show_bug.cgi?id=1757823 : @dan https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41151
## Regression/Prior Vuln Review ##
Review proxy bypass bugs; check for new vectors to look for:
- https://gitlab.torproject.org/groups/tpo/applications/-/issues?scope=all&utf8=%E2%9C%93&state=opened&label_name[]=Proxy%20Bypass
- Look for new features like these. Especially external app launch vectors
## Export
- [x] Export Report and save to `tor-browser-spec/audits`

Sponsor 131 - Phase 3 - Major ESR 102 Migration
richard

https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/136
gitlab-dev.tpo redirecting to gitlab.tpo
2022-12-20T18:29:10Z
micah micah@torproject.org

I was looking to test a gitlab patch on gitlab-dev (cf. #23), but I noticed that if I try to visit https://gitlab-dev.torproject.org I get redirected to https://gitlab.torproject.org.
The nginx configuration does have `server_name gitlab-dev.torproject.org;`
Interestingly, https://gitlab-dev.torproject.org/users/sign_in does work :thinking:

https://gitlab.torproject.org/tpo/core/tor/-/issues/40731
relay: Decouple streams blocked on channel
2022-12-20T18:45:23Z
David Goulet dgoulet@torproject.org

The `streams_blocked_on_n_chan` and `streams_blocked_on_p_chan` are set if the cell queue of the circuit is above the high watermark (256). And unblocked if the queue goes back below low watermark (10).
However, conflux and congestion control need more than that to decide if the streams ends up actually blocked.
So, in order to do that, we'll decouple this logic outside into the circuit subsystem in order to be able to make a decision based on different algorithms that can look at:
* Conflux state
* Congestion control state
* KIST scheduling state
* High and low watermark.

Tor: 0.4.8.x-freeze
David Goulet dgoulet@torproject.org

https://gitlab.torproject.org/tpo/tpa/team/-/issues/31243
TPA-RFC-2: define how users get support, what's an emergency and what is supported
2022-12-20T18:59:27Z
anarcat

Extract from parent ticket (#30881):
# 2. Are "the 3 empowering policies" defined and published?
http://opsreportcard.com/section/2
Specifically, this is three questions:
## How do users get help?
Right now, this is unofficially "open a ticket in Trac", "ping us over IRC for small stuff", or "write us an email". This could be made more official somewhere.
## What is an emergency?
I am not sure this is formally defined.
## What is supported?
We have the distinction between systems and service admins. We did [talk in Stockholm](https://trac.torproject.org/projects/tor/wiki/org/meetings/2019Stockholm/Notes/SysadminTeamRoadmapping) about clarifying that item, so this is worth expanding further.

anarcat

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41001
Out of memory on colchicifolium
2022-12-20T19:08:55Z
Hiro

I am getting "out of memory" errors on colchicifolium. It seems like collector is using all the memory (https://grafana1.torproject.org/d/Z7T7Cfemz/node-exporter-full?orgId=1&var-job=node&var-node=colchicifolium.torproject.org&var-port=9100).
Would it be possible to add more ram to this VM?

Jérôme Charaoui lavamind@torproject.org

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41012
Issue with varnish on onionoo-frontends
2022-12-20T19:09:13Z
Hiro

I have been receiving every few hours alerts from nagios about onionoo backend not updating the index. But I have checked and the service has been running every hour and updating the statuses (summary from the logs pasted below). I wonder if we are having some issues with Varnish caching the results?
The nagios check is triggered if at least one index has not been updated for a few hours. @gk has hourly snapshots from onionoo so we can check what has been served in the last few days.
I have checked our configs in puppet and I can't spot anything that would cause an issue. I have also been looking at requests on the frontends and it seems varnish is querying the backend correctly.
```
2022-12-17 00:07:15,827 INFO o.t.m.o.u.StatusUpdateRunner:51 UptimeStatusUpdater
1 hours of relay uptimes processed
1 hours of bridge uptimes processed
8,702 uptime status files updated
--
2022-12-17 01:06:52,137 INFO o.t.m.o.u.StatusUpdateRunner:51 UptimeStatusUpdater
1 hours of relay uptimes processed
1 hours of bridge uptimes processed
8,692 uptime status files updated
--
2022-12-17 02:07:26,965 INFO o.t.m.o.u.StatusUpdateRunner:51 UptimeStatusUpdater
1 hours of relay uptimes processed
1 hours of bridge uptimes processed
8,739 uptime status files updated
--
2022-12-17 03:06:36,807 INFO o.t.m.o.u.StatusUpdateRunner:51 UptimeStatusUpdater
1 hours of relay uptimes processed
0 hours of bridge uptimes processed
6,109 uptime status files updated
--
2022-12-17 04:08:06,285 INFO o.t.m.o.u.StatusUpdateRunner:51 UptimeStatusUpdater
2 hours of relay uptimes processed
2 hours of bridge uptimes processed
8,765 uptime status files updated
--
2022-12-17 05:07:02,203 INFO o.t.m.o.u.StatusUpdateRunner:51 UptimeStatusUpdater
1 hours of relay uptimes processed
1 hours of bridge uptimes processed
8,698 uptime status files updated
--
2022-12-17 06:06:34,321 INFO o.t.m.o.u.StatusUpdateRunner:51 UptimeStatusUpdater
1 hours of relay uptimes processed
1 hours of bridge uptimes processed
8,697 uptime status files updated
--
2022-12-17 07:06:29,204 INFO o.t.m.o.u.StatusUpdateRunner:51 UptimeStatusUpdater
1 hours of relay uptimes processed
1 hours of bridge uptimes processed
8,715 uptime status files updated
--
2022-12-17 08:07:45,006 INFO o.t.m.o.u.StatusUpdateRunner:51 UptimeStatusUpdater
1 hours of relay uptimes processed
1 hours of bridge uptimes processed
8,706 uptime status files updated
--
2022-12-17 09:06:27,389 INFO o.t.m.o.u.StatusUpdateRunner:51 UptimeStatusUpdater
1 hours of relay uptimes processed
0 hours of bridge uptimes processed
6,083 uptime status files updated
--
2022-12-17 10:06:39,656 INFO o.t.m.o.u.StatusUpdateRunner:51 UptimeStatusUpdater
1 hours of relay uptimes processed
2 hours of bridge uptimes processed
8,697 uptime status files updated
--
2022-12-17 11:07:11,588 INFO o.t.m.o.u.StatusUpdateRunner:51 UptimeStatusUpdater
1 hours of relay uptimes processed
1 hours of bridge uptimes processed
8,702 uptime status files updated
--
2022-12-17 12:07:09,905 INFO o.t.m.o.u.StatusUpdateRunner:51 UptimeStatusUpdater
1 hours of relay uptimes processed
1 hours of bridge uptimes processed
8,705 uptime status files updated
--
2022-12-17 13:06:34,323 INFO o.t.m.o.u.StatusUpdateRunner:51 UptimeStatusUpdater
1 hours of relay uptimes processed
1 hours of bridge uptimes processed
8,671 uptime status files updated
--
2022-12-17 14:06:47,110 INFO o.t.m.o.u.StatusUpdateRunner:51 UptimeStatusUpdater
1 hours of relay uptimes processed
1 hours of bridge uptimes processed
8,688 uptime status files updated
--
2022-12-17 15:07:03,315 INFO o.t.m.o.u.StatusUpdateRunner:51 UptimeStatusUpdater
1 hours of relay uptimes processed
0 hours of bridge uptimes processed
6,086 uptime status files updated
--
2022-12-17 16:06:42,723 INFO o.t.m.o.u.StatusUpdateRunner:51 UptimeStatusUpdater
1 hours of relay uptimes processed
2 hours of bridge uptimes processed
8,696 uptime status files updated
```

anarcat

https://gitlab.torproject.org/tpo/tpa/team/-/issues/30881
answer the opsreportcard questionnaire, AKA the "limoncelli test"
2022-12-20T19:13:24Z
anarcat

Tom Limoncelli is the renowned author of [Time management for sysadmins](https://www.tomontime.com/) and [practice of network and system administration](https://the-sysadmin-book.com/), two excellent books I recommend every sysadmin reads attentively.
He made up a [32-question test](https://everythingsysadmin.com/the-test.pdf) (PDF, website version on [opsreportcard.com](http://opsreportcard.com/) or the [previous one-page HTML version](http://web.archive.org/web/20120827040816/http://everythingsysadmin.com:80/the-test.html)) that covers the basics of a well-rounded setup. I believe we will get a good score, but going through the list will make sure we don't miss anything.

anarcat

https://gitlab.torproject.org/tpo/web/tpo/-/issues/357
updating Open Technology Fund on sponsors page
2022-12-20T19:21:20Z
Bekeela Davila

Hi,
I'd like to update the last sentence in the OTF section so that it reads this:
These contracts are used to provide an end-to-end solution for USAGM web content to be distributed in censored or surveilled areas, to facilitate access to news and information in Russia following ongoing censorship events by supporting Russian-language support to Tor users in Russia, and provide increased circumvention services in response to ongoing government censorship in Iran.

https://gitlab.torproject.org/tpo/tpa/team/-/issues/29304
Manage the lifecycle of systems
2022-12-20T19:25:37Z
Jens Kubieziel

During the sysadmin meeting in Brussels we discussed our infrastructure. Systems are managed by service admins/owners. They sometimes disappear or services become irrelevant. This means we have systems without proper owner which are rotting over time.
To better handle such systems we decided that systems like `$host.torproject.org` should have an expiration date which is initially one or two years in the future. When the expiration date is near the service owner receives an email informing about the possible shutdown and the means to prevent it (write an email answer to tpa). If the mail is answered the expiration date will be prolonged. If not, the system will be deactivated. The deactivation can easily be revoked. However after some more time without any feedback the host will be decommissioned.
This ticket is to track the several steps for implementing this new policy.

https://gitlab.torproject.org/tpo/anti-censorship/rdsys/-/issues/32
Integrate GetTor into rdsys
2022-12-20T19:26:45Z
Christian Fromme

Both GetTor and BridgeDB seem to have a lot of requirements in common when it comes to email processing and configuration. (For instance, mail filtering, DKIM checks and so on)
Maybe we should sync the email processing code into something like a python tor email library for both at some point in the future.
Since we are reconfiguring BridgeDB to use rdsys as a backend, let's also make sure rdsys is generalizable enough to handle distributing GetTor links.

Sponsor 30 - Objective 2.3
meskio meskio@torproject.org

https://gitlab.torproject.org/tpo/tpa/team/-/issues/31226
add validation checks in puppet
2022-12-20T19:56:26Z
anarcat

we often do "YOLO" (You Only Live Once) commits in Puppet because of silly syntax errors and typos that could be caught by automated systems. even just a simple git hook checking for syntax errors in manifests would be an improvement, but we could also run tests and so on.

Puppet CI

https://gitlab.torproject.org/tpo/tpa/team/-/issues/40991
create milestones for the 2023 roadmap
2022-12-20T20:03:13Z
anarcat

see wiki-replica@e0b193d77325bd25d4bab3f7399dae4f304543be

anarcat
2023-01-15