Hi everyone!
Here is my status report for August 2024.

I spent this month almost only on tasks linked with the transition from Firefox ESR115 to ESR128.
At the beginning of the month, I reviewed Dan's Android rebase.
Then, after it landed, I checked for new reproducibility problems. I found only one with the license files [0]. The oss-license-plugin wasn't updated upstream this year, so it must be linked with other toolchain updates (including Java from 11 to 17 and Gradle).
The solution [1] was to build and use a patched plugin that uses a `TreeSet` instead of a `HashSet`.
Sadly, the APK sizes grew a lot between 115 and 128. For this reason, we couldn't publish 14.0a2 and 14.0a3 on the Play Store for the x86 and x86-64 architectures [2].
During this month, Claire, cohosh from the AC team, and I spent some time investigating this. 14.0a4 should fit at least for Android x86-64. For Android x86, we might have to shave another 100-200kB if we understood how this threshold works.

Another issue I worked on was a leak of regional locale data with the `Intl` API. During the rebase, we had to start specifying `RFPTarget`s, and I chose the only one handled differently without realizing it.
This was a reminder of how important it is to upstream our patches whenever possible.
I started the process for this one two years ago [3], but then it didn't land because it would have applied also to the browser UI.
After finding a new fix that worked for us, I added a proposal to the upstream bug on a possible approach that might also work for Firefox.

Another bug worth mentioning was a problem with mixed content in Onion Services [4]. The fix eventually was easy [5], but it took me quite a while to understand what was going on because it involved debugging between parent and content processes.
Also, it was a great occasion to improve the Onion Sites I implemented for testing [6] and the documentation around them. While doing so, I accidentally learned that we accept self-signed certificates only if they specify subject alternative names. This new knowledge allowed me to quickly answer another issue [7] without further investigation.

Finally, Mozilla is releasing Firefox 115.15 tomorrow, which is expected to be the last update for the 115 series [8].
However, it's also the last version supporting Windows 7. While we agree that people shouldn't use unsupported operating systems, we know some of our users don't have another choice.
So, if eventually Mozilla decides to extend the support for Firefox 115, we might end up extending Tor Browser 13.5's life as well [9].
One of our updater changes is to check for the minimum requirements on the client side to avoid sending the OS version to our update servers.
So, this month, I also simulated providing several updates to Firefox: one compatible with Windows >= 7 and one with Windows >= 10.
Sadly, the updater didn't handle this case as expected, and I needed to create a patch. We will need some additional deployment steps if we actually provide the alternative update path.
In this case, we will also drop the hash check on the update files (it's redundant since they are already signed) [10].

Cheers,
Pier

[0] The Android license file is not deterministic anymore (#41211) · Issues · The Tor Project / Applications / tor-browser-build · GitLab
[1] Bug 41211: Replace Google's oss-license-plugin binaries with our patched build (!1016) · Merge requests · The Tor Project / Applications / tor-browser-build · GitLab
[2] Minimize APK size on Android (#42607) · Issues · The Tor Project / Applications / Tor Browser · GitLab
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=1746668
[4] security.mixed_content.upgrade_display_content.image is true by default (#43013) · Issues · The Tor Project / Applications / Tor Browser · GitLab
[5] Bug 43013: Mixed content upgrades also .onion domains instead of ignoring them (!1116) · Merge requests · The Tor Project / Applications / Tor Browser · GitLab
[6] BadSSL But Onion · Wiki · The Tor Project / Applications / Wiki · GitLab
[7] An onion with a red slash on multiple onionsites with valid SSL (#42887) · Issues · The Tor Project / Applications / Tor Browser · GitLab
[8] Firefox ESR schedule
[9] Windows 7 Legacy/Maintenance (#42747) · Issues · The Tor Project / Applications / Tor Browser · GitLab
[10] Drop the hash check on updates (#42737) · Issues · The Tor Project / Applications / Tor Browser · GitLab

_______________________________________________
tor-project mailing list
tor-project@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project
