Re: [Tails-dev] Testing the ISO Verification Extension
sajolida: > Giorgio Maone: >> On 18/11/2015 19:54, sajolida wrote: Meta: I created a bunch of tickets on Redmine to track all these pending issues. Feel free to reassign them to tchou if you think that should be on our plate, or to me for review (using "QA Check: Ready for QA"). >>> I read this too fast. Actually, we don't want the extension to open the >>> file browser of the OS right now. After clicking on the "Next" button, >>> people will go through step-by-step instructions and we'll tell them >>> when to use the ISO image. >> >> So, when you click "Next" the extension should NOT open the file browser >> NOR reload the page to initial state, correct? >> What should happen exactly, instead? Should I just leave it up to you >> (i.e. the web page)? > > Sorry for being unclear here. The cases where the extension should reset > were not super clear to us either until now. We gave it a second thought > this morning. We think that the extension should reset (ie. go back to > the state it is right after installing) in the following cases only: > > 1. The IDF has changed. I'm not sure exactly when the extension > downloads the IDF again as of now, but whenever the IDF changes (for > example if we issue an emergency release) and the user goes back to the > same page the extension should reset. We can probably skip the corner > cases when the IDF changes *while* the user is downloading. > > 2. The "Download again" button is clicked. > > 3. The "Cancel" button is clicked. > > So yes, after giving it a second though, when the user clicks on the > "Next" button the extension should not reset. We'll simply use an href > to redirect to or toggle the rest of the instructions if needed. In some > cases the instructions might be on the very same page already and we > might not even have a "Next" button. > > In other words, I think that we'll rescue the logic you had already for > the "Next" button and make it the "Download again" button. > > Regarding opening the file browser, neither the "Download again" nor the > "Cancel" button nor the "Next" button should open the file browser. > But maybe we might want to open the file browser from the same page, > later on in the rest of the instructions. But this would be outside of > the big div #download-and-verify. Can you still give us that possibility? I created #10682 to track the issue of opening the file browser. >>> Here are the new issues: >>> >>> 1. Clicking the "Next" button should also bring back #use-button to >>>"show" and #use-text to "hide". >> >> So, if you click "Next", you get the "Use Firefox extension" button >> again visible, right? >> What is exactly supposed to happen when you click it, though? > > Sorry but we're changing a bit our minds here. Forget about the "Next" > button. As said in the previous point, the "Download again" and "Cancel" > buttons should reset the full state of the page as when the extension > was installed. That means with the "Use Firefox extension" (and the > minor BitTorrent option) visible again. > > We might find a better wording for the "Download again" button but the > idea is to give the user a way of resetting everything. For example, if > they come back after delete the ISO or something... > >>> 2. #bittorrent-minor should also be visible when #use-button >>>and #install-button are visible. See slides 3 and 4. >> >> OK, done in latest commit. > > I don't see this. I tested with 0.2.5 and it didn't work. I also don't > see any change while search on 'bittorrent' in the Git history as of > 1039f5f. Maybe you forgot to push? Created #10676 for that. Assigned to tchou for the moment. >>> 3. Clicking #use-button or #install-button should #i_have_iso (when >>>the download starts). >> You mean *hide* #i_have_iso, correct? Tentatively done, then. > > Sorry for the missing word. You understand correctly, I meant "Clicking > #use-button or #install-button should hide #i_have_iso". Still, I don't > see this in 0.2.5. See screenshot in attachment. Created #10677 for that. Assigned to tchou as well. >>> 4. The page reloads every 10s. Why? It makes it blink pretty badly on >>>Tor Browser and also sometimes loses state. >> >> Weird, can you consistently reproduce, and how? > > Yes, when in Tails, Tor Browser outside of Tails and FF38. See this > screencast. The first blinking and reset appears at 0:49, then it goes on: > > https://dl.poivron.org/p27bqufzog2ekqmkqttt-cbt2g3hglv62s4jv > > Note that I need to force a reload of the page for this to happen. If I > don't reload the page it doesn't blink. Created #10678 for this one. >>> 8. When doing "Resume", the progress bar goes to 100%, displays ???, >>>and then go back to where it was once the download really started >>>again. The progress bar should instead freeze where it is until the >>>download starts again for real. >> >> Tentatively fixed in 0.2.5 > > Ack for the progress bar. Now, there's still a minor glitch as the > displayed
[Tails-dev] Testing the ISO Verification Extension
Hi,
Giorgio Maone:
As soon as it's on AMO it's gonna be signed by Mozilla.
Also, in a near future, installing extensions which have not been
signed
by Mozilla will automatically fail.
Finally, if we want hash-based verification right now, rather than
providing a raw link, we can use Firefox's proprietary
window.InstallTrigger method, like this:
InstallTrigger.install(
"Download and Verify Extension 0.2.6": {
URL: "dave.xpi",
Hash:
"sha256:c750017b572ebc6417324196f216a13216e5f65de6abd8b1a5a1ce07618ccfdc"
}
);
Gangster.
Wordlife,
Spencer
___
Tails-dev mailing list
Tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to
tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] Testing the ISO Verification Extension
Giorgio Maone: > On 19/11/2015 13:17, sajolida wrote: 2. #bittorrent-minor should also be visible when #use-button and #install-button are visible. See slides 3 and 4. >>> OK, done in latest commit. >> I don't see this. I tested with 0.2.5 and it didn't work. I also don't >> see any change while search on 'bittorrent' in the Git history as of >> 1039f5f. Maybe you forgot to push? >> 3. Clicking #use-button or #install-button should #i_have_iso (when the download starts). >>> You mean *hide* #i_have_iso, correct? Tentatively done, then. >> Sorry for the missing word. You understand correctly, I meant "Clicking >> #use-button or #install-button should hide #i_have_iso". Still, I don't >> see this in 0.2.5. See screenshot in attachment. > > Are you using latest dave.css? Indeed we were missing some changes there. We integrated them in 53f0a63. You can see it live on https://tails.boum.org/install/download. We'll try to fix as much as we can on our side with CSS but we're a bit learning as we do... ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] Testing the ISO Verification Extension
On 19/11/2015 13:17, sajolida wrote: >>> 2. #bittorrent-minor should also be visible when #use-button >>>and #install-button are visible. See slides 3 and 4. >> OK, done in latest commit. > I don't see this. I tested with 0.2.5 and it didn't work. I also don't > see any change while search on 'bittorrent' in the Git history as of > 1039f5f. Maybe you forgot to push? > >>> 3. Clicking #use-button or #install-button should #i_have_iso (when >>>the download starts). >> You mean *hide* #i_have_iso, correct? Tentatively done, then. > Sorry for the missing word. You understand correctly, I meant "Clicking > #use-button or #install-button should hide #i_have_iso". Still, I don't > see this in 0.2.5. See screenshot in attachment. Are you using latest dave.css? -- G ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] Testing the ISO Verification Extension
On 19/11/2015 17:46, Spencer wrote:
>
>> sajolida:
>> You can see it live on https://tails.boum.org/install/download.
>>
>
> Is there a way to verify the extension?
As soon as it's on AMO, it's gonna be signed by Mozilla.
Also, in a near future, installing extensions which have not been signed
by Mozilla will automatically fail.
Finally, if we want hash-based verification right now, rather than
providing a raw link we can use Firefox's proprietary
window.InstallTrigger method like this:
InstallTrigger.install(
"Download and Verify Extension 0.2.6": {
URL: "dave.xpi",
Hash:
"sha256:c750017b572ebc6417324196f216a13216e5f65de6abd8b1a5a1ce07618ccfdc"
}
);
--
Giorgio Maone
https://maone.net
___
Tails-dev mailing list
Tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to
tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] Testing the ISO Verification Extension
sajolida: > I'll merge answering to both your emails. Today we studied your work more in details to understand how it was manipulating the page, how we could modify the HTML ourselves, etc. We fixed a bunch of things on our side. Still, here are some more issues that I think you could only fix yourself. Correct us if that's not the case. We're a bit late on the schedule to be ready for testing on Friday but we'll do fine... If you could fix at least some of these issue, the more the better. > Giorgio Maone:> On 12/11/2015 17:38, sajolida wrote: >>> 2. The extension is great because it preserves its state even if you >>> close the tab. You can open it again and the result of the verification >>> is still there. Still, I think we should reset its state in some cases: >>> >>> - When the download is finished and the user clicks on the "next" >>> button. :maone: >> >> Done: once you click "Next", the filesystem browser is shown with the >> file highlighted while in the background the page gets reloaded and goes >> in its initial state. > > It works, thanks. I read this too fast. Actually, we don't want the extension to open the file browser of the OS right now. After clicking on the "Next" button, people will go through step-by-step instructions and we'll tell them when to use the ISO image. Here are the new issues: 1. Clicking the "Next" button should also bring back #use-button to "show" and #use-text to "hide". 2. #bittorrent-minor should also be visible when #use-button and #install-button are visible. See slides 3 and 4. 3. Clicking #use-button or #install-button should #i_have_iso (when the download starts). 4. The page reloads every 10s. Why? It makes it blink pretty badly on Tor Browser and also sometimes loses state. 5. We tried in 26642eb to add a link below the "Next" button to reset the page as well but it didn't work. Are you triggering the cancelation only on the *first* "#verify-text-success .btn" in line 207-210? 6. We tried in 7bcda1a to replace the URL in the download button with the size in MiB but it failed. Maybe you should set iso-size-MiB in updateBlobView around line 88. 7. We managed to get a negative ETA displayed :) See screenshot in attachment. 8. When doing "Resume", the progress bar goes to 100%, displays ???, and then go back to where it was once the download really started again. The progress bar should instead freeze where it is until the download starts again for real. 9. #verify-text-label should be visible once #download is visible. See slide 11. We should be able to change its opacity until we get to the verification state. ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] Testing the ISO Verification Extension
Giorgio Maone:
> On 17/11/2015 17:11, sajolida wrote:
>> Giorgio Maone:
>> Now you've got the flexibility of choosing to pin the domain cert, the
>> issuer's (CA's) cert or both.
>> I've seen that in conf.json. Regarding the different kinds of pinning,
>> how do you switch from trusting the cert to trusting the issuer or both?
>> By adding and removing the corresponding information in the
>> configuration file? Is it that any pinning available in the
>> configuration file is trusted?
>>
> In the "pins" section, you can add as many "certs" and "issuers" entries
> as you want, listing identifiers for domain certificates and their
> issuers, respectively.
> Whether they're actually used to verify a certain domain or not is
> determined by the content of "pins" > "domains", though.
> This section currently looks like this:
>
> "domains": {
> "tails.boum.org": {
> "cert": null,
> "issuer": "Gandi"
> },
> "maone.net": {
> "cert": "maone.net",
> "issuer": "COMODO"
> }
> }
>
> For any entry in "domains", you can specify a reference to a "certs"
> entry ("cert"), to an "issuers" entry ("issuer") or both.
> In the example above, "tails.boum.org" is pinned on its issuer ("Gandi")
> only (because "cert" is null, rather than "*.boum.org"), while the
> "maone.net" domain is pinned both on the certificated referenced by the
> "maone.net" key and to the "COMODO" issuer.
>
> If I've not been clear enough, feel free to ask.
Cristal clear, thanks. I'm quite tired these days due to tons of work. I
didn't pay enough attention to the differences between tails.boum.org
and maone.net (like "cert": null).
___
Tails-dev mailing list
Tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to
tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] Testing the ISO Verification Extension
On 18/11/2015 19:54, sajolida wrote: > > I read this too fast. Actually, we don't want the extension to open the > file browser of the OS right now. After clicking on the "Next" button, > people will go through step-by-step instructions and we'll tell them > when to use the ISO image. So, when you click "Next" the extension should NOT open the file browser NOR reload the page to initial state, correct? What should happen exactly, instead? Should I just leave it up to you (i.e. the web page)? > > Here are the new issues: > > 1. Clicking the "Next" button should also bring back #use-button to >"show" and #use-text to "hide". So, if you click "Next", you get the "Use Firefox extension" button again visible, right? What is exactly supposed to happen when you click it, though? > 2. #bittorrent-minor should also be visible when #use-button >and #install-button are visible. See slides 3 and 4. OK, done in latest commit. > 3. Clicking #use-button or #install-button should #i_have_iso (when >the download starts). You mean *hide* #i_have_iso, correct? Tentatively done, then. > 4. The page reloads every 10s. Why? It makes it blink pretty badly on >Tor Browser and also sometimes loses state. Weird, can you consistently reproduce, and how? > 5. We tried in 26642eb to add a link below the "Next" button to reset >the page as well but it didn't work. Are you triggering the >cancelation only on the *first* "#verify-text-success .btn" in line >207-210? Yes I was. Fixed in latest commits. > 6. We tried in 7bcda1a to replace the URL in the download button with >the size in MiB but it failed. Maybe you should set iso-size-MiB in >updateBlobView around line 88. Fixed. > 7. We managed to get a negative ETA displayed :) See screenshot in >attachment. I couldn't find any screenshot, sorry. > 8. When doing "Resume", the progress bar goes to 100%, displays ???, >and then go back to where it was once the download really started >again. The progress bar should instead freeze where it is until the >download starts again for real. Tentatively fixed in 0.2.5 > 9. #verify-text-label should be visible once #download is visible. See >slide 11. We should be able to change its opacity until we get to >the verification state. And it shouldn't be clickable either, correct? So I suppose the extension should manage both the disabled state (maybe setting an attribute that you can use to style the button) and behavior, correct? -- G ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] Testing the ISO Verification Extension
On 17/11/2015 17:11, sajolida wrote:
> Giorgio Maone:
> Now you've got the flexibility of choosing to pin the domain cert, the
> issuer's (CA's) cert or both.
> I've seen that in conf.json. Regarding the different kinds of pinning,
> how do you switch from trusting the cert to trusting the issuer or both?
> By adding and removing the corresponding information in the
> configuration file? Is it that any pinning available in the
> configuration file is trusted?
>
In the "pins" section, you can add as many "certs" and "issuers" entries
as you want, listing identifiers for domain certificates and their
issuers, respectively.
Whether they're actually used to verify a certain domain or not is
determined by the content of "pins" > "domains", though.
This section currently looks like this:
"domains": {
"tails.boum.org": {
"cert": null,
"issuer": "Gandi"
},
"maone.net": {
"cert": "maone.net",
"issuer": "COMODO"
}
}
For any entry in "domains", you can specify a reference to a "certs"
entry ("cert"), to an "issuers" entry ("issuer") or both.
In the example above, "tails.boum.org" is pinned on its issuer ("Gandi")
only (because "cert" is null, rather than "*.boum.org"), while the
"maone.net" domain is pinned both on the certificated referenced by the
"maone.net" key and to the "COMODO" issuer.
If I've not been clear enough, feel free to ask.
Cheers
--
Giorgio Maone
https://maone.net
___
Tails-dev mailing list
Tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to
tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] Testing the ISO Verification Extension
Status update as of latest commit (extension version 0.2.1) follows. On 12/11/2015 17:38, sajolida wrote: > 2. The extension is great because it preserves its state even if you > close the tab. You can open it again and the result of the verification > is still there. Still, I think we should reset its state in some cases: > > - When the download is finished and the user clicks on the "next" > button. :maone: Done: once you click "Next", the filesystem browser is shown with the file highlighted while in the background the page gets reloaded and goes in its initial state. > > 3. Regarding resetting the state of the extension, we were wondering how > this interacts with the Private Browsing of Firefox. Is is reseted when > going in and out of Private Browsing? The extension syncs with the download manager, hence if a download has been initiated from a private window it won't be available anymore once you close that window (even though if you already have the UI opened in another window it will still show its state until reloaded). Of course the state is not persisted across sessions if the download started from a private window. > > 4. We looked at the SSL information embedded in the code (conf.json) and > there's the fingerprint of the certificate for tails.boum.org. According > to the specification on > https://tails.boum.org/blueprint/bootstrapping/extension/#index5h2 it > should instead include "root certificate of the authority expected to > sign the certificate of https://tails.boum.org/;. We don't want the > extension to break when boum.org renew their certificates. :maone: Done, maybe. Now you've got the flexibility of choosing to pin the domain cert, the issuer's (CA's) cert or both. I decided not to let you pin on the actual root, but on the nearest issuer in the chain (Gandi, in your case), because it seemed to me that pinning on a root CA which has many resellers (like "The UserTrust Network", in your case) would have sensibly reduced the security of this setup. If you actually prefer the root to be tested, rather than the intermediate, I'm gonna implement it as a further option. > > 5. In 2cf4737 you added a class to the tag. We can't really do > that in ikiwiki. So is it possible to move this somewhere else in the > code? Maybe on #download-and-verify? :maone: Yes, just move the "dave.js"
Re: [Tails-dev] Testing the ISO Verification Extension
On 12/11/2015 17:38, sajolida wrote: > We also published an alpha version of that page on the website, for > testing purposes as well here: > > https://tails.boum.org/install/download/ > > But since the time we synced with Giorgio's code we did some changes, of > course :) They are visible in wiki/src/download.inline.mdwn in our main > repo (5c97222..926f355) but we'll comment on them here when relevant. > Giorgio, I wonder how we should do this syncing; as I understand that > you want to have some test HTML in your repo as well... Indeed, latest commit (minutes ago) addresses most of your feedback, but I cannot comment in deep right now. I will probably do it tomorrow, but in the meanwhile the most important points are: 1. From now on I'll strictly refer to the HTML at https://tails.boum.org/install/download/ and send tchou patches if and only if I actually need the markup to be modified 2. Latest iterations of the extension from git or from https://maone.net/dev/tails/dave.xpi automatically detect if they're used on an outdated page (by comaring with #extension-version) and if they're more up-to-date automatically replace the dave.css stylesheet with the one from https://maone.net, so while we're still in development I don't need to actually push it on the site 3. If you want to use the .chrome-unsupported class on #download-and-verify, rather than on the element, you just need to be sure dave.js is loaded after the element exists (e.g. by placing its
