Volunteers to handle "Hole in the roof" tickets this month

adamb will look into Vagrant issues.

Availability and plans for monthly low-hanging fruits meeting

Six of us will try, to various degrees, to make it.

Claws Mail leaks cleartext of encrypted email to the IMAP server

Security advisory synopsis

All those who commented found the synopsis on #9161 great. It has a few issues, though, that intrigeri reported on the ticket (note 9).

Consider proposing POP instead of IMAP by default

We agreed that this would be good, if we can preconfigure it to not delete messages from the server by default (which makes sense especially in an amnesic live system).

sajolida will investigate if we can do that.

Consider shipping claws-mail 3.10.1-2~bpo70+1

We agreed that doing this is useless, given cleartext email will be sent to the server's Queue folder anyway, unless manual configuration is done.

And while we're at it, we're also going to reject #8305.

How much do we want Tor Browser's per-tab circuit view?

For most applications (e.g. Pidgin, but not Claws Mail), Vidalia currently displays DOMAIN:PORT information for each circuit. But according to the screenshots on #6842, once we replace Vidalia with Tor Monitor, we'll only have IP:PORT information, that most users won't be able to correlate with their web browsing activity.

But we're not there yet. So, for the moment we'll simply keep Tor Browser's per-tab circuit view disabled, on the grounds that this info is already available in Vidalia.

And later, some of us will argue that when we replace Vidalia with Tor Monitor, in order to avoid a UX regression, either we ship Tor Browser's per-tab circuit view (and go through a complicated security analysis thereof), or we have Tor Monitor display the DOMAIN:PORT information like Vidalia does. That was suggested on #6842.

Also note that the security analysis isn't only about Tor Browser's per-tab circuit view. It's also about Tor Monitor, Vidalia, retrieving info via the X protocol, and what practical attacks one can conduct with the full circuits/streams info in hand. anonym will file tickets about it.

Research BitTorrent trackers we could use

The open tracker we're using currently has difficulties handling the load and costs. It's been proposed to use http://coppersurfer.tk/ instead, but there are many unknowns about it, and some of us would like to support the tracker we've been using forever. So, we've decided to add http://coppersurfer.tk/ to the list of trackers in our torrents for a couple releases, and then see => #9335.

Non-US keyboard layout selected with Greeter sometimes is not active when logged in

This bug has an easy workaround, it seems that it doesn't affect Tails/Jessie, and it doesn't seem easy to fix. So we decided to simply flag it as resolved in the 4.0 milestone, and add it to known issues for Wheezy (along with the trivial workaround when it happens) if it's not there yet. BitingBird will do the latter (#9336).

Create tickets to track UX regressions caused by AppArmor

Frontdesk sees a lot of user despair that's possibly related to AppArmor, and most importantly, to the fact that no notification tells users that AppArmor is blocking things. OTOH, developers got very very few actionable bug reports on this topic, so it's hard to create useful tickets about it. intrigeri will investigate installing apparmor-notify to provide notifications on AppArmor denials, which should alleviate the most pressing UX problems: #9337.