<div dir="ltr">Collecting basic information about when rules are used should be no worse than collecting basic information about when certificates are observed, via the SSL Observatory.<br><div><div class="gmail_extra"><br>
</div><div class="gmail_extra">If only a small number of users ever visit sites covered by a particular ruleset, and a large proportion (but still a small number) of those users disable the ruleset, can we detect this?<br>
</div><div class="gmail_extra"><br></div><div class="gmail_extra">I’m still concerned about the other part of my message. Right now, it seems that, to review a ruleset properly, there are at least four places that I need to check:<br>
<br></div><div class="gmail_extra">1. Mailing list archives<br></div><div class="gmail_extra">2. <a href="http://trac.torproject.org">trac.torproject.org</a> bug tracker<br></div><div class="gmail_extra">3. Github bug tracker<br>
</div><div class="gmail_extra">4. Git (to find out the history of the ruleset, especially if I’m using a stable release but want to account for ruleset changes in the development branch)<br></div><div class="gmail_extra">
<br></div><div class="gmail_extra">If we want to move rules to the stable branch when they have been sufficiently tested with no problems, we need to know whether they have had problems.<br></div><div class="gmail_extra">
<br clear="all"></div><div class="gmail_extra"><div><div dir="ltr"><div>--<br>Brian Drake<br><br>All content created by me: <a href="http://www.wipo.int/treaties/en/ip/berne/trtdocs_wo001.html" target="_blank">Copyright</a> © 2014 Brian Drake. All rights reserved.<br>
</div></div></div>
<br><div class="gmail_quote">On Tue, Jan 14, 2014 at 0536 (UTC), Yan Zhu <span dir="ltr"><<a href="mailto:yan@eff.org" target="_blank">yan@eff.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA512<br>
<br>
<br>
<br>
</div><div class="im">On 01/13/2014 09:18 PM, Drake, Brian wrote:<br>
> Maybe people could opt-in to … is this where we would say<br>
> “telemetry”? We could collect information about how much the rules<br>
> actually get used, as well as things like redirect loops, to try to<br>
> determine if a rule has been tested enough with no problems being<br>
> found.<br>
<br>
</div>This is theoretically a good idea, except in practice there are some<br>
obstacles:<br>
<br>
1. Stuff like automatically detecting when a page appears "broken" or<br>
even just Javascript redirects is really, really hard. People have<br>
tried using metrics like the Levenshtein distance between the DOM tree<br>
of the HTTP and HTTPS sites, but nothing so far really works.<br>
<br>
2. Given that automatically detecting breakage is tricky, it seems<br>
that one of our best ways to figure out when something breaks is to<br>
see how often users disable certain rules. This is hopefully going to<br>
get merged soon (see other thread).<br>
<br>
3. Info like "how often a rule gets used" is hard to collect safely,<br>
in the sense that collecting enough of it tends to inadvertently<br>
create the risk of deanonymizing users. EFF tries as hard as it can<br>
not to collect and store fingerprintable data on its servers. :)<br>
<div class="im"><br>
><br>
> What we desperately need as well is an easy way to find any issues<br>
> already reported with a ruleset.<br>
><br>
> For example, I when I was working on <a href="http://boohoo.com" target="_blank">boohoo.com</a><br>
</div>> <<a href="http://boohoo.com" target="_blank">http://boohoo.com</a>>, I found many rulesets in the development<br>
<div class="im">> branch (but not yet in stable) that were relevant, carefully<br>
> checked the rules in them, and found many issues [1]. But since I<br>
> am not familiar with any of those domains, I might have missed<br>
> something. Or I might have reported issues that were already known.<br>
> I have no idea.<br>
><br>
> [1]<br>
> <a href="https://lists.eff.org/pipermail/https-everywhere-rules/2014-January/001792.html" target="_blank">https://lists.eff.org/pipermail/https-everywhere-rules/2014-January/001792.html</a><br>
><br>
> -- Brian Drake<br>
><br>
> All content created by me: Copyright<br>
</div>> <<a href="http://www.wipo.int/treaties/en/ip/berne/trtdocs_wo001.html" target="_blank">http://www.wipo.int/treaties/en/ip/berne/trtdocs_wo001.html</a>> ©<br>
<div class="im">> 2014 Brian Drake. All rights reserved.<br>
><br>
> On Tue, Jan 14, 2014 at 0435 (UTC), Yan Zhu <<a href="mailto:yan@eff.org">yan@eff.org</a><br>
</div><div class="im">> <mailto:<a href="mailto:yan@eff.org">yan@eff.org</a>>> wrote:<br>
><br>
><br>
><br>
> On 01/13/2014 06:29 PM, Drake, Brian wrote:<br>
>> What is the process for moving a ruleset from the development<br>
>> branch to the stable branch?<br>
><br>
> Thank you thank you thank you for asking that question. I opened a<br>
> ticket for this exact problem a few weeks ago:<br>
> <a href="https://trac.torproject.org/projects/tor/ticket/10310" target="_blank">https://trac.torproject.org/projects/tor/ticket/10310</a><br>
><br>
> Right now, the answer is "when yan or peter thinks it's important<br>
> and probably been tested enough." I'll also merge something from<br>
> dev to stable if someone pokes me about it specifically (ex: in the<br>
> case of the stackexchange rule, since that was a blocker for Tor<br>
> launching their own stackexchange site).<br>
><br>
> Anyway, whoever works on that ticket linked above gets my undying<br>
> love.<br>
><br>
</div><div class="im">> -Yan<br>
><br>
><br>
><br>
<br>
- --<br>
Yan Zhu <a href="mailto:yan@eff.org">yan@eff.org</a><br>
Technologist Tel <a href="tel:%2B1%20415%20436%209333%20x134" value="+14154369333">+1 415 436 9333 x134</a><br>
Electronic Frontier Foundation Fax <a href="tel:%2B1%20415%20436%209993" value="+14154369993">+1 415 436 9993</a><br>
-----BEGIN PGP SIGNATURE-----<br>
<br>
</div>iQEcBAEBCgAGBQJS1MzKAAoJENC7YDZD/dnsrVgIALQQwOl7I5H2zB4DzwT+X9Rq<br>
3D5NhDK0217Bq9PWxV3tMCNNYQ4AG6BzXFHX9sugNi90s32xEtSmV4sVSJ0TLA7o<br>
1JLJkZnmGo6UtXltZQpzIcV3Sd0NePqFigQuHH4nclAQ7QK4F9TuXdG3GsmUVbIZ<br>
3MUcyd/YLoYqQv5N4yxSxU0SH1drDPTqPX62T9qhsOQvakMFogpTLysLfkI3SNd3<br>
CQC8qHGrDBSyzfiuiHrihc2eSjIDEBS2Hs0rx7L65/4GkCNcs9Q4XVRwCgeoieQd<br>
/gdECzjjMr5brXn0QWk9G3s7XRWYAn+bGMnERg2kAKnnhwO8aYtlvXSXBNyil9U=<br>
=YEuN<br>
-----END PGP SIGNATURE-----<br>
</blockquote></div></div></div></div>