04:53:29 RRSAgent has joined #dap 04:53:29 logging to https://www.w3.org/2020/10/23-dap-irc 04:53:53 Meeting: Devices and Sensors F2F - Day 2/2 04:54:02 present+ 04:54:12 rrsagent, make log public 04:54:17 rrsagent, make minutes v2 04:54:17 I have made the request to generate https://www.w3.org/2020/10/23-dap-minutes.html xfq 04:57:05 hazel_ has joined #dap 04:58:12 takio has joined #dap 05:00:34 larsgk has joined #dap 05:07:00 present+ 05:07:05 present+ 05:07:31 present + 05:08:06 marcosc has joined #dap 05:08:35 we are in https://mit.zoom.com.cn/j/91237600443?pwd=SjdPOWtRaC8wRkc4ZzU2Q1JjSUFlUT09 05:09:50 s/https://mit.zoom.com.cn/j/91237600443?pwd=SjdPOWtRaC8wRkc4ZzU2Q1JjSUFlUT09/https://mit.zoom.com.cn/ 05:09:53 :) 05:10:17 Mizushima has joined #dap 05:11:16 RRSAgent, make logs public 05:11:18 rrsagent, make minutes v2 05:11:18 I have made the request to generate https://www.w3.org/2020/10/23-dap-minutes.html xfq 05:11:22 Meeting: Devices and Sensors F2F - Day 2/2 05:11:40 RRSAgent, draft minutes v2 05:11:40 I have made the request to generate https://www.w3.org/2020/10/23-dap-minutes.html anssik 05:11:56 Chair: Anssi, Reilly 05:12:00 Agenda: https://github.com/w3c/devicesensors-wg/issues/31 05:12:08 Scribe: reillyg 05:12:29 present+ reillyg 05:12:47 Laura_Morinigo: Samsung SR UK 05:13:01 ... Here to discuss mobile devices and foldables. 05:13:13 Present+ amandy_, Anssi_Kostiainen, Arno Mandy, Eric_Mcobobia, Hazel, Heejin_Chung, Intel Corporation, James_Hollyer, JamesH, Kenneth_Christiansen, Lars_Knudsen, marcosc, Mark_Foltz, Matt_Reynolds, Peter Burrows, Peter_Burrows, Philippe_Le_Hageret, plh, rakuco, reillyg, Satotu_Takagi, scheib, Takio_Yamaoka, tomayac, Tomoaki_Mizushima, xfq, Zoltan_Kis, Laura_Morinigo, Lukasz_Olejnik 05:13:24 TOPIC: Introductions 05:13:38 present+ Sangwhan_Moon 05:13:47 RRSAgent, draft minutes v2 05:13:47 I have made the request to generate https://www.w3.org/2020/10/23-dap-minutes.html anssik 05:14:13 Sangwhan_Moon: TAG Invited Expert (@cynthia on GitHub) 05:14:38 JamesH_ has joined #dap 05:14:49 present+ 05:15:03 TOPIC: Agenda Bashing 05:15:16 https://github.com/w3c/devicesensors-wg/issues/31 05:15:18 -> https://github.com/w3c/devicesensors-wg/issues/31 05:16:36 RG: Shuffle privacy discussions first and then follow with the technical topics which fell off of the agenda from yesterday. 05:16:49 AK: Move WebHID first since it has the most concrete discussion to be had. 05:17:34 Lukasz: I have a specific privacy concern to discuss as well. 05:18:47 Eric has joined #dap 05:19:37 ... The Network Information API seems like a type of sensor which has privacy concerns beyond what is discussed in the Generic Sensors API. 05:22:06 q+ To ask about ALS 05:24:34 RRSAgent, draft minutes v2 05:24:34 I have made the request to generate https://www.w3.org/2020/10/23-dap-minutes.html anssik 05:24:37 q? 05:24:57 q? 05:25:01 ack tomayac 05:25:01 tomayac, you wanted to ask about ALS 05:25:19 ALS = Ambient Light Sensor 05:25:20 TS: I would like to discuss ALS. Where are we today? 05:25:38 s/ALS/Ambient Light Sensor/ 05:26:03 q+ Should we spend a few minutes discussing what are *not* actual privacy issues - but gets a lot of FUD in media/twitter? 05:26:08 q? 05:26:18 q+ Should we spend a few minutes discussing what are *not* actual privacy issues but gets a lot of FUD in media/twitter? 05:26:48 lmorinigo has joined #dap 05:27:26 present+ 05:27:37 present+ 05:27:42 Peter_Burrows has joined #dap 05:27:54 larsgk: Can we discuss non-goals for addressing privacy concerns as these APIs often collect a lot of FUD arguments. 05:28:51 AK: Historically this group started with a much broader and non-browser view of these APIs which didn't focus on privacy and that has given us a bad reputation. 05:29:10 MC: 2012 was a different time. We didn't have the permissions models we do today. 05:29:33 AK: It's not easy to fight the fake news. Let's stay professional and stick to the data. 05:30:41 RG: I think we need to apply common patterns to avoid re-litigating discussions for each API. 05:31:20 q? 05:31:25 AK: We should liaise with the PING and we thank Lukazs for being here today. 05:31:37 TOPIC: Privacy Discussion: WebHID 05:32:17 MR: WebHID is the API for accessing human interface devices. 05:32:23 ... It is shaped very similarly to WebUSB. 05:32:44 -> https://wicg.github.io/webhid/ WebHID API spec 05:32:45 ... human interface devices are typically USB or Bluetooth but are excluded from WebUSB and Web Bluetooth. 05:33:14 ... Keyboards and mice are excluded from WebHID because they are already covered by existing APIs and allowing low-level access would allow for keyloggers and such. 05:33:57 ... Sangwhan raised concerns during the TAG review over the read/write capabilities of the API and the shared access model. 05:34:27 ... The HID protocol allows devices to declare the data they provide in a standardized format. This provides high entropy. 05:34:43 ... Devices may also provide access to data (i.e. serial numbers) which would provide high entropy. 05:34:59 ... The API does not directly provide access to this data. 05:35:01 RRSAgent, draft minutes v2 05:35:01 I have made the request to generate https://www.w3.org/2020/10/23-dap-minutes.html anssik 05:35:02 q? 05:35:51 ... Another concern, the API could be used to change the behavior of the device to cause malicious behavior towards the user or the host the device is connected to. 05:36:46 MS: Any device which allows writing can be used as a side channel and that breaks the same origin model. 05:37:11 q? 05:37:12 ... No ideas for how to mitigate this. Read-only or exclusive access only get you so far. 05:37:47 MR: Existing strategy is providing a blocklist to deny access to known vulnerable devices and to block access to data that looks like keyboard or mouse input. 05:38:03 ... We are building an intake for vendors to propose new blocking rules for their devices. 05:38:29 ... WebUSB and Web Bluetooth have similar blocklists. HID may be more granular than USB because of the report info. 05:38:43 Present+ Keiko_Itakura 05:39:06 Lukasz: Why a blocklist instead of an allowlist? 05:39:07 q+ 05:39:13 q? 05:39:30 MR: There is a long tail of devices. An allowlist couldn't cover enough devices to make the API broadly useful. 05:39:56 MS: Usages to block is being communicated directly to the browser vendors? 05:39:58 MR: Yes. 05:40:47 Lukasz: A blocklist could create a bad impression. 05:40:48 ack scheib 05:41:45 VS: Regarding allow- vs. block-lists. We explored this for WebUSB. That API originally chose an allow-list approach and the community saw many downsides and not many upsides. 05:42:02 RRSAgent, draft minutes v2 05:42:02 I have made the request to generate https://www.w3.org/2020/10/23-dap-minutes.html anssik 05:42:04 q+ to ask about how to make the deny-allow list consistently applied across implementations 05:42:39 q+ to ask about user interface 05:42:44 q? 05:42:53 q+ 05:43:45 I think that's the Medium article @scheib was referring to: https://medium.com/dev-channel/the-webusb-security-model-f48ee04de0ab. 05:44:03 VS: Regarding same-origin policy, APIs such as file access already "violate" the policy and users understand that this violates the model by allowing data to be transmitted between sites if chosen by the user. 05:44:07 scribenick: tomayac 05:44:22 q? 05:44:58 scheib: It's hard to take over a device, there's a picker model, and one that would have to be overcome for multiple origins. 05:45:33 We're solving a computing need on the web, instead of on the native platform, which would be more dangerous. 05:45:36 ack sangwhan 05:45:36 sangwhan, you wanted to ask about how to make the deny-allow list consistently applied across implementations 05:46:00 sangwhan: Would like to know if there's a path forward to make the blocklists and blocked messages shareable across implementations? 05:46:21 reillyg: The block list is part of the repo 05:46:27 It's the plan to share this 05:46:32 q? 05:46:36 ack lukasz 05:46:36 lukasz, you wanted to ask about user interface 05:46:37 sangwhan: Sounds reasonable 05:46:53 lukasz I see that the spec is very closely related to WebUSB 05:47:10 I wonder how the process of connecting to the device look like? 05:47:13 A picker? 05:47:46 For hubs(?) you would need to reassure a better reception 05:48:02 Does the spec define the UI 05:48:21 ...improve the reputation 05:48:42 mattreynolds The current implementation uses the same picker model 05:48:51 q+ 05:48:59 ...We can probably take some lessons from WebUSB and apply them 05:49:07 q+ 05:49:08 q? 05:49:17 ack reillyg 05:49:49 q+ to ask if exclusive access can be mandated by the spec 05:50:02 reillyg: The SOP aspect of this and the existenmce of the picker model brings this out of the SOP, it's the user bringing the decvice to the page and making it interact with it. 05:50:15 s/existenmce/existence/ 05:50:27 s/decvice/device/ 05:51:00 ...in terms of bringing in WebUSB lessons, the article that I wrote, I spec'ed browsers should announce to the browser that there is a device that accompanies it 05:51:13 ...so sort of bringing the SOP to this 05:51:39 ...even for device vendors interested in this, they were reluctant, since updating devices in the field is hard 05:51:47 ...so it was hard to make progress 05:52:03 q? 05:52:04 ...therefore we came up with vendors registering in the allowlist 05:52:14 ...we are reasonable comfortable to accept blocklists 05:52:30 ...like this device gives everyone access to your bitcoin 05:52:43 ...we need to validate that the site owns a device 05:53:01 ...the third aspect was (feedback from Mozilla or marcosc) 05:53:11 ...it runs counter to open development and innovation 05:53:23 ...once the vendor goes out of business, the device is lsot 05:53:32 ...so we moved to another model. 05:53:42 ...(see my article) 05:53:54 ...Web Bluetooth didn't have this at the time 05:54:09 ...so I felt bad about it for a while for Web Bluetooth being less secure 05:54:13 ...but I was wrong 05:54:23 ...The change was difficult to make. 05:54:35 ...since we opened ourselves to more vectors of attack 05:54:46 ...Can the user make security decisions with a picker 05:55:04 ...that's why we still have the blocklist and a way to inform other vendors of this list 05:55:12 ...we also have security key tokens 05:55:30 q? 05:55:38 ...but that attack was never used in the wild, but a security researcher found it and reported it 05:55:49 q? 05:55:55 ...but there are, apart from the security keys, no other devices on the block list. 05:55:57 ack JamesH_ 05:56:09 JamesH: I like what reillyg said 05:56:27 ...There should be something in the spec saying that there should be a picker 05:56:40 q+ to ask about user awareness and intentionally malicious devices 05:56:44 ...sounds like lukasz would be a good person to do this 05:56:49 q? 05:57:00 ...I feel like that this is the case, but I don't have data 05:57:11 ack lukasz 05:57:11 lukasz, you wanted to ask about user awareness and intentionally malicious devices 05:57:35 anssik: lukasz, do you have research on pickers? 05:57:48 lukasz: Thanks for the explanations, reillyg. 05:58:04 ...sorry for disrupting this a bit. We all have pickers and SOP. 05:58:17 ...It's unclear if users understand SOP. 05:58:29 ...It should be designed well from the ground up. 05:59:08 ...Did you consider, as another attack scenario, malicious devices being distributed to users, like thousands, that advertise a software that makes browsing bank sites more secure 05:59:22 ...when users connect such a device, unlikely, but let's assume. 05:59:46 ...Can we assume users will understand the risk. 06:00:04 q? 06:00:04 ...So maybe allowlists would be better suited. 06:00:35 reillyg: The attacks that we consider are attacks by a site on a device causes it to be malicious on its own 06:00:52 ...for example, a site takes a device and pokes the user in the eye 06:01:03 ...if the user can be convinced to connect a device 06:01:18 ...that device already can do a looot of things without the browser 06:01:41 ...The distribution of such a device doesn't change the attack vector from a UA point of view 06:01:43 q? 06:02:00 lukasz: HID and Web USB would not change anything? 06:02:04 reillyg: Correct 06:02:12 lukasz: Would not make anything easier? 06:02:15 reillyg: No 06:02:30 anssik: Wanted to come back on picker UI research? 06:02:46 anssik: It's the same model as used by file pickers 06:03:17 marcosc: It's context driven for files 06:03:29 ...So pickers are closely connected mentally 06:03:35 ...unlike with device pickers 06:03:55 ...it becomes ridiculous to ask for research on the research 06:04:06 anssik: otherwise it becomes opinion 06:04:08 q? 06:04:25 marcosc: W eknow the attacks take place. If something hasn't been hacked today means it'll be hacked tomorrow 06:04:41 ...plugging in things that were never designed for the web is dangerous 06:04:55 ...like raw sockets, if you connect a random printer it could do bad things 06:05:02 ...we've seen those attacks 06:05:25 ...concrete example: the US attacking Iranian centrifuges over USB 06:05:31 ...These cases exist 06:05:33 ack larsgk 06:05:49 larsgk: Huge Web USB and WebHID fan 06:06:06 ....WebHID can connect to Corsair keyboards 06:06:21 Related article from a Chrome security member discussing permissions https://emilymstark.com/2020/07/14/debunking-the-users-always-click-yes-myth.html 06:06:21 q? 06:06:25 ...I can store colors, right. There's a chance someone may not understand this. 06:06:48 ...we can consider if it makes sense to use a token based model, even if it means extra work 06:07:01 anssi: Let's flush the queue 06:07:01 ack sangwhan 06:07:01 sangwhan, you wanted to ask if exclusive access can be mandated by the spec 06:07:36 qq+ 06:07:37 sangwhan Question plus suggestion: the current spec allows multiple origins to access. Is there a particular use case when you designed it this way? Could it be restricted to a single tab? 06:08:03 mattreynolds Would be possible, but might make the API harder 06:08:40 ...The use cases for multiple tabs were: you might want to draw a picture of gamepad interaction in different tabs. Streamers use this to show gamepad state while playing 06:08:55 ...Or lights used as a notification from multiple sources 06:08:55 q? 06:09:14 ack JamesH_ 06:09:14 JamesH_, you wanted to react to sangwhan 06:09:44 q? 06:09:49 JamesH: Espruino devices have a serial port. I connect to it from different tabs. One for flashing, one for interacting with the flashed code. Doesn't work for Web USB 06:10:00 sangwhan This are same origins? 06:10:18 mattreynolds Not necessarily. Could be stadia.com and gamepadviewer.com 06:10:31 anssik: We're getting close to the break. Resolutiuon? 06:10:57 reillyg: The concerns I'm hearing: general question of malicious devices 06:11:23 ...and I hear a concern about users understanding the impact of connecting devices, with SOP, but also general trust 06:11:33 ...we covered allow and block lists 06:11:44 ...We discussed this and answered questions 06:11:58 anssik: User studies would be much welcome 06:12:09 ...Does Google have resources? 06:12:17 reillyg: We've studied permissions in general 06:12:31 ...our experience with these APIs has been limited enough. 06:12:52 ...we're seeing developers build interesting things. But not enough to require a deep study 06:13:08 anssik We have some university members in the group who are interested 06:13:21 ...maryam (?) and (?name) 06:13:39 JamesH: We have a note about using the picker 06:13:59 reillyg: The spec provides some language to use about the question to ask 06:14:24 anssik: Can you formulate a resolution? 06:14:36 s/maryam/Maryam Mehrnezhad 06:14:41 reillyg Want to make sure this is productive for sangwhan and help the TAG. 06:14:50 q 06:14:51 s/name/Ehsan Toreini 06:14:55 q? 06:14:58 sangwhan: I have to ask other questions through GitHub. Thanks! 06:15:31 scheib: There's enough appreciation for raising concerns. But also important to understand what it takes for a user to get a task done. 06:16:01 ...Our goal is to make the interaction easy. We know users happily install high priviilege software. 06:16:09 RRSAgent, draft minutes v2 06:16:09 I have made the request to generate https://www.w3.org/2020/10/23-dap-minutes.html anssik 06:16:23 ...Web Bluetooth and WebHID lower this risk, but are still somewaht risky. 06:16:34 q? 06:16:39 ...Definitely more secure than installing native programs 06:16:52 ...of larger range of permission and of longer time. Need to find a balance. 06:17:00 anssik: Let's break with this. 06:17:05 [break] 06:19:13 reillyg6 has joined #dap 06:31:28 scribenick: Anssi 06:32:01 Topic: Privacy Discussion: Ambient Light Sensor 06:32:48 reillyg: the ALS API looks for more interest to move forward 06:33:24 ... in Chromium we implemented mitigation to too much data exposed limiting the brightness interval to 50 lux, so can defer whether the user is in a dark room or a light room 06:33:46 ... use cases include identifying is the conditions are good for taking a photo etc. 06:33:59 Another use case is the maps one: you drive through a tunnel during the day, and the map would switch to dark mode temporarily 06:34:24 ... in the context of Orientation Sensor we discussed data precision and fingerprinting last year 06:35:02 ... Chromium implements mitigations for that spec, bugs filed for Firefox and not sure what is the Safari's status 06:35:29 ... reason for not shipping yet is not enough people asking for it to make a decision to ship -- the current state is good, we could ship it as is 06:36:02 ... use cases for ALS with camera may need more precise readings, maybe we can provide more precision if camera permission granted alongside 06:36:44 -> https://bugs.chromium.org/p/chromium/issues/detail?id=606766 ALS crbug 06:37:01 maybe: https://bugzilla.mozilla.org/show_bug.cgi?id=1057185 bugzilla bug? 06:37:33 anssik: what could be done to help this API ship? 06:37:45 I wrote a small assessment of the ambient light sensors privacy design https://blog.lukaszolejnik.com/shedding-light-on-designing-web-features-with-privacy-risks-impact-assessments-case-study/ including with a paper (linked inside) 06:37:55 lauram has joined #dap 06:37:57 (if anyone finds this of interest) 06:38:14 reillyg: the API is available behind a flag and when developers have increased interest in it, we look into shipping 06:38:16 q+ 06:38:24 ack marcosc 06:38:52 marcosc: reillyg mentioned use cases, given the current state of the world and how the cameras are used in the world 06:39:13 I don't see an origin trial for ALS. 06:39:27 ... on the iPhone you can adjust the brightness when taking the picture? 06:40:11 reillyg: clarifying the use case, developer to get absolute signal for exposure so instructions can be provided to the user "please turn on the light" or "go outside" 06:40:30 ... there's another use case to do facial recognition and use ALS to assist the user to fix lightning conditions 06:40:33 q? 06:40:57 kenchris has joined #dap 06:40:57 tomayac: another use case, drive through tunnel and it becomes dark, when you leave the tunnel switch back 06:40:59 q? 06:41:00 q+ 06:41:10 ... this should a reasonable use case 06:41:19 q+ to say, darkmode is OS controlled 06:41:28 ... discussion on prefers color scheme etc. but this is a temporary situation 06:41:44 reillyg: ambient light level signal could be exposed through CSS to complement the API 06:41:48 q? 06:42:00 https://github.com/w3c/csswg-drafts/issues/5359 06:43:00 Anssi: there are use cases for having both JS API and CSS feature for ALS 06:43:23 tomayac: there are some customer requests for ALS 06:43:42 Rafael: iProof company is very interested in this API 06:43:51 s/Rafael/Raphael/ 06:43:54 s/iProof/iProov/ 06:44:15 reillyg: as with the dark more, there's a bit of developer trendiness issue, if we make light level reactive sites trending more sites might take advantage of this 06:44:16 q? 06:44:25 ack larsgk 06:45:00 Lars: we have a very concrete need for this with shipping, avoiding the people to get blinded using ALS 06:45:08 q? 06:45:46 We ack Mandy Michael's demo https://www.youtube.com/watch?v=ivz1hdAhJmE&ab_channel=MandyMichael 06:45:57 reillyg: there's a question how reactive this API should be, there's signal from the environment (what's the lightning like) and from the user (use dark mode) 06:46:14 s/lightning/lighting/ 06:46:25 q? 06:46:26 ack marcosc 06:46:26 marcosc, you wanted to say, darkmode is OS controlled 06:46:56 marcosc: dark more being both OS and user controlled is important 06:47:16 ... on macOS it switched dark mode based on sunset 06:47:26 ... it is about the balance 06:47:31 q? 06:47:46 Two nice demos: https://codepen.io/arnofiva/pen/VJjxRZ and https://variablefonts.dev/posts/light-sensor-demo/ 06:48:21 -> https://w3c.github.io/ambient-light/#usecases-requirements ALS use cases 06:52:04 -> https://w3c.github.io/ambient-light/#security-and-privacy ALS Security and Privacy consideration 06:52:27 relevant gecko bugs https://bugzilla.mozilla.org/show_bug.cgi?id=1359076 - AmbientSensor was removed from Gecko 06:52:40 sangwhan: curious if the 50 lux stepping should be tracked in a GH issue to make it normative 06:53:49 q+ to say, should we consider implementer interest? 06:54:02 ack marcosc 06:54:02 marcosc, you wanted to say, should we consider implementer interest? 06:54:06 q+ normative aspects of 50 lux recommendation 06:54:24 q? 06:54:30 q+ to say about normative aspects of 50 lux recommendation 06:54:48 reillyg: we set developer interest first, implementer interest second 06:56:39 q+ are enterprises counted as 1 developer? (dev need counting) 06:57:15 q? 06:57:50 q+ larsgk 06:57:58 q? 06:59:48 q? 06:59:57 ack lukasz 06:59:57 lukasz, you wanted to say about normative aspects of 50 lux recommendation 07:00:06 MC: agree with everything reillyg said 07:00:57 Lukasz: perhaps 50 lux cap should be specified in a way it is normative, but just want to point out it might be a rare example security and privacy consideration become normative? 07:01:29 q? 07:01:33 ack larsgk 07:01:49 rrsagent, draft minutes 07:01:49 I have made the request to generate https://www.w3.org/2020/10/23-dap-minutes.html sangwhan 07:02:30 Lars: traditional enterprises migrate tools to the web, it is dangerous if browser vendors only consider vocal developers who are well known, new domains do not have as strong voices in the process of making standards 07:03:06 reillyg: with Thomas we talk to many enterprise developers so we're aware of this, we agree with you that enterprises do work more behind closed doors 07:05:35 +1 07:05:39 RESOLUTION: Continue monitoring ALS API developer interest. Encourage developers the experiment with existing prototypes. 07:06:16 s/RESOLUTION: Continue monitoring ALS API developer interest. Encourage developers the experiment with existing prototypes.// 07:07:15 +1 07:07:21 RESOLUTION: Continue monitoring ALS API developer interest and work with more browser vendors. Encourage developers to experiment with existing prototypes. 07:07:28 RRSAgent, draft minutes v2 07:07:28 I have made the request to generate https://www.w3.org/2020/10/23-dap-minutes.html anssik 07:08:05 Topic: Privacy Discussion: Network Information API 07:08:43 -> https://lists.w3.org/Archives/Public/public-device-apis/2020Oct/0004.html DAS WG and Web Perf WG collaboration opportunity 07:08:55 reillyg: when you raised this topic you mentioned couple of topics 07:10:04 ... all the fields in the current proposed spec, as resolved yesterday, we are interested in collaboration with Web Perf WG on aspects that have to do with the signal about saving data or metered connection info 07:10:21 ... other signals may provide more info than the site needs or poorly specified 07:10:47 ... looking at the current users of the API, we ask, what those more problematic fields in the API are and could they be deprecated? 07:11:06 ... moving forward we'd focus on this privacy-preserving subset and better specify other parts of the API 07:11:08 q? 07:11:21 The Web & Networks Interest Group is also exploring this topic: https://www.w3.org/wiki/Network_Quality_Monitoring_and_Prediction 07:11:40 -> https://www.w3.org/2020/10/22-dap-minutes.html#t04 DAS WG F2F Day 1 minutes 07:12:37 +q to ask about aptness of generic sensors considerations as applied to NIA 07:13:16 Lukasz: ack lukasz 07:15:22 Lukasz: the actual API differs from the other specifications in this group, it is unclear if the Generic Sensors considerations could be casted on the Netinfo API 07:15:44 -> https://w3c.github.io/sensors/#security-and-privacy Generic Sensor API S&P Considerations 07:16:09 Lukasz: when the user is roaming, you expect these changes to happen often, an event might fire quite often(?) 07:16:15 ... could allow profiling the user 07:16:37 ... re RTT, I don't fully understand the semantics, is it RTT of the base station? 07:16:43 q? 07:16:47 ack lukasz 07:16:47 lukasz, you wanted to ask about aptness of generic sensors considerations as applied to NIA 07:17:36 -> https://wicg.github.io/netinfo/#rtt-attribute RTT attribute 07:17:49 reillyg: RTT might not survive the refactor of the spec 07:18:05 ... marcos feedback was that Firefox has difficulty in implementing RTT 07:18:13 MC: nit, EffectiveConnectionType is hard 07:18:26 s/RTT/EffectiveConnectionType 07:19:07 reillyg: we're reduce the spec to "save data" and "on metered connection" signals 07:19:19 Lukasz: is there a way to get rid of the RTT 07:19:47 q+ 07:19:57 q- 07:19:59 Lukasz: maybe too premature to assess privacy of this API at this point? 07:20:18 reillyg: privacy experts should engaged when we possibly refactor this spec 07:20:24 s/should/should be 07:21:01 q? 07:21:19 marcos: without interest, it likely won't be edited 07:21:44 ... these issues are in the Netinfo API tracker on GH, I'm not expecting any work to happen unless DAS WG wants to take this work on 07:22:47 q? 07:23:01 sangwhan: curious how this ties into the network goodness hints that WebRTC has, and also hints one can pull out of adaptive streaming (e.g. DASH) - feels like there are three places where this information can be retrieved, all probably in different formats 07:23:52 reillyg: that level of information is in WebRTC and should stay there and we don't want to duplicate that in the context of the Netinfo API 07:24:35 sangwhan: I'm interesting in non-WebRTC use cases then? 07:24:55 reillyg: use case is for the user to express to the site the user is on metered connection 07:25:05 ... this is about expressing a preference for low data usage 07:25:29 ... the use cases have not been updated as the scope of the API shifted 07:25:33 So summarized - the "I'm not on wifi" API 07:25:50 ... the first order biz would be to update the use cases to match the revised scope 07:27:09 reillyg: the proposed refactor of the Netinfo API is to provide a signal "I'm on WiFi that is free and unlimited" 07:27:36 RRSAgent, draft minutes v2 07:27:36 I have made the request to generate https://www.w3.org/2020/10/23-dap-minutes.html anssik 07:29:26 +1 07:29:37 +1 07:29:45 +1 07:29:52 +1 07:30:09 (I've already provided some preliminary points) 07:32:32 RESOLUTION: Engage with privacy experts in the proposed refactor of the Network Information API, figure out coordination between DAS, WebPerf, and WICG; and possible standards track adoption at a later stage 07:32:54 RRSAgent, draft minutes v2 07:32:54 I have made the request to generate https://www.w3.org/2020/10/23-dap-minutes.html anssik 07:33:17 Topic: Test automation 07:33:24 scribenick: tomayac 07:33:55 reillyg: There was a question raised on specifying test automation 07:34:03 ...one was to use webdriver 07:34:32 ...the other was take the approach of Web XR to make a full Web API available for testing purposes. 07:34:42 ...I have opinions. 07:35:12 ...There are two audiences: 1: us as web platform community. This audience is interested in testing if the impl is correct. 07:35:34 2: web developers, who are interested if their sites work correctly. 07:35:46 ...sometimes these interests align, sometimes not. 07:36:24 ...If there is a sensor that is expressing a certain value, implementors want to make sure it goes through correctly. 07:36:37 ...whereas developers just want to know if their site behaves correctly. 07:36:56 ...The Web USB testing API is capable of emulating certain device conditions and signals. 07:37:08 ...If you're a developer writing a site, you might not need much of this infra. 07:37:19 ...You can just mock out the entire browser APIs. 07:37:33 RRSAgent, draft minutes v2 07:37:33 I have made the request to generate https://www.w3.org/2020/10/23-dap-minutes.html anssik 07:37:38 ...You can test if your site behaves properly, maybe even outside of the browser through unit tests. 07:37:47 ...Browser automation is different. 07:38:01 ...You probably want to loop in real devices, and detect the presence of devices. 07:38:16 ...Without any kind of permission UI so it can be scripted. 07:38:34 ...Implementors care about pretending devices. 07:38:58 ...When we define webdriver extensions, it's the thing developers use when they need a browser involved. 07:39:09 ...Those are the kinds of things I'd need to consider. 07:39:41 ...Defining a test-only API targeted to web platform tests, and another targeted to developers: both might make sense. 07:39:52 ...This would be orthogonal to the existing testing API. 07:40:34 ...To a certain degree none of this matters, the goal is to provide an automation API, if it's shaped like web driver or something else, no matter 07:40:41 ...People can use it either way 07:40:52 q+ 07:41:13 marcosc: Just wanted to say that's great. But need to balance the resources of the WG. 07:41:31 ...If it doesn't serve the purpose of interop, I'm not sure it should be focus of the group. 07:42:05 ...Sending the permissions API through webdriver might make sense, but, striking that balance is additional work. 07:42:16 reillyg: Maybe I misunderstand you. 07:42:39 ...Disagree. Developer infra is important for interop 07:42:53 ...If we have a way for developers to test at all, it should be interoperable. 07:43:03 ...There is a W3C group that owns that 07:43:11 It's good for developers to have them. 07:43:21 marcosc: My question is if _we_ design those 07:43:31 ...Or working with another community. 07:43:48 ...Like "click this button", etc. (describes the flow) 07:43:59 reillyg: If you want it done, you gotta do it yourself 07:44:17 ...I got a lot of stars on the bugs for adding it 07:44:42 The question is: should it be a default, so all specs need to come with one. Or write it later when developers ask for it? 07:44:59 marcosc: Agree. Then the question becomes to which APIs we add this. 07:45:15 ...If there's a strong case coming from developers if it would help, we should add it. 07:45:32 reillyg: Ironically currently there is just an ad-hoc testing impl. 07:45:52 ...The interesting thing is that we have refactored the entire architecture of the device orientation API. 07:46:02 ...This uses the same infra as generic sensors. 07:46:18 ...But currently there are no WPT tests. 07:46:38 ...This raises the question how to, in an ionteroperable way, to express this. 07:47:06 scheib: I have a humble opinion when to do the impl work for the webdriver tests 07:47:38 ...It's faster to start early. 07:47:48 ...Sometimes there's churn in what we need. 07:47:55 ...There is an upfront cost. 07:48:45 reillyg: It's easier to say there's this API, rather than having certain endpoints APIs need to specify. 07:49:11 scheib: It priotizes to have implementeations of tests for multiple purposes. 07:49:32 reillyg: It took us forever to get testdriver.click. Why was that? It's ridiculous. 07:49:47 ...Someone maybe back in the 90ies should have thought about this. 07:50:34 marcosc: To reillyg's points> scheib said including tests as we specify tests 07:51:04 ...is hard 07:51:15 reillyg: Do we want to wrap up with a resolution? 07:51:19 MC: add tests as you specify 07:51:35 reillyg: Like webdriver not formally required 07:52:15 Rafael: reillyg's summary is a fair summary of the status quo 07:52:25 ...there is no conclusion either 07:52:35 ...there is interest in reaching a common ground. 07:52:54 ...It's hard to commit to a stable webdriver impl if your spec is in early stage 07:53:11 RRSAgent, draft minutes v2 07:53:11 I have made the request to generate https://www.w3.org/2020/10/23-dap-minutes.html anssik 07:53:13 ...this should work with Web Bluetooth and -USB 07:53:25 reillyg: I complained last year in the testing WG that it's hard 07:53:48 reillyg It might make sense to start with something less formal, that then converges into something more formal. 07:53:57 ...Having webdriver hooks is a sign of a stable impl. 07:54:18 s/Rafael/Raphael/ 07:54:20 Raphael: Currently there is no process for moving to a formal model 07:54:50 reillyg: Yeah. There has been an effort, so these tests should work outside of the Chromium CI now. 07:55:18 ...At least documenting the APIs should be given. Just uploading the tests without docs wasn't good. 07:55:27 ...WebXR may have done a similar thing. 07:55:53 ...Maybe we want a policy: to have a certain amount of documentation that explains how it works and what the expectations are 07:56:07 anssik: I let reillyg converge on a resolution 07:56:33 reillyg: Starting with my initial idea: testing should be given. We have it in our charter 07:56:41 ...And we need to define a process 07:57:07 ...Webdriver tests. And what counts as a truly interoperable way? 07:57:41 Raphael: Is the goal to make spec writer do this? 07:58:02 marcosc: That's a good point. Wondering if we have the expertise to do this. 07:58:13 Raphael: At least as we did for generic sensors. 07:58:24 marcosc: Who did Generic Sensors? 07:58:36 Raphael: A colleague at Intel 07:58:53 anssik The specs are now back in WD stage 07:59:03 marcosc: If we have the know-how that is great 07:59:33 reillyg: This was my exact complaint. In my attempt, I searched around, and it was hard. 07:59:34 -> https://w3c.github.io/sensors/#automation Generic Sensor API - Web Driver extensions 07:59:53 ...Maybe there is some more infra work that needs to be done. 08:00:03 ...Specifying a webdriver extension isn't that hard. 08:00:07 -> https://w3c.github.io/ambient-light/#automation Ambient Light Sensor - Web Driver extensions 08:00:31 marcosc: If we have the resources to do this ourselves, that's great 08:00:41 anssik: Dropped a number of links 08:00:54 marcosc: The spec part is easy, the impl is harder in C++ etc., 08:01:04 anssik: What reillyg said isn't documented 08:01:49 Raphael Have reached some experience with that. It's complicated, and in addition, one would also need to implement the driver and spec it with the WPT community. It's a lot of work. 08:02:24 reillyg This was my complaint. Was then told that it's not that hard by someone from Chromium. 08:02:37 Raphael: Talking about the WPT meeting? 08:02:47 reillyg Talking about the Testing and Tools meeting 08:02:57 reillyg: Talking about the proposed resolution 08:03:28 +1 08:03:29 +1 08:03:47 RESOLUTION: Developing tests in parallel to specifications is best practice. The WG should develop a policy on when to consider specifying Web Driver extensions and a policy for the level of formal specification of test-only APIs before they can be used in Web Platform Tests. 08:03:54 +1 08:03:56 RRSAgent, draft minutes v2 08:03:56 I have made the request to generate https://www.w3.org/2020/10/23-dap-minutes.html anssik 08:05:43 TOPIC: Adjourn 08:06:20 scribenick: anssik 08:06:37 Eric: to join the group http://www.w3.org/2004/01/pp-impl/43696/join 08:06:50 s/Eric:/Eric, 08:07:04 Anssi: Thank you all for participating! Thank you scribes, speakers, we'll follow up with possible another F2F in not so distant future. 08:07:17 🎉🎉🎉 08:08:00 ah, thanks for reminding me 08:08:19 RRSAgent, draft minutes v2 08:08:19 I have made the request to generate https://www.w3.org/2020/10/23-dap-minutes.html anssik 09:14:02 xfq has joined #dap 09:41:40 Zakim has left #dap