
Sprint Planning Meeting 2022 01 19

Erik Moeller edited this page Jan 19, 2022 · 1 revision

Sprint Planning Meeting, SecureDrop, 2022-01-19

Sprint timeframe: Mid-Day (PST) 2022-01-19 to Mid-Day (PST) 2022-02-02

1) Previous sprint priorities
  • Complete a time-boxed Qubes 4.1 RC3+ compatibility spike

Status: https://github.com/freedomofpress/securedrop-workstation/pull/751

There's an experimental branch that Conor and Michael have been working on. Ultimately the diff is relatively small: changes to how the template is installed and to RPC policies. The branch uses the new 5.0 format; we could also use the same format as before. Some other cleanup is required.

You can install now using make dev on 4.1. Old repo still works but qvm-template tool isn't entirely happy - to properly support it we should create a template repo.

  • Complete upgrade of Flask and associated requirements

Status: Mostly there, one dependency review & manual testing pending.

  • Get "Download conversation" feature for SecureDrop Client to "Ready for review"

Status: Functionally working including some "nice to have". You can "download all" via menu / shortcut. Optimizing parts of the code / test failures; formal review pending.

Other accomplishments:

  • (Infra) docs.securedrop.org now self-hosted
  • HOTP validation fixes landed
  • Source deletion speedup landed
  • Tor packages updated (in test repo, not in prod yet)
  • Orientation sessions: Threat modeling, release process
  • Dependency updates (pillow, https-e)
  • Dev env podman support
  • SD client i18n tooling cleanup
  • SD client release process more clearly documented
  • Ready for review: T14 docs (intermediate notes in Confluence INFRA); DB session mgmt improvements
  • Ongoing review: Deleted user mgmt changes; JI accessibility changes; preflight updater error handling
  • A pile of new screenshots

2) Retrospective

What worked well:

  • Steady orientation rhythm! Feels good to rotate presentations around the team, dish out some good ol' knowledge transfer +1+1+1+1+1+1
    • Really enjoying cross-FPF 1:1s too as a kind of relational orientation. +1
  • lightning talks (in their infancy) on sdw are nice +1+1
  • Continued progress on hiring front! +1
  • Nice to see voluntary/discretionary review feedback from folks unassigned but interested.
  • Qubes tooling being developed by the team
  • Docker env plus documentation plus tests made it really easy to write database migrations

What can be improved:

  • (cfm) First stint of security triage: glad to do, and my cadence had me miss the one thing that came in towards the end of (my) last week until Erik flagged it. --> How do we want to rotate this responsibility? +1 thanks for volunteering; I suggest handover at sprint-planning is reasonable

    • Looks like some Gitter communications too: should this triage/response role be more general?
  • Leverage Qubes direct-dial more often. A lot of the 4.1 debugging maybe could have been a quick question to Marek & team. We had conversations about this, and about being mindful of the Qubes team's issue backlog/prioritizing

  • Qubes troubleshooting is time-consuming/the same Qubes experts end up responding to pings in addition to their original workload +1

  • Better engagement with research community. Some folks have reached out with interesting ideas, and follow-up can be sketchy

What's still a puzzle:

  • Cory: you mentioned a tool to synchronize git repos en masse; can you re-share that?

  • Still figuring out best way to run tests locally (slow) vs letting CI run them (a bit spammy for everyone else)

    • can isolate tests with bin/dev-shell bin/run-test <pytest stuff here>, either by file or by class matches
  • Note that pushing up a branch alone is sufficient to see CI results

3) Key dates and time commitments

  • Erik and Conor alternating 4*8+PTO / 4*10, always off Fridays
  • Allie still on 3*10, Mo-Wed
  • Gonzalo still on 3*8, Mo-Wed
  • Ro still Mo-Thu, ~8-10 per day
  • Cory 4*~10 Mon–Thu
  • Giulio TBD, ~10-15 hours/week

2022-01-25: (Tentative) SecureDrop Client QA begins
2022-01-26: Australia holiday
2022-02-01: (Tentative) SecureDrop Client Release
2022-02-01: SecureDrop 2.2.0 QA period begins
2022-02-01 - 2021-02-13: cfm offline; sorry to miss QA :-( (will still attend all-staff &c.)
2022-02-15: SecureDrop 2.2.0
TBD       : SecureDrop Workstation RPM release
2022-02-17: Ro PTO? (tentative)

Vulnerabilities triage: Kunal

4) Next sprint priorities

  1. Land SecureDrop 2.2.0 prerequisites: Flask upgrade, "deleted" user changes, kernel upgrade

Rationale: hardware upgrades increasingly time-sensitive; Flask upgrade as previously noted

  2. Release SecureDrop Client 0.6.0 with deletion performance improvement

Rationale: Deletion performance improvement will deliver significant end user benefit especially in spam management.

  3. Implement experimental 4.1 support that allows SDW to be installed on both 4.0.4 and 4.1 Qubes versions (not necessarily "ready for review")

Rationale: 4.1 may finally be around the corner after RC4, and 4.0.4 may not be supported much longer after that.

5) Task selection
