
Sprint Planning Meeting 2022 05 11

Erik Moeller edited this page May 12, 2022 · 1 revision

Sprint Planning Meeting, SecureDrop, 2022-05-11

Sprint timeframe: Mid-Day (PST) 2022-05-11 to Mid-Day (PST) 2022-05-25

1) Review previous sprint priorities

  • Complete key deliverables for SecureDrop 2.4.0 and begin QA

Status: Completed. 2.4.0 key deliverables have been merged and QA is underway. Additionally, we released a 2.3.2 point release to add Tails 5.0 compatibility code.

  • Land initial SecureDrop Workstation 4.1 compatibility PR, and complete a round of testing on sys-USB changes

Status: Partially completed. 4.1 compatibility PR was merged. sys-usb testing on 4.1 fresh install pending.

2) Retrospective

What worked well:

  • Fast turnaround on SecureDrop 2.3.2 with Tails 5.0 support! +1 +1 +1
  • Pairing with Cory and Ro brought great insights!
    • +1 more pairing conversations generally! +1+1
  • Loved the handling of the rat-tail of little bugs that appeared after the nightly/test unclobbering +1
  • Product-design introduction! +1 +1
  • Impressive progress on Qubes 4.1 support - getting closer to a fully installable & working 4.1 system +1

What can be improved:

  • Clearly defining the desired state of apt.*, apt-test.* (main vs. nightly) and dev/staging/prod (in workstation config.json) could help us in troubleshooting discrepancies of behavior between what we see vs. what our users see. +1+1+1+1

    • distinguish between our environments vs the actual packaging (nightly != prod, dev etc)
    • Are we tracking unreleased commits in all the components?
    • Once there's a Github Issue, I'd like to add what I would expect for dev vs staging vs prod
  • SecureDrop 2.3.2 release coverage felt a little scramblish late on a Thursday. (No deputy RM formally assigned, for example.) It did run longer than expected too iirc

    • [kev] do hotfix releases need the same level of rigour?
      • [erik] tails-specific changes did, but we may be overtesting other components -- shorter smoketest?
      • more functional testing and higher test coverage - we could commit to this now, reduce manual testing load
  • Conor's been awfully quiet lately. + :'( + :(

  • How might we increase PR review rates? +1

    • Capacity issue imo
    • Getting a reviewer assigned or the speed at which it gets reviewed? A: Getting actually reviewed, well ultimately merged ; )
    • +1; I struggle to build in time for this without an explicit commitment/assignment. +1
    • kunal: dedicated review days? Works well in a pair system, in which when you're reviewing, the author is on hand or can implement the fixes soon, so it can be re-reviewed when you're still in that mindset.

Followup on Tails 5.0 workflow changes and bugs

What's still a mystery:

  • Would like to understand supply chain attack mitigations re: dependency management better +1 +1 +1
    • Sort of tacking on here: in-depth threat-model step-through would be good because I feel like I do not fully understand all mitigations/assumptions around them +1
  • Currently our threat model is pretty vague around this specifically
    • I would like to know which dependencies aren't reproducible - the list was shrinking last we checked and this could use another review

3) Key dates and time commitments

  • Erik alternating 4*8+PTO / 4*10, always off Fridays
  • Cory @ 4*10 Mon-Thu
  • Allie @ 3*10 Mon-Wed
  • Ro @ ~4*8-10 Mon-Thu
  • Giulio ~20 hours/week
  • Gonzalo back at ~24 hours/week Mon-Wed
  • Tina @ 4*10 / Mon-Thur
2022-05-19   : SecureDrop 2.4.0 release
2022-05-18/19: Ro PTO

After sprint:

TBD          : SecureDrop Server and Workstation keyring updates (expires July 4th)
2022-05-26/27: Kunal PTO
Early May    : Potential translation launch for SecureDrop Client
2022-05-31   : QA begins for SecureDrop Workstation releases
2022-06-13-24 : Ro PTO (2wk) to move
2022-06-07   : SecureDrop Workstation releases
2022-06-07   : Fedora 34 EOL - must upgrade SDW to Fedora 35
2022-07-04   : SecureDrop release key expires
2022-08-02   : Debian Buster EOL / Qubes 4.0 EOL
  • Vulnerabilities triage: Kev
  • Support triage: Michael

4) Review top sprint priorities

  1. Release SecureDrop 2.4.0

Rationale: Choo-choo! The release train is coming.

  2. Make it possible to create a full Qubes 4.1/bullseye fresh install

Components:

  • sys-usb fixes (Cory)
  • Bullseye templates with 4.1 repos (Allie/TBD)
  • Bullseye builds of SecureDrop Workstation packages (Kunal/Michael/Gonzalo/Allie/Cory)

Rationale: Qubes 4.0/Buster EOL approaching in August

  3. Update keyring expiry by 1 year and prepare packages with said update for server and workstation

Rationale: Release key expiry fast-approaching in July.

5) Review project board

https://github.com/orgs/freedomofpress/projects/1
