Sprint Planning Meeting 2020 10 15
What we said we would do:
- Release SecureDrop 1.6.0
Sprint goal met: SecureDrop 1.6.0 released with no known issues.
- Finish template consolidation and prepare for release
Sprint goal partially met:
- Critical PRs ready or close to ready
- New "template-consolidation" component on apt-test.freedom.press allows convenient testing
- Updater logic improvements and smaller per-repo changes pending
- securedrop-export config consolidation pending
- Threat model work pending
- Pre-release QA pending
- Run Focal (Python 3.8) application tests in CI
Sprint goal partially met:
- Good progress on dev container & testinfra fixes for Focal
- Focal staging environment PR ready for review
- Final review & app test fixes pending
Additional accomplishments
- Used new docs workflow for release and post-release docs changes
- Reply badges have landed in SecureDrop Client nightlies, and they're beautiful!
- Landed a round of type annotation PRs by @nabla-c0d3
- Landed 2FA styling fix and platform.linux_distribution replacement by @DrGFreeman
- Infra team migrated securedrop.org to k8s for continuous deployment fun, which should make future deploys & fixes faster
Other team comments
What worked well:
- I'm happy with all the planning we did up front with seen/unseen, because now it feels we can work independently at length (has the spec been updated to match the ultimate implementation? the spec is pretty accurate, but is a working doc and can be updated as we go, not sure if I will add all the detail about null journalist ids, etc. because I was thinking about deleting the spec later (because we will have API docs and database diagrams), but I wonder if there's value in keeping it around?)
- Generating SDK cassettes was faster this time with the recent updates
- Code walkthrough of template consolidation was helpful and fun
- Mirabox
- A lot of inter-dependent changes merged fairly quickly (core api, sdk, client)
What can be improved:
- (Erik) As we get close to the finish line on template consolidation, I recommend blocking away continuous time for review and testing. This is the kind of thing we would have brought people together for in person pre-COVID.
- +1, major changes to the workstation are still hard to test, but we now have a path forward with separate apt channels
- (John) Lack of SD core test coverage makes changes that touch a lot of code (type annotations, black/isort, OS upgrades) more worrisome than they need to be. +1
- (kushal) Dependency management for the non-core app code (develop and test requirements) can be improved/looked at regularly. +1 (deleting my comment in favour of this one)
ACTION: Schedule first dependency review in early 2021
- nightly builds infra isn't well monitored, we should be getting alerts on broken pipelines
ACTION: Conor to file issue in infra to consider monitoring options
What's still a puzzle:
- apt-test cron not updating nightly builds +1
- (Erik) Would it make sense at some point to do knowledge shares about some of the security-related technologies we use in SD and SDW (AppArmor, PaX, etc.)?
- Tor browser upgrades in dev container +2 (also question to Kev: how did you find out that blank page open trick/option?) (I don't know what you mean, but the answer is probably the murky depths of StackOverflow) :)
- (Kev) We'd previously discussed maybe automatically picking the latest version.
ACTION: Erik or Kev will file issue for ^^
Learning time debrief
- (kushal) Tried to replace gpg with my johnnycanencrypt module in the Focal container, report at https://kushaldas.in/posts/updates-from-johnnycanencrpt-development-in-last-few-weeks.html
- (Conor) More research on reproducible builds -- see #learning write-up.
2020-10-16 : PTO: Erik (0.5 day), Mickael
2020-10-26 : Threat model discussions with auditors begin
2020-10-22 : Kushal PTO (it is in calendar)
2020-10-23 to 2020-10-26: India Holiday (Durga Puja)
After sprint period:
2020-10-30 : FPF Holiday
2020-11-16 : SecureDrop Workstation audit begins
Additional PTO plans:
- (Erik) 1 day PTO
- Merge template consolidation changes, draft test plan, and begin QA, aiming for consolidated release early in the next sprint.
This will need to include QA for many other changes landed since July.
- Update our hardware recommendations for SD Workstation and SD Core
- Test & document the most supportable way to install SD on NUC8
- Test T490, attempt to get Ethernet support working
- Land pending Focal support PRs & fixes, and fix additional test failures for app and infra tests
https://docs.google.com/spreadsheets/d/19B9onbuHYXeWI6Sl3VUX3-MinH3rrKEoXKSfYaB32tQ/edit#gid=0