Sprint Planning Meeting 2021 05 20
What we said we would do:
- Complete first iteration of Safe Deletion for SecureDrop Client
Status: Goal not met.
- Iteration on UX design proposal completed (pending feasibility investigation)
- Round of user research completed
- Complete deliverables for SecureDrop 1.8.2, test them, and issue a point release
Status: Goal met. Fix for low severity JI vulnerability was also scoped into the release.
- Update TemplateVMs to Fedora 33
Status: Goal met. PR landed, pending upstream fixes and release.
Additional accomplishments
- 8 days from report of low severity vuln to issuance of point release with a fix, including in-depth investigation, comms, internal incident response docs, & identification of areas for future improvement; more info: https://securedrop.org/news/security-advisory-cross-site-request-forgery-vulnerability-on-journalist-interface-test-alert-form/
- PR ready for "flag for reply" removal
- PR ready for v3 Admin Workstation rebuild docs
- Landed app-tests CI performance improvement via faster Alembic migrations
- Agreed upon more efficient process for updating dev dependencies as described in https://github.com/freedomofpress/securedrop-proxy/pull/88
- Landed community PRs by Prateek, DrG
Other team comments
(Scope includes the CSRF security issue; 1.8.2 release and fun w/ pip)
What worked well:
- excellent coordination of responsibilities during vulnerability triage. we wound up with a great result on the other side of a somewhat complicated point release +3 +1
- shows the power of process documentation +1
- we shipped the keyring update for servers and Tails workstations. that's great! +1
- good flexibility overall re: point release scope.
- continued focus on reducing admin pain points via small fixes. shows strong communication related to migration via support comms.
What can be improved:
- release process overall remains slow and tedious. discussion about features for point release included recognition that another point release would be a prohibitive amount of work, which is an unfortunate pattern +1+1+1
- deb package builds take a while
- Action?: workstation-style packaging
- Action?: Consider https://github.com/freedomofpress/securedrop-debian-packaging/pull/65
- Action?: Make ci faster, staging-with-rebase and app-tests jobs are very long
- QA/testing also takes a very long time
- Cross-team knowledge for pip/dh-virtualenv issues; process/architecture parity between SecureDrop Workstation & SecureDrop Core +1+1
- Could be catching simple webapp vulnerabilities with automation of Zap or similar +1
- release branching strategy and conflicts when large changes are merged into develop? more?
- Action?: edit circleci configuration in the release branch reflecting the changes in develop to avoid merging PRs that are failing CI (Adding the documentation to the release management docs)
What's still a puzzle:
- No issues raised this time
Learning time debrief
- Conor: Some Rust learning https://github.com/conorsch/innisfree
- KOG: Nothing learned :/
2021-05-21 : @emkll's last day
2021-05-24 to 2021-05-28: Time off: Ro
2021-05-24 : Holiday (Canada): Victoria Day
2021-05-25 : Fedora 32 end of life
2021-05-28 : Allie PTO (extra long weekend)
2021-05-28 : John PTO
2021-05-31 : Holiday (US): Memorial Day
2021-06-01 : Tails 4.19 release - includes new connection wizard
QA / feature freeze for SecureDrop 2.0.0
After sprint:
2021-06-04 : Time off: Erik
2021-06-14 to 2021-06-25: Time off: Conor
2021-06-15 : SecureDrop 2.0.0 released (signed with new release key)
2021-06-30 : SecureDrop Signing Key expires
2021-07-12 to 2021-07-16: Time off: KOG
- Safe Deletion: Land first iteration PR with minimal UX and finalize planning for UX iterations; land API for change for 2.0.0
- Keyring update: Deliver keyring update (round 1) to SecureDrop Workstation users & publish new HTTPSEverywhere channel signed w/ new keyring
- Prep for 2.0.0: Complete release blockers for SD 2.0.0 as identified in https://github.com/freedomofpress/securedrop/milestone/69
https://docs.google.com/spreadsheets/d/1IOOqJDMutPShCaWtS36h6dE8iEGO2DAx-06waZqK_LM4/edit#gid=0