Sprint Planning Meeting 2021 12 01

Erik Moeller edited this page Dec 2, 2021 · 2 revisions

Sprint Planning Meeting, SecureDrop, 2021-12-01

Sprint timeframe: Mid-Day (PST) 2021-12-01 to Mid-Day (PST) 2021-12-15

1) Retrospective

Previous sprint priorities:

  • Release SecureDrop Client 0.5.0

    • Critical bugfixes have been merged

    • Final pre-release QA is in progress

  • Update Fedora template to F34 for Workstation

    • Changes were merged and released
  • Client localization workflows

Other accomplishments:

  • Added onion service support to Docker-based environment
  • Rebased securedrop-e2e and landed various cleanup improvements
  • Updated Tor; Rust in build container; pip in packaging repo
  • Hired two new full-time developers

What worked well:

  • Lots of explicit testing steps around Client changes (thanks Allie for your patience!)
  • proactive approach to updates/technical debt (keeping deps up-to-date despite everything else in progress, etc) +1+1
    • Notifications are helping, thanks to everyone for taking the time to be responsive to new alerts
    • We're quick to improve docs if we notice something that isn't captured, use of github wikis seems to help keep friction low
  • Workstation developer hangouts and code walkthroughs are very useful
  • New to me, I'm finding the Makefile targets for testing work smoothly 👏 (More than others I've used before.)
  • Lots of knowledge sharing between team members, including updater, using toxiproxy for testing, and obs-studio +1
  • just a shoutout, it's so nice to have new people on the team, looking at c and g :)

What can be improved:

  • securedrop-e2e (+ securedrop@signal-proto-focal) will continue to require time-consuming maintenance (rebasing, etc.) for as long as it's a back-burnered prototype.
  • still a few complex points of confusion/clarification in onboarding to our workflows; will be relevant as we onboard more people +1+1(simply so I can hear more <3)+1
    • ACTION: Improve & use standard onboarding curriculum for new hires (definitely for next two, need server/workstation code walkthrus and such)
    • Suggestion: curriculum is (or at least starts from) links to documentation consulted and updated continuously by the whole team, especially for process considerations. :-) (I.e., onboarding is a function of reference material.)
  • release mechanics: lots of manual action by developers, and we still mandate use of the prod signing key. let's consider using individual dev keys for repo tags +1
  • documentation is pretty good around releasing sdw components, but it would be helpful to document more around QA and release candidates

What's still a puzzle:

  • what's the long-term plan for Onion Names? we have an issue for this already (https://github.com/freedomofpress/securedrop-https-everywhere-ruleset/issues/67), but it came up again at State of the Onion +1+1
    • ACTION: Kev to poke Tor folks for further discussion (cfm happy to shadow)
    • hardware situation: we haven't been bitten hard yet, but.... +1 (I have a NUC 11 in FedEx limbo, will begin kernel build/testing once it arrives.) I got them too, happy to use them for testing whatever's useful. If it doesn't get out of limbo soon I may take you up on that!

What we're learning:

  • I (Cory) am tinkering with Slack notifications etc. to balance focus and responsiveness....+1+1(so i can hear more about it <3)
  • Finding the appropriate approach / balance to suggest / discuss maintenance of Client code.
  • (KOG) Rust - wasm-bindgen etc.
  • What do we need to do for proper E2E? Pre-encryption via GPG is fairly straightforward, replies are a pain in the posterior (also a good learning/discussion topic, do we want to pursue an incremental approach? at what stage do we say goodbye to GPG?)
  • Tor/DNS/OnionNames research in https://arxiv.org/abs/2110.03168 :+1:
  • Work life balance (as always)
  • Reading about onion services atm

2) Key dates and time commitments

Work schedule notes:

  • Erik alternating 4*8+PTO / 4*10, always off Fridays
  • Allie still on 3*10, Mo-Wed
  • Gonzalo still on 3*8, Mo-Wed
  • Conor will be 4*8+PTO, for always-off Fridays
  • Ro still Mo-Thu ~8-10 per day
  • Cory 4*~10 Mon–Thu
2021-12-06              : Erika joins the team as Outreachy intern (30 hours/week)
2021-12-08              : PTO: Conor
2021-12-13              : New full-time developer starts
2021-12-13              : Docs collaboration with DigiSec team (docs sprint) :hand_up:

After sprint:

2021-12-23 to 2021-12-31: FPF break - emergency coverage: https://docs.google.com/spreadsheets/d/1CGo75HCtbqxcqpI4IX4Fai15ClI78HL5oRqTlMkyxW8/edit#gid=0
2022-01-05              : New full-time developer starts

3) Sprint priorities

  • SecureDrop Workstation: Release SecureDrop Client 0.5.0
    • Rationale: Shipping long-awaited functionality & bugfixes to end users

  • SecureDrop Server: Prepare update of Flask to version 2.0, along with associated requirements
    • Rationale: Addressing longstanding technical debt and unblocking future security updates

  • SecureDrop Workstation: Implement "Download all files for a given Source" and finalize scope and UX for "Export all" MVP
    • Rationale: Seen as lower-hanging fruit than "Export all for a given Source", while we define goals for "Export all for a given Source". Could be used later to enable automated downloads when exporting if we want to.

4) Select and estimate tasks

Project board: https://github.com/orgs/freedomofpress/projects/1