Skip to content

Sprint Planning Meeting 2020 09 17

Jump to bottom
Erik Moeller edited this page Sep 17, 2020 · 1 revision

Sprint Planning Meeting, SecureDrop, 2020-09-17

Sprint timeframe: Beginning of Day (PDT) 2020-09-17 to Beginning of Day (PDT) 2020-10-01

1) Retrospective

What we said we would do:

  1. Template consolidation
  • Complete consolidation of MIME type handling
  • Spike: Create a working branch & draft PR with small/large template provisioning logic (scoped to creation of the templates only, side-by-side with existing templates, we can record/open issues for any unforseen followup)

Sprint goal met: Some leftover work for securedrop-proxy MIME type handling, but exceeded goals of spike (got basic client functionality working)

  1. Seen/unseen

Complete server-side requirements in preparation for 1.6.0 release:

Sprint goal partially met: Both changes are still being worked on, but quite far along.

  1. Ubuntu 20.04 transition
  • Provide tor, linux kernel, ossec, and securedrop packages for Focal via apt-test
  • make fetch-tor-debs to pull both Xenial and Focal tor debs
  • Land initial work on packaging and make staging-focal target

Sprint goal partially met: Landed work on staging target and updated make fetch-tor-debs. apt-test still missing core packages for Focal; staging environment not yet using grsec kernel.

Additional accomplishments

Other team comments

What worked well:

  • (Erik) I feel we're getting better at ad hoc small group technical & scoping sessions without overloading everyone's calendar +3
  • (mickael) Good progress and documentation of complex research tasks (seen/unseen, template consolidation, focal, setuptools, deletion, reproducible builds) -- quite a few productive brainstorming/design sessions lately, and the collaboration has been really nice.+1+1+1+1
  • (kushal) We did good work (with proper handovers) on the setuptools issue, a lot of research/tries were done for that. +1

What can be improved:

  • (kushal) Kernel/grsec, why and how still can be documented beter.referring to build or installation?(both)fair enough

  • We use slightly different tools for same purpose, e.g. paxctl vs paxctld +1

  • not any time soon, but each OS upgrade points out how messy SD core packaging/testing is -- some configuration happens only via Ansible, some in package installation, the Ansible/Molecule inclusion is kind of a rat's nest ... we could use a push to try to buy down that technical debt.+1000000000000000000001+1

  • (Mickael) Perhaps we can combine cleanup work with reproducibility improvements. Would it be useful to separate out the build code a bit more?

  • (John) We were talking about adapting the split strategy from the SecureDrop Workstation from core. A refactoring spike to identify logic that's redundant or could be pulled into an include -- cleanup the directory structure, organize things better.

    • sometimes helps to have fresh eyes and more folks looking at the same code and processes

  • (Kev) We may be able to reorganize as part ofupcoming Focal switch.

  • another taking-stock kind of spike: evaluating the server-side database. Allie discovered that we're not enforcing referential integrity, after all these years. we could just review the schema, with an eye to catching things like lack of unique constraints, or things that have been incompletely considered or aren't aging well, like journalist deletion.

    • There's also a database schema diagram that could probably use an update

    • There's so much already that we could start prioritizing (we have github issues and project cards on the board) and the more eyes we have on architecture the better it'll be.

What's still a puzzle:

  • molecule + Vagrant+ libvirt is PAIN.
  • rpm build process isn't easily reproducible, more learning time required
  • sometimes python packaging can surprise us

Learning time debrief

(Erik) Reading through Qt5 book, identifying some first small areas of improvement in client codebase. This is the book: https://www.learnpyqt.com/pyqt5-book/#the-book <- it's CC-BY-NC-SA; shared a copy over on #learning

(Conor) Explored reproducible build tooling for .rpm packages, rather than .deb packages. Comparatively foreign, so didn't achieve deterministic builds, but get more comfortable with python -> rpm in general

(Kev, Mickael) learning time fail last Fri :(

(kushal) a lot of network calls

(John) a tiny bit more reading about GitHub/Google APIs for tracker automation, but no code yet

2) Review key dates and time commitments

PTO check-in:

2020-09-18              : PTO: Mickael (0.5 days)
2020-09-21              : Go/no-go check-in on 1.6.0 schedule
2020-09-22              : SecureDrop 1.6.0 QA Begins [pending above]
                          Tails 4.11 release (we'll do a bulk announcement)
                          PTO: Conor (0.5 days)
                          CfP deadline for GitHub Universe
                          https://githubuniverse.com/
2020-09-25              : FPF Holiday

After sprint period:

2020-10-02              : FPF Holiday
2020-10-06              : SecureDrop 1.6.0 Release [pending above]
2020-10-26              : Threat model discussions with auditors begin
2020-11-16              : SecureDrop Workstation audit begins

3) Agree upon top 3 priorities for the next two weeks

  1. Land critical changes for SecureDrop 1.6.0 and test them extensively.
  • Server-side changes for seen/unseen. Need to ensure clean migration for long-running instances
  1. Land preparatory changes to complete template consolidation in the next sprint.
  1. Switch staging environment for Ubuntu 20.04 to grsec-patched kernel

4) Select and estimate tasks

https://docs.google.com/spreadsheets/d/1nUXrlIqpB7_dcqsncevBBBcmf_iHQikzi5aDJHrJkC4/edit#gid=0

Clone this wiki locally