Sprint Retrospective 2021 12 15

SecureDrop Sprint Retrospective and Backlog Review, 2021-12-15

1) Retrospective

Top priorities:

• SecureDrop Workstation: Release SecureDrop Client 0.5.0

Shipped SecureDrop Client release and 0.5.1 follow-up (we'll dive further into that next week)

• SecureDrop Server: Prepare update of Flask to version 2.0, along with associated requirements

  • wtforms update has landed: https://github.com/freedomofpress/securedrop/pull/6190

  • Review of https://github.com/freedomofpress/securedrop/pull/6160 in progress

  • Other type-checking related changes will be needed (issues TK)

• SecureDrop Workstation: Implement "Download all files for a given Source" and finalize scope and UX for "Export all" MVP

  • Mid-sprint we agreed to focus on scoping on "Download all"

  • Prepared feature branch, extracting components from widgets.py; see https://github.com/freedomofpress/securedrop-client/pull/1369 and linked PR

Other accomplishments:

• Landed "Remind me later / Update now" options for SDW notifier
• Landed tooling for continuous translation updates to SD Client
  • Documentation (WIP securedrop-client#1304): https://github.com/freedomofpress/securedrop-client/wiki/Internationalization
• Removed "Refresh codename" feature in preparation for further Source Interface improvements
• Scoped first round of Source Interface improvements w/ Nina (issue TK)
• Scoped initial changes to deleted user management on SD Server
• Landed community improvements to SI/JI headers
• Fixed long-standing bugs in OTP secret management (merge TK)
• Cleaned up developer environment for SecureDrop Workstation updater
• Welcomed a new team member (and an intern!) to the project!
• Good news on funding front

What went well:

• Scoping of the "Download All" feature was effective and clarifying (MoSCoW)
• Figma is nice to use for collaboration between design and dev
• sdw hangouts/team process discussions are helpful, as are the refinements (eg dedicating some time to step through a PR or some code and some time to raise other issues)+1
• We welcomed Erika :)+1+1
• We welcomed Michael =)+1+1
• process improvement suggestions, targeting where we can distribute knowledge better (see "what can be improved" below); appreciated everyone's willingness to try a new format for exploring these questions together
• scoping for inverted flow was speedy and iterative (thanks to the MoSCoW format introduced by Gonzalo above)(-> Erik!)
• Despite lack of compatibility, SDW on Qubes 4.1 seems to be possible to achieve with a little manual intervention
• clearer handoff of review of accessibility-related work; thanks so far to Saptak and in advance to Kev :-)

What can be improved:

• stronger documentation and team familiarity with incident response, coordination roles, and off-hours/on-call escalation. +1
  • Concrete process suggestions from December 2 retrospective: https://docs.google.com/document/d/1-vFrGIc4H-5i_G6R9J5uQaXAtR6UQDZPr7yKGHKZW44/edit#heading=h.lhqmykx0adic
• Proposal/discussion/correction/review process is slower than I anticipated, I think that's something we probably should iterate on as a delivery-speed investment+1 +1
• It may be worth considering processes like https://martinfowler.com/articles/ship-show-ask.html when working in feature branches +1
  • (Kev) I can see ship/show/ask approach working in web app -- but in application-style release schedule, you may be deferring a bunch of testing to release time, which would make release painful
  • (Ro) Part of the issue may be branching/review; part of it may be time estimation. Are we leaving enough time for review?
  • (Gonzalo) I'd love to try the show/ask subset (where "show" is reserved to PRs tthat are merged into feature branches). I think that would allow to balance small PRs (ease of review) and perspective (how a series of changes work together to achieve a given outcome).
• cfm: have not been fitting in my own learning time; want to resume that +1+1
• Time estimation/biting off more than can be chewed in a sprint: maybe we need cards or time set aside for review (or learning, or other things)?
• Is it worth having a chat about estimating time vs estimating uncertainty?
• developer environment setup/'figuring things out' continues to be a large hidden time sink? (at least for me)+1 ing so we talk about it
  • agreed, and hopefully the updater dev env is easier to get started with now that we have docs and makefile targets to build the virtual envs
• is there anything in particular that was a pain point?
  • not one specific thing. Maybe figuring out testing? The dev-deps PR that just landed was really helpful
  • +1, cfm has some interesting work here
• prep for onboarding - we could do with better decks/pedagogical material in general
• Might be worth considering the Divio documentation system (https://documentation.divio.com/) for the distinction between the team's onboarding and reference materials.+1

What have we learned:

• cfm: thanks for threat-model introduction as part of orientation +1
• conorsch: started digging into qrexec internals and really enjoying the deep dive
• eaon: all the things (sort of) =D <3
• kog: more poking about in e2e white papers

2) Team coverage during the holidays

Reminder: Emergency coverage spreadsheet can be found here https://docs.google.com/spreadsheets/d/1CGo75HCtbqxcqpI4IX4Fai15ClI78HL5oRqTlMkyxW8/edit#gid=0

3) Board/backlog review

https://github.com/orgs/freedomofpress/projects/1