
Standup Notes 2018 12 13

Erik Moeller edited this page Dec 14, 2018 · 2 revisions

Participants (alphabetical): Conor, Emmanuel, Erik, Heartsucker, Jaysinh, Jen, Kevin, Kushal, Mike, Mickael, Nina

Extended agenda

Ansible community roles

  • Topic: Use of Ansible community roles and other Xenial transition prep not currently tracked in https://github.com/freedomofpress/securedrop/issues/3204

  • Conor: Hard to come up with an example of how this would assist with the Xenial transition

  • Heartsucker: If we have to touch anything related to Tor or SSH, those two are easy to implement

  • Consensus: Backburner for now, will revisit if discovery shows that it can save time in Xenial transition, otherwise will revisit post-transition as tech debt task

Topic: Test plans for PRs

  • General comment on test plans and who should be testing what:
  • For each PR, at least two people need to verify that changes do what is advertised. The submitter should test that their own changes do what is advertised unless there is a compelling reason not to, i.e. "I had to sign off for the day and I did not get a chance to run through full testing here" is a fine reason, just note that on the PR so another person can pick up your work. We have a checkbox in the PR template in order to indicate whether or not this was done.
  • In addition to the submitter, either the reviewer, or a QA participant should also test that changes do what is advertised (or that automated tests that have been added sufficiently test the change). If we think that the manual test plan is too onerous, we should discuss how to strike the right balance in the PR as part of review. The test plan is part of the PR template to clearly indicate what has been tested, which aids us both in collaboration and for the purpose of retrospectives.
  • Action (case by case, depending on complexity): Be more specific in issues, so that there are acceptance criteria the submitter can use in implementation and the reviewer can use in review

Topic: How to structure config files as part of static config transition

  • Read-only configuration for the SecureDrop application on the server

  • Heartsucker: My assumption was, we have one master SD config we use for source & journalist info. Do we want to split that into two? Right now it's one JSON object that has two keys. If we split them into two files with two different AppArmor configs, in future system configs (e.g., via gunicorn), we might be able to restrict server process access via AppArmor.

  • Kushal: Yes -- good idea. Have done similar things w/ nginx, gunicorn. Actual config should be read-only by the application. Should be writable by the root user.

  • Heartsucker: Agreed re: r/w access.

  • Mickael: Better story with splitting DB on the backend, but it's a good move in the right direction.

  • Jen: Seems reasonable time to make the change.

Standup portion

Conor

Yesterday: No SD progress, mostly meetings and SD-related hiring yesterday.

Today: Weblate planning (to avoid service outage as we saw in final stages of 0.11 release), security auditor conversation related to Workstation prototype. Will review latest Xenial tickets on current sprint and start planning next steps.

Blockers: None

Emmanuel

Yesterday:

Today:

Blockers:

Erik

Yesterday:

  • Hiring (3 interviews)
  • Thinking through UX funding options w/ Nina

Today:

  • Hiring (prep materials for 3 interviews tomorrow, help w/ 1 in the PM)
  • Meeting with auditors & associated follow-up
  • Work on UX funding proposal
  • Support & spec work as time allows

Blockers:

  • None

Heartsucker

Running unit tests for config migration. Will continue on that through the evening.

Blockers: Would be good to get additional review from Kushal

Jen

Yesterday:

  • Mostly hiring
  • Post release 0.11 merge
  • Update urllib3 because we had a CVE

Today:

  • Audit results for SecureDrop workstation alpha
  • Couple more hiring meetings... we're getting there

Blockers:

  • Hey who wants to update the upgrade testing scenario? -> Conor
  • Request: Kushal want to review heartsucker's config PR? [good to get any comments in soon]

Josh

Spent a fair amount of time on source snippet issue, has gotten more complex than I anticipated. Gets to same MVC problems we've been seeing with the rest of the app. What snippet needs to do when new messages arrive -- needs to dynamically update. Very similar problem as conversation view. Hesitant to pour more time. Perhaps wait until refactor is complete.

Today intend to review Kushal's PR.

Kevin

(offsite, no update)

Kushal

Yesterday:

  • QA/review of #3850 static config

Today:

  • Will push more comments on the PR in my morning.

Blockers: None

Mike

At Kubecon

Mickael

Yesterday:

Interviews/meeting

Today:

  • Updated docs for threat model to unblock Olivia for public docs work
  • More interviews/meetings; tomorrow morning may grab Xenial-related ticket

Blockers:

Nina

  • UX meeting - review of client mockups
  • Iterating on design based on feedback

Yesterday:

Today:

Blockers:
