Standup Notes 2019 01 31
Participants (alphabetical): Allie, Conor, Emmanuel, Erik, Jen, Kevin, Kushal, Mike, Mickael, Nina
- Dependency updates (security review process etc.). A modest proposal:
-
continue to update dependencies as needed during regular development
-
at release [even at component level, i.e. tag for a single repo like securedrop-sdk] prep time, do dependency review ** discussion needed here **
Advantage of at release time: We only need to do the review once, i.e. if the dependency changes 3 times between releases, we only need to review the change once.
Advantage of at merge time: Smaller diffs
-
at build time, push new packages to PyPI Q. What should the dependency review look like? How about at first changelog review?
-
Kushal: points to remember: 1. we build the wheels and keep them ready for building the debian package. When do we build the wheels? At the time of final release? Benefit of pushing time / Pipfile is that we'll have only the required changes every time. Other question: what machine to build wheels on. Would like to transition to build machine.
Jen: Break up responsibilities among multiple people
Mickael: Separate levels from changelog all the way down to diffs. Out of caution I would suggest merge time may be better -- too many other checkboxes during release time. Time to review may go up -- diffs likely smaller.
Jen: Let's try Mickael's process, will create on-wiki plan. Let's exclude dev/test-only dependencies.
Mickael/Kushal: Agreed
- Overview of apt changes
- no more tor-apt repo (tor/sd debs consolidated in FPF repo)
- PR #4080 changes, coupled with Xenial migration plan of running "install" task, cleans up
- fetch-tor-packages logic: currently in infra, suggest moving to SD repo
- consider redirecting old tor-apt repo at a later date (relevant to apt vulnerability, blocked upgrades)
Yesterday:
- UX download on SecureDrop + client w/ Nina + Erik
Today:
- Code deep dive with Jen
Blockers:
May post on chat as issues arise
Yesterday:
- More Xenial build work
Today:
- Post release task for 0.11.1
- Comms catch-up
- Maybe poke at https://github.com/freedomofpress/securedrop/pull/4092
Blockers:
None
On PTO
Yesterday:
- All-day UX download (user research, design, client features/user stories)
Today:
- SecureDrop support
- Audit client user stories for beta - https://docs.google.com/spreadsheets/u/1/d/1DQEQp-0e6zN-pCPa0qqY-MGtmpc2SN5mzUsR4nEkpCQ/edit#gid=0
- Hiring-related tasks
Blockers:
None
Yesterday:
- Tested gpg changes in trusty and xenial staging both, journalist reply decryption now works
- Tests passing in trusty
- Decryption tests pass in xenial now, but other tests don't pass in xenial, because resolving the gpg decryption issue... introduced a new fun issue, which is that deleting reply keypairs does not work. This is not a horrific showstopper but I need to dig into how to resolve to maintain the current functionality.
Today:
- Lots of code review this afternoon
- Digging into this gpg delete keypair fun
Blockers:
- None
Yesterday:
- Large file upload investigation
Today:
- Break from that, support & PR review for 4080
- Return to large file upload
Blockers:
None
Yesterday:
- tested #4080 for the initial review.
- Trying to identify the cause of #4078, still no luck, will update the ticket after I try out a few more numbers.
Tomorrow:
- Learning session
- Back on #4080 and #4078
Blockers:
- None
Yesterday:
- Reviewed backend changes on #4080
- Opened #4092 to migrate torrc to format for 0.3.5 series (needed for Xenial)
Today:
- More on ^^
Blockers: None
Yesterday: Kubernetes all day. Everyday.
Today: Maybe weblate? Waiting for my Ops colleague to logon to discuss.
Blockers: [?]
Yesterday:
- UX Deep dive as noted above
Today:
- Heads down on getting OTF grant response
Blockers: None