-
Notifications
You must be signed in to change notification settings - Fork 685
Standup Notes 2018 12 13
Participants (alphabetical): Conor, Emmanuel, Erik, Heartsucker, Jaysinh, Jen, Kevin, Kushal, Mike, Mickael, Nina
-
Topic: Use of Ansible community roles and other Xenial transition prep not currently tracked in https://github.com/freedomofpress/securedrop/issues/3204
-
Conor: Hard to come up with example how this would assist with Xenial transition
-
Heartsucker: If we have to touch anything related to Tor or SSH, those two are easy to implement
-
Consensus: Backburner for now, will revisit if discovery shows that it can save time in Xenial transition, otherwise will revisit post-transition as tech debt task
- General comment on test plans and who should be testing what:
- for each PR, at least two people need to verify that changes do what is advertised. The submitter should test their own changes do what is advertised unless there is a compelling reason not to, i.e. "I had to sign off for the day and I did not get a chance to run through full testing here" is a fine reason, just note that on the PR so another person can pick up your work. We have a checkbox in the PR template in order to indicate whether or not this was done.
- In addition to the submitter, either the reviewer, or a QA participant should also test that changes do what is advertised (or that automated tests that have been added sufficiently test the change). If we think that the manual test plan is too onerous, we should discuss how to strike the right balance in the PR as part of review. The test plan is part of the PR template to clearly indicate what has been tested, which aids us both in collaboration and for the purpose of retrospectives.
- Action (case by case, depending on complexity): Be more specific in issues such that the submitter has acceptance criteria to use both in implementation and the reviewer can use to review
-
Read only configuration for the SecureDrop application on the server
-
Heartsucker: My assumption was, we have one master SD config we use for source & journalist info. Do we want to split that into two? Right now it's one JSON object that has two keys. If we split them into two files with two different AppArmor configs, in future system configs (e.g., via gunicorn), we might be able to restrict server process access via AppArmor.
-
Kushal: Yes -- good idea. Have done similar things w/ nginx, gunicorn. Actual config should be read-only by the application. Should be writable by the root user.
-
Heartsucker: Agreed re: r/w access.
-
Mickael: Better story with splitting DB on the backend, but it's a good move in the right direction.
-
Jen: Seems reasonable time to make the change.
Yesterday: No SD progress, mostly meetings and SD-related hiring yesterday.
Today: Weblate planning (to avoid service outage as we saw in final stages of 0.11 release), security auditor conversation related to Workstation prototype. Will review latest Xenial tickets on current sprint and start planning next steps.
Blockers: None
Yesterday:
Today:
Blockers:
Yesterday:
- Hiring (3 interviews)
- Thinking through UX funding options w/ Nina
Today:
- Hiring (prep materials for 3 interviews tomorrow, help w/ 1 in the PM)
- Meeting with auditors & associated follow-up
- Work on UX funding proposal
- Support & spec work as time allows
Blockers:
- None
Running unit tests for config migration. Will continue on that through the evening.
Blockers: Would be good to get additional review from Kushal
Yesterday:
- Mostly hiring
- Post release 0.11 merge
- Update urllib3 because we had a CVE
Today:
- Audit results for SecureDrop workstation alpha
- Couple more hiring meetings... we're getting there
Blockers:
- Hey who wants to update the upgrade testing scenario? -> Conor
- Request: Kushal want to review heartsucker's config PR? [good to get any comments in soon]
Spent a fair amount of time on source snippet issue, has gotten more complex than I anticipated. Gets to same MVC problems we've been seeing with the rest of the app. What snippet needs to do when new messages arrive -- needs to dynamically update. Very similar problem as conversation view. Hesitant to pour more time. Perhaps wait until refactor is complete.
Today intend to review Kushal's PR.
(offsite, no update)
Yesterday:
- QA/review of #3850 static config
Today:
- Will push more comments on the PR in the my morning.
Blockers: None
At Kubecon
Yesterday:
Interviews/meeting
Today:
- Updated docs for threat model to unblock Olivia for public docs work
- More interviews/meetings; tomorrow morning may grab Xenial-related ticket
Blockers:
- UX meeting - review of client mockups
- Iterating on design based on feedback Yesterday:
Today:
Blockers: