Hannah Sutor changed title from 15.2 Planning for Manage::Authentication and Authorization to DRAFT: 15.3 Planning for Manage::Authentication and Authorization
Hannah Sutor changed the description
Thanks for the very clear and concise planning issue @hsutor
Some thoughts
Some of the 15.3 issues don't indicate if they are maintenance, bugs, or features. Could you add for clarity?
Can you add links to the list of maintenance priorities provided by development and the list of bug priorities provided by quality that were considered for this milestone?
Can you tag the other quad members (dev EM, quality leader, UX leader) for this group so they are aware of this issue and can collaborate on it?
Can you add commentary of the ratio of maintenance, bugs, features from the previous month and if the quad thinks these ratios are what the group intended?
@m_gill It looks like it was something I came up with here.
I said this:
We plan to complete 2 of these issues per milestone. Considering our average new security bug::vulnerability is 2 per milestone, this leaves us in a place of never burning down our number of active security vulnerabilities.
I think this was based on me eye-balling the new security vulnerabilities over the past few releases, but I think it is low.
I read this issue in detail trying to see if there was a number of avg net new per milestone mentioned, but I didn't see one.
I don't think the number of them matters as much as the weight of fixing whatever issues' SLOs are coming due.
For 15.2, we are using 9 (half of our weight) on security issues.
Should we aim for a weight ratio/percentage instead? It might be more helpful than the # of security vulnerability issues.
I think a weight of 9 is a good place to start, it looks like %15.3 will be somewhere around there, too.
@bdenkovych the %15.2 security release will go out a few days after the regular %15.2 release (July 22). This technically makes it %15.3 but the work does not slip and the issues can remain in %15.2 until they are closed. If they don't make the %15.2 security release on July 28, then the answer would be "yes" to both your questions. Does that make sense?
@sliaquat @hsutor in short, I don't think this will work. 😅 There will be no frontend or backend bugs that are less than 3w or 1w. How are we thinking about this? Are we looking at issue counts instead?
@m_gill The percentages were removed from the cross prioritization information. It is up to each team to decide their own percentages, so I don't think we should put too much weight into trying to meet a goal that no longer exists.
@hsutor using this board, in the far right (frontend and backend columns) you can see where we stand today based on your planning items in the description. By including ~9 weight in security issues, some of the bugs need to come out, and the un-weighted ones at the bottom of the list. Frontend is under capacity, but I think this issue will fill that gitlab-org/gitlab#356432 (closed)
@m_gill Thanks for this. Can you put Deliverable on the ones you are confident we have capacity for, and Stretch on the others? Are you OK with me leaving the Stretch ones in the planning issue?
Hannah Sutor changed title from DRAFT: 15.3 Planning for Manage::Authentication and Authorization to 15.3 Planning for Manage::Authentication and Authorization
Hannah Sutor changed the description
I thought we did all of the absolutely necessary FIPS work and the rest could follow on. I know the app sec team (@connorgilbert) is working on looking at what we have left and will decide what is absolutely necessary for the next deadline in October. Once I get that list, I will put it into milestone planning.
Please, if there is any type::feature work you feel strongly about, ping me on the issue and I will put it into a future milestone. Product is DRI for type::feature.
The early analysis from @corey-oas from Dedicated Compliance for ~"group::authentication and authorization", shared in Slack, was:
I reviewed the epics/issues with the group label and the few that are in FIPS Follow-up items epic and Dev section FedRAMP compliance - Misc. epic do seem like valid things to tackle next, given anything FIPS/encryption related is a top priority. Regarding the old gap analysis, I would hold off on those as they aren’t all required for a FedRAMP Readiness Assessment.
We're around 50% through the release and at about 38% progress on these issues. There are more issues in dev at the same time than I would like, but overall this is not bad given we had vacation at the beginning of the release.
Closed/Verification: 2 (11%)
In Review: 3 (13%)
In Dev: 6 (13%)
Unstarted: 7 (39%)
Deliverables today: 18 (2 issues were added as S1s but none came out)
@eread I am OOO Tues -> Fri next week but I believe we are in a pretty good place with all of our release posts drafted, I have been keeping this area of the planning issue up to date as I work through them. I think you've seen all of them by now, but the links are there FYI.
ETA: I just went through MRs and found a couple of Community contributions that are release post worthy, so I just added those to the table.