15.0 planning - Composition Analysis (April-May)
Helpful Links 🔗
- How we work
- Slack channel: #g_secure-composition-analysis
- Planning Board for checking Deliverable/Stretch/"Next Patch Release"
- Dev workflow Board for checking workflow::scheduling and workflow::ready for development
- Group Assignment Board
- Kickoff Board - direction and release post items
- upcoming milestones board
- [tier board - cleanup](https://gitlab.com/groups/gitlab-org/-/boards/1362488?label_name[]=group%3A%3Acomposition%20analysis)
- SCA Categories Board
- work type board
- All Secure Issues
- All CA Issues
- All Backend CA issues
- All Frontend CA issues
- CA priorities for the year 2022
- UX Secure & Protect Team Planning Issue for 15.0
Context
Capacity variations
This includes planned OOO, internships, conferences and other initiatives outside of group::composition analysis.
- backend => 67%
  - Fabien: 85% (support rotation)
  - Igor: 50% (onboarding buddy + security rotation)
  - Tetiana: 100%
  - Adam: 75% (Maintainership rotation)
  - Oscar: 25% (Onboarding)
- frontend => 100%
  - Fernando: 100%
Items slipping from the previous release
This is a rough list of the items that may have a significant impact on that release (no need to be an exhaustive list).
...
Product Goals in priority order
Always
| Feature | Links | Notes |
|---|---|---|
| Reaction rotation - Security | triage incoming bugs, security, customers, community contributions. use timeboxing. now must also include checking for new container OSes, tool versions, languages and package managers | |
| Reaction rotation - Maintainership | triage incoming bugs, security, customers, community contributions. use timeboxing. now must also include checking for new container OSes, tool versions, languages and package managers | |
| Reaction rotation - Support & Bugs | triage incoming bugs, security, customers, community contributions. use timeboxing. now must also include checking for new container OSes, tool versions, languages and package managers | |
| infradev | must do within SLO | |
| security | must do within SLO, start with P1, if none move to P2, if none move to P3. | |
| bugs | filled in as we have space | |
Time sensitive
| Feature | Links | Notes |
|---|---|---|
| Bump Analyzer Version | issue | in 15.0 Major+1 |
| Remove Temporary container for 3.9 python | issue | |
| [15.0] Remove bundler-audit analyzer | issue | |
| [15.0] Remove Retire.js from Dependency Scanning | issue | |
| [docs-only] Deprecation and Removal of 3.6 python for Dependency Scanning - swap for 3.9 | issue and issue | |
| [15.0 Feature flag] Rollout of legacy approval_status removal for License Compliance | epic | |
| [15.0] Remove legacy approval status names from managed_licenses API | issue | |
| [15.0] Remove ci_max_artifact_size_license_management column in the plan_limits table | issue | |
| [15.0] Remove deprecated DS_DEFAULT_ANALYZERS variable | issue | |
Major Projects
| Priority | Feature | Links | Notes |
|---|---|---|---|
| 1 | UBI/FIPS | - | - |
| 2 | License MR widget extension | epic | Major GitLab project to improve the MR; we are slightly behind and want to reach MVC parity |
| 3 | EPIC: Show paths to dependencies MVC | - | |
| 4 | EPIC: SBOM MVC | DS CycloneDX epic | |
We should be working on FIPS as much as possible; if there is no FIPS work available, we can work on the others. The priority order above is important.
GOALS
| Feature | Links | Notes |
|---|---|---|
| 1 test | all - this milestone | keep incrementally improving, do 1 per |
| 1 type::maintenance | all - P1 - this milestone | keep incrementally improving, do 1 per |
| 1 customer | all - this milestone | keep incrementally improving, do 1 per |
Stretch
| Feature | Links | Notes |
|---|---|---|
| EPIC: Engineering Research: How do we advance alternate license scanning | - | |
| Refactor / Containers | - | - |
| Help S&P / GitLab | mr widget work | |
| frontend | issues | UX Improvements (SUS), OKRs (pajamas), Feature Flag survey cleanup, 15.0 cleanup/prep |
| Unification of backend for CE & EE | | |
OKRs
| Feature | Links | Notes |
|---|---|---|
| Product | error budget | switch to new error budget method |
| Product | sec issue | See above top priority items |
| Product | SUS issues | none for CA last I looked |
| Product - Pajamas | issues and board and unassigned | If it has group::foundations on it, it can be re-assigned to your own group |
| UX | board | many labels, none of which I think we can take on right now |
| Engineering | | |
| Quality | | |
UX
UX Secure & Protect Team Planning Issue for 15.0
Quality
Technical Writing
| Issue | Technical writing weight |
|---|---|
| Reorganise License Compliance documentation page (gitlab-org/gitlab#346085 - closed) | tw-weight8 |
| TOTAL | 8 |
Notes
Please work the above in order. If something of a higher category comes in, feel free to swap it for a lower item (cc Sam and Oliver). If it does not fall into one of the above and you think it can wait, please place it in %Backlog.
Feel free to use the following message: "Here are our priorities for [calendar year 2022](https://gitlab.com/gitlab-org/secure/general/-/issues/187). Upvoting and commenting on issues is the best way to make sure an issue is considered high priority as backlog items begin to be brought back in."