From Feb 27th to March 13th the 0.6 SecureDrop milestone is in Q/A. If you are interested in participating, please vote below. If there is enough interest, detailed instructions will be provided to distribute the workload.
Yes, Q/A is tedious when you repeat the same manual steps for the 100th time. But if that’s your first time, it is a great learning experience. It is also an opportunity to significantly help produce a quality release and to talk with the developers, who will be eager to fix the bugs you file on that occasion.
Yes, I want to help with Q/A, count me in!
No, I unfortunately cannot but you have my full moral support.
That’s five of us: more than enough to deserve a little preparation. A very useful part of QA is to use the journalist interface as well as the source interface in conditions that are very close to production. The first step to do that is to start a staging environment.
I propose each of us does that and displays a screenshot of the Tor Browser showing:
The source interface
The journalist interface displaying at least one submission
The screenshot must display the .onion URLs of the journalist and source interfaces to show we did not run make dev instead.
Here are my screenshots and the instructions I followed:
make build-debs
vagrant up /staging/
vagrant ssh app-staging
sudo su
cd /var/www/securedrop/
./create-dev-data.py
Then exit from the vagrant ssh
copy cat install_files/ansible-base/app-journalist-aths and paste in ~/Downloads/tor-browser_en/Browser/TorBrowser/Data/Tor/torrc
Start Tor Browser
The journalist link is given in install_files/ansible-base/app-journalist-aths and the source link is in install_files/ansible-base/app-source-ths.
QA started today and once you have a staging environment you are ready to run the QA steps. If this is your first time doing QA for SecureDrop, please ask questions in this thread or in Gitter instead of adding to the QA issues. This way we will be able to answer any questions you may have and not interfere with more experienced developers.
Landing page base cases
✓JS warning bar does not appear when using Security Slider high
✓JS warning bar does appear when using Security Slider Low
First submission base cases
✓On generate page, refreshing codename produces a new 7-word codename
✓On submit page, empty submissions produce flashed message
✓On submit page, short message submitted successfully
- On submit page, file greater than 500 MB produces “The connection was reset” in Tor Browser quickly before the entire file is uploaded
✓On submit page, file less than 500 MB submitted successfully
Returning source base cases
✓Nonexistent codename cannot log in
✓Empty codename cannot log in
✓Legitimate codename can log in
✓Returning user can view journalist replies - need to log into journalist interface to test
Journalist Interface
Login base cases
✓Can log in with 2FA tokens
✓Incorrect password cannot log in
✓Invalid 2FA token cannot log in
✓2FA immediate reuse cannot log in
Index base cases
✓Filter by codename works
✓Starring and unstarring works
✓Click select all selects all submissions
✓Selecting all and clicking “Download all” works
Individual source page
✓You can submit a reply and a flashed message and new row appears
✓You cannot submit an empty reply
✓Clicking “Delete collection” and the source and docs are deleted
- You can click on a document and successfully decrypt using application private key
Basic Server Testing
- I can access both the source and journalist interfaces
- I can SSH into both machines over Tor
- AppArmor is loaded on app
- AppArmor is loaded on mon
- Both servers are running grsec kernels
- iptables rules loaded
- OSSEC emails begin to flow after install
- OSSEC emails are decrypted to correct key and I am able to decrypt them
Command Line User Generation
- Can successfully add admin user and login
Although I’ve performed the tests under Basic Server Testing on a Debian machine, I haven’t performed them on an ‘Admin Tails Drive’. Thus I have marked them as untested.