Updates v3 warnings with varying messages based on instance configs #5679
Conversation
zenmonkeykstop
force-pushed
the
5672-update-v3-warnings
branch
from
30bcae8
to
34be75c
Compare
|
I'm leaving this as draft for now pending UX feedback. For @eloquence and/or @ninavizz attention, screenshots attached with suggested text/color from #5672 for both cases (and one with a smaller window just coz): |
Codecov Report
@@ Coverage Diff @@
## develop #5679 +/- ##
===========================================
- Coverage 85.54% 81.43% -4.12%
===========================================
Files 52 53 +1
Lines 3771 3969 +198
Branches 474 497 +23
===========================================
+ Hits 3226 3232 +6
- Misses 440 632 +192
Partials 105 105
Continue to review full report at Codecov.
|
zenmonkeykstop
force-pushed
the
5672-update-v3-warnings
branch
from
705d120
to
9b61677
Compare
zenmonkeykstop
requested review from
kushaldas and
redshiftzero
as code owners
| <div id="v2-onion-eol" class="warning-banner"> | ||
| {{ gettext('<strong>Update Required:</strong> Your SecureDrop servers are still running v2 onion services, which are being phased out for security reasons. In February 2021, v2 onion services will be disabled, and your SecureDrop servers may become unreachable. <a href="//securedrop.org/v2-onion-eol" rel="noreferrer">Learn More</a>') }} | ||
| <div id="v2-onion-eol" class="alert-banner"> | ||
| {{ gettext('<strong>Update Required:</strong> You must switch your SecureDrop to v3 onion services to ensure that it is reachable after April 30, 2021. <a href="//securedrop.org/v2-onion-eol" rel="noreferrer">Learn More</a>') }} |
There was a problem hiding this comment.
What about "update required" -> "action required"?
There was a problem hiding this comment.
There was a problem hiding this comment.
That might have been a bit facetious - I think it would be good to hash out final wording with the larger group and with @ninavizz' input.
There was a problem hiding this comment.
Thanks for the changes @zenmonkeykstop , once tests are added I believe this should be good to merge. My comments are mostly related to the language/style of the alerts, best suited to discuss in a synchronous discussion to reduce back and forth
|
|
||
| {% if g.show_v2_onion_migration_warning %} | ||
| <div id="v2-onion-eol" class="alert-banner"> | ||
| {{ gettext('<strong>Update Required:</strong> Your SecureDrop servers are still reachable via v2 and v3 onion services. Make sure admins, journalists, and sources are using v3 onion services - then disable v2 onion services. <a href="//securedrop.org/v2-onion-eol" rel="noreferrer">Learn More</a>') }} |
There was a problem hiding this comment.
I propose we word it as follows, as I was under the impression we were will be disabling v2 services as part of 1.8.0 (or later):
Make sure admins, journalists and sources are using v3 onion services, as they will be disabled disabled on $DATE
| </div> | ||
| {% endif %} | ||
|
|
||
| {% if g.show_v2_onion_migration_warning %} |
There was a problem hiding this comment.
Given that v3 has already been configured, it might make sense to make this alert a lower level than alert
|
Just created tickets in the docs repo, for requested changes for the Docs page this banner lands upon. Important for the banner to be meaningful or have impact, as it's the behavior of users from an experience we care about; not page prettiness. Will post mox here for banner, later today. |
zenmonkeykstop
force-pushed
the
5672-update-v3-warnings
branch
from
9b61677
to
2f4d8ce
Compare
|
Found the Issue for this, so put UX stuff in it per 2019 discussion to keep UX discussion out of PRs. |
|
|
||
| {% if g.show_v2_onion_migration_warning %} | ||
| <div id="v2-complete-migration" class="alert-banner"> | ||
| <img src="{{ url_for('static', filename='i/bang-circle.png') }}" width="20" height="20"> {{ gettext('<strong>Update Required:</strong> Steps remain to complete your onion service update. Please notifyyour admin. <a href="//securedrop.org/v2-onion-eol" rel="noreferrer">Learn More</a>') }} |
There was a problem hiding this comment.
typo: notifyyour->notify your
I'm fine with the wording here but I would suggest a slightly tweaked version
Update Completion Required: Steps remain to complete your SecureDrop server's update to v3 onion services.
Rationale:
-
The wording "Update Completion" is from @ninavizz's proposal in Add clearer action reminder in Journalist Interface to enable v3 #5672 and I think makes sense, especially since completing the update may involve landing page changes & multi-stakeholder comms. If it sounds too nonstandard, perhaps "Action Required" would work as well.
-
I think the phrase "v3 onion services" should be included because it very clearly identifies the technical component we're talking about (if I'm an admin, there's at least a chance I've heard of it). The user shouldn't have to click through to "Learn more" to find out that important detail.
-
IMO we can ditch the "Please notify" for brevity; it's essentially implied, not included in the other notice, and the person seeing the notice may well be an admin.
There was a problem hiding this comment.
How about best of all worlds:
"Action Required Set up v3 onion services before April 30 to keep your SecureDrop servers online. Learn more"
"Action Required Complete the v3 onion services setup before April 30. Learn more"
(This suggestion is based on both your comments above and feedback in #5672 - it's about as terse as I think it can get while still being accurate. I'm dead set against "Update Completion Required," it has a high cognitive load factor compared to just "Update required" IMO and reads like an awkward phishing attempt.)
|
Clearly identifying technical components to non-technical users, I am not ok with. This is not the time nor the place for that. Docs text is the time and place for that. Likewise, "implying" what action we want the user to take in a notification breaks the number one rule of notifications, which is to respect your user enough to directly tell them what is being asked of them. This text is for journalist users. Not admins. Sure, "some" admins are both, but the primary user here is journalists—whom are non-technical users. Period. We need them to alert their admins. Behavioral compliance is the desired outcome. My recommendations follow that. It is a known problem, getting orgs to follow update instruction. Please try something new, here, for a change. Most of the edit suggestions from @eloquence and @zenmonkeykstop break best-practice rules for messaging text, which frustrates me a lot. I did not compose the text willy-nilly, and am not looking for excuses to justify poor grammar. Those are simply industry standard rules, period. Security engineers are not the audience; non-technical users, are. The best summation of best practice "rules" for UI text that I've seen to date, are in Material.io's guide. I cannot give my blessing to messaging that neither tells the user explicitly what to do, nor that includes overly technical details. If this were the Admin UI, it would be different, but it is not. It is the Journalist UI. |
|
Fair enough, will update banners as per text in #5672 and call it done. |
If this is in reference to whether or not to include "v3 onion services" in the banner, then I disagree, but I'll defer to @emkll to make the final call here in review. |
There was a problem hiding this comment.
I left a few comments inline, but tl;dr I think that the language proposed in #5679 (comment) seems like the best approach to me.
I however disagree with the following:
IMO we can ditch the "Please notify" for brevity; it's essentially implied, not included in the other notice, and the person seeing the notice may well be an admin.
It seems that through the back-and-forth and different perspectives, we all agree with the ultimate goal of this change: Upon seeing the notification,a Journalist should contact their administrator (so that the administrator can migrate their instance to v3 onion services). This will ensure journalists reach out to admins, reducing the risk of potential confusion. We should therefore be concise and accurate when describing the issue.
In other words, the goal of this PR as I see it, is to
- Have journalists contact admins
- When contacting their admin, the journalist can describe the issue in less than a sentence
Better phrased by @zenmonkeykstop in #5672 (comment) :
We're not providing directly relevant instructions/warnings, we're trying to convince users that there's a completely new problem that they have to go and solve somewhere else.
The guidance/instructions for the migration (and its rationale) is provided in the documentation, this PR merely introduced a notification. Being concise and (technically) accurate to me is key here, provided of course, it results in a journalist reaching out to an administrator after looking at the notification.
We should ensure both journalists and admins are not alarmed by the messaging (adhering to the existing tone/language in the Journalist Interface is one way of doing that). Given the timeline, I would be inclined to reserve changes to style for a later date, especially given the relatively straightforward nature of the task, from the perspective of a journalist (please reach out to your admin)
What do you all think with the following?
"Action Required Set up v3 Onion services before April 30 to keep your SecureDrop servers online. Please contact your administrator or learn more"
"Action Required Complete the v3 Onion Services setup before April 30. Please contact your administrator or learn more"
|
|
||
| {% if g.show_v2_onion_migration_warning %} | ||
| <div id="v2-complete-migration" class="alert-banner"> | ||
| <img src="{{ url_for('static', filename='i/bang-circle.png') }}" width="20" height="20"> {{ gettext('<strong>Update Required</strong> Steps remain to complete your onion service update. Please notify admin. <a href="//securedrop.org/v2-onion-eol" rel="noreferrer">Learn More</a>') }} |
There was a problem hiding this comment.
I agree with your comment in #5679 (comment)
steps remain to complete -> complete , in the spirit of not only less is more, but it may be interpreted by a journalist that they (the journalist) need to update something.
There was a problem hiding this comment.
I propose we also update the wording
please notify admin -> please notify your administrator.
From the associated issue:
UI text is often not grammatically correct per-se, for usability reasons.
In my experience, this makes translation more difficult.
| <div id="v2-onion-eol" class="warning-banner"> | ||
| {{ gettext('<strong>Update Required:</strong> Your SecureDrop servers are still running v2 onion services, which are being phased out for security reasons. In February 2021, v2 onion services will be disabled, and your SecureDrop servers may become unreachable. <a href="//securedrop.org/v2-onion-eol" rel="noreferrer">Learn More</a>') }} | ||
| <div id="v2-onion-eol" class="alert-banner"> | ||
| <img src="{{ url_for('static', filename='i/bang-circle.png') }}" width="20" height="20"> {{ gettext('<strong>Update Required</strong> Your SecureDrop servers must be updated to v3 onion services by April 30 to remain live. <a href="//securedrop.org/v2-onion-eol" rel="noreferrer">Learn More</a>') }} |
There was a problem hiding this comment.
I recommend something along the lines of "please notify your administrator" per @ninavizz comment in #5679 (comment)
We need them to alert their admins.
| <div id="v2-onion-eol" class="warning-banner"> | ||
| {{ gettext('<strong>Update Required:</strong> Your SecureDrop servers are still running v2 onion services, which are being phased out for security reasons. In February 2021, v2 onion services will be disabled, and your SecureDrop servers may become unreachable. <a href="//securedrop.org/v2-onion-eol" rel="noreferrer">Learn More</a>') }} | ||
| <div id="v2-onion-eol" class="alert-banner"> | ||
| <img src="{{ url_for('static', filename='i/bang-circle.png') }}" width="20" height="20"> {{ gettext('<strong>Update Required</strong> Your SecureDrop servers must be updated to v3 onion services by April 30 to remain live. <a href="//securedrop.org/v2-onion-eol" rel="noreferrer">Learn More</a>') }} |
There was a problem hiding this comment.
nit: I think onion services need to be capitalized
| <div id="v2-onion-eol" class="warning-banner"> | ||
| {{ gettext('<strong>Update Required:</strong> Your SecureDrop servers are still running v2 onion services, which are being phased out for security reasons. In February 2021, v2 onion services will be disabled, and your SecureDrop servers may become unreachable. <a href="//securedrop.org/v2-onion-eol" rel="noreferrer">Learn More</a>') }} | ||
| <div id="v2-onion-eol" class="alert-banner"> | ||
| <img src="{{ url_for('static', filename='i/bang-circle.png') }}" width="20" height="20"> {{ gettext('<strong>Update Required</strong> Your SecureDrop servers must be updated to v3 onion services by April 30 to remain live. <a href="//securedrop.org/v2-onion-eol" rel="noreferrer">Learn More</a>') }} |
Sounds good from my end (I'm assuming formatting as in the current implementation). I have a soft preference for "Please contact your administrator. [Learn more]" over "Please contact your administrator or learn more", but either is fine with me. Thanks much y'all for hammering this out. |
|
Updating banner text based on recent discussion. |
There was a problem hiding this comment.
Thanks @zenmonkeykstop and everyone for input here, this is now good to merge for inclusion in the upcoming 1.7.0 release.
Status
Work in progress
Description of Changes
Fixes #5672 .
Updates the upgrade banner text/color in the Journalist Interface for instances with v2+v3 onion services enabled, and separate more urgent message if an instance is v2-only.
Testing
Staging:
make build-debsandmake stagingagainst this branchapp-stagingserver, remove the file/var/lib/securedrop/source_v3_url, and restart apacheDeployment
Deployed as part of regular install/update.
Checklist
If you made changes to the server application code:
make lint) and tests (make test) pass in the development containerIf you made non-trivial code changes:
Choose one of the following: