Governance Meeting, December 9, 2024

2024-12-09T17:30:00Z

Attendees

Upcoming Calendar

  • Election results announced
  • Next weekly release: 2.489, Tuesday December 10, 2024
  • Next LTS: 2.479.3, January 8, 2025 - Kris Stern release lead, using LTS release checklist
    • Release candidate Wednesday December 11, 2024
  • Choose next LTS baseline 18 Dec 2024
  • Next major events:
    • Jenkins contributor summit 31 Jan 2025
      • Alyssa Tong has the venue for up to 24 participants and is organizing logistics
      • Bruno Verachten organizing the agenda
    • FOSDEM 2025 - February 1-2, 2025
      • Jenkins is confirmed for a stand
      • We plan to sell Jenkins T-shirts, brought to Belgium by Mark Waite

Agenda

News

  • Jenkins 2.479.x release dates
    • 08 Jan 2025 - 2.479.3 (two week break at end of year)

Action Items

  • Basil create the attribution entries for the downloads page
    • Jenkins sponsors have changed
    • Continues on the to-do list draft PR

Community activity

  • Jenkins Content Security Policy project
    • Announcement, progress report one, and progress report two
    • Adapting plugins to be compatible with a future, broader implementation of a more restrictive content security policy
    • Submitting pull requests, releasing plugins, preparing for future enablement in core
    • Project has been running for 10 weeks - tracking sheet shows great progress
    • Yaroslav Afenkin and Shlomo Dahan on the project until end of calendar year
      • Think we may be able to fix most detected violations for plugins above 10k installs
      • May have time to resolve some plugins above 1k installs
    • Released CSP fixes for Jenkins core and more than 40 plugins
    • Run Jenkins ATH with CSP enabled
    • Static Analysis of CSP violations across the Jenkins repositories (Daniel Beck’s CSP scanner)
    • Will continue to deliver more fixes
      • Basil runs ATH with CSP violation checking regularly
      • Detects regressions reliably
      • Static analysis has some false positives and false negatives
        • Would want to further refine before it is a part of every build
      • If we can reach a point of confidence, can include it in plugin builds
      • ATH is sufficient for those plugins covered in ATH
  • Jenkins Content Security project part 2
    • Possible project scope is being discussed with Jenkins security team
    • No funding commitment from Alpha Omega yet, but hopeful they will fund the next phase of the project
      • Mark Waite check with Michael Winser on details needed to request 2025 funding
  • Spring Security 6.x Upgrade - mailing list thread
    • Upgrade guide and changelog
      • Some plugins require a lockstep upgrade
      • Build failure results analyzer known failure
        • Requires a lockstep upgrade in a relatively minor feature of the plugin (released 6 weeks ago)
    • EnvInject plugin specific issue
      • Documentation update on the Env Inject plugin in the LTS upgrade guide
        • Much larger project to make a larger fix
        • Multiple duplicates of this issue, likely more once Java 17 is required in LTS
        • Redirect people to that comment
  • Contributor Spotlight
    • 12 months of contributor spotlights completed, more to come
    • Recently published: Vincent Latombe

Governance Topics

  • Meeting time proposals

    • Second Monday of each month at 17:30 UTC
      • Early enough for Arizona, California, and Colorado
      • Late enough for Europe
      • Approved by all 4 attending board members
  • $9000 available for Jenkins project at Software in the Public Interest

    • Approved last meeting that funds will be used as travel reimbursement for Jenkins Contributor Summit and FOSDEM
    • Can we finalize the priority by end of this week?
      • Allow time to confirm with proposed attendees and let them schedule travel before end of calendar 2024
      • Confirmed that we will complete prioritization this week, notify participants next week
  • Cloud expenses and plans

    • Azure (CDF paid)
      • July: $4.6k
      • August: $4.5k
      • September: $3.9k
      • October: $4.2k
      • November: $4.3k
    • Azure Sponsorship (Microsoft Credits) - $41k remaining, donation ends May 2025
      • July: $10k
      • August: $10.5k
      • September: $10.3k
      • October: $12.9k
      • November: $13k
    • DigitalOcean - Remaining $15k (~5k consumed) until 02 January 2025
      • July: $176
      • August: $200
      • September: $158
      • October: $196
      • November: $146
    • AWS:
      • CloudBees:
        • July: $6.5k
        • August: $6.3k
        • September: $6.3k
        • October: $6.4k
        • November: $3.9k
      • Sponsored account
        • October: $178
        • November: $482
        • Global Status:
          • Credits left: $59,800 until 31 January 2025
          • Credits left: $60k until 31 July 2025
        • Moving ci.jenkins.io to AWS sponsored account
          • Likely $10k per month Dec 2024 - Jul 2025
  • Java tip and tail release model discussion 17 Dec 2024

    • Bruno attend for Jenkins project, consider Basil as a possible attendee
    • How can downstream libraries adopt the release model?
      • What if Eclipse Jetty adopts it or if Spring adopts it?