Governance Meeting, March 20, 2023

2023-03-20T17:00:00Z

Participants: Mark Waite, Basil Crow, Alexander Brandes, Bruno Verachten, Oleg Nenashev, Daniel Beck

Agenda:

  • Claim from BMC to GitHub Trust and Safety (update center PR 692)
    • Late last week GitHub organization owners received a report claiming publication of private information, copyrighted material, or passwords without consent
      • Tim asked the committers what is happening
      • Daniel filed a pull request to stop distribution of BMC Compuware plugins
      • Maintainer responded by rewriting the repository history (as recommended by GitHub)
      • The immediate notification was addressed, but the organization's claim that its own published sources were private information was inconsistent
      • Nov 2022 several BMC plugins were relicensed to proprietary license (no longer OSI approved)
      • What next?
        • Suspend everything from BMC
        • Decide how to proceed next
        • Do they want to remain hosted?
        • Why was a claim filed?
        • Do we need to delete or remove artifacts?
        • Copyright claim was in tests, but if in source files, then should we remove it from artifact repository
      • Mail arrived last Friday or last Saturday
      • If GitHub gives us only 3 days to respond, then we are almost out of time to respond
      • Plugin is published by BMC with a copyright claim by BMC
        • Delete it out of principle, let their customers complain
        • Suspend distribution immediately (easy to do, 1 pull request)
        • Can block further plugin releases until issue is resolved
        • Could move the artifacts into a private repository so that they are not available from repo.jenkins-ci.org (similar to how we stage security releases)
        • Removing old versions with an OSI compliant license seems too much
      • Complaint is filed against the repository
        • Make the repository private or transfer it to a different organization temporarily
        • Do not want to risk the rest of the jenkinsci organization
        • Before publication, need a resolution to the license issue
        • Make the repository private first, then …
        • Transfer the repository to an organization defined by the plugin maintainers, then they submit a hosting request to ask for Jenkins hosting
        • If they do not repair the licensing, the transfer remains permanent and the plugin remains no longer published
      • GitHub trust and safety needs immediate action
        • Don’t risk that we’re locked out of GitHub by bogus claims to GitHub Trust and Safety
        • When a repository is made private, it detaches the fork network
          • Consider search for other risky strings, make those repos private as well
        • Suspend the plugins
        • Daniel's PR suggests suspending all Compuware and BMC plugins
          • That may be more than we need, since license and GitHub Trust and Safety are limited to a few plugins, specifically previously owned by Compuware
        • What do the maintainers need to do to restore distribution?
          • Active confirmation that other BMC repositories are approved
      • Proposals for discussion
        • Make Compuware / BMC repositories private, pending confirmation that GitHub Trust & Safety claims have been rescinded and no future claims will be made
          • Alternative 0 - Do not do anything
          • Alternative 1 - Only common-configuration
          • Alternative 1.5 - Only common-configuration until the second complaint, then everything (Basil, DB, Oleg, Alex, Mark)
          • Alternative 2 - All (preferred by Basil)
          • Alternative 3 - Any plugins that would match the complaint
          • Alternative 4 - Alternative 1 and Transfer repository to one or more maintainers
          • Alternative 5 - Alternative 2 and Transfer repository to one or more maintainers (Bruno)
          • Alternative 6 - Alternative 3 and Transfer repository to one or more maintainers
        • Block future releases of non-OSI Compuware / BMC plugins, pending restoration of OSI compatible license
          • Alternative 0 - Do not do anything
          • Alternative 1 - (preferred by Basil, DB, Oleg, Alex, Mark, Bruno)
        • Suspend distribution of Compuware / BMC plugins
          • Alternative 0 - Do not do anything
          • Alternative 1 - suspend all, pending confirmation that GitHub Trust & Safety claims have been rescinded and no future claims will be made, and restoration of OSI compatible license (preferred by Basil, DB, Alex, Mark)
          • Alternative 2 - remove non-compliant licensed plugin releases, pending restoration of OSI compatible license (Oleg, Bruno)
        • Remove Compuware / BMC plugins from artifact repository
          • Alternative 0 - Do not do anything
          • Alternative 1 - remove all, pending confirmation that GitHub Trust & Safety claims have been rescinded and no future claims will be made, and restoration of OSI compatible license (easier for DB, Alex, Mark, Basil)
          • Alternative 2 - remove non-compliant licensed plugin releases, pending restoration of OSI compatible license (preferred by Basil, Oleg, Alex, Bruno)
    • Action items:
  • News
    • Jenkins 2.387.1, 2.375.4, and 2.394 released March 8, 2023
    • Plugin security advisory announced for tomorrow, March 21, 2023
  • Action Items
    • EasyCLA to be documented by Oleg
      • No progress, no requests pending, pick it up if there are CLA submissions
    • Mark Waite submit jenkins.io pull request to combine subprojects and SIGs into a single concept - “working groups”
      • No progress, Mark to complete
      • Roadmap update pull requests, make it current for April 12 CDF TOC presentation
    • Retire the Chinese Jenkins site
      • Chinese site link removed from www.jenkins.io header
      • Rick recommends that we redirect the Chinese pages to English equivalents
      • Kevin Martens (Docs Officer) tracking help desk ticket to replace the Chinese pages with redirects to the English pages
    • Mark Waite and Gavin “halkeye” Mogan archive the governance meeting notes to a GitHub repository, use the Google doc as the working document, then publish final notes
      • Gavin has prepared the archive, need a destination repository
      • Alexander Brandes has something in mind on how to structure things.
      • Infra team raised the repository location as a question
      • Oleg prefers jenkinsci rather than jenkins-infra for a governance repository (this is not about the archive repository!)
        • Mark to check the infra team preference and discuss if it is not jenkinsci
    • Build Monitor View plugin repository transfer to jenkinsci org @Basil
  • Jira license changes complete for Jenkins project
    • Transition is complete, announced in blog post
    • Thanks to Atlassian for the donation and thanks to Linux Foundation for Jira hosting
  • CDF topics
    • Jenkins project presentation to the CDF Technical Oversight Committee April 12, 2023
      • Mark Waite prepare and present Jenkins status report
        • Mark create presentation, share it with this group, invite comments, corrections
        • Last TOC confirmed that they are OK with a project review that looks at participation in addition to technical topics
    • LFX Tools working group starting based on last CDF TOC meeting
  • Community activity
    • Artifactory bandwidth reduction project https://repo.jenkins-ci.org
    • Google Summer of Code 2023
      • 22 draft proposals submitted for review by potential mentors
  • Adjusting meeting time for European change to Daylight Saving Time?
    • In past years, we’ve adjusted meeting start time so that it remains at the same hour of the day for our European board members, whether they are in summer time or not