Governance Meeting, October 14, 2024

2024-10-14T18:00:00Z

Attendees

Upcoming Calendar

  • Election voter registration in progress, September 16 - October 31, 2024
  • Next weekly release: 2.481, Tuesday October 15, 2024
  • Next LTS: 2.479.1, October 30, 2024, release candidate Wednesday 16 Oct 2024
  • Next major events:

Agenda

News

  • Hacktoberfest runs from October 1, 2024 through October 31, 2024
  • Jenkins 2.479.x release dates
    • 30 Oct 2024 - 2.479.1
    • 27 Nov 2024 - 2.479.2
    • 08 Jan 2025 - 2.479.3 (two week break at end of year)
  • Jetty project announced a vulnerability that was fixed in a previous Jetty release
    • Not affected in 2.479, already using most recent version
    • Existing LTS line may be affected, needs more discussion with security team
      • May not affect Jenkins at all, uncalled method

Action Items

  • Basil create the attribution entries for the downloads page
    • Jenkins sponsors have changed
    • Continues on the to-do list draft PR
  • Kevin Martens retire the Chinese Jenkins site
    • Kevin and Mark will meet with Damien in November
    • More work pending
    • Basil has lots of experience with redirecting if needed, don't break the URLs

Community activity

  • Contributor Spotlight
  • Jenkins Content Security Policy project
    • Project has been running for a few weeks
    • Released CSP fixes for about a dozen plugins and in Jenkins core
    • Run Jenkins ATH with CSP enabled
    • Static Analysis of CSP violations across the Jenkins repositories
    • Yaroslav Afenkin and Shlomo Dahan both planned to work on it over the next 3 months
      • Think we may be able to fix all detected violations for plugins above 10k installs
      • May have time to resolve some plugins above 1k installs
    • Will continue to deliver more fixes
    • Can we include static analysis to defend us against the injection of new violations?
      • Basil plans to run ATH with CSP violation checking regularly
      • Detects regressions reliably
      • Static analysis has some false positives and false negatives
        • Would want to further refine before it is a part of every build
        • Static analysis arrived only a day or two ago, very new
      • If we can reach a point of confidence, can include it in plugin builds
      • ATH is sufficient for those plugins covered in ATH
    • Monthly report is due to Alpha Omega by Bruno Verachten
      • Attended one of the meetings, in the loop

Governance Topics

  • Proposal to remove promotion of geopolitical causes from Jenkins project
    • Remove the Ukraine messaging
      • Been visible on the site for a little over two years. OK to remove it now
    • Close the issue that proposes to add Palestine messaging
    • Focus on being an open-source software project without having to decide which geopolitical causes to promote
    • Approved by all attending the meeting - 3 board members plus 1 officer
    • Basil take the action item to implement it
  • $9000 available for Jenkins project at Software in the Public Interest
    • Cannot be transferred to Crowdfunding or the Linux Foundation
    • Can be used to reimburse expenses that directly benefit the Jenkins project
    • Mark reviewed several topics
      • Travel funding for Jenkins Contributor Summit and FOSDEM
      • T-shirt production for FOSDEM
      • Funding for equipment
  • Governance board and Jenkins officer voter registration in progress - Election Calendar
    • Blog posts
    • Governance board term ends in December for Alex and Ulli
    • Governance board positions are available for election for the term 2024/12/03 - 2026/12/02
    • 6 candidates nominated and confirmed for 3 positions on the governance board
      • Alex Earl
      • Alexander Brandes
      • Kris Stern
      • Oleg Nenashev
      • Stefan Spieker
      • Valentin Delaye
    • 2 candidates nominated and confirmed for Release Officer
      • Alex Earl
      • Tim Jacomb
    • 1 candidate nominated and confirmed for each of the other officer positions
      • Alyssa Tong - Events Officer
      • Damien Duportal - Infrastructure Officer
      • Kevin Martens - Documentation Officer
      • Wadeck Follonier - Security Officer
  • Spring Security 6.x Upgrade - mailing list thread
    • Phase 1 - Apache File Upload 2.0 - done
    • Phase 2 - Require Java 17 in weekly - done
    • Phase 3 - Upgrade Jetty 10 to Jetty 12 EE 8 - done
    • Phase 4 - Upgrade Jetty 12 EE 8 to Jetty 12 EE 9 + Spring Security 6.x - done
    • Some lockstep plugin updates needed for Spring Security 6.x Upgrade
      • LDAP plugin lockstep upgrade as noted in 2.475 changelog, LDAP plugin changelog, and community.jenkins.io post
      • CAS plugin lockstep upgrade as noted in 2.475 changelog and
      • Documentation update on the Env Inject plugin that will be included in the LTS upgrade guide
        • Much larger project to make a larger fix
        • Multiple duplicates of this issue, likely more once Java 17 is required in LTS
        • Redirect people to that comment
    • Known failure in the build failure results analyzer
      • Will require a lockstep upgrade in a relatively minor feature of the build failure results analyzer
    • Other details
  • Cloud expenses and plans
    • Azure (CDF paid)
      • June: $4,287
      • July: $4,571
      • August: $4,552
      • September: $3,910
    • Azure Sponsorship (Microsoft Credits)
      • June: $7.3k
      • July: $10k
      • August: $10.5k
      • September: $10.3k
    • DigitalOcean - Remaining $15,852.91 (~4k consumed) until 02 January 2025
      • June: $165.32
      • July: $176.01
      • August: $200.08
      • September: Forecast at ~$160
    • AWS:
      • CloudBees:
        • June: $5,862
        • July: $6.5k
        • August: $6.3k
        • September: $6.3k
      • Sponsored account
        • Global Status:
          • Credits left: $60,000 until 31 January 2025
        • Moving ci.jenkins.io to AWS sponsored account in October
          • Likely $10k per month Oct 2024 - Jan 2025