Attending:
- Yatharth Katta
- Hervé Le Meur
- Salman
- Rahul Barma
- Bruno Verachten
Agenda
- Windows (MSI) installer signing certificate expires in May - Mark Waite
- Needs a combined effort of platform SIG, infrastructure, and MSI installer maintainers
- Last renewal required 2-3 months to satisfy all the requirements from the certificate issuers
- Mark started something, and will be back at it after his holiday
- [pkg.jenkins.io/release.jenkins.io] Certificate signing the MSI Jenkins package expires on 16 May 2026
- Interesting discussion on jenkinsci-dev about switching from WiX/MSI to NSIS/EXE (additional reply)
- Alex Earl proposes migrating to NSIS to reduce build complexity (no .NET dependency, can build on Linux)
- Fritz Elfert points out WiX can already run on Linux via Docker, and MSI was likely chosen for SCCM (System Center Configuration Manager, now Microsoft Endpoint Configuration Manager) compatibility - many corporations mandate SCCM for software deployment, and it works natively with MSI packages
- No decision yet, seeking community input
- Java 17 and 21: status update
- Java 17 end-of-life proposal
- March 31, 2026, is the warning date in the admin monitor
- Jenkins Core 2.545+ requires JDK21, LTS 2.541.x still supports Java 17
- Next LTS baseline (to be selected March 4, 2026) will drop Java 17 support
- Remove JDK17 from controller images is still open
- Misguided PR to jenkins.io tried to switch Docker docs back from JDK21 to JDK17 - was closed
- Latest JDK versions in Docker images
- JDK 17: 17.0.18+8
- JDK 21: 21.0.10+7
- JDK 25: 25.0.2+10
- Java 25
- Released Sep 16, 2025
- Jenkins core itself is compatible with JDK 25 since 2.534
- Plugins are moving to JDK25
- More than 300 plugins are already compiling with JDK 25 as a target
- Mark’s checks show 220+ of 250 repositories already testing with Java 25
- Ignored deprecated repositories
- Ignored archived repositories
- Ignored repositories that do not have a Jenkinsfile
- https://github.com/orgs/jenkinsci/projects/41 is a GitHub project to see how we progress with JDK25
- Beginning in March 2029, users will be warned that Java 25 will be reaching its end of support in the Jenkins project.
- Would be nice to have a bar chart of JDK version distribution, with plugins grouped by popularity
- Docker Hub 429 rate limit errors (infra topic)
- 429 rate limit errors from Docker Hub since January 2026 - still open
- Linux image publication with docker buildx bake started failing with HTTP 429 around Feb 4, 2026
- Even authenticated with the Jenkins sponsored Docker account
- Docker support escalated to their infra/hub team
- Root cause investigation: Jenkins account request rate reported as ~3000/min by Docker (later found to be much lower, ~690 requests/hour normally)
- The docker-agents repo was not using infra.withDockerCredentials during builds on ci.jenkins.io (only during publication on trusted.ci), likely explaining why this repo was hit harder than others
- Workaround: batching Linux images publication by distribution
- Related infra work:
- Move docker controller images publication job from trusted.ci to release.ci - in progress
- Clarification for Dockerhub publishing of controller containers - process documented
- Docker controller publication job was temporarily disabled after old tags were unexpectedly republished
- Container image updates for the Jenkins controller
- LTS
- 2.541.2 was released Feb 18, 2026
- Security: fixes per the 2026-02-18 security advisory:
- CVE-2026-27099 (High, CVSS 8.8): Stored XSS in node offline cause description
- CVE-2026-27100 (Medium, CVSS 4.3): Build information disclosure via run parameter
- Release Lead: Shalini with @krisstern assisting
- Weekly 2.551 (released Feb 18, 2026)
- Security: same fixes as LTS 2.541.2 above
- Bug fixes:
- fix(windows): proper tags on publication (#2255)
- Maintenance:
- chore: quiet docker compose file generation (#2254)
- Other notable merged PRs:
- fix: restore JENKINS_VERSION env var in images (was missing from images - issue #2260), labeled into-lts
- chore(pipeline): use infra.withDockerCredentials only on publication - ensures mirror registry is properly tested
- chore(updatecli): track JENKINS_VERSION in expected_env_vars_except_hostname.txt
- fix: prevent images publication if not latest Weekly or LTS - was reverted in #2257 due to issues
- Dependency updates:
- Bump RHEL version to 9.7-1771346757
- No new releases for the SSH agent since 7.14.0 (Feb 8)
- Two new releases for the Docker agent/inbound-agent:
- 3355.v388858a_47b_33-13 (Feb 14)
- Breaking change: Default JDK is now 21 (#1133, @timja)
- Maintenance:
- chore(pipeline): facilitate replay of specific bake targets (#1159)
- chore(updatecli): target build.ps1 renamed to make.ps1 (#1158)
- 3355.v388858a_47b_33-14 (Feb 17)
- Maintenance release to validate publication process
- fix(pipeline): pass publication env vars to all stages (#1161)
- chore(pipeline): batch Linux images publication by distribution (#1162)
- Merged PRs:
- Work in progress on images:
- Controller:
- feat(linux): add HEALTHCHECK instruction
- Add environment variable substitution for reference configuration files
- feat: Add custom root CA certificate import support (new, community contribution for enterprise environments)
- chore: don’t use JENKINS_REPO for tags and publication
- Docker-agent:
- Docker-ssh-agent:
- Deprecation and archival of jenkinsci/docker-inbound-agents
- Accepted in Jan 13 meeting. Archival in progress.
- Support for Windows 2025 agents
- Helpdesk ticket is now closed
- Windows 1809 images have been dropped across all three repos
- Controller: