Platform SIG March 24, 2026

Attending:

• Mark Waite
• Bruno Verachten
• Salman

Agenda

• Windows (MSI) installer signing certificate expires on May 16 - Mark Waite
  • [pkg.jenkins.io/release.jenkins.io] Certificate signing the MSI Jenkins package expires on 16 May 2026 - still open
  • About 2 months left - Mark has started the process, not panicked yet
  • Target: include new cert in 2.555.1 (April 15); fallback: .2 release (mid-May, closer to the edge than ideal)
  • From today’s infra meeting: MSI signing renewal is “absolute top priority (2nd)”
  • Discussion on jenkinsci-dev about switching from WiX/MSI to NSIS/EXE is still open, no decision yet
• Java 17 and 21: status update
  • Java 17 end-of-life proposal
    • March 31, 2026, is the warning date in the admin monitor - one week away
    • Weekly already stopped supporting Java 17 a long time ago; LTS 2.541.x still supports it
    • The next LTS upgrade (2.555.1) will absolutely stop supporting Java 17
    • Won’t change anything in the UI for current LTS users - warning banner stays as-is
    • Remove JDK17 from controller images is still open
  • Latest JDK versions in Docker images (unchanged)
    • JDK 17: 17.0.18+8
    • JDK 21: 21.0.10+7
    • JDK 25: 25.0.2+10
• Java 25
  • Released Sep 16, 2025
  • Jenkins core itself is compatible with JDK 25 since 2.534
  • Plugins are moving to JDK25
    • Now between 350 and 380 plugins compiling with JDK 25 as a target (up from 300+ two weeks ago), tracking page
    • Good organic growth (Mark)
  • https://github.com/orgs/jenkinsci/projects/41 is a GitHub project to see how we progress with JDK25
  • Beginning in March 2029, users will be warned that Java 25 will be reaching its end of support in the Jenkins project (next LTS JDK will be 29)
  • From today’s infra meeting: Jenkins controllers now running JDK25 (completed) - ci.jenkins.io is running JDK25, works just fine
• LTS updates
  • LTS 2.541.3 was released Mar 18, 2026
    • Security release - see 2026-03-18 security advisory
      • CVE-2026-33001 (High): Link following vulnerability allows arbitrary file creation during .tar/.tar.gz archive extraction (affects artifact archiving)
      • CVE-2026-33002 (High): DNS rebinding attack can bypass CLI WebSocket endpoint origin validation
      • CVE-2026-33003/CVE-2026-33004 (Medium): LoadNinja Plugin stores and displays API keys in plain text
  • New LTS baseline: 2.555
    • Next LTS: 2.555.1 on April 15, 2026 - 3 weeks from now
    • Release lead: Shalini Sudarsan with Kris Stern assisting (announcement)
    • This is the first LTS to drop Java 17 support
    • LTS release checklist “assumes you’re an expert” (Mark) - could use improvement for new release leads
• Spring Security 7 and Spring Framework 7 - Mark Waite
  • Available from yesterday
  • Not in LTS until July 2026
  • Spring Security 6.x end of support is June 31, 2026
• Container image updates for the Jenkins controller
  • LTS 2.541.3 (Mar 18) - security release (details above)
  • Three weekly releases: 2.554, 2.555, and 2.556
    • New features and improvements
      • feat: add linux/riscv64 platform to Debian images (#2277, @gounthar) - in 2.556
      • Spring Framework v7 + Spring Security v7 upgrade in 2.556 (released today) - intentionally placed after the LTS 2.555 baseline so it won’t be in 2.555.1
        • Mark ran all Jenkins core tests, plugin BOM tests, and ATH tests - all pass
        • Still watching carefully for user bug reports; may not be sufficient despite passing tests
        • Spring Security 6 end of public support: June 30, 2026 - brief window between June 30 and mid-July LTS where we’ll run an unsupported Spring version (same pattern as Spring Security 5→6 transition)
        • Jakarta Servlet 6.1 upgrade still pending - an even bigger change to come
        • Plugin developers: 1-2 minor changes were needed in core and some proprietary CloudBees plugins, but nothing dramatic
    • Security
      • 2.555 includes fixes per 2026-03-18 security advisory
    • Maintenance
      • chore(windows): no --parallel on build (#2280)
    • Dependency updates
      • Bump Debian version to 20260316
      • Bump RHEL version to 9.7-1774227732
      • Bump release-drafter/release-drafter from 6 to 7
• Three new releases for the SSH agent: 7.16.0, 8.0.0, and 8.1.0
  • Breaking changes
    • Default JDK is now 21 (#617, @lemeurherve) - in 8.0.0
  • New features and improvements
    • feat: add linux/riscv64 platform to Debian images (#621, @gounthar) - in 8.1.0
    • Bump Git version on Windows to 2.53.0.windows.2 - in 7.16.0
  • Dependency updates
    • Bump Debian Trixie Linux version to trixie-20260316
• Two new releases for the Docker agent/inbound-agent: 3355.v388858a_47b_33-16 and 3355.v388858a_47b_33-17
  • New features and improvements
    • feat: Add linux/riscv64 platform support for Debian images (#1172, @gounthar) - in -16
    • Bump Git version on Windows to 2.53.0.windows.2 - in -16
  • Maintenance
    • chore(updatecli): check for linux/riscv64 architecture in JDK manifests (#1174) - in -17
    • chore(windows): no --parallel on build (#1179)
  • Dependency updates
    • Bump Debian trixie Linux version to trixie-20260316
    • Bump UBI9 version to 9.7-1774227732
• RISC-V 64-bit image support - shipped!
  • riscv64 docker image - now CLOSED
  • linux/riscv64 Debian images now published across all three repos:
    • Controller: docker#2277 (in 2.556)
    • Docker-agent/inbound-agent: docker-agents#1172 (in 3355-16)
    • SSH-agent: docker-ssh-agent#621 (in 8.1.0)
  • UpdateCLI now checks for riscv64 architecture in JDK manifests (#1174)
  • Currently using QEMU emulation (like ppc64le) - works but “okay-ish”, real hardware is better for catching architecture-specific quirks
  • Bruno working on getting 2 real RISC-V machines as CI agents through the RISE project (RISC-V Software Ecosystem) - meeting scheduled today
  • Triggered by a single user request (docker-agents#1168 by @yuzibo) - proved there was demand beyond Bruno’s personal goal
  • More updates in 2 weeks
• Work in progress on images:
  • Controller:
    • feat(linux): add HEALTHCHECK instruction
    • Add environment variable substitution for reference configuration files
    • feat: Add custom root CA certificate import support
    • chore: don’t use JENKINS_REPO for tags and publication
  • Docker-agent:
    • chore(windows): build from Windows 2025 agents by default
    • chore(windows): run each JDK tests in parallel
  • Docker-ssh-agent:
    • feat: add Windows 2025 images for docker-ssh-agent
  • Deprecation and archival of jenkinsci/docker-inbound-agents
    • Accepted in Jan 13 meeting. Repository still not archived.
  • Support for Windows 2025 agents
    • Helpdesk ticket is closed
    • Windows 1809 images have been dropped across all three repos
    • Optimise cost and maintenance by merging Windows 2022 and Windows 2025 templates - pending bandwidth
  • Drop Windows 2019 support - in progress (infra)
• From today’s infra meeting - notable items:
  • Weekly 2.555 released last week, 2.556 releasing today (major change: new Spring version, per Mark)
  • Damien off until mid-April 2026
  • Azure sponsored subscription ($100k credits) now active, workloads being migrated
  • AWS costs still high ($9.5k forecast for March, down from $15.5k in January)
  • cdCon May 18-20 in Minnesota - Mark will be MC
    • CDF awards, including Jenkins Awards, will be announced there
  • Spot instance failure not retried on ci.jenkins.io - new issue
  • Postgres 13 losing Azure standard support on March 31 - affects Uplink, Rating, PHS, Keycloak
  • Provide Maven 4 pre-release templates on ci.jenkins.io - could be available soon
• Next meeting may have a change in how it’s handled - possibly a new lead for some time