2022-07-20T16:00:00Z
July 20, 2022
-
Video index
-
Attending
- Mark Waite
- Wadeck Follonier
- Daniel Beck
- Tim Jacomb
- Cristina Pizzagalli
- Antoine Neveux
- Bruno Verachten
- Adrien Lecharpentier
-
Recording:
-
Security reviews for UX pull requests - Wadeck
- Review how it is working; are we blocking pull requests?
- Feedback from others? Is the security team responding quickly enough?
- One that is pending for a month and has not been reviewed
- Symbol change, review planned soon by Daniel Beck
- Colored node labels review pending for two weeks
- Ongoing discussion trying to understand how it will work
- Trying to understand if the PR needs substantial rework before security review
- If the feature offers a fixed selection of colors, it will need a selector rather than a free-text field
- Consider adding a label that states that a security change is needed
- The Tippy pull request needs a security fix, but there is no label identifying that
- Security team plans to continue review process so long as they find security issues in PRs
- Cheaper for the security team to find the issues before the PR is merged
- Continue this as a meeting agenda item
- If the security reviews become a serious barrier, we want to discuss
- 3 need review, 30 have been reviewed and approved since the process started
-
UX improvements - Jan Faracik & Tim Jacomb
- Daniel: New UX paradigms in mostly unrelated PRs
- One of the recent pull request reviews noted that new UI elements are arriving in unrelated changes without impact assessment for larger ecosystem
- 2.360 includes the new configuration form with title on the side panel
- New pull request brings title onto the side panel for the plugin manager
- Introduced a separator in the side panel (sensible, but incomplete?)
- Better to separately discuss and review changes that have a larger downstream impact
- Some process, like a JEP, that encourages discussion
- Considering that as a possible future destination
- Would need updates in many plugins to move the title
- Moving scrollspy tabs to side panel
- Side panels are reused for multiple pages
- Being discussed in the pull request
- Developer improvement for Jenkins CI org GitHub comment ops
-
Daniel: CSP compatibility of new code
- Content security policy compatibility for the Jenkins pages
- Need to un-inline the JavaScript from more pages
- Propose for Jenkins core (and possibly for plugins) the principle that new and substantially changed JavaScript should be CSP compatible
- Don’t place JavaScript inline in Jelly pages
- Don’t mix Jelly variables with inline JavaScript
- Use modern form validation
- Do not use eval in Jelly code
- Violations are more likely to come from a less-experienced developer or a new contributor
- Add to the CONTRIBUTING guide? Daniel plans to do that
- Could we add those types of checks to lint in the future?
- Could consider InjectedTest or others that look for CSP violations
- May be able to add now or soon and ignore untouched files
- More difficult to ignore dynamically generated JavaScript
- Could ignore specific Jelly files with known issue
- Not yet ready for widespread application of a lint rule
- Build button with its context menu
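The rules listed above can be checked mechanically, which is what the lint idea amounts to. The following is an added example, not Jenkins core code and not an existing lint rule: a regex-based scanner for each anti-pattern, run over two constructed Jelly views, a "before" that breaks every rule and a CSP-compatible "after". The `st:adjunct` include, the `checkDependsOn` attribute and the hand-off of server data through a `data-` attribute are Jenkins idioms the example assumes; the plugin, field and URL names are invented.

```javascript
// Added example, not Jenkins project code: a regex-based lint for the CSP
// anti-patterns listed in the meeting notes, applied to Jelly view files.
// Heuristic only: it flags patterns, it does not parse Jelly or JavaScript.

const RULES = [
  {
    id: "inline-script",
    // <script> without a src= attribute: JavaScript inlined into the page.
    // The body is captured so Jelly ${...} expressions inside it can be flagged.
    re: /<script\b(?![^>]*\bsrc\s*=)[^>]*>([\s\S]*?)<\/script>/gi,
    msg: "inline <script>; move the code to a .js resource (e.g. an adjunct)",
  },
  {
    id: "inline-handler",
    // onclick="..." and similar attributes need 'unsafe-inline' under CSP.
    re: /\son(?:click|change|input|load|submit|keyup|keydown|focus|blur|mouseover)\s*=\s*["'][^"']*["']/gi,
    msg: "inline event handler; attach the listener from external JavaScript",
  },
  {
    id: "eval",
    // eval() needs 'unsafe-eval' under CSP.
    re: /\beval\s*\(/g,
    msg: "eval(); parse data with JSON.parse or pass it via data- attributes",
  },
  {
    id: "javascript-url",
    re: /\bhref\s*=\s*["']javascript:/gi,
    msg: "javascript: URL; use a button with a listener instead",
  },
  {
    id: "legacy-checkurl",
    // Old-style form validation puts a JavaScript expression into checkUrl that
    // the browser evaluates. Modern validation uses a plain URL plus checkDependsOn.
    re: /\bcheckUrl\s*=\s*"[^"]*(?:\+|encodeURIComponent\()[^"]*"/gi,
    msg: "checkUrl is a JavaScript expression; use a plain URL with checkDependsOn",
  },
];

const JELLY_EXPR = /\$\{[^}]*\}/;

// 1-based line number of a character offset in source.
function lineOf(source, index) {
  let line = 1;
  for (let i = 0; i < index; i++) {
    if (source.charCodeAt(i) === 10) line++;
  }
  return line;
}

// Run every rule over one Jelly file; return findings sorted by line.
function scanJelly(source) {
  const findings = [];
  for (const rule of RULES) {
    rule.re.lastIndex = 0;
    let m;
    while ((m = rule.re.exec(source)) !== null) {
      const line = lineOf(source, m.index);
      findings.push({ rule: rule.id, line, msg: rule.msg });
      if (rule.id === "inline-script" && JELLY_EXPR.test(m[1])) {
        findings.push({
          rule: "jelly-in-script",
          line,
          msg: "Jelly ${...} interpolated into JavaScript; pass the value via a data- attribute",
        });
      }
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

function isCspClean(source) {
  return scanJelly(source).length === 0;
}

function formatFindings(file, findings) {
  return findings.map((f) => `${file}:${f.line}: [${f.rule}] ${f.msg}`).join("\n");
}

// Constructed "before" view (not from a real plugin) with every anti-pattern.
// "\${" is only template-literal escaping; the file on disk holds plain ${...}.
const BAD_JELLY = `<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form">
  <f:entry title="Node label color">
    <f:textbox field="color"
      checkUrl="'\${rootURL}/checkColor?value='+encodeURIComponent(this.value)"/>
  </f:entry>
  <a href="javascript:previewColor()">Preview</a>
  <button onclick="previewColor()">Preview</button>
  <script>
    var initialColor = '\${it.color}';
    eval("applyColor('" + initialColor + "')");
  </script>
</j:jelly>`;

// Constructed "after" view: JavaScript lives in an adjunct (.js resource),
// server data reaches it through a data- attribute, validation uses a plain URL.
const GOOD_JELLY = `<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form" xmlns:st="jelly:stapler">
  <st:adjunct includes="io.jenkins.plugins.example.color-label"/>
  <f:entry title="Node label color">
    <f:textbox field="color" checkUrl="\${rootURL}/checkColor" checkDependsOn=""/>
  </f:entry>
  <button class="color-preview" data-color="\${it.color}">Preview</button>
</j:jelly>`;

console.log(formatFindings("before.jelly", scanJelly(BAD_JELLY)));
console.log("after.jelly clean:", isCspClean(GOOD_JELLY));
```

The companion `.js` resource for the "after" view selects the `.color-preview` elements, attaches a click listener and reads `element.dataset.color` inside it; in Jenkins core that hook is normally `Behaviour.specify`, so elements inserted after page load are covered too. Applying the scanner only to files touched by a pull request, as suggested above, avoids failing the build on the existing backlog of inline scripts.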
-
Deferred
- Require Java 11 and fully support Java 17 - Mark
- Stalled UX pull requests
- Mark to review open UX pull requests and note any that appear stalled
- Accessibility assessment
- Mark to see if he can provide a copy of the report