User Experience SIG - November 6, 2024

2024-11-06T17:00:00Z

Nov 6, 2024

  • Attending

    • Mark Waite
    • Antoine Neveux
    • Bruno Verachten
  • Topics

    • GSoC project proposals
      • Google funds new contributors as they help open source projects
        • Projects have been successful in Jenkins
        • Kris Stern - GSoC lead organization admin
      • Would anyone have an idea of a project that would fit in the GSoC timeframe?
        • Wondering if a UI project is a good choice for a GSoC contributor
      • Would anyone be willing to mentor?
        • No project idea will be submitted to Google without multiple mentors
    • Jenkins releases
      • Jenkins 2.484 released 5 Nov 2024
      • Jenkins 2.479.1 released 30 Oct 2024
        • First LTS to require Java 17
        • First to deliver Spring Security 6, Jakarta EE 9, and Jetty 12
        • Watching bug tracker closely, looks quite smooth
      • 2.479.2 scheduled for 27 Nov 2024, RC 13 Nov 2024
      • Blog post announcing the new Java requirement - not done
        • Good if blog post also suggests Java 21 instead of Java 17
        • We’ll end-of-life Java 17 next year
      • Changelog and upgrade guide that announce it
    • YahooUI removal - progress report and next steps
      • Markus Winter and Tim Jacomb discussing when and how we remove YahooUI from Jenkins
        • 2 plugin releases remaining
        • Tim suggested to possibly switch the feature flag to default without YahooUI
          • Then switch it off completely after a few weeks
        • Just remove it and acknowledge it has been removed
        • In the chat channel, make your voice heard there
    • Jenkins Content Security Policy project
      • 3 month project for Yaroslav Afenkin and Shlomo Dahan
        • Funded by Alpha-Omega, improving security of open source projects
      • Blog post with the results from first month
      • Sheet shows the progress
      • Deployment alternatives for more restrictive Jenkins policy
        • Use a phased approach, good examples and experience with phased approaches
          • Java version updates as an example
          • Seems like the same process will work for CSP improvements
        • Updating plugins to compatible versions as they are released
          • Good for early adopters to enable more restrictive CSP today
          • Depends on the plugins that you are using, significant portion of plugins affected
            • Many more than PrototypeJS
            • Many more than Jakarta EE 9
            • Many more than tables to divs
          • Bad for later adopters to enable more restrictive CSP today
        • Feature flag to allow users to enable more restrictive policy
        • Blog posts or other marketing effort to show benefits of CSP to users
          • Clear, proactive communication
          • Videos
        • How should we implement the CSP enforcement?
          • Some edge cases are not covered by the current plugin
            • HTML publisher not covered
            • Build monitor plugin not covered
            • If we want to improve enforcement, may need to work at a different layer
          • Continue with CSP as a plugin or include in Jenkins core
            • Convenient as a plugin to opt-in or opt-out
            • Installing a new plugin is a persuasion and marketing effort
        • Include CSP plugin in the setup wizard as a suggested plugin
        • Include CSP plugin in the setup wizard default plugin set
        • Admin monitor to recommend restricted CSP for current users
          • Not as successful as we hoped
          • Good to warn the users several months in advance before we enable
        • Eventually will want to enable by default, but long project to make that transition
        • … Other ideas
      • What can others do to help?
        • Upgrade your plugins to CSP compatible plugin versions
      • Data collection might help us decide, but comes with an implementation cost
        • Which are the most important plugins to make compatible
          • Which plugins are installed and their versions
          • Is CSP not enabled because they have an incompatible plugin?
        • Plugin install counts already show us some basic information
          • Number of installations of CSP plugin
        • Is the plugin running in restrictive mode or report-only mode?
    • Recent UI topics
      • Active work / pending in Jenkins core (13 with web-ui label, 6 are draft, 6 unresolved merge conflicts)
        • Remove YahooUI from Jenkins core and Jenkins plugins
          • Progress continues - when do we remove from Jenkins core
        • PR-7569 - Use a command palette for search
          • Removes another use of YahooUI
          • Question from Daniel Beck (2 months old) to judovana has not been answered
            • Do we answer it ourselves and move forward?
        • PR-8435 - Update appearance of keyboard shortcut tooltips
          • Needs additional review
        • PR-7288 - Support gz content viewing
          • Needs extension point
        • PR-7078 - Margins for help text paragraphs and headers
          • Recent comments indicate more interest
    • Upcoming in next LTS baseline (5 Feb 2025)
      • PR-9462 - Use standard dropdowns for combo box
      • Branch API show pull request title in name column (not in core)
        • Implemented as the default
          • Was an existing trait that would enable it
          • That trait is now the default
        • Do we need a trait that disables it?
          • One comment about length of PR titles
          • May have a fix proposed to allow disabling it
            • Just merged, new release coming soon
    • Results from Jenkins dashboard survey (Google form) - Jan Faracik
      • See the recording for details