2024-11-06T17:00:00Z
Nov 6, 2024
Attending
- Mark Waite
- Antoine Neveux
- Bruno Verachten
Topics
- GSoC project proposals
- Google funds new contributors as they help open source projects
- Projects have been successful in Jenkins
- Kris Stern - GSoC lead organization admin
- Would anyone have an idea of a project that would fit in the GSoC timeframe?
- Wondering if a UI project is a good choice for a GSoC contributor
- Would anyone be willing to mentor?
- No project idea will be submitted to Google without multiple mentors
- Jenkins releases
- Jenkins 2.484 released 5 Nov 2024
- Jenkins 2.479.1 released 30 Oct 2024
- First LTS to require Java 17
- First to deliver Spring Security 6, Jakarta EE 9, and Jetty 12
- Watching bug tracker closely, looks quite smooth
- 2.479.2 scheduled for 27 Nov 2024, RC 13 Nov 2024
- Kris Stern is release lead, using the release checklist
- Blog post announcing the new Java requirement - not done
- Good if blog post also suggests Java 21 instead of Java 17
- We'll end-of-life Java 17 next year
- Changelog and upgrade guide that announce it
- YahooUI removal - progress report and next steps
- Markus Winter and Tim Jacomb discussing when and how we remove YahooUI from Jenkins
- 2 plugin releases remaining
- Tim suggested to possibly switch the feature flag to default without YahooUI
- Then switch it off completely after a few weeks
- Just remove it and acknowledge it has been removed
- In the chat channel, make your voice heard there
- Jenkins Content Security Policy project
- 3 month project for Yaroslav Afenkin and Shlomo Dahan
- Funded by Alpha-Omega, improving security of open source projects
- Blog post with the results from first month
- Sheet shows the progress
- Deployment alternatives for more restrictive Jenkins policy
- Use a phased approach, good examples and experience with phased approaches
- Java version updates as an example
- Seems like the same process will work for CSP improvements
- Updating plugins to compatible versions as they are released
- Good for early adopters to enable more restrictive CSP today
- Depends on the plugins that you are using, significant portion of plugins affected
- Many more than PrototypeJS
- Many more than Jakarta EE 9
- Many more than tables to divs
- Bad for later adopters to enable more restrictive CSP today
- Feature flag to allow users to enable more restrictive policy
- Blog posts or other marketing effort to show benefits of CSP to users
- Clear, proactive communication
- Videos
- How should we implement the CSP enforcement?
- Some edge cases are not covered by the current plugin
- HTML publisher not covered
- Build monitor plugin not covered
- If we want to improve enforcement, may need to work at a different layer
- Continue with CSP as a plugin or include in Jenkins core
- Convenient as a plugin to opt-in or opt-out
- Installing a new plugin is a persuasion and marketing effort
- Include CSP plugin in the setup wizard as a suggested plugin
- Include CSP plugin in the setup wizard default plugin set
- Admin monitor to recommend restricted CSP for current users
- Not as successful as we hoped
- Good to warn the users several months in advance before we enable
- Eventually will want to enable by default, but long project to make that transition
- … Other ideas
- What can others do to help?
- Upgrade your plugins to CSP compatible plugin versions
- Data collection might help us decide, but comes with an implementation cost
- Which are the most important plugins to make compatible
- Which plugins are installed and their versions
- Is CSP not enabled because they have an incompatible plugin?
- Plugin install counts already show us some basic information
- Number of installations of CSP plugin
- Is the plugin running restrictive mode or report-only mode
- Recent UI topics
- Active work / pending in Jenkins core (13 with web-ui label, 6 are draft, 6 unresolved merge conflicts)
- Remove YahooUI from Jenkins core and Jenkins plugins
- Progress continues - when do we remove from Jenkins core
- PR-7569 - Use a command palette for search
- Removes another use of YahooUI
- Question from Daniel Beck (2 months old) to judovana has not been answered
- Do we answer it ourselves and move forward?
- PR-8435 - Update appearance of keyboard shortcut tooltips
- Needs additional review
- PR-7288 - Support gz content viewing
- Needs extension point
- PR-7078 - Margins for help text paragraphs and headers
- Recent comments indicate more interest
- Upcoming in next LTS baseline (5 Feb 2025)
- PR-9462 - Use standard dropdowns for combo box
- Branch API show pull request title in name column (not in core)
- Implemented as the default
- Was an existing trait that would enable it
- That trait is now the default
- Do we need a trait that disables it?
- One comment about length of PR titles
- May have a fix proposed to allow disabling it
- Just merged, new release coming soon
- Results from Jenkins dashboard survey (Google form) - Jan Faracik
- See the recording for details