#jenkins-meeting log

18:00:10 <rtyler> #startmeeting
18:00:10 <robobutler> Let the Jenkins meeting commence!
18:00:19 <rtyler> #chair kohsuke danielbeck ogondza
18:00:19 <robobutler> Current chairs: danielbeck kohsuke ogondza rtyler
18:00:24 <rtyler> #topic Last meeting's actions
18:00:39 <rtyler> based on what I can see, there weren't any
18:00:39 <rtyler> heh
18:01:19 * rtyler waits for people to show up
18:01:49 <rtyler> ogondza: you awake and ready for the next topic?
18:02:00 <ogondza> rtyler: sure I am
18:02:31 <ogondza> I have done the backporting and will push RC as son as ATH reports completion
18:02:32 <rtyler> #topic LTS status check
18:02:56 <rtyler> this is for 2.32.x still right?
18:03:05 <ogondza> rtyler: 2.32.3
18:03:20 * rtyler nods
18:03:46 <ogondza> rtyler: fyi, I intent to get this automates so that any backport pushed will produce rc for people to test
18:03:57 <ogondza> *atomated
18:04:09 <rtyler> the ATH testing?
18:04:13 <ogondza> so noone has to wait for me pushing the RC
18:04:20 <ogondza> that would be part of it
18:04:28 <rtyler> https://issues.jenkins-ci.org/browse/INFRA-960 is relevant to your interests then
18:04:35 <rtyler> we should have plenty of capacity for ATH on ci.j.io
18:04:39 <danielbeck> ogondza that seems questionable to me, as nobody could be sure it's really the last one, but should be discussed elsewhere
18:04:47 <ogondza> I am thing about pipeline backport > jenkins-test-harness > ATH > RC push
18:05:11 <ogondza> danielbeck: ok
18:05:57 <danielbeck> ogondza so, what's .3 RC status? :)
18:06:19 <ogondza> #action ogondza will push 2.32.3 RC tomorrow morning
18:06:27 <danielbeck> \o/
18:06:45 <ogondza> the snapshot version number did not make it
18:06:58 <danielbeck> #info in two weeks we'll select the next LTS baseline
18:07:05 <danielbeck> as a reminder
18:07:20 * ogondza putting that on agenda
18:07:34 <danielbeck> I think we can move on? rtyler ?
18:07:44 <ogondza> yes, we can
18:07:56 <rtyler> #topic GSoC Update
18:08:01 <rtyler> oleg-nenashev: are you going to drive this topic?
18:08:58 * rtyler counts down
18:08:59 <danielbeck> doesn't seem to be around
18:09:20 <rtyler> alright, I'll fill in
18:09:28 <rtyler> #info the GSoC 2017 application has been submitted
18:09:36 <rtyler> https://jenkins.io/projects/gsoc for more details
18:09:55 <rtyler> not really much more for us to do here
18:09:56 <rtyler> IMO
18:10:03 <danielbeck> looking for projects and mentors?
18:10:08 <danielbeck> or too late anyway?
18:10:24 <rtyler> students can always suggest projects in their own applications
18:10:26 <schristouu88> I might be switching to a mentor, I got a student asking about the support core plugin improvements
18:10:35 <rtyler> as far as our application with suggested projects, that's kind of done
18:10:41 <danielbeck> okay
18:11:22 <danielbeck> so now we'd probably monitor the dev list and be responsive there when students post questions?
18:11:25 * rtyler nods
18:11:43 <rtyler> any other gsoc related questions?
18:12:20 <ageer> when is mentor deadline?
18:12:50 <rtyler> uhhhhhh, I'm not sure, I believe we can pair mentors up with students right up to the beginning of the program
18:13:08 <rtyler> there's still plenty of time to volunteer as a mentor :)
18:13:18 <danielbeck> makes sense if students propose projects -- otherwise there'd be mismatches
18:13:38 * rtyler nods
18:14:14 <danielbeck> also, probably afterwards too, if we need to improvise
18:14:20 * rtyler nods
18:14:48 <rtyler> onwards?
18:15:07 <danielbeck> sure
18:15:14 <rtyler> #topic Infrastructure update
18:15:17 <danielbeck> oh boy
18:15:20 <rtyler> \o/
18:15:40 <rtyler> #info Every monday we're having an infra hangout on https://jenkins.io/hangout at 20:00 UTC
18:15:52 <rtyler> mostly just to review what's in the INFRA project and make sure that the right stuff is getting solved for
18:16:18 <rtyler> olblak is making progress on provisioning kubernetes (k8s) in Azure to migrate applications over to, starting with plugins.jenkins.io
18:16:41 <rtyler> we have a JIRA upgrade which we need to schedule a maintenance window for
18:16:52 <rtyler> we also have the SCM API 2 upgrades on ci.jenkins.io which we need to schedule a maintenance window for
18:17:13 <rtyler> unfortunately time has been sparse lately, and some of this won't get resolved until closer to the end of february :(
18:17:43 <rtyler> because of the lack of time, we're still seeing github rate limit errors daily on ci.j.io :(
18:18:07 <danielbeck> how is that related to your lack of time?
18:18:28 <rtyler> SCM API 2 is supposed to help reduce the github api calls
18:18:29 <ogondza> perhaps it is github's lack of time
18:18:39 <danielbeck> rtyler makes sense
18:18:51 <rtyler> there's also the "crazy caching proxy" idea which would make this problem go away entirely :)
18:19:11 <rtyler> but requires time to prototype and determine whether it's a "crazy stupid idea" or "crazy smart idea"
18:19:34 <autojack> crazy like a fox.
18:19:43 <rtyler> another issue which has been causing trouble more and more is the increased prevelance of interdependent plugin releases
18:19:57 <rtyler> and a known "race condition" between mirrors serving update-center.json and the plugin HPIs themselves
18:20:04 <rtyler> this is more or less tracked in INFRA-160
18:20:37 <rtyler> and, as we discussed in our sync meeting on Monday, we basically need to expedite serving the update center from Azure storage instead of relying on our slow mirror network
18:20:46 <rtyler> which is not a good fit for the frequent changes to update-center.json
18:20:51 <danielbeck> this will result in https everywhere, right?
18:21:06 <rtyler> s/everywhere/moreplaces/
18:21:18 <danielbeck> well, all the update center stuff at least
18:21:21 <danielbeck> or no?
18:21:29 <rtyler> .war and installers are still through the mirror network right now
18:21:32 <rtyler> yes, for the update center
18:21:49 <danielbeck> okay
18:22:02 <rtyler> at my nearest opportunity I will be campaigning for revamping the way the update center works in Jenkins  regardless of this effort
18:22:24 <rtyler> as each instance fetching a 1MB JSON file every day is unnecessary and incurs real cost across 150k instances
18:22:54 <rtyler> #info rtyler will be pushing for better collaboration between core development changes and infrastructure changes where they are dependent
18:23:36 <rtyler> i386 has also done some prototyping on new update center dependency resolution stuff, but I haven't reviewed his prototype yet, so I don't know whether it's addressing some of our present infra/cost issues
18:24:16 <danielbeck> I think that's more about transitive dependencies, to ensure everything can actually be installed
18:24:39 <rtyler> either way, I know there's some interest in fixing update center, so we have to make sure we address the infra impact as well
18:24:57 <danielbeck> right now, plugin A can depend on plugin B, and be published, but B may not be on the update site, breaking A installation
18:25:12 <danielbeck> AFAIU
18:25:27 <rtyler> #info as per usual, interested parties are recommended to join #jenkins-infra and infra@lists.jenkins-ci.org
18:25:38 <rtyler> if there are questions, pipe up, otherwise we can move on
18:25:40 <danielbeck> rtyler anything on the state of the wiki?
18:26:25 <rtyler> oh right
18:26:30 <rtyler> #info the wiki is perpetually on fire
18:26:31 <rtyler> heh
18:26:34 <danielbeck> lol
18:27:12 <ageer> why is it on fire and what exactly does that mean (forgive my unfamiliarity with this issue)
18:27:15 <rtyler> #info danielbeck and rtyler have started doing some initial research into what systems depend on the wiki so we can reduce the wiki load and get it upgraded sooner rather than later
18:27:27 <rtyler> ageer: on fire means it's constantly at capacity nowadays
18:27:34 <ageer> thank you
18:27:40 <rtyler> occasionally resulting in no service for developers trying to edit pages
18:27:56 <rtyler> we have a number of layers of caching in between a request and the confluence app itself, but those can only do so much
18:27:59 <danielbeck> [Monitor Alert] Triggered: Confluence is choking <<< THis arrived in my inbox a minute ago, timing SO perfect I suspect rtyler triggered it
18:28:05 <rtyler> heh
18:28:27 <rtyler> the issues are: old confluence, underpowered VM, exhorbinant load from malicious and benign actors
18:28:38 <rtyler> the wiki is a prime target for spammers
18:28:58 <rtyler> so there's no updates on that really other than, it's on fire
18:29:18 <rtyler> it's known, but there's so much dependent on the wiki that it's hard to fix without severe risk to downstream systems
18:29:25 <ageer> are analytics available on traffic to determine the significance of spam impact?
18:30:03 <rtyler> "available' in that I see it in the access logs
18:30:10 <rtyler> not available in that we don't publish logs anywhere
18:30:28 <rtyler> we have automated systems which clean up spam
18:30:44 <danielbeck> (which add to the load again)
18:30:53 <rtyler> so that means we have spammers (sweatshop spammers from india, etc) and our own tooling competing to see who can DDoS wiki.jenkins-ci.org faster :P
18:32:05 <rtyler> anything else before moving on?
18:32:32 <danielbeck> FWIW I've recently moved some of the more static wiki content over to jenkins.io, help is always welcome
18:33:06 <rtyler> batmat: awake? :)
18:33:54 <rtyler> #topic Should we host plugins with closed-source dependencies?
18:33:58 <rtyler> orrc: how about you
18:35:10 <danielbeck> doesn't look like it?
18:35:17 * rtyler facepalms
18:35:27 <orrc> sort of awake
18:35:34 <orrc> but yeah, this was something that batmat brought up
18:35:36 <rtyler> the gist of this issue is that we have had a hosting request for a plugin which relies on closed source dependencies
18:35:39 <rtyler> https://issues.jenkins-ci.org/browse/HOSTING-271
18:36:31 <orrc> ah, it's been hosted
18:36:37 <rtyler> https://jenkins.io/project/governance/#license
18:36:46 <orrc> so we do explicitly say that closed source plugins aren't allowed
18:36:49 <rtyler> #info "But no such plugins will be hosted by the Jenkins project."
18:37:11 <danielbeck> rtyler right, but the question now is closed source dependencies
18:37:14 <orrc> but what about closed source dependencies, and by extension, I guess that would extend to their transitive dependencies
18:38:00 <rtyler> I wish Slide hadn't hosted this :/
18:38:06 <rtyler> somebody should have blocked this request pending this discussion
18:38:24 <orrc> I'm not sure if there's precedence here, but I could imagine we have some plugins that are open source but depend on some closed source SDK or so
18:38:44 <danielbeck> we probably need an inventory of existing plugins to even begin considering this
18:38:48 <ageer> is access to the closed source sdk freely available or proprietary?
18:39:03 <rtyler> the update-center.json just includes a reference to an .hpi
18:39:15 <rtyler> so in essence doesn't this mean that the plugin as built is not open source?
18:40:08 <danielbeck> rtyler FWIW that plugin is not yet published, and no upload permissions granted, so we can block that while we determine how to proceed here
18:40:15 * rtyler nods
18:40:34 <orrc> we're only hosting new plugins from jenkinsci, so we should know where the source is. and in artifactory the sources.jar for each release *should* be there
18:41:01 <danielbeck> orrc Just pull the Artifactory listing and take a look -- you have no idea.
18:41:04 <rtyler> as far as I understand this situation, the .hpi would contain proprietary software which we do not have a license for distribution
18:41:24 <orrc> danielbeck: yeah, I know it's wild out there in reality :)
18:41:42 <rtyler> if that's correct, then I actually think this issue is relatively straight-forward within our existing guidelines
18:41:46 <orrc> rtyler: right
18:41:59 <danielbeck> Welllll
18:42:09 <rtyler> from a legal standpoint, we have no license to distribute this code
18:42:33 <danielbeck> depends on the license of the dependency
18:42:49 <rtyler> if it's not open source, then i'm not sure it matters
18:43:09 <rtyler> this plugin depends on some closed source stuff beign published to an s3 bucket
18:43:23 <rtyler> which is, bizarre to begin with :P
18:43:38 <danielbeck> well, a plugin can be open source but not have an OSI license, and what then?
18:43:49 <rtyler> that's not open source as far as I am concerned
18:44:15 <danielbeck> that should be clarified in the governance document then, that we mean Open Source, not just open source.
18:44:16 <ageer> this doesnt sound open source if you have a blackbox your pulling in as part of the plugin functionality
18:44:41 <danielbeck> mvn
18:44:42 <danielbeck> "plugins are free to choose their own licenses, so long as it’s an OSI-approved open-source license."
18:44:59 <danielbeck> so, rtyler is right
18:45:02 <rtyler> YAY
18:45:11 <rtyler> I've been waiting my whole week for that danielbeck :P
18:45:19 <danielbeck> rtyler try harder then ;-)
18:45:22 <rtyler> haha
18:45:41 <rtyler> so a clarification point I think we can make to this plugin author in particular
18:45:59 <danielbeck> now to find out whether a thing can be OSI licensed without being open source all the way down -- I doubt it, but we should make sure
18:46:01 <rtyler> if the plugin, once installed, prompts the user to download proprietary dependencies or something like that, I think that's suitable
18:46:16 <rtyler> since that's more or less how many toolchain-based plugins operate
18:46:25 <danielbeck> right -- we've had that model a few times, like Black Duck and CloudBees "installers"
18:46:30 * rtyler nods
18:46:39 <rtyler> danielbeck: I would hope Artifactory has some integration we can enable here
18:46:42 <ageer> that seems appropriate
18:47:07 <rtyler> #action rtyler and danielbeck to investigate whether we can ensure OSI-licensed code is being distributed "all the way down" for plugins to comply with governance document guidelines around proprietary code in plugins
18:47:51 <danielbeck> I think this is all we can discuss on this topic for the moment?
18:47:52 <rtyler> I think from a practical standpoint, we should be gentle with plugin authors like this and explain why this is important and still welcome them into the community
18:48:13 <rtyler> chances are this developer isn't the one who made the decision to not kopen source something
18:48:26 <rtyler> orrc: what do you think, have we resolved this topic for today?
18:48:41 <orrc> sure
18:49:03 <rtyler> #info to summarize, bits being packaged into an .hpi should be OSI-licensed (Open Source) to be published through the official Jenkins Update Center
18:49:17 <danielbeck> s/should/need to
18:49:40 <rtyler> go full RFC "MUST"
18:49:41 <rtyler> :D
18:49:43 <rtyler> anywhoo
18:49:48 <rtyler> #topic Next meeting
18:50:04 <rtyler> I see that ogondza has already added some items for Feb 29, which doesn't exist this year :P
18:50:26 <rtyler> #info Next meeting March 1st, 2017
18:50:29 <rtyler> :)
18:50:31 <rtyler> #endmeeting