18:00:42 #startmeeting 18:00:42 Let the Jenkins meeting commence! 18:00:51 #chairs hare_brain rtyler abayer 18:01:01 #chair hare_brain rtyler 18:01:01 Current chairs: hare_brain kohsuke rtyler 18:01:08 #chair abayer 18:01:08 Current chairs: abayer hare_brain kohsuke rtyler 18:01:23 Hi guys 18:01:30 hi there 18:01:31 #info https://wiki.jenkins-ci.org/display/JENKINS/Governance+Meeting+Agenda 18:01:54 #info https://issues.jenkins-ci.org/browse/MEETING 18:02:11 #topic recap of actions 18:02:30 #action (argh) kohsuke to post about our draft voting process proposal 18:02:48 wrt MEETING-4, I think I got your draft, tonylampada 18:03:04 I'll upload it and check with rtyler 18:03:40 it was MEETING-6, rather 18:03:44 ok, I think I forgot to add the links on it. I'll update the gist today ok? 18:03:51 thanks 18:04:15 #topic discussion about future funding plan/source 18:04:36 I'll post a comment to the jira ticket when it's ok 18:04:48 also, I have a new version of the freedomsponsors plugin 18:05:01 that will hide the link for closed/resolved issues 18:05:25 https://github.com/freedomsponsors/freedomsponsors-jira-plugin/downloads 18:05:46 #action kohsuke to upload new version of freedomsponsors JIRA plugin 18:06:00 Back to the future funding plan... 18:06:43 #info http://www.spi-inc.org/meetings/minutes/2012/2012-08-09/ says our current cash reserve is $7348 18:07:19 and we did our last fund-raiser around last year this time 18:07:56 would JUC be a good place to kick off fund-raising? 18:08:20 Good idea. I'll mention that in the slides 18:09:19 Looking at the records, to be more precise, it started around Sep 15th, and when orrc did a Wikipedia mockup of me begging for money on ci.jenkins-ci.org around December it really took off 18:09:45 And I think we announced the success and thank you around 2012 Jan 18:10:26 The run rate of the project has been pretty small 18:10:58 With most server/bandwidth cost handled by free hosting by OSUOSL and our mirrors 18:11:21 The only thing we really need is occasional certificates, domain registrations, and promotion materials (stickers and T-shirts) 18:12:20 so if that's how we keep it, we can survive with what already have. 18:12:27 ... for years 18:12:52 * kohsuke pokes hare_brain and rtyler 18:13:53 now, there's some interest in spending money for travel grants, which led to the question of how frequent the fundraising should be for it to be not too annoying 18:14:02 > "when orrc did a Wikipedia mockup of me begging for money" (can we still see that? - just curious) 18:14:40 tonylampada: I think it's gone :-) 18:14:47 ... unless it's in the internet archive 18:15:08 bummer :-) 18:15:09 kohsuke, how about some feature-for-money project? :) ie instead of just voting that a feature is important, people could say that they're willing to pay N dollars if this gets done :) 18:15:50 erm... 18:15:52 nanonyme: tonylampada had just that, except the money goes to the person who fixes it 18:15:52 isn't this what freedomsponsors is for already? 18:15:54 :-) 18:15:58 yup 18:16:22 oh, neat :) 18:16:23 We do have this small thank-you gift of a "friend of Jenkins" plugin 18:16:35 we send it out to those who donated >$25 18:16:41 nanonyme: please see http://www.freedomsponsors.org// 18:16:46 tombevers: http://i.imgur.com/3voWb.png 18:16:51 tonylampada, even: http://i.imgur.com/3voWb.png 18:17:16 what's the "friend of Jenkins" plugin do 18:17:35 dapak: it shows an appreciation note on your footer 18:17:48 o'rly 18:18:31 I don't have any strong preference, but I thought it'd be nice if we can make our money last for one more year 18:19:02 And that's still about $4000/yr budget 18:19:22 do you think companies might bid to get an 'expert for a day' or a speaker? 18:19:55 our sticker ran rate is about $1000/year, and T-shirts so far is about $300/yr, so enough to spend $1K-$2K on other things 18:20:34 LisaWells: speaking on which, there's also the possibility of selling ad space on our websites 18:20:40 if the SPI could do provide infrastructure recurring monthly/annual subscriptions, that might be nice for people/companies 18:20:58 ad space would be great 18:21:12 orrc: I can ask them but I'm pretty sure they don't have any 18:21:28 Second the recurring subscriptions. 18:21:41 seems like something that would benefit all their projects -- their current donation UI very nice in any case 18:21:54 orrc: that is an excellent picture. 18:22:02 #action kohsuke to write a feedback to SPI that it'd be nice to have recurring donation subscription, and European payment handler 18:22:09 which reminds me.. I should follow up on the possibility for easier EU subscriptions 18:22:11 ah :) 18:22:34 I forgot the exact nature of the problem but it didn't take payments in euro or something, right? 18:23:09 And yes, I also got the feedback that some people were nervous that the UI didn't really look authentic 18:23:33 kohsuke: yeah. I donated in dollars. but I found an organisation that's partnered with SPI in Europe. I'll email them again to see if we can set up a link 18:23:43 Thanks 18:24:23 I should probably move on to the next topic 18:24:37 Can't really record any agreement without hare_brain and abayer 18:24:52 #topic Add more hackers to the SECURITY project 18:24:54 I'm sorry, I'm sitting in new hire orientation 18:25:28 hare_brain: thanks for ack. I figured something like that is going on 18:25:51 #info there's a separate SECURTY project in JIRA that handles security vulnerabilities 18:26:17 Issues filed there are protected so that only the submitter can see it 18:26:39 For the longest time I was the only one who were able to see it, and we recently added jorgenpt and jglick 18:27:14 I think it's good to have multiple people, so long as it's not open to the public, so to speak. 18:27:30 Are all patched vulnerabilities in fact filed there? 18:27:43 Yes 18:28:52 I'm not sure if we need any process for adding people, so I think we can just start by asking if there are more people willing to work on those inbound security tickets 18:29:06 I'm not sure if rtyler had any other thoughts 18:29:11 or jorgenpt for that matter 18:29:21 but clearly they aren't here today :-( 18:29:46 anyone else with any thoughts on this? 18:30:07 I think this makes sense! 18:30:38 kohsuke: few hours ago rtyler mentioned that he wouldn't be able to attend the meeting, but he said something about this topic 18:30:46 Oh OK 18:31:25 all right, he did mention a process 18:31:45 I would say that we MUST have a CLA on file for anyone with access to the security project in JIRA 18:31:47 "what I wanted to get out of my line item, was a process to pull in more people into the SECURITY project to help triage and solve security issues" 18:32:19 hare_brain: Yeah, that's reasonable 18:32:44 I think having some bar here is indeed useful 18:32:54 and CLA comes with their contact info, which helps establish trust 18:33:06 Yeah, security issues are not something you want to hand off to just anyone. 18:33:40 I think I'll start with soliciting volunteers with this criteria 18:33:41 So I guess I don't have suggestions for how to recruit people, but opinions on how to make sure that people who volunteer are qualified to help with these 18:34:05 Definitely code reviews are important here. 18:34:11 I suspect there won't to be too many to call for a formal process 18:34:19 Well, it's GitHub, so a pull request is a code review 18:34:21 There's a bigger question of how to handle security releases, yes 18:34:47 Anybody aware of a plugin, or quick method to integrate the GitHub Status API with my Jenkins-CI Project? 18:34:47 There's really no easy way in OSS to discuss anything behind closed door 18:35:03 A different IRC channel? 18:35:13 Pull requests are probably inappropriate for these—publicize the vulnerability too early. 18:35:22 jglick: right 18:35:28 jglick good point 18:35:44 I know setting up invite-only mailing list is pretty easy 18:35:47 Emailed patch requests then 18:35:57 Not requests 18:36:01 Just the patches 18:36:03 I also suspect for rtyler or somebody with enough IRC-fu, setting up a closed IRC channel isn't too hard either 18:36:05 git-format-patch I guess. 18:36:11 jglick: yeah 18:36:54 kohsuke, to date, what's been the source of security issues? Do you find them? 18:37:01 OK, so let's start with mailing list 18:37:07 I do find some 18:37:17 But many comes from users 18:37:21 IRC might not work if you have only a small number of people and you want to make sure all of them see all relevant traffic despite timezone differences and so on. 18:37:23 via the SECURITY project 18:37:37 jglick: yes 18:37:42 Is there a notification alias for the JIRA project? 18:37:55 I think we need to set a separate one for the SECURITY project 18:38:04 and a mailing list would be convenient for that purpose too 18:38:09 That is what I meant. Notifications on JENKINS are overwhelming. 18:38:49 Preferably JIRA could be configured to just mail links, no content, so you would need to log in to see details. 18:38:58 #action kohsuke to set up a private jenkinsci-security@googlegroups.com 18:39:19 #agreed we'll require CLA in place for someone to join this list 18:40:11 #action kohsuke to call for volunteers for this list to see if how many would be willing or if we need any more process 18:40:29 jglick: if you are interested in tinkering with JIRA, you are welcome! 18:40:36 BTW there are FreedomSponsors.org links in the SECURITY project which would ideally be suppressed. 18:40:50 I'll check if I can tweak the content of the e-mail 18:41:11 jglick: that'd be tonylampada. I think he has an issue tracker that keeps RFEs for his JIRA plugin 18:41:35 Right, fine for JENKINS but hope no one clicks this in SECURITY. 18:41:37 OK, I think that's good for this topic for now 18:41:50 #topic Review survey questions for JUC San Francisco 18:41:56 Let me find the draft link 18:42:21 http://wiki.cloudbees.com/bin/view/Jenkins+Enterprise/2012+Jenkins+Survey+Draft 18:42:39 ah thank you 18:43:04 I guess the question was if there's anything else we'd want to learn from our users 18:43:21 #action kohsuke to add getServletConfig().getServletContext().getServerInfo() to the usage statistics 18:43:37 I wonder our statistician imod has any thoughts on this 18:43:57 I think this will be a nice new graph :) 18:43:57 I liked the suggestion to add "How do you like to get Jenkins support?" and also a free text comment field 18:44:24 Yes, free text comment field 18:44:29 Oh 18:44:41 jglick: there are a few ways to handle this problem. I'll post an issue to (https://github.com/freedomsponsors/freedomsponsors-jira-plugin/issues) describing a few ideas 18:45:02 On a similar line of thoughts, I wonder if we can ask for people to say something nice that we can quote on our websites? 18:45:09 tonylampada: OK. Low priority. 18:45:31 I wonder If we can get more info about what people are using jenkins for - other then just building stuff 18:45:31 You know those lines "I trimmed off 15kg thanks to this new diet program!" - Joe Chin, San Jose 18:45:49 could add a text section "What do you like best about Jenkins? And can we quote you?" 18:45:52 User testimonials 18:46:06 Yes, testimonials is the word 18:46:08 yeah these are nice 18:46:28 One thing I would suggest is some information about HOW the data from the survey will be used. 18:46:36 hard to do full testimonial in survey, but could ask "would you be interested in doing a user testimonial?" and then could contact afterwards 18:46:59 LisaWells: that works for me 18:47:20 hare_brain: privacy statement of a sort 18:48:01 Sort of, but not just that. It's not just about where information about me is going, but what I'm going to get out of the project by giving you this information. 18:48:08 i.e., prioritization of features 18:48:10 privacy for the data or users? supplying your details is optional 18:48:15 Changes to documentation 18:48:28 right now, anyone who completes the survey gets the results 18:48:40 I don't even necessarily care about the results. 18:48:53 It's, what's going to change for the better about the project based on the feedback I supply? 18:49:20 hare_brain: I'm not sure what we can commit to, but it sure makes sense to say "we'd like your feedback to prioritize our efforts" 18:49:30 If the information is just going to get aggregated and redistributed, but nothing is going to change, I'd want to know that. 18:49:33 the challenge obviously is that this being OSS, we can't actually say anyone will work on those 18:49:59 Right. So just be clearer about what the collected data will be used for. 18:50:12 OK 18:50:23 Again, if it's just aggregated and re-distributed to people who give their email address, set that expectation. 18:50:42 If it's really going to get fed back to try to prioritize something, set that expectation. 18:50:58 it's up to the community what to do with the results 18:51:22 So something like "We'd like your feedback so that the project can prioritize efforts, even though being OSS project , we can't really promise you that it'll happen. And you will get the result." 18:51:54 We can also point out that we did listen to the last survey result 18:52:03 People said "UI improvements!" and it did actually happen 18:52:25 I guess I'll add that in the http://jenkins-ci.org/ post for the survey 18:52:43 I want to talk about the idea of the project meeting in JUC 18:52:45 Really? I always thought Jenkins had superior UI compared to other CI systems to begin with 18:52:50 can we move to that topic? 18:52:54 nanonyme: thanks! 18:53:09 #topic project meeting in JUC 18:53:20 This page: https://groups.google.com/forum/?fromgroups=#!topic/jenkinsci-users/r3HhqbJO3Es talks about a "slave-setup" page. But I'm not seeing that in the Manage Jenkins page. What am I missing? 18:53:23 nanonyme: I agree :-) 18:53:44 Sorry, I had one more thing on the last topic. I got pulled into a side conversation 18:53:45 Alyssa who's handling event organization said she's OK with hijacking the panel discussion with the project meeting 18:53:46 Also, a question about the role of the respondent in their org (dev, release, qa) 18:54:40 I mean, add a question about the respondent's role to the survey 18:54:41 My only real concern is 1) logistics, 2) if we can line up enough things to talk about for an hour 18:54:47 hare_brain: yes, I got it 18:54:57 Or more importantly, I think LisaWells got it 18:55:02 Thanks 18:55:04 @hare_brain: we had that Q last year and cut it purely to keep the length down. figured it might not change much. shall i add it back in? 18:55:36 kohsuke: We can talk about this after the meeting - sorry I missed most of it - but are there any guidelines on how to handle committing things in the SEC JIRA? If we just tag them with [SEC-XX], won't "malicious" people be able to pick up on that before we ship a new release? How do we inform people of important sec fixes? (cc [reed]) 18:55:36 LisaWells I think understanding the perspective of the answers is important, so yes. 18:55:55 I'll add it back then. Thanks for the suggestion 18:56:17 Back to the current topic, if we do project meeting at 6pm PT, what's that translate to in other time zones? 18:56:19 on logistics side, I think I can set up live UStream broadcast 18:56:37 Or, we can have someone transcribe into the IRC channel 18:57:07 We probably want to have a log of the actions and agreements recorded. Might we well use existing techniques for that 18:57:50 If we want to have a cross over between real world and virtual world, I wonder if transcribing to IRC can keep it up 18:58:29 #info time zone around the world for 6pm PDT: http://www.timeanddate.com/worldclock/fixedtime.html?msg=Jenkins+Governance+Meeting&iso=20120918T18&p1=224&ah=1&sort=1 18:58:48 Europe is out 18:59:03 Asia is better: Tokyo 11am 18:59:49 if we are to do this from JUC (that's Sunday 6pm PDT), anyone here would be willing to attend virtually? 19:00:01 Yeah, that was my next question. :) 19:00:44 The silence is deafening 19:00:46 I can project the IRC screen on the room and then broadcast the room 19:00:55 anyone knows what time would that be in Brazil? 19:01:03 see the link above 19:01:05 tonylampada: I'm looking at that now 19:01:09 11pm 19:01:47 I might, can't make any promess though :-) 19:02:01 If we tweaks the topics so that it's oriented more for users, I think we might be able to attract some US attendees 19:02:12 I will try to attend it too :-) 19:02:14 We probably need that anyway for it to make sense in JUC 19:02:18 Agreed 19:02:54 We could probably form an agenda around some of the questions in the survey and talk about them live? 19:03:07 i.e., pain points, priorities 19:03:14 Yes, if that's OK with LisaWells, I'd love to steal some agenda from there 19:03:17 broadcasting the room might bring in additional attendees 19:03:32 nice to put faces with names and see the actual community 19:03:50 and yes, by all means, steal survey Qs/agenda items 19:04:15 #action kohsuke to make a post to call for agenda item for the JUC live project meeting with ideas stolen from the survey 19:04:40 hare_brain: you'll be there, right? 19:04:44 Yes. 19:04:46 I know rtyler is 19:04:50 abayer I need to check 19:05:04 Good, so we'll have a quorum 19:05:24 I realize that we are running late. I think that's it for today. 19:05:33 Project funding would be an interesting topic to talk about live. 19:05:38 ah yes 19:05:49 #topic next meeting time 19:06:01 Haha I think we just talked about that. :) 19:06:03 So the next one would be in JUC, Sep 30th 6pm PST 19:06:20 And then back to the regular schedule online after 19:06:21 the one after that ... I guess we'll do that in JUC 19:06:28 yeah 19:06:32 +1 19:06:48 all right, in that case unless anyone wants to add anything we are done for the day 19:06:55 #endmeeting