18:01:16 <kohsuke> #startmeeting 18:01:16 <robobutler> Let the Jenkins meeting commence! 18:01:27 <kohsuke> https://wiki.jenkins-ci.org/display/JENKINS/Governance+Meeting+Agenda 18:01:39 <kohsuke> #topic Q4 patron ads on Jenkins Wiki 18:01:55 <FofG> woah 18:02:23 <kohsuke> FofG: rpetti: sorry to interrupt your conversations 18:02:45 <kohsuke> So the first one is the patron message change proposal 18:02:50 <kohsuke> ... and the diff is in https://github.com/jenkinsci/patron/pull/1/files 18:03:14 <kohsuke> for the context, we have this "patron of Jenkins" program going for while: https://wiki.jenkins-ci.org/display/JENKINS/Patron+of+Jenkins+program 18:03:26 <kohsuke> ... where large donors get to put messages in our Wiki 18:04:01 <kohsuke> And when the message changes, we want to pre-approve the messages so that it won't get too flashy or advertisement-ish 18:04:06 <hare_brain> Looks OK to me. +1 18:04:33 <kohsuke> Any other +1s? concerns? 18:05:02 <danielbeck> seems fine 18:05:43 <kohsuke> #agreed the proposed message change looks OK to us 18:05:51 <kohsuke> #topic Plugins not getting forked into jenkinsci, or not getting released from there 18:06:34 <kohsuke> danielbeck: are we seeing a lot of those now? 18:06:41 <danielbeck> subjectively this has come up a few times in the past, organizations that don't fork into the jenkinsci org, or actually use their own, or don't use the Jenkins JIRA 18:06:53 <hare_brain> What problems does this cause? 18:06:55 <danielbeck> no specific numbers but I've seen a few in the past few weeks 18:07:16 <danielbeck> It's more difficult to find the repo and issue tracker 18:07:35 <danielbeck> the community cannot contribute outside jenkinsci 18:07:35 <kohsuke> hare_brain: part of it is that when the original author goes inactive, it increases the hurdle for others to take over 18:08:39 <ogondza> for instance, there is a security issue in sonar-plugin: https://github.com/SonarSource/jenkins-sonar-plugin/pull/9 18:08:54 <ogondza> not sure there is a way for us to take the lead 18:09:27 <kohsuke> I still think overall sufficient number of plugins are getting hosted in the jenkinsci org 18:09:45 <kohsuke> I think our governance document talks about that and generally encourages people to do it that way 18:10:32 <hare_brain> Is there a commonality to plugins that are not hosted on jenkins-ci.org? i.e., are they from individuals? Companies? 18:10:47 <kohsuke> if we think the people doing it outside our org is doing so because they don't know we want thier plugins co-hosted, perhaps a bit of outreach would be worthwhile 18:10:54 <danielbeck> haven't systematically checked it, but seems to be mostly companies 18:11:22 <danielbeck> IIRC the DotCi devs specifically mentioned wanting a popular looking GitHub org with stars 18:11:37 <kohsuke> But OTOH if someone like sonarsource people really wants to control it by themselves, not sure how far we can push 18:11:42 <hare_brain> Yeah 18:12:30 <kohsuke> Do we think additional carrots/sticks would be needed to encourage people to move into the community? 18:12:35 <hare_brain> #idea Plugins that are not hosted in jenkinsci GitHub org do not get wiki pages on jenkinsci.org, nor do they show up as an available plugin from default update center 18:12:48 <hare_brain> In other words, discovery of these plugins gets harder. 18:13:09 <danielbeck> Like some Linux distros with separate "non-free" repos maybe? 18:13:24 <danielbeck> check an option and you still get them, but off by default 18:13:41 <hare_brain> Something like that. 18:13:44 <kohsuke> hare_brain: I agree. That's the intention of our UC anyway, but just haven't enforced them 18:14:47 <danielbeck> AFAICT right now almost anyone can upload anything and it'll show up in the UC 18:15:11 <kohsuke> Yes, which is also bit of a security nightmare 18:15:50 <hare_brain> #idea Add UI to plugin manager for “report a bug”. Plugin authors can add a link to their issue tracker to the plugin metadata. 18:17:27 <larrys> There was also a recent plugin, vnc recorder plugin, which went straight into Subversion, instead of a github repo... which I found odd, and have been meaning to ask why its source code is in subversion, and not github 18:17:35 <kohsuke> I really want to encourage every plugin to be in this massive melting pot / salad bowl 18:18:20 <kohsuke> And so I'm not really keen on helping people who want to do them otherwise 18:18:35 <danielbeck> Yes, authors should be encouraged to integrate with project infra (wiki, Jira, github org) 18:18:52 <danielbeck> anything besides those three? 18:19:41 <kohsuke> What makes it difficult for me is that I think we benefited from not actively rejecting those companies/projects who do feel strongly about hosting plugins elsewhere 18:19:57 <kohsuke> Many of them do produce rather interesting plugins 18:20:34 <hare_brain> Right, and for those plugins, that separation makes it hard for a Jenkins user to be able to report problems, or find documentation. 18:21:25 <danielbeck> They still may have a wiki page but it's still weird, especially if as an experienced user you start looking on github.com/jenkinsci, or in Jira 18:21:52 <hare_brain> But not all users are experienced. 18:22:26 <danielbeck> we should probably find out how many and which are actually affected (no Jira component, no jenkinsci repo, no releases in jenkinsci, no wiki page) 18:22:38 <hare_brain> Data would be good. :) 18:23:13 <danielbeck> wanted to bring this up now primarily to find out whether I'm the only one who doesn't like it if authors do this 18:23:48 <hare_brain> I don’t think we should explicitly disallow this, but we can do things to encourage people to use our infrastructure. 18:23:52 <danielbeck> FWIW the wiki plugin element also cannot handle it sometimes 18:23:56 <kohsuke> I don't like it either. But I think it's an OK compromise 18:24:08 <hare_brain> (Like discoverability, etc.) 18:24:12 <danielbeck> right, disallowing would be bad. 18:24:38 <danielbeck> as I mentioned, an off-by-default 'include plugins not hosted on jenkinsci infra' option to UC 18:24:43 <danielbeck> or something similar 18:24:59 <danielbeck> (off for new installs only probably) 18:25:13 <hare_brain> Call out plugins on https://wiki.jenkins-ci.org/display/JENKINS/Plugins that are hosted externally. Or remove their references entirely 18:25:44 <kohsuke> #action kohsuke to improve UC generation so that we can track plugins that do not follow the encouraged hosting guideline 18:26:08 <larrys> There is something that Atlassian started to do recently with their "marketplace" where they have "Verified" badges that plugins get, among some other badges... not sure how (or if) we could do something similar... 18:27:06 <kohsuke> I think we are starting from a better position than theirs because in our case I think the most of the plugin does follow the guideline 18:27:27 <kohsuke> I don't know what Atlassian Verified does, but presumably that's a sign of quality (which is different from the topic at hand but still good to do) 18:27:35 <hare_brain> I thought about a badge too, but I don’t know what it would actually mean to a user that a plugin is hosted by the community infrastructure. 18:28:58 <hare_brain> I think getting data about how many plugins this is true for, and then not including them in the UC metadata are good first steps. 18:29:26 <danielbeck> hare_brain: You mean completely remove them? 18:29:44 <kohsuke> hare_brain: I took the action to keep track of that, and I wouldn't quite go so far as to remove them from UC, at least not yet 18:29:46 <hare_brain> Remove, or not on by default. 18:30:12 <hare_brain> But yes, that’s step two. 18:30:16 <kohsuke> I want to see which ones would be impacted 18:30:19 <hare_brain> Agreed 18:30:48 <kohsuke> All right, shall we move on? 18:30:51 <danielbeck> yes 18:31:01 <kohsuke> #topic GitHub private repositories for security work 18:31:10 <kohsuke> I sent the proposal to the dev list 18:31:32 <kohsuke> #info the idea is to pay $300/yr to get 10 or so private repositories on GitHub, primarily to be used for Jenkins CERT work 18:31:41 <kohsuke> ... which requires developing fixes in private 18:31:42 <hare_brain> +1 18:31:50 <danielbeck> looks reasonable 18:32:07 <hare_brain> Maybe GitHub will even give us special dispensation. 18:32:26 <kohsuke> abayer tried that a few years ago but that didn't work 18:32:30 <hare_brain> Haha. OK 18:32:40 <kohsuke> But anyone knows anybody there, please give it a try 18:32:44 <abayer> Yeaaaaah. 18:32:57 <abayer> If we can pull it off, that'd be great, but it just kinda withered on the vine. 18:33:28 <kohsuke> And they do already provide us free hosting, so there's that. 18:33:56 <hare_brain> $300/year is totally reasonable. 18:34:03 <kohsuke> #agreed paying for GitHub private repos is approved 18:34:11 <danielbeck> especially when compared to $2k for stickers... 18:34:19 <hare_brain> Hahaha 18:34:27 <hare_brain> Marketing is important! 18:34:40 <kohsuke> I think I misremembered that figure 18:34:49 <kohsuke> It's more like 2000 stickers/yr, for $600 or so 18:35:01 <kohsuke> But anyway, overall picture remains the same 18:35:03 <hare_brain> Yes, I remember that’s more accurate. 18:35:33 <kohsuke> Does anyone have any preference on separate org vs same org? 18:35:46 <kohsuke> I was going to put this in a separate org 18:35:55 <kohsuke> So if you disagree let me know soon 18:36:08 <kohsuke> #topic New LTS base line 18:36:09 <hare_brain> Probably better to separate, so permissions can be managed independently. 18:36:31 <kohsuke> hare_brain: yes, one of the factors is that I'm concerned about bot doing some unexpected things with them 18:37:06 <mark0n> I'm running into problems installing the warnings plug-in using puppet-jenkins v1.2: The package gets downloaded and extracted into /var/lib/jenkins/plugins/ but it does not show up on the web GUI. 18:37:07 <kohsuke> #info I'm releaseing 1.565.3 today, which means it's time to pick the new base line 18:37:28 <kohsuke> http://jenkins-ci.org/changelog 18:37:35 <danielbeck> mark0n: Please wait a few minutes, project meeting right now 18:38:01 <mark0n> I also noted that the most recent version of the plug-in is 4.28 on http://updates.jenkins-ci.org/download/plugins/warnings/ and 4.42 on https://wiki.jenkins-ci.org/display/JENKINS/Warnings+Plugin - why is that? 18:38:01 <kohsuke> FYI 1.577+ would allow us to bring workflow to LTS users 18:38:22 <mark0n> danielbeck: ok 18:38:31 <danielbeck> 1.581 issues are completely bogus, just ignore the 3 votes 18:38:57 <danielbeck> all recent versions look pretty good IMO 18:39:11 <kohsuke> Yes, certainly looks that way 18:39:17 <danielbeck> there may be problems with the user name migration, but that's in since 1.568 or so 18:40:09 <kohsuke> ogondza: are you there? 18:40:23 <kohsuke> jglick told me JavaOne network blocks him from accessing IRC 18:40:31 <ogondza> 1.577+ works for me 18:40:46 * ogondza scanning change log 18:40:52 <kohsuke> 1.580? 18:41:07 <danielbeck> final choice now, or do we still have some time to look over issues? 18:41:12 <kohsuke> It is the oldest in the recent stability streak 18:41:33 <kohsuke> danielbeck: we want to decide now to have room for backporting window 18:41:43 <danielbeck> 1.581 would shut the X-Frame-Options users up 18:41:57 <danielbeck> OTOH we get the background color regression I messed up 18:42:23 <danielbeck> but that's an easy fix 18:42:33 <ogondza> I see no reason to go with anything older than 1.580, so ack from me 18:42:46 <kohsuke> danielbeck: I think you can just backport fc78fdee 18:43:23 <danielbeck> Like ogondza would allow that :-) 18:43:58 <ogondza> :) 18:44:01 <kohsuke> danielbeck: is 1.580 OK? Or do you really want 1.581? 18:44:24 <danielbeck> 1.580 is fine 18:44:29 <kohsuke> #agreed 1.580 18:44:43 <kohsuke> #topic next meeting 18:45:20 <kohsuke> #info next meeting would be Oct 15th 18:45:43 <kohsuke> Yep, I'll be here 18:45:50 <kohsuke> #endmeeting