From YouTube: Jenkins Configuration as Code office Hours
Description
* Brief overview of the Jenkins security process by Oleg
* Sync-up w.r.t. pending pull requests
* Short-term plans
A
Okay, it's sensible life, so hello, everyone, Oleg and John. Thank you for joining, and everyone who watches on YouTube or will watch in the future. Today we have a couple of issues in the agenda where we want to talk about a number of pull requests that I feel I need some insight on, and then we have. We had trouble in the past with handling security issues in a proper way. We don't want to do it anymore, so all the comforts to explain there. How do we handle security issues? How to handle security issues?
B
So I'll share my screen. Do you see it? Yes? Okay, so unless I mess up something on my own, yeah, just okay, those just talking know me and they channel before that. Okay, so, regarding the security process, we actually, the entire process is documented Roenick, single breach, which is not surprised and sorry, slash security. It's neat from the main thing. It's on your side, so it describes the process in detail for users. So we have advisories, you can subscribe to them.
B
You can receive notifications etc., and if you are using and if you discover a security vulnerability, it also explains how to report this vulnerability. Just to be clear, this process applies not only to Jenkins core, but also to all plugins and also projects. So here you may see release so it's blows and every in infrastructure configuration as koenkan. Sex-Change is remoting, so from the Jenkins project standpoint, whatever Janey's level, we use, you expected to use this process. If you discover a security vulnerability, it's important, because if you misreport the issue, it immediately becomes public.
B
So, for example, if you submit a security report on GitHub issues, they become public morale would kill the last week's. It was also not possible to remove these issues, so it was even worse. The same for Twitter, same for public Jenkins Jira. So if you just report an issue to the Jenkins project, it becomes public and some people may see that we can create exploits and they mean, but not only Jenkins users, but also you particularly if you misreport that, so you do not want that. And yeah, that's.
B
Why I'm using this project, we have security project, and when you create, discover an issue, please follow this process. So I clicked the button and now I need to log in. Oops, yeah, no edge, I shouldn't open this link because probably show the security issues. What I need to do? I just go to the bug tracker to them.
B
Okay, here I can click the create button, and on the kid button you see that there are multiple projects. So if you want to report a security issue, you click security, let's say I because again a security bug or not. You don't need to be a specific baby because always just a milk cherished. So what we asked is just the Portage's against this product, and we will fix a diversity if it's misreported. So you just describe the issue and attic you click read and then the security issue is reported.
B
This is what described here, and the question from Irina was what happens next for planning making us current configuration of the Jenkins security project that, of course, maintainers do not have access to security issues by default, because we restrict access to the security team on them. But when that is the security issue reported, the particular company and, for example, Configuration as Code plugin, one of the security team members, usually it's Daniel Beck, security officer, he reaches out to maintainers.
B
He describes the issues, he assigns them to them so that they are able to see this issue and come and know that, and if needed, we also provide a secure bug tracker, so any maintainer can fix being ship privately attribute with the security team, and then because we need the release. What we expect from plugin maintainers is that security releases don't happen in public just to fix security, but they happen in a coordinated way. Why we do that? Because, as I said, there are many Jenkins users and we need to prepare the release.
B
We need to prepare the announcement. We need to send announcement in advance so that James Michener's are ready to update the instances, that they know that the bit is incoming, and that's why we ask all plugin maintainers to follow the process. So, for example, here we had one security release in October.
B
There is a security release in common today, according to the announcement, but here you may see that a very good to plugins released, and if you scroll down, you may see there are many advisories and some advice that is saying include plugins, and I thought there was one other way. This Configuration as Code, yeah, that is advisory for Configuration as Code dated to June 25th. So there was one of it doesn't work on that in that way.
B
So, if you just scroll down, we may see that there is a Configuration as Code plugin about any one user at all. The treat access projects configuration. So it was a reported defect. It was fixed and it was announced as a part of advisory so that anybody who follows of it, they receive this notification without looking at whatever changelogs, whatever release notes, etc. And yeah, this is the process we try to follow. Any questions so far?
B
Right, so yeah, Jenkins security team will reach out to you if there is a security report, and yeah, we ask all people to be as silent as possible about security issues so that we can coordinate releases, especially in the case of it important ones. Of course, if you use at her said needs initially in GitHub, or if he reports it in Gitter, you cannot do much about that, but at least we can still follow the process, and in particular cases it's also expedited the process.
B
I mean, if you want to have more control, work around the process. Actually, there is a way to join jigs. You know any other engine testing, we need more contributors and we will appreciate all in tears joining the team. Of course, joining security team requires some background in the Jenkins community, etc. But if you want, it's possible to discuss that. Other some requirements like setting up two-factor authentication and silly etc., nothing really specific, and after that we can grant him access so that you can participate in coordination of releases etc.
A
You had some comments about and I'd like to hear a little bit more from you by far. So there's this feature exporting plugins to come, and you comment you like the feature but you're not sure if it should be part of JCasC plugin or separate plugin. So I mean, I rely on your opinion a lot when it comes to that kind of stuff. So would you skip merging and suggest Oliver to just have it as a separate plugin, or you think having it in JCasC is acceptable?
B
So it's a way to package Jenkins, including James 5, run et cetera, and what it does here effectively, it produces input for Custom WAR Packager. For me, to be honest, it would either be a part of the support core plugin, because support core plugin already produced plug-in 64 docker. So there is no reason to not practice on maximal there. I would say so. Mm-hmm.
A
Yeah, from what I've seen in the code, actually all the code isn't really bound to JCasC logic, so it could be easily exported to a separate plugin and, for example, if it's not support core plugin, we could make it a part of Custom WAR Packager if you need it as well. So mm-hmm, yeah, I do not think that it needs to be in Configuration as Code. I'm waiting for the feedback from Oliver, but yeah. Maybe it makes sense to just ping him. Yeah.
A
I thought that's what I was going to do, just wanted to get more background for it from you. It's like it's not a nice feature, but not integral part of Configuration as Code as I understand that. I mean, I see, okay, so hey whatever you like me, not whatever. What do they have just said? I will ping him with that comment and we'll see.
B
One of the ways integrated risk and so Paul maximal expert is one story. Another possible option is to export plugins. JCasC has a feature to install plugins via jenkins.yaml, and what we could do in the universe way, we could teach Custom WAR Packager to understand plugins section in these configurations. Mm-hmm.
A
Well, we'll follow up with Oliver then, and there was another issue that, well, kind of showed the problems of the process we have. Is this configuration installed? Yes, so pull request template. Those are pull request template introduced before without going through pull review process, and well, not everyone might. Work was happy with that, with the template, and so following their suggestions, I reverted it and I created it back as a pull request.
A
So I will, after I update the pull request template to not contain the last line, and then there was also a comment from Liam that maybe we could have check boxes, and I mean it looks nice, but it's, yeah, what my first thought was. So people will just check the check box and it doesn't really. We don't really check if that description of the change made was provided.
B
People tend to click on check boxes. As you said, some people just tend to delete template and ignore it at all. Unfortunately, there is no way to prevent that. Well, we could connect into pull request builders to prevent that, but we don't, so yeah, I think it's just as you wish. Checkbox just saves some place, because when you open pull request use multiple headers, the additional related box is bigger me. It's my not comment. Okay.
B
Clarify in my feedback, so my main concern was that it was pushed without pull request review and just whoosh, so it's or the main source of my frustration. Yes, I do not like this funny images and pull request templates, right, but it's if others would fold it and fine if snow yep, if you're not sure that yeah.
A
So the summary is more like, yeah, we have you the comments, you're fine with it, except the last line.
A
John said that he doesn't care. Then I don't know the name of X 10 a and 14, but he supports your comments. And so that's all the feedback I got, and then there is Joseph. Was that you're right commenting you.
A
Extent anyway, so I guess most of us are okay, but not need it and learn.
A
Yeah, yeah, then that's the decision. That's then that now we follow the process. So I hope that we like everyone, it was will be satisfied, and then there was like one. So sorry, there was one more issues that I think: okay, six five six. I mean there was more pull requests, but those are the ones that I wanted to hear some comment and I.
B
Okay, so now there is comparison, it should. Let me check. I checked, you probably missed it in the original review. I chipped, a navigate hub by the way, mmm-hmm. I haven't seen any conflict in copper, kiss law keys, but you're, one of the things we didn't know and which inputs the Jenkins users jakers, doesn't fetch symbols by Clause.
B
So we have a more general issue with JCasC that plugin developers can create conflicting symbols in their plugins, and this is not how a single system is designed, so with regarding this plot across a different type of that, okay, yeah. My concern is about architecture in general. You should do something about that, because yeah, I did yet another plug-in me in recently.
A
DSL is the way to go, right. Yeah, they want, I mean we're not planning to provide some separate tool for that. Okay, you know, yeah, that's it for now, and yeah, so my focus currently is to make plugins I find not being compliant with Configuration as Code compliant. So that's it. But then we like, there's an interesting pull request. I think as a bad, build pipeline step for JCasC plugin, and I haven't had a chance to have a look at it.
A
Daniel said it's considered a work in progress, but that the simple functionality is tested, so I guess I will follow up a checking Keith. If he's planning to develop it further or this is it and we can take it from there. Are you talking, sorry, you're talking about jab yourself, Daniel, the maintainer of job? You saw hey I'm talking about Daniel, Carson I, know it different Daniel I assume. Now it's a pipeline build step for JCasC plugin, and it addresses so that.
B
In the future there are also some plugin prototypes, for example, pipeline as YAML, so there was a GSoC project to create pipeline configurations as YAML, and once it's done it can be nicely integrated into Configuration as Code by your offering concentrated in that plugins, right, right. So in the future there may be even more ways to get it finished without.
A
But yeah, I mean, I think it's worth mentioning that there is a lot of things like that happening in Jenkins community, not only around takis Jenkins Configuration as Code plugin. There is a lot of groups that have public meetings where you can discuss issues, so you know, just to let you know that it's not only ask, yeah.
D
Yeah, yes, always sadly, kind of quiet, so you know that one could use like more public group meetings and stuff, but I don't know Java nearly well enough to really do much. I do drop into a Java debugger sometimes and try to understand Jenkins. But it's not easy. It's pretty much John going from nothing to, you know, a Speed Racer, like you know that Jenkins is heavy. It's team, Giada, yeah.
D
Maybe it's okay, I don't wanna take up too much of your time, but yeah, thanks for, yeah, you can drop a link into the Gitter channel or something maybe, but yeah, that helps. I mean, I'd try, I'd mess around a little bit with a Groovy hook, but I did, you know, just first try and then I gave up, so maybe I'll try that again. Cool, okay. So.
A
So well, that's all I had in my agenda, the pull request I wanted to comment and the security issue thinks. I told you what I'm planning to work on in the upcoming weeks, and we still have time. I don't know how about you, but theoretically we still have time. So is there anything any of you would like to talk about now?
B
Nothing specific from me. Yep, so one heads-up from me. Let I will be like unavailable on the current system basis for the next several months and they really know the reason, so yeah, they're regarding video broadcasts and other such things. Probably it's time to bottleneck me, so yeah. If you could really know it would be really cool. Is.
B
We request all security team members or people whose Jenkins corners permissions and all people who is infrastructure. It's essentially the process is described here. Generally, you clip a PDF encrypted properly and send it by a pull request. A here's a number of such requests, I believe, yeah, and you just create one on your own. Then third, you will integrate these permissions I believe we present. So it has to be reviewed by somebody from Jenkins board. Now it's it that Tyler wrote Kiki. Usually it's Tyler, then gets integrated and we have collected series there.
B
So it's ICA, Individual Contributor License Agreement. So there is a bunch of people here, likely that was me as well. Is me, so there is some committal properties, so you may see that we started mail. Restoring the table ID duska budget here please, but here that's how it works now and they same force is your way. So she's really is something for companies and some companies my opting and the same necessarily if they want, but it's totally up to the companies. What we need for infrastructure is Individual Contributor License Agreement.
B
You will still need to create a public infrastructure request to get permissions, but I can grant permissions on my own belief and the Lincoln grant permissions, Tyler can grant permissions. So there is a bunch of people. You just come, for example, to the community channel, ask here or send a message to the infrastructure mailing list and you can get these permissions, but.
A
Yeah, I was, so I was trying to revisit it when I office today, retrospective, but I guess it wasn't the right time, and I don't think the just before Christmas is also the right time. So we may maybe try to fix it at the beginning of next year. I think we have some contributors from States, so maybe we can adapt to everything.