►
From YouTube: Jenkins Governance Meeting, Jan 13, 2021
Description
Recording of the regular Jenkins Governance meeting. We discussed the recent news, upcoming events, and key priorities for 2021: contributor onboarding, security, etc.. Agenda and meeting notes: https://docs.google.com/document/d/11Nr8QpqYgBiZjORplL_3Zkwys2qK1vEvK-NYyYa4rzg/edit#heading=h.v4sls9rnbtoa
A
A
Okay,
do
you
see
it?
Yes,
so
yeah
we
have
a
few
news
and
we
have
planning
for
2021,
mostly
defining
key
priorities
and
other
things
we
started
doing
that
for
the
new
year,
blog
post,
but
yeah.
This
is
a
good
place
where
we
can
discuss
what
else
we
would
like
to
see
happening
next
year
and
what
would
be
the
priorities
for
the
governance
board?
A
A
Okay,
so
let's
go
to
news
one,
fresh
news:
that
today
we
had
a
security
release.
The
security
release
involves
multiple
fixes
in
the
jenkins
core,
including
xss,
and
whether
it's
a
civilization,
error,
potential,
fast
traversal
and
access
to
files.
So
if
you
use
jenkins,
please
update
this
video
and
we
have
cs
and
weekly
released.
So
all
the
packages
are
available
now.
A
Other
news
is
that
we
have
fosdom
as
usual,
so
this
year,
for
them
will
be
virtual
and
we
will
have
a
jenkins
developer
stand
there
and
at
the
cicd
room
we
will
have
a
talk
by
victor
martinez
jenkins
and
probably
there
will
be
more
talks
at
the
conference.
So
please
check
agenda
and
yeah.
If
you
are
interested
to
participate
just
to
buy
the
jenkins
booth,
it
will
happen
on
the
weekend
and
we
will
definitely
have
someone
available.
B
A
A
C
B
A
A
We
have
a
few
topics
in
the
message
about
the
governance
meeting.
I
wanted
to
specifically
talk
about
the
contributor
onboarding
and
security,
but
yeah.
This
is
a
place
where
you
can
discuss
other
topics.
If
you
have
anything
in
mind
because
we
still
have
documentation,
we
still
have
events.
We
need
to
organize
and
other
things,
so
we
can
just
discuss
what
would
be
the
priorities
and.
A
Why
I
put
contributor
onboarding
to
the
list
is
mostly
because
of
this
graph.
We
discussed
a
few
times
before,
but
yeah
this
year.
When
the
covert
situation
started,
we
have
seen
quite
significant
deep
in
terms
of
company
contributors
and
in
june
we
sent
a
request
to
the
linux
foundation
to
verify
whether
this
data
is
actual
and
my
understanding
that,
yes,
it's
actual
so
how
it
gets
generated.
A
B
B
A
A
A
A
Yeah
yeah
it's
a
case
and
what
it
means
for
us
that
we
should
do
better
outreach
to
users
for
different
platforms
and
and
yeah,
of
course,
with
alsace
offerings.
Now
the
situation
becomes
more
complicated
in
terms
of
attracting
contributors.
It's
not
a
surprise.
We've
been
discussing
that
at
the
contributor
summits
before
but
yeah.
We
still
should
work
in,
because
jenkins
is
used
in
so
many
areas
and
yeah.
A
B
Yeah,
I've
I've
definitely
seen
companies
that
previously
were
not
doing
any
continuous
integration
looking
towards
it.
So
I
think
there
is
still
an
opportunity
for
us
to
have
new
people
arriving
even
with
the
increased
competition
from
sas
providers
and
others
yeah.
But
it's
we
need
to.
We
need
to
actively
work
to
onboard
contributors.
A
Eric
and
here
come
events
and
other
activities
so
again,
yeah
you
can
participate
in
hacktoberfest
octoberfest
helps
here,
no
doubt
getting
individual
contributors.
I
believe
it
helps
less
with
company
contributions,
though
particular
initiatives
could
help
as
well.
So,
for
example,
targeting
custom
platforms
is
one
of
the
areas
which
we
discussed
before
multiple
times
and
yeah.
I
think
you
should
do
between
that.
A
E
An
opportunity
just
to
focus
on
that.
I
think
it's
I
think
the
corona
problematic
is,
for
instance,
in
germany.
Nobody
has
really
time
for
anything
for
his
free
time.
So
in
my
spare
time
I
need
to
care
for
the
children
more.
So
maybe
this
is
also
a
problem.
I
don't
know
if
others
also
have
the
same
problems.
E
D
B
So,
but
that
is
a
good
observation
that
the
the
what
looks
like
the
average
number
of
individual
contributors
is
roughly
the
same
from
2019
to
2020.,
but
there
is
a
there
is
an
observable
difference
between
contributing
companies.
So
do
we
need
to
consider
a
way
to
reach
out
to
companies
to
encourage
them
to
motivate
their?
I
don't
know
how
we
do
that
even,
but
I
think
oh,
like
I
think
that
was
part
of
your
point-
was
that
it's
not
it's
individual
developers
were
relatively
flat,
but
companies
are
the
thing.
That's
down.
A
Yeah
so,
firstly,
it's
two
workshop
for
contributions,
because
we
know
that
for
many
plugins,
basically
contributions
and
get
stuck
and
providing
timely
feedback
assist
with
getting
changes
in
is
one
of
the
the
opportunities
to
onboard
and
retain
contributors.
So
this
one
area
and
secondary
again
focusing
on
cases
which
are
important
for
bigger
contributors.
A
C
A
A
E
And
do
you
do
you
have
already
an
idea
how
to
proceed
on
that
topic,
because
something
that
we
did
in
the
past
was
to
identify
key
areas
that
third
company
want
to
promote
and
maybe
trying
to
find
a
way
to
promote
those
areas.
So,
for
instance,
I
know
that
rudolph
is
interested
with
the
jenkins
communities
operator
and
the
second
company.
I
can't
remember
the
name
as
well,
so
maybe
this
is
the
kind
of
initiatives
where
we
can
help.
D
A
D
A
A
A
B
B
I
was
thinking
advocacy
now
it
reaches
the
place,
but
just
so
people
here
are
aware.
I
think
we
should
do
a
contributor
summit
in
the
what
northern
hemisphere
we
might
call
the
spring
fosdum
you
know,
february
or
march,
that
kind
of
time.
It
definitely
won't
be
before
fosdem
and
it
won't
be
during
fosdem.
A
B
E
D
E
Terms
of
reaching
to
users,
I
think
the
first
them
will
be
the
good
place,
and
in
this
case
we
are
more
interested
about
how
we
federate
about
all
the
different
initiatives
on
the
jenkins
community.
So
to
me
to
me,
I
would
be
definitely
more
interested
for
a
small
contributor
summit
than
the
user
and
also
the
other
reason
why
it
would
be
easier
is
because,
depending
on
the
technology
that
we
would
use,
I
mean
it's
easier
to
target
a
smaller
audience.
A
B
Right
and
and
time
zone
is
one
of
the
complicating
factors
there.
So
that's
that's
a
good
thing
to
note
that
I
I
I
think
it
needs
to
be
live
and
therefore
time
zone
is
a
challenge,
but
it's
worth
the
challenge,
because
we
then
have
more
communication.
And,
yes,
I
think
we
should
use
breakout
rooms.
I've
I've
liked
how
they've
worked
in
other
environments,
where
I've
used
them
and
I've
been
impressed
at
how
helpful
that
is
to
do
a
breakout.
E
Room
but
but
something
that
we
also
have
to
keep
in
mind
is
since
not
everybody
will
I
mean,
since
we
are
not
in
the
same
location,
we
don't
have
to
do
the
contributor
summits.
I
mean
the
same
day.
We
could
play
the
contributor
summits
on
different
days
and
say,
let's
say
on
monday:
we
want
to
focus
on
that
area
and
choose
this
area
and
so
on,
and
so
we
have
smaller
periods
where
we
have
to
focus,
and
maybe
it
will
be
easier
for
people
to
participate.
Good,
yeah,
good
suggestion.
B
E
Okay,
thank
you
also
just
for
the
date.
I
would
also
not
suggest
to
use
a
date
close
to
neither
first
them
our
skill,
because
one
of
the
reasons
why
we
did
that
during
first
them
or
any
other
major
event
is
because
everybody
was
there
at
the
same
time.
But
on
the
other
side,
we
already
have
plenty
of
things
to
do
for
first
time
and
other
major
events,
which
means
that
it's
maybe
easier
to
just
find
a
moment
where
it's
more
calm.
B
Agreed,
particularly
since
fosdem,
in
order
to
participate
in
the
stand,
I'm
going
to
be
giving
time
saturday
and
sunday
and
that'll
make
it,
make
it
more
challenging.
For
me
to
say:
let's
do
something
immediately
after
that
yeah
it.
I
will
probably
ask
for
a
little
bit
of
gap
timewise
between
the
fosdem
event
and
when
we
do
this
summit.
A
Okay,
so
other
I
think
we
should
double
down
on
this.
Here
is
jinky
security,
because
yeah
all
the
recent
events
with
solar
winds,
etc.
There
are
much
higher
expectations
from
all
components,
participating
in
software
delivery
cycle,
they've
already
some
questions
coming
about
security,
and
I
think
that
we
should
facilitate
this
discussion
in
the
community
and
to
see
what
we
could
improve.
Actually,
there
is
a
lot
of
improvements
happening.
A
For
example,
last
year
I
published
some
starts
so
were
19
advisories,
almost
200
fixed
vulnerabilities
plus
somewhere,
which
were
firstly
disclosed
and
this
fixed.
So
it's
a
quite
high
number
and
there
were
also
two
improvements.
So
now
many
plugins
have
dependable,
including
automatic
security
scanning.
We
have
give
up
material,
fancy
bugs
and
other
components.
A
There
so
yeah,
there
are
definitely
opportunities
for
us,
and
I
think
that
we
can
collaborate
tomorrow.
Yeah,
that
is,
security,
team
and
security
team
is
doing
a
great
job
more
members.
They
could
also
help
especially
getting
more
vendors
participating
because,
right
now
we
have
basically
only
two
vendors
represented
the
security
team,
and
there
is
a
lot
more
so
yeah,
I'm
not
sure
what
exactly
they
deliver
in
terms
of
security.
What
service?
But
it's
up
to.
A
C
E
D
It
yeah,
it's
probably
worth
I
know,
I'm
throwing
into
other
people,
but
it's
probably
worth
putting
up
a
blog
post
about
this,
because
it's
one
thing
for
the
people
who
are
already
involved
to
get
more
involved,
but
this
would
be
a
great
opportunity
for
a
lot
of
people
who
are
not
involved
to
get
involved.
You
know
a
lot
of
there's
a
lot
of
you
know.
New
security
analysts
out
there
that
are
really
excited
for
a
project
to
get
working
on.
A
Well,
there
are
tools
like
sneak
available
there,
and
also
we
can
probably
even
apply
for
an
audit
program,
though
the
program
doesn't
seem
to
be
related.
You
know,
and
we
can
also
continue
our
certification,
because
even
if
we
have
100
percent,
which
we
have
133
percent
in
jenkins,
now
there
is
still
178
percent
more
we
could
achieve,
and
there
is
a
lot
of
additional
security
practices
which
we
could
adopt
so.
A
A
Zero
or
five
means
that
you
just
didn't
process
that
actually
but
yeah.
You
can
see
that
there
are
some
requirements
like
using
basically
package
practices,
which
is
slightly
okay
here
or
some
software
delivery
requirements,
protection
from
the
middle
some
additional
requirements
like
security
review
within
the
last
five
years,
yeah.
A
C
A
B
D
D
D
E
D
So
but
the
problem
was
that
we
let
everyone
use
different
tools,
which
means
that
you
know
the.
So
there
are
complaints
that
in
the
that
used
to
be
able
to
talk
to
quote
developers
in
irc,
but
now
you
can't
anymore
because
they're
not
there
and
you
know
that's.
The
problem
is
everyone's
in
different
spots,
so
that
nobody's
in
any
spot.
A
C
C
B
D
D
Maybe
we
want
to
look
in
running
jenkins,
home
server,
so
then
that
might
be
willing
to
wait
for
as
well
so
that
you
know
use
your
ldap
credentials
or
whatever
else
you
log
in
and
you
get
access
to
getter
you
get
access
to
all
the
chat
rooms
they're
all
there
easily
searchable.
So
there's
two
things
I
think
it
might
be
worth
deciding,
maybe
not
implementing,
but
deciding
before
we
do
a
demo.
A
A
A
A
D
A
D
D
D
E
D
D
C
E
It
might
be
upfront
now.
I
would
be
curious
to
know
to
have
the
visualization
of
what's
the
top
10
plugins,
that
people
are
looking
for
information.
What's
the
top
10
plugins
of
what
people
are
contributing
and
what's
the
top
10
plugin
that
people
are
using
well,
I've
been
studying
over
the
past
months.
D
The
sad
thing
right
now
is,
if
you
look
at
the
trending
graph,
all
the
api
ones
are
the
ones
of
the
top
users,
because
every
plug-in
or
a
bunch
of
them
install
them.
So
it's
not
very
useful
data,
but
I'll
think
about
it.
The
other
way
is
is
to
know
which
plugins
are
worth
contributing
to.
You
know
it'd
be
nice
to
see
which
ones
are
having
been
updated
in
a
while
in
a
public
list,
so
people
can
be
like.
Oh,
I
want
to
maintain
this.
D
A
D
A
B
E
I
mean
it
would
be
better
if
we
have
it
later
or
before
this
time,
because
seven
o'clock
here
is
the
time
when
I'm
bringing
kids
to
bed
and
yeah
seems
exactly
the
same
for
me.
Okay
then
find
another
time,
maybe
two
hours
before
or
two
hours
after
it
would
be
fine
for
me.
So
just
seven
is
a
little
bit
hard.
D
C
F
B
C
B
B
B
D
It
was
something
that
came
up
on
the
board
mailing
list
earlier,
and
I
was
just
thinking
about
you
know
when
people
do
donate
what
we
do
for
them,
and
I
was
wondering
if
there's
a
list
of
you
know
like
some
some
like,
if
you
do
like
a
patron
or
something
some
people
have
like
a
little
icon
on
the
bottom
of
their
page.
It
says
these
are
all
the
donators.
A
D
Yeah,
because
I
was
thinking
about
you
know
like
this
donations
is
always
a
good
way
to
get
people
to
be
like
you
want
some
marketing
to
people
who
use
the
product.
You
know
having
jenkins
at
sponsors
with
a
list
of
all
the
people
that
sponsor
in
whatever
way
they
sponsor
could
be
in,
for
it
could
be
other
things
you
know,
and
then
people
would
be
able
to
be.
Like
oh
look,
they
were
friends
of
jenkins.
We
should
give
them
more
money,
because
jenkins
is
awesome.