►
From YouTube: Platform SIG 2020 08 13
Description
Jenkins platform special interest group August 13, 2020 with topics focused on Alpine Docker image updates, AdoptOpenJDK for Debian and CentOS images, alternatives for image rebuild, and plans to drop support for Debian 9 (stretch) as it approaches the end of its security fix support.
A
And
then
off
we
go
so
welcome
to
the
platform
sig
meeting
the
13th
of
august
we've
got
a
topic
on
the
agenda
related
to
adopt
open
action
items
we'll
review
briefly,
adopt
open
jdk
for
docker
on
alpine
or
for
let's
type
docker
on
alpine.
Only
alpine
doc
adopt
open
jdk
8
for
docker
on
alpine
and
then
we'll
create
a
separate
item
for
adopt
open
jdk
8
for
docker
on
other.
A
A
A
And
I
that
was
probably
tim
yeah
and
I
think
that
one
is
just
a
status
report,
so
that
can
be
me
or
you
alex
right,
because
it's
it's
availa,
it's
intended
to
be
available
preview
mode
and
we'll
we'll
talk
to
it
anything
else
that
needs
to
be
on
the
agenda
alex.
A
If
we
want
want
to
fix
and
that's
what
oleg
has
submitted
as
a
proposal
alex
any
concern
there
from
you
in
terms
of
accepting
a
breaking
change
in
order
to
make
that
transition.
A
And
so
the
there
are
pull
requests
pending
to
update
docker
the
docker
image,
the
agent
images
and
it's
multiple
agent
images.
If
I
recall
correctly
as
well.
C
Yeah,
we
need
to
ship
all
the
repositories,
so
in
this
case,
docker
ssh
build
agents
is
the
biggest
priority,
taking
the
nature
of
disclosed
issues,
but
other
images
also
require
update,
so
go
ahead.
Yeah
inbound
also
with
agent
also
all
glp
agents-
think
because
they
also
include
dependencies
on
alpine
versions.
C
C
B
Yeah,
I
think
the
issue
is
that
this
one
was
never
updated
to
pin
the
pester
at
a
specific
version,
so
I
can
I
can
put
in
a
pr
for
this.
It
should
be
easy.
B
C
No,
it
was
under
one
image,
the
point
about
engines.
We
still
need
to
get
the
upstream
image
here
to
this
first
before
get
full
cir
running.
That's
why
I
focus
on
it
first:
okay,
because
yeah
we
need
additional
time
and
yeah
release
draft,
isn't
working
as
well
likely
because
of
some
issues
so
yeah.
I
will
switch
it
to
github
actions.
C
A
B
B
I
thought
they'd
already
done
that.
So
that's
that's
good
news,
at
least,
but
that,
if
we're
so,
if
we're
not
pinning
to
a
specific
version
of
like
adopt
open
jdk,
for
instance,
when
they.
C
A
Oh
well,
and
I
think
that
that
the
pattern
oleg's
shown
us
is
he's
pinning
strongly
to
a
specific
version
of
adopt
open,
jdk's,
docker
image,
and
I
prefer
that
as
well.
So
does
that?
Does
that
mean
that
this
discussion,
the
discussion
of
buster
or
centos,
is
actually
no?
I
guess
it's
not
irrelevant,
because
they
adopt
open
jdk
provides
a
buster
image.
A
B
One
is
the
the
top
one,
and
then
this
is
the
official.
Oh,
oh,
and
we
need
unofficial
so
well
we're
we
have
to
use
some
of
the
unofficial
images
like
the
buster
is
part
of
their
official.
A
A
B
Ever
be
so,
the
docker
official
images
are
the
ones
that
are
built
by
the
docker
people
themselves,
right
the
adopt
open,
a
jk
repository
or
whatever
you
want
to
call.
It
are
the
ones
built
by
adoption
jdk,
so
that
one
right
there
is
built
by
adopt
open
jdk.
So
it's
not
like
it's
some
third
random
party,
or
rather.
C
Personal,
they
do
not
have
full
test
coverage
being
compared
to
official
images
so
platforms
meeting
several
months
ago
when
we
were
discussing
that
well,
it
was
brought
up
as
a
main
concern
block
and
jay
of
alpine
images
and,
as
alex
said,
there
is
no
guarantee
that
they
will
ever
be
in
ge.
A
C
Yeah
yeah
there
is
even
to
do
in
the
pull
request.
You
reviewed
this
pull
request
to
do
successfully
references
it
as
experimental
ones
right
and
well.
We
couldn't
do
anything
better
and,
let's
be
honest,
I'm
not
sure
what
is
better
partial
experimental
test
coverage,
but
by
adopting
ngk
a
conglomerate
of
multiple
engineers
and
contributors
working
on
the
baseline
or
in-house
builds
by
docker,
for
which
we
have
already
experienced
quite
a
number
of
problems.
A
C
A
B
B
A
A
B
Not
pulling
from
there
right
now
from
their
image
for
its
sentiment.
Okay,
all
right
from
send
to
us
not
from
adopt
open,
jdk,
centers.
A
A
Well,
it
installs
this
page
adk.
It
just
does
yum
install
java
java
develop
okay,
so
it's
installing
a
in
installs
all
right,
so
it
sells
jdk
with
yum,
with
the
package
manager
from
the
os.
A
B
B
A
B
A
The
number
of
potential
people
affected,
but
if
I
remember
correctly,
the
even
even
on
our
debian
image,
we're
not
running
a
brand
new.
It's
not
running
a
latest
version
of
jdk
because
the
debian
base
doesn't
offer
us
a
or
the
open
jdk
base
doesn't
offer
us
a
newer.
B
B
A
A
A
B
You
know
it's
one
of
the
it's
one
of
the
it's,
not
a
organization.
Oh,
it
is
not
no,
it's
part
of
the
official
docker.
So
we
go
to
the
official
docker
open,
open,
jdk.
A
A
A
A
A
A
B
At
least
give
us
a
way
to
pin
to
buster
so
well
since
adopt
open.
Jdk
does
not
provide
a
buster
specific
tag.
B
A
C
You
mean
the
event
when
medium
3.6.21
broke,
because
the
issues
in
debian
right.
A
A
B
A
Yeah
yeah,
that's
exactly
what
I
was
thinking
thanks,
you
remind
very
well.
What
we
really
need
is
a
is
a
technical
discussion
and
we
have
a
forum
to
do
technical
discussions
called
the
jenkins
enhancement
proposal
process
yeah.
So
yes,
wholehearted
agreement,
and-
and
that's
one
of
these-
this
is
a
an
education
point
for
me
that
our
choice
of
which
base
image-
okay
got
it.
So,
yes,
that
needs
to
be
there.
A
A
All
right
are
there
other
things
we
need
to
discuss
here,
other
than
that
a
jep's
got
to
be
created
and
we've
got
to
discuss
that.
I
don't
think
we
have
any
any
issues
that
are
burning
things
down
on
these
images.
Currently
we
know
that
january
2021
21
is
a
or
let's
say
it
differently.
Debian
bullseye
release.
A
A
A
C
B
C
Yeah,
I
guess
the
way
to
go
is
just
setup
dependable.
C
There
might
be
tricky
parts.
For
example,
how
do
we
update
remote
inc
and
other
things,
but
for
base
images?
Dependable
will
do
the
job
so.
A
Dependable
will
change
the
base
image
that
we're
running.
I
thought
alex
was
also
concerned
about,
so
that
updates
to
the
versions
of
items
that
are
that
are
specif
specified
by
version
in
the
my
concern.
B
Is
let's
say
that
they,
you
know,
there's
a
package
that
we're
installing
via
app
that
has
a
security
issue
right.
That's
that's
not
going
to
be
copied.
B
C
So
yeah
it
depends
what
would
be
chicken
dependencies
automatically
then,
when
it
discovers
dependencies
it
would
be
creating
pull
requests.
C
This
request
will
be
built
by
jenkins
ci
here
and
if
there
are
related
security
updates,
etc,
you
would
be
getting
information
in
the
security
tap
on
github.
Basically,
any
maintenance
will
have
access
to
this
information
so
default.
Behavior
is
that
update
is
public,
but
the
security
details
are
private,
though,
if
you
want
you
can
disable
a
security
full
request
at
all
and
just
get
security
controls.
C
On
how
security
is
kind
of
currently
working
now
for
docker,
because
the
bot
has
two
littles,
so
I'm
not
sure
what
would
you
get
now
and
I'm
not
sure
what
would
you
get
tomorrow
and
nevertheless
yeah?
If
we
really
want
to
have
a
deep
securities
coming,
then
we
should
just
at
the
tool
like
ensure
or
whatever
in
our
pipeline.
C
A
A
C
It's
not
really
a
question
of
dependable
because
dependable,
let's
say
it's
additional
feature:
it's
rather
a
matter
of
reproducible
builds
so
well,
I'm
still
using
attack,
but
at
least
it
provides
some
uncertainty.
What
you
said
the
image,
because
otherwise
you
may
easily
end
up
with
a
situation
that
you
cut
an
lcs
release.
C
Then
there
is
a
java
release
or
whatever
release
happening
in
parallel,
so
that
you
ship
one
of
the
just
one
version
of
java.
Another
version
of
use,
another
java-
or
you
might
be
a
shipping
conversion
which
wasn't
tested
by
your
continuous
integration
environment
and
you
discovered
it
on
the
one
you
cut
the
release
because
release
pickup
picked
up
another
version
from
the
same
tag
so
in
the
current
state,
our
official
packaging
is
exposed
to
all
these
issues.
Pinion
conversion
is
what
I
would
highly
recommend
for
any
use
case
of
docker.
C
A
Right
so
it's
it's
more
about
build
repeatability,
your
preference
towards
explicitly
enumerating
the
version
numbers
inside
the
component
inside
the
the
from
line
of
the
docker
image.
A
A
B
We
actually
already
have
buster
images
for
the
agents,
whereas
we
it
looks
like
we
don't
for
the
controller,
so
it
would
just
be
in
this
case
not
publishing
them
anymore.
A
A
A
C
C
Yeah,
it
won't
cover
100
of
use
cases,
but
it
will
definitely
cover
the
most
common
use
cases
for
that
good
yeah.
If
you
want
to
go
further,
you
can
do
the
same,
for
example
on
the
remoting
side,
so
that
it
also
appears
in
the
build
blocks,
but
for
build
locks.
You
will
really
need
to
tweak
remote
ink
well
unless
docker
plug
you
know,
kubernetes
plugin
recognizes
messages.
A
C
Yeah,
so
if
well,
if
you
want
to
provide
good
user
experience,
then
yes,
you
would
need
to
change
remoting.
I
see
okay.
Well,
there
might
be
other
approaches,
but
yeah.
It's
not
exactly
a
huge
patch
got
it.
Okay
and
this
patch
can
be
actually
useful
for
many
other
use
cases.
So
I
would
be
definitely
willing
to
support.
A
A
A
A
C
Yeah
so
yeah,
definitely
we
could
do
a
longer
demo,
but
well,
I
don't
think
it
makes
much
sense,
because
next
week
we
will
have
a
presentation
by
casual,
including
sergent
and
sao
so
just
join
online
youtube,
if
you're
interested
to
see
details
how
it
works
on
little
plugins.
C
But
yeah
the
agency
was
switched
so
now.
We've
got
a
higher
epi
rate
limit
and
also
pipeline
libraries,
etc.
Now
use
github
checks,
api
for
reporting,
as
well
as
multi-branch
pipeline.
A
Last
item
using
plugin
installation
manager
and
docker
images,
so
this
is
in
preview
preview
from
tim
jacobs,
pull
request
have:
has
the
image
been
released
with
that.
C
Preview
in
it,
no,
we
agreed
to
delete
until
there
is
a
security
release.
I
think
in
the
current
situation.
C
A
Okay,
well
so
yeah
when,
when
you
say
weekly,
oh,
oh
right,
weekly,
the
docker
image
based
on
the
weekly.
Is
that
what
you
mean
so
so,
which
is
2.253,
will
be
the
next
weekly.
A
C
C
Also
it's
building,
although
you
still
need
to
see
what
it
will
be
resolved
for
that,
but
yeah
the
image
is
running
so
at
least
latest
versions
should
be
updated,
I'm
not
sure
about
text,
but
this
is
something
we
want
to
verify.
You
know
quite
fine,
then,
for
sage,
build
agents,
I'm
still
waiting
for
puller
requests
to
complete
because
alex
updated
faster
before
that
it
was
filling
on
windows.
C
So
we
need
to
pick
up
a
fix.
Then
we
spend
the
release
or
maybe
do
a
blind
release
with
valencia,
but
yeah
right
now.
It's
still
running
and
yeah
for
inbound
engine
and
for
gnlp
agents
representatories.
We
still
need
to
do
the
stuff
so
optimistically.
By
the
end
of
the
day,
everything
will
be
released,
but
yeah.
It's
not
something
like.
I
will
finish
it
in
one
hour.