►
From YouTube: 2020 12 18 Platform SIG
Description
Jenkins Platform Special Interest Group meeting Dec 18, 2020 with topics including Docker images, new ARM servers from Amazon, release processes, and security release processes.
A
Now
welcome
this
is
the
jenkins
platform
special
interest
group.
It's
the
21st
of
december
thanks
for
being
here
topics.
I've
got
on
my
list:
action
items,
windows,
docker
images
for
ltsc,
2019,
the
master
branch
and
I'd
like
if
we
have
time
to
review
a
draft
of
the
jep
that
I've
created
in
a
google
doc
trying
to
trying
to
get
some
progress
on
that
that
jenkins
enhancement
proposal.
Are
there
any
other
topics
that
you'd
like
to
bring
to
the
meeting.
A
A
Great,
so
I
have
the
action
item
to
open
a
jet
for
docker
operating
system,
support,
ongoing
and
finally
started
the
evolution
of
the
document.
I
did
a
bunch
of
investigation
comparing
contrasting
a
few
weeks
ago,
we'll
review
that
later
today,
centos
options
for
adopt
open,
jdk,
so
alex
you've
opened
a
pr
for
this
thanks
very
much.
Could
you
share
with
us
what
you
learned
from
that
pr.
B
B
B
A
Got
it
okay,
excellent,
so
so
that
one
now
the
that
would
give
us
instead
of
relying
on
the
centos-based
jdk.
We
would
then
rely
on
adopts
of
the
adoption.
Jdk
correct,
nice,
okay-
and
I
saw
here
that
it's
using
jfrog.io,
so
that's
the
official,
that's
their
official
yum
repository
for
adopt
open,
jdk,
yeah.
B
A
A
Okay,
good
excellent.
Thank
you.
Thank
you.
So,
in
terms
of
communicating
that
change
is
there
anything,
we
fundamentally
need
to
communicate
and
do
we
have
a
vehicle
to
to
communicate
that
I
I
mean,
there's
nothing
that's
displayed
to
users
when
they
run
a
new
docker
image.
They
just
get
the
new
image
right,
correct.
B
B
A
A
Just
in
general,
you
mean
yeah
wondering
in
in
the
general
case,
not
as
you
know
so:
hey
we're
going
to
drop
debian
debian
9
support
in
the
not
too
distant
future
we're
going
to,
and
that
will
need
some
way
of
saying
it.
We
could
use
a
github
release
and
a
tag
or
we
could.
We
could
do
some
other
notification,
blog
post,
whatever.
B
A
A
A
A
A
C
A
A
D
So
the
server
images
are
all
there
we're
only
building
jdk
11.
and
we
start
to
have
an
official
release
of
adopt
open
jdk
on
that
version.
So,
but
that's
okay
for
the
time
being,
in
terms
of
the
agent
images,
there
are
two
open
pr's
for
that
just
need
reviewing
to
add
jdk
eight
in
and
that
should
be
for
the
docker
agent
and
I
think
it's
the
ssh
agent
and
then
the
other
one
is
the
docker
inbound
agent,
and
that
requires
some
well.
D
D
D
A
Okay,
so
so,
and
while
while
alex
is
doing
that
investigation,
I
need
to
be
sure
I
capture
this,
because
I'm
still
still
learning
the
structure.
So
we've
got
a
docker
agent
repository.
That
is
the
base
image
and
then
we've
got
inbound
and
the
docker
ssh
image
that
are
both
derived
from
that
image.
Is
that
correct
gareth?
Or
could
you
describe
that
a
little
further
for
me.
A
D
D
A
B
D
B
B
A
A
A
A
D
D
B
A
B
B
All
right,
4.6-2
is
released
on
the
docker
agent
repo,
all
for
once.
The
tag
shows
up
I'll
verify
that
that
trusted
sees
it
and
we
can
build
it.
I
don't
think
that
tags
are
automatically
built
untrusted,
so
generally,
just
as
an
fyi,
and
if
you
ever
do
this,
you
have
to
go
and
trust
it
and
verify
that
the
the
tag
gets
built.
A
A
Right,
okay,
yeah
now
that
that
I
think,
is
a
separate
topic,
but
there's
been
some
discussion.
Trusted
is
used
to
build
the
docker
images
because
of
the
credentials
required.
Is
that
one
where
we
would
be
willing
to
consider,
possibly
in
the
future,
moving
it
from
trusted?
That's
behind
that
ssh
tunnel
to
infra,
that's
on
the
vpn
and
not
behind
the
tunnel.
Or
do
you
have
a
strong
feeling
that
no,
it
really
needs
to
stay
entrusted.
C
A
A
Yeah
you
I
that
I
don't
know,
I
would
think
you
should,
but
well
then
again
olivier
intentionally
limits
who
can
who
can
access
release.ci.jenkins.io
to
a
relatively
narrow
group?
If
we
were
to
move
docker
builds
there,
we
would
need
to
grant
you
access
to
that.
It
sure
it
certainly
would
make
sense.
A
A
I
think
that
covered
that
covers
the
windows,
docker
images,
then
anything
else
gareth
on
windows,
docker
images-
oh
that's
everything.
Okay,
all
right
last
month
or
last
two
weeks
ago,
I
had
asked
about
ci.jenkins.org
master
branch,
docker
image.
Building
the
job's
been
failing
for
a
while
alex.
Do
you
have
any
anything
you
wanted
to
share
on
that?
Is
that
still
a
reasonable
goal.
B
Yeah,
we
definitely
want
to
do
that.
We
can
disable
the
the
experimental
publish
if
we
want.
I
don't
think,
that's
a
problem.
I
think
I'll
go
and
make
a
pr
for
that,
and
then
we
can
just
do
some
work
on
some
prs
and
stuff,
because
I
think
all
three
of
us
have
access
that
our
jenkins
file
changes
might
get
pulled
in.
So
I
think
it
should
be
fine.
A
A
A
E
If
that
is
the
problem
there,
we
need
to
be
mindful
that
we're
not
ending
up
in
some
sort
of
what's
the
term
where
one
part
cannot
be
repaired
because
another
part
is
broken,
and
vice
versa,
just
stuff
like
that,
but
otherwise
just
we.
We
need
to
be
prepared
how
to
handle
outages
of
various
sorts.
Otherwise
I
don't
really
have
an
opinion
right
now.
What
happens
is
before
we
publish
security
advisories.
I
make
sure
that
all
of
the
updated
components
can
be
downloaded,
which
means
packaging
for.
E
Regular
jenkins
wars,
the
plug-in
hpis,
if
any,
are
included
and
as
well
as
the
docker
images
and
notably
docker
images,
are
required
because
I
update
ci
jenkins
io
before
I
announce
the
security
fixes
in
an
advisory
and
cr
jenkins.
I
o
needs
to
be
online
for
the
site,
build
on
trusted
ci
to
work
so
there's
quite
there's
even
a
dependency
chain
in
the
content
publishing
process
there
and
any
changes
here
would
need
to
be
mindful
of
these
dependencies.
A
Me,
okay,
so
so
that
that
concept,
the
concept
of
docker
image
staging
I'm
I'm
ignorant
sort
of
on
that
one.
Is
that
one
that
you
would?
Would
you
be
willing
to
have
a
further
conversation
with
that
either
today
or
in
in
a
later
session?
I'm
interested
in
that
it
would
mean
I
assume,
changes
to
our
docker
build
process,
but
we're
already
building
the
images
ourselves,
and
I
think
we
intend
to
keep
doing
that
because
we
need
control
of
the
images
so
so
that
that
seems
reasonable,
alex
any
insights
from
you
or
daniel
first
questioned.
E
The
problem
is
on
release
day
when
I
want
things
to
go
out
quickly,
so
that
I
can
quickly
release
the
security
advisory.
The
need
to
build
the
docker
images
immediately
then
still
add
some
degree
of
uncertainty
and
fragility
to
the
process
that
isn't
really
inherently
necessary,
so
yeah.
I
would
be
very
happy
to
talk
to
you
about
it.
Unfortunately,
I'm
not
that
well
versed
with
poker
repositories,
images
and
such
so.
I
don't
know
how
much
I
can
contribute
in
the
implementation.
There.
A
A
B
B
If
you
could
take
a
look
and
see
if
there
are
other
specific
tags
that
you
would
want
removed,
I
asked
them
about
removing
the
repository
completely
and
they
said
that
that's
generally
caused
issues
in
the
past,
so
they
were
very
hesitant
to
do
that,
but
they
were
willing
to
remove
tags.
So
I
don't
know
if
the
old
old
versions
on
there
are
fine
to
keep
or
if
we
want
to
just
whack
everything
if
possible,
I'm
not
sure
if
removing
all
tags
is
possible
or
not,
but.
E
E
All
right,
I
think
that's
enough
of
a
speed
bomb.
So
to
I
mean
dr
paul
jenkins
on
the
top
right,
there
is
the
copyable
command
that
would
break
them
correct,
I
believe
so
I
believe
it
will
yeah.
I
think
I
think
that's
enough
of
a
speed
bump
to
make
people
look
at
the
page
and
it
has
the
giant
all
caps
deprecation
knowledges.
I
think
that
should
be
good
enough
to
make
them
think
twice
about
using
the
images
there.
Thank
you
very
much
for
doing
this.
B
A
E
B
B
E
A
A
A
Okay,
so
then
next
topic-
and
this
is
a
precious
I
propose-
we
will
stop
at
in
in
nine
minutes.
So
let's
use
the
next
nine
minutes
for
for
this
specific
item,
I've
got
a
draft
proposal
for
I'd
like
to
change
how
we
manage
docker
images
process
wise,
and
this
is
my
draft
proposal.
I
wanted
to
bring
it's
particularly
valuable,
alex
with
you
and
with
daniel
here,
to
see
hear
your
inputs
get
your
comments.
Oh,
this
is
crazy.
This
won't
work
etc.
A
A
I
was
thinking
it
would
just
be
up
for
adoption.
I
wouldn't
demote
it
to
unofficial.
I
would
just
make
it
up
for
adoption,
but
I'm
open
to
open
to
arguments
either
direction
there.
I
was
I
didn't
want
to
with
this
proposal,
change
the
status
of
the
existing
images
dramatically,
but
I'm
I'm
open
to
that
suggestion.
It's
I
thought
up
for
adoption
was
was
a
safe
enough
concept
that
it
would
allow
people
to
continue
using
the
images
that
are
there,
but
knowing
that
hey,
this
does
not
have
an
active
maintainer
on
it.
B
A
E
And
so
how
do
you
distinguish?
Well,
the
base
image
hasn't
changed
in
a
few
months
from
nobody's.
Maintaining
this
anymore
and
people
do
not
announce
when
they
leave
at
least
the
vast
majority.
Don't
some
well-known
contributors
in
the
community
like
nicola
gregory,
you
barcino
or
more
recently,
who
am
I
forgetting
not
chris
chris,
is
still
around,
but
swiss
guy
sorry,
don't
remember
the
name
they
announced
they
were
leaving
and
we're
looking
for
new
maintainers
for
their
stuff.
E
A
E
I
don't
know
I'm
just
you
know,
thinking
about
what
I've
observed,
trying
to
reach
out
to
maintainers
after
four
years
of
nothing
and
some
were
like
yeah
sure
I
will
help
you,
but
I
have
no
idea
how
to
release
anything
anymore
and
some
well
email
sponsored
and
there
there's
the
full
spectrum
there.
And
if
I
it's
it's
also,
if
you
use
a
plug-in,
you
have
a
relatively
easy
time
to
tell
in
jenkins
that
you're
using
it.
E
That
is
less
the
case
with
docker
images
or
packages.
You've
set
it
up
years
ago,
and
since
then
I
don't
know
I'm
lucky
enough
that
I
have
don't
have
to
care
about
it
because
olivia
handles
that.
But
I
think
there's
also
this
situation
where
someone
set
something
up
far
in
the
past
and
nobody
knows
how
it
works
and
I
think,
with
more
the
system
level
configuration
I
think,
as
a
user.
E
A
Actually,
I
think
you
you
lobbied
towards
one
maybe
back
to
the
idea
that
alex
had
offered
that
maybe
we
should
as
part
of
this
proposal
it's
a
significant
approach
enough
proposal.
Maybe
we
should
declare
if,
if
at,
if,
when
we
implement
this
proposal,
a
docker
image
does
not
have
a
specific
code
owner.
Maybe
we
do
mark
it
as
not
market?
We
actually
demote
it
back
from
the
jenkins
org
to
the
jenkins
for
eval
org.
A
B
Yeah,
so
the
id
the
idea
would
be
we.
We
have
a
set
of
specific
images
that
are
official
images.
Those
are
the
ones
that
daniel
would
have
to
care
about
when
doing
a
security
release,
so
we'd
want
to
keep
it
fairly
small,
and
then
we
have
other
ones
that
are
unofficial.
That
are,
you
know,
whatever
anyone
wants
to
put
in
there
right.
E
E
As
long
as
we
tell
people
upfront
what
is
properly
integrated
into
our
release
process
and
what
is
not
what
we
care
about
and
what
we
don't-
and
I
think
that's
that
gives
users
or
that
gives
admins
the
necessary
information
to
judge
for
themselves
whether
they
really
want
to
operate
jenkins.
Out
of,
I
don't
know,
they're
some
weird
distribution
like
sender,
six
or
whatever,
when
there
may
not
be
any
security
updates
afterwards,
that
that
makes
sense.
Okay,
thank
you.
Yeah.
A
All
right,
so
thanks
very
much
the
already
the
insights
of
I
had.
I
had
not
considered
the
security
implications
of
this
jet
so
daniel
thanks
very
much
for
your
insights
here.
I
will
certainly
cop
you
on
the
link
to
this
and
and
get
further
involvement.
This
is
very
much
in
a
draft
state
right
now.
I
intend
to
keep
working
it
trying
to
look
at
various
compromises
and
alternatives
that
are
hiding
the
impact
of
proposals
that
are
happening
in
each
of
these.
A
So
the
the
up
for
adoption
proposal
versus
the
become
become
an
unofficial
image
and
I
think
the
place
I'm
supposed
to
put
that
is
in
the
motivation
section
or
there's
another
section
that
describes
about
alternatives
and
why
they
were
not
selected.
So
I'll
continue
working
that
through
the
jet
process.
E
And
only
the
less
popular
plugins
typically
are
supported.
However,
their
maintainers
wish
to
support
them,
which
is
a
very
wide
range
and
for
the
docker
images,
since
cloudbees
products
are
packaged
independently,
it
is
purely
community
support
in
a
way,
so
we
try
to
get
stuff
fixed
there,
but
there
is
not
really
this
corporate
entity
that
directly
supports
it,
and
so
this
is
sort
of
this
weird
situation
here
and
also
why
it
this
problem
feels
like
it
should
have
come
up
in
the
past,
but
in
a
way
it
didn't.
A
Right
well,
and
I
think
your
example
of
cloud
bees
probably
also
applies
to
red
hat
right
in
their
open
shift
distribution.
Don't
they
deliver
a
jenkins
component,
which
is
probably
docker
image
based?
So
it's
it's
even
not
it's
the
same
same
class
of
challenge
there,
where
we've
got
the
community
is,
doesn't
have
at
its
at
its
foundation
or
at
its
base.
E
E
I
don't
know
whether
he
was
working
with
openshift
folks,
but
they
have
never
directly
engaged
with
us
and
right
now.
We
now
have
nobody
from
red
hat
on
the
security
team,
so
they
are
probably
just
downstream
consumers
of
what
we
deliver,
but
if
they
consume
basically
the
war
and
the
plug-ins,
then
they
benefit
from
the
security
fixes
we
deliver
there
and
if
they
do
their
own
images
and
tooling
around
it,
they
are
independent
of
what
we
deliver
in
terms
of
docker
images
right,
okay,.
A
A
A
A
Oh
yeah,
actually,
okay,
one
minute
highlight
amazon,
has
rolled
out
their
their
next.
It's
they
call
it
graviton
2.
I
think
servers
are
now
available
and
they've
got
a
promotional
period
going
on
where
they're
giving
a
deal
on
lower
cost.
If
you
use
one
of
those
new
arm,
64
servers
that
they've
created.
A
For
lower
cost,
I've
been
running
one
now
for
in
a
spot
instance
for
a
week
or
so
attached
to
my
ci.
Server
works
great,
so
so
just
be
aware
that
a
newer
armed
servers
are
coming
online
and
we
may,
for
instance,
gareth
you
and
I
had
talked
possibly
about
lts
release
candidate
x,
test
execution,
and
these
graviton
servers
might
actually
be
quite
interesting
as
a
way
to
run
lts
release
candidate
tests
instead
of
running
them
on
intel.
A
They
are
apparently
about
40,
cheaper
price
performance
wise,
so
just
just
for
consider
for
the
future,
not
not
anything.
We
need
to
take
action
on
immediately
just
be
aware
that
amazon
has
rolled
out
even
better
arm-based
servers
now
cool.
I
have
to
look
at
those
yeah.
I
was
really
impressed
and
they
they
offer
offer
a
a
discount
right
now
for
using
them.
It's
like
well
gee.
There
makes
them
really
low
cost.