 Welcome all. This is the 24th of July 2023. This is the Jenkins governance meeting topics I've got on the list include news report on action items. Then Jenkins board and officer elections in 2023 and community activity including several items there. Bandwidth reduction prototype JS HTML unit three any other topics that need to go on the agenda today. Okay, then let's go ahead with the news items. Thanks. We're looking forward to the release Wednesday of 2.401.3 it will be a security release as announced in the advisory's mailing list. It means the weekly will also be a security release. And to make that job easier right now mergers or mergers are paused to the master branch of Jenkins core. Alex, did I get that correct. Yes. Okay, great. 2.414 release now almost two weeks ago has has been chosen as the baseline for the long term support release. And release candidate do August 9 with final release August 23. We know that back porting of the security advisory will be needed. My keyboard is no longer active. Oh, that's why. Got it. Just a moment. Sorry, I'm not sure what reload fine. Okay. Any comments or other things on the action on the news. Okay, action items then. We had one archive the governance dock governance meeting notes. So that archive has been completed but Alex has suggested as a topic for discussion discussion today. Should we consider a switch to using hack MD and retire this long Google Doc. As it's as it is. Go ahead. Mark did just a great presentation why I'm not a big fan of the Google Doc. If it loads it takes years at least for me to load the I think 200 pages we have at the moment. The idea to use would be hack MD that's the same the infoteam uses low and features like pushing directly to the to their repository. And we could configure it to push with the governance repository and retire the Google Doc totally to simplify the workflow but if given it's marked who does take the notes. I think it would be up to you to, if you want to use that or not. Yeah, I've found hack MD to be more difficult for me at least during note taking. But I'm, I'm open to it. It's, it's easy enough to truncate this document or to create a new one so that we don't have a very long document like we do right now. I'm hesitant to go to hack MD unless others find compelling reasons just because I find it more difficult to to watch and view the note taking from hack MD than from then from a Google Doc comments from others. Do you feel feel like, hey, that would be an improvement. How about the following. Yeah, we could gain a little bit on the speed of course, but for the ease of use. Also use hack MD and frankly, I'm struggling more with hack MD that I'm struggling with Google Docs. But I'm struggling also with course, you know, as long as soon as you want to change, you know, the zoom ratio, for example, you lose some of the command and so on. It's not that good of thing, but maybe I'm not investing enough time into hack MD to manage to do it. I saw Damian week after week entering text into the hack MD document without suffering. I guess so that can be done, but I guess it depends on the person and as you are the final user entering documentation mark. I guess it's up to you. Okay. So how about the following then as a proposal. Let's test drive next week next meeting on hack MD just to see because that way we can we can watch it and see. And if it's if it's a workable experience, great. Would that work for you Alex. Yeah, sounds good to me. I think I dropped the link of the workspace I created for demo purposes a bit above yes right there. And I don't think I've got access to that workspace but I assume I can request that access and we'll test drive it. But you know when somebody is trying to modify the command while taking notes you have to interrupt your flow in order to accept if the people are not yet part of the document editing you know on Google Docs. Right there I made a modification earlier in the meeting and you would have to click. Okay. If you know earlier up or upper in the document. And you know it kind of breaks the flow of editing because you have to accept modifications supplied by the other users in hack MD. As long as you've got the link and you are signing I guess you can edit without the real author to accept your modifications so that could be a plus for I can do maybe. Yeah, we've, and one of the one of the things we dreamt of years ago from Google Docs was non non editors being able to make useful contributions but the reality has been just doesn't happen. So there's there's no no value to something that never happens. Good. Let's try hack MD next in two weeks and we'll see how it goes. Okay, anything, any other on hack MD before we go to the next topic. Okay, so the next one is a retrospective on the signing certificate renewal process I've not made progress in the last two weeks on this one. I've got some notes in the in the retrospective but it needs many more there's a detailed list of timeline for MSI and timeline for Linux. And already in the timeline there are some points of oh wow that was a mistake it shouldn't have happened so late. Just the start of this timeline is dismayingly late. And so, so there, there are things to improve there that already are obvious just by creating the timeline. I'll do more work on that over the course of the next two weeks and have a good report for next next meeting on well inviting others to give contribute their ideas on ways to improve the process. Next one was pull request to convert us from sub projects and six to working groups. No, no progress there. Next topic then was Jenkins board and officer elections I'd like to get us started early on this one. Last year we were a little late getting started on it so it's we're now in July about to enter August. In November, we would run the elections, so that their results can be announced in December and new officers and new board members can take, take up those possession positions. Last year we had Damian to portal run it. Because, well, because the info officer and typically run it this year I'd propose, since neither Alex nor I are up for election this year let's have the two of us run it. Other than Damian who is up for election. Alex would you be willing to join me in this. Yeah, sounds good to me. I mean the process is not that complicated it's largely a communication process and a gathering and inviting and encouraging process. So I'll put that into our action items and sorry, we're not hearing you. Did you have a comment. Well we'll look to look for when he's back and see if he has additional additional concerns there or proposals we need to discuss. Okay, next topics then we're on relative to community activity. The Artifactory bandwidth reduction project is has been an info project for many months. What happened was, we'd, we've detected that some abusers had been misusing Jenkins repo dot Jenkins CI dot org bandwidth to the point where we were able to block one IP address and save 20 terabytes a month. But JFrog has asked for further reductions, and their next recommendation is please password protect the mirrors, like Maven central and J get and others that we use to mirror other repositories. With that proposal. I was worried. Hey, it could be breaking for lots of uses of Jenkins casual developers, because it would require authentication in order to access those mirrors. There is now a proposal out for a limited approach to that to password protect our cache of Maven central and rely on the defaults that Maven provides to always be willing to pull from Maven central without having to list it as a repository. I've scheduled a session to talk with the security team in the infra team on Wednesday about the topic with this idea to see if we can get agreement that it makes sense to to immediately stop mirroring Maven central as a public repository, and then we can revisit whether we should mirror the others that data results show that Maven central is about 75 or 80% of the volume that we do compared to what Jenkins releases are so there's a chance that this will be enough for Jay frog to say hey good enough you don't have to password protect others. If we have to password protect others than Maven central. It's more complicated because then we must change palm files. Questions or comments on the bandwidth reduction project. Okay next topic then was prototype JS. Can you take us through this one. Not particularly. Okay, all right, no problem. So I'm happy to give my description of it, it is that we're, we're seeing progress, the tracking sheet shows that progress. The credentials plug in. And I thought I had seen this one actually now released. So maybe I'm mistaken there but there was the two. Part two off. Thank you, muscle. Okay. So declarative pipeline that two weeks ago had not yet released has now released. And the, the blue ocean pull request has been merged but not yet released. So we're seeing, seeing further progress. One of the concerns that that for me is worth worth a little bit of worry is that some of the company maintained plugins that are relatively high on the list. They are not things that we can test. And in order to implement these we really owe it to ourselves to test the implementation interactively. The Artifactory plug in the fortify plug in co verity the x-ray plug in for Jira and Q test are all examples of plugins that look to be owned by companies and or owned by is the wrong way to say it maintained by companies and needing special services in order to test them to verify them. So my sense right now is we may need to may need to ask them to make special requests to those maintainers to ask them to implement the changes comments or concerns there. Okay. Thank you to Rahul for implementing the prototype fixes for get parameter and active choices because both of those were difficult PRs to file, and they've both been released now. Oh, okay, so active choices has been released. Good. Great. Thank you Rahul. Thanks very much. And I'll tell us on prototype JS. Next topic then was HTML unit three upgrades and there. It, it looks like it's continuing, although the pace is not as as rapid as with prototype JS. I'm not, I'm not overly concerned by it in that it's testing upgrades not upgrades in core function or in functionality that's visible to end users. The tracking sheet shows this. And before we get to read other than the Chinese the Chinese localization plug in. We're all the way down into the 20,000 installations. Any concerns there or items of worry. Last item is just a reminder that the midterm evaluations are complete for Google summer of code projects, continuing we've got about another four or five weeks before the end of the projects. Any other topics we need to bring to the meeting only you had a comment earlier possibly on the elections was there a concern there. Yes. It's my microphone or right now working great. From the board document it looks like Alex and I were elected last year. That means that the other three people are up for real. Oh, so I've, oh my mistake I've been I was not elected last year I thought I was okay. No, from the link you are your time is up for a reelection this year I think. Okay. So then that I think it then doesn't make sense for me to lead it. Would it be okay Alex if we had you and really lead it. Yeah, I think I will help with Alex to get this done. Great. Excellent. Thank you. Thanks very much thanks for correcting detecting that mistake. Thank you. Thank you. Any other corrections we need to make or updates. Let's, let's call it a meeting for today then thanks very much for your time. Maybe one thing after the record. You bet.