Yeah, so recording is on, so welcome everybody. Let's start this new Jenkins infrastructure weekly. So there are multiple things that a few people would like to bring here. But before we start, I just want to highlight the fact that I enabled DMARC for emails on jenkins.io and jenkins-ci.org. So basically DMARC, I mean, I have no idea how to pronounce that in English, but basically it's the two. It's a new feature on the mail. So you can enable SPF on your email, you can enable DKIM on your emails, and basically if those checks are failing, it sends a report to a specific email address. So for example, if you try to send an email and you just specify the From header jenkins-ci.org and you're sending that email from a non-authorized IP address, it just blocks your email and sends me a report saying that you tried to send an email even if you are not supposed to do so. The good thing... no, not necessarily a good thing, but the interesting thing is I'm receiving a lot of reports saying that a lot of people try to send emails on behalf of the Jenkins project. But on the other side, we also have false positives, or, yeah, specific configuration that you have to update. So right now every email should be sent via SendGrid, so I'm configuring each service to use the SendGrid API. But yeah, it's something that we can still see in the coming weeks, like if you send an email and it does not arrive. Yeah, don't feel free to open an issue there. So that's the most important one.

Yeah, just a question. You mean sending emails from, say, jenkins.io and other services?

Yeah, so basically if you send an email and you specify the From header jenkins-ci.org. So let's say that you send an email and just said No reply at jenkins-ci.org, whatever. So that email can be sent, for example, from Jira. It can be sent from some machines. It depends. Normally we don't use that a lot.
I mean, we basically don't use that because mailing lists are using Google Groups. So yeah, that's why I was surprised to see so many emails sent on behalf of the Jenkins project. It's still not clear how to publish and how to use those reports, because basically I just receive, each time someone tries to send an email, a report with an attachment that contains a zip file. Then I have to, I mean, I have to unzip the attachment, and then I have a beautiful XML file. So yeah, it's not really clear right now the best way to use those reports, but, um, yeah. That's why it's going to be hard to detect if we are rejecting real emails that should be sent.

Yeah, so basically it doesn't save us from somebody else sending some mail. For example, if I, as a malicious attacker, send a phishing campaign using whatever admin of jenkins.io, if it doesn't go through our service, we don't capture it, right?

No, sorry, that's the purpose of that. That's the purpose of this. So the idea is just to be sure that nobody is allowed to send an email saying coming from Jenkins that are your project on Jenkins. So basically for that it uses two checks. Um, SPF: so the SPF is just, um, something that you specify in your DNS records. It's just, um, DNS records of type TXT. And so basically inside that you just say either you can send email from a domain or from a specific IP. So this information is public. I can give you the read the check after that. And DKIM is something used to encrypt the email, so just to verify that the email was really sent from that specific source. And so this is an additional protection, basically.

Okay. Thank you.

Okay, second topic: the GitHub project. So basically, Oleg, you asked on IRC to enable GitHub projects specifically for the jenkins.io website. Do you want to, I mean, tell a bit more about this?
Yeah, so the context is that we are preparing for the UI/UX hackathon. And since we agreed that we would rather like to use GitHub issues for this project, we need to somehow group these issues, and for grouping we have three main ways: labeling, milestones and GitHub projects. So now we have access to milestones and labels, but it would be great to also have the ability to create projects so that we can have dashboards and other cool things available.

Um, so yeah, specific. So basically what I did is I enabled GitHub projects on the jenkins-infra organization. Also enabled it for the jenkins.io website. Um, I think for a specific project like this, I mean, it could make sense to use it. But, um, I think this is something that you really have to pay attention to for the whole organization, because if we start using it for every Git repository, it will really become a mess very quickly.

I think we need it maybe for plugin site and other repositories in the future. No strong opinion, but definitely not or quite.

Okay, so and if we want to do it, um... Or quite maybe, it could make some sense as well. But yeah, this is something that should be discussed. Let me... yeah, but otherwise, here in this case, I think it would be a nice next project to just experiment, see how it be.
I mean, how it works, and if it simplifies the process to manage the project.

So, if you use GitHub projects, uh, for some components, for example Configuration as Code plugin, also some development tools now like Custom WAR Packager, Jenkinsfile Runner. And some Google Summer of Code projects chose to use GitHub issues. It's really convenient for standalone components. For components which are tightly integrated in the Jenkins system and have cross dependencies on Jenkins Jira, it's a bit more complicated, but doable.

Yeah, for example, jenkins.io is de facto isolated because we use the website in the Jenkins GitHub, so it's already supposed to be isolated.

Okay, yep. So, yeah, otherwise, yeah, it's enabled. Um, next topic that Mark wants to bring here, which is about ci.jenkins.io stability. Do you want to...?

Yesterday we had what appeared to be an outage on the ACI allocation of Windows ACI agents. Uh, we resolved the outage by working around it, by assigning the wrong label to the EC2 Windows agent, so it looked like it was an ACI agent, and it seemed to resolve the bigger picture problem that people weren't getting their processes executed. What we don't know is how to get Windows to allocate those, or how Azure to allocate those ACI agents. It appeared from the message that Tim was able to find on the Azure console as though the zone was refusing to allocate new ACI items. But I'm not entirely sure, because I'm not familiar with that allocation message.

Was it a limitation on the number of deployments?

No, no, it wasn't. It was a limit... they said they didn't have the capacity in East US 2. So it wasn't a quota limit. It was a hard limit on the region.

Yeah, but here, I mean, it specifically mentioned the zone, right? US, it was east, east west something.

That's a special region. So it's not like a zone. It's an actual region.

Okay, it's a different data center.
I think. Okay. That's right.

Yeah, I can have a look after the meeting. I mean, I have to dig in the console to see what's happening there.

Okay, so in the interim we're using the workaround. Just for your info, um, Olivier, the EC2 Windows agent is mislabeled, and it's intentionally mislabeled with the maven-windows label, and once we get Windows ACI agents allocating again, we should remove that label from the EC2 Windows agent.

But just to be sure, it was working before, right? Do you have an idea, it was working several days ago?

Absolutely. The failure to allocate began yesterday. It was about 28 or 29 hours ago.

Okay. Um, yeah, right. I'll look after the meeting. Um, the next topic that I want to mention is...

I started word three. I just can say it's still happening. I just pasted the error in jenkins-infra.

Thank you. Okay. So it's fresh there, so that Olivier has got fresh information to read if he needs it. Thanks, Tim.

Yep, I'll look right after the meeting. Um, so yeah, anything else about this specific outage? Okay, right. Um, are we still affected by the Windows, by the Amazon instances being disconnected after a while?

Yes, very, very frequently, and the workaround is I reconnect them with the connect button. And I like Oleg's comment that in June we'll spend additional energy after we get the release, or as we get core release automation further along.

Okay. You can write a script that automatically connects any disconnected agents.

Yeah, this sounds like a really stupid idea, because it will work and then we will forget about that, and then we discover that issue in one year. Anyway, um, okay, right.

So next topic, what you mentioned about automated release. I started working on promoting artifacts, so basically on the different promotions. So we have two things that we have to promote. Especially it's important for the security releases.
The first one is to promote the Git repository. So basically to promote any commits from the private repository used by the security team to the public, um, repository, so to jenkinsci/jenkins. And the second thing that we also have to promote is the Maven artifacts that we pushed basically on Artifactory. And so there is an open PR right now where it's mainly Daniel and I discussing about the best way to promote. So Daniel would prefer the approach where you just copy every file under a specific repository to the production one. And so we have to be sure that the source repository only contains what we want to copy. Where, uh, personally, I would prefer to have the possibility to move items based on the specific version. Let's say that we want to move every artifact related to the version, to the 2302 for example. But the limitation here is that I'm not sure how to know which group ID we can use. So for example, you have org dot main dot jenkins-ci dot, for example, jenkins-war. Or you have the pom, you have the CLI, and I'm not sure, um, if there is a way to retrieve that information. I don't know if you have an opinion. And I'm not sure, I mean, I don't know if I was clear enough here.

It was like, nope, I'm not understanding. And my general tendency is, on things security related, when Daniel makes a suggestion, I consider that almost a biblical mandate, kids. So I'm curious about your preference for something else. So teach us more.

So, um, let me show my screen. Maybe it will be more of use.

Um, sure.

Oh. No, how do I show from here?

Showing your screen? Yeah, application.

Can you see my screen?

Yeah.

So I'm highlighting a few things. So basically when we trigger, when we push a new Jenkins release, we push multiple artifacts on the Artifactory.
So we push, um, uh, WAR file, I mean, we push items under org/jenkins-ci/main/cli. We push items under jenkins-bom. We push items under jenkins-core. And basically what we want to promote from one version to another is, we want to promote, for example, this specific item, org/jenkins-ci/main/jenkins-core, that specific version, to the release Maven repository. So to the one that people really have access to and download that information from. And so basically what Daniel is suggesting is to not copy those specific items individually, but really to copy the full repository from a source to the destination. But, um, this implies that the source destination only contains information for that specific release, because the risk is if in the source repository we have this specific version but we also have, um, a few other versions, or testing versions or whatever, it will also move those specific versions into the production one. So the solution that, um, Daniel is proposing, it seems like you move everything, but you have to be sure that you only have the content that you want on the source repository. Where, um, what I would like to do is to find a way to know what we need to move from a source to a destination.

But knowing how Daniel develops, how he has to stay tightly sandboxed in that location where he's developing, I thought they were quite rigorous in being sure that the only things they allowed in that sandbox were things that they intended to be part of that.

Yes, which, in the case of the security release... But, um, the reason why I was interested to have a specific version is because we could also use that for the weekly version, for example. Because in this case we could have a staging Maven repository where we pushed versions, and then once we are ready we can promote that specific version into production. And so we are not public until we decide that we go public.
So that's my main motivation. Um, so we could take the shortcut of Daniel, and in that case it only works for security, but then we only use promotion for security, basically.

I see. Yeah, and I don't have a compelling case for using promotion outside of security, but I think I understand why Daniel has to have it for security.

Okay, so I guess I'll continue the discussion with Daniel on that specific PR. Stop sharing. Um, yeah, otherwise the last topic that I want to mention is that we are still working with KK and the CDF to transfer the Azure accounts to the CDF, basically. It's still a work in progress. What we did recently is we transferred the account from Tyler to me, so it could be easier to have, I mean, to remove one intermediary in this case, because, yeah, it's quite hard to have Tyler, KK, and then at the same time on the same... the thing. But yeah, it's still work in progress, basically. Otherwise, yeah, anything else that we want to discuss?

Yes. Yeah, so regarding intermediate state, uh, we have a billing period coming in one week, if I recall correctly. Uh, it's in one week.

Yeah, why we can now.

Yeah, so if we do not finish the transfer by that time, what is our plan B?

The plan B is KK pays the bill like he did previously.

So it's KK's credit card, not yours, on the hook?

So right now it's mine, because I had to put mine for the transfer. Um, I did that on Friday, but, um, I have to switch back to KK because my credit card will not be able to pay the bill anyway. So it was something temporary. Like, um, I also used Mark Waite's phone because I needed a US phone number to send the validation code. But yeah, this is something that I really would like to see finished before the next bill arrives.

That's right.
So if we have just a few days left, there's a just renewable emergency or plan, whether it's KK or not.

Yep.

Well, and Olivier, if you need it, my card could actually survive one month worth of that bill. So if KK says no, it's not coming back to me, I could do it temporarily. Somebody's got to pay me. I mean, that's a big chunk of money, but my credit card could survive it for one.

Yeah, but yeah, I mean, the only thing that we need now is some information, some input from the CDF. Um, so I think we are almost there.

Okay. I did one other item on Azure costs. We have through end of May to do Azure costs above the 10k goal. But is it beginning June one that we need to be down to under 10k for our Azure costs, or is it end of June?

I think it's end of June.

Okay.

I think it's end of June. Um, we still have some work to do there. The biggest cost that we have right now is, um, about pkg.jenkins.io, because, so basically right now pkg.jenkins.io fetches the artifacts from Azure instead of fetching those artifacts from the mirrors. Um, this is something that was put in place several years ago, and, um, basically we have to disable that because we are paying bandwidth on Azure for this. And, I mean, we don't need it. The main limitation that I have now, and that is something that I have to work on, is, in order to use the mirrors, mirrors need to be able to work on HTTPS. So even if we are not redirected to... I mean, yeah, we need to be able to work on HTTPS for the mirrors if I want to be able to get rid of the Azure storage for pkg.jenkins.io. And so this will reduce the bill a lot.

Okay, um, right, um, last question? One time, two times, three times. So if you don't have any more questions, uh, thanks for your time and see you on IRC.

Yeah, might be a one question. Uh, do you have access to the developer mailing list? I mean admin access.

Um, that's a good question.
I think I don't have... Um, I can check. Um, I know that I have some access, but I'm not sure if I have full admin access.

Yeah, so that's why I'm asking. Uh, Google has recently introduced a new feature for Google Groups, uh, allowing to mark particular threads as completed.

Okay, yeah.

As we manage permission transfers etc., uh, through the mailing list, it would be useful to have this feature enabled in general on the mailing list.

Let me... yep, I'll check if I have full access. Otherwise, I'm pretty sure Daniel does.

Yeah, Oleg, I think I may have admin access to the Jenkins developers... Maybe. Well, I have a... oh, okay. I'm not the owner so I can't delete the group, but I can group email into threads based on subject. I can archive messages.

Can you manage user permissions?

Uh, permissions, okay, basic permissions. Who can join. Yeah, so, tell me again, what was the feature that you were looking for, Oleg?

It was, uh, so it should be possible to allow marking threads as completed or answered. Yeah, so if you have permissions, we can just take it offline and handle it later.

I am not sure that I do, but it seems that I may have permissions to... Yeah, I can't, I don't find that particular setting.

Me neither, but I can check.

Okay, yep, so any other last question? One time, two times, three times. Thanks for your time. Have a good day. Bye. Bye.