Welcome everyone. It's the 31st of March 2023. This is documentation office hours. Topics on the agenda: Jenkins Awards voting, roadmap updates, PGP signing key, Windows MSI signing certificate, and possibly two more items on end-of-life items. Any other topics you want to add? Chris, anything you want to add? We probably won't have time, because I've been wanting to talk about... you talk a little bit. Well, let's put it on the list, and let's put it at the top of the list, because all the other topics I think could easily wait a week. Okay. What about Season of Docs, are we doing that too? Good, let's put that one ahead of it; that way we're clear on it. Yeah, because some of the docs... Good. Okay. Any other topics you want to add? All right, then let's go through them. So Jenkins Awards: the voting period ended; results will be announced at cdCon, May 8, Vancouver, Washington... not Vancouver, Washington, sorry, Vancouver, Canada. Yeah, British Columbia, right. Vancouver BC. Yep, that's correct. Season of Docs: the Jenkins project won't participate, not participating this year. We're full focus on Google Summer of Code. Okay. Google Summer of Code, okay, Chris, what topics? Google Summer of Code, so we may want to talk about, like, let me think, because I... We have, I think, let me check it, because we have almost all the draft proposals received. And I'm not expecting any more, because I think we have in total 37, but the developed ones are numbered at 28. So currently I can see most mentors have already reviewed at least two or three. And we're going to do a bit better, but I'm not sure if you have the time, because I think this year we've been with a lot of proposals. Yeah, so mine, my reviews have been damaged by work, so I'll be reviewing this weekend.
Okay, and if they don't take my feedback, that's perfectly fine as well; it's just that it's not worked for me to do the reviews. I sincerely apologize, but that's how it's been. It's just been... well, code signing certificates etc. had to get my highest priority. Yeah. Actually, I'll say it this way: reviewing more this weekend, because I've reviewed at least three of them, but yeah, I certainly haven't reviewed 30 of them. Okay. Do you have any idea how many we're going to be able to do? So Jean-Marc today said he thinks that we'll likely be able to do four projects. Yeah. What we've done this year, Meg, is we've set a different standard, and I like the standard very much. We specifically want a designated lead mentor for each project. Yeah, that lead mentor has strong experience, has permissions to the repositories, etc. And we want three-plus mentors in total for each project. Yeah, that way we've got... and Chris, my sense is we've got the depth to do both those things for up to four projects. Yeah, thanks for currently here. We've had really, really strong participation from several of these candidates to be the additional mentors rather than lead mentor. For lead mentor we've got me, Chris, Adrien... who else? Jean-Marc, Bruno Verachten, and possibly... so it's looking quite promising. Okay, excellent. So, go ahead, Chris: we start reviewing on the fourth, you see. Right. Is it, I think it is April, April 4 is at the end, and then we immediately get access, or do we actually get access on the fifth? Why, you should get access now, as they come in. Okay, all right. But we want to wait until, like, it's been settled. Okay, so current proposals are already visible to mentors. Yeah. Oh, good. Okay. On the GSoC site. And then candidates can upload replacement versions of their proposal through April 4, right? Yep. Good. Okay. So this is the end. So yeah, right. So next week the door closes.
Yeah, they should all have been reviewed by their mentors now and gotten some feedback, right? Well, no, it's okay. So this is... we're in the draft phase now, right? So they're able to refine and improve things based on our feedback. After April 4, those things are frozen and we start the ranking, the prioritization, the assembling of our proposed mentoring teams, that will then be submitted to Google in, what is it, two weeks or three weeks after the start, Chris? I don't remember the exact timeline. Yeah, but it's about that time. Yeah. Yeah. Any other points on that topic, Chris? I think, um, we haven't been hearing a lot from some of the mentors. So I'm not sure about how available they will be during the mentoring phase. Okay. I see some are quite active, but not everyone has been. What you're saying, I think, is there are indications that some of the mentors won't be available. Are not available, or may not be available. Not really sure, but they don't realize what they should be doing now. Yeah, and I think Jean-Marc's been pretty clear with them, but there is certainly that risk, right. What is Jean-Marc's role? He's been acting as the head of the organization, of the team. All right. So it's in good hands. Yeah. Well, and Google certainly doesn't require three mentors for each project, right; that's our request, so that we don't risk burning out a mentor. Yeah. And if somebody, you know, it's a long theory, you can lose people along the way. Yeah, for one reason or another, so you've got a little depth. Any other points there? So the review tracking is happening in the worksheet, in the public worksheet, right? You have a link to it? I'm pretty sure I do. I've had it before. And then, go ahead. I think that too is a yes, in case. Oh good, thank you. Okay. Okay, sure. Copy link on this one.
Okay, let me see if I'm... otherwise, but good. Draft proposal tracking. I'm going to open that in a new window and move the window out, just in case this is the one that's private. Oh no, don't worry. Oh good. Okay. Very good. Oh yep, that is all right, so here we go. Okay, so, very good. Anything else on Google Summer of Code? Um, let me think. I can talk about other things, but for now I think I can tell that some of the proposals are quite promising, but it depends on the final submissions too, because I think this year in particular many, many are deciding to submit the proposals late to Google. So we haven't... I haven't seen most proposals, like the full draft version, on the portal yet. Okay, so there are still many more Google Docs drafts than there are PDF files in the Google portal. Yeah. But we do have the email addresses of the candidates, right. So we can certainly send a reminder to them to post their draft, their PDF files, to the Google portal. It would be a sad thing for them to have done the work of creating it and then miss the submission deadline. Yeah, sure. Anything else? Don't think so. Okay, so I'd propose we skip the roadmap updates topic, just because I'm not really ready for a working session. The idea there was that we've got this page on jenkins.io; it needs to be updated. So we go about the roadmap and a number of the topics. For instance, let's pick "Improve Pipeline step doc generator." This was last year's Google Summer of Code project, so it's in the wrong location on the roadmap. It shows as future; it is in fact released. Okay. Then user interface rework is clearly in progress right now. And user guide improvements have been in progress for a while. So those kinds of things need to be updated. Remoting over WebSockets is done.
In production use in lots of places. So we've got a number of things like that that need to move around on this, so that they accurately show where we're at. Okay. Then this one I think is worth us having a conversation about, to hear, particularly Chris, if you've had any further feedback to offer; Meg, to be sure you're aware of it and have any things to suggest. So what happened is the 2.397 Jenkins weekly, okay, uses a new PGP signing key for the deb and the RPM files. That's because the old one has expired, and that's intentional, right; we don't want those keys to last forever. And so we've rotated them. However, it means that the LTS release, 2.387.1, is blocked, unless you change the install configuration. Okay, and the next thing is LTS release 2.387.2, on 5 April 2023, will resolve the issue. Okay. So what we got was, and certainly it's a fair question: hey, you mean the LTS is going to be blocked, is not going to be installable per default instructions for a week? And the answer is yes, that's correct. Now we could apply a change to the install instructions temporarily. At least to the Debian instructions. Yeah. I'm not sure that it's worth it. Given that really the change we would be making is a non-recommended change by the people who maintain Debian packages, I think it would be as likely to get us complaints as anything. So what we would do is change this text here. Instead of this `signed-by` string, it would say something as noted here, where it says `allow-unsigned=true` or some such thing, just a minute. And the problem with `allow-unsigned=true`... `allow-insecure=yes`. And that does work. I've confirmed it. It actually works. But the problem is, what it does is you still get this big warning message, "signatures are invalid." It just turns them into warnings instead of a hard error. Okay.
And so my thought was, I'm not sure it's worth changing the install documentation for a week. The assumption is that this is going to affect anyone who attempts to upgrade to 387.1 on a new install, and the only ones who would actually detect this are those who read the new install instructions. We don't have anything like this in the upgrade instructions. Yeah. Now 387.2 will have it in its upgrade guide; it will tell people to use the new key, and it just works. Okay. But if they do that, they do end up with an insecure system, right? They end up with one package installed that was not installed with a strong signature, right, from a signed package, so yes. Now it's only packages from this repository that are allowed to be done without the signature check. And so that means it's in this case only exactly one, Jenkins, but it is one. And with Jenkins you could do some damage. And what I'm thinking is, if I were a certain kind of person, I'd be scooting around the internet looking for this release of Jenkins, and systems that might give... I mean, it's, you know, it's going to be a known thing. And I'm also thinking that this is a workaround that should only be implemented by people who know what they're doing. They're not going to reread the installation instructions anyhow. Exactly, and this kind of thing, if you do it, should be removed as soon as possible. Right, so at most this is a six-day workaround. Right. Is there a notice someplace to people about the problem, some public...? There is, so there's a blog post here. Okay, so here's this blog post. There's an entry in the changelog here. That puts a big banner up that says, hey, a new key has been issued. There will be a changelog entry in the LTS changelog, and there will be an LTS upgrade guide for it. Yeah. Okay.
So yeah, and we tweeted about it, and we've done a Jenkins developer mailing list post about it, and a LinkedIn post about it. So yes, we've covered it, and the Hawaii police shouldn't be installing a new release the first week it comes out anyhow. Well, and see, at this point 2.387.1 has been out for three or four weeks already. Okay. So those of us who are adopters on the leading edge have already done it. Okay, yeah. So, yeah, I think it's under control; that sounds all good to me. Yeah. And Chris, have you seen any noise or confusion that justifies anything bigger than that, anything where you'd recommend something different? No, I wouldn't do that differently. Okay. Oh, I take it back, there is something we do need to do, now that I've thought of this. It's a perfect thing with you here, Chris; you're the release lead for 387.2, correct? So we need to approve and merge the changelog and upgrade guide. Are you okay if in these last few minutes we take the time to do that review and do the merge? I had reviewed it with Kevin, Kevin Martens, but I would really like to get it merged; we like to have it merged well before the release date. So that keeps the release lead's things about which they must worry less. Yeah. Okay, so here we have... Oh, okay, there's a reason we want to check it, because it failed to build. Now let's see why. Because, like, some issues before the weekend. Ah, here's what it is. Okay, this is infrastructure. So let's do an "update the branch"; this will cause it to build again. While it's building again, let's review it. Okay, so I had reviewed it once previously. Here is the banner for the change of the signing key, and a link to the blog post. Let's double-check that this link is the correct link by going here and testing it. It is good. Okay. Then here was a bug fix that was backported. Okay, here's a backport of another bug fix. This is a backport of the security fixes. Okay.
That were applied to some bundled plugins, and the message... okay, good. And then here is the changelog entry beginning with "Jenkins LTS 2.387.2 stable repositories will be signed with the same GPG key that signs the weekly repositories. Administrators of Linux systems must install the new signing keys on their Linux servers before installing Jenkins 2.387.2." Oh, okay. This is outdated. Good thing we reviewed it; bringing up the editor now to fix this. This has got a mistake in it that Basil Crow detected. Okay. And so let's go fix it. Oh, wrong one, jenkins.io. Okay, so we need this one, 6173. And now I need to find the reference content for that blog post, and it is... there we go. Okay, so we need this blog post. Right here. And we need content/_data/changelogs. Oh no, this is the upgrade guide, right: 387-2. Okay, good. The mistake I had made was I copied a three-year-old blog post and used its instructions. We have since updated the installation instructions. And these, in the right-hand window, are the modern installation instructions. Okay. We're going to use the better ones, and now we need to change this one text string here to debian-stable. Okay, that one's done. So curl, tee to the keyring. And then the deb line, which will then use that keyring and the Debian stable repository. Good. All right, now this one. Oh, and the Red Hat one only needs a minor change: it's redhat-stable. All right. Hey, any objections to that change, from either of you? Same key install in stable as weekly; a minor change to the repository name is the only difference. So we should see that change, and here it is, deep in Ubuntu. Okay, make run. Oops. And now bringing up our favorite web browser. So we want to look at /changelog-stable. Here it is: 2.387.2, adjust the WebSocket timeout, that bug report. And it opens the correct bug. Yep, this one opens the correct bug.
Opens the correct security advisory. And the other, whoops, let's see, was that one of 124? It was good, and this one opens the next one. Good. Okay. So then we look at the LTS upgrade guide, the one where I had to make a change. 387.2. Here's the new text. I think we're ready. Any objections from the two of you for me to mark it ready to merge? No, no. Let's do a refresh. Oh, maybe I haven't pushed yet. It would help if I pushed. Yes. Okay, now refresh. Here's the new text. We're going to review the changes: approved. Ready to go. And I'm going to enable auto-merge. Okay. All right, thanks. So done. Done and done. I've hit pretty much the time where I need to pause. If you're interested, I can give you a two-minute summary of this last one and then we would end. Okay. Go for it. I haven't heard about this. Okay. And this one probably matters to Chris as well. So, in addition to the PGP signature expiring, which we renewed ourselves, the code signing certificate that we use to sign the Windows MSI installer has also now expired. And we started the renewal process about a month or a month and a half ago. It turns out that lawyers had to be involved. And the process is not yet complete. So I'm not 100% sure of the impact on the 2.387.2 release. So let me talk to what that means, because it also signs the jar file. Okay. Right. So the jar file won't be signed. And that's relatively low impact. Most people don't expect to get signed jar files, and hardly anyone that I know of checks whether they're signed or not. Yeah, low impact, low risk. Right. The MSI installer won't be signed. And that's high impact. Yeah, because Windows users won't install an unsigned jar. Exactly. Or, excuse me, an unsigned MSI. Yeah, and they probably shouldn't; Windows is a risky enough platform that you don't want to run an unauthenticated installer. So one of the proposals, and I'll be sending this...
I'll send it actually to you, Chris, too. I'll send it to the Jenkins board, and to Wadeck Follonier, the security officer, and to Damien Duportal, the infrastructure officer, proposing to not generate an MSI with 2.387.2. And I think it's worse to deliver an unsigned one than to not deliver one. Users that want to upgrade Windows to 2.387.2 install an earlier version, 2.387.1, and then upgrade the war file. So I don't think the impact is huge, so long as we intentionally do not deliver that thing until we have... And what that would mean is we would test-drive that non-delivery of the MSI with the 2.398 weekly next Tuesday. Right, so we confirm that it works the way we expect, that we were able to successfully disable the MSI and it didn't break everything, and then we use what we learned from that to be sure it's successful on Wednesday when we deliver LTS. Yeah. Any inputs you want to give there, Chris? What do you think? I think there's a good way to do the issue at the moment. I guess, like, never know how it takes. Okay, good. All right, so I will. Now, in terms of how to document it: so the weekly changelog will get an entry, right, get a banner: the MSI installer is not available. We probably need a blog post explaining why the MSI installer is not updated. As far as I can tell, when an MSI installer's signature expires, there is nothing shown to the Windows user to hint at that. We've got old, old, old MSI installers. I brought one up, like 1.612 or something, and it opened on my Windows computer just fine, even though its certificate long ago expired. So it must be tied to the software, not to the calendar. Well, it's more that they've understood that the act of signing an installer is a validating act, and it doesn't become invalid because the certificate that signed it has reached its end of life. It was still validly signed when it was signed. Yeah.
So I think I'd propose that we not modify the install documents themselves, just because I hope this won't be a long-term thing. So is there any notification out there for people, or if they get burned, they'll find it out? Well, they will be notified, so let's say what they would do is they pick... Actually, there's one thing we would need to check: that the download site is not broken by the non-delivery of the 2.387.2 Windows download, or the Windows download page, I should say, the 2.387.2 MSI, right. And we'll have to explore to be sure: are there other things we should put on the checklist? Reasonable so far. Yep. Okay. Great, and I probably won't send that message until tomorrow, Chris; I'm just tired today. So 12 to 14 hours from now you should plan to see a message. Okay, cool. Yeah. Any other topics for today's session? No, sleep tight. All right. Thanks, everybody. Nice to see everybody; have a good week. Bye.