Welcome everyone to the Platform Special Interest Group. It's the 26th of March. Thanks for being here. So proposed agenda items: talk about open action items; open container labeling for our Docker images was a topic that we'd wanted to discuss in, oh, I should put one in here, which is summary of the containers and platforms track from the contributor summit. And that would be me and Cara, and Gareth I think. Okay, then open container labeling for our Docker images proposal. We had coordinating proposed Docker changes. I think that's probably still worth a topic of conversation, isn't it? Any other topics that you'd like to be sure we get on the agenda? All right. Oh, I take back, I have one, yes I have one, which is the She Code Africa April event, the April Contributhon. And I wanted to talk about that briefly. Anything else? All right. So, first action, and the JEP on Docker operating system support: it was discussed in depth during the contributor summit. And we've got agreement that the techniques we're proposing match and it justifies a JEP, so they had good feedback from Daniel Beck and from others on the topic. So I'm not sure about this, what about this, how will you display it. Suggestion from Daniel was that we might consider a way of using an administrative monitor to alert people when the Docker image they're using is now up for adoption. So I don't know how to do that, but I know that there are plenty of examples of administrative monitors that show information like that. And so I think it's a good candidate to include in the JEP. Any questions there? Okay. So I have a blog post on plugin installation manager and update center. Gareth and I were having this conversation, I think just yesterday, and I tend to agree now that we need more and we need to inform people about what's available in plugin installation manager, just how powerful it is. Gareth was there.
I think you had learned of a specific feature that was, oh, nice to realize, but because we don't have active documentation for it on www.jenkins.io it wasn't immediately obvious that that feature was there. Yeah, I built the UC tool, because I was unable to update plugin text files with the latest plugins matching Jenkins version. So it's actually functionality that plugin installation manager supports. We just didn't know about it. Yeah, so for me I think that's a good excuse for us to consider this as a blog over the course of the next few weeks, that hey, let's, or a documentation page and a blog post that points people to the documentation page. Right now, I'm not as clear where it would fit in the documentation so I've got to think about that a little bit and I'll include that in a pull request. Alex, your PR on replacing the internals of install-plugins.sh is still needing review. I apologize, I'm behind on that. I hope that one likewise within the next few weeks. Any insights you've gained in this waiting period of things that we need to be aware of? I don't think so. I've just been super busy with work so I kept up on it and asked for reviews and things like that. But if anybody wants to review it. PR and link. Yeah, yeah it definitely is and. Yeah, so that's just, and I think, Alex, rather than having you do that blog post, if you're okay with it, I'd like to take that one on because it needs a "where does it go in the documentation" question to be answered. Is that okay with you? Yeah, it's fine. Okay, great. Latest changes: so I've not seen any outrage on the Debian 9 to Debian 10 upgrade, or on the CentOS change, and they're both delivered and running, so congratulations. And we did have good interactions with Jim in, where was it, was he in the contributor summit, I forget if we.
Yes, I think we had him in the contributor summit session discussing further refinements on multi-arch support for our Docker images. All right. Any questions or concerns on topics related to action items? Okay, so here I was just going to bring up the slide that we used to talk about containers and platforms. Alex, this is probably a good place for us to discuss: hey, did we say something that sounds to you like it's outrageous and that was crazy? So here's what we said: continue the 2020 roadmap work. That's not from Docker images including arm, s390 and PowerPC. Then improving our image governance, and this is where we describe the JEP ideas, discuss those in some depth. Image maintainers, adopt this image, accelerating our Docker builds; that was greeted with positive view from Daniel Beck and the security team. Thanks to everyone for being willing to consider it. And then scanning the Docker images, and the securing the delivery pipeline segment also had a scanning topic. Their scanning topic was more scanning source code and dependencies for issues. But it's the same scanning tool provided by the Linux Foundation, a commercial license to Snyk. It looks very promising that, hey, this thing is possible. In the track discussing containers and platforms one of the big concerns was, how do we deal with the mass volume of alerts and warnings that come from these kind of security scanning tools. We looked at tentatively one of them and it alerts about things related to SSL and where there isn't a change available from the operating system to do anything about it. So, it's not clear to me yet how that's exactly going to work, but I think it's the right thing to have on our roadmap.
And then we highlighted that we want to continue doing cloud improvements, and in particular, we continue to use Helm charts for the Jenkins infrastructure, and we're grateful that the community is providing a Jenkins controller Helm chart. Gareth or Cara, anything that you wanted to highlight as other crucial things we may, oh wait a sec, one more thing than not list. The list included that we are not likely to do Java 15, but Tim Jacomb noted: hey, the scheduled release date for Java 17, the new LTS of Java, is expected to be the fall of 2021. So autumn of 2021. And he's seen that Jenkins works and compiles and tests just fine on Java 15. So we may yet have this one come in, but we specifically said it's not on our plan for right now to do anything in 2021. Corrections, questions, concerns? I think that's valid because I think there are more people using Java seven and Java 11. Yes, yes, and that's a keen observation, right, that, oh dear, we've got an LTS version that we fully support, that we did a significant work to get Java 11 support in, but still, it is not a terribly popular platform. Right. No, no. Sorry, go on. No, no, go ahead, Gareth. I was going to talk about the security scanning stuff. There may be an opportunity to chat to Fred Blaise about DefectDojo. That's one of the tools that he produces. And it is meant to be very good at taking security events from a wide range of things. So like different scanning tools, I think there is integration with Snyk already, and presenting it in a way that can be managed. So there might be an opportunity there, because it's an open source tool. So you say it's called DefectDojo? DefectDojo is what CloudBees use internally to manage security defects, but it's an open source tool that is. I think Fred is actually one of the main maintainers of it as well. So, yeah, we should have a conversation with him about. Can we. Yeah.
What does it support? Can we get up and running, would it be useful for this kind of stuff? And I suppose whether Daniel would find it useful. That sounds interesting. Good. Okay, to assist. So what it does is it collects scanning results from various tools and allows people to process them to, I assume, ignore some, to flag others as more important. Yeah, exactly. Nice. Mark, just so I'm clear, are we using the Snyk-based security tool from the Linux Foundation that we have a potential to use through the Continuous Delivery Foundation there? Yeah, that's the one we're using. Okay. So "using" is a very generous use of that gerund verb "using", right. We plan to use that, so yes, I'm experimenting with it, but my experiments are just using a Snyk free account, whereas the Linux Foundation account as I understand it actually has additional features that are only available to commercial consumers of Snyk. So, the foundation I believe has negotiated with Snyk to get additional capabilities available to us. Yes. And I think there's a way for the Jenkins project to apply to use it through the CDF and we should. Absolutely. So that's, and I think I suspect the project has already applied, and it's already actually being used on Jenkins content, but there's still some registration stuff that needs to happen and, for instance, Oleg in the session was demonstrating a couple of bumps and bruises that we need to talk to Alex, the Linux Foundation. All right, anything else on summary of the results, or Alex, any questions from you on, hey, what was said, or concerns? No, all looks good. Okay. All right, so next topic was open container labeling, so Gareth, you want to give us an overview of that and. Yeah, so I think this came up in the containers and platform at the contributor summit as well; I think Damien raised this as an option.
It's just about that there are two specs at the moment: there's the Label Schema and Open Container labels or annotations spec, but they seem to offer the same kind of thing. There are a common set of labels that you can add to your Docker containers, just to try and provide some hints on where that Docker image has come from, how it was produced. It's a repo commit hash, when it was built, and other information as well that you may want to add to it. And, yeah, I think this is just an idea that we should come up with a common set that we would like to attach to all of our images and start doing that. I think I mentioned this last time, is that one of those schema specs? Yeah, so I think that was the Label Schema spec that it added; it added most of the sort of static labels, I'd say, so it's like descriptions and maintainers and that kind of stuff. You had the Git URL but it didn't contain any SHA in there, or commit SHA or anything like that, so you can see exactly at what point it did. So to change that you actually need to do that at build time, rather than just add them statically into the Dockerfile itself. Yeah, so we need to move that over to our own infrastructure, rather than builds on Docker Hub. So Docker Hub is problematic for that, I think, unless there is a way that they pass a build out or something of a commit hash, which I've not seen them do. I don't know whether that's something they've changed, but yeah. But I think we should kind of, I don't know whether we want to support both specs or whether we should choose one of those specs to support. Whichever one we pick, someone will be angry that we didn't pick the other one. So if it's easy to do both, we should probably just do both.
Just so that we don't get lots of complaints, because you know, whichever one we choose, someone will be all up in arms that we didn't choose the other one, so hopefully there's not a third one introduced anytime soon. And then there may also be some additional labels that we want to support. Yeah, one of the ones that I find really handy is to put in the Git tree state and whether or not it's dirty or clean. So that when I'm debugging an issue I can see that somebody has made a modification and built it on the desktop and pushed it up, and it's not come from Git. I think Amy knows I had an idea of some additional labels as well that would be handy. Right. Great. Anything else, Gareth, there? So it seems like this one is dependent on our eventual transition to building the images on our own infra, but that we've got to do anyway for s390, likely for arm64 and for PowerPC, so that's an eventual transition no matter what, right, we're making that transition as part of our roadmap. Yeah, we can add a subset of the labels at the moment, I think. So the ones that are relatively static, we can add those upfront. To get a sort of a complete set and probably the more useful labels like commit SHA, build date and things like that, you probably want to move the infrastructure over so we have control over those. But I had missed that; I think that's a valuable thing, we could immediately add those more static labels, and that way there may be some people already get value and we then are reminded, oh yes, let's keep using the static labels, and as we make more transitions we add more static labels. Yeah, I like that a lot. Alex, did you have a comment there? Yeah, but I forgot what it was so. Super. Okay. All right. So anything else on container labeling? I'll just put in the chat. I work tool to help us do that and inspect the images.
I'm just going to put that in if anyone finds that useful. Yeah, let me put a link to it, that's inspect tool to view labels. It can also help you generate the labels when you're building the image. Oh, okay. And now technology-wise, how are those labels actually applied? They're not tags in the sense of a tag, there's some sort of metadata associated with the Docker image. Yeah, in the Docker sort of manifest there's a section for labels. It's just like key-value pairs. Okay. And then the key thing here is the schema spec is what allows people to comprehend, to make sense of what we package inside that manifest. Yeah, it's just that they're a common set of labels that it sort of says that you should add. Got it. Okay. Excellent. Next topic then: She Code Africa April Contributhon. So Alex, this was me spinning an angle that you may want to check with your employer; I'm checking with mine. And it's looking promising. What there is is there is a team of open source contributors. There's an organization in Western, or in Africa, called She Code Africa, and one of their leaders, Zainab Abubakar, is a Jenkins documentation contributor. And she's noted that they have upcoming a Contributhon where they're going to seek commercial sponsors who fund them to then pay women in Africa to contribute to open source projects. And they have sponsorships available. My thought was if your employer is interested in sponsoring these kind of things, where various groups we would like to increase their involvement in tech. It might be worth you asking; I know I've asked my employer and I'm getting good promising results that they're likely willing to support this kind of initiative. I can put the links to it. Yeah, that'd be great. Are you going through your like HR for that or what?
Yeah, that's what, we've got a diversity and inclusion group now that we have a company and that kind of thing is where, yeah, and my guess was you've probably got it, and I think I'm going to ping Jim Crowley as well because I'm reasonably confident that IBM's got something similar. And so yeah, here it is, so this is the link to it. So what this is is right now they're assembling donations from sponsor companies. During the month of April, these women will be assigned tasks from project ideas that open source projects have suggested, and will be paid to contribute to those tasks. So it gets them involved and it has the benefit that they're funded while they do it so they're not just donating their time. Awesome. I think it's absolutely brilliant and it's a great excuse for companies to help out in this way, so let's see. So shecodeafrica.org. Right, yeah, shecodeafrica.org, and the Contributhon is described on their events page. Perfect. I will reach out today. Excellent. Thank you. And the sponsorships range from $1,000 to $5,000 for corporations. Certainly you could sponsor beyond, but what their goal, the way Zainab described it, was they will be delighted if they get $40,000 in sponsors, and my thought was between your employer, my employer and Jim's employer, we might be a significant way towards funding She Code Africa with just those three companies. So, for me it's very attractive as a way for us to do some diversity work. Awesome. Now project ideas are a little more complicated in that we need to find those project ideas. I'm not sure there are specific platform-related project ideas, but I think it's worth us considering as a Platform SIG what could we have a contributor do that might help, and there may well be parts of our roadmap where they would really benefit and we would benefit. Great.
Yeah, I'll definitely reach out today to my inclusion and diversity team. Great. Thank you. Super. Let's see, in terms of, maybe we could take a few minutes here and talk about what are some project ideas we might see that are platform specific, for instance. Could we consider having them. Well, let's see, what have we got on the roadmap, if I think about roadmap topics we've got. Now how about, I guess arm64 might work if one or more of theirs have a Raspberry Pi 4. Now that's kind of a rather strange thing but you never know. I mean, Pi 4 can actually run 64-bit arm, right, and so arm64 support might be a possible. The others might. Let's see. Yeah, I don't know about the labeling, I guess maybe test improvements. The suggestions from Damien had been techniques to accelerate the speed at which we perform certain of the tests. He's found a Google tool that will inspect the contents of a Docker image or test the Docker image without actually running the image. And it seems to be faster than starting and stopping the image process. So test improvements might be a candidate. Any other suggestions? Certainly documentation, and, yeah, has been one that we've discussed, but that's not specifically to the platform, and screenshot updates, because we're getting a significant change to the UI in March, and we need to update pictures. All right, next topic, proposed Docker changes, so multi-arch builds, install-plugins.sh. Still in progress. Cara, on the non-root user on the agent Docker image, you want to give us a, how's it going there, what do we need to help with, what are the challenges, etc. That is a question, it's actually all fine, it's had a bit of a delay because I just got pulled into other things like talks and stuff. So I had not worked on this in well over a week but it's pretty close to that and I now have a clearing in my time which I will give a push on this. Well, similar to the Docker builder.
So there's no particular blockers. Thank you for your offer but there's no particular, it's just me needing to see it, make sure it gets done. That's fine. I thought there was some, maybe I thought I understood that there was still some open question on non-root, or has that all been resolved as far as you know? I think there was like one or two more pieces of work that needed to be done but that it was getting to be pretty close. Okay. All right. Okay, so, but you're not aware of anything that's in your way. No, just me. Hey, volunteers are volunteers, there is no obligation on volunteers, right, there's just none. It's like your time is deeply appreciated and very kind that you give it, thank you. Any other topics we should discuss here today? Okay, so Jim mentioned verbose tagging, and I think that's still just we need to keep making progress on that, using that, follow the tagging pattern that we're using in the Windows images, and Adoptium is showing the same tagging pattern as well, so that for me just feels like a good plan. All right, I think that's it then, no other topics, let's call an end. I'll post the recording later today. Thanks everybody.