So welcome to Governance Board. Let me share my screen and we can take a look at the agenda. So items I had were news, CDEvents, I think was a carryover from last time, Google Summer of Code, a proposal to cancel the governance meeting in two weeks and highlights from the mailing list. Any other topics we need to put on the list? There is a request from Hervé about access to infrastructure, I mean administrative access. So I wanted to discuss briefly here because it looks like we started the circumventing CLA a lot. So I just want to agree what would be the expectation there. Okay, good. All right. Any other topics to be included? All right, let's disconnect it. Let's take that one first then. So I think, Oleg, you're referencing that Hervé Le Meur had sent a request asking for access to the Jenkins Infra org, right? Yeah, and those two security bug tracker. So both this request actually require a CLA to be signed. And I just want to show that we keep a requirement of it. Yeah, so I agree that that makes sense, signed CLA. And for right now, I assume it would be done with the following the existing process. Yeah, I can enable EasyCLA right now for this repository. I was about to drink it ahead of the meeting but yeah, I didn't. Okay. So I think that I will actually enable it. Great. And I think that makes sense. I think it's good that we remind each other that, hey, we need a contributor license agreement for certain roles and encourage it. Yeah, speaking of that, I'm still a manager for CloudBees CLA on the Linux Foundation. So if someone from CloudBees has concerns about it, probably they need to follow up because they have no idea why and have no idea what to do with it. Okay, good. Yeah, so Mark to check with Linux Foundation on how to update that. But yeah, I'm also a manager for the CDF, so I will get it enabled. Okay. Anything else on the administrative access request? We had a similar thing going on.
I'm not sure it's where we know that we need CLAs before we allow someone to become a member of the docs copy editors group. Hope. But generally our agreement was that every role that requires special permissions for the Jenkins core from the structure should go through CLA. And for example, if a public request reviewer that says it doesn't require special permissions, but yeah, for the editor role it does. So it actually goes through the process. Excellent. Yeah, and that makes sense to me. Anything else on that topic? Oh, oops, and we, sorry, we skipped news. My apologies. Okay, if we go back to news for a minute. Okay. So there it was, we had a zero day on Friday. Apache Log4j 2 versions up through 2.14.0 had a zero day that apparently was being actively exploited as well. There's a blog post about it and a Jira Epic tracking it. Jenkins core by itself is not vulnerable and a relatively small number about 12 plugins are vulnerable and there's how to detect, how to mitigate included in that Jira Epic. And from all of these plugins I'm concerned only about the audit log because this is a plugin which is likely to be used by enterprises. At the same time, there are no performance issues. So I'm not sure how many actually use it, but from all the plugins, so this is actually don't the plugin be concerned. Great. Okay, good. The other news, we've got new changes in current, in the most recently released weekly for the plugin manager UI. Looks very nice. Special thanks to Jan Faracik and thanks to Basil Crow. A Groovy upgrade is coming in the next weekly. 2.4.12 inside Jenkins will be 2.4.21. Thanks to Devin Nussbaum and Jesse Glick for reviewing the pull request. And we've got a Jenkins LTS that's been, its release date has been shifted from the typical four weeks to be six weeks so that we can let people have some time off at the end of the calendar year. So January 12 will be the release date. And FOSDEM Call for Papers is open. That's it for news.
Any questions there? Okay. Next topic then. Anything we needed to discuss on CDEvents? Well, there is no major updates since the last meeting. So it's officially accepted to the Continuous Delivery Foundation. We will need to do something about CloudEvents plugin. So I think that it should be even renamed to CDEvents or maybe at least explicitly get integration with CDEvents. But generally it's a question of what do we get to contribute those? Eventually I will get to that, maybe. Okay. Next topic was anything else on CDEvents? Okay, next topic then Google Summer of Code. And there Alyssa Tong and Jean-Marc Meessen are ready to step up and help. They're starting planning and looking forward to collecting project ideas, et cetera. I did see and I'll reach out to them later. There's someone in the GSoC channel that said they wanted to help mentor. Good, okay. That's excellent. Very good. Anything else on Google Summer of Code? So that was a question, but I can't join Advocacy and Outreach SIG the tomorrow to provide some knowledge first. It's a problem that I cannot. And basically I'm happy to help us or can meet you too. I'm not sure what will be my capacity, but we need to agree on the time when we actually restore office hours. Because currently Advocacy and Outreach SIG, I've been unable to participate in it since September. I've noted a few times about changing the time, but probably I've had other things to do too. Great. Well, and let's assume that we need more than just you to be staffing the office hours, right? I think that makes sense that we shouldn't be just relying on your shoulders. So they think that right now we will have very better time overlap with Alyssa. And Alyssa will have really better overlap with the students. Right. So, and this is a problem because I'm not sure how it's going to work.
But if we need to schedule office hours in a time zone when Alyssa is available, it should be the super late in the European time zone or it should be Monday or Tuesday because otherwise I won't be available. Got it, okay. Yeah, basically I communicated to Alyssa a few weeks ago so I'm waiting till something gets scaled. Okay. Anything else on Google Summer of Code? Basically, from what I understand from the discussion this year, Jenkins would continue independently. So this is probably something we need to discuss at the board level or in the developer mailing list but it looks like the current consensus. But this nobody accepts the traces that we should be a part of the city of this year. So. Yeah, I think we should be independent this year. Now, Alyssa's also started a thread in community.jenkins.io. Would it be okay if we hosted it there instead of the mailing list? Or Oleg as you're feeling that I think she plans to communicate mailing list, Gitter chat and community. Could we direct people towards community or is it not well enough attended yet that we need to keep it in the mailing list? I think that the community is finally we just need to stop this conversation. As well, we'll see in one month's lead compared to how we usually start the GSoC. Ah, all right. Great, thanks. Okay. So yeah, it's time for you to zoom in. All right, next topic then was proposal to cancel governance meeting in two weeks. I'm hoping to be off personally. Do any of the rest of you have any objections to canceling in two weeks? No. I have no objections. I'm around either way though. Okay, so plus one from all four attendees. Great, I'll remove it. Mark removed from the calendar. We'll do. And then Gavin highlights from the mailing list and the community forum. Yeah, I actually got a few early ones this week or written down ones this week. The main ones we've been, you know, Mark and Damien.
And I think even myself have been putting meeting minutes into the community forums and they've been fairly well received. Yeah, just generally the whatever notes we have in the minutes, not spending a lot of time putting them up just so that they're there. And, you know, as we get more feedback we'll know what's better to record what's not. But so far across the board and all the things it's been well received. Yeah, so in for team meetings doing the same thing. Yeah, if you click on the meeting tag right underneath the title. Oh, right. You get all of them. So yeah, so far they've been well received. They're not being removed from the Google Docs. They're still there. I think Infra does it in HackMD but like it's up to the team to decide where they put it, I guess. But this way at least it's in a single source that everyone can see them, don't have to go find them, don't have to go find the calendar and write that kind of thing. So it has been well received. Excellent, thank you. Yeah, I confess I'm really pleased with it. It's increased the number of views of the recordings. It's had a positive impact. Yeah. And then I started, I found out that Discourse can send notifications to Gitter, actually to Matrix, but Gitter. So I have, I don't know, about six rules set up. I'm gonna try to keep adding more as I think about them. So like anything in events or the advocacy key, advocacy and outreach, a SIG tagged are going to that channel. All the generic ask a question, help ones, they go to the Gitter Jenkins channel. That way people who don't normally check it can see it, see a question was asked, maybe put the information one place or the other or be like, I figured it didn't hurt. It didn't add much traffic. So, so far I think it's a good thing. People have been pretty happy with it. Excellent, thank you. I think docs, I hooked up as well. Great. Not that there's a lot of docs question on the phone. Right, sorry that we're not getting much traffic there.
Yep, all right. Yeah. That's me, it's been pretty quiet. Other than the CVE, it's been pretty quiet for the last couple of weeks. Great. And so I see Daniel has joined us. Daniel, did you want to share any additional on the CVE or things that came from that? No, well, unfortunately I was a bit too late. So I don't know what you discussed, but the blog post and especially the epic in Jira have all the most up to date information. We updated the Jira issue continuously and I currently believe that this is the complete list of all plugins that ever included log4j, at least among plugins that we currently distribute and their versions that we currently distribute, which means I downloaded all of the things over the last two days and unzipped all of the things and looked inside and this is the result. Thank you very much. And here's to your internet service provider. Thank you very much to them. Yeah, I probably contributed to the info a little bit. That's well done. Thank you, thank you. All right. And generally I've been even on the comments and stuff other than the one person who said I have a really old version and how do I fix it? It's been, you know, people have been pretty good about, you know, going to the right sources. There's combined between the two posts about CVE on the forums, there's 6,000 views to those posts, which is even a single one is 3,000. And that's more than any other posts has ever got it on the forums. So, you know, people are definitely interested in it. The only thing I can think of is we probably want to start making sure that the advisory mailing list is a more big public, whatever you want to call it, so that in the future people know that they should be signing up for that email. I know I've been telling people when I see them, but you know, a lot of people will read it and just move on. So I don't know if it's in the blog posts or not. Yeah, I don't think so.
I don't recall that we put it there, but it's a good idea that when we've got a vulnerability or when we've got a process like that, we should remind people, hey, subscribe here for your own benefit. So regarding the 6,000 views, is that community.jenkins.io or is that a blog post? Oh, okay. I don't know. I do have metrics on jenkins.io. I can actually look at that as well. Yeah, that might be interesting because what I've seen is there are a few lists floating around the internet of vendor responses to the Log4j issue. And just for fun, I looked for Jenkins entries and we're in there and they look, they link to the blog post. So that was very good that we published that on Friday in a timely manner. And so that gives people a kind of landing page for the issue in Jenkins, even if we're not really all that affected. People are very, very eager to find out. Yes. I will specifically right after this meeting go and find the numbers for the blog post and update the minutes with them. Cool, thank you. This will take me longer than I think I want to do right now. Great, thank you. Any other topics we need to discuss before we conclude the meeting today? Maybe one question to you, Mark, since you're being representative, is there any one handling application requests on GitHub? Because I was just checking requests and a lot of requests for courtesy, for drive-ins and for the GitHub apps. And somebody is actually expected to be reviewing them. Damien's been reviewing them because I accidentally triggered a few and he's been asking me about them. Okay. But he might be doing info only. You know, I might be happy to reject all of them. That's no problem at all. Way to say. If you request something and you can't even be bothered to send an email to the dev list or something along those lines, then it can't be that important. GitHub UI is also a little bit confusing because it might, I've thought a couple of times that it was approved.
I'm like, oh, cool, I can use this. And turns out it's not approved and it sends the request. So it could be something like that where people didn't actually want to use it. They just saw that it was approved and they're like, oh, I could use it. So. So, Oleg, I think your original question was, is anybody handling them? I'm not confident I can assert they are. Gavin, it sounds like you're confident that Damien is definitely handling Jenkins-infra. Yes, because it's happened a few times for me. Okay. How would I investigate that? And is that? It could only be the admins of the org. Ah, okay. Usually it was me doing that. But, yeah, so when I was doing a transfer, I believe last September, et cetera, I believe you, Mark, became more or can mean. I'm not sure whether you took this responsibility at that point or not. But yeah, since that it was a bit sporadic. So, Oleg was handling it, Oliver was handling it from time to time. But I don't think that anyone is looking into the drug, yeah? Yeah, so I know I have not handled any. And so that's a thanks for the reminder. I'll have to go learn that and understand. So who can, is this one where Daniel can be my guide or Oleg, do I need to get you to be my guide in terms of should we approve it or disapprove it? Always so. We could just leave it as not anything until someone emails the list and say, hey, I want this. Well, let's be honest, there is no trivial guideline for maintainers. So when they request access through GitHub web interface, there is no pop-up saying that you should send the email to the menu. Yep. But there's also no pop-up saying it's approved and it'll be used. So we're kind of a weird middle ground right now. Yeah, so well, in the past I could certainly take the action of asking them, hey, based on GitHub ID or go find a repository. No, really I can't, can I? Because I don't necessarily know their email address.
You can see a repository, you can see a full request access and you can basically investigate based on the disability. So we know that many people try to use code C, so it's basically okay because yeah, we were exploring having Jenkins organization for code C, but we have never proceeded with that. So we were looking into that with Zuni and we had permission issues and then we gave up. So everyone sets up our code C individually these days. For Travis, well, I have no idea why would anyone need Travis into summer 21 for Jenkins. Right. But yeah. There's a lot. You don't know why, but people are using Travis. Not. No problem. I have no problem with the other use, but for Jenkins repositories, it seems like a weird choice. Right. Well, then I will say a simple say of it, please. Yeah. Okay, so that one feels like I've got an action item. If you deny a request, it doesn't say anything to the end user either. So that's why I was like, it's not down in the world to not do it either. Okay. Got it. All right. Any other topics? Okay. Thanks everybody. I think we can call it a meeting for today. No meeting in two weeks. We'll meet next in four weeks. Bye.