Jenkins March 2023 Newsletter

Alyssa Tong
Damien DUPORTAL
Kevin Martens
Mark Waite
Bruno Verachten
Kevin Guerroudj
April 12, 2023

Jenkins March Newsletter

Highlights

  • Jenkins 2.397 and 2.387.2 are both using new Linux repository signing keys.

  • The Pipeline graph view plugin continues to evolve and improve as a Pipeline visualization replacement for Blue Ocean.

  • The number of pull requests merged for jenkins.io crossed into triple digits this month (101).

Governance Update

Contributed by: Mark Waite

Jenkins' installers for Debian and Red Hat have all been signed with new PGP private keys. Refer to the Jenkins blog post for more details. The Jenkins installer for Windows and the Jenkins WAR file have also been signed with a new code signing certificate issued by DigiCert. Thanks to the Continuous Delivery Foundation for their help with the new code signing certificate.

The Chinese translation of the Jenkins documentation has been unmaintained for almost two years. Rather than risk confusing Chinese users that are following outdated instructions, we’ve removed the link to the outdated Chinese site. We invite Chinese users to use the English language documentation.

Jenkins press contacts have been simplified, to invite members of the press with questions about Jenkins to post their questions to the press category on community.jenkins.io. Special thanks to Discourse for hosting the Jenkins community site.

The Jenkins board, members of the Jenkins security team, and several others were involved in resolving an incorrect claim against a repository of the Jenkins GitHub organization. The claim incorrectly asserted that one of the Jenkins GitHub repositories had published private information, copyrighted material, or a password without consent. The issue was resolved through the efforts of Daniel Beck, the company that filed the incorrect report, and the maintainers of the affected plugins. Thanks to all involved for resolving the issue.

Security Update

Contributed by: Kevin Guerroudj

Two security advisories have been published during the month of March:

  • One regarding plugins

    • 13 plugins were impacted

    • 9 without fixes according to our documentation

  • One regarding core and update-center2

    • The most critical issue was an XSS, for which we were able to confirm that there was no exploit.

Infrastructure Update

Contributed by: Damien Duportal

Over the course of March, the Jenkins infrastructure team has worked to provide several enhancements and updates including:

  • Huge effort on bandwidth reduction for dependencies from JFrog, by switching almost all workloads to the new artifact caching proxy, with a focus on developer UX to allow disabling it when unreliable.

  • All of the controller Azure credentials are managed as code, opening the door for safer identity management.

  • Improved safety and reliability for the releases of both weekly and Jenkins Core, by migrating this process into a new private Kubernetes cluster.

  • Maven 3.9.0 and 3.9.1 were rolled out to developers.

  • The Ubuntu 22.04 upgrade campaign has been planned and started.

  • A new GPG key was rolled out for signing Jenkins repositories and Core artifacts.

  • Usual maintenance efforts to keep the infrastructure running, including weekly dependency upgrades, support for the 2 security advisories, and migrating pipelines from GitHub Actions to our own Jenkins private instances.

User Experience Update

Contributed by: Mark Waite

The Jenkins user experience continues to improve thanks to the efforts of many contributors, with special thanks to Jan Faracik and the many reviewers involved in the improvements.

The Pipeline graph view plugin continues to evolve and improve as a Pipeline visualization replacement for Blue Ocean. It now includes progressive viewing of log files. Thanks to Tim Brown for the improvements.

The "About Jenkins" page in Jenkins weekly releases now includes a new image and an invitation to "get involved" with the Jenkins project.

The Jenkins icon legend is now a modal dialog in Jenkins weekly releases. The modal dialog does not move the user away from the current page. Expect to see more modal dialogs in Jenkins in the future.

More Jenkins messages have been translated into Turkish thanks to Mustafa Ulu. They have been released in Jenkins weekly releases in March.

Support for user experimental flags ("feature flags") has been added to Jenkins core. Developers can deliver new features and allow users to enable or disable those features for their own account. Thanks to Wadeck Follonier for the implementation and thanks to all those who reviewed and helped with the pull request.

Documentation Update

Contributed by: Kevin Martens

Over the course of March, there were 7 blog posts published, featuring several different authors. Bruno Verachten has shared his experiences using Jenkins in intriguing ways, as well as starting a new series of posts regarding Android and Jenkins. We also crossed into triple digits (101) for the number of pull requests merged this month for jenkins.io alone. Along with recent UI updates, the Jenkins documentation is being updated to reflect the simplified Manage Jenkins settings names. Thanks to all of the continuing and new contributors, all of your work helps support both the Jenkins project and the Open-Source community.

Platform Modernization Update

Contributed by: Bruno Verachten

Over the course of March, the Jenkins platform team provided several updates and improvements. These improvements include:

  • Jenkins 2.397 and 2.387.2 both using new Linux repository signing keys.

    • There is a great article by Mark Waite to explain why the keys have changed and how to update accordingly.

    • Nothing has to be done for Jenkins Docker installation, because the key is not required for container installations, as we manage the service ourselves in the container.

  • Docker end of open source software images (Docker announcement with later changes)

    • The old jenkinsci handle could have gone away, as it was not protected by OSS organization, before Docker changed their mind.

    • Jenkins4Eval may go, as it is dangerous and not really needed.

      • At this time, it is for a very niche use.

  • PowerPC 64: has made some nice progress. Thank you so much for your contribution Kenneth!

    • docker-agent: PR reviewed, checks have passed.

    • docker-ssh-agent: PR reviewed, checks have passed too.

    • Inbound-agent: PR reviewed, checks will pass once the docker-agent PR is accepted.

    • Controller: PR is done as well, checks have passed too. It shouldn’t be long until all of these PRs make it into the next release.

    • Welcome to the community Kenneth, we’re delighted to have you onboard!

  • Alpine aarch64 images issue:

    • We’ve been following the progress for a few months now, and it looks like it won’t be solved soon. Temurin needs help to get this back on track. In the meantime, we have other Debian based images that can do the job.

  • Windows MSI installer code signing certificate updated (also signs jar file):

    • Windows users expect their installers to be signed/secured (because of malware and so on). The previous certificate expired March 30, 2023. Fortunately, Mark Waite and other members of the community managed to get a new one, so the latest weekly release is signed.

    • Lawyers had to be involved, but the process is now complete.

    • The MSI installer is signed with the new key.

  • Latest updates on the agent images:

    • Ssh-agent release 4.13.0

      • chore(deps): bump debian from bullseye-20230208 to bullseye-20230320 in /8/11/17bullseye (#222)

    • Docker-agent release 3107.v665000b_51092-6

      • chore(deps): bump archlinux from base-20230226 to base-20230319.0.135218 in /11/archlinux (#393)

      • chore(deps): bump debian from bullseye-20230227 to bullseye-20230320 in /11/17/bullseye (#394)

  • Experiments with RISC-V have progressed.

Outreach and advocacy Update

Contributed by: Alyssa Tong

So thrilled to have been back at the usual spot (Pasadena Convention Center, CA) for SCALE this year. An added bonus was visits from special friends 🥰, Kohsuke Kawaguchi & Arun Gupta 🎉!

Many thanks to the Jenkins fans for stopping by the booth to let us know how much they love Jenkins! Special thanks to the SCALE committee for being a wonderful host! 🚀

Jenkins in Google Summer of Code (GSoC)

If you lurk on the Jenkins GSoC Gitter channel, you will be quite surprised at the level of engagement… It is anything but quiet. The hustle and bustle indicates the level of interest in Jenkins in GSoC. Here’s where we currently stand:

  • We’ve received over 50 proposals via the Google Summer of Code portal.

  • Organization administrators and mentors are reviewing and ranking the proposals.

Jenkins Awards

The list of nominations for the Jenkins Contributor Awards is quite impressive this year, with more people being nominated than ever before. We want to thank and congratulate all nominees, your contributions are seen, recognized and appreciated!

We also had more people voting this year than in previous years. Thank you to everyone who took the time to vote! Voting is now closed, and the results will be announced on May 8-9 at cdCon.

About the authors

Alyssa Tong

Member of the Jenkins Advocacy and Outreach SIG. Alyssa drives and manages Jenkins participation in community events and conferences like FOSDEM, SCaLE, cdCON, and KubeCon. She is also responsible for Marketing & Community Programs at CloudBees, Inc.

Damien DUPORTAL

Damien is the Jenkins Infrastructure officer and a software engineer at CloudBees working as a Site Reliability Engineer for the Jenkins Infrastructure project. Not only is he a decade-old Hudson/Jenkins user, but he is also an open-source citizen who participates in Updatecli, Asciidoctor, Traefik and many others.

Kevin Martens

Kevin Martens is part of the CloudBees Documentation team, helping with Jenkins documentation creation and maintenance.

Mark Waite

Mark is a member of the Jenkins governing board, a long-time Jenkins user and contributor, a core maintainer, and maintainer of the git plugin, the git client plugin, the platform labeler plugin, the embeddable build status plugin, and several others. He is one of the authors of the "Improve a plugin" tutorial.

Bruno Verachten

Bruno is a father of two, husband of one, geek in denial, beekeeper, permie and a Developer Relations for the Jenkins project. He’s been tinkering with continuous integration and continuous deployment since 2013, with various products/tools/platforms (GitLab CI, Circle CI, Travis CI, Shippable, GitHub Actions, …), mostly for mobile and embedded development.
He’s passionate about embedded platforms, the ARM&RISC-V ecosystems, and Edge Computing. His main goal is to add FOSS projects and platforms to the ARM&RISC-V architectures, so that they become as boring as X86_64.
He is also the creator of miniJen, the smallest multi-cpu architectures Jenkins instance known to mankind.

Kevin Guerroudj