Jenkins March 2023 Newsletter
Highlights
- Jenkins 2.397 and 2.387.2 are both using new Linux repository signing keys.
- The Pipeline graph view plugin continues to evolve and improve as a Pipeline visualization replacement for Blue Ocean.
- The number of pull requests merged for jenkins.io crossed into triple digits this month (101).
Contributed by: Mark Waite
Jenkins' installers for Debian and Red Hat have all been signed with new PGP private keys. Refer to the Jenkins blog post for more details. The Jenkins installer for Windows and the Jenkins WAR file have also been signed with a new code signing certificate issued by DigiCert. Thanks to the Continuous Delivery Foundation for their help with the new code signing certificate.
The Chinese translation of the Jenkins documentation has been unmaintained for almost two years. Rather than risk confusing Chinese users who are following outdated instructions, we’ve removed the link to the outdated Chinese site. We invite Chinese users to use the English language documentation.
Jenkins press contacts have been simplified: members of the press with questions about Jenkins are invited to post their questions to the press category on community.jenkins.io. Special thanks to Discourse for hosting the Jenkins community site.
The Jenkins board, members of the Jenkins security team, and several others were involved in resolving an incorrect claim against a repository of the Jenkins GitHub organization. The claim incorrectly asserted that one of the Jenkins GitHub repositories had published private information, copyrighted material, or a password without consent. The issue was resolved through the efforts of Daniel Beck, the company that filed the incorrect report, and the maintainers of the affected plugins. Thanks to all involved for resolving the issue.
Contributed by: Kevin Guerroudj
Two security advisories have been published during the month of March:
- One regarding plugins
  - 13 plugins were impacted
  - 9 without fixes according to our documentation
- One regarding core and update-center2
  - The most critical issue was an XSS, for which we were able to confirm that there was no exploit.
Contributed by: Damien Duportal
Over the course of March, the Jenkins infrastructure team has worked to provide several enhancements and updates including:
- Huge effort on bandwidth reduction for dependencies from JFrog, by switching almost all workloads to the new artifact caching proxy, with a focus on developer UX to allow disabling it when unreliable.
- All of the controller Azure credentials are managed as code, opening the door for safer identity management.
- Improved safety and reliability for the releases of both weekly and Jenkins Core, by migrating this process into a new private Kubernetes cluster.
- Maven 3.9.0 and 3.9.1 were rolled out to developers.
- The Ubuntu 22.04 upgrade campaign has been planned and started.
- A new GPG key was rolled out for signing Jenkins repositories and Core artifacts.
- Usual maintenance efforts to keep the infrastructure running, including weekly dependency upgrades, support for the 2 security advisories, and migrating pipelines from GitHub Actions to our own Jenkins private instances.
Contributed by: Mark Waite
The Jenkins user experience continues to improve thanks to the efforts of many contributors, with special thanks to Jan Faracik and the many reviewers involved in the improvements.
The Pipeline graph view plugin continues to evolve and improve as a Pipeline visualization replacement for Blue Ocean. It now includes progressive viewing of log files. Thanks to Tim Brown for the improvements.
The "About Jenkins" page in Jenkins weekly releases now includes a new image and an invitation to "get involved" with the Jenkins project.
The Jenkins icon legend is now a modal dialog in Jenkins weekly releases. The modal dialog does not move the user away from the current page. Expect to see more modal dialogs in Jenkins in the future.
More Jenkins messages have been translated into Turkish thanks to Mustafa Ulu. They have been released in Jenkins weekly releases in March.
Support for user experimental flags ("feature flags") has been added to Jenkins core. Developers can deliver new features and allow users to enable or disable those features for their own account. Thanks to Wadeck Follonier for the implementation and thanks to all those who reviewed and helped with the pull request.
Contributed by: Kevin Martens
Over the course of March, there were 7 blog posts published, featuring several different authors. Bruno Verachten has shared his experiences using Jenkins in intriguing ways, as well as starting a new series of posts regarding Android and Jenkins. We also crossed into triple digits (101) for the number of pull requests merged this month for jenkins.io alone. Along with recent UI updates, the Jenkins documentation is being updated to reflect the simplified Manage Jenkins settings names. Thanks to all of the continuing and new contributors. All of your work helps support both the Jenkins project and the open source community.
Contributed by: Bruno Verachten
Over the course of March, the Jenkins platform team provided several updates and improvements. These improvements include:
- Jenkins 2.397 and 2.387.2 both using new Linux repository signing keys.
  - There is a great article by Mark Waite to explain why the keys have changed and how to update accordingly.
  - Nothing has to be done for Jenkins Docker installation, because the key is not required for container installations, as we manage the service ourselves in the container.
- Docker end of open source software images (Docker announcement with later changes)
  - The old jenkinsci handle could have gone away, as it was not protected by OSS organization, before Docker changed their mind.
  - Jenkins4Eval may go, as it is dangerous and not really needed.
    - At this time, it is for a very niche use.
- PowerPC 64: has made some nice progress. Thank you so much for your contribution Kenneth!
  - docker-agent: PR reviewed, checks have passed.
  - docker-ssh-agent: PR reviewed, checks have passed too.
  - Inbound-agent: PR reviewed, checks will pass once the docker-agent PR is accepted.
  - Controller: PR is done as well, checks have passed too. It shouldn’t be long until all of these PRs make it into the next release.
  - Welcome to the community Kenneth, we’re delighted to have you onboard!
- Alpine aarch64 images issue:
  - We’ve been following the progress for a few months now, and it looks like it won’t be solved soon. Temurin needs help to get this back on track. In the meantime, we have other Debian based images that can do the job.
- Windows MSI installer code signing certificate updated (also signs jar file):
  - Windows users expect their installers to be signed/secured (because of malware and so on). The previous certificate expired March 30, 2023. Fortunately, Mark Waite and other members of the community managed to get a new one, so the latest weekly release is signed.
  - Lawyers had to be involved, but the process is now complete.
  - The MSI installer is signed with the new key.
- Latest updates on the agent images:
  - Ssh-agent release 4.13.0
    - chore(deps): bump debian from bullseye-20230208 to bullseye-20230320 in /8/11/17bullseye (#222)
  - Docker-agent release 3107.v665000b_51092-6
- Experiments with RISC-V have progressed.
Contributed by: Alyssa Tong
So thrilled to have been back at the usual spot (Pasadena Convention Center, CA) for SCALE this year. An added bonus was visits from special friends 🥰, Kohsuke Kawaguchi & Arun Gupta 🎉!
Many thanks to the Jenkins fans for stopping by the booth to let us know how much they love Jenkins! Special thanks to the SCALE committee for being a wonderful host! 🚀
Jenkins in Google Summer of Code (GSoC)
If you lurk on the Jenkins GSoC Gitter channel, you will be quite surprised at the level of engagement… It is anything but quiet. The hustle and bustle indicates the level of interest in Jenkins in GSoC. Here’s where we currently stand:
- We’ve received over 50 proposals via the Google Summer of Code portal.
- Organization administrators and mentors are reviewing and ranking the proposals.
Jenkins Awards
The list of nominations for the Jenkins Contributor Awards is quite impressive this year, with more people being nominated than ever before. We want to thank and congratulate all nominees: your contributions are seen, recognized and appreciated!
We also had more people voting this year than in previous years. Thank you to everyone who took the time to vote! Voting is now closed, and the results will be announced on May 8-9 at cdCon.