Hi all,

I would like to provide a status update regarding JEP-200 <https://github.com/jenkinsci/jep/tree/master/jep/200> stories. It has been more than 3 months since the original release in Jenkins 2.102 and one month since the release in LTS (announcement <https://jenkins.io/blog/2018/03/15/jep-200-lts/>). Although we still receive some new JEP-200 issues, the community ratings of releases are pretty good. We would like to thank everybody who helped to get the plugins fixed and released!

As you probably know, the proactive maintenance period ends on May 01 according to the post-release maintenance plan <https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc#phase-4-post-release>. I would like to briefly summarize the current status:

- Adoption: >23% of Jenkins installations (April 01 stats)
- Since January 13 we got 119 JEP-200 issues <https://issues.jenkins-ci.org/issues/?jql=labels%20%3D%20JEP-200> in Jenkins JIRA; there are also some in GitHub
- *82* plugins were affected by JEP-200 <https://wiki.jenkins.io/display/JENKINS/Plugins+affected+by+fix+for+JEP-200> (hosted in Jenkins Update Centers)
- *66* plugins got fixes, 16 plugins still need fixes (5 pending fixes)
- Most of the unfixed plugins are niche ones with less than 100 installations
- Notable plugins: Google OAuth, Kubernetes, Gitlab Merge Request Builder, AWS Device Farm
- We have also applied several core patches, including whitelist updates and diagnosability improvements
- We hope to get 2 whitelist patches backported to 2.107.3 (JENKINS-50616 <https://issues.jenkins-ci.org/browse/JENKINS-50616>, JENKINS-50939 <https://issues.jenkins-ci.org/browse/JENKINS-50939>)
- There is a major improvement in Remoting Exception serialization, which should be available in the next LTS baseline (part of JENKINS-50237 <https://issues.jenkins-ci.org/browse/JENKINS-50237>)

What is going to happen after May 01?

- JEP-200 maintainers will deliver the rest of pending fixes
- JEP-200 maintainers will stop proactively monitoring *all* tickets in Jenkins JIRA and GitHub issues/PRs to discover regressions caused by the change
- Core/Plugin maintainers will be expected to triage newly reported defects to their components
- JEP-200 maintainers will be available to do some consulting in mailing lists and reviews in GitHub on-demand

We have also started a retrospective Google doc <https://docs.google.com/document/d/1KCCIxWh-c44GJbW_AwKooOd7wD4vthWp_KC0r2OJQl0/edit>.
This is the first Jenkins security hardening change with such a level of regressions by design, and we would appreciate your feedback in order to make future changes smoother.

We will also conduct a JEP-200 status update session tomorrow at the governance meeting <https://wiki.jenkins.io/display/JENKINS/Governance+Meeting+Agenda>. Please feel free to join if you want to discuss JEP-200. Any feedback will be appreciated.

Thanks for your time,
Oleg Nenashev
