Another day, another SSL vulnerability! Google has announced a vulnerability in SSL v3, and if you are using the "Winstone" servlet container built into Jenkins, and if you are using the HTTPS connector with the --httpsPort option (it is off by default), then you are vulnerable to this problem.

I've just issued a security advisory on this. If you haven't already subscribed to the Jenkins security advisory mailing list, this is a great opportunity to do so.

The advisory includes the target delivery vehicles for the fix and how you can address the problem in the mean time. Inside corporate intranet, where Jenkins is typically used, I suppose there's a degree of trust among participants to make this less of a problem. But if you run an internet facing Jenkins, be sure to deploy the fix.

(And as I write this, I've fixed all the https://*.jenkins-ci.org servers to disable SSLv3, so we are covered there)

This is a guest post by Craig Rodrigues

The FreeBSD project produces a modern operating system derived from BSD Unix.

In the past 6 months, we have set up Jenkins at http://jenkins.freebsd.org/, to continuously build FreeBSD as developers add new code to the project. This has helped us identify and fix build breaks very quickly.

We have gone even farther by integrating Jenkins, Kyua, and Bhyve.Kyua is a testing framework for infrastructure software.Bhyve is the native hypervisor that comes with FreeBSD (similar to KVM on Linux).

We use the Build Flow plugin in this example Build flow to do the following:

1. Build the FreeBSD kernel and userland on amd64 whenever someone checks in new code to http://svn.freebsd.org
2. Create a bootable FreeBSD disk image with makefs
3. Boot the image under bhyve
4. Run these commands inside the bhyve VM:

cd /usr/tests; kyua test; kyua report-junit --output=test-output.xml

1. Shut down the bhyve VM
2. Imports test-output.xml into Jenkins.
3. Produces a full native test report in Jenkins

The results of this work were presented at the Bay Area FreeBSD Users Group in this presentation in October 2014.

Jenkins has been very easy to set up and use under FreeBSD. We hope that by using Jenkins to run OS-level unit tests, we will be able to improve the quality of FreeBSD. For further information, please feel free to contact us at freebsd-testing@FreeBSD.org .

Jenkins User Conference in Bay Area is this Thursday, and one of the new things this year is the mobile app.

There's an Android version as well as an iPhone version. I've installed it locally, and it's very handy for checking the agenda, get more info about speakers and sponsors.

Jenkins started with a notion of jobs and builds at heart. One script is one job, and as you repeatedly execute jobs, it creates builds as records. As the use case of Jenkins gets more sophisticated, people started combining jobs to orchestrate ever more complex activities.

A number of plugins have been developed to enable all sorts of different ways to compose jobs, and many are used quite successfully in production. But this resulted in a certain degree of complexity for users to figure out how to assemble these plugins.

So we felt the need to develop a single unified solution that subsumes all these different ways to orchestrate activities that may span across multiple build slaves, code repositories, etc. Various inputs from users as well as other plugin developers played a key role.

The result of this is the workflow plugin, which is what a number of us, including Jesse Glick an myself, are focused on in the past few months.

The plugin approaches the problem by defining a DSL for you to describe an execution of a job. Various convenient primitives are available, such as executing shell scripts, checking out the source code, obtaining an executor or a build workspace, etc. All sorts of classic existing plugins contribute their functionalities into this DSL, such as recording test results, fingerprints, or calling into other existing jobs. This allows you to leverage higher-level functionalities and report comprehension capability into a workflow. Similarly, you can leverage the ability of Groovy, the host language of workflow DSL, to define control flows, abstractions, and reuse.

A key feature of a workflow execution is that it's suspendable. That is, while the workflow is running your script, you can shut down Jenkins or lose a connectivity to a slave. When it comes back, Jenkins will still remember what it was doing, and your workflow script resumes execution as if it was never interrupted. A technique known as the "continuation-passing style" execution plays a key role in achieving this.

I'm very happy to report that the workflow plugin is finally 1.0. This version runs on the latest 1.580-based LTS. and we created a docker image for you to play with too. There’s also a JUC presentation that explains this. We are working toward 1.0 release within this year, and in the meantime, the syntax is stable enough to allow you to start designing workflows today.

We've been hearing a lot of good feedbacks and enthusiasm for this new effort. Please let us know what you think.

A lot of us has grown fond of our loyal butler Mr.Jenkins over time, which was created by Frontside and chosen as a result of a logo contest. In the true open-source style, the logo has since evolved into many different derivative works, such as a plugin, a 3D model, and a bobble head.

Our friends at CloudBees are running a #BreakingBuilds social media contest through Jan 5th to have some fun with Mr.Jenkins. Read Sacha Labourey's blog post, where he draws parallels between what a butler does and what continuous delivery can do.

I especially agree with him on this point:

I always loved the idea of using a butler to represent what Jenkins is about, as it projects all of the qualities that define continuous delivery: it is built to be proactive, it will help you fix problems before they happen, it orchestrates your entire pipeline to production without you having to worry about the sophisticated underlying sequence of steps and, if things go wrong Jenkins uses his fingerprint database to trace back the source of the issue. Full service. As your right arm, Jenkins is the reliable and trustworthy guy you want on your team!

Check out the contest rules and participate. Let's raise the visibility of Jenkins and have some fun in the process!

• Read Sacha's blog
• Learn more about the contest and how to win Jenkins prizes
• Go directly to the #BreakingBuilds images

In tomorrow's Jenkins office hours, Jesse Glick will talk about two topics in the workflow plugin that he has been asked about:

• Security model: script security, permissions
• Plugin compatibility: SimpleBuildStep and friends, custom steps, etc.

The session should be interesting to anyone using workflow or thinking about using workflow. Jesse is one of the top contributors in the community, so it'd be definitely worth your time!

The Jenkins User Conference 2015 is seeking submissions that reflect the latest innovations in Jenkins usage. This is your chance to educate, share and inspire the community with stories of how you've used Jenkins to continuously build that amazing project or how you developed that popular plugin that everyone is using.

If you're gamed, here are some suggestions to get your creative juice going:

• Scaling Jenkins within the enterprise
• Jenkins as the orchestrator for continuous delivery
• Plug-in development
• Jenkins techniques that solve testing/building problems in specific application areas: mobile, enterprise/web/cloud and UI testing
• War stories that speak to a problem you faced, the Jenkins solution you implemented to solve it and the results you realized
• Jenkins best practices, tips and tricks
• Jenkins in the cloud - if you or your company is currently using Jenkins in the cloud we’d love to hear your story
• Beyond Java (Jenkins with PHP, Ruby, etc.)

We are upping the ante at this year's JUCs. We are moving from a 1 day conference to a 2 days conference for SF and London - that's 18 additional cutting edge sessions to be learned.

SUBMISSION DEADLINE IS MARCH 8, 2015!

There's also a wide variety of event sponsorship opportunities available. There are offerings from Gold to Silver packages, exhibitor packages in our world-class expo hall, speaking sessions, free passes, and many branding opportunities. For inquiries, pls contact juc-sponsorship@cloudbees.com

Looking forward to receiving your amazing proposals!

Congratulations! The Jenkins project officially went over the 100K active users mark sometime in January. As of January 31, we were at 102,992. YOU are one of the 100K active users!

As discussed on a couple recent project meetings, we have designated February 26 as Jenkins Celebration Day.

To make some noise, here is what we are doing starting NOW:

• Write a blog about anything related to Jenkins. Post your blog and Tweet out a link to it. Include the hashtag #Jenkins100K in your post.
• On February 26, we will hold a raffle and pick four names at random. The grand prize winner will get a 3D Jenkins Butler model. Five others will get their pick of Jenkins swag (up to $20) from the Jenkins online store.

OTHER WAYS TO CELEBRATE

There are a number of other things planned and we want YOU to be involved. This blog post is the central place to come for all things related to the celebration.

• Recording – Jenkins Governance Board Dean, Tyler, Andrew and I will get together this month and record some thoughts about the Jenkins project. We will share that recording with you from this page on February 26.
• Twitter Badge For those of us on social media that want to proudly celebrate our community, we will have a special badge that you can use for your profile image on Twitter or any of the other social media forums. Feel free to use the badge as long as you want – but let’s get as many of us using it as possible between now and February 27.
• Social Media Images (images available below later this week)
  • CloudBees is donating a series of images that we can all push out on social media (whatever platform(s) you use).
  • Pick your favorite(s) and push them out on Twitter, Facebook, G+
• Certificate (available on this blog post soon) Download your very own “I am part of the Jenkins 100K” certificate. Print it out and proudly display it on the wall of your cube or office.
• Visibility The Community will also issue a press release on February 26 announcing our milestone news.
• Sign the “card” Consider this blog a Congratulations card to the entire community. Share your thoughts in a comment on this blog about anything Jenkins-related that you wish!

This is a big milestone for the Community and one you should be proud to be part of! Let’s make some noise…

In preparation of the celebration of 100K installations, 1000 plugins, and 10 years of Jenkins, we've got these images created.

I hope folks can use these images to mark the occasion! The full size pictures are here.

In preparation for Jenkins 100K celebration, I'm going to record a one-time podcast with Dean Yu, Andrew Bayer, and R. Tyler Croy.

My current plan is to go over the history of the project, how big the community was back then, how we grow, where we are now, and maybe a bit about future.

But if you have any other suggestions/questions that you'd like us to discuss, you have 3 or 4 more hours to send in that suggestion! Your feedback would help us make a better recording, so please don't hesitate to tell us.

As a part of the Jenkins 100K celebration, Dean Yu, Andrew Bayer, R. Tyler Croy, Chris Orr, and myself got together late Tuesday evening to go over the history of the project, how big the community was back then, how we grow, where we are now, and maybe a bit about future.

We got carried away and the recording became longer than we all planned. But it has some nice sound bites, back stage stories, and stuff even some of us didn't know about! I hope you'll enjoy it.The MP3 file is here, or you can use your favorite podcast app and subscribe to http://jenkins-ci.org/podcast.

We have some exciting news to share with you! We have finalized most of the dates and locations for the 2015 Jenkins User Conference (JUC) World Tour.

Save the date(s):

• US East (Washington DC): June 18-19
• Europe (London): June 23-24
• Israel: July 16 (ETA)
• US West (Santa Clara): September 3-4

The big news? The JUC agenda has been expanded this year to cover two days! That means you get twice as many opportunities to learn how others are using Jenkins and to network with other Jenkins users.

CALL FOR PAPERS IS OPEN FOR ALL JUC CONFERENCES

We need JUC speakers! The Call for Papers is open now and you can apply here. This is an opportunity for YOU to give back to the community by sharing your Jenkins knowledge and success. Jenkins speakers contribute significantly to the overall JUC experience.

In return for speaking, you will receive free admission to the conference and fame/fortune within the Jenkins community. OK, we can’t guarantee the latter, but we can guarantee the former! Hurry and apply now, becausethe Call for Papers deadline for US East and Europe expires on March 22, 2015.

Not interested in speaking? Another way to contribute to the community is by letting us know who you want to hear from. Nominate or refer that amazing speaker and we’ll do the rest. Contact alytong13@gmail.com

JUC SPONSORSHIPS

Lastly, be a JUC sponsor. Any organization can do this – whether a vendor that sells into the Jenkins ecosystem or a company that has received value from Jenkins and wants to give back to the community. You can find out more here.(NOTE: JUC is not a moneymaking venture for the community – so sponsorships do make a difference.)

This is a guest post from Owen Mehegan (aka autojack)

In 2014 Google announced that they will be shutting down their OpenID 2.0 authentication endpoint and replacing it with Google+ Sign-in, a library built on top of OpenID Connect. The old Google endpoint will shut down on April 20th, 2015! Accordingly, if you are using the Jenkins OpenID plugin to authenticate users with the ‘Google Apps SSO’ feature (typically when Google hosts your personal or corporate email), you need to upgrade. Ryan Campbell took the initiative to develop the new Google Login plugin which implements the Google+ Sign-in functionality. This is the recommended solution going forward. Follow the steps here to configure it for your site. Note that you DON’T need to have a Google+ social network account/profile. Any Google account can be used.

If you find yourself locked out of your Jenkins system after the old endpoint is shut down you will need to follow the steps here to disable Jenkins security temporarily. Then you can connect without authentication and switch to the Google Login plugin. You will probably want to uninstall the old OpenID plugin at that point as well.

References:

• Shutdown announcement from Google
• JENKINS-23431, bug tracking this fix
• Old OpenID plugin
• New Google Login plugin

The deadlines to speak at a 2015 Jenkins User Conference are fast approaching. Don’t miss out on this great opportunity to share your Jenkins tips, tricks, stories, and know-how with the community! Submit your proposal by the below deadlines to have your talk considered by a panel of Jenkins experts:

Please note: The deadline to submit a speaking proposal for East Coast US (DC) and Europe (London) is SUNDAY, MARCH 22, 2015. That is only FIVE days away!

2015 JUC Cities & Call for Papers Deadlines

• East Coast US: Deadline to Submit - March 22, 2015
• London: Deadline to Submit - March 22, 2015
• West Coast US (Bay Area): Deadline to Submit - May 3, 2015
• Israel: Deadline to Submit - May 15, 2015

Not interested in speaking? Contribute to the community in another way: nominate or refer a speaker you would like to hear from at JUC! Contact alytong13@gmail.com or simply become a sponsor.

It's that time of the year again: 2015 Jenkins User Conference Registration is OPEN for all cities. This year, we are making some changes to JUC — JUC will be a two-day event in three out of the four cities across the globe. You will get opportunities to network with other users and developers in the community, learn more about how other people are using Jenkins and attacking broader continuous delivery problem. As always, we love to meet & talk to you to learn what you are doing with Jenkins. To get the sense of how JUC is like, take a look at our past JUC reports like this and this.

Early Bird pricing for JUC tickets is available until May 1.

• East Coast US: June 18-19
• Europe: June 23-24
• West Coast US: September 2-3

You can learn a lot more information here about the 2015 Jenkins User Conference World Tour. As always, we are tweaking JUC to make it better, based on feedback. I'll post about those in coming months. Make sure to follow or tweet at @jenkinsconf to stay up to date on JUC news or to share which JUC you will be attending!

See you there!

About two years ago, we bumped our runtime JRE requirement from Java5 to Java6. And so the time has come once again for us to finally move on to Java7. Because of all the new language features, many of us the developers really wanted to move right on to Java8, but after much discussion we settled to move to Java7 first and then to Java8.

So here is the plan:

• Starting Jenkins 1.608, we start advertising that we will be moving on to Java7, which is why you are reading this.
• Starting Jenkins 1.610 (2 weeks from now), we will ship so-called 51.0 class files that will only load on Java7+. This gives some more warnings to those who don't read our blog.
• Unless we hear uproar from users, starting around 1.614 (6 weeks from now), core developers will start linking directly to new Java7 APIs. We will move on to servlet 3.0 at this time as well.
• The current 1.596 line of LTS will remain compatible with Java6, and most likely the next LTS line will also remain compatible with Java6. So LTS users have additional 3 months before upgrading to Java7.

Java7 has more NIO improvements that allow us to do some file I/O in more portable manner. Similarly, servlet 3.0 will help us build more interactive UI.

Your Jenkins master and all the build slaves need to be running on Java7+. Similarly, those who are using the Maven2 job type must also run Maven with Java7+. However, this does not prevent you from using Jenkins to build your applications that are targeted to earlier versions of Java. According to our research, most platforms people run Jenkins on has been already shipping Java7 for quite some time now. But if you have a good reason why we shouldn't force everyone to Java7, please let us know ASAP.

To put this into context, Oracle will not release updates to Java7 past April 2015. We have always recommended users to run the latest general release according to Oracle, which is currently Java8. As I said, I suspect we will be requiring Java8 pretty soon. So if you are still running Java6, you should definitely upgrade to Java8.

For the past few weeks, I've burnt a lot of midnight oil to get Confluence containerized. The goal is to make Confluence upgrade more manageable and testable. In the proces, I've not only containerized Confluence, but also containerized some other services, including mock LDAP server, to be able to test the copy of the production Confluence dataset against newer versions of Confluence before upgrading production.

The infra team is currently targeting this weekend to migrate our current Confluence instance to this new container, and use the opportunity to move the service to a bigger system. Currently JIRA and Confluence has to live within 2.5GB RAM from the same host, and it's really stretching both services. The new box has 4GB of RAM, and we are splitting JIRA and Confluence to two different servers. So there's a lot of head room.

So please expect some Wiki outage over the next weekend.

As always, our sincere thank you to Oregon State University Open Source Lab for generously hosting our servers. Please donate to them to show your support. Similarly, thank you Atlassian for generously providing the license for running Confluence.

If this goes well, JIRA will follow suit.

The 2015 JUC World Tour dates are rapidly approaching. Since the community has grown so tremendously since last year, the JUC in each city will be the largest gathering of Jenkins users in that region.

Kohsuke will, as always, be the opening keynote speaker at each JUC. But, with the conference going from one to two days, I am happy to announce that Gene Kim will be another keynote on the second day! He is the author of The Phoenix Project and a thought leader in DevOps.

To have these two experts in one place will provide a great opportunity to talk about Jenkins as the foundation of continuous delivery and DevOps practices.

Another exciting announcement: the 2015 Jenkins World Tour will run alongside the CD Summit conferences for both days (at the U.S. East, Europe and U.S. West locations only). Attendees of either conference can attend any of the talks and presentations at both events. Learn more about what CD Summit 2014 was like to get an idea for this year's event.

Registration for all 2015 JUC locations is open. Early bird pricing ends May 1!

• East Coast US: June 18-19
• Europe: June 23-24
• Israel: July 16
• West Coast US: September 2-3

The Call for Papers for JUC is still open for Israel and U.S. West. Submit your own proposal or convince your favorite speaker/Jenkins user to submit one if speaking is not your thing!

• East Coast US: June 18-19
• Israel: July 16

I have some exciting news -- The agendas have been posted for the Jenkins User Conferences (JUC) to be held at U.S. East (Alexandria, VA) and Europe (London). Take a look here to learn more about the talks, speakers and schedules.

As always, there is a great lineup of presenters ready to share their Jenkins stories: Peter Vilim will be presenting “Proving a First Class User Experience with Jenkins” at the U.S. East JUC, and Sander Kieft’s talk is called “Automating a Big Data Platform with Jenkins” at JUC Europe. Learn more about all 2015 JUC speakers and talks here. Explore the pages and see the who/what/where of all JUC 2015 locations!

You will see some familiar names and talks as well: Andrew Bayer will be presenting his very popular talk called “Seven Habits of Highly Effective Jenkins Users” at JUC Europe. Will Soula is returning this year to JUC U.S. East to “chat” about “Chat Ops and Jenkins.” Lorelei McCollum is also back with two talks at JUC U.S. East called “Jenkins 101” and “Getting Groovy with Jenkins.”

This year, you will notice a few differences in the JUC agendas. JUC is now a two-day conference in the U.S. East, Europe and U.S. West locations! Also, each session is assigned a category according to its content: Continuous Delivery, Best Practices, Operations, Plugins, Case Studies/War Stories and more. This will help you decide which talks to attend. You will also notice that several talks, especially in JUC Europe, reflect the industry’s growing interest in big data and Docker.

The agendas are still being finalized for JUC Israel and JUC U.S. West. If you are interested in speaking at either of these locations, you can still send in your talk proposals. The U.S. West deadline is May 3 and the Israel deadline is May 15.

JUC is such a great opportunity for the community to come together and network face-to-face. You can meet Kohsuke Kawaguchi, creator of the Jenkins project, Gene Kim, author of The Phoenix Project and DevOps expert, but you will also have the opportunity to meet Jenkins users, just like you, from all over the world. And this year, with the Jenkins project at well over 100K active installations, JUC as a whole will be the largest gathering of Jenkins users ever.

Early bird pricing for JUC U.S. East and Europe ends May 1, so REGISTER NOW to take advantage of the lower pricing.

In continuing my infra upgrade work, this weekend I'll be migrating JIRA to another server.

This will make upgrade more manageable and testable. The service will be disrupted for a few hours. Check out our @jenkinsci on Twitter for up-to-the-minute status.

Once the migration is done, the next step is to upgrade them.