The Jenkins project has issued an advisory to users that a couple of recent versions had been sending usage stats to the mothership, whether admins had hit the opt-out button for the continuous delivery platform or not.
The advisory said: “A bug was introduced in Jenkins versions 1.645 and 1.642.2 which caused Jenkins to send anonymous usage statistics, even if the administrator opted-out of reporting usage data in the Jenkins web UI.”
The easiest option is to upgrade, the project said. However, if that’s not possible, it supplies a script admins can run which it says will immediately disable usage data submission. At least, it will do this “until you restart Jenkins”.
Which might not be ideal in the world of turn-it-off-and-on-again IT, so it details how to change your startup script to make the change permanent.
And if you are thinking of upgrading, Jenkins 2.0 is finally due out in the very near future.
In the meantime, the Jenkins project has “regenerated” data for January and February to remove affected data.
Jenkins uses an agent to detail systems it is running on, but the information is anonymised. That’s why CloudBees, the CD vendor that builds its platform atop Jenkins, has a reasonably good idea of the level of experimentation with the product in the market.
According to the Jenkins project’s Wiki on usage stats, the data collected includes version info, info on connected nodes and plugins, and job types, but not “information like job names, user names, host names, IP addresses, build logs, build names or descriptions, etc.”
The Wiki also says that the encrypted data can only be downloaded and decrypted by one of the Jenkins board members.