Howdy! I've been working this week to define the Jenkins Essentials
client<->server contracts for handling the _actual_ updates of Jenkins
Essentials.

To help me organize my thoughts, I sketched out a quick draft of a JEP
yesterday afternoon which can be viewed here.

    https://github.com/jenkinsci/jep/pull/89


Olivier already gave me some really helpful and thought provoking feedback, and
I would love to have a few more eyes on this client/server interaction as it's
likely to be one of the most important interactions in the entire Jenkins
Essentials project.


One area which would be helpful, and I don't have a lot of thoughts invested in
yet, is that of "Update Manifest Authenticity". Fundamentally, we are
instructing the evergreen-client to download code for execution on an end-user
machine, and I want to be absolutely certain that the evergreen-client is
downloading the *right* code and not subject to man-in-the-middle attacks or
other forgeries leading to end-user compromise.

I discussed briefly in JEP-303 (Registration/Authentication) the notion of
Certificate Pinning in the evergreen-client
    https://github.com/jenkinsci/jep/tree/master/jep/303#certificate-pinning
which might be one potential solution here. Or we could model the existing
Update Center process where a certificate authority is baked into the client
and a custom server-side certificate signs the Update Manifest. Another idea
which comes to mind is the "traditional" gpg signing/verification which
yum/apt perform (Joe Damato has done some great presentations about how this
doesn't give you the trust you think it does if you search YouTube :)).

I'm open to suggestions on how we can effectively ensure Update Manifest
Authenticity, the easier and safer the solution the better :)



Thanks for your time!


Toodles

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Developers" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/20180418142050.GT1836%40grape.lasagna.io.
