On Tue, Feb 8, 2022 at 12:01 PM 'jn...@cloudbees.com' via Jenkins
Developers <jenkinsci-dev@googlegroups.com> wrote:

> Hi all,
>
> A point raised in a permission update for a plugin in RPU is that we are
> still granting users permission to Artifactory for deployment of a plugin
> that they maintain even if the plugin is using CD.
> https://github.com/jenkins-infra/repository-permissions-updater/pull/2265/files#r773914240
>
> Is there any reason still to do this?
>
> Backports for security would as far as I understand be deployed
> differently (the security team sets up a special repository in Artifactory).
>
> I also believe (and may be incorrect) that we should be able to do CD on
> branches (however we may need to change <version>{$revision}</version> to
> be <version>xxx.{$revision}</version> in order to get a branched version
> number (in the cases where a plugin is not already using a prefix like for
> libraries)).
>
> Thus are we now in a place where if CD is enabled we can (and should)
> remove user-level Artifactory access for plugins (that we maintain), or
> even more broadly across all plugins to get some better security?
>

We still need to have a reference as to who is the owner/maintainer of a
component, and we have not yet defined an extension of the YAML that would
separate deployers/uploaders from owners/maintainers. There are downstream
scripts depending on these files, so yoloing a change of the key is
probably not a good idea.
