Good point, Brian! Our teams, and as I mentioned earlier, I think other teams, must have very similar needs. One huge distinction between Android and iOS is platform requirement. As far as I know, the iOS app can only be built on OS X but the Android app builds on Linux, OS X, and Windows. However, I think Android should prefer to use Linux since that's what most of the infrastructure uses.

In the lack of a preexisting solution, I would like to submit a ticket. Are there any recommendations on how I should go about this and how to figure out if getting a release server is something that can even be done this fiscal year? It's worth mentioning that in addition to internal solutions, we would be open to discussing a trusted third party SaaS provider if that's more practical.

Thanks!

--stephen

On Thu, Aug 13, 2015 at 4:42 AM, Brian Gerstle <[email protected]> wrote:

> Good discussion! iOS is interested in how this goes, as we'd also like to
> package, sign, and deploy our app securely. Our current setup lives on our
> private, OS X Jenkins server which is only accessible on WMF networks. It's
> not versioned in any way, though it could be (using Ansible or
> Boxen/puppet).
>
> Android was considering using the Mac Mini at some point. If we're the
> only two teams that need this environment at present, should we try to use
> the same machine, or at least hardware/config?
>
>
> On Wednesday, August 12, 2015, Stephen Niedzielski <
> [email protected]> wrote:
>
>> Thanks for the info, Dan! Assuming we went this route, what do we use
>> to manage private production configurations? Is there a project that would
>> be a good template I could check out? I would ignorantly guess that we
>> probably have at least a couple ultra secure machines somewhere and am
>> trying to come up to speed with how these are versioned and maintained, and
>> the general infrastructure available.
>>
>>
>> --stephen
>>
>> On Wed, Aug 12, 2015 at 6:32 PM, Dan Duvall <[email protected]>
>> wrote:
>>
>>> On Wed, Aug 12, 2015 at 4:05 PM, Stephen Niedzielski <
>>> [email protected]> wrote:
>>>
>>>> Assuming a better solution does not exist, I _think_ what I'm
>>>> ultimately asking for is a Zuul managed / JJB maintained private Jenkins
>>>> instance only accessible over SSH, if that makes sense. Is there anything
>>>> like that? There must be other teams in the foundation that need a secure
>>>> release job and we could either leverage their solution or they ours.
>>>>
>>>
>>> There's a fundamental problem with signing on a Jenkins slave, private
>>> or shared, in that it will trust and execute anything the master gives it.
>>> It's also possible that the master (and other slaves by extension) is
>>> vulnerable to slave response forgery as well.[1]
>>>
>>> I think to do automated signing right, we'd want to start with a
>>> dedicated production host that independently polls/listens for CR events
>>> and executes only tightly reviewed jobs that are outside the realm of our
>>> CI Zuul/Jenkins altogether. Whether this would be another, completely
>>> private, Jenkins /cluster/ or something lighter, I'm not sure.
>>>
>>> [1]
>>> https://groups.google.com/d/topic/jenkinsci-users/W5dKc06l1qs/discussion
>>>
>>> --
>>> Dan Duvall
>>> Automation Engineer
>>> Wikimedia Foundation <http://wikimediafoundation.org>
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "android" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To post to this group, send email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/wikimedia.org/d/msgid/android/CACu0jZ5L9qAyH%3D4tOFu_k36omByAjcVBJ6OgFENn2-pu649BiQ%40mail.gmail.com
>>>
>>
>>
>
> --
> EN Wikipedia user page: https://en.wikipedia.org/wiki/User:Brian.gerstle
> IRC: bgerstle
>

_______________________________________________
QA mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/qa
