Re: ANN: Jenkins release artifacts uploads blockage on June 09, and a temporary downloads issue

2020-06-17 Thread kjeschkies
Hm, that does not work. I am using the Gradle JPI plugin. It does not seem
to pick up ~/.m2/settings.xml nor ~/.jenkins-ci.org.


On June 17, 2020 at 15:52:17, Tim Jacomb (timjaco...@gmail.com) wrote:

it's just the same as a password to maven, so use the api key instead of a
password.

On Wed, 17 Jun 2020 at 14:39,  wrote:

> Hi,
>
> thanks for the advice. Hm, my ~/.m2/settings.xml had my encrypted
> password. The docs (
> https://wiki.jenkins.io/display/JENKINS/Hosting+Plugins#HostingPlugins-Releasingtojenkins-ci.org)
> don’t mention the API key. How can I configure Maven to use the API key
> instead?
>
> Many thanks.
> Karsten.
>
>
> On June 17, 2020 at 14:53:22, Mark Waite (mark.earl.wa...@gmail.com)
> wrote:
>
>
>
> On Wed, Jun 17, 2020 at 6:44 AM Karsten Jeschkies 
> wrote:
>
>> Hi,
>>
>> thanks for your hard work. I reset my password successfully but cannot
>> upload a release for the Mesos plugin. Are releases still blocked?
>>
>>
> Releases are not blocked but a password reset will also reset your
> password to the artifact repository.  If you're receiving an HTTP 401 when
> you try to `mvn release perform` you may need to update your password in
> the ~/.m2/settings.xml.
>
> I had to do that in order to release a new version of a plugin yesterday.
> I logged into the Jenkins Artifactory instance and had it generate an
> encrypted password from my profile page on that server.  I inserted that
> encrypted password into my ~/.m2/settings.xml file.  I'm not sure if that
> is the preferred way to do it, but it worked for me.
>
> Mark Waite
>
>
>> Best.
>> Karsten.
>>
>> On Tuesday, June 9, 2020 at 5:00:25 PM UTC+2, Oleg Nenashev wrote:
>>>
>>> Dear all,
>>>
>>> As you may have noticed, the release artifact uploads are currently
>>> blocked in the Jenkins Artifactory instances
>>> (https://repo.jenkins-ci.org/). We are doing a security investigation
>>> due to a partial user database loss on June 02. Today we blocked releases
>>> to the Jenkins artifactory, and there also was a temporary outage of the
>>> Artifactory downloads which was a collateral damage of the temporary
>>> permissions. You can find more details about it in this Jenkins Infra
>>> Thread and in this Dev List thread.
>>>
>>> Current status:
>>>
>>> - Downloads are restored for all artifacts on
>>>   https://repo.jenkins-ci.org/, Jenkins core historical releases,
>>>   Remoting library and Windows Service Wrapper which were among ones
>>>   reported by Jenkins users.
>>> - Uploads: Jenkins artifact uploads are blocked for the most of
>>>   Jenkins plugin maintainers and contributors. It affects releases of
>>>   Jenkins plugins, Jenkins core and modules, developer tools and all
>>>   libraries hosted on https://repo.jenkins-ci.org/. Incremental and
>>>   Snapshot deployments are not affected.
>>>
>>> Quick summary:
>>>
>>> - Jun 02 - There was a Kubernetes Cluster outage on June 02. During
>>>   this outage we had to rebuild the cluster from scratch to get some
>>>   services working again.
>>> - Jun 02 - After the recovery we lost three months of LDAP changes. It
>>>   has happened due to the broken backup of the LDAP database.
>>> - Jun 02 - We identified a number of potential security risks which
>>>   may be caused by the LDAP outage. Account overtake and malicious upload
>>>   was one of the identified risks. FTR this issue is tracked as
>>>   SECURITY-1895 as a follow-up to these discussions. Only the Security
>>>   team members have access to it, so I am not sharing a link here.
>>> - Jun 09 - After the security risk was independently reported in
>>>   public by a plugin maintainer in the dev list thread, we
>>>   decided to block uploads of release artifacts to the Jenkins Artifactory
>>>   instance.
>>> - Jun 09, 8:50AM UTC - All uploads of release artifacts were blocked
>>>   (plugins, Jenkins core and modules, developer tools, etc.). Downloads of
>>>   some binaries were also blocked as an unexpected collateral damage.
>>>   Jenkins core historical releases, Remoting library and Windows Service
>>>   Wrapper are among the affected binaries
>>> - Jun 09, 10AM UTC - We finished reviews of all artifact releases to
>>>   https://repo.jenkins-ci.org/, which happened between the infra
>>>   outage on June 02 and the blockage of the releases. There are no
>>>   maliciously uploaded artifacts. Note that the common plugin release flow
>>>   requires access to GitHub in order to push the release commits, so a
>>>   malicious attacker would need to overtake both Jenkins and GitHub
>>>   accounts of a single user to submit a

Re: ANN: Jenkins release artifacts uploads blockage on June 09, and a temporary downloads issue

2020-06-17 Thread kjeschkies
Hi,

thanks for the advice. Hm, my ~/.m2/settings.xml had my encrypted password.
The docs (
https://wiki.jenkins.io/display/JENKINS/Hosting+Plugins#HostingPlugins-Releasingtojenkins-ci.org)
don’t mention the API key. How can I configure Maven to use the API key
instead?

Many thanks.
Karsten.


On June 17, 2020 at 14:53:22, Mark Waite (mark.earl.wa...@gmail.com) wrote:



On Wed, Jun 17, 2020 at 6:44 AM Karsten Jeschkies 
wrote:

> Hi,
>
> thanks for your hard work. I reset my password successfully but cannot
> upload a release for the Mesos plugin. Are releases still blocked?
>
>
Releases are not blocked but a password reset will also reset your password
to the artifact repository.  If you're receiving an HTTP 401 when you try
to `mvn release perform` you may need to update your password in the
~/.m2/settings.xml.

I had to do that in order to release a new version of a plugin yesterday.
I logged into the Jenkins Artifactory instance and had it generate an
encrypted password from my profile page on that server.  I inserted that
encrypted password into my ~/.m2/settings.xml file.  I'm not sure if that
is the preferred way to do it, but it worked for me.

Mark Waite


> Best.
> Karsten.
>
> On Tuesday, June 9, 2020 at 5:00:25 PM UTC+2, Oleg Nenashev wrote:
>>
>> Dear all,
>>
>> As you may have noticed, the release artifact uploads are currently
>> blocked in the Jenkins Artifactory instances
>> (https://repo.jenkins-ci.org/). We are doing a security investigation due
>> to a partial user database loss on June 02. Today we blocked releases to
>> the Jenkins artifactory, and there also was a temporary outage of the
>> Artifactory downloads which was a collateral damage of the temporary
>> permissions. You can find more details about it in this Jenkins Infra
>> Thread and in this Dev List thread.
>>
>> Current status:
>>
>> - Downloads are restored for all artifacts on
>>   https://repo.jenkins-ci.org/, Jenkins core historical releases,
>>   Remoting library and Windows Service Wrapper which were among ones
>>   reported by Jenkins users.
>> - Uploads: Jenkins artifact uploads are blocked for the most of Jenkins
>>   plugin maintainers and contributors. It affects releases of Jenkins
>>   plugins, Jenkins core and modules, developer tools and all libraries
>>   hosted on https://repo.jenkins-ci.org/. Incremental and Snapshot
>>   deployments are not affected.
>>
>> Quick summary:
>>
>> - Jun 02 - There was a Kubernetes Cluster outage on June 02. During
>>   this outage we had to rebuild the cluster from scratch to get some
>>   services working again.
>> - Jun 02 - After the recovery we lost three months of LDAP changes. It
>>   has happened due to the broken backup of the LDAP database.
>> - Jun 02 - We identified a number of potential security risks which may
>>   be caused by the LDAP outage. Account overtake and malicious upload was
>>   one of the identified risks. FTR this issue is tracked as SECURITY-1895
>>   as a follow-up to these discussions. Only the Security team members have
>>   access to it, so I am not sharing a link here.
>> - Jun 09 - After the security risk was independently reported in public
>>   by a plugin maintainer in the dev list thread, we decided
>>   to block uploads of release artifacts to the Jenkins Artifactory instance.
>> - Jun 09, 8:50AM UTC - All uploads of release artifacts were blocked
>>   (plugins, Jenkins core and modules, developer tools, etc.). Downloads of
>>   some binaries were also blocked as an unexpected collateral damage.
>>   Jenkins core historical releases, Remoting library and Windows Service
>>   Wrapper are among the affected binaries
>> - Jun 09, 10AM UTC - We finished reviews of all artifact releases to
>>   https://repo.jenkins-ci.org/, which happened between the infra outage
>>   on June 02 and the blockage of the releases. There are no maliciously
>>   uploaded artifacts. Note that the common plugin release flow requires
>>   access to GitHub in order to push the release commits, so a malicious
>>   attacker would need to overtake both Jenkins and GitHub accounts of a
>>   single user to submit a legitimately-looking release.
>> - Jun 09, ~1PM UTC - Artifact downloads are restored, alternate patch
>>   in the Repository Permission Updater was applied to prevent uploads.
>>   Artifact uploads are still blocking
>> - Jun 09, 2PM UTC, based on repo.jenkins-ci.org and
>>   issues.jenkins-ci.org data, we restored maintainers accounts.
>>
>>
>> Our next steps would be to communicate the 

Re: Mesos Plugin CI: Mesos Installation

2019-10-29 Thread kjeschkies
Hi,

thanks for the info. I tried to run the build on `docker` (
https://github.com/jenkinsci/mesos-plugin/pull/360/files#diff-58231b16fdee45a03a4ee3cf94a9f2c3)
but it fails. On
https://ci.jenkins.io/blue/organizations/jenkins/Plugins%2Fmesos-plugin/detail/PR-360/4/
it
seems to be scheduled on `linux-8`, `windows-8` and others which seems
strange to me. The build instructions are also incorrect. What’s happening
there?

Thanks again.
Karsten.


On October 24, 2019 at 18:07:30, Jesse Glick (jgl...@cloudbees.com) wrote:

On Thu, Oct 24, 2019 at 10:19 AM  wrote:
> Our integration tests require Mesos on a VM. What would be the best way
> to have Mesos at hand?

https://github.com/jenkins-infra/documentation/blob/master/ci.adoc#node-labels

-- 
You received this message because you are subscribed to the Google Groups
"Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to jenkinsci-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/jenkinsci-dev/CANfRfr1TRVpiusdijrjVNSgCH2p2Kh-qNGDAT%2BpGxr32GomsmA%40mail.gmail.com.



Mesos Plugin CI: Mesos Installation

2019-10-24 Thread kjeschkies
Hi,

I’m about to merge the Mesos plugin rewrite back upstream (
https://github.com/jenkinsci/mesos-plugin/pull/360). Our integration tests
require Mesos on a VM. What would be the best way to have Mesos at hand?
Currently we simply install it before each start. This works great since
our machines are single use only.

Thanks for any suggestions.
Karsten.
