[JIRA] [core] (JENKINS-5303) Upgrade Acegi Security to the latest Spring Security release
Daniel Beck commented on JENKINS-5303:

Kanstantsin Shautsou: Well, you did claim publicly that fixing this wouldn't result in as many plugins breaking as SECURITY-170. So I had assumed you had some data to back that claim, which would help us in assessing how to proceed here. Is that not the case? (FWIW I don't care about how you phrased things, just the content.)

This message was sent by Atlassian JIRA (v6.4.2#64017-sha1:e244265)
--
You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[JIRA] [core] (JENKINS-5303) Upgrade Acegi Security to the latest Spring Security release
Kanstantsin Shautsou commented on JENKINS-5303:

Daniel Beck, you are mixing my words from my personal services with Jenkins infra that contains CoC. That's not polite. Please keep in mind contexts. List would be all auth plugins that use any acegisecurity classes. Btw, Rob Winch, would spring-security be able to work before acegi in Filter routines?
[JIRA] [core] (JENKINS-5303) Upgrade Acegi Security to the latest Spring Security release
Daniel Beck commented on JENKINS-5303:

Kanstantsin Shautsou: I'd rather not have a repeat of "The most sucking security fix" if it could be avoided. It's certainly not something we do for shits and giggles. Problems with acegi seem hypothetical – please report to SECURITY if I'm wrong – while SECURITY-170 was very real, and trivial to exploit. But as you apparently know that acegi upgrade would break fewer plugins than STUPID-170, please provide a complete list.
[JIRA] [core] (JENKINS-5303) Upgrade Acegi Security to the latest Spring Security release
Kanstantsin Shautsou commented on JENKINS-5303:

Obviously not easy and time-consuming. After SECURITY-170 I see no sense in discussing unbreakable changes.
[JIRA] [core] (JENKINS-5303) Upgrade Acegi Security to the latest Spring Security release
Daniel Beck commented on JENKINS-5303:

Rob Winch: If you get a build of Jenkins with Spring Security, https://github.com/jenkinsci/plugin-compat-tester will be able to tell you what plugins will (likely) break. matrix-auth will just be the tip of the iceberg.
[JIRA] [core] (JENKINS-5303) Upgrade Acegi Security to the latest Spring Security release
Daniel Beck commented on JENKINS-5303:

Rob Winch: The problem we have is that core exposes Acegi Security to plugins which we'd rather not break. Is there a reasonably sane way to upgrade to Spring Security without breaking all of these?
[JIRA] [core] (JENKINS-5303) Upgrade Acegi Security to the latest Spring Security release
Rob Winch edited a comment on JENKINS-5303:

Thanks for the response [~integer]. It is a real shame if that is the case. [~kohsuke] is this just a matter of resources? Is there anything I can do (i.e. get a complete Pull Request together) to get this back into 2.0?
[JIRA] [core] (JENKINS-5303) Upgrade Acegi Security to the latest Spring Security release
Rob Winch commented on JENKINS-5303:

Thanks for the response Kanstantsin Shautsou. Kohsuke Kawaguchi, is this just a matter of resources? Is there anything I can do (i.e. get a complete Pull Request together) to get this back into 2.0?
[JIRA] [core] (JENKINS-5303) Upgrade Acegi Security to the latest Spring Security release
Kanstantsin Shautsou commented on JENKINS-5303:

Seems that Kohsuke doesn't want to do it. Nothing that I can help with. Seems UI is more important than security or ancient library in core.
[JIRA] [core] (JENKINS-5303) Upgrade Acegi Security to the latest Spring Security release
Rob Winch commented on JENKINS-5303:

Kanstantsin Shautsou: I see that the 2.0 label was removed. Is there anything that can be done to get this added back to 2.0? I'd even be willing to work more on the PR if I can get some guidance.
[JIRA] [core] (JENKINS-5303) Upgrade Acegi Security to the latest Spring Security release
Kohsuke Kawaguchi updated an issue: Jenkins / JENKINS-5303
Change By: Kohsuke Kawaguchi
Labels: 2.0 security
[JIRA] [core] (JENKINS-5303) Upgrade Acegi Security to the latest Spring Security release
Kanstantsin Shautsou assigned an issue to Unassigned: Jenkins / JENKINS-5303
Change By: Kanstantsin Shautsou
Assignee: Kohsuke Kawaguchi
[JIRA] [core] (JENKINS-5303) Upgrade Acegi Security to the latest Spring Security release
Oleg Nenashev commented on JENKINS-5303:

+1 for handling it.
[JIRA] [core] (JENKINS-5303) Upgrade Acegi Security to the latest Spring Security release
Rob Winch commented on JENKINS-5303:

I'm very glad to see this issue getting traction! I'd like to formally extend an offer to provide any support with the migration from a Spring Security perspective. Please let me know if you have any questions.

Regards,
Rob Winch (Spring Security Lead)
[JIRA] [core] (JENKINS-5303) Upgrade Acegi Security to the latest Spring Security release
Kanstantsin Shautsou commented on JENKINS-5303:

Rob Winch will it be possible to create Proxy or backward compatible migration? If not, could provide some PR to core (there is a spring-security branch but with 0 work).
[JIRA] [core] (JENKINS-5303) Upgrade Acegi Security to the latest Spring Security release
Kanstantsin Shautsou edited a comment on JENKINS-5303:

[~rwinch] will it be possible to create Proxy or backward compatible migration? If not, could you provide some PR to core (there is a spring-security branch but with 0 work).
[JIRA] [core] (JENKINS-5303) Upgrade Acegi Security to the latest Spring Security release
Rob Winch commented on JENKINS-5303:

Kanstantsin Shautsou Thank you for the response.

"Rob Winch will it be possible to create Proxy or backward compatible migration?"

Unfortunately, I don't think there is a way to make the transition completely seamless (i.e. using a Proxy). There may be steps we can provide to make the transition easier. However, this is difficult to determine at this point since I'm not familiar with the Jenkins code base.

"If not, could you provide some PR to core (there is a spring-security branch but with 0 work)."

Although not clear, my initial intention was to answer any concrete questions that arose when someone else put the PR together.

I put together a branch at rwinch/jenkins/tree/security that updates to the latest Spring and Spring Security. At the moment, mvn -Plight-test test passes, but a full build fails. One of the issues appears to be that there are external libraries that will need updating as well (i.e. matrix-auth). There is also some clean up that needs to be done (i.e. whitespace changes that should be removed, etc).

I'm not certain I will get time to spend on this again in the near future. Perhaps someone can take what I have put together and polish it?

Cheers,
Rob
[JIRA] [core] (JENKINS-5303) Upgrade Acegi Security to the latest Spring Security release
Rob Winch edited a comment on JENKINS-5303:

[~integer] Thank you for the response.

{quote}Rob Winch will it be possible to create Proxy or backward compatible migration?{quote}

Unfortunately, I don't think there is a way to make the transition completely seamless (i.e. using a Proxy). There may be steps we can provide to make the transition easier. However, this is difficult to determine at this point since I'm not familiar with the Jenkins code base.

{quote}If not, could you provide some PR to core (there is a spring-security branch but with 0 work).{quote}

Although not clear, my initial intention was to answer any concrete questions that arose when someone else put the PR together.

I put together a branch at [rwinch/jenkins/tree/security|https://github.com/rwinch/jenkins/tree/security] that updates to the latest Spring and Spring Security. At the moment, {{mvn -Plight-test test}} passes, but a full build fails. One of the issues appears to be that there are external libraries that will need updating as well (i.e. matrix-auth). There is also some clean up that needs to be done (i.e. whitespace changes that should be removed, etc).

I'm not certain I will get time to spend on this again in the near future. Perhaps someone can take what I have put together and polish it?

Cheers,
Rob

PS: At this point I'm fully relying on the tests to catch any errors. It is possible there are logic errors in my changes as I went through them rather abruptly.
[JIRA] [core] (JENKINS-5303) Upgrade Acegi Security to the latest Spring Security release
Kanstantsin Shautsou updated an issue: Jenkins / JENKINS-5303
Change By: Kanstantsin Shautsou
Priority: Major Blocker
[JIRA] [core] (JENKINS-5303) Upgrade Acegi Security to the latest Spring Security release
Kanstantsin Shautsou commented on JENKINS-5303:

In 2015 it's Blocker. Jenkins ships acegi-security released in 2008.
[JIRA] [core] (JENKINS-5303) Upgrade Acegi Security to the latest Spring Security release
Kanstantsin Shautsou updated an issue: Jenkins / JENKINS-5303
Change By: Kanstantsin Shautsou
Issue Type: Improvement Task
[JIRA] [core] (JENKINS-5303) Upgrade Acegi Security to the latest Spring Security release
Kanstantsin Shautsou updated an issue: Jenkins / JENKINS-5303
Change By: Kanstantsin Shautsou
Labels: 2.0 security
[JIRA] [core] (JENKINS-5303) Upgrade Acegi Security to the latest Spring Security release
Rob Winch commented on JENKINS-5303:

Acegi Security's last commit was over 7 years ago. There have been many CVEs reported and fixed within the maintained versions of Spring Security. For this reason I believe this issue should be considered a high priority. Note that it appears that the Hudson team has already updated to Spring Security 3.2.x.

This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators. For more information on JIRA, see: http://www.atlassian.com/software/jira
[JIRA] [core] (JENKINS-5303) Upgrade Acegi Security to the latest Spring Security release
Oleg Nenashev updated JENKINS-5303
Change By: Oleg Nenashev (14/Oct/14 8:09 PM)
Labels: security
Component/s: core
Component/s: security