[Jenkins-infra] Fw: New jenkins mirror in China

Kohsuke Kawaguchi kkawaguchi at cloudbees.com
Fri Apr 11 00:33:29 UTC 2014


We sign packages, war files, and update center metadata. But we don't 
sign plugins. If a nation state is the perceived adversary, they can 
tamper with plugins as they are sent over the network, so I don't think 
accepting a mirror is increasing the overall risk.

Your point about protecting our users from tampered binaries is valid 
across the board though. I'll add the checksums of plugins to the update 
center metadata to fix this.

On 04/10/2014 09:26 AM, R. Tyler Croy wrote:
> I'd like to ask for some guidance from others on this list about
> accepting a mirror inside of China in the default Jenkins mirror
> network.
>
> I don't want to intersect politics too much with Jenkins, but I want to
> make sure we're very confident in our signing and ability to protect
> users from tampered binaries.
>
> Thoughts?
>
>
> Begin forwarded message:
>
> Date: Thu, 10 Apr 2014 22:05:58 +0800
> From: Ling Li <lilingv at gmail.com>
> To: tyler at linux.com
> Subject: New jenkins mirror in China
>
>
> Hi,
>
> I have created a jenkins mirror in China, the url is
>
> http://mirror.bit.edu.cn/jenkins/
>
> We have 1Gbps bandwidth and usually 150M~300M are used.
>
> We rsync files from ftp.osuosl.org twice every day.
>
> Could you add it to the mirror information of Jenkins?
>
> Cheers.
>
>
> Ling Li
> Beijing Institute of Technology
>


-- 
Kohsuke Kawaguchi | CloudBees, Inc. | http://cloudbees.com/
Try Jenkins Enterprise, our professional version of Jenkins
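
The fix proposed in the reply above (plugin checksums carried in the signed update center metadata, so that a mirror does not have to be trusted), sketched as an added example that is not part of the original thread and is not Jenkins code. The metadata layout, field names, plugin names and sample bytes are assumptions constructed for illustration, and the metadata is assumed to have already passed signature verification.

```python
import base64
import hashlib
import hmac
import io

class TamperedDownload(Exception):
    """Mirror bytes do not match the signed metadata."""

def verify_from_mirror(name, stream, metadata, chunk=65536):
    """Return the plugin bytes only if they match the pinned size and SHA-256."""
    # Assumption: metadata already passed signature verification; its layout
    # ("plugins" -> name -> "size"/"sha256" in base64) is hypothetical.
    entry = metadata.get("plugins", {}).get(name)
    if not entry or "sha256" not in entry or "size" not in entry:
        raise TamperedDownload(f"{name}: no checksum in metadata")  # fail closed
    digest, buf = hashlib.sha256(), bytearray()
    while True:
        block = stream.read(chunk)
        if not block:
            break
        buf += block
        if len(buf) > entry["size"]:  # stop before buffering an oversized body
            raise TamperedDownload(f"{name}: larger than pinned size")
        digest.update(block)
    expected = base64.b64decode(entry["sha256"])
    if len(buf) != entry["size"] or not hmac.compare_digest(digest.digest(), expected):
        raise TamperedDownload(f"{name}: checksum mismatch")
    return bytes(buf)

# Constructed sample: a stand-in plugin file and its metadata entry.
GOOD = b"PK\x03\x04 constructed plugin archive bytes"
METADATA = {"plugins": {"example-plugin": {
    "size": len(GOOD),
    "sha256": base64.b64encode(hashlib.sha256(GOOD).digest()).decode()}}}

def demo():
    cases = [("intact", "example-plugin", GOOD),
             ("modified", "example-plugin", GOOD[:-1] + b"X"),
             ("unlisted", "other-plugin", GOOD)]
    results = {}
    for label, name, data in cases:
        try:
            verify_from_mirror(name, io.BytesIO(data), METADATA)
            results[label] = "accepted"
        except TamperedDownload:
            results[label] = "rejected"
    return results

if __name__ == "__main__":
    print(demo())
```

A plugin with no entry in the metadata is rejected rather than installed unchecked, which is the case the thread identifies as unprotected.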

