[Jenkins-infra] Fw: New jenkins mirror in China

Kohsuke Kawaguchi kk at kohsuke.org
Fri Apr 11 01:40:36 UTC 2014


It looks like we already compute sha1 checksums for all the plugins, but 
Jenkins just doesn't validate that when it's actually downloading plugins.

On 04/10/2014 05:33 PM, Kohsuke Kawaguchi wrote:
>
> We sign packages, war files, and update center metadata. But we don't
> sign plugins. If a nation state is the perceived adversary, they can
> tamper with plugins as they are sent over the network, so I don't think
> accepting a mirror is increasing the overall risk.
>
> Your point about protecting our users from tampered binaries is valid
> across the board though. I'll add the checksums of plugins to the update
> center metadata to fix this.
>
> On 04/10/2014 09:26 AM, R. Tyler Croy wrote:
>> I'd like to ask for some guidance from others on this list about
>> accepting a mirror inside of China in the default Jenkins mirror
>> network.
>>
>> I don't want to intersect politics too much with Jenkins, but I want to
>> make sure we're very confident in our signing and ability to protect
>> users from tampered binaries.
>>
>> Thoughts?
>>
>>
>> Begin forwarded message:
>>
>> Date: Thu, 10 Apr 2014 22:05:58 +0800
>> From: Ling Li <lilingv at gmail.com>
>> To: tyler at linux.com
>> Subject: New jenkins mirror in China
>>
>>
>> Hi,
>>
>> I have created a Jenkins mirror in China, the url is
>>
>> http://mirror.bit.edu.cn/jenkins/
>>
>> We have 1Gbps bandwidth and usually 150M~300M are used.
>>
>> We rsync files from ftp.osuosl.org twice a day.
>>
>> Could you add it to the mirror information of Jenkins?
>>
>> Cheers.
>>
>>
>> Ling Li
>> Beijing Institute of Technology
>>
>>
>>
>>
>> _______________________________________________
>> Jenkins-infra mailing list
>> Jenkins-infra at lists.jenkins-ci.org
>> http://lists.jenkins-ci.org/mailman/listinfo/jenkins-infra
>>
>
>


-- 
Kohsuke Kawaguchi                          http://kohsuke.org/
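The check Kohsuke describes above (a sha1 per plugin published in the signed update center metadata, and the downloading client refusing a plugin whose bytes do not match) can be sketched as follows. This is an added example, not Jenkins code and not code from anyone in this thread: publish_metadata stands in for the update center generator, verify_plugin for the client-side download step. The plugin name, version, download URL and the .hpi byte strings are constructed for illustration; the only format detail borrowed from the real update-center.json is that the digest is stored base64-encoded. The example assumes the metadata's own signature has already been verified, since an attacker who can rewrite the metadata can rewrite the checksums in it.

```python
import base64
import hashlib
import json


def publish_metadata(plugins):
    """Update-center side (hypothetical): record a base64 SHA-1 for each
    plugin. Input is {name: (version, hpi_bytes)}; output is JSON text."""
    entries = {}
    for name, (version, data) in plugins.items():
        digest = hashlib.sha1(data).digest()
        entries[name] = {
            "name": name,
            "version": version,
            # Illustrative URL layout; the mirror may serve the same path.
            "url": f"https://updates.jenkins-ci.org/download/plugins/"
                   f"{name}/{version}/{name}.hpi",
            "sha1": base64.b64encode(digest).decode("ascii"),
        }
    return json.dumps({"updateCenterVersion": "1", "plugins": entries})


def verify_plugin(metadata_json, name, downloaded):
    """Client side (hypothetical): compare bytes fetched from any mirror with
    the digest in the already signature-checked metadata. Returns (ok, reason)
    and fails closed on every error path."""
    plugins = json.loads(metadata_json).get("plugins", {})
    entry = plugins.get(name)
    if entry is None:
        return False, "plugin not listed in update center metadata"
    published = entry.get("sha1")
    if not published:
        # A missing digest must not silently skip verification.
        return False, "no sha1 published for plugin; refusing unverified download"
    try:
        expected = base64.b64decode(published, validate=True)
    except ValueError:
        return False, "published sha1 is not valid base64"
    if len(expected) != hashlib.sha1().digest_size:
        return False, "published sha1 has wrong length"
    actual = hashlib.sha1(downloaded).digest()
    if actual != expected:
        return False, f"sha1 mismatch: expected {expected.hex()} got {actual.hex()}"
    return True, "ok"


# Constructed sample archives: fake bytes standing in for .hpi files.
GOOD_HPI = b"PK\x03\x04 constructed git-plugin payload"
TAMPERED_HPI = GOOD_HPI + b"\n# injected by a hostile mirror"
METADATA = publish_metadata({"git": ("2.2.1", GOOD_HPI)})


def demo():
    """Run the verifier over the intact download, a tampered copy, an unlisted
    plugin, and metadata that predates the sha1 field."""
    legacy = json.loads(METADATA)
    del legacy["plugins"]["git"]["sha1"]
    legacy_json = json.dumps(legacy)
    return {
        "intact": verify_plugin(METADATA, "git", GOOD_HPI),
        "tampered": verify_plugin(METADATA, "git", TAMPERED_HPI),
        "unlisted": verify_plugin(METADATA, "evil", GOOD_HPI),
        "legacy_no_digest": verify_plugin(legacy_json, "git", GOOD_HPI),
    }


if __name__ == "__main__":
    for label, (ok, reason) in demo().items():
        print(f"{label}: {'PASS' if ok else 'FAIL'} ({reason})")
```

The fail-closed branches are the point for the mirror question: a plugin with no published digest, or metadata that was never signature-checked, gives the mirror operator (or anyone on the path) exactly the tampering opportunity the thread worries about, whether or not the mirror sits in any particular country.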