Consider removing embeddable-build-status plugin #3013
Comments
|
+1, but then I'd vouch for removing it from all CI instances, including infra, release and weekly. |
It's unlikely to be a big problem inside the VPN, but yes, that never made sense to me. My guess: a leftover from extending |
|
PR to remove it from the weekly and LTS images used on our Kubernetes-hosted controllers (weekly, infra and release):
For trusted and cert, a manual check is required For ci.jenkins.io, we'll need to let developer knows on the mailing list. Reason is some plugins developers might have a badge on their |
|
Thanks for considering the impact on plugins @dduportal . I find 169 plugin repositories that refer to embeddable build status from ci.jenkins.io. The only harm from the removal is that the images will display as broken on the pages where they are referenced, but it would certainly be a nice gesture to plugin maintainers if we submitted pull requests that remove the embeddable build status references from those plugin pages. |
If https://shields.io/ supports the use case of displaying a build status or code coverage for ci.jenkins, URLs could be updated to use that. |
|
Check my gist profile 😃 |
lemeurherve
modified the milestones:
infra-team-sync-2022-06-28,
infra-team-sync-2022-07-05
|
I came across this earlier could be useful: |
|
multi gitter seems easier than whatever I was hacking away at. That is quite a few in jenkinsci org 😅 |
dduportal
modified the milestones:
infra-team-sync-2022-07-05,
infra-team-sync-2022-07-12
|
multi-gitter is perfect for the job, thanks for the pointer @timja!
You can choose which repository you want to include or exclude. I've ran some tests, it doesn't take too long to run multi-gitter on all jenkinsci repositories, and there is a concurrency parameter we can use if needed. I've prepared the bulk PRs, ready to go, here is the pull request I've generated as an example, WDYT? |
|
@lemeurherve couldn't you use shields.io? https://shields.io/category/build Also your commit shows up unsigned 😉 |
Damn, I should have checked it more thoroughly when @NotMyFault mentioned it, I'll look into it, thanks for the additional suggestion @jetersen
Yup, noticed that too, preparing a multi-gitter fix 🙂 |
|
Seems like jenkins.io is not populating the json api anymore. https://ci.jenkins.io/job/Plugins/job/scm-filter-branch-pr-plugin/job/master/api/json Looking at the code for shields.io this the URL |
Do you/someone know where I can find more about this? Their example instance is still providing the json: |
|
We can add a
|
|
@calebcartwright @chris48s is there a list of the IPs used by shield.io available somewhere so we could whitelist them to replace jenkinsci badges by shield.io ones? Also saw badges/shields#4962 and badges/shields#5346 |
|
Meanwhile, I managed to get PR with signed commit: jenkinsci/jenkins-infra-test-plugin#38 |
I'm not sure to understand: where would be store and use this user/password? |
|
IIUC, we could let shield.io requests pass with a token or a basic auth stored on our side as secret. |
Can you dig a bit and lists here the procedure? The link you provided is a YAML file with a list of parameters referencing upper cases strings that I assume to be environment variables. It seems a great feature but it really not clear what it does |
As far as I know, we still do not view the the IP allowlist based approach for services to grant Shields.io an increased rate limit as being a viable strategy. We used to go this route with vendors/upstream services when our environment was deployed on lower level IaaS type services where we had more direct control over networking configuration, but our move to more PaaS/SaaS runtime environments largely obfuscates the networking specifics from us and is subject to change at any time beyond our control and without any warning nor notification. As such, in cases where Shields.io would need to send more traffic to an upstream platform/service than their rate limits would permit, the path we've often taken is to collaborate with the upstream vendor/maintainers/etc. to obtain something Shields.io can then send in the request headers (most often auth related) whicht the upstream platform can then utilize to grant a higher rate limit to Shields.io specifically. I confess I'm not fully up to date on the specifics of this thread and the various moving parts, but I believe/hope the above covers the Shields related questions. Let me know if not though, and/or if there's any other questions we can answer! |
|
Thanks for your response @calebcartwright! I'm not sure proposing a patch in your server codebase to take care of ci.jenkins.io requests would really interest you as there aren't that many uses. I've suggested to self-host a shield.io instance so we could deal ourselves with the auth. Now the question is: do we remove the existing embedabble badges or do we replace them with badges pointing to a self-hosted shield.io instance? |
I vote we remove the plugin + badges (with the batch PR). But we mention the new issue #3044 to explain we are working on something else soon. Reason of this "2 steps proposal": the origin of this issue is the security team asking to remove the plugin from ci.jenkins.io. |
FTR we fixed what was wrong with the plugin in https://www.jenkins.io/security/advisory/2022-06-22/ with the maintainer's approval, but it's still not a well-maintained plugin, and fairly exposed. It is not urgent for us, but would be useful longer term. |
|
jenkinsci/archetypes#228 turned out to be prescient… |
dduportal
modified the milestones:
infra-team-sync-2022-07-12,
infra-team-sync-2022-07-19
…2648) https://docs.google.com/document/d/11Nr8QpqYgBiZjORplL_3Zkwys2qK1vEvK-NYyYa4rzg/edit?disco=AAAAYXxgRHI provides more context for the adoption request. We believe it may be cheaper and easier to adopt this plugin than to remove the plugin from ci.jenkins.io and update the many repositories that refer to it. Help desk jenkins-infra/helpdesk#3013 suggests that we should consider removing the plugin because it is not actively maintained. Help desk jenkins-infra/helpdesk#3044 proposes steps to replace the use of this plugin with something hosted elsewhere on Jenkins infrastructure. One of the existing maintainers needs to approve the adoption request. Existing maintainers are: * @thomas-dee * @mgedmin * @christiangalsterer * @jglick
|
As @MarkEWaite and @darinpope adopted the plugin, it doesn't have to be removed from ci.jenkins.io. |
|
Thanks for these links @jglick |
Not needed anymore: jenkins-infra/helpdesk#3013 (comment)
|
@lemeurherve perhaps you could write a gist or github repo for how you did the multi-gitter stuff :) I may want to rerun jenkins-infra/github-reusable-workflow to discover plugins not yet moved. I have found some manually after the fact that was not found through code search |
|
@jetersen here is the corresponding gist: https://gist.github.com/lemeurherve/e2cd5d883ffa93ae21549dc78d4422ae |
|
@lemeurherve neat! I'll try and see what I can catch with multi-gitter. |
Service(s)
ci.jenkins.io
Summary
https://plugins.jenkins.io/embeddable-build-status/ is not actively maintained. The Jenkins security team had to address multiple vulnerabilities in https://www.jenkins.io/security/advisory/2022-06-22/ to protect Jenkins project infrastructure. While the maintainer (thomas-dee) was happy to let us release the fixes we wrote, i.e. was responsive via email, he also told us he has no capacity to assist in any way. This is unsustainable. Consider removing the plugin from ci.jenkins.io.
Reproduction steps
No response
The text was updated successfully, but these errors were encountered: