Request using the certificate file of the official Jenkins Update Center


Rick
Hi team,

As we know, there are many mirrors of the Jenkins update center. But if you just look into the update-center.json file, you will find that all the URLs of the real plugin files are the same.

I tried to change the plugin URLs to a mirror. But it's unavailable due to security reasons. Jenkins will validate the update-center.json file. In order to fix this, I just made my own certificate file. Before using it, you need to download the certificate file into your Jenkins. It's still very inconvenient for many users.

So, I was wondering if I can get permission to access the official certificate file. People would then not need to do anything besides changing the URL of the update center. I know this file should not be shared with anyone who is not a member of the Jenkins infra team, because it's very important for all Jenkins users. An alternative solution is that we store the certificate file in a safe place, for example, in a GitHub secret.

In case anyone wants to know more about the details, you can see this project: https://github.com/jenkins-zh/update-center-mirror

This is the program that modifies the update-center.json file.
 
Best regards

Zhao Xiaojie (Rick)
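
Added example (not part of the original post and not Jenkins project code): the situation described in the message above, reproduced with throwaway keys. A detached RSA/SHA-256 signature made with openssl stands in for the signature embedded in update-center.json; the key labels, the JSON content and the host mirror.example.invalid are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example. Simplification (assumption): a detached RSA/SHA-256 signature
# over the whole file stands in for the signature embedded in update-center.json.
# Key labels, file content and the mirror host are constructed.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

make_key() {      # $1 = label; writes $WORK/$1.key and $WORK/$1.pub
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl rsa -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub" 2>/dev/null
}

sign_file() {     # $1 = signing key label, $2 = file; writes $2.sig
  openssl dgst -sha256 -sign "$WORK/$1.key" -out "$2.sig" "$2"
}

verify_file() {   # $1 = key label the client trusts, $2 = file
  if openssl dgst -sha256 -verify "$WORK/$1.pub" \
       -signature "$2.sig" "$2" >/dev/null 2>&1; then
    echo valid
  else
    echo invalid
  fi
}

demo() {
  local orig="$WORK/update-center.json"
  local mirrored="$WORK/update-center-mirror.json"
  make_key official   # stand-in for the update center signing key
  make_key mirror     # the mirror operator's own key

  # Constructed metadata with a single plugin entry.
  cat > "$orig" <<'EOF'
{"plugins":{"plugin-util-api":{"version":"1.4.0","url":"https://updates.jenkins.io/download/plugins/plugin-util-api/1.4.0/plugin-util-api.hpi"}}}
EOF
  sign_file official "$orig"
  local r1; r1="$(verify_file official "$orig")"

  # The mirror rewrites only the download host and ships the old signature.
  sed 's#https://updates\.jenkins\.io/download#https://mirror.example.invalid#' \
    "$orig" > "$mirrored"
  cp "$orig.sig" "$mirrored.sig"
  local r2; r2="$(verify_file official "$mirrored")"

  # The mirror re-signs with its own key: still rejected by a client that
  # trusts only the official key, accepted by one that installed the mirror key.
  sign_file mirror "$mirrored"
  local r3; r3="$(verify_file official "$mirrored")"
  local r4; r4="$(verify_file mirror "$mirrored")"

  echo "$r1 $r2 $r3 $r4"
}

demo
```

The last two results are the trade-off in the message: a re-signed mirror file validates only on clients that explicitly installed the mirror's certificate, whereas anyone holding the official signing key could produce metadata that every client accepts.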


Re: Request using the certificate file of the official Jenkins Update Center

Daniel Beck


> On 17. Nov 2020, at 14:48, Rick <[hidden email]> wrote:
>
> I try to modify the URL plugins into a mirror one. But it's unavailable due
> to security reasons. Jenkins will do the validation with update-center.json
> file. In order to fix this, I just make my own certificate file. Before
> using it, you need to download the certificate file into your Jenkins. It's
> still very inconvenient for many users.
>
> So, I was wondering if I can get permission of accessing the official
> certificate file. People just don't need to do anything besides changing
> the URL of the update center. I know this file should not share with
> someone who is not a member of the Jenkins infra team. Because it's very
> important for all Jenkins users. An alternative solution is that we store
> the certificate file in a safe place. For example, store it in the GitHub
> secret.

If the only change is download URLs that point to a site in China, we can look into generating appropriately modified files in the regular update center which you can then pull without modification.


Re: Request using the certificate file of the official Jenkins Update Center

Rick-2
Yes, we just need to change the URL of plugins.

You mean generate two or more versions of update-center.json files? For example, update-center.json and update-center-zh.json? Am I right?




Re: Request using the certificate file of the official Jenkins Update Center

Tim Jacomb
Why don’t the regular files work? Users should be directed to a Chinese mirror already, is it the distance to get the redirect?


Re: Request using the certificate file of the official Jenkins Update Center

Rick-2

Because all plugin URLs point to https://updates.jenkins.io/download/plugins/xxx instead of the mirror.




Re: Request using the certificate file of the official Jenkins Update Center

Olblak-2
> Because all plugins URL point to https://updates.jenkins.io/download/plugins/xxx instead of the mirror.  

And then you are redirected to mirrors

HTTP/1.1 302 Found
Date: Tue, 17 Nov 2020 14:50:34 GMT
Server: Mirrorbits/v0.5.1
Cache-Control: private, no-cache
Content-Type: text/html; charset=utf-8
Via: 1.1 get.jenkins.io

HTTP/2 200
server: nginx/1.14.2
date: Tue, 17 Nov 2020 14:50:35 GMT
content-type: application/octet-stream
content-length: 613574
last-modified: Fri, 16 Oct 2020 07:26:25 GMT
accept-ranges: bytes






Re: Request using the certificate file of the official Jenkins Update Center

Rick-2
Yes, I can get the right location via curl -I -L https://get.jenkins.io/plugins/plugin-util-api/1.4.0/plugin-util-api.hpi

But I’m not sure why it’s still super slow sometimes. Perhaps it’s slow when we try to resolve this domain get.jenkins.io.





Re: Request using the certificate file of the official Jenkins Update Center

Tim Jacomb
Could you do some timing / benchmarking so we can see where the issue is?


Re: Request using the certificate file of the official Jenkins Update Center

Daniel Beck
In reply to this post by Rick-2


> On 17. Nov 2020, at 15:01, Rick <[hidden email]> wrote:
>
>
> You mean generate two or more versions of update-center.json files? For example, update-center.json and update-center-zh.json? Am I right?

Basically this, yes.

Re mirrors, did you test using the regular update site recently, and still encounter performance issues? I think we used a pretty badly outdated Geo IP DB until a few months ago, so if you haven't checked in a while, it makes sense to retry using the regular URLs to see how well this works now.


Re: Request using the certificate file of the official Jenkins Update Center

Olblak-2
I am wondering what it would take to directly use get.jenkins.io instead of update-center.
update-center.json is available from the mirror as well, as you can see here
-> https://get.jenkins.io/updates/current/update-center.json?mirrorlist

The challenge is that because the JSON is potentially generated every 3 minutes, it's hard for mirrors to stay up to date, but we still control some of them. If no mirrors have the file with the correct checksum, then it falls back to a hardcoded mirror that we configured.

We could also ask mirror maintainers to sync "/updates" every three minutes; it doesn't represent a lot of files.
Also, we must ensure that mirrorbits scans files from /updates every few minutes to generate file hashes.


