Introduction of new CI system

Ben Cooksley bcooksley at kde.org
Thu Jun 15 21:51:50 UTC 2017


On Fri, Jun 16, 2017 at 9:44 AM, Albert Astals Cid <aacid at kde.org> wrote:
> On Thursday, 15 June 2017, at 21:45:35 CEST, Ben Cooksley wrote:
>> On Tue, Jun 13, 2017 at 10:09 AM, Albert Astals Cid <aacid at kde.org> wrote:
>> > On Saturday, 10 June 2017, at 19:20:46 CEST, Ben Cooksley wrote:
>> >> On Sat, Jun 10, 2017 at 5:48 PM, Luigi Toscano <luigi.toscano at tiscali.it> wrote:
>> >> > On 10 June 2017 at 07:05:53 CEST, Ben Cooksley <bcooksley at kde.org> wrote:
>> >> >>Next week we will be introducing the new Continuous Integration system.
>> >> >>It can currently be found at https://build-sandbox.kde.org/
>> >> >>
>> >> >>
>> >> >>
>> >> >>In regards to Qt 4 support, this has been discontinued. Only KF5 / Qt
>> >> >>5 builds are supported from this point onward.
>> >> >>
>> >> > As long as KDE Applications keeps releasing kdelibs4 and some related
>> >> > software, as widely advertised for months with no complaints (lifecycle
>> >> > of KDE Applications 17.08), we need the old CI.
>> >>
>> >> The old CI will be shut down as soon as is practicable following the
>> >> transition. At this point it represents a significant security risk
>> >> due to multiple issues both in Jenkins itself and some of the plugins
>> >> we run. These cannot be resolved due to limitations in the available
>> >> versions of Java for the system which currently hosts the old CI
>> >> system.
>> >>
>> >> During earlier discussion it was agreed that for the short remaining
>> >> time (less than 2 months at this point essentially) we could go
>> >> without CI so I don't see much of an issue here.
>> >
>> > Did I really agree to that? It would be one of those times I surprise
>> > myself.
>> I think so, at least that is what memory says. Can't find the thread
>> where we discussed it though at all currently...
>
> Is it really that bad to leave it running for a few months more? What's the
> worst that could happen?

The list of issues we are vulnerable to is numerous.
As shown by the frontend, these include unauthenticated arbitrary code
execution in the context of Jenkins itself, account impersonation,
man-in-the-middle vulnerabilities and CSRF issues.

A good chunk of these are shown at
https://jenkins.io/security/advisory/2017-04-26/ but there are others
as well.

>
> Cheers,
>   Albert

Regards,
Ben

>
>>
>> > Cheers,
>> >
>> >   Albert
>>
>> Regards,
>> Ben
>>
>> >> > Ciao
>> >> >
>> >> > --
>> >> > Luigi
>> >>
>> >> Cheers,
>> >> Ben
>
>

