Introduction of new CI system

Luigi Toscano luigi.toscano at tiscali.it
Thu Jun 15 21:57:58 UTC 2017


Ben Cooksley wrote:
> On Fri, Jun 16, 2017 at 9:44 AM, Albert Astals Cid <aacid at kde.org> wrote:
>> On Thursday, 15 June 2017, at 21:45:35 CEST, Ben Cooksley wrote:
>>> On Tue, Jun 13, 2017 at 10:09 AM, Albert Astals Cid <aacid at kde.org> wrote:
>>>> On Saturday, 10 June 2017, at 19:20:46 CEST, Ben Cooksley wrote:
>>>>> On Sat, Jun 10, 2017 at 5:48 PM, Luigi Toscano <luigi.toscano at tiscali.it> wrote:
>>>>>> On 10 June 2017 07:05:53 CEST, Ben Cooksley <bcooksley at kde.org> wrote:
>>>>>>> Next week we will be introducing the new Continuous Integration system.
>>>>>>> It can currently be found at https://build-sandbox.kde.org/
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> In regards to Qt 4 support, this has been discontinued. Only KF5 / Qt
>>>>>>> 5 builds are supported from this point onward.
>>>>>>>
>>>>>> As long as KDE Applications keeps releasing kdelibs4 and some related
>>>>>> software, as widely advertised for months with no complaints (lifecycle
>>>>>> of KDE Applications 17.08), we need the old CI.
>>>>>
>>>>> The old CI will be shut down as soon as is practicable following the
>>>>> transition. At this point it represents a significant security risk
>>>>> due to multiple issues both in Jenkins itself and some of the plugins
>>>>> we run. These cannot be resolved due to limitations in the available
>>>>> versions of Java for the system which currently hosts the old CI
>>>>> system.
>>>>>
>>>>> During earlier discussion it was agreed that for the short remaining
>>>>> time (less than 2 months at this point essentially) we could go
>>>>> without CI so I don't see much of an issue here.
>>>>
>>>> Did I really agree to that? It would be one of those times I surprise
>>>> myself.
>>> I think so, at least that is what memory says. Can't find the thread
>>> where we discussed it though at all currently...
>>
>> Is it really that bad to leave it running for a few months more? What's the
>> worst that could happen?
> 
> The list of issues we are vulnerable to is numerous.
> As shown by the frontend these include unauthenticated arbitrary code
> execution in the context of Jenkins itself, account impersonation, man
> in the middle vulnerabilities and CSRF issues.
> 
> A good chunk of these are shown at
> https://jenkins.io/security/advisory/2017-04-26/ but there are others
> as well.

So after the new Jenkins is in place for Qt5 jobs, updating the current
Jenkins can lead to two results:
a) it still works
b) it does not work anymore

If b), it's not different than the expected status.
If a), it means that it can still work until November, when the last release
of 16.08 is planned.



-- 
Luigi

