<div dir="ltr">Oops, I meant to type "do *not* have a private instance currently". Sorry about that!<div><br></div><div><br></div><div>--stephen</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Aug 12, 2015 at 1:09 PM, Stephen Niedzielski <span dir="ltr"><<a href="mailto:sniedzielski@wikimedia.org" target="_blank">sniedzielski@wikimedia.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hey Chris! I'm happy to clarify our use cases. Is there something specific I can detail?<div><div><br></div><div>We do have a private instance currently but do use JJB (integration/config)[0]. Do we have any private instances at WMF? This might be simplest and most secure.</div><div><br></div><div><br></div><div>--stephen</div><div><br></div><div>[0] We'll soon be running tests too <a href="https://gerrit.wikimedia.org/r/#/c/230260/" target="_blank">https://gerrit.wikimedia.org/r/#/c/230260/</a></div></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Aug 12, 2015 at 11:33 AM, Chris Steipp <span dir="ltr"><<a href="mailto:csteipp@wikimedia.org" target="_blank">csteipp@wikimedia.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Michael / Stephen,<div><br></div><div>Off the top of my head, I believe hashar set up something on our current Jenkins instance to handle passwords. But nothing extremely secret goes there.</div><div><br></div><div>There are a number of things we can do to mitigate common attacks. 
Let's chat about the particular needs and some possible countermeasures we can put into place.</div><div><br></div><div>For background, is your team running its own Jenkins instance currently?</div><div><br></div></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Aug 12, 2015 at 7:54 AM, Michael Holloway <span dir="ltr"><<a href="mailto:mholloway@wikimedia.org" target="_blank">mholloway@wikimedia.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">(adding the security team)</div><div class="gmail_extra"><br><div class="gmail_quote"><div><div>On Tue, Aug 11, 2015 at 6:54 PM, Stephen Niedzielski <span dir="ltr"><<a href="mailto:sniedzielski@wikimedia.org" target="_blank">sniedzielski@wikimedia.org</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div><div dir="ltr"> Hello all! I have one question: what is the recommended way to keep files, such as a Java keystore, safe on a WMF Jenkins machine?<div><br></div><div> The Android team is trying to automate as much as possible, especially when it comes to releasing software. Our reasons aren't novel: manual releases are time-consuming, we worry about unintentionally shipping bad bits, and we don't like doing it. One thing that's been blocking this effort is a security concern over exposing confidential information, such as signing certificates, login credentials, certain lists of strings, etc., on a Jenkins server.</div><div><br></div><div><div> It might be helpful to describe some of our concrete use cases. 
I know them currently as:</div><div><br></div><div> 1 Sign public jars with a private GnuPG key.</div><div> 2 Upload public jars to OSSRH with private credentials (currently stored in a Gradle properties file but could be supplied on the command line).</div><div> 3 Sign public Android apps with a private Java keystore.</div><div><br></div><div> Our future use cases are likely to include:</div><div><br></div><div> 4 Supply a private list of strings to generate private Android apps.</div><div><div> 5 Upload private and public Android apps to Google Drive (via gdrive[0], requires a private app token).</div><div> 6 Upload public Android apps to the Google Play Developer Console (TBD, likely requires a private app token).</div><div> 7 Upload public Android apps to the Amazon Appstore Developer Portal (TBD, likely requires a private app token).</div><div> 8 Upload public Android apps to Caesium (via SCP).<br></div><div> 9 Update public release notes to a public MediaWiki installation.</div></div><div> 10 Publish public release notes to a mailing list.</div><div><div><br> We currently do all of this on our local dev machines and it's a bit scary. While generating the jars and apps on a build server as unsigned artifacts would be a big win in itself, there would still be a significant and error-prone amount of signing and publishing we'd also prefer to live in a controlled, reproducible environment.</div></div></div><div><br></div><div> For simple strings, the Jenkins Mask Passwords Plugin[1] seems promising, and even supported by Jenkins Job Builder[2]. What's not clear is how to land files like our Java keystore and GnuPG keys on the server securely. It's also not clear how we can guard our private Android app artifacts mentioned in #4.</div><div><br></div><div> In summary, we want to automate build and release and we want to keep our private inputs and outputs secure. Surely other teams in the foundation must have the same or very similar problems. 
What is the best reference implementation?</div><div><br></div><div> Thank you for reading!</div><div><br></div><div><br></div><div>--stephen<br></div><div><div><br></div><div>[0] <a href="https://github.com/prasmussen/gdrive" target="_blank">https://github.com/prasmussen/gdrive</a></div><div>[1] <a href="https://wiki.jenkins-ci.org/display/JENKINS/Mask+Passwords+Plugin" target="_blank">https://wiki.jenkins-ci.org/display/JENKINS/Mask+Passwords+Plugin</a></div><div>[2] <a href="http://docs.openstack.org/infra/jenkins-job-builder/wrappers.html#wrappers.mask-passwords" target="_blank">http://docs.openstack.org/infra/jenkins-job-builder/wrappers.html#wrappers.mask-passwords</a><span><font color="#888888"><br></font></span></div></div></div></div></div><span><font color="#888888"><span><font color="#888888">
<p></p>
-- <br>
You received this message because you are subscribed to the Google Groups "android" group.<br>
</font></span></font></span></blockquote></div><br></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>