Good discussion! iOS is interested in how this goes, as we'd also like to package, sign, and deploy our app securely. Our current setup lives on our private, OS X Jenkins server which is only accessible on WMF networks. It's not versioned in any way, though it could be (using Ansible or Boxen/puppet). <div><br></div><div>Android was considering using the Mac Mini at some point. If we're the only two teams that need this environment at present, should we try to use the same machine, or at least hardware/config?<span></span><br><div><br>On Wednesday, August 12, 2015, Stephen Niedzielski <<a href="mailto:sniedzielski@wikimedia.org">sniedzielski@wikimedia.org</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"> Thanks for the info, Dan! Assuming we went this route, what do we use to manage private production configurations? Is there a project that would be a good template I could check out? I would ignorantly guess that we probably have at least a couple ultra secure machines somewhere and am trying to come up to speed with how these are versioned and maintained, and the general infrastructure available.<div><br></div><div><br></div><div>--stephen</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Aug 12, 2015 at 6:32 PM, Dan Duvall <span dir="ltr"><<a href="javascript:_e(%7B%7D,'cvml','dduvall@wikimedia.org');" target="_blank">dduvall@wikimedia.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><span>On Wed, Aug 12, 2015 at 4:05 PM, Stephen Niedzielski <span dir="ltr"><<a href="javascript:_e(%7B%7D,'cvml','sniedzielski@wikimedia.org');" target="_blank">sniedzielski@wikimedia.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div> Assuming a better solution does not exist, I _think_ what I'm ultimately asking for is a Zuul managed / JJB maintained private Jenkins instance only accessible over SSH, if that makes sense. Is there anything like that? There must be other teams in the foundation that need a secure release job and we could either leverage their solution or they ours.</div></div></blockquote><div><br></div></span><div>There's a fundamental problem with signing on a Jenkins slave, private or shared, in that it will trust and execute anything the master gives it. It's also possible that the master (and other slaves by extension) is vulnerable to slave response forgery as well.[1]</div><div><br></div><div>I think to do automated signing right, we'd want to start with a dedicated production host that independently polls/listens for CR events and executes only tightly reviewed jobs that are outside the realm of our CI Zuul/Jenkins altogether. Whether this would be a another, completely private, Jenkins /cluster/ or something lighter, I'm not sure.</div><div><br></div><div>[1] <a href="https://groups.google.com/d/topic/jenkinsci-users/W5dKc06l1qs/discussion" target="_blank">https://groups.google.com/d/topic/jenkinsci-users/W5dKc06l1qs/discussion</a></div><div><br></div></div>-- <br><div><div dir="ltr">Dan Duvall<div>Automation Engineer</div><div><a href="http://wikimediafoundation.org" target="_blank">Wikimedia Foundation</a><br></div></div></div>
</div></div><span>
<p></p>
-- <br>
You received this message because you are subscribed to the Google Groups "android" group.<br>
To unsubscribe from this group and stop receiving emails from it, send an email to <a href="javascript:_e(%7B%7D,'cvml','android%2Bunsubscribe@wikimedia.org');" target="_blank">android+unsubscribe@wikimedia.org</a>.<br>
To post to this group, send email to <a href="javascript:_e(%7B%7D,'cvml','android@wikimedia.org');" target="_blank">android@wikimedia.org</a>.<br></span>
To view this discussion on the web visit <a href="https://groups.google.com/a/wikimedia.org/d/msgid/android/CACu0jZ5L9qAyH%3D4tOFu_k36omByAjcVBJ6OgFENn2-pu649BiQ%40mail.gmail.com?utm_medium=email&utm_source=footer" target="_blank">https://groups.google.com/a/wikimedia.org/d/msgid/android/CACu0jZ5L9qAyH%3D4tOFu_k36omByAjcVBJ6OgFENn2-pu649BiQ%40mail.gmail.com</a>.<br>
</blockquote></div><br></div>
</blockquote></div></div><br><br>-- <br><div dir="ltr"><div><div dir="ltr">EN Wikipedia user page: <a href="https://en.wikipedia.org/wiki/User:Brian.gerstle" target="_blank">https://en.wikipedia.org/wiki/User:Brian.gerstle</a><br>IRC: bgerstle</div></div></div><br>