Uploaded image for project: 'Infrastructure'
  1. Infrastructure
  2. INFRA-266

Jenkins and jenkins plugins not available for download via HTTPS

    XMLWordPrintable

    Details

    • Similar Issues:

      Description

      mirrors.jenkins-ci.org does not support HTTPS and there is no other way to download Jenkins and Jenkins plugins.

        Attachments

          Issue Links

            Activity

            Hide
            danielbeck Daniel Beck added a comment -

            Dee Kryvenko There are many ways to can help move this issue forward. The Jenkins project is transitioning to be part of the CD Foundation, and corporate memberships help fund the project (so we may not need to rely on donated mirrors in the future). You can always donate directly too, of course, but I would expect only reliable, recurring income would make us consider committing to paying for the traffic indefinitely. And finally, most of our infrastructure is open source, largely operated by volunteers, and we're always looking for further help to keep it running or even improve it:  https://jenkins.io/projects/infrastructure/

            There are other alternatives if you're not interested in contributing back to the project – You could operate your own update sites (tools make this very straightforward), or pay someone to provide fully HTTPS update sites to you as a service.

            Show
            danielbeck Daniel Beck added a comment - Dee Kryvenko There are many ways to can help move this issue forward. The Jenkins project is transitioning to be part of the CD Foundation, and corporate memberships help fund the project (so we may not need to rely on donated mirrors in the future). You can always donate directly too, of course, but I would expect only reliable, recurring income would make us consider committing to paying for the traffic indefinitely. And finally, most of our infrastructure is open source, largely operated by volunteers, and we're always looking for further help to keep it running or even improve it:  https://jenkins.io/projects/infrastructure/ There are other alternatives if you're not interested in contributing back to the project – You could operate your own update sites (tools make this very straightforward), or pay someone to provide fully HTTPS update sites to you as a service.
            Hide
            llibicpep Dee Kryvenko added a comment -

            Daniel Beck how is this relevant, is this ticket a fundraiser? Is this how Jenkins Jira works now? Make it obvious then and... convenient, replace "vote" button with "donate"

            Just to clarify my comment above to alleviate this controversy, previous comments from
            Jenkins representatives made it clear that this ticket is not considered as rapidly growing priority (or so I read it), rather a small "inconvenience". So before even getting to fundraising if that's so necessary I want to raise awareness and make sure it's crystal clear to everyone as to where the market goes. With the recent major data leaks and increasing compliance requirements and regulations - so basic things as mandatory HTTPS not just becoming more and more common but also pops up as a hard requirement. The sooner we all realize what is that new world we all live in - the better. That said, HTTPS-enabled mirror list does not sounds like a rocket science. As an example a similar technology has already been in use for years by centos community - their yum network. Once we all accept that this request is absolutely necessary to address - the next step would be to define how exactly is to move forward with it. Is this an improvement to the existing mirror network, a voluntary or mandatory SSL certificate to join mirror network, or a whole new CDN platform? Is it even known by now how many mirror network members already have certificates and it's just a matter of config change for them? Then and only then it'll get to fundraising - when it's clear what needs to be done and how much does it cost. With such a great and huge community I'm sure it's not gonna be a problem, and I know there's certain vendors just can't wait to become partners - I already saw one offer above. This is not a new concept in the world, pretty much any open source project got to find means to host some content, pypi/gem/npmjs/yum/maven just to name a few. Nothing unsolvable here.

            And once again I just want to emphasize on what it means not doing this request - for growing number of businesses it becomes a road block to even start/keep using Jenkins and look for alternatives. Entry toll to the Jenkins world becomes a little to high in terms of effort - to setup an internal mirror for a PoC project would be just a little too much. I would imagine vendors who earn money providing Jenkins Enterprise support (hi CloudBees) must be the most interested parties to keep this toll as low as possible.

            Show
            llibicpep Dee Kryvenko added a comment - Daniel Beck how is this relevant, is this ticket a fundraiser? Is this how Jenkins Jira works now? Make it obvious then and... convenient, replace "vote" button with "donate" Just to clarify my comment above to alleviate this controversy, previous comments from Jenkins representatives made it clear that this ticket is not considered as rapidly growing priority (or so I read it), rather a small "inconvenience". So before even getting to fundraising if that's so necessary I want to raise awareness and make sure it's crystal clear to everyone as to where the market goes. With the recent major data leaks and increasing compliance requirements and regulations - so basic things as mandatory HTTPS not just becoming more and more common but also pops up as a hard requirement. The sooner we all realize what is that new world we all live in - the better. That said, HTTPS-enabled mirror list does not sounds like a rocket science. As an example a similar technology has already been in use for years by centos community - their yum network. Once we all accept that this request is absolutely necessary to address - the next step would be to define how exactly is to move forward with it. Is this an improvement to the existing mirror network, a voluntary or mandatory SSL certificate to join mirror network, or a whole new CDN platform? Is it even known by now how many mirror network members already have certificates and it's just a matter of config change for them? Then and only then it'll get to fundraising - when it's clear what needs to be done and how much does it cost. With such a great and huge community I'm sure it's not gonna be a problem, and I know there's certain vendors just can't wait to become partners - I already saw one offer above. This is not a new concept in the world, pretty much any open source project got to find means to host some content, pypi/gem/npmjs/yum/maven just to name a few. Nothing unsolvable here. And once again I just want to emphasize on what it means not doing this request - for growing number of businesses it becomes a road block to even start/keep using Jenkins and look for alternatives. Entry toll to the Jenkins world becomes a little to high in terms of effort - to setup an internal mirror for a PoC project would be just a little too much. I would imagine vendors who earn money providing Jenkins Enterprise support (hi CloudBees) must be the most interested parties to keep this toll as low as possible.
            Hide
            llibicpep Dee Kryvenko added a comment -

            I'll give a simple use case mostly for CloudBees if they read this topic - a small innovation team operates in hardly restricted AWS environment with blocked HTTPS traffic. Before being in a position even to start internal discussions as to using Jenkins for anything which potentially can open doors for Enterprise contract in the future - some internal poc/demo has to be done. Most businesses that is not software development related wouldn't even know what is Jenkins and why they should care. The whole plan falling apart since Jenkins just not able to install any plugins - you can imagine the odds CloudBees will ever even receive the invitation for a pitch.

            Show
            llibicpep Dee Kryvenko added a comment - I'll give a simple use case mostly for CloudBees if they read this topic - a small innovation team operates in hardly restricted AWS environment with blocked HTTPS traffic. Before being in a position even to start internal discussions as to using Jenkins for anything which potentially can open doors for Enterprise contract in the future - some internal poc/demo has to be done. Most businesses that is not software development related wouldn't even know what is Jenkins and why they should care. The whole plan falling apart since Jenkins just not able to install any plugins - you can imagine the odds CloudBees will ever even receive the invitation for a pitch.
            Hide
            timja Tim Jacomb added a comment -

            This should be resolved now, monitoring it for a few days

            Show
            timja Tim Jacomb added a comment - This should be resolved now, monitoring it for a few days
            Hide
            timja Tim Jacomb added a comment -

            mirrors.jenkins-ci.org still is http only because the software it runs (mirrorbrain only supports that)

            We're switched plugins over to the https://get.jenkins.io service yesterday which runs on mirrorbits.

            This service is https only.

            Jenkins distribution packages / wars have been using get.jenkins.io for a few months now.

            Let us know if you hit any issues

            Show
            timja Tim Jacomb added a comment - mirrors.jenkins-ci.org still is http only because the software it runs (mirrorbrain only supports that) We're switched plugins over to the https://get.jenkins.io service yesterday which runs on mirrorbits. This service is https only. Jenkins distribution packages / wars have been using get.jenkins.io for a few months now. Let us know if you hit any issues

              People

              Assignee:
              timja Tim Jacomb
              Reporter:
              coderanger Noah Kantrowitz
              Votes:
              9 Vote for this issue
              Watchers:
              19 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: