Jenkins Website / WEBSITE-704

Figure out the state of the Friend of Jenkins plugin

    Details

    • Type: Task
    • Status: To Do
    • Priority: Minor
    • Resolution: Unresolved
    • Component/s: content
    • Labels:
      None
      Description

      https://jenkins.io/donate/#friend-of-jenkins documents that there is a Friend of Jenkins plugin. It is not clear whether it still exists and how it is being distributed.

          Activity

          oleg_nenashev Oleg Nenashev added a comment -

          Status update:

          • I have got access to the source code, thanks to Daniel Beck
          • The plugin needs an update, but it is quite trivial
          • I am not sure that we should keep the plugin in private-source. It is odd that we distribute a private-source plugin as an open-source project for monetary contributions. I think we are doing it wrong.
          • I would suggest that we update the plugin logic so that its code is public but it uses an alternate protection mechanism. For example, a user could provide a public key, and we sign a plugin HPI based using this key and another private key supplied by the Jenkins infrastructure. Then a user will need to specify a private key path to unlock the plugin on the instance. Using this flow we could use Trusted CI to build plugin bundles and send them to a donor by email

          CC Mark Waite Alex Earl
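
One possible reading of the signing flow proposed in the comment above, as an added example that is not part of the original thread or of the plugin's code: the infrastructure key signs the HPI digest together with the donor's public key, and the plugin verifies that signature and then checks that the configured private key matches. The class and method names, the RSA/SHA-256 choice, the in-memory keys (instead of a key path) and the stand-in HPI bytes are all assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;

public class DonorBundleCheck {
    // Infrastructure side (hypothetical): bind this HPI to one donor public key.
    static byte[] issue(PrivateKey infraKey, byte[] hpi, PublicKey donorPub)
            throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(infraKey);
        s.update(MessageDigest.getInstance("SHA-256").digest(hpi));
        s.update(donorPub.getEncoded());
        return s.sign();
    }

    // Plugin side (hypothetical): check the infrastructure signature, then
    // check that the supplied private key belongs to the bound public key.
    static boolean unlock(PublicKey infraPub, byte[] hpi, PublicKey donorPub,
                          byte[] sig, PrivateKey donorKey) throws GeneralSecurityException {
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(infraPub);
        v.update(MessageDigest.getInstance("SHA-256").digest(hpi));
        v.update(donorPub.getEncoded());
        if (!v.verify(sig)) return false;          // tampered HPI or wrong donor key
        byte[] nonce = new byte[32];
        new SecureRandom().nextBytes(nonce);       // fresh challenge per unlock
        Signature p = Signature.getInstance("SHA256withRSA");
        p.initSign(donorKey);
        p.update(nonce);
        byte[] proof = p.sign();
        p.initVerify(donorPub);
        p.update(nonce);
        return p.verify(proof);                    // proof of possession
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair infra = g.generateKeyPair(), donor = g.generateKeyPair(), other = g.generateKeyPair();
        byte[] hpi = "constructed stand-in for HPI bytes".getBytes(StandardCharsets.UTF_8);
        byte[] sig = issue(infra.getPrivate(), hpi, donor.getPublic());
        System.out.println("donor key:    "
            + unlock(infra.getPublic(), hpi, donor.getPublic(), sig, donor.getPrivate()));
        System.out.println("other key:    "
            + unlock(infra.getPublic(), hpi, donor.getPublic(), sig, other.getPrivate()));
        hpi[0] ^= 1;                               // simulate a modified bundle
        System.out.println("modified HPI: "
            + unlock(infra.getPublic(), hpi, donor.getPublic(), sig, donor.getPrivate()));
    }
}
```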

          danielbeck Daniel Beck added a comment -

          I would suggest that we update the plugin logic so that its code is public but it uses an alternate protection mechanism. For example, a user could provide a public key, and we sign a plugin HPI based using this key and another private key supplied by the Jenkins infrastructure. Then a user will need to specify a private key path to unlock the plugin on the instance. Using this flow we could use Trusted CI to build plugin bundles and send them to a donor by email

          Sounds reasonable.

          Being open source helps the trust, and it's not like it was impossible to bypass the donation before anyway, so if someone wants to not donate 10 dollars and still get the plugin, they always could.

          We could even encode personalized messages.

          OTOH this sounds like quite some work and I'm not sure we're prepared to spend the time unless you do it on a weekend.

          oleg_nenashev Oleg Nenashev added a comment -

          Yes... Weekend it is
          There is also a tricky part about how to contact donors to community bridge. I will check whether we could personalize the donation confirmation messages or retrieve a contact email somehow

          slide_o_mix Alex Earl added a comment -

          Sounds good, let me know how I can help.


            People

            Assignee:
            oleg_nenashev Oleg Nenashev
            Reporter:
            oleg_nenashev Oleg Nenashev
            Votes:
            0
            Watchers:
            3