wiki page for Chat Room jenkins plugin


anitha vivedhan

Apr 29, 2015, 1:37:39 AM
to jenkin...@googlegroups.com
Respected,

I created a wiki page for the Chat Room Jenkins plugin. But that wiki page is not listed in the Jenkins Update Center. Can you please suggest a solution?

"ChatRoom":{"buildDate":"Apr 25, 2015","dependencies":[],"developers":[{"developerId":"anitha","name":"anitha"}],"excerpt":"A Build status publisher that notifies on Chat Room","gav":"org.jvnet.hudson.plugins:ChatRoom:1.0","name":"ChatRoom","releaseTimestamp":"2015-04-25T21:58:58.00Z","requiredCore":"1.509.3","scm":"github.com","sha1":"1TTT/ZmU2SckjdTRkON+drWO0ts=","title":"Jenkins Chat Room Plugin","url":"http://updates.jenkins-ci.org/download/plugins/ChatRoom/1.0/ChatRoom.hpi","version":"1.0"}

https://wiki.jenkins-ci.org/display/JENKINS/ChatRoom+Plugin

domi

Apr 29, 2015, 1:48:08 AM
to Jenkins Developers
You need to update the <url> in the plugin's pom.xml and do a new release.
/Domi


--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-de...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAD9nYjt_GTQQWx9mxi80v5sORMGYds4Bvs5s8FoLEtijF8bq-A%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

domi

Apr 29, 2015, 2:00:11 AM
to Jenkins Developers
…and please make it more clear what this plugin is all about. Think about your (hopefully new) users - do they understand what they can use the plugin for?
Personally I would not have a clue why I should choose this plugin instead of all the other plugins integrating chat systems. Also, screenshots help a lot more than anything else!
like:

so what is the difference? (did we really need another chat plugin?)

and if it is different, then it might also integrate with?:

/Domi



Christopher Orr

Apr 29, 2015, 9:09:08 AM
to jenkin...@googlegroups.com
Hey,

On 29/04/15 07:37, anitha vivedhan wrote:
> I created a wiki page for Chat Room jenkins plugin.But that wiki page
> not listed in jenkins Update center .can You please suggest the solution.
>
> https://wiki.jenkins-ci.org/display/JENKINS/ChatRoom+Plugin

The wiki page you mention here links to a repo with no code in it:
https://github.com/anithavivedhan/jenkins-ChatRoom/tree/9c867e9

The plugin itself seems to have been published from a different repo
with a very similar name and the same plugin ID in the pom.xml:
https://github.com/anithavivedhan/ChatRoom-plugin/tree/c91028d

The code in that repo looks similar to the "Sample Plugin" you published
last week:
https://github.com/anithavivedhan/jenkins-sample

At that time, I asked you to kindly stop publishing plugins, as the
plugin was nonsense, appeared to attempt to duplicate the existing
HipChat plugin, and (like the other Git repos here) is a complete mess:
https://groups.google.com/forum/#!msg/jenkinsci-dev/BJ_t1GTPmiA/gYq18vK_CDAJ

This "Chat Room plugin" is similarly nonsense, and contains hardcoded
references to an ASP.NET app on localhost, with parameters which look
like they've been taken from the deprecated HipChat v1 API:
https://github.com/anithavivedhan/ChatRoom-plugin/blob/c91028d/target/checkout/src/main/java/jenkins/plugins/ChatRooms/StandardChatService.java#L70-L82
https://www.hipchat.com/docs/api/method/rooms/message

I also hope that isn't a live HipChat API token you've hardcoded there.

Anyway, as I mentioned, there is an existing HipChat plugin, which also
lets you use a locally-hosted HipChat server, if that's what you're
trying to do:
https://wiki.jenkins-ci.org/display/JENKINS/HipChat+Plugin

Otherwise, this plugin looks very specific to your use case and, as I
mentioned in the above email, you do not need to publish to the Jenkins
Update Centre in this case — you can install your own custom plugins
directly via the Jenkins Plugin Manager UI.

This plugin is of really low quality, has an incredibly generic name, no
useful documentation, and there seems to be a poor understanding of how
Git works.

As I mentioned before, *please* stop publishing plugins to the Jenkins
Update Centre until you can resolve all of these issues. The plugins
are of no use to anybody.

If you can explain what your plugin is meant to do, or you have
questions about Jenkins plugin development, feel free to let us know.

But until then, please refrain from publishing any more plugins.

Thanks,
Chris

Richard Bywater

Apr 29, 2015, 8:27:00 PM
to jenkin...@googlegroups.com
Not sure if I'm the only one who has this concern (or even if it's a valid concern), but it seems rather easy for someone to easily stick any old plugin into the update centre. Is there a potential that someone could load up nefarious plugins that trick users into installing them and having them do bad things? (Yes, you could do that to any of the plugins that currently exist, but at least there's some track of stuff in Github - well, mostly - for JenkinsCI org-hosted ones anyway.)

Richard.


Christopher Orr

Apr 29, 2015, 8:49:43 PM
to jenkin...@googlegroups.com
I think it's a valid concern.

AFAIK, once you sign up for an account on jenkins-ci.org, you can push
to the Maven repository, and therefore to the update centre.

In this specific instance, I've filed INFRA-287 to try and get Maven
push access disabled. Long term, I don't know what a good solution
would look like. In the shorter term, if there's an "allow Maven access"
flag in LDAP, maybe we can hook it up to the IRC bot.

Regards,
Chris

Daniel Beck

Apr 30, 2015, 2:51:47 AM
to jenkin...@googlegroups.com

On 30.04.2015, at 02:26, Richard Bywater <ric...@byh2o.com> wrote:

> Not sure if I'm the only one who has this concern (or even if it's a valid concern), but it seems rather easy for someone to easily stick any old plugin into the update centre. Is there a potential that someone could load up nefarious plugins that trick users into installing them and having them do bad things? (Yes, you could do that to any of the plugins that currently exist, but at least there's some track of stuff in Github - well, mostly - for JenkinsCI org-hosted ones anyway.)

I am also concerned about this. I doubt any of our users expect this to even be possible, it is so ludicrous. It'd be trivial for any of several hundred users to upload a patched Email-ext or Maven plugin and get a few thousand installs before we even notice.

This is one of the reasons I want us to require that plugins need to be released from jenkinsci repos. It should be fairly straightforward to match release tags to plugin releases, and if the tag is missing, we don't publish a release in the UC.

And if not everyone were in the 'Everyone' group with write access to every plugin repo by default [1], we could even ensure that the user who released the artifact is (or was at the time the plugin was released) in fact one of the plugin committers. We already have a 'Github ID' field in LDAP/the account app, so this could be matched automatically.

Neither of these would be 100% safe, but I expect that this would make it much more difficult to upload any artifact and have it actually distributed. We're not an 'App Store', we don't vet what we offer. But preventing the most obvious ways to exploit the update center should be shut down.

1: There is nothing wrong with giving users permissions like that when they ask for it (and maybe explain why they want it), but let's not do this by default. 400 people have push (--force) privileges to 1200 repos. What could possibly go wrong?!
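
A sketch of the publication gate proposed in the message above (release must come from a jenkinsci repo, carry a matching release tag, and be made by a committer of that repo), as an added example that is not part of the thread or of any Jenkins infrastructure code. The function names, the `repo_tags`/`repo_committers` inputs and the `example-notifier` data are hypothetical; the `ChatRoom` entry is trimmed from the first post, and the `artifactId-version` tag name assumes the maven-release-plugin default.

```python
from urllib.parse import urlparse

CANONICAL_ORG = "jenkinsci"  # organisation the thread wants releases to come from

def canonical_repo(scm):
    """Return 'org/repo' when scm is a GitHub repo under CANONICAL_ORG, else None."""
    parsed = urlparse(scm if "://" in scm else "https://" + scm)
    parts = [p for p in parsed.path.split("/") if p]
    if parsed.hostname != "github.com" or len(parts) < 2:
        return None
    org, repo = parts[0], parts[1]
    if repo.endswith(".git"):
        repo = repo[:-4]
    return f"{org}/{repo}" if org.lower() == CANONICAL_ORG else None

def review_release(entry, releaser_github_id, repo_tags, repo_committers):
    """Decide whether one update-centre entry may be published.

    Hypothetical inputs: repo_tags and repo_committers map 'org/repo' to sets,
    e.g. filled from the GitHub API; releaser_github_id comes from the account DB.
    """
    _, artifact_id, version = entry["gav"].split(":")
    repo = canonical_repo(entry.get("scm", ""))
    if repo is None:
        return False, [f"scm {entry.get('scm')!r} is not a {CANONICAL_ORG} repo"]
    reasons = []
    tag = f"{artifact_id}-{version}"  # assumed: maven-release-plugin default tag name
    if tag not in repo_tags.get(repo, set()):
        reasons.append(f"no release tag {tag} in {repo}")
    if releaser_github_id not in repo_committers.get(repo, set()):
        reasons.append(f"{releaser_github_id} is not a committer of {repo}")
    return not reasons, reasons

# Entry from the first post, trimmed to the fields the gate reads.
CHATROOM = {"name": "ChatRoom", "gav": "org.jvnet.hudson.plugins:ChatRoom:1.0",
            "scm": "github.com"}
# Constructed sample data (hypothetical plugin, repo and users).
SAMPLE = {"name": "example-notifier",
          "scm": "https://github.com/jenkinsci/example-notifier-plugin",
          "gav": "org.jenkins-ci.plugins:example-notifier:1.1"}
TAGS = {"jenkinsci/example-notifier-plugin": {"example-notifier-1.0", "example-notifier-1.1"}}
COMMITTERS = {"jenkinsci/example-notifier-plugin": {"alice"}}

if __name__ == "__main__":
    for entry, who in [(CHATROOM, "anitha"), (SAMPLE, "alice"), (SAMPLE, "mallory")]:
        print(entry["name"], who, review_release(entry, who, TAGS, COMMITTERS))
```

The `ChatRoom` entry is rejected at the first check because its `scm` field names no repository at all, which is the same gap that let the release in this thread come from a personal repo.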
