Request using the certificate file of the official Jenkins Update Center


Rick

Nov 17, 2020, 8:48:28 AM
to Developers Jenkins
Hi team,

As we know, there are many mirrors of the Jenkins update center. But if you just look into the update-center.json file, you will find that all the URLs of the real plugin files are the same.

I tried to change the plugin URLs to mirror ones. But it's unavailable due to security reasons. Jenkins will do the validation with the update-center.json file. In order to fix this, I just made my own certificate file. Before using it, you need to download the certificate file into your Jenkins. It's still very inconvenient for many users.

So, I was wondering if I can get permission to access the official certificate file. Then people wouldn't need to do anything besides changing the URL of the update center. I know this file should not be shared with someone who is not a member of the Jenkins infra team, because it's very important for all Jenkins users. An alternative solution is that we store the certificate file in a safe place, for example in a GitHub secret.

In case anyone wants to know more about the details, you can see this project: https://github.com/jenkins-zh/update-center-mirror

This is the program that modifies the update-center.json file.
 
Best regards

Zhao Xiaojie (Rick)
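
The validation failure described in the message above, reproduced with openssl as an added example (not code from this thread or from the Jenkins project). A detached RSA signature over the whole file stands in for Jenkins' own signature check on update-center.json; the signer names, file names, plugin URL and mirror.example are constructed.

```bash
#!/usr/bin/env bash
# Simplified model: a detached RSA signature over the whole file stands in for
# Jenkins' signature check on update-center.json. All names are constructed.
set -u
work=$(mktemp -d)

new_signer() {   # $1 = signer name; writes $work/$1.key and $work/$1.pub
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$work/$1.key" 2>/dev/null
  openssl pkey -in "$work/$1.key" -pubout -out "$work/$1.pub"
}

sign() {         # $1 = signer name, $2 = file; writes detached $2.sig
  openssl dgst -sha256 -sign "$work/$1.key" -out "$2.sig" "$2"
}

check() {        # $1 = signer the client trusts, $2 = file
  if openssl dgst -sha256 -verify "$work/$1.pub" \
       -signature "$2.sig" "$2" >/dev/null 2>&1
  then echo ACCEPT; else echo REJECT; fi
}

new_signer official   # key held by the update center
new_signer mirror     # key generated by the mirror operator

# Constructed metadata with a single plugin entry.
cat > "$work/uc.json" <<'EOF'
{"plugins":{"plugin-util-api":{"url":"https://updates.jenkins.io/download/plugins/plugin-util-api/1.4.0/plugin-util-api.hpi"}}}
EOF
sign official "$work/uc.json"
echo "official file, official trust anchor:    $(check official "$work/uc.json")"

# The mirror rewrites the download URL but can only reuse the old signature.
sed 's#https://updates\.jenkins\.io/download#https://mirror.example/jenkins#' \
  "$work/uc.json" > "$work/uc-mirror.json"
cp "$work/uc.json.sig" "$work/uc-mirror.json.sig"
echo "rewritten URL, original signature:       $(check official "$work/uc-mirror.json")"

# Re-signing with the mirror's own key does not help a stock client ...
sign mirror "$work/uc-mirror.json"
echo "re-signed by mirror, official anchor:    $(check official "$work/uc-mirror.json")"
# ... until that client is told to trust the mirror's key as well.
echo "re-signed by mirror, mirror key trusted: $(check mirror "$work/uc-mirror.json")"
```

Only the last case passes for the rewritten file, which is why every client of a re-signed mirror has to install the mirror's certificate first.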

Daniel Beck

Nov 17, 2020, 8:57:57 AM
to Jenkins Developers


> On 17. Nov 2020, at 14:48, Rick <Linux...@gmail.com> wrote:
>
> I tried to change the plugin URLs to mirror ones. But it's unavailable due
> to security reasons. Jenkins will do the validation with the
> update-center.json file. In order to fix this, I just made my own
> certificate file. Before using it, you need to download the certificate
> file into your Jenkins. It's still very inconvenient for many users.
>
> So, I was wondering if I can get permission to access the official
> certificate file. Then people wouldn't need to do anything besides changing
> the URL of the update center. I know this file should not be shared with
> someone who is not a member of the Jenkins infra team, because it's very
> important for all Jenkins users. An alternative solution is that we store
> the certificate file in a safe place, for example in a GitHub secret.

If the only change is download URLs that point to a site in China, we can look into generating appropriately modified files in the regular update center which you can then pull without modification.

Rick

Nov 17, 2020, 9:02:07 AM
to jenkin...@googlegroups.com, Jenkins Developers
Yes, we just need to change the URL of plugins.

You mean generate two or more versions of the update-center.json file? For example, update-center.json and update-center-zh.json? Am I right?




Tim Jacomb

Nov 17, 2020, 9:41:11 AM
to jenkin...@googlegroups.com
Why don’t the regular files work? Users should be directed to a Chinese mirror already, is it the distance to get the redirect?

Rick

Nov 17, 2020, 9:47:07 AM
to jenkin...@googlegroups.com, jenkin...@googlegroups.com

Because all plugin URLs point to https://updates.jenkins.io/download/plugins/xxx instead of the mirror.



Olblak

Nov 17, 2020, 9:53:32 AM
to Jenkins Developers ML
> Because all plugin URLs point to https://updates.jenkins.io/download/plugins/xxx instead of the mirror.

And then you are redirected to mirrors

HTTP/1.1 302 Found
Date: Tue, 17 Nov 2020 14:50:34 GMT
Server: Mirrorbits/v0.5.1
Cache-Control: private, no-cache
Content-Type: text/html; charset=utf-8

HTTP/2 200
server: nginx/1.14.2
date: Tue, 17 Nov 2020 14:50:35 GMT
content-type: application/octet-stream
content-length: 613574
last-modified: Fri, 16 Oct 2020 07:26:25 GMT
accept-ranges: bytes

Rick

Nov 17, 2020, 9:59:37 AM
to jenkin...@googlegroups.com, Jenkins Developers ML
Yes, I can get the right location via curl -I -L https://get.jenkins.io/plugins/plugin-util-api/1.4.0/plugin-util-api.hpi

But I’m not sure why it’s still super slow sometimes. Perhaps it’s slow when we try to resolve this domain get.jenkins.io




Tim Jacomb

Nov 17, 2020, 12:47:29 PM
to jenkin...@googlegroups.com
Could you do some timing / benchmarking so we can see where the issue is?

Daniel Beck

Nov 17, 2020, 1:03:37 PM
to Jenkins Developers


> On 17. Nov 2020, at 15:01, Rick <zxj...@126.com> wrote:
>
>
> You mean generate two or more versions of the update-center.json file? For example, update-center.json and update-center-zh.json? Am I right?

Basically this, yes.

Re mirrors, did you test using the regular update site recently, and still encounter performance issues? I think we used a pretty badly outdated Geo IP DB until a few months ago, so if you haven't checked in a while, it makes sense to retry using the regular URLs to see how well this works now.

Olblak

Nov 18, 2020, 3:34:53 AM
to Jenkins Developers ML
I am wondering what it would take to directly use get.jenkins.io instead of update-center.
update-center.json is available from the mirror as well, as you can see here
-> https://get.jenkins.io/updates/current/update-center.json?mirrorlist

The challenge is that, because the JSON is potentially generated every 3 minutes, it's hard for mirrors to stay up to date, but we still control some of them. If no mirror has the file with the correct checksum, then it falls back to a hardcoded mirror that we configured.

We could also ask mirror maintainers to sync "/updates" every three minutes; it doesn't represent a lot of files.
Also, we must ensure that mirrorbits scans files from /updates every few minutes to generate file hashes.

Xiaojie Zhao

Mar 28, 2021, 8:44:50 AM
to Jenkins Developers
Using https://get.jenkins.io/updates/current/update-center.json?mirrorlist will be easier for global users. But I got the error below:

There were errors checking the update sites: None of the tool installer metadata passed the signature check
