HTTPS Jenkins update site

[Mladen Marev]

Hello,

is there any HTTPS mirror which I can use as a Jenkins update site, for both - the Jenkins itself and plugins. I mean not only the main page but also the redirected one, as usually the download is redirected to some other URLs.

Thanks.

[Stephen Connolly]

IIUC all the update sites are http and https so that you do not get a secure content warning if using the browser based metadata download (which is the only way to get the metadata if your Jenkins is isolated from the internet)

In any case the metadata is signed to ensure integrity and the metadata includes the content hashes of the plugins

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/aea04815-1fab-4116-baab-aa2432061981%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Mladen Marev]

Hi Stephen,

thank you for the prompt response. I am looking about HTTPS not because I have any concerns about the metadata or content but because my proxy and firewall allows download of Java content (e.g. Jenkins war file) only from HTTPS protected sites. I have tried manual download of v2.2 but it has been rejected because HTTP connection. 

Regards,

Mladen

[Daniel Beck]

> On 10.05.2016, at 12:23, Mladen Marev <mladen...@gmail.com> wrote:
>
> my proxy and firewall allows download of Java content (e.g. Jenkins war file) only from HTTPS protected sites. I have tried manual download of v2.2 but it has been rejected because HTTP connection.

I'm pretty sure we are currently unable to provide full HTTPS for Jenkins and plugin downloads. Even for metadata it's difficult, see e.g.
https://issues.jenkins-ci.org/browse/INFRA-110?focusedCommentId=210433&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-210433

[Stephen Connolly]

Ahh yes... well FTR the CloudBees update site provides https access and https metadata urls... but obviously the metadata is signed by our own key so you'd need to be a customer to be able to have Jenkins trust our source metadata signatures and get https all the way

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-use...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/6D7DAF25-D0B2-4552-922E-2B1A84B9AB3A%40beckweb.net.

[Mladen Marev]

Ok, sounds like I need to try to deviler the war using some other ways. Thank you for the helpful comments here :-)

[Mladen Marev]

I found xmission mirror as very helpful, since you can brows and download mainly everything. My Jenkins is already version 2.2 :-)

[R. Tyler Croy]

(replies inline)

Moving to end-to-end TLS encryption for the Jenkins distribution site is
something that is part of an infrastructure project I'm working towards right
now.

I don't have many details I can share right now, but my hope is that we have
TLS distribution before the end of the calendar year.

- R. Tyler Croy

------------------------------------------------------
Code: <https://github.com/rtyler>
Chatter: <https://twitter.com/agentdero>

% gpg --keyserver keys.gnupg.net --recv-key 3F51E16F
------------------------------------------------------