On Tue, Feb 8, 2022 at 12:01 PM '[email protected]' via Jenkins Developers <[email protected]> wrote:
> Hi all,
>
> A point raised in a permission update for a plugin in RPU is that we are
> still granting users permission to Artifactory for deployment of a plugin
> that they maintain even if the plugin is using CD.
> https://github.com/jenkins-infra/repository-permissions-updater/pull/2265/files#r773914240
>
> Is there any reason still to do this?
>
> Backports for security would as far as I understand be deployed
> differently (the security team sets up a special repository in artifactory).
>
> I also believe (and may be incorrect) that we should be able to do CD on
> branches (however we may need to change <version>{$revision}</version> to
> be <version>xxx.{$revision}</version> in order to get a branched version
> number (in the cases where a plugin is not already using a prefix like for
> libraries).
>
> Thus are we now in a place where if CD is enabled we can (and should)
> remove user level artifactory access for plugins (that we maintain), or
> even more broadly across all plugins to get some better security?
>

We still need to have a reference as to who is the owner/maintainer of a component, and we have not yet defined an extension of the YAML that would separate deployers/uploaders from owners/maintainers. There are downstream scripts depending on these files, so yoloing a change of the key is probably not a good idea.
