Re: Jenkins LTS Debian signing key?

2023-04-10 Thread 'Dirk Heinrichs' via Jenkins Users
On Thursday, 06.04.2023 at 10:15 -0700, Mark Waite wrote:

> perform the necessary testing to confirm that it is well behaved

How misbehaving can a package be that stores a single file into a specific 
directory?

Bye...

Dirk

--

Dirk Heinrichs
Senior Systems Engineer, Delivery Pipeline
OpenText ™ Discovery | Recommind
Phone: +49 2226 15966 18
Email: dhein...@opentext.com
Website: www.recommind.de
Recommind GmbH, Von-Liebig-Straße 1, 53359 Rheinbach
Authorized managing directors: Gordon Davies, Madhu Ranganathan, 
Christian Waida; registry court: Amtsgericht Bonn, registration number HRB 10646
This e-mail may contain confidential and/or privileged information. If you are 
not the intended recipient (or have received this e-mail in error) please 
notify the sender immediately and destroy this e-mail. Any unauthorized 
copying, disclosure or distribution of the material in this e-mail is strictly 
forbidden

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-users/060e6f810d39ee5a47ead089c0ef124961c07664.camel%40opentext.com.


Re: Jenkins LTS Debian signing key?

2023-04-06 Thread Mark Waite


On Thursday, April 6, 2023 at 6:56:31 AM UTC-6 dheinric wrote:

> On Thursday, 06.04.2023 at 05:33 -0700, Mark Waite wrote:
>
>> I'd rather not include extra instructions for Debian 10, Debian 11, Ubuntu 
>> 18, and Ubuntu 20, especially when those instructions involve creating 
>> directories as the root user and assuring those directories have correct 
>> ownership and permissions.
>
> People knowing that page might then (falsely) assume that the key will be 
> managed by a package after initial setup if it is to be placed into 
> /usr/share/keyrings. OTOH, creating the directory is just one more line, 
> like
>
> sudo sh -c "test -d /etc/apt/keyrings || mkdir -m 0755 /etc/apt/keyrings"
>
>> We'll discuss further in the retrospective to see which path we take to 
>> reduce the problems for Debian and Ubuntu administrators on the next GPG 
>> key rotation.
>
> Why wait (until next rotation)? Why not create a package which places the 
> current key into /usr/share/keyrings and add that as a dependency to the 
> main Jenkins package? This is how Element or PostgreSQL (to name a few) 
> already do it. Would have the benefit that no documentation change would be 
> needed.


Agreed that if the decision from the retrospective and investigation is to 
implement an additional package as a dependency to the main Jenkins 
package, then there is no need to wait until the next key rotation.  The 
bigger challenge is having someone implement that package and perform the 
necessary testing to confirm that it is well behaved on Debian 10, Debian 
11, Ubuntu 18, Ubuntu 20, and Ubuntu 22.  If that effort takes enough time 
that Debian 12 releases before it is done, then Debian 12 will also need to 
be tested.

Mark Waite
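
The one-line directory creation quoted above only acts when the directory is missing, so the ownership and permission concern raised in this exchange still needs a check afterwards. The shell functions below are an added example, not part of the original thread or of the Jenkins installation instructions; the function names are hypothetical, `stat -c` assumes GNU or BusyBox stat, and the expected owner is a parameter so the demo can run unprivileged in a temporary directory.

```shell
#!/bin/sh
# Added example: create an apt keyring directory, then verify owner and mode.

# check_keyring_dir DIR [UID]
# Prints findings; returns 0 only if DIR is a real directory (not a symlink),
# owned by UID (default 0, root), mode 755, and holds no key file that is
# writable by group or others.
check_keyring_dir() {
    dir=$1; want_uid=${2:-0}; rc=0
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a real directory"
        return 1
    fi
    uid=$(stat -c '%u' "$dir")
    mode=$(stat -c '%a' "$dir")
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: owner uid is $uid, expected $want_uid"; rc=1
    fi
    if [ "$mode" != "755" ]; then
        echo "FAIL: mode is $mode, expected 755"; rc=1
    fi
    loose=$(find "$dir" -type f \( -perm -020 -o -perm -002 \))
    if [ -n "$loose" ]; then
        echo "FAIL: writable by group or others: $loose"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $dir"
    return "$rc"
}

# ensure_keyring_dir DIR [UID]
# Same logic as the thread's one-liner, followed by the check. An existing
# directory is left as found, so wrong permissions are reported, not repaired.
ensure_keyring_dir() {
    test -d "$1" || mkdir -m 0755 "$1" || return 1
    check_keyring_dir "$1" "${2:-0}"
}

# Demo in a temporary directory (constructed, not /etc/apt/keyrings).
demo=$(mktemp -d)
ensure_keyring_dir "$demo/keyrings" "$(id -u)"
chmod 0777 "$demo/keyrings"
ensure_keyring_dir "$demo/keyrings" "$(id -u)" ||
    echo "existing directory was left as found"
rm -rf "$demo"
```

On a real host the call would be `ensure_keyring_dir /etc/apt/keyrings` run as root, with the default expected owner of uid 0.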
 



Re: Jenkins LTS Debian signing key?

2023-04-06 Thread 'Dirk Heinrichs' via Jenkins Users
On Thursday, 06.04.2023 at 05:33 -0700, Mark Waite wrote:

> I'd rather not include extra instructions for Debian 10, Debian 11, Ubuntu 18, 
> and Ubuntu 20, especially when those instructions involve creating directories 
> as the root user and assuring those directories have correct ownership and 
> permissions.

People knowing that page might then (falsely) assume that the key will be 
managed by a package after initial setup if it is to be placed into 
/usr/share/keyrings. OTOH, creating the directory is just one more line, like

sudo sh -c "test -d /etc/apt/keyrings || mkdir -m 0755 /etc/apt/keyrings"

> We'll discuss further in the retrospective to see which path we take to reduce 
> the problems for Debian and Ubuntu administrators on the next GPG key rotation.

Why wait (until next rotation)? Why not create a package which places the 
current key into /usr/share/keyrings and add that as a dependency to the main 
Jenkins package? This is how Element or PostgreSQL (to name a few) already do 
it. Would have the benefit that no documentation change would be needed.

Bye...

Dirk



Re: Jenkins LTS Debian signing key?

2023-04-06 Thread Mark Waite


On Thursday, March 30, 2023 at 11:40:34 PM UTC-6 dheinric wrote:

> On Thursday, 30.03.2023 at 10:44 -0700, Mark Waite wrote:
>
>> Jenkins LTS 2.387.2 (April 5, 2023) will resolve that warning, so long as 
>> the new PGP public key has been installed by following the instructions in 
>> the Linux installation page
>
> Please note that these instructions contain a small mistake. The key should 
> be downloaded to "/etc/apt/keyrings", unless it is later managed by a 
> package, which is not the case here (see 
> https://wiki.debian.org/DebianRepository/UseThirdParty). Would be great if 
> that could be corrected (or, as recommended by Debian, a package be provided 
> for managing the keyring after the initial setup).

I'm hesitant to change those instructions based on the comment in the 
https://wiki.debian.org/DebianRepository/UseThirdParty page where it says:

> In releases older than Debian 12 and Ubuntu 22.04, /etc/apt/keyrings does 
> not exist by default. It SHOULD be created with permissions 0755 if it is 
> needed and does not already exist.

I'd rather not include extra instructions for Debian 10, Debian 11, Ubuntu 
18, and Ubuntu 20, especially when those instructions involve creating 
directories as the root user and assuring those directories have correct 
ownership and permissions.

We'll discuss further in the retrospective to see which path we take to 
reduce the problems for Debian and Ubuntu administrators on the next GPG 
key rotation.

Mark Waite



Re: Jenkins LTS Debian signing key?

2023-03-30 Thread 'Dirk Heinrichs' via Jenkins Users
On Thursday, 30.03.2023 at 10:44 -0700, Mark Waite wrote:

> Jenkins LTS 2.387.2 (April 5, 2023) will resolve that warning, so long as the 
> new PGP public key has been installed by following the instructions in the 
> Linux installation page

Please note that these instructions contain a small mistake. The key should be 
downloaded to "/etc/apt/keyrings", unless it is later managed by a package, 
which is not the case here (see 
https://wiki.debian.org/DebianRepository/UseThirdParty). Would be great if that 
could be corrected (or, as recommended by Debian, a package be provided for 
managing the keyring after the initial setup).

> If you need to install Jenkins LTS with the Linux installer between now and 
> April 5, your choices include:
>
>   *   Override the package manager to ignore the expired PGP key
>   *   Use a container image like jenkins/jenkins:2.387.1-jdk11
>   *   Install the war file without the Linux installer

  *   Download the deb directly and install via "apt-get install /path/to/file"

HTH...

Dirk



Re: Jenkins LTS Debian signing key?

2023-03-30 Thread alan.l...@gmail.com
Thanks.  I'll disable the checks and wait for the release.  Thanks for the 
info.


On Thursday, March 30, 2023 at 11:44:11 AM UTC-6 Mark Waite wrote:

> On Thursday, March 30, 2023 at 11:13:20 AM UTC-6 Alan Sparks wrote:
>
> Tried to build a Jenkins image here this morning and getting signing 
> errors on the repo:
>
> W: An error occurred during the signature verification. The repository is 
> not updated and the previous index files will be used. GPG error: 
> https://pkg.jenkins.io/debian-stable binary/ Release: The following 
> signatures were invalid: EXPKEYSIG FCEF32E745F2C3D5 Jenkins Project
>
> W: Failed to fetch http://pkg.jenkins.io/debian-stable/binary/Release.gpg 
>  The following signatures were invalid: EXPKEYSIG FCEF32E745F2C3D5 Jenkins 
> Project
>
> W: Some index files failed to download. They have been ignored, or old 
> ones used instead.
>
>
> I see a post on the Jenkins blog about the key changing, but it says April 
> 5, and we're not then yet.  What has changed for Ubuntu users?  the old key 
> doesn't seem to work, nor does the new one.  I'm using the same repo 
> configuration:
> deb https://pkg.jenkins.io/debian-stable binary/
>
> What has changed?
>
>
> The GPG private key that signs the Jenkins 2.387.1 deb file expired March 
> 30, 2023.  A comment to the blog post says:
>
> > Users installing Jenkins LTS 2.387.1 after March 31, 2023 may see a 
> > warning or an error noting that the PGP key has expired.
>
> > Jenkins LTS 2.387.2 (April 5, 2023) will resolve that warning, so long 
> > as the new PGP public key has been installed by following the instructions 
> > in the Linux installation page
>
> You're correct that the old key does not work (because it has expired) and 
> that the new key does not work with the old releases (because they were not 
> signed with the new key). 
>
> The new key works with new releases (like Jenkins 2.397 released March 28, 
> 2023 and Jenkins 2.387.2 that will be released April 5, 2023).
>
> If you need to install Jenkins LTS with the Linux installer between now 
> and April 5, your choices include:
>
> - Override the package manager to ignore the expired PGP key
> - Use a container image like jenkins/jenkins:2.387.1-jdk11
> - Install the war file without the Linux installer
>
> Mark Waite
>
>



Re: Jenkins LTS Debian signing key?

2023-03-30 Thread Mark Waite

On Thursday, March 30, 2023 at 11:13:20 AM UTC-6 Alan Sparks wrote:

> Tried to build a Jenkins image here this morning and getting signing errors 
> on the repo:
>
> W: An error occurred during the signature verification. The repository is 
> not updated and the previous index files will be used. GPG error: 
> https://pkg.jenkins.io/debian-stable binary/ Release: The following 
> signatures were invalid: EXPKEYSIG FCEF32E745F2C3D5 Jenkins Project
> W: Failed to fetch http://pkg.jenkins.io/debian-stable/binary/Release.gpg 
>  The following signatures were invalid: EXPKEYSIG FCEF32E745F2C3D5 Jenkins 
> Project
> W: Some index files failed to download. They have been ignored, or old ones 
> used instead.
>
> I see a post on the Jenkins blog about the key changing, but it says April 
> 5, and we're not then yet.  What has changed for Ubuntu users?  the old key 
> doesn't seem to work, nor does the new one.  I'm using the same repo 
> configuration:
> deb https://pkg.jenkins.io/debian-stable binary/
>
> What has changed?


The GPG private key that signs the Jenkins 2.387.1 deb file expired March 
30, 2023.  A comment to the blog post says:

> Users installing Jenkins LTS 2.387.1 after March 31, 2023 may see a 
> warning or an error noting that the PGP key has expired.

> Jenkins LTS 2.387.2 (April 5, 2023) will resolve that warning, so long as 
> the new PGP public key has been installed by following the instructions in 
> the Linux installation page

You're correct that the old key does not work (because it has expired) and 
that the new key does not work with the old releases (because they were not 
signed with the new key). 

The new key works with new releases (like Jenkins 2.397 released March 28, 
2023 and Jenkins 2.387.2 that will be released April 5, 2023).

If you need to install Jenkins LTS with the Linux installer between now and 
April 5, your choices include:

   - Override the package manager to ignore the expired PGP key
   - Use a container image like jenkins/jenkins:2.387.1-jdk11
   - Install the war file without the Linux installer

Mark Waite
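
The reply above separates two failures: the old key has expired, and the new key did not sign the old releases. In apt output these appear as different gpgv status tokens, which the following added example (not part of the original thread or of Jenkins project code) extracts and labels. The function names are hypothetical, and the sample lines are constructed from the warnings quoted in this thread plus apt's standard missing-key message.

```shell
#!/bin/sh
# Added example: classify apt signature failures by gpgv status token.

# Constructed sample: the old key is installed but has expired.
SAMPLE_EXPIRED='W: GPG error: https://pkg.jenkins.io/debian-stable binary/ Release: The following signatures were invalid: EXPKEYSIG FCEF32E745F2C3D5 Jenkins Project
W: Failed to fetch http://pkg.jenkins.io/debian-stable/binary/Release.gpg  The following signatures were invalid: EXPKEYSIG FCEF32E745F2C3D5 Jenkins Project'

# Constructed sample: only a different key is installed, so the key that
# signed this release is absent from the keyring.
SAMPLE_NEWKEY_ONLY="W: GPG error: https://pkg.jenkins.io/debian-stable binary/ Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY FCEF32E745F2C3D5"

# Reads apt output on stdin and prints one "TOKEN KEYID meaning" line per
# distinct failure. Repeated warnings for the same key collapse to one line.
apt_sig_findings() {
    grep -oE '(EXPKEYSIG|REVKEYSIG|EXPSIG|BADSIG|NO_PUBKEY) [0-9A-F]{16,40}' |
    sort -u |
    while read -r token keyid; do
        case $token in
            EXPKEYSIG) why='signature is valid but the signing key has expired' ;;
            REVKEYSIG) why='signing key has been revoked' ;;
            EXPSIG)    why='the signature itself has expired' ;;
            BADSIG)    why='signature does not match the signed data' ;;
            NO_PUBKEY) why='signing key is not in the keyring apt consulted' ;;
        esac
        printf '%s %s %s\n' "$token" "$keyid" "$why"
    done
}

# Gate for an image build: returns 0 when the captured apt output contains
# no signature failure, otherwise prints the findings to stderr and returns 1.
apt_sig_gate() {
    findings=$(apt_sig_findings)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" >&2
    return 1
}

printf '%s\n' "$SAMPLE_EXPIRED" | apt_sig_findings
printf '%s\n' "$SAMPLE_NEWKEY_ONLY" | apt_sig_findings
```

In a build script the gate can read the combined output of `apt-get update`, which otherwise exits successfully while only printing these warnings.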



Re: Jenkins LTS Debian signing key?

2023-03-30 Thread Alex Earl
I take that back, it only works for the weekly release, not the stable.

On Thu, Mar 30, 2023 at 10:36 AM Alex Earl wrote:

> I just ran into the same thing, I updated to the new key and it works fine
> now.
>
> On Thu, Mar 30, 2023 at 10:13 AM alan.l...@gmail.com <
> alan.l.spa...@gmail.com> wrote:
>
>> Tried to build a Jenkins image here this morning and getting signing
>> errors on the repo:
>>
>> W: An error occurred during the signature verification. The repository is
>> not updated and the previous index files will be used. GPG error:
>> https://pkg.jenkins.io/debian-stable binary/ Release: The following
>> signatures were invalid: EXPKEYSIG FCEF32E745F2C3D5 Jenkins Project <
>> jenkinsci-bo...@googlegroups.com>
>> W: Failed to fetch http://pkg.jenkins.io/debian-stable/binary/Release.gpg
>>  The following signatures were invalid: EXPKEYSIG FCEF32E745F2C3D5 Jenkins
>> Project 
>> W: Some index files failed to download. They have been ignored, or old
>> ones used instead.
>>
>> I see a post on the Jenkins blog about the key changing, but it says
>> April 5, and we're not then yet.  What has changed for Ubuntu users?  the
>> old key doesn't seem to work, nor does the new one.  I'm using the same
>> repo configuration:
>> deb https://pkg.jenkins.io/debian-stable binary/
>>
>> What has changed?
>>
>> Following instructions for 2.387.1 at:
>>
>> https://www.jenkins.io/doc/book/installing/linux/#long-term-support-release
>>
>>
>
>
> --
> Website: http://earl-of-code.com
>


-- 
Website: http://earl-of-code.com



Re: Jenkins LTS Debian signing key?

2023-03-30 Thread Alex Earl
I just ran into the same thing, I updated to the new key and it works fine
now.

On Thu, Mar 30, 2023 at 10:13 AM alan.l...@gmail.com <
alan.l.spa...@gmail.com> wrote:

> Tried to build a Jenkins image here this morning and getting signing
> errors on the repo:
>
> W: An error occurred during the signature verification. The repository is
> not updated and the previous index files will be used. GPG error:
> https://pkg.jenkins.io/debian-stable binary/ Release: The following
> signatures were invalid: EXPKEYSIG FCEF32E745F2C3D5 Jenkins Project <
> jenkinsci-bo...@googlegroups.com>
> W: Failed to fetch http://pkg.jenkins.io/debian-stable/binary/Release.gpg
>  The following signatures were invalid: EXPKEYSIG FCEF32E745F2C3D5 Jenkins
> Project 
> W: Some index files failed to download. They have been ignored, or old
> ones used instead.
>
> I see a post on the Jenkins blog about the key changing, but it says April
> 5, and we're not then yet.  What has changed for Ubuntu users?  the old key
> doesn't seem to work, nor does the new one.  I'm using the same repo
> configuration:
> deb https://pkg.jenkins.io/debian-stable binary/
>
> What has changed?
>
> Following instructions for 2.387.1 at:
> https://www.jenkins.io/doc/book/installing/linux/#long-term-support-release
>
>


-- 
Website: http://earl-of-code.com



Jenkins LTS Debian signing key?

2023-03-30 Thread alan.l...@gmail.com
Tried to build a Jenkins image here this morning and getting signing errors 
on the repo:

W: An error occurred during the signature verification. The repository is 
not updated and the previous index files will be used. GPG error: 
https://pkg.jenkins.io/debian-stable binary/ Release: The following 
signatures were invalid: EXPKEYSIG FCEF32E745F2C3D5 Jenkins Project 

W: Failed to fetch http://pkg.jenkins.io/debian-stable/binary/Release.gpg 
 The following signatures were invalid: EXPKEYSIG FCEF32E745F2C3D5 Jenkins 
Project 
W: Some index files failed to download. They have been ignored, or old ones 
used instead.

I see a post on the Jenkins blog about the key changing, but it says April 
5, and we're not then yet.  What has changed for Ubuntu users?  the old key 
doesn't seem to work, nor does the new one.  I'm using the same repo 
configuration:
deb https://pkg.jenkins.io/debian-stable binary/

What has changed?

Following instructions for 2.387.1 at:
https://www.jenkins.io/doc/book/installing/linux/#long-term-support-release
