Re: [OpenStack-Infra] JJB's use of inspect plugin info requires administrator permissions

[Zaro]

That's just a basic sample script.  Here's a script that will give you
more info:   
https://stackoverflow.com/questions/9815273/how-to-get-a-list-of-installed-jenkins-plugins-with-name-and-version-pair

-Khai

On Wed, Jun 15, 2016 at 4:32 PM, Thanh Ha  wrote:
> I took a look at the groovy script idea. I think it might work but would be
> a bit more involved than the example. It seems
> Jenkins.instance.pluginManager.plugins simply prints a list of all plugins
> without their details like version etc...
>
> Regards,
> Thanh
>
> On 14 June 2016 at 20:11, Zaro  wrote:
>>
>> Thanks for the clarification Andrew.  I almost thought you guys knew
>> something that upstream Jenkins didn't ; )  I am able to repro with
>> ver 1.651.2.  I agree with Thanh, the correct fix is to add a new ACLs
>> to jenkins security plugin to allow retrieving plugin info.  I've
>> reviewed Thanh's workaround and it seems ok to me.  The other possible
>> workaround you might consider is to create a user with 'Read' and
>> 'RunScripts' access which would allow running a groovy script [1] to
>> get the plugin info.
>>
>> [1]
>> https://python-jenkins.readthedocs.io/en/latest/api.html#jenkins.Jenkins.run_script
>>
>>
>> On Tue, Jun 14, 2016 at 12:44 PM, Andrew Grimberg
>>  wrote:
>> > On 06/14/2016 12:18 PM, Zaro wrote:
>> >> ahh, jenkins.io page confused me since it says latest LTS is 1.651.3
>> >>
>> >>
>> >> On Tue, Jun 14, 2016 at 12:13 PM, Darragh Bailey
>> >>  wrote:
>> >>> The 1.652.x series is an lts  release, so fixes were backported to it
>> >>> that
>> >>> are not in subsequent dev releases.
>> >>>
>> >>> Darragh Bailey
>> >>> "Nothing is foolproof to a sufficiently talented fool" - unknown
>> >>>
>> >>> On 14 Jun 2016 20:02, "Zaro"  wrote:
>> 
>>  - [ snippet ] 
>> >
>> > The behavior changed between 1.651.1 and 1.652.2.
>> >
>> > Specifically this was a security fix that came in with 1.652.2. See
>> > the
>> > security fixes [0] that came with the release notes. Search for
>> > SECURITY-250 or CVE-2016-3723.
>> >
>> > -Andy-
>> >
>> > [0]
>> >
>> >
>> > https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11
>> 
>>  Hmm.  I just tested with Jenkins ver 1.653 and was still able to
>>  access plugin info using REST api as an anonymous user.
>>  I enabled security with following settings:
>>   * jenkins own db
>>   * logged-in user can do anything
>>   * prevent cross site request
>> 
>>  While not logged in I can get plugin info using
>>  '/pluginManager/api/json?depth=1'
>> 
>>  Maybe this there's some setting you have enabled that's causing your
>>  jenkins to require admin to access plugin info?
>> >
>> > LTS is 1.651.x. My missive about the change being between 1.651.1 and
>> > 1.652.2 is incorrect. It's 1.651.1 and 1.651.2 that the security lock
>> > down occurred.
>> >
>> > As for what we have enabled in the security system. We use the matrix
>> > security setup.
>> >
>> > Our JJB user is granted rights inside the job category. To be specific:
>> >
>> > Job: Configure, Create, Delete, Discover, Read, Workspace
>> > Overall: Read
>> >
>> > There is no configuration option for listing the plugins. You only get
>> > access to it if you have Overall: Administer with the changes that came
>> > in with 1.651.2 unless there's a permission knob under the covers we
>> > haven't managed to figure out yet.
>> >
>> > -Andy-
>> >
>> > --
>> > Andrew J Grimberg
>> > Systems Administrator
>> > Release Engineering Team Lead
>> > The Linux Foundation
>> >
>
>
>
> ___
> OpenStack-Infra mailing list
> OpenStack-Infra@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra
>

___
OpenStack-Infra mailing list
OpenStack-Infra@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra

Re: [OpenStack-Infra] JJB's use of inspect plugin info requires administrator permissions

[Thanh Ha]

I took a look at the groovy script idea. I think it might work but would be
a bit more involved than the example. It seems
Jenkins.instance.pluginManager.plugins simply prints a list of all plugins
without their details like version etc...

Regards,
Thanh

On 14 June 2016 at 20:11, Zaro  wrote:

> Thanks for the clarification Andrew.  I almost thought you guys knew
> something that upstream Jenkins didn't ; )  I am able to repro with
> ver 1.651.2.  I agree with Thanh, the correct fix is to add a new ACLs
> to jenkins security plugin to allow retrieving plugin info.  I've
> reviewed Thanh's workaround and it seems ok to me.  The other possible
> workaround you might consider is to create a user with 'Read' and
> 'RunScripts' access which would allow running a groovy script [1] to
> get the plugin info.
>
> [1]
> https://python-jenkins.readthedocs.io/en/latest/api.html#jenkins.Jenkins.run_script
>
>
> On Tue, Jun 14, 2016 at 12:44 PM, Andrew Grimberg
>  wrote:
> > On 06/14/2016 12:18 PM, Zaro wrote:
> >> ahh, jenkins.io page confused me since it says latest LTS is 1.651.3
> >>
> >>
> >> On Tue, Jun 14, 2016 at 12:13 PM, Darragh Bailey
> >>  wrote:
> >>> The 1.652.x series is an lts  release, so fixes were backported to it
> that
> >>> are not in subsequent dev releases.
> >>>
> >>> Darragh Bailey
> >>> "Nothing is foolproof to a sufficiently talented fool" - unknown
> >>>
> >>> On 14 Jun 2016 20:02, "Zaro"  wrote:
> 
>  - [ snippet ] 
> >
> > The behavior changed between 1.651.1 and 1.652.2.
> >
> > Specifically this was a security fix that came in with 1.652.2. See
> the
> > security fixes [0] that came with the release notes. Search for
> > SECURITY-250 or CVE-2016-3723.
> >
> > -Andy-
> >
> > [0]
> >
> >
> https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11
> 
>  Hmm.  I just tested with Jenkins ver 1.653 and was still able to
>  access plugin info using REST api as an anonymous user.
>  I enabled security with following settings:
>   * jenkins own db
>   * logged-in user can do anything
>   * prevent cross site request
> 
>  While not logged in I can get plugin info using
>  '/pluginManager/api/json?depth=1'
> 
>  Maybe this there's some setting you have enabled that's causing your
>  jenkins to require admin to access plugin info?
> >
> > LTS is 1.651.x. My missive about the change being between 1.651.1 and
> > 1.652.2 is incorrect. It's 1.651.1 and 1.651.2 that the security lock
> > down occurred.
> >
> > As for what we have enabled in the security system. We use the matrix
> > security setup.
> >
> > Our JJB user is granted rights inside the job category. To be specific:
> >
> > Job: Configure, Create, Delete, Discover, Read, Workspace
> > Overall: Read
> >
> > There is no configuration option for listing the plugins. You only get
> > access to it if you have Overall: Administer with the changes that came
> > in with 1.651.2 unless there's a permission knob under the covers we
> > haven't managed to figure out yet.
> >
> > -Andy-
> >
> > --
> > Andrew J Grimberg
> > Systems Administrator
> > Release Engineering Team Lead
> > The Linux Foundation
> >
>
___
OpenStack-Infra mailing list
OpenStack-Infra@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra

Re: [OpenStack-Infra] JJB's use of inspect plugin info requires administrator permissions

[Zaro]

Thanks for the clarification Andrew.  I almost thought you guys knew
something that upstream Jenkins didn't ; )  I am able to repro with
ver 1.651.2.  I agree with Thanh, the correct fix is to add a new ACLs
to jenkins security plugin to allow retrieving plugin info.  I've
reviewed Thanh's workaround and it seems ok to me.  The other possible
workaround you might consider is to create a user with 'Read' and
'RunScripts' access which would allow running a groovy script [1] to
get the plugin info.

[1] 
https://python-jenkins.readthedocs.io/en/latest/api.html#jenkins.Jenkins.run_script


On Tue, Jun 14, 2016 at 12:44 PM, Andrew Grimberg
 wrote:
> On 06/14/2016 12:18 PM, Zaro wrote:
>> ahh, jenkins.io page confused me since it says latest LTS is 1.651.3
>>
>>
>> On Tue, Jun 14, 2016 at 12:13 PM, Darragh Bailey
>>  wrote:
>>> The 1.652.x series is an lts  release, so fixes were backported to it  that
>>> are not in subsequent dev releases.
>>>
>>> Darragh Bailey
>>> "Nothing is foolproof to a sufficiently talented fool" - unknown
>>>
>>> On 14 Jun 2016 20:02, "Zaro"  wrote:

 - [ snippet ] 
>
> The behavior changed between 1.651.1 and 1.652.2.
>
> Specifically this was a security fix that came in with 1.652.2. See the
> security fixes [0] that came with the release notes. Search for
> SECURITY-250 or CVE-2016-3723.
>
> -Andy-
>
> [0]
>
> https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11

 Hmm.  I just tested with Jenkins ver 1.653 and was still able to
 access plugin info using REST api as an anonymous user.
 I enabled security with following settings:
  * jenkins own db
  * logged-in user can do anything
  * prevent cross site request

 While not logged in I can get plugin info using
 '/pluginManager/api/json?depth=1'

 Maybe this there's some setting you have enabled that's causing your
 jenkins to require admin to access plugin info?
>
> LTS is 1.651.x. My missive about the change being between 1.651.1 and
> 1.652.2 is incorrect. It's 1.651.1 and 1.651.2 that the security lock
> down occurred.
>
> As for what we have enabled in the security system. We use the matrix
> security setup.
>
> Our JJB user is granted rights inside the job category. To be specific:
>
> Job: Configure, Create, Delete, Discover, Read, Workspace
> Overall: Read
>
> There is no configuration option for listing the plugins. You only get
> access to it if you have Overall: Administer with the changes that came
> in with 1.651.2 unless there's a permission knob under the covers we
> haven't managed to figure out yet.
>
> -Andy-
>
> --
> Andrew J Grimberg
> Systems Administrator
> Release Engineering Team Lead
> The Linux Foundation
>

___
OpenStack-Infra mailing list
OpenStack-Infra@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra

Re: [OpenStack-Infra] JJB's use of inspect plugin info requires administrator permissions

[Andrew Grimberg]

On 06/14/2016 12:18 PM, Zaro wrote:
> ahh, jenkins.io page confused me since it says latest LTS is 1.651.3
> 
> 
> On Tue, Jun 14, 2016 at 12:13 PM, Darragh Bailey
>  wrote:
>> The 1.652.x series is an lts  release, so fixes were backported to it  that
>> are not in subsequent dev releases.
>>
>> Darragh Bailey
>> "Nothing is foolproof to a sufficiently talented fool" - unknown
>>
>> On 14 Jun 2016 20:02, "Zaro"  wrote:
>>>
>>> - [ snippet ] 

 The behavior changed between 1.651.1 and 1.652.2.

 Specifically this was a security fix that came in with 1.652.2. See the
 security fixes [0] that came with the release notes. Search for
 SECURITY-250 or CVE-2016-3723.

 -Andy-

 [0]

 https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11
>>>
>>> Hmm.  I just tested with Jenkins ver 1.653 and was still able to
>>> access plugin info using REST api as an anonymous user.
>>> I enabled security with following settings:
>>>  * jenkins own db
>>>  * logged-in user can do anything
>>>  * prevent cross site request
>>>
>>> While not logged in I can get plugin info using
>>> '/pluginManager/api/json?depth=1'
>>>
>>> Maybe this there's some setting you have enabled that's causing your
>>> jenkins to require admin to access plugin info?

LTS is 1.651.x. My missive about the change being between 1.651.1 and
1.652.2 is incorrect. It's 1.651.1 and 1.651.2 that the security lock
down occurred.

As for what we have enabled in the security system. We use the matrix
security setup.

Our JJB user is granted rights inside the job category. To be specific:

Job: Configure, Create, Delete, Discover, Read, Workspace
Overall: Read

There is no configuration option for listing the plugins. You only get
access to it if you have Overall: Administer with the changes that came
in with 1.651.2 unless there's a permission knob under the covers we
haven't managed to figure out yet.

-Andy-

-- 
Andrew J Grimberg
Systems Administrator
Release Engineering Team Lead
The Linux Foundation



signature.asc
Description: OpenPGP digital signature
___
OpenStack-Infra mailing list
OpenStack-Infra@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra

Re: [OpenStack-Infra] JJB's use of inspect plugin info requires administrator permissions

[Zaro]

ahh, jenkins.io page confused me since it says latest LTS is 1.651.3


On Tue, Jun 14, 2016 at 12:13 PM, Darragh Bailey
 wrote:
> The 1.652.x series is an lts  release, so fixes were backported to it  that
> are not in subsequent dev releases.
>
> Darragh Bailey
> "Nothing is foolproof to a sufficiently talented fool" - unknown
>
> On 14 Jun 2016 20:02, "Zaro"  wrote:
>>
>> - [ snippet ] 
>> >
>> > The behavior changed between 1.651.1 and 1.652.2.
>> >
>> > Specifically this was a security fix that came in with 1.652.2. See the
>> > security fixes [0] that came with the release notes. Search for
>> > SECURITY-250 or CVE-2016-3723.
>> >
>> > -Andy-
>> >
>> > [0]
>> >
>> > https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11
>>
>> Hmm.  I just tested with Jenkins ver 1.653 and was still able to
>> access plugin info using REST api as an anonymous user.
>> I enabled security with following settings:
>>  * jenkins own db
>>  * logged-in user can do anything
>>  * prevent cross site request
>>
>> While not logged in I can get plugin info using
>> '/pluginManager/api/json?depth=1'
>>
>> Maybe this there's some setting you have enabled that's causing your
>> jenkins to require admin to access plugin info?

___
OpenStack-Infra mailing list
OpenStack-Infra@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra

Re: [OpenStack-Infra] JJB's use of inspect plugin info requires administrator permissions

[Darragh Bailey]

The 1.652.x series is an lts  release, so fixes were backported to it  that
are not in subsequent dev releases.

Darragh Bailey
"Nothing is foolproof to a sufficiently talented fool" - unknown
On 14 Jun 2016 20:02, "Zaro"  wrote:

> - [ snippet ] 
> >
> > The behavior changed between 1.651.1 and 1.652.2.
> >
> > Specifically this was a security fix that came in with 1.652.2. See the
> > security fixes [0] that came with the release notes. Search for
> > SECURITY-250 or CVE-2016-3723.
> >
> > -Andy-
> >
> > [0]
> >
> https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11
>
> Hmm.  I just tested with Jenkins ver 1.653 and was still able to
> access plugin info using REST api as an anonymous user.
> I enabled security with following settings:
>  * jenkins own db
>  * logged-in user can do anything
>  * prevent cross site request
>
> While not logged in I can get plugin info using
> '/pluginManager/api/json?depth=1'
>
> Maybe this there's some setting you have enabled that's causing your
> jenkins to require admin to access plugin info?
>
___
OpenStack-Infra mailing list
OpenStack-Infra@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra

Re: [OpenStack-Infra] JJB's use of inspect plugin info requires administrator permissions

[Zaro]

- [ snippet ] 
>
> The behavior changed between 1.651.1 and 1.652.2.
>
> Specifically this was a security fix that came in with 1.652.2. See the
> security fixes [0] that came with the release notes. Search for
> SECURITY-250 or CVE-2016-3723.
>
> -Andy-
>
> [0]
> https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11

Hmm.  I just tested with Jenkins ver 1.653 and was still able to
access plugin info using REST api as an anonymous user.
I enabled security with following settings:
 * jenkins own db
 * logged-in user can do anything
 * prevent cross site request

While not logged in I can get plugin info using
'/pluginManager/api/json?depth=1'

Maybe this there's some setting you have enabled that's causing your
jenkins to require admin to access plugin info?

___
OpenStack-Infra mailing list
OpenStack-Infra@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra

Re: [OpenStack-Infra] JJB's use of inspect plugin info requires administrator permissions

[Thanh Ha]

On 8 June 2016 at 08:51, Darragh Bailey  wrote:

> On 7 June 2016 at 21:35, Thanh Ha  wrote:
>
>> Taking a look at the code, I realized the test command allowed spoofing
>> of the plugins_info. I thought I'd try and see what happens if we allowed
>> spoofing with the update command too and submitted this patch:
>>
>> https://review.openstack.org/326722
>>
>> I'm wondering if this could be a possible solution to the Administrator
>> permissions issue assuming that providing the plugins_info yaml file causes
>> JJB to not query the live Jenkins system for the info.
>>
>
> Definitely worth looking at, though probably worth digging in first to
> understand why the information couldn't be retrieved in case some
> documentation is needed to help users.
>

As Andy mentioned it looks like it was introduced in Jenkins 1.652.2 which
we upgraded to this past weekend so now this problem is affecting us
although not completely just yet. Luckily we do not currently use any of
the features that need plugin_info for so we're able to take advantage of
the query_plugins_info=False setting to disable it but we should definitely
find a solution to this issue.

I updated my patch:

 https://review.openstack.org/326722/

>From my testing this patch seems to work and I introduced a new command
called "generate-plugins-info" I'm not sure what the best name for it is
but it will generate a plugins_info.yaml file which can be stored somewhere
and shared with users who can then pull it in via the "update -p
plugins_info.yaml" parameter.

Regards,
Thanh
___
OpenStack-Infra mailing list
OpenStack-Infra@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra

Re: [OpenStack-Infra] JJB's use of inspect plugin info requires administrator permissions

[Andrew Grimberg]

On 06/08/2016 05:51 AM, Darragh Bailey wrote:

--[snip]--

> 
> Unfortunately it's come to our attention that this feature in
> Jenkins requires the Administrator permission which can be
> problematic if you have an environment where you prefer not to
> give this permission out. I think the ideal solution is to build
> into Jenkins a separate permission for viewing plugin
> information. I'll try contacting Jenkins devs to see if this is
> something they can do inside Jenkins.
> 
> 
> 
> Curious to know what version of Jenkins you used? Is this a new security
> feature added by recent versions, or is it something depending on what
> other permissions have been enabled by default for various users?
> 
> Because I can query a 1.565.3 installation of Jenkins for it's list of
> plugins as an anonyous user using the following URL:

The behavior changed between 1.651.1 and 1.652.2.

Specifically this was a security fix that came in with 1.652.2. See the
security fixes [0] that came with the release notes. Search for
SECURITY-250 or CVE-2016-3723.

-Andy-

[0]
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11

-- 
Andrew J Grimberg
Systems Administrator
Release Engineering Team Lead
The Linux Foundation



signature.asc
Description: OpenPGP digital signature
___
OpenStack-Infra mailing list
OpenStack-Infra@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra

Re: [OpenStack-Infra] JJB's use of inspect plugin info requires administrator permissions

[Darragh Bailey]

Hi Thanh,


Comments inline.


On 7 June 2016 at 21:35, Thanh Ha  wrote:

> Taking a look at the code, I realized the test command allowed spoofing of
> the plugins_info. I thought I'd try and see what happens if we allowed
> spoofing with the update command too and submitted this patch:
>
> https://review.openstack.org/326722
>
> I'm wondering if this could be a possible solution to the Administrator
> permissions issue assuming that providing the plugins_info yaml file causes
> JJB to not query the live Jenkins system for the info.
>

Definitely worth looking at, though probably worth digging in first to
understand why the information couldn't be retrieved in case some
documentation is needed to help users.



> On 7 June 2016 at 15:34, Thanh Ha  wrote:
>
>> Hi Everyone,
>>
> 

> Unfortunately it's come to our attention that this feature in Jenkins
>> requires the Administrator permission which can be problematic if you have
>> an environment where you prefer not to give this permission out. I think
>> the ideal solution is to build into Jenkins a separate permission for
>> viewing plugin information. I'll try contacting Jenkins devs to see if this
>> is something they can do inside Jenkins.
>>
>

Curious to know what version of Jenkins you used? Is this a new security
feature added by recent versions, or is it something depending on what
other permissions have been enabled by default for various users?

Because I can query a 1.565.3 installation of Jenkins for it's list of
plugins as an anonyous user using the following URL:

/pluginManager/api/json?depth=1

Perhaps it's a new behaviour for the 2.x series to prevent access to this
part of the XML API by default?

Definitely worth following up with Jenkins devs after looking closely at
the permissions with your



> Failing that maybe we can somehow make the plugin info optional in JJB?
>> any thoughts around this topic?
>>
>> One of our use cases with this is that we have a sandbox instance of
>> Jenkins deployed for our community to test jobs with however for obvious
>> reasons we cannot give folks administrator access to this instance but
>> unfortunately if someone is trying to use a plugin (such as the Slack
>> plugin) that needs to inspect plugin versions jjb fails to push the job.
>>
>

I'd like to know what's changed either way, if we do need additional privs
to read this information over being a normal user, or if some privilege in
something like the matrix security plugin or role based authentication
plugin is needed, it would be important to be able to call this out in the
documentation.

That way if you don't want to make this information directly available to
JJB, you could still allow an approved script (that runs with higher
privileges) to be run as a build step to generate the plugins info for it
to be read in by the user running JJB.

-- 
Darragh Bailey
"Nothing is foolproof to a sufficiently talented fool"
___
OpenStack-Infra mailing list
OpenStack-Infra@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra

Re: [OpenStack-Infra] JJB's use of inspect plugin info requires administrator permissions

[Thanh Ha]

Taking a look at the code, I realized the test command allowed spoofing of
the plugins_info. I thought I'd try and see what happens if we allowed
spoofing with the update command too and submitted this patch:

https://review.openstack.org/326722

I'm wondering if this could be a possible solution to the Administrator
permissions issue assuming that providing the plugins_info yaml file causes
JJB to not query the live Jenkins system for the info.

Regards,
Thanh

On 7 June 2016 at 15:34, Thanh Ha  wrote:

> Hi Everyone,
>
> I've been meaning to bring this up for awhile. It seems some plugins are
> getting a bit smarter and using the "parser.registry.get_plugin_info"
> command to parse plugin versions to figure out what version of a plugin is
> installed in Jenkins.
>
> Unfortunately it's come to our attention that this feature in Jenkins
> requires the Administrator permission which can be problematic if you have
> an environment where you prefer not to give this permission out. I think
> the ideal solution is to build into Jenkins a separate permission for
> viewing plugin information. I'll try contacting Jenkins devs to see if this
> is something they can do inside Jenkins.
>
> Failing that maybe we can somehow make the plugin info optional in JJB?
> any thoughts around this topic?
>
> One of our use cases with this is that we have a sandbox instance of
> Jenkins deployed for our community to test jobs with however for obvious
> reasons we cannot give folks administrator access to this instance but
> unfortunately if someone is trying to use a plugin (such as the Slack
> plugin) that needs to inspect plugin versions jjb fails to push the job.
>
> Regards,
> Thanh
>
>
___
OpenStack-Infra mailing list
OpenStack-Infra@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra