Submitted by rtyler on Tue, 2010-11-30 05:30
There's been a lot of discussion on the new mailing lists as of late regarding some of the infrastructure and ownership of the Hudson project. In case you haven't been following along at home, I'll try to catch you up as impartially as possible.
- 2009.06.02: After substantial problems with Java.net infrastructure, the dev community discusses new infrastructure including SourceForge, Google Code, Kenai, Berlios, GitHub, etc. Instead of moving the entire project, some key components such as issues.hudson-ci.org are moved off of Java.net. Discussions about moving source code off of Java.net and onto other hosts like GitHub come up almost every four months on the mailing lists, typically coinciding with serious Java.net downtime or reliability issues.
- 2010.11.01: A discussion occurs on the developers mailing list about adding Winston Prakash, the Oracle engineer re-assigned to replace Kohsuke Kawaguchi (Hudson founder/lead developer), as a co-owner of the Java.net project. Winston mentions that his question was driven by Oracle management, who felt he should "co-own the project." After a round of discussion, the devs list decides that it's acceptable and grants Winston co-ownership of the project as a sign of good faith from the community towards Oracle.
- 2010.11.17: Andrew Bayer, core contributor and maintainer of numerous plugins, emails the users and devs lists with a proposal to move the mailing lists off of Java.net, which has had notorious reliability issues within the Java ecosystem and was scheduled for a series of downtimes and migrations over the coming weeks. Google Groups is selected as the most reasonable option by the community.
- 2010.11.19: Hudson project is lumped into the same Java.net migration bucket as Glassfish. Emails are sent to project owners, the users and the developers list. The mail to users and developers never arrives due to the sender not being subscribed. Both project owners (Kohsuke, Winston) miss the message, leaving the Hudson community in the dark regarding the pending migration.
- 2010.11.22: Shortly after midnight, Jacob Robertson reports that his SVN credentials no longer work. Kohsuke informs the developers list that the project is locked due to the migration; SVN is inaccessible, and the mailing lists fail shortly after that. The Hudson Java.net project begins its migration from the legacy infrastructure to the newer Java.net infrastructure (formerly known as "Kenai"). A group of core Hudson community members accelerates the move to Google Groups, pushing out announcements via this twitter hoping to keep as many members in the loop as possible.
- 2010.11.23: Frustrated by the locking down of Hudson's source code, which sees between 3-8 commits to "core" a day, not counting the 300+ plugins, Kohsuke proposes moving to GitHub on the new developers mailing list. The general consensus amongst the plugin and core developers was to go forward with moving to GitHub; no major objections were raised by the developer community.
- 2010.11.27: After Thanksgiving, Andrew Bayer submits the "formal proposal" for migrating over to GitHub and sets a deadline of the following Tuesday (2010.11.30) for raising any major objections before "flipping the switch."
The Monday morning prior to the planned switchover to GitHub, Oracle Senior VP of Tools and Middleware Ted Farrell sent a message to the users list expressing concerns he had regarding the migration of the Hudson codebase from Java.net to GitHub:
As Kohsuke mentioned in this post, the Java.net migration has caught just about everybody off-guard in the Hudson community.
The tools we use hosted by Java.net are essentially locked from us until further notice (no ETA on the migration), which is, as you might imagine, frustrating both for the core developers and for the hundreds of plugin developers that make Hudson the best damned CI server on the planet.
For source code we're working on getting something in place for contributions on GitHub thanks to some assistance from the GitHub team.
For mailing lists we've gone ahead and dumped Java.net mailing lists in favor of a collection of Google Groups:
Contrary to popular belief, you do not need a Google account to subscribe to these lists, else we wouldn't have chosen Google Groups. All you need to do is send an email to "firstname.lastname@example.org" and you'll receive a confirmation email from the mailing list server shortly.
Since our issues.hudson-ci.org isn't actually hosted on Java.net, but rather on a machine provided by Oracle, they should continue to function as per usual. The login for the systems is somewhat tied to Java.net so I am honestly not sure how stable they will be this week.
I apologize sincerely for the confusion and frustration; you can trust that we're likely ten times more frustrated with this situation right now.
In late 2008, the Hudson team released version 1.264 which added an anonymous reporting feature (you can opt out in the "Manage Hudson" screen). The reporting feature has been sending information back to the Hudson team to help us understand how Hudson is used in aggregate; the info being reported includes the number of jobs configured, slave configurations, what plugins (and what versions of those plugins) are installed, and more. This data has not been available publicly until now! The raw data needed to be decrypted and scrubbed of any potentially identifying information, such as non-public plugin names or usernames in snapshot versions. We've finally scrubbed the data and are making it available!
The data is currently in monthly JSON bundles, organized by unique install key. We've filtered out reports of installations without any jobs configured, as well as any installations with only one report in a given month.
Hot on the heels of Hudson 1.370, which was released last Friday, the Hudson team released 1.371 which addresses a critical vulnerability in all Hudson versions prior to 1.371. The vulnerability was disclosed by InfraDNA in the following security advisory, which details the issue:
This critical vulnerability allows an attacker to use CLI commands that they are otherwise unauthorized for. CLI commands can perform various administrative operations.
It is advised that all Hudson instances be upgraded immediately to avoid data loss or other ill effects from this issue. If you're upgrading from a version earlier than 1.370, you can consult the changelog for details on the other bug fixes and enhancements covered by the upgrade of your version to 1.371.
If you run a Hudson instance, it is recommended that Hudson system admins subscribe to either the security advisories RSS feed or the advisories@ mailing list.