[LOW] CVE-2016-6637 UAA CSRF Vulnerability for OAuth Approvals

Molly Crowther
 

CVE-2016-6637 UAA CSRF Vulnerability for OAuth Approvals
Severity

Low

Vendor

Cloud Foundry Foundation

Versions Affected

- Cloud Foundry release v241 and earlier versions
- UAA release v2.0.0 - v2.7.4.6 & v3.0.0 - v3.6.0
- UAA bosh release v15 & earlier versions

Description

The profile and authorize approval pages do not contain CSRF tokens, making
an exploit to approve or deny scopes possible.

Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

- Upgrade to Cloud Foundry v242 [1] or later
- For standalone UAA users
- For users using UAA Version 3.0.0 - 3.6.0, please upgrade to UAA
  Release to v3.7.0 [2], v3.4.4 [3] or v3.3.0.5 [4]
- For users using standalone UAA Version 2.X.X, please upgrade to UAA
  Release to v2.7.4.7 [5]
- For users using UAA bosh release, please upgrade to UAA-Release v16
  [6] if upgrading to v3.7.0 [2], v12.5 [7] if upgrading to v3.4.4 [3] or
  v11.5 [8] if upgrading to v3.3.0.5 [4]

Credit

GE Digital Security Team

References

- [1] https://github.com/cloudfoundry/cf-release/releases/tag/v242
- [2] https://github.com/cloudfoundry/uaa/releases/tag/3.7.0
- [3] https://github.com/cloudfoundry/uaa/releases/tag/3.4.4
- [4] https://github.com/cloudfoundry/uaa/releases/tag/3.3.0.5
- [5] https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.7
- [6] https://github.com/cloudfoundry/uaa-release/releases/tag/v16
- [7] https://github.com/cloudfoundry/uaa-release/releases/tag/v12.5
- [8] https://github.com/cloudfoundry/uaa-release/releases/tag/v11.5

History

2016-09-26: Initial vulnerability report published
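
An added illustration of the condition this advisory describes, not code from UAA or from the advisory: an approval handler that trusts the session alone, next to one that requires a session-bound CSRF token. The form layout (`scope.<name>` fields, a `_csrf` field), the handler names and the session dictionary are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed for this example; a real service loads its key from configuration.
SERVER_KEY = secrets.token_bytes(32)


def _mac(session_id: str, nonce: str) -> str:
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str) -> str:
    """Value rendered into a hidden field of the approval form for this session."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def csrf_token_valid(session_id: str, token: Optional[str]) -> bool:
    """True only for a token that was issued for this exact session."""
    if not token or token.count(".") != 1:
        return False
    nonce, mac = token.split(".")
    expected = _mac(session_id, nonce)
    # Compare as bytes so non-ASCII input cannot raise inside compare_digest.
    return hmac.compare_digest(mac.encode(), expected.encode())


def _apply_decisions(session: dict, form: dict) -> None:
    # Hypothetical form layout: one "scope.<name>" field per scope, value approve/deny.
    for field, value in form.items():
        if field.startswith("scope.") and value in ("approve", "deny"):
            session["approvals"][field[len("scope."):]] = value == "approve"


def handle_approval_without_token(session: dict, form: dict) -> int:
    """The advisory's condition: the session alone authorizes the change."""
    _apply_decisions(session, form)
    return 200


def handle_approval_with_token(session: dict, form: dict) -> int:
    """Hardened handler: reject the POST unless it carries this session's token."""
    if not csrf_token_valid(session["id"], form.get("_csrf")):
        return 403
    _apply_decisions(session, form)
    return 200


def new_session(session_id: str) -> dict:
    """Constructed session record with one scope that starts out denied."""
    return {"id": session_id, "approvals": {"example.read": False}}


if __name__ == "__main__":
    # A request that arrives with the user's session but without the form's token.
    forged_form = {"scope.example.read": "approve"}

    s = new_session("sess-A")
    print("no token check :", handle_approval_without_token(s, forged_form), s["approvals"])

    s = new_session("sess-A")
    print("token required :", handle_approval_with_token(s, forged_form), s["approvals"])

    genuine = dict(forged_form, _csrf=issue_csrf_token("sess-A"))
    print("genuine form   :", handle_approval_with_token(s, genuine), s["approvals"])
```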


[MEDIUM] CVE-2016-6636 UAA Open Redirect Vulnerability for Subdomains

Molly Crowther
 

CVE-2016-6636 UAA Open Redirect Vulnerability for Subdomains
Severity

Medium

Vendor

Cloud Foundry Foundation

Versions Affected

- Cloud Foundry release v241 and earlier versions
- UAA release v2.0.0 - v2.7.4.6, v3.0.0 - v3.4.2
- UAA BOSH release v12.3 & earlier versions

Description

Subdomains in the redirect_uri are not properly validated during OAuth
authorization flow, making it possible to obtain implicit access tokens
using a different subdomain in the request. Clients with the implicit
authorization grant type are affected.

Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

- Upgrade to Cloud Foundry v242 [1] or later
- For standalone UAA users
- For users using UAA Version 3.0.0 - 3.4.2, please upgrade to UAA
  Release to v3.7.0 [2], v3.4.4 [3] or v3.3.0.5 [4]
- For users using standalone UAA Version 2.X.X, please upgrade to UAA
  Release to v2.7.4.7 [5]
- For users using UAA bosh release, please upgrade to UAA-Release v16
  [6] if upgrading to v3.7.0 [2], v12.5 [7] if upgrading to v3.4.4 [3] or
  v11.5 [8] if upgrading to v3.3.0.5 [4]

Credit

GE Digital Security Team

References

- [1] https://github.com/cloudfoundry/cf-release/releases/tag/v242
- [2] https://github.com/cloudfoundry/uaa/releases/tag/3.7.0
- [3] https://github.com/cloudfoundry/uaa/releases/tag/3.4.4
- [4] https://github.com/cloudfoundry/uaa/releases/tag/3.3.0.5
- [5] https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.7
- [6] https://github.com/cloudfoundry/uaa-release/releases/tag/v16
- [7] https://github.com/cloudfoundry/uaa-release/releases/tag/v12.5
- [8] https://github.com/cloudfoundry/uaa-release/releases/tag/v11.5

History

2016-09-26: Initial vulnerability report published
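
An added example of redirect_uri checking for the class of problem this advisory describes; it is not UAA's code and does not reproduce UAA's actual matching logic. `lax_match` is a deliberately weak, hypothetical check, `strict_match` compares every URI component against the registered value, and the `example.com` hosts are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample data: one registered redirect URI and requests to test against it.
REGISTERED = "https://app.example.com/callback"
CANDIDATES = [
    "https://app.example.com/callback",
    "https://APP.example.com:443/callback",
    "https://other.app.example.com/callback",
    "https://notapp.example.com/callback",
    "https://app.example.com/callback/../elsewhere",
    "https://user@app.example.com/callback",
]


def lax_match(registered: str, requested: str) -> bool:
    """Illustrative weak check: any host ending in the registered host passes."""
    reg, req = urlsplit(registered), urlsplit(requested)
    return req.scheme == reg.scheme and (req.hostname or "").endswith(reg.hostname or "")


def strict_match(registered: str, requested: str) -> bool:
    """Accept only a request whose scheme, host, port, path and query all match."""
    try:
        reg, req = urlsplit(registered), urlsplit(requested)
        reg_port = reg.port or DEFAULT_PORTS.get(reg.scheme)
        req_port = req.port or DEFAULT_PORTS.get(req.scheme)
    except ValueError:  # malformed port or host
        return False
    if not reg.hostname:
        return False
    # Userinfo changes how some clients resolve the host; a fragment is where an
    # implicit-grant token is appended, so the request must not bring its own.
    if req.username is not None or req.password is not None or req.fragment:
        return False
    return (req.scheme, req.hostname, req_port, req.path, req.query) == (
        reg.scheme, reg.hostname, reg_port, reg.path, reg.query)


def disagreements(registered: str, candidates: list) -> list:
    """Requests the weak check would accept but the strict check rejects."""
    return [c for c in candidates
            if lax_match(registered, c) and not strict_match(registered, c)]


if __name__ == "__main__":
    for uri in CANDIDATES:
        print(f"lax={lax_match(REGISTERED, uri)!s:5} "
              f"strict={strict_match(REGISTERED, uri)!s:5} {uri}")
```

Running both checks over an authorization server's registered clients and logged `redirect_uri` values shows which requests only a loose matcher would have let through.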


[HIGH] CVE-2016-6651: Privilege Escalation in UAA

Molly Crowther
 

CVE-2016-6651: Privilege Escalation in UAA
Severity

High

Vendor

Cloud Foundry Foundation

Versions Affected

- Cloud Foundry release v242 and earlier versions
- UAA release v3.7.0 & earlier versions
- UAA bosh release (uaa-release) v16 & earlier versions

Description

A privilege escalation vulnerability has been identified with the
/oauth/token endpoint in UAA allowing users to elevate the privileges in
the token issued.

Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

- Upgrade to Cloud Foundry v243 [1] or later
- For standalone UAA users
- For users using UAA Version 3.0.0 - 3.7.0, please upgrade to UAA
  Release to v3.7.3 [2], v3.4.5 [3] or v3.3.0.6 [4]
- For users using standalone UAA Version 2.X.X, please upgrade to UAA
  Release to v2.7.4.8 [5]
- For users using UAA bosh release, please upgrade to UAA-Release v17
  [6] if upgrading to v3.7.3 [2], v12.6 [7] if upgrading to v3.4.5 [3] or
  v11.7 [8] if upgrading to v3.3.0.6 [4]

Credit

SAP HCP Security Team

References

- [1] https://github.com/cloudfoundry/cf-release/releases/tag/v243
- [2] https://github.com/cloudfoundry/uaa/releases/tag/3.7.3
- [3] https://github.com/cloudfoundry/uaa/releases/tag/3.4.5
- [4] https://github.com/cloudfoundry/uaa/releases/tag/3.3.0.6
- [5] https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.8
- [6] https://github.com/cloudfoundry/uaa-release/releases/tag/v17
- [7] https://github.com/cloudfoundry/uaa-release/releases/tag/v12.6
- [8] https://github.com/cloudfoundry/uaa-release/releases/tag/v11.7

History

2016-09-26: Initial vulnerability report published


Re: FW: issue tracker permissions

Lisa Doan <ldoan@...>
 

Hi all -- a couple people reached out asking for a date for Viewers can
follow. We are currently targeting November of this year.

Thanks,
Lisa

On Mon, Sep 26, 2016 at 10:03 AM, Lisa Doan <ldoan(a)pivotal.io> wrote:

Hi all,

Just to re-iterate, we do have this feature prioritized on the Tracker
team. I'm sorry we haven't been able to deliver this yet, but there are a
number of other higher priority items that we must attend to before we can
begin this work. We will keep you posted as we get closer to implementing
this.

Thanks,
Lisa

On Sun, Sep 25, 2016 at 12:54 AM, Voelz, Marco <marco.voelz(a)sap.com>
wrote:

Dear Guillaume,

Thanks for your efforts in this direction. As I already stated before, it
is really a pain that you are not able to follow stories or comment when
not being a member in a Pivotaltracker project. However, github issues
aren’t more than a crutch, probably not even a good one.

For example, GH issues cannot be ordered. They are in the order of
creation, prioritization is not visible. Therefore, if you look e.g. at the
BOSH mirror [1], there are a bunch of “unstarted” and “unscheduled” issues,
the first “started” one comes on page 2. For bugs, it gets more confusing.
Most people have the github bot activated, which creates a PT story for
each GH issue created. This is already confusing, because you have two
places where potentially updates to this bug could be located in, and
nobody knows where to look. Add in the mirroring, and now you have three
places, see an example for the buildpacks [2]. All of this is not your
fault, it is a restriction on how GH deals with issues and the fact that
we’re distributing information over more than one place.

While I appreciate your efforts and time spent on this: I strongly feel
that is an issue that can only be solved by one of two options:
• The Pivotaltracker team implementing the necessary functionality
• Migrating to a different tracker

I’m trying all I can to push for the first option by talking to Dan and
Lisa, but other features seem to be more important to the PT team. In
November, it has been a year since I asked for this, so my confidence isn’t
very high that it is going to happen at all. For me that just means option
two is getting more and more realistic every day.

Warm regards
Marco

[1] https://github.com/cf-tm-bot/bosh/issues
[2] https://github.com/cloudfoundry/staticfile-buildpack/issues/85



-----Original Message-----
From: Guillaume Berche <bercheg(a)gmail.com>
Date: Saturday, 24 September 2016 at 12:29
To: "Discussions about Cloud Foundry projects and the system overall." <
cf-dev(a)lists.cloudfoundry.org>
Cc: Chip Childers <cchilders(a)cloudfoundry.org>, "cholick(a)gmail.com" <
cholick(a)gmail.com>, Dan Podsedly <dpodsedly(a)pivotal.io>, Lisa Doan <
ldoan(a)pivotal.io>, "Voelz, Marco" <marco.voelz(a)sap.com>
Subject: Re: [cf-dev] Re: FW: issue tracker permissions

Hi,


The mirroring of foundation projects is around 60% complete. See [5]
for more detailed coverage. This should enable community members to watch
the most active foundation backlogs. I received no notifications of
negative side effects of this mirroring so far. I'll proceed with
mirroring the remaining projects in the next days/weeks.

There are interesting next steps that could be tackled, such as
enabling commenting on the backlogs, or searching across all foundation
backlog history, see [3]. Let me know if you have interests in discussing
these next steps and current challenges faced by the mirroring process.
The upcoming Frankfurt cfsummit unconference on Monday might be a good
place for this, I'd propose a subject if I receive some interest.


Thanks,


Guillaume.

On Mon, Sep 5, 2016 at 10:21 PM, Guillaume Berche
<bercheg(a)gmail.com> wrote:

Hi,


We have prototyped at Orange an automatic mirroring of Pivotal
Tracker (PT) stories into github issues. See pivotaltrackermirror at [1],
and the experimental mirror of the buildpack tracker at [2]. I'd like to
thank the buildpacks team for accepting to join this experiment and
providing us with feedback in the past few weeks.

We hope this could bring the following benefits to the CF community:

1. allow use of the watching notifications
   <https://help.github.com/articles/about-notifications/#types-of-notifications>
   github feature to track progress on public pivotal trackers projects:
   all stories or selected stories of interest.
2. allow use of github search features
   <https://help.github.com/articles/searching-github> to search Pivotal
   Tracker content (e.g. across multiple mirrored PT projects, or along
   with other github repositories hosting the associated code)
3. allow use of github @mentions
   <https://help.github.com/articles/basic-writing-and-formatting-syntax/#mentioning-users-and-teams>
   to contact github accounts associated with PT public projects
   contributors, in the context with a specific mirrored story
4. mirrored content becomes discoverable: search engines index it,
   making it easier to find mirrored PT content such as a stack trace

This is still experimental work. We would like to hear community
feedback about this initiative (how is it useful?), as well as core
contributor teams (are there unexpected side-effects that need to be
handled beyond what we fixed so far [3]?) Do you have suggestions for
enhancements: can you comment/vote/improve in [3]?

Our plan is to progressively extend this experiment to more trackers
listed in [5] (in a rate of a few projects per week). Please report issues
on [3] if you observe negative side effects, or reply to this email if you
have concerns about this mirroring.

There is still a fair amount of work ahead to convert this experiment
into a stable tool, and opportunities to provide some new cool features to
the community. Contributions are welcome :-)



Thanks,


Guillaume.



ps: I also recently noticed a PT slack integration [4] that would
also cover use-case #1 (get notifications for all stories in a tracker).
I'm not yet sure what it takes to add it to a given channel.


[1] https://github.com/orange-cloudfoundry/pivotaltrackermirror
[2] https://github.com/cf-tm-bot/buildpacks
[3] https://github.com/orange-cloudfoundry/pivotaltrackermirror/issues
[4] https://cloudfoundry.slack.com/apps/A0F82E7H8-pivotal-tracker
[5] https://github.com/cloudfoundry-community/cf-docs-contrib/wiki

On Sun, May 29, 2016 at 8:05 PM, John Wong
<gokoproject(a)gmail.com> wrote:

Just an idea... Is there a feature in Tracker to always cc
someone/some email address? For non security and non confidential stories
we can Cc this email address automatically which will post to a google
group and a thread will be built as comment is added.
This at least allows a read-only mirror.


Just a thought...


On Sunday, May 29, 2016, Voelz, Marco <marco.voelz(a)sap.com> wrote:

Dear Dan, dear Lisa, dear Chip, dear community,

sorry for digging out this old issue again and again. If you are just
tuning in, here is the situation
• I like Pivotal Tracker as a product
• I have to use Tracker for my daily work, as it is currently mandatory
  for all CFF projects and all of them use it
• The restrictions in pivotal tracker make it hard to impossible to do
  the daily stuff you want to do within a large open-source community.

After initially bringing this up in November last year, here are a
few of the problems I addressed with Dan in a hangout session in February:
• To follow stories in a project you need to be a member of that
  project. Therefore, you cannot track progress on stories in other projects.
• To comment on stories, the same restrictions as above apply

It has been 3 months since Dan and I talked, I’ve checked back every
4 weeks with him and what I’ve heard so far is ideas. I haven’t seen a
prototype, any specifics on the current state, any planning details.
It’s not like I’m demanding this feature should be done by now – I just
want to know what is going on.

I have to say I am very unhappy in how this topic is treated. From my
point of view, it seems like there is a huge lack of transparency and
feedback. Please, let me know what’s going on.
I don’t want to switch to a different tracker, such as e.g. trello,
but if the requirements of a large open-source community aren’t heard, then
I don’t know what else to do about this.

Warm regards
Marco

PS: What about a public tracker backlog in tracker, so people can
follow their favorite feature stories and see where they are in the
planning and when they’re done?


On 16/01/16 13:09, "Voelz, Marco" <marco.voelz(a)sap.com> wrote:





Dear all,



it has now been more than a month since I sent my feedback concerning
this feature to the tracker team – I haven't received any reaction to it.

@Chip:
Is there an option you could weigh in for this from the Foundation
perspective? That would be great!



Sorry for being so stubborn about this, but in my opinion this is a
crucial feature for a bug tracker/backlog which is used in an open-source
product. I know that all the people working directly at pivotal don't
feel the pain, because they can either talk directly to everyone in
person or have the necessary rights to comment/follow in the other
projects, but for everyone else this is really, really a problem.



Warm regards

Marco



On 09/12/15 21:20, "Voelz, Marco" <marco.voelz(a)sap.com> wrote:




Thanks for pointing me to this link. However, we seem to have the
same problem here: This seems like a fire-and-forget solution. Where does
this item go? How can I send it to other people and have them +1 it,
like it, follow it, favorite it or whatever is necessary to indicate
that there is more than 1 person wanting this feature?




Thanks and warm regards

Marco



On 09/12/15 20:01, "Amit Gupta" <agupta(a)pivotal.io> wrote:




If you're logged in to Tracker, there's a "Help & Updates" link at
the top, and one of the options is Provide Feedback.


On Wed, Dec 9, 2015 at 10:59 AM, Voelz, Marco <marco.voelz(a)sap.com>
wrote:

I'd happily submit a feature request to build up some visible demand
for this – could you point me to the right channel here?




Thanks and warm regards

Marco



On 08/12/15 23:01, "Dieu Cao" <dcao(a)pivotal.io> wrote:





Unfortunately in order to follow a story in tracker, the minimum
required level is "member" which allows you to create/comment/delete
stories in tracker.

I would suggest submitting a request to the pivotal tracker team to
help build up evidence that this is a feature that people want.



-Dieu



On Tue, Dec 8, 2015 at 12:49 PM, Matt Cholick <cholick(a)gmail.com>
wrote:

Sorry to resurrect an older thread, but I wanted to chime in that
this is a frustration I have too. There are several stories in the various
CF teams public backlogs that I'd like to keep track of.


Is it possible for community members to get enough permissions on our
tracker accounts to add ourselves to the follow list?



-Matt



On Mon, Nov 23, 2015 at 3:10 AM, Koper, Dies <
diesk(a)fast.au.fujitsu.com> wrote:

Hi Marco, Jan,

I sent an email to Tracker support about that last week because we
were hoping to close CLI feature requests on GH and let people follow the
stories on Tracker. Support confirmed that people need to have R/W access
to a project to do that.
I have just replied to ask if they'd consider an enhancement. Not
sure what the proper channel would be to get such a story prioritized.
Will let you know if I get a reply.

Regards,
Dies Koper
Cloud Foundry CLI PM

-----Original Message-----
From: Voelz, Marco [mailto:marco.voelz(a)sap.com]
Sent: Monday, November 23, 2015 8:00 PM
To: Discussions about Cloud Foundry projects and the system overall.
Subject: [cf-dev] Re: FW: issue tracker permissions

Thanks Jan for bringing that up, I've had similar problems with that
as well. Any ideas on how to solve this? Is this a feature that the tracker
team actively works on?
Hitting cmd+r every few days on the same stories doesn't seem like
the best way to stay informed about your favorite features.

Warm regards
Marco



On 19/11/15 09:23, "Sievers, Jan" <jan.sievers(a)sap.com> wrote:

>>Hi,
>>
>>I was trying to watch a story I am interested in
>>https://www.pivotaltracker.com/n/projects/892938/stories/105493826
>>
>>
>>I do have an account but it seems I don't have permissions to watch nor to comment.
>>
>>Is there something I missed?
>>
>>Regards
>>Jan
>>

--
Sent from Jeff Dean's printf() mobile console


Re: FW: issue tracker permissions

Lisa Doan <ldoan@...>
 

Hi all,

Just to re-iterate, we do have this feature prioritized on the Tracker
team. I'm sorry we haven't been able to deliver this yet, but there are a
number of other higher priority items that we must attend to before we can
begin this work. We will keep you posted as we get closer to implementing
this.

Thanks,
Lisa

Re: FW: issue tracker permissions

Carlo Alberto Ferraris
 

Guillaume,
thank you so much! One beer at the next CF summit is on me. :)

Carlo


Re: [ANN] Utilities PMC projects graduating from incubation

Shah, Harshit
 

Thanks Mike and CF Community.

We would like to invite the attendees at CF Summit Europe this week to learn more about .NET tools integration and scenarios these projects enable.

Please join the office hours for info and questions you may have for engineers who have contributed these projects.

Date: Sep 28th ( Wed )
Time: 11 AM (Frankfurt time)
Location: HPE Booth (Booth #1 ) at CF Summit

Thanks
Harshit

From: Dr Nic Williams <drnicwilliams(a)gmail.com>
Date: Monday, September 26, 2016 at 7:31 AM
To: "Discussions about Cloud Foundry projects and the system overall." <cf-dev(a)lists.cloudfoundry.org>
Cc: "Shah, Harshit" <harshit.shah(a)hpe.com>
Subject: Re: [cf-dev] [ANN] Utilities PMC projects graduating from incubation

Thanks HPE!

On Mon, Sep 26, 2016 at 5:22 AM +0200, "Mike Dalessio" <mdalessio(a)pivotal.io> wrote:

Hi all,

In May 2015, the Utilities PMC began incubating a handful of .NET developer tools created and maintained by engineers at HPE.

These projects have been maintained by HPE over the last 16 months, and so I think it's overdue to move these projects out of Incubation and declare them to be Active Projects according to the CF Development Governance Policy [1].

I'm pleased to announce that these three projects have graduated:

* cloudfoundry/cf-msbuild-tasks
* cloudfoundry/cf-dotnet-sdk
* cloudfoundry/cf-vs-extension
Big thanks to the HPE team!

Worth noting, Harshit Shah, the PM of the HPE team, would like to hold office hours at CF Summit Europe this week for anyone who's interested. He'll reply to this email with details, and is CCed if you'd like to reach out to him directly with questions.

Cheers,
-m


[1]: https://www.cloudfoundry.org/wp-content/uploads/2015/09/CFF_Development_Governance.pdf


Re: [ANN] Utilities PMC projects graduating from incubation

Dr Nic Williams <drnicwilliams@...>
 

Thanks HPE!

On Mon, Sep 26, 2016 at 5:22 AM +0200, "Mike Dalessio" <mdalessio(a)pivotal.io> wrote:

Hi all,
In May 2015, the Utilities PMC began incubating a handful of .NET developer tools created and maintained by engineers at HPE.
These projects have been maintained by HPE over the last 16 months, and so I think it's overdue to move these projects out of Incubation and declare them to be Active Projects according to the CF Development Governance Policy [1].
I'm pleased to announce that these three projects have graduated:
* cloudfoundry/cf-msbuild-tasks
* cloudfoundry/cf-dotnet-sdk
* cloudfoundry/cf-vs-extension
Big thanks to the HPE team!
Worth noting, Harshit Shah, the PM of the HPE team, would like to hold office hours at CF Summit Europe this week for anyone who's interested. He'll reply to this email with details, and is CCed if you'd like to reach out to him directly with questions.
Cheers,
-m

  [1]: https://www.cloudfoundry.org/wp-content/uploads/2015/09/CFF_Development_Governance.pdf


[ANN] Utilities PMC projects graduating from incubation

Mike Dalessio
 

Hi all,

In May 2015, the Utilities PMC began incubating a handful of .NET developer
tools created and maintained by engineers at HPE.

These projects have been maintained by HPE over the last 16 months, and so
I think it's overdue to move these projects out of Incubation and declare
them to be *Active Projects* according to the CF Development Governance
Policy [1].

I'm pleased to announce that these three projects have graduated:

- cloudfoundry/cf-msbuild-tasks
- cloudfoundry/cf-dotnet-sdk
- cloudfoundry/cf-vs-extension

Big thanks to the HPE team!

Worth noting, *Harshit Shah*, the PM of the HPE team, would like to hold
office hours at CF Summit Europe this week for anyone who's interested.
He'll reply to this email with details, and is CCed if you'd like to reach
out to him directly with questions.

Cheers,
-m


[1]: https://www.cloudfoundry.org/wp-content/uploads/2015/09/CFF_Development_Governance.pdf


Re: FW: issue tracker permissions

Marco Voelz
 

Dear Guillaume,

Thanks for your efforts in this direction. As I already stated before, it is really a pain that you are not able to follow stories or comment when not being a member in a Pivotaltracker project. However, github issues aren’t more than a crutch, probably not even a good one.

For example, GH issues cannot be ordered. They are in the order of creation, prioritization is not visible. Therefore, if you look e.g. at the BOSH mirror [1], there are a bunch of “unstarted” and “unscheduled” issues, the first “started” one comes on page 2. For bugs, it gets more confusing. Most people have the github bot activated, which creates a PT story for each GH issue created. This is already confusing, because you have two places where potentially updates to this bug could be located in, and nobody knows where to look. Add in the mirroring, and now you have three places, see an example for the buildpacks [2]. All of this is not your fault, it is a restriction on how GH deals with issues and the fact that we’re distributing information over more than one place.

While I appreciate your efforts and time spent on this: I strongly feel that is an issue that can only be solved by one of two options:
• The Pivotaltracker team implementing the necessary functionality
• Migrating to a different tracker

I’m trying all I can to push for the first option by talking to Dan and Lisa, but other features seem to be more important to the PT team. In November, it has been a year since I asked for this, so my confidence isn’t very high that it is going to happen at all. For me that just means option two is getting more and more realistic every day.

Warm regards
Marco

[1] https://github.com/cf-tm-bot/bosh/issues
[2] https://github.com/cloudfoundry/staticfile-buildpack/issues/85

-----Original Message-----
From: Guillaume Berche <bercheg(a)gmail.com>
Date: Saturday, 24 September 2016 at 12:29
To: "Discussions about Cloud Foundry projects and the system overall." <cf-dev(a)lists.cloudfoundry.org>
Cc: Chip Childers <cchilders(a)cloudfoundry.org>, "cholick(a)gmail.com" <cholick(a)gmail.com>, Dan Podsedly <dpodsedly(a)pivotal.io>, Lisa Doan <ldoan(a)pivotal.io>, "Voelz, Marco" <marco.voelz(a)sap.com>
Subject: Re: [cf-dev] Re: FW: issue tracker permissions

Hi,


The mirroring of foundation projects is around 60% complete. See [5] for more detailed coverage. This should enable community members to watch the most active foundation backlogs. I received no notifications of negative side effects of this mirroring so far. I'll proceed with mirroring the remaining projects in the next days/weeks.

There are interesting next steps that could be tackled, such as enabling commenting on the backlogs, or searching across all foundation backlog history, see [3]. Let me know if you have interests in discussing these next steps and current challenges faced by the mirroring process. The upcoming Frankfurt cfsummit unconference on Monday might be a good place for this, I'd propose a subject if I receive some interest.


Thanks,


Guillaume.

On Mon, Sep 5, 2016 at 10:21 PM, Guillaume Berche
<bercheg(a)gmail.com> wrote:

Hi,


We have prototyped at Orange an automatic mirroring of Pivotal Tracker (PT) stories into github issues. See pivotaltrackermirror at [1], and the experimental mirror of the buildpack tracker at [2]. I'd like to thank the buildpacks team for accepting to join this experiment and providing us with feedback in the past few weeks.

We hope this could bring the following benefits to the CF community:

1. allow use of the watching notifications <https://help.github.com/articles/about-notifications/#types-of-notifications> github feature to track progress on public pivotal trackers projects: all stories or selected stories of interest.
2. allow use of github search features <https://help.github.com/articles/searching-github> to search Pivotal Tracker content (e.g. across multiple mirrored PT projects, or along with other github repositories hosting the associated code)
3. allow use of github @mentions <https://help.github.com/articles/basic-writing-and-formatting-syntax/#mentioning-users-and-teams> to contact github accounts associated with PT public projects contributors, in the context with a specific mirrored story
4. mirrored content becomes discoverable: search engines index it, making it easier to find mirrored PT content such as a stack trace

This is still experimental work. We would like to hear community feedback about this initiative (how is it useful?), as well as core contributor teams (are there unexpected side-effects that need to be handled beyond what we fixed so far [3]?) Do you have suggestions for enhancements: can you comment/vote/improve in [3]?


Our plan is to progressively extend this experiment to more trackers listed in [5] (in a rate of a few projects per week). Please report issues on [3] if you observe negative side effects, or reply to this email if you have concerns about this mirroring.



There is still a fair amount of work ahead to convert this experiment into a stable tool, and opportunities to provide some new cool features to the community. Contributions are welcome :-)



Thanks,


Guillaume.



ps: I also recently noticed a PT slack integration [4] that would also cover use-case #1 (get notifications for all stories in a tracker). I'm not yet sure what it takes to add it to a given channel.


[1] https://github.com/orange-cloudfoundry/pivotaltrackermirror
[2] https://github.com/cf-tm-bot/buildpacks
[3] https://github.com/orange-cloudfoundry/pivotaltrackermirror/issues
[4] https://cloudfoundry.slack.com/apps/A0F82E7H8-pivotal-tracker
[5] https://github.com/cloudfoundry-community/cf-docs-contrib/wiki






On Sun, May 29, 2016 at 8:05 PM, John Wong
<gokoproject(a)gmail.com> wrote:

Just an idea... Is there a feature in Tracker to always cc someone/some email address? For non security and non confidential stories we can Cc this email address automatically which will post to a google group and a thread will be built as comment is added.
This at least allows a read-only mirror.


Just a thought...


On Sunday, May 29, 2016, Voelz, Marco <marco.voelz(a)sap.com> wrote:

Dear Dan, dear Lisa, dear Chip, dear community,

sorry for digging out this old issue again and again. If you are just tuning in, here is the situation
· I like Pivotal Tracker as a product
· I have to use Tracker for my daily work, as it is currently mandatory for all CFF projects and all of them use it
· The restrictions in pivotal tracker make it hard to impossible to do the daily stuff you want to do within a large open-source community.

After initially bringing this up in November last year, here are a few of the problems I addressed with Dan in a hangout session in February:
· To follow stories in a project you need to be a member of that project. Therefore, you cannot track progress on stories in other projects.
· To comment on stories, the same restrictions as above apply

It has been 3 months since Dan and I talked, I’ve checked back every 4 weeks with him and what I’ve heard so far is ideas. I haven’t seen a prototype, any specifics on the current state, any planning details. It’s not like I’m demanding this feature should be done by now – I just want to know what is going on.

I have to say I am very unhappy in how this topic is treated. From my point of view, it seems like there is a huge lack of transparency and feedback. Please, let me know what’s going on. I don’t want to switch to a different tracker, such as e.g. trello, but if the requirements of a large open-source community aren’t heard, then I don’t know what else to do about this.

Warm regards
Marco

PS: What about a public tracker backlog in tracker, so people can follow their favorite feature stories and see where they are in the planning and when they’re done?


On 16/01/16 13:09, "Voelz, Marco" <marco.voelz(a)sap.com> wrote:





Dear all,



it has now been more than a month since I sent my feedback concerning this feature to the tracker team – I haven't received any reaction to it.

@Chip: Is there an option you could weigh in for this from the Foundation perspective? That would be great!



Sorry for being so stubborn about this, but in my opinion this is a crucial feature for a bug tracker/backlog which is used in an open-source product. I know that all the people working directly at pivotal don't feel the pain, because they can either talk directly to everyone in person or have the necessary rights to comment/follow in the other projects, but for everyone else this is really, really a problem.



Warm regards

Marco



On 09/12/15 21:20, "Voelz, Marco" <marco.voelz(a)sap.com> wrote:




Thanks for pointing me to this link. However, we seem to have the same problem here: This seems like a fire-and-forget solution. Where does this item go? How can I send it to other people and have them +1 it, like it, follow it, favorite it or whatever is necessary to indicate that there is more than 1 person wanting this feature?




Thanks and warm regards

Marco



On 09/12/15 20:01, "Amit Gupta" <agupta(a)pivotal.io> wrote:




If you're logged in to Tracker, there's a "Help & Updates" link at the top, and one of the options is Provide Feedback.


On Wed, Dec 9, 2015 at 10:59 AM, Voelz, Marco <marco.voelz(a)sap.com> wrote:

I'd happily submit a feature request to build up some visible demand for this – could you point me to the right channel here?




Thanks and warm regards

Marco



On 08/12/15 23:01, "Dieu Cao" <dcao(a)pivotal.io> wrote:





Unfortunately in order to follow a story in tracker, the minimum required level is "member" which allows you to create/comment/delete stories in tracker.

I would suggest submitting a request to the pivotal tracker team to help build up evidence that this is a feature that people want.



-Dieu



On Tue, Dec 8, 2015 at 12:49 PM, Matt Cholick <cholick(a)gmail.com> wrote:

Sorry to resurrect an older thread, but I wanted to chime in that this is a frustration I have too. There are several stories in the various CF teams public backlogs that I'd like to keep track of.


Is it possible for community members to get enough permissions on our tracker accounts to add ourselves to the follow list?



-Matt



On Mon, Nov 23, 2015 at 3:10 AM, Koper, Dies <diesk(a)fast.au.fujitsu.com> wrote:

Hi Marco, Jan,

I sent an email to Tracker support about that last week because we were hoping to close CLI feature requests on GH and let people follow the stories on Tracker. Support confirmed that people need to have R/W access to a project to do that.
I have just replied to ask if they'd consider an enhancement. Not sure what the proper channel would be to get such a story prioritized.
Will let you know if I get a reply.

Regards,
Dies Koper
Cloud Foundry CLI PM

-----Original Message-----
From: Voelz, Marco [mailto:marco.voelz(a)sap.com]
Sent: Monday, November 23, 2015 8:00 PM
To: Discussions about Cloud Foundry projects and the system overall.
Subject: [cf-dev] Re: FW: issue tracker permissions

Thanks Jan for bringing that up, I've had similar problems with that as well. Any ideas on how to solve this? Is this a feature that the tracker team actively works on?
Hitting cmd+r every few days on the same stories doesn't seem like the best way to stay informed about your favorite features.

Warm regards
Marco



On 19/11/15 09:23, "Sievers, Jan" <jan.sievers(a)sap.com> wrote:

>>Hi,
>>
>>I was trying to watch a story I am interested in
>>https://www.pivotaltracker.com/n/projects/892938/stories/105493826
>>
>>
>>I do have an account but it seems I don't have permissions to watch nor to comment.
>>
>>Is there something I missed?
>>
>>Regards
>>Jan
>>

--
Sent from Jeff Dean's printf() mobile console


Re: FW: issue tracker permissions

Guillaume Berche
 

Hi,

The mirroring of foundation projects is around 60% complete. See [5] for
more detailed coverage. This should enable community members to watch the
most active foundation backlogs. I received no notifications of negative
side effects of this mirroring so far. I'll proceed with mirroring the
remaining projects in the next days/weeks.

There are interesting next steps that could be tackled, such as enabling
commenting on the backlogs, or searching across all foundation backlog
history, see [3]. Let me know if you have interests in discussing these
next steps and current challenges faced by the mirroring process. The
upcoming Frankfurt cfsummit unconference on Monday might be a good place
for this, I'd propose a subject if I receive some interest.

Thanks,

Guillaume.



On Mon, Sep 5, 2016 at 10:21 PM, Guillaume Berche <bercheg(a)gmail.com> wrote:

Hi,

We have prototyped at Orange an automatic mirroring of Pivotal Tracker
(PT) stories into github issues. See pivotaltrackermirror at [1], and the
experimental mirror of the buildpack tracker at [2]. I'd like to thank the
buildpacks team for accepting to join this experiment and providing us with
feedback in the past few weeks.

We hope this could bring the following benefits to the CF community:

1. allow use of the watching notifications
<https://help.github.com/articles/about-notifications/#types-of-notifications>
github feature to track progress on public pivotal trackers projects: all
stories or selected stories of interest.
2. allow use of github search features
<https://help.github.com/articles/searching-github> to search Pivotal
Tracker content (e.g. across multiple mirrored PT projects, or along with
other github repositories hosting the associated code)
3. allow use of github @mentions
<https://help.github.com/articles/basic-writing-and-formatting-syntax/#mentioning-users-and-teams>
to contact github accounts associated with PT public projects contributors,
in the context with a specific mirrored story
4. mirrored content becomes discoverable: search engines index it,
making it easier to find mirrored PT content such as a stack trace

This is still experimental work. We would like to hear community feedback
about this initiative (how is it useful?), as well as core contributor
teams (are there unexpected side-effects that need to be handled beyond
what we fixed so far [3]?) Do you have suggestions for enhancements: can
you comment/vote/improve in [3]?

Our plan is to progressively extend this experiment to more trackers
listed in [5] (in a rate of a few projects per week). Please report issues
on [3] if you observe negative side effects, or reply to this email if you
have concerns about this mirroring.

There is still a fair amount of work ahead to convert this experiment into a
stable tool, and opportunities to provide some new cool features to the
community. Contributions are welcome :-)

Thanks,

Guillaume.

ps: I also recently noticed a PT slack integration [4] that would also
cover use-case #1 (get notifications for all stories in a tracker). I'm not
yet sure what it takes to add it to a given channel.

[1] https://github.com/orange-cloudfoundry/pivotaltrackermirror
[2] https://github.com/cf-tm-bot/buildpacks
[3] https://github.com/orange-cloudfoundry/pivotaltrackermirror/issues
[4] https://cloudfoundry.slack.com/apps/A0F82E7H8-pivotal-tracker
[5] https://github.com/cloudfoundry-community/cf-docs-contrib/wiki



On Sun, May 29, 2016 at 8:05 PM, John Wong <gokoproject(a)gmail.com> wrote:

Just an idea... Is there a feature in Tracker to always cc someone/some
email address? For non security and non confidential stories we can Cc this
email address automatically which will post to a google group and a thread
will be built as comment is added. This at least allows a read-only mirror.

Just a thought...


On Sunday, May 29, 2016, Voelz, Marco <marco.voelz(a)sap.com> wrote:

Dear Dan, dear Lisa, dear Chip, dear community,



sorry for digging out this old issue again and again. If you are just
tuning in, here is the situation

· I like Pivotal Tracker as a product

· I have to use Tracker for my daily work, as it is currently
mandatory for all CFF projects and all of them use it

· The restrictions in pivotal tracker make it hard to
impossible to do the daily stuff you want to do within a large open-source
community.



After initially bringing this up in November last year, here are a few
of the problems I addressed with Dan in a hangout session in February:

· To follow stories in a project you need to be a member of
that project. Therefore, you cannot track progress on stories in other
projects.

· To comment on stories, the same restrictions as above apply



It has been 3 months since Dan and I talked, I’ve checked back every 4
weeks with him and what I’ve heard so far is ideas. I haven’t seen a
prototype, any specifics on the current state, any planning details. It’s
not like I’m demanding this feature should be done by now – I just want to
know what is going on.



I have to say I am very unhappy in how this topic is treated. From my
point of view, it seems like there is a huge lack of transparency and
feedback. Please, let me know what’s going on. I don’t want to switch to a
different tracker, such as e.g. trello, but if the requirements of a large
open-source community aren’t heard, then I don’t know what else to do about
this.



Warm regards

Marco



PS: What about a public tracker backlog in tracker, so people can follow
their favorite feature stories and see where they are in the planning and
when they’re done?





On 16/01/16 13:09, "Voelz, Marco" <marco.voelz(a)sap.com> wrote:



Dear all,



it has now been more than a month since I sent my feedback concerning
this feature to the tracker team – I haven't received any reaction to it.

*@Chip:* Is there an option you could weigh in for this from the
Foundation perspective? That would be great!



Sorry for being so stubborn about this, but in my opinion this is a
crucial feature for a bug tracker/backlog which is used in an open-source
product. I know that all the people working directly at pivotal don't feel
the pain, because they can either talk directly to everyone in person or
have the necessary rights to comment/follow in the other projects, but for
everyone else this is really, really a problem.



Warm regards

Marco



On 09/12/15 21:20, "Voelz, Marco" <marco.voelz(a)sap.com> wrote:



Thanks for pointing me to this link. However, we seem to have the same
problem here: This seems like a fire-and-forget solution. Where does this
item go? How can I send it to other people and have them +1 it, like it,
follow it, favorite it or whatever is necessary to indicate that there is
more than 1 person wanting this feature?



Thanks and warm regards

Marco



On 09/12/15 20:01, "Amit Gupta" <agupta(a)pivotal.io> wrote:



If you're logged in to Tracker, there's a "Help & Updates" link at the
top, and one of the options is Provide Feedback.



On Wed, Dec 9, 2015 at 10:59 AM, Voelz, Marco <marco.voelz(a)sap.com>
wrote:

I'd happily submit a feature request to build up some visible demand for
this – could you point me to the right channel here?



Thanks and warm regards

Marco



On 08/12/15 23:01, "Dieu Cao" <dcao(a)pivotal.io> wrote:



Unfortunately in order to follow a story in tracker, the minimum
required level is "member" which allows you to create/comment/delete
stories in tracker.

I would suggest submitting a request to the pivotal tracker team to help
build up evidence that this is a feature that people want.



-Dieu



On Tue, Dec 8, 2015 at 12:49 PM, Matt Cholick <cholick(a)gmail.com> wrote:

Sorry to resurrect an older thread, but I wanted to chime in that this
is a frustration I have too. There are several stories in the various CF
teams public backlogs that I'd like to keep track of.



Is it possible for community members to get enough permissions on our
tracker accounts to add ourselves to the follow list?



-Matt



On Mon, Nov 23, 2015 at 3:10 AM, Koper, Dies <diesk(a)fast.au.fujitsu.com>
wrote:

Hi Marco, Jan,

I sent an email to Tracker support about that last week because we were
hoping to close CLI feature requests on GH and let people follow the
stories on Tracker. Support confirmed that people need to have R/W access
to a project to do that.
I have just replied to ask if they'd consider an enhancement. Not sure
what the proper channel would be to get such a story prioritized.
Will let you know if I get a reply.

Regards,
Dies Koper
Cloud Foundry CLI PM


-----Original Message-----
From: Voelz, Marco [mailto:marco.voelz(a)sap.com]
Sent: Monday, November 23, 2015 8:00 PM
To: Discussions about Cloud Foundry projects and the system overall.
Subject: [cf-dev] Re: FW: issue tracker permissions

Thanks Jan for bringing that up, I've had similar problems with that as
well. Any ideas on how to solve this? Is this a feature that the tracker
team actively works on?
Hitting cmd+r every few days on the same stories doesn't seem like the
best way to stay informed about your favorite features.

Warm regards
Marco



On 19/11/15 09:23, "Sievers, Jan" <jan.sievers(a)sap.com> wrote:

Hi,

I was trying to watch a story I am interested in
https://www.pivotaltracker.com/n/projects/892938/stories/105493826


I do have an account but it seems I don't have permissions to watch
nor to comment.

Is there something I missed?

Regards
Jan

--
Sent from Jeff Dean's printf() mobile console


CF CLI v6.22.0 and v6.22.1 Released

Koper, Dies <diesk@...>
 

The CF CLI team just cut 6.22.1. Ignore 6.22.0.
Binaries and link to release notes are available at:

https://github.com/cloudfoundry/cli#downloads

Improved help pages

The cf help page now lists commands in columns and no longer lists commands that app developers rarely use, or cannot use (such as admin-only commands).

This reduces the length of the output greatly, making it easier to discover commands.
The help page listing all commands and their descriptions is now available under cf help -a.
Also, the individual help pages for most commands have an added SEE ALSO section listing commands you would likely use together with the current command, or even consider instead.

Debian package repository

You can now use apt-get to install & update the cf CLI on Debian systems. On Ubuntu you'd:

# ...first add the Cloud Foundry Foundation public key and package repository to your system
$ wget -q -O - https://packages.cloudfoundry.org/debian/cli.cloudfoundry.org.key | sudo apt-key add -
$ echo "deb http://packages.cloudfoundry.org/debian stable main" | sudo tee /etc/apt/sources.list.d/cloudfoundry-cli.list
# ...then, update your local package index, then finally install the cf CLI
$ sudo apt-get update
$ sudo apt-get install cf-cli

RPM package repository

You can now use yum to install & update the cf CLI on Fedora systems (RHEL6/CentOS6 and up):

# ...first configure the Cloud Foundry Foundation package repository
$ sudo wget -O /etc/yum.repos.d/cloudfoundry-cli.repo https://packages.cloudfoundry.org/fedora/cloudfoundry-cli.repo
# ...then, install the cf CLI (which will also download and add the public key to your system)
$ sudo yum install cf-cli

Windows installation without administrator permissions

The Windows installer will now ask you whether you want to install the cf CLI for all users or only the current user.

The latter does not require administrator permissions, so should make the installation process easier on restricted systems. (#935<https://github.com/cloudfoundry/cli/issues/935>)
Note that to install the cf CLI for all users, the installer needs to be run as administrator (e.g. right-click on it and select "Run as administrator"), or else this option is disabled.

Updated translations

IBM has contributed updated translations of CLI messages again.
As the update came in mid-release and a number of message strings changed since, you may find some untranslated messages (in particular in the help pages). (#940<https://github.com/cloudfoundry/cli/pull/940>)

Mac OS Sierra

The cf CLI is now built with Golang 1.7.1, adding support for Mac OS Sierra as well as showing a reduction in filesize of binaries and installers for all platforms.

Bumped loggregator library

The bundled loggregator library (used to retrieve log files) was updated to the latest version, incorporating support for HTTP proxies with basic authentication. (#949<https://github.com/cloudfoundry/cli/issues/949>)

Fixed regressions

* A bug fix to the push command caused the uploaded archive with application files to no longer be compressed. This is now fixed. (#898<https://github.com/cloudfoundry/cli/issues/898>)
* A change in DNS resolution in Golang 1.5 caused resolution of domains to fail on Linux when the primary DNS server responded that the domain was not registered, instead of querying the next DNS server. There was a work-around that stopped working in CF CLI v6.17.1 when we started to statically link the Linux binaries. This issue is now fixed due to improvements in Golang 1.7.1. (#763<https://github.com/cloudfoundry/cli/issues/763>)
* install-plugin's -f option was not accepted as a stand-alone option in cf CLI 6.22.0. (#964<https://github.com/cloudfoundry/cli/issues/964>)
* bind-route-service's deprecated -f option was not accepted in cf CLI 6.22.0.

Updated commands

* plugins now lists the plugins in stable order. (#923<https://github.com/cloudfoundry/cli/issues/923>)
* help now lists the plugin commands in stable order.
* push now displays a better error message when omitting both application name and manifest filepath. (#920<https://github.com/cloudfoundry/cli/issues/920>)
* start no longer waits and polls for started application instances if the application has 0 instances. (#917<https://github.com/cloudfoundry/cli/issues/917>)
* Application start-up and staging related environment variables CF_STARTUP_TIMEOUT and CF_STAGING_TIMEOUT are now described in the relevant commands' help pages (push, start, restart, restage, copy-source) instead of the main help page.
* Standard error output from plugin commands is now propagated to the terminal. (#928<https://github.com/cloudfoundry/cli/issues/928>)
* The scope of keys in JSON output in CF trace that is redacted to prevent sensitive information to be logged is widened to cover any key that includes "password" and "token" (regardless of case). (#926<https://github.com/cloudfoundry/cli/pull/926>)
Enjoy!

Regards,
Dies Koper
Cloud Foundry Product Manager - CLI
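
The last bullet of the release notes above describes redacting any JSON key that includes "password" or "token", regardless of case. The Go program below is an added example of that rule, not the cf CLI's own code; the function names, the "[REDACTED]" placeholder and the sample body are assumptions constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// redactedValue is a placeholder string chosen for this example (assumption).
const redactedValue = "[REDACTED]"

// ErrNotJSON is returned without echoing any part of the rejected body.
var ErrNotJSON = errors.New("trace body is not valid JSON")

// sensitiveFragments are the two substrings named in the release note.
var sensitiveFragments = []string{"password", "token"}

// isSensitiveKey reports whether a JSON key contains "password" or "token",
// ignoring case, so "Password", "refresh_TOKEN" and "db_password" all match.
func isSensitiveKey(key string) bool {
	lower := strings.ToLower(key)
	for _, frag := range sensitiveFragments {
		if strings.Contains(lower, frag) {
			return true
		}
	}
	return false
}

// redactValue walks decoded JSON and replaces the whole value under any
// sensitive key, including objects and arrays stored under that key.
func redactValue(v interface{}) interface{} {
	switch t := v.(type) {
	case map[string]interface{}:
		out := make(map[string]interface{}, len(t))
		for k, val := range t {
			if isSensitiveKey(k) {
				out[k] = redactedValue
			} else {
				out[k] = redactValue(val)
			}
		}
		return out
	case []interface{}:
		out := make([]interface{}, len(t))
		for i, val := range t {
			out[i] = redactValue(val)
		}
		return out
	default:
		return v
	}
}

// RedactJSON returns the body with sensitive values replaced. A body that
// does not parse is never returned as-is: the caller gets ErrNotJSON and
// should log a fixed marker instead of the raw bytes.
func RedactJSON(raw []byte) (string, error) {
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.UseNumber() // keep numbers exactly as sent
	var doc interface{}
	if err := dec.Decode(&doc); err != nil {
		return "", ErrNotJSON
	}
	out, err := json.Marshal(redactValue(doc))
	if err != nil {
		return "", err
	}
	return string(out), nil
}

func main() {
	// Constructed sample body, not taken from a real CF trace.
	sample := []byte(`{"name":"app","Password":"p1","nested":{"refresh_TOKEN":"abc","items":[{"db_password":"x","port":8080}]}}`)
	out, err := RedactJSON(sample)
	if err != nil {
		fmt.Println("body withheld:", err)
		return
	}
	fmt.Println(out)
}
```

Matching on substrings rather than exact key names is what catches variants such as "refresh_TOKEN"; secrets stored under keys that contain neither word are not covered by this rule.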


Re: OpenSSL CVE

Molly Crowther
 

As you may have heard, Canonical released a regression USN (
http://www.ubuntu.com/usn/usn-3087-2/) to cover an issue introduced in the
fix released yesterday (http://www.ubuntu.com/usn/usn-3087-1/).

New stemcells are currently being built.

Molly Crowther
CFF Security Team

On Thu, Sep 22, 2016 at 8:24 AM, Molly Crowther <mcrowther(a)cloudfoundry.org>
wrote:

Hello All,

If you get questions about the recent SSL CVE today - it is a high and the
BOSH team will be acting on it as soon as we have an Ubuntu update from
Canonical. I will reply with new stemcell version numbers when we have them.

http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6304.html

Please let me know if you have any questions.

Thanks,
Molly Crowther
CFF Security Team


OpenSSL CVE

Molly Crowther
 

Hello All,

If you get questions about the recent SSL CVE today - it is a high and the
BOSH team will be acting on it as soon as we have an Ubuntu update from
Canonical. I will reply with new stemcell version numbers when we have them.

http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6304.html

Please let me know if you have any questions.

Thanks,
Molly Crowther
CFF Security Team


how can i connect doppler(firehose) with doppler vm's IP?

inho cho
 

I have tested noaa's sample to collect metrics from doppler firehose.
When I set "DOPPLER_ADDR" to "wss://doppler.bosh-lite.com:443", it worked well.

I'm just wondering if it is possible to connect doppler firehose with doppler vm's IP.
For example, if doppler vm's ip is "10.244.0.142", set "DOPPLER_ADDR" to "10.244.0.142".

Is it possible?

Thanks in advance.


Re: SSL termination for private domains

James Leavers
 

Ha, just for fun we detailed how you could, technically, request a
letsencrypt cert via a CF app :-) [1]

I would agree that a user would like the ability to auto-renew certs, if
they are currently doing this via cron on Apache or another webserver [2]

[1]
https://blog.cloudhelix.io/authorising-lets-encrypt-certificate-requests-using-a-cloud-foundry-app-71b2d0920ac9
[2]
https://community.letsencrypt.org/t/how-to-automatically-renew-certificates/4393

On 21 September 2016 at 21:47:20, Shannon Coen (scoen(a)pivotal.io) wrote:

On Tue, Sep 20, 2016 at 10:00 PM, Carlo Alberto Ferraris <
carlo.ferraris(a)rakuten.com> wrote:

While we're talking about TLS, but this is only partially related, it
would be awesome if we were to implement (or some hooks were provided to be
able to complete) either the http or tls ACME challenges. That would be the
ultimate dream. :D

Wasn't familiar with ACME until I just googled it. Do you mean some
mechanism for automated generation of certs?


Re: SSL termination for private domains

Carlo Alberto Ferraris
 

Yes, it's the protocol[1] proposed by ISRG letsencrypt[2] (under the Linux Foundation umbrella) that allows automated generation and PKI signing of TLS certificates.
For the record, there's a Go implementation of the ACME protocol that may end up in the standard library sooner or later[3].

[1]: https://tools.ietf.org/html/draft-ietf-acme-acme-03
[2]: https://letsencrypt.org/
[3]: https://godoc.org/golang.org/x/crypto/acme


Re: SSL termination for private domains

Carlo Alberto Ferraris
 

Our current policy to our users is SNI by default, i.e. unless they explicitly require non-SNI TLS termination they get SNI termination. We went with this because browser support seems good[1] and because there are "easy" (albeit manual) workarounds (request a non-SNI VIP, use a CDN).

Granted, even with SNI TLS termination in gorouter we should still be able to perform TLS termination somewhere else for the few cases in which no SNI is really a requirement - but for this it's enough to not change the HTTP listener behavior.

[1]: http://caniuse.com/#feat=sni
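
The SNI-based termination discussed in this thread, sketched as an added example (not gorouter code and not from any poster): certificates are looked up per handshake from a store that can be updated at runtime, and clients that send no SNI are rejected and counted. `CertStore`, `ErrNoSNI` and the hostnames are hypothetical names chosen for the illustration, and the certificate in `main` is an empty placeholder.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"strings"
	"sync"
	"sync/atomic"
)

var ErrNoSNI = errors.New("client sent no SNI server name")

// CertStore is a hypothetical hostname -> certificate map that can change while serving.
type CertStore struct {
	noSNI int64    // handshakes seen without SNI, for judging client support
	certs sync.Map // lower-cased hostname or "*.domain" -> *tls.Certificate
}

// Put adds or replaces a certificate; Delete removes one. Both apply from the next handshake.
func (s *CertStore) Put(host string, c *tls.Certificate) { s.certs.Store(strings.ToLower(host), c) }
func (s *CertStore) Delete(host string) { s.certs.Delete(strings.ToLower(host)) }
func (s *CertStore) NoSNI() int64 { return atomic.LoadInt64(&s.noSNI) }

// Get is the tls.Config.GetCertificate callback: exact match first, then a one-label wildcard.
func (s *CertStore) Get(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
	name := strings.ToLower(h.ServerName)
	if name == "" {
		atomic.AddInt64(&s.noSNI, 1)
		return nil, ErrNoSNI // such clients need a separate non-SNI listener or VIP
	}
	keys := []string{name}
	if i := strings.IndexByte(name, '.'); i > 0 {
		keys = append(keys, "*"+name[i:])
	}
	for _, k := range keys {
		if c, ok := s.certs.Load(k); ok {
			return c.(*tls.Certificate), nil
		}
	}
	return nil, fmt.Errorf("no certificate for %q", name)
}

func main() {
	store := &CertStore{}
	store.Put("*.apps.example.com", &tls.Certificate{}) // constructed placeholder certificate
	cfg := &tls.Config{GetCertificate: store.Get, MinVersion: tls.VersionTLS12}
	_, err := cfg.GetCertificate(&tls.ClientHelloInfo{})
	fmt.Println("non-SNI client error:", err, "count:", store.NoSNI())
}
```

Returning an error from the callback aborts the handshake, so the `NoSNI` counter gives an operator a direct measure of how many clients would break if SNI were required.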


Re: SSL termination for private domains

Shannon Coen
 

Thank you all for your responses.

A follow up question: for the gorouter to host certs for multiple domains,
it seems only natural that it would do this via SNI. Is client support for
SNI ubiquitous among apps running on your CF deployments? Would it be
reasonable to require client SNI support for TLS termination at gorouter?

Thanks again.

Shannon Coen
Product Manager, Cloud Foundry
Pivotal, Inc.

On Wed, Sep 21, 2016 at 5:52 AM, James Leavers <james(a)cloudhelix.io> wrote:

It sounds like we are in a similar situation to Carlo, i.e.


- We have an external pair of LBs
- These are used for SSL termination
- We upload SSL certificates to the LBs for various domains, which
point to the same VIP


If something became available that would easily allow app developers /
users to upload their own certificates, I too would happily move SSL
termination from the LBs to gorouter, as it would mean one less automation
workflow for us :-)


On 21 September 2016 at 02:04:48, Shannon Coen (scoen(a)pivotal.io) wrote:

Carlo, Mike, others,

Do you store certs in the LB config itself, or federate/offload TLS
termination to some secure store? I'm thinking about storing user-provided
certs in the Routing API and offering them to routers/LBs from there. Would
we instead have to send the certs to some other proprietary system from
where the router/LB would have to pull from?

I've heard a few requests for integrating with systems that store the
certs so that the routers don't have access to the keys.

Shannon Coen
Product Manager, Cloud Foundry
Pivotal, Inc.

On Tue, Sep 20, 2016 at 5:44 PM, Carlo Alberto Ferraris <
carlo.ferraris(a)rakuten.com> wrote:

Mike,
thanks for keeping the ball rolling!
For the TLS termination part we are currently using a setup very similar
to the one described by Mike. We sit behind a bunch of SLBs that handle
termination for us. The main difference is that we're moving out of the
"one VIP per cert" model Mike describes to "one SNI VIP for all certs" - a
choice we made exactly to keep options open when it comes to automating
this process.
The biggest pain comes from the fact that the SLB in our organization is
handled by a different team and that therefore every cert add/update/delete
operation requires a manual operation spanning three teams (application
team, our team, SLB team); in the worst cases such operations can take
days. We may be different in this from other CF operators, but this
situation happens fairly frequently.
To put it simply, if CF (gorouter or a different component) had a way to
dynamically apply certificates specified by the users (and operators) we
would gladly switch away from our current setup.
We were also considering (idea stage, nothing really planned yet) using
either nginx or a custom-built TLS terminator for this very purpose (the
main reason we're considering something custom built is because it's
somewhat hard to get session ticket key rotation right with nginx when you
have multiple servers) - but if something functionally equivalent were to
appear upstream we would definitely prefer it.

I hope everything makes sense, if not I'll gladly answer any question you
may have.

Thanks for looking into this!

Carlo


Re: SSL termination for private domains

Shannon Coen
 

On Tue, Sep 20, 2016 at 10:00 PM, Carlo Alberto Ferraris <
carlo.ferraris(a)rakuten.com> wrote:

While we're talking about TLS, but this is only partially related, it
would be awesome if we were to implement (or some hooks were provided to be
able to complete) either the http or tls ACME challenges. That would be the
ultimate dream. :D

Wasn't familiar with ACME until I just googled it. Do you mean some
mechanism for automated generation of certs?
