►
From YouTube: GSoC 2021 Git credentials binding 2021 08 04
Description
Jenkins git credentials binding office hours August 4, 2021. Topics included discussing issues with private keys, using the sshd-core library to resolve the primary private key algorithms, and dependeng on a plugin vs depending directly on sshd-core.
Meeting notes are available at https://docs.google.com/document/d/1gZneYIDWrT5S-1ACG641wfvxs7vnDC0RCYqy-EuuhwY/edit#heading=h.m0lph2u36pvh
A
A
B
C
C
D
D
C
D
Yeah,
so
I
found
out
that
the
the
fingerprint
of
the
private
key
that
is
generated
using
the
decrypted
privacy
that
is
generated
using
the
ssj
library
is
different
from
the
fingerprint
of
the
private
key.
That
is,
you
know
encrypted.
So
I
think,
due
to
that,
we
are
not
able
to
connect,
so
the
keys
are
different,
so
the
server
won't
be
able
to
recognize
a
match
for
that
private
key
with
the
public
key.
C
D
C
Yeah
I
mean
the
I
thought
that
the
fastest
way
to
know
if
ssj
will
be
able
to
decrypt
the
keys
correctly,
and
then
you
know
they
it
is
going
to
provide
this
keys,
which
are
going
to
work,
is
to
use
their
own
client
to
establish
a
connection
with
any
server
any
you
know
any
place
which
has
a
22
port
open
and
we
can
establish
a
connection
with
them.
If
that
is
possible,
then
those
keys,
we
can
be
sure
that
ssj
is
not
creating
an
issue
for
us.
C
D
D
D
C
D
So
but
the
issue
I'm
facing
is
you
know
the
dependency
issue,
so
I
think
I
mentioned
it
on
the
gita
chart.
So
so
what
should
we
do
next
right?
Should
we
define
this
dependency
explicitly
in
git
plugin,
and
if
we
do
that,
then
we
have
to
you
know,
increase
the
jenkins
version
great
more
than
two
point
above
I
think
it's
two
point.
Eight.
D
B
C
B
A
A
B
B
So
but
if
you're
on
2.289.2
you're
not
in
danger,
because
the
security
fix
is
backported
to
it
so
making
it
2.289.1
seems
very
reasonable
to
me,
and
I
knew
we
knew
we
were
going
to
have
to
eventually
upgrade
yeah.
There
will
be
people
who
say,
but
I
want
to
run
the
credentials
binding
without
having
to
upgrade
to
289
289.1.
And
the
answer
is
sorry.
You
can't.
B
B
A
B
E
B
Okay,
what's
what's
the
what's
the?
What
do
you
call
the
address
of
that
thing?
The
coordinates
of
that
thing
you're
looking
at.
Is
it
org.jenkins.ci.modules
yeah?
It
is
okay.
So
that's
the
thing
that
that
ssh
server
or
that
git
server
plug-in
depends
on,
and
I
think
is
so
harsh
it
is-
is
sshd
from
apache
or
from
this
code.
The
thing
that
provides
the
method
you
need
or
do
you
need
something
that's
actually
in
the
git
server
plugin.
D
D
E
B
C
C
C
D
C
No,
but
you
can
exclude
the
depend
since
you're
going
to
directly
use
this
library
this
dependency.
Then
you
can
exclude
that
from
the
the
plugin,
which
requires
a
newer
jenkins
version,
and
then
you
can
use
directly
this
time.
I
don't
understand.
Why
would
we
need
a
new
gentleman's
version
for
that.
C
D
B
So
so
back
to
richard's
question,
but
to
ask
it
in
the
form
of
the
question:
is
org.apache.sshd
version
2.7.0
enough
for
you
to
have
the
api
you
need
harshad,
or
do
you
need
something
that
is?
It
is
yeah
okay.
So
then
I
I'm
prone
to
agree
with
with
rashab
that
we
should
at
least
try
to
just
depend
on
that
library.
If
that
still
requires
us
to
upgrade
jenkins.version.
B
B
Well-
and
I
think
sshd
plugin
is
an
unavoidable
plugin
because
it
was
bundled
in
core.
Oh
was
it
oh,
I
think
so
I
think
there's
I
think,
sshd
plug-in
is
one
that
was
discussed
just
recently
on
the
mailing
list
with
wow.
Why
is
this
there?
I
don't
need
sshd,
and
the
answer
is
well
because
it
was
bundled
in
core
and
years
ago,
and
thus
it's
still
its
api
still
has
to
be
available
in
core
okay.
Well,.
D
D
B
C
D
E
C
B
B
Odd,
when
I
tell
it
to
depend
on
to
to
require
jenkins
2.289.1,
it
doesn't
even
have
a
dependency
on
ssh
decor,
interesting
okay,
but
you
you've
done
the
experiment
harshit,
and
you
said
that
by
upgrading
the
by
forcing
the
jenkins
jenkins.version
to
2.289.1,
you
get
the
you
get
access
to
the
sshd
core
library
version.
You.
B
D
B
Yeah-
and
I
think
I
think
that's
the
right
approach,
I
think
we
should
accept
that
in
order
to
get
this
functionality
they
have
to
at
least
be
running
jenkins
2.289.1,
because
we
need
the
version
of
sshd
core
that
apache
provides,
and
that
is
that
is
available
only
beginning
with
2.289.1.
That's
that's.
B
D
D
C
D
A
D
C
A
Yeah,
I
guess
from
a
from
a
process
and
work
perspective
like
if
it's
easy
for
you
to
get
them
all
in
one
pr,
like
maybe
that's
okay,
I
guess
one
thing
I
could
see
is
like
if
it's
hard
to
start
getting
the
bouncy
castle
stuff,
then
maybe
it's
a
good
idea
to
start
with
the
the
most
critical
algorithms
to
cover
and
then
do
those
in
a
pr.
But
then
I
I
also
realized,
there's
some
testing
and
stuff
like
that
involved
too.
So
those
are
the
things
that
I
would
think
about
for
that.
B
B
D
B
B
B
C
B
C
B
B
B
B
Okay,
so
I
would
expect
jenkins
will
say
I've
already
loaded,
sshd
core.
I
refuse
to
load
another
one
and
then
we'll
be
stuck
because
git
plugin,
though,
won't
be
able
to
find
the
apis.
It
needs
that
are
only
available
with
newer
than
1.7.0
harshit.
I
think
I
was
describing
it
correctly.
Do
you
need
to
correct
something?
I
said
there
and
tell
me
no
mark.
You
made
a
mistake.
D
Myself
so
I
know
the
error
will
be,
you
know
no
class,
no
class
found
exception.
You
know
that
was
coming
because
the
library
that
was
loaded
was
one
ssd,
co
1.7
and
I
need
the
libraries
of
ssd
core
2.7.
So
there
was,
I
was
stuck
for.
You
know
for
one
day
whole
one
day
depending
on
what
why?
Why
is
it
this
happening?
A
B
Sure
but
but
this
issue
is,
I
think
this
is
a
major
victory
that
you've
reached.
As
far
as
you
have
keep
going,
that's
great,
and
did
you
see
harshit
that
we
have
one
more
person
who's
interested
in
in
the
work
and
did
some
experiments?
We
can
ignore
their
results
if
we
need
to,
but
I
was
delighted
it's
great,
that
we
got
people
who
want
to
use
your
code.
B
So
I
I
had
closed
the
bug
report
from
someone
who
asked
for
the
ability
to
add
a
special
case
to
the
jenkins
git
publisher.
That
would
allow
it
to
push
push
multiple
tags
and
the
the
person
actually
submitted
a
pull
request
to
the
get
plug-in
saying:
hey,
here's,
the
implementation
and
it
was
a
good
implementation.
They
did
a
good
job
with
it.
B
A
B
B
Yeah
and-
and
I
pointed
the
user
and
said-
hey
use,
username
password,
it
works
now
and
he
said
no.
I
have
to
have
private
key
and
this
is
his
effort
trying
to
work
with
private
keys.
So
that's
great
nice
yeah.
Yes,
it
didn't
work.
That's
that's
not
a
problem.
The
fact
that
we've
got
one
more
person
trying
it
is
really
great.
A
B
D
C
B
C
D
B
B
If
that's,
if
that's
easy
enough
for
you,
I
that
would
be
the
way
I
would
go
if,
if
you
find
it
easier
to
combine
them
into
a
single
pr
and
still
allow
us
to
do,
allow
me
and
others
to
do
testing
that
that's
fine
too,
but
for
me,
a
separate
pr
with
the
bouncy
castle.
Work
feels
better
just
because
I
want
to
be
sure
that
rsa
and
ed25519
keys
work,
because
those
are
the
keys
that
are
important
to
me.
D
B
B
I
I
just
don't
want
to
be
blocked,
testing,
rsa
or
ed25519
because
of
a
format
that
I
don't
use
now.
Other
people
may
have
a
very
different
opinion
and
say:
hey.
I
use
pem
format
all
the
time,
but
I
truly
do
not
recall
ever
using
a
no.
Maybe
I
guess
I
did
use
one
once
because
some
of
the
cloud
vendors
give
you
a
pim
format
key.