How will this work in regards to plugins that might have security
issues? Will the same pull request system be done so that the plugin
maintainer can manage the releases and repo content?

slide

On Sat, Sep 22, 2012 at 10:29 AM, Kohsuke Kawaguchi
<kkawagu...@cloudbees.com> wrote:
>
> Occasionally people discover vulnerabilities in Jenkins. Because of the
> nature of the problem, we need a closed-door venue to discuss and work on
> the fixes.
>
> We discussed improving this process in the last project meeting [1],
> and as per the consensus, I created a new private mailing list [2]. This
> list will be used to discuss the vulnerabilities and fixes until the fix
> gets released. It receives notifications for tickets filed in the SECURITY
> project in JIRA [4].
>
> This e-mail is a call for volunteers who would be willing to work on the
> security related issues. Because of the nature of the problem, we can't just
> add everyone like we do on our other repositories, but we do need several
> people on it to reduce the bus factor [5].
>
> I request that only those who are interested in actually working on the fixes
> apply. We'd also like to require that you have a CLA [6] in place before you apply.
>
>
>
> [1] http://meetings.jenkins-ci.org/jenkins/2012/jenkins.2012-09-19-18.00.html
> [2] https://groups.google.com/forum/#!forum/jenkinsci-cert
> [3] https://wiki.jenkins-ci.org/display/JENKINS/Security+Advisories
> [4] https://issues.jenkins-ci.org/browse/SECURITY
> [5] http://en.wikipedia.org/wiki/Bus_factor
> [6] https://wiki.jenkins-ci.org/display/JENKINS/Governance+Document#GovernanceDocument-ContributorLicenseAgreement%28CLA%29
> --
> Kohsuke Kawaguchi | CloudBees, Inc. | http://cloudbees.com/
> Try Nectar, our professional version of Jenkins



-- 
Website: http://earl-of-code.com