I like the sound of it, and it seems a well-trodden path, as used by those other projects mentioned.
On Wednesday, November 2, 2016 at 11:59:28 PM UTC+11, Daniel Beck wrote:
> Hi everyone,
>
> When the security team receives a report about a plugin, we try to contact the maintainer and work with them to fix the issue. But between unmaintained plugins, unresponsive maintainers, or maintainers with no time to fix even security vulnerabilities, this doesn't always work out.
>
> Unfortunately, the security team does not have the capacity to fix all security vulnerabilities in all plugins -- so we may have reports, but no way to fix the reported problems. Just sitting on the reports and hoping for a new maintainer to dump the issues on is not a solution.
>
> So what can we do instead?
>
> My plan is that we adopt a policy similar to that of Wordpress[1] and Drupal[2] (and possibly Typo3[3]):
>
> We try to contact the maintainer. If they refuse (no time, no interest), or don't respond in a timely manner (several weeks), and the security team doesn't have the capacity to fix it, do the following:
>
> 1. Publish a security advisory about the plugin, describing the nature of the vulnerability as usual, but noting that there is no fix other than no longer using the plugin (if there are workarounds, include them).
> 2. Stop publishing the vulnerable plugin on the Jenkins update site.
> 3. Add metadata to the plugin site indicating vulnerable plugins to inform admins who already have the plugin installed.
>
> #1 and #2 can be implemented immediately, but #3 needs infra and core support. That said, it's more of a 'convenience' feature. The important bits really are #1 and #2.
>
> I will implement this plan going forward unless there are well-reasoned objections.
>
> Daniel
>
> 1: https://wordpress.org/about/security/
> 2: https://www.drupal.org/security-team
> 3: I found https://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2016-020/ which indicates they use a similar approach.