Hi Daniel,

Surprised to see scriptler there, wasn't expecting it given the number of 
people using it. If there is anything I can do to help, just let me know. I am 
a bit busy this week, but can definitely spend a couple of hours two or three 
days this week and maybe during the upcoming holidays to help fix some 
issues.

I can try to help with scriptler (have been studying it to submit some pull 
requests / RFEs) and possibly with dynamicparameter. uno-choice was created 
based on dynamicparameter, so likely we can compare the code, look at some git 
commits, and try to pull the fix (likely security script plug-in integration?) 
into dynamicparameter.

Happy to test, reproduce bugs, or try to submit one or two pull requests if 
necessary.


>-- What should we do differently in the future, if a situation similar to this 
>one ever comes up again?

Excellent approach. Let's tackle the problem, not the blame :-)

It is not clear from your e-mail if that was a case of a problem in the process 
used to communicate issues to plug-in maintainers, or if it was caused by 
the number of issues vs. the number of people working on the issues. Do we need to 
increase the number of people in the security team, or define some timely 
process, like having a dashboard or notification system that sends an e-mail 
every week with the number of issues pending notification?

Cheers,
Bruno

________________________________
From: Daniel Beck <m...@beckweb.net>
To: Jenkins Developers <jenkinsci-dev@googlegroups.com> 
Cc: Bruno P. Kinoshita <brunodepau...@yahoo.com.br>; neuralsandw...@gmail.com
Sent: Tuesday, 11 April 2017 9:51 PM
Subject: Yesterday's security advisory



Hi everyone,


We have now had the situation where the number of vulnerabilities far exceeded what 
the security team could handle.

https://jenkins.io/security/advisory/2017-04-10/


As previously discussed on this list, I've suspended distribution of plugins 
that are currently vulnerable.

https://jenkins.io/blog/2017/04/10/security-advisory/#distributing-vulnerable-plugins


List of affected plugins:

https://github.com/jenkins-infra/backend-update-center2/blob/1be044d25a312ca90336044f501e0b9e38ca3b2e/src/main/resources/artifact-ignores.properties#L187...L209


Any thoughts about this, now that it has happened?


---


As I wrote in the blog post, I was unable to contact all maintainers. Most 
maintainers of affected plugins with fewer than 500 installations didn't learn 
about this in advance. This is really not how we usually work. I consider this 
to be an exceptional situation.


So, again, to affected plugin maintainers, I really am sorry. I just didn't see 
a feasible alternative to the chosen approach. Perhaps this thread can result 
in some ideas -- What should we do differently in the future, if a situation 
similar to this one ever comes up again?


---


And then there are plugins that needed to be delisted since they have mandatory 
dependencies on delisted plugins:

https://github.com/jenkins-infra/backend-update-center2/blob/1be044d25a312ca90336044f501e0b9e38ca3b2e/src/main/resources/artifact-ignores.properties#L212...L218


From a security POV, there's nothing wrong (that I'm aware of) with any of 
these, other than that they bring along with them an unsafe plugin. Some of 
these are clearly tied to build-flow, so while that is gone, so are they. 
Then, there are the others (maintainers in CC):


- uno-choice: This depends on Scriptler. I discussed that plugin with Domi 
(Scriptler's maintainer) when we couldn't get the fixes finished, and plan to 
work with him to fix the various issues over the next several weeks or so. Once 
that gets restored, uno-choice would also be published again.

- externalresource-dispatcher: This depends on Build Flow, whose maintainers 
added a deprecation notice to the plugin wiki last year. I would be surprised 
if that got revived again. So there's probably no good solution, other than 
cutting this dependency, if we keep unsafe plugins delisted.
