The Active Choices (uno-choice) Plugin 
<https://wiki.jenkins.io/display/JENKINS/Active+Choices+Plugin> has been 
blacklisted (removed) from the Jenkins update site together with several 
others due to the security advisory of April 2017
https://jenkins.io/security/advisory/2017-04-10/#active-choices-uno-choice-plugin

This plugin allowed users with Job/Configure permissions to run arbitrary 
Groovy code inside the Jenkins JVM. 

This vulnerability had been *disclosed, and fixed in Active Choices Plugin 
1.5.1 in 2016*, before the security advisory was issued.

The reason the Active Choices plugin continues to be on the security black 
list is a *soft dependency* on Scriptler, whose distribution has been 
suspended for similar reasons
https://jenkins.io/security/advisory/2017-04-10/#scriptler-plugin

We now propose to remove the dependency on Scriptler and allow users to 
install Active Choices with *just the use of groovy secure scripts*. 
Only if users had independently installed Scriptler there would be an 
option to run a script from the Scriptler library.

We are posting this on the list to obtain feedback from the Jenkins 
community whether this approach makes sense and would facilitate the return 
of Active Choices to the Jenkins update center.
We have been *surprised by the uproar the removal of this very unique and 
helpful plugin from the Jenkins update center has caused* and we are trying 
to best balance the requirements for security with those for usability and 
user choice in an open source project.

best regards
Ioannis
