Heads up, JEP-200 has been accepted. I am going to proceed with the current roll-out plan, which targets delivery in weekly 2.102 (next weekly) unless major issues are discovered.

My current plans:
- Jan 9 morning, EU TZ - Get Remoting 3.16 and all packaging (Docker/Swarm) released
- Jan 9 EoD, EU TZ - Send an announcement to the mailing list with the testing guidelines so that others can try the patch if they want - it has been generally available for more than 1 month by now, but it will be easier to do testing with guidelines
- Jan 10..12 - More testing + feedback processing
- Jan 12 - Integrate https://github.com/jenkins-infra/jenkins.io/pull/1293 with the announcement to Jenkins users

Best regards,
Oleg Nenashev

On Monday, January 8, 2018 at 18:24:40 UTC+1, Oleg Nenashev wrote:
>
> We have discussed the single whitelist concern with Jesse and agreed that
> there is no immediate need to implement it as a part of this JEP.
> The testing concern has also been addressed last week; all recommended and
> other popular plugins have been tested by ATH/PCT.
>
> There was no other feedback regarding JEP-200 in this thread and other
> channels, so I am going to accept it. I am going to continue testing the
> change in order to improve the coverage and maybe catch some missing
> whitelist entries. Tomorrow I will send a separate email with testing
> guidelines so that any plugin maintainer can test his/her plugin if needed.
>
> The final pull request to JEP-200 is here:
> https://github.com/jenkinsci/jep/pull/43
> Once it is integrated, the JEP will be officially accepted. If you have
> any concerns, please shout about it ASAP.
>
> Best regards,
> Oleg
>
> On Tuesday, December 26, 2017 at 15:52:51 UTC+1, Oleg Nenashev wrote:
>>
>>> They sound unrelated to security and are best addressed, if required, by
>>> plugin developers on their own initiative.
>>
>> Let's park this question for now. I am going to play with the current PR
>> state, and then I will provide a response around Jan 02.
>>
>> My IMHO is that it would be preferable to separate Remoting and XStream
>> from the very beginning, so that the plugin maintainers will think twice when
>> they try to save custom classes on the disk or to send them via Remoting.
>> But I agree it may be over-engineering. All contributors are welcome to
>> comment.
>>
>> BR, Oleg
>>
>> On Monday, December 18, 2017 at 13:41:20 UTC+1, Oleg Nenashev wrote:
>>>
>>> Hi all,
>>>
>>> I am starting this thread in order to collect extra feedback about
>>> JEP-200, which proposes switching Remoting/XStream implementations from a
>>> blacklist to a whitelist. The intention is to significantly reduce the risks of
>>> class deserialization attacks, which have been hitting the Jenkins project seriously
>>> over the last 2 years (e.g. SECURITY-429 this April
>>> <https://jenkins.io/security/advisory/2017-04-26/>). This JEP is
>>> accepted as a draft, and the current state is published here
>>> <https://github.com/oleg-nenashev/jep/tree/master/jep/200>.
>>>
>>> I am assigned as a BDFL Delegate who makes a decision about
>>> accepting/rejecting this Jenkins Enhancement Proposal (see JEP-1
>>> <https://github.com/jenkinsci/jep/tree/master/jep/1> for more info
>>> about the process). Over the next week I will be reviewing this JEP and
>>> providing feedback in this thread and in pull requests.
>>>
>>> I also call on other interested contributors to comment regarding this JEP.
>>> It is important, because the proposal implies a *high risk* of
>>> regressions in plugins and other Jenkins components. The JEP sponsor did a
>>> significant amount of testing, but there may be some gaps. Any feedback and
>>> extra testing of the reference implementation will be appreciated.
>>>
>>> There are several ways to provide the feedback:
>>>
>>> - Comment in this thread
>>> - Create a pull request with document edits
>>> - Ping me (oleg-nenashev) and Jesse Glick (jglick) in IRC
>>>
>>> My current plan is to finalize the Draft reviews/edits by December 30,
>>> though it depends on the sponsor's availability during the Christmas break
>>> if there is a discussion needed. If you have any comments or interest to
>>> review the JEP deeper, please respond by this date.
>>>
>>> Best regards,
>>> Oleg Nenashev
>>>

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/ab00784a-6d0b-4560-934b-c361c7394556%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
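The blacklist-versus-whitelist decision behind JEP-200, quoted in the original thread-starter above, as an added example that is not Jenkins, Remoting or XStream code: a stand-alone Java 9+ program with a constructed `Unlisted` class and hypothetical list entries, showing why a blacklist-backed ObjectInputStream accepts a type nobody has listed yet while a whitelist-backed one rejects it before any of that type's code can run.

```java
import java.io.*;
import java.util.Set;

public class DeserializationPolicyDemo {
    // A policy decides whether a class named in the stream may be resolved at all.
    interface ClassPolicy { boolean allowed(String className); }
    // Blacklist: everything loads unless explicitly denied, so it can only stop
    // gadget classes somebody has already discovered and listed.
    static ClassPolicy blacklist(Set<String> denied) {
        return name -> !denied.contains(name);
    }
    // Whitelist: nothing loads unless explicitly permitted (arrays and every other
    // needed type must be listed too); a class nobody thought about fails closed.
    static ClassPolicy whitelist(Set<String> permitted) {
        return name -> permitted.contains(name);
    }
    // Consults the policy before any class is loaded, i.e. before the
    // object's own readObject/readResolve code could run.
    static class FilteringObjectInputStream extends ObjectInputStream {
        private final ClassPolicy policy;
        FilteringObjectInputStream(InputStream in, ClassPolicy policy) throws IOException { super(in); this.policy = policy; }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!policy.allowed(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "rejected by deserialization policy");
            }
            return super.resolveClass(desc);
        }
    }
    // Constructed, harmless type standing in for "a class on nobody's list yet".
    static class Unlisted implements Serializable { int value = 42; }

    static String tryRead(byte[] data, ClassPolicy policy) {
        try (ObjectInputStream in = new FilteringObjectInputStream(new ByteArrayInputStream(data), policy)) {
            return "accepted " + in.readObject().getClass().getSimpleName();
        } catch (IOException | ClassNotFoundException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(new Unlisted()); }
        byte[] payload = bos.toByteArray();
        // Hypothetical list entries: the blacklist names a known gadget, the whitelist names an expected type.
        System.out.println(tryRead(payload, blacklist(Set.of("com.example.KnownGadget")))); // blacklist lets Unlisted through
        System.out.println(tryRead(payload, whitelist(Set.of("java.lang.String"))));        // whitelist rejects Unlisted
    }
}
```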