Dear plugin developers and maintainers,
Just in case you have not been following the JEP-200 <https://github.com/jenkinsci/jep/tree/master/jep/200> threads, this change is going to land in the next weekly.

- What? JEP-200 switches XStream/Remoting from Blacklist to Whitelist
- Why? Security concerns about class deserialization. More info is in JEP-200 / Motivation <https://github.com/jenkinsci/jep/tree/master/jep/200#motivation>
- Why is it important? The change implies a high risk of regressions in plugins by design
- Any particular cases? If you use classes from jar-packaged libraries in Remoting/XStream serialization, you likely have a problem. Classes in plugins are fine

Over the last weeks we have spent much time testing the change with the help of the Acceptance Test Harness <https://github.com/jenkinsci/acceptance-test-harness/> and the Plugin Compat Tester <https://github.com/jenkinsci/plugin-compat-tester>. You can find summaries for the recent tests in this Google Doc <https://docs.google.com/document/d/1uQcyaaLvGFwFDe0mQ27JHeG2icdX0XfCHILbHGOtAmA>. We have discovered and fixed many issues, but obviously we cannot verify all plugins. Nevertheless, we (as a Security Team) want to release this change in weeklies in order to get it well tested before the next LTS cutoff.

We will make sure that all communications are sent to users. Known issues will be tracked on this Wiki page <https://wiki.jenkins.io/display/JENKINS/Plugins+affected+by+fix+for+JEP-200>. Jenkins admins will also get explicit error messages, which will point them to this page and to the blog post with issue reporting guidelines (Pending PR <https://github.com/jenkins-infra/jenkins.io/pull/1293>). And of course, we will be tracking issue trackers in order to quickly resolve reported issues or to provide workarounds.

Patterns to be aware of...
- Serialization over XStream:
  - java.lang.UnsupportedOperationException: Refusing to marshal ${CLASS} for security reasons; see https://jenkins.io/redirect/class-filter/
- Serialization over Remoting:
  - WARNING jenkins.security.ClassFilterImpl#lambda$isBlacklisted$1: ${CLASS} in JRE might be dangerous, so rejecting; see https://jenkins.io/redirect/class-filter/

If you are interested in testing your plugin OR in testing the change on your test instances, please see the guidelines below:

How to test your plugin(s)?

- Manual: Download the Jenkins WAR from here <https://ci.jenkins.io/job/Core/job/jenkins/view/change-requests/job/PR-3120/lastSuccessfulBuild/artifact/war/target/>
- Running functional tests:
  1. Check out sources from https://github.com/jenkinsci/jenkins/pull/3120
  2. Install a local snapshot of the core ("mvn clean install -DskipTests -Dfindbugs.skip=true" takes several minutes)
  3. Update the Jenkins core requirement in your pom.xml or Gradle definition
     1. If you use Plugin POM 2.x, specify "jenkins.version=2.102-SNAPSHOT" and then set the "java.level" property to "8"
     2. For Gradle and old plugin POMs more updates may be required. Your mileage may vary
  4. Run tests

Please do not hesitate to respond to this thread, we will process the questions with the highest priority.

Best regards,
Oleg Nenashev

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/b8acba5f-5efb-49e7-853e-c040a7bb2edd%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
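The two log patterns quoted in the announcement ("Refusing to marshal ${CLASS} for security reasons" for XStream and "${CLASS} in JRE might be dangerous, so rejecting" for Remoting) are what a plugin maintainer or admin has to hunt for in a Jenkins log after upgrading to a JEP-200 weekly. The following triage helper is an added example, not code from the announcement or from the Jenkins project: it scans log text for both message shapes, counts how often each rejected class was reported on each serialization path, and produces report lines that point at the redirect URL from the messages. The log lines embedded below are constructed sample data, and the class names in them are made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log excerpt (not output from any real Jenkins instance).
# The two message shapes follow the patterns quoted in the JEP-200 announcement;
# the class names are invented placeholders.
SAMPLE_LOG = """\
INFO hudson.WebAppMain#contextInitialized: Jenkins is fully up and running
java.lang.UnsupportedOperationException: Refusing to marshal com.example.lib.LibraryPayload for security reasons; see https://jenkins.io/redirect/class-filter/
WARNING jenkins.security.ClassFilterImpl#lambda$isBlacklisted$1: java.util.concurrent.ExampleJreType in JRE might be dangerous, so rejecting; see https://jenkins.io/redirect/class-filter/
java.lang.UnsupportedOperationException: Refusing to marshal com.example.lib.LibraryPayload for security reasons; see https://jenkins.io/redirect/class-filter/
WARNING jenkins.security.ClassFilterImpl#lambda$isBlacklisted$1: org.example.thirdparty.AnotherType in JRE might be dangerous, so rejecting; see https://jenkins.io/redirect/class-filter/
INFO hudson.model.Run#execute: example-job #1 main build action completed: SUCCESS
"""

CLASS_FILTER_URL = "https://jenkins.io/redirect/class-filter/"

# XStream path: the UnsupportedOperationException message from the announcement.
XSTREAM_RE = re.compile(r"Refusing to marshal (\S+) for security reasons")
# Remoting path: the ClassFilterImpl warning from the announcement. The method
# part after '#' (a lambda name) is not stable, so it is matched loosely.
REMOTING_RE = re.compile(r"ClassFilterImpl#\S+: (\S+) in JRE might be dangerous, so rejecting")


def find_rejections(log_text):
    """Map each rejected class name to per-path hit counts.

    Returns {class_name: {"XStream": n, "Remoting": m}}; lines that match
    neither pattern are ignored.
    """
    hits = defaultdict(lambda: {"XStream": 0, "Remoting": 0})
    for line in log_text.splitlines():
        m = XSTREAM_RE.search(line)
        if m:
            hits[m.group(1)]["XStream"] += 1
            continue
        m = REMOTING_RE.search(line)
        if m:
            hits[m.group(1)]["Remoting"] += 1
    return dict(hits)


def report_lines(hits):
    """Render one line per rejected class, sorted, for a bug report or wiki entry."""
    lines = []
    for cls in sorted(hits):
        counts = hits[cls]
        paths = ", ".join(f"{path} x{n}" for path, n in counts.items() if n)
        lines.append(f"{cls}: rejected via {paths}; see {CLASS_FILTER_URL}")
    return lines


if __name__ == "__main__":
    for line in report_lines(find_rejections(SAMPLE_LOG)):
        print(line)
```

In practice you would feed the helper the contents of the Jenkins log (or a support bundle) instead of the constructed sample; every class it lists is a candidate for the known-issues wiki page, and the report already tells you whether the rejection happened during XStream persistence or on a Remoting channel, which is the first thing the fix needs to know.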
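Step 3 of the functional-test procedure above asks Plugin POM 2.x users to set "jenkins.version" to "2.102-SNAPSHOT" and "java.level" to "8". The script below is an added example, not code from the announcement or from the Jenkins project: it rewrites those two properties in a plugin pom.xml with the standard library's ElementTree, creating the properties block or the individual property when it is missing, so the same edit can be applied across several plugins before running their tests against the locally installed core snapshot. The pom embedded here is a constructed minimal example (its parent version and artifact id are placeholders); the Maven command is the one quoted in the procedure.

```python
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
# Keep the POM's default namespace unprefixed when serialising the edited tree.
ET.register_namespace("", POM_NS)

# Values from the announcement's step 3 for Plugin POM 2.x.
JEP200_PROPERTIES = {"jenkins.version": "2.102-SNAPSHOT", "java.level": "8"}
# Step 2: install the core snapshot from the checked-out PR-3120 sources.
CORE_INSTALL_COMMAND = "mvn clean install -DskipTests -Dfindbugs.skip=true"

# Constructed minimal plugin pom (not any real plugin's pom) with pre-change settings.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.jenkins-ci.plugins</groupId>
    <artifactId>plugin</artifactId>
    <version>2.33</version>
  </parent>
  <artifactId>example-plugin</artifactId>
  <properties>
    <jenkins.version>2.60.3</jenkins.version>
    <java.level>7</java.level>
  </properties>
</project>
"""


def _child(parent, local_name):
    """Find a direct child by local name inside the POM namespace, or None."""
    wanted = f"{{{POM_NS}}}{local_name}"
    for el in parent:
        if el.tag == wanted:
            return el
    return None


def set_properties(pom_text, updates):
    """Return pom_text with each <properties> entry in `updates` set (created if absent)."""
    root = ET.fromstring(pom_text)
    props = _child(root, "properties")
    if props is None:
        props = ET.SubElement(root, f"{{{POM_NS}}}properties")
    for key, value in updates.items():
        el = _child(props, key)
        if el is None:
            el = ET.SubElement(props, f"{{{POM_NS}}}{key}")
        el.text = value
    return ET.tostring(root, encoding="unicode")


def get_property(pom_text, key):
    """Read a single <properties> entry, or None if the pom does not define it."""
    root = ET.fromstring(pom_text)
    props = _child(root, "properties")
    if props is None:
        return None
    el = _child(props, key)
    return None if el is None else el.text


if __name__ == "__main__":
    updated = set_properties(SAMPLE_POM, JEP200_PROPERTIES)
    print(updated)
    print("# after installing the core with:", CORE_INSTALL_COMMAND)
    print("# run the plugin's tests with: mvn clean test")
```

Replace SAMPLE_POM with the text of a real plugin pom.xml and write the result back to disk; the announcement's caveat still applies, since Gradle builds and old plugin POMs may need further changes that a property edit alone does not cover.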