As of JENKINS-41745, merged in Jenkins 2.54 more than a year and a
half ago, the Remoting transport for the Jenkins CLI has been
deprecated as inherently hard to secure and just plain unwise. As far
as I know, all important CLI commands have long since removed any
dependency on this mode, or offered an alternative mode. The UI warns
you if you enable it. Is it time to finally remove this code?

I bring this up now because of Java 11 work:

https://github.com/jenkinsci/jenkins/pull/3759

made the physical layout of Jenkins core more complex, just in order
to maintain some exploit tests which were really only interesting in
CLI over Remoting, and not even that interesting anyway after JEP-200.
(Deserialization attacks via agents could still be launched, but
again, that would be much harder after JEP-200.)

I propose this `jenkins-test-jdk8` module and its three test suites
and ysoserial library be deleted, whether or not CLI over Remoting is
also removed, so that we can remove `jenkins-test-parent` and go back
to having only `jenkins-test`.
