Re: LTS backporting policy

2021-09-06 Thread jn...@cloudbees.com
https://github.com/jenkins-infra/jenkins.io/pull/4547#pullrequestreview-747378748

On Monday, September 6, 2021 at 6:25:41 PM UTC+1 jn...@cloudbees.com wrote: > > This is already covered as far as I can tell: > > I think Tim was referring to the "subject to risk" rather than "not a bug". > > As

Re: LTS backporting policy

2021-09-06 Thread jn...@cloudbees.com
> This is already covered as far as I can tell: I think Tim was referring to the "subject to risk" rather than "not a bug". As I read Any user can propose that a bug fix be backported to LTS by labeling with lts-candidate

Re: LTS backporting policy

2021-09-02 Thread Baptiste Mathus
Right, re-reading this part well (thanks Tim), I think this should be enough indeed? Not fully sure about the term "fix" being too precise, or vague :), but probably that's nitpicking. WDYT James, do you feel making a more precise note around "dependency update with known CVE" or so would still

Re: LTS backporting policy

2021-09-02 Thread Tim Jacomb
This is already covered as far as I can tell: https://www.jenkins.io/download/lts/#backporting-process > Aside from the model set out above, backporters apply some subjective selection — for example whether a fix is easy and safe to backport, confidence in the fix, importance/impact of the

Re: LTS backporting policy

2021-09-01 Thread jn...@cloudbees.com
Sure, I was just asking for it to be added to the list of eligible criteria. As with any bug that is also eligible, there is a decision to be made as to whether we are to cherry-pick the change or not. (On a randomly different note: if we were actually vulnerable, we would not have this luxury!)

Re: LTS backporting policy

2021-09-01 Thread Oleg Nenashev
I am +0.5, but being eligible does not immediately mean the change would be backported. Dependency updates may also introduce regressions. As with any other backport, risks need to be evaluated. IMHO it should be up to backporting requesters to prove the safety of changes and to ensure there is

Re: LTS backporting policy

2021-08-31 Thread Matt Sicker
Are there specific libraries we can list for safe upgrades? Like XStream, Jackson, Commons, etc., for common upgrades. I wouldn’t be super comfortable with a blanket policy, but for all our more stable ones, I think it’s a good idea.

Matt Sicker

> On Aug 31, 2021, at 09:01,

Re: LTS backporting policy

2021-08-31 Thread wfoll...@cloudbees.com
Totally agree. Especially when the update is not a major bump of 3 versions. Most of the time it's just a minor/bug version bump. That will greatly help in the security scanner area, where the "fear" dominates the market :-) Thanks James for the suggestion, great idea.

Wadeck

On Tuesday,

LTS backporting policy

2021-08-31 Thread jn...@cloudbees.com
Hi all,

I would like to propose that we add the following to the list of eligible criteria for backporting:

* is a dependency update with a known security issue

The reason for this is that if we have a dependency with a security issue that is exploitable from Jenkins, we already do include that as a