Occasionally people discover vulnerabilities in Jenkins. Because of the
nature of the problem, we need a closed-door venue to discuss and work
on the fixes.
We discussed improving this process at the last project meeting
[1], and as per the consensus, I created a new private mailing list [2].
This list will be used to discuss the fixes and vulnerabilities until
the fix gets released. It receives notifications for tickets filed in the
SECURITY project in JIRA [4].
This e-mail is a call for volunteers who would be willing to work on the
security related issues. Because of the nature of the problem, we can't
just add everyone like we do on our other repositories, but we do need
several people on it to reduce the bus factor [5].
I request that only those who are interested in actually working on
fixes apply. We'd also like to require that you have a CLA [6] in place
before you apply.
[1] http://meetings.jenkins-ci.org/jenkins/2012/jenkins.2012-09-19-18.00.html
[2] https://groups.google.com/forum/#!forum/jenkinsci-cert
[3] https://wiki.jenkins-ci.org/display/JENKINS/Security+Advisories
[4] https://issues.jenkins-ci.org/browse/SECURITY
[5] http://en.wikipedia.org/wiki/Bus_factor
[6] https://wiki.jenkins-ci.org/display/JENKINS/Governance+Document#GovernanceDocument-ContributorLicenseAgreement%28CLA%29
--
Kohsuke Kawaguchi | CloudBees, Inc. | http://cloudbees.com/
Try Nectar, our professional version of Jenkins