We haven't really thought this all out, but I'd imagine we'll be
doing it like Drupal does [1] --- interacting with the plugin maintainer
to work on the fix.
jenkinsci-c...@googlegroups.com allows anyone to post, so it should be
easy to run an e-mail thread with the plugin maintainer + the list.
[1] https://www.acquia.com/blog/keeping-drupal-secure

On 09/26/2012 03:04 PM, Bap wrote:

Quoting Slide <slide.o....@gmail.com>:

How will this work in regards to plugins that might have security
issues? Will the same pull request system be done so that the plugin
maintainer can manage the releases and repo content?

I'd suggest that, if a security report was submitted for a plugin, the
first action of the security team should be to directly contact the
maintainer of the plugin.

The maintainer is likely to be in the best position to understand and
fix the issue.

--
Kohsuke Kawaguchi | CloudBees, Inc. | http://cloudbees.com/
Try Nectar, our professional version of Jenkins