I think it's a valid concern.

AFAIK, once you sign up for an account on jenkins-ci.org, you can push to the Maven repository, and therefore to the update centre.

In this specific instance, I've filed INFRA-287 to try and get Maven push access disabled. Long term, I don't know what a good solution would look like. In the shorter term, if there's an "allow Maven access" flag in LDAP, maybe we can hook it up to the IRC bot.

Regards,
Chris


On 30/04/15 02:26, Richard Bywater wrote:
Not sure if I'm the only one who has this concern (or even if it's a
valid concern), but it seems rather easy for someone to easily stick any
old plugin into the update centre. Is there a potential that someone
could load up nefarious plugins that trick users into installing them
and having them do bad things? (Yes, you could do that to any of the
plugins that currently exist, but at least there's some track of stuff in
GitHub - well, mostly - for JenkinsCI org-hosted ones anyway)

Richard.

On Thu, 30 Apr 2015 at 01:09 Christopher Orr <[email protected]> wrote:

    Hey,

    On 29/04/15 07:37, anitha vivedhan wrote:
     > I created a wiki page for the Chat Room Jenkins plugin. But that wiki
     > page is not listed in the Jenkins Update Center. Can you please suggest
     > the solution.
     >
     > https://wiki.jenkins-ci.org/display/JENKINS/ChatRoom+Plugin

    The wiki page you mention here links to a repo with no code in it:
    https://github.com/anithavivedhan/jenkins-ChatRoom/tree/9c867e9

    The plugin itself seems to have been published from a different repo
    with a very similar name and the same plugin ID in the pom.xml:
    https://github.com/anithavivedhan/ChatRoom-plugin/tree/c91028d

    The code in that repo looks similar to the "Sample Plugin" you published
    last week:
    https://github.com/anithavivedhan/jenkins-sample

    At that time, I asked you to kindly stop publishing plugins, as the
    plugin was nonsense, appeared to attempt to duplicate the existing
    HipChat plugin, and (like the other Git repos here) is a complete mess:
    https://groups.google.com/forum/#!msg/jenkinsci-dev/BJ_t1GTPmiA/gYq18vK_CDAJ

    This "Chat Room plugin" is similarly nonsense, and contains hardcoded
    references to an ASP.NET app on localhost, with parameters which look
    like they've been taken from the deprecated HipChat v1 API:
    https://github.com/anithavivedhan/ChatRoom-plugin/blob/c91028d/target/checkout/src/main/java/jenkins/plugins/ChatRooms/StandardChatService.java#L70-L82
    https://www.hipchat.com/docs/api/method/rooms/message

    I also hope that isn't a live HipChat API token you've hardcoded there.

    Anyway, as I mentioned, there is an existing HipChat plugin, which also
    lets you use a locally-hosted HipChat server, if that's what you're
    trying to do:
    https://wiki.jenkins-ci.org/display/JENKINS/HipChat+Plugin

    Otherwise, this plugin looks very specific to your use case and, as I
    mentioned in the above email, you do not need to publish to the Jenkins
    Update Centre in this case — you can install your own custom plugins
    directly via the Jenkins Plugin Manager UI.

    This plugin is of really low quality, has an incredibly generic name, no
    useful documentation, and there seems to be a poor understanding of how
    Git works.

    As I mentioned before, *please* stop publishing plugins to the Jenkins
    Update Centre until you can resolve all of these issues.  The plugins
    are of no use to anybody.

    If you can explain what your plugin is meant to do, or you have
    questions about Jenkins plugin development, feel free to let us know.

    But until then, please refrain from publishing any more plugins.

    Thanks,
    Chris

--
You received this message because you are subscribed to the Google Groups "Jenkins 
Developers" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/55417C22.6020408%40orr.me.uk.