On 30.04.2015, at 02:26, Richard Bywater <[email protected]> wrote:

> Not sure if I'm the only one who has this concern (or even if it's a valid
> concern), but it seems rather easy for someone to easily stick any old plugin
> into the update centre. Is there a potential that someone could load up
> nefarious plugins that trick users into installing them and having them do
> bad things? (Yes you could do that to any of the plugins that currently exist
> but at least there's some track of stuff in Github - well, mostly - for
> JenkinsCI org-hosted ones anyway)
I am also concerned about this. I doubt any of our users expect this to even be possible, it is so ludicrous. It'd be trivial for any of several hundred users to upload a patched Email-ext or Maven plugin and get a few thousand installs before we even notice.

This is one of the reasons I want us to require that plugins need to be released from jenkinsci repos. It should be fairly straightforward to match release tags to plugin releases, and if the tag is missing, we don't publish a release in the UC.

And if not everyone were in the 'Everyone' group with write access to every plugin repo by default [1], we could even ensure that the user who released the artifact is (or was at the time the plugin was released) in fact one of the plugin committers. We already have a 'Github ID' field in LDAP/the account app, so this could be matched automatically.

Neither of these would be 100% safe, but I expect that this would make it much more difficult to upload any artifact and have it actually distributed. We're not an 'App Store', we don't vet what we offer. But the most obvious ways to exploit the update center should be shut down.

1: There is nothing wrong with giving users permissions like that when they ask for it (and maybe explain why they want it), but let's not do this by default. 400 people have push (--force) privileges to 1200 repos. What could possibly go wrong?!

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/A47D3F53-CCC7-438C-B9F0-415FB088A479%40beckweb.net.
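The two checks proposed above (a matching release tag in the jenkinsci repo, and an uploader whose GitHub ID was on the plugin's committer list at release time), sketched as an added example. This is not code from the thread or from the Jenkins update center; the tag naming conventions, the data shapes and the sample roster are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, Optional

@dataclass(frozen=True)
class Release:
    artifact_id: str         # e.g. "email-ext"
    version: str             # e.g. "2.40"
    uploader_github_id: str  # 'Github ID' field from the uploader's LDAP account
    released_at: datetime

@dataclass(frozen=True)
class Membership:
    github_id: str
    start: datetime
    end: Optional[datetime]  # None: still a committer today

def has_release_tag(release: Release, repo_tags: Iterable[str]) -> bool:
    """Assumed tag conventions: '<artifactId>-<version>', 'v<version>' or bare version."""
    wanted = {f"{release.artifact_id}-{release.version}", f"v{release.version}", release.version}
    return any(tag in wanted for tag in repo_tags)

def was_committer_at(github_id: str, when: datetime, roster: Iterable[Membership]) -> bool:
    """True if github_id held committer access at the moment of the release (half-open interval)."""
    return any(m.github_id == github_id and m.start <= when and (m.end is None or when < m.end)
               for m in roster)

def publish_decision(release: Release, repo_tags: Iterable[str],
                     roster: Iterable[Membership]) -> tuple[bool, list[str]]:
    """Return (publish_in_uc, reasons_not_to); both checks run so every failure is reported."""
    reasons = []
    if not has_release_tag(release, list(repo_tags)):
        reasons.append("no matching release tag in jenkinsci repo")
    if not was_committer_at(release.uploader_github_id, release.released_at, list(roster)):
        reasons.append("uploader was not a committer at release time")
    return (not reasons, reasons)

# Constructed sample data: two committers (bob lost access in March 2015) and two tagged releases.
def _utc(day: str) -> datetime:
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)

SAMPLE_ROSTER = [Membership("alice", _utc("2013-01-01"), None),
                 Membership("bob", _utc("2014-01-01"), _utc("2015-03-01"))]
SAMPLE_TAGS = ["email-ext-2.39", "email-ext-2.40"]
GOOD_RELEASE = Release("email-ext", "2.40", "alice", _utc("2015-04-29"))
UNTAGGED_RELEASE = Release("email-ext", "2.41", "alice", _utc("2015-04-29"))
EX_COMMITTER_RELEASE = Release("email-ext", "2.40", "bob", _utc("2015-04-29"))

if __name__ == "__main__":
    for rel in (GOOD_RELEASE, UNTAGGED_RELEASE, EX_COMMITTER_RELEASE):
        print(rel.artifact_id, rel.version, rel.uploader_github_id,
              publish_decision(rel, SAMPLE_TAGS, SAMPLE_ROSTER))
```

As the message notes, neither check is airtight on its own: a committer's own compromised credentials pass both, so the checks raise the bar for the "any of several hundred users" case rather than replace review.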
