>
> The annotation processing to deliver BigFatSecuritySwitch (or deferring to
> another method) is basically what I'd do.
>
It would be a simple way, but it does not allow fine-grained control. The
impact of the pending and potential fixes is too high, so many Jenkins
installations may blow up.
> Well @Restricted(DoNotUse.class) should give you a build time failure
> if you are using the Maven toolchain... if you are using the groovy
> toolchain I presume you can add the same checks...
> We could then add an Admin monitor that looks at the until fields on
> Jenkins and tells you if any of your plugins were compiled against a
> version of Jenkins older than the until... similarly the plugin
> manager could alert you for plugins that are compiled against an older
> jenkins than your oldest until...
>
I like the idea of a second unsafe method, but we will also need to notify
users that a plugin uses unsafe API. Otherwise instance maintainers won't
be aware that they are installing a plugin having a security risk.
There are the following TODOs:
- Just warn users about it in UC
- Process the limitations in Script Security Plugin
- [Optional] - Allow filtering out plugins with unsafe API by a global switch in UC
- [Optional] - Process plugins during the load/installation procedure and add all kinds of admin monitors
- It is especially required to cover the use-case with manual plugin installation
I suspect the efforts would be quite big in any case.
Wednesday, September 16, 2015, 17:02:54 UTC+3, Jesse Glick wrote:
>
> On Wed, Sep 16, 2015 at 7:27 AM, Stephen Connolly
> <[email protected]> wrote:
> > @UnsecureAlternative(name="getFooUnsafe", until="1.650")
> > public Foo getFoo(...) {
> > ...
> > }
>
> Too complicated, too reflective. Let us keep it to basic
> statically-checked idioms as much as possible.
>
> Anyway I am not convinced the actual problems at hand warrant this
> much fuss, or any incompatibility at all, but it cannot be discussed
> here.
>
--
You received this message because you are subscribed to the Google Groups
"Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/jenkinsci-dev/869ee2f4-01eb-40e3-8de1-9ce209955b4a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
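The "admin monitor" idea discussed above (flag plugins compiled against a Jenkins core older than an API method's `until` cut-off, because they may still reach the unsafe sibling method), as an added illustration that is not code from the thread or from Jenkins itself. The `@UnsecureAlternative` annotation is the hypothetical one sketched in the quoted message; `ExampleApi`, `Foo`, the version numbers and the monitor class are constructed for the example.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

// Hypothetical annotation from the thread's sketch: marks a safe API method that has an
// unsafe sibling (`name`) kept only for plugins built against core older than `until`.
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@interface UnsecureAlternative {
    String name();
    String until();
}

class Foo {}

// Constructed stand-in for a core API class.
class ExampleApi {
    @UnsecureAlternative(name = "getFooUnsafe", until = "1.650")
    public Foo getFoo(String id) { return new Foo(); }

    // The unsafe sibling that old plugins may still call.
    public Foo getFooUnsafe(String id) { return new Foo(); }
}

public class UnsafeApiMonitor {
    // Numeric comparison of dotted versions, so "1.650" < "1.651" and "1.9" < "1.10".
    static int compareVersions(String a, String b) {
        String[] pa = a.split("\\."), pb = b.split("\\.");
        for (int i = 0; i < Math.max(pa.length, pb.length); i++) {
            int x = i < pa.length ? Integer.parseInt(pa[i]) : 0;
            int y = i < pb.length ? Integer.parseInt(pb[i]) : 0;
            if (x != y) return Integer.compare(x, y);
        }
        return 0;
    }

    // Lists the unsafe methods a plugin compiled against `pluginCoreVersion` can still reach:
    // every annotated method whose `until` is newer than the version the plugin was built for.
    static List<String> unsafeMethodsStillReachable(Class<?> api, String pluginCoreVersion) {
        List<String> findings = new ArrayList<>();
        for (Method m : api.getDeclaredMethods()) {
            UnsecureAlternative a = m.getAnnotation(UnsecureAlternative.class);
            if (a != null && compareVersions(pluginCoreVersion, a.until()) < 0) {
                findings.add(a.name() + " (unsafe sibling of " + m.getName()
                        + ", available to plugins built before " + a.until() + ")");
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample: a plugin built against 1.609 is flagged, one built against 1.651 is not.
        System.out.println(unsafeMethodsStillReachable(ExampleApi.class, "1.609"));
        System.out.println(unsafeMethodsStillReachable(ExampleApi.class, "1.651"));
    }
}
```

In a real monitor the plugin's compiled-against core version would come from its manifest rather than a literal, and the scan would run over the core API classes at plugin load time.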