Hi everyone,

We now had the situation where the number of vulnerabilities far exceeded what the security team could handle.
https://jenkins.io/security/advisory/2017-04-10/

As previously discussed on this list, I've suspended distribution of plugins that are currently vulnerable.
https://jenkins.io/blog/2017/04/10/security-advisory/#distributing-vulnerable-plugins

List of affected plugins:
https://github.com/jenkins-infra/backend-update-center2/blob/1be044d25a312ca90336044f501e0b9e38ca3b2e/src/main/resources/artifact-ignores.properties#L187...L209

Any thoughts about this, now that it has happened?

---

As I wrote in the blog post, I was unable to contact all maintainers. Most maintainers of affected plugins with fewer than 500 installations didn't learn about this in advance. This is really not how we usually work. I consider this to be an exceptional situation.

So, again, to affected plugin maintainers, I really am sorry. I just didn't see a feasible alternative to the chosen approach.

Perhaps this thread can result in some ideas -- what should we do differently in the future, if a situation similar to this one ever comes up again?

---

And then there are plugins that needed to be delisted since they have mandatory dependencies on delisted plugins:
https://github.com/jenkins-infra/backend-update-center2/blob/1be044d25a312ca90336044f501e0b9e38ca3b2e/src/main/resources/artifact-ignores.properties#L212...L218

> From a security POV, there's nothing wrong (that I'm aware of) with any of these, other than that they bring along with them an unsafe plugin. Some of these are clearly tied to build-flow, so while that is gone, so are they. Then, there are the others (maintainers in CC):

- uno-choice: This depends on Scriptler. I discussed that plugin with Domi (Scriptler's maintainer) when we couldn't get the fixes finished, and plan to work with him to fix the various issues over the next several weeks or so. Once that gets restored, uno-choice would also be published again.
- externalresource-dispatcher: This depends on Build Flow, whose maintainers added a deprecation notice to the plugin wiki last year. I would be surprised if that got revived again.

So there's probably no good solution, other than cutting this dependency, if we keep unsafe plugins delisted.
