Hi all, I am starting this thread in order to collect extra feedback about JEP-200, which proposes switching the Remoting/XStream implementations from a blacklist to a whitelist. The intention is to significantly reduce the risk of class deserialization attacks, which have been hitting the Jenkins project seriously over the last 2 years (e.g. SECURITY-429 this April <https://jenkins.io/security/advisory/2017-04-26/>). This JEP is accepted as a draft, and the current state is published here <https://github.com/oleg-nenashev/jep/tree/master/jep/200>.

I am assigned as a BDFL Delegate who makes the decision about accepting/rejecting this Jenkins Enhancement Proposal (see JEP-1 <https://github.com/jenkinsci/jep/tree/master/jep/1> for more info about the process). Over the next week I will be reviewing this JEP and providing feedback in this thread and in pull requests. I also call on other interested contributors to comment regarding this JEP. It is important, because the proposal implies a *high risk* of regressions in plugins and other Jenkins components. The JEP sponsor did a significant amount of testing, but there may be some gaps. Any feedback and extra testing of the reference implementation will be appreciated.

There are several ways to provide feedback:

- Comment in this thread
- Create a pull request with document edits
- Ping me (oleg-nenashev) and Jesse Glick (jglick) in IRC

My current plan is to finalize the Draft reviews/edits by December 30, though it depends on the sponsor's availability during the Christmas break if a discussion is needed. If you have any comments or interest in reviewing the JEP more deeply, please respond by this date.

Best regards,
Oleg Nenashev
