We have discussed the single whitelist concern with Jesse and agreed that there is no immediate need to implement it as a part of this JEP. The testing concern was also addressed last week: all recommended and other popular plugins have been tested by ATH/PCT.
There was no other feedback regarding JEP-200 in this thread and other channels, so I am going to accept it. I am going to continue testing the change in order to improve the coverage and maybe catch some missing whitelist entries. Tomorrow I will send a separate email with testing guidelines so that any plugin maintainer can test his/her plugin if needed.

The final pull request to JEP-200 is here: https://github.com/jenkinsci/jep/pull/43
Once it is integrated, the JEP will be officially accepted. If you have any concerns, please shout about it ASAP.

Best regards,
Oleg

On Tuesday, 26 December 2017 at 15:52:51 UTC+1, Oleg Nenashev wrote:
>
>> They sound unrelated to security and are best addressed, if required, by plugin developers on their own initiative.
>
> Let's park this question for now. I am going to play with the current PR state, and then I will provide a response around Jan 02.
>
> My IMHO is that it would be preferable to separate Remoting and XStream from the very beginning, so that the plugin maintainers will think twice when they try to save custom classes on the disk or to send them via Remoting. But I agree it may be over-engineering. All contributors are welcome to comment.
>
> BR, Oleg
>
> On Monday, 18 December 2017 at 13:41:20 UTC+1, Oleg Nenashev wrote:
>>
>> Hi all,
>>
>> I am starting this thread in order to collect extra feedback about JEP-200, which proposes switching Remoting/XStream implementations from a blacklist to a whitelist. The intention is to significantly reduce the risk of class deserialization attacks, which have been hitting the Jenkins project seriously over the last 2 years (e.g. SECURITY-429 this April <https://jenkins.io/security/advisory/2017-04-26/>). This JEP is accepted as a draft, and the current state is published here <https://github.com/oleg-nenashev/jep/tree/master/jep/200>.
>>
>> I am assigned as a BDFL Delegate who makes a decision about accepting/rejecting this Jenkins Enhancement Proposal (see JEP-1 <https://github.com/jenkinsci/jep/tree/master/jep/1> for more info about the process). Over the next week I will be reviewing this JEP and providing feedback in this thread and in pull requests.
>>
>> I also call other interested contributors to comment regarding this JEP. It is important, because the proposal implies a *high risk* of regressions in plugins and other Jenkins components. The JEP sponsor made a significant amount of testing, but there may be some gaps. Any feedback and extra testing of the reference implementation will be appreciated.
>>
>> There are several ways to provide the feedback:
>>
>> - Comment in this thread
>> - Create a pull request with document edits
>> - Ping me (oleg-nenashev) and Jesse Glick (jglick) in IRC
>>
>> My current plan is to finalize the Draft reviews/edits by December 30, though it depends on the sponsor's availability during the Christmas break if there is a discussion needed. If you have any comments or interest to review the JEP deeper, please respond by this date.
>>
>> Best regards,
>> Oleg Nenashev

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/82b32386-6233-4c43-b280-e9a7cbb8da38%40googlegroups.com.
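The blacklist-to-whitelist switch that JEP-200 proposes, and the "missing whitelist entry" regression the thread is testing for, shown in an added example that is not part of this thread and is neither Jenkins code nor the JEP-200 reference implementation. Jenkins applies the idea inside its Remoting and XStream layers; this stand-alone code uses the JDK's standard java.io.ObjectInputFilter (JDK 9 and later) instead, so only the principle carries over. The classes Config, PluginData, KnownGadget and NewGadget are constructed stand-ins: the two "gadgets" merely bump a counter in readObject() where a real gadget chain would run attacker-chosen code.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Set;

/*
 * Added example, not Jenkins code and not the JEP-200 reference implementation.
 * Uses the JDK's java.io.ObjectInputFilter (JDK 9+) to contrast a blacklist with
 * a whitelist. Every class below is a stand-in constructed for this example.
 */
public class FilterDemo {

    /** Legitimate class that the whitelist knows about. */
    static final class Config implements Serializable {
        private static final long serialVersionUID = 1L;
        int retries = 3;
    }

    /** Legitimate class from a hypothetical plugin that nobody added to the whitelist. */
    static final class PluginData implements Serializable {
        private static final long serialVersionUID = 1L;
        long counter = 42L;
    }

    /** Stand-in for a gadget class the blacklist was written against. */
    static final class KnownGadget implements Serializable {
        private static final long serialVersionUID = 1L;
        static int sideEffects;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            sideEffects++; // a real gadget chain would execute attacker-chosen code here
        }
    }

    /** Stand-in for a gadget class discovered after the blacklist was written. */
    static final class NewGadget implements Serializable {
        private static final long serialVersionUID = 1L;
        static int sideEffects;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            sideEffects++;
        }
    }

    /** Blacklist: reject known-bad classes; anything unknown stays UNDECIDED, which the stream treats as allowed. */
    static ObjectInputFilter blacklist(Set<Class<?>> denied) {
        return info -> {
            Class<?> c = info.serialClass();
            if (c == null) {
                return ObjectInputFilter.Status.UNDECIDED; // depth/reference/size checks carry no class
            }
            return denied.contains(c) ? ObjectInputFilter.Status.REJECTED : ObjectInputFilter.Status.UNDECIDED;
        };
    }

    /** Whitelist: allow only listed classes; anything else, malicious or merely unregistered, is rejected. */
    static ObjectInputFilter whitelist(Set<Class<?>> allowed) {
        return info -> {
            Class<?> c = info.serialClass();
            if (c == null) {
                return ObjectInputFilter.Status.UNDECIDED;
            }
            return allowed.contains(c) ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
        };
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserializes one payload under the given filter and reports what happened. */
    static String attempt(byte[] payload, ObjectInputFilter filter) {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            ois.setObjectInputFilter(filter); // consulted before any class in the payload is instantiated
            return "accepted " + ois.readObject().getClass().getSimpleName();
        } catch (InvalidClassException e) {
            return "rejected (" + e.getMessage() + ")";
        } catch (IOException | ClassNotFoundException e) {
            return "failed: " + e;
        }
    }

    public static void main(String[] args) throws IOException {
        byte[][] payloads = {
            serialize(new Config()), serialize(new PluginData()),
            serialize(new KnownGadget()), serialize(new NewGadget())
        };
        ObjectInputFilter black = blacklist(Set.of(KnownGadget.class));
        ObjectInputFilter white = whitelist(Set.of(Config.class));
        for (byte[] p : payloads) {
            System.out.println("blacklist: " + attempt(p, black) + " | whitelist: " + attempt(p, white));
        }
        // Only the blacklist run ever executed a gadget's readObject() (NewGadget slipped through).
        System.out.println("gadget side effects: " + (KnownGadget.sideEffects + NewGadget.sideEffects));
    }
}
```

Compile and run with `javac FilterDemo.java && java FilterDemo`. The blacklist accepts Config, PluginData and NewGadget (so NewGadget's readObject() runs) and rejects only KnownGadget; the whitelist accepts Config alone and rejects both gadgets before they are instantiated. The price is visible in the second column: PluginData, a perfectly legitimate class, is rejected too. That is exactly the class of regression the thread asks plugin maintainers to test for, and the fix on the whitelist side is to register the class, not to weaken the filter.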
