Security best practices should not be opt-in. I receive the manifest 
(daily) emails and did not see this topic. Many others likely did not 
either.

Jenkins is viewed by many as Critical Cyber Infrastructure and plays an 
important role in the global software supply chain. That supply chain was 
just weakened today, on purpose.

I understand the volunteer perspective. I lead multiple OWASP projects and 
spend a considerable amount of time doing open source projects. I get it. 
Just know that the software supply chain affects everyone including 
CloudBees Enterprise customers and every downstream consumer of projects 
built using Jenkins.


On Monday, June 15, 2020 at 10:27:01 AM UTC-5 Oleg Nenashev wrote:

> Hi Steve,
>
> Duly noted. Note that we offered an alternate way for maintainers to get 
> their password delivered if they are not fine with the current delivery 
> method. In my message from Jun 12: "If anyone has concerns about such a 
> method and wants to use alternate channels for encrypted password transfer, 
> please send us a message through the Jenkins Infrastructure mailing list 
> from your email registered in Jenkins. In this email please provide your 
> public GPG key so that we can reset a password again in a secure way." You 
> did not contact us, and hence you got your password reset with the standard 
> process. If you want to get your password reset in a secure way, please 
> feel free to use this process.
>
> Again, we operate with resources and tools we have. The Jenkins project 
> and its infrastructure are driven by volunteers, and we have limited 
> capacity when it comes to fixing urgent things due to uncoordinated 
> disclosures. You may call it insane, but it was the solution we delivered 
> with given circumstances. Contributors have families and other commitments, 
> and please know that the situation has taken a high toll on them. Everybody 
> is welcome to contribute and to contribute to the infrastructure. I am 
> cordially grateful to those several contributors who stepped up and helped 
> to get the issue fixed, or offered to help, or sent kind words over 
> different channels. This is an example to follow.
>
> Everyone is welcome to join the team and to work together on a better 
> solution for user management so that we can prevent a similar situation in 
> the future.
>
> Best regards,
> Oleg
>
>
> On Mon, Jun 15, 2020 at 5:02 PM Steve Springett <[email protected]> 
> wrote:
>
>> "Technical debt" is not an excuse to reset plugin maintainers accounts 
>> and include a clear-text email containing their username AND password. 
>> That's insane. As a security professional I will not stand for that. I will 
>> no longer be maintaining Jenkins plugins and will attempt to find new 
>> maintainers for the ones I do. No guarantees.

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/da467d52-3ad4-41f5-8d8b-2f86a68487a1n%40googlegroups.com.