This topic brings up a reminder I was going to bring up today. I like routines, so my routine for hosting (as long as it's just me) is every Thursday I go through the hosting requests, run the checks, and approve things that have no outstanding issues. Thursday is the day. Best case it'll take a week (Thursday to Thursday) to approve, most likely it'll be 2 weeks.
> Could we at least make a rudimentary review mandatory before admitting plugins? The recent bunch of plugins had so many obvious problems, just pinging me and calling it a day isn't a good solution. We're worse than the Android App Store here.

Remember "we" is code for "someone not me". So sure, someone other than you can do more in-depth reviews of the code. I've been doing absolute basic checks with the expertise I have. I was very clear when I took over the hosting lead position that I wasn't going to be spending much time doing reviews. I'm absolutely happy for someone to step up and do more code reviews. But for now, that's my schedule. I'd love help from more experienced people.

Gavin

On Thu, Sep 16, 2021 at 7:07 PM [email protected] (Jira) <[email protected]> wrote:

> Plugin Hosting Requests <https://issues.jenkins.io/browse/HOSTING> / HOSTING-1133 <https://issues.jenkins.io/browse/HOSTING-1133> To Do
> Request to host Keeper Secrets Manager plugin
>
> *Daniel Beck* on 2021-09-16 18:56
>
> There seems to be no reason for + in
> https://github.com/jsupun/keeper-secrets-manager-plugin/blob/5c63d56f0c066a2c47ba0da8401c929676723e58/src/main/java/io/jenkins/plugins/ksm/KsmSecret.java#L52
> making this regex inefficient.
> Missing permission check in
> https://github.com/jsupun/keeper-secrets-manager-plugin/blob/51a7d547b994bd1ff066da4e7db807aa0dd385e4/src/main/java/io/jenkins/plugins/ksm/credential/KsmCredential.java#L121-L133
>
> https://github.com/jsupun/keeper-secrets-manager-plugin/blob/63893eaa06e4f9e540eac2c5701169feff84565e/src/main/java/io/jenkins/plugins/ksm/builder/KsmBuilder.java#L187-L189
> credentials enumeration vulnerability here
>
> Also here:
> https://github.com/jsupun/keeper-secrets-manager-plugin/blob/5c63d56f0c066a2c47ba0da8401c929676723e58/src/main/java/io/jenkins/plugins/ksm/builder/KsmBuilder.java#L187-L189
>
> There being a separate step, rather than integrating with Credentials and just using withCredentials, is likely not great for secret masking in console output.
>
> https://github.com/jsupun/keeper-secrets-manager-plugin/blob/5c63d56f0c066a2c47ba0da8401c929676723e58/src/main/java/io/jenkins/plugins/ksm/builder/KsmBuilder.java#L172
> unmodified sample plugin
>
> https://github.com/jsupun/keeper-secrets-manager-plugin/blob/main/src/main/java/io/jenkins/plugins/ksm/builder/KsmEnvironmentContributingAction.java#L46
> that's not a user friendly name, why even bother?
>
> I have some reservations around KsmEnvironmentContributingAction. In contrast, credentials-binding uses a BuildWrapper that declares all variables to be *sensitive* (i.e. should not be shown on the UI).
>
> ------------------------------
>
> Could we at least make a rudimentary review mandatory before admitting plugins? The recent bunch of plugins had so many obvious problems, just pinging me and calling it a day isn't a good solution. We're worse than the Android App Store here.
