> On 17. Sep 2021, at 04:32, 'Gavin Mogan' via Jenkins Developers 
> <[email protected]> wrote:
> 
> So sure, someone other than you can do more in-depth reviews of the code. 
> I've been doing absolute basic checks with the expertise I have. I was very 
> clear when I took over the hosting lead position that I wasn't going to be 
> spending much time doing reviews. I'm absolutely happy for someone to step up 
> and do more code reviews. 

Thanks for starting this conversation.

My preferred option (that I mentioned in Jira) is to have a basic review of the 
plugin. My offer from August to give you access to the code scanning rules for 
plugins to quickly identify the low hanging fruit at least still stands. I 
haven't heard back from you about that.

Another option could be to not have reviews, and instead do something similar to 
what Mozilla does[1]: prominently display that plugins are not reviewed for 
security. At least then we let admins know what they're getting. This would, 
however, require criteria for other badges that need maintaining, and will 
certainly take time to set up.

I'm sure there are other approaches we can take, but admitting code with very 
obvious security flaws doesn't seem like a great approach given how critical 
Jenkins is for many of its users.


1: https://support.mozilla.org/en-US/kb/add-on-badges

To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/8E216E2D-EA35-4A21-99C8-44A026BFD592%40beckweb.net.