I can run them before approving / reviewing them.

In addition, I would like to help manage end users' expectations about what kind of support a plugin might have (Core, Community, Professional, etc). Just one more thing to do on the todo list.

Gavin

On Fri, Sep 17, 2021 at 8:16 PM Gavin Mogan <[email protected]> wrote:

> I lost track of where you did the ping to me. Sounds like I need to be
> clearer. If I get more scripts to run, I can run them before
>
> On Thu, Sep 16, 2021 at 10:10 PM Gavin Mogan <[email protected]> wrote:
>
>> I'm sorry, I thought you were offering them up. I didn't realize you were
>> asking if I wanted them. I can certainly try them out.
>>
>> As for the banner: it might be worth some sort of verified publisher or
>> something else that indicates when the company maintains the plugin and you
>> should contact their support, vs community maintained plugins with
>> community support avenues.
>>
>> On Thu., Sep. 16, 2021, 9:16 p.m. 'Daniel Beck' via Jenkins Developers <[email protected]> wrote:
>>
>>> > On 17. Sep 2021, at 04:32, 'Gavin Mogan' via Jenkins Developers <[email protected]> wrote:
>>> >
>>> > So sure, someone other than you can do more in-depth reviews of the
>>> > code. I've been doing absolute basic checks with the expertise I have. I
>>> > was very clear when I took over the hosting lead position that I wasn't
>>> > going to be spending much time doing reviews. I'm absolutely happy for
>>> > someone to step up and do more code reviews.
>>>
>>> Thanks for starting this conversation.
>>>
>>> My preferred option (that I mentioned in Jira) is to have a basic review
>>> of the plugin. My offer from August to give you access to the code scanning
>>> rules for plugins to quickly identify the low-hanging fruit at least still
>>> stands. I haven't heard back from you about that.
>>>
>>> Another option could be to not have reviews, and instead to do something
>>> similar to what Mozilla does[1], and prominently display that plugins are
>>> not reviewed for security. At least then we let admins know what they're
>>> getting. This would require criteria for other badges that need maintaining,
>>> however, and will certainly take time to set up.
>>>
>>> I'm sure there are other approaches we can take, but admitting code with
>>> very obvious security flaws doesn't seem like a great approach given how
>>> critical Jenkins is for many of its users.
>>>
>>> 1: https://support.mozilla.org/en-US/kb/add-on-badges
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Jenkins Developers" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/jenkinsci-dev/8E216E2D-EA35-4A21-99C8-44A026BFD592%40beckweb.net
>>>

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAG%3D_Dusvy%3D0f_XCDrGpZ8FS5HmOdck4xORvtjdScfzc43iu3gQ%40mail.gmail.com.
