I understand the case that we want to make sure users/administrators can
somehow trust what is offered in the public/official update center.
But I don't like the idea of restricting or putting up barriers for new
contributors to join the project, or hindering the potential innovation
coming in from the outside.
It was the welcoming and open approach of "just ask and you shall receive"
that made me like this community so much and stay around for 11 years and
hopefully many more.
There must be some way we can address both without sacrificing one?
So by all means, run the script to find the issues, but please don't block
a contribution based on the findings from it.

/B

Den lör 18 sep. 2021 kl 05:20 skrev 'Gavin Mogan' via Jenkins Developers <
[email protected]>:

> I can run them before approving / reviewing them
>
> In addition, I would like to help manage end users' expectations about what
> kind of support a plugin might have (Core, Community, Professional, etc).
> Just one more thing to do on the todo list.
>
> Gavin
>
> On Fri, Sep 17, 2021 at 8:16 PM Gavin Mogan <[email protected]> wrote:
>
>> I lost track of where you did the ping to me. Sounds like I need to be
>> clearer. If I get more scripts to run, I can run them before
>>
>> On Thu, Sep 16, 2021 at 10:10 PM Gavin Mogan <[email protected]>
>> wrote:
>>
>>> I'm sorry I thought you were offering them up. I didn't realize you were
>>> asking if I wanted them. I can certainly try them out
>>>
>>> As for the banner. It might be worth some sort of verified publisher or
>>> something else that indicates when the company maintains the plugin and you
>>> should contact their support, vs community maintained plugins with
>>> community support avenues.
>>>
>>> On Thu., Sep. 16, 2021, 9:16 p.m. 'Daniel Beck' via Jenkins Developers, <
>>> [email protected]> wrote:
>>>
>>>>
>>>>
>>>> > On 17. Sep 2021, at 04:32, 'Gavin Mogan' via Jenkins Developers <
>>>> [email protected]> wrote:
>>>> >
>>>> > So sure, someone other than you can do more in-depth reviews of the
>>>> code. I've been doing absolute basic checks with the expertise I have. I
>>>> was very clear when I took over the hosting lead position that I wasn't
>>>> going to be spending much time doing reviews. I'm absolutely happy for
>>>> someone to step up and do more code reviews.
>>>>
>>>> Thanks for starting this conversation.
>>>>
>>>> My preferred option (that I mentioned in Jira) is to have a basic
>>>> review of the plugin. My offer from August to give you access to the code
>>>> scanning rules for plugins to quickly identify the low hanging fruit at
>>>> least still stands. I haven't heard back from you about that.
>>>>
>>>> Another option could be to not have reviews, and instead do something
>>>> similar to what Mozilla does[1], and prominently display that plugins are
>>>> not reviewed for security. At least then we let admins know what they're
>>>> getting. This would require criteria for other badges that need maintaining
>>>> however, and certainly will take time to set up.
>>>>
>>>> I'm sure there are other approaches we can take, but admitting code
>>>> with very obvious security flaws doesn't seem like a great approach given
>>>> how critical Jenkins is for many of its users.
>>>>
>>>>
>>>> 1: https://support.mozilla.org/en-US/kb/add-on-badges
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "Jenkins Developers" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/d/msgid/jenkinsci-dev/8E216E2D-EA35-4A21-99C8-44A026BFD592%40beckweb.net
>>>> .
>>>>


-- 
*Robert Sandell*
Senior Software Engineer
CloudBees, Inc.
<http://www.cloudbees.com>
E: [email protected]
Twitter: robert_sandell

