We've been doing it for a long time already. Allowing insecure plugins into the infra creates a LOT of work for the security folks. I think it's a benefit to run the security checks to reduce that already heavy workload. It usually just takes a couple of back and forth discussions on Jira for hosting issues to get things resolved to cover most of the security issues. It's not a large barrier to overcome in my opinion.
On Tue, Sep 21, 2021 at 8:57 AM Robert Sandell <[email protected]> wrote:

> I understand the case that we want to make sure users/administrators can
> somehow trust what is offered in the public/official update center.
> But I don't like the idea of restricting or putting up barriers for new
> contributors to join the project, or hindering the potential innovation
> coming in from the outside.
> It was the welcoming and open approach of "just ask and you shall receive"
> that made me like this community so much and stay around for 11 years and
> hopefully many more.
> There must be some way we can address both without sacrificing one?
> So by all means, run the script to find the issues, but please don't block
> a contribution based on the findings from it.
>
> /B
>
> On Sat, 18 Sep 2021 at 05:20, 'Gavin Mogan' via Jenkins Developers <[email protected]> wrote:
>
>> I can run them before approving / reviewing them
>>
>> In addition, I would like to help manage end users' expectations about what
>> kind of support a plugin might have (Core, Community, Professional, etc).
>> Just one more thing to do on the todo list.
>>
>> Gavin
>>
>> On Fri, Sep 17, 2021 at 8:16 PM Gavin Mogan <[email protected]> wrote:
>>
>>> I lost track of where you did the ping to me. Sounds out I need to be
>>> clearer. If I get more scripts to run, I can run them before
>>>
>>> On Thu, Sep 16, 2021 at 10:10 PM Gavin Mogan <[email protected]> wrote:
>>>
>>>> I'm sorry, I thought you were offering them up. I didn't realize you
>>>> were asking if I wanted them. I can certainly try them out.
>>>>
>>>> As for the banner, it might be worth some sort of verified publisher or
>>>> something else that indicates when the company maintains the plugin and you
>>>> should contact their support, vs community maintained plugins with
>>>> community support avenues.
>>>>
>>>> On Thu., Sep. 16, 2021, 9:16 p.m. 'Daniel Beck' via Jenkins Developers <[email protected]> wrote:
>>>>
>>>>> > On 17. Sep 2021, at 04:32, 'Gavin Mogan' via Jenkins Developers <[email protected]> wrote:
>>>>> >
>>>>> > So sure, someone other than you can do more in-depth reviews of the
>>>>> > code. I've been doing absolute basic checks with the expertise I have. I
>>>>> > was very clear when I took over the hosting lead position that I wasn't
>>>>> > going to be spending much time doing reviews. I'm absolutely happy for
>>>>> > someone to step up and do more code reviews.
>>>>>
>>>>> Thanks for starting this conversation.
>>>>>
>>>>> My preferred option (that I mentioned in Jira) is to have a basic
>>>>> review of the plugin. My offer from August to give you access to the code
>>>>> scanning rules for plugins to quickly identify the low hanging fruit at
>>>>> least still stands. I haven't heard back from you about that.
>>>>>
>>>>> Another option could be not to have reviews, and instead to do something
>>>>> similar to what Mozilla does[1], and prominently display that plugins are
>>>>> not reviewed for security. At least then we let admins know what they're
>>>>> getting. This would require criteria for other badges that need maintaining,
>>>>> however, and certainly will take time to set up.
>>>>>
>>>>> I'm sure there are other approaches we can take, but admitting code
>>>>> with very obvious security flaws doesn't seem like a great approach given
>>>>> how critical Jenkins is for many of its users.
>>>>>
>>>>> 1: https://support.mozilla.org/en-US/kb/add-on-badges
>>>>>
>>>>> --
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "Jenkins Developers" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to [email protected].
>>>>> To view this discussion on the web visit
>>>>> https://groups.google.com/d/msgid/jenkinsci-dev/8E216E2D-EA35-4A21-99C8-44A026BFD592%40beckweb.net.
>
> --
> *Robert Sandell*
> Senior Software Engineer
> CloudBees, Inc.
> <http://www.cloudbees.com>
> E: [email protected]
> Twitter: robert_sandell

--
Website: http://earl-of-code.com
