Gavin,

This is a conversation I am very interested in. I think having a clear "tiering" system would be fantastic and was one of the first things on my plate to look into.

Do you think I can maybe set up a call with you, Mark Waite, Daniel and myself?

Thank you for bringing this up!

Jake

On Friday, September 17, 2021 at 11:20:12 PM UTC-4 [email protected] wrote:
> I can run them before approving / reviewing them
>
> In addition, I would like to help manage end users' expectations about what kind of support a plugin might have (Core, Community, Professional, etc). Just one more thing to do on the todo list.
>
> Gavin
>
> On Fri, Sep 17, 2021 at 8:16 PM Gavin Mogan <[email protected]> wrote:
>> I lost track of where you did the ping to me. Sounds like I need to be clearer. If I get more scripts to run, I can run them before
>>
>> On Thu, Sep 16, 2021 at 10:10 PM Gavin Mogan <[email protected]> wrote:
>>> I'm sorry, I thought you were offering them up. I didn't realize you were asking if I wanted them. I can certainly try them out.
>>>
>>> As for the banner, it might be worth some sort of verified publisher or something else that indicates when the company maintains the plugin and you should contact their support, vs. community maintained plugins with community support avenues.
>>>
>>> On Thu., Sep. 16, 2021, 9:16 p.m. 'Daniel Beck' via Jenkins Developers <[email protected]> wrote:
>>>> > On 17. Sep 2021, at 04:32, 'Gavin Mogan' via Jenkins Developers <[email protected]> wrote:
>>>> >
>>>> > So sure, someone other than you can do more in-depth reviews of the code. I've been doing absolute basic checks with the expertise I have. I was very clear when I took over the hosting lead position that I wasn't going to be spending much time doing reviews. I'm absolutely happy for someone to step up and do more code reviews.
>>>>
>>>> Thanks for starting this conversation.
>>>>
>>>> My preferred option (that I mentioned in Jira) is to have a basic review of the plugin. My offer from August to give you access to the code scanning rules for plugins to quickly identify the low hanging fruit at least still stands. I haven't heard back from you about that.
>>>>
>>>> Another option could be not to have reviews, but instead to do something similar to what Mozilla does[1], and prominently display that plugins are not reviewed for security. At least then we let admins know what they're getting. This would require criteria for other badges that need maintaining, however, and certainly will take time to set up.
>>>>
>>>> I'm sure there are other approaches we can take, but admitting code with very obvious security flaws doesn't seem like a great approach given how critical Jenkins is for many of its users.
>>>>
>>>> 1: https://support.mozilla.org/en-US/kb/add-on-badges
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>> To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/8E216E2D-EA35-4A21-99C8-44A026BFD592%40beckweb.net.
