On 11.01.2016, at 10:00, Boris Serdiuk wrote:

> Well, I read the release notes and the reasoning behind it, but I don't get why that breaking change wasn't made opt-in.
Security in Jenkins is currently opt-in for mostly historical reasons. That's fine on your team's local network. And one would think people wouldn't run an unsecured Jenkins on a publicly accessible server. We've recently learned that one would be wrong, and I had the great joy of writing a security advisory(!) basically telling people to not be complete idiots[1]. Therefore I decided to err on the side of caution on this change (and FWIW the rest of the security team agreed).

As to the impact on plugins, we identified several plugins that would be affected and provided guides for the most popular ones. I'd be happy to keep updating the wiki page with definitive information on other plugins as well. And I'm planning to add an option to the security configuration UI to make this option more discoverable and easier to change.

1: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-10-01
