Re: CVE-2023-50164 Struts question

2023-12-22 Thread 'wfoll...@cloudbees.com' via Jenkins Developers
Hello Randall, If it's for a single plugin, the easiest way is to use `mvn dependency:tree` to check if you are using Struts or not. Usually if you include Struts indirectly (through transitive dependencies) there is low likelihood that you are effectively using it. Most of the Jenkins plugins

Re: [Information] Release block "Beta" program

2023-09-28 Thread 'wfoll...@cloudbees.com' via Jenkins Developers
Wednesday, September 6, 2023 at 1:51:18 PM UTC+2 timja...@gmail.com wrote: > On Wed, 6 Sept 2023 at 12:42, 'wfoll...@cloudbees.com' via Jenkins > Developers wrote: > >> Last time we tested, the branch locking has the problem to be visible for >> anyone. This means that you can

Re: [Information] Release block "Beta" program

2023-09-06 Thread 'wfoll...@cloudbees.com' via Jenkins Developers
like enabling auto merge for when the release block is over >> >> On Tue, 5 Sep 2023 at 17:13, 'wfoll...@cloudbees.com' via Jenkins >> Developers wrote: >> >>> Dear plugin maintainers, >>> >>> *Context* >>> In situations where the securi

Re: Removing inactive CERT members to reduce risk

2023-07-18 Thread 'wfoll...@cloudbees.com' via Jenkins Developers
ess will follow soon. If you think your proposal should be implemented, I would suggest you to start a new thread, as it's beyond the original scopes of the existing ones. On Tuesday, July 18, 2023 at 4:59:19 PM UTC+2 m...@basilcrow.com wrote: > On Tue, Jul 18, 2023 at 1:05 AM 'wfoll...@cloudbees.co

Re: Removing inactive CERT members to reduce risk

2023-07-18 Thread 'wfoll...@cloudbees.com' via Jenkins Developers
. On Monday, July 17, 2023 at 8:19:40 PM UTC+2 m...@basilcrow.com wrote: > On Fri, Jul 14, 2023 at 6:55 AM 'wfoll...@cloudbees.com' via Jenkins > Developers wrote: > > > > This email is a continuation of > https://groups.google.com/g/jenkinsci-dev/c/8cy8w

Removing inactive CERT members to reduce risk

2023-07-14 Thread 'wfoll...@cloudbees.com' via Jenkins Developers
Hello everyone, This email is a continuation of https://groups.google.com/g/jenkinsci-dev/c/8cy8w7ZqyB8/m/eZfaenQzEAAJ. The "CERT" (= Security team) has access to some confidential information like not-yet-disclosed vulnerabilities, which fixes are in progress, internal discussions about

Re: Requesting admin access to the jenkinsci GitHub organization

2023-06-13 Thread 'wfoll...@cloudbees.com' via Jenkins Developers
+1 On Tuesday, June 6, 2023 at 10:36:39 AM UTC+2 Adrien Lecharpentier wrote: > +1 as well from me. > > Le mar. 6 juin 2023, 10:15, Baptiste Mathus a écrit : > >> +1. >> >> Le lun. 5 juin 2023 à 19:33, Srikanth Jana a >> écrit : >> >>> +1 from me >>> >>> On Mon, Jun 5, 2023 at 11:01 PM

Re: Requesting Admin access to the jenkinsci organization

2023-06-05 Thread 'wfoll...@cloudbees.com' via Jenkins Developers
+1 Thanks Alex for your continued effort in the project :-) On Monday, June 5, 2023 at 1:15:42 PM UTC+2 timja...@gmail.com wrote: > +1 > > On Mon, 5 Jun 2023 at 10:05, Ullrich Hafner wrote: > >> +1 from me >> >> Am 05.06.2023 um 09:50 schrieb Alexander Brandes : >> >> Hey everyone, >> >> I

Hosting request - Update on the security audit part

2023-02-12 Thread 'wfoll...@cloudbees.com' via Jenkins Developers
Hello there, To give you a bit of context, let me give you my definition of the return on investment (ROI) for the security team. I consider the investment mainly as time and task difficulty. For the value, it's mainly the number of users receiving a more secure application. Directly from

Re: Removing inactive Core maintainers to reduce risk

2023-01-31 Thread 'wfoll...@cloudbees.com' via Jenkins Developers
> [...] jenkinsci/inactive-core-maintainers [...] +1 for the idea And thanks for providing additional rationales behind the approach. For Basil: As it's about reducing the risk and not eliminating it, the approach was voluntarily not aggressive. If you want to have a stricter / more aggressive

Re: Removing inactive Core maintainers to reduce risk

2023-01-30 Thread 'wfoll...@cloudbees.com' via Jenkins Developers
> [...] I think it should’ve been discussed on the mailing list publicly For the CERT list, I will post a message in the mailing list before removing the inactive users. On Sunday, January 29, 2023 at 8:53:27 PM UTC+1 m...@basilcrow.com wrote: > On Sun, Jan 29, 2023 at 4:52 AM 'wfoll...@clou

Re: Removing inactive Core maintainers to reduce risk

2023-01-29 Thread 'wfoll...@cloudbees.com' via Jenkins Developers
secure! > > > Was this decision made in concert with other core maintainers > > I was not aware of such a change, but I heavily endorse the cleanup :) > > Alex > > On Friday, 27 January 2023 at 16:59:41 UTC+1 m...@basilcrow.com wrote: > >> On Fri, Jan 27, 2023 at 1:

Re: Revert of breadcrumb bar accessibility change

2022-12-09 Thread 'wfoll...@cloudbees.com' via Jenkins Developers
Thanks Basil for the message (I especially liked the references). I can only +1 your proposal as I was thinking about that in https://github.com/jenkinsci/jenkins/pull/6912#issuecomment-1331141923. Compared to you, I didn't take the time to move the idea further, thanks for the effort. The

Re: JDK19 is now available on ci.jenkins.io

2022-12-08 Thread 'wfoll...@cloudbees.com' via Jenkins Developers
+1 for the edge approach, to not create "superficial" tech debt On Thursday, December 8, 2022 at 8:34:12 AM UTC-8 slide wrote: > I think the edge idea is a good one. This reduces the churn on Jenkinsfile > changes to support building on the latest. It would be nice if we, as > plugin

Re: Proposal to ensure new plugin hosting requests use Maven instead of Gradle

2022-12-08 Thread 'wfoll...@cloudbees.com' via Jenkins Developers
+1 On Thursday, December 8, 2022 at 8:27:13 AM UTC-8 Adrien Lecharpentier wrote: > +1 as well from me. > > Le jeu. 8 déc. 2022 à 17:19, Damien Duportal a > écrit : > >> +1 >> >> Le mercredi 7 décembre 2022 à 15:49:42 UTC+1, bma...@gmail.com a écrit : >> >>> +1. >>> >>> At least such a move

Re: End of year holidays and Jenkins 2.375.2 release schedule

2022-11-22 Thread 'wfoll...@cloudbees.com' via Jenkins Developers
For the delay of the LTS release, with pleasure! :-) For the RC, no opinion. On Tuesday, November 22, 2022 at 3:53:47 PM UTC+1 Mark Waite wrote: > In the past few years, we've taken a break from our regular LTS schedule > over the holiday season. I propose we take a break this year, though

Re: Next LTS baseline selection

2022-10-25 Thread 'wfoll...@cloudbees.com' via Jenkins Developers
FTR 2.375 was released ~4h ago, the changelog page is not even updated (to receive the feedback). With the list of regression/bug fixes it seems to be a good candidate, but I think we should monitor carefully the user feedback and be ready to provide backports to a previous version. To ease

Re: Proposal: Alexander Brandes (@NotMyFault) to join the Core team

2022-10-13 Thread 'wfoll...@cloudbees.com' via Jenkins Developers
+1, thanks Alex for the several contributions you did over the recent period. Looking forward to the next period ;) On Thursday, October 13, 2022 at 3:12:04 PM UTC+2 Kevin Martens wrote: > +1 from me too! > > On Thu, Oct 13, 2022 at 5:52 AM 'Olblak' via Jenkins Developers < >

Re: GSoC Project - Plugin Health Score Survey for Maintainers

2022-06-30 Thread 'wfoll...@cloudbees.com' via Jenkins Developers
Hello Dheeraj, Are you able to share the data distribution for the individual probes you already have in place? This will greatly help us understand what should be done with the rules. E.g. if all plugins have a code coverage of 50%+, the weight should take that into consideration, in

Re: Security approval required on UI-related PRs in Jenkins core

2022-06-22 Thread 'wfoll...@cloudbees.com' via Jenkins Developers
TC+2 db...@cloudbees.com wrote: > On Wed, Jun 22, 2022 at 9:26 PM 'wfoll...@cloudbees.com' via Jenkins > Developers wrote: > >> Great idea Alex => *@jenkinsci/core-security-review* created >> >> Thanks for the feedback and yes Tim, I will allocate more people to t

Re: Security approval required on UI-related PRs in Jenkins core

2022-06-22 Thread 'wfoll...@cloudbees.com' via Jenkins Developers
>> looked at ASAP then that would be great. >> >> Let’s add this as an agenda item for the next UX sig meeting to review >> how it’s going >> >> Thanks >> Tim >> >> On Wed, 22 Jun 2022 at 18:37, 'wfoll...@cloudbees.com' via Jenkins >> Deve

Security approval required on UI-related PRs in Jenkins core

2022-06-22 Thread 'wfoll...@cloudbees.com' via Jenkins Developers
Today the Jenkins project released a security version that contains several high severity vulnerabilities. Five vulnerabilities from Jenkins core were introduced very recently during UI improvement work. Such security issues discovered

Re: Backporting for LTS 2.346.1 started

2022-06-22 Thread 'wfoll...@cloudbees.com' via Jenkins Developers
> advance. >> >> ~ Alex >> >> On Tuesday, 7 June 2022 at 18:20:52 UTC+2 wfoll...@cloudbees.com wrote: >> >>> Hey there, especially Alex, >>> >>> Usually we have a two weeks period for the RC, once the backports are >>> merged. I

Re: Backporting for LTS 2.346.1 started

2022-06-07 Thread 'wfoll...@cloudbees.com' via Jenkins Developers
Hey there, especially Alex, Usually we have a two weeks period for the RC, once the backports are merged. In this case, we have a PR that is still pending, ~one week after the expected delay. PR in question: https://github.com/jenkinsci/jenkins/pull/6618 So, two questions: 1) Is it OK if we

Re: Correct permission checks to add

2022-04-28 Thread 'wfoll...@cloudbees.com' via Jenkins Developers
Hello, Superficial read => I imagine you should use Item.CONFIGURE and not the generic Permission.CONFIGURE. Wadeck On Thursday, April 28, 2022 at 1:12:47 AM UTC+2 tim.va...@gmail.com wrote: > Hi, > > I added the Jenkins security scan to my plugin on GitHub and resolved all > the issues.Or,

Re: File Leak Detector

2022-03-01 Thread 'wfoll...@cloudbees.com' via Jenkins Developers
+1 On Tuesday, March 1, 2022 at 1:02:21 PM UTC+1 manuel.ramon...@gmail.com wrote: > +1 > > On Tue, Mar 1, 2022 at 12:28 PM Oleg Nenashev wrote: > >> +1 >> >> >> On Tuesday, March 1, 2022 at 8:36:47 AM UTC+1 timja...@gmail.com wrote: >> >>> +1 >>> >>> On Tue, 1 Mar 2022 at 01:26, Mark Waite

Re: Backporting for LTS 2.319.3 started

2022-01-31 Thread 'wfoll...@cloudbees.com' via Jenkins Developers
Please Ilde, also include https://issues.jenkins.io/browse/JENKINS-67702 to prevent scanners from complaining about XStream On Monday, January 31, 2022 at 9:56:23 AM UTC+1 Vincent Latombe wrote: > +1 from me to backport it. > > Vincent > > > Le lun. 31 janv. 2022 à 09:43, 'Ildefonso Montero' via

Re: Release team members

2021-09-27 Thread 'wfoll...@cloudbees.com' via Jenkins Developers
Good initiative Tim, thank you :) (yes you can add me ^^) Wadeck On Friday, September 24, 2021 at 9:52:30 AM UTC+2 Ildefonso Montero wrote: > No issues from my side :-) Thanks for driving this Tim! > > On Thu, Sep 23, 2021 at 9:29 PM Mark Waite wrote: > >> I would like to be a member of that

Re: Proposal: Adding Basil Crow to the Jenkins Core maintainers team

2021-09-22 Thread wfoll...@cloudbees.com
+1 as well, really involved in the community so it's just natural :-) On Wednesday, September 22, 2021 at 2:05:32 PM UTC+2 Jesse Glick wrote: > If he is interested, absolutely +1! > > By the way there are a number of people in > https://github.com/orgs/jenkinsci/teams/core/members who are no

Re: LTS backporting policy

2021-08-31 Thread wfoll...@cloudbees.com
Totally agree. Especially when the update is not a major bump of 3 versions. Most of the time it's just a minor/bug version bump. That will greatly help on the security scanners area, where the "fear" dominates the market :-) Thanks James for the suggestion, great idea. Wadeck On Tuesday,

Re: Hosting

2021-08-25 Thread wfoll...@cloudbees.com
Thank you very much Alex for the effort you invested in this area. This is a really important piece of the process from the security perspective. The fact that you did the preliminary security checks and, if something was weird, asked the security team to make a more complete audit, was of a

Re: Allowed licenses for libraries in Jenkins plugins?

2021-07-21 Thread wfoll...@cloudbees.com
Hello Mark, I dunno for the license aspect, but just adding a bit of color about the library itself. Their GitHub has only 13 Stars / 9 Forks, with 1 main contributor and 2 others. This means that the library will not necessarily receive the