Re: Security approval required on UI-related PRs in Jenkins core

2022-08-31 Thread Basil Crow
On Wed, Jun 22, 2022 at 10:37 AM 'wfoll...@cloudbees.com' via Jenkins Developers wrote: > For this reason, as the security officer and effective as of today, I want to > block the merge of any UI-related PRs until they have received at least one > approval from someone in CERT. […] > Do you

Re: Security approval required on UI-related PRs in Jenkins core

2022-06-30 Thread Alexander Brandes
+1, labels indeed help to make it more clear what still needs to be done. We could add something like "needs-security-fix" next to the "needs-fix" label. On Thursday, 30 June 2022 at 12:37:18 UTC+2 timja...@gmail.com wrote: > I'd suggest another label for security review complete but needs

Re: Security approval required on UI-related PRs in Jenkins core

2022-06-30 Thread Tim Jacomb
I'd suggest another label for security review complete but needs fixes. There are currently 12 PRs showing as blocked by needing security review (1 or 2 of these may need a fix, and a label could make that clearer).

Re: Security approval required on UI-related PRs in Jenkins core

2022-06-22 Thread 'wfoll...@cloudbees.com' via Jenkins Developers
The team got "triage" permission, so that they can add the newly created label "security-approved", so that it's easier to understand when it's good to go. That will also "solve" Daniel's concern about regular review ;-) On Wednesday, June 22, 2022 at 9:30:47 PM UTC+2 db...@cloudbees.com wrote:

Re: Security approval required on UI-related PRs in Jenkins core

2022-06-22 Thread 'Daniel Beck' via Jenkins Developers
On Wed, Jun 22, 2022 at 9:26 PM 'wfoll...@cloudbees.com' via Jenkins Developers wrote: > Great idea Alex => *@jenkinsci/core-security-review* created > > Thanks for the feedback and yes Tim, I will allocate more people to those > reviews, compared to the hosting requests that were mainly

Re: Security approval required on UI-related PRs in Jenkins core

2022-06-22 Thread 'wfoll...@cloudbees.com' via Jenkins Developers
Great idea Alex => *@jenkinsci/core-security-review* created Thanks for the feedback and yes Tim, I will allocate more people to those reviews, compared to the hosting requests that were mainly out-of-order stuff we are doing. On Wednesday, June 22, 2022 at 8:57:15 PM UTC+2 mc.ca...@gmail.com

Re: Security approval required on UI-related PRs in Jenkins core

2022-06-22 Thread Alexander Brandes
Hey Wadeck, > until they have received at least one approval from someone in CERT. Could we add a "security" team with read permissions on jenkinsci/jenkins, so that core maintainers can request a review from it if a PR touches UI components? I'm aware that Basil (?) created a label, but GitHub honors

Re: Security approval required on UI-related PRs in Jenkins core

2022-06-22 Thread Tim Jacomb
Hi Wadeck, we can monitor this in the short term. My concern would be around responsiveness and turnaround time. RPU hosting requests already can take a fair amount of time if there are a few at a time. It already takes a long time to get some of the UI pull requests in. As long as the security

Security approval required on UI-related PRs in Jenkins core

2022-06-22 Thread 'wfoll...@cloudbees.com' via Jenkins Developers
Today the Jenkins project released a security version that contains several high-severity vulnerabilities. Five vulnerabilities from Jenkins core were introduced very recently during UI improvement work. Such security issues discovered