Request to join the Jenkins Security Team

Bruno P. Kinoshita

Jul 22, 2017, 5:38:12 AM
to Jenkins Developers
Hi,

I would like to request to be added to the Jenkins Security Team. My main interest is in helping to fix issues in any dependency of the plug-ins I maintain, as well as in the core. Right now Scriptler is a plug-in I would like to try and see if I could help, as it is blocking active-choices-plugin.

GitHub with 2FA enabled: kinow
FreeNode user: kinow

Thank you
Bruno

Oleg Nenashev

Jul 24, 2017, 8:06:08 AM
to Jenkins Developers, brunod...@yahoo.com.br
Hi Bruno,

Generally I am +1 with this request. Having more people is definitely useful.

OTOH you probably do not need to be a member of the Security team if you just want to fix Scriptler. Its vulnerabilities are publicly listed in this advisory: https://jenkins.io/security/advisory/2017-04-10/ . Regarding plugins maintained by active contributors, we usually assign security issues to them. In all other cases like core fixes, yes it makes sense to join the security team.

Best regards,
Oleg

On Saturday, July 22, 2017 at 12:38:12 UTC+3, user kinow wrote:

Bruno P. Kinoshita

Jul 24, 2017, 9:04:36 AM
to o.v.ne...@gmail.com, Jenkins Developers
Hi Oleg,

I had seen the security advisory, and in the Wiki and GitHub I can see some progress made to fix some of the 5 issues.

But I think the maintainer is the only one with access to read and comment in the SECURITY-XXX tickets.

At least that's what I recall from when I worked on a SECURITY issue. My intention was to check the progress of tickets, see if there was a patch somewhere to be tested, or a discussion going on. And then try to help scriptler and any other plugin I use/used or that is a dependency in one of the plugins I use.

But I can wait till the maintainer has made further progress on the issues. I will re-read the description of the security issues with more calm over the next days, check latest code and try to liaise directly with the maintainer if I have a patch.

Cheers
Bruno 


--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-de...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/20d20e3c-a222-4d53-8309-3dd6daee74a0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Stephen Connolly

Jul 24, 2017, 9:34:28 AM
to jenkin...@googlegroups.com, o.v.ne...@gmail.com
More the merrier IMHO, I am +1 on you joining

Daniel Beck

Jul 26, 2017, 8:33:43 AM
to jenkin...@googlegroups.com

> On 24. Jul 2017, at 15:04, 'Bruno P. Kinoshita' via Jenkins Developers <jenkin...@googlegroups.com> wrote:
>
> I had seen the security advisory, and in the Wiki and GitHub I can see some progress made to fix some of the 5 issues.
>
> But I think the maintainer is the only one with access to read and comment in the SECURITY-XXX tickets.
>
> At least that's what I recall from when I worked on a SECURITY issue. My intention was to check the progress of tickets, see if there was a patch somewhere to be tested, or a discussion going on. And then try to help scriptler and any other plugin I use/used or that is a dependency in one of the plugins I use.
>
> But I can wait till the maintainer has made further progress on the issues. I will re-read the description of the security issues with more calm over the next days, check latest code and try to liaise directly with the maintainer if I have a patch.
>

Hi Bruno,

First, you're welcome to join the security team. We can always use the additional help!

In this special case, if you're just interested in fixing this one issue, I can also make available whatever internal discussion and proposed code changes exist related to this issue.

Whichever way you prefer, just let me know.

Daniel