--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-dev+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/F19A59C9-3A7B-43AC-B116-498D0F88E80F%40gmail.com.
For more options, visit https://groups.google.com/d/optout.
+1 for that plan.
Given a real security issue, the Jenkins Project is IMO definitely expected to take down the offending plugin to stop propagation as much as possible. This is not a final measure, it can always be made public again once a fixed release has been published.
Plus, #2 only stops new installs.... All three items seem good practice.
On Wed, Nov 2, 2016 at 10:35 AM, Stephen Connolly
<stephen.alan.connolly@gmail.com> wrote:
> I think it would be irresponsible of the project to continue to publish a
> plugin with a known vulnerability. If an admin really wants to install it
> they can pull it down via the maven repository
>
> On 2 November 2016 at 14:24, Ullrich Hafner <ullrich...@gmail.com>
> wrote:
>>
>> > 1. Publish a security advisory about the plugin, describing the nature
>> > of the vulnerability as usual, but noting that there is no fix other than no
>> > longer using the plugin (if there are workarounds, include them).
>> > 2. Stop publishing the vulnerable plugin on the Jenkins update site.
>> > 3. Add metadata to the plugin site indicating vulnerable plugins to
>> > inform admins who already have the plugin installed.
>> >
>>
>> I think 1 and 3 are ok, but 2 is a little bit too harsh (depends on the type
>> or severity of vulnerability). I think if 1 and 3 are available an admin can
>> decide on his own whether to install a plugin or not.
>>
>
>