Request to join the Jenkins Security Team


Request to join the Jenkins Security Team

Jenkins dev mailing list
Hi,

I would like to request to be added to the Jenkins Security Team. My main interest is in helping to fix issues in any dependency of the plug-ins I maintain, as well as in the core. Right now Scriptler is a plug-in I would like to try and see if I could help, as it is blocking active-choices-plugin.

GitHub with 2FA enabled: kinow
FreeNode user: kinow

Thank you
Bruno

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/1708666797.3173034.1500716039118%40mail.yahoo.com.
For more options, visit https://groups.google.com/d/optout.

Re: Request to join the Jenkins Security Team

Oleg Nenashev
Hi Bruno,

Generally I am +1 with this request. Having more people is definitely useful.

OTOH you probably do not need to be a member of the Security team if you just want to fix Scriptler. Its vulnerabilities are publicly listed in this advisory: https://jenkins.io/security/advisory/2017-04-10/ . Regarding plugins maintained by active contributors, we usually assign security issues to them. In all other cases like core fixes, yes it makes sense to join the security team.

Best regards,
Oleg

On Saturday, 22 July 2017 at 12:38:12 UTC+3, kinow wrote:
Hi,

I would like to request to be added to the Jenkins Security Team. My main interest is in helping to fix issues in any dependency of the plug-ins I maintain, as well as in the core. Right now Scriptler is a plug-in I would like to try and see if I could help, as it is blocking active-choices-plugin.

GitHub with 2FA enabled: kinow
CLA: https://github.com/jenkinsci/infra-cla/pull/48
FreeNode user: kinow

Thank you
Bruno


Re: Request to join the Jenkins Security Team

Jenkins dev mailing list
Hi Oleg,

I had seen the security advisory, and in the Wiki and GitHub I can see some progress made to fix some of the 5 issues.

But I think the maintainer is the only one with access to read and comment in the SECURITY-XXX tickets.

At least that's what I recall from when I worked on a SECURITY issue. My intention was to check the progress of tickets, see if there was a patch somewhere to be tested, or a discussion going on. And then try to help scriptler and any other plugin I use/used or that is a dependency in one of the plugins I use.

But I can wait till the maintainer has made further progress on the issues. I will re-read the description of the security issues with more calm over the next days, check latest code and try to liaise directly with the maintainer if I have a patch.

Cheers
Bruno 





Re: Request to join the Jenkins Security Team

stephenconnolly
More the merrier IMHO, I am +1 on you joining



Re: Request to join the Jenkins Security Team

Daniel Beck
In reply to this post by Jenkins dev mailing list

> On 24. Jul 2017, at 15:04, 'Bruno P. Kinoshita' via Jenkins Developers <[hidden email]> wrote:
>
> I had seen the security advisory, and in the Wiki and GitHub I can see some progress made to fix some of the 5 issues.
>
> But I think the maintainer is the only one with access to read and comment in the SECURITY-XXX tickets.
>
> At least that's what I recall from when I worked on a SECURITY issue. My intention was to check the progress of tickets, see if there was a patch somewhere to be tested, or a discussion going on. And then try to help scriptler and any other plugin I use/used or that is a dependency in one of the plugins I use.
>
> But I can wait till the maintainer has made further progress on the issues. I will re-read the description of the security issues with more calm over the next days, check latest code and try to liaise directly with the maintainer if I have a patch.
>

Hi Bruno,

First, you're welcome to join the security team. We can always use the additional help!

In this special case, if you're just interested in fixing this one issue, I can also make available whatever internal discussion and proposed code changes exist related to this issue.

Whichever way you prefer, just let me know.

Daniel
