Occasionally people discover vulnerabilities in Jenkins. Because of the nature of the problem, we need a closed-door venue to discuss and work on the fixes.

We discussed improving this process in the last project meeting [1], and as per the consensus, I created a new private mailing list [2]. This list will be used to discuss the fixes and vulnerabilities until the fix gets released. It receives notifications for tickets filed in the SECURITY project in JIRA [4].

This e-mail is a call for volunteers who would be willing to work on security-related issues. Because of the nature of the problem, we can't just add everyone like we do on our other repositories, but we do need several people on it to reduce the bus factor [5].

I request that only those who are interested in actually working on the fixes apply. We'd also like to require that you have a CLA [6] in place before you apply.

[1] http://meetings.jenkins-ci.org/jenkins/2012/jenkins.2012-09-19-18.00.html
[2] https://groups.google.com/forum/#!forum/jenkinsci-cert
[3] https://wiki.jenkins-ci.org/display/JENKINS/Security+Advisories
[4] https://issues.jenkins-ci.org/browse/SECURITY
[5] http://en.wikipedia.org/wiki/Bus_factor
[6] https://wiki.jenkins-ci.org/display/JENKINS/Governance+Document#GovernanceDocument-ContributorLicenseAgreement%28CLA%29

--
Kohsuke Kawaguchi | CloudBees, Inc. | http://cloudbees.com/
Try Nectar, our professional version of Jenkins

I'd like to join
My CLA is already in https://github.com/jenkinsci/infra-cla/tree/master/collected/icla/ndeloof
2012/9/22 Kohsuke Kawaguchi <[hidden email]>
I'd also like to join. I've submitted a pull request with my CLA.

On 22 September 2012 20:17, nicolas de loof <[hidden email]> wrote:
> I'd like to join

In reply to this post by kohsuke Kawaguchi (CB)
Sign me up. ICLA in pull request.
In reply to this post by kohsuke Kawaguchi (CB)
How will this work in regards to plugins that might have security issues? Will the same pull request system be done so that the plugin maintainer can manage the releases and repo content?

slide

On Sat, Sep 22, 2012 at 10:29 AM, Kohsuke Kawaguchi <[hidden email]> wrote:

--
Website: http://earl-of-code.com

Quoting Slide <[hidden email]>:

> How will this work in regards to plugins that might have security
> issues? Will the same pull request system be done so that the plugin
> maintainer can manage the releases and repo content?

I'd suggest that if a security report was submitted for a plugin, the first action of the security team should be to directly contact the maintainer of the plugin.

The maintainer is likely to be in the best position to understand and fix the issue.

In reply to this post by kohsuke Kawaguchi (CB)
Hi,

I'd also like to join. I've sent a signed ICLA to jenkins-cla and also a pull request [1].

Thanks
Vojta

[1] https://github.com/jenkinsci/infra-cla/pull/9

On Saturday 22 September 2012 10:29:27 Kohsuke Kawaguchi wrote:

In reply to this post by kohsuke Kawaguchi (CB)
I finally came back to this and added all those who volunteered... except Michael, where Google didn't let me. It said you opted out of being added/invited to a group. Any other e-mail address I can use to add you there?

On 09/22/2012 10:29 AM, Kohsuke Kawaguchi wrote:

--
Kohsuke Kawaguchi
http://kohsuke.org/

In reply to this post by Bap
We haven't really thought this all out, but I'd imagine we'll be doing it like Drupal does [1]: interacting with the plugin maintainer to work on the fix. [hidden email] allows anyone to post, so it should be easy to run an e-mail thread with the plugin maintainer + the list.

[1] https://www.acquia.com/blog/keeping-drupal-secure

On 09/26/2012 03:04 PM, Bap wrote:
> Quoting Slide <[hidden email]>:
>
>> How will this work in regards to plugins that might have security
>> issues? Will the same pull request system be done so that the plugin
>> maintainer can manage the releases and repo content?
>
> I'd suggest that if a security report was submitted for a plugin, the
> first action of the security team should be to directly contact the
> maintainer of the plugin.
>
> The maintainer is likely to be in the best position to understand and
> fix the issue.

--
Kohsuke Kawaguchi | CloudBees, Inc. | http://cloudbees.com/
Try Nectar, our professional version of Jenkins

In reply to this post by Kohsuke Kawaguchi
I've modified my account to allow you to add me to groups. Could you try again?
Thanks, Michael
On 21 November 2012 18:15, Kohsuke Kawaguchi <[hidden email]> wrote: