> On 18. Jun 2020, at 22:50, Tim Jacomb <timjaco...@gmail.com> wrote:
>
> The security team already uses a different project in Jira to everyone else,
> I don't think we need to change that currently, maintainers will just use
> whatever the security team decides I would think?
>
> Mentioned this earlier:
> > One thing I think is important to mention is that the security project can
> > be a special case and should be fine to either stay on jira or possibly
> > there’s a better tool for it, we shouldn’t block a move because the
> > security project has a very well defined process that works well in Jira

I already explained earlier that the effectiveness of our work depends on
maintainers getting, and then not just ignoring, notifications from Jira.
That's made more difficult when they don't use it. Depending on how you count,
we have between 1 and 4 people contacting maintainers for hundreds of issues a
year; anything that makes this more effort or introduces delays will negatively
impact our effectiveness.

Additionally, with the vast majority of issues being tracked in Jira, we can
fairly easily subscribe to the feed of new issues and move publicly reported
vulnerabilities into the private tracker. That doesn't exist on GitHub.

Similarly, users should be able to report security issues without having to
jump through hoops. Right now, that's done by accepting reports via email and
in the issue tracker most other stuff uses anyway.

I would be surprised if we wouldn't regularly get 0-days because people with
just a GH account don't bother to do it properly, and just report issues on GH.
If that is enabled in repos without someone regularly reviewing incoming
issues, or by a maintainer who's unaware of how we handle security issues in
the project, reports may linger in public for months or even years.

Having a screen like
https://github.com/jenkinsci/configuration-as-code-plugin/issues/new/choose
could help here, but that's far from universal right now. Is this something
that could be defined via .github? Having a screen similar to this would be the
bare minimum for GH issue tracking already today.
--
You received this message because you are subscribed to the Google Groups
"Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to jenkinsci-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/jenkinsci-dev/8E2ACAC0-AC5D-456E-AF21-E60F92203931%40beckweb.net.
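As an added example that is not part of the thread above: the issue chooser screen asked about in the message is driven by a `.github/ISSUE_TEMPLATE/config.yml` file, and when such a file lives in a repository named `.github` in the organization, GitHub applies it as the default for repositories that have no template of their own. The two URLs below are assumptions, not taken from the message.

```yaml
# .github/ISSUE_TEMPLATE/config.yml (added example, not from the original thread)
# Turns off the blank "open a new issue" form, so a reporter must pick either
# an issue template or one of the contact links below before anything is filed.
blank_issues_enabled: false
contact_links:
  - name: Report a security vulnerability
    # Assumed URL for the project's private reporting process; substitute the real one.
    url: https://www.jenkins.io/security/reporting/
    about: Please do not file vulnerabilities as public issues. Use the private reporting process so the security team is notified and the report is tracked privately.
  - name: Bug reports and feature requests
    # Assumed URL for the shared Jira instance; substitute the real one.
    url: https://issues.jenkins.io/
    about: Most components track issues in Jira. Check the plugin's README for the component to use.
```

A contact link only steers reporters; a repository that still has issue templates defined locally will show those in addition to these links, so a maintainer still has to triage whatever arrives in the public tracker.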