Thank you, Daniel. I received a few of your pull requests on the plugins I try to co-maintain. I accepted some of them, but quickly realized, thanks to the help of Mark Waite, that there was more to it than just clicking "Merge". The scan then creates potentially hundreds of alerts that maintainers have to deal with.
Depending on their involvement in the plugin, their understanding of the existing codebase, the choices made before they joined the maintainers group, and their comprehension of the alerts created, this process could range from a walk in the park to hauling a one-metric-ton rock to the top of a mountain. I will do my homework and try to sort between false positives, real issues I can solve, and things that are too complicated for me. In the meantime, the other PRs you created for the plugins I try to maintain will have to wait. Please don't get discouraged if your PRs don't get merged or reviewed in other repositories quickly. We experienced a similar situation when Mark and I proposed the move to JDK21 to hundreds of plugins last year. Don't get me wrong: adding the Jenkins Security Scan is a very sane and safe move. As far as I know, it runs on GitHub, so it should not impact our infrastructure. It will just deepen our vendor-lock dependency with GitHub, but we're already knee-deep in that relationship, so it shouldn't make much difference.

Once again, thanks a lot for your work. I truly appreciate the effort, and I'm sure the rest of the community will too.

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CACtV%3DdcCtfdtGpZG0%3D%3DY_-ocy7ksnOGpEM6CbcD%2BdtCYRdDJYA%40mail.gmail.com.