Skip to content
Commit e24ceef2 authored by Kohsuke Kawaguchi's avatar Kohsuke Kawaguchi
Browse files

Disabling this subsystem by default. 

As much as we'd like to enable this by default, what we've learned over
the past few days indicate that this is just too disruptive a change. In a nutshell,

 - The change is just too big. It touches more than 4000 lines just in the core and remoting,
   which makes this by far the biggest change we've done in secret. The chance of something
   going wrong is just too high. As recently as yesterday we are still finding significant
   problems with this subsystem.

 - We've learnt that Subversion 1.x contains Callables that we cannot just whitelist, but
   that version is used by roughly a third of users. If we put this on by default, they will
   see their builds break.

 - Every time we come up with a new way to scan plugins to find impacted code, we always
   find several plugins that are affected, indicating that we probably have missed more
   plugins that will be impacted.

 - We haven't really analyzed past versions of any plugins at all, but as the Subversion
   version distribution indicates, considerable portion of people run old plugins.

As we see in the Wiki page (http://jenkins-ci.org/security-144), vast majority of Jenkins
installations will fit in the category of "I have set up Jenkins master and all slaves by
myself", for whom this subsystem is entirely redundant.

Based on the knowledge we now have about the impact of this addition, and considering people
who benefit from this vs people who don't benefit from this, I'm not enabling this feature
out of the box, just yet.

Our plan is to advertise this feature, then get necesary plugin updates in place over time.
At some later point, we can make this feature on by default, which will only impact new
installations. Further down the road, we can inch up the warning given to people who run
without this feature, or remove the GUI configuration and force this feature on, to get
close to the ideal state of having everyone run with this feature on.

Jesse doesn't like this, but I think he understands where I'm coming from. Sorry Jesse,
this time I'm having this my way.
parent 8a105ce5
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment