Type: Bug
Resolution: Cannot Reproduce
Priority: Major
Labels: None
Currently, plugin (security) updates are announced via update-center.json (and a Jenkins installation can become aware that they exist), and can be announced as available in security advisories, when they are not actually available yet.
When this happens, it results in 404 errors (wrapped in Java traces) on the update center.
This situation is undesirable from a security point of view. It would be desirable to hold back public notification on available security updates (and thus notification on new vulnerabilities to the general public) until patches are actually available. Otherwise it worsens the race between Jenkins administrators and those crafting exploits.
It was suggested that this (holding back announcement of updates) may be difficult to achieve because some of the mirror servers are not under direct (Jenkins/CloudBees) project control. However, while certainly more complex and error-prone (if the implementation were too simple), I can see how this can still be achieved with a clever combination of a cron job, curl/wget and tracking state.
(Please update "Components" as needed - I was unable to identify the correct ones.)
(I initially brought this up on IRC, but was kindly referred here.)
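As an added example (not code from the Jenkins project or from the reporter), the gating approach sketched above can be expressed as a small script suitable for a cron job: parse the update-center.json, probe every mirror for each plugin artifact, and only pass a plugin version through to the published copy once it has been seen on all mirrors, remembering that fact in a state dictionary the caller persists between runs. The JSONP wrapper `updateCenter.post(...)` and the `plugins` / `version` / `url` keys match the real update-center.json layout; the mirror list, the mirror path layout, the hostnames and the sample data are constructed for the example.

```python
"""Hold back plugin entries in update-center.json until the artifact exists on every mirror.

Added example, not Jenkins project code. Only the JSONP wrapper and the
"plugins" -> {"version", "url"} keys are taken from the real file format;
mirror hosts, path layout, state format and sample data are hypothetical.
"""
import json
import re
import urllib.error
import urllib.request

# The real file is JSONP: updateCenter.post({...});
JSONP_RE = re.compile(r"^\s*updateCenter\.post\((.*)\);?\s*$", re.S)


def parse_update_center(text):
    """Strip the JSONP wrapper (if present) and parse the JSON body."""
    m = JSONP_RE.match(text)
    return json.loads(m.group(1) if m else text)


def render_update_center(uc):
    """Re-wrap a dict in the JSONP form Jenkins expects."""
    return "updateCenter.post(" + json.dumps(uc) + ");"


def http_head_ok(url, timeout=10):
    """Real probe for the cron job: HEAD request, True only on a 2xx answer.
    Not used by the offline demo below; it is what you would pass as `probe`."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except (urllib.error.URLError, OSError):
        return False


def mirror_urls(url, mirrors):
    """Map the canonical artifact URL onto each mirror (hypothetical: same path, different host)."""
    path = url.split("/", 3)[3]  # drop scheme://host/
    return [m.rstrip("/") + "/" + path for m in mirrors]


def filter_available(uc, mirrors, probe, state):
    """Return (published_copy, held_back).

    A plugin version is published only when probe() succeeds on every mirror,
    or when `state` already records it as available from an earlier run, so a
    mirror that later drops the file does not un-announce a released fix.
    """
    published = dict(uc)
    published["plugins"] = {}
    held_back = {}
    for name, plugin in uc.get("plugins", {}).items():
        key = f"{name}:{plugin['version']}"
        if state.get(key) == "available":
            published["plugins"][name] = plugin
            continue
        results = {u: probe(u) for u in mirror_urls(plugin["url"], mirrors)}
        if all(results.values()):
            state[key] = "available"
            published["plugins"][name] = plugin
        else:
            held_back[name] = [u for u, ok in results.items() if not ok]
    return published, held_back


# --- Constructed sample data: two plugins, two mirrors, one artifact not yet mirrored ---
SAMPLE_UC = "updateCenter.post(" + json.dumps({
    "updateCenterVersion": "1",
    "plugins": {
        "git": {"name": "git", "version": "2.0.1",
                "url": "https://updates.example.org/download/plugins/git/2.0.1/git.hpi"},
        "ssh-slaves": {"name": "ssh-slaves", "version": "1.9",
                       "url": "https://updates.example.org/download/plugins/ssh-slaves/1.9/ssh-slaves.hpi"},
    },
}) + ");"

MIRRORS = ["https://mirror-a.example.org/", "https://mirror-b.example.org/"]

# Constructed mirror contents: git is on both mirrors, ssh-slaves is missing on mirror-b.
FAKE_PRESENT = {
    "https://mirror-a.example.org/download/plugins/git/2.0.1/git.hpi",
    "https://mirror-b.example.org/download/plugins/git/2.0.1/git.hpi",
    "https://mirror-a.example.org/download/plugins/ssh-slaves/1.9/ssh-slaves.hpi",
}


def fake_probe(url):
    """Offline stand-in for http_head_ok()."""
    return url in FAKE_PRESENT


def demo():
    """Run one gating pass over the sample data with an empty state."""
    state = {}
    uc = parse_update_center(SAMPLE_UC)
    published, held_back = filter_available(uc, MIRRORS, fake_probe, state)
    return published, held_back, state


if __name__ == "__main__":
    published, held_back, state = demo()
    print("published:", sorted(published["plugins"]))
    print("held back:", held_back)
    print("state:", state)
```

In a real deployment the cron job would load `state` from a file, call `filter_available` with `http_head_ok`, write the state back, and publish `render_update_center(published)`. Two caveats: the published update-center.json is signed, so a filtered copy has to be re-signed with the update center key before Jenkins installations will accept it; and the same "seen on every mirror" check should gate the security advisory text itself, since the advisory is what tells the public a vulnerability exists.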