From YouTube: JCasC Project meeting, Aug 14, 2019
Description
It is a Jenkins World time, but we met anyway! Overview of the recent JCasC security fixes, incoming changes, and the JCasC Developer tools status sync-up. Meeting notes: https://docs.google.com/document/d/1Hm07Q1egWL6VVAqNgu27bcMnqNZhYJmXKRvknVw4Y84/edit#heading=h.pairl9h3t928
A
C
A
Okay, so yeah. This is a regular Jake asked officers meeting today is August 14th yeah, it's the ropes holding small time frame, but since we have people around, we decided to meet anyway. We have three contributors on the cold Steam odden for works on the community. Liberationist content mean we had this. We didn't have any specific agenda, but we can show it on the fight okay, so you losers, I, guess we have some at least.
A
Last meeting was when we released 1.24, so there was a number of changes there and just one day before the security advisory, hi Damien, so an able to talk about this huge dead by the way. But basically there was a release with number of security fixes very inside drinks, figuration of sport. So here you can see four security fixes. They are mostly related to exposure secrets in plaintext to system, roads and train portal configurations. There was also a kicks for schema and the instrumentation expert without administer permissions.
A
Exporting configuration Yama's, so basically it was possible to define, has been killed in the configuration example. If you have an emissions by the dem you or agent configuration and then when you mean was exporting the field, not jet exposing rotation but checking it and reimbursing the game, it was possible to access all system variables and the passwords using word, so he was also fixed, so yeah just p security fixes, in addition to date, in this security advisory.
A
So we say knowing because it's on the top and writes browser windows. Okay, so we in addition to these security fixes, we also had one fits in. The previous version was one not just winking, also him, basically proxy credentials proxy credentials. I think you can configure the plug-in manager to manage surprising the proxy proxy across the entire chain consensus, so configuration is called.
A
Plugin has its own proxy configuration because we still have intended called purchase to make it possible without custom patch, and apparently there was a bug before this weeks, because this part wasn't masked at all meeting system modes and duration levels. So now it's fixed. It was also announced.
A
It was generate 31st, we're basically right after meeting current and this fixes, which one asked yeah one thing to know all the three are. These fixes are breakin, so we mark this is incompatible because you might need to review configuration Yama's, even the reservists of exposed, passports or even is a risk or available expressions so that you need computation demos and also, if you use apxs, to make your JSON schema. Well, assuming it works. But now you need administer technicians to do that.
A
Okay, so yeah it was 225, 3ds, I wanna do this and one because it was weak, so it was a full fix for big bomb rated, which was also exposing secrets persisting loads in some cases. So now it's also fixed. There was a separate advisory for that because there was a follow-up report, so we used an opportunity of the next security advisory to just fix it and post the stories with security. Different energy cars.
B
Sure so one of the ones was the reducing login level, which was a lot of some of those security fixes, makes it sort of a moot point for the login once before. By default, we logged it in for level every change. We were doing. We've changed that to log it fine, so you have to configure a login rule now, if you want to debug, but it means that for most cases it's not spamming your logs and it also reduces the risk of accidentally exposing any secrets and the logs just just good.
B
B
A
Data binding for the country, B descriptor, so very issue release pull request of it is that it uses some changes which are not an inertia. Yet it's a bit big for such small change. So maybe is somebody will propose a simple fix later so nickel. We did a great job to prototype here. Here's the job 205, but yeah. It's pretty big yeah.
B
Yeah, it's also not used as much these days for emails, remove obsolete, plug-in management section from different, so there was a screenshot on the readme that was confusing someone, that's screenshots been refreshed, and some maintainer just make some code styles for IntelliJ have been added to the repo to make it easier for people using IntelliJ and the public whisperer templates being changed. So that commits me to just go at the top, and it reads more naturally.
A
A
A
So yeah there was quite a number of changes, mostly quality of life and documentation, but all the changes available to the users. There are some pending changes, but nothing really specific right now, so Joseph has spent some time in order to finally fix collision because for us one of the issues was so that khadisha was continuously fighting for food requests and yeah now is doing.
A
C
A
Fujita's, which is not a neutral or generic plugin, we would rather use urging his beginning persistent to make it accessible false using report. All plug-in was national choice. It was this plugin all of the inputs. I want to teach its full revolt, including, for example, th was provider so yeah that is dependent who requests justifies taking ownership of this bringing so yeah I think eventually, you'll end.
A
A
Yeah history of such minor changes, also yeah I, think we cannot forbid. If we communicated properly, they can again market the plug-in as incompatible like we did for one 25, so yeah I think we can easily do it and we are right now. We also work on plugging site improvements and support of GitHub by change locks there. So this breaking changes should become more visible to users when they fire updates. Even now, a big data working, ok.
D
A
For example, if you take this advice away, which was released in April this year, it is quite a list of plugins and the most of the plugins in the lists for financials in plain text, so what it means they basically use strings to persist. The data on the DS they also usually use strings as I type in they each race and for configuration is called plug-in. But it's basically no way to determine the this field is supposed to be secret so that it's supposed to be part of a password educast plug-in relies on constructors.
A
Better setters feels in order to determine whether they feel a secret or not to define whether it masks it. So there is a proposal who introduced additional hardening where you basically just take common, try phrases and suffixes like password whatever, so this list has been created after the abuse. Basically taking thanks a lot to Daniel that for making some statistics from plugins, you have 20 minutes remaining. Okay, you have 20 minutes remaining.
A
A
Information that this attribute is safe to be exported, so obviously, maybe a kind of breaking change I mean because even if we prevent common cases from being exposed, for example, if you have a natural, beautiful us passport or something like that, then it will be most biological talking by default. So there are some ways to actually opt out from this behavior example.
A
A
So, basically, it's a security hardening. There was no normal security abilities, except this one's and yeah. That is a proposal to just get it inertia so that you have even more basic filtering, hopefully secrets, but the anxiety that create attentional processes and regulations because gets aggressive filtering and we cannot say for sure what it will bring.
A
A
A
Administered variations would have whatever I did on magnin's a technician whatever it's called so unity explore, requested it's called system rate and we basically, the attempt- is to have some configurations controlled by this definition, so that, for example, you can access three monitors because you don't you go change you there unless in dismiss monitors and so on, but again the most important thing in system configuration and management things. You can see that there also some changes here to make it possible. So the tricky part there with changing configuration is always painful and Jenkins.
A
Yeah hope that we will be able to enter this change in some sense. So we here in this petition, is implied by admin, so it should be working out of the box if you use classic strategies, so we can use throat stratagem month some position. It should work by default. You know this. These changes are subject to extensive testing.
B
A
Yeah so I think that yeah. So this is a long way to get this pull request for abortion because they keep remaining. It cannot be done in a single iteration, but yeah I think that we should be able to mention soon and of course, it's accurate testing, because some actions may not protect it, because you know about some changes, for example, on fix, see a rapacious and Commission issues and by methadone drugs as potentially remains, and you see security issues for some actions which are not properly protected by system admin.
A
A
B
C
B
A
For you, so basically we would need something quite a bit for the new permission is some EPS. So basically, this plug-in would employ deflection and under to check whether the technician is accessible or not, and if you have a similar to again a lower version subjective so that I can maintain your bottom lip. So the biggest challenge for us is that they told it's been using yeah.
B
A
D
Yeah yeah, so I think help you might run out of Pioneer, but so I think we were discussing about the way we could actually implement some of the the schema generation for having aloha quite some problems with some of the approaches. Actually, we discussed with that. We could have bit either convert the entire thing into a.
D
D
Okay, so yeah, so one of the things that we plan to do is: can you see my scream at it? Yes, yeah yeah yeah. So what we and I thought was that we could initially convert it converted to a JSON, some also converting of amyl to it. This one is very simple, and so you would take that this one with all of these example values using using a library and then pass a JSON and get an accurate or more than I, create kind of a schema.
D
If you have a look at this screen here yeah, so he could give it a particular JSON. You would get up. Freddy Freddy I carried JSON schema so yeah, so we would get our JSON schema like this, but the problem- and this was we- wouldn't need to actually fill that every single, every single run, every single value in the credential in our particular in and then have it uploaded. So so we kind of eliminated this option.
D
The other option that we kind of discussed was we are this one, the one way we maybe convert the schema door close dynamically. Now, that's that's very, very difficult because as far as I read about it, it involves bit manipulation and stuff so convert to write a class on its own. That would be I mean that would be hazardous because then we would have to construct the subclasses and so so that that was that was out as well.
D
So I think the last approach that we recently discussed was this one yeah, the one way we actually use the VAM l export, so I think the authority would explain it to me. Adding I think you would. You are going to I think Amin on how exactly are we going to use that I tried skipping through it by a debugger I went through the entire, like code of the ML expose and stuff so yeah, so I did go through it and if I'm not wrong, there's a c-note actually hold an attribute value.
D
A
C
B
B
So if you go so this is a Dickens core class I mean these ones configure engine in the default. It's unclassified in security, it's an extension point as well. So you know tools and credentials come in via the extension point, so it's good to be familiar with and that they they will configure it from category configurator in configuration is code plugin, okay, and that will configure that configures all of the pack giri's.
B
B
D
B
B
B
B
D
Basically, if I so, for example, if it's a credentials plug-in home, maybe yeah maybe take their dog, you know whatever, so we meet as a single subclasses right. So, for example, if I wanted to access the knocker API except the URI in so that would it would have more than one indentation right. So how is that? How is that I know? I mean I? Think there was an example I put in the title, if it has indentation always vary with.
B
Subclasses, you need to add a symbol which says which one you want to use if it's multiple implementations, so in these European agents, plug-in and you've got you've got multiple different retention strategies for how you want the VMS to be kept. You've got like run once you've got keep around for 60 minutes and you've got any read elites in each of those have got a symbol until you need to, because you have to add another field in the ml. One line down saying which, which type that you want.
A
Description is quite complicated yeah because you use existing frameworks. It should help us and we had taken a big experience with the recent security fixes. The weekend progressed after refactoring this code, maybe moving common methods and common common tweaks to utility classes, so it might help in the future, but yeah right now, just utilize what you have, and there is no object to make a JSON schema, CD laughter, very first iteration.