It is a follow-up to the discussion in HOSTING-492 with casz . The plugin does not whitelist base classes, and it's high risk of regressions in API user plugins. E.g. see JENKINS-49699

> What to serialize? It is a complicated topic. Jenkins 2.102+ will reject serialization of classes over Remoting and XStream, so the rule would be the following:

• Every class plugin developers persist on the disk
• Every class plugin developers send over the channel to agents

> I would say that the most of the classes should be whitelisted by plugin developers, but the library could whitelist Kotlin base classes (like kotlin.collections.EmptyList in JENKINS-49699). You can find examples of whitelisted base classes for Java here: https://github.com/jenkinsci/jenkins/blob/master/core/src/main/resources/jenkins/security/whitelisted-classes.txt