ruby-runtime is a plugin that allows Jenkins plugins to be implemented in Ruby.
It has quite a number of problems:
* The source code situation is a mess, with two separate repositories.
https://github.com/jenkinsci/ruby-runtime-plugin/pull/6#issuecomment-383842017
https://github.com/jenkinsci/ruby-runtime-plugin/
https://github.com/jenkinsci/jenkins.rb/tree/master/java-runtime
* It is unmaintained, with the latest release (0.12) in 2013. While the
changelog claims that 0.13 was released in 2016, it's not actually available on
update sites. The last real activity seems to have happened around 2014.
http://plugins.jenkins.io/ruby-runtime
* It caused problems after a core update a few months back due to a faulty
assumption. As the plugin is unmaintained, and parts get packaged in dependent
plugins (i.e. fixing ruby-runtime isn't enough), we had to revert part of the
core change, or accept that ruby-runtime based plugins remain broken until they
all _individually_ get updated.
https://jenkins.io/changelog/#v2.92
https://issues.jenkins-ci.org/browse/JENKINS-48116
https://github.com/jenkinsci/jenkins/pull/3154
https://issues.jenkins-ci.org/browse/JENKINS-48116?focusedCommentId=320469&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-320469
* It required extensive whitelisting in core to achieve JEP-200 compatibility
due to the JRuby glue.
https://github.com/jenkinsci/jenkins/blob/91e1cf2d3e0fa1c4766c62f2db54cd3a28cd9d32/core/src/main/resources/jenkins/security/whitelisted-classes.txt#L171...L197
ruby-runtime is used by 22 other plugins as a dependency. Most of them appear
to not be actively maintained, not having received a new release in several
years. Only three were released in the past two years and/or have more than
1000 installs.
https://plugins.jenkins.io/buddycloud was last released Jun 05, 2014 (1 install)
https://plugins.jenkins.io/capitomcat was last released Feb 17, 2015 (980
installs)
https://plugins.jenkins.io/chef was last released Aug 29, 2015 (451 installs)
https://plugins.jenkins.io/ci-skip was last released Dec 23, 2013 (406 installs)
https://plugins.jenkins.io/commit-message-trigger-plugin was last released Sep
30, 2014 (272 installs)
https://plugins.jenkins.io/cucumber was last released Mar 13, 2013 (493
installs)
https://plugins.jenkins.io/devstack was last released Sep 17, 2012 (18 installs)
https://plugins.jenkins.io/git-notes was last released Apr 23, 2012 (692
installs)
https://plugins.jenkins.io/gitlab-hook was last released Apr 17, 2016 (9667
installs)
https://plugins.jenkins.io/ikachan was last released Jun 04, 2012 (12 installs)
https://plugins.jenkins.io/jenkinspider was last released Jun 19, 2015 (12
installs)
https://plugins.jenkins.io/mysql-job-databases was last released Sep 20, 2014
(233 installs)
https://plugins.jenkins.io/pathignore was last released Nov 18, 2011 (331
installs)
https://plugins.jenkins.io/perl was last released Mar 07, 2013 (178 installs)
https://plugins.jenkins.io/perl-smoke-test was last released Sep 26, 2014 (30
installs)
https://plugins.jenkins.io/pry was last released May 31, 2012 (80 installs)
https://plugins.jenkins.io/pyenv was last released Aug 06, 2014 (903 installs)
https://plugins.jenkins.io/rbenv was last released Apr 18, 2016 (983 installs)
https://plugins.jenkins.io/rvm was last released Aug 10, 2016 (2261 installs)
https://plugins.jenkins.io/singleuseslave was last released May 07, 2015 (131
installs)
https://plugins.jenkins.io/travis-yml was last released Nov 13, 2016 (434
installs)
https://plugins.jenkins.io/yammer was last released Jul 19, 2013 (129 installs)
By far the most popular plugin based on ruby-runtime is gitlab-hook at just
under 10k installs. It is part of last week's security advisory, as its
maintainer published a fix for a (fairly minor, but still) security
vulnerability two years ago, but never actually released it, or informed the
security team that he worked on it in public, so can be considered not actively
maintained.
https://jenkins.io/security/advisory/2018-05-09/#SECURITY-263
https://github.com/jenkinsci/gitlab-hook-plugin/commit/8e127c3ee8fb164acbf9f73530215f788b531033
I don't think any of the above problems are inherently unrecoverable, but
unless somebody is ready to take ownership of ruby-runtime, and fixes its
problems, my proposal is to remove ruby-runtime from distribution, and announce
its deprecation. Distribution of dependent plugins would necessarily be
suspended as well, until reimplemented in Java, similar to other plugins with
unsatisfiable dependencies.
Generally there's no reason for something to be removed from distribution just
because it doesn't work well. But ruby-runtime has caused quite some work for
core maintainers, as the above references show, and wasted time better spent
elsewhere. I think it's only a matter of time until things break in ways not
easily recoverable, and the longer we wait, the more painful it will be.
WDYT?
Daniel