I love deleting deprecated code, so big +1 from me. I especially like
the emphasis on always using an encrypted+authenticated connection for
remoting to ensure that users will have a properly secure experience
out of the box.

On Sat, Jan 11, 2020 at 2:27 PM Oleg Nenashev <o.v.nenas...@gmail.com> wrote:
>
> Thanks a lot to Jeff for this update and for the hard work he is doing to 
> maintain Jenkins Remoting! Even in 2020 it remains one of the most critical 
> parts of the Jenkins ecosystem, and it is essential to the project to keep 
> the component up to date. And to keep it secure, of course.
>
> Just to provide some context here, the removal of these protocols was 
> discussed in the user mailing list (here).
> Although it is not the best channel for such discussions, I believe the 
> removal is well justified.
>
> * JNLP1..3 protocols were announced as deprecated more than 2 years ago (Aug 
>   2017, announcement blogpost)
> * Although we recommend disabling the protocols && disable them by default on 
>   new instances, we still see some instances using the old protocols as a 
>   fallback when Jenkins is misconfigured
> * JNLP1 and JNLP2 are not encrypted, which allows various kinds of channel 
>   sniffing attacks on instances which do not disable protocols (protocol 
>   downgrade from encrypted JNLP4 to unencrypted JNLP2)
> * JNLP3 is just unstable, JNLP1/2 have known stability issues. They have not 
>   been supported since the deprecation announcement, except a number of bugfixes
> * With the WebSocket support in JEP-222, there will be more protocols to 
>   maintain. Getting rid of deprecated and unstable protocols reduces the 
>   maintenance overhead
>
> There are some consequences to keep in mind:
>
> * Remoting 3.40 no longer supports Jenkins versions before 2.32, and for 
>   2.32 special flags need to be set (JNLP4 protocol was in Beta)
> * New versions of jenkins/slave and jenkins/jnlp-slave Docker images will 
>   not support old Jenkins versions either (we should finally rename these 
>   images...)
> * The change formally breaks the binary compatibility in the core, though we 
>   are not aware of any real use-case when it gets impacted. Wrappers like 
>   ruby-runtime and jenkins.py are usual suspects, but I am not sure they are 
>   operational in any case for recent versions
>
> Best regards,
> Oleg Nenashev
> // also a former Remoting maintainer
>
>
>
> On Friday, January 10, 2020 at 7:33:33 PM UTC+1, Jeff Thompson wrote:
>>
>> Hi,
>>
>> For historical reasons, Jenkins has still shipped with old, deprecated 
>> protocols, JNLP1-connect, JNLP2-connect, and JNLP3-connect. These are also 
>> known currently as Inbound TCP Agent Protocol/1, Inbound TCP Agent 
>> Protocol/2, and Inbound TCP Agent Protocol/3. These all have fundamental 
>> issues and known bugs. They were all superseded by the JNLP4-connect 
>> protocol released in Jenkins 2.27 over three years ago (October 2016). They 
>> have all been deprecated and unsupported since Jenkins 2.75 over two years 
>> ago. Since then there have been UI messages and an administrative monitor 
>> strongly discouraging their use. (See more information about the protocols 
>> at https://github.com/jenkinsci/remoting/blob/master/docs/protocols.md )
>>
>> We have been discussing plans to remove these old protocols in various 
>> places, including the Users list and a couple of PRs. This removal is in 
>> process with major steps occurring now.
>>
>> * These protocols were removed from Remoting 3.40, released two weeks ago.
>> * On the Jenkins master side, the changes were integrated towards Jenkins 
>>   2.214 weekly. ETA is next Monday. The next LTS baseline is expected to have 
>>   the protocols removed as well.
>> * Jenkins docker agent image updates are in process. ETA is next Monday.
>> * Swarm Plugin Client is updated, but we need a release.
>>
>> Jeff
>
> --
> You received this message because you are subscribed to the Google Groups 
> "Jenkins Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to jenkinsci-dev+unsubscr...@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/jenkinsci-dev/0a4ec6f4-78f1-4db7-b6b4-da225373874a%40googlegroups.com.



-- 
Matt Sicker
Senior Software Engineer, CloudBees
