We should definitely update the library and detach it, sooner rather than later. Otherwise the next CVE in Apache Mina may make our life very fun. Since we had a new LTS cutoff recently, it is good timing for such a change.
Some notes about Apache Mina update to 2.x:

- There are multiple plugins using Apache Mina code: https://github.com/search?l=Java&q=org%3Ajenkinsci+%22org.apache.sshd%22&type=Code . Examples: Git Server, SSH Credentials, Gerrit Trigger, Remote Terminal Access, SSH CLI. Since the update is a potentially breaking change, it would be great to verify these plugins before the changes land.
- There is at least one proprietary plugin depending on Mina SSH code.

I definitely support a two-stage update when the first plugin version uses old Apache Mina.

Best regards,
Oleg

On Friday, February 12, 2021 at 1:06:00 PM UTC+1 [email protected] wrote:

> Hi,
>
> I have a bunch of PRs ready to move forward for a few months, these PRs
> are to convert the SSHD Module to a plugin and after that bump the Apache
> Mina sshd library.
> We are using a really old Apache Mina sshd that is a security risk, and
> moving the SSHD module outside of the core could help to have simpler Jenkins
> instances without services you do not need/want.
> Thus I would like to make progress and close stuff to start new things
> related to that in the SSH Build Agents plugin. How can we manage this?
>
> https://github.com/jenkinsci/sshd-module/pull/38
> https://github.com/jenkinsci/jenkins/pull/5049
> https://github.com/jenkinsci/sshd-module/pull/40
>
> Update the Apache Mina sshd library
> https://github.com/jenkinsci/sshd-module/pull/37
>
> --
> BR
> Iván Fernández Calvo
