Re: Using JDK 11 instead of JDK 8 in default docker images

2021-08-03 Thread Mark Waite 
I've submitted the Jenkins Enhancement Proposal that proposes to switch 
from JDK 8 to JDK 11 for the Jenkins 2.302.1 LTS release on Aug 25, 2021.

Pull request is https://github.com/jenkinsci/jep/pull/374/files

File content view is:

https://github.com/jenkinsci/jep/blob/401af5fa324867d30fac61dce91418fdc4a3caa5/jep//README.adoc
 
is the 

On Friday, July 2, 2021 at 7:51:22 AM UTC-6 Mark Waite wrote:

> I believe that the plan from the Contributor Summit aligns with Oleg's 
> vote that he cast in advance.  The Platform SIG will meet today and has 
> Java 11 on the agenda for further discussion.
>
> Contributor summit notes are recorded in a Google Doc 
> .
>   
> The YouTube video  of the session is also 
> available.
>
> My summary of the proposed plan from the Contributor Summit is:
>
> Weekly release
>
>- Jenkins Docker controller images for weekly releases switch to Java 
>11 4-6 weeks before the September LTS release.  That includes 
>jenkins/jenkins:latest, jenkins/jenkins:alpine, jenkins/jenkins:centos7, 
>and more.
>- Jenkins Docker controller images for weekly releases add a Java 8 
>tag 4-6 weeks before the September LTS release as an escape hatch for 
> users 
>that require Java 8.  That would be jenkins/jenkins:latest-jdk8, 
>jenkins/jenkins:alpine-jdk8, and jenkins/jenkins:centos7-jdk8
>
> LTS release
>
>- Jenkins Docker controller images for LTS releases switch to Java 11 
>with the September LTS release.  That includes jenkins/jenkins:lts, 
>jenkins/jenkins:lts-alpine, jenkins/jenkins:centos7, and more
>- Jenkins Docker controller images for LTS releases add a Java 8 tag 
>with the September LTS release   as an escape hatch for users that require 
>Java 8.  That would be jenkins/jenkins:lts-jdk8, 
>jenkins/jenkins:lts-alpine-jdk8, and jenkins/jenkins:lts-centos7-jdk8
>
> A blog post will be provided for the weekly change and an additional blog 
> post and an upgrade guide entry will be provided for the LTS change.
>
> A JEP will be submitted that details the proposed transition plan so that 
> we can review the transition plan in greater detail.
>
> We'll discuss further and in more detail in the Platform SIG meeting later 
> today.
>
> Mark Waite
>
> On Monday, June 28, 2021 at 9:51:42 PM UTC-6 Oleg Nenashev wrote:
>
>> Hi all,
>>
>> Looking forward to see the discussion from the contributor summit 
>> summarized here. Sadly I missed it due to having another session, but I've 
>> heard it was a great discussion that resulted in a proposal. Thanks to Mike 
>> Cirioli and Mark Waite for driving this topic at the summit, and thanks to 
>> all contributors. Just posting the links shared by Mike and Runxia in the 
>> Google Doc:
>>
>>
>>- Slides: 
>>
>> https://docs.google.com/presentation/d/1i1gkUQ0Ha-CRgFvRRpRWUDjbpPr383D0DSywLGAFN-Y/edit?usp=sharing
>>- Meeting notes: 
>>
>> https://docs.google.com/document/d/1BwllcgX3rmsvwRKIFkmE24g7zHGo8kufcimL0BnWaWE/edit?usp=sharing
>>
>> I might be unavailable when the decision making happens, so I would like 
>> to cast my votes in advance. Note that I have not fully went through the 
>> notes, and might be misaligned. I am happy to support whatever decision 
>> made by the community. My votes are:
>>
>>- +1 for making Java 11 a default in all Jenkins distributions 
>>starting from September LTS. It applies to Jenkins controller and agent 
>>Docker images. It also applies to Helm chart, Jenkins Operator and 
>> whatever 
>>other packaging that happens to include Java. Jenkinsfile Runner already 
>>ships Java 11 by default FTR.
>>- +1 for allowing Java 11 only plugins starting from the September 
>>LTS. We have tooling embedded into the Jenkins core and Jenkins update 
>>centers starting from LTS releases in 2018 (2.164.x IIRC), so all modern 
>>Jenkins versions will be able to properly notify users in the UI Plugin 
>>manager. https://github.com/jenkinsci/plugin-pom/pull/133 should be 
>>finalized to make it possible in the tooling
>>- Dropping Java 8 support
>>   - -1 for dropping Java 8 support in the September LTS
>>   - +0.5 for officially announcing it as deprecated. Needs more 
>>   planning and definition what deprecation actually means
>>   - +1 for declaring an intent to drop support for Java 8 in the 
>>   coming years
>>- Java 17 support:
>>   - +1 for any coordinated efforts on this front, and thanks to all 
>>   contributors. I will be exploring Java 17 in the coming months, but I 
>> might 
>>   be unable to contribute.
>>   - +1 for library updates and non-severe breaking changes if they 
>>   are needed to support Java 17
>>
>> Best regards,
>> Oleg
>>
>>
>>
>>
>> On Friday, June 25, 2021 at 12:36:16 AM UTC+2 m...@basilcrow.com wrote:
>>

Re: KeyStoreExceptions (unrecognised algorithm) occurring on ci.jenkins.io

2021-08-03 Thread Mark Waite 
Thanks!

The OpenJDK release was about a week ago.  I've been running 11.0.12 and
some 8u302 for about a week and have not detected any issues.

I see that AdoptOpenJDK has been released for Linux amd64, Windows amd64,
and macOS.  No 8u302 or 11.0.12 for Arm64, ppc64, or s390x yet.

The AdoptOopenJDK Docker images that we use as our Docker image base have
not been updated yet.  I assume that will happen over the course of the
next week or two.

Mark Waite

On Tue, Aug 3, 2021 at 5:10 AM Chris Kilding 
wrote:

> It looks like JDK 8u302 was released in upstream OpenJDK on 20th July.
> I've opened an issue about this at the place where I *think* the JDK
> version is set for ci.jenkins.io:
> https://github.com/jenkins-infra/packer-images/issues/77
>
> Chris
>
> On Tue, 15 Jun 2021, at 3:10 PM, Chris Kilding wrote:
>
> Hi Mark,
>
> Thanks for confirming :) I'll wait on that next OpenJDK release then.
>
> Chris
>
> On Tue, 15 Jun 2021, at 10:40 AM, Mark Waite wrote:
>
> The JDK version used for builds on ci.jenkins.io was updated recently
> from JDK 8u242 to JDK 8u292.  The  PBEWithSHA1AndDESede algorithm has been
> removed from JDK 8u292   Based on
> https://bugs.openjdk.java.net/browse/JDK-8266261 it appears the removal
> was inadvertent and the algorithm will be added to the next Open
> JDK release, 8u302.
>
> On Tue, Jun 15, 2021 at 3:36 AM Chris Kilding <
> chris+jenk...@chriskilding.com> wrote:
>
> Hi,
>
> Recently I have seen the following error on ci.jenkins.io when building
> plugins that use cryptography features:
>
> java.security.KeyStoreException: Key protection  algorithm not found:
> java.security.UnrecoverableKeyException: Encrypt Private Key failed:
> unrecognized algorithm name: PBEWithSHA1AndDESede
>
> The errors are temperamental and don't always show up. They also don't
> consistently occur with any particular JDK version.
>
> Has something maybe changed about the JDK crypto features that are
> installed on the ci.jenkins.io build agents? I could make sense of this
> if, say, SHA1-based algorithms have recently been removed entirely from the
> JDK.
>
> Chris
>
> --
> You received this message because you are subscribed to the Google Groups
> "Jenkins Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to jenkinsci-dev+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/jenkinsci-dev/6fbb6c63-7ef5-4c3e-828e-93446647bb17%40www.fastmail.com
> .
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "Jenkins Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to jenkinsci-dev+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/jenkinsci-dev/CAO49JtFOsRJGgr-Cc84Rgcr8d4WRM72iqh2EH91pu0w-KeM7jQ%40mail.gmail.com
> 
> .
>
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "Jenkins Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to jenkinsci-dev+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/jenkinsci-dev/4460abbc-652c-4609-85ac-2194ad7d280c%40www.fastmail.com
> 
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAO49JtH8TD06Eyws3msXF3hP%2BakaNGJ8dmBwiU8RYa6CK0aVDw%40mail.gmail.com.

Re: KeyStoreExceptions (unrecognised algorithm) occurring on ci.jenkins.io

2021-08-03 Thread Tim Jacomb 
I was looking at this yesterday in context of the docker images but they
don’t appear to be published yet. Although I did find the binaries, they’ve
moved to the adoptium project now

On Tue, 3 Aug 2021 at 12:10, Chris Kilding 
wrote:

> It looks like JDK 8u302 was released in upstream OpenJDK on 20th July.
> I've opened an issue about this at the place where I *think* the JDK
> version is set for ci.jenkins.io:
> https://github.com/jenkins-infra/packer-images/issues/77
>
> Chris
>
> On Tue, 15 Jun 2021, at 3:10 PM, Chris Kilding wrote:
>
> Hi Mark,
>
> Thanks for confirming :) I'll wait on that next OpenJDK release then.
>
> Chris
>
> On Tue, 15 Jun 2021, at 10:40 AM, Mark Waite wrote:
>
> The JDK version used for builds on ci.jenkins.io was updated recently
> from JDK 8u242 to JDK 8u292.  The  PBEWithSHA1AndDESede algorithm has been
> removed from JDK 8u292   Based on
> https://bugs.openjdk.java.net/browse/JDK-8266261 it appears the removal
> was inadvertent and the algorithm will be added to the next Open
> JDK release, 8u302.
>
> On Tue, Jun 15, 2021 at 3:36 AM Chris Kilding <
> chris+jenk...@chriskilding.com> wrote:
>
> Hi,
>
> Recently I have seen the following error on ci.jenkins.io when building
> plugins that use cryptography features:
>
> java.security.KeyStoreException: Key protection  algorithm not found:
> java.security.UnrecoverableKeyException: Encrypt Private Key failed:
> unrecognized algorithm name: PBEWithSHA1AndDESede
>
> The errors are temperamental and don't always show up. They also don't
> consistently occur with any particular JDK version.
>
> Has something maybe changed about the JDK crypto features that are
> installed on the ci.jenkins.io build agents? I could make sense of this
> if, say, SHA1-based algorithms have recently been removed entirely from the
> JDK.
>
> Chris
>
> --
> You received this message because you are subscribed to the Google Groups
> "Jenkins Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to jenkinsci-dev+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/jenkinsci-dev/6fbb6c63-7ef5-4c3e-828e-93446647bb17%40www.fastmail.com
> .
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "Jenkins Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to jenkinsci-dev+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/jenkinsci-dev/CAO49JtFOsRJGgr-Cc84Rgcr8d4WRM72iqh2EH91pu0w-KeM7jQ%40mail.gmail.com
> 
> .
>
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "Jenkins Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to jenkinsci-dev+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/jenkinsci-dev/4460abbc-652c-4609-85ac-2194ad7d280c%40www.fastmail.com
> 
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAH-3BidOYGYohF7V34RiQ-kYoPtH4W_Rtn1iv%3DJdOZE3BOBPeQ%40mail.gmail.com.

Re: KeyStoreExceptions (unrecognised algorithm) occurring on ci.jenkins.io

2021-08-03 Thread Chris Kilding 
It looks like JDK 8u302 was released in upstream OpenJDK on 20th July. I've 
opened an issue about this at the place where I *think* the JDK version is set 
for ci.jenkins.io: https://github.com/jenkins-infra/packer-images/issues/77

Chris

On Tue, 15 Jun 2021, at 3:10 PM, Chris Kilding wrote:
> Hi Mark,
> 
> Thanks for confirming :) I'll wait on that next OpenJDK release then.
> 
> Chris
> 
> On Tue, 15 Jun 2021, at 10:40 AM, Mark Waite wrote:
>> The JDK version used for builds on ci.jenkins.io was updated recently from 
>> JDK 8u242 to JDK 8u292.  The  PBEWithSHA1AndDESede algorithm has been 
>> removed from JDK 8u292   Based on 
>> https://bugs.openjdk.java.net/browse/JDK-8266261 it appears the removal was 
>> inadvertent and the algorithm will be added to the next Open JDK release, 
>> 8u302.
>> 
>> On Tue, Jun 15, 2021 at 3:36 AM Chris Kilding 
>> mailto:chris%2bjenk...@chriskilding.com>> 
>> wrote:
>>> Hi,
>>> 
>>> Recently I have seen the following error on ci.jenkins.io when building 
>>> plugins that use cryptography features:
>>> 
>>> java.security.KeyStoreException: Key protection  algorithm not found: 
>>> java.security.UnrecoverableKeyException: Encrypt Private Key failed: 
>>> unrecognized algorithm name: PBEWithSHA1AndDESede
>>> 
>>> The errors are temperamental and don't always show up. They also don't 
>>> consistently occur with any particular JDK version.
>>> 
>>> Has something maybe changed about the JDK crypto features that are 
>>> installed on the ci.jenkins.io build agents? I could make sense of this if, 
>>> say, SHA1-based algorithms have recently been removed entirely from the JDK.
>>> 
>>> Chris
>>> 
>>> -- 
>>> You received this message because you are subscribed to the Google Groups 
>>> "Jenkins Developers" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an 
>>> email to jenkinsci-dev+unsubscr...@googlegroups.com 
>>> .
>>> To view this discussion on the web visit 
>>> https://groups.google.com/d/msgid/jenkinsci-dev/6fbb6c63-7ef5-4c3e-828e-93446647bb17%40www.fastmail.com.
>> 
>> 
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "Jenkins Developers" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to jenkinsci-dev+unsubscr...@googlegroups.com.
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/jenkinsci-dev/CAO49JtFOsRJGgr-Cc84Rgcr8d4WRM72iqh2EH91pu0w-KeM7jQ%40mail.gmail.com
>>  
>> .
> 

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/4460abbc-652c-4609-85ac-2194ad7d280c%40www.fastmail.com.

Re: Choosing Jenkins September LTS release baseline

2021-08-03 Thread Tim Jacomb 
Hello

This is sorted now, thanks for the report Bea

On Tue, 3 Aug 2021 at 08:21, Beatriz Munoz  wrote:

> Morning!
>
> I created https://github.com/bmunozm/jenkins/tree/towards-2.302
>  but I
> cannot push it to https://github.com/jenkinsci/jenkins. I need someone
> with rights that replace
> https://github.com/jenkinsci/jenkins/tree/stable-2.302 by
> https://github.com/bmunozm/jenkins/tree/towards-2.302 using the name
> `stable-2.302` for the branch
>
> Thank you so much in advance.
>
> El 2 ago 2021, a las 12:50, Daniel Beck  escribió:
>
>
>
> On Mon, Aug 2, 2021 at 12:35 PM Beatriz Munoz 
> wrote:
>
>> Hi all
>>
>> Looking into next LTS I released something is really strange in branch
>> `stable-2.302`. If you compare the branch and the tag `jenkins-2.302` there
>> are more than 240 files with changes. As the backports are not done yet, I
>> guess the difference should me minimal.
>>
>> https://github.com/jenkinsci/jenkins/compare/jenkins-2.302..stable-2.302
>>
>
> Looking at https://github.com/jenkinsci/jenkins/commits/stable-2.302 it
> seems the branch is based on a weekly intermediate state around 2.298/2.299
> (~June 21) + some stuff related to PR#5583, rather than 2.302. The branch
> should be deleted and recreated. Besides being the wrong baseline, security
> fixes from 2.300 would be missing as well.
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "Jenkins Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to jenkinsci-dev+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7Pt%2BLx0OREhYS5%2BLB7mueyKRN5MDqiZuHFTBZ5ESd7cMgGQ%40mail.gmail.com
> 
> .
>
>
> Beatriz Muñoz Manso
> Sr Software Engineer
> CloudBees, Inc.
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "Jenkins Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to jenkinsci-dev+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/jenkinsci-dev/5A41AE32-6F20-4C81-A7F1-59AF89548DA6%40cloudbees.com
> 
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAH-3Bid9%3DMKNmpH9yX4qA%3DqxxBYiOJgJy_NDimnwPjUCcD6OuQ%40mail.gmail.com.

Re: Choosing Jenkins September LTS release baseline

2021-08-03 Thread Beatriz Munoz 
Morning!

I created https://github.com/bmunozm/jenkins/tree/towards-2.302 
 but I cannot 
push it to https://github.com/jenkinsci/jenkins 
. I need someone with rights that replace 
https://github.com/jenkinsci/jenkins/tree/stable-2.302 
 by 
https://github.com/bmunozm/jenkins/tree/towards-2.302 
 using the name 
`stable-2.302` for the branch

Thank you so much in advance.

> El 2 ago 2021, a las 12:50, Daniel Beck  escribió:
> 
> 
> 
> On Mon, Aug 2, 2021 at 12:35 PM Beatriz Munoz  > wrote:
> Hi all
> 
> Looking into next LTS I released something is really strange in branch 
> `stable-2.302`. If you compare the branch and the tag `jenkins-2.302` there 
> are more than 240 files with changes. As the backports are not done yet, I 
> guess the difference should me minimal.
> 
> https://github.com/jenkinsci/jenkins/compare/jenkins-2.302..stable-2.302 
> 
> 
> Looking at https://github.com/jenkinsci/jenkins/commits/stable-2.302 
>  it seems the 
> branch is based on a weekly intermediate state around 2.298/2.299 (~June 21) 
> + some stuff related to PR#5583, rather than 2.302. The branch should be 
> deleted and recreated. Besides being the wrong baseline, security fixes from 
> 2.300 would be missing as well.
> 
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Jenkins Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to jenkinsci-dev+unsubscr...@googlegroups.com 
> .
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7Pt%2BLx0OREhYS5%2BLB7mueyKRN5MDqiZuHFTBZ5ESd7cMgGQ%40mail.gmail.com
>  
> .

Beatriz Muñoz Manso
Sr Software Engineer 
CloudBees, Inc.



-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/5A41AE32-6F20-4C81-A7F1-59AF89548DA6%40cloudbees.com.