Re: Impact of BOM on plugin versions
Ok, thanks for the clarification. And I assumed it based on all the Maven knowledge you have. ;) On Wed, Aug 28, 2019 at 10:43 AM Jesse Glick wrote: > > On Wed, Aug 28, 2019 at 11:15 AM Matt Sicker wrote: > > I thought you were already on the Maven PMC. > > Perhaps you were thinking of Stephen. > > > are you suggesting that I shouldn't use the bom in credentials? > > No, I was just linking to an IT demonstrating that—so far as I can > tell—it is safe to consume an older release of a BOM in a component > which is then in turn included in a newer release of the same BOM. > > -- > You received this message because you are subscribed to the Google Groups > "Jenkins Developers" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to jenkinsci-dev+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/jenkinsci-dev/CANfRfr3aPg%2BF6-Zd2K%2BpcqSFcQTNA8uh2a%3D4jTfYv-MwMY_TRA%40mail.gmail.com. -- Matt Sicker Senior Software Engineer, CloudBees -- You received this message because you are subscribed to the Google Groups "Jenkins Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-dev+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAEot4oy%3DvCGBN71xcqLsWGOmM9K5OSD07SLMCFP8%3DDM%3D8_%3DQXg%40mail.gmail.com.
Re: Impact of BOM on plugin versions
On Wed, Aug 28, 2019 at 11:15 AM Matt Sicker wrote: > I thought you were already on the Maven PMC. Perhaps you were thinking of Stephen. > are you suggesting that I shouldn't use the bom in credentials? No, I was just linking to an IT demonstrating that—so far as I can tell—it is safe to consume an older release of a BOM in a component which is then in turn included in a newer release of the same BOM. -- You received this message because you are subscribed to the Google Groups "Jenkins Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-dev+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CANfRfr3aPg%2BF6-Zd2K%2BpcqSFcQTNA8uh2a%3D4jTfYv-MwMY_TRA%40mail.gmail.com.
Re: Impact of BOM on plugin versions
And here I thought you were already on the Maven PMC. Perhaps you could try reminding them on the dev lists? Also, are you suggesting that I shouldn't use the bom in credentials? Or is that issue resolved? On Tue, Aug 27, 2019 at 11:07 AM Jesse Glick wrote: > > On Tue, Aug 27, 2019 at 11:09 AM Matt Sicker wrote: > > I've made two new releases for credentials since then (2.2.1 and > > 2.3.0, the latter of which was released just yesterday). > > …which may have broken something, by the way: > > https://github.com/jenkinsci/bom/pull/77 > > > it's somewhat amusing > > that it imports a dependencyManagement for itself, though it doesn't > > appear to adversely affect the build at all. > > Still waiting for > > https://github.com/apache/maven-integration-testing/pull/25 > > :-( > > -- > You received this message because you are subscribed to the Google Groups > "Jenkins Developers" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to jenkinsci-dev+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/jenkinsci-dev/CANfRfr1cDFNCj0GhfWdAJK3TXTTZRvyvmnZW7FX%3DBoR4GwEBTg%40mail.gmail.com. -- Matt Sicker Senior Software Engineer, CloudBees -- You received this message because you are subscribed to the Google Groups "Jenkins Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-dev+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAEot4owwc5ToDkiuZY7rJ1ZOYNh5Uuz%3D%3DE0c1setTpb2KQcrsg%40mail.gmail.com.
Re: Impact of BOM on plugin versions
On Tue, Aug 27, 2019 at 11:09 AM Matt Sicker wrote: > I've made two new releases for credentials since then (2.2.1 and > 2.3.0, the latter of which was released just yesterday). …which may have broken something, by the way: https://github.com/jenkinsci/bom/pull/77 > it's somewhat amusing > that it imports a dependencyManagement for itself, though it doesn't > appear to adversely affect the build at all. Still waiting for https://github.com/apache/maven-integration-testing/pull/25 :-( -- You received this message because you are subscribed to the Google Groups "Jenkins Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-dev+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CANfRfr1cDFNCj0GhfWdAJK3TXTTZRvyvmnZW7FX%3DBoR4GwEBTg%40mail.gmail.com.
Re: Impact of BOM on plugin versions
I've made two new releases for credentials since then (2.2.1 and 2.3.0, the latter of which was released just yesterday). Also, I started using that bom in credentials-plugin, so it's somewhat amusing that it imports a dependencyManagement for itself, though it doesn't appear to adversely affect the build at all. On Mon, Aug 26, 2019 at 4:11 PM Jesse Glick wrote: > > On Mon, Aug 26, 2019 at 4:46 PM Mark Waite wrote: > > I've generally preferred to keep the dependency at oldest version I can > > reasonably trust. > > Well, the BOM is designed to give you the newest version compatible > with your LTS line. > > > I believe in this case that the credentials plugin 2.2.0 is the required > > dependency from the BOM because it is the version which includes the most > > recent security fix for the credentials plugin. > > No, it is just the latest available version according to Dependabot. > > > Am I correct [that using the BOM] means [users] will generally have newer > > dependencies than they did in the past? > > Yes. > > Now as to whether you _want_ to publish new releases of one plugin > that depend only on old releases of another plugin, this is certainly > a matter of judgment. You would be offering a special benefit to the > user that spends an hour looking over the *Updates* tab, poring > through release notes, and hand-picking certain updates according to > features or fixes they think they want. But your plugin’s tests will > only be verifying compatibility with a rather old snapshot of the > Jenkins ecosystem, and you will likely even be writing new code which > calls APIs that were deprecated years ago. > > The assumption behind the BOM is that most people just accept all > updates most of the time, and if something breaks they will just roll > everything back, or tolerate it until a fix is released; plugin > maintainers should “fixing forward”. (Jenkins core is somewhat > artificially given a special position in this view, as something that > is cumbersome and particularly risky to update.) > > -- > You received this message because you are subscribed to the Google Groups > "Jenkins Developers" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to jenkinsci-dev+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/jenkinsci-dev/CANfRfr2FysL-2e6PPtkdHHYXFEJkFhhcstK1BV3eu-WWLT%3Dopw%40mail.gmail.com. -- Matt Sicker Senior Software Engineer, CloudBees -- You received this message because you are subscribed to the Google Groups "Jenkins Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-dev+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAEot4oxccC6CrehBM%2BFjgXyXTUM2x%2BNgV9pUzr284RBzMdPcHw%40mail.gmail.com.
Re: Impact of BOM on plugin versions
On Mon, Aug 26, 2019 at 4:46 PM Mark Waite wrote: > I've generally preferred to keep the dependency at oldest version I can > reasonably trust. Well, the BOM is designed to give you the newest version compatible with your LTS line. > I believe in this case that the credentials plugin 2.2.0 is the required > dependency from the BOM because it is the version which includes the most > recent security fix for the credentials plugin. No, it is just the latest available version according to Dependabot. > Am I correct [that using the BOM] means [users] will generally have newer > dependencies than they did in the past? Yes. Now as to whether you _want_ to publish new releases of one plugin that depend only on old releases of another plugin, this is certainly a matter of judgment. You would be offering a special benefit to the user that spends an hour looking over the *Updates* tab, poring through release notes, and hand-picking certain updates according to features or fixes they think they want. But your plugin’s tests will only be verifying compatibility with a rather old snapshot of the Jenkins ecosystem, and you will likely even be writing new code which calls APIs that were deprecated years ago. The assumption behind the BOM is that most people just accept all updates most of the time, and if something breaks they will just roll everything back, or tolerate it until a fix is released; plugin maintainers should “fixing forward”. (Jenkins core is somewhat artificially given a special position in this view, as something that is cumbersome and particularly risky to update.) -- You received this message because you are subscribed to the Google Groups "Jenkins Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-dev+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CANfRfr2FysL-2e6PPtkdHHYXFEJkFhhcstK1BV3eu-WWLT%3Dopw%40mail.gmail.com.
