Re: JEP-227 & JEP-228: request for assistance

2020-11-06 Thread Matt Sicker
Paying down technical debt is always cause for celebration. Kudos!

On Fri, Nov 6, 2020 at 3:51 PM Basil Crow wrote:
>
> On Fri, Nov 6, 2020 at 1:38 PM Jesse Glick wrote:
> >
> > Merged toward 2.266.
>
> Nice work on some long-needed changes. As a community member I would
> like to thank your employer for funding this work and to thank you for
> implementing it.



-- 
Matt Sicker
Senior Software Engineer, CloudBees

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAEot4ox2YQQx6Az0EpYP7jnW7F6nbpCU9CuzJMv7oEfXQ8EXeQ%40mail.gmail.com.


Re: JEP-227 & JEP-228: request for assistance

2020-11-06 Thread Basil Crow
On Fri, Nov 6, 2020 at 1:38 PM Jesse Glick wrote:
>
> Merged toward 2.266.

Nice work on some long-needed changes. As a community member I would
like to thank your employer for funding this work and to thank you for
implementing it.



Re: JEP-227 & JEP-228: request for assistance

2020-11-06 Thread Jesse Glick
Merged toward 2.266. Remember to use `jep-227` or `jep-228` labels,
respectively, for any Jira issues you report related to these, and CC
jglick to be sure.



Re: JEP-227 & JEP-228: request for assistance

2020-11-06 Thread Jesse Glick
Moving towards merging these two. If you intended to add a review, or
have reservations, please scream now!



Re: JEP-227 & JEP-228: request for assistance

2020-10-26 Thread Oleg Nenashev
Thanks for the clarification! If there is no demand to get it released
tomorrow, we are on the same page. Let's try to facilitate
reviews, especially from the security team. Unfortunately I cannot commit
my own time. Due to my current work assignments and personal commitments, I
will have no time for reviewing big changes in the upcoming months.


> And there is a jQuery change coming?

Yes, but not in 2.264. As requested by Felix, it is on hold until 2.266/267
https://github.com/jenkinsci/jenkins/pull/4929#issuecomment-715904763



On Mon, Oct 26, 2020 at 8:59 PM Jesse Glick wrote:

> On Mon, Oct 26, 2020 at 3:52 PM Oleg Nenashev wrote:
> > I would vote for getting more reviews from the Jenkins Security Team
> members before it gets merged.
>
> Oh agreed!
>
> > I am -0.5 regarding expediting this pull request.
>
> Neither needs to be expedited indeed. I would just not want to be
> waiting weeks here (unless of course a concrete problem comes up that
> forces more work).
>
> > XStream also includes a security risk due to class deserialization.
>
> Yes this aspect needs to be considered during review. (Existing tests
> in that area pass, and the change _should_ not be modifying JEP-200
> behavior.)
>
> > We are already upgrading Winstone and changing tabs to divs in 2.264
>
> And there is a jQuery change coming? (#4929)


Re: JEP-227 & JEP-228: request for assistance

2020-10-26 Thread Jesse Glick
On Mon, Oct 26, 2020 at 3:52 PM Oleg Nenashev wrote:
> I would vote for getting more reviews from the Jenkins Security Team members 
> before it gets merged.

Oh agreed!

> I am -0.5 regarding expediting this pull request.

Neither needs to be expedited indeed. I would just not want to be
waiting weeks here (unless of course a concrete problem comes up that
forces more work).

> XStream also includes a security risk due to class deserialization.

Yes this aspect needs to be considered during review. (Existing tests
in that area pass, and the change _should_ not be modifying JEP-200
behavior.)

> We are already upgrading Winstone and changing tabs to divs in 2.264

And there is a jQuery change coming? (#4929)



Re: JEP-227 & JEP-228: request for assistance

2020-10-26 Thread Oleg Nenashev
Hi Jesse,

First of all, thanks for working on these changes! Cleanup of the 
dependencies is very important, and these changes help to reduce the 
technical debt in the project.

For https://github.com/jenkinsci/jenkins/pull/4848, the pull request has 
only one approval so far, so it cannot be merged according to the current 
process, which requires at least 2 approvals for substantial pull 
requests. Given the nature of the change, I would vote for getting more 
reviews from the Jenkins Security Team members before it gets merged. I am 
-0.5 regarding expediting this pull request.

For https://github.com/jenkinsci/jenkins/pull/4944, this pull request is 
not ready for merge. There are no changelog or upgrade guide drafts ready 
there. Also, it would be nice to have a review by the Security Team, since 
XStream also includes a security risk due to class deserialization.

Given the current state, my vote is to postpone both pull requests until 
2.265 (next week?) and to facilitate reviews. We are already upgrading 
Winstone and changing tabs to divs in 2.264, and both of these changes are 
likely to cause regressions. There are more than 3 months until the next 
LTS baseline, and IMHO there is no rush to bypass the review/merge process 
to get these changes into 2.264 tomorrow.

Best regards,
Oleg


On Monday, October 26, 2020 at 8:37:44 PM UTC+1 Jesse Glick wrote:

> As mentioned in previous threads, I am proposing to get
>
> https://github.com/jenkinsci/jenkins/pull/4848
> https://github.com/jenkinsci/jenkins/pull/4944
>
> into trunk soon, since 2.263 was accepted as an LTS baseline so we
> have the maximum number of weeklies available to iron out any issues
> before the next line is cut. Would like to get some code reviews; yes
> I know the Spring one is a pretty big diff, and includes some tricky
> code changes, though a lot of it is routine search-and-replace stuff.
> The XStream PR is a more modest diff, though still with a large
> impact.
>
> The other crucial request is for maintainers and power users of
> potentially affected plugins to look over the compatibility tables
>
> https://github.com/jenkinsci/jep/blob/master/jep/227/compatibility.adoc
> https://github.com/jenkinsci/jep/blob/master/jep/228/compatibility.adoc
>
> I have done my best to offer fixes for all widely used plugins, but
> there is more to be done:
>
> If you are a plugin maintainer, please check if there is a PR for your
> plugin listed in either chart, and if so review, merge, _and release_
> that PR in advance so users can have a smooth upgrade experience. (Or
> if the PR does not look right, contact me of course!)
>
> If you are a power user of a plugin which is shown as being currently
> incompatible, please help verify that any proposed fixes are safe to
> apply with current versions of Jenkins and (ideally) also work as
> expected with the proposed patched version¹ of Jenkins; and consider
> adopting an orphaned plugin if only to perform emergency releases. For
> example, installation statistics claim there are a fair number of
> people running Reverse Proxy Auth as a security realm, but it is going
> to flat-out break (throwing errors, no login possible) unless somebody
> merges & releases
>
> https://github.com/jenkinsci/reverse-proxy-auth-plugin/pull/40
>
> yet there is currently no active maintainer.
>
>
> ¹Prior to an actual merge of the core PR, you can download preview
> builds, linked from the *Incrementals* status of the PR; most recent
> available as of this writing:
>
>
> https://repo.jenkins-ci.org/incrementals/org/jenkins-ci/main/jenkins-war/2.264-rc30680.a82950864304/jenkins-war-2.264-rc30680.a82950864304.war
> (JEP-227)
>
> https://repo.jenkins-ci.org/incrementals/org/jenkins-ci/main/jenkins-war/2.264-rc30542.af44d4186663/jenkins-war-2.264-rc30542.af44d4186663.war
> (JEP-228)
>
> The same is true of plugin PRs in most cases, for example
>
>
> https://repo.jenkins-ci.org/incrementals/org/jenkins-ci/plugins/email-ext/2.77-rc1331.63266610ebc4/email-ext-2.77-rc1331.63266610ebc4.hpi
>
> which can be downloaded & installed manually in the *Advanced* tab. If
> you are missing a downloadable build of some PR, mention @jglick in
> the PR.
>
