Re: Proposal: Adopting Stapler as official Jenkins project

[Tim Jacomb]

I've moved stapler to Jenkinsci as part of
https://issues.jenkins.io/browse/INFRA-2908
Core team has access

Jesse has taken care of most of the rest of the proposals already

On Wed, 26 May 2021 at 17:03, Oleg Nenashev  wrote:

> Thanks to Kohsuke for your approval! And thanks to Kohsuke and Jesse for
> feedback!
>
> I do feel, however, that "not encourag[ing] external use" is an
>> unnecessarily negative way of framing the mission of the new sub-project.
>> Stapler is an unique web framework that enables the extensibility of
>> Jenkins, and for that and all the other practical reasons it just makes
>> more sense for the project to be adopted to Jenkins. The focus will be on
>> serving Jenkins well. I think that's all that need to be said.
>>
>
>
>> I think there is a reason for specifically *discouraging* use outside
>> Jenkins: that we have found the need to fix security vulnerabilities by
>> defining interfaces in Stapler which are then implemented in Jenkins core.
>> An external project is unlikely to keep up with these developments, and
>> thus potentially remain vulnerable. It would be irresponsible to advertise
>> a library which is unsafe to use on its own.
>>
>
> I agree with both statements. Let me think about how to frame it properly.
> I will submit a pull request to jenkins.io with the proposal based on the
> feedback here and on the private conversation with Kohsuke. Then we can
> review it together and approve the wording. Kohsuke is the founder of the
> Stapler project, and indeed we should respect and address the feedback.
>
> Best regards,
> Oleg
>
>
>
>
> On Wed, May 26, 2021 at 5:27 PM Jesse Glick  wrote:
>
>> On Wed, May 26, 2021 at 11:16 AM Kohsuke Kawaguchi 
>> wrote:
>>
>>> "not encourag[ing] external use" is an unnecessarily negative way of
>>> framing the mission
>>>
>>
>> I think there is a reason for specifically *discouraging* use outside
>> Jenkins: that we have found the need to fix security vulnerabilities by
>> defining interfaces in Stapler which are then implemented in Jenkins core.
>> An external project is unlikely to keep up with these developments, and
>> thus potentially remain vulnerable. It would be irresponsible to advertise
>> a library which is unsafe to use on its own.
>>
>> --
>> You received this message because you are subscribed to a topic in the
>> Google Groups "Jenkins Developers" group.
>> To unsubscribe from this topic, visit
>> https://groups.google.com/d/topic/jenkinsci-dev/1T3yDHl1nEQ/unsubscribe.
>> To unsubscribe from this group and all its topics, send an email to
>> jenkinsci-dev+unsubscr...@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/jenkinsci-dev/CANfRfr2-T0_Yxc1RG34oV66JJhY6yegH_oMOrAN%2BY1-fPCL2VA%40mail.gmail.com
>> 
>> .
>>
> --
> You received this message because you are subscribed to the Google Groups
> "Jenkins Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to jenkinsci-dev+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/jenkinsci-dev/CAPfivLDcv93AbnGKdHQCtMaOSDctWiTREpSuqETt58jR--qpFQ%40mail.gmail.com
> 
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAH-3Bieot1SLEZFR84ddwr-1Qh7TH3omaXTCY2Q2cubOJN_3gw%40mail.gmail.com.

Re: Proposal: Adopting Stapler as official Jenkins project

[Oleg Nenashev]

Thanks to Kohsuke for your approval! And thanks to Kohsuke and Jesse for
feedback!

I do feel, however, that "not encourag[ing] external use" is an
> unnecessarily negative way of framing the mission of the new sub-project.
> Stapler is an unique web framework that enables the extensibility of
> Jenkins, and for that and all the other practical reasons it just makes
> more sense for the project to be adopted to Jenkins. The focus will be on
> serving Jenkins well. I think that's all that need to be said.
>


> I think there is a reason for specifically *discouraging* use outside
> Jenkins: that we have found the need to fix security vulnerabilities by
> defining interfaces in Stapler which are then implemented in Jenkins core.
> An external project is unlikely to keep up with these developments, and
> thus potentially remain vulnerable. It would be irresponsible to advertise
> a library which is unsafe to use on its own.
>

I agree with both statements. Let me think about how to frame it properly.
I will submit a pull request to jenkins.io with the proposal based on the
feedback here and on the private conversation with Kohsuke. Then we can
review it together and approve the wording. Kohsuke is the founder of the
Stapler project, and indeed we should respect and address the feedback.

Best regards,
Oleg




On Wed, May 26, 2021 at 5:27 PM Jesse Glick  wrote:

> On Wed, May 26, 2021 at 11:16 AM Kohsuke Kawaguchi  wrote:
>
>> "not encourag[ing] external use" is an unnecessarily negative way of
>> framing the mission
>>
>
> I think there is a reason for specifically *discouraging* use outside
> Jenkins: that we have found the need to fix security vulnerabilities by
> defining interfaces in Stapler which are then implemented in Jenkins core.
> An external project is unlikely to keep up with these developments, and
> thus potentially remain vulnerable. It would be irresponsible to advertise
> a library which is unsafe to use on its own.
>
> --
> You received this message because you are subscribed to a topic in the
> Google Groups "Jenkins Developers" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/jenkinsci-dev/1T3yDHl1nEQ/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> jenkinsci-dev+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/jenkinsci-dev/CANfRfr2-T0_Yxc1RG34oV66JJhY6yegH_oMOrAN%2BY1-fPCL2VA%40mail.gmail.com
> 
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAPfivLDcv93AbnGKdHQCtMaOSDctWiTREpSuqETt58jR--qpFQ%40mail.gmail.com.

Re: Proposal: Adopting Stapler as official Jenkins project

[Jesse Glick]

On Wed, May 26, 2021 at 11:16 AM Kohsuke Kawaguchi  wrote:

> "not encourag[ing] external use" is an unnecessarily negative way of
> framing the mission
>

I think there is a reason for specifically *discouraging* use outside
Jenkins: that we have found the need to fix security vulnerabilities by
defining interfaces in Stapler which are then implemented in Jenkins core.
An external project is unlikely to keep up with these developments, and
thus potentially remain vulnerable. It would be irresponsible to advertise
a library which is unsafe to use on its own.

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CANfRfr2-T0_Yxc1RG34oV66JJhY6yegH_oMOrAN%2BY1-fPCL2VA%40mail.gmail.com.

Re: Proposal: Adopting Stapler as official Jenkins project

[Kohsuke Kawaguchi]

Hey, sorry for coming late, I'm happy to move the project closer to where 
the action is. Happy to transfer any/all assets involved.

I do feel, however, that "not encourag[ing] external use" is an 
unnecessarily negative way of framing the mission of the new sub-project. 
Stapler is an unique web framework that enables the extensibility of 
Jenkins, and for that and all the other practical reasons it just makes 
more sense for the project to be adopted to Jenkins. The focus will be on 
serving Jenkins well. I think that's all that need to be said. 

On Thursday, May 20, 2021 at 3:04:28 PM UTC-7 Oleg Nenashev wrote:

> At the governance meeting on May 19 (link 
> ) we agreed to 
> adopt Stapler and its components. We also agreed that a final sign-off from 
> Kohsuke as the project creator is needed before we proceed.
>
> On Wednesday, May 19, 2021 at 6:15:06 AM UTC+2 Oleg Nenashev wrote:
>
>> Thanks to everyone for the feedback!
>> Added the final sign-off to the today's governance meeting agenda
>>
>> On Monday, May 10, 2021 at 9:48:11 PM UTC+2 Jesse Glick wrote:
>>
>>> On Mon, May 10, 2021 at 2:04 PM Oleg Nenashev  
>>> wrote:
>>>
 Other Stapler related personal repositories can be also moved to the 
 jenkinsci org

>>>
>>> Sure; do you know of any?
>>>
>>> https://javadoc.jenkins.io/component/stapler/ includes Javadoc only for 
 https://github.com/stapler/stapler

>>>
>>> https://github.com/stapler/stapler/tree/master/core specifically. The 
>>> other modules do not expose useful Java-level APIs that plugin authors 
>>> should use that I know of.
>>>
>>> Other Stapler repositories like 
 https://github.com/stapler/maven-stapler-plugin are not included

>>>
>>> I do not think there is any need to publish Javadoc for any other 
>>> miscellaneous component. If and when a need arises, it is simple to include.
>>>
>>

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/b0bb7284-84ee-45f7-8372-7ba3473900a6n%40googlegroups.com.

Re: Proposal: Adopting Stapler as official Jenkins project

[Oleg Nenashev]

At the governance meeting on May 19 (link 
) we agreed to 
adopt Stapler and its components. We also agreed that a final sign-off from 
Kohsuke as the project creator is needed before we proceed.

On Wednesday, May 19, 2021 at 6:15:06 AM UTC+2 Oleg Nenashev wrote:

> Thanks to everyone for the feedback!
> Added the final sign-off to the today's governance meeting agenda
>
> On Monday, May 10, 2021 at 9:48:11 PM UTC+2 Jesse Glick wrote:
>
>> On Mon, May 10, 2021 at 2:04 PM Oleg Nenashev  
>> wrote:
>>
>>> Other Stapler related personal repositories can be also moved to the 
>>> jenkinsci org
>>>
>>
>> Sure; do you know of any?
>>
>> https://javadoc.jenkins.io/component/stapler/ includes Javadoc only for 
>>> https://github.com/stapler/stapler
>>>
>>
>> https://github.com/stapler/stapler/tree/master/core specifically. The 
>> other modules do not expose useful Java-level APIs that plugin authors 
>> should use that I know of.
>>
>> Other Stapler repositories like 
>>> https://github.com/stapler/maven-stapler-plugin are not included
>>>
>>
>> I do not think there is any need to publish Javadoc for any other 
>> miscellaneous component. If and when a need arises, it is simple to include.
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/5e47a375-141b-45c6-a35a-6e2a17cd27e0n%40googlegroups.com.

Re: Proposal: Adopting Stapler as official Jenkins project

[Oleg Nenashev]

Thanks to everyone for the feedback!
Added the final sign-off to the today's governance meeting agenda

On Monday, May 10, 2021 at 9:48:11 PM UTC+2 Jesse Glick wrote:

> On Mon, May 10, 2021 at 2:04 PM Oleg Nenashev  wrote:
>
>> Other Stapler related personal repositories can be also moved to the 
>> jenkinsci org
>>
>
> Sure; do you know of any?
>
> https://javadoc.jenkins.io/component/stapler/ includes Javadoc only for 
>> https://github.com/stapler/stapler
>>
>
> https://github.com/stapler/stapler/tree/master/core specifically. The 
> other modules do not expose useful Java-level APIs that plugin authors 
> should use that I know of.
>
> Other Stapler repositories like 
>> https://github.com/stapler/maven-stapler-plugin are not included
>>
>
> I do not think there is any need to publish Javadoc for any other 
> miscellaneous component. If and when a need arises, it is simple to include.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/e88ed0c9-b0a8-4f62-a671-d152d895faa6n%40googlegroups.com.

Re: Proposal: Adopting Stapler as official Jenkins project

[Jesse Glick]

On Mon, May 10, 2021 at 2:04 PM Oleg Nenashev 
wrote:

> Other Stapler related personal repositories can be also moved to the
> jenkinsci org
>

Sure; do you know of any?

https://javadoc.jenkins.io/component/stapler/ includes Javadoc only for
> https://github.com/stapler/stapler
>

https://github.com/stapler/stapler/tree/master/core specifically. The other
modules do not expose useful Java-level APIs that plugin authors should use
that I know of.

Other Stapler repositories like
> https://github.com/stapler/maven-stapler-plugin are not included
>

I do not think there is any need to publish Javadoc for any other
miscellaneous component. If and when a need arises, it is simple to include.

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CANfRfr1Yz39ELgJRKu7rOPzcowqkh7NwD0sMx--N6LNFJU70Kg%40mail.gmail.com.

Re: Proposal: Adopting Stapler as official Jenkins project

[Tim Jacomb]

+1

On Mon, 10 May 2021 at 19:10, Basil Crow  wrote:

> +1 for normalizing Stapler as a standard Jenkins sub-project. Keeping
> it as an independent project complicates maintenance efforts and does
> not provide a strong benefit.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Jenkins Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to jenkinsci-dev+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/jenkinsci-dev/CAFwNDjoM%3Dxfx_U_QU98T7kets4aOsgUauJOGva5TB5LY3E2NUQ%40mail.gmail.com
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAH-3Bie9o%3DK7StKmXdBB5ga6__4ZBD42Ys_Zr1vn%3DDJp3sOt1Q%40mail.gmail.com.

Re: Proposal: Adopting Stapler as official Jenkins project

[Basil Crow]

+1 for normalizing Stapler as a standard Jenkins sub-project. Keeping
it as an independent project complicates maintenance efforts and does
not provide a strong benefit.

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAFwNDjoM%3Dxfx_U_QU98T7kets4aOsgUauJOGva5TB5LY3E2NUQ%40mail.gmail.com.

Re: Proposal: Adopting Stapler as official Jenkins project

[Oleg Nenashev]

Thanks Jesse! Would also appreciate feedback w.r.t "TBD: We move Stapler 
repositories to jenkinsci . If there are other related personal 
repositories, we move them as well".
Responded to the rest below

> other related personal repositories 
>> What does this mean? 

Did not finish the bullet, sorry. "Other Stapler related personal 
repositories can be also moved to the jenkinsci org"

> http://stapler.kohsuke.org/  is deprecated 
and replaced by a reference to the Jenkins sub-project page

Thanks!

> Javadoc for Stapler components is republished on javadoc.jenkins.io

https://javadoc.jenkins.io/component/stapler/ includes Javadoc only for 
https://github.com/stapler/stapler
Other Stapler repositories like 
https://github.com/stapler/maven-stapler-plugin are not included 
No, I do not know whether any other component is actually needed.







On Monday, May 10, 2021 at 6:41:36 PM UTC+2 Jesse Glick wrote:

> On Mon, May 10, 2021 at 12:06 PM Oleg Nenashev  
> wrote:
>
>>
>>- Stapler is adopted as a Jenkins sub-project, with explicit 
>>expectation that we do not encourage external use
>>
>> +1 
>
>>
>>- maybe even target replacing it by another active OSS project later 
>>if not mission impossible
>>
>> This is impossible, let us not waste time discussing it.
>
>>
>>- We move Stapler repositories to jenkinsci.
>>
>> +1 (see INFRA-2908 )
>
>>
>>- other related personal repositories
>>
>> What does this mean?
>
>>
>>- We archive all repositories which are no longer used by Jenkins.
>>
>> +1 
>
>>
>>- http://stapler.kohsuke.org/ is deprecated and replaced by a 
>>   reference to the Jenkins sub-project page
>>   - Javadoc for Stapler components is republished on 
>>   javadoc.jenkins.io
>>
>> Both already done.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/d3287767-71b6-4e5a-b531-cbcf68a9f04en%40googlegroups.com.

Re: Proposal: Adopting Stapler as official Jenkins project

[Jesse Glick]

On Mon, May 10, 2021 at 12:06 PM Oleg Nenashev 
wrote:

>
>- Stapler is adopted as a Jenkins sub-project, with explicit
>expectation that we do not encourage external use
>
> +1

>
>- maybe even target replacing it by another active OSS project later
>if not mission impossible
>
> This is impossible, let us not waste time discussing it.

>
>- We move Stapler repositories to jenkinsci.
>
> +1 (see INFRA-2908 )

>
>- other related personal repositories
>
> What does this mean?

>
>- We archive all repositories which are no longer used by Jenkins.
>
> +1

>
>- http://stapler.kohsuke.org/ is deprecated and replaced by a
>   reference to the Jenkins sub-project page
>   - Javadoc for Stapler components is republished on
>   javadoc.jenkins.io
>
> Both already done.

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CANfRfr1kFr0_4Qk0rRx__gV2OCcG9JEjVLhAX2TEArqtu3gZbg%40mail.gmail.com.