Re: Updating detached plugins
On Tue, Apr 9, 2024 at 12:33 PM 'Daniel Beck' via Jenkins Developers wrote:
>
> Are you aware of examples of this problem other than the two Jira issues?

Daniel, I am not aware of any such examples.

-- 
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-dev+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAFwNDjr3%2BoyzLUaE8_uOcGhiz0f_kXj4qNtJR8rf00cy1MQYyA%40mail.gmail.com.
Re: Updating detached plugins
On Tue, Apr 9, 2024 at 8:28 PM Basil Crow wrote:
> Third, we have occasionally seen a need to mitigate the impact of
> JENKINS-69361.
> Since 2022 I have been regularly updating detached plugins, justified
> as an exception to the usual policy in order to mitigate the impact of
> JENKINS-69361.

Are you aware of examples of this problem other than the two Jira issues? Only instance-identity has been explicitly mentioned (and one comment mentions unspecified other plugins, which I guess are the javax-* plugins). I think I have a plausible explanation for the bug that would limit the problem to just these plugins, but lack further information about the scope of the problem.

-- 
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7PtLJMyNgSDbahd%3DCuTK9js_AH56gjVbNBTqE5YU3D9B3UQ%40mail.gmail.com.
Updating detached plugins
Since before my involvement as a core maintainer, we have apparently had a policy to "only update detached plugins when we are forced to, for example because there was a security advisory," and to run LoadDetachedPluginsTest#noUpdateSiteWarnings when updating them. This policy predates my involvement as a core maintainer, and when it was introduced to me the reasoning behind it was not explicitly stated.

In recent years a few things have changed. First, we have seen an increased need to update libraries to satisfy security scanners, even when the old versions are not exploitable in Jenkins. Second, Dependabot is now proposing updates to these detached plugins, and ignoring these updates results in stagnant PRs. Third, we have occasionally seen a need to mitigate the impact of JENKINS-69361.

Since 2022 I have been regularly updating detached plugins, justified as an exception to the usual policy in order to mitigate the impact of JENKINS-69361. At this point in 2024, the exception has become the rule, so I would like to propose a change in policy to update detached plugins as the Dependabot PRs come in, for the reasons given in the preceding paragraph.

Since manually running LoadDetachedPluginsTest#noUpdateSiteWarnings for each Dependabot PR is a nuisance, I would also like to propose that we drop the requirement for running this test or that we enable the test by default, accepting in the latter case that it will cause some friction during the small window of time after a security advisory marks a plugin release as vulnerable but before the relevant Dependabot PR(s) is/are picked up.

The main issue regarding updating detached plugins, if I recall correctly, was that this may (possibly?) limit users' ability to downgrade these plugins below the version that we bundle. I am not sure if this claim was ever verified.

If this claim is verified, either by a user reporting the inability to downgrade such a plugin, or by manual testing, then I could possibly be fine with retaining the existing policy but disabling Dependabot updates to detached plugins to reduce PR noise.

-- 
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAFwNDjpd4XsQfQ49PfYU2EdmGrWGUiXKj0PJTV32CnpSAmNENA%40mail.gmail.com.
Re: ASM in core
On Sat, Jan 13, 2024 at 5:09 AM Valentin Delaye (jonesbusy) wrote:
>
> Jumping into this

Are you still interested in removing ASM from core? I checked usage in plugins, and I believe all significant plugins are now linking against the ASM library plugin. The last major blocker was the JaCoCo plugin, which was released today. I also checked the CloudBees Update Center and didn't find any ASM usages there.

We are at the beginning of a new LTS development cycle, so I think now is the ideal time to remove ASM from core.

-- 
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAFwNDjq%3D_LRta%2BfAmBMhpTwBC2aXQ2BriDhnWC2y2FFVrcg8Ug%40mail.gmail.com.