JEP-227 & JEP-228: request for assistance


JEP-227 & JEP-228: request for assistance

Jesse Glick-4
As mentioned in previous threads, I am proposing to get

https://github.com/jenkinsci/jenkins/pull/4848
https://github.com/jenkinsci/jenkins/pull/4944

into trunk soon, since 2.263 was accepted as an LTS baseline so we
have the maximum number of weeklies available to iron out any issues
before the next line is cut. Would like to get some code reviews; yes
I know the Spring one is a pretty big diff, and includes some tricky
code changes, though a lot of it is routine search-and-replace stuff.
The XStream PR is a more modest diff, though still with a large
impact.

The other crucial request is for maintainers and power users of
potentially affected plugins to look over the compatibility tables

https://github.com/jenkinsci/jep/blob/master/jep/227/compatibility.adoc
https://github.com/jenkinsci/jep/blob/master/jep/228/compatibility.adoc

I have done my best to offer fixes for all widely used plugins, but
there is more to be done:

If you are a plugin maintainer, please check if there is a PR for your
plugin listed in either chart, and if so review, merge, _and release_
that PR in advance so users can have a smooth upgrade experience. (Or
if the PR does not look right, contact me of course!)

If you are a power user of a plugin which is shown as being currently
incompatible, please help verify that any proposed fixes are safe to
apply with current versions of Jenkins and (ideally) also work as
expected with the proposed patched version¹ of Jenkins; and consider
adopting an orphaned plugin if only to perform emergency releases. For
example, installation statistics claim there are a fair number of
people running Reverse Proxy Auth as a security realm, but it is going
to flat-out break (throwing errors, no login possible) unless somebody
merges & releases

https://github.com/jenkinsci/reverse-proxy-auth-plugin/pull/40

yet there is currently no active maintainer.


¹Prior to an actual merge of the core PR, you can download preview
builds, linked from the *Incrementals* status of the PR; most recent
available as of this writing:

https://repo.jenkins-ci.org/incrementals/org/jenkins-ci/main/jenkins-war/2.264-rc30680.a82950864304/jenkins-war-2.264-rc30680.a82950864304.war
(JEP-227)
https://repo.jenkins-ci.org/incrementals/org/jenkins-ci/main/jenkins-war/2.264-rc30542.af44d4186663/jenkins-war-2.264-rc30542.af44d4186663.war
(JEP-228)

The same is true of plugin PRs in most cases, for example

https://repo.jenkins-ci.org/incrementals/org/jenkins-ci/plugins/email-ext/2.77-rc1331.63266610ebc4/email-ext-2.77-rc1331.63266610ebc4.hpi

which can be downloaded & installed manually in the *Advanced* tab. If
you are missing a downloadable build of some PR, mention @jglick in
the PR.

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CANfRfr0GBOCK_69zhKWWLGkDMzurJQyAVSD4x9aQDo0QCnFmvw%40mail.gmail.com.

Re: JEP-227 & JEP-228: request for assistance

Oleg Nenashev
Hi Jesse,

First of all, thanks for working on these changes! Cleanup of the dependencies is very important, and these changes help to reduce the technical debt in the project.

For https://github.com/jenkinsci/jenkins/pull/4848, the pull request has got only one approval so far, so it cannot be merged according to the current process, where at least 2 approvals are required for substantial pull requests. Given the nature of the change, I would vote for getting more reviews from the Jenkins Security Team members before it gets merged. I am -0.5 regarding expediting this pull request.

For https://github.com/jenkinsci/jenkins/pull/4944, this pull request is not ready for merge. There are no changelog or upgrade guide drafts ready there. Also, it would be nice to have a review by the Security Team, since XStream also includes a security risk due to class deserialization.

Given the current state, my vote is to postpone both pull requests until 2.265 (next week?) and to facilitate reviews. We are already upgrading Winstone and changing tabs to divs in 2.264, and both of these changes are likely to cause regressions. There are more than 3 months until the next LTS baseline, and IMHO there is no rush to bypass the review/merge process to get these changes into 2.264 tomorrow.

Best regards,
Oleg


On Monday, October 26, 2020 at 8:37:44 PM UTC+1 Jesse Glick wrote:

Re: JEP-227 & JEP-228: request for assistance

Jesse Glick-4
On Mon, Oct 26, 2020 at 3:52 PM Oleg Nenashev <[hidden email]> wrote:
> I would vote for getting more reviews from the Jenkins Security Team members before it gets merged.

Oh agreed!

> I am -0.5 regarding expediting this pull request.

Neither needs to be expedited indeed. I would just not want to be
waiting weeks here (unless of course a concrete problem comes up that
forces more work).

> XStream also includes a security risk due to class deserialization.

Yes this aspect needs to be considered during review. (Existing tests
in that area pass, and the change _should_ not be modifying JEP-200
behavior.)

> We are already upgrading Winstone and changing tabs to divs in 2.264

And there is a jQuery change coming? (#4929)


Re: JEP-227 & JEP-228: request for assistance

Oleg Nenashev
Thanks for the clarification! If there is no demand to get it released tomorrow, we are on the same page. Let's try to facilitate reviews, especially from the security team. Unfortunately I cannot commit my own time. Due to my current work assignments and personal commitments, I will have no time for reviewing big changes in the upcoming months.
 
> And there is a jQuery change coming?
Yes, but not in 2.264. As requested by Felix, it is on hold until 2.266/267
https://github.com/jenkinsci/jenkins/pull/4929#issuecomment-715904763



On Mon, Oct 26, 2020 at 8:59 PM Jesse Glick <[hidden email]> wrote:

Re: JEP-227 & JEP-228: request for assistance

Jesse Glick-4
Moving towards merging these two. If you intended to add a review, or
have reservations, please scream now!


Re: JEP-227 & JEP-228: request for assistance

Jesse Glick-4
Merged toward 2.266. Remember to use `jep-227` or `jep-228` labels,
respectively, for any Jira issues you report related to these, and CC
jglick to be sure.


Re: JEP-227 & JEP-228: request for assistance

Basil Crow
On Fri, Nov 6, 2020 at 1:38 PM Jesse Glick <[hidden email]> wrote:
>
> Merged toward 2.266.

Nice work on some long-needed changes. As a community member I would
like to thank your employer for funding this work and to thank you for
implementing it.


Re: JEP-227 & JEP-228: request for assistance

Matt Sicker
Paying down technical debt is always cause for celebration. Kudos!

On Fri, Nov 6, 2020 at 3:51 PM Basil Crow <[hidden email]> wrote:

--
Matt Sicker
Senior Software Engineer, CloudBees
