Jenkins Plugin pom (future of)

Re: Jenkins Plugin pom (future of)

James Nord-3
Do you have a PR I can check out locally?


On Monday, January 20, 2020 at 10:13:54 PM UTC, Ullrich Hafner wrote:
Ok, thanks. 2.164 would be ok for me. 

Now I get:

mvn validate
[INFO] Scanning for projects...
[ERROR] [ERROR] Some problems were encountered while processing the POMs:
[ERROR] 'dependencies.dependency.version' for org.kohsuke:access-modifier-annotation:jar must be a valid version but is '${access-modifier-annotation.version}'. @ org.jenkins-ci.main:jenkins-bom:2.164.3, /Users/hafner/.m2/repository/org/jenkins-ci/main/jenkins-bom/2.164.3/jenkins-bom-2.164.3.pom, line 211, column 18
 @ 
[ERROR] The build could not read 1 project -> [Help 1]
[ERROR]   
[ERROR]   The project org.jvnet.hudson.plugins:analysis-pom:2.0.0-beta-2-SNAPSHOT (/Users/hafner/Development/git/warnings-ng-plugin-devenv/analysis-pom-plugin/pom.xml) has 1 error
[ERROR]     'dependencies.dependency.version' for org.kohsuke:access-modifier-annotation:jar must be a valid version but is '${access-modifier-annotation.version}'. @ org.jenkins-ci.main:jenkins-bom:2.164.3, /Users/hafner/.m2/repository/org/jenkins-ci/main/jenkins-bom/2.164.3/jenkins-bom-2.164.3.pom, line 211, column 18
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/ProjectBuildingException


On 20.01.2020 at 14:09, James Nord <jn...@...> wrote:

On Friday, January 17, 2020 at 1:28:09 PM UTC, James Nord wrote:

On Friday, January 17, 2020 at 12:46:15 PM UTC, Ullrich Hafner wrote:
Would it make sense to remove that part from the pom until we have older Jenkins versions supported? Otherwise we will hardly find some testers for the changes...

On 17.01.2020 at 12:16, Oleg Nenashev <[hidden email]> wrote:

IIUC James was about retrospectively doing releases for older versions.
https://repo.jenkins-ci.org/releases/org/jenkins-ci/main/jenkins-bom/ now lists only 2.190.x indeed


2.190.x was retrospectively published. I have an internal task (now up) to publish some boms for CloudBees' fixed lines (which is pretty much 2.164.[1-3]), which will be adapted for OSS Jenkins and make their way into repo.jenkins.org; it just got paused due to Christmas/New Year, sickness and investigating https://issues.jenkins-ci.org/browse/JENKINS-60754 (thanks Jesse!).

However, anything older than 2.164 should be a security risk now (I do not know of any other companies performing releases with backports of Jenkins security fixes) - so I am not intending to publish anything else other than the 2.164 line as this enables users' bad habits of upgrading plugins to get new features whilst still running an insecure core, hence I would recommend bumping to at least 2.164.x in the warnings-ng plugins in preparation.

Of note, 93% of users who are using the latest warnings-ng plugin are on 2.190.1 or higher and 99% are on 2.164.1 or higher, so I would not expect this to be an issue for users of your (well at least warnings-ng) plugins.


2.164.[1-3] and 2.176.[1-4] have now been published to repo.jenkins-ci.org.

I'm not intending to publish more versions, however if there is a demonstrable need then I can publish some more.

For trying to track down changes between versions you can still use -Djenkins.version=x.zyz if you also specify -Djenkins-bom.version=a.abc which will not be 100% correct but should be close enough. (Only ant, slf4j, commons-codec and spotbugs-annotations have changed between the published versions.)

/James
 

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkin...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/9640e383-2686-41fe-b80b-26df95d5d13e%40googlegroups.com.


Re: Jenkins Plugin pom (future of)

James Nord-3
Never mind, several of the retrospective BOMs are garbage because I used a non-local parent and the resolved parent is flattened so the properties were missing :-(

I guess I can republish them (which is just awful because releases are golden), but I don't think there are many other good solutions.

/James


On Tuesday, January 21, 2020 at 2:32:38 PM UTC, James Nord wrote:
Do you have a PR I can check out locally?



Re: Jenkins Plugin pom (future of)

James Nord-3
Hi all,

The following versions of the jenkins-bom were all garbage and have been *deleted* from the repository and republished:

* 2.164.1
* 2.164.2
* 2.164.3
* 2.176.1
* 2.176.2
* 2.176.3
* 2.176.4

If you have already tried to use one of these versions then you will need to remove the version from your local repository cache (~/.m2/repository) as well as any Maven proxies you may be using.

I do not think these have been pulled in builds on ci.jenkins.io yet (which uses its own cache), but if you see the failure that Ulli saw on CI but not locally due to the bom, then please let me know and I will file an INFRA ticket and try and get them cleaned up.

/James

On Tuesday, January 21, 2020 at 2:42:23 PM UTC, James Nord wrote:
Never mind, several of the retrospective BOMs are garbage because I used a non-local parent and the resolved parent is flattened so the properties were missing :-(

I guess I can republish them (which is just awful because releases are golden), but I don't think there are many other good solutions.

/James


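Because the republished BOMs reuse the same version numbers, a local repository or proxy that cached the first upload keeps serving the broken POM. The following check is an added example, not code from the thread or from the Jenkins project: it looks in a Maven repository directory for the seven republished jenkins-bom versions and flags any cached POM whose dependency versions still use a ${property} the POM never defines, which is the symptom in the mvn validate output above. The function names and the sample POMs are constructed for illustration; the directory layout is taken from the path in the Maven error.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Versions the thread lists as deleted and republished.
AFFECTED = ["2.164.1", "2.164.2", "2.164.3",
            "2.176.1", "2.176.2", "2.176.3", "2.176.4"]
BOM_PATH = Path("org/jenkins-ci/main/jenkins-bom")  # layout from the Maven error
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")

# Constructed sample: a flattened BOM whose property definition was lost.
BROKEN_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>org.jenkins-ci.main</groupId>
  <artifactId>jenkins-bom</artifactId>
  <version>2.164.3</version>
  <dependencyManagement><dependencies>
    <dependency>
      <groupId>org.kohsuke</groupId>
      <artifactId>access-modifier-annotation</artifactId>
      <version>${access-modifier-annotation.version}</version>
    </dependency>
  </dependencies></dependencyManagement>
</project>
"""
# Constructed sample: same BOM with the property defined (value is made up).
FIXED_POM = BROKEN_POM.replace("2.164.3", "2.176.1").replace(
    "<dependencyManagement>",
    "<properties><access-modifier-annotation.version>0.0-constructed"
    "</access-modifier-annotation.version></properties><dependencyManagement>")


def _local(tag):
    """Drop the XML namespace so POMs with or without xmlns parse alike."""
    return tag.rsplit("}", 1)[-1]


def unresolved_versions(pom_file):
    """Map groupId:artifactId -> property for dependency versions that use a
    ${property} the POM never defines. Parent POMs are not followed."""
    root = ET.parse(pom_file).getroot()
    defined = {_local(p.tag) for el in root.iter()
               if _local(el.tag) == "properties" for p in el}
    findings = {}
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        for prop in PLACEHOLDER.findall(fields.get("version", "")):
            if prop not in defined and not prop.startswith("project."):
                findings[f"{fields.get('groupId')}:{fields.get('artifactId')}"] = prop
    return findings


def stale_bom_dirs(repo_root):
    """Cached jenkins-bom version directories whose POM is still broken."""
    stale = []
    for version in AFFECTED:
        vdir = Path(repo_root) / BOM_PATH / version
        pom = vdir / f"jenkins-bom-{version}.pom"
        if pom.is_file() and unresolved_versions(pom):
            stale.append(vdir)
    return stale


def demo():
    """Scan a throwaway repository built from the constructed samples."""
    with tempfile.TemporaryDirectory() as tmp:
        for version, text in (("2.164.3", BROKEN_POM), ("2.176.1", FIXED_POM)):
            vdir = Path(tmp) / BOM_PATH / version
            vdir.mkdir(parents=True)
            (vdir / f"jenkins-bom-{version}.pom").write_text(text)
        return [d.name for d in stale_bom_dirs(tmp)]
```

To check a real cache, call stale_bom_dirs(Path.home() / ".m2" / "repository"); each directory it returns can be deleted so Maven resolves the republished POM again.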