We should definitely update the library and detach it, sooner rather than later. Otherwise the next CVE in Apache Mina may make our life very fun.
Since we had a new LTS cutoff recently, it is good timing for such a change.
Some notes about the Apache Mina update to 2.x:
There are multiple plugins using Apache Mina code: https://github.com/search?l=Java&q=org%3Ajenkinsci+%22org.apache.sshd%22&type=Code . Examples: Git Server, SSH Credentials, Gerrit Trigger, Remote Terminal Access, SSH CLI. Since the update is a potentially breaking change, it would be great to verify these plugins before the changes land.
There is at least one proprietary plugin depending on Mina SSH code.
I definitely support a two-stage update where the first plugin version uses the old Apache Mina.
On Friday, February 12, 2021 at 1:06:00 PM UTC+1 [hidden email] wrote:
I have had a bunch of PRs ready to move forward for a few months; these PRs are to convert the SSHD Module to a plugin and, after that, bump the Apache Mina sshd library.
We are using a really old Apache Mina sshd that is a security risk, and moving the SSHD module outside of the core could help to have simpler Jenkins instances without services you do not need/want.
Thus I would like to make progress and close stuff to start new things related to that in the SSH Build Agents plugin. How can we manage this?