Added the proposal sign-off to the today's Governance meeting agenda. The pull requests are up and running: https://github.com/jenkinsci/jenkins/pull/2950
BR, Oleg пятница, 28 июля 2017 г., 14:59:53 UTC+2 пользователь Baptiste Mathus написал: > > Having seen recently a customer simply switch from JNLP2 to JNLP4 and get > their instance back to working, after they had disabled JNLP4 after some > mistake I'm +1 to help drive users more towards the "right"/recommended > version. > > 2017-07-28 10:02 GMT+02:00 Stephen Connolly <stephen.al...@gmail.com > <javascript:>>: > >> +1 >> >> On Fri 28 Jul 2017 at 08:53, Oleg Nenashev <o.v.ne...@gmail.com >> <javascript:>> wrote: >> >>> Hi all, >>> >>> It is almost one year since the release of JNLP4 protocol in Remoting >>> 3.0. This protocol is available in Jenkins LTS since 2.32.1, and so far it >>> demonstrates good stability being compared to JNLP2 and especially to >>> JNLP3. The protocol was enabled by default in 2.46.x, and we do not have >>> confirmed JNLP4 issues since that. >>> >>> I propose to disable the previous protocols. I have created >>> JENKINS-45841 <https://issues.jenkins-ci.org/browse/JENKINS-45841> for >>> it. >>> >>> >>> *Why?* >>> >>> - JNLP2 stability concerns >>> - There are known issues in JNLP2 connection management. The >>> engine is complex and barely diagnosable >>> - Examples: >>> - https://github.com/jenkinsci/remoting/pull/156 >>> - JENKINS-31735 >>> <https://issues.jenkins-ci.org/browse/JENKINS-31735> - >>> NioChannelHub thread dies sometimes >>> - JENKINS-24155 >>> <https://issues.jenkins-ci.org/browse/JENKINS-24155> - Slaves >>> going offline in NIO mode >>> - In many cases update to JNLP4 was a resolution >>> - JNLP1/JNLP2/CLI1 are known to be unencrypted >>> - Sam Gleske also made it explicit in UI, Jenkins 2.41+ (pull >>> request <https://github.com/jenkinsci/jenkins/pull/2682>) >>> - It is not a security issue, they have been never claimed to be >>> encrypted >>> - Jenkins CERT team agreed that disabling protocols is reasonable >>> from the security hardening standpoint >>> >>> *How?* >>> >>> - UPD: When installation wizard is enabled && it runs in the new >>> installation mode, disable the old protocols during the instance >>> initialization >>> - It is similar to what we do for Remoting CLI disabling and the >>> default security initialization in Jenkins 2.0 >>> - ADD: administrative monitor, which warns about obsolete >>> Remoting protocols and points to the errata documents (like this one) >>> - ADD: Explicit deprecation notice to the built-in HTML documentation >>> >>> *Compatibility concerns* >>> >>> - Old instances won't be affected, protocols will be still enabled >>> for them >>> - "New" Jenkins instances installed via setup wizard may be affected >>> in age cases. Examples: >>> - Agents with Remoting older than 3.0 will be unable to connect. >>> - One may bundle old Remoting in his custom Docker images, AMIs, >>> etc. >>> - Swarm Plugin >>> <https://wiki.jenkins.io/display/JENKINS/Swarm+Plugin>: old >>> versions of Swarm Client (before 3.3) will be unable to connect, >>> because >>> Remoting 2.x is bundled >>> - **Very** old jenkins-cli.jar without CLI2 support will be >>> unable to connect >>> >>> *Not affected:* >>> >>> - Newly installed instances created from scratch >>> - Instances using the "-Djenkins.install.runSetupWizard=false" flag >>> (all configuration-as-code instances) >>> - SSH Slaves Plugin, any newly installed agent type, >>> community-provided Docker packages for agents, etc. >>> >>> *Announcement* >>> >>> - It's a potentially breaking change, hence it should be announced >>> in blog posts >>> - The change and the corner cases should be addressed in the upgrade >>> guide, which should be published within the blogpost >>> >>> >>> >>> *I think it's a good time to finally do this change. WDYT?Thanks in >>> advance,Oleg Nenashev* >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "Jenkins Developers" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to jenkinsci-de...@googlegroups.com <javascript:>. >>> To view this discussion on the web visit >>> https://groups.google.com/d/msgid/jenkinsci-dev/7a7e2b81-8795-48bd-b1c2-d0ee31123df3%40googlegroups.com >>> >>> <https://groups.google.com/d/msgid/jenkinsci-dev/7a7e2b81-8795-48bd-b1c2-d0ee31123df3%40googlegroups.com?utm_medium=email&utm_source=footer> >>> . >>> For more options, visit https://groups.google.com/d/optout. >>> >> -- >> Sent from my phone >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Jenkins Developers" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to jenkinsci-de...@googlegroups.com <javascript:>. >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/jenkinsci-dev/CA%2BnPnMw-mrET-X9xO4Y2B%3Dy2MfQ%3DyduKedp9wLiFL-Xk_eKYjQ%40mail.gmail.com >> >> <https://groups.google.com/d/msgid/jenkinsci-dev/CA%2BnPnMw-mrET-X9xO4Y2B%3Dy2MfQ%3DyduKedp9wLiFL-Xk_eKYjQ%40mail.gmail.com?utm_medium=email&utm_source=footer> >> . >> >> For more options, visit https://groups.google.com/d/optout. >> > > -- You received this message because you are subscribed to the Google Groups "Jenkins Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-dev+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/601824cd-7a04-4d8c-8194-10f0db590926%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
