ruby-runtime is a plugin that allows Jenkins plugins to be implemented in Ruby. 
It has quite a number of problems:

* The source code situation is a mess, with two separate repositories.
        https://github.com/jenkinsci/ruby-runtime-plugin/pull/6#issuecomment-383842017
        https://github.com/jenkinsci/ruby-runtime-plugin/
        https://github.com/jenkinsci/jenkins.rb/tree/master/java-runtime

* It is unmaintained, with the latest release (0.12) in 2013. While the 
changelog claims that 0.13 was released in 2016, it's not actually available on 
update sites. The last real activity seems to have happened around 2014.
        http://plugins.jenkins.io/ruby-runtime

* It caused problems after a core update a few months back due to a faulty 
assumption. As the plugin is unmaintained, and parts get packaged in dependent 
plugins (i.e. fixing ruby-runtime isn't enough), we had to revert part of the 
core change, or accept that ruby-runtime based plugins remain broken until they 
all _individually_ get updated.
        https://jenkins.io/changelog/#v2.92
        https://issues.jenkins-ci.org/browse/JENKINS-48116
        https://github.com/jenkinsci/jenkins/pull/3154
        https://issues.jenkins-ci.org/browse/JENKINS-48116?focusedCommentId=320469&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-320469

* It required extensive whitelisting in core to achieve JEP-200 compatibility 
due to the JRuby glue.
        https://github.com/jenkinsci/jenkins/blob/91e1cf2d3e0fa1c4766c62f2db54cd3a28cd9d32/core/src/main/resources/jenkins/security/whitelisted-classes.txt#L171...L197

ruby-runtime is used by 22 other plugins as a dependency. Most of them appear 
to not be actively maintained, not having received a new release in several 
years. Only three were released in the past two years and/or have more than 
1000 installs.

https://plugins.jenkins.io/buddycloud was last released Jun 05, 2014 (1 install)
https://plugins.jenkins.io/capitomcat was last released Feb 17, 2015 (980 installs)
https://plugins.jenkins.io/chef was last released Aug 29, 2015 (451 installs)
https://plugins.jenkins.io/ci-skip was last released Dec 23, 2013 (406 installs)
https://plugins.jenkins.io/commit-message-trigger-plugin was last released Sep 30, 2014 (272 installs)
https://plugins.jenkins.io/cucumber was last released Mar 13, 2013 (493 installs)
https://plugins.jenkins.io/devstack was last released Sep 17, 2012 (18 installs)
https://plugins.jenkins.io/git-notes was last released Apr 23, 2012 (692 installs)
https://plugins.jenkins.io/gitlab-hook was last released Apr 17, 2016 (9667 installs)
https://plugins.jenkins.io/ikachan was last released Jun 04, 2012 (12 installs)
https://plugins.jenkins.io/jenkinspider was last released Jun 19, 2015 (12 installs)
https://plugins.jenkins.io/mysql-job-databases was last released Sep 20, 2014 (233 installs)
https://plugins.jenkins.io/pathignore was last released Nov 18, 2011 (331 installs)
https://plugins.jenkins.io/perl was last released Mar 07, 2013 (178 installs)
https://plugins.jenkins.io/perl-smoke-test was last released Sep 26, 2014 (30 installs)
https://plugins.jenkins.io/pry was last released May 31, 2012 (80 installs)
https://plugins.jenkins.io/pyenv was last released Aug 06, 2014 (903 installs)
https://plugins.jenkins.io/rbenv was last released Apr 18, 2016 (983 installs)
https://plugins.jenkins.io/rvm was last released Aug 10, 2016 (2261 installs)
https://plugins.jenkins.io/singleuseslave was last released May 07, 2015 (131 installs)
https://plugins.jenkins.io/travis-yml was last released Nov 13, 2016 (434 installs)
https://plugins.jenkins.io/yammer was last released Jul 19, 2013 (129 installs)

The by far most popular plugin based on ruby-runtime is gitlab-hook at just 
under 10k installs. It is part of last week's security advisory, as its 
maintainer published a fix for a (fairly minor, but still) security 
vulnerability two years ago, but never actually released it, or informed the 
security team that he worked on it in public, so can be considered not actively 
maintained.
https://jenkins.io/security/advisory/2018-05-09/#SECURITY-263
https://github.com/jenkinsci/gitlab-hook-plugin/commit/8e127c3ee8fb164acbf9f73530215f788b531033

I don't think any of the above problems are inherently unrecoverable, but 
unless somebody is ready to take ownership of ruby-runtime, and fixes its 
problems, my proposal is to remove ruby-runtime from distribution, and announce 
its deprecation. Distribution of dependent plugins would necessarily be 
suspended as well, until reimplemented in Java, similar to other plugins with 
unsatisfiable dependencies.

Generally there's no reason for something to be removed from distribution just 
because it doesn't work well. But ruby-runtime has caused quite some work for 
core maintainers, as the above references show, and wasted time better spent 
elsewhere. I think it's only a matter of time until things break in ways not 
easily recoverable, and the longer we wait, the more painful it will be.

WDYT?

Daniel
