Hi Jesse,

First of all, thanks for working on these changes! Cleanup of the 
dependencies is very important, and these changes help to reduce the 
technical debt in the project.

For https://github.com/jenkinsci/jenkins/pull/4848, the pull request has 
got only one approval so far, so it cannot be merged according to the current 
process, where at least 2 approvals are required for substantial pull 
requests. Given the nature of the change, I would vote for getting more 
reviews from the Jenkins Security Team members before it gets merged. I am 
-0.5 regarding expediting this pull request.

For https://github.com/jenkinsci/jenkins/pull/4944, this pull request is 
not ready for merge. There are no changelog and upgrade guide drafts ready 
there. Also, it would be nice to have a review by the Security Team, since 
XStream also includes a security risk due to class deserialization.

Given the current state, my vote is to postpone both pull requests until 
2.265 (next week?) and to facilitate reviews. We are already upgrading 
Winstone and changing tabs to divs in 2.264, and both of these changes are 
likely to cause regressions. There are more than 3 months until the next 
LTS baseline, and IMHO there is no rush to bypass the review/merge process 
to get these changes into 2.264 tomorrow.

Best regards,
Oleg


On Monday, October 26, 2020 at 8:37:44 PM UTC+1 Jesse Glick wrote:

> As mentioned in previous threads, I am proposing to get
>
> https://github.com/jenkinsci/jenkins/pull/4848
> https://github.com/jenkinsci/jenkins/pull/4944
>
> into trunk soon, since 2.263 was accepted as an LTS baseline so we
> have the maximum number of weeklies available to iron out any issues
> before the next line is cut. Would like to get some code reviews; yes
> I know the Spring one is a pretty big diff, and includes some tricky
> code changes, though a lot of it is routine search-and-replace stuff.
> The XStream PR is a more modest diff, though still with a large
> impact.
>
> The other crucial request is for maintainers and power users of
> potentially affected plugins to look over the compatibility tables
>
> https://github.com/jenkinsci/jep/blob/master/jep/227/compatibility.adoc
> https://github.com/jenkinsci/jep/blob/master/jep/228/compatibility.adoc
>
> I have done my best to offer fixes for all widely used plugins, but
> there is more to be done:
>
> If you are a plugin maintainer, please check if there is a PR for your
> plugin listed in either chart, and if so review, merge, _and release_
> that PR in advance so users can have a smooth upgrade experience. (Or
> if the PR does not look right, contact me of course!)
>
> If you are a power user of a plugin which is shown as being currently
> incompatible, please help verify that any proposed fixes are safe to
> apply with current versions of Jenkins and (ideally) also work as
> expected with the proposed patched version¹ of Jenkins; and consider
> adopting an orphaned plugin if only to perform emergency releases. For
> example, installation statistics claim there are a fair number of
> people running Reverse Proxy Auth as a security realm, but it is going
> to flat-out break (throwing errors, no login possible) unless somebody
> merges & releases
>
> https://github.com/jenkinsci/reverse-proxy-auth-plugin/pull/40
>
> yet there is currently no active maintainer.
>
>
> ¹Prior to an actual merge of the core PR, you can download preview
> builds, linked from the *Incrementals* status of the PR; most recent
> available as of this writing:
>
>
> https://repo.jenkins-ci.org/incrementals/org/jenkins-ci/main/jenkins-war/2.264-rc30680.a82950864304/jenkins-war-2.264-rc30680.a82950864304.war
> (JEP-227)
>
> https://repo.jenkins-ci.org/incrementals/org/jenkins-ci/main/jenkins-war/2.264-rc30542.af44d4186663/jenkins-war-2.264-rc30542.af44d4186663.war
> (JEP-228)
>
> The same is true of plugin PRs in most cases, for example
>
>
> https://repo.jenkins-ci.org/incrementals/org/jenkins-ci/plugins/email-ext/2.77-rc1331.63266610ebc4/email-ext-2.77-rc1331.63266610ebc4.hpi
>
> which can be downloaded & installed manually in the *Advanced* tab. If
> you are missing a downloadable build of some PR, mention @jglick in
> the PR.
>
