> Just to make sure I get your point/stance:
> * you would agree we mark the current PR as ready-for-merge 
> * [provided we enrich the JEP-231 with the following [?]]
> * to make things better for the future, you recommend we create a 
> digester3-api plugin so these plugins can all be updated in one go.

Taking two votes here and many approvals in 
https://github.com/jenkinsci/jenkins/pull/5320, I am not against that. I 
would prefer us to rather follow the new JEP-1 process draft in 
https://github.com/jenkinsci/jep/pull/359 so that we could verify and dry 
run the changes, but I do not want to do modifications for them.

I am not ready to support the PR on my own though, because we should 
first release the API plugin and make a better effort in reaching out to 
plugin maintainers and getting releases or explicit up-for-adoption where 
possible. If other core maintainers do not want to wait, I am ready to 
accept this decision. And I definitely do not want the PR to miss the LTS 
merge window.

On Sunday, May 30, 2021 at 11:19:25 PM UTC+2 Baptiste Mathus wrote:

> On Sun, May 30, 2021 at 20:55, Oleg Nenashev <o.v.ne...@gmail.com> wrote:
>
>> Hi all,
>>
>> I have commented about the plugins removal in another thread. I have a 
>> question about creating a detached plugin for commons-digester: *" The 
>> current plan causes plugins which depend on Jenkins to provide Digester to 
>> fail unless they are updated. This could be mitigated by moving this 
>> dependency to a detached plugin. We decided against creating a detached 
>> plugin because there were a small number of affected plugins and only a 
>> few of them have significant install base. The creating and maintaining of 
>> a detached plugin would still be a significant amount of work and would 
>> cause the security vulnerabilities we are trying to address to remain open"*
>>
>> I agree with the reasoning and the decision. At the same time it 
>> does not explain why the commons-digester3 library is being injected as a 
>> direct dependency in pull requests, e.g. 
>> https://github.com/jenkinsci/vs-code-metrics-plugin/pull/5/ . Would it 
>> make sense to create a new API plugin instead? Otherwise we risk running 
>> into compatibility concerns at some point. Creating an API plugin is not 
>> discussed in the JEP at all.
>>
>
> Right. We could create a digester3-api plugin. 
>
> Indeed, to follow your point: currently, plugins were theoretically (in 
> practice never, given digester2 is loooong deprecated) getting this 
> centralized at Jenkins Core level.
> It was kinda like these plugins were using an api-plugin.
>
> Now for adjusted plugins, each one would have to upgrade separately 
> when/if a new release is made for digester3.
>
> Just to make sure I get your point/stance:
> * you would agree we mark the current PR as ready-for-merge 
> * [provided we enrich the JEP-231 with the following [?]]
> * to make things better for the future, you recommend we create a 
> digester3-api plugin so these plugins can all be updated in one go.
>
> I think I like this idea. This whole Digester2 work is about cleaning up 
> some burden of Jenkins, and such an API plugin would avoid having to 
> manually update dozens of plugins if a vulnerability fix was to be released 
> on the digester3 line.
>
> We can definitely and happily commit to create such an API plugin and 
> adapt active plugins if that is the last blocker for us to move forward and 
> merge this PR in the Core :-).
>
> Are we missing anything else to allow this merge?
>
> What do you think Oleg? What do you all think?
>
>
>> Best regards,
>> Oleg Nenashev
>>
>> P.S: Sorry for being a bit late to comment
>>
>> On Saturday, May 29, 2021 at 2:41:26 AM UTC+2 boa...@gmail.com wrote:
>>
>>> +1 thanks for doing your due diligence!
>>>
>>> On Fri, May 28, 2021 at 19:14 Basil Crow <m...@basilcrow.com> wrote:
>>>
>>>> +1 from me
>>>
>>>
>>>>
>>>> -- 
>>>> You received this message because you are subscribed to the Google 
>>>> Groups "Jenkins Developers" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send 
>>>> an email to jenkinsci-de...@googlegroups.com.
>>>>
>>>> To view this discussion on the web visit 
>>>> https://groups.google.com/d/msgid/jenkinsci-dev/CAFwNDjrQBdo645Zs5cboXStgo_7zJEEsnQ3iCxQ6qC4iw4M%3D4g%40mail.gmail.com
>>>> .
>>>>
