On Mon, May 31, 2021 at 17:41, Oleg Nenashev <o.v.nenas...@gmail.com> wrote:

> > Just to make sure I get your point/stance:
> > * you would agree we mark the current PR as ready-for-merge
> > * [provided we enrich the JEP-231 with the following [?]]
> > * to make things better for the future, you recommend we create a
> digester3-api plugin so these plugins can all be updated in one go.
>
> Taking two votes here and many approvals in
> https://github.com/jenkinsci/jenkins/pull/5320, I am not against that. I
> would prefer us to rather follow the new JEP-1 process draft in
> https://github.com/jenkinsci/jep/pull/359 so that we could verify and dry
> run the changes, but I do not want to do modifications for them.
>
> I am not ready to support the PR on my own though,
>

I am not exactly sure what you mean by this, but I am certainly not
requesting nor expecting you to support any fallout of this PR.
Our team will obviously step up if something bad arises.


> because we should firstly release the API plugin
>

While, again, I am totally OK to create such a plugin and I'll happily make
it happen this week or so, I disagree with the need to absolutely release
an API plugin before we merge the Core PR. Given the important plugins are
already fixed and released, currently this is more of a maintenance &
technical debt issue.
Functionally, users will see no difference.

What I'm trying to avoid here is stalling this work.
We created this PR on the 1st of March.
The most recent PR to fix even the CMVC plugin (18 installs *worldwide*) is
soon 30 days old.


> and do the better effort in reaching out to plugin maintainers and getting
> releases or explicit up-for-adoption where possible.
>

Care to elaborate please?

IIUC you mean sending an email to the last known maintainers for plugins
that are going to be broken when we merge the Core PR.

Reading your email on the users list, if you'd like us to step up and at
least temporarily adopt cloverphp & emma to release them, we can do this.
I'll even start the discussion now.


> If other core maintainers do not want to wait, I am ready to accept this
> decision. And I definitely do not want the PR to miss the LTS merge window.
>

Thank you.
Yes, it would certainly be bad for Jenkins' future too that it takes us so
long to remove anything :-(.
TBH after this, I fear a bit the Guava upgrade that we want to help on
next...



> On Sunday, May 30, 2021 at 11:19:25 PM UTC+2 Baptiste Mathus wrote:
>
>> On Sun, May 30, 2021 at 20:55, Oleg Nenashev <o.v.ne...@gmail.com> wrote:
>>
>>> Hi all,
>>>
>>> I have commented about the plugins removal in another thread. I have a
>>> question about creating a detached plugin for commons-digester: *" The
>>> current plan causes plugins which depend on Jenkins to provide Digester to
>>> fail unless they are updated. This could be mitigated by moving this
>>> dependency to a detached plugin. We decided against creating a detached
>>> plugin because there were a small number of affected plugins and only a
>>> few of them have significant install base. The creating and maintaining of
>>> a detached plugin would still be a significant amount of work and would
>>> cause the security vulnerabilities we are trying to address to remain open"*
>>>
>>> I agree with the reasoning and the decision. At the same time it
>>> does not explain why the commons-digester3 library is being injected as a
>>> direct dependency in pull requests, e.g.
>>> https://github.com/jenkinsci/vs-code-metrics-plugin/pull/5/ . Would it
>>> make sense to create a new API plugin instead? Otherwise we risk running
>>> into compatibility concerns at some point. Creating an API plugin is not
>>> discussed in the JEP at all.
>>>
>>
>> Right. We could create a digester3-api plugin.
>>
>> Indeed, to follow your point: currently, plugins were theoretically (in
>> practice never, given digester2 is loooong deprecated) getting this
>> centralized at Jenkins Core level.
>> It was kinda like these plugins were using an api-plugin.
>>
>> Now for adjusted plugins, each one would have to upgrade separately
>> when/if a new release is made for digester3.
>>
>> Just to make sure I get your point/stance:
>> * you would agree we mark the current PR as ready-for-merge
>> * [provided we enrich the JEP-231 with the following [?]]
>> * to make things better for the future, you recommend we create a
>> digester3-api plugin so these plugins can all be updated in one go.
>>
>> I think I like this idea. This whole Digester2 work is about cleaning up
>> some burden of Jenkins, and such an API plugin would avoid having to
>> manually update dozens of plugins if a vulnerability fix was to be released
>> on the digester3 line.
>>
>> We can definitely and happily commit to create such an API plugin and
>> adapt active plugins if that is the last blocker for us to move forward and
>> merge this PR in the Core :-).
>>
>> Are we missing anything else to allow this merge?
>>
>> What do you think Oleg? What do you all think?
>>
>>
>>> Best regards,
>>> Oleg Nenashev
>>>
>>> P.S: Sorry for being a bit late to comment
>>>
>>> On Saturday, May 29, 2021 at 2:41:26 AM UTC+2 boa...@gmail.com wrote:
>>>
>>>> +1 thanks for doing your due diligence!
>>>>
>>>> On Fri, May 28, 2021 at 19:14 Basil Crow <m...@basilcrow.com> wrote:
>>>>
>>>>> +1 from me
>>>>
>>>>
>>>>>
>>>>> --
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "Jenkins Developers" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to jenkinsci-de...@googlegroups.com.
>>>>>
>>>> To view this discussion on the web visit
>>>>> https://groups.google.com/d/msgid/jenkinsci-dev/CAFwNDjrQBdo645Zs5cboXStgo_7zJEEsnQ3iCxQ6qC4iw4M%3D4g%40mail.gmail.com
>>>>> .
>>>>>