[JEP-233] Blog post about Guava library upgrade #4640
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| --- | ||
| name: "Basil Crow" | ||
| github: basil | ||
| twitter: bcrow | ||
| linkedin: basilcrow | ||
| --- | ||
| Basil is a long-time Jenkins user and contributor, a Jenkins core maintainer, and the maintainer of the plugin:email-ext[Email Extension], plugin:timestamper[Timestamper], and plugin:swarm[Swarm] plugins (among others). | ||
| Basil enjoys working on open source software in his free time. | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,71 @@ | ||||||
| --- | ||||||
| layout: post | ||||||
| title: "Guava library upgrade (breaking changes!)" | ||||||
| tags: | ||||||
| - jenkins | ||||||
| - core | ||||||
| - developer | ||||||
| - announcement | ||||||
| author: basil | ||||||
| description: > | ||||||
| Jenkins has upgraded the Guava library to the latest version. | ||||||
| As a result, plugins must be upgraded for compatibility. | ||||||
| opengraph: | ||||||
| image: /images/post-images/2021-11-guava-upgrade/guava-upgrade.png | ||||||
| --- | ||||||
|
|
||||||
| image:/images/post-images/2021-11-guava-upgrade/guava-upgrade.png[Guava Upgrade, role=center] | ||||||
|
|
||||||
| == Summary | ||||||
|
|
||||||
| Jenkins bundles https://guava.dev/[Guava], a core Java library from Google. | ||||||
| Beginning with Jenkins 2.TODO (released on TODO), Jenkins has upgraded the Guava library from https://github.com/google/guava/releases/tag/v11.0.1[11.0.1] (released on January 9, 2012) to https://github.com/google/guava/releases/tag/v31.0.1[31.0.1] (released on September 27, 2021). | ||||||
basil marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
| Plugins have already been prepared to support the new version of Guava in link:https://issues.jenkins.io/issues/?jql=labels%20in%20(JEP-233)[JEP-233]. | ||||||
| **Use the Plugin Manager to upgrade all plugins before _and_ after upgrading to Jenkins 2.TODO.** | ||||||
|
|
||||||
| == Motivation | ||||||
|
|
||||||
| Many security-conscious organizations using, or planning to use, Jenkins run off-the-shelf security scanners to look for known vulnerabilities. | ||||||
| These commonly flag the obsolete Guava library as susceptible to a serialization-related vulnerability (https://github.com/google/guava/wiki/CVE-2018-10237[CVE-2018-10237]) and recommend upgrading. | ||||||
| While Jenkins uses link:/blog/2018/03/15/jep-200-lts/[JEP-200] to form an explicit list of allowed classes for deserialization, | ||||||
| and the two Guava classes affected by CVE-2018-10237 are not and will never be added to the list, | ||||||
| it is time-consuming for the link:/security/team/[security team] to respond to purported security reports | ||||||
| and for users to justify exemptions from policy to use Jenkins anyway. | ||||||
|
|
||||||
| Furthermore, the decade-old version of Guava has long been a maintenance burden for Jenkins developers. | ||||||
| In a world where Dependabot offers upgrades to libraries released just hours before, | ||||||
| it is unpleasant to be working with dependencies that are many years old. | ||||||
|
|
||||||
| For more information, see https://github.com/jenkinsci/jep/blob/master/jep/233/README.adoc[JEP-233]. | ||||||
|
|
||||||
| == Upgrading | ||||||
|
|
||||||
| The vast majority of plugins have already been prepared to support the new version of Guava in link:https://issues.jenkins.io/issues/?jql=labels%20in%20(JEP-233)[JEP-233]. | ||||||
| Jenkins users need only upgrade plugins to compatible versions as documented in the "Released As" field in Jira. | ||||||
| **It is critical to use the Plugin Manager to upgrade all plugins before _and_ after upgrading to Jenkins 2.TODO.** | ||||||
| Failure to upgrade plugins to compatible versions may result in `ClassNotFoundException`, `NoClassDefFoundError`, or other low-level Java errors. | ||||||
|
|
||||||
| == Reporting issues | ||||||
|
|
||||||
| If you find a regression in a plugin, please file a bug report in Jira: | ||||||
|
|
||||||
| * link:https://issues.jenkins.io/issues/?jql=labels%20in%20(JEP-233)%20and%20status%20not%20in%20(resolved%2C%20closed)[Open JEP-233 issues] | ||||||
|
There was a problem hiding this comment. Jira makes it hard to find but there a search term for "unresolved". Slightly cleaner than "not in (resolved, closed)".
Suggested change
There was a problem hiding this comment. This query excludes issues whose status is "Fixed but Unreleased." I want to include such issues in the query because from the user's perspective the plugin still has a compatibility problem until a release occurs. |
||||||
|
|
||||||
| When reporting an issue, include the following information: | ||||||
|
|
||||||
| . Use the `JEP-233` label. | ||||||
| . Provide the _complete_ list of installed plugins as suggested in the link:/doc/book/system-administration/diagnosing-errors/#how-to-report-a-bug[bug reporting guidelines]. | ||||||
| . Provide the _complete_ stack trace, if relevant. | ||||||
| . Provide steps to reproduce the issue _from scratch_ on a minimal Jenkins installation; the scenario should fail when the steps are followed on Jenkins 2.TODO or later and pass when the steps are followed on Jenkins 2.TODO or earlier. | ||||||
|
|
||||||
| If you maintain a Jenkins plugin with an open JEP-233 issue, | ||||||
| then please check if there is a pull request awaiting merge or release. | ||||||
| If you use an unmaintained Jenkins plugin with an open JEP-233 issue, | ||||||
| consider stepping up and link:/doc/developer/plugin-governance/adopt-a-plugin/[adopting the plugin] to release a compatible version. | ||||||
|
|
||||||
| == Conclusion | ||||||
|
|
||||||
| We expect to see a bit of disruption from these changes | ||||||
| but hope that in the long run they will save time for core and plugin developers | ||||||
| and lead to a more secure and stable tool. | ||||||
| Please reach out on the link:/mailing-lists/[developers' list] with any questions or suggestions. | ||||||
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
First blog post! 👋