Hi everyone,
I pushed a change to the update center today.
TLDR: Wiki edits could have inadvertently removed plugins from the update site, breaking the suggested plugin installation experience for new Jenkins users. We fixed that by no longer relying on wiki data during update site generation. We also dropped the wiki URL requirement for the pom.xml.
----
You've probably seen these messages scroll by on this mailing list: "My plugin isn't on the update center, why?", or, worse, "My plugin disappeared from the update center, why?". While well-intentioned, the wiki URL requirement meant that plugins with no wiki page (e.g. because it was renamed), or a wiki page with the plugin-deprecated label, would not be distributed. Couple that with the setup wizard relying on the update site to get a useful initial set of plugins, and we have a potential disaster when someone with bad intentions figures out that anyone can rename or re-label wiki pages.
While we'd typically discuss changes that impact plugin developers like this in advance, as security officer I decided to prepare this in private, giving Jenkins CERT members and a number of other long-time contributors the chance to review the proposal and request changes. Otherwise we'd have opened ourselves up to someone actually changing things around in the wiki, deliberately causing damage, and potentially breaking new Jenkins installs for everyone.
Since we now cannot rely on the wiki pages to exist, how can we accomplish the goal of having some minimal information for all plugins? Well, since October or so, we have plugins.jenkins.io, with a simple URL for every plugin. It shows all the metadata the plugin-info macro in the wiki did, just nicer -- and if there's a wiki URL, it gets scraped and shown right there. So the update center will now link to plugins.jenkins.io URLs for all plugins.
What other features did the wiki provide that we now cannot rely on anymore?
1. Deprecating plugins
The update center generator has a blacklist, and I've recently migrated over all plugins whose wiki pages were marked plugin-deprecated. Plugins will from now on be deprecated here as the sole source of truth:
https://github.com/jenkins-infra/backend-update-center2/blob/master/src/main/resources/artifact-ignores.properties
2. Titles and descriptions
The update center had a feature by which the name of the wiki page would be used if no <name/> for the plugin was defined in the pom.xml. Similarly, it actually preferred the wiki page {excerpt} to the <description/> in the pom.xml. These features are now gone, and whatever is in the pom.xml as <name/> and <description/> will be used.
3. Labels
Wiki page labels were used to categorize plugins in Jenkins. So I exported all labels as of a few days ago, and created this file based on that:
https://github.com/jenkins-infra/backend-update-center2/blob/master/src/main/resources/label-definitions.properties
The downside: No longer can plugin maintainers change the labels just by editing the wiki page, but need to file a PR.
The upside: No longer can some random people change the labels just by editing the wiki page; and this allows for easier large-scale changes. A new technology gains some rapid adoption and there's no label? It's much easier to relabel a bunch of things in a coordinated manner.
----
Contributor documentation (probably mostly the 'Hosting Plugins' wiki page and IRC bot generated Jira comments) will be updated accordingly.
As a side effect, this means that Tyler will now finally be able to update the wiki, as we don't have to fear that'll break update site generation.
I'd be happy to discuss proposals for how to improve this. I think this solution improves the situation for developers, users, and the Jenkins project, and I'm looking forward to you telling me how wrong I am ;-)
Daniel