Choosing Jenkins September LTS release baseline


Mark Waite

Jul 16, 2021, 8:26:15 AM
to Jenkins Developers
We need to select the baseline for the next Jenkins LTS release.  The candidates are:
  • 2.300 - security release
  • 2.301 - Regression fix for 2.298 XML parsing issue, Jetty upgraded to 9.4.42
  • 2.302 - Optimize some ACL checks, remove two unused Java classes
The ratings from https://www.jenkins.io/changelog/ do not show any significant concerns.  I recommend we select 2.302 as the baseline for the September LTS release.

Comments, concerns?

Mark Waite

Ullrich Hafner

Jul 16, 2021, 12:27:48 PM
to JenkinsCI Developers
+1 for 2.302

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-de...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/510557fe-24c4-4934-97d0-45085b0b63efn%40googlegroups.com.

Tim Jacomb

Jul 22, 2021, 2:45:23 AM
to Jenkins Developers
Hi all

Thanks for starting this Mark.

2.302 has been selected as the next LTS baseline.

I will create the origin branches now so that Basil can continue with the rest of it

Thanks
Tim



Beatriz Munoz

Aug 2, 2021, 6:35:24 AM
to jenkin...@googlegroups.com
Hi all

Looking into next LTS I realized something is really strange in branch `stable-2.302`. If you compare the branch and the tag `jenkins-2.302` there are more than 240 files with changes. As the backports are not done yet, I guess the difference should be minimal.








Beatriz Muñoz Manso
Sr Software Engineer
CloudBees, Inc.


Daniel Beck

Aug 2, 2021, 6:50:54 AM
to JenkinsCI Developers
On Mon, Aug 2, 2021 at 12:35 PM Beatriz Munoz <bmu...@cloudbees.com> wrote:
Hi all

Looking into next LTS I realized something is really strange in branch `stable-2.302`. If you compare the branch and the tag `jenkins-2.302` there are more than 240 files with changes. As the backports are not done yet, I guess the difference should be minimal.


Looking at https://github.com/jenkinsci/jenkins/commits/stable-2.302 it seems the branch is based on a weekly intermediate state around 2.298/2.299 (~June 21) + some stuff related to PR#5583, rather than 2.302. The branch should be deleted and recreated. Besides being the wrong baseline, security fixes from 2.300 would be missing as well.

Beatriz Munoz

Aug 3, 2021, 3:21:42 AM
to jenkin...@googlegroups.com
Morning!

I created https://github.com/bmunozm/jenkins/tree/towards-2.302 but I cannot push it to https://github.com/jenkinsci/jenkins. I need someone with rights to replace https://github.com/jenkinsci/jenkins/tree/stable-2.302 with https://github.com/bmunozm/jenkins/tree/towards-2.302, using the name `stable-2.302` for the branch.

Thank you so much in advance.


Tim Jacomb

Aug 3, 2021, 3:44:52 AM
to Jenkins Developers
Hello

This is sorted now, thanks for the report Bea

Beatriz Munoz

Aug 10, 2021, 8:08:52 AM
to jenkin...@googlegroups.com
On 3 Aug 2021, at 9:44, Tim Jacomb <timja...@gmail.com> wrote:

Hello

This is sorted now, thanks for the report Bea

On Tue, 3 Aug 2021 at 08:21, Beatriz Munoz <bmu...@cloudbees.com> wrote:
Morning!

I created https://github.com/bmunozm/jenkins/tree/towards-2.302 but I cannot push it to https://github.com/jenkinsci/jenkins. I need someone with rights to replace https://github.com/jenkinsci/jenkins/tree/stable-2.302 with https://github.com/bmunozm/jenkins/tree/towards-2.302, using the name `stable-2.302` for the branch.

Thank you so much in advance.

On 2 Aug 2021, at 12:50, Daniel Beck <db...@cloudbees.com> wrote:



On Mon, Aug 2, 2021 at 12:35 PM Beatriz Munoz <bmu...@cloudbees.com> wrote:
Hi all

Looking into next LTS I realized something is really strange in branch `stable-2.302`. If you compare the branch and the tag `jenkins-2.302` there are more than 240 files with changes. As the backports are not done yet, I guess the difference should be minimal.


Looking at https://github.com/jenkinsci/jenkins/commits/stable-2.302 it seems the branch is based on a weekly intermediate state around 2.298/2.299 (~June 21) + some stuff related to PR#5583, rather than 2.302. The branch should be deleted and recreated. Besides being the wrong baseline, security fixes from 2.300 would be missing as well.



Beatriz Muñoz Manso
Sr Software Engineer
CloudBees, Inc.


Basil Crow

Aug 11, 2021, 2:16:24 AM
to jenkin...@googlegroups.com
Thanks for getting this started! I'd like to propose also adding the
core API for JENKINS-66001 (to which I just added the "lts-candidate"
label) from https://github.com/jenkinsci/jenkins/pull/5599 to this LTS
release. This API is intended to be consumed by the Pipeline plugins,
and including it in an LTS release will facilitate the release of this
new functionality in Pipeline. Nothing in core consumes the new API,
so there is no risk of regression here.

On Tue, Aug 10, 2021 at 5:08 AM Beatriz Munoz <bmu...@cloudbees.com> wrote:
>
> Morning!
>
> I created https://github.com/jenkinsci/jenkins/pull/5659 with the possible candidates for tomorrow's release candidate LTS. These candidates are:

Daniel Beck

Aug 11, 2021, 2:29:17 AM
to JenkinsCI Developers
On Wed, Aug 11, 2021 at 8:16 AM Basil Crow <m...@basilcrow.com> wrote:
Thanks for getting this started! I'd like to propose also adding the
core API for JENKINS-66001 (to which I just added the "lts-candidate"
label) from https://github.com/jenkinsci/jenkins/pull/5599 to this LTS
release. This API is intended to be consumed by the Pipeline plugins,
and including it in an LTS release will facilitate the release of this
new functionality in Pipeline. Nothing in core consumes the new API,
so there is no risk of regression here

New APIs are generally not great to backport. Core dependency version number semantics means anyone on a weekly release after the LTS baseline but before the change made it into core regularly, will not have that API and plugins will fail while appearing compatible.

That out of the way, this change made it into 2.304, so there's only one weekly release the above will apply to (2.303), which is probably safe to ignore if we deem the change important enough.

Given that only dependency updates went into 2.303, there's also an argument for us to choose that as the new baseline instead of 2.302; eliminating the above problem entirely without adding a lot of risk through unproven changes (I would expect commons-compress and spring-security updates to be safe enough).
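
Added illustration, not part of the thread: a small model of the core-dependency problem described in the message above, comparing a 2.302 and a 2.303 baseline. It assumes the API would ship in the first LTS point release (`<baseline>.1`), that a plugin using it declares that version as its minimum core, and that tuple comparison stands in for Jenkins version ordering; all function names are hypothetical.

```python
# Added example (not Jenkins code). From the thread: the API first appears in
# weekly 2.304. Assumed: the backport lands in LTS <baseline>.1, and a plugin
# using the API declares <baseline>.1 as its minimum core version.

WEEKLY_WITH_API = "2.304"

def parse(version):
    """Dotted version -> tuple of ints; (2, 303) < (2, 303, 1) < (2, 304)."""
    return tuple(int(part) for part in version.split("."))

def plugin_loads(core, required_core):
    """Core accepts a plugin when its own version is >= the declared minimum."""
    return parse(core) >= parse(required_core)

def core_has_api(core, lts_baseline):
    """True if this core build actually contains the new API."""
    v = parse(core)
    if len(v) == 3:  # LTS point release of the chosen baseline
        return v[:2] == parse(lts_baseline) and v[2] >= 1
    return v >= parse(WEEKLY_WITH_API)  # weekly release

def silent_failures(lts_baseline, cores):
    """Cores that accept the plugin but lack the API it calls."""
    required = lts_baseline + ".1"
    return [c for c in cores
            if plugin_loads(c, required) and not core_has_api(c, lts_baseline)]

def candidate_cores(lts_baseline):
    """Weeklies around the baseline plus the baseline's first LTS release."""
    return ["2.302", "2.303", "2.304", lts_baseline + ".1"]

if __name__ == "__main__":
    for baseline in ("2.302", "2.303"):
        print(baseline, silent_failures(baseline, candidate_cores(baseline)))
```

With a 2.302 baseline, weekly 2.303 accepts the plugin without having the API; with a 2.303 baseline, no release in the list does.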

Basil Crow

Aug 11, 2021, 3:00:48 AM
to jenkin...@googlegroups.com
On Tue, Aug 10, 2021 at 11:28 PM Daniel Beck <db...@cloudbees.com> wrote:
> Core dependency version number semantics means anyone on a weekly release after the LTS baseline but before the change made it into core regularly, will not have that API and plugins will fail while appearing compatible.

Ah right, I hadn't considered that.

> Given that only dependency updates went into 2.303, there's also an argument for us to choose that as the new baseline instead of 2.302; eliminating the above problem entirely without adding a lot of risk through unproven changes (I would expect commons-compress and spring-security updates to be safe enough).

If it isn't too late to switch to 2.303, that sounds ideal to me. I
can easily update the BOM line. But I don't feel strongly either way.

Tim Jacomb

Aug 11, 2021, 4:09:28 AM
to Jenkins Developers
I think we can switch the baseline to newer? Either way I think it's fine to include the above change.


Baptiste Mathus

Aug 11, 2021, 4:44:25 AM
to Jenkins Developers
I agree the diff seems reasonably small between 2.302 and 2.303.
Still, we are re-running our CloudBees testsuite on the 2.303 to assess the impact, if any. Stay tuned.

jn...@cloudbees.com

Aug 11, 2021, 5:04:41 AM
to Jenkins Developers
I do not think that this should go into the LTS.  I would have been a -1 earlier on the PR itself had I seen the PR, but well that bird has flown (and I left a comment in the PR as to why).

The LTS was selected a while ago, there has been a not insignificant amount of work done in preparation for this.  I do not believe that this PR warrants a backport so late into the process.

/James

jn...@cloudbees.com

Aug 11, 2021, 5:33:38 AM
to Jenkins Developers
https://issues.jenkins.io/browse/JENKINS-66139 / https://github.com/jenkinsci/jenkins/pull/5621 that made it into 2.304 fixes a bug and should be eligible for backporting (it was missed as the issue was not closed and missing the tag).

Beatriz Munoz

Aug 11, 2021, 6:12:34 AM
to jenkin...@googlegroups.com
James, I included it in https://github.com/jenkinsci/jenkins/pull/5659. This is independent of the LTS discussion.
On 11 Aug 2021, at 11:33, jn...@cloudbees.com <jn...@cloudbees.com> wrote:

https://issues.jenkins.io/browse/JENKINS-66139 / https://github.com/jenkinsci/jenkins/pull/5621 that made it into 2.304 fixes a bug and should be eligible for backporting (it was missed as the issue was not closed and missing the tag).
Beatriz Muñoz Manso
Sr Software Engineer
CloudBees, Inc.


Baptiste Mathus

Aug 12, 2021, 4:20:05 AM
to Jenkins Developers
2.303 testing was fine and revealed no further issues than on 2.302.

(Thanks Beatriz for driving this testing!)  

Beatriz Munoz

Aug 12, 2021, 5:15:57 AM
to jenkin...@googlegroups.com
That’s awesome!  Any ETA for decision to be taken? 

Beatriz Muñoz Manso
Sr Software Engineer
CloudBees, Inc.


Tim Jacomb

Aug 12, 2021, 6:44:27 AM
to Jenkins Developers
Hello

I'm a little confused on the discussion about 2.303, there was an API that was proposed to be included which was merged in 2.304.

What's the benefit of moving to 2.303 if we don't include the API?
Or is it just to include those dependency updates

FTR we have the current RC available here (delivered via incrementals):

Thanks
Tim

Daniel Beck

Aug 12, 2021, 6:58:36 AM
to JenkinsCI Developers
On Thu, Aug 12, 2021 at 12:44 PM Tim Jacomb <timja...@gmail.com> wrote:
I'm a little confused on the discussion about 2.303, there was an API that was proposed to be included which was merged in 2.304.

With the API backported into LTS, we run into the plugin dependency problem I explained above if we remain on 2.302.
 
What's the benefit of moving to 2.303 if we don't include the API?
Or is it just to include those dependency updates

If we decide against backporting the API, it's just those dependencies.

They fix (irrelevant) CVEs so shutting up scanners would be a nice side effect, but the case is a lot weaker for changing the baseline, as these could easily be backports into .2 if we deem them necessary.

Tim Jacomb

Aug 12, 2021, 7:07:30 AM
to Jenkins Developers
Ok let's go for 2.303 then

I've pushed a new origin branch and updated Bea's pull request.

James are you still against this API going in given https://github.com/jenkinsci/jenkins/pull/5599?

Thanks for doing the testing on this Bea and all involved

Tim


jn...@cloudbees.com

Aug 12, 2021, 11:06:14 AM
to Jenkins Developers
> James are you still against this API going in given https://github.com/jenkinsci/jenkins/pull/5599?

My vote would still be against that PR. I had a large answer on the PR but I am no longer sure where to have that discussion and how to make it productive, so I have not published it.

I also understand that I have one vote out of many so this could get back ported despite my vote.

/James

Jesse Glick

Aug 13, 2021, 7:09:59 AM
to Jenkins Dev
PR-5599 does not meet our usual criteria for a backport: that it be a small, safe-looking, uncontroversial fix for an important bug with no change to API surface.