Proposal: Adopting Stapler as official Jenkins project

[Oleg Nenashev]

Hi all,

I would like to follow-up on the previous discussions about the future of Stapler. De-facto Stapler is a legacy project widely used only in Jenkins (Jenkins core and plugins, and the old account app). I'd guess there are little to no external usages left.

Stapler currently resides in a separate GitHub org: https://github.com/stapler/ . It consists of 25 repositories, some of them seem to be fully abandoned and unused.

I would suggest the following:

• Stapler is adopted as a Jenkins sub-project, with explicit expectation that we do not encourage external use (and maybe even target replacing it by another active OSS project later if not mission impossible)
  
• TBD: We move Stapler repositories to jenkinsci . If there are other related personal repositories, we move them as well
• We archive all repositories which are no longer used by Jenkins.
• Component Ownership
• The Jenkins Core team becomes the nominal owner of https://github.com/stapler/stapler and other components included in the Jenkins core
• Other permissions are retained, e.g. Denys Digtiar will remain the maintainer of the Intellij IDEA Stapler plugin
• The Jenkins Code of Conduct applies to Stapler
• Infrastructure
• http://stapler.kohsuke.org/ is deprecated and replaced by a reference to the Jenkins sub-project page
• Javadoc for Stapler components is republished on javadoc.jenkins.io

Would appreciate feedback from the community members and Stapler maintainers.

Best regards,

Oleg Nenashev

[Jesse Glick]

On Mon, May 10, 2021 at 12:06 PM Oleg Nenashev <o.v.ne...@gmail.com> wrote:

• Stapler is adopted as a Jenkins sub-project, with explicit expectation that we do not encourage external use

+1 

• maybe even target replacing it by another active OSS project later if not mission impossible
  

This is impossible, let us not waste time discussing it.

• We move Stapler repositories to jenkinsci.

+1 (see INFRA-2908)

• other related personal repositories
  

What does this mean?

• We archive all repositories which are no longer used by Jenkins.
  

+1 

• http://stapler.kohsuke.org/ is deprecated and replaced by a reference to the Jenkins sub-project page
• Javadoc for Stapler components is republished on javadoc.jenkins.io

Both already done.

[Oleg Nenashev]

Thanks Jesse! Would also appreciate feedback w.r.t "TBD: We move Stapler repositories to jenkinsci . If there are other related personal repositories, we move them as well".

Responded to the rest below

> other related personal repositories

>> What does this mean?

Did not finish the bullet, sorry. "Other Stapler related personal repositories can be also moved to the jenkinsci org"

> http://stapler.kohsuke.org/ is deprecated and replaced by a reference to the Jenkins sub-project page

Thanks!

> Javadoc for Stapler components is republished on javadoc.jenkins.io

https://javadoc.jenkins.io/component/stapler/ includes Javadoc only for https://github.com/stapler/stapler

Other Stapler repositories like https://github.com/stapler/maven-stapler-plugin are not included

No, I do not know whether any other component is actually needed.

[Basil Crow]

+1 for normalizing Stapler as a standard Jenkins sub-project. Keeping
it as an independent project complicates maintenance efforts and does
not provide a strong benefit.

[Tim Jacomb]

+1

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-de...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAFwNDjoM%3Dxfx_U_QU98T7kets4aOsgUauJOGva5TB5LY3E2NUQ%40mail.gmail.com.

[Jesse Glick]

On Mon, May 10, 2021 at 2:04 PM Oleg Nenashev <o.v.ne...@gmail.com> wrote:

Other Stapler related personal repositories can be also moved to the jenkinsci org

Sure; do you know of any?

https://javadoc.jenkins.io/component/stapler/ includes Javadoc only for https://github.com/stapler/stapler

https://github.com/stapler/stapler/tree/master/core specifically. The other modules do not expose useful Java-level APIs that plugin authors should use that I know of.

Other Stapler repositories like https://github.com/stapler/maven-stapler-plugin are not included

I do not think there is any need to publish Javadoc for any other miscellaneous component. If and when a need arises, it is simple to include.

[Oleg Nenashev]

Thanks to everyone for the feedback!

Added the final sign-off to the today's governance meeting agenda

[Oleg Nenashev]

At the governance meeting on May 19 (link) we agreed to adopt Stapler and its components. We also agreed that a final sign-off from Kohsuke as the project creator is needed before we proceed.

[Kohsuke Kawaguchi]

Hey, sorry for coming late, I'm happy to move the project closer to where the action is. Happy to transfer any/all assets involved.

I do feel, however, that "not encourag[ing] external use" is an unnecessarily negative way of framing the mission of the new sub-project. Stapler is an unique web framework that enables the extensibility of Jenkins, and for that and all the other practical reasons it just makes more sense for the project to be adopted to Jenkins. The focus will be on serving Jenkins well. I think that's all that need to be said. 

[Jesse Glick]

On Wed, May 26, 2021 at 11:16 AM Kohsuke Kawaguchi <k...@kohsuke.org> wrote:

"not encourag[ing] external use" is an unnecessarily negative way of framing the mission

I think there is a reason for specifically discouraging use outside Jenkins: that we have found the need to fix security vulnerabilities by defining interfaces in Stapler which are then implemented in Jenkins core. An external project is unlikely to keep up with these developments, and thus potentially remain vulnerable. It would be irresponsible to advertise a library which is unsafe to use on its own.

[Oleg Nenashev]

Thanks to Kohsuke for your approval! And thanks to Kohsuke and Jesse for feedback!

I do feel, however, that "not encourag[ing] external use" is an unnecessarily negative way of framing the mission of the new sub-project. Stapler is an unique web framework that enables the extensibility of Jenkins, and for that and all the other practical reasons it just makes more sense for the project to be adopted to Jenkins. The focus will be on serving Jenkins well. I think that's all that need to be said. 

 

I think there is a reason for specifically discouraging use outside Jenkins: that we have found the need to fix security vulnerabilities by defining interfaces in Stapler which are then implemented in Jenkins core. An external project is unlikely to keep up with these developments, and thus potentially remain vulnerable. It would be irresponsible to advertise a library which is unsafe to use on its own.

 

I agree with both statements. Let me think about how to frame it properly. I will submit a pull request to jenkins.io with the proposal based on the feedback here and on the private conversation with Kohsuke. Then we can review it together and approve the wording. Kohsuke is the founder of the Stapler project, and indeed we should respect and address the feedback.

Best regards,

Oleg

--
You received this message because you are subscribed to a topic in the Google Groups "Jenkins Developers" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/jenkinsci-dev/1T3yDHl1nEQ/unsubscribe.
To unsubscribe from this group and all its topics, send an email to jenkinsci-de...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CANfRfr2-T0_Yxc1RG34oV66JJhY6yegH_oMOrAN%2BY1-fPCL2VA%40mail.gmail.com.

[Tim Jacomb]

I've moved stapler to Jenkinsci as part of https://issues.jenkins.io/browse/INFRA-2908

Core team has access

Jesse has taken care of most of the rest of the proposals already

You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.

To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-de...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAPfivLDcv93AbnGKdHQCtMaOSDctWiTREpSuqETt58jR--qpFQ%40mail.gmail.com.