Provide LTS 1.609.4 with security updates from 1.625.2 ?


guido.wojke

Nov 24, 2015, 4:06:32 AM
to Jenkins Users
Hello everybody,

due to a JDK 6 dependency on our build system we can't upgrade to Jenkins 1.625.2 which forces a JDK 7 or higher to build maven job type.
We use the LTS 1.609.3 with the security workaround described here:
https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli

Is it possible to provide an LTS version 1.609.4 with the security update(s) provided in
the 1.625.1->1.625.2 update (f.e. the Important security fixes)?

Best regards,
Guido

Vincent Latombe

unread,
Nov 24, 2015, 6:01:11 AM11/24/15
to Jenkins Users
Hi Guido,

the community maintains the LTS line for 12 weeks and this is already a time-consuming operation on volunteers' time.

Here are the options I see available for you:
- Migrate your jobs out of the maven job type. It has been pointed out too many times on this ML how 'evil' it is.
- If your build systems allow it, you can migrate to JDK7+ but still compile using JDK6 using the maven toolchain
- Consider buying support from a commercial offering which offers longer-term support (CloudBees supports LTS up to 1 year, disclaimer: I work for them)
- Backport the important security fixes you need on your own fork

Best regards,

Vincent


Stephen Connolly

Nov 24, 2015, 8:01:13 AM
to jenkins...@googlegroups.com
On 24 November 2015 at 11:00, Vincent Latombe <vincent...@gmail.com> wrote:
> Hi Guido,
>
> the community maintains the LTS line for 12 weeks and this is already a time-consuming operation on volunteers' time.
>
> Here are the options I see available for you:
> - Migrate your jobs out of the maven job type. It has been pointed out too many times on this ML how 'evil' it is.
> - If your build systems allow it, you can migrate to JDK7+ but still compile using JDK6 using the maven toolchain
> - Consider buying support from a commercial offering which offers longer-term support (CloudBees supports LTS up to 1 year, disclaimer: I work for them)

FYI I also work for CloudBees, and to clarify, we dropped support for JDK6 when we dropped support for 1.580.x at the end of last month. Here is our JDK support policy: https://cloudbees.zendesk.com/hc/en-us/articles/203601234 (note that page mentions 1.580.x but that version is no longer supported by us)

> - Backport the important security fixes you need on your own fork


Mark Bidewell

Nov 30, 2015, 4:20:17 PM
to Jenkins Users
We are in a similar position and another option (while exploring migration away from the Maven type) is that, while Maven itself must run JDK 7+, it can fork to a lower JDK. This forking is handled by Jenkins automatically and could serve as a stopgap.