Next LTS baseline


Mark Waite

Jul 29, 2022, 6:52:33 AM
to Jenkins Developers
It is time to select the next LTS baseline.

Based on the results from the weekly ratings, I believe that Jenkins 2.361 is the best choice for the baseline.  The folders plugin will need to have a pull request merged for the project configuration form improvements.  I think that we have enough time before the LTS release for that pull request to be completed and merged.

See recent changelogs and their ratings at https://www.jenkins.io/changelog/

Tim Jacomb, what do you think of the proposal to use 2.361 as the baseline?

Thanks,
Mark Waite

Basil Crow

Jul 29, 2022, 12:28:32 PM
to jenkin...@googlegroups.com
On Fri, Jul 29, 2022 at 3:52 AM Mark Waite <mark.ea...@gmail.com> wrote:
> The folders plugin will need to have a pull request merged for the project configuration form improvements. I think that we have enough time before the LTS release for that pull request to be completed and merged.

Folders 6.758.vfd75d09eea_a_1 was released this morning and I have
verified that Folders and Multibranch Pipeline jobs are now consistent
in appearance with other job types. I agree that 2.361 should be a
good baseline.

Alexander Brandes

Jul 29, 2022, 1:53:31 PM
to Jenkins Developers
+1 for 2.361

It's worth mentioning that 2.361 contains several regression fixes too, which you don't want to miss out on.

Daniel Beck

Jul 29, 2022, 4:23:14 PM
to jenkin...@googlegroups.com
On Fri, Jul 29, 2022 at 7:53 PM Alexander Brandes <mc.ca...@gmail.com> wrote:
> +1 for 2.361
>
> It's worth mentioning that 2.361 contains several regression fixes too, which you don't want to miss out on.

They could always be backported into 2.360.x. So the question to ask is, do we want everything in 2.361?

FWIW I think 2.361 looks reasonable, all bad feedback is about a plugin that isn't even bundled, and the changes look reasonable enough.

Olivier Lamy

Aug 2, 2022, 5:07:00 PM
to jenkin...@googlegroups.com
Hi
If the LTS will be 2.361, it would be good to have the winstone upgrade in: https://github.com/jenkinsci/jenkins/pull/6955
It will avoid all security scanners complaining with false alarms on the Jetty versions.


Tim Jacomb

Aug 2, 2022, 6:11:22 PM
to jenkin...@googlegroups.com
(as mentioned on the PR)

My concern with backporting the Jetty changes is that this PR will never go to weekly as weekly is now on Jetty 10.
But if we don't backport it, that would mean security scanners complaining about a new LTS line which isn't ideal...

Basil Crow

Aug 2, 2022, 6:17:53 PM
to jenkin...@googlegroups.com
Are we talking about the version of Jetty to be shipped in 2.346.3 or
the version of Jetty to be shipped in 2.361.1?

2.361.1 is far enough away that I would be in favor of a backport of
Jetty 10.0.11, once it has been in the weekly release for a week or
two without serious regressions. This would not require us to make any
exception to the usual rules.

For 2.346.3 I am not sure there is a need to do any Jetty backporting,
but I would be willing to discuss it if there was a need.

Olivier Lamy

Aug 2, 2022, 6:43:30 PM
to jenkin...@googlegroups.com
As explained in the PR, there are no real security issues, but some companies using scanners may have to live a long time with alarms etc...
And they don't have any "safe" (by "safe" I mean CVE-free :)) solution to upgrade before the version with Jetty 10.0.11 lands in the LTS (and I do not mention companies who are not ready yet to upgrade to Java 11).
Anyway, no big drama here; I was just thinking of a solution to help users/companies with strict restrictions.
This may not happen and we cannot support old versions forever, but as long as we have an LTS with Java 8 there can be some need for it.


Tim Jacomb

Aug 5, 2022, 5:14:37 AM
to jenkin...@googlegroups.com
Hello

2.361 has been selected as the next baseline

Thanks
Tim

Olivier Lamy

Aug 12, 2022, 7:22:22 PM
to jenkin...@googlegroups.com
Hi,
I'd like to mitigate my previous "there are no real security issues"
to something such as "there are no real security issues by default",
BUT as long as a user activates HTTP/2 there will be a security issue; see https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j
I think it's still worth having this in the LTS as we don't want to have Jetty 10 in the LTS immediately.


Mark Waite

Aug 12, 2022, 8:18:52 PM
to jenkin...@googlegroups.com
On Fri, Aug 12, 2022 at 5:22 PM Olivier Lamy <olive...@gmail.com> wrote:
> Hi,
> I'd like to mitigate my previous "there are no real security issues"
> to something such as "there are no real security issues by default",
> BUT as long as a user activates HTTP/2 there will be a security issue; see https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j
> I think it's still worth having this in the LTS as we don't want to have Jetty 10 in the LTS immediately.


Since Jetty 10 was included in Jenkins 2.363, I'd prefer that we consider a backport of Jetty 10 as first preference.  I've seen no reports of any issues with Jetty 10 in Jenkins 2.363 and I hope that pattern will continue.  It worked well in the testing that I performed with 2.363.

Mark Waite
 

Olivier Lamy

Aug 13, 2022, 1:08:23 AM
to jenkin...@googlegroups.com
On Sat, 13 Aug 2022 at 10:18, Mark Waite <mark.ea...@gmail.com> wrote:
> On Fri, Aug 12, 2022 at 5:22 PM Olivier Lamy <olive...@gmail.com> wrote:
> > Hi,
> > I'd like to mitigate my previous "there are no real security issues"
> > to something such as "there are no real security issues by default",
> > BUT as long as a user activates HTTP/2 there will be a security issue; see https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j
> > I think it's still worth having this in the LTS as we don't want to have Jetty 10 in the LTS immediately.
>
> Since Jetty 10 was included in Jenkins 2.363, I'd prefer that we consider a backport of Jetty 10 as first preference. I've seen no reports of any issues with Jetty 10 in Jenkins 2.363 and I hope that pattern will continue. It worked well in the testing that I performed with 2.363.

Sounds good to me too if we can be a bit "aggressive" on the backporting and have the first LTS with this change.
But what I'd really like for the LTS is to have one or the other.
And having it with Jetty 10 sounds even better.
Thanks

Olivier