JSR-305
241 views
Skip to first unread message
James Nord
Mar 26, 2020, 7:38:48 AM3/26/20
to Jenkins Developers
Hi all,
its been on my TODO list for a while to remove JSR-305 annotations from core.
the reason behind this is
1) the framework is deader than a dodo
2) the annotations have a questionable licence
3) the annotations are in the reserved javax namespace and there is no public release of the spec (nor is there ever likely to be see point 1).
The natural replacement is SpotBugs, however there are a couple of missing annotations that have no mapping.
- javax.annotation.concurrent.GuardedBy (14 occurrences)
- javax.annotation.concurrent.Immutable (2 occurrences)
- javax.annotation.Nonnegative (3 occurrences)
The first 2 annotations have some possible replacements in Checker Framework, Error Prone, and JCIP annotations.
The last only appears to have a replacement in Checker Framework, or in java Beans validation.
The licence of JCIP annotations means we are likely not able to use it, whilst there is a Clean room implementation by Stephen Connolly I recall finding a bug in it the other week as it was not up to date.
So there are a few possibilities, use annotations from error-prone and ignore the non negative, include annotations from checker-framework.
If we start using either error prone or checker framework annotations the existing spotbugs tooling will not report on any violations - (they support jcip only today).
So as I see it we have a few alternatives
1) do nothing (I do not think this is wise due to the points at the start of this mail)
2) use an alternative annotation which is not checked and for documentation only
3) use an alternative annotation and checking framework (unclear if there is a replacement for findsec-bugs)
What do people think?
/James
James Nord
Mar 26, 2020, 12:33:08 PM3/26/20
to Jenkins Developers
Seems like we already include jcip annotations in core so I am leaning towards using jcip (the licence seems to be ok (CC-by-A and we list licences in the about screen)
As for the 3 Nonnegative annotations - I'm going to remove them - let's have some conversation in the soon to be submitted PR :)
/James
Jesse Glick
Mar 26, 2020, 5:27:59 PM3/26/20
to Jenkins Dev
The main obstacle was that the available annotations in the
`edu.umd.cs.findbugs.annotations` package were all `@Deprecated` and
told you to use `javax.annotation`, so we would be peppering the
source code with deprecation warnings. This seems to have been
resolved with
https://github.com/jenkinsci/jenkins/pull/4062
Note that JSR 305 is still pulled in as a dep of `spotbugs-annotations`, e.g.
@javax.annotation.Nonnull(when = When.MAYBE)
but perhaps you can exclude that dep without breaking any tools.
`edu.umd.cs.findbugs.annotations` package were all `@Deprecated` and
told you to use `javax.annotation`, so we would be peppering the
source code with deprecation warnings. This seems to have been
resolved with
https://github.com/jenkinsci/jenkins/pull/4062
Note that JSR 305 is still pulled in as a dep of `spotbugs-annotations`, e.g.
@javax.annotation.Nonnull(when = When.MAYBE)
but perhaps you can exclude that dep without breaking any tools.
James Nord
Mar 30, 2020, 7:53:28 AM3/30/20
to Jenkins Developers
https://github.com/jenkinsci/jenkins/pull/4604
jsr-305 is excluded from the war but kept in core. The reason being tooling will pick up if you do something bad with any library that Jenkins pulls in that is using these annotations.
/James
Ullrich Hafner
Mar 30, 2020, 9:25:47 AM3/30/20
to Jenkins Developers
I like the idea! (I also removed the JSR305 dependency from my plugins during the warnings-ng rewrite.)
What does that mean for plugins that currently use these JSR 305 annotations without an explicit dependency? Will they break if the annotations are not part of the war anymore?
/James--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-de...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/e3601d8c-1695-4941-a413-b742f1b21639%40googlegroups.com.
James Nord
Mar 30, 2020, 6:02:58 PM3/30/20
to Jenkins Developers
missing annotation classes do not cause a class loading issue and so the class referencing them should load fine.
when someone bumps core in their plugin they will still (today) have the annotations via transitive dependency however they /may/ need to update their own plugins where they override a Jenkins class.
Jesse Glick
Mar 31, 2020, 10:19:23 AM3/31/20
to Jenkins Dev
On Mon, Mar 30, 2020 at 6:03 PM James Nord <james...@gmail.com> wrote:
> when someone bumps core in their plugin they will still (today) have the annotations via transitive dependency
Can we adjust `plugin-pom` (4.x) to offer only/preferably our
> when someone bumps core in their plugin they will still (today) have the annotations via transitive dependency
recommended annotations to plugins updated to the latest parent,
despite using an older `jenkins.version`?
Reply all
Reply to author
Forward
0 new messages