[JENKINS-65988] Upgrade guava to 30.0-jre #336
Conversation
|
The main thing that may cause issues here will be in plugins. For example, searching for In order to upgrade Guava, we'll likely need some additional glue code for backward compatibility with the version distributed in Jenkins if anything here breaks. The Spring Security upgrade JEP shows how this can potentially be non-trivial. These concerns are what you can describe in the "Compatibility" section of this JEP. |
|
|
||
| == Prototype Implementation | ||
|
|
||
| link:https://github.com/jenkinsci/jenkins/pull/5059[jenkins #5059] is the main change. |
| |link:https://plugins.jenkins.io/ant/[ant] | ||
| |To be investigated | ||
| | | ||
|
|
There was a problem hiding this comment.
jglick
changed the title
| @@ -0,0 +1,131 @@ | |||
| = JEP-311: Upgrade guava to 30.0-jre | |||
There was a problem hiding this comment.
Please follow the instructions in JEP-1 for drafting a JEP. In particular, you do not get to pick a number: this should be jep/0000/README.adoc and should refer to JEP-0000.
There was a problem hiding this comment.
I can change it before merging
| == Testing | ||
|
|
||
| Besides tests inside Jenkins core itself, | ||
| CloudBees will endeavor to verify that all |
There was a problem hiding this comment.
Uh, no, CloudBees does not make any such promise at this time. (Copy-pasta?)
Co-authored-by: Jesse Glick <jglick@cloudbees.com>
Co-authored-by: Jesse Glick <jglick@cloudbees.com>
Co-authored-by: Jesse Glick <jglick@cloudbees.com>
Co-authored-by: Jesse Glick <jglick@cloudbees.com>
| == Abstract | ||
|
|
||
| Jenkins uses guava version 11.0.1, which is seriously dated. | ||
| Security AppScan are not happy about this version. |
There was a problem hiding this comment.
Note that security scans detect a serialization-related vulnerability in Guava, but Jenkins uses JEP 200 to form an explicit list of allowed classes for deserialization, and the affected Guava class(es) are not and will never be added to the list. Getting security scanners to stop complaining about it, though, is certainly a useful goal as that was why there were recent JEPs to do all the tedious work to upgrade both Spring Security and XStream, both of which also had security scan complaints that were irrelevant in Jenkins and involved libraries that had broken backward compatibility.
However, if we can successfully upgrade Guava, then that will make it so that plugins might actually be able to more reliably use Guava themselves rather than avoiding it due to being an outdated dependency.
oleg-nenashev
left a comment
oleg-nenashev
left a comment
There was a problem hiding this comment.
Thanks for starting this draft @dbreheret!
Requesting changes because of the CloudBees commitment reference. If there is no explicit and public commitment from a company contributor, it should not be mentioned like that even in the draft.
For other matters, there is a pending conversation in jenkinsci/jenkins#5059 which could be taken into account in the JEP specification. Addressing this feedback does not block the JEP from being merged as a draft
|
BTW we are now guava 30.1-jre :) |
|
Smashing :) |
|
@jenkinsci/core @basil @batmat Taking https://groups.google.com/g/jenkinsci-dev/c/aYUJ4VuOuVc/m/I9IEEzovAgAJ , would we like to revive and continue this proposal? CC @dbreheret in case he is still interested |
Yes, still interested. |
| utility classes, google's collections, io classes, and much | ||
| much more. | ||
|
|
||
| Guava (complete) has only one code dependency - javax.annotation, |
There was a problem hiding this comment.
which we should not ship - but in this case as it is annotations we can exclude it without issue.
| Refer to general information about link:README.adoc#backwards-compatibility[backwards compatibility] | ||
| for tips on searching for potentially problematic API usages. | ||
|
|
||
| Plugins which do not do anything special with Guava need not be listed. |
There was a problem hiding this comment.
what classifies as special here?
batmat
changed the title
|
obsoleted by #375? |
7 participants
As advised by Matt Sicker, created a jep for guava upgrade.