Take a plugin which has a dependency on maven-plugin, such as copyartifact. Now update the dependency to 2.7.1 and try to run functional tests. Everything blows up:
=== Starting CopyArtifactTest.testMavenJobWithArchivePostBuildStep
... hudson.model.AbstractBuild$AbstractBuildExecution reportError
WARNING: Publisher hudson.tasks.ArtifactArchiver aborted due to exception
java.lang.SecurityException: class "org.jenkinsci.remoting.CallableDecorator"'s signer information does not match signer information of other classes in the same package
at java.lang.ClassLoader.checkCerts(ClassLoader.java:952)
at java.lang.ClassLoader.preDefineClass(ClassLoader.java:666)
at java.lang.ClassLoader.defineClass(ClassLoader.java:794)
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:449)
at java.net.URLClassLoader.access$100(URLClassLoader.java:71)
at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
at jenkins.FilePathFilter.current(FilePathFilter.java:108)
at hudson.FilePath.reading(FilePath.java:2677)
at hudson.FilePath.access$000(FilePath.java:190)
at hudson.FilePath$40.invoke(FilePath.java:2034)
at hudson.FilePath$40.invoke(FilePath.java:2027)
at hudson.FilePath.act(FilePath.java:980)
at hudson.FilePath.act(FilePath.java:958)
at hudson.FilePath.copyRecursiveTo(FilePath.java:2027)
at jenkins.model.StandardArtifactManager.archive(StandardArtifactManager.java:61)
at hudson.tasks.ArtifactArchiver.perform(ArtifactArchiver.java:218)
at hudson.tasks.BuildStepCompatibilityLayer.perform(BuildStepCompatibilityLayer.java:74)
at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:770)
at hudson.model.AbstractBuild$AbstractBuildExecution.performAllBuildSteps(AbstractBuild.java:734)
at hudson.maven.MavenModuleSetBuild$MavenModuleSetBuildExecution.post2(MavenModuleSetBuild.java:1037)
at hudson.model.AbstractBuild$AbstractBuildExecution.post(AbstractBuild.java:683)
at hudson.model.Run.execute(Run.java:1770)
at hudson.maven.MavenModuleSetBuild.run(MavenModuleSetBuild.java:529)
at hudson.model.ResourceController.execute(ResourceController.java:89)
at hudson.model.Executor.run(Executor.java:240)
This is because remoting.jar is signed (which IMO it should not be), yet SECURITY-144-compat.jar is not.
As a workaround it suffices to add
<exclusions>
<exclusion>
<groupId>org.jenkins-ci</groupId>
<artifactId>SECURITY-144-compat</artifactId>
</exclusion>
</exclusions>
to the dependency, but this is not going to be sustainable if other plugins start adding the dep too.