Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-43610

Split Trilead out from Core


    • Split Trilead out from Jenkins Core
    • Jenkins 2.186

      Jenkins core currently bundles version 8 of the Jenkins fork of Trilead to provide SSH client functionality. Multiple plugins depend on this provision to utilize Trilead classes, so don't bundle Trilead directly. A new version of Trilead has recently been released containing a number of security enhancements (strong MAC algorithms, strong key exchange methods, curve based cryptographic keys etc), but this requires one of the following:

      1. Jenkins core to update the bundled Trilead library. This means anyone using the weekly release from the point we include a new bundled library gets the new features, but users who only upgrade plugins or who are on an LTS release are stuck with an old Trilead version
      2. Any plugin that wants hardened SSH capabilities bundles Trilead directly, but then potentially breaks functionality shared between plugins: SSH credentials uses `Class.isAssignableFrom` to check it can provide credentials, which stops this plugin working if the plugin needing credentials hasn't loaded Trilead from the same classloader (currently core).

      Since nothing in Jenkins core actually needs Trilead or the supporting classes that have been added to core for it, the logical change would be

      1. Copy the Trilead library and supporting classes into a plugin
      2. Update plugins that require Trilead so they depend on this new plugin
      3. Remove Trilead from the core and bundle the new Trilead plugin as a detached plugin

      More plugins will be added to the components list for this issue as investigation is performed into what plugins depend on Trilead. Some plugins may be updated to remove references to Trilead classes where they're only using utility methods from Trilead, such as Base64 methods and `IOUtils.closeQuitely`.

      Current changes required:

      Component Changes PR Raised PR Merged Change Released
      Jenkins Core (Phase 1)
      1. Replace Trilead Base64 references with java.util.Base64 references (various classes)
      2. Replace Trilead MD5 reference with MessageDigest.getInstance("MD5") (ConsistentHash.java)
      Yes Yes Yes
      Jenkins Core (Phase 2)
      1. Move SFTP client into Trilead plugin and remove from core
      2. Update sshd-module and ssh-cli-module dependencies to latest version
      3. Remove Trilead dependency from core
      4. Set Trilead dependency in CLI project to 'optional' to prevent core visibility
      5. Set Trilead API Plugin as a detached plugin
      Yes Yes Yes
      Token Macro Plugin Remove unused import to com.trilead.ssh2.crypto.digest.MAC from JobDescriptionMacro Yes Yes Yes
      SSHD Module
      1. Upgrade SSH CLI Module dependency to a new version (1.2 or above)
      2. Remove direct references to Trilead classes, instead using SSH CLI Auth Module's key comparison functionality found in newer versions
      Yes Yes Yes
      SSH CLI Auth Module
      1. Replace reference to Trilead Base64 with one from Hudson Remoting (could potentially use java.util.Base64, but would required bump to Java 8 which I'm not planning on doing)
      2. Replace reference to Trilead TypesWriter in PublicKeySignatureWriter with a simple PEM writer (only need to support BigInteger, String, int, and byte arrays)
      Yes Yes Yes
      Credentials Plugin Replace references to Trilead Base64 in CertificateCredentialsImpl.java with hudson.remoting.Base64 Yes Yes Yes
      Trilead API Plugin Create new plugin containing Trilead library from Jenkins core and release it to update centre Yes Yes Yes

      Other changed to be confirmed

            ifernandezcalvo Ivan Fernandez Calvo
            mc1arke Michael Clarke
            5 Vote for this issue
            15 Start watching this issue