Details
-
Epic
-
Status: Resolved (View Workflow)
-
Major
-
Resolution: Fixed
-
Split Trilead out from Jenkins Core
-
-
Jenkins 2.186
Description
Jenkins core currently bundles version 8 of the Jenkins fork of Trilead to provide SSH client functionality. Multiple plugins depend on this provision to utilize Trilead classes, so don't bundle Trilead directly. A new version of Trilead has recently been released containing a number of security enhancements (strong MAC algorithms, strong key exchange methods, curve based cryptographic keys etc), but this requires one of the following:
- Jenkins core to update the bundled Trilead library. This means anyone using the weekly release from the point we include a new bundled library gets the new features, but users who only upgrade plugins or who are on an LTS release are stuck with an old Trilead version
- Any plugin that wants hardened SSH capabilities bundles Trilead directly, but then potentially breaks functionality shared between plugins: SSH credentials uses `Class.isAssignableFrom` to check it can provide credentials, which stops this plugin working if the plugin needing credentials hasn't loaded Trilead from the same classloader (currently core).
Since nothing in Jenkins core actually needs Trilead or the supporting classes that have been added to core for it, the logical change would be
- Copy the Trilead library and supporting classes into a plugin
- Update plugins that require Trilead so they depend on this new plugin
- Remove Trilead from the core and bundle the new Trilead plugin as a detached plugin
More plugins will be added to the components list for this issue as investigation is performed into what plugins depend on Trilead. Some plugins may be updated to remove references to Trilead classes where they're only using utility methods from Trilead, such as Base64 methods and `IOUtils.closeQuitely`.
Current changes required:
| Component | Changes | PR Raised | PR Merged | Change Released |
|---|---|---|---|---|
| Jenkins Core (Phase 1) |
|
Yes | Yes | Yes |
| Jenkins Core (Phase 2) |
|
Yes | Yes | Yes |
| Token Macro Plugin | Remove unused import to com.trilead.ssh2.crypto.digest.MAC from JobDescriptionMacro | Yes | Yes | Yes |
| SSHD Module |
|
Yes | Yes | Yes |
| SSH CLI Auth Module |
|
Yes | Yes | Yes |
| Credentials Plugin | Replace references to Trilead Base64 in CertificateCredentialsImpl.java with hudson.remoting.Base64 | Yes | Yes | Yes |
| Trilead API Plugin | Create new plugin containing Trilead library from Jenkins core and release it to update centre | Yes | Yes | Yes |
Other changed to be confirmed
Attachments
Issue Links
- causes
-
JENKINS-58483 Jenkins 2.185 won't connect to SSH agents
-
- Resolved
-
- links to
Activity
| Field | Original Value | New Value |
|---|---|---|
| Link | This issue depends on HOSTING-322 [ HOSTING-322 ] |
| Description |
Jenkins core currently bundles version 8 of the Jenkins fork of Trilead to provide SSH client functionality. Multiple plugins depend on this provision to utilize Trilead classes, so don't bundle Trilead directly. A new version of Trilead has recently been released containing a number of security enhancements (strong MAC algorithms, strong key exchange methods, curve based cryptographic keys etc), but this requires one of the following: # Jenkins core to update the bundled Trilead library. This means anyone using the weekly release from the point we include a new bundled library gets the new features, but users who only upgrade plugins or who are on an LTS release are stuck with an old Trilead version # Any plugin that wants hardened SSH capabilities bundles Trilead directly, but then potentially breaks functionality shared between plugins: SSH credentials uses `Class.isAssignableFrom` to check it can provide credentials, which stops this plugin working if the plugin needing credentials hasn't loaded Trilead from the same classloader (currently core). Since nothing in Jenkins core actually needs Trilead or the supporting classes that have been added to core for it, the logical change would be # Copy the Trilead library and supporting classes into a plugin # Update plugins that require Trilead so they depend on this new plugin # Remove Trilead from the core and bundle the new Trilead plugin as a detached plugin More plugins will be added to the components list for this issue as investigation is performed into what plugins depend on Trilead. Some plugins may be updated to remove references to Trilead classes where they're only using utility methods from Trilead, such as Base64 methods and `IOUtils.closeQuitely`. |
Jenkins core currently bundles version 8 of the Jenkins fork of Trilead to provide SSH client functionality. Multiple plugins depend on this provision to utilize Trilead classes, so don't bundle Trilead directly. A new version of Trilead has recently been released containing a number of security enhancements (strong MAC algorithms, strong key exchange methods, curve based cryptographic keys etc), but this requires one of the following: # Jenkins core to update the bundled Trilead library. This means anyone using the weekly release from the point we include a new bundled library gets the new features, but users who only upgrade plugins or who are on an LTS release are stuck with an old Trilead version # Any plugin that wants hardened SSH capabilities bundles Trilead directly, but then potentially breaks functionality shared between plugins: SSH credentials uses `Class.isAssignableFrom` to check it can provide credentials, which stops this plugin working if the plugin needing credentials hasn't loaded Trilead from the same classloader (currently core). Since nothing in Jenkins core actually needs Trilead or the supporting classes that have been added to core for it, the logical change would be # Copy the Trilead library and supporting classes into a plugin # Update plugins that require Trilead so they depend on this new plugin # Remove Trilead from the core and bundle the new Trilead plugin as a detached plugin More plugins will be added to the components list for this issue as investigation is performed into what plugins depend on Trilead. Some plugins may be updated to remove references to Trilead classes where they're only using utility methods from Trilead, such as Base64 methods and `IOUtils.closeQuitely`. Current changes required: ||Component||Changes||PR Raised||PR Merged||Change Released |Jenkins Core (Phase 1)| # Replace Trilead Base64 references with java.util.Base64 references (various classes) \\ # Replace Trilead MD5 reference with MessageDigest.getInstance("MD5") (ConsistentHash.java) | No | n/a | n/a |Jenkins Core (Phase 2)| # Move SFTP client into Trilead plugin and remove from core \\ # Update sshd-module and ssh-cli-module dependencies to latest version \\ # Remove Trilead dependency from core \\ # Set Trilead dependency in CLI project to 'optional' to prevent core visibility | No | n/a | n/a |Token Macro Plugin| Remove unused import to com.trilead.ssh2. |
| Description |
Jenkins core currently bundles version 8 of the Jenkins fork of Trilead to provide SSH client functionality. Multiple plugins depend on this provision to utilize Trilead classes, so don't bundle Trilead directly. A new version of Trilead has recently been released containing a number of security enhancements (strong MAC algorithms, strong key exchange methods, curve based cryptographic keys etc), but this requires one of the following: # Jenkins core to update the bundled Trilead library. This means anyone using the weekly release from the point we include a new bundled library gets the new features, but users who only upgrade plugins or who are on an LTS release are stuck with an old Trilead version # Any plugin that wants hardened SSH capabilities bundles Trilead directly, but then potentially breaks functionality shared between plugins: SSH credentials uses `Class.isAssignableFrom` to check it can provide credentials, which stops this plugin working if the plugin needing credentials hasn't loaded Trilead from the same classloader (currently core). Since nothing in Jenkins core actually needs Trilead or the supporting classes that have been added to core for it, the logical change would be # Copy the Trilead library and supporting classes into a plugin # Update plugins that require Trilead so they depend on this new plugin # Remove Trilead from the core and bundle the new Trilead plugin as a detached plugin More plugins will be added to the components list for this issue as investigation is performed into what plugins depend on Trilead. Some plugins may be updated to remove references to Trilead classes where they're only using utility methods from Trilead, such as Base64 methods and `IOUtils.closeQuitely`. Current changes required: ||Component||Changes||PR Raised||PR Merged||Change Released |Jenkins Core (Phase 1)| # Replace Trilead Base64 references with java.util.Base64 references (various classes) \\ # Replace Trilead MD5 reference with MessageDigest.getInstance("MD5") (ConsistentHash.java) | No | n/a | n/a |Jenkins Core (Phase 2)| # Move SFTP client into Trilead plugin and remove from core \\ # Update sshd-module and ssh-cli-module dependencies to latest version \\ # Remove Trilead dependency from core \\ # Set Trilead dependency in CLI project to 'optional' to prevent core visibility | No | n/a | n/a |Token Macro Plugin| Remove unused import to com.trilead.ssh2. |
Jenkins core currently bundles version 8 of the Jenkins fork of Trilead to provide SSH client functionality. Multiple plugins depend on this provision to utilize Trilead classes, so don't bundle Trilead directly. A new version of Trilead has recently been released containing a number of security enhancements (strong MAC algorithms, strong key exchange methods, curve based cryptographic keys etc), but this requires one of the following: # Jenkins core to update the bundled Trilead library. This means anyone using the weekly release from the point we include a new bundled library gets the new features, but users who only upgrade plugins or who are on an LTS release are stuck with an old Trilead version # Any plugin that wants hardened SSH capabilities bundles Trilead directly, but then potentially breaks functionality shared between plugins: SSH credentials uses `Class.isAssignableFrom` to check it can provide credentials, which stops this plugin working if the plugin needing credentials hasn't loaded Trilead from the same classloader (currently core). Since nothing in Jenkins core actually needs Trilead or the supporting classes that have been added to core for it, the logical change would be # Copy the Trilead library and supporting classes into a plugin # Update plugins that require Trilead so they depend on this new plugin # Remove Trilead from the core and bundle the new Trilead plugin as a detached plugin More plugins will be added to the components list for this issue as investigation is performed into what plugins depend on Trilead. Some plugins may be updated to remove references to Trilead classes where they're only using utility methods from Trilead, such as Base64 methods and `IOUtils.closeQuitely`. Current changes required: ||Component||Changes||PR Raised||PR Merged||Change Released |Jenkins Core (Phase 1)| # Replace Trilead Base64 references with java.util.Base64 references (various classes) \\ # Replace Trilead MD5 reference with MessageDigest.getInstance("MD5") (ConsistentHash.java) | No | n/a | n/a |Jenkins Core (Phase 2)| # Move SFTP client into Trilead plugin and remove from core \\ # Update sshd-module and ssh-cli-module dependencies to latest version \\ # Remove Trilead dependency from core \\ # Set Trilead dependency in CLI project to 'optional' to prevent core visibility | No | n/a | n/a |Token Macro Plugin| Remove unused import to com.trilead.ssh2.crypto.digest.MAC from JobDescriptionMacro | [Yes| |
| Description |
Jenkins core currently bundles version 8 of the Jenkins fork of Trilead to provide SSH client functionality. Multiple plugins depend on this provision to utilize Trilead classes, so don't bundle Trilead directly. A new version of Trilead has recently been released containing a number of security enhancements (strong MAC algorithms, strong key exchange methods, curve based cryptographic keys etc), but this requires one of the following: # Jenkins core to update the bundled Trilead library. This means anyone using the weekly release from the point we include a new bundled library gets the new features, but users who only upgrade plugins or who are on an LTS release are stuck with an old Trilead version # Any plugin that wants hardened SSH capabilities bundles Trilead directly, but then potentially breaks functionality shared between plugins: SSH credentials uses `Class.isAssignableFrom` to check it can provide credentials, which stops this plugin working if the plugin needing credentials hasn't loaded Trilead from the same classloader (currently core). Since nothing in Jenkins core actually needs Trilead or the supporting classes that have been added to core for it, the logical change would be # Copy the Trilead library and supporting classes into a plugin # Update plugins that require Trilead so they depend on this new plugin # Remove Trilead from the core and bundle the new Trilead plugin as a detached plugin More plugins will be added to the components list for this issue as investigation is performed into what plugins depend on Trilead. Some plugins may be updated to remove references to Trilead classes where they're only using utility methods from Trilead, such as Base64 methods and `IOUtils.closeQuitely`. Current changes required: ||Component||Changes||PR Raised||PR Merged||Change Released |Jenkins Core (Phase 1)| # Replace Trilead Base64 references with java.util.Base64 references (various classes) \\ # Replace Trilead MD5 reference with MessageDigest.getInstance("MD5") (ConsistentHash.java) | No | n/a | n/a |Jenkins Core (Phase 2)| # Move SFTP client into Trilead plugin and remove from core \\ # Update sshd-module and ssh-cli-module dependencies to latest version \\ # Remove Trilead dependency from core \\ # Set Trilead dependency in CLI project to 'optional' to prevent core visibility | No | n/a | n/a |Token Macro Plugin| Remove unused import to com.trilead.ssh2.crypto.digest.MAC from JobDescriptionMacro | [Yes| |
Jenkins core currently bundles version 8 of the Jenkins fork of Trilead to provide SSH client functionality. Multiple plugins depend on this provision to utilize Trilead classes, so don't bundle Trilead directly. A new version of Trilead has recently been released containing a number of security enhancements (strong MAC algorithms, strong key exchange methods, curve based cryptographic keys etc), but this requires one of the following: # Jenkins core to update the bundled Trilead library. This means anyone using the weekly release from the point we include a new bundled library gets the new features, but users who only upgrade plugins or who are on an LTS release are stuck with an old Trilead version # Any plugin that wants hardened SSH capabilities bundles Trilead directly, but then potentially breaks functionality shared between plugins: SSH credentials uses `Class.isAssignableFrom` to check it can provide credentials, which stops this plugin working if the plugin needing credentials hasn't loaded Trilead from the same classloader (currently core). Since nothing in Jenkins core actually needs Trilead or the supporting classes that have been added to core for it, the logical change would be # Copy the Trilead library and supporting classes into a plugin # Update plugins that require Trilead so they depend on this new plugin # Remove Trilead from the core and bundle the new Trilead plugin as a detached plugin More plugins will be added to the components list for this issue as investigation is performed into what plugins depend on Trilead. Some plugins may be updated to remove references to Trilead classes where they're only using utility methods from Trilead, such as Base64 methods and `IOUtils.closeQuitely`. Current changes required: ||Component||Changes||PR Raised||PR Merged||Change Released|| |Jenkins Core (Phase 1)| # Replace Trilead Base64 references with java.util.Base64 references (various classes) # Replace Trilead MD5 reference with MessageDigest.getInstance("MD5") (ConsistentHash.java)|No|n/a|n/a| |Jenkins Core (Phase 2)| # Move SFTP client into Trilead plugin and remove from core # Update sshd-module and ssh-cli-module dependencies to latest version # Remove Trilead dependency from core # Set Trilead dependency in CLI project to 'optional' to prevent core visibility # Set Trilead API Plugin as a detached plugin|No|n/a|n/a| |Token Macro Plugin|Remove unused import to com.trilead.ssh2.crypto.digest.MAC from JobDescriptionMacro|[Yes|https://github.com/jenkinsci/token-macro-plugin/pull/29]|Yes|No| |SSHD Module| # Upgrade SSH CLI Module dependency to a new version (1.2 or above) # Remove direct references to Trilead classes, instead using SSH CLI Auth Module's key comparison functionality found in newer versions|[Yes|https://github.com/jenkinsci/ssh-cli-auth-module/pull/5]|No|No| |SSH CLI Auth Module| # Replace reference to Trilead Base64 with one from Hudson Remoting (could potentially use java.util.Base64, but would required bump to Java 8 which I'm not planning on doing) # Replace reference to Trilead TypesWriter in PublicKeySignatureWriter with a simple PEM writer (only need to support BigInteger, String, int, and byte arrays)|[Yes|https://github.com/jenkinsci/ssh-cli-auth-module/pull/5]|No|No| |Credentials Plugin|Replace references to Trilead Base64 in CertificateCredentialsImpl.java with hudson.remoting.Base64|[Yes|https://github.com/jenkinsci/credentials-plugin/pull/84/files]|No|No| |Trilead API Plugin|Create new plugin containing Trilead library from Jenkins core and release it to update centre|Yes|No|No| *Other changed to be confirmed* |
Code changed in jenkins
User: Michael Clarke
Path:
src/main/java/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImpl.java
http://jenkins-ci.org/commit/credentials-plugin/e4dedd9a39a13a42071a7d8e77dbabed0f6905da
Log:
JENKINS-43610 Remove references to Trilead classes
Code changed in jenkins
User: Stephen Connolly
Path:
src/main/java/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImpl.java
http://jenkins-ci.org/commit/credentials-plugin/a21b0d37cd4f4c566b599ef0042d5986c92acf07
Log:
Merge pull request #84 from mc1arke/JENKINS-43610-remove-trilead-references
JENKINS-43610 Remove references to Trilead classes
Compare: https://github.com/jenkinsci/credentials-plugin/compare/b2e31fb146d7...a21b0d37cd4f
| Description |
Jenkins core currently bundles version 8 of the Jenkins fork of Trilead to provide SSH client functionality. Multiple plugins depend on this provision to utilize Trilead classes, so don't bundle Trilead directly. A new version of Trilead has recently been released containing a number of security enhancements (strong MAC algorithms, strong key exchange methods, curve based cryptographic keys etc), but this requires one of the following: # Jenkins core to update the bundled Trilead library. This means anyone using the weekly release from the point we include a new bundled library gets the new features, but users who only upgrade plugins or who are on an LTS release are stuck with an old Trilead version # Any plugin that wants hardened SSH capabilities bundles Trilead directly, but then potentially breaks functionality shared between plugins: SSH credentials uses `Class.isAssignableFrom` to check it can provide credentials, which stops this plugin working if the plugin needing credentials hasn't loaded Trilead from the same classloader (currently core). Since nothing in Jenkins core actually needs Trilead or the supporting classes that have been added to core for it, the logical change would be # Copy the Trilead library and supporting classes into a plugin # Update plugins that require Trilead so they depend on this new plugin # Remove Trilead from the core and bundle the new Trilead plugin as a detached plugin More plugins will be added to the components list for this issue as investigation is performed into what plugins depend on Trilead. Some plugins may be updated to remove references to Trilead classes where they're only using utility methods from Trilead, such as Base64 methods and `IOUtils.closeQuitely`. Current changes required: ||Component||Changes||PR Raised||PR Merged||Change Released|| |Jenkins Core (Phase 1)| # Replace Trilead Base64 references with java.util.Base64 references (various classes) # Replace Trilead MD5 reference with MessageDigest.getInstance("MD5") (ConsistentHash.java)|No|n/a|n/a| |Jenkins Core (Phase 2)| # Move SFTP client into Trilead plugin and remove from core # Update sshd-module and ssh-cli-module dependencies to latest version # Remove Trilead dependency from core # Set Trilead dependency in CLI project to 'optional' to prevent core visibility # Set Trilead API Plugin as a detached plugin|No|n/a|n/a| |Token Macro Plugin|Remove unused import to com.trilead.ssh2.crypto.digest.MAC from JobDescriptionMacro|[Yes|https://github.com/jenkinsci/token-macro-plugin/pull/29]|Yes|No| |SSHD Module| # Upgrade SSH CLI Module dependency to a new version (1.2 or above) # Remove direct references to Trilead classes, instead using SSH CLI Auth Module's key comparison functionality found in newer versions|[Yes|https://github.com/jenkinsci/ssh-cli-auth-module/pull/5]|No|No| |SSH CLI Auth Module| # Replace reference to Trilead Base64 with one from Hudson Remoting (could potentially use java.util.Base64, but would required bump to Java 8 which I'm not planning on doing) # Replace reference to Trilead TypesWriter in PublicKeySignatureWriter with a simple PEM writer (only need to support BigInteger, String, int, and byte arrays)|[Yes|https://github.com/jenkinsci/ssh-cli-auth-module/pull/5]|No|No| |Credentials Plugin|Replace references to Trilead Base64 in CertificateCredentialsImpl.java with hudson.remoting.Base64|[Yes|https://github.com/jenkinsci/credentials-plugin/pull/84/files]|No|No| |Trilead API Plugin|Create new plugin containing Trilead library from Jenkins core and release it to update centre|Yes|No|No| *Other changed to be confirmed* |
Jenkins core currently bundles version 8 of the Jenkins fork of Trilead to provide SSH client functionality. Multiple plugins depend on this provision to utilize Trilead classes, so don't bundle Trilead directly. A new version of Trilead has recently been released containing a number of security enhancements (strong MAC algorithms, strong key exchange methods, curve based cryptographic keys etc), but this requires one of the following: # Jenkins core to update the bundled Trilead library. This means anyone using the weekly release from the point we include a new bundled library gets the new features, but users who only upgrade plugins or who are on an LTS release are stuck with an old Trilead version # Any plugin that wants hardened SSH capabilities bundles Trilead directly, but then potentially breaks functionality shared between plugins: SSH credentials uses `Class.isAssignableFrom` to check it can provide credentials, which stops this plugin working if the plugin needing credentials hasn't loaded Trilead from the same classloader (currently core). Since nothing in Jenkins core actually needs Trilead or the supporting classes that have been added to core for it, the logical change would be # Copy the Trilead library and supporting classes into a plugin # Update plugins that require Trilead so they depend on this new plugin # Remove Trilead from the core and bundle the new Trilead plugin as a detached plugin More plugins will be added to the components list for this issue as investigation is performed into what plugins depend on Trilead. Some plugins may be updated to remove references to Trilead classes where they're only using utility methods from Trilead, such as Base64 methods and `IOUtils.closeQuitely`. Current changes required: ||Component||Changes||PR Raised||PR Merged||Change Released|| |Jenkins Core (Phase 1)| # Replace Trilead Base64 references with java.util.Base64 references (various classes) # Replace Trilead MD5 reference with MessageDigest.getInstance("MD5") (ConsistentHash.java)|No|n/a|n/a| |Jenkins Core (Phase 2)| # Move SFTP client into Trilead plugin and remove from core # Update sshd-module and ssh-cli-module dependencies to latest version # Remove Trilead dependency from core # Set Trilead dependency in CLI project to 'optional' to prevent core visibility # Set Trilead API Plugin as a detached plugin|No|n/a|n/a| |Token Macro Plugin|Remove unused import to com.trilead.ssh2.crypto.digest.MAC from JobDescriptionMacro|[Yes|https://github.com/jenkinsci/token-macro-plugin/pull/29]|Yes|No| |SSHD Module| # Upgrade SSH CLI Module dependency to a new version (1.2 or above) # Remove direct references to Trilead classes, instead using SSH CLI Auth Module's key comparison functionality found in newer versions|[Yes|https://github.com/jenkinsci/ssh-cli-auth-module/pull/5]|No|No| |SSH CLI Auth Module| # Replace reference to Trilead Base64 with one from Hudson Remoting (could potentially use java.util.Base64, but would required bump to Java 8 which I'm not planning on doing) # Replace reference to Trilead TypesWriter in PublicKeySignatureWriter with a simple PEM writer (only need to support BigInteger, String, int, and byte arrays)|[Yes|https://github.com/jenkinsci/ssh-cli-auth-module/pull/5]|No|No| |Credentials Plugin|Replace references to Trilead Base64 in CertificateCredentialsImpl.java with hudson.remoting.Base64|[Yes|https://github.com/jenkinsci/credentials-plugin/pull/84/files]|Yes|No| |Trilead API Plugin|Create new plugin containing Trilead library from Jenkins core and release it to update centre|Yes|Yes|No| *Other changed to be confirmed* |
| Issue Type | Task [ 3 ] | Epic [ 10001 ] |
| Labels | api jenkins plugin |
| Epic Name | Split Trilead out from Jenkins Core |
| Epic Child |
|
| Epic Child |
|
| Status | Open [ 1 ] | In Progress [ 3 ] |
| Component/s | ssh-credentials-plugin [ 17424 ] | |
| Component/s | ssh-slaves-plugin [ 15578 ] |
| Epic Child |
|
Code changed in jenkins
User: Oleg Nenashev
Path:
pom.xml
src/main/java/org/jenkinsci/main/modules/sshd/PublicKeyAuthenticatorImpl.java
src/main/java/org/jenkinsci/main/modules/sshd/SSHD.java
src/main/java/org/jenkinsci/main/modules/sshd/UserAuthNamedFactory.java
http://jenkins-ci.org/commit/sshd-module/f3a82b49c0b5d149a9de218b52d22b9939ae8113
Log:
Merge branch 'master' into JENKINS-43610-remove-trilead-references
Code changed in jenkins
User: Oleg Nenashev
Path:
pom.xml
src/main/java/org/jenkinsci/main/modules/sshd/PublicKeyAuthenticatorImpl.java
http://jenkins-ci.org/commit/sshd-module/534ebac23ff600f5d5a564d04c24ae4ecbc11cd0
Log:
Merge pull request #13 from mc1arke/JENKINS-43610-remove-trilead-references
JENKINS-43668 - Remove Trilead references
Compare: https://github.com/jenkinsci/sshd-module/compare/04216b8201ae...534ebac23ff6
| Assignee | Michael Clarke [ mc1arke ] | Ivan Fernandez Calvo [ ifernandezcalvo ] |
| Description |
Jenkins core currently bundles version 8 of the Jenkins fork of Trilead to provide SSH client functionality. Multiple plugins depend on this provision to utilize Trilead classes, so don't bundle Trilead directly. A new version of Trilead has recently been released containing a number of security enhancements (strong MAC algorithms, strong key exchange methods, curve based cryptographic keys etc), but this requires one of the following: # Jenkins core to update the bundled Trilead library. This means anyone using the weekly release from the point we include a new bundled library gets the new features, but users who only upgrade plugins or who are on an LTS release are stuck with an old Trilead version # Any plugin that wants hardened SSH capabilities bundles Trilead directly, but then potentially breaks functionality shared between plugins: SSH credentials uses `Class.isAssignableFrom` to check it can provide credentials, which stops this plugin working if the plugin needing credentials hasn't loaded Trilead from the same classloader (currently core). Since nothing in Jenkins core actually needs Trilead or the supporting classes that have been added to core for it, the logical change would be # Copy the Trilead library and supporting classes into a plugin # Update plugins that require Trilead so they depend on this new plugin # Remove Trilead from the core and bundle the new Trilead plugin as a detached plugin More plugins will be added to the components list for this issue as investigation is performed into what plugins depend on Trilead. Some plugins may be updated to remove references to Trilead classes where they're only using utility methods from Trilead, such as Base64 methods and `IOUtils.closeQuitely`. Current changes required: ||Component||Changes||PR Raised||PR Merged||Change Released|| |Jenkins Core (Phase 1)| # Replace Trilead Base64 references with java.util.Base64 references (various classes) # Replace Trilead MD5 reference with MessageDigest.getInstance("MD5") (ConsistentHash.java)|No|n/a|n/a| |Jenkins Core (Phase 2)| # Move SFTP client into Trilead plugin and remove from core # Update sshd-module and ssh-cli-module dependencies to latest version # Remove Trilead dependency from core # Set Trilead dependency in CLI project to 'optional' to prevent core visibility # Set Trilead API Plugin as a detached plugin|No|n/a|n/a| |Token Macro Plugin|Remove unused import to com.trilead.ssh2.crypto.digest.MAC from JobDescriptionMacro|[Yes|https://github.com/jenkinsci/token-macro-plugin/pull/29]|Yes|No| |SSHD Module| # Upgrade SSH CLI Module dependency to a new version (1.2 or above) # Remove direct references to Trilead classes, instead using SSH CLI Auth Module's key comparison functionality found in newer versions|[Yes|https://github.com/jenkinsci/ssh-cli-auth-module/pull/5]|No|No| |SSH CLI Auth Module| # Replace reference to Trilead Base64 with one from Hudson Remoting (could potentially use java.util.Base64, but would required bump to Java 8 which I'm not planning on doing) # Replace reference to Trilead TypesWriter in PublicKeySignatureWriter with a simple PEM writer (only need to support BigInteger, String, int, and byte arrays)|[Yes|https://github.com/jenkinsci/ssh-cli-auth-module/pull/5]|No|No| |Credentials Plugin|Replace references to Trilead Base64 in CertificateCredentialsImpl.java with hudson.remoting.Base64|[Yes|https://github.com/jenkinsci/credentials-plugin/pull/84/files]|Yes|No| |Trilead API Plugin|Create new plugin containing Trilead library from Jenkins core and release it to update centre|Yes|Yes|No| *Other changed to be confirmed* |
Jenkins core currently bundles version 8 of the Jenkins fork of Trilead to provide SSH client functionality. Multiple plugins depend on this provision to utilize Trilead classes, so don't bundle Trilead directly. A new version of Trilead has recently been released containing a number of security enhancements (strong MAC algorithms, strong key exchange methods, curve based cryptographic keys etc), but this requires one of the following: # Jenkins core to update the bundled Trilead library. This means anyone using the weekly release from the point we include a new bundled library gets the new features, but users who only upgrade plugins or who are on an LTS release are stuck with an old Trilead version # Any plugin that wants hardened SSH capabilities bundles Trilead directly, but then potentially breaks functionality shared between plugins: SSH credentials uses `Class.isAssignableFrom` to check it can provide credentials, which stops this plugin working if the plugin needing credentials hasn't loaded Trilead from the same classloader (currently core). Since nothing in Jenkins core actually needs Trilead or the supporting classes that have been added to core for it, the logical change would be # Copy the Trilead library and supporting classes into a plugin # Update plugins that require Trilead so they depend on this new plugin # Remove Trilead from the core and bundle the new Trilead plugin as a detached plugin More plugins will be added to the components list for this issue as investigation is performed into what plugins depend on Trilead. Some plugins may be updated to remove references to Trilead classes where they're only using utility methods from Trilead, such as Base64 methods and `IOUtils.closeQuitely`. Current changes required: ||Component||Changes||PR Raised||PR Merged||Change Released|| |Jenkins Core (Phase 1)| # Replace Trilead Base64 references with java.util.Base64 references (various classes) # Replace Trilead MD5 reference with MessageDigest.getInstance("MD5") (ConsistentHash.java)|Yes|Yes|Yes| |Jenkins Core (Phase 2)| # Move SFTP client into Trilead plugin and remove from core # Update sshd-module and ssh-cli-module dependencies to latest version # Remove Trilead dependency from core # Set Trilead dependency in CLI project to 'optional' to prevent core visibility # Set Trilead API Plugin as a detached plugin|Yes|No|No| |Token Macro Plugin|Remove unused import to com.trilead.ssh2.crypto.digest.MAC from JobDescriptionMacro|[Yes|https://github.com/jenkinsci/token-macro-plugin/pull/29]|Yes|Yes| |SSHD Module| # Upgrade SSH CLI Module dependency to a new version (1.2 or above) # Remove direct references to Trilead classes, instead using SSH CLI Auth Module's key comparison functionality found in newer versions|[Yes|https://github.com/jenkinsci/ssh-cli-auth-module/pull/5]|No|No| |SSH CLI Auth Module| # Replace reference to Trilead Base64 with one from Hudson Remoting (could potentially use java.util.Base64, but would required bump to Java 8 which I'm not planning on doing) # Replace reference to Trilead TypesWriter in PublicKeySignatureWriter with a simple PEM writer (only need to support BigInteger, String, int, and byte arrays)|[Yes|https://github.com/jenkinsci/ssh-cli-auth-module/pull/5]|No|No| |Credentials Plugin|Replace references to Trilead Base64 in CertificateCredentialsImpl.java with hudson.remoting.Base64|[Yes|https://github.com/jenkinsci/credentials-plugin/pull/84/files]|Yes|Yes| |Trilead API Plugin|Create new plugin containing Trilead library from Jenkins core and release it to update centre|Yes|Yes|No| *Other changed to be confirmed* |
| Epic Child |
|
| Epic Child |
|
| Labels | api jenkins plugin | api split-plugins-from-core |
| Description |
Jenkins core currently bundles version 8 of the Jenkins fork of Trilead to provide SSH client functionality. Multiple plugins depend on this provision to utilize Trilead classes, so don't bundle Trilead directly. A new version of Trilead has recently been released containing a number of security enhancements (strong MAC algorithms, strong key exchange methods, curve based cryptographic keys etc), but this requires one of the following: # Jenkins core to update the bundled Trilead library. This means anyone using the weekly release from the point we include a new bundled library gets the new features, but users who only upgrade plugins or who are on an LTS release are stuck with an old Trilead version # Any plugin that wants hardened SSH capabilities bundles Trilead directly, but then potentially breaks functionality shared between plugins: SSH credentials uses `Class.isAssignableFrom` to check it can provide credentials, which stops this plugin working if the plugin needing credentials hasn't loaded Trilead from the same classloader (currently core). Since nothing in Jenkins core actually needs Trilead or the supporting classes that have been added to core for it, the logical change would be # Copy the Trilead library and supporting classes into a plugin # Update plugins that require Trilead so they depend on this new plugin # Remove Trilead from the core and bundle the new Trilead plugin as a detached plugin More plugins will be added to the components list for this issue as investigation is performed into what plugins depend on Trilead. Some plugins may be updated to remove references to Trilead classes where they're only using utility methods from Trilead, such as Base64 methods and `IOUtils.closeQuitely`. Current changes required: ||Component||Changes||PR Raised||PR Merged||Change Released|| |Jenkins Core (Phase 1)| # Replace Trilead Base64 references with java.util.Base64 references (various classes) # Replace Trilead MD5 reference with MessageDigest.getInstance("MD5") (ConsistentHash.java)|Yes|Yes|Yes| |Jenkins Core (Phase 2)| # Move SFTP client into Trilead plugin and remove from core # Update sshd-module and ssh-cli-module dependencies to latest version # Remove Trilead dependency from core # Set Trilead dependency in CLI project to 'optional' to prevent core visibility # Set Trilead API Plugin as a detached plugin|Yes|No|No| |Token Macro Plugin|Remove unused import to com.trilead.ssh2.crypto.digest.MAC from JobDescriptionMacro|[Yes|https://github.com/jenkinsci/token-macro-plugin/pull/29]|Yes|Yes| |SSHD Module| # Upgrade SSH CLI Module dependency to a new version (1.2 or above) # Remove direct references to Trilead classes, instead using SSH CLI Auth Module's key comparison functionality found in newer versions|[Yes|https://github.com/jenkinsci/ssh-cli-auth-module/pull/5]|No|No| |SSH CLI Auth Module| # Replace reference to Trilead Base64 with one from Hudson Remoting (could potentially use java.util.Base64, but would required bump to Java 8 which I'm not planning on doing) # Replace reference to Trilead TypesWriter in PublicKeySignatureWriter with a simple PEM writer (only need to support BigInteger, String, int, and byte arrays)|[Yes|https://github.com/jenkinsci/ssh-cli-auth-module/pull/5]|No|No| |Credentials Plugin|Replace references to Trilead Base64 in CertificateCredentialsImpl.java with hudson.remoting.Base64|[Yes|https://github.com/jenkinsci/credentials-plugin/pull/84/files]|Yes|Yes| |Trilead API Plugin|Create new plugin containing Trilead library from Jenkins core and release it to update centre|Yes|Yes|No| *Other changed to be confirmed* |
Jenkins core currently bundles version 8 of the Jenkins fork of Trilead to provide SSH client functionality. Multiple plugins depend on this provision to utilize Trilead classes, so don't bundle Trilead directly. A new version of Trilead has recently been released containing a number of security enhancements (strong MAC algorithms, strong key exchange methods, curve based cryptographic keys etc), but this requires one of the following: # Jenkins core to update the bundled Trilead library. This means anyone using the weekly release from the point we include a new bundled library gets the new features, but users who only upgrade plugins or who are on an LTS release are stuck with an old Trilead version # Any plugin that wants hardened SSH capabilities bundles Trilead directly, but then potentially breaks functionality shared between plugins: SSH credentials uses `Class.isAssignableFrom` to check it can provide credentials, which stops this plugin working if the plugin needing credentials hasn't loaded Trilead from the same classloader (currently core). Since nothing in Jenkins core actually needs Trilead or the supporting classes that have been added to core for it, the logical change would be # Copy the Trilead library and supporting classes into a plugin # Update plugins that require Trilead so they depend on this new plugin # Remove Trilead from the core and bundle the new Trilead plugin as a detached plugin More plugins will be added to the components list for this issue as investigation is performed into what plugins depend on Trilead. Some plugins may be updated to remove references to Trilead classes where they're only using utility methods from Trilead, such as Base64 methods and `IOUtils.closeQuitely`. Current changes required: ||Component||Changes||PR Raised||PR Merged||Change Released|| |Jenkins Core (Phase 1)| # Replace Trilead Base64 references with java.util.Base64 references (various classes) # Replace Trilead MD5 reference with MessageDigest.getInstance("MD5") (ConsistentHash.java)|Yes|Yes|Yes| |Jenkins Core (Phase 2)| # Move SFTP client into Trilead plugin and remove from core # Update sshd-module and ssh-cli-module dependencies to latest version # Remove Trilead dependency from core # Set Trilead dependency in CLI project to 'optional' to prevent core visibility # Set Trilead API Plugin as a detached plugin|Yes|No|No| |Token Macro Plugin|Remove unused import to com.trilead.ssh2.crypto.digest.MAC from JobDescriptionMacro|[Yes|https://github.com/jenkinsci/token-macro-plugin/pull/29]|Yes|Yes| |SSHD Module| # Upgrade SSH CLI Module dependency to a new version (1.2 or above) # Remove direct references to Trilead classes, instead using SSH CLI Auth Module's key comparison functionality found in newer versions|[Yes|https://github.com/jenkinsci/ssh-cli-auth-module/pull/5]|Yes|Yes| |SSH CLI Auth Module| # Replace reference to Trilead Base64 with one from Hudson Remoting (could potentially use java.util.Base64, but would required bump to Java 8 which I'm not planning on doing) # Replace reference to Trilead TypesWriter in PublicKeySignatureWriter with a simple PEM writer (only need to support BigInteger, String, int, and byte arrays)|[Yes|https://github.com/jenkinsci/ssh-cli-auth-module/pull/5]|Yes|Yes| |Credentials Plugin|Replace references to Trilead Base64 in CertificateCredentialsImpl.java with hudson.remoting.Base64|[Yes|https://github.com/jenkinsci/credentials-plugin/pull/84/files]|Yes|Yes| |Trilead API Plugin|Create new plugin containing Trilead library from Jenkins core and release it to update centre|Yes|Yes|No| *Other changed to be confirmed* |
| Description |
Jenkins core currently bundles version 8 of the Jenkins fork of Trilead to provide SSH client functionality. Multiple plugins depend on this provision to utilize Trilead classes, so don't bundle Trilead directly. A new version of Trilead has recently been released containing a number of security enhancements (strong MAC algorithms, strong key exchange methods, curve based cryptographic keys etc), but this requires one of the following: # Jenkins core to update the bundled Trilead library. This means anyone using the weekly release from the point we include a new bundled library gets the new features, but users who only upgrade plugins or who are on an LTS release are stuck with an old Trilead version # Any plugin that wants hardened SSH capabilities bundles Trilead directly, but then potentially breaks functionality shared between plugins: SSH credentials uses `Class.isAssignableFrom` to check it can provide credentials, which stops this plugin working if the plugin needing credentials hasn't loaded Trilead from the same classloader (currently core). Since nothing in Jenkins core actually needs Trilead or the supporting classes that have been added to core for it, the logical change would be # Copy the Trilead library and supporting classes into a plugin # Update plugins that require Trilead so they depend on this new plugin # Remove Trilead from the core and bundle the new Trilead plugin as a detached plugin More plugins will be added to the components list for this issue as investigation is performed into what plugins depend on Trilead. Some plugins may be updated to remove references to Trilead classes where they're only using utility methods from Trilead, such as Base64 methods and `IOUtils.closeQuitely`. Current changes required: ||Component||Changes||PR Raised||PR Merged||Change Released|| |Jenkins Core (Phase 1)| # Replace Trilead Base64 references with java.util.Base64 references (various classes) # Replace Trilead MD5 reference with MessageDigest.getInstance("MD5") (ConsistentHash.java)|Yes|Yes|Yes| |Jenkins Core (Phase 2)| # Move SFTP client into Trilead plugin and remove from core # Update sshd-module and ssh-cli-module dependencies to latest version # Remove Trilead dependency from core # Set Trilead dependency in CLI project to 'optional' to prevent core visibility # Set Trilead API Plugin as a detached plugin|Yes|No|No| |Token Macro Plugin|Remove unused import to com.trilead.ssh2.crypto.digest.MAC from JobDescriptionMacro|[Yes|https://github.com/jenkinsci/token-macro-plugin/pull/29]|Yes|Yes| |SSHD Module| # Upgrade SSH CLI Module dependency to a new version (1.2 or above) # Remove direct references to Trilead classes, instead using SSH CLI Auth Module's key comparison functionality found in newer versions|[Yes|https://github.com/jenkinsci/ssh-cli-auth-module/pull/5]|Yes|Yes| |SSH CLI Auth Module| # Replace reference to Trilead Base64 with one from Hudson Remoting (could potentially use java.util.Base64, but would required bump to Java 8 which I'm not planning on doing) # Replace reference to Trilead TypesWriter in PublicKeySignatureWriter with a simple PEM writer (only need to support BigInteger, String, int, and byte arrays)|[Yes|https://github.com/jenkinsci/ssh-cli-auth-module/pull/5]|Yes|Yes| |Credentials Plugin|Replace references to Trilead Base64 in CertificateCredentialsImpl.java with hudson.remoting.Base64|[Yes|https://github.com/jenkinsci/credentials-plugin/pull/84/files]|Yes|Yes| |Trilead API Plugin|Create new plugin containing Trilead library from Jenkins core and release it to update centre|Yes|Yes|No| *Other changed to be confirmed* |
Jenkins core currently bundles version 8 of the Jenkins fork of Trilead to provide SSH client functionality. Multiple plugins depend on this provision to utilize Trilead classes, so don't bundle Trilead directly. A new version of Trilead has recently been released containing a number of security enhancements (strong MAC algorithms, strong key exchange methods, curve based cryptographic keys etc), but this requires one of the following: # Jenkins core to update the bundled Trilead library. This means anyone using the weekly release from the point we include a new bundled library gets the new features, but users who only upgrade plugins or who are on an LTS release are stuck with an old Trilead version # Any plugin that wants hardened SSH capabilities bundles Trilead directly, but then potentially breaks functionality shared between plugins: SSH credentials uses `Class.isAssignableFrom` to check it can provide credentials, which stops this plugin working if the plugin needing credentials hasn't loaded Trilead from the same classloader (currently core). Since nothing in Jenkins core actually needs Trilead or the supporting classes that have been added to core for it, the logical change would be # Copy the Trilead library and supporting classes into a plugin # Update plugins that require Trilead so they depend on this new plugin # Remove Trilead from the core and bundle the new Trilead plugin as a detached plugin More plugins will be added to the components list for this issue as investigation is performed into what plugins depend on Trilead. Some plugins may be updated to remove references to Trilead classes where they're only using utility methods from Trilead, such as Base64 methods and `IOUtils.closeQuitely`. Current changes required: ||Component||Changes||PR Raised||PR Merged||Change Released|| |Jenkins Core (Phase 1)| # Replace Trilead Base64 references with java.util.Base64 references (various classes) # Replace Trilead MD5 reference with MessageDigest.getInstance("MD5") (ConsistentHash.java)|Yes|Yes|Yes| |Jenkins Core (Phase 2)| # Move SFTP client into Trilead plugin and remove from core # Update sshd-module and ssh-cli-module dependencies to latest version # Remove Trilead dependency from core # Set Trilead dependency in CLI project to 'optional' to prevent core visibility # Set Trilead API Plugin as a detached plugin|Yes|No|No| |Token Macro Plugin|Remove unused import to com.trilead.ssh2.crypto.digest.MAC from JobDescriptionMacro|[Yes|https://github.com/jenkinsci/token-macro-plugin/pull/29]|Yes|Yes| |SSHD Module| # Upgrade SSH CLI Module dependency to a new version (1.2 or above) # Remove direct references to Trilead classes, instead using SSH CLI Auth Module's key comparison functionality found in newer versions|[Yes|https://github.com/jenkinsci/ssh-cli-auth-module/pull/5]|Yes|Yes| |SSH CLI Auth Module| # Replace reference to Trilead Base64 with one from Hudson Remoting (could potentially use java.util.Base64, but would required bump to Java 8 which I'm not planning on doing) # Replace reference to Trilead TypesWriter in PublicKeySignatureWriter with a simple PEM writer (only need to support BigInteger, String, int, and byte arrays)|[Yes|https://github.com/jenkinsci/ssh-cli-auth-module/pull/5]|No|No| |Credentials Plugin|Replace references to Trilead Base64 in CertificateCredentialsImpl.java with hudson.remoting.Base64|[Yes|https://github.com/jenkinsci/credentials-plugin/pull/84/files]|Yes|Yes| |Trilead API Plugin|Create new plugin containing Trilead library from Jenkins core and release it to update centre|Yes|Yes|No| *Other changed to be confirmed* |
Repositories affected
- acceptance-test-harness
- cloudbees-plugin-gateway
- extras-ec2-launcher
- svnkit
Plugins affected
- BlameSubversion
- digitalocean
- docker
- ec2
- ec2-cloud-axis
- ec2-plugin
- external-logging-elasticsearch
- git-client
- jclouds
- libvirt-slave
- mansion-cloud
- nodepool-agents
- openstack-cloud
- pxe
- scaleway-cloud
- ssh-agent
- ssh-cli
- ssh-cli-auth
- ssh-credentials
- ssh-slaves
- ssh2easy
- subversion
- svn-release-mgr
| Remote Link | This issue links to "Jenkins Core PR (Web Link)" [ 23121 ] |
| Description |
Jenkins core currently bundles version 8 of the Jenkins fork of Trilead to provide SSH client functionality. Multiple plugins depend on this provision to utilize Trilead classes, so don't bundle Trilead directly. A new version of Trilead has recently been released containing a number of security enhancements (strong MAC algorithms, strong key exchange methods, curve based cryptographic keys etc), but this requires one of the following: # Jenkins core to update the bundled Trilead library. This means anyone using the weekly release from the point we include a new bundled library gets the new features, but users who only upgrade plugins or who are on an LTS release are stuck with an old Trilead version # Any plugin that wants hardened SSH capabilities bundles Trilead directly, but then potentially breaks functionality shared between plugins: SSH credentials uses `Class.isAssignableFrom` to check it can provide credentials, which stops this plugin working if the plugin needing credentials hasn't loaded Trilead from the same classloader (currently core). Since nothing in Jenkins core actually needs Trilead or the supporting classes that have been added to core for it, the logical change would be # Copy the Trilead library and supporting classes into a plugin # Update plugins that require Trilead so they depend on this new plugin # Remove Trilead from the core and bundle the new Trilead plugin as a detached plugin More plugins will be added to the components list for this issue as investigation is performed into what plugins depend on Trilead. Some plugins may be updated to remove references to Trilead classes where they're only using utility methods from Trilead, such as Base64 methods and `IOUtils.closeQuitely`. Current changes required: ||Component||Changes||PR Raised||PR Merged||Change Released|| |Jenkins Core (Phase 1)| # Replace Trilead Base64 references with java.util.Base64 references (various classes) # Replace Trilead MD5 reference with MessageDigest.getInstance("MD5") (ConsistentHash.java)|Yes|Yes|Yes| |Jenkins Core (Phase 2)| # Move SFTP client into Trilead plugin and remove from core # Update sshd-module and ssh-cli-module dependencies to latest version # Remove Trilead dependency from core # Set Trilead dependency in CLI project to 'optional' to prevent core visibility # Set Trilead API Plugin as a detached plugin|Yes|No|No| |Token Macro Plugin|Remove unused import to com.trilead.ssh2.crypto.digest.MAC from JobDescriptionMacro|[Yes|https://github.com/jenkinsci/token-macro-plugin/pull/29]|Yes|Yes| |SSHD Module| # Upgrade SSH CLI Module dependency to a new version (1.2 or above) # Remove direct references to Trilead classes, instead using SSH CLI Auth Module's key comparison functionality found in newer versions|[Yes|https://github.com/jenkinsci/ssh-cli-auth-module/pull/5]|Yes|Yes| |SSH CLI Auth Module| # Replace reference to Trilead Base64 with one from Hudson Remoting (could potentially use java.util.Base64, but would required bump to Java 8 which I'm not planning on doing) # Replace reference to Trilead TypesWriter in PublicKeySignatureWriter with a simple PEM writer (only need to support BigInteger, String, int, and byte arrays)|[Yes|https://github.com/jenkinsci/ssh-cli-auth-module/pull/5]|No|No| |Credentials Plugin|Replace references to Trilead Base64 in CertificateCredentialsImpl.java with hudson.remoting.Base64|[Yes|https://github.com/jenkinsci/credentials-plugin/pull/84/files]|Yes|Yes| |Trilead API Plugin|Create new plugin containing Trilead library from Jenkins core and release it to update centre|Yes|Yes|No| *Other changed to be confirmed* |
Jenkins core currently bundles version 8 of the Jenkins fork of Trilead to provide SSH client functionality. Multiple plugins depend on this provision to utilize Trilead classes, so don't bundle Trilead directly. A new version of Trilead has recently been released containing a number of security enhancements (strong MAC algorithms, strong key exchange methods, curve based cryptographic keys etc), but this requires one of the following: # Jenkins core to update the bundled Trilead library. This means anyone using the weekly release from the point we include a new bundled library gets the new features, but users who only upgrade plugins or who are on an LTS release are stuck with an old Trilead version # Any plugin that wants hardened SSH capabilities bundles Trilead directly, but then potentially breaks functionality shared between plugins: SSH credentials uses `Class.isAssignableFrom` to check it can provide credentials, which stops this plugin working if the plugin needing credentials hasn't loaded Trilead from the same classloader (currently core). Since nothing in Jenkins core actually needs Trilead or the supporting classes that have been added to core for it, the logical change would be # Copy the Trilead library and supporting classes into a plugin # Update plugins that require Trilead so they depend on this new plugin # Remove Trilead from the core and bundle the new Trilead plugin as a detached plugin More plugins will be added to the components list for this issue as investigation is performed into what plugins depend on Trilead. Some plugins may be updated to remove references to Trilead classes where they're only using utility methods from Trilead, such as Base64 methods and `IOUtils.closeQuitely`. Current changes required: ||Component||Changes||PR Raised||PR Merged||Change Released|| |Jenkins Core (Phase 1)| # Replace Trilead Base64 references with java.util.Base64 references (various classes) # Replace Trilead MD5 reference with MessageDigest.getInstance("MD5") (ConsistentHash.java)|Yes|Yes|Yes| |Jenkins Core (Phase 2)| # Move SFTP client into Trilead plugin and remove from core # Update sshd-module and ssh-cli-module dependencies to latest version # Remove Trilead dependency from core # Set Trilead dependency in CLI project to 'optional' to prevent core visibility # Set Trilead API Plugin as a detached plugin|Yes|No|No| |Token Macro Plugin|Remove unused import to com.trilead.ssh2.crypto.digest.MAC from JobDescriptionMacro|[Yes|https://github.com/jenkinsci/token-macro-plugin/pull/29]|Yes|Yes| |SSHD Module| # Upgrade SSH CLI Module dependency to a new version (1.2 or above) # Remove direct references to Trilead classes, instead using SSH CLI Auth Module's key comparison functionality found in newer versions|[Yes|https://github.com/jenkinsci/ssh-cli-auth-module/pull/5]|Yes|Yes| |SSH CLI Auth Module| # Replace reference to Trilead Base64 with one from Hudson Remoting (could potentially use java.util.Base64, but would required bump to Java 8 which I'm not planning on doing) # Replace reference to Trilead TypesWriter in PublicKeySignatureWriter with a simple PEM writer (only need to support BigInteger, String, int, and byte arrays)|[Yes|https://github.com/jenkinsci/ssh-cli-auth-module/pull/5]|No|No| |Credentials Plugin|Replace references to Trilead Base64 in CertificateCredentialsImpl.java with hudson.remoting.Base64|[Yes|https://github.com/jenkinsci/credentials-plugin/pull/84/files]|Yes|Yes| |Trilead API Plugin|Create new plugin containing Trilead library from Jenkins core and release it to update centre|Yes|Yes|Yes| *Other changed to be confirmed* |
| Link |
This issue causes |
| Released As | Jenkins 2.185 | |
| Resolution | Fixed [ 1 ] | |
| Status | In Progress [ 3 ] | Resolved [ 5 ] |
| Resolution | Fixed [ 1 ] | |
| Status | Resolved [ 5 ] | Reopened [ 4 ] |
| Epic Child |
|
Jenkins 2.186 integrates the regression fixes. https://jenkins.io/changelog/#v2.186
I assume this EPIC is completed, unless new regressions are reported
| Released As | Jenkins 2.185 | Jenkins 2.186 |
| Resolution | Fixed [ 1 ] | |
| Status | Reopened [ 4 ] | Fixed but Unreleased [ 10203 ] |
| Description |
Jenkins core currently bundles version 8 of the Jenkins fork of Trilead to provide SSH client functionality. Multiple plugins depend on this provision to utilize Trilead classes, so don't bundle Trilead directly. A new version of Trilead has recently been released containing a number of security enhancements (strong MAC algorithms, strong key exchange methods, curve based cryptographic keys etc), but this requires one of the following: # Jenkins core to update the bundled Trilead library. This means anyone using the weekly release from the point we include a new bundled library gets the new features, but users who only upgrade plugins or who are on an LTS release are stuck with an old Trilead version # Any plugin that wants hardened SSH capabilities bundles Trilead directly, but then potentially breaks functionality shared between plugins: SSH credentials uses `Class.isAssignableFrom` to check it can provide credentials, which stops this plugin working if the plugin needing credentials hasn't loaded Trilead from the same classloader (currently core). Since nothing in Jenkins core actually needs Trilead or the supporting classes that have been added to core for it, the logical change would be # Copy the Trilead library and supporting classes into a plugin # Update plugins that require Trilead so they depend on this new plugin # Remove Trilead from the core and bundle the new Trilead plugin as a detached plugin More plugins will be added to the components list for this issue as investigation is performed into what plugins depend on Trilead. Some plugins may be updated to remove references to Trilead classes where they're only using utility methods from Trilead, such as Base64 methods and `IOUtils.closeQuitely`. Current changes required: ||Component||Changes||PR Raised||PR Merged||Change Released|| |Jenkins Core (Phase 1)| # Replace Trilead Base64 references with java.util.Base64 references (various classes) # Replace Trilead MD5 reference with MessageDigest.getInstance("MD5") (ConsistentHash.java)|Yes|Yes|Yes| |Jenkins Core (Phase 2)| # Move SFTP client into Trilead plugin and remove from core # Update sshd-module and ssh-cli-module dependencies to latest version # Remove Trilead dependency from core # Set Trilead dependency in CLI project to 'optional' to prevent core visibility # Set Trilead API Plugin as a detached plugin|Yes|No|No| |Token Macro Plugin|Remove unused import to com.trilead.ssh2.crypto.digest.MAC from JobDescriptionMacro|[Yes|https://github.com/jenkinsci/token-macro-plugin/pull/29]|Yes|Yes| |SSHD Module| # Upgrade SSH CLI Module dependency to a new version (1.2 or above) # Remove direct references to Trilead classes, instead using SSH CLI Auth Module's key comparison functionality found in newer versions|[Yes|https://github.com/jenkinsci/ssh-cli-auth-module/pull/5]|Yes|Yes| |SSH CLI Auth Module| # Replace reference to Trilead Base64 with one from Hudson Remoting (could potentially use java.util.Base64, but would required bump to Java 8 which I'm not planning on doing) # Replace reference to Trilead TypesWriter in PublicKeySignatureWriter with a simple PEM writer (only need to support BigInteger, String, int, and byte arrays)|[Yes|https://github.com/jenkinsci/ssh-cli-auth-module/pull/5]|No|No| |Credentials Plugin|Replace references to Trilead Base64 in CertificateCredentialsImpl.java with hudson.remoting.Base64|[Yes|https://github.com/jenkinsci/credentials-plugin/pull/84/files]|Yes|Yes| |Trilead API Plugin|Create new plugin containing Trilead library from Jenkins core and release it to update centre|Yes|Yes|Yes| *Other changed to be confirmed* |
Jenkins core currently bundles version 8 of the Jenkins fork of Trilead to provide SSH client functionality. Multiple plugins depend on this provision to utilize Trilead classes, so don't bundle Trilead directly. A new version of Trilead has recently been released containing a number of security enhancements (strong MAC algorithms, strong key exchange methods, curve based cryptographic keys etc), but this requires one of the following: # Jenkins core to update the bundled Trilead library. This means anyone using the weekly release from the point we include a new bundled library gets the new features, but users who only upgrade plugins or who are on an LTS release are stuck with an old Trilead version # Any plugin that wants hardened SSH capabilities bundles Trilead directly, but then potentially breaks functionality shared between plugins: SSH credentials uses `Class.isAssignableFrom` to check it can provide credentials, which stops this plugin working if the plugin needing credentials hasn't loaded Trilead from the same classloader (currently core). Since nothing in Jenkins core actually needs Trilead or the supporting classes that have been added to core for it, the logical change would be # Copy the Trilead library and supporting classes into a plugin # Update plugins that require Trilead so they depend on this new plugin # Remove Trilead from the core and bundle the new Trilead plugin as a detached plugin More plugins will be added to the components list for this issue as investigation is performed into what plugins depend on Trilead. Some plugins may be updated to remove references to Trilead classes where they're only using utility methods from Trilead, such as Base64 methods and `IOUtils.closeQuitely`. Current changes required: ||Component||Changes||PR Raised||PR Merged||Change Released|| |Jenkins Core (Phase 1)| # Replace Trilead Base64 references with java.util.Base64 references (various classes) # Replace Trilead MD5 reference with MessageDigest.getInstance("MD5") (ConsistentHash.java)|Yes|Yes|Yes| |Jenkins Core (Phase 2)| # Move SFTP client into Trilead plugin and remove from core # Update sshd-module and ssh-cli-module dependencies to latest version # Remove Trilead dependency from core # Set Trilead dependency in CLI project to 'optional' to prevent core visibility # Set Trilead API Plugin as a detached plugin|Yes|Yes|Yes| |Token Macro Plugin|Remove unused import to com.trilead.ssh2.crypto.digest.MAC from JobDescriptionMacro|[Yes|https://github.com/jenkinsci/token-macro-plugin/pull/29]|Yes|Yes| |SSHD Module| # Upgrade SSH CLI Module dependency to a new version (1.2 or above) # Remove direct references to Trilead classes, instead using SSH CLI Auth Module's key comparison functionality found in newer versions|[Yes|https://github.com/jenkinsci/ssh-cli-auth-module/pull/5]|Yes|Yes| |SSH CLI Auth Module| # Replace reference to Trilead Base64 with one from Hudson Remoting (could potentially use java.util.Base64, but would required bump to Java 8 which I'm not planning on doing) # Replace reference to Trilead TypesWriter in PublicKeySignatureWriter with a simple PEM writer (only need to support BigInteger, String, int, and byte arrays)|[Yes|https://github.com/jenkinsci/ssh-cli-auth-module/pull/5]|No|No| |Credentials Plugin|Replace references to Trilead Base64 in CertificateCredentialsImpl.java with hudson.remoting.Base64|[Yes|https://github.com/jenkinsci/credentials-plugin/pull/84/files]|Yes|Yes| |Trilead API Plugin|Create new plugin containing Trilead library from Jenkins core and release it to update centre|Yes|Yes|Yes| *Other changed to be confirmed* |
| Description |
Jenkins core currently bundles version 8 of the Jenkins fork of Trilead to provide SSH client functionality. Multiple plugins depend on this provision to utilize Trilead classes, so don't bundle Trilead directly. A new version of Trilead has recently been released containing a number of security enhancements (strong MAC algorithms, strong key exchange methods, curve based cryptographic keys etc), but this requires one of the following: # Jenkins core to update the bundled Trilead library. This means anyone using the weekly release from the point we include a new bundled library gets the new features, but users who only upgrade plugins or who are on an LTS release are stuck with an old Trilead version # Any plugin that wants hardened SSH capabilities bundles Trilead directly, but then potentially breaks functionality shared between plugins: SSH credentials uses `Class.isAssignableFrom` to check it can provide credentials, which stops this plugin working if the plugin needing credentials hasn't loaded Trilead from the same classloader (currently core). Since nothing in Jenkins core actually needs Trilead or the supporting classes that have been added to core for it, the logical change would be # Copy the Trilead library and supporting classes into a plugin # Update plugins that require Trilead so they depend on this new plugin # Remove Trilead from the core and bundle the new Trilead plugin as a detached plugin More plugins will be added to the components list for this issue as investigation is performed into what plugins depend on Trilead. Some plugins may be updated to remove references to Trilead classes where they're only using utility methods from Trilead, such as Base64 methods and `IOUtils.closeQuitely`. Current changes required: ||Component||Changes||PR Raised||PR Merged||Change Released|| |Jenkins Core (Phase 1)| # Replace Trilead Base64 references with java.util.Base64 references (various classes) # Replace Trilead MD5 reference with MessageDigest.getInstance("MD5") (ConsistentHash.java)|Yes|Yes|Yes| |Jenkins Core (Phase 2)| # Move SFTP client into Trilead plugin and remove from core # Update sshd-module and ssh-cli-module dependencies to latest version # Remove Trilead dependency from core # Set Trilead dependency in CLI project to 'optional' to prevent core visibility # Set Trilead API Plugin as a detached plugin|Yes|Yes|Yes| |Token Macro Plugin|Remove unused import to com.trilead.ssh2.crypto.digest.MAC from JobDescriptionMacro|[Yes|https://github.com/jenkinsci/token-macro-plugin/pull/29]|Yes|Yes| |SSHD Module| # Upgrade SSH CLI Module dependency to a new version (1.2 or above) # Remove direct references to Trilead classes, instead using SSH CLI Auth Module's key comparison functionality found in newer versions|[Yes|https://github.com/jenkinsci/ssh-cli-auth-module/pull/5]|Yes|Yes| |SSH CLI Auth Module| # Replace reference to Trilead Base64 with one from Hudson Remoting (could potentially use java.util.Base64, but would required bump to Java 8 which I'm not planning on doing) # Replace reference to Trilead TypesWriter in PublicKeySignatureWriter with a simple PEM writer (only need to support BigInteger, String, int, and byte arrays)|[Yes|https://github.com/jenkinsci/ssh-cli-auth-module/pull/5]|No|No| |Credentials Plugin|Replace references to Trilead Base64 in CertificateCredentialsImpl.java with hudson.remoting.Base64|[Yes|https://github.com/jenkinsci/credentials-plugin/pull/84/files]|Yes|Yes| |Trilead API Plugin|Create new plugin containing Trilead library from Jenkins core and release it to update centre|Yes|Yes|Yes| *Other changed to be confirmed* |
Jenkins core currently bundles version 8 of the Jenkins fork of Trilead to provide SSH client functionality. Multiple plugins depend on this provision to utilize Trilead classes, so don't bundle Trilead directly. A new version of Trilead has recently been released containing a number of security enhancements (strong MAC algorithms, strong key exchange methods, curve based cryptographic keys etc), but this requires one of the following: # Jenkins core to update the bundled Trilead library. This means anyone using the weekly release from the point we include a new bundled library gets the new features, but users who only upgrade plugins or who are on an LTS release are stuck with an old Trilead version # Any plugin that wants hardened SSH capabilities bundles Trilead directly, but then potentially breaks functionality shared between plugins: SSH credentials uses `Class.isAssignableFrom` to check it can provide credentials, which stops this plugin working if the plugin needing credentials hasn't loaded Trilead from the same classloader (currently core). Since nothing in Jenkins core actually needs Trilead or the supporting classes that have been added to core for it, the logical change would be # Copy the Trilead library and supporting classes into a plugin # Update plugins that require Trilead so they depend on this new plugin # Remove Trilead from the core and bundle the new Trilead plugin as a detached plugin More plugins will be added to the components list for this issue as investigation is performed into what plugins depend on Trilead. Some plugins may be updated to remove references to Trilead classes where they're only using utility methods from Trilead, such as Base64 methods and `IOUtils.closeQuitely`. Current changes required: ||Component||Changes||PR Raised||PR Merged||Change Released|| |Jenkins Core (Phase 1)| # Replace Trilead Base64 references with java.util.Base64 references (various classes) # Replace Trilead MD5 reference with MessageDigest.getInstance("MD5") (ConsistentHash.java)|Yes|Yes|Yes| |Jenkins Core (Phase 2)| # Move SFTP client into Trilead plugin and remove from core # Update sshd-module and ssh-cli-module dependencies to latest version # Remove Trilead dependency from core # Set Trilead dependency in CLI project to 'optional' to prevent core visibility # Set Trilead API Plugin as a detached plugin|Yes|Yes|Yes| |Token Macro Plugin|Remove unused import to com.trilead.ssh2.crypto.digest.MAC from JobDescriptionMacro|[Yes|https://github.com/jenkinsci/token-macro-plugin/pull/29]|Yes|Yes| |SSHD Module| # Upgrade SSH CLI Module dependency to a new version (1.2 or above) # Remove direct references to Trilead classes, instead using SSH CLI Auth Module's key comparison functionality found in newer versions|[Yes|https://github.com/jenkinsci/ssh-cli-auth-module/pull/5]|Yes|Yes| |SSH CLI Auth Module| # Replace reference to Trilead Base64 with one from Hudson Remoting (could potentially use java.util.Base64, but would required bump to Java 8 which I'm not planning on doing) # Replace reference to Trilead TypesWriter in PublicKeySignatureWriter with a simple PEM writer (only need to support BigInteger, String, int, and byte arrays)|[Yes|https://github.com/jenkinsci/ssh-cli-auth-module/pull/5]|Yes|Yes| |Credentials Plugin|Replace references to Trilead Base64 in CertificateCredentialsImpl.java with hudson.remoting.Base64|[Yes|https://github.com/jenkinsci/credentials-plugin/pull/84/files]|Yes|Yes| |Trilead API Plugin|Create new plugin containing Trilead library from Jenkins core and release it to update centre|Yes|Yes|Yes| *Other changed to be confirmed* |
| Status | Fixed but Unreleased [ 10203 ] | Resolved [ 5 ] |
dicomj23 Could you open a new issue? and there put the Jenkins Core version, ssh-slaves, and git-client plugin you use
Dicom J
added a comment - ifernandezcalvo, you've got it https://issues.jenkins-ci.org/browse/JENKINS-59676. Please find "Environment" section for the details about Jenkins version, plugins and theirs dependencies in square brackets.
Dicom J
added a comment - ifernandezcalvo , you've got it https://issues.jenkins-ci.org/browse/JENKINS-59676 . Please find "Environment" section for the details about Jenkins version, plugins and theirs dependencies in square brackets. Dicom J
made changes -
| Comment |
[ [~oleg_nenashev], with that amount of plugins {code:java} configuration-as-code-support:latest configuration-as-code:latest credentials-binding:latest docker-workflow:latest filesystem_scm:latest git:latest pipeline-model-definition:latest pipeline-utility-steps:latest ssh-agent:latest ssh-steps:latest workflow-cps:latest ws-cleanup:latest{code} all having latest, today I've got something like `java.lang.ClassNotFoundException: org.kohsuke.putty.PuTTYKey` on scm step {code:java} java.lang.ClassNotFoundException: org.kohsuke.putty.PuTTYKey at jenkins.util.AntClassLoader.findClassInComponents(AntClassLoader.java:1383) at jenkins.util.AntClassLoader.findClass(AntClassLoader.java:1336) at jenkins.util.AntClassLoader.loadClass(AntClassLoader.java:1083) at java.lang.ClassLoader.loadClass(ClassLoader.java:357) Caused: java.lang.NoClassDefFoundError: org/kohsuke/putty/PuTTYKey at com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey.getPrivateKeys(BasicSSHUserPrivateKey.java:174) at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.createSshKeyFile(CliGitAPIImpl.java:1878) at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandWithCredentials(CliGitAPIImpl.java:1793) at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.access$500(CliGitAPIImpl.java:78) at org.jenkinsci.plugins.gitclient.CliGitAPIImpl$1.execute(CliGitAPIImpl.java:545) at org.jenkinsci.plugins.gitclient.CliGitAPIImpl$2.execute(CliGitAPIImpl.java:758) at hudson.plugins.git.GitSCM.retrieveChanges(GitSCM.java:1152) at hudson.plugins.git.GitSCM.checkout(GitSCM.java:1192) at org.jenkinsci.plugins.workflow.steps.scm.SCMStep.checkout(SCMStep.java:124) at org.jenkinsci.plugins.workflow.steps.scm.SCMStep$StepExecutionImpl.run(SCMStep.java:93) at org.jenkinsci.plugins.workflow.steps.scm.SCMStep$StepExecutionImpl.run(SCMStep.java:80) at org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution.lambda$start$0(SynchronousNonBlockingStepExecution.java:47) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) {code} After explicitly adding trilead-api:latest to the list of plugins issue's gone. So something's wrong with dependencies ? ] |
Code changed in jenkins
User: Michael Clarke
Path:
src/main/java/org/jenkinsci/plugins/tokenmacro/impl/JobDescriptionMacro.java
http://jenkins-ci.org/commit/token-macro-plugin/9ad9f3b5528b684098366e3d991586dba941bc3d
Log:
JENKINS-43610Remove unnecessary Trilead class import (#29)