-
Bug
-
Resolution: Fixed
-
Critical
-
Jenkins 2.46.2 and Jenkins 2.60.1
Our Jenkins is set up to automatically install the newest plugin version on startup. Since the release of cradle-plugin 1.27 last week we're getting endless automatic updates of the gradle plugin with constant restarts. Since there were no other significant errors I suspect a problem with the version set in the plugin vs. the repository.
Pinning the version of the gradle-plugin to 1.26 solved the issue but should only be a temporary fix.
[JENKINS-45126] Gradle plugin 1.27 declares a snapshot version
Nick Walke
added a comment - Updated today and seeing the same versioning issue: 1.27-SNAPSHOT (private-06/23/2017 09:49-wolf)
Nick Walke
added a comment - Updated today and seeing the same versioning issue: 1.27-SNAPSHOT (private-06/23/2017 09:49-wolf) jglick or some other CloudBees person: Is this a malicious plugin? Is this a security issue? Should we be concerned?
I would have thought all the plugins being built by Jenkins would prevent this from ever happening?
Sounds like gradle-jpi-plugin has a bug, and the 1.27 release was corrupted.
CloudBees person
It's not clear to me how CloudBees is involved here. The plugin is maintained by someone else, and the Jenkins project is independent. CloudBees (my employer) is just a major contributor to the Jenkins project.
Is this a malicious plugin? Is this a security issue? Should we be concerned?
Likely not; wolfs is a long time contributor and has maintained the plugin for over a year.
I would have thought all the plugins being built by Jenkins would prevent this from ever happening?
Plugins are released by their maintainers, in this case wolfs, typically through maven-release-plugin. Not sure what you mean here.
Proposed blacklisting of 1.27 at https://github.com/jenkins-infra/backend-update-center2/pull/154
Daniel Spilker
added a comment - danielbeck jglick I did 5 job-dsl releases with the current version of gradle-jpi-plugin without problems, so I don't think that it's a fundamental issue. I noticed the wolfs did an upgrade to Gradle 4.0 before releasing 1.27. I never tested 4.0. Maybe something is incompatible. Looks like the manifest has not been recreated after changing the version. Please file an issue for gradle-jpi-plugin is the problem is reproducible.
Daniel Spilker
added a comment - danielbeck jglick I did 5 job-dsl releases with the current version of gradle-jpi-plugin without problems, so I don't think that it's a fundamental issue. I noticed the wolfs did an upgrade to Gradle 4.0 before releasing 1.27. I never tested 4.0. Maybe something is incompatible. Looks like the manifest has not been recreated after changing the version. Please file an issue for gradle-jpi-plugin is the problem is reproducible. Plugins are released by their maintainers, in this case wolfs, typically through maven-release-plugin. Not sure what you mean here.
I was under the impression most (if not all) of the jenkins plugins were built on a Jenkins server owned by Cloudbees/Official-Jenkins. This seems to be the case here: https://ci.jenkins.io/blue/organizations/jenkins/Plugins%2Fgradle-plugin/activity
In my experience (which is probably not the case here) releases can only be done via the Jenkins system; not directly by developers.
Hence my concern: a -SNAPSHOT got released into the official plugin LTS list.
docwhat some clarifications:
I was under the impression most (if not all) of the jenkins plugins were built on a Jenkins server owned by Cloudbees/Official-Jenkins. This seems to be the case here: https://ci.jenkins.io/blue/organizations/jenkins/Plugins%2Fgradle-plugin/activity
Yes, pull-request testing is generally provided by the the Jenkins Project infrastructure. And it got opened to full Jenkins Pipeline usage even more recently. Unrelated to releases.
In my experience (which is probably not the case here) releases can only be done via the Jenkins system; not directly by developers.
That's it indeed, not the case here for the Jenkins Project. 99 to 100% of Jenkins and Jenkins plugins releases are done from the developer's machine.
Hence my concern: a -SNAPSHOT got released into the official plugin LTS list.
Probably nit-picking, but clarifying for future reference/readers: there's nothing really such as a "official plugin LTS list".
Shortly, again: releases are done independently from the maintainer, ~100% released from their machines. That is then processed by the Jenkins infra in a handful of hours to regenerate/update https://updates.jenkins.io/current/update-center.json, and that file is downloaded every few hours by Jenkins instances in the world (generally through mirrors), and new releases are then presented to users. That's it.
Note: again, I'm just posting here for future ref if people wonder about your message. If you have more general questions/concerns, please better take them to the dev list, not here.
I appreciate it batmat. From the outside (and as someone who only contributes bug fixes, doc fixes, and bug reports) that wasn't obvious to me at all.
As I said above, I assumed that if it was in the jenkinsci org that it maintained through a Jenkins Project Jenkins server and other "blessed" processes.
Code changed in jenkins
User: Stefan Wolf
Path:
RELEASING.md
build.gradle
gradle.properties
http://jenkins-ci.org/commit/gradle-plugin/3663c35032833b099688b87eb8f73382846b6110
Log:
Add a safety net for releasing
1.27 was released with the wrong version in the jar/hpi manifest.
Let's make sure this does not ever happen again.
[FIXES JENKINS-45126]
Stefan Wolf
added a comment - I just released gradle-plugin version 1.27.1, this time with the right version in the manifest. Sorry for the confusion. It looks like the gradle-jpi plugin has some issues with incremental builds. These mostly stem from the fact that inputs (the manifests of the jar and the hpi file) are changed within a doFirst, which is not captured by Gradle's up-to-date checks which happen before execution. I added above workaround to the gradle-plugin. If I have time I will have a closer look at the gradle-jpi-plugin and see if there is a better fix.
gamma: Please check if this issue is now resolved for you and sorry for the problems caused by this release.
Stefan Wolf
added a comment - I just released gradle-plugin version 1.27.1, this time with the right version in the manifest. Sorry for the confusion. It looks like the gradle-jpi plugin has some issues with incremental builds. These mostly stem from the fact that inputs (the manifests of the jar and the hpi file) are changed within a doFirst , which is not captured by Gradle's up-to-date checks which happen before execution. I added above workaround to the gradle-plugin. If I have time I will have a closer look at the gradle-jpi-plugin and see if there is a better fix.
gamma : Please check if this issue is now resolved for you and sorry for the problems caused by this release. Code changed in jenkins
User: Daniel Beck
Path:
src/main/resources/artifact-ignores.properties
http://jenkins-ci.org/commit/backend-update-center2/1af657ad4c8d06f7ec84a125773ea87c35b9266f
Log:
JENKINS-45126 Remove Gradle plugin 1.27
Code changed in jenkins
User: Daniel Beck
Path:
src/main/resources/artifact-ignores.properties
http://jenkins-ci.org/commit/backend-update-center2/d214dfcd99ed03fdce360f7ebc5c1fc0531dbb56
Log:
Merge pull request #154 from daniel-beck/JENKINS-45126
JENKINS-45126 Remove Gradle plugin 1.27
Compare: https://github.com/jenkins-infra/backend-update-center2/compare/25a90b616fdc...d214dfcd99ed
Daniel Spilker
added a comment - wolfs thanks for the analysis, I will fix incremental builds with gradle-jpi-plugin.
Daniel Spilker
added a comment - wolfs thanks for the analysis, I will fix incremental builds with gradle-jpi-plugin .
Stefan Wolf
added a comment - daspilker Thanks Daniel. I would be happy to review the PR when you are ready. Please @ mention me on Github.
Stefan Wolf
added a comment - daspilker Thanks Daniel. I would be happy to review the PR when you are ready. Please @ mention me on Github. Code changed in jenkins
User: Daniel Spilker
Path:
src/test/groovy/org/jenkinsci/gradle/plugins/jpi/JpiManifestSpec.groovy
http://jenkins-ci.org/commit/gradle-jpi-plugin/7b88919bee4399742c2907ca591da4255dd6d91e
Log:
added tests to reproduce JENKINS-45126
Code changed in jenkins
User: Daniel Spilker
Path:
CHANGELOG.md
src/main/groovy/org/jenkinsci/gradle/plugins/jpi/JpiPlugin.groovy
src/test/groovy/org/jenkinsci/gradle/plugins/jpi/JpiManifestSpec.groovy
http://jenkins-ci.org/commit/gradle-jpi-plugin/4c3b137381ad1a4e912fb67d59d5ba3e4c7b2170
Log:
Merge pull request #89 from daspilker/JENKINS-45126-2
JENKINS-45126 fixed incremental build
Compare: https://github.com/jenkinsci/gradle-jpi-plugin/compare/19252c966787...4c3b137381ad
It seems the cause of this is that the 1.27 plugin has 1.27-SNAPSHOT (private-06/23/2017 09:49-wolf) as its version number, but the update server reports that 1.27 is the latest version. Thus the mismatch causes the update loop.
If you are not auto-updating you can see this in the plugin manager where there is now always an update for Gradle pending.