
Gradle plugin 1.27 declares a snapshot version

    • Type: Bug
    • Resolution: Fixed
    • Priority: Critical
    • Component: gradle-plugin
    • Environment: Jenkins 2.46.2 and Jenkins 2.60.1

      Our Jenkins is set up to automatically install the newest plugin version on startup. Since the release of gradle-plugin 1.27 last week we're getting endless automatic updates of the gradle plugin with constant restarts. Since there were no other significant errors I suspect a problem with the version set in the plugin vs. the repository.

      Pinning the version of the gradle-plugin to 1.26 solved the issue but should only be a temporary fix.

          [JENKINS-45126] Gradle plugin 1.27 declares a snapshot version

          Gerry Weißbach created issue -

          Jeroen Bogers added a comment -

          It seems the cause of this is that the 1.27 plugin has 1.27-SNAPSHOT (private-06/23/2017 09:49-wolf) as its version number, but the update server reports that 1.27 is the latest version. Thus the mismatch causes the update loop.

          If you are not auto-updating you can see this in the plugin manager where there is now always an update for Gradle pending.


          Nick Walke added a comment -

          Updated today and seeing the same versioning issue: 1.27-SNAPSHOT (private-06/23/2017 09:49-wolf)


          Christian Höltje added a comment -

          jglick or some other CloudBees person: Is this a malicious plugin? Is this a security issue? Should we be concerned?

          I would have thought all the plugins being built by Jenkins would prevent this from ever happening?
          Christian Höltje made changes -
          Environment Original: Jenkins 2.46.2 New: Jenkins 2.46.2 and Jenkins 2.60.1

          Jesse Glick added a comment -

          Sounds like gradle-jpi-plugin has a bug, and the 1.27 release was corrupted.


          Daniel Beck added a comment - daspilker FYI

          Daniel Beck added a comment -

          "CloudBees person"

          It's not clear to me how CloudBees is involved here. The plugin is maintained by someone else, and the Jenkins project is independent. CloudBees (my employer) is just a major contributor to the Jenkins project.

          "Is this a malicious plugin? Is this a security issue? Should we be concerned?"

          Likely not; wolfs is a long time contributor and has maintained the plugin for over a year.

          "I would have thought all the plugins being built by Jenkins would prevent this from ever happening?"

          Plugins are released by their maintainers, in this case wolfs, typically through maven-release-plugin. Not sure what you mean here.


          Daniel Beck added a comment - This is wrong: https://repo.jenkins-ci.org/webapp/#/artifacts/browse/tree/ViewSource/releases/org/jenkins-ci/plugins/gradle/1.27/gradle-1.27.hpi!/META-INF/MANIFEST.MF (line 8)

          Daniel Beck added a comment - Proposed blacklisting of 1.27 at https://github.com/jenkins-infra/backend-update-center2/pull/154
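
The mismatch discussed in this thread (a released .hpi whose manifest declares a snapshot version while the update server advertises 1.27) can be checked before a plugin is installed or mirrored. The following is an added example, not code from the Jenkins project or from this issue; it assumes the declared version is read from the Plugin-Version attribute of META-INF/MANIFEST.MF, and the sample archive is constructed in memory.

```python
import io
import zipfile


def manifest_attributes(hpi_bytes):
    """Return the main-section attributes of META-INF/MANIFEST.MF in an .hpi (zip)."""
    with zipfile.ZipFile(io.BytesIO(hpi_bytes)) as archive:
        raw = archive.read("META-INF/MANIFEST.MF").decode("utf-8")
    attrs, key = {}, None
    for line in raw.splitlines():
        if not line:                        # blank line ends the main section
            break
        if line.startswith(" ") and key:    # continuation of a wrapped manifest line
            attrs[key] += line[1:]
        elif ": " in line:
            key, value = line.split(": ", 1)
            attrs[key] = value
    return attrs


def check_release(hpi_bytes, advertised_version):
    """List the problems found; an empty list means the artifact matches the index."""
    declared = manifest_attributes(hpi_bytes).get("Plugin-Version")
    if declared is None:
        return ["manifest has no Plugin-Version attribute"]
    problems = []
    if "SNAPSHOT" in declared:
        problems.append(f"snapshot version in a release artifact: {declared!r}")
    if declared != advertised_version:
        problems.append(f"declared {declared!r} != advertised {advertised_version!r}")
    return problems


def build_sample_hpi(manifest_text):
    """Build a constructed, in-memory .hpi holding only the given manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("META-INF/MANIFEST.MF", manifest_text)
    return buf.getvalue()


# Constructed manifest carrying the version string quoted in the comments above.
BAD_MANIFEST = ("Manifest-Version: 1.0\r\nShort-Name: gradle\r\n"
                "Plugin-Version: 1.27-SNAPSHOT (private-06/23/2017 09:49-wolf)\r\n\r\n")

if __name__ == "__main__":
    for problem in check_release(build_sample_hpi(BAD_MANIFEST), "1.27"):
        print("REJECT:", problem)
```

Running such a check against the version the update site advertises, before the file is installed, reports both the snapshot marker and the mismatch instead of leaving the plugin manager to re-download the plugin on every start.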

            Assignee: wolfs Stefan Wolf
            Reporter: gamma Gerry Weißbach
            Votes: 13
            Watchers: 19