
Jenkins Git client plugin unbounded SSH Credentials Plugin dependency

    • Type: Bug
    • Resolution: Not A Defect
    • Priority: Major
    • git-client-plugin
    • None
    • jenkins LTS 2.277.1

      Jenkins Git client plugin has in its pom a dependency on SSH credential but no version is specified.
      see https://github.com/jenkinsci/git-client-plugin/blob/master/pom.xml#L257-L260

      Currently that pulls 1.18.1 and that version is requiring jenkins core 2.282+ which is not an LTS.

      My LTS 2.277.1 deployment is bricked until this is fixed.

      I downgraded the ssh-credentials dep to 1.17.4 but it will not start:

      java.io.IOException: Failed to load: Jenkins Git client plugin (3.6.0)
      
          Update required: SSH Credentials Plugin (1.17.4) to be updated to 1.18.1 or higher
      

          [JENKINS-65159] Jenkins Git client plugin unbounded SSH Credentials Plugin dependency

          Mark Waite added a comment -

          The ssh-credentials plugin 1.18.1 was released Jan 2020, 14 months ago. It requires Jenkins 2.190.1 or later per its pom at https://repo.jenkins-ci.org/releases/org/jenkins-ci/plugins/ssh-credentials/1.18.1/ssh-credentials-1.18.1.pom.

          The ssh-credentials plugin 1.18.2 requires Jenkins 2.282, but unless you're explicitly stating that you require 1.18.2, the plugin installation manager will not download 1.18.2 if it detects that you're running 2.277.1.

          The git client plugin pom file at https://repo.jenkins-ci.org/releases/org/jenkins-ci/plugins/git-client/3.6.0/git-client-3.6.0.pom lists the version number of the dependencies required. It uses the plugin bill of materials (bom) to simplify dependency management and allow others to do the hard work of assuring that compatible versions are selected.

          The git client plugin dependency on ssh-credentials 1.18.1 is correct and is in use in thousands of installations.


          Samuel Beaulieu added a comment -

          It did pull 1.18.2 and I manually reverted to 1.17.4 which I now see is a mistake. I'll try 1.18.1.

          Any known reasons why it would pull a dependency that is not compatible with core version?

          Thanks for the quick response.

          Mark Waite added a comment - - edited

          If you're using plugin installation manager tool to retrieve the versions, it has an unexpected default behavior for dependency version retrieval. At least, it was unexpected to me.

          Without the --latest false argument to plugin installation manager tool, it retrieves the most recent version of a dependency, even if the dependency is already mentioned in the plugins.txt file at an earlier version. See my comment and the reply from Tim Jacomb that points to a good discussion and proposed solution.

          If you're using install-plugins.sh, then the best answer is to switch to use plugin installation manager.


          Samuel Beaulieu added a comment -

          I used the UI, which for most cases has been able to handle transient dependencies properly. I will look into plugin installation manager tool.
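
          The two failure modes discussed in this thread (a dependency older than the plugin needs, and a dependency newer than the core supports) can be checked before deployment. The following is an added example, not code from the Jenkins project or from the commenters: `Plugin`, `check`, `vkey` and `mandatory_deps` are hypothetical names, the fields mirror the `Jenkins-Version` and `Plugin-Dependencies` manifest attributes, and the version comparison is simplified to plain dotted numbers.

```python
from dataclasses import dataclass
from typing import Optional

def vkey(version):
    """'2.277.1' -> (2, 277, 1); handles plain dotted numeric versions only."""
    return tuple(int(part) for part in version.split("."))

@dataclass
class Plugin:
    name: str
    version: str
    core: Optional[str]  # Jenkins-Version manifest attribute (minimum core)
    deps: str = ""       # Plugin-Dependencies attribute: "name:minVersion,..."

def mandatory_deps(deps):
    """Yield (name, minimum version), skipping ';resolution:=optional' entries."""
    for entry in filter(None, deps.split(",")):
        spec, _, flags = entry.partition(";")
        if "resolution:=optional" not in flags:
            name, _, minimum = spec.partition(":")
            yield name.strip(), minimum.strip()

def check(core, plugins):
    """Return every reason this plugin set would fail to load on `core`."""
    installed = {p.name: p for p in plugins}
    problems = []
    for p in plugins:
        if p.core and vkey(p.core) > vkey(core):
            problems.append(f"{p.name} {p.version} requires Jenkins {p.core}, running {core}")
        for name, minimum in mandatory_deps(p.deps):
            dep = installed.get(name)
            if dep is None:
                problems.append(f"{p.name} {p.version} requires {name} {minimum}, not installed")
            elif vkey(dep.version) < vkey(minimum):
                problems.append(f"{p.name} {p.version} requires {name} {minimum}, found {dep.version}")
    return problems

# Constructed records using the versions quoted in the thread. The core
# requirement of git-client 3.6.0 is not stated there, so it is left unset.
GIT_CLIENT = Plugin("git-client", "3.6.0", None, "ssh-credentials:1.18.1")
SSH_1_17_4 = Plugin("ssh-credentials", "1.17.4", None)
SSH_1_18_1 = Plugin("ssh-credentials", "1.18.1", "2.190.1")
SSH_1_18_2 = Plugin("ssh-credentials", "1.18.2", "2.282")

if __name__ == "__main__":
    for ssh in (SSH_1_17_4, SSH_1_18_1, SSH_1_18_2):
        print(ssh.version, check("2.277.1", [GIT_CLIENT, ssh]) or "OK")
```

          Run against a pinned plugin list in CI, a check like this fails the build before an incompatible set reaches the controller.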

            markewaite Mark Waite
            sbeaulie Samuel Beaulieu