JENKINS-65159

Jenkins Git client plugin unbounded SSH Credentials Plugin dependency


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Not A Defect
    • Component/s: git-client-plugin
    • Labels:
      None
    • Environment:
      jenkins LTS 2.277.1

      Description

      Jenkins Git client plugin has in its pom a dependency on SSH credential but no version is specified.
      See https://github.com/jenkinsci/git-client-plugin/blob/master/pom.xml#L257-L260

      Currently that pulls 1.18.1 and that version is requiring Jenkins core 2.282+ which is not an LTS.

      My LTS 2.277.1 deployment is bricked until this is fixed.

      I downgraded the ssh-credentials dep to 1.17.4 but it will not start:

      java.io.IOException: Failed to load: Jenkins Git client plugin (3.6.0)
      
          Update required: SSH Credentials Plugin (1.17.4) to be updated to 1.18.1 or higher
      

          Activity

          markewaite Mark Waite added a comment -

          The ssh-credentials plugin 1.18.1 was released Jan 2020, 14 months ago. It requires Jenkins 2.190.1 or later per its pom at https://repo.jenkins-ci.org/releases/org/jenkins-ci/plugins/ssh-credentials/1.18.1/ssh-credentials-1.18.1.pom.

          The ssh-credentials plugin 1.18.2 requires Jenkins 2.282, but unless you're explicitly stating that you require 1.18.2, the plugin installation manager will not download 1.18.2 if it detects that you're running 2.277.1.

          The git client plugin pom file at https://repo.jenkins-ci.org/releases/org/jenkins-ci/plugins/git-client/3.6.0/git-client-3.6.0.pom lists the version number of the dependencies required. It uses the plugin bill of materials (bom) to simplify dependency management and allow others to do the hard work of assuring that compatible versions are selected.

          The git client plugin dependency on ssh-credentials 1.18.1 is correct and is in use in thousands of installations.

          sbeaulie Samuel Beaulieu added a comment -

          It did pull 1.18.2 and I manually reverted to 1.17.4 which I now see is a mistake. I'll try 1.18.1.

          Any known reasons why it would pull a dependency that is not compatible with the core version?

          Thanks for the quick response.

          markewaite Mark Waite added a comment - - edited

          If you're using plugin installation manager tool to retrieve the versions, it has an unexpected default behavior for dependency version retrieval. At least, it was unexpected to me.

          Without the --latest false argument to plugin installation manager tool, it retrieves the most recent version of a dependency, even if the dependency is already mentioned in the plugins.txt file at an earlier version. See my comment and the reply from Tim Jacomb that points to a good discussion and proposed solution.

          If you're using install-plugins.sh, then the best answer is to switch to use plugin installation manager.
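
The failure discussed in this thread (a dependency newer than the running core accepts, or older than a dependent plugin requires) can be caught before Jenkins starts. The following is an added example, not part of the thread or of any Jenkins project code: it reads the `Short-Name`, `Plugin-Version`, `Jenkins-Version` and `Plugin-Dependencies` attributes that plugin manifests carry and reports conflicts. The function names are hypothetical, and the manifests are constructed samples whose core values for git-client 3.6.0 and ssh-credentials 1.17.4 are made up.

```python
# Added example: pre-flight check of a plugin set against a Jenkins core version.
def vtuple(v):
    # Plain dotted numeric versions only (2.277.1, 1.18.2); qualifiers not handled.
    return tuple(int(p) for p in v.split("."))

def parse_manifest(text):
    attrs, key = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and key:      # MANIFEST.MF continuation line
            attrs[key] += line[1:]
        elif ": " in line:
            key, val = line.split(": ", 1)
            attrs[key] = val
    deps = {}
    for item in filter(None, attrs.get("Plugin-Dependencies", "").split(",")):
        name, rest = item.split(":", 1)
        version, _, opts = rest.partition(";")
        if "resolution:=optional" not in opts:   # optional deps need not be present
            deps[name] = version
    return {"name": attrs["Short-Name"], "version": attrs["Plugin-Version"],
            "core": attrs["Jenkins-Version"], "deps": deps}

def check(core, manifests):
    plugins = {p["name"]: p for p in map(parse_manifest, manifests)}
    problems = []
    for p in plugins.values():
        label = f"{p['name']} {p['version']}"
        if vtuple(p["core"]) > vtuple(core):
            problems.append(f"{label} needs core {p['core']}, running {core}")
        for dep, need in p["deps"].items():
            have = plugins.get(dep)
            if have is None:
                problems.append(f"{label} needs {dep} {need}, not installed")
            elif vtuple(have["version"]) < vtuple(need):
                problems.append(f"{label} needs {dep} {need}, found {have['version']}")
    return problems

def manifest(name, version, core, deps=""):
    # Builds constructed sample input in manifest form.
    return (f"Short-Name: {name}\nPlugin-Version: {version}\n"
            f"Jenkins-Version: {core}\nPlugin-Dependencies: {deps}\n")

# Constructed samples. Dependency and ssh-credentials 1.18.x core values follow the
# thread; the core values for git-client 3.6.0 and ssh-credentials 1.17.4 are made up.
GIT_CLIENT = manifest("git-client", "3.6.0", "2.204.1", "ssh-credentials:1.18.1")
SSH_1_17_4 = manifest("ssh-credentials", "1.17.4", "2.190.1")
SSH_1_18_1 = manifest("ssh-credentials", "1.18.1", "2.190.1")
SSH_1_18_2 = manifest("ssh-credentials", "1.18.2", "2.282")

if __name__ == "__main__":
    for ssh in (SSH_1_17_4, SSH_1_18_1, SSH_1_18_2):
        print(check("2.277.1", [GIT_CLIENT, ssh]) or "compatible")
```

Run against core 2.277.1, the 1.17.4 set reproduces the "update required" condition from the report, the 1.18.2 set is flagged for its core requirement, and the 1.18.1 set passes.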

          sbeaulie Samuel Beaulieu added a comment -

          I used the UI, which for most cases has been able to handle transient dependencies properly. I will look into plugin installation manager tool.


            People

            Assignee:
            markewaite Mark Waite
            Reporter:
            sbeaulie Samuel Beaulieu