
chore: backporting 2.440.3 #9113

Merged

Conversation

krisstern
Member

@krisstern krisstern commented Apr 2, 2024

Latest core version: jenkins-2.448

Postponed
---------

JENKINS-68631           Minor                   2.446
        Hovering over stuck builds hides the progress bar (regression in 2.21)
        regression
        https://issues.jenkins.io/browse/JENKINS-68631

Fixed
-----

JENKINS-72954           Minor                   2.452, 2.440.3
        Update Mina SSH to 2.12.1 in Jenkins CLI
        https://issues.jenkins.io/browse/JENKINS-72954

JENKINS-72900           Minor                   2.450, 2.440.3
        Update Spring Security to 5.8.11 and Spring Framework to 5.3.33
        https://issues.jenkins.io/browse/JENKINS-72900

JENKINS-72856           Minor                   2.449, 2.440.3
        Update bundled trilead-api to 2.84.86.vf9c960e9b_458
        https://issues.jenkins.io/browse/JENKINS-72856

JENKINS-72799           Minor                   2.448, 2.440.3
        ConsoleLogFilter is not applied to all SlaveComputer logging
        https://issues.jenkins.io/browse/JENKINS-72799

JENKINS-72796           Minor                   2.449, 2.440.3
        Computer.threadPoolForRemoting can be poisoned by bad code
        https://issues.jenkins.io/browse/JENKINS-72796

Submitter checklist

  1. The Jira issue, if it exists, is well-described.
  2. The changelog entries and upgrade guidelines are appropriate for the audience affected by the change (users or developers, depending on the change) and are in the imperative mood (see examples). Fill in the Proposed upgrade guidelines section only if there are breaking changes or changes that may require extra steps from users during upgrade.
  3. There is automated testing or an explanation as to why this change has no tests.
  4. New public classes, fields, and methods are annotated with @Restricted or have @since TODO Javadocs, as appropriate.
  5. New deprecations are annotated with @Deprecated(since = "TODO") or @Deprecated(forRemoval = true, since = "TODO"), if applicable.
  6. New or substantially changed JavaScript is not defined inline and does not call eval to ease future introduction of Content Security Policy (CSP) directives (see documentation).
  7. For dependency updates, there are links to external changelogs and, if possible, full differentials.
  8. For new APIs and extension points, there is a link to at least one consumer.

Before the changes are marked as ready-for-merge:

Maintainer checklist

  1. There are at least two (2) approvals for the pull request and no outstanding requests for change.
  2. Conversations in the pull request are over, or it is explicit that a reviewer is not blocking the change.
  3. Changelog entries in the pull request title and/or Proposed changelog entries are accurate, human-readable, and in the imperative mood.
  4. Proper changelog labels are set so that the changelog can be generated automatically.
  5. If the change needs additional upgrade steps from users, the upgrade-guide-needed label is set and there is a Proposed upgrade guidelines section in the pull request title (see example).
  6. If it would make sense to backport the change to LTS, a Jira issue must exist, be a Bug or Improvement, and be labeled as lts-candidate to be considered (see query).

@github-actions github-actions bot added the into-lts This PR is filed against an LTS branch label Apr 2, 2024
@krisstern krisstern changed the title Feat/stable 2.440/backporting 2.440.3 feat: backporting 2.440.3 Apr 2, 2024
@daniel-beck
Member

daniel-beck commented Apr 2, 2024

JENKINS-69113 / 47ac4a9 seems a bit much as a backport. While it fixes a regression it's not a recent one and not the core purpose of the change, so IMO we can live without it for another month. Thoughts?

@basil
Member

basil commented Apr 2, 2024

I think it will be important to backport the Mina SSHD detached plugin changes to make the scanners happy. Rather than try to figure out how to do a minimal backport, I would recommend simply backporting all bundled plugin updates from trunk. While this includes more than just security fixes, it is tested in the latest weekly and should be safer than an untested surgical/minimal backport in my opinion.

@krisstern krisstern requested a review from timja April 3, 2024 20:05
@timja
Member

timja commented Apr 4, 2024

> JENKINS-69113 / 47ac4a9 seems a bit much as a backport. While it fixes a regression it's not a recent one and not the core purpose of the change, so IMO we can live without it for another month. Thoughts?

I agree I think this can be dropped unless anyone has strong opinions on it.

daniel-beck and others added 6 commits April 4, 2024 19:18
Co-authored-by: Daniel Beck <daniel-beck@users.noreply.github.com>
(cherry picked from commit 3a07440)
…Remoting (jenkinsci#9012)

* [JENKINS-72796] stable context classloader for Computer.threadPoolForRemoting

Whilst the threadpool used reset the context classloader at the end of
any task, it did not ensure that the initial classloader used was
anything specific, rather it would use whatever the calling thread's
contextClassLoader was.

This is now fixed as we use the Jenkins WebApp classloader (same as
the Timer) which is used by (A)PeriodicTasks.

Whilst we should really not have a context classloader (aka null) and
this should be set where needed by code, almost everywhere in Jenkins
the context classloader is already the webapp classloader, and so
setting this to be different depending on how things were called would
seemingly be a little scary.  Arguably this and other context
classloaders should be all set to null and any code that wants different
should be changed, but this is a larger piece of work that would have
potential impact on an unknown number of plugins in the ecosystem, so
this fix uses what was set > 90% of the time.

* Update core/src/test/java/hudson/model/ComputerTest.java

---------

Co-authored-by: Tim Jacomb <21194782+timja@users.noreply.github.com>
(cherry picked from commit 89195cc)
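To illustrate the classloader-pinning idea the commit message above describes (an added example, not Jenkins' own code from jenkinsci#9012): a hypothetical `PinnedClassLoaderPool` wrapper sets one fixed context classloader on task entry and restores the previous one on exit, while a plain `Executors.newCachedThreadPool()` worker simply inherits whatever loader the submitting thread carried when the worker was first created. The `rogue` URLClassLoader is constructed here as a stand-in for a loader the pool should never run under.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.util.concurrent.*;

/** Hypothetical pool: every task runs under one fixed context classloader. */
public final class PinnedClassLoaderPool {
    private final ClassLoader pinned;
    private final ExecutorService delegate = Executors.newCachedThreadPool();

    public PinnedClassLoaderPool(ClassLoader pinned) {
        this.pinned = pinned;
    }

    /** Set the pinned loader on entry and restore the previous one on exit. */
    public <T> Future<T> submit(Callable<T> task) {
        return delegate.submit(() -> {
            Thread t = Thread.currentThread();
            ClassLoader previous = t.getContextClassLoader();
            t.setContextClassLoader(pinned);
            try {
                return task.call();
            } finally {
                t.setContextClassLoader(previous);
            }
        });
    }

    public void shutdown() { delegate.shutdown(); }

    public static void main(String[] args) throws Exception {
        ClassLoader webApp = PinnedClassLoaderPool.class.getClassLoader();
        // Constructed stand-in for a loader the pool should never run under.
        ClassLoader rogue = new URLClassLoader(new URL[0], webApp);
        ExecutorService naive = Executors.newCachedThreadPool();
        PinnedClassLoaderPool pinnedPool = new PinnedClassLoaderPool(webApp);
        Callable<ClassLoader> probe = () -> Thread.currentThread().getContextClassLoader();

        // The first submit creates the worker thread, which inherits the
        // submitter's context classloader; a naive pool then keeps using it.
        Thread.currentThread().setContextClassLoader(rogue);
        boolean naiveInherited = naive.submit(probe).get() == rogue;
        boolean pinnedInherited = pinnedPool.submit(probe).get() == rogue;
        Thread.currentThread().setContextClassLoader(webApp);

        System.out.println("naive pool ran under submitter's loader:  " + naiveInherited);
        System.out.println("pinned pool ran under submitter's loader: " + pinnedInherited);
        naive.shutdown();
        pinnedPool.shutdown();
    }
}
```

Run with `java PinnedClassLoaderPool.java` (JDK 11 or later); the naive pool reports that its worker ran under the submitter's loader, the pinned pool does not.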
…enkinsci#9042)

Bumps [org.springframework:spring-framework-bom](https://github.com/spring-projects/spring-framework) from 5.3.32 to 5.3.33.
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](spring-projects/spring-framework@v5.3.32...v5.3.33)

---
updated-dependencies:
- dependency-name: org.springframework:spring-framework-bom
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
(cherry picked from commit e9923d3)
…5.8.11 (jenkinsci#9047)

Bump org.springframework.security:spring-security-bom

Bumps [org.springframework.security:spring-security-bom](https://github.com/spring-projects/spring-security) from 5.8.10 to 5.8.11.
- [Release notes](https://github.com/spring-projects/spring-security/releases)
- [Changelog](https://github.com/spring-projects/spring-security/blob/main/RELEASE.adoc)
- [Commits](spring-projects/spring-security@5.8.10...5.8.11)

---
updated-dependencies:
- dependency-name: org.springframework.security:spring-security-bom
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
(cherry picked from commit 4666cae)
Bump Mina to 2.12.1

Co-authored-by: Daniel Beck <daniel-beck@users.noreply.github.com>
Co-authored-by: Mark Waite <mark.earl.waite@gmail.com>
(cherry picked from commit 5e6387a)
@krisstern krisstern force-pushed the feat/stable-2.440/backporting-2.440.3 branch from 5b4427a to f25c5d0 April 4, 2024 11:18
@krisstern
Member Author

No problem, just dropped JENKINS-69113 / 47ac4a9 from the LTS

@krisstern krisstern changed the title feat: backporting 2.440.3 chore: backporting 2.440.3 Apr 4, 2024
@basil basil left a comment


Since both @krisstern and @NotMyFault reacted with a thumbs up emoji to #9113 (comment), and nobody had any feedback against it, I have implemented this in commit 387f5a6, tested the same way as #9091. With that having been addressed, the scanners should be happy with everything we are bundling and therefore I am approving this PR.

@basil basil merged commit ef340a4 into jenkinsci:stable-2.440 Apr 4, 2024
4 of 5 checks passed
@krisstern krisstern deleted the feat/stable-2.440/backporting-2.440.3 branch April 4, 2024 19:21