Closed MarkEWaite closed 11 months ago
I built over 240 of the top 250 plugins with the settings.xml file listed later (using repo.jenkins-ci.org for the releases repository, the jgit repository, and the netbeans repository).
I had to download the jbcrypt library separately but other than that, I was able to build without running tests.
The repositories that did not build with those settings are:
One plugin (gradle-plugin) does not build with Maven, so I can't check it.
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
http://maven.apache.org/xsd/settings-1.0.0.xsd">
<pluginGroups>
<pluginGroup>org.jenkins-ci.tools</pluginGroup>
</pluginGroups>
<profiles>
<profile>
<id>jenkins</id>
<activation>
<activeByDefault>true</activeByDefault>
</activation>
<repositories>
<repository>
<id>repo.jenkins-ci.org</id>
<url>https://repo.jenkins-ci.org/releases/</url>
</repository>
<repository>
<id>jgit.repo.jenkins-ci.org</id>
<url>https://repo.jenkins-ci.org/jgit/</url>
</repository>
<repository>
<id>netbeans.repo.jenkins-ci.org</id>
<url>https://repo.jenkins-ci.org/netbeans/</url>
</repository>
</repositories>
<pluginRepositories>
<pluginRepository>
<id>repo.jenkins-ci.org</id>
<url>https://repo.jenkins-ci.org/releases/</url>
</pluginRepository>
</pluginRepositories>
</profile>
</profiles>
</settings>
@daniel-beck do you have a recommendation or a preference for the location where the org.connectbot.jbcrypt:jbcrypt:1.0.0 artifact from jcenter-cache should be placed? My first thought was to place it in the Jenkins releases repository because it is required for a Jenkins release and not available in our other repositories.
According to mvnrepository.com, that library is available from the Spring plugins repository and the Spring Lib M repository. The 1.0.1 and 1.0.2 versions of that library are available from repo.maven.apache.org, but the 1.0.0 version is not.
or update whatever is using 1.0.0 to a newer version?
My first thought was to place it in the Jenkins releases repository because it is required for a Jenkins release and not available in our other repositories.
That's an approach we've used in the past but would consider it mostly legacy from when just everything went into releases
(there are issues complaining about differences in artifacts in releases
vs. elsewhere, for example). Consider a new repo also added to the public
virtual repo (populate exclusively by copying from cache to that new repo as admin).
or update whatever is using 1.0.0 to a newer version?
That would break builds of previous versions of Jenkins core, since it requires jbcrypt 1.0.0. I failed the last time that I tried to update the jbcrypt 1.0.0 dependency to a newer version. I don't have notes on the failure, but I remember that the attempt did not succeed.
I think it is a good idea to update the version of jbcrypt to a newer release if possible, but I think that should be handled separately from this effort.
Consider a new repo also added to the
public
virtual repo (populate exclusively by copying from cache to that new repo as admin).
Thanks. I've updated the text of the issue to propose the creation of a new repository, addition of that new repository to the public virtual repository, and the move of the jbcrypt 1.0.0 artifact into the new repository.
This plan looks good to me, I'm gonna proceed with the first step. proposal for the new repository name: orphans
to convey the "status" of the hosted artifacts within this repo.
Create a new repository on repo.jenkins-ci.org and copy the org.connectbot.jbcrypt:jbcrypt:1.0.0 artifact from jcenter-cache to the new repository (required for Jenkins core, appears to only be available from jcenter-cache). Add the new repository to the public virtual repository
orphans
has been created and added to the permission set "Anything" which grant read access to anyone (e.g. public access)public
virtual repository (yet?).See: https://repo.jenkins-ci.org/artifactory/orphans/org/connectbot/jbcrypt/jbcrypt/
cc @MarkEWaite so you can continue your tests.
The artifactory plugin has a dependency on the token macro plugin 2.12. The token macro plugin 2.12 has a dependency on com.jayway.jsonpath:json-path:2.4.0. Our cached copy of the JGit repository includes an outdated copy of the json-path 2.4.0 pom file for the 2.4.0 release of json-path.
Based on comments in https://github.com/openhab/openhab-addons/issues/10102#issuecomment-775779992 , we need to replace our outdated copy of 2.4.0 with an updated pom file and jar file.
If we don't want to replace the file in our cached copy of the JGit repository (because the outdated file still exists in the Eclipse JGit repository), we could place a fresh copy into the orphans repository and move the orphans repository before the JGit repository in our virtual repository search order.
Is there a way to safely remove or exclude the outdated / incorrect json-path 2.4.0 that we are getting from the Eclipse repository?
The configuration as code plugin depends on the crowd2 plugin. The crowd2 plugin depends on the crowd-integration-client-common 5.1.5 library that appears to only be available from our jcenter-cache. Since crowd2 is an Atlassian product, I expected it to be in the atlassian-cache repository, but it does not seem to be there.
We could add the Atlassian repository to the configuration as code plugin like this:
diff --git a/pom.xml b/pom.xml
index f8c7d60e..9a1d5c37 100644
--- a/pom.xml
+++ b/pom.xml
@@ -51,6 +51,10 @@
<id>repo.jenkins-ci.org</id>
<url>https://repo.jenkins-ci.org/public/</url>
</repository>
+ <repository>
+ <id>Atlassian</id>
+ <url>https://packages.atlassian.com/mvn/maven-atlassian-external/</url>
+ </repository>
</repositories>
<pluginRepositories>
That won't solve the case for other projects that depend on the Atlassian libraries. It also does not explain why the Atlassian libraries are not in our atlassian-cache repository but are in our jcenter-cache repository.
The Jira plugin depends on Atlassian libraries that are available from our jcenter-cache but are not found unless jcenter-cache is included.
The build passed after I added the Atlassian repository to the jira-plugin pom file:
diff --git a/pom.xml b/pom.xml
index e3ca697..d56a0ff 100644
--- a/pom.xml
+++ b/pom.xml
@@ -330,6 +330,10 @@
<id>repo.jenkins-ci.org</id>
<url>https://repo.jenkins-ci.org/public/</url>
</repository>
+ <repository>
+ <id>Atlassian</id>
+ <url>https://packages.atlassian.com/mvn/maven-atlassian-external</url>
+ </repository>
</repositories>
<pluginRepositories>
The robot plugin requires Java 11. It won't build with Java 21.
The robot plugin has a dependency on com.jayway.jsonpath:json-path:2.4.0. Our cached copy of the JGit repository includes an outdated copy of the json-path 2.4.0 pom file for the 2.4.0 release of json-path.
Based on comments in https://github.com/openhab/openhab-addons/issues/10102#issuecomment-775779992 , we need to replace our outdated copy of 2.4.0 with an updated pom file and jar file.
If we don't want to replace the file in our cached copy of the JGit repository (because the outdated file still exists in the Eclipse JGit repository), we could place a fresh copy into the orphans repository and move the orphans repository before the JGit repository in our virtual repository search order.
Is there a way to safely remove or exclude the outdated / incorrect json-path 2.4.0 that we are getting from the Eclipse repository?
The promoted builds plugin has an optional dependency on the project inheritance plugin 21.04.03. The project inheritance plugin 21.04.03 pom file uses http instead of https in its repository URL references. Maven rejects attempts to from an http repository.
There are hints like this on several pages that http blocking can be bypassed with a mirrorOf
definition, but I've not been able to make it work.
The artifact org.connectbot.jbcrypt:jbcrypt:1.0.0 has been deployed to this new repository, along with its POM, sources and javadoc. A Maven metadat file has been autogenerated and looks the same as jcenter's
Any particular reason why?
The artifact org.connectbot.jbcrypt:jbcrypt:1.0.0 has been deployed to this new repository, along with its POM, sources and javadoc. A Maven metadat file has been autogenerated and looks the same as jcenter's
Any particular reason why?
I could not find the artifact org.connectbot.jbcrypt:jbcrypt:1.0.0 on repo.jenkins-ci.org in any repository other than jcenter-cache. Since the goal is to remove jcenter-cache from the definition of the public virtual repository, it seemed like we need to copy that artifact to a new repository that can be included in the public virtual repository without including all of jcenter-cache.
Did that address your question or is there something more that I'm not understanding in the question?
Did that address your question or is there something more that I'm not understanding in the question?
From my proposal of the new repo holding these dependencies:
populate exclusively by copying from cache to that new repo as admin
That trivially ensures identical artifacts. Per Damien,
has been deployed to this new repository, along with its POM, sources and javadoc. A Maven metadat file has been autogenerated and looks the same as jcenter's
That looks very manual and results in differences. For example, we don't have *.asc
files now. No idea whether they're needed, but any difference seems unnecessary.
If my proposed approach is not possible, or has drawbacks I'm unaware of, and that's the reason for the different approach, I'd like to know.
Is there a way to safely remove or exclude the outdated / incorrect json-path 2.4.0 that we are getting from the Eclipse repository?
Googling brings up https://jfrog.com/help/r/jfrog-artifactory-documentation/basic-settings-for-remote-repositories which shows that you can configure exclude patterns on a remote repository (i.e., a cache). Based on this documentation I think we should delete the json-path
dependency from our Eclipse remote repository (i.e., our cache) and add an exclude pattern so that it won't be downloaded again. Then requests for it from the JGit remote repository should 404 and the lookup should proceed to the (valid) version on Central.
~See this page for more information on the Atlassian repositories. https://packages.atlassian.com/maven-public/ contains just the core Atlassian libraries (sort of like our releases
) while https://packages.atlassian.com/maven-external/ contains a lot of other stuff, including third-party libraries (sort of like our public
). That is, the former could be cached by us, but the latter couldn't (otherwise we'd have the same bandwidth issue as with JCenter). Unfortunately, the Jira library is present in maven-public
but the Crowd library is only available in maven-external
. So I don't see a way around https://github.com/jenkinsci/crowd2-plugin depending directly on https://packages.atlassian.com/maven-external/ (including all its dependencies, which thankfully is only https://github.com/jenkinsci/configuration-as-code-plugin/tree/master/integrations which is not published in any releases). For the Jira plugin, https://packages.atlassian.com/maven-public/ could be added to the build as in https://github.com/jenkinsci/jira-plugin/pull/578 (including downstream consumers, of which the only significant one is https://github.com/jenkinsci/blueocean-plugin/pull/2531), or we could start caching https://packages.atlassian.com/maven-public/ and include that in our public
virtual repository, in which case we wouldn't need https://github.com/jenkinsci/jira-plugin/pull/578 or the <repository>
portion of https://github.com/jenkinsci/blueocean-plugin/pull/2531.~
Edit: This already exists: https://repo.jenkins-ci.org/ui/repos/tree/General/atlassian which is part of public
.
promoted-builds
can only be fixed by adopting and re-releasing project-inheritance
I think.
promoted-builds
can only be fixed by adopting and re-releasingproject-inheritance
I think.
@MarkEWaite Would you like to do this or shall I?
promoted-builds
can only be fixed by adopting and re-releasingproject-inheritance
I think.@MarkEWaite Would you like to do this or shall I?
I'd prefer that you do it. Thanks for the analysis that there really isn't another way except to adopt and release a new version.
https://plugins.jenkins.io/scp/ hasn't been released in 13 years and has an open security vulnerability, so I think we should be deprecating this plugin rather than getting it to build.
@MarkEWaite I'd prefer that you do it.
project-inheritance
can't actually be adopted because it isn't in our GitHub organization. Rather I have filed https://github.com/jenkinsci/promoted-builds-plugin/pull/272 to remove promoted-builds
's (optional) integration with it.
Open action items from my perspective:
json-path
from Eclipse remote repository, and delete bad json-path
library from cachescp
and project-inheritance
.I just discovered that we already have https://repo.jenkins-ci.org/ui/repos/tree/General/atlassian (which we are not being asked to disable), and it is already part of https://repo.jenkins-ci.org/artifactory/public. In any case, I confirmed that Jira plugin builds correctly with nothing but https://repo.jenkins-ci.org/releases/, https://repo.jenkins-ci.org/orphans/, https://repo.jenkins-ci.org/atlassian/, and Central (in that order), and I confirmed that Crowd2 plugin builds correctly with nothing but https://repo.jenkins-ci.org/releases, https://repo.jenkins-ci.org/atlassian, and Central (in that order). Based on these results I have closed the PRs in jira-plugin
and crowd2-plugin
(as well as the downstream PRs in blueocean-plugin
and configuration-as-code-plugin
).
I do not know why this was not included in https://github.com/jenkins-infra/helpdesk/issues/3842#issuecomment-1837820356. For the experiment to have scientific rigor, it should have included everything that is part of https://repo.jenkins-ci.org/artifactory/public, in the same order (minus JCenter, of course). If the experiment had been done this way, I do not think these false positives would have turned up.
In my opinion it would be valuable to re-run the experiment from https://github.com/jenkins-infra/helpdesk/issues/3842#issuecomment-1837820356 but with the exact list of remote repositories that are in public
(in the same order), minus JCenter, and with the addition of orphans
(in the same position that we expect to add it to public
), preferably also after implementing https://github.com/jenkins-infra/helpdesk/issues/3842#issuecomment-1839521681, but before the brownout. The expected results of this experiment re-run would be the disappearance of Jira-related problems, and the (potential!) appearance of new problems that we could not see before due to an unrealistic test environment.
Did that address your question or is there something more that I'm not understanding in the question?
From my proposal of the new repo holding these dependencies:
populate exclusively by copying from cache to that new repo as admin
That trivially ensures identical artifacts. Per Damien,
has been deployed to this new repository, along with its POM, sources and javadoc. A Maven metadat file has been autogenerated and looks the same as jcenter's
That looks very manual and results in differences. For example, we don't have
*.asc
files now. No idea whether they're needed, but any difference seems unnecessary.If my proposed approach is not possible, or has drawbacks I'm unaware of, and that's the reason for the different approach, I'd like to know.
I failed to find a way to copy only selected dependency from the cache, so I did a manual "deploy" through the UI.
Thanks for pointing this out, I misunderstood your first message. Currently trying to copy from the cache repo following https://jfrog.com/help/r/jfrog-artifactory-documentation/move-and-copy-artifacts to see if it adds the .asc
files.
The recommendation from @basil was exactly right. I've redefined my settings.xml
to include exactly the repositories that are included in the search order of the Jenkins repository and I believe I've found an additional issue that we should test during the brownout tomorrow.
@dduportal shared that the list of repositories included in the public
virtual repository is available with the command:
curl https://repo.jenkins-ci.org/api/repositories/public
That provides the following output:
{
"key": "public",
"packageType": "maven",
"description": "All public repositories aggregated for the purpose of building Jenkins and its plugins",
"repositories": [
"snapshots",
"releases",
"shibboleth",
"maven.jenkins-ci.org",
"maven.twttr.com",
"javanet2",
"tmate",
"jcenter",
"oss.sonatype.org-releases",
"cloudbees.public.release",
"jgit",
"netbeans",
"fusesource",
"atlassian"
],
"rclass": "virtual"
}
When I define my settings.xml based on that definition, many of the artifacts that I expected to be delivered by Apache Maven Central are instead delivered from the oss.sonatype.org-releases
cache on repo.jenkins-ci.org.
I think that we need to disable jcenter
, jcenter-cache
, and oss.sonatype.org-releases
during the brownout tomorrow. When I remove those from my settings file, I see that the expected artifacts are retrieved from Apache Maven Central.
The settings.xml file that I'm using is:
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
http://maven.apache.org/xsd/settings-1.0.0.xsd">
<pluginGroups>
<pluginGroup>org.jenkins-ci.tools</pluginGroup>
</pluginGroups>
<profiles>
<profile>
<id>faster</id>
<activation>
<activeByDefault>true</activeByDefault>
</activation>
<properties>
<forkCount>1C</forkCount>
</properties>
</profile>
<profile>
<id>jenkins</id>
<activation>
<activeByDefault>true</activeByDefault>
</activation>
<repositories>
<repository>
<id>snapshots</id>
<url>https://repo.jenkins-ci.org/snapshots/</url>
<snapshots>
<enabled>true</enabled>
</snapshots>
<releases>
<enabled>false</enabled>
</releases>
</repository>
<repository>
<!-- intentionally named repo.jenkins-ci.org to override public -->
<id>repo.jenkins-ci.org</id>
<url>https://repo.jenkins-ci.org/releases/</url>
</repository>
<repository>
<id>shibboleth</id>
<url>https://repo.jenkins-ci.org/shibboleth/</url>
</repository>
<repository>
<id>maven.jenkins-ci.org</id>
<url>https://repo.jenkins-ci.org/maven.jenkins-ci.org/</url>
</repository>
<repository>
<id>maven.twttr.com</id>
<url>https://repo.jenkins-ci.org/maven.twttr.com/</url>
</repository>
<repository>
<id>javanet2</id>
<url>https://repo.jenkins-ci.org/javanet2/</url>
</repository>
<repository>
<id>tmate</id>
<url>https://repo.jenkins-ci.org/tmate/</url>
</repository>
<!-- <repository> -->
<!-- <id>jcenter</id> -->
<!-- <url>https://repo.jenkins-ci.org/jcenter/</url> -->
<!-- </repository> -->
<!-- <repository> -->
<!-- <id>oss.sonatype.org-releases</id> -->
<!-- <url>https://repo.jenkins-ci.org/oss.sonatype.org-releases/</url> -->
<!-- </repository> -->
<repository>
<id>cloudbees.public.release</id>
<url>https://repo.jenkins-ci.org/cloudbees.public.release/</url>
</repository>
<repository>
<id>jgit</id>
<url>https://repo.jenkins-ci.org/jgit/</url>
</repository>
<repository>
<id>netbeans</id>
<url>https://repo.jenkins-ci.org/netbeans/</url>
</repository>
<repository>
<id>fusesource</id>
<url>https://repo.jenkins-ci.org/fusesource/</url>
</repository>
<repository>
<id>atlassian</id>
<url>https://repo.jenkins-ci.org/atlassian/</url>
</repository>
<repository>
<id>orphans</id>
<url>https://repo.jenkins-ci.org/orphans/</url>
</repository>
</repositories>
<pluginRepositories>
<pluginRepository>
<id>repo.jenkins-ci.org</id>
<url>https://repo.jenkins-ci.org/releases/</url>
</pluginRepository>
</pluginRepositories>
</profile>
</profiles>
</settings>
With the settings.xml that includes orphans and replacing the https://repo.jenkins-ci.org/public/ with https://repo.jenkins-ci.org/releases/ in the pom.xml file of the configuration as code plugin, the plugin build fails because it cannot find crowd-integration-client-common-5.1.5.pom
:
Downloading from repo.jenkins-ci.org: https://repo.jenkins-ci.org/releases/com/atlassian/crowd/crowd-integration-client-common/5.1.5/crowd-integration-client-common-5.1.5.pom
Downloading from shibboleth: https://repo.jenkins-ci.org/shibboleth/com/atlassian/crowd/crowd-integration-client-common/5.1.5/crowd-integration-client-common-5.1.5.pom
Downloading from maven.jenkins-ci.org: https://repo.jenkins-ci.org/maven.jenkins-ci.org/com/atlassian/crowd/crowd-integration-client-common/5.1.5/crowd-integration-client-common-5.1.5.pom
Downloading from maven.twttr.com: https://repo.jenkins-ci.org/maven.twttr.com/com/atlassian/crowd/crowd-integration-client-common/5.1.5/crowd-integration-client-common-5.1.5.pom
Downloading from javanet2: https://repo.jenkins-ci.org/javanet2/com/atlassian/crowd/crowd-integration-client-common/5.1.5/crowd-integration-client-common-5.1.5.pom
Downloading from tmate: https://repo.jenkins-ci.org/tmate/com/atlassian/crowd/crowd-integration-client-common/5.1.5/crowd-integration-client-common-5.1.5.pom
Downloading from cloudbees.public.release: https://repo.jenkins-ci.org/cloudbees.public.release/com/atlassian/crowd/crowd-integration-client-common/5.1.5/crowd-integration-client-common-5.1.5.pom
Downloading from jgit: https://repo.jenkins-ci.org/jgit/com/atlassian/crowd/crowd-integration-client-common/5.1.5/crowd-integration-client-common-5.1.5.pom
Downloading from netbeans: https://repo.jenkins-ci.org/netbeans/com/atlassian/crowd/crowd-integration-client-common/5.1.5/crowd-integration-client-common-5.1.5.pom
Downloading from fusesource: https://repo.jenkins-ci.org/fusesource/com/atlassian/crowd/crowd-integration-client-common/5.1.5/crowd-integration-client-common-5.1.5.pom
Downloading from atlassian: https://repo.jenkins-ci.org/atlassian/com/atlassian/crowd/crowd-integration-client-common/5.1.5/crowd-integration-client-common-5.1.5.pom
Downloading from incrementals: https://repo.jenkins-ci.org/incrementals/com/atlassian/crowd/crowd-integration-client-common/5.1.5/crowd-integration-client-common-5.1.5.pom
Downloading from central: https://repo.maven.apache.org/maven2/com/atlassian/crowd/crowd-integration-client-common/5.1.5/crowd-integration-client-common-5.1.5.pom
[WARNING] The POM for com.atlassian.crowd:crowd-integration-client-common:jar:5.1.5 is missing, no dependency information available
If I restore the https://repo.jenkins-ci.org/public/ in pom.xml, then that dependency is found in the "public" repository. The build output is:
Downloading from repo.jenkins-ci.org: https://repo.jenkins-ci.org/public/com/atlassian/crowd/crowd-integration-client-common/5.1.5/crowd-integration-client-common-5.1.5.pom
Downloaded from repo.jenkins-ci.org: https://repo.jenkins-ci.org/public/com/atlassian/crowd/crowd-integration-client-common/5.1.5/crowd-integration-client-common-5.1.5.pom (3.4 kB at 8.5 kB/s)
I think that means that the atlassian crowd components needed by the configuration as code plugin integration test are only available from one of the repositories that I've excluded from the settings.xml file (either jcenter or oss.sonatype.org-releases). The atlassian
repository that is included in the configuration does not currently include those components.
Based on that, I expect tomorrow's brownout to fail the build of the configuration as code plugin while public
does not include the jcenter
repository.
I can reproduce the problem in crowd2-plugin
and configuration-as-code
's integrations
module. Running
$ curl https://repo.jenkins-ci.org/api/repositories/atlassian
{
"key" : "atlassian",
"packageType" : "maven",
"description" : "",
"url" : "https://maven.atlassian.com/content/repositories/atlassian-public/",
"rclass" : "remote"
I see the remote repository is for https://maven.atlassian.com/content/repositories/atlassian-public/ but note from this page that
We are in the process of deprecating all maven.atlassian.com URLs. If you are using any of those, please change them to a URL mentioned above as soon as practical. We will advise the developer community more widely when we expect to permanently decommission the maven.atlassian.com URLs.
That page (which itself is about three years old) mentions https://packages.atlassian.com/maven-external/ which is a virtual repository for (at least) https://packages.atlassian.com/maven-3rdparty/, https://packages.atlassian.com/maven-public/, and https://packages.atlassian.com/maven-public-snapshot/. It seems that https://maven.atlassian.com/content/repositories/atlassian-public/ maps to https://packages.atlassian.com/maven-public/ which contains the Jira libraries but not the Crowd libraries.
Unfortunately https://packages.atlassian.com/maven-external/ contains 3rd-party libraries, so we cannot easily mirror it without introducing similar bandwidth problems as with JCenter. And after doing some Googling I can't find any other repository that contains the Crowd libraries. So I would suggest adding https://packages.atlassian.com/maven-external/ to the <repositories>
section of crowd2-plugin
and any downstream consumers (currently just configuration-as-code
's integrations
module). If a repository is identified that contains Crowd libraries but not other 3rd party libraries, then we could mirror it and add it to the public
virtual repository.
The public
virtual repository should also be updated to use https://packages.atlassian.com/maven-public/ in favor of the deprecated https://maven.atlassian.com/content/repositories/atlassian-public/.
After scouring the Internet a little further, I think I have found where it lives:
https://packages.atlassian.com/mvn/maven-atlassian-external/
I confirmed that between https://packages.atlassian.com/maven-public/ and https://packages.atlassian.com/mvn/maven-atlassian-external/ Crowd 2 can be built successfully.
My new recommendation is to create two new remote repositories corresponding to https://packages.atlassian.com/maven-public/ and https://packages.atlassian.com/mvn/maven-atlassian-external/ and replace the existing atlassian
entry with these two new ones during the brownout. This should be equivalent to what is currently coming from JCenter, without dragging in tons of other third-party libraries.
I have built 244 out of 248 repositories using the previous settings.xml with the addition of https://packages.atlassian.com/maven-public/ and https://packages.atlassian.com/mvn/maven-atlassian-external/ as repositories.
The Atlassian libraries were unavailable during the brownout, as seen by a failure in building a repository permissions updater pull request:
The failure message was:
07:15:07 + mvn -U -B -ntp clean verify
07:15:08 [INFO] Scanning for projects...
07:15:09 [INFO]
07:15:09 [INFO] ----------< io.jenkins.infra:repository-permissions-updater >-----------
07:15:09 [INFO] Building Artifactory Upload Permissions Updater 1.0-SNAPSHOT
07:15:09 [INFO] from pom.xml
07:15:09 [INFO] --------------------------------[ jar ]---------------------------------
07:15:34 [INFO] ------------------------------------------------------------------------
07:15:34 [INFO] BUILD FAILURE
07:15:34 [INFO] ------------------------------------------------------------------------
07:15:34 [INFO] Total time: 26.495 s
07:15:34 [INFO] Finished at: 2023-12-06T14:15:34Z
07:15:34 [INFO] ------------------------------------------------------------------------
07:15:34 [ERROR] Failed to execute goal on project repository-permissions-updater: Could not resolve dependencies for project io.jenkins.infra:repository-permissions-updater:jar:1.0-SNAPSHOT: Failed to collect dependencies at com.atlassian.jira:jira-rest-java-client-core:jar:5.2.7: Failed to read artifact descriptor for com.atlassian.jira:jira-rest-java-client-core:jar:5.2.7: The following artifacts could not be resolved: com.atlassian.jira:jira-rest-java-client-core:pom:5.2.7 (absent): Could not transfer artifact com.atlassian.jira:jira-rest-java-client-core:pom:5.2.7 from/to repo.jenkins-ci.org (https://repo.jenkins-ci.org/public/): status code: 401, reason phrase: (401) -> [Help 1]
We had added the Atlassian repositories as remote repositories at the start of the brownout, but maybe they were not populated?
The artifacts are there in the remote repositories:
https://repo.jenkins-ci.org/atlassian-maven-public/ is returning 401, not 404. Seems like it was not set up for anonymous access (i.e., an unrealistic test environment).
Based on https://twitter.com/askatlassian/status/1732550688176005520 it appears that the next step is to file a ticket at https://developer.atlassian.com/support to ask them which combination of repositories contains Jira and Crowd libraries but not other third-party software.
closed source Atlassian proprietary binaries are in https://packages.atlassian.com/mvn/maven-closedsource/
but as per the URL - these are not open source software contained here - they are subject to the atlassian licence https://www.atlassian.com/legal/software-license-agreemen (the parents track eventually to a version of https://packages.atlassian.com/mvn/maven-closedsource/com/atlassian/pom/closedsource-pom/ but in any case they are in the closedsource repo!)
so the question is should hosting of these plugins be allowed per https://www.jenkins.io/doc/developer/publishing/preparation/#license and that the libraries they require are not open source
Yep, https://packages.atlassian.com/mvn/maven-closedsource/com/atlassian/crowd/atlassian-crowd/5.2.1/atlassian-crowd-5.2.1.pom is a child of closedsource-pom
. I think we have three options:
Since this ticket is time and budget sensitive, my preference would be either for options 1 or 2. I don't see 1 as being a horrible workaround since it is really just preserving the status quo, which is admittedly not great. But 2 also seems fine because the Crowd 2 plugin only has 2,000 installations, so its tests could be temporarily excluded from Configuration as Code's test suite if needed.
a child of
closedsource-pom
What license is this stuff distributed under? If it's proprietary, we should just suspend the plugin. See e.g. https://github.com/jenkins-infra/helpdesk/issues/3742 or https://github.com/jenkins-infra/update-center2/pull/720. (Even during any grace period we may offer the maintainers to address this without suspension, we don't really need to care about supporting their rule violations.)
https://www.atlassian.com/legal/software-license-agreement is proprietary, and that suggestion corresponds to (2) in my previous post.
but as per the URL - these are not open source software contained here - they are subject to the atlassian licence https://www.atlassian.com/legal/software-license-agreement (the parents track eventually to a version of https://packages.atlassian.com/mvn/maven-closedsource/com/atlassian/pom/closedsource-pom/ but in any case they are in the closedsource repo!)
so the question is should hosting of these plugins be allowed per https://www.jenkins.io/doc/developer/publishing/preparation/#license and that the libraries they require are not open source
I agree with @jtnord and @basil that the dependency com.atlassian.crowd:crowd-integration-api:jar:5.1.5
is not open source. The pom file for that dependency does not include a license, but I've tracked back through the parent poms and the trail leads to closedsource-pom:6.2.2 that includes the license https://www.atlassian.com/legal/software-license-agreement
I think that we should take option 2 as described by @basil . I've submitted the following issue to Jenkins infra help desk to suspend distribution of the Crowd2 integration plugin:
Confluence Publisher is also impacted: https://github.com/jenkins-infra/helpdesk/issues/3856
The artifacts are there in the remote repositories:
* https://packages.atlassian.com/maven-public/com/atlassian/jira/jira-rest-java-client-core/5.2.7/ * https://packages.atlassian.com/mvn/maven-atlassian-external/com/atlassian/jira/jira-rest-java-client-core/5.2.7/
https://repo.jenkins-ci.org/atlassian-maven-public/ is returning 401, not 404. Seems like it was not set up for anonymous access (i.e., an unrealistic test environment).
Pairing operation with @MarkEWaite today: the repository https://repo.jenkins-ci.org/artifactory/atlassian-maven-public is now available publicly (added to the permissions scheme "Any Remote" which adds Read and Cache to the anonymous
user.
Start of the 2nd brownout on repo.jenkins-ci.org with @MarkEWaite:
We've updated the public
virtual repository to the following setup:
curl --silent https://repo.jenkins-ci.org/api/repositories/public | jq -r '.'
{
"key": "public",
"packageType": "maven",
"description": "All public repositories aggregated for the purpose of building Jenkins and its plugins",
"repositories": [
"releases",
"orphans",
"atlassian-maven-public",
"shibboleth",
"maven.jenkins-ci.org",
"maven.twttr.com",
"javanet2",
"tmate",
"cloudbees.public.release",
"jgit",
"netbeans",
"fusesource",
"snapshots"
],
"rclass": "virtual"
}
jcenter
and atlassian
orphans
and atlassian-maven-public
After implementing the production change, we found that the artifactory plugin depends on a 3.1.7 release of a platform pom that is only available from the Spring plugins repository at https://repo.spring.io/plugins-release/ . Other versions of that artifact are available from Atlassian public, but not that version.
@dduportal created a jcenter-orphans remote repository that includes a specific item
com.atlassian.pom:public-pom:pom:4.0.7 was then missing. That was fixed by adding another entry to jcenter-orphans
com.atlassian.sal:sal-api:jar:3.0.7 was missing.
Items that were missing have been added to the jcenter-orphans remote repository with a narrow inclusion definition to avoid including any more of jcenter than those few items that are not available elsewhere. The jcenter-orphans repository is intentionally placed near the end of the search list so that the official Atlassian repository cache is used first.,
The crawler job that detects updated tools is failing on ci.jenkins.io with a Grape error
Resolved by adding Maven central to the Grape repository list in:
The crawler job that detects updated tools is failing on ci.jenkins.io with a Grape error
* https://ci.jenkins.io/job/Infra/job/crawler/job/master
Resolved by adding Maven central to the Grape repository list in:
* [Add Maven Central to Grape configuration crawler#134](https://github.com/jenkins-infra/crawler/pull/134)
Thanks @basil for the batch of PRs to fix and improve the crawler (and @MarkEWaite @timja @NotMyFault for the revies/deploys).
Update:
jcenter
to solve https://github.com/jenkins-infra/helpdesk/issues/3872 (see issue for details)jcenter-cache
and atlassian-cache
from both Any Remote
and Anything
permissions scheme to ensure they cannot be reached anonymously (as such the outbound bandwidth should drastically decrease)
- Removed
jcenter-cache
andatlassian-cache
from bothAny Remote
andAnything
permissions scheme to ensure they cannot be reached anonymously (as such the outbound bandwidth should drastically decrease)
Thanks very much. Should the same change be applied to oss.sonatype.org-releases
since it also contains a copy of Apache Maven Central?
Jenkins core 2.439 and later now depend on a version of the jbcrypt library that is available from Apache Maven Central. Thanks to @andham for that improvement. Refer to the merged pull request:
Service(s)
Artifactory
Summary
The data transfer volume from https://repo.jenkins-ci.org is still unexpectedly high. Log file analysis for a recent 5 day period shows that the top repositories based on the sum of the sizes of the requested files are:
JFrog has explained that even though we removed Apache Maven Central from the public repository, the contents of Apache Maven Central still exist as copies in the jcenter repository. We need to also remove the jcenter repository and the jcenter-cache repository from the definition of the public repository so that binaries from Apache Maven Central will be resolved from Apache Maven Central instead of being resolved from our repository.
When I had tried some initial experiments removing jcenter, several months ago, there were some cases where it appeared that we depend on artifacts that are only in jcenter and possibly only in our cache of jcenter. Unfortunately, my memory is weak and I cannot find any notes that reference that experiment.
I think that we should take the following steps:
com.jayway.jsonpath
groupId and all its packages from thejgit-cache
. The artifactory plugin build failure and the robot plugin build failure will be resolved by that exclusion. The comment from @basil includes more detailsweekly-test
configuration of the plugin bill of materialsweekly-test
configuration of the plugin bill of materialsReproduction steps
Steps that I took to analyze the requests:
select repo,sum(size_bytes)/1024/1024/1024 as SUM_GB from logs group by repo order by SUM_GB desc limit 10;