
Deprecate and remove GHPRB plugin #143

Open
mbarbero opened this issue Jan 22, 2021 · 6 comments

Comments

@mbarbero
Member

If some jobs have been run with a version < 1.40.0, they are still affected by https://www.jenkins.io/security/advisory/2018-03-26/#SECURITY-261, so it's quite hard to know if we're at risk or not (apart from running https://github.com/jenkinsci-cert/SECURITY-261 on a regular basis).

Also, the plugin is up for adoption and advises switching to https://plugins.jenkins.io/github-branch-source/, which is preferable anyway.

@fredg02, what do you think?

@fredg02
Contributor

fredg02 commented Jan 22, 2021

The GitHub branch source plugin is not a direct replacement for the GHPRB plugin since it is not compatible with freestyle jobs. This would require that all freestyle jobs that use the GHPRB plugin would need to be migrated to Multibranch pipeline jobs.

Therefore I'd recommend that we adapt our documentation to deprecate using the GHPRB plugin and encourage projects to switch to the Branch Source plugin. I don't see an easy way of "force-removing" the GHPRB plugin without breaking a significant number of build jobs.

@mbarbero
Member Author

The GitHub branch source plugin is not a direct replacement for the GHPRB plugin since it is not compatible with freestyle jobs. This would require that all freestyle jobs that use the GHPRB plugin would need to be migrated to Multibranch pipeline jobs.

Right, thanks. I forgot about this fact.

Therefore I'd recommend that we adapt our documentation to deprecate using the GHPRB plugin and encourage projects to switch to the Branch Source plugin. I don't see an easy way of "force-removing" the GHPRB plugin without breaking a significant number of build jobs.

👍

@mbarbero
Member Author

Also, there has been a recent push (jenkinsci/ghprb-plugin@255bf6a) to add support for JCasC. It should help us a bit.

Do you think we could also contribute something to remove the security warning from the plugin?

@fredg02
Contributor

fredg02 commented Jan 22, 2021

Shouldn't we be fine with running https://github.com/jenkinsci-cert/SECURITY-261 only once on every Jenkins instance? There should be no Jenkins instance that has an old version of the GHPRB plugin installed.

Do you think we could also contribute something to remove the security warning from the plugin?
Probably yes, otherwise we could see if we can at least disable the security warning in the admin monitor across all instances.
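The opening comment notes that any job once run with GHPRB below 1.40.0 stays affected by SECURITY-261 even after the plugin is upgraded, and the reply above argues the cleanup script only needs to run once per instance. The script below is an added example (not code from this issue, from the GHPRB plugin, or from the jenkinsci-cert repository) that covers the first half of that picture: it reads the JSON document Jenkins serves at `<jenkins-url>/pluginManager/api/json?depth=1` (which lists each plugin's `shortName` and `version`) for every instance and flags those still running `ghprb` below the 1.40.0 threshold named in the thread. Instance names and plugin lists are constructed sample data; a passing version check says nothing about jobs run under an older version, which is exactly why the one-time cleanup run is still needed.

```python
"""Flag Jenkins instances still running the GHPRB plugin below 1.40.0.

Added example, not part of the issue or of any Jenkins project code.
Input documents have the shape of /pluginManager/api/json?depth=1;
the instance names and plugin lists below are constructed samples.
"""
import json
import re
from typing import Optional

GHPRB_FIXED_VERSION = "1.40.0"   # threshold quoted in the issue thread
GHPRB_SHORT_NAME = "ghprb"


def parse_version(v: str) -> tuple:
    """Turn '1.39.0', '1.42.2-rc1' or '1.40' into a comparable tuple of ints.
    Pre-release suffixes after '-' are dropped; missing components count as 0."""
    nums = [int(x) for x in re.findall(r"\d+", v.split("-")[0])]
    return tuple(nums + [0] * (3 - len(nums)))   # pad so 1.40 == 1.40.0


def ghprb_version(plugin_api_json: dict) -> Optional[str]:
    """Return the installed ghprb version from a plugin-manager API document, or None."""
    for plugin in plugin_api_json.get("plugins", []):
        if plugin.get("shortName") == GHPRB_SHORT_NAME:
            return plugin.get("version")
    return None


def is_vulnerable(version: Optional[str]) -> bool:
    """True when ghprb is installed and older than the fixed release."""
    if version is None:
        return False
    return parse_version(version) < parse_version(GHPRB_FIXED_VERSION)


def audit(instances: dict) -> dict:
    """Map each instance name to a one-line status for its ghprb install."""
    report = {}
    for name, doc in instances.items():
        ver = ghprb_version(doc)
        if ver is None:
            report[name] = "ghprb not installed"
        elif is_vulnerable(ver):
            report[name] = (f"ghprb {ver} < {GHPRB_FIXED_VERSION}: "
                            "upgrade and run the SECURITY-261 cleanup script")
        else:
            report[name] = f"ghprb {ver} ok (cleanup script still needed once if older versions ever ran)"
    return report


# Constructed sample documents (hypothetical instance names) in the API's shape.
SAMPLE_INSTANCES = {
    "jipp-alpha": json.loads(
        '{"plugins":[{"shortName":"ghprb","version":"1.39.0","active":true},'
        '{"shortName":"github-branch-source","version":"2.9.3","active":true}]}'),
    "jipp-beta": json.loads(
        '{"plugins":[{"shortName":"ghprb","version":"1.42.2","active":true}]}'),
    "jipp-gamma": json.loads(
        '{"plugins":[{"shortName":"github-branch-source","version":"2.9.3","active":true}]}'),
}

if __name__ == "__main__":
    for name, status in audit(SAMPLE_INSTANCES).items():
        print(f"{name}: {status}")
```

To use it against real instances, fetch each document with an authenticated GET (an API token with read access to the plugin manager is sufficient) and pass the parsed JSON in place of the sample entries; the version parser tolerates two-component and pre-release version strings so that a Jenkins upgrade path does not produce false alarms.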

@mbarbero
Member Author

True, but it's still annoying (at least with my paranoiac OCD to have 0 security warnings — I know we can deactivate the warning, but it's still there, lying around ;))

@fredg02
Contributor

fredg02 commented Jan 22, 2021

That's why I proposed that running the script once across all JIPPs should be enough to remove the underlying security issue and satisfy your paranoia. ;)
