maven-hpi-plugin icon indicating copy to clipboard operation
maven-hpi-plugin copied to clipboard

Published 20 hours ago verified publisher icon jenkinsci

Explicit list of packaged libraries

Open jglick opened this issue 1 year ago • 6 comments

Currently this plugin bundles all compile-scoped dependencies whose trail does not include a plugin in WEB-INF/lib/*.jar. #140 / #172 / #192 shows that there are subtleties here. #130 at least makes it clear what is being bundled and (usually) why to a developer paying attention to the build log, but of course most of the time no one is looking.

As suggested in https://github.com/jenkinsci/blueocean-plugin/pull/2433#discussion_r1188667397 and https://github.com/jenkinsci/plugin-pom/issues/705#issuecomment-1462144045, it would be more reliable to simply require that the plugin pom explicitly list the JARs it expects to bundle so there needs to be a conscious decision to start bundling something and this decision is apparent to reviewers.

Some more examples of why this would be safer:

  • https://github.com/jenkinsci/google-compute-engine-plugin/pull/398 / https://github.com/jenkinsci/google-compute-engine-plugin/pull/402
  • https://github.com/jenkinsci/workflow-remote-loader-plugin/pull/18
  • https://groups.google.com/g/jenkinsci-dev/c/POxcfeUTRzo/m/bRiyei3ZAgAJ
  • https://github.com/jenkinsci/plugin-pom/pull/864
  • https://github.com/jenkinsci/plugin-pom/issues/705#issuecomment-1462144045

Suggested implementation:

  • Add a new mojo parameter for a sorted list of artifactIds corresponding to dependency JARs which ought to be bundled. (version is obvious from dependency:tree and other things; groupId could be included for clarity, though the default basename in the WAR just uses artifactId.)
  • If the actual list as computed by the current algorithm differs from the declared list, fail the build, printing the computed list. Otherwise proceed as now (including logging from #130, perhaps toned down).
  • Define a POM property for the list in plugin-pom (probably meaning the mojo parameter must be String-valued, unless Maven has some clever way to bind a variable expression to a List<String>). The default value should be empty. Make sure that the mojo failure message shows you the exact line you need to add to <properties>.
  • Prominently announce this as a breaking change for the corresponding POM release.
  • File PRs for at least the most commonly maintained plugins in @jenkinsci adding the property with the current computed value. Harmless against an older POM, but makes sure that the Dependabot POM bump will pass uneventfully.

jglick avatar Nov 27 '23 15:11 jglick

I feel neutral about this change overall because while it does avoid some pathological cases, it also adds a bit of unnecessary extra work for normal cases. However, let me state from the outset that I will not support any breaking change that does not include a clear migration plan for, say, the top 200 plugins or similar. The work can possibly be shared, especially if others in the community are interested in helping, but I feel strongly that the work should not be deferred to "someone, sometime," because that is likely to create friction that will slow down unrelated future efforts. As far as my own personal interest in helping with the migration is concerned, I will participate to the degree that others participate. So, for example, if others migrate 5 plugins then I will also migrate 5 plugins, and if others migrate 0 plugins then I will also migrate 0 plugins.

basil avatar Dec 07 '23 21:12 basil

a bit of unnecessary extra work

Yes of course, but small I think (one line of XML which you would be prompted to add to the POM); and the alternative is not just the risk of a regression (occasionally causing linkage errors, size bloat, licensing issues, security scanner flags, etc.) but actually more work to manually validate whether changes like https://github.com/jenkinsci/aws-java-sdk-plugin/pull/1159 or https://github.com/jenkinsci/pipeline-model-definition-plugin/pull/684 are actually doing what they claim.

Upon reflection I guess it should be possible to do this compatibly (set the default value to some “undeclared” token) so that we can start by having selected plugins opt into declaring their bundled libraries, and get some practical validation of the approach, before ultimately making it mandatory.

jglick avatar Dec 11 '23 14:12 jglick

File PRs for at least the most commonly maintained plugins in https://github.com/jenkinsci adding the property with the current computed value.

Will there be a goal to compute the list even for a plugin with older parent POM hpi dependency, so it's a basic mvn call to obtain the list for any (reasonably maintained) plugin?

daniel-beck avatar Dec 11 '23 17:12 daniel-beck

Seems easy enough to just update the parent (or run with -Dhpi-plugin.version=…), but TBD.

jglick avatar Dec 11 '23 17:12 jglick

Seems easy enough to just update the parent

Have you ever tried to do this for the top 200 plugins? I would love to know, when you finish, how easy it was.

basil avatar Dec 11 '23 17:12 basil

I would generally be in favour of an approach that would fail a build. I have been hit once too often by dependabot bumps. Bonus points if we can get it to find libraries that should be plugins too (with an opt out/in).

jtnord avatar Dec 18 '23 10:12 jtnord