Update plugin parent POM and BOM #101

Merged
merged 1 commit into from
Apr 24, 2022

Conversation

basil
Member

@basil basil commented Apr 21, 2022

No description provided.

@basil
Member Author

basil commented Apr 21, 2022

@GLundh A release of this would facilitate Java 17 PCT testing.

@basil
Member Author

basil commented Apr 23, 2022

@rsandell 🙏

@GLundh
Member

GLundh commented Apr 24, 2022

I can handle this at the end of the coming week at the earliest. But please know that you, @basil, are free to release it yourself too. As a CloudBees employee, you should have the needed access rights?

@GLundh GLundh merged commit 8e9d9ba into jenkinsci:master Apr 24, 2022
@basil
Member Author

basil commented Apr 24, 2022

Thanks for merging, @GLundh! I'm not sure where you got that impression from, but it is not accurate. The only people with Artifactory permissions to do releases for a plugin are those who are listed in repository-permissions-updater:

https://github.com/jenkins-infra/repository-permissions-updater/blob/master/permissions/plugin-rebuild.yml

There is no generic permission for CloudBees employees.

@GLundh
Member

GLundh commented Apr 24, 2022

Apologies! But was not the last (security related) release made by CloudBees (Kevin-CB)?

Anyways, feel free to add yourself to the repository permission yaml. :)

@basil
Member Author

basil commented Apr 24, 2022

> Apologies! But was not the last (security related) release made by CloudBees (Kevin-CB)?

I can't comment on security releases, which may have a different process. But what I wrote is the case for regular releases.

> Anyways, feel free to add yourself to the repository permission yaml. :)

I am not interested in becoming a maintainer of this plugin.

@GLundh
Member

GLundh commented Apr 25, 2022

I did not think so. Worth a try, since all requests for new releases come from CloudBees and I don't work much with Jenkins these days. I'll try a new release sometime this week and then put it up for adoption.

@basil
Member Author

basil commented Apr 25, 2022

> Worth a try, since all requests for new releases come from CloudBees

I don't think that's a fair generalization. I have been doing you the favor of keeping your plugin's build up-to-date and testing your plugin for compatibility with other Jenkins plugins in jenkinsci/bom, and I have been doing this since before I joined CloudBees.

All you have to do in order to keep receiving this benefit from me is merge PRs and cut releases. If you set up JEP-229, all you would need to do is apply the right label when merging the PR and the release would be done automatically.

If, on the other hand, you don't want to receive this benefit from me, fine. If you stop merging and releasing PRs and nobody else steps up to maintain this plugin, I will probably just remove this plugin from the compatibility testing matrix in jenkinsci/bom. That would be a net loss for Jenkins users, but the choice is yours.

@GLundh
Member

GLundh commented Apr 25, 2022

Hi basil. I'm not trying to be offensive or anything. I'm sorry if it came off that way.

I took over the maintenance a couple of years ago, since we (like many other companies) relied on it and it was practically dead. The plugin was in dire need of maintenance. There were quite a few PRs that really needed to be merged.

Since then I have reviewed a lot of code and released quite a few releases. As expected from a maintainer.

What I'm saying is that my role at work has changed a bit, and I do not have time to maintain this plug-in anymore. Most work is done in my spare time. I am just not interested in maintaining this plugin for a lot longer.

Historically, CloudBees has been asking for a few releases. Often due to security reasons, but also compatibility releases with new versions of Jenkins. (Which is great.) So I asked about CloudBees maintaining it, since I figured it was in the company's direct interest, due to the fact that the plugin provides a core feature of Jenkins and therefore has 50k installs. (And most PRs nowadays come from CloudBees.)

I understand that CloudBees does not want to pick up this plugin, but as I no longer have time to maintain the plugin I figured the correct process was to put it up for adoption. If it is not, please let me know if there is a better way to proceed.

And to be clear, I'm very happy about all the work you are doing. And I certainly know that rebuilder (and many other plugins) benefit from your work. And the community as a whole. I think this PR is great. I'm just trying to find a solution for this plugin to live on, since the community relies on it.

@basil
Member Author

basil commented Apr 25, 2022

> I no longer have time to maintain the plugin I figured the correct process was to put it up for adoption. If it is not, please let me know if there is a better way to proceed.

Yes, that is the correct process. We would be sad to see you go, but (as I wrote above) the choice is yours.

@basil basil deleted the pom branch April 25, 2022 20:03
@Wadeck

Wadeck commented May 2, 2022

@GLundh Hello, that's interesting feedback about the perception of CloudBees having ownership of the plugin ecosystem.

Concerning the security releases, the Jenkins CERT (= Jenkins security team) members have administrator permission on the whole jenkinsci organization, for their security tasks.
Currently, the active CERT members are employed by CloudBees (who is sponsoring the security job), but this is not a required relationship, anyone interested in security could join that team.

The team is led by the elected security officer, currently me, in the past it was Daniel Beck. We are both working for CloudBees but again this is not a requirement at all. It's just that recently there was close to no interest from anyone else to present themselves for the role.

We are trying to ensure the maintainers are pinged / asked / consulted when there is a security release coming. We often give them the possibility to decide if they release it themselves or let us do the release.
In our last interaction, it was a particular case as it was a coordinated release that involved multiple plugins with the same vulnerabilities.

If you have any questions, please reach out :-)

@basil
Member Author

basil commented May 11, 2022

Gentle ping; a release of this would be appreciated! Many thanks again for your efforts.

@GLundh
Member

GLundh commented May 12, 2022

Sorry. Lost my disks in a crash. Had to re-setup my jenkins-dev-environment. I'm on it.

@GLundh
Member

GLundh commented May 12, 2022

Done. Sorry for the delay!

@basil
Member Author

basil commented May 12, 2022

Many thanks! Your diligence is highly appreciated.
