JEP-7: Deprecation of Ruby and Python plugin runtimes

Table 1. Metadata

JEP	7
Title	Deprecation of Ruby and Python plugin runtimes
Sponsor	Daniel Beck, Gavin Mogan, Oleg Nenashev
Status	Draft 💬
Type	Process
Created	2018-06-06

Table of Contents

• Abstract
• Specification
  • Rollout plan
• Motivation
• Reasoning
  • Impact on current users
• Backwards Compatibility
  • Affected plugins, Ruby runtime
  • Affected plugins, Python runtime
• Security
• Infrastructure Requirements
• Testing
• Prototype Implementation
• References
• Change history

Abstract

Distribution of the unmaintained Ruby Runtime plugin and Jenkins Python SDK will be suspended. Distribution of plugins depending on them will be suspended until their dependency is removed.

Specification

Ruby runtime and Python SDK will be added to the artifact-ignores file of the update center generator, so they are no longer available for download on update sites. Plugins with a mandatory dependency on the runtimes will be added to the same file, as they will not be installable without the respective runtimes being available.

A warning will be added to the update center so that all users of the plugins receive a warning in advance. Plugins depending on either the Ruby runtime or the Python SDK will be also marked for adoption so that users can step up and take over maintenance (by switching to the regular Java runtime) without a 2 weeks waiting delay.

The Git repositories holding the ruby-runtime and Python SDK source code will be archived on GitHub.

Support for Ruby Runtime in the Jenkins core may be removed in future Jenkins versions. This includes but not limited to:

• Stapler JRuby library bundled in the Jenkins core

• Permit lists for JEP-200: Switch Remoting/XStream denylist to a permitlist

• XStream converters for JRuby components

The jruby module will be removed from Stapler.

No future core development will consider the impact on Ruby/Python runtimes and plugins based on them. Bug reports to core and related components about their impact on ruby-runtime and plugins based on it will be closed as Won’t Fix.

Rollout plan

At least 2 weeks before removal

• Announcement blogpost on jenkins.io with the user-focused overview of the change and the delivery plan

• Plugins are marked for adoption

• Plugins will be deprecated in the Update site immediately after the announcement. The deprecation notice will reference the announcement blogpost as justification.

Removal date

• Plugins are removed from official Jenkins update centers. Users of both weekly and LTS release baselines will no longer be able to install or update the plugins.

• If there are any unpublished security issues related to the depublished plugins, a security advisory is released for them shortly after depublishing.

• Ruby and Python plugin runtime codebases are archived on GitHub.

After the removal

A pull request may be submitted to the Jenkins core at some point, with a cleanup of the code and functionality slated for deletion. Stapler JRuby library might be also deleted from the Stapler codebase. This is a breaking change. Once the pull request is merged, the next weekly release will no longer be able to run the Ruby/Python runtime based plugins properly, with undefined behavior and likely Jenkins startup failure as a result. This needs to be explicitly referenced in the changelog.

Jenkins LTS users will be able to continue using the deprecated/depublished plugins until a new LTS baseline picks up the change. ETA for it - the March 2022 LTS release. After this release new Jenkins LTS versions will not be able to run the plugins as well. This change will be documented in the LTS upgrade guidelines.

Plugins may be restored in the update centers once there are contributors who take ownership of a plugin and migrate it to the standard Java plugin runtime. It may be done in a compatible or incompatible way.

Motivation

The ruby-runtime plugin allows plugins to be written in Ruby, rather than the usual Java/Groovy. Development of ruby-runtime stopped around 2013. There are currently two Git repositories holding different states of its source code: jenkinsci/ruby-runtime-plugin and jenkinsci/jenkins.rb. It is unmaintained and the changelog mentions a version 0.13 that has never actually been released.

Over the past years, multiple changes to core negatively impacted ruby-runtime based plugins, and core maintainers had to implement workarounds to address these problems. Example: JEP-200: Switch Remoting/XStream denylist to a permitlist. Due to its design, it is not always possible to apply corresponding changes to ruby-runtime itself. Instead, every dependent plugin may need to be adapted individually, if a change to core results in problems to ruby-runtime.

There currently are no plugins based on ruby-runtime that are both actively maintained (a release in the last two years, i.e. since June 2016) and popular (>2500 reported installations). In a Jenkins developers mailing list thread proposing the deprecation of ruby-runtime in May 2018, nobody volunteered to maintain ruby-runtime and address its problems.

Therefore this JEP proposed the deprecation of ruby-runtime, and to suspend its distribution via Jenkins project update sites.

The same concerns apply to the Jenkins Python SDK. Although we have not experienced issues with that due to the low adoption, potentially it may lead to the core maintenance overhead. Low adoption and lack of interest in Jenkins plugin development for Python suggests that we can just remove the support as a part of this JEP. This SDK is used just for one plugin at the moment.

Reasoning

We have a limited set of tools available to deal with problems like this.

• Security warnings don’t really apply here, as UI labels specifically mention 'security'.

• Wiki pages and other plugin documentation is easy to overlook, especially in automated deployments.

• There are no ways for users to provide feedback for plugins like there is for core (via changelog 'weather').

• There are no ways to mark plugins as incompatible and, for example, warn users on upgrade, other than to suspend distribution. Additionally, we’d need to test every core change for ruby-runtime impact to know of the problem in advance.

So the viable options are the following:

• We could continue to distribute ruby-runtime while reverting the changes in Jenkins core that make it work. This will just result in a bad user experience, as ruby-runtime based plugins remain available while not working with new Jenkins releases.

• We could continue to distribute ruby-runtime and keep the already implemented changes to core around, hoping no further problems occur. If they do, we can still implement this proposed deprecation of ruby-runtime. In this case, there would be no advance warning of current ruby-runtime users, and the number of users may increase in the mean time, making it more difficult to justify such a change.

• We could continue to distribute ruby-runtime, keep the already implemented changes to core around, and fix any future problems. This option comes with potentially significant work with very little benefit, as ruby-runtime based plugins are neither very popular, nor actively maintained.

Impact on current users

Feedback on the developers list expressed concern for current users of any of these plugins and a 'configuration-as-code' approach that sets up new Jenkins instances on a regular basis. This will be addressed in the next section.

Backwards Compatibility

Existing users can continue to use ruby-runtime based plugins. ruby-runtime and plugins depending on it can still be downloaded from Artifactory to support legacy environments. This is also expected to apply to most configuration-as-code approaches supporting installation of arbitrary plugin versions.

Users of 'configuration-as-code' methods for Jenkins will be impacted by this fairly quickly. Workarounds for this include downloading affected plugins from Artifactory, and possibly hosting their own update sites.

If previous core compatibility fixes are reverted, or future core changes break ruby-runtime, users of those plugins will be impacted.

Affected plugins, Ruby runtime

Below you can find a list of the affected plugins which are/were being hosted in the main Jenkins update center. There might be other 3rd-party plugins affected.

Gitlab Hook

Last released 5 years ago.
Contains multiple security vulnerabilties.
Suggestion: Use the GitLab plugin or the GitLab Branch Source plugin.

Cucumber

Last released 8 years ago.
Suggestion: Use sh or bat to run cucumber from the command line.

pyenv

Last released 7 years ago.
Suggestion: Use sh or bat to run pyenv from the command line.

Rvm

Last released 5 years ago.
Suggestion: Use sh or bat to run rvm from the command line.

Capitomcat

Last released 6 years ago.
Suggestion: Install Ruby and Capistrano and use sh or bat to invoke them from the command line.

Commit Message Trigger

Last released 7 years ago.
Suggestion: Use sh, bat, or other scripts to read git commit messages and conditionally execute Pipeline steps.

Git notes

Last released 9 years ago.
Suggestion: Use sh, bat, or other scripts to run git to annotate commits.

rbenv

Last released 5 years ago.
Suggestion: Use sh or bat to run rbenv from the command line.

Chef

Last released 6 years ago.
Suggestion: Use sh or bat to run chef from the command line.

CI Skip

Last released 7 years ago.
Suggestion: Use the GitHub Commit Skip SCM Behaviour, Bitbucket Commit Skip SCM Behaviour, or SCM Skip to skip builds based on the content of commit messages. Alternately, use sh, bat, or other scripts to read git commit messages and conditionally execute Pipeline steps.

MySQL Job Databases

Last released 7 years ago.
Suggestion: Use Jenkins Job Database Manager Plugin for MySQL.

Pathignore

Last released 9 years ago.
Suggestion: Use the path ignore features of various plugins or use sh, bat, or other scripts to read git commit messages and conditionally execute Pipeline steps.

Perl

Last released 8 years ago.
Suggestion: Use sh or bat to run perl from the command line.

pry

Last released 9 years ago.
Suggestion: Use the Jenkins groovy console and its interface from the Jenkins command line interface.

Single Use Slave

Last released 6 years ago.
Suggestion: Use cloud agents (Fargate, Azure Container Instances, Docker, etc.) to allocate agents for a single use and then release them.

Travis YML

Last released 4 years ago.
Suggestion: Rewrite the travis.yml file as a Jenkinsfile, a Jenkins Templating Engine file, a Pipeline as YAML, or a Jenkins Modular Pipeline Library.

Yammer

Last released 8 years ago.
Suggestion: Use the Yammer REST API to post messages.

DevStack

Last released 9 years ago.

Ikachan

Last released 9 years ago.

Jenkinspider

Last released 6 years ago.

Perl Smoke Test

Last released 7 years ago.

buddycloud

Last released 7 years ago.

Affected plugins, Python runtime

InstallShield

Last released 7 years ago.

Security

There are no security risks related to this proposal. If there are known issues for the removed/deprecated plugins, the security advisory will be released after depublishing of the plugins.

Infrastructure Requirements

This JEP will be implemented by using a well established feature of the update center generator.

There are no new infrastructure requirements related to this proposal.

Testing

There are no testing issues related to this proposal.

Prototype Implementation

n/a

References

• https://groups.google.com/d/msg/jenkinsci-dev/Ve0fqAud3Mk/MTIxw6ZyBwAJ

• Ruby Runtime Plugin

• Announcement Draft

• Announcement blogpost

Change history

• December 2021 - Extend the scope to include the Python plugin runtime, clarify the scope and the rollout plan based on the dev list discussion.