Deprecate and remove GHPRB plugin

[mbarbero]

If some jobs have been run with a version < 1.40.0, they are still affected by https://www.jenkins.io/security/advisory/2018-03-26/#SECURITY-261, so it's quite hard to know if we're at risk or not (apart from running https://github.com/jenkinsci-cert/SECURITY-261 on a regular basis).

Also, the plugin is for adoption and advise to switch to https://plugins.jenkins.io/github-branch-source/ which is preferable anyway.

@fredg02, what do you think?

[fredg02]

The GitHub branch source plugin is not a direct replacement for the GHPRB plugin since it is not compatible with freestyle jobs. This would require that all freestyle jobs that use the GHPRB plugin would need to be migrated to Multibranch pipeline jobs.

Therefore I'd recommend that we adapt our documentation to deprecate using the GHPRB plugin and encourage projects to switch to the Branch Source plugin. I don't see an easy way of "force-removing" the GHPRB plugin without breaking a significant number of build jobs.

[mbarbero]

The GitHub branch source plugin is not a direct replacement for the GHPRB plugin since it is not compatible with freestyle jobs. This would require that all freestyle jobs that use the GHPRB plugin would need to be migrated to Multibranch pipeline jobs.

Right, thanks. I forgot about this fact.

Therefore I'd recommend that we adapt our documentation to deprecate using the GHPRB plugin and encourage projects to switch to the Branch Source plugin. I don't see an easy way of "force-removing" the GHPRB plugin without breaking a significant number of build jobs.

👍

[mbarbero]

Also, there has been a recent push (jenkinsci/ghprb-plugin@255bf6a) to add support for JCasC. It should help us a bit.

Do you think we could also contribute something to remove the security warning from the plugin?

[fredg02]

Shouldn't we be fine with running https://github.com/jenkinsci-cert/SECURITY-261 only once on every Jenkins instance? There should be no Jenkins instance that has an old version of the GHPRB plugin installed.

Do you think we could also contribute something to remove the security warning from the plugin?
Probably yes, otherwise we could see if we can at least disable the security warning in the admin monitor across all instances.

[mbarbero]

True, but it's still annoying (at least with my paranoiac OCD to have 0 security warnings — I know we can deactivate the warning, but it's still there, lying around ;))

[fredg02]

That's why I proposed that running the script once across all JIPPs should be enough to remove the underlying security issue and satisfy your paranoia. ;)