Jenkins jobs: maven-3.8 as default


Robert Varga
 

Hello TSC members,

during infrastructure-side preparation for odlparent-10's requirement of maven-3.8+ in Sulfur, we have discovered an issue with our current JJB setup.

It essentially means that attempts to override job group definitions' use of maven-3.5 are fruitless.

After sparing a bit with Anil on Slack, we have concluded that the cleanest solution is to:
- set our default to mvn38
- remove all current overrides of this default

This would result in all our jobs using maven-3.8, including Silicon and Phosphorus.

This change is purely in our build infrastructure and nothing changes in terms of the ability to build Silicon/Phosphorus projects with maven-3.5+.

In terms of compatibility, I have been using maven-3.8.2+ for all local builds for a couple of months now and experienced no issues at all.

There is another angle to this, which is that maven-3.8.1 is a security, as detailed here:
https://maven.apache.org/docs/3.8.1/release-notes.html#cve-2020-13956
https://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291

Hence we would like to merge https://git.opendaylight.org/gerrit/c/releng/builder/+/98646 and follow that up with a cleanup of superfluous mvn-version directives.

Are there any objections to this plan of action?

Thanks,
Robert

Join TSC@lists.opendaylight.org to automatically receive all group messages.