JSCH is too old in Gradle distribution or a classloader problem


I’m using ‘org.apache.maven.wagon:wagon-ssh:2.10’ as maven deployer in uploadArchive task. It is working correctly, but it removes all “ecdsa-sha2-nistp256” keys from ~/.ssh/known_hosts after deploy (sic!). I found root cause of the problem - wagon-ssh:2.10 depends on jsch:0.1.50 which does not support this new key format. During deployment it rewrites know_hosts file ignoring keys it doesn’t recognize. Fortunately ecdsa-sha2-* keys are supported in newest version (http://www.jcraft.com/jsch/ChangeLog).
I tried to force version 0.1.53 which is working correctly by adding this configuration:

 configurations.all {
        // wagon-ssh:2.10 depends on jsch:0.1.50 which is too old
        resolutionStrategy.force 'com.jcraft:jsch:0.1.53'

Here is the problem. Even if I force version 0.1.53 (which is working correctly) behaviour doesn’t change - simply JSCH from dependencies is ignored. Gradle 2.8 distribution contains copy of JSCH library (in lib/plugins/jsch-0.1.51.jar) which somehow has precedence in classpath. When I replaced jsch-0.1.51.jar with jsch-0.1.53.jar (name has to stay the same) it started to work correctly with new jsch version.


  • it may be a problem with plugin - it should has separate classloader
  • or Gradle should deliver newer version of JSCH to workaround this problem (at least for me :slight_smile: )

When you declare configurations.all { ... } you are only affecting the project configurations defined within your build.gradle.

I believe you want to use buildscript.configurations.all { ... } to affect the classpath of the plugins.

It is not a problem with configuration, I’ve tried buildscript.configurations.all. Dependency is overwritten correctly:
gradle dependencies

\--- org.apache.maven.wagon:wagon-ssh:2.10
     +--- com.jcraft:jsch:0.1.50 -> 0.1.53

I’ve cleaned gradle cache and only version 0.1.53 was downloaded. Regardless of changes uploadArchive task always worked as with 0.1.51 version. Replacing content of jsch-0.1.51.jar in lib/plugins with version 0.1.53 helped.

Gradle is loading lib/plugins/jsch-0.1.51.jar during startup, regardless of configuration. Then it stays in classpath/classloader and has precedence to any dependency you provide. If in future version of wagon-ssh it will depend on version 0.1.53 it won’t work - Gradle will force jar from it’s distribution.

There’s been some discussion about plugin classloader isolation and overriding plugin dependencies but nothing has been implemented yet.

Looks like you want this

Yep, overriding builtin plugin dependencies would be great but I can imagine that it may be hard to implement. For now new version of jsch will be sufficient :smile:

@kmaterka looks like you have done some good investigation into this. Would you be interested upgrading the version of JSCH used by gradle and submitting a pull request?

I’ve bumped the version: https://github.com/gradle/gradle/commit/7586aef948585a162fe5119d31380ce83386943e

This will be in Gradle 2.10.