JSCH is too old in Gradle distribution or a classloader problem

kmaterka · October 30, 2015, 8:51am

Hi,

I’m using ‘org.apache.maven.wagon:wagon-ssh:2.10’ as maven deployer in uploadArchive task. It is working correctly, but it removes all “ecdsa-sha2-nistp256” keys from ~/.ssh/known_hosts after deploy (sic!). I found root cause of the problem - wagon-ssh:2.10 depends on jsch:0.1.50 which does not support this new key format. During deployment it rewrites know_hosts file ignoring keys it doesn’t recognize. Fortunately ecdsa-sha2-* keys are supported in newest version (http://www.jcraft.com/jsch/ChangeLog).
I tried to force version 0.1.53 which is working correctly by adding this configuration:

 configurations.all {
        // wagon-ssh:2.10 depends on jsch:0.1.50 which is too old
        resolutionStrategy.force 'com.jcraft:jsch:0.1.53'
    }

Here is the problem. Even if I force version 0.1.53 (which is working correctly) behaviour doesn’t change - simply JSCH from dependencies is ignored. Gradle 2.8 distribution contains copy of JSCH library (in lib/plugins/jsch-0.1.51.jar) which somehow has precedence in classpath. When I replaced jsch-0.1.51.jar with jsch-0.1.53.jar (name has to stay the same) it started to work correctly with new jsch version.

So:

it may be a problem with plugin - it should has separate classloader
or Gradle should deliver newer version of JSCH to workaround this problem (at least for me )

Lance_Java · October 30, 2015, 1:11pm

When you declare configurations.all { ... } you are only affecting the project configurations defined within your build.gradle.

I believe you want to use buildscript.configurations.all { ... } to affect the classpath of the plugins.

kmaterka · October 30, 2015, 2:49pm

It is not a problem with configuration, I’ve tried buildscript.configurations.all. Dependency is overwritten correctly:
gradle dependencies

deployerJars
\--- org.apache.maven.wagon:wagon-ssh:2.10
     +--- com.jcraft:jsch:0.1.50 -> 0.1.53

I’ve cleaned gradle cache and only version 0.1.53 was downloaded. Regardless of changes uploadArchive task always worked as with 0.1.51 version. Replacing content of jsch-0.1.51.jar in lib/plugins with version 0.1.53 helped.

Gradle is loading lib/plugins/jsch-0.1.51.jar during startup, regardless of configuration. Then it stays in classpath/classloader and has precedence to any dependency you provide. If in future version of wagon-ssh it will depend on version 0.1.53 it won’t work - Gradle will force jar from it’s distribution.

Lance_Java · October 30, 2015, 4:09pm

There’s been some discussion about plugin classloader isolation and overriding plugin dependencies but nothing has been implemented yet.

Looks like you want this
https://issues.gradle.org/plugins/servlet/mobile#issue/GRADLE-723

kmaterka · October 31, 2015, 5:25pm

Yep, overriding builtin plugin dependencies would be great but I can imagine that it may be hard to implement. For now new version of jsch will be sufficient

Adrian_Kelly · November 3, 2015, 4:39am

@kmaterka looks like you have done some good investigation into this. Would you be interested upgrading the version of JSCH used by gradle and submitting a pull request?

luke_daley · November 3, 2015, 5:36am

I’ve bumped the version: https://github.com/gradle/gradle/commit/7586aef948585a162fe5119d31380ce83386943e

This will be in Gradle 2.10.

Topic		Replies	Views
Milestone-8 : jsch-0.1.42.jar missing, Ivy SFTPResolver can not be be used anymore Old Forum Archive	4	770	February 16, 2012
How can I get gradle maven via SSH to ignore host key checking? Help/Discuss plugins	0	2097	October 26, 2015
How do I prevent strict host checking in uploadArchives Bugs	1	1865	November 11, 2015
Regression in build script compilation on 2.12 Bugs	0	1168	March 14, 2016
Gradle sometimes stucks on resolving dependencies when called via ssh using jsch Bugs	0	932	September 22, 2016

JSCH is too old in Gradle distribution or a classloader problem

Related topics